Hacking Exposed Linux, 3rd Edition

www.it-ebooks.info
A valuable extension to the Hacking Exposed franchise; the authors do a great job of
incorporating the vast pool of knowledge of security testing from the team who built the Open
Source Security Testing Methodology Manual (OSSTMM) into an easy-to-digest, concise read
on how Linux systems can be hacked.
Steven Splaine
Author, The Web Testing Handbook and Testing Web Security
Industry-Recognized Software Testing Expert
With Pete being a pioneer of open-source security methodologies, directing ISECOM, and
formulating the OPSA certification, few people are more qualified to write this book than him.
Matthew Conover
Principal Software Engineer
Core Research Group, Symantec Research Labs
You’ll feel as if you are sitting in a room with the authors as they walk you through the steps
the bad guys take to attack your network and the steps you need to take to protect it. Or, as the
authors put it: “Separating the asset from the threat.” Great job, guys!
Michael T. Simpson, CISSP
Senior Staff Analyst
PACAF Information Assurance
An excellent resource for security information, obviously written by those with real-world
experience. The thoroughness of the information is impressive —very useful to have it presented in
one place.
Jack Louis
Security Researcher
HACKING EXPOSED LINUX:
LINUX SECURITY SECRETS & SOLUTIONS
THIRD EDITION
ISECOM
New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto
Copyright © 2008 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as permitted
under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or
stored in a database or retrieval system, without the prior written permission of the publisher.
0-07-159642-9
The material in this eBook also appears in the print version of this title: 0-07-226257-5.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name,
we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where
such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. For more information, please contact George Hoare, Special Sales, at or (212) 904-4069.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use
of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute,
disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own
noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to
comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE
ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY
INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY
DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the
functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor
its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages
resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances
shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from
the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of
liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
DOI: 10.1036/0072262575
As Project Leader, I want to dedicate this book to all the
volunteers who helped out and contributed through
ISECOM to make sense of security so the rest of the world
can find a little more peace. It’s the selfless hackers like
them who make being a hacker such a cool thing.
I also need to say that all this work would be overwhelming
if not for my unbelievably supportive wife, Marta. Even my
three children, Ayla, Jace, and Aidan, who can all put
ISECOM on the list of their first spoken words, were all
very helpful in the making of this book.
—Pete Herzog
ABOUT THE AUTHORS
This book was written according to the ISECOM (Institute for Security and Open
Methodologies) project methodology. ISECOM is an open, nonprofit security research
and certification organization established in January 2001 with the mission to make sense
of security. They release security standards and methodologies under the Open
Methodology License for free public and commercial use.
This book was written by multiple authors, reviewers, and editors—too many to all
be listed here—who collaborated to create the best Linux hacking book they could. Since
no one person can master everything you may want to do in Linux, a community wrote
the book on how to secure it.

The following people contributed greatly and should be recognized.
About the Project Leader
Pete Herzog
As Managing Director, Pete is the co-founder of ISECOM and creator of the
OSSTMM. At work, Pete focuses on scientific, methodical testing for controlling
the quality of security and safety. He is currently managing projects in development
that include security for homeowners, hacking lessons for teenagers, source-
code static analysis, critical-thinking training for children, wireless certification
exam and training for testing the operational electromagnetic spectrum, a
legislator’s guide to security solutions, a Dr. Seuss–type children’s book in metered prose
and rhyme, a security analysis textbook, a guide on human security, solutions for
university security and safety, a guide on using security for national reform, a guide for
factually calculating trust for marriage counselors and family therapists, and of course,
the Open Source Security Testing Methodology Manual (OSSTMM).
In addition to managing ISECOM projects, Pete teaches in the Masters for Security
program at La Salle University in Barcelona and supports the worldwide security
certification network of partners and trainers. He received a bachelor’s degree from
Syracuse University. He currently only takes time off to travel in Europe and North
America with his family.
