Patrick Boucher

Patrick Boucher is a senior security consultant for Gardien Virtuel. Patrick has many years of experience with ethical hacking, security policy, and strategic planning such as disaster recovery and continuity planning. His clients include many Fortune 500 companies, financial institutions, telecommunications companies, and SMEs throughout Canada. Patrick holds the CISSP and CISA certifications.


For more information about this title,

CONTENTS

Foreword xxv

Acknowledgments xxvii

Introduction xxix

Part I Security and Controls

▼ 1 Applying Security

Case Study

Free from Risk

The Four Comprehensive Constraints

The Elements of Security

Summary

▼ 2 Applying Interactive Controls

Case Study

The Five Interactive Controls

Summary

▼ 3 Applying Process Controls

Case Study

The Five Process Controls

Summary

Part II Hacking the System

Case Study

Physical Access to Linux Systems

Console Access

Privilege Escalation 52

Sudo 53

File Permissions and Attributes 62

Chrooting 73

Physical Access, Encryption, and Password Recovery 80

Volatile Data 83

Summary 85

▼ 5 Data Networks Security 87

Case Study 88

Network Visibility 89

Network and Systems Profiling 94

Network Architecture 99

Covert Communications and Clandestine Administration 107

Summary 121

▼ 6 Unconventional Data Attack Vectors 123

Case Study 124

Overview of PSTN, ISDN, and PSDN Attack Vectors 127

Introducing PSTN 128

Introducing ISDN 129

Introducing PSDN and X.25 130

Communication Network Attacks 131

Tests to Perform 139

PSTN 139

ISDN 140

PSDN 140

Tools to Use 142

PAW and PAWS 143

Intelligent Wardialer 143

Shokdial 146

ward 147

THCscan Next Generation 149

PSDN Testing Tools 150

admx25 150

Sun Solaris Multithread and Multichannel X.25 Scanner by Anonymous 150

vudu 150

TScan 151

Common Banners 151

How X.25 Networks Work 157

Basic Elements 157

Call Setup 159

Error Codes 159

X.3/X.28 PAD Answer Codes 159

X.25 Addressing Format 162

DCC Annex List 164

Key Points for Getting X.25 Access 173

X.28 Dialup with NUI 173

X.28 Dialup via Reverse Charge 174

Private X.28 PAD via a Standard or Toll-Free PSTN or ISDN Number 174

Internet to X.25 Gateways 175

Cisco Systems 175

VAX/VMS or AXP/OpenVMS 175

*NIX Systems 176

Summary 176

Case Study 180

VoIP Attack Taxonomy 182

Network Attacks 186

System Attacks 189

Signaling Attacks 197

Introduction to VoIP Testing Tools 198

Transport Attacks 207

VoIP Security Challenges 211

Firewalls and NAT 211

Encryption 212

Summary 213

▼ 8 Wireless Networks 215

Case Study 216

The State of the Wireless 219

Wireless Hacking Physics: Radio Frequency 225

RF Spectrum Analysis 238

Exploiting 802.11 The Hacker Way 240

Wireless Auditing Activities and Procedures 251

Auditing Wireless Policies 251

Summary 279

▼ 9 Input/Output Devices 281

Case Study 282

About Bluetooth 283

Bluetooth Profiles 284

Entities on the Bluetooth Protocol Stack 286

Summary 294

▼ 10 RFID—Radio Frequency Identification 295

Case Study 296

History of RFID: Leon Theremin and "The Thing" 297

Identification-Friend-or-Foe 298

RFID Components 299

Purpose of RFID 299

Passive Tags 300

Active Tags 300

RFID Uses 301

RFID-Enabled Passports 301

Ticketing 303

Other Current RFID Uses 303

RFID Frequency Standards 303

RFID Technology Standards 304

RFID Attacks 305

RFID Hacker's Toolkit 311

Implementing RFID Systems Using Linux 311

RFID Readers Connected to a Linux System 311

RFID Readers with Embedded Linux 312

Linux Systems as Backend/Middleware/Database Servers in RFID Systems 312

Linux and RFID-Related Projects and Products 313

OpenMRTD 313

OpenPCD 313

OpenPICC 315

Magellan Technology 315

RFIDiot 316

RFID Guardian 316

OpenBeacon 316

Omnikey 316

Linux RFID Kit 316

Summary 318

▼ 11 Emanation Attacks 321

Case Study 322

Van Eck Phreaking 323

Other "Side-Channel" Attacks 326

Summary 330

▼ 12 Trusted Computing 331

Case Study 332

Introduction to Trusted Computing 334

Platform Attack Taxonomy 340

Hardware Attacks 344

Low-Level Software Attacks 347

System Software Attacks 351

Application Attacks 353

General Support for Trusted Computing Applications 355

TPM Device Driver 356

TrouSerS 356

TPM Emulator 358

jTSS Wrapper 358

TPM Manager 358

Examples of Trusted Computing Applications 359

