Security Warrior
Further information about this book: Table of Contents | Index | Sample Chapter | Colophon | Reviews
First Edition, January 2004
ISBN 978-0-596-00545-0
Index
Symbols
$ (dollar sign), 380
# (hash mark) .gdbinit comment, 44
Numbers
802.11 standards, 394
802.11b standard, 394
channel capacity, 398
911 virus, 406
A
access control lists (ACLs), 263
access point (AP) antenna placement, 394
ACLs (access control lists), 263
active attacks, 202
active fingerprinting, 229
active reconnaissance, 219-224
email, 219
FTP, 221
stealth, 221
web site analysis, 220
Address Resolution Protocol (ARP), 185
addressing, 7
adore LKM, 504
Advanced eBook Processor (AEBPR), 10
Advanced RISC Machine (see ARM)
AEBPR (Advanced eBook Processor), 10
afio tool, 269
AIDE, 429, 476
airborne viruses, 404-407
Airscanner Mobile AntiVirus Pro, 408
Airscanner Mobile Sniffer, 399
ALTER command, 378
AND, OR, NOT modifier commands, 378
anomaly detectors, 430
anonymizer services, 222
antenna configuration for wireless security, 394-396
antidebugging, 69-72
antidisassembly, 72-74
anti-forensics (see forensics countermeasures)
anti-IDS (AIDS), 437
Apache, 279
access control, 290
application crashing, 325
application logs, sanitizing, 239
Arithmetic Shift Left (ASL), 130
Arithmetic Shift Right (ASR), 130
Arkin, Ofir, 232
ARM (Advanced RISC Machine), 124-130
NOP vs. UMULLSS command, 136
opcodes, 125
registers, 124-126
ARP (Address Resolution Protocol), 185
ARP spoofing, 185
ASM (assembly language), 3
ASM opcodes, 7
ASP (Active Server Pages), 379
AsPack, 19
assembly language
processor types and, 124
assembly language (ASM), 3
assembly language markers, 64
attacks
ARP spoofing, 185
boot prompt attacks, 300
covert channels, 188
DoS (denial-of-service), 321
Unix, 321-328
evidence, removing (see hiding)
exploiting fragments, 193
honeypots, capturing with (see honeypots;honeynets)
intrusion detection system hacking, 436-437
fragmentation, 436
integrity checkers, 437
protocol mutation, 437
spoofing, 436
IP spoofing, 182
Palm OS viruses, 406
password attacks, 301-303
passwords, dictionary attacks on, 260
path abuse, 301
phf exploit, 430
postattack cleanup, 237-248
reconnaissance (see reconnaissance)
recovery from, 476
resource exhaustion (Unix), 323
screensaver attacks, 301
social engineering (see social engineering)
SQL injection (see SQL injection attacks)
SUID, 303
Unix, on (see Unix attacks)
WEP (see WEP)
wireless sniffing, 398-401
keystream extraction, 400-401
WU-FTP exploit, 500
audit logfiles (see log analysis)
Authentication Service (AS), Kerberos, 351
autoclave bootable floppy system, 244
awatch watchpoints, 41
AX (accumulator) register, 4
B
B (Branch) opcode, 126
backdoor sshd, 503
backtrace command (gdb), 38
backups, 268
backups and file recovery, 476
BalabIT, 414
.bash_history, 240
Bastille, 281
Bastille Linux, 454
Bayes theorem, 431
Bayesian analysis, 431-436
accuracy, 433
balancing sensitivity and specificity, 431
likelihood ratios, 435
predictive value, 435
sensitivity, 432
specificity, 433
Beale, Jay, 454
bfd_map_over_sections( ), 96
Biatchux CD-ROM, 487
biew hex editor, 34
big endian format, 173
binary symbols, listing, 34
BIND (Berkeley Internet Name Domain)
access controls, 288
BIOS passwords, 278
BL (Branch with Link) opcode, 126
Blue Screen of Death, 332
boot prompt attacks, 300
bootable CD-ROMs, 487-491
BOOTP, 186
bounds checking, 161, 168
Branch (B) opcode, 126
Branch with Link (BL) opcode, 126
break command, 40
breakpoints (gdb), 39-42
BSD process accounting facility, 418
buffer overflows, 136, 161-165
example crackme, 168-175
payloads, 165
byte order reversal, 173
preventing, 167-168
buffers, 163
BX (BP) (base) register, 4
byte order reversal, 173
C
C++ programming language
susceptibility to buffer overflows, 161
canonicalization, 372
Carrier, Brian, 505
CD-ROMs
bootable, 487-491
Cesare, Silvio, 251
chargen, security risks, 309
checksums, 397
chkrootkit, 249, 429, 471
chmod command, 262
chroot command, 304
cipher.exe utility, 364
cloak tool, 242
CMP (Compare) opcode, 128, 134
Cohen, Fred, 490
commands command, 40
Common Criteria, 271
Compare opcode (see CMP)
computer forensics (see forensics)
condition command, 39
connection laundering, 315
contact chains, 207
context macro, 44-47
coordinated DoS, 328
CORE SDI, 265, 414
Core Security Technologies, 357
covert channels, 188
maintenance, 248-254
methods, 252
covert logging, 416
CPU hogging, 323
cracklib, 260
crackmes, 24
CREATE command, 378
cross-domain network access, 353
CS (code segment), 5
