The Hacker's Handbook
The Strategy behind Breaking into and Defending Networks
© 2004 by CRC Press LLC

OTHER AUERBACH PUBLICATIONS

The ABCs of IP Addressing
Gilbert Held
ISBN: 0-8493-1144-6

The ABCs of LDAP
Reinhard Voglmaier
ISBN: 0-8493-1346-5

The ABCs of TCP/IP
Gilbert Held
ISBN: 0-8493-1463-1

Building an Information Security Awareness Program
Mark B. Desman
ISBN: 0-8493-0116-5

Building a Wireless Office
Gilbert Held
ISBN: 0-8493-1271-X

The Complete Book of Middleware
Judith Myerson
ISBN: 0-8493-1272-8

Computer Telephony Integration, 2nd Edition
William A. Yarberry, Jr.
ISBN: 0-8493-1438-0

Electronic Bill Presentment and Payment
Kornel Terplan
ISBN: 0-8493-1452-6

Information Security Architecture
Jan Killmeyer Tudor
ISBN: 0-8493-9988-2

Information Security Management Handbook, 4th Edition, Volume 1
Harold F. Tipton and Micki Krause, Editors
ISBN: 0-8493-9829-0

Information Security Management Handbook, 4th Edition, Volume 2
Harold F. Tipton and Micki Krause, Editors
ISBN: 0-8493-0800-3

Information Security Management Handbook, 4th Edition, Volume 3
Harold F. Tipton and Micki Krause, Editors
ISBN: 0-8493-1127-6

Information Security Management Handbook, 4th Edition, Volume 4
Harold F. Tipton and Micki Krause, Editors
ISBN: 0-8493-1518-2

Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management
Thomas R. Peltier
ISBN: 0-8493-1137-3

Information Security Risk Analysis
Thomas R. Peltier
ISBN: 0-8493-0880-1

Interpreting the CMMI: A Process Improvement Approach
Margaret Kulpa and Kurt Johnson
ISBN: 0-8493-1654-5

IS Management Handbook, 8th Edition
Carol V. Brown and Heikki Topi
ISBN: 0-8493-1595-6

Managing a Network Vulnerability Assessment
Thomas R. Peltier and Justin Peltier
ISBN: 0-8493-1270-1

A Practical Guide to Security Engineering and Information Assurance
Debra Herrmann
ISBN: 0-8493-1163-2

The Privacy Papers: Managing Technology and Consumers, Employee, and Legislative Action
Rebecca Herold
ISBN: 0-8493-1248-5

Securing and Controlling Cisco Routers
Peter T. Davis
ISBN: 0-8493-1290-6

Six Sigma Software Development
Christine B. Tayntor
ISBN: 0-8493-1193-4

Software Engineering Measurement
John Munson
ISBN: 0-8493-1502-6

A Technical Guide to IPSec Virtual Private Networks
James S. Tiller
ISBN: 0-8493-0876-3

Telecommunications Cost Management
Brian DiMarsico, Thomas Phelps IV, and William A. Yarberry, Jr.
ISBN: 0-8493-1101-2

AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
E-mail:

AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton London New York Washington, D.C.

The Hacker's Handbook
The Strategy behind Breaking into and Defending Networks
SUSAN YOUNG AND DAVE AITEL

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the authors and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-0888-7/04/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.

Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the Auerbach Publications Web site at www.auerbach-publications.com

© 2004 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC

No claim to original U.S. Government works
International Standard Book Number 0-8493-0888-7
Library of Congress Card Number 2003055391
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Printed on acid-free paper

Library of Congress Cataloging-in-Publication Data

Young, Susan (Susan Elizabeth), 1968–
The hacker’s handbook : the strategy behind breaking into and defending Networks /
Susan Young, Dave Aitel.
p. cm.

Includes bibliographical references and index.
ISBN 0-8493-0888-7 (alk. paper)
1. Computer networks—Security measures. 2. Computer networks—Access control. 3.
Computer hackers. I. Aitel, Dave. II. Title.
TK5105.59.Y68 2003
005.8—dc22 2003055391
CIP

AU0888_C00.fm Page iv Wednesday, October 1, 2003 5:41 AM

Acknowledgments

Every book, as they say, has a story. This book's history has been a long and varied one. Along the way, numerous individuals have contributed their time, focus, energy, technical acumen, or moral support to seeing The Hacker's Handbook through to its conclusion.