About the Project Managers
Marta Barceló
Marta Barceló is Director of Operations, co-founder of ISECOM, and is
responsible for ISECOM business operations. In early 2003, she designed the
process for the Hacker Highschool project, developing and designing teaching
methods for the website and individual and multilingual lessons. Later that
same year, she developed the financial and IT operations behind the ISESTORM
conferences. In 2006, Marta was invited to join the EU-sponsored Open Trusted
Computing consortium to manage ISECOM’s participation within the project, including
financial and operating procedures. In 2007, she began the currently running advertising
campaign for ISECOM, providing all creative and technical skills as well as direction.
Marta maintains the media presence of all ISECOM projects and provides technical
server administration for the websites. She attended Mannheim University of Applied
Sciences in Germany and graduated with a masters in computer science.
In addition to running ISECOM, Marta has a strong passion for the arts, especially
photography and graphic design, and her first degree is in music from the Conservatori
del Liceu in Barcelona.
Rick Tucker
Rick Tucker has provided ISECOM with technical writing, editing, and general
support on a number of projects, including SIPES and Hacker Highschool. He
currently resides in Portland, Oregon, and works for a small law firm as the go-
to person for all manner of mundane and perplexing issues.
About the Authors
Andrea Barisani
Andrea Barisani is an internationally known security researcher. His
professional career began eight years ago, but it all really started with a
Commodore-64 when he was ten years old. Now Andrea is having fun with
large-scale IDS/firewall-deployment administration, forensic analysis,
vulnerability assessment, penetration testing, security training, and his
open-source projects. He eventually found that system and security administration are
the only effective way to express his need for paranoia.
Andrea is the founder and project coordinator of the oCERT effort, the Open Source
CERT. He is involved in the Gentoo project as a member of the Security and Infrastructure
Teams and is part of Open Source Security Testing Methodology Manual, becoming an
ISECOM Core Team member. Outside the community, he is the co-founder and chief
security engineer of Inverse Path, Ltd. He has been a speaker and trainer at the PacSec,
CanSecWest, BlackHat, and DefCon conferences among many others.
Thomas Bader
Thomas Bader works at Dreamlab Technologies, Ltd., as a trainer and solution
architect. Since the early summer of 2007, he has been in charge of ISECOM
courses throughout Switzerland. As an ISECOM team member, he participates
in the development of the OPSE certification courses, the ISECOM test network,
and the OSSTMM.
From the time he first came into contact with open-source software in 1997,
he has specialized in network and security technologies. Over the following years, he
has worked in this field and gained a great deal of experience with different firms as a
consultant and also as a technician. Since 2001, Thomas has worked as a developer and
trainer of LPI training courses. Since 2006, he has worked for Dreamlab Technologies,
Ltd., the official ISECOM representative for the German- and French-speaking countries
of Europe.
Simon Biles
Simon Biles is the director and lead consultant at Thinking Security, a UK-based
InfoSec Consultancy. He is the author of The Snort Cookbook from O’Reilly, as well
as other material for ISECOM, Microsoft, and SysAdmin magazine. He is
currently pursuing his masters in forensic computing at the Defence Academy in
Shrivenham. He holds a CISSP, OPSA, is an ISO17799 Lead Auditor, and is also a
Chartered Member of the British Computer Society. He is married with children
(several) and reptiles (several). His wife is not only the most beautiful woman ever, but
also incredibly patient when he says things like “I’ve just agreed to <insert time-drain
here>.” In his spare time, when that happens, he likes messing about with Land Rovers
and is the proud owner of a semi-reliable, second-generation Range Rover.
Colby Clark
Colby Clark is Guidance Software’s Network Security Manager and has the day-
to-day responsibility for overseeing the development, implementation, and
management of their information security program. He has many years of
security-related experience and has a proven track record with Fortune 500
companies, law firms, financial institutions, educational institutions,
telecommunications companies, and other public and private companies in
regulatory compliance consulting and auditing (Sarbanes Oxley and FTC Consent
Order), security consulting, business continuity, disaster recovery, incident response,
and computer forensic investigations. Colby received an advanced degree in business
administration from the University of Southern California, maintains the EnCE, CISSP,
OPSA, and CISA certifications, and has taught advanced computer forensic and incident
response techniques at the Computer and Enterprise Investigations Conference (CEIC).