Ctrl-z (SIGSTOP), 42
CX (count) register, 4
cygwin, 230
D
DAC (discretionary access control), 261
daemon security (Unix), 278
DARPA (Defense Advanced Research Projects Agency), 179
data erasure tools, 243-246
data packets (TCP/IP), 180
data recovery
legal considerations, 484
databases, 377
attacks on (see SQL injection attacks)
design errors, finding, 385
shells, 379
usage by web sites, 379
dd command, 500
dd tool, 269
debug registers, Intel processors, 85
debug traps, 81
debuggers, 16-17
debugging
gdb (see gdb)
ptrace (see ptrace)
deception network, 453
"decrypt-except" signature transform, 370
DeepSight Analyzer, 423
Defense Advanced Research Projects Agency (DARPA), 179
defragmenting, 480
Deletang, Frederic, 331
DELETE command, 378
DES algorithm, 259
DHCP, 186
DI (destination) register, 5
dictionary attacks, 260
differential power analysis, 363
Digital Millennium Copyright Act (DMCA), 9
directional antennas, 395
directory traversal, 437
dis-asm.h, 101
disassemble_info structure, 101
disassemblers, 11-15
Linux, 51
disassembly
identifying functions, 54
prologue and epilogue, 54
intermediate code generation, 55-64
libopcodes, using, 101-116
Linux
static linking and, 72
program control flow, 64-68
writing tools for, 74-116
discretionary access control (DAC), 261
disk cloning, 483
disk imaging, 484
Disk KEK, 366
display command, 40
Dittrich, Dave, 327
DMCA (Digital Millennium Copyright Act), 9
DMZ, 498
DNS, 279
access controls, 288
DNS (Domain Name Service)
security risks, 311, 317
domain restriction, 290
DoS (denial-of-service) attacks, 321
Unix, 321-328
application-level DoS, 328
coordinated denial of service, 328
distributed DoS attacks, 326
local resource attacks, 322
reflexive DoS, 328
Windows clients, 329-339
help center attacks, 336-339
SMB (Server Message Block) attack, 330-333
UPnP (Universal Plug and Play) attacks, 333-??
DOS MZ header, 20
DOS stub, 20
DPAPI RA, 364
DROP command, 378
DS (data segment), 5
Dshield.org, 423
dsniff, 398
dsniff toolkit, 268
dump tool, 269
dumpster-diving, 224
DX (data) register, 5
E
e2undel, 477
EEPROM (electrically erasable programmable read-only memory) trapping, 361
EFS (Encrypting File System), 363-365
data recovery, 364
password reset issue, 364
user interaction, 363
Elcomsoft, 10
ELF (Executable and Linkable Format), 74-81
dt_tag field, 76
Dynamic String and Dynamic Symbol tables, 77
headers, 74
identification, 74
program headers, 75
PT_DYNAMIC segment, 76
removed headers, 74
sample reader, 77-81
section headers, 75
embedded IDS, 438
embedded operating systems software, reverse engineering, 118
(see also Windows CE)
encapsulation (TCP/IP), 179
Encryption Plus Hard Disk, 365-367
Authenti-Check, 366
component names, function names, role names, 365
installation and updating, 367
local and corporate administrator recovery, 366
One-Time Password, 366
Single Sign-On, 367
user configuration options, 367
end-user license agreement (EULA), 9
ES (extra segment), 5
Ethereal, 190, 400
EULA (end-user license agreement), 9
Evidence Eliminator, 491-498
browser garbage cleaning, 494-498
Netscape Navigator, 496-498
chat logs, 494
clipboard wiping, 494
swap file wiping, 493
temporary files cleaning, 494
Windows Registry Streams wiping, 494
Executable and Linkable Format (see ELF)
Execute In Place (XIP), 121
F
Farmer, Dan, 267
FD (File Descriptor) field, lsof output, 48
file attributes (Unix), 264
file permissions (Unix), 261
file traces, 243
file(1) command, 36
filemon, 17
files
recovery of deleted data, 476
filesystem permissions, 273
filesystems, 480
finger service, security risks, 312
fingerprints (XML signatures), 372
finish command, 42
FIRE (Forensic and Incident Response Environment) CD-ROM, 487
firewalls
host-based, 295-298
stateful vs. stateless, 430
first in, last out, 6
Fleischmann, Stefan, 482
FLIRT (Fast Library Identification and Recognition Technology) signatures, 12
FOR loops, 65
foremost, 507
forensic traces, eliminating, 243-248
forensics, 479
bootable CD-ROMs, 487-491
case study, 498-507
DMZ, 498
incident, 499
investigation, 500-507
logging, 501
network structure, 498
hardware employed for, 479-481
hard drives, 480
RAM, 480
information detritus, 481
tools, 482-487
WinHex, 482-487
forensics countermeasures, 491-498
Evidence Eliminator, 491-498
ForensiX CD-ROM, 490
fork bombs, 324
fprintf( ), 103
fragmentation, 192, 436
fragmentation variables, 193
Fragroute, 196
frames, function, 165
+Fravia, 11
free space, 485
FTP, 279
security risks, 309
FTP site reconnaissance, 221
functions
frames, 165