The authors would like to thank the following individuals for their contributions and support:

• Rich O'Hanley and the production staff at Auerbach Press for their tireless support of this book, in spite of its long (and somewhat nefarious) history.
• Our contributing authors — Felix Lindner, Jim Barrett, Scott Brown, and John Zuena — for taking the time and care to write several excellent chapters on the hacking community, malware, directory services, and network hardware that contain some truly unique and interesting material.
• Our technical reviewers, including Jim Tiller, Anton Chuvakin, Sean Cemm, Ben Rothke, and Ted Shagory, for their insights and for dedicating their time and energy to helping to shape a better book.

We are confident that this review process will continue as this text goes to publication, and want — in advance — to thank our readers and reviewers for their attention to the ongoing quality of this book.

In addition, Dave Aitel would like to thank Justine Bone for her support and encouragement, and Susan Young would like to thank the following individuals: the Darklord (Thomas McGinn) for keeping his personal commitment to support the effort that went into this book in spite of many months of spent deadlines, missed weekends, and fatigue (thanks, T2B); Trevor Young, for lending his genuine talent, enthusiasm, time, and care to crafting the illustrations throughout this book; Gemma Young, and her parents, Sylvia and Neil, for their interest, support, and advice through two years of long distance phone calls; and International Network Services (and particularly Steven Marandola, Bob Breingan, and Shaun Meaney) for making available time and support for the completion of this book.


Authors

Dave Aitel is the founder of Immunity, Inc. (www.immunitysec.com), with prior experience at both private industry security consulting companies and the National Security Agency. His tools, SPIKE and SPIKE Proxy, are widely regarded as the best black box application assessment tools available.

Susan Young has worked in the security field for the past seven years, four of which have been spent in the security consulting arena, helping clients design and implement secure networks, training on security technologies, and conducting security assessments and penetration tests of client system or network defenses (so-called ethical hacking). Her experience has included consulting work in the defense sector and the financial industry, as well as time spent evaluating and deconstructing various security products. She currently works as a senior security consultant in the Boston area security practice of International Network Services (INS).


Contributors

Jim Barrett (CISA, CISSP, MCSE, CCNP) is a principal consultant for the Boston office of International Network Services (INS). He currently serves as the national Microsoft practice leader for INS and has been working with Microsoft technologies for longer than he can remember. Prior to INS, Jim spent several years as a member of the information systems audit and security practice of Ernst & Young LLP, where he co-authored the firm's audit methodology for Novell NetWare 4.1 and was an instructor at the Ernst & Young National Education Center. His areas of expertise include network operating systems and information systems security.

Scott Brown (CISSP, GCIA, GCIH) is a senior security consultant for International Network Services, with more than 13 years experience in the information technologies field. He is a Certified Information Systems Security Professional (CISSP), and holds both SANS GCIA and GCIH certifications. Scott is also a private pilot with a rating in single engine aircraft.

John Zuena (CISSP, CCNA, CCDA, NNCSE) is a senior consultant for International Network Services, with more than 14 years experience in the information technologies field. He is a Certified Information Systems Security Professional (CISSP) and holds both Cisco and Nortel internetworking certifications. He is also a private pilot with ratings in both single engine airplanes and helicopters.


Illustrator

Trevor Young has been drawing, painting, creating, and generally exercising his artistic imagination for a very long time.

Young attended Camberwell College of Art in London, studying graphic design and illustration, and has gone on to a successful career in the film special effects industry in London, first working for the Film Factory and currently as a digital compositor for Hypnosis VFX Ltd. You will find him in the IMDb at . He has continued to work in illustration from time to time and generously contributed his time to create a set of illustrations for this book that have become truly integral to the book and the subject matter.


