Document information
Security Power Tools®
Other computer security resources from O’Reilly

Related titles: Security Warrior; Snort Cookbook™; Practical Unix and Internet Security; Essential System Administration; SSH, The Secure Shell: The Definitive Guide; TCP/IP Network Administration; Network Security Hacks™

Security Books Resource Center: security.oreilly.com is a complete catalog of O’Reilly’s books on security and related technologies, including sample chapters and code examples.

oreillynet.com is the essential portal for developers interested in open and emerging technologies, including new platforms, programming languages, and operating systems.

Conferences: O’Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in documenting the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events.

Safari Bookshelf (safari.oreilly.com) is the premier online reference library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or simply flip to the page you need. Try it today for free.
Security Power Tools®

Bryan Burns, Jennifer Stisa Granick, Steve Manzuik, Paul Guersch, Dave Killion, Nicolas Beauchesne, Eric Moret, Julien Sobrier, Michael Lynn, Eric Markham, Chris Iezzoni, and Philippe Biondi

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo
Security Power Tools®
by Bryan Burns, Jennifer Stisa Granick, Steve Manzuik, Paul Guersch, Dave Killion, Nicolas Beauchesne, Eric Moret, Julien Sobrier, Michael Lynn, Eric Markham, Chris Iezzoni, and Philippe Biondi
Copyright © 2007 O’Reilly Media, Inc. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editors: Mike Loukides and Colleen Gorman
Production Editor: Mary Brady
Copyeditor: Derek Di Matteo
Proofreader: Mary Brady
Indexer: Lucie Haskins
Cover Designer: Mike Kohnke
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read
Printing History: August 2007: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Security Power Tools, the image of a rotary hammer, and related trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
This book uses RepKover™, a durable and flexible lay-flat binding.
ISBN-10: 0-596-00963-1
ISBN-13: 978-0-596-00963-2
Table of Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Credits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Part I Legal and Ethics
1. Legal and Ethics Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1 Core Issues 4
1.2 Computer Trespass Laws: No “Hacking” Allowed 7
1.3 Reverse Engineering 13
1.4 Vulnerability Reporting 22
1.5 What to Do from Now On 26
Part II Reconnaissance
2. Network Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.1 How Scanners Work 31
2.2 Superuser Privileges 33
2.3 Three Network Scanners to Consider 34
2.4 Host Discovery 34
2.5 Port Scanning 37
2.6 Specifying Custom Ports 39
2.7 Specifying Targets to Scan 40
2.8 Different Scan Types 42
2.9 Tuning the Scan Speed 45
2.10 Application Fingerprinting 49
2.11 Operating System Detection 49
2.12 Saving Nmap Output 51
2.13 Resuming Nmap Scans 51
2.14 Avoiding Detection 52
2.15 Conclusion 54
3. Vulnerability Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.1 Nessus 55
3.2 Nikto 72
3.3 WebInspect 76
4. LAN Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.1 Mapping the LAN 87
4.2 Using ettercap and arpspoof on a Switched Network 88
4.3 Dealing with Static ARP Tables 92
4.4 Getting Information from the LAN 94
4.5 Manipulating Packet Data 98
5. Wireless Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.1 Get the Right Wardriving Gear 101
5.2 802.11 Network Basics 102
5.3 802.11 Frames 103
5.4 How Wireless Discovery Tools Work 105
5.5 Netstumbler 105
5.6 Kismet at a Glance 107
5.7 Using Kismet 110
5.8 Sorting the Kismet Network List 112
5.9 Using Network Groups with Kismet 112
5.10 Using Kismet to Find Networks by Probe Requests 113
5.11 Kismet GPS Support Using gpsd 113
5.12 Looking Closer at Traffic with Kismet 114
5.13 Capturing Packets and Decrypting Traffic with Kismet 116
5.14 Wireshark at a Glance 117
5.15 Using Wireshark 119
5.16 AirDefense Mobile 122
5.17 AirMagnet Analyzers 126
5.18 Other Wardriving Tools 129
6. Custom Packet Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
6.1 Why Create Custom Packets? 130
6.2 Hping 132
6.3 Scapy 136
6.4 Packet-Crafting Examples with Scapy 163
6.5 Packet Mangling with Netfilter 183
6.6 References 189
Part III Penetration
7. Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.1 Metasploit Interfaces 194
7.2 Updating Metasploit 200
7.3 Choosing an Exploit 200
7.4 Choosing a Payload 202
7.5 Setting Options 206
7.6 Running an Exploit 209
7.7 Managing Sessions and Jobs 212
7.8 The Meterpreter 215
7.9 Security Device Evasion 219
7.10 Sample Evasion Output 220
7.11 Evasion Using NOPs and Encoders 221
7.12 In Conclusion 224
8. Wireless Penetration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
8.1 WEP and WPA Encryption 225
8.2 Aircrack 226
8.3 Installing Aircrack-ng 227
8.4 Running Aircrack-ng 229
8.5 Airpwn 231
8.6 Basic Airpwn Usage 231
8.7 Airpwn Configuration Files 235
8.8 Using Airpwn on WEP-Encrypted Networks 236
8.9 Scripting with Airpwn 237
8.10 Karma 238
8.11 Conclusion 241
9. Exploitation Framework Applications . . . . . . . . . . . . . . . . . . . . . . . . . 242
9.1 Task Overview 242
9.2 Core Impact Overview 244
9.3 Network Reconnaissance with Core Impact 246
9.4 Core Impact Exploit Search Engine 247
9.5 Running an Exploit 249
9.6 Running Macros 250
9.7 Bouncing Off an Installed Agent 253
9.8 Enabling an Agent to Survive a Reboot 253
9.9 Mass Scale Exploitation 254
9.10 Writing Modules for Core Impact 255
9.11 The Canvas Exploit Framework 258
9.12 Porting Exploits Within Canvas 260
9.13 Using Canvas from the Command Line 261
9.14 Digging Deeper with Canvas 262
9.15 Advanced Exploitation with MOSDEF 262
9.16 Writing Exploits for Canvas 264
9.17 Exploiting Alternative Tools 267
10. Custom Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
10.1 Understanding Vulnerabilities 269
10.2 Analyzing Shellcode 275
10.3 Testing Shellcode 279
10.4 Creating Shellcode 285
10.5 Disguising Shellcode 302
10.6 Execution Flow Hijacking 306
10.7 References 320
Part IV Control
11. Backdoors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
11.1 Choosing a Backdoor 324
11.2 VNC 325
11.3 Creating and Packaging a VNC Backdoor 327
11.4 Connecting to and Removing the VNC Backdoor 332
11.5 Back Orifice 2000 334
11.6 Configuring a BO2k Server 335
11.7 Configuring a BO2k Client 340
11.8 Adding New Servers to the BO2k Workspace 342
11.9 Using the BO2k Backdoor 343
11.10 BO2k Powertools 345
11.11 Encryption for BO2k Communications 355
11.12 Concealing the BO2k Protocol 356
11.13 Removing BO2k 358
11.14 A Few Unix Backdoors 359
12. Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
12.1 Windows Rootkit: Hacker Defender 363
12.2 Linux Rootkit: Adore-ng 366
12.3 Detecting Rootkits Techniques 368
12.4 Windows Rootkit Detectors 371
12.5 Linux Rootkit Detectors 376
12.6 Cleaning an Infected System 380
12.7 The Future of Rootkits 381
Part V Defense
13. Proactive Defense: Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
13.1 Firewall Basics 385
13.2 Network Address Translation 389
13.3 Securing BSD Systems with ipfw/natd 391
13.4 Securing GNU/Linux Systems with netfilter/iptables 401
13.5 Securing Windows Systems with Windows Firewall/Internet Connection Sharing 412
13.6 Verifying Your Coverage 417
14. Host Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
14.1 Controlling Services 422
14.2 Turning Off What You Do Not Need 423
14.3 Limiting Access 424
14.4 Limiting Damage 430
14.5 Bastille Linux 436
14.6 SELinux 438
14.7 Password Cracking 444
14.8 Chrooting 448
14.9 Sandboxing with OS Virtualization 449
[...] engineer at EADS Innovation Works, where I work in the IT security lab. I am the creator of many programs, such as Scapy and ShellForge. I authored Chapter 6, Custom Packet Generation (in which Scapy is the main security power tool) and Chapter 10, Custom Exploitation.

