Security Warrior
By Anton Chuvakin, Cyrus Peikari
Publisher: O'Reilly
Pub Date: January 2004
ISBN: 0-596-00545-8
Pages: 552

What's the worst an attacker can do to you? You'd better find out, right? That's what Security Warrior teaches you. Based on the principle that the only way to defend yourself is to understand your attacker in depth, Security Warrior reveals how your systems can be attacked. Covering everything from reverse engineering to SQL attacks, and including topics like social engineering, antiforensics, and common attacks against UNIX and Windows systems, this book teaches you to know your enemy and how to be prepared to do battle.
Copyright
Dedication
Preface
    Organization of This Book
        Part I: Software Cracking
        Part II: Network Stalking
        Part III: Platform Attacks
        Part IV: Advanced Defense
        Part V: Appendix
    Conventions Used in This Book
    Using Code Examples
    Comments and Questions
    Acknowledgments
Part I: Software Cracking
    Chapter 1. Assembly Language
        Section 1.1. Registers
        Section 1.2. ASM Opcodes
        Section 1.3. References
    Chapter 2. Windows Reverse Engineering
        Section 2.1. History of RCE
        Section 2.2. Reversing Tools
        Section 2.3. Reverse Engineering Examples
        Section 2.4. References
    Chapter 3. Linux Reverse Engineering
        Section 3.1. Basic Tools and Techniques
        Section 3.2. A Good Disassembly
        Section 3.3. Problem Areas
        Section 3.4. Writing New Tools
        Section 3.5. References
    Chapter 4. Windows CE Reverse Engineering
        Section 4.1. Windows CE Architecture
        Section 4.2. CE Reverse Engineering Fundamentals
        Section 4.3. Practical CE Reverse Engineering
        Section 4.4. Reverse Engineering serial.exe
        Section 4.5. References
    Chapter 5. Overflow Attacks
        Section 5.1. Buffer Overflows
        Section 5.2. Understanding Buffers
        Section 5.3. Smashing the Stack
        Section 5.4. Heap Overflows
        Section 5.5. Preventing Buffer Overflows
        Section 5.6. A Live Challenge
        Section 5.7. References
Part II: Network Stalking
    Chapter 6. TCP/IP Analysis
        Section 6.1. A Brief History of TCP/IP
        Section 6.2. Encapsulation
        Section 6.3. TCP
        Section 6.4. IP
        Section 6.5. UDP
        Section 6.6. ICMP
        Section 6.7. ARP
        Section 6.8. RARP
        Section 6.9. BOOTP
        Section 6.10. DHCP
        Section 6.11. TCP/IP Handshaking
        Section 6.12. Covert Channels
        Section 6.13. IPv6
        Section 6.14. Ethereal
        Section 6.15. Packet Analysis
        Section 6.16. Fragmentation
        Section 6.17. References
    Chapter 7. Social Engineering
        Section 7.1. Background
        Section 7.2. Performing the Attacks
        Section 7.3. Advanced Social Engineering
        Section 7.4. References
    Chapter 8. Reconnaissance
        Section 8.1. Online Reconnaissance
        Section 8.2. Conclusion
        Section 8.3. References
    Chapter 9. OS Fingerprinting
        Section 9.1. Telnet Session Negotiation
        Section 9.2. TCP Stack Fingerprinting
        Section 9.3. Special-Purpose Tools
        Section 9.4. Passive Fingerprinting
        Section 9.5. Fuzzy Operating System Fingerprinting
        Section 9.6. TCP/IP Timeout Detection
        Section 9.7. References
    Chapter 10. Hiding the Tracks
        Section 10.1. From Whom Are You Hiding?
        Section 10.2. Postattack Cleanup
        Section 10.3. Forensic Tracks
        Section 10.4. Maintaining Covert Access
        Section 10.5. References
Part III: Platform Attacks
    Chapter 11. Unix Defense
