

A valuable extension to the Hacking Exposed franchise; the authors do a great job of
incorporating the vast pool of knowledge of security testing from the team who built the Open
Source Security Testing Methodology Manual (OSSTMM) into an easy-to-digest, concise read
on how Linux systems can be hacked.
Steven Splaine
Author, The Web Testing Handbook and Testing Web Security
Industry-Recognized Software Testing Expert
With Pete being a pioneer of open-source security methodologies, directing ISECOM, and
formulating the OPSA certification, few people are more qualified to write this book than him.
Matthew Conover
Principal Software Engineer
Core Research Group, Symantec Research Labs
You’ll feel as if you are sitting in a room with the authors as they walk you through the steps
the bad guys take to attack your network and the steps you need to take to protect it. Or, as the
authors put it: “Separating the asset from the threat.” Great job, guys!
Michael T. Simpson, CISSP
Senior Staff Analyst
PACAF Information Assurance
An excellent resource for security information, obviously written by those with real-world
experience. The thoroughness of the information is impressive—very useful to have it presented in
one place.
Jack Louis
Security Researcher




HACKING EXPOSED LINUX: LINUX SECURITY SECRETS & SOLUTIONS

THIRD EDITION

ISECOM

New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto


Copyright © 2008 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as permitted
under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or
stored in a database or retrieval system, without the prior written permission of the publisher.
0-07-159642-9
The material in this eBook also appears in the print version of this title: 0-07-226257-5.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name,
we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where
such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. For more information, please contact George Hoare, Special Sales, at or (212) 904-4069.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use
of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute,
disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own
noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to
comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE
ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY
INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the
functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor
its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages
resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances
shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from
the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of
liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
DOI: 10.1036/0072262575


As Project Leader, I want to dedicate this book to all the
volunteers who helped out and contributed through
ISECOM to make sense of security so the rest of the world
can find a little more peace. It’s the selfless hackers like
them who make being a hacker such a cool thing.
I also need to say that all this work would be overwhelming
if not for my unbelievably supportive wife, Marta. Even my
three children, Ayla, Jace, and Aidan, who can all put
ISECOM on the list of their first spoken words, were all
very helpful in the making of this book.
—Pete Herzog


ABOUT THE AUTHORS
This book was written according to the ISECOM (Institute for Security and Open
Methodologies) project methodology. ISECOM is an open, nonprofit security research
and certification organization established in January 2001 with the mission to make sense
of security. They release security standards and methodologies under the Open
Methodology License for free public and commercial use.

This book was written by multiple authors, reviewers, and editors—too many to all
be listed here—who collaborated to create the best Linux hacking book they could. Since
no one person can master everything you may want to do in Linux, a community wrote
the book on how to secure it.
The following people contributed greatly and should be recognized.

About the Project Leader
Pete Herzog
As Managing Director, Pete is the co-founder of ISECOM and creator of the
OSSTMM. At work, Pete focuses on scientific, methodical testing for controlling
the quality of security and safety. He is currently managing projects in development
that include security for homeowners, hacking lessons for teenagers, source-code static analysis,
critical-thinking training for children, wireless certification exam and training for testing
the operational electromagnetic spectrum, a
legislator’s guide to security solutions, a Dr. Seuss–type children’s book in metered prose
and rhyme, a security analysis textbook, a guide on human security, solutions for
university security and safety, a guide on using security for national reform, a guide for
factually calculating trust for marriage counselors and family therapists, and of course,
the Open Source Security Testing Methodology Manual (OSSTMM).
In addition to managing ISECOM projects, Pete teaches in the Masters for Security
program at La Salle University in Barcelona and supports the worldwide security
certification network of partners and trainers. He received a bachelor’s degree from
Syracuse University. He currently only takes time off to travel in Europe and North
America with his family.

About the Project Managers
Marta Barceló
Marta Barceló is Director of Operations, co-founder of ISECOM, and is
responsible for ISECOM business operations. In early 2003, she designed the
process for the Hacker Highschool project, developing and designing teaching
methods for the website and individual and multilingual lessons. Later that

same year, she developed the financial and IT operations behind the ISESTORM
conferences. In 2006, Marta was invited to join the EU-sponsored Open Trusted
Computing consortium to manage ISECOM’s participation within the project, including
financial and operating procedures. In 2007, she began the currently running advertising
campaign for ISECOM, providing all creative and technical skills as well as direction.