generating signatures for (Linux), 73
identifying, 54
signature collisions, 73
fuzzy operating system fingerprinting, 232-234
Fyodor, 226
G
gateway IDS, 450
gdb (GNU debugger), 36-47
backtrace command, 38
breakpoint support, 39-42
config file (.gdbinit), 43
context macro, 44-47
disassemble, p and x commands, 37
display command, 40
hardware debug register support or lack of, 41
help info command, 37
hexdump macro, 44
info command, 37
info frame command, 38
info registers command, 38
ptrace (see ptrace)
reg macro, 44
SIGSTOP, 42
standard process control instructions, 38
watchpoints, 41
GenI honeypot, 450
GenII honeypot, 450
geometric display of data, 440
getfacl command (Solaris 8), 263
GNU BFD (Binary File Descriptor) library, 93-101
file formats, 93
initializing, 94
GNU binutils package, drawbacks, 73
GNU development tools, 34
Granger, Sarah, 200
GWES (Graphics, Windowing, and Event Subsystem), 122
H
hard drives
filesystems, 480
wiping tools, 491
hard reboot, 122
hardening, 272
automation via scripts, 280-285
kernel-level, 282
hardware reverse engineering, 361
hash algorithms, 260
hbreak command, 40
HCP (Help Center Protocol), Windows systems, 338
header chaining, 188
heads, 480
heap overflows, 166
heaps, 166
Help Center program, Windows XP clients, 336
help info command (gdb), 37
hex dumping, Linux, 52-54
hex editors, 11
hexdump macro, 44
hexdump program, 53
hexedit hex editor, 34
hiding, 236-254
covert channels
maintenance, 248-254
forensic traces eliminating, 243-248
postattack cleanup, 237-248
post-cleanup file traces, 243
rootkits, functioning of, 249
target assessment, 236
High Cracking University (+HCU), 11
.history, 240
Hogwash, 450
honeyd, 448
Honeynet Project, 447
honeynets, 447
assembly prior to network connection, 458
building, 452
capturing attacks, 458
installing the OSs, 453
planning, 449-452
victim machine installation, 457
virtual environments, 449
honeypots, 447-459
motivation for deployment, 448
purpose, 448
research vs. production honeypots, 448
Windows, problems deploying, 451
horizontal port scans, 475
host command, 213
host IDSs, 426-429
integrity monitors, 428
logfile monitors, 426-428
host restriction, 290
host-based firewalls, 295-298
hosts.allow, 286
hosts.deny, 286
hping, 194
HTTP
security risks, 312
HTTPS, security risks, 314
human reconnaissance, 223
I
ICE-86, 16
ICMP (Internet Control Message Protocol), 185
ICMP "telnet" covert channel, 252
IDA Pro, 11
disassembly options, 13
processor-specific parameters, 12
Ident fingerprinting, 229
identd, security risks, 313
IDS (intrusion detection systems), 266
IDSs (intrusion detection systems), 425-446
attacks against, 436-437
fragmentation, 436
integrity checkers, 437
protocol mutation, 437
spoofing, 436
Bayesian analysis, 431-436
accuracy, 433
balancing sensitivity and specificity, 431
likelihood ratios, 435
predictive value, 435
sensitivity, 432
specificity, 433
deployment issues, 444-446
top five mistakes, 444
future development, 438-440
embedded IDS, 438
strict anomaly detection, 439
visual display of data, 440
gateway IDS, 450
host IDSs, 426-429
CD-ROMs, usage in, 429
integrity monitors, 428
logfile monitors, 426-428
IDS rule tuning, 444
limitations and vulnerabilities, 431
network IDSs (NIDSs), 429-431
anomaly detectors, 430
signature matchers, 429
Snort IDS case study, 440-444
stateful vs. stateless, 430
IF-ELSE statements, 66, 68
IMAP, security risks, 314
import tables, 20
In Control 5, 22
incident case, 462
incident report, 462
incident response, 460-478
aggressive response, 476
definition, 461
framework (see incident response framework)
importance of backups, 476
incident identification, 475
integrity-checking programs, 476
large networks, 474-475
cost effectiveness, 474
diagnostic tools, 474
medium-size networks, 472-474
audit trail, 473
logging tools, 473
recovery, 476
SANS six-step incident response methodology, 463
small networks, 467-472
best practices, 468
Linux tools, 469
Windows 95/98/Me diagnostics (WinTop), 469
Windows NT/2000/XP tools, 469
incident response framework, 463-467
containment, 465
eradication, 465
follow-up, 466
identification, 464
preparation, 464
recovery, 466
integrity checkers
attacks against, 437
inetd.conf, 267, 278, 279, 286
info command (gdb), 37
info frame command (gdb), 38
info registers command (gdb), 38
information detritus, 481
initialization vectors (IVs), 397, 401
IV collision, 401
INSERT command, 378
insn_list.pl, 60
insn_output.pl, 62-64
insn_xref.pl, 61
install managers, 22
instruction sets, 8
int_code.pl, 55-??