Enforcer 359

TrustedGRUB (tGrub) 359

TPM Keyring 359

Turaya.VPN and Turaya.Crypt 359

Open Trusted Computing 360

TCG Industrial Applications 361

Summary 361

Part III Hacking the Users

▼ 13 Web Application Hacking 365

Case Study 366

Enumeration 367

Access and Controls Exploitation 375

Insufficient Data Validation 385

Web 2.0 Attacks 395

Trust Manipulation 406

Trust and Awareness Hijacking 406

Man-in-the-Middle 413

Web Infrastructure Attacks 422

Summary 428

Case Study 430

SMTP Basics 431

Understanding Sender and Envelope Sender 434

Email Routing 435

SMTP Attack Taxonomy 438

Fraud 439

Alteration of Data or Integrity 458

Denial of Service or Availability 463

Summary 468

Case Study 470

DNS Basics 471

DNS and IPv6 475

The Social Aspect: DNS and Phishing 475

WHOIS and Domain Registration and Domain Hijacking 476

The Technical Aspect: Spoofing, Cache Poisoning, and Other Attacks 478

Bind Hardening 481

Summary 492

Part IV Care and Maintenance

▼ 16 Reliability: Static Analysis of C Code 495

Case Study 496

Formal vs. Semiformal Methods 498

Semiformal Methods 499

Formal Methods 499

Static Analysis 502

C Code Static Analysis 504

Analyzing C Code Using Hoare Logics 505

The Weakest Precondition Calculus 507

Verification Conditions 512

Termination 515

Methodology 515

Some C Analysis Tools 517

Tools Based on Abstract Interpretation 518

Tools Based on Hoare Logics 519

Tools Based on Model Checking 520

Additional References 520

Summary 521

▼ 17 Security Tweaks in the Linux Kernel 523

Linux Security Modules 524

CryptoAPI 524

NetFilter Enhancements 525

Enhanced Wireless Stack 525

File System Enhancement 525

POSIX Access Control Lists 526

NFSv4 526

Additional Kernel Resources 526

Man Pages Online 526

Online Documentation 526

Other References 527

Appendixes

▼ A Management and Maintenance 531

Best Practices Node Setup 532

Use Cryptographically Secured Services 532

Prevention Against Brute-Force 534

Deny All, Allow Specifically 534

One-Time Passwords 535

Automated Scanning Techniques 536

Lock Out on Too High Fail Count 536

Avoid Loadable Kernel Module Feature 537

Enforce Password Policy 537

Use sudo for System Administration Tasks 537

Check IPv6 Status 538

Justify Enabled Daemons 538

Set Mount and Filesystem Options 539

Harden a System Through /proc 540

Passwords 540

Hardware Health 542

Checking Log Files 542

Best Practices Network Environment Setup 542

Ingress and Egress Filtering 542

Build Network Segments and Host-based Firewalls 544

Perform Time Synchronization 545

Watch Security Mailing Lists 545

Collect Log Files at a Central Place 545

Collect Statistics Within the Network 545

Use VPN for Remote Management 546

Additional Helpful Tools 546

Intrusion Detection Systems 546

System Monitoring 547

Replace Legacy Applications 549

xinetd 549

syslog-ng 549

daemontools 550

Other Service Management Tools 550

Automating System Administration 550

Perl Scripting Language 550

cfengine 551

▼ B Linux Forensics and Data Recovery 553

Hardware: The Forensic Workstation 554

Hardware: Other Valuable Tools 555

Software: Operating System 556

Software: Tools 556

So, Where Should You Start From? 558

Live Investigation/Acquisition 558

Post Mortem Analysis 560

Handling Electronic Evidence 565

Legislative Regulations 565

Definition of Electronic Evidence 565

Equivalence of Traditional Evidence to Electronic Evidence 566

Advantages and Disadvantages of Electronic Evidence 566

Working with Electronic Evidence 567

Requirements That Electronic Evidence Must Fulfill to Be Admitted in Court 567

Overview of BSD Projects 570

Security Features Found in All BSDs 571

securelevel 572

Security Scripts 572

sysctl(8) 572

rc.conf 574

chflags(1) 575

sshd_config(5) 576

Blowfish Support 576

System Accounting 577

Randomness 577

chroot(8) 577

FreeBSD 578

ACLs 578

MAC Policies 578

OpenBSM 578

OpenPAM 579

VuXML 579

portaudit(1) 580

NetBSD 581

veriexec(4) 582

pw_policy(3) 582

fileassoc(9) 582

Audit-Packages 582

clockctl(4) 583

OpenBSD 583

ProPolice 583

W^X 584

systrace(1) 584

Encrypted Swap 584

pf(4) Firewall Features 584

BSD Security Advisories 587

Additional BSD Resources 588

Online Man Pages 588

Online Documentation 588

Books 589