Marta maintains the media presence of all ISECOM projects and provides technical
server administration for the websites. She attended Mannheim University of Applied
Sciences in Germany and graduated with a masters in computer science.
In addition to running ISECOM, Marta has a strong passion for the arts, especially
photography and graphic design, and her first degree is in music from the Conservatori
del Liceu in Barcelona.

Rick Tucker
Rick Tucker has provided ISECOM with technical writing, editing, and general
support on a number of projects, including SIPES and Hacker Highschool. He
currently resides in Portland, Oregon, and works for a small law firm as the go-to person for
all manner of mundane and perplexing issues.

About the Authors
Andrea Barisani
Andrea Barisani is an internationally known security researcher. His
professional career began eight years ago, but it all really started with a
Commodore-64 when he was ten-years-old. Now Andrea is having fun with
large-scale IDS/firewall-deployment administration, forensic analysis,
vulnerability assessment, penetration testing, security training, and his
open-source projects. He eventually found that system and security administration are
the only effective way to express his need for paranoia.
Andrea is the founder and project coordinator of the oCERT effort, the Open Source

CERT. He is involved in the Gentoo project as a member of the Security and Infrastructure
Teams and contributes to the Open Source Security Testing Methodology Manual as an
ISECOM Core Team member. Outside the community, he is the co-founder and chief
security engineer of Inverse Path, Ltd. He has been a speaker and trainer at the PacSec,
CanSecWest, BlackHat, and DefCon conferences among many others.

Thomas Bader
Thomas Bader works at Dreamlab Technologies, Ltd., as a trainer and solution
architect. Since the early summer of 2007, he has been in charge of ISECOM
courses throughout Switzerland. As an ISECOM team member, he participates
in the development of the OPSE certification courses, the ISECOM test network,
and the OSSTMM.
From the time he first came into contact with open-source software in 1997,
he has specialized in network and security technologies. Over the following years, he
has worked in this field and gained a great deal of experience with different firms as a
consultant and also as a technician. Since 2001, Thomas has worked as a developer and
trainer of LPI training courses. Since 2006, he has worked for Dreamlab Technologies,
Ltd., the official ISECOM representative for the German- and French-speaking countries
of Europe.


Simon Biles
Simon Biles is the director and lead consultant at Thinking Security, a UK-based
InfoSec Consultancy. He is the author of The Snort Cookbook from O’Reilly, as well
as other material for ISECOM, Microsoft, and SysAdmin magazine. He is currently
pursuing his masters in forensic computing at the Defence Academy in
Shrivenham. He holds a CISSP, OPSA, is an ISO17799 Lead Auditor, and is also a
Chartered Member of the British Computer Society. He is married with children
(several) and reptiles (several). His wife is not only the most beautiful woman ever, but
also incredibly patient when he says things like “I’ve just agreed to ...” In his spare
time, when that happens, he likes messing about with Land Rovers
and is the proud owner of a semi-reliable, second-generation Range Rover.

Colby Clark
Colby Clark is Guidance Software’s Network Security Manager and has the day-to-day
responsibility for overseeing the development, implementation, and
management of their information security program. He has many years of
security-related experience and has a proven track record with Fortune 500
companies, law firms, financial institutions, educational institutions,
telecommunications companies, and other public and private companies in
regulatory compliance consulting and auditing (Sarbanes Oxley and FTC Consent
Order), security consulting, business continuity, disaster recovery, incident response,
and computer forensic investigations. Colby received an advanced degree in business
administration from the University of Southern California, maintains the EnCE, CISSP,
OPSA, and CISA certifications, and has taught advanced computer forensic and incident
response techniques at the Computer and Enterprise Investigations Conference (CEIC).
He is also a developer of the Open Source Security Testing Methodology Manual (OSSTMM)
and has been with ISECOM since 2003.