integrity checking software, 250
integrity monitors, 428
Intel processors
debug registers, 85
intermediate code, 55-64
Internet Control Message Protocol (ICMP), 185
Internet Protocol (IP), 182
Internet protocols (see TCP/IP)
intrusion detection systems (IDS), 266
intrusion detection systems (see IDSs)
IP (instruction pointer), 5
IP (Internet Protocol), 182
IPv4 packet format, 183-184
IP spoofing, 182
ipchains, 296
IPSec, 438
iptables, 296
IPv6, 188-190
addressing, 189
header chaining, 188
security, 189
IRC, security risks, 316
J
John the Ripper password cracker, 260
K
KDC (Key Distribution Center), 351
Kerberos protocol, 351
KDC (Key Distribution Center), 351
preauthentication, 355
timestamp decryption, 355-356
principals, 351
referrals, 353
weaknesses, 354-356
kernel processes, Windows CE, 120
kernel-level hardening, 282
Key Distribution Center (see KDC)
key scheduling algorithm (KSA), 397
Kismet, 399
Kiwi Syslog, 419
klogd, 412
L
LDR/STR (Load/Store) opcode, 128
lease period, 186
Liberty Crack Trojan, 407
libopcodes, 101-116
library Trojan kits, 251
libwrap.so system library, 287
Light, Steve, 364
light-induced voltage alteration, 361
LIKE modifier command, 378
Linux
Bastille, 281
debugging (see gdb; ptrace)
disassemblers, 51
ELF (see ELF)
GNU development tools, 34
hex dumps, 52-54
iptables and ipchains, 296
reverse code engineering, 33-116
antidebugging, 69-72
antidisassembly, 72-74
disassembly tools, writing, 74-116
problem areas, 69-74
runtime monitoring, 47-51
lsof utility, 48-50
ltrace utility, 50
sys_ptrace, 84
Linux HOWTOs, 275
Litchfield, David, 356
little endian format, 173
LKM (Loadable Kernel Module), 249
Load String system call, 133
Load/Store (LDR/STR) opcode, 128
local DoS resource attacks (Unix), 322
log analysis, 410-423
aggregation, 421
challenges, 422
correlation, 411
covert logging, 416
sniffers, 417
global log aggregation, 423
integration of Windows into Unix logging framework, 419
kernel logging, 412
log overflow, 421
logfile types, 410
loggable events, 419
process accounting, 418
SIM (Security Information Management) tools, 422
Unix, 411-415
remote logging, 412
utilization of log data, 420
Windows, 416
logcheck, 473
logfile monitors, 426-428
logfiles
identification, 238
post-cleanup file traces, 243
sanitizing, 237-242
application logs, 239
editing tools, 239
Unix binary logs, 241
Unix shell history, 240
logging
remote logging, 265
logging servers, 265
Logical Shift Left LSL, 130
Logical Shift Right LSR, 130
login records, 241
logsurfer, 473
logwatch, 266, 473
low-energy charge induced voltage alteration, 361
lsof utility, 48-50
ltrace utility, 50
M
MAC (Media Access Control) addresses, 398
"Magic" packet-activated backdoor, 253
mail servers, identifying, 219
malicious code, reverse engineering, 28-31
malloc( ) bombs, 323
ManTrap, 450
Maximum Transmission Unit (MTU), 183
MD5 algorithm, 259
Meade, Ian, 11
MessageBoxW system call, 133
Microsoft
SOAP (see SOAP)
Microsoft SQL server vulnerabilities, 385
Microsoft Word forensics, 217
mirrors, 483
MOV (Move) opcode, 127
Move opcode (see MOV)
M-SEARCH directive, 333
Mstream, 327
msyslog, 414
MTU (Maximum Transmission Unit), 183
Muad'Dib's Crackme #1, 24-28
MULTICS OS, 257
mutual authentication, 351
MVC (eMbedded Visual C++), 143-145
Call Stack windows, 143
"Hello World" program, 131
Modules window, 144
Registers screen, 143
test.exe, reverse engineering with, 144-145
MVT (eMbedded Visual Tools), 125, 141-143
device emulator, 132
MyNetWatchMan, 423
MySQL database server, security risks, 316
N
ncftp, 502
Netcraft.com, 223
netForensics, 423
NetScanTools Pro, 216
Network File System (NFS), 268
network IDSs (NIDSs), 429-431
anomaly detectors, 430
signature matchers, 429
Network Information Services (NIS), 268
network stalking, xv
Network Time Protocol (NTP), security risks, 313
NFS (Network File System), 268
security risks, 315, 318
ngrep, 417
NIS (Network Information Services), 268
nm system utility, 34
symbol scope, 35
symbol types, 35
Nmap, 194, 226-228
countermeasures to, 228
techniques, 227