He is also a developer of the Open Source Security Testing Methodology Manual (OSSTMM)
and has been with ISECOM since 2003.
Raoul Chiesa
Raoul “Nobody” Chiesa has 22 years of experience in information security
and 11 years of professional knowledge. He is the founder and president of
@ Mediaservice.net Srl, an Italian-based, vendor-neutral security consulting
company. Raoul is on the board of directors for the OWASP Italian Chapter,
Telecom Security Task Force (TSTF.net), and the ISO International User Group.
Since 2007, he has been a consultant on cybercrime issues for the UN at the United
Nations Interregional Crime & Justice Research Institute (UNICRI).
He authored Hacker Profile, a book which will be published in the U.S. by Taylor &
Francis in late 2008. Raoul’s company was the first worldwide ISECOM partner, launching
the OPST and OPSA classes back in 2003. At ISECOM, he works as Director of
Communications, enhancing ISECOM evangelism all around the world.
Pablo Endres
Pablo Endres is a security engineer/consultant and technical solution architect
with a strong background built upon his experience at a broad spectrum of
companies: wireless phone providers, VoIP solution providers, contact centers,
universities, and consultancies. He started working with computers (an XT) in
the late 1980s and holds a degree in computer engineering from the Universidad Simón
Bolívar at Caracas, Venezuela. Pablo has been working, researching, and playing around
with Linux, Unix, and networked systems for more than a decade.
Pablo would like to thank Pete for the opportunity to work on this book and with
ISECOM, and last but not least, his wife and parents for all the support and time
sharing.
Richard Feist
Richard has been working in the computer industry since 1989 when he started as
a programmer and has since moved through various roles. He has a good view of
both business and IT and is one of the few people who can interact in both spaces.
He recently started his own small IT security consultancy, Blue Secure. He
currently holds various certifications (CISSP, Prince2 Practitioner, OPST/OPSA
trainer, MCSE, and so on) in a constant attempt to stay up-to-date.
Andrea Ghirardini
Andrea “Pila” Ghirardini has over seven years’ expertise in computer forensics
analysis. The labs he leads (@PSS Labs, ) have assisted Italian
and Swiss Police Special Units in more than 300 different investigations related
to drug dealing, fraud, tax fraud, terrorism, weapons trafficking, murder,
kidnapping, phishing, and many others.
His labs are the oldest ones in Italy, continuously supported by the company team’s
strong background in building CF machines and storage systems in order to handle and
examine digital evidence, using both open-source-based and commercial tools. In 2007,
Andrea wrote the first book ever published in Italy on computer forensics investigations
and methodologies (Apogeo Editore). In this book, he also analyzed Italian laws related
to these kinds of crimes. Andrea holds the third CISSP certification in Italy.
Julian “HammerJammer” Ho
Julian “HammerJammer” Ho is co-founder of ThinkSECURE Pte, Ltd.,
(), an Asia-based practical IT security certification/training
authority and professional IT security services organization and an ISECOM-
certified OPST trainer.
Julian was responsible for design, implementation, and maintenance of
security operations for StarHub’s Wireless Hotzones in Changi International
Airport Terminals 1 and 2 and Suntec Convention Centre. He is one half of the design
team for BlackOPS:HackAttack 2004, a security tournament held in Singapore; AIRRAID
(Asia’s first-ever pure wireless hacking tournament) in 2005; and AIRRAID2 (Thailand’s
first-ever public hacking tournament) in 2008. He also contributed toward research and
publication of the WCCD vulnerability in 2006.
Julian created and maintains the OSWA-Assistant wireless auditing toolkit, which
was awarded best in the Wireless Testing category and recommended/excellent in the
LiveCDs category by Security-Database.com in their “Best IT Security and Auditing
Software 2007” article.