Raoul Chiesa
Raoul “Nobody” Chiesa has 22 years of experience in information security
and 11 years of professional knowledge. He is the founder and president of
@ Mediaservice.net Srl, an Italian-based, vendor-neutral security consulting
company. Raoul is on the board of directors for the OWASP Italian Chapter,
Telecom Security Task Force (TSTF.net), and the ISO International User Group.
Since 2007, he has been a consultant on cybercrime issues for the UN at the United
Nations Interregional Crime & Justice Research Institute (UNICRI).
He authored Hacker Profile, a book which will be published in the U.S. by Taylor &
Francis in late 2008. Raoul’s company was the first worldwide ISECOM partner, launching
the OPST and OPSA classes back in 2003. At ISECOM, he works as Director of
Communications, enhancing ISECOM evangelism all around the world.


Pablo Endres
Pablo Endres is a security engineer/consultant and technical solution architect
with a strong background built upon his experience at a broad spectrum of
companies: wireless phone providers, VoIP solution providers, contact centers,
universities, and consultancies. He started working with computers (an XT) in


the late 1980s and holds a degree in computer engineering from the Universidad Simón
Bolívar at Caracas, Venezuela. Pablo has been working, researching, and playing around
with Linux, Unix, and networked systems for more than a decade.
Pablo would like to thank Pete for the opportunity to work on this book and with
ISECOM, and last but not least, his wife and parents for all the support and time
sharing.

Richard Feist
Richard has been working in the computer industry since 1989 when he started as
a programmer and has since moved through various roles. He has a good view of
both business and IT and is one of the few people who can interact in both spaces.
He recently started his own small IT security consultancy, Blue Secure. He
currently holds various certifications (CISSP, Prince2 Practitioner, OPST/OPSA
trainer, MCSE, and so on) in a constant attempt to stay up-to-date.

Andrea Ghirardini
Andrea “Pila” Ghirardini has over seven years’ expertise in computer forensics
analysis. The labs he leads (@PSS Labs, ) have assisted Italian
and Swiss Police Special Units in more than 300 different investigations related
to drug dealing, fraud, tax fraud, terrorism, weapons trafficking, murder,
kidnapping, phishing, and many others.
His labs are the oldest ones in Italy, continuously supported by the company team’s

strong background in building CF machines and storage systems in order to handle and
examine digital evidence, using both open-source-based and commercial tools. In 2007,
Andrea wrote the first book ever published in Italy on computer forensics investigations
and methodologies (Apogeo Editore). In this book, he also analyzed Italian laws related
to these kinds of crimes. Andrea holds the third CISSP certification in Italy.

Julian “HammerJammer” Ho
Julian “HammerJammer” Ho is co-founder of ThinkSECURE Pte, Ltd., (http://securitystartshere.org),
an Asia-based practical IT security certification/training authority and professional IT
security services organization, and an ISECOM-certified OPST trainer.
Julian was responsible for design, implementation, and maintenance of
security operations for StarHub’s Wireless Hotzones in Changi International
Airport Terminals 1 and 2 and Suntec Convention Centre. He is one half of the design
team for BlackOPS:HackAttack 2004, a security tournament held in Singapore; AIRRAID
(Asia’s first-ever pure wireless hacking tournament) in 2005; and AIRRAID2 (Thailand’s
first-ever public hacking tournament) in 2008. He also contributed toward research and
publication of the WCCD vulnerability in 2006.
Julian created and maintains the OSWA-Assistant wireless auditing toolkit, which
was awarded best in the Wireless Testing category and recommended/excellent in the
LiveCDs category by Security-Database.com in their “Best IT Security and Auditing
Software 2007” article.


Marco Ivaldi
Marco Ivaldi () is a computer security researcher and
consultant, a software developer, and a Unix system administrator. His particular
interests are networking, telephony, and cryptology. He is an ISECOM Core
Team member, actively involved in the OSSTMM development process. He
holds the OPST certification and is currently employed as Red Team Coordinator
at @ Mediaservice.net, a leading information-security company based in Italy. His daily

tasks include advanced penetration testing, ISMS deployment and auditing, vulnerability
research, and exploit development. He is founder and editorial board member of
Linux&C, the first Italian magazine about Linux and open source. His homepage and
playground is o.
Marco wishes to thank VoIP gurus Emmanuel Gadaix of TSTF and thegrugq for their
invaluable and constant support throughout the writing of this book. His work on this
book is dedicated to z*.