NNTP, security risks, 313
no-listener (sniffer-based) backdoor, 253
NOP (nonoperation) sliding, 136
NOTIFY directive, 339
NOTIFY signal, 333
npasswd tool, 275
nslookup command, 213
NTP (Network Time Protocol), security risks, 313, 317
O
objdump utility, 51
object store, 122
od (octal dump) program, 52-54
O'Dwyer, Frank, 354
Old Red Cracker (+ORC), 11
One-Time Password (EP Hard Disk), 366
online reconnaissance, 212-223
opcode patching, 11
opcodes, 7
opcodes (operation codes), 125
Open Source Security Testing Methodology Manual (OSSTMM), 201
OpenSSH access control, 290
(see also SSH)
operating systems
fingerprinting (see OS fingerprinting)
Orange Book, 271
OS fingerprinting, 225-234
active fingerprinting, 229
Ident fingerprinting, 229
Nmap, 226-228
countermeasures, 228
techniques, 227
passive fingerprinting, 229
p0f (passive OS fingerprinting tool), 229-232
RING tool, 234
special purpose tools, 229
TCP stack fingerprinting, 226-229
TCP/IP timeout detection, 234
TSN (telnet session negotiation), 225
XProbe, 232-234
fuzzy matching system, 233
OSSTMM (Open Source Security Testing Methodology Manual), 201
overflow attacks, 161-175
buffer overflows (see buffer overflows)
P
packers, 19
packet analysis, 191
packet format, IPv4, 183-184
packet fragmentation, 183, 192
exploitation of, 193
Nmap, using, 194
variables, 193
packet keys, 396
packet sniffing, 190
packet splitting, 436
page files, 493
Palm OS viruses, 406
Liberty Crack Trojan, 407
Phage virus, 405, 407
passive attacks, 202
passive fingerprinting, 229
passive reconnaissance, 212-219
tools, 213-219
password attacks, 301-303
password crackers
TSCrack program, 345
password shadowing, 302
password-guessing attacks, 354
passwords, 275
BIOS passwords, 278
path abuse, 301
payloads, 165
byte order reversal, 173
PE header, 20
PE loader, 20
PE (Portable Executable) file format, 19
sections, 20
penetration testing, 201
permanent data reservoir (RAM), 481
personal firewalls, 21
Phage virus, 405
phf exploit, 430
PHP, 379
PHP-Nuke application, 390-393
defense examples, 392
example attacks, 391
installation, 390
PHP-Nuke web site framework, 379
physical sector copies, 483
ping command, 185
PINs (smart cards), 360
PKI (Public Key Infrastructure), 359
PKINIT, 354
platform attacks, xv
platters, 480
Pocket PC, vulnerability to viruses, 405
p0f (passive OS fingerprinting tool), 229-232
POP3 (Post Office Protocol Version 3), security risks, 312
Portable Executable (PE) file format, 19
Portmapper, security risks, 313
ports, security aspects of, 307-321
most-attacked Unix ports, 320
TCP, 308-317
UDP, 317-318
postattack cleanup, 237-248
power consumption analysis, 362
prevention-detection-response, 462
principals, 351
printer daemon, security risks, 315
prism-getIV.pl, 402
ProcDump, 20
process accounting, 266, 418
process audit records, 241
process control instructions (gdb), 38
processors
ARM processor (see ARM)
assembly language and, 124
Windows CE, supported by, 119
production honeypots, 448
program control flow, 64-68
programming languages
buffer overflows, 161
programming languages, choice of, 123
protocol mutation, 437
Provos, Niels, 448
ps command, 469
pseudorandom generation algorithm, 397
ptrace, 81-93
breakpoints and, 83
debug registers, implementing, 86
functions, 82
hostile binaries and, 69
process monitoring, 92
PTRACE_PEEKUSER and PTRACE_POKEUSER, 85
PTRACE_SYSCALL, 92
wrapping with kernel modules, 70
public Internet terminals, 223
public web proxies, 221
pwconv command, 275
R
radio frequency signal drift, reducing, 394-396
RADIUS (remote authentication dial-in user service), 403
Rain Forest Puppy, 381
RAM (Random Access Memory), 121, 480
RAM types, 481
rapport, 209
RARP (Reverse Address Resolution Protocol), 186
RC4 algorithm, 396
RCE (reverse code engineering), xv, 9
embedded operating systems (see Windows CE)
history, 10
legality, 33
Linux, 33-116
antidebugging, 69-72
antidisassembly, 72-74
disassembly tools, writing, 74-116
problem areas, 69-74
serial.exe (see serial.exe, reverse engineering)
test.exe, using MVC, 144-145