Marco Ivaldi
Marco Ivaldi () is a computer security researcher and
consultant, a software developer, and a Unix system administrator. His particular
interests are networking, telephony, and cryptology. He is an ISECOM Core
Team member, actively involved in the OSSTMM development process. He
holds the OPST certification and is currently employed as Red Team Coordinator
at @ Mediaservice.net, a leading information-security company based in Italy. His daily
tasks include advanced penetration testing, ISMS deployment and auditing, vulnerability
research, and exploit development. He is founder and editorial board member of
Linux&C, the first Italian magazine about Linux and open source. His homepage and
playground is o.
Marco wishes to thank VoIP gurus Emmanuel Gadaix of TSTF and thegrugq for their
invaluable and constant support throughout the writing of this book. His work on this
book is dedicated to z*.
Dru Lavigne
Dru Lavigne is a network and systems administrator, IT instructor, curriculum
developer, and author. She has over a decade of experience administering and
teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD
systems. She is author of BSD Hacks and The Best of FreeBSD Basics. She is currently
the editor-in-chief of the Open Source Business Resource, a free monthly
publication covering open source. She is founder and current chair of the BSD Certification
Group, Inc., a nonprofit organization with a mission to create the standard for certifying
BSD system administrators. At ISECOM, she maintains the Open Protocol Database. Her
blog can be found at
Stéphane Lo Presti
Stéphane is a research scientist who has explored the various facets of trust in
computer science for the past several years. He is currently working at The City
University, London, on service-oriented architectures and trust. His past jobs
include the European project, Open Trusted Computing () at
Royal Holloway, University of London, and the Trusted Software Agents and
Services (T-SAS) project at the University of Southampton, UK. He enjoys
applying his requirement-analysis and formal-specification computing skills to modern
systems and important properties, such as trust. In 2002, he received a Ph.D. in computing
science from the Grenoble Institute of Technology, France, where he also graduated as a
computing engineer in 1998 from the ENSIMAG Grande École of Computing and
Applied Mathematics, Grenoble, France.
Christopher Low
Christopher Low is co-founder of ThinkSECURE Pte Ltd. (),
an Asia-based IT-security training, certification, and professional IT security
services organization. Christopher has more than ten years of IT security
experience and has extensive security consultancy and penetration-testing
experience. Christopher is also an accomplished trainer, an ISECOM-certified
OPST trainer and has developed various practical-based security certification courses
drawn from his experiences in the IT security field. He also co-designed the BlackOPS:
HackAttack 2004 security tournament held in Singapore, AIRRAID (Asia’s first-ever
pure wireless hacking tournament) in 2005, and AIRRAID2 (Thailand’s first-ever public
hacking tournament).
Christopher is also very actively involved in security research; he likes to code and
created the Probemapper and MoocherHunter tools, both of which can be found in the
OSWA-Assistant wireless auditing toolkit.
Ty Miller
Ty Miller is Chief Technical Officer at Pure Hacking in Sydney, Australia. Ty has
performed penetration tests against countless systems for large banking,
government, telecommunications, and insurance organizations worldwide, and
has designed and managed large security architectures for a number of
Australian organizations within the Education and Airline industries.
Ty presented at Blackhat USA 2008 in Las Vegas on his development of DNS
Tunneling Shellcode and was also involved in the development of the CHAOS Linux
distribution, which aims to be the most compact, secure openMosix cluster platform.
He is a certified ISECOM OPST and OPSA instructor and contributes to the Open Source
Security Testing Methodology Manual. Ty has also run web-application security courses
and penetration-testing tutorials for various organizations and conferences.
Ty holds a bachelors of technology in information and communication systems from
Macquarie University, Australia. His interests include web-application penetration
testing and shellcode development.