Dru Lavigne
Dru Lavigne is a network and systems administrator, IT instructor, curriculum
developer, and author. She has over a decade of experience administering and
teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD
systems. She is author of BSD Hacks and The Best of FreeBSD Basics. She is currently
the editor-in-chief of the Open Source Business Resource, a free monthly
publication covering open source. She is founder and current chair of the BSD Certification
Group, Inc., a nonprofit organization with a mission to create the standard for certifying
BSD system administrators. At ISECOM, she maintains the Open Protocol Database. Her
blog can be found at
Stephane Lo Presti
Stéphane is a research scientist who has explored the various facets of trust in
computer science for the past several years. He is currently working at The City
University, London, on service-oriented architectures and trust. His past jobs
include the European project, Open Trusted Computing () at
Royal Holloway, University of London, and the Trusted Software Agents and
Services (T-SAS) project at the University of Southampton, UK. He enjoys
applying his requirement-analysis and formal-specification computing skills to modern
systems and important properties, such as trust. In 2002, he received a Ph.D. in computing
science from the Grenoble Institute of Technology, France, where he also graduated as a
computing engineer in 1998 from the ENSIMAG Grandes École of Computing and
Applied Mathematics, Grenoble, France.


Christopher Low
Christopher Low is co-founder of ThinkSECURE Pte Ltd. (http://securitystartshere
.org), an Asia-based IT-security training, certification, and professional IT security
services organization. Christopher has more than ten years of IT security
experience and has extensive security consultancy and penetration-testing
experience. Christopher is also an accomplished trainer, an ISECOM-certified


OPST trainer and has developed various practical-based security certification courses
drawn from his experiences in the IT security field. He also co-designed the BlackOPS:
HackAttack 2004 security tournament held in Singapore, AIRRAID (Asia’s first-ever
pure wireless hacking tournament) in 2005, and AIRRAID2 (Thailand’s first-ever public
hacking tournament).
Christopher is also very actively involved in security research; he likes to code and
created the Probemapper and MoocherHunter tools, both of which can be found in the
OSWA-Assistant wireless auditing toolkit.

Ty Miller
Ty Miller is Chief Technical Officer at Pure Hacking in Sydney, Australia. Ty has
performed penetration tests against countless systems for large banking,
government, telecommunications, and insurance organizations worldwide, and
has designed and managed large security architectures for a number of
Australian organizations within the Education and Airline industries.
Ty presented at Blackhat USA 2008 in Las Vegas on his development of DNS
Tunneling Shellcode and was also involved in the development of the CHAOS Linux
distribution, which aims to be the most compact, secure openMosix cluster platform.
He is a certified ISECOM OPST and OPSA instructor and contributes to the Open Source
Security Testing Methodology Manual. Ty has also run web-application security courses
and penetration-testing tutorials for various organizations and conferences.

Ty holds a bachelors of technology in information and communication systems from
Macquarie University, Australia. His interests include web-application penetration
testing and shellcode development.

Armand Puccetti
Armand Puccetti is a research engineer and project manager at CEA-LIST (a
department of the French Nuclear Energy Agency, ) where
he is working in the Software Safety Laboratory. He is involved in several
European research projects belonging to the MEDEA+, EUCLID, ESSI, and
FP6 programs. His research interests include formal methods for software and
hardware description languages, semantics of programming languages, theorem
provers, compilers, and event-based simulation techniques. Before moving to CEA
in 2000, he was employed as a project manager at C-S (Communications & Systems,
a privately owned software house). At C-S he contributed to numerous
software development and applied research projects, ranging from CASE tools and
compiler development to military simulation tools and methods (a
.fr/ESCADRE) and consultancy.
He graduated from INPL () where he earned a Ph.D. in 1987
in the Semantics and Axiomatic Proof for the Ada Programming Language.


About the Contributing Authors
Görkem Çetin
Görkem Çetin has been a renowned Linux and open-source professional for more than
15 years. As a Ph.D. candidate, his current doctorate studies focus on human/computer
interaction issues of free/open-source software. Görkem has authored four books on
Linux and networking and written numerous articles for technical and trade magazines.
He works for the National Cryptography and Technology Institute of Turkey (TUBITAK/
UEKAE) as a project manager.


Volkan Erol
Volkan Erol is a researcher at the Turkish National Research Institute of Electronics and
Cryptology (TUBITAK-NRIEC). After receiving his bachelor of science degree in
computer engineering from Galatasaray University Engineering and Technology Faculty,
Volkan continued his studies in the Computer Science, Master of Science program, at
Istanbul Technical University. He worked as software engineer at the Turkcell ShubuoTurtle project and has participated in TUBITAK-NRIEC since November 2005. He works
as a full-time researcher in the Open Trusted Computing project. His research areas are
Trusted Computing, applied cryptography, software development, and design and
image processing.