Windows CE (see Windows CE)
Windows code tools, 11-23
debuggers, 16-17
disassemblers, 11-15
hex editors, 11
install managers, 22
personal firewalls, 21
system monitors, 17-19
unpackers, 19-21
Windows examples, 23-31
malicious binaries, 28-31
Muad'Dib's Crackme #1, 24-28
realms (Kerberos), 353
receiver operating characteristic (ROC) curve, 434
reconnaissance, 212-224
active, 219-224
email, 219
FTP, 221
stealth, 221
web site analysis, 220
evidence left by, 238
human, 223
online, 212-223
passive, 212-219
tools, 213-219
web searching, 216
Recourse Man Trap, 450
recover, 477
Recovery Agents (RAs), 364
reflexive denial of service, 328
reg macro, 44
registers, 4
ARM processor, description of, 124-126
Registry system call, 133
regmon, 17
relational databases (see databases)
remote assistance (Windows), 346
Remote Desktop (Windows), 343
remote root shells, 308
research honeypots, 448
resource consumption, 325
resource exhaustion attacks, 323
Reverse Address Resolution Protocol (RARP), 186
reverse code engineering (see RCE)
reverse shell/telnet covert channel, 252
reverse tunneled shell covert channel, 253
RING tool, 234
risk analysis, 209
rlogin, security risks, 314
Rogue, 323
ROM (Read Only Memory), 121
root, 258
root servers, 213
rootkits, 248-254
commonly replaced binaries, 248
LKM kits, 249
methodologies of, 249
sniffers, 292
Rotate Right Extended (ROR), 130
routing protocols, 291
RPC
security risks, 313
RPC attacks, evidence, 238
rsh, security risks, 314
runtime monitoring
Linux and Unix, 47-51
rwatch watchpoints, 41
S
salt, 259
Samspade.org, 216
SANS Dshield.org, 423
Sanfilippo, Salvatore, 194
SANS
six-step incident response methodology, 463
SANS "The Twenty Most Critical Internet Security Vulnerabilities", 319
scheduler, Windows CE, 120
screensaver attacks, 301
search engines, 216
section tables, 20
sections, 20
sectors, 480
secure wiping utilities, 481
security event, 461
security event correlation, 465
security incident, 461
security response, 462
segment regeneration, 234
SELECT command, 378
Sendmail
access control, 289
sendmail, 279
sequential disassemblers, 54
sequential port scans, 475
serial number cracking, 133-135
(see also serial.exe, reverse engineering)
serial.exe, reverse engineering, 147-159
debugging, 150
loading to a disassembler, 147
step-through investigation, 151
(see also Windows CE)
setfacl command (Solaris 8), 263
SGI machines, security risks, 308
SGID bit, 262
SGID (Set Group ID), 274
Shadow Password Suite, 275
Shaft, 327
shifting operations opcodes, 130
shoulder surfing, 300
shred tool, 244
shroud tool, 242
SI (source) register, 5
signal drift, reducing, 394-396
signature collisions, 73
signature matchers, 429
SIGSTOP, 42
SIM (Security Information Management) tools, 422
Sklyarov, Dmitry, 10
slack space, 485
smart cards, 360
hacking, 360-363
reverse engineering, 361
SMB network services, security risks, 314
SMB (Server Message Block) attack, 330-333
SMB (Server Message Block) protocol, 330
SMB_COM_TRANSACTION command, 331
smbnuke, 331
SMS (short messaging service) vulnerabilities, 407
SMTP protocol server, security risks, 310
sniffers, 292, 417
Snort, 429
case study, 440-444
machine and OS requirements, 440
system setup, 441-443
configuration for a honeypot, 456
SOAP (Simple Object Access Protocol), 369
web services security, 369-373
Xenc (XML Encryption), 369
social engineering, 199-211
action plans, 206-208
attacks, passive and active, 202
contact chains, 207
definitions, 200
information collection template, 208
methodologies, 202-206
risk analysis, 209
subroutines or shortcuts, 210
targeting, 202
SOCKS proxy port, security risks, 315
SoftICE, 16-17
breakpoints, 515
commands, 511-515
advanced, 512
backtrace commands, 514
basic, 511
customization, 513
mode control, 513
special operators, 515
symbol/source commands, 514
Window commands, 514
Window control, 514
software development
programming languages, choosing, 123
Song, Dug, 268
source routing, 291
SP (stack pointer) address, 5
Spitzner, Lance, 447
spoofing, 436
SQL, 377-??