Preface

Security Power Tools is written by members of the Juniper Networks’ J-Security Team as well as two guests: Jennifer Granick [...] and what wrote who.

Bryan Burns: I am Chief Security Architect with the Juniper Networks’ J-Security Team. I work closely with the other Juniper authors of this book on a daily basis to ensure that Juniper’s security products can defend against all the tools and techniques listed in this book. In fact, the real reason why I’m so familiar with these security tools is because I use and study them to know [...]

[...] most of the sections are accessible to beginners.

Chapter 17, Device Security Testing, by Julien Sobrier
The tools presented in this chapter are complementary and cover different areas of security testing. A lot of examples on how to automate the tests are given throughout. The tools are great to use in all QA processes—not just for security devices but for any network device.

Monitoring
Chapter 18, Network [...]

[...] different security tools, and when there is so much work to be done? Well, the answer is fairly simple. My group’s knowledge of these tools came through years of working with them and applying them. The information they have to present to you goes beyond the simple two-page summary of what the tool does. This is not a simpleton’s instruction manual. We also assume that you, as a security [...]

[...] 1,200 or 2,400 baud. Attack tools and defense tools were also very rudimentary. The most advanced security-related industry was—and to a certain extent, still is—the Virus/Anti-Virus industry. Can you remember the DOS Ping Pong virus from 1988?

Forensics was also in its infancy and was really only limited to the high-end companies and government agencies. In a very simple sense, security was defined primarily [...]

[...] I’m currently the manager of a versatile team of hacker security professionals called SABRE (or Security Audit Blueprint and Response Engineering). We do everything from code security analysis to Functional Specs review, to engineer training in secure coding, and even to publishing of white papers intended to support talks we give at computer security conferences. In this book, I authored Chapter 20, [...]

[...] future.

Julien Sobrier: I’m a network security engineer at Juniper Networks. I work mainly on the Intrusion Detection and Prevention systems. I have been working for Juniper for about two years and previously worked for Netscreen, another security network company. I wrote Chapter 3, Vulnerability Scanning, Chapter 16, Email Security and Anti-Spam, Chapter 17, Device Security Testing, and half of Chapter [...]

[...] sophistication level of both attack and defense tools. The pervasive nature of the Internet had also made it a target-rich environment, and it provided attackers multiple locations from which to launch their attacks.

At the same time that the security landscape changed, the discussion around security had changed as well. To borrow an expression from the cryptology field, security was largely accomplished through [...]

[...] around a little and reviewing those tools that are seemingly at your level, and either working up or down as you introduce yourself to tools you may not know. Our final struggle was which tools to document. Our O’Reilly editor gave us an ideal page count to shoot for. This was our first parameter or else the book would cost a hundred dollars. Next, each of us reviewed different tools depending on our chapter [...]

[...] anything to talk about (because quite frankly, some tools do one thing so well and so simplistically that they are almost too obvious and easy to use). There are a dozen other reasons that we chose the tools that we did, and not all of the tools we initially picked made it into the book; in the end, we had to make decisions. Our apologies to those tools that didn’t make the cut; and to those that did, [...]
Posted: 25/03/2014, 12:07