Chris Griffin
Chris Griffin has nine years of experience in information security. Chris obtained the
OPST, OPSA, CISSP, and CNDA certifications and is an active contributor to ISECOM’s
OSSTMM. Chris has most recently become ISECOM’s Trainer for the USA. He wants to
thank Pete for this opportunity and his wife and kids for their patience.

Fredesvinda Insa Mérida
Fredesvinda Insa Mérida is the Strategic Development Manager of Cybex. Dr. Insa
graduated in law from the University of Barcelona (1994–1998). She also holds a Ph.D. in
information sciences and communications, from the University Complutense of Madrid.
Dr. Insa has represented Cybex in several computer-forensics and electronic-evidence
meetings. She has a great deal of experience in fighting against computer-related crimes.
Within Cybex, she provides legal assistance to the computer forensics experts.

About the Editors and Reviewers
Chuck Truett
Chuck Truett is a writer, editor, SAS programmer, and data analyst. In addition to his
work with ISECOM, he has written fiction and nonfiction for audiences ranging from
children to role-playing gamers.



Adrien de Beaupré
Adrien de Beaupré is practice lead at Bell Canada. He holds the following certifications:
GPEN, GCIH, GSEC, CISSP, OPSA, and OPST. Adrien is very active with isc.sans.org. He
is an ISECOM OSSTMM-certified instructor. His areas of expertise include vulnerability
assessments, penetration testing, incident response, and digital forensics.

Mike Hawkins
Michael Hawkins, CISSP, has over ten years’ experience in the computer industry, the
majority of time spent at Fortune 500 companies. He is currently the Manager of
Networks and Security at the loudspeaker company Klipsch. He has been a full-time
security professional for over five years.

Matías Bevilacqua Trabado
Matías Bevilacqua Trabado graduated in computer engineering from the University of
Barcelona and currently works for Cybex as IT Manager. From a security background,
Matías specializes in computer forensics and the admissibility of electronic evidence. He
designed and ran the first private forensic laboratory in Spain and is currently leading
research and development at Cybex.

Patrick Boucher
Patrick Boucher is a senior security consultant for Gardien Virtuel. Patrick has many
years of experience with ethical hacking, security policy, and strategic planning like
disaster recovery and continuity planning. His clients include many Fortune 500
companies, financial institutions, telecommunications companies, and SME enterprises
throughout Canada. Patrick has obtained CISSP and CISA certifications.






CONTENTS

Foreword  xxv
Acknowledgments  xxvii
Introduction  xxix

Part I  Security and Controls

▼ 1  Applying Security  3
    Case Study  4
    Free from Risk  6
    The Four Comprehensive Constraints  7
    The Elements of Security  8
    Summary  11

▼ 2  Applying Interactive Controls  13
    Case Study  14
    The Five Interactive Controls  16
    Summary  24

▼ 3  Applying Process Controls  27
    Case Study  28
    The Five Process Controls  30
    Summary  37

Part II  Hacking the System

▼ 4  Local Access Control  41
    Case Study  42
    Physical Access to Linux Systems  43
    Console Access  44
    Privilege Escalation  52
        Sudo  53
    File Permissions and Attributes  62
        Chrooting  73
    Physical Access, Encryption, and Password Recovery  80
    Volatile Data  83
    Summary  85

▼ 5  Data Networks Security  87
    Case Study  88
    Network Visibility  89
    Network and Systems Profiling  94
    Network Architecture  99
    Covert Communications and Clandestine Administration  107
    Summary  121