ANSI standards, 377
commands, 378-379
modifier commands, 378
SQL injection attacks, 377-393
attack types, 381-385
authentication bypass, 383
database modification, 384
unauthorized data access, 381-383
basic attack strings, 386
defenses, 386-390
coding defenses, 389
external defenses (application blocking), 388
filters, 389
obfuscation, 387
PHP-Nuke application, 390-393
defense examples, 392
example attacks, 391
installing, 390
prevention, 385-390
SQL injection, 380
Squid web proxies, security risks, 315
SS (stack segment), 5
sscan, 308
SSDP (Simple Service Discovery Protocol), 333
SSH
securing from abuse, 277
ssh covert channel, 252
SSH (Secure Shell), 280, 293-295
access control, 290
security risks, 310
SSL (Secure Sockets Layer), 404
Stacheldraht, 327
stack, 6
static linking and disassembly, 72
stealth interface, 454
sterilize tools, 457
strcmp (string comparison) instruction, 134
strict anomaly detection, 439
strlen (string length) comparison, 133
su command, 276
subroutines, 138
SucKit, 251
SUID
attacks using, 303
SUID bit, 262
SUID root vulnerability, 249
SUID (Set User ID), 274
swap files, 493
swatch, 473
SWITCH statements, 68
Symantec DeepSight Analyzer, 423
SYN cookie, 291
SYN-ACK timeout and regeneration cycles, OS fingerprinting with, 234
SysInternals, 17
syslog
problems, 413
syslog daemon, 264
syslog output, 411
syslog, security risks, 318
syslog.conf, 413
syslog-ng, 414
sys_ptrace, 84
systat service, security risks, 309
system hardening, 271
system logging, 264
(see also log files)
system logs, attack evidence in, 237
system monitors, 17-19
system records, sanitizing, 242
(see also logfiles, sanitizing)
System Time system call, 133
T
talk, security risks, 318
tar tool, 269
TASK, 505
tbreak command, 40
TCP stack fingerprinting, 226-229
TCP (Transmission Control Protocol), 180-182
ports, security risks of, 308-317
TCP wrappers, 267, 285-288
binary form, 286
tcpd, 267, 286
TCP/IP (Transmission Control Protocol/Internet Protocol), 179
data packets, 179
encapsulation, 179
TCP/IP handshaking, 186
TCT (The Coroner's Toolkit), 477, 505
telnet, 278
security risks, 310
telnet session negotiation (see TSN)
telnet, shell on port covert channel, 252
test.exe, 138
reverse engineering with MVC, 144
TFN (Tribal Flood Network), 327
TFN2K, 327
TFTP (Trivial File Transfer Protocol), security risks of, 311
TGTs (Ticket-Granting Tickets), 351
The Coroner's Toolkit (see TCT)
throwaway Internet accounts, 223
Ticket-Granting Service (TGS), Kerberos, 351
Ticket-Granting Tickets (TGTs), 351
tickets, 351
timestamps, 411
Timofonica Trojan, 405
TKIP (Temporal Key Integrity Protocol), 403
/tmp directory, security risks, 274
Torn 8, 251
trace traps, 81
traceroute, 185, 215
tracks, 480
Transmission Control Protocol (TCP), 180-182
Trinoo, 327
Tripwire, 250, 428
AIDE clone, 476
Trojans, 248
TSCrack, 345
TSN (telnet session negotiation), 225
tsweb (Microsoft), 345
tunneling, 402
"The Twenty Most Critical Internet Security Vulnerabilities", 319
U
UDP
ports, security risks of, 317-318
UDP listener covert channel, 252
UDP protocol, 184
Ultra Edit, 11
umask command, 262
UNION command, 378
Universal Root Kit (URK), 251
Unix, 257
access control, 263
application-specific access controls, 288-291
binary logs, 265
building a honeynet, 452
daytime service, security risks, 309
dd command, 500
directory sticky bit, 262
echo ports, security risks, 308
file attributes, 264
file permissions, 261
groups, 260
history, 266
log analysis, 411-415
remote logging, 412
Windows logging framework integration, 419
network protocols, 292
network security, 267-298
attacks on (see Unix attacks)
automated hardening, 280-285
backups, 268
BIOS passwords, 278
daemons, 278
eavesdropping, prevention, 291
filesystem permissions, 273
hardening, 270
host-based firewalls, 295-298
login security, 275
NFS and NIS, 268
physical security, 277
removal of insecure software, 272
resource control, 276
SSH, 277, 293-295
system configuration changes, 291
system logging and accounting, 280
system patches, 273
TCP wrappers, 267, 285-288
/tmp directory, risks of, 274
user management, 276
X Windows, 270
passwords, 257, 275
encrypted vs. non-encrypted, 259
storage in files, 261
process accounting, 266
remote logging, 265
root, 258