        Section 11.1. Unix Passwords
        Section 11.2. File Permissions
        Section 11.3. System Logging
        Section 11.4. Network Access in Unix
        Section 11.5. Unix Hardening
        Section 11.6. Unix Network Defense
        Section 11.7. References
    Chapter 12. Unix Attacks
        Section 12.1. Local Attacks
        Section 12.2. Remote Attacks
        Section 12.3. Unix Denial-of-Service Attacks
        Section 12.4. References
    Chapter 13. Windows Client Attacks
        Section 13.1. Denial-of-Service Attacks
        Section 13.2. Remote Attacks
        Section 13.3. Remote Desktop/Remote Assistance
        Section 13.4. References
    Chapter 14. Windows Server Attacks
        Section 14.1. Release History
        Section 14.2. Kerberos Authentication Attacks
        Section 14.3. Kerberos Authentication Review
        Section 14.4. Defeating Buffer Overflow Prevention
        Section 14.5. Active Directory Weaknesses
        Section 14.6. Hacking PKI
        Section 14.7. Smart Card Hacking
        Section 14.8. Encrypting File System Changes
        Section 14.9. Third-Party Encryption
        Section 14.10. References
    Chapter 15. SOAP XML Web Services Security
        Section 15.1. XML Encryption
        Section 15.2. XML Signatures
        Section 15.3. Reference
    Chapter 16. SQL Injection
        Section 16.1. Introduction to SQL
        Section 16.2. SQL Injection Attacks
        Section 16.3. SQL Injection Defenses
        Section 16.4. PHP-Nuke Examples
        Section 16.5. References
    Chapter 17. Wireless Security
        Section 17.1. Reducing Signal Drift
        Section 17.2. Problems with WEP
        Section 17.3. Cracking WEP
        Section 17.4. Practical WEP Cracking
        Section 17.5. VPNs
        Section 17.6. TKIP
        Section 17.7. SSL
        Section 17.8. Airborne Viruses
        Section 17.9. References
Part IV: Advanced Defense
    Chapter 18. Audit Trail Analysis
        Section 18.1. Log Analysis Basics
        Section 18.2. Log Examples
        Section 18.3. Logging States
        Section 18.4. When to Look at the Logs
        Section 18.5. Log Overflow and Aggregation
        Section 18.6. Challenge of Log Analysis
        Section 18.7. Security Information Management
        Section 18.8. Global Log Aggregation
        Section 18.9. References
    Chapter 19. Intrusion Detection Systems
        Section 19.1. IDS Examples
        Section 19.2. Bayesian Analysis
        Section 19.3. Hacking Through IDSs
        Section 19.4. The Future of IDSs
        Section 19.5. Snort IDS Case Study
        Section 19.6. IDS Deployment Issues
        Section 19.7. References
    Chapter 20. Honeypots
        Section 20.1. Motivation
        Section 20.2. Building the Infrastructure
        Section 20.3. Capturing Attacks
        Section 20.4. References
    Chapter 21. Incident Response
        Section 21.1. Case Study: Worm Mayhem
        Section 21.2. Definitions
        Section 21.3. Incident Response Framework
        Section 21.4. Small Networks
        Section 21.5. Medium-Sized Networks
        Section 21.6. Large Networks
        Section 21.7. References
    Chapter 22. Forensics and Antiforensics
        Section 22.1. Hardware Review
        Section 22.2. Information Detritus
        Section 22.3. Forensics Tools
        Section 22.4. Bootable Forensics CD-ROMs
        Section 22.5. Evidence Eliminator
        Section 22.6. Forensics Case Study: FTP Attack
        Section 22.7. References
Part V: Appendix
    Appendix A. Useful SoftICE Commands and Breakpoints
        Section A.1. SoftICE Commands
        Section A.2. Breakpoints
Colophon
Index
Copyright © 2004 O'Reilly Media, Inc.

Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly & Associates books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (). For more information, contact our corporate/institutional sales department: (800) 998-9938 or

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Security Warrior, the image of Sumo wrestlers, and related trade dress are trademarks of O'Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly & Associates was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
Dedication

Dr. Cyrus Peikari is humbled before Bahá'u'lláh, the Glory of God. He also thanks his students, teachers, and fellow seekers of knowledge. Dr. Peikari is also grateful to his family for their support and encouragement.

Dr. Cyrus Peikari

The part of the book for which I am responsible is dedicated to Olga, who put up with me during all those evenings I spent working on the book and who actually encouraged me to write when I was getting lazy.

Dr. Anton Chuvakin
Preface

...All samurai ought certainly apply themselves to the study of military science. But a bad use can be made of this study to puff oneself up and disparage one's colleagues by a lot of high-flown but incorrect arguments that only mislead the young and spoil their spirit. For this kind gives forth a wordy discourse that may appear to be correct and proper enough, but actually he is striving for effect and thinking only of his own advantage, so the result is the deterioration of his character and the loss of the real samurai spirit. This is a fault arising from a superficial study of the subject, so those who begin it should never be satisfied to go only halfway but persevere until they understand all the secrets and only then return to their former simplicity and live a quiet life....

Daidoji Yuzan, The Code of the Samurai [1]

[1] Samurai quote courtesy of .
This book offers unique methods for honing your information security (infosec) technique. The typical reader is an intermediate- to advanced-level practitioner. But who among us is typical? Each of us approaches infosec with distinctive training and skill. Still, before you spend your hard-earned money on this book, we will try to describe the target reader.

As an example, you might enjoy this book if you already have experience with networking and are able to program in one or more languages. Although your interest in infosec might be new, you have already read at least a few technical books on the subject, such as Practical UNIX & Internet Security from O'Reilly. You found those books to be informative, and you would like to read more of the same, but hopefully covering newer topics and at a more advanced level. Rather than an introductory survey of security from the defensive side, you would like to see through an attacker's eyes.

You are already familiar with basic network attacks such as sniffing, spoofing, and denial-of-service. You read security articles and vulnerability mailing lists online, and you know this is the best way to broaden your education. However, you now want a single volume that can quickly ratchet your knowledge level upward by a few notches.

Instead of reading a simple catalog of software tools, you would like to delve deeper into underlying concepts such as packet fragmentation, overflow attacks, and operating system fingerprinting. You likewise want more on forensics, honeypots, and the psychological basis of social engineering. You also enjoy novel challenges such as implementing Bayesian intrusion detection and defending against wireless "airborne" viruses. Before buying into Microsoft's Trustworthy Computing initiative, you would like to delve deeper into Windows XP attacks and Windows Server weaknesses.

These are some of the topics we cover. Although some parts will necessarily be review for more advanced users, we also cover unique topics that might gratify even seasoned veterans. To give one example, we cover reverse code engineering (RCE), including the esoteric subjects of Linux and embedded RCE. RCE is indispensable for dissecting malicious code, unveiling corporate spyware, and extracting application vulnerabilities, but until this book it has received sparse coverage in the printed literature.

This book is not married to a particular operating system, since many of you are responsible for protecting mixed networks. We have chosen to focus on security from the attacking side, rather than from the defending side. A good way to build an effective defense is to understand and anticipate potential attacks.

Throughout the text we have tried to avoid giving our personal opinions too often. However, to some extent we must, or this would be nothing more than a dry catalog of facts. We ask your forgiveness for editorializing, and we make no claim that our opinions are authoritative, or even correct. Human opinion is diverse and inherently flawed. At the very least, we hope to provide a counterpoint to your own views on a controversial subject. We also provide many anecdotal examples to help enliven some of the heavier subjects.