List of Abbreviations

ACK  Acknowledge (TCP flag)
ARIN  American Registry for Internet Numbers
ASCII  American Standard Code for Information Interchange (character set)
ASN  Autonomous System Number
ASP  Active Server Pages or Application Service Provider
BSDI  Berkeley Software Design, Inc. (BSD/OS) Internet Server Edition
CANVAS  Immunity, Inc.'s CANVAS exploitation framework
CAST  Computer Aided Software Testing
CDE  Common Desktop Environment
CHAM  Common Hacking Attack Methods
CIFS  Common Internet File System
CPAN  Comprehensive Perl Archive Network
CRC  Cyclic Redundancy Check
CVE  Common Vulnerabilities and Exposures (list)
CVS  Concurrent Versions System (source code control system)
DDoS  Distributed Denial-of-Service
DID  Direct Inward Dialing
DIT  Directory Information Tree
DNS  Domain Name System
DNSSEC  Domain Name System Security Extensions
DoS  Denial-of-Service
DSA  Digital Signature Algorithm
EFS  Encrypting File System (Microsoft)
EIGRP  Enhanced Interior Gateway Routing Protocol
EIP  Extended Instruction Pointer (the 32-bit x86 instruction pointer register)
ESMTP  Extended Simple Mail Transfer Protocol
EVT  Event log file (Microsoft)
FIFO  First In, First Out: a queue discipline in which the oldest request is served first
FX  Handle of Felix Lindner
GCC  GNU Compiler Collection (originally GNU C Compiler)
GCIA  GIAC Certified Intrusion Analyst
GCIH  GIAC Certified Incident Handler
GDB  GNU Project Debugger
GID  Group ID (UNIX group identifier used in file permissions and access control lists)
GINA  Graphical Identification and Authentication (dynamic link library, Microsoft)
GNOME  GNU Network Object Model Environment (desktop environment)
GNU  GNU's Not Unix (the GNU Project of the Free Software Foundation)
HIDS  Host Intrusion Detection System
HKEY  Microsoft Registry hive key designation
HMAC  Keyed-Hash Message Authentication Code
HQ  Headquarters
HTTPS  Hypertext Transfer Protocol over SSL/TLS
HUMINT  Human Intelligence
ICQ  ICQ instant messaging protocol
IDS  Intrusion Detection System
IKE  Internet Key Exchange (protocol)
IMDb  Internet Movie Database
IPO  Initial Public Offering
IPSec  IP Security (protocol suite)
IRIX  Silicon Graphics IRIX operating system
ISAKMP  Internet Security Association and Key Management Protocol
ISS  Internet Security Systems
IUSR  Internet User (i.e., IUSR_machinename): the anonymous user account used by Microsoft Internet Information Server (IIS)
KB  Kilobytes or Knowledge Base
KDE  K Desktop Environment
KSL  Keystroke Logger
L2TP  Layer 2 Tunneling Protocol
LKM  Loadable Kernel Module
LM  LAN Manager (Microsoft authentication)
MIB  Management Information Base
MSDE  Microsoft Data Engine
MSDN  Microsoft Developer Network
MSRPC  Microsoft Remote Procedure Call
MUA  Mail User Agent
MVS  Multiple Virtual Storage (IBM mainframe operating system)
MX  Mail Exchange (DNS record)
NASL  Nessus Attack Scripting Language (Nessus security scanner)
NIDS  Network Intrusion Detection System
NMAP  Network Mapper (Nmap)
NMS  Network Management Station
NTFS  NT File System
NTFS5  NT File System version 5
NTLM  NT LAN Manager (authentication)
OU  Organizational Unit
PCX  .pcx image files created with Microsoft Paintbrush
PHP  PHP: Hypertext Preprocessor
PID  Process Identifier
PUT  PUT command (FTP)
RCS  Revision Control System
RDS  Remote Data Service
RIP  Routing Information Protocol
RSA  Rivest-Shamir-Adleman public key algorithm; RSA Security, Inc.
SAM  Security Accounts Manager (Microsoft)
SANS  SysAdmin, Audit, Network, Security (SANS Institute)
SASL  Simple Authentication and Security Layer
SATAN  Security Administrator Tool for Analyzing Networks
SID  Security Identifier (Microsoft)
SIGINT  Signals Intelligence
SMB  Server Message Block (protocol)
SOCKS  SOCKS proxy protocol (firewall traversal)
SRV  Service record (DNS)
SUID  Set User ID bit: a UNIX file permission bit that makes an executable run with the privileges of the file's owner rather than those of the invoking user
SYN  Synchronize (TCP SYN flag)
SYN-ACK  Synchronize-Acknowledge (TCP SYN/ACK)
USB  Universal Serial Bus
VB  Visual Basic
VM  Virtual Machine
VMS  VMS (operating system)
VNC  Virtual Network Computing (remote display software, originally from AT&T Laboratories Cambridge)
XDMCP  X Display Manager Control Protocol
XOR  Exclusive OR