Armand Puccetti
Armand Puccetti is a research engineer and project manager at CEA-LIST (a
department of the French Nuclear Energy Agency, ) where
he is working in the Software Safety Laboratory. He is involved in several
European research projects belonging to the MEDEA+, EUCLID, ESSI, and
FP6 programs. His research interests include formal methods for software and
hardware description languages, semantics of programming languages, theorem
provers, compilers, and event-based simulation techniques. Before moving to CEA
in 2000, he was employed as a project manager at C-S (Communications & Systems),
a privately owned software house. At C-S he contributed to numerous
software development and applied research projects, ranging from CASE tools and
compiler development to military simulation tools and methods (a
.fr/ESCADRE) and consultancy.
He graduated from INPL () where he earned a Ph.D. in 1987
in the Semantics and Axiomatic Proof for the Ada Programming Language.
About the Contributing Authors

Görkem Çetin
Görkem Çetin has been a renowned Linux and open-source professional for more than
15 years. As a Ph.D. candidate, his current doctorate studies focus on human/computer
interaction issues of free/open-source software. Görkem has authored four books on
Linux and networking and written numerous articles for technical and trade magazines.
He works for the National Cryptography and Technology Institute of Turkey (TUBITAK/
UEKAE) as a project manager.
Volkan Erol
Volkan Erol is a researcher at the Turkish National Research Institute of Electronics and
Cryptology (TUBITAK-NRIEC). After receiving his bachelor of science degree in
computer engineering from Galatasaray University Engineering and Technology Faculty,
Volkan continued his studies in the Computer Science, Master of Science program, at
Istanbul Technical University. He worked as software engineer at the Turkcell Shubuo-
Turtle project and has participated in TUBITAK-NRIEC since November 2005. He works
as a full-time researcher in the Open Trusted Computing project. His research areas are
Trusted Computing, applied cryptography, software development, and design and
image processing.
Chris Griffin
Chris Griffin has nine years of experience in information security. Chris obtained the
OPST, OPSA, CISSP, and CNDA certifications and is an active contributor to ISECOM’s
OSSTMM. Chris has most recently become ISECOM’s Trainer for the USA. He wants to
thank Pete for this opportunity and his wife and kids for their patience.
Fredesvinda Insa Mérida
Fredesvinda Insa Mérida is the Strategic Development Manager of Cybex. Dr. Insa
graduated in law from the University of Barcelona (1994–1998). She also holds a Ph.D. in
information sciences and communications, from the University Complutense of Madrid.
Dr. Insa has represented Cybex in several computer-forensics and electronic-evidence
meetings. She has a great deal of experience in fighting against computer-related crimes.
Within Cybex, she provides legal assistance to the computer forensics experts.
About the Editors and Reviewers

Chuck Truett
Chuck Truett is a writer, editor, SAS programmer, and data analyst. In addition to his
work with ISECOM, he has written fiction and nonfiction for audiences ranging from
children to role-playing gamers.
Adrien de Beaupré
Adrien de Beaupré is practice lead at Bell Canada. He holds the following certifications:
GPEN, GCIH, GSEC, CISSP, OPSA, and OPST. Adrien is very active with isc.sans.org. He
is an ISECOM OSSTMM-certified instructor. His areas of expertise include vulnerability
assessments, penetration testing, incident response, and digital forensics.
Mike Hawkins
Michael Hawkins, CISSP, has over ten years’ experience in the computer industry, the
majority of time spent at Fortune 500 companies. He is currently the Manager of
Networks and Security at the loudspeaker company Klipsch. He has been a full-time
security professional for over five years.
Matías Bevilacqua Trabado
Matías Bevilacqua Trabado graduated in computer engineering from the University of
Barcelona and currently works for Cybex as IT Manager. From a security background,
Matías specializes in computer forensics and the admissibility of electronic evidence. He
designed and ran the first private forensic laboratory in Spain and is currently leading
research and development at Cybex.