▼ 6  Unconventional Data Attack Vectors  123
    Case Study  124
    Overview of PSTN, ISDN, and PSDN Attack Vectors  127
        Introducing PSTN  128
        Introducing ISDN  129
        Introducing PSDN and X.25  130
    Communication Network Attacks  131
    Tests to Perform  139
        PSTN  139
        ISDN  140
        PSDN  140
    Tools to Use  142
        PAW and PAWS  143
        Intelligent Wardialer  143
        Shokdial  146
        ward  147
        THCscan Next Generation  149
    PSDN Testing Tools  150
        admx25  150
        Sun Solaris Multithread and Multichannel X.25 Scanner by Anonymous  150
        vudu  150
        TScan  151
    Common Banners  151
    How X.25 Networks Work  157
        Basic Elements  157
        Call Setup  159
        Error Codes  159
        X.3/X.28 PAD Answer Codes  159
        X.25 Addressing Format
        DCC Annex List
    Key Points for Getting X.25 Access
        X.28 Dialup with NUI
        X.28 Dialup via Reverse Charge
        Private X.28 PAD via a Standard or Toll-Free PSTN or ISDN
Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Internet to X.25 Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Cisco Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VAX/VMS or AXP/OpenVMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
*NIX Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

162
164
173
173
174
174
175
175
175
176
176

▼ 7 Voice over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

179

Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VoIP Attack Taxonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Signaling Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction to VoIP Testing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Transport Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VoIP Security Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Firewalls and NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

180
182
186
189
197
198
207
211
211
212
213

▼ 8 Wireless Networks

....................................................

215

Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The State of the Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Wireless Hacking Physics: Radio Frequency . . . . . . . . . . . . . . . . . . . . . . . . . .
RF Spectrum Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exploiting 802.11 The Hacker Way . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Wireless Auditing Activities and Procedures . . . . . . . . . . . . . . . . . . . . . . . . . .
Auditing Wireless Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

216
219
225
238
240
251
251
279

▼ 9 Input/Output devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

281

Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About Bluetooth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Bluetooth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Entities on the Bluetooth Protocol Stack . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

282
283
284
286
294


▼ 10 RFID—Radio Frequency Identification
Case Study

.....................................

295

.......................................................

296

xvii


xviii

Hacking Exposed Linux: Linux Security Secrets & Solutions

History of RFID: Leon Theremin and “The Thing” . . . . . . . . . . . . . . . . . . . . .
Identification-Friend-or-Foe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RFID Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Purpose of RFID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Passive Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Active Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RFID Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RFID-Enabled Passports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ticketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Other Current RFID Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RFID Frequency Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RFID Technology Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

RFID Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RFID Hacker’s Toolkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Implementing RFID Systems Using Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RFID Readers Connected to a Linux System . . . . . . . . . . . . . . . . . . . .
RFID Readers with Embedded Linux . . . . . . . . . . . . . . . . . . . . . . . . . .
Linux Systems as Backend/Middleware/Database
Servers in RFID Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Linux and RFID-Related Projects and Products . . . . . . . . . . . . . . . . . . . . . . .
OpenMRTD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
OpenPCD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
OpenPICC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Magellan Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RFIDiot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RFID Guardian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
OpenBeacon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Omnikey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Linux RFID Kit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

▼ 11 Emanation Attacks

297
298
299
299
300
300
301
301
303

303
303
304
305
311
311
311
312
312
313
313
313
315
315
316
316
316
316
316
318

....................................................

321

Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Van Eck Phreaking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Other “Side-Channel” Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


322
323
326
330

▼ 12 Trusted Computing

....................................................

331

Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction to Trusted Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Platform Attack Taxonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hardware Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Low-Level Software Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Software Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Application Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

332
334
340
344
347
351
353


Contents


General Support for Trusted Computing Applications . . . . . . . . . . . . . . . . .
TPM Device Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TrouSerS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TPM Emulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
jTSS Wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TPM Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Examples of Trusted Computing Applications . . . . . . . . . . . . . . . . . . . . . . . .
Enforcer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TrustedGRUB (tGrub) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TPM Keyring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Turaya.VPN and Turaya.Crypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Open Trusted Computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TCG Industrial Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

355
356
356
358
358
358
359
359
359
359
359
360
361
361


Part III Hacking the Users
▼ 13 Web Application Hacking

...............................................

365

Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Access and Controls Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Insufficient Data Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Web 2.0 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Trust Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Trust and Awareness Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Man-in-the-Middle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Web Infrastructure Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

366
367
375
385
395
406
406
413
422
428

▼ 14 Mail Services


........................................................