Contents
1 Introduction: The Chess Game
Book Structure
Chapter 2. Case Study in Subversion
Chapter 3. Know Your Opponent
Chapter 4. Anatomy of an Attack
Chapter 5. Your Defensive Arsenal

Chapter 6. Programming
Chapter 7. IP and Layer 2 Protocols
Chapter 8. The Protocols
Chapter 9. Domain Name System (DNS)
Chapter 10. Directory Services
Chapter 11. Simple Mail Transfer Protocol (SMTP)
Chapter 12. Hypertext Transfer Protocol (HTTP)
Chapter 13. Database Hacking
Chapter 14. Malware and Viruses
Chapter 15. Network Hardware
Chapter 16. Consolidating Gains
Chapter 17. After the Fall

Chapter 18. Conclusion
PART I FOUNDATION MATERIAL
2 Case Study in Subversion
Dalmedica
The Dilemma
The Investigation
Notes
3 Know Your Opponent
Terminology
Script Kiddy
Cracker
White Hat Hacker

Black Hat Hacker
Hacktivism
Professional Attackers
History
Computer Industry and Campus
System Administration
Home Computers
Home Computers: Commercial Software
Home Computers: The BBS
Phone Systems

Ethics and Full Disclosure
Opponents Inside
The Hostile Insider
Corporate Politics
Conclusion
Notes
4 Anatomy of an Attack
Overview
Reconnaissance
Social Engineering and Site Reconnaissance
Internet Reconnaissance
Internet Search Engines and Usenet Tools

Financial Search Tools, Directories, Yellow Pages,
and Other Sources
IP and Network Reconnaissance
Registrar and whois Searches
Network Registrar Searches (ARIN)
DNS Reconnaissance
Mapping Targets
War Dialing
Network Mapping (ICMP)
ICMP Queries
TCP Pings: An Alternative to ICMP
Traceroute

Additional Network Mapping Tools
Port Scanning
TCP and UDP Scanning
Banner Grabbing
Packet Fragmentation Options
Decoy Scanning Capabilities
Ident Scanning
FTP Bounce Scanning
Source Port Scanning
Stack Fingerprinting Techniques
Vulnerability Scanning (Network-Based OS
and Application Interrogation)

Researching and Probing Vulnerabilities
System/Network Penetration
Account (Password) Cracking
Application Attacks
Cache Exploits
File System Hacking
Hostile and Self-Replicating Code
Programming Tactics
Process Manipulation
Shell Hacking

Session Hijacking
Spoofing
State-Based Attacks
Traffic Capture (Sniffing)
Trust Relationship Exploitation
Denial-of-Service
Consolidation
Security
Notes
References
Texts
Web References

5 Your Defensive Arsenal
The Defensive Arsenal
Access Controls
Network Access Controls (Firewalls)
State Management Attacks on Firewalls
Firewall Ruleset and Packet Filter Reconnaissance
IP Spoofing to Circumvent Network Access Controls
Denial-of-Service
Packet Fragmentation Attacks
Application Level Attacks
System Access Controls
Host-Based Firewalls

Operating System Access Controls
and Privilege Management
Authentication
IP Authentication
Password Authentication
Account/Password Cracking
Eavesdropping Attacks
Password Guessing Attacks
Token-Based Authentication
Session Authentication
Session Authentication Scheme Cracking
Generation of Counterfeit Session Auth Credentials

Session ID Brute-Forcing
Session Auth Eavesdropping
Session Auth/ID Stealing or “Hijacking”
Client Session/ID Theft
Cryptographic (Key-Based) Authentication
Key Transfer and Key Management Vulnerabilities
Key Transfer Vulnerabilities
Key Management Vulnerabilities
(Public Key Infrastructure)
Key Binding and Impersonation Vulnerabilities

Dictionary and Brute-Force Attacks
against Weak Secrets
Centralized Authentication Servers
RADIUS
TACACS
Kerberos
Human Authentication (Biometrics)
Resource Controls
Nonrepudiation
Digital Signatures (and Digital Certificates)
Privacy
Virtual Private Network (VPN)