Patrick Boucher
Patrick Boucher is a senior security consultant for Gardien Virtuel. Patrick has many
years of experience with ethical hacking, security policy, and strategic planning like
disaster recovery and continuity planning. His clients include many Fortune 500
companies, financial institutions, telecommunications companies, and SME enterprises
throughout Canada. Patrick has obtained CISSP and CISA certifications.
CONTENTS
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Part I Security and Controls

▼ 1 Applying Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Free from Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
The Four Comprehensive Constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
The Elements of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
▼ 2 Applying Interactive Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
The Five Interactive Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
▼ 3 Applying Process Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
The Five Process Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Part II Hacking the System

▼ 4 Local Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Physical Access to Linux Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Console Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Sudo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
File Permissions and Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Chrooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Physical Access, Encryption, and Password Recovery . . . . . . . . . . . . . . . . . . 80
Volatile Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
▼ 5 Data Networks Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Network Visibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Network and Systems Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Network Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Covert Communications and Clandestine Administration . . . . . . . . . . . . . . 107
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
▼ 6 Unconventional Data Attack Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Overview of PSTN, ISDN, and PSDN Attack Vectors . . . . . . . . . . . . . . . . . . 127
Introducing PSTN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Introducing ISDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Introducing PSDN and X.25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Communication Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Tests to Perform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
PSTN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
ISDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
PSDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Tools to Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
PAW and PAWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Intelligent Wardialer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Shokdial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
ward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
THCscan Next Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
PSDN Testing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
admx25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Sun Solaris Multithread and Multichannel X.25 Scanner by Anonymous . . . . . . . . . 150
vudu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
TScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Common Banners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
How X.25 Networks Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Basic Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Call Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
X.3/X.28 PAD Answer Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Contents
xvii
X.25 Addressing Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
DCC Annex List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Key Points for Getting X.25 Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
X.28 Dialup with NUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
X.28 Dialup via Reverse Charge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Private X.28 PAD via a Standard or Toll-Free PSTN or ISDN Number . . . . . . . . . . 174
Internet to X.25 Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Cisco Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
VAX/VMS or AXP/OpenVMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
*NIX Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
▼ 7 Voice over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
VoIP Attack Taxonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
System Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Signaling Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Introduction to VoIP Testing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Transport Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
VoIP Security Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Firewalls and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
▼ 8 Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
The State of the Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Wireless Hacking Physics: Radio Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . 225
RF Spectrum Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Exploiting 802.11 The Hacker Way . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Wireless Auditing Activities and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Auditing Wireless Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
▼ 9 Input/Output devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
About Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Bluetooth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Entities on the Bluetooth Protocol Stack . . . . . . . . . . . . . . . . . . . . . . . . 286
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
▼ 10 RFID—Radio Frequency Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
History of RFID: Leon Theremin and “The Thing” . . . . . . . . . . . . . . . . . . . . . 297
Identification-Friend-or-Foe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
RFID Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Purpose of RFID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Passive Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Active Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
RFID Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
RFID-Enabled Passports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Ticketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Other Current RFID Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
RFID Frequency Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
RFID Technology Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
RFID Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
RFID Hacker’s Toolkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Implementing RFID Systems Using Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
RFID Readers Connected to a Linux System . . . . . . . . . . . . . . . . . . . . 311
RFID Readers with Embedded Linux . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Linux Systems as Backend/Middleware/Database Servers in RFID Systems . . . . . . . 312
Linux and RFID-Related Projects and Products . . . . . . . . . . . . . . . . . . . . . . . 313
OpenMRTD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
OpenPCD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
OpenPICC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Magellan Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
RFIDiot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
RFID Guardian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
OpenBeacon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Omnikey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Linux RFID Kit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
▼ 11 Emanation Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Van Eck Phreaking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Other “Side-Channel” Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
▼ 12 Trusted Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Introduction to Trusted Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Platform Attack Taxonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Hardware Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Low-Level Software Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
System Software Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Application Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
General Support for Trusted Computing Applications . . . . . . . . . . . . . . . . . 355
TPM Device Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
TrouSerS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
TPM Emulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
jTSS Wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
TPM Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Examples of Trusted Computing Applications . . . . . . . . . . . . . . . . . . . . . . . . 359
Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
TrustedGRUB (tGrub) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
TPM Keyring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Turaya.VPN and Turaya.Crypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Open Trusted Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
TCG Industrial Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Part III Hacking the Users

