hack proofing your network, 2nd ed. - the only way to stop a hacker is to think like one

1 YEAR UPGRADE BUYER PROTECTION PLAN
UPDATED BESTSELLER!
The Only Way to Stop a Hacker is to Think Like One
David R. Mirza Ahmad
Ido Dubrawsky
Hal Flynn
Joseph “Kingpin” Grand
Robert Graham
Norris L. Johnson, Jr.
K2
Dan “Effugas” Kaminsky
F. William Lynch
Steve W. Manzuik
Ryan Permeh
Ken Pfeil
Rain Forest Puppy
Ryan Russell
Technical Editor
194_HP_Net2e_FC 2/22/02 10:01 AM Page 1

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

This site is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

One-year warranty against content obsolescence due to vendor
product upgrades. You can access online updates for any affected
chapters.

“Ask the Author” customer query forms that enable you to post
questions to our authors and editors.

Exclusive monthly mailings in which our experts provide answers to
reader queries and clear explanations of complex material.

Regularly updated links to sites specially selected by our editors for
readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site.
Just go to www.syngress.com/solutions, and keep this book handy when
you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure
to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.
www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 D7Y4T945T5
002 AKTRT4MW34
003 VMB663N54N
004 SGD34B39KA
005 87U8Q26NVH
006 N4D4RNTEM4
007 2HBVHTR46T
008 ZPB9R5653R
009 J6N5M4BRAS
010 5T6YH2TZFC
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Hack Proofing Your Network, Second Edition
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-70-9
Technical Editor: Ryan Russell
Acquisitions Editor: Catherine B. Nolan
Developmental Editor: Kate Glennon
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier
Indexer: Robert Saigh
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the
challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.
Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our
vision remains worldwide in scope.
Annabel Dent and Paul Barry of Harcourt Australia for all their help.
David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress program.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar
Book Group for their help with distribution of Syngress books in Canada.
From Ryan Russell
I would like to dedicate my work to my wonderful wife and children, without whom none of this would be worth doing. I love you Sara, Happy Valentine’s Day! I would also like to thank Brian Martin for his assistance in tech editing, and of course the authors who took the time to write the book. Special thanks go out to those authors who worked on the first edition, before anyone had any idea that it would do well or how it would come out.
Contributors
Dan “Effugas” Kaminsky (CISSP) worked for two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems. Dan has delivered presentations at several major industry conferences including Linuxworld, DEF CON, and the Black Hat Briefings, and he also contributes actively to OpenSSH, one of the more significant cryptographic systems in use today. Dan founded the cross-disciplinary DoxPara Research (www.doxpara.com) in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. He is based in Silicon Valley, presently studying Operation and Management of Information Systems at Santa Clara University in California.
Rain Forest Puppy is a security research and development consultant for a Midwest-based security consulting company. RFP has been working in R&D and coding in various languages for over seven years. While the Web is his primary hobby focus point, he has also played in other realms including: Linux kernel security patches, lockdown of various Windows and UNIX operating systems, and the development of honeypots and other attack alert tools. In the past he’s reported on SQL tampering and common CGI problems, and has contributed security tools (like whisker) to the information security community.
Ken Pfeil is the Security Program Manager for Identix Inc.’s information technology security division. Ken started with Identix following his position as Chief Information Security Officer for Miradiant Global Network, Inc. Ken has over 14 years of IT and security experience, having served with such companies as Microsoft, Dell, and Merrill Lynch. While employed at Microsoft, Ken co-authored Microsoft’s “Best Practices for Enterprise Security” whitepaper series, and is the founder of “The NT Toolbox” Web site. He currently covers new security risks and vulnerabilities for Windows and .Net magazines’ Security Administrator publication, and was the resident expert for multiplatform integration and security issues for “The Windows 2000 Experts Journal.”
Joseph “Kingpin” Grand is a Boston-based electrical engineer and product designer. His pioneering hardware and security research has been published in various academic and industry journals. He has lectured widely on security product design and analysis, portable devices, and digital forensics. In addition to testifying before the United States Senate Governmental Affairs, Joseph has presented his research at the United States Naval Post Graduate School Center for INFOSEC Studies and Research, the USENIX Security Symposium, and the IBM Thomas J. Watson Research Center. Joseph was a long-time researcher with the L0pht hacker think tank. He holds a Bachelor’s of Science in Computer Engineering from Boston University in Boston, Massachusetts.
K2 is a security engineer. He works on a variety of systems ranging from UNIX to all other operating systems. He has spent a lot of time working through security issues wherever they exist: core kernels, networking services, or binary protections. K2 is a member of w00w00 and is a contributing member of The Honeynet Project. He would like to thank Anya for all her help and support throughout the year.
David M. Ahmad is Threat Analysis Manager for SecurityFocus and moderator of the Bugtraq mailing list. SecurityFocus is the leading provider of security intelligence services. David has played a key role in the development of the vulnerability database at SecurityFocus. The focus of this duty has been the analysis of software vulnerabilities and the methods used to exploit them. David became the moderator of Bugtraq, the well-known computer security mailing list, in 2001. He currently resides in Calgary, Alberta, Canada with his family.
F. William Lynch (SCSA, CCNA, LPI-I, MCSE, MCP, Linux+, A+) is co-author for Hack Proofing Sun Solaris 8 (ISBN: 1-928994-44-X), also published by Syngress Publishing. He is an independent security and systems administration consultant and specializes in firewalls, virtual private networks, security auditing, documentation, and systems performance analysis. William has served as a consultant to multinational corporations and the Federal government including the Centers for Disease Control and Prevention headquarters in Atlanta, Georgia as well as various airbases of the USAF. He is also the founder and director of the MRTG-PME project, which uses the MRTG engine to track systems performance of various UNIX-like operating systems. William holds a Bachelor’s degree in Chemical Engineering from the University of Dayton in Dayton, Ohio and a Masters of Business Administration from Regis University in Denver, Colorado.
Hal Flynn is a Threat Analyst at SecurityFocus, the leading provider of Security Intelligence Services for Business. Hal functions as a Senior Analyst, performing research and analysis of vulnerabilities, malicious code, and network attacks. He provides the SecurityFocus team with UNIX and Network expertise. He is also the manager of the UNIX Focus Area and moderator of the Focus-Sun, Focus-Linux, Focus-BSD, and Focus-GeneralUnix mailing lists.
Hal has worked the field in jobs as varied as the Senior Systems and Network Administrator of an Internet Service Provider, to contracting the United States Defense Information Systems Agency, to Enterprise-level consulting for Sprint. He is also a veteran of the United States Navy Hospital Corps, having served a tour with the 2nd Marine Division at Camp Lejeune, North Carolina as a Fleet Marine Force Corpsman. Hal is mobile, living between sunny Phoenix, Arizona and wintry Calgary, Alberta, Canada. Rooted in the South, he still calls Montgomery, Alabama home.
Ryan Permeh is a developer and researcher with eEye Digital Security. He works on the Retina and SecureIIS product lines and leads the reverse engineering and custom exploitation efforts for eEye’s research team. Ryan was behind the initial analysis of the CodeRed worm, and has developed many proof of concept exploits provided to vendors and the security community. Ryan has experience in NT, UNIX, systems and application programming as well as large-scale secure network deployment and maintenance. Ryan currently lives and works in sunny Orange County, California. Ryan would like to offer special thanks to Riley Hassel for his assistance in providing the Linux exploitation of a sample buffer overflow. He would also like to thank the rest of the eEye team, Greg Hoglund, and Ryan Russell, for the original foundation ideas included in his chapter.
Norris L. Johnson, Jr. (MCSE, MCT, CTT+, A+, Network+) is a technology trainer and owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients. He specializes in Windows NT 4.0, Windows 2000, and Windows XP issues, providing planning, implementation, and integration services. In addition to consulting work, Norris provides technical training for clients and teaches for area community and technical colleges. He co-authored Configuring and Troubleshooting Windows XP Professional (Syngress Publishing, ISBN: 1-928994-80-6), and performed technical edits on Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3) and Windows 2000 Active Directory, Second Edition (ISBN: 1-928994-60-1).
Norris holds a Bachelor’s degree from Washington State University. He is deeply appreciative of the support of his wife Cindy and three sons in helping to maintain his focus and efforts toward computer training and education.
Ido Dubrawsky (CCNA, SCSA) is a Network Security Engineer and a member of Cisco’s Secure Consulting Services in Austin, Texas. He currently conducts security posture assessments for clients as well as provides technical consulting for security design reviews. His strengths include Cisco routers and switches, PIX firewall, Solaris systems, and freeware intrusion detection systems. Ido holds a Bachelor’s and a Master’s degree from the University of Texas at Austin and is a member of USENIX and SAGE. He has written several articles covering Solaris security and network security for Sysadmin magazine as well as SecurityFocus. He lives in Austin, Texas with his family.
Robert Graham has been developing sniffers since 1990, when he wrote most of the protocol decodes for the ProTools protocol-analyzer, including real-time tools for password sniffing and Telnet session spying. Robert worked for Network General between 1994 and 1998 where he rewrote all of the protocol-decodes for the Sniffer protocol-analyzer. He founded Network ICE in 1998 and created the BlackICE network-sniffing intrusion detection system. He is now the chief architect at Internet Security Systems in charge of the design for the RealSecure IDS.
Steve Manzuik (MCP) was most recently a Manager in Ernst & Young’s Security and Technology Solutions practice specializing in profiling services. Over the last ten years Steve has been involved in IT integration, support, and security. Steve is a published author on security topics, a sought after speaker and information security panelist and is the moderator of a full disclosure security mailing list, VulnWatch (www.vulnwatch.org). Steve also has acted as a Security Analyst for a world wide group of White Hat Hackers and Security Researchers, the BindView RAZOR Team.
Steve is a board member of the Calgary Security Professionals Information Exchange (SPIE) group, which is an information-sharing group of local security professionals from various private and government sectors. Steve has a strong background in Microsoft technologies and the various security issues surrounding them, and has successfully guided multiple organizations in securing Microsoft Windows NT hosts for use in a hostile environment. He lives in Calgary, Alberta, Canada with his wife Heather, son, Greyson and newborn daughter Hope.
From the First Edition
The following individuals contributed to the first edition of Hack Proofing Your Network: Internet Tradecraft. Although not contributors to the second edition, their work and ideas from the first edition have been included.
Oliver Friedrichs has over twelve years of experience in the information security industry, ranging from development to management. Oliver is a co-founder of the information security firm SecurityFocus.com. Previous to founding SecurityFocus, Oliver was a Co-Founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. Post acquisition, Oliver managed the development of Network Associates’ award-winning CyberCop Scanner network auditing product, and managed Network Associates’ vulnerability research team. Oliver has delivered training on computer security issues for organizations such as the IRS, FBI, Secret Service, NASA, TRW, Canadian Department of Defense, RCMP, and CSE.
Greg Hoglund is a software engineer and researcher. He has written several successful security products for Windows NT. Greg also operates the Windows NT Rootkit project, located at www.rootkit.com. He has written several white papers on content-based attacks, kernel patching, and forensics. Currently he works as a founder of Click To Secure, Inc., building new security and quality assurance tools. His web site can be found at www.clicktosecure.com.
Elias Levy is the moderator of Bugtraq, one of the most read security mailing lists on the Internet, and a co-founder of Security Focus. Throughout his career, Elias has served as computer security consultant and security engineer for some of the largest corporations in the United States. Outside of the computer security industry, he has worked as a UNIX software developer, a network engineer, and system administrator.
Mudge is the former CEO and Chief Scientist of renowned ‘hacker think-tank’ the L0pht, and is considered the nation’s leading “grey-hat hacker.” He and the original members of the L0pht are now heading up @stake’s research labs, ensuring that the company is at the cutting edge of Internet security. Mudge is a widely sought-after keynote speaker in various forums, including analysis of electronic threats to national security. He has been called to testify before the Senate Committee on Governmental Affairs and to be a witness to the House and Senate joint Judiciary Oversight committee. Mudge has briefed a wide range of members of Congress and has conducted training courses for the Department of Justice, NASA, the US Air Force, and other government agencies. Mudge participated in President Clinton’s security summit at the White House. He joined a small group of high tech executives, privacy experts, and government officials to discuss Internet security.
A recognized name in cryptanalysis, Mudge has co-authored papers with Bruce Schneier that were published in the 5th ACM Conference on Computer and Communications Security, and the Secure Networking – CQRE International Exhibition and Congress.
He is the original author of L0phtCrack, the award winning NT password auditing tool. In addition, Mudge co-authored AntiSniff, the world’s first commercial remote promiscuous mode detection program. He has written over a dozen advisories and various tools, many of which resulted in numerous CERT advisories, vendor updates, and patches.
Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in Biloxi, MS. He has assisted several clients in the development and implementation of network security plans for their organizations. Both network and operating system security have always intrigued Stace, so he strives to constantly stay on top of the changes in this ever-evolving field. While in the Air Force he held the positions of Network Security Officer and Computer Systems Security Officer. While in the Air Force, Stace was heavily involved in installing, troubleshooting, and protecting long-haul circuits with the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards. Stace was a contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored over 18 books published by Osborne/McGraw-Hill, Syngress, and Microsoft Press. He has also performed as Technical Editor for various other books and has written for Internet Security Advisor magazine.
Technical Editor and Contributor
Ryan Russell is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (Syngress Publishing, ISBN: 1-928994-15-6). He is an Incident Analyst at SecurityFocus, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 13 years, the last 7 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years, and is frequently sought after as a speaker at security conferences. Ryan has contributed to four other Syngress Publishing titles on the topic of networking, and four on the topic of security. He holds a Bachelors of Science degree in Computer Science.
Contents

Foreword v 1.5 xxix
Foreword v 1.0 xxxiii
Chapter 1 How To Hack 1
Introduction 2
What We Mean by “Hack” 2
Why Hack? 3
Knowing What To Expect in the Rest of This Book 4
Understanding the Current Legal Climate 6
Summary 8
Frequently Asked Questions 8
Chapter 2 The Laws of Security 11
Introduction 12
Knowing the Laws of Security 12
Client-Side Security Doesn’t Work 14
You Cannot Securely Exchange Encryption Keys without a Shared Piece of Information 15
Malicious Code Cannot Be 100 Percent Protected against 18
Any Malicious Code Can Be Completely Morphed to Bypass Signature Detection 20
Firewalls Cannot Protect You 100 Percent from Attack 22
Social Engineering 24
Attacking Exposed Servers 24
Attacking the Firewall Directly 26
Client-Side Holes 26
Any IDS Can Be Evaded 27
Secret Cryptographic Algorithms Are Not Secure 28
If a Key Is Not Required, You Do Not Have Encryption—You Have Encoding 30
Passwords Cannot Be Securely Stored on the Client Unless There Is Another Password to Protect Them 32
In Order for a System to Begin to Be Considered Secure, It Must Undergo an Independent Security Audit 35
Security through Obscurity Does Not Work 37
Understanding the Current Legal Climate
This book will teach you techniques that, if used in the wrong way, will get you in trouble with the law. Me saying this is like a driving instructor saying, “I’m going to teach you how to drive; if you drive badly, you might run someone over.” In both cases, any harm done would be your fault.

Tools & Traps…
Want to Check that Firewall?
There are an incredible number of freeware tools available to you for beginning your checks of vulnerability. I have a couple of favorites that allow for quick probes and checks of information about various IP addresses:
SuperScan, from Foundstone Corporation: www.foundstone.com/knowledge/free_tools.html
Sam Spade, from SamSpade.org: www.samspade.org.
Summary 39
Solutions Fast Track 39
Frequently Asked Questions 42
Chapter 3 Classes of Attack 45
Introduction 46
Identifying and Understanding the Classes of Attack 46
Denial of Service 47
Local Vector Denial of Service 47
Network Vector Denial of Service 50
Information Leakage 56
Service Information Leakage 56
Protocol Information Leakage 58
Leaky by Design 60
Leaky Web Servers 60
A Hypothetical Scenario 61
Why Be Concerned with Information Leakage? 61
Regular File Access 62
Permissions 62
Symbolic Link Attacks 63
Misinformation 65
Standard Intrusion Procedure 67
Special File/Database Access 69
Attacks against Special Files 69
Attacks against Databases 70
Remote Arbitrary Code Execution 72
The Attack 73
Code Execution Limitations 74
Elevation of Privileges 74
Remote Privilege Elevation 75
Identifying Methods of Testing for Vulnerabilities 77
Proof of Concept 77
Exploit Code 78
Automated Security Tools 79
Versioning 79
Standard Research Techniques 80
Whois 81
Domain Name System 86
Nmap 89
Web Indexing 90
There are seven classes of attacks: denial of service (DoS), information leakage, regular file access, misinformation, special file/database access, remote arbitrary code execution, and elevation of privileges.
Summary 93
Solutions Fast Track 95
Frequently Asked Questions 96
Chapter 4 Methodology 99
Introduction 100
Understanding Vulnerability Research Methodologies 100
Source Code Research 101
Searching For Error-Prone Functions 101
Line-By-Line Review 102
Discovery Through Difference 102
Binary Research 104
Tracing Binaries 104
Debuggers 105
Guideline-Based Auditing 105
Sniffers 105
The Importance of Source Code Reviews 106
Searching Error-Prone Functions 106
Buffer Overflows 106
Input Validation Bugs 110
Race Conditions 112
Reverse Engineering Techniques 113
Disassemblers, Decompilers, and Debuggers 120
Black Box Testing 125
Chips 126
Summary 128
Solutions Fast Track 129
Frequently Asked Questions 130
Chapter 5 Diffing 131
Introduction 132
What Is Diffing? 132
Why Diff? 135
Looking to the Source Code 136
Going for the Gold: A Gaming Example 139
Exploring Diff Tools 143
Using File-Comparison Tools 143
Using the fc Tool 143
Using the diff Command 145
Working with Hex Editors 146
Hackman 147
[N] Curses Hexedit 148
Hex Workshop 149
Q: Is decompiling and other reverse engineering legal?
A: In the United States, reverse engineering may soon be illegal. The Digital Millennium Copyright Act includes a provision designed to prevent the circumvention of technological measures that control access to copyrighted works. Source code can be copyrighted, and therefore makes the reverse engineering of copyrighted code illegal.

Recursive Grepping
According to Ryan Tennant’s (Argoth) Solaris Infrequently Asked Obscure Questions (IAOQ) at unix.org/~argoth/iaoq, a recursive grep can be performed using the following command:
/usr/bin/find . | /usr/bin/xargs /usr/bin/grep PATTERN
Utilizing File System Monitoring Tools 150
Doing It The Hard Way: Manual Comparison 150
Comparing File Attributes 151
Using the Archive Attribute 153
Examining Checksums and Hashes 154
Finding Other Tools 155
Troubleshooting 157
Problems with Checksums and Hashes 157
Problems with Compression and Encryption 159
Summary 160
Solutions Fast Track 161
Frequently Asked Questions 162
Chapter 6 Cryptography 165
Introduction 166
Understanding Cryptography Concepts 166
History 167
Encryption Key Types 167
Learning about Standard Cryptographic Algorithms 169
Understanding Symmetric Algorithms 170
DES 170
AES (Rijndael) 172
IDEA 173
Understanding Asymmetric Algorithms 174
Diffie-Hellman 174
RSA 176
Understanding Brute Force 177
Brute Force Basics 177
Using Brute Force to Obtain Passwords 178
L0phtcrack 180
Crack 181
John the Ripper 182
Knowing When Real Algorithms Are Being Used Improperly 183
Bad Key Exchanges 183
Hashing Pieces Separately 184
Using a Short Password to Generate a Long Key 185
Improperly Stored Private or Secret Keys 186
Understanding Amateur Cryptography Attempts 188
Classifying the Ciphertext 189
John the Ripper
John the Ripper is another password-cracking program, but it differs from Crack in that it is available in UNIX, DOS, and Win32 editions. Crack is great for older systems using crypt(), but John the Ripper is better for newer systems using MD5 and similar password formats.
Frequency Analysis 189
Ciphertext Relative Length Analysis 190
Similar Plaintext Analysis 190
Monoalphabetic Ciphers 191
Other Ways to Hide Information 191
XOR 191
UUEncode 195
Base64 195
Compression 197
Summary 199
Solutions Fast Track 200
Frequently Asked Questions 202
Chapter 7 Unexpected Input 205
Introduction 206
Understanding Why Unexpected Data Is Dangerous 206
Finding Situations Involving Unexpected Data 208
Local Applications and Utilities 208
HTTP/HTML 208
Unexpected Data in SQL Queries 211
Application Authentication 215
Disguising the Obvious 220
Using Techniques to Find and Eliminate Vulnerabilities 221
Black-Box Testing 222
Discovering Network and System Problems 225
Use the Source 226
Untaint Data by Filtering It 227
Escaping Characters Is Not Always Enough 227
Perl 228
Cold Fusion/Cold Fusion Markup Language (CFML) 229
ASP 229
PHP 230
Protecting Your SQL Queries 231
Silently Removing versus Alerting on Bad Data 232
Invalid Input Function 232
Token Substitution 233
Utilizing the Available Safety Features in Your Programming Language 233
Understanding Why Unexpected Data Is Dangerous
Almost all applications interact with the user, and thus take data from them.
An application can’t assume that the user is playing by the rules.
The application has to be wary of buffer overflows, logic alteration, and the validity of data passed to system functions.
Perl 233
PHP 235
ColdFusion/ColdFusion Markup Language 235
ASP 236
MySQL 237
Using Tools to Handle Unexpected Data 237
Web Sleuth 237
CGIAudit 237
RATS 237
Flawfinder 238
Retina 238
Hailstorm 238
Pudding 238
Summary 239
Solutions Fast Track 239
Frequently Asked Questions 242
Chapter 8 Buffer Overflow 243
Introduction 244
Understanding the Stack 244
The Code 246
Disassembly 247
The Stack Dump 248
Oddities and the Stack 249
Understanding the Stack Frame 249
Introduction to the Stack Frame 250
Passing Arguments to a Function: A Sample Program 250
The Disassembly 251
The Stack Dumps 254
Stack Frames and Calling Syntaxes 256
Learning about Buffer Overflows 257
A Simple Uncontrolled Overflow: A Sample Program 259
The Disassembly 260
The Stack Dumps 262
Creating Your First Overflow 263
Creating a Program with an Exploitable Overflow 264
Writing the Overflowable Code 264
Disassembling the Overflowable Code 265
Stack Dump after the Overflow 267
Performing the Exploit 267
Damage & Defense… Understanding Assembly Language
There are a few specific pieces of assembly language knowledge that are necessary to understand the stack. One thing that is required is to understand the normal usage of the registers that manage the stack:
- EIP The extended instruction pointer; holds the address of the next instruction to execute.
- ESP The extended stack pointer; points to the current top of the stack.
- EBP The extended base pointer; anchors the current stack frame, so local variables and arguments are addressed relative to it.
General Exploit Concepts 268
Buffer Injection Techniques 268
Methods to Execute Payload 269
Designing Payload 281
Performing the Exploit on Linux 282
Performing the Exploit on Windows NT 293
Learning Advanced Overflow Techniques 303
Input Filtering 303
Incomplete Overflows and Data
Corruption 304
Stack Based Function Pointer Overwrite 306
Heap Overflows 306
Corrupting a Function Pointer 307
Trespassing the Heap 307
Advanced Payload Design 310
Using What You Already Have 310
Dynamic Loading New Libraries 311
Eggshell Payloads 313
Summary 314
Solutions Fast Track 314
Frequently Asked Questions 317
Chapter 9 Format Strings 319
Introduction 320
Understanding Format String Vulnerabilities 322
Why and Where Do Format
String Vulnerabilities Exist? 326
How Can They Be Fixed? 327
How Format String Vulnerabilities
Are Exploited 328
Denial of Service 329
Reading Memory 329
Writing to Memory 330
How Format String Exploits Work 332
Constructing Values 333
What to Overwrite 335
Overwriting Return Addresses 335
Overwriting Global Offset Table
Entries and Other Function Pointers 335
Examining a Vulnerable Program 336
Testing with a Random Format String 340
Writing a Format String Exploit 344
Q: How can I eliminate or minimize the risk of unknown format string vulnerabilities in programs on my system?
A: A good start is having a sane security policy. Rely on the least-privileges model; ensure that only the most necessary utilities are installed setuid and that they can be run only by members of a trusted group. Disable or block access to all services that are not completely necessary.
Summary 356
Solutions Fast Track 356
Frequently Asked Questions 358
Chapter 10 Sniffing 361
Introduction 362
What Is Sniffing? 362
How Does It Work? 362
What to Sniff? 363
Obtaining Authentication Information 363
Monitoring Telnet (Port 23) 364
Monitoring FTP (Port 21) 364
Monitoring POP (Port 110) 365
Monitoring IMAP (Port 143) 365
Monitoring NNTP (Port 119) 366
Monitoring rexec (Port 512) 366
Monitoring rlogin (Port 513) 367
Monitoring X11 (Port 6000+) 368
Monitoring NFS File Handles 368
Capturing Windows NT Authentication
Information 369
Capturing Other Network Traffic 370
Monitoring SMTP (Port 25) 370
Monitoring HTTP (Port 80) 370
Popular Sniffing Software 371
Ethereal 371
Network Associates Sniffer Pro 372
NT Network Monitor 374
WildPackets 375
TCPDump 376
dsniff 377
Ettercap 380
Esniff.c 380
Sniffit 381
Carnivore 382
Additional Resources 385
Advanced Sniffing Techniques 385
Man-in-the-Middle (MITM) Attacks 385
Cracking 386
Switch Tricks 386
ARP Spoofing 386
MAC Flooding 387
Routing Games 388
Ethereal Capture Preferences
Exploring Operating System APIs 388
Linux 388
BSD 392
libpcap 392
Windows 395
Taking Protective Measures 395
Providing Encryption 395
Secure Shell (SSH) 396
Secure Sockets Layers (SSL) 397
PGP and S/MIME 397
Switching 398
Employing Detection Techniques 398
Local Detection 398
Network Detection 399
DNS Lookups 399
Latency 399
Driver Bugs 400
AntiSniff 400
Network Monitor 400
Summary 401
Solutions Fast Track 402
Frequently Asked Questions 404
Chapter 11 Session Hijacking 407
Introduction 408
Understanding Session Hijacking 408
TCP Session Hijacking 410
TCP Session Hijacking with Packet
Blocking 411
Route Table Modification 411
ARP Attacks 414
UDP Hijacking 415
Examining the Available Tools 416
Juggernaut 416
Hunt 420
Ettercap 425
SMBRelay 430
Storm Watchers 430
ACK Storms 431
Playing MITM for Encrypted Communications 433
Man-in-the-Middle Attacks 434
Dsniff 435
Other Hijacking 436
Understanding Session Hijacking
- The point of hijacking a connection is to steal trust.
- Hijacking is a race scenario: Can the attacker get an appropriate response packet in before the legitimate server or client can?
- Attackers can remotely modify routing tables to redirect packets or get a system into the routing path between two hosts.
Summary 438
Solutions Fast Track 438
Frequently Asked Questions 440
Chapter 12 Spoofing: Attacks
on Trusted Identity 443
Introduction 444
What It Means to Spoof 444
Spoofing Is Identity Forgery 444
Spoofing Is an Active Attack
against Identity Checking Procedures 445
Spoofing Is Possible at All
Layers of Communication 445
Spoofing Is Always Intentional 446
Spoofing May Be Blind or Informed,
but Usually Involves Only Partial
Credentials 447
Spoofing Is Not the Same Thing as Betrayal 448
Spoofing Is Not Necessarily Malicious 448
Spoofing Is Nothing New 449
Background Theory 449
The Importance of Identity 450
The Evolution of Trust 451
Asymmetric Signatures between Human
Beings 451
Establishing Identity within Computer
Networks 453
Return to Sender 454
In the Beginning, There Was… a Transmission 455
Capability Challenges 457
Ability to Transmit: “Can It Talk to Me?” 457
Ability to Respond: “Can It Respond to Me?” 459
Ability to Encode: “Can It Speak My Language?” 463
Ability to Prove a Shared Secret: “Does It Share a Secret with Me?” 465
Ability to Prove a Private Keypair: “Can I Recognize Your Voice?” 467
Tools & Traps… Perfect Forward Secrecy: SSL’s Dirty Little Secret
The dirty little secret of SSL is that, unlike SSH and unnecessarily like standard PGP, its standard modes are not perfectly forward secure. This means that an attacker can lie in wait, sniffing encrypted traffic at its leisure for as long as it desires, until one day it breaks in and steals the SSL private key used by the SSL engine (which is extractable from all but the most custom hardware).
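To make the sidebar's point concrete, the following Python is an added illustration, not code from the book. It simulates the two handshake styles with toy-sized parameters (constructed here and far too small for real use), records each session as a passive sniffer would, and then replays the attack with the server's private key in hand. With static RSA key transport the recording decrypts; with ephemeral Diffie-Hellman the stolen key can still sign or forge future handshakes, but it hands back no session key for the traffic already captured. All function names and parameters are assumptions made for the example.

```python
import hashlib
import secrets

# Toy parameters, constructed for this illustration only; nowhere near real-world sizes.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753   # p = 61, q = 53; RSA_D is the server's long-term private key
DH_P = (1 << 127) - 1                  # a Mersenne prime, small enough to read
DH_G = 2


def kdf(secret):
    """Derive a session key from a shared secret (toy KDF)."""
    return hashlib.sha256(str(secret).encode()).digest()


def xor_encrypt(key, data):
    """Toy record-layer 'encryption': XOR with the session key repeated (illustration only)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rsa_key_transport_session(plaintext):
    """Static RSA key exchange (SSL's default mode): the client encrypts a premaster secret
    to the server's long-term public key. The capture therefore contains everything needed
    to rebuild the session key once that private key leaks."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    encrypted_premaster = pow(premaster, RSA_E, RSA_N)
    session_key = kdf(premaster)
    return {"encrypted_premaster": encrypted_premaster,
            "record": xor_encrypt(session_key, plaintext)}


def dhe_session(plaintext):
    """Ephemeral Diffie-Hellman: the long-term key only signs the server's ephemeral value.
    The shared secret g^ab never crosses the wire, and the exponents are discarded."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A = pow(DH_G, a, DH_P)
    B = pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(B).encode()).digest(), "big") % RSA_N
    signature = pow(digest, RSA_D, RSA_N)     # toy RSA signature over B
    session_key = kdf(pow(A, b, DH_P))
    del a, b                                  # ephemeral secrets are gone after the handshake
    return {"A": A, "B": B, "signature": signature,
            "record": xor_encrypt(session_key, plaintext)}


def verify_dhe_signature(capture):
    """What the client checks during the handshake: the server's long-term key signed B."""
    digest = int.from_bytes(hashlib.sha256(str(capture["B"]).encode()).digest(), "big") % RSA_N
    return pow(capture["signature"], RSA_E, RSA_N) == digest


def decrypt_capture_with_stolen_key(capture, stolen_d):
    """The attacker recorded `capture` earlier and has now stolen the server's private key."""
    if "encrypted_premaster" in capture:
        premaster = pow(capture["encrypted_premaster"], stolen_d, RSA_N)
        return xor_encrypt(kdf(premaster), capture["record"])
    # DHE capture: only A, B and a signature were recorded. The stolen key lets the attacker
    # forge future handshakes (an active attack) but yields no exponent, so the old recording
    # stays sealed short of solving the discrete logarithm.
    return None


if __name__ == "__main__":
    msg = b"GET /account HTTP/1.0"
    print(decrypt_capture_with_stolen_key(rsa_key_transport_session(msg), RSA_D))
    print(decrypt_capture_with_stolen_key(dhe_session(msg), RSA_D))
```

The asymmetry is the whole point of the sidebar: a key-transport handshake makes the long-term private key a decryption key for every past session, whereas a signed ephemeral exchange makes it only an authentication key, which is why the answer to a later key theft differs so much between the two.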
Ability to Prove an Identity Keypair:
“Is Its Identity Independently
Represented in My Keypair?” 468
Configuration Methodologies:
Building a Trusted Capability Index 470
Local Configurations vs. Central Configurations 470
Desktop Spoofs 471
The Plague of Auto-Updating Applications 471
Impacts of Spoofs 473
Subtle Spoofs and Economic Sabotage 474
Flattery Will Get You Nowhere 474
Subtlety Will Get You Everywhere 476
Selective Failure for Selecting Recovery 476
Bait and Switch: Spoofing the Presence
of SSL Itself 478
Down and Dirty: Engineering Spoofing Systems 486
Spitting into the Wind: Building
a Skeleton Router in Userspace 486
Designing the Nonexistent: The Network Card That Didn’t Exist but Responded Anyway 487
Implementation: DoxRoute, Section
by Section 488
Bring Out the Halon: Spoofing
Connectivity Through Asymmetric
Firewalls 510
Symmetric Outgoing TCP:
A Highly Experimental Framework
for Handshake-Only TCP
Connection Brokering 511
Summary 518
Solutions Fast Track 519
Frequently Asked Questions 523
Chapter 13 Tunneling 527
Introduction 528
Strategic Constraints of Tunnel Design 530
Privacy: “Where Is My Traffic Going?” 532
Routability: “Where Can This Go Through?” 532
Deployability: “How Painful Is This to Get Up and Running?” 533
Flexibility: “What Can We Use This for, Anyway?” 534
Quality: “How Painful Will This System Be to Maintain?” 537
Designing End-to-End Tunneling Systems 537
Drilling Tunnels Using SSH 538
Security Analysis: OpenSSH 3.02 539
Setting Up OpenSSH 541
Open Sesame: Authentication 543
Basic Access: Authentication by Password 543
Transparent Access: Authentication by Private Key 544
Server to Client Authentication 544
Client to Server Authentication 545
Command Forwarding: Direct
Execution for Scripts and Pipes 550
Port Forwarding: Accessing Resources on Remote Networks 556
Local Port Forwards 557
Dynamic Port Forwards 560
Internet Explorer 6: Making the Web
Safe for Work 561
Speak Freely: Instant Messaging over SSH 564
That’s a Wrap: Encapsulating Arbitrary
Win32 Apps within the Dynamic
Forwarder 566
Summoning Virgil: Using Dante’s
Socksify to Wrap UNIX Applications 567
Remote Port Forwards 569
When in Rome: Traversing the Recalcitrant Network 571
Crossing the Bridge: Accessing Proxies through ProxyCommands 571
No Habla HTTP? Permuting thy Traffic 575
Show Your Badge: Restricted
Bastion Authentication 576
Bringing the Mountain: Exporting
SSHD Access 579
Echoes in a Foreign Tongue:
Cross-Connecting Mutually
Firewalled Hosts 581
Not In Denver, Not Dead: Now What? 584
Standard File Transfer over SSH 584
Primary questions for privacy of communications include the following:
- Can anyone else monitor the traffic within this tunnel? Read access, addressed by encryption.
- Can anyone else modify the traffic within this tunnel, or surreptitiously gain access to it? Write access, addressed primarily through authentication.
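An added Python illustration (not from the book) of why those two questions have different answers: a toy stream cipher that settles only the first one still lets an attacker who cannot read a single byte rewrite a payment amount by flipping ciphertext bits, while an HMAC over the ciphertext turns the second question from “yes” into “detected”. The keys, the message, the toy keystream and the function names are all constructed for the demonstration; a real tunnel would use a vetted AEAD mode rather than this hand-rolled pairing.

```python
import hashlib
import hmac


def keystream(key, length):
    """Toy keystream: SHA-256 in counter mode. Illustration only, never for real traffic."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only(key, data):
    """Confidentiality alone: XOR with the keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


decrypt_only = encrypt_only


def tamper(ciphertext, offset, old, new):
    """What an attacker with write access does without reading anything: XOR in old ^ new,
    so the plaintext underneath changes from `old` to `new` at `offset`."""
    buf = bytearray(ciphertext)
    for i in range(len(old)):
        buf[offset + i] ^= old[i] ^ new[i]
    return bytes(buf)


def seal(enc_key, mac_key, plaintext):
    """Confidentiality plus authentication: encrypt, then MAC the ciphertext."""
    ct = encrypt_only(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag first (constant-time compare); only then decrypt. None means tampered."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return encrypt_only(enc_key, ct)


if __name__ == "__main__":
    enc_key, mac_key = b"e" * 32, b"m" * 32
    msg = b"transfer $100 to bob"
    ct = encrypt_only(enc_key, msg)
    print(decrypt_only(enc_key, tamper(ct, 10, b"100", b"900")))     # amount silently changed
    print(open_sealed(enc_key, mac_key, tamper(seal(enc_key, mac_key, msg), 10, b"100", b"900")))
```

The same bit-flip that rewrites "$100" into "$900" under encryption alone produces a failed tag under encrypt-then-MAC, which is the sense in which write access is answered by authentication rather than by the cipher.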