Session and Protocol Encryption
Secure Sockets Layer (SSL)
Certificate and Impersonation Attacks (SSL)
Cryptographic Weaknesses (SSL)
Attacks against the Handshake Protocol (SSL)
SSL Man-in-the-Middle Attacks
Man-in-the-Middle Attack Version Rollback (SSL)
Viruses, Worms, and other Application Issues (SSL)
Secure Shell (SSH)
File System Encryption
Intrusion Detection
Network-Based and Host-Based IDS

Anomaly-Based (Behavior-Based) IDS
Signature-Based (Knowledge-Based) IDS
IDS Hacking Exploits
Address Spoofing or Proxying
Attacking the IDS
Denial-of-Service
Instigating Active Events
Nondefault Evasion and Pattern Change Evasion
Packet Fragmentation and “Session Splicing”
Port Scan Evasion
TCP Session Synchronization Attacks
URL Encoding (Unicode and Hex Attacks)
Web Evasion Techniques
File System Integrity Checkers
Security Information Management
Data Integrity
Application Proxies
Content Assurance (Antivirus, Content Scanning)
Notes
References
Texts
Web References

6 Programming
Languages
Speed and Security Trade-Offs
Native Compiled Code: C/C++/Assembly
Bytecode/Just in Time Compiled Code
(“Managed” Code): C#/Java
Interpreted (Usually Compiled into Byte Codes
at Runtime): Perl, Python (Scripting Languages),
PHP, Visual Basic, .ASP, Lisp, JSP (Web Languages)
Language-Specific Flaws and Strategic Ways to Protect
against Them
The Basics of Buffer Overflows and Other Memory

Allocation Errors
History
Basic Stack Overflows
Options for the Hacker after a Stack Overflow
So What Is a Stack Canary?
Heap Overflows
Format String Bugs
Integer Overflows
Signal Races on UNIX
What Is Shellcode?
Interpreter Bugs
File Name Canonicalization

Logic Error War Stories
Platform-Specific Programming Security Issues
Windows NT Compared to UNIX
Types of Applications
Web Applications
Cross-Site Scripting Vulnerabilities
Java J2EE
Traditional ASP
.Net
LAMP

Remote Procedure Calling
Creating an RPC Program
Special Cases
Setuid Applications on UNIX
DCOM Services
Auditing Techniques
Tools That Aid Source Auditing
Tools That Aid Reverse Engineering
Fuzzing Audit Tools
Web Security Audit Tools
General Security Tools
Encryption and Authentication

Layered Defenses
Platform-Specific Defenses (Security through Security
and Security through Obscurity)
Nonexecutable Stack
Using a Different Platform Than Expected
File System User Access Controls
Process Logging
The Insider Problem, Backdoors, and Logic Bombs
Buying an Application Assessment
Conclusion
References
7 IP and Layer 2 Protocols

Layer 2 Protocols
Address Resolution Protocol (ARP)
Protocol
Hacking Exploits
Security (Mapping ARP Exploits to ARP Defenses)
Static ARP Entries on Internet Gateways
and Firewalls
Network Management
ARP Monitoring
Port-Level Security
Reverse Address Resolution Protocol (RARP)
Protocol

Hacking Exploits
Security (Defenses for RARP-Related Attacks:
DHCP, BOOTP)
Assignment of Static IP Addresses to Clients
Use of DHCP/BOOTP MAC Controls
ARP Monitoring
Port-Level Security
Layer 3 Protocols
IP Protocol
Protocol

Hacking Exploits
IP Eavesdropping (Packet Sniffing)
IP Spoofing
IP Session Hijacking (Man-in-the-Middle Attacks)
IP Packet Fragmentation Attacks
ICMP-Based Fragmentation Attacks
Tiny Fragment Attacks
Overlapping Fragment Attacks
IP Covert Tunneling
Security (Mapping IP Exploits to IP Defenses)
Tools and Techniques to Detect Promiscuous
Mode Packet Sniffers

System Audits to Identify NICs
in Promiscuous Mode
System Hardening Procedures
to Inhibit Sniffer Installation
Inspection of Systems for Signs
of Rootkit Compromise
Institution of Switched Network
Institution of ARP Monitoring
Institution of Traffic Encryption
Implementation of Strong Authentication
Institution of Spoof Protection at Firewalls
and Access Control Devices