429

Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SMTP Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Understanding Sender and Envelope Sender . . . . . . . . . . . . . . . . . . .
Email Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SMTP Attack Taxonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Alteration of Data or Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Denial of Service or Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

430
431
434
435
438
439
458
463
468

▼ 15 Name Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

469

Case study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

DNS Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DNS and IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

470
471
475

xix


xx

Hacking Exposed Linux: Linux Security Secrets & Solutions

The Social Aspect: DNS and Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
WHOIS and Domain Registration and Domain Hijacking . . . . . . . . . . . . . .
The Technical Aspect: Spoofing, Cache Poisoning, and Other Attacks . . . .
Bind Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

475
476
478
481
492

Part IV Care and Maintenance
▼ 16 Reliability: Static Analysis of C Code

......................................


495

Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Formal vs. Semiformal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Semiformal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Formal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C Code Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Analyzing C Code Using Hoare Logics . . . . . . . . . . . . . . . . . . . . . . . .
The Weakest Precondition Calculus . . . . . . . . . . . . . . . . . . . . . . . . . . .
Verification Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Some C Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tools Based on Abstract Interpretation . . . . . . . . . . . . . . . . . . . . . . . . .
Tools Based on Hoare Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tools Based on Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Additional References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

496
498
499
499
502
504
505
507
512

515
515
517
518
519
520
520
521

▼ 17 Security Tweaks in the Linux Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

523

Linux Security Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
CryptoAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
NetFilter Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enhanced Wireless Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
File System Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
POSIX Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
NFSv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Additional Kernel Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Man Pages Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Online Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Other References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

524
524
525
525
525

526
526
526
526
526
527


Contents

Part V Appendixes
▼ A Management and Maintenance

..........................................

531

Best Practices Node Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Use Cryptographically Secured Services . . . . . . . . . . . . . . . . . . . . . . .
Prevention Against Brute-Force . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deny All, Allow Specifically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
One-Time Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Automated Scanning Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Lock Out on Too High Fail Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Avoid Loadable Kernel Module Feature . . . . . . . . . . . . . . . . . . . . . . . .
Enforce Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Use sudo for System Administration Tasks . . . . . . . . . . . . . . . . . . . . .
Check IPv6 Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Justify Enabled Daemons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Set Mount and Filesystem Options . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Harden a System Through /proc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hardware Health . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Checking Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Best Practices Network Environment Setup . . . . . . . . . . . . . . . . . . . . . . . . . . .
Ingress and Egress Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Build Network Segments and Host-based Firewalls . . . . . . . . . . . . .
Perform Time Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Watch Security Mailing Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Collect Log Files at a Central Place . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Collect Statistics Within the Network . . . . . . . . . . . . . . . . . . . . . . . . . .
Use VPN for Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Additional Helpful Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Intrusion Detection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Replace Legacy Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
xinetd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
syslog-ng . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
daemontools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Other Service Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Automating System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Perl Scripting Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
cfengine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

532
532
534
534
535
536

536
537
537
537
538
538
539
540
540
542
542
542
542
544
545
545
545
545
546
546
546
547
549
549
549
550
550
550
550
551


▼ B Linux Forensics and Data Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

553

Hardware: The Forensic Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Hardware: Other Valuable Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Software: Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

554
555
556

xxi


Software: Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
So, Where Should You Start From? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Live Investigation/Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Post Mortem Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Handling Electronic Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Legislative Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Definition of Electronic Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Equivalence of Traditional Evidence to Electronic Evidence . . . . . . .
Advantages and Disadvantages of Electronic Evidence . . . . . . . . . .
Working with Electronic Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Requirements That Electronic Evidence Must Fulfill to Be Admitted
in Court . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

▼ C BSD


556
558
558
560
565
565
565
566
566
567
567

...............................................................

569

Overview of BSD Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Security Features Found in All BSDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
securelevel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Security Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sysctl(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
rc.conf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
rc.subr(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
chflags(1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ttys(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sshd_config(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Blowfish Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IPsec(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Randomness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
chroot(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
FreeBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
MAC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
OpenBSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
OpenPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
jail(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VuXML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
portaudit(1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
gbde(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
geli(8) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
NetBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
kauth(9) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
veriexec(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
pw_policy(3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
fileassoc(9) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Audit-Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

570
571
572
572
572
574
574
575
575
576
576

577
577
577
577
578
578
578
578
579
579
579
580
581
581
581
581
582
582
582
582


Contents



cgd(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clockctl(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
OpenBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ProPolice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

W^X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
systrace(1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Encrypted Swap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
pf(4) Firewall Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
BSD Security Advisories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Additional BSD Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Online Man Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Online Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

583
583
583
583
584
584
584
584
587
588
588
588
589

Index

591

...............................................................


xxiii


This page intentionally left blank


×