▼ 13 Web Application Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Access and Controls Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Insufficient Data Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Web 2.0 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Trust Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Trust and Awareness Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Man-in-the-Middle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Web Infrastructure Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
▼ 14 Mail Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
SMTP Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Understanding Sender and Envelope Sender . . . . . . . . . . . . . . . . . . . 434
Email Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
SMTP Attack Taxonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Alteration of Data or Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Denial of Service or Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
▼ 15 Name Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
DNS Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
DNS and IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
The Social Aspect: DNS and Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
WHOIS and Domain Registration and Domain Hijacking . . . . . . . . . . . . . . 476
The Technical Aspect: Spoofing, Cache Poisoning, and Other Attacks . . . . 478
Bind Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Part IV Care and Maintenance

▼ 16 Reliability: Static Analysis of C Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Formal vs. Semiformal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Semiformal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Formal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
C Code Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Analyzing C Code Using Hoare Logics . . . . . . . . . . . . . . . . . . . . . . . . 505
The Weakest Precondition Calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Verification Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Some C Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Tools Based on Abstract Interpretation . . . . . . . . . . . . . . . . . . . . . . . . . 518
Tools Based on Hoare Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Tools Based on Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Additional References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
▼ 17 Security Tweaks in the Linux Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Linux Security Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
CryptoAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
NetFilter Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Enhanced Wireless Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
File System Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
POSIX Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
NFSv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Additional Kernel Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Man Pages Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Online Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Other References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Part V Appendixes

▼ A Management and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Best Practices Node Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Use Cryptographically Secured Services . . . . . . . . . . . . . . . . . . . . . . . 532
Prevention Against Brute-Force . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Deny All, Allow Specifically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
One-Time Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Automated Scanning Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Lock Out on Too High Fail Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Avoid Loadable Kernel Module Feature . . . . . . . . . . . . . . . . . . . . . . . . 537
Enforce Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Use sudo for System Administration Tasks . . . . . . . . . . . . . . . . . . . . . 537
Check IPv6 Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Justify Enabled Daemons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Set Mount and Filesystem Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Harden a System Through /proc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Hardware Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Checking Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Best Practices Network Environment Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Ingress and Egress Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Build Network Segments and Host-based Firewalls . . . . . . . . . . . . . 544
Perform Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Watch Security Mailing Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Collect Log Files at a Central Place . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Collect Statistics Within the Network . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Use VPN for Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Additional Helpful Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
System Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Replace Legacy Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
xinetd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
syslog-ng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
daemontools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Other Service Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Automating System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
Perl Scripting Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
cfengine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
▼ B Linux Forensics and Data Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
Hardware: The Forensic Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Hardware: Other Valuable Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Software: Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Software: Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
So, Where Should You Start From? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Live Investigation/Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Post Mortem Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Handling Electronic Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Legislative Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Definition of Electronic Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
Equivalence of Traditional Evidence to Electronic Evidence . . . . . . . 566
Advantages and Disadvantages of Electronic Evidence . . . . . . . . . . 566
Working with Electronic Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Requirements That Electronic Evidence Must Fulfill to Be Admitted in Court . . . . . . 567
▼ C BSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
Overview of BSD Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Security Features Found in All BSDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
securelevel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Security Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
sysctl(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
rc.conf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
rc.subr(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
chflags(1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
ttys(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
sshd_config(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Blowfish Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
System Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
IPsec(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Randomness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
chroot(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
FreeBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
MAC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
OpenBSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
OpenPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
jail(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
VuXML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
portaudit(1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
gbde(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
geli(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
NetBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
kauth(9) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
veriexec(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
pw_policy(3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
fileassoc(9) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
Audit-Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
cgd(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
clockctl(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
OpenBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
ProPolice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
W^X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
systrace(1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Encrypted Swap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
pf(4) Firewall Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
BSD Security Advisories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Additional BSD Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Online Man Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Online Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
▼ Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591