Patch TCP/IP Implementations
Deny Source Routing at Gateways and Firewalls
Deny ICMP Redirects at Gateways and Firewalls
Deter the Use of IP Addresses for Authentication
or Construction of Trust Relationships
Implement ARP Controls
Monitor Network Traffic Using Network
and Host-based IDS
Restrict ICMP Traffic into and out of
a Protected Network
Patch Firewalls and Intrusion Detection Systems
against Packet Fragmentation Attacks

Notes
References
Texts
Request for Comments (RFCs)
White Papers and Web References
8 The Protocols
Layer 3 Protocols
Internet Control Message Protocol (ICMP)
Protocol
Hacking Exploits

ICMP-Based Denial-of-Service
ICMP Network Reconnaissance
ICMP Time Exceeded
ICMP Access Control Enumeration
ICMP Stack Fingerprinting
ICMP Covert Tunneling
Security
Deny ICMP Broadcasts
Network Controls against ICMP Packet Flooding
IP Spoofing Defenses
Patch TCP/IP Implementations against
ICMP Denial-of-Service and ICMP Typing

Monitor Network Traffic Using Network and
Host-Based Intrusion Detection Systems (IDSs)
Restriction of Specific ICMP Message Types
Monitor ICMP Activity at Firewalls
and Intrusion Detection Systems
Layer 4 Protocols
Transmission Control Protocol (TCP)
Protocol
Hacking Exploits
Covert TCP
TCP Denial-of-Service
TCP Sequence Number Prediction

(TCP Spoofing and Session Hijacking)
TCP Stack Fingerprinting
TCP State-Based Attacks
Security
Network Controls against TCP Packet Flooding
IP Spoofing Defenses
Patch TCP/IP Implementations against TCP
Denial-of-Service, TCP Stack Fingerprinting,
and TCP Sequence Number Prediction
Monitor Network Traffic Using Network
and Host-Based IDS Systems
Activation of SYN Flood Protection on Firewalls

and Perimeter Gateways
Implement Stateful Firewalling
User Datagram Protocol (UDP)
Protocol
Hacking Exploits
Covert UDP
UDP Denial-of-Service
UDP Packet Inspection Vulnerabilities
Security
Disable Unnecessary UDP Services

Network Controls against UDP Packet Flooding
IP Spoofing Defenses
Patch TCP/IP Implementations against UDP
Denial-of-Service
Monitor Network Traffic Using Network-
and Host-Based IDS Systems
Implement Stateful Firewalling
Notes
References
Texts
Request for Comments (RFCs)
White Papers and Web References

PART II SYSTEM AND NETWORK PENETRATION
9 Domain Name System (DNS)
The DNS Protocol
DNS Protocol and Packet Constructs
(Packet Data Hacking)
DNS Vulnerabilities
DNS Exploits and DNS Hacking
Protocol-Based Hacking
Reconnaissance
DNS Registration Information
Name Server Information
IP Address and Network Topology Data

Information on Key Application Servers
Protocol-Based Denial-of-Service
Dynamic DNS (DDNS) Hacking
Application-Based Attacks
Buffer Overflows (Privileged Server Access,
Denial-of-Service)
Exploiting the DNS Trust Model
DNS Registration Attacks
DNS Spoofing
Cache Poisoning
DNS Hijacking
DNS Security and Controls

Mapping Exploits to Defenses
Defensive Strategy
Configuration Audit and Verification Tools
DDNS Security
Name Server Redundancy
DNSSEC: Authentication and Encryption of DNS Data
Name Server Software Upgrade(s)
Network and Name Server Monitoring
and Intrusion Detection
Berkeley Internet Name Daemon (BIND)

Logging Controls
Microsoft Windows 2000 DNS Logging Controls
Patches and Service Packs
Server-Side Access Controls
Split-Level DNS Topologies (and DNS Proxying)
Split-Level DNS Topology
System and Service Hardening
Notes
References
Texts
Request for Comments (RFCs)
Mailing Lists and Newsgroups

Web References
10 Directory Services
What Is a Directory Service?
Components of a Directory
Schema
Leaf Object
Container Object
Namespace
Directory Information Tree
Directory Information Base (DIB)
Directory Features
Directory Security