runtime monitoring, 47-51
system logging, 264
(see also log files)
vendor web sites, 273
Unix attacks, 299-328
application crashing, 325
boot prompt attacks, 300
chroot command, circumvention, 304-307
DoS (denial-of-service), 321-328
filling kernel data structures, 324
local attacks, 299-307
DoS (denial-of-service), 322-324
network attacks, 307-??, 324-326, ??-328
password attacks, 301-303
path abuse, 301
ports, 307-321
most frequently attacked, 320
screensaver attacks, 301
SUID, 303
TCP services, 308-317
/tmp and symlink/hardlink abuse, 304
Unix binary logs, 241
Unix shell history, 240
unpackers, 19-21
ProcDump, 20
UPDATE command, 378
uplddrvinfo.htm, 337
UPnP (Universal Plug and Play), 333
buffer overflow attack using, 339
URK (Universal Root Kit), 251
user processes, Windows CE, 120
usernames, 258
V
VALUES modifier command, 378
Vapor virus, 407
Venema, Wietse, 267
viruses
airborne, 404-407
W
Watchman, 423
watchpoints (gdb), 41
web proxies, 221
web proxies, security risks, 316
web services, 369
web site analysis, 220
weird.exe, 168
WEP (Wired Equivalent Privacy), 396-402
cracking, 396
data analysis, 397
example, 402
IV collision, 401
wireless sniffing, 398-401
WEPCRACK, 402
WHERE modifier command, 378
manipulation, 382
WHILE loops, 65
Whisker, 437
whois command, 214, 215
Windows
forensic tools, 482-487
honeypots, difficulty in deploying, 451
log analysis, 416
integration into Unix logging framework, 419
reconnaissance tools, 216
reverse code engineering
examples, 23-31
tools, 11-23
SOAP (see SOAP)
Windows 2003 Server, 350
EFS (Encrypting File System) enhancements, 363-365
data recovery, 364
password reset issue, 364
user interaction, 363
Kerberos implementation, 351-354
release history, 350
third party encryption (EP Hard Disk), 365-367
Authenti-Check, 366
component names, function names, role names, 365
installation and updating, 367
local and corporate administrator recovery, 366
One-Time Password, 366
Single Sign-On, 367
user configuration options, 367
Windows CE, 118
architecture, 119-123
contrasted with other Windows OSes, 120
cracking techniques, 133-137
NOP sliding, 136
predictable system calls, 133
strcmp and cmp, 134-??
strlen and wsclen, 133
disassembling a program, 137-141
disassembling programs
IDA Pro, using, 138
GWES, 122
kernel, 119
memory architecture, 121
MVC (see MVC)
processes, 120
RAM vs. ROM, 121
reverse code engineering, 118-159
ARM processors (see ARM)
fundamentals, 123-130
scheduler, 120
serial.exe (see serial.exe, reverse engineering)
supported processors, 119
threads, 120
Windows client attacks, 329-348
buffer overflow attacks, 339-343
DoS (denial-of-service), 329-339
help center attacks, 336-339
SMB (Server Message Block) attack, 330-333
UPnP attacks, 333-??
remote assistance vulnerabilities, 346-348
Remote Desktop, vulnerabilities, 343-346
Windows NT/2000 Resource Kit, 469
Windows Server attacks, 350-368
Active Directory exploitation, 357
buffer overflow attacks, 356
Kerberos cracking, 354-356
(see also Kerberos)
PKI (Public Key Infrastructure), hacking, 359
smart card hacking, 360-363
WinHex, 482-487
automatic file recovery, 487
binary editor, 483
copying and imaging capabilities, 484
disk cataloging, 486
disk wiping, 485
expert features, 485
parallel search facility, 486
scripting, 487
text filtering, 486
WINICE.EXE, 16
WinPcap, 230
WinTop, 469
wiping tools, 243-246
testing, 245
wireless security, 394-408
airborne viruses, 404-407
antenna configuration, 394-396
RADIUS (remote authentication dial-in user service), 403
SSL (Secure Sockets Layer), 404
TKIP (Temporal Key Integrity Protocol), 403
VPNs (Virtual Private Networks), 402
WEP (see WEP)
wireless sniffing, 398-401
keystream extraction, 400-401
World Wide Web Consortium (W3C) XML Encryption standard, 369
wsclen instruction, 133
cracking example, 140
WU-FTP exploit, 500
X
X Window System
security risks, 316
x86 processor
key registers, 4
xbreak command, 40
Xenc (XML Encryption), 369-372
xfs servers, security risks, 316
xinetd, 287
XIP (Execute In Place), 121
XML Encryption (see Xenc)
XML (Extensible Markup Language), 369
XML signatures, 372
XML-DSIG-Decrypt, 370
XProbe, 232-234
fuzzy matching system, 233
Y
Yarochkin, Fyodor, 232
Z
zap tool, 241
zombies, 327
Zone Alarm, 22