We have made a special effort to provide you with helpful references at the end of each chapter. These references allow us to credit some of the classic infosec sources and allow you to further explore the areas that interest you the most. This is by no means a comprehensive introduction to network security. Rather, it is a guide for rapidly advancing your skill in several key areas. We hope you enjoy reading it as much as we enjoyed writing it.
Organization of This Book

You do not have to read this book sequentially. Most of the chapters can be read independently. However, many readers prefer to pick up a technical book and read the chapters in order. To this end, we have tried to organize the book with a useful structure. The following sections outline the main parts of the book and give just a few of the highlights from each chapter.
Part I: Software Cracking

Part I of this book primarily focuses on software reverse engineering, also known as reverse code engineering or RCE. As you will read, RCE plays an important role in network security. However, until this book, it has received sparse coverage in the printed infosec literature. In Part I, after a brief introduction to assembly language (Chapter 1), we begin with RCE tools and techniques on Windows platforms (Chapter 2), including some rather unique cracking exercises. We next move into the more esoteric field of RCE on Linux (Chapter 3). We then introduce RCE on embedded platforms (Chapter 4), specifically cracking applications for Windows Mobile platforms (Windows CE, Pocket PC, Smartphone) on ARM-based processors. Finally, we cover overflow attacks (Chapter 5), and we build on the RCE knowledge gained in previous chapters to exploit a live buffer overflow.
Part II: Network Stalking

Part II lays the foundation for understanding the network attacks presented later in the book. In Chapter 6, we review security aspects of TCP/IP, including IPv6, and we cover fragmentation attack tools and techniques. Chapter 7 takes a unique approach to social engineering, using psychological theories to explore possible attacks. Chapter 8 moves into network reconnaissance, while in Chapter 9 we cover OS fingerprinting, including passive fingerprinting and novel tools such as XProbe and Ring. Chapter 10 provides an advanced look at how hackers hide their tracks, including anti-forensics and IDS evasion.
Part III: Platform Attacks

Part III opens with a review of Unix security fundamentals (Chapter 11) before moving into Unix attacks (Chapter 12). In contrast, the two Windows security chapters cover client (Chapter 13) and server (Chapter 14) attacks, since exploits on these two platforms are idiosyncratic. For example, on Windows XP, we show how to exploit weaknesses in Remote Assistance, while on Windows Server, we show theoretical ways to crack Kerberos authentication. Chapter 15 covers SOAP XML web services security, and Chapter 16 examines SQL injection attacks. Finally, we cover wireless security (Chapter 17), including wireless LANs and embedded, mobile malware such as "airborne viruses."
Part IV: Advanced Defense

In Part IV, we cover advanced methods of network defense. For example, Chapter 18 covers audit trail analysis, including log aggregation and analysis. Chapter 19 breaks new ground with a practical method for applying Bayes's Theorem to network IDS placement. Chapter 20 provides a step-by-step blueprint for building your own honeypot to trap attackers. Chapter 21 introduces the fundamentals of incident response, while Chapter 22 reviews forensics tools and techniques on both Unix and Windows.
Part V: Appendix

Finally, the Appendix at the end of the book provides a list of useful SoftICE commands and breakpoints.
Conventions Used in This Book

The following typographical conventions are used in this book:

Plain text
    Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl)

Italic
    Indicates new terms, example URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities

Constant width
    Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands

Constant width bold
    Shows commands or other text that should be typed literally by the user

Constant width italic
    Shows text that should be replaced with user-supplied values

This icon signifies a tip, suggestion, or general note.

This icon indicates a warning or caution.
Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission.
Comments and Questions

Please address comments and questions concerning this book to the publisher:

O'Reilly & Associates, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the United States or Canada)
(707) 829-0515 (international or local)
(707) 829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

To comment or ask technical questions about this book, send email to:

Or please contact the authors directly via email:

Cyrus Peikari:
Anton Chuvakin:

For more information about our books, conferences, Resource Centers, and the O'Reilly Network, see our web site at:
Acknowledgments

Before proceeding, we would like to thank the many experts who provided suggestions, criticism, and encouragement. We are especially grateful to the two contributing writers, Seth Fogie and Mammon_, without whose additions this book would have been greatly diminished. Colleen Gorman and Patricia Peikari provided additional proofreading. We also thank O'Reilly's technical reviewers, each of whom provided valuable feedback. In no particular order, the technical reviewers were Jason Garman, John Viega, Chris Gerg, Bill Gallmeister, Bob Byrnes, and Fyodor (the author of Nmap).

Cyrus Peikari
Anton Chuvakin
Part I: Software Cracking