Single Sign On
Uses for Directory Systems
Directory-Enabled Networking
Linked Provisioning
Global Directory
Public Key Infrastructure
Directory Models
Physical vs. Logical
Flat vs. Hierarchical
X.500 Directory
X.500 Schema
X.500 Partitions

X.500 Objects and Naming
A Word about Aliases
X.500 Back-End Processes
Directory Information Tree
Directory Information Base
Replication
Agents and Protocols
X.500 Directory Access
X.500 Security
Authentication

Simple Authentication
Strong Authentication
Access Control
Rights
Summary
Lightweight Directory Access Protocol (LDAP)
LDAP Schema
LDAP Partitions
LDAP Objects and Naming
LDAP Queries
LDAP Data Interchange Format (LDIF)
LDAP Security

Authentication
Anonymous Access
Simple Authentication
Simple Authentication with Secure Sockets
Layer (SSL)/Transport Layer Security (TLS)
Simple Authentication and Security Layer (SASL)
Access Control
Summary
Active Directory
Windows NT
Windows 2000 Schema
Windows 2000 Partitions

Windows 2000 Objects and Naming
The Domain
The Tree
The Forest
The Forest Root Domain
Naming Standards and Resolution in Windows 2000
Active Directory Back-End Processes
The Directory Information Base (DIB)
Replication
The Global Catalog
Windows 2000 Security
Authentication

Kerberos
NTLM
Access Control
Exploiting LDAP
Sun ONE Directory Server 5.1
Microsoft Active Directory
Summary
Future Directions
Further Reading
11 Simple Mail Transfer Protocol (SMTP)

The SMTP Protocol
SMTP Protocol and Packet Constructs
(Packet Data Hacking)
SMTP Vulnerabilities
SMTP Protocol Commands and Protocol Extensions
Protocol Commands
Protocol Extensions
SMTP Exploits and SMTP Hacking
SMTP Protocol Attacks
Account Cracking
Eavesdropping and Reconnaissance
ESMTP and Command Set Vulnerabilities

Protocol-Based Denial-of-Service
Mail Bombing
Mail Spamming
Man-in-the-Middle Attacks
Application-Based Attacks
Malicious Content (MIME Attacks)
Buffer Overflows (Privileged Server Access)
Worms and Automated Attack Tools
Application-Based Denial-of-Service
Attacks on the Mail Trust Model
Mail Spoofing
Identity Impersonation

Attacks on Data Integrity
Delivery Status Notification Manipulation
SMTP Security and Controls
Mapping Exploits to Defenses
Defensive Strategy
Antispam/Antirelay Controls
Antivirus and Content Scanning
Client-Side Access Controls
Content or Code Signing
Delivery Status Notification Controls
Disable Vulnerable ESMTP and SMTP Commands
Disable Vulnerable MIME Types
Network and SMTP Server Monitoring,
Intrusion Detection
Patches and Service Packs
Separation of SMTP and Intranet Account Databases
Server-Side Access Controls
Server Redundancy
SMTP Header Stripping and Parsing
SMTP Source Routing Controls
Split SMTP Topology
System and Service Hardening

Transport Layer Security, Secure Socket
Layer Security
Notes
References
Texts
Request for Comments (RFCs)
White Papers and Web References
12 Hypertext Transfer Protocol (HTTP)
The HTTP Protocol
HTTP Protocol and Packet Constructs
(Packet Data Hacking)
HTTP Vulnerabilities

HTTP Protocol Methods (and Associated Vulnerabilities)
HTTP Exploits and HTTP Hacking
HTTP Protocol Attacks
Eavesdropping and Reconnaissance
Account Cracking
Basic Access Authentication
Digest Access Authentication
HTTP Method Vulnerabilities
Content Vulnerabilities
Caching Exploits
Cache Poisoning
Man-in-the-Middle Attacks

Unauthorized Retrieval of Cache Data
and Cache Monitoring
Denial-of-Service
Protocol-Based Denial-of-Service
Application-Based Attacks
Buffer Overflows (Privileged Server Access,
Denial-of-Service)
Directory Traversal Attacks
Application-Based Denial-of-Service
Attacks on the HTTP Trust Model