95_pgwFP.qx
11/22/00
12:45 PM
Page 1
“Ryan Russell has an important message for us all: ‘What you don’t know will hurt you…’”
— Kevin Mitnick
HACK PROOFING YOUR NETWORK: INTERNET TRADECRAFT
THE ONLY WAY TO STOP A HACKER IS TO THINK LIKE ONE
Rain Forest Puppy
“This book provides a bold, unsparing
tour of information security that
never swerves from the practical.”
—Kevin L. Poulsen
Editorial Director
SecurityFocus.com
Elias Levy, Bugtraq
Blue Boar, Vuln-dev
Dan “Effugas” Kaminsky,
Cisco Systems
Oliver Friedrichs,
SecurityFocus.com
Riley “Caesar” Eller,
Internet Security Advisors
Greg Hoglund,
Click To Secure
Jeremy Rauch
Georgi Guninski
Ryan Russell, SecurityFocus.com
Stace Cunningham, CLSE, COS/2E, CLSI, COS/2I, CLSA
Foreword by Mudge, Security Advisor to
the White House and Congress
[email protected]
With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we have come to know many of you personally. By
listening, we've learned what you like and dislike about typical computer
books. The most requested item has been for a web-based service that
keeps you current on the topic of the book and related technologies. In
response, we have created
[email protected], a service that
includes the following features:
■ A one-year warranty against content obsolescence that occurs as
the result of vendor product upgrades. We will provide regular web
updates for affected chapters.
■ Monthly mailings that respond to customer FAQs and provide
detailed explanations of the most difficult topics, written by content
experts exclusively for [email protected].
■ Regularly updated links to sites that our editors have determined
offer valuable additional information on key topics.
■ Access to “Ask the Author”™ customer query forms that allow
readers to post questions to be addressed by our authors and
editors.
Once you've purchased this book, browse to
www.syngress.com/solutions.
To register, you will need to have the book handy to verify your purchase.
Thank you for giving us the opportunity to serve you.
HACK PROOFING YOUR NETWORK: INTERNET TRADECRAFT
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be
obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work
is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to
state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do
not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement
Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” and “Mission Critical™”
are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are
trademarks or service marks of their respective companies.
KEY  SERIAL NUMBER
001  AB7153MGC6
002  KTY864GHPL
003  SRS587EPHN
004  TYP244KBGK
005  468ZJRHGM9
006  1LBVBC7466
007  6724ED1M84
008  CCVX153SCC
009  MKM719ACK
010  NJGMB98445
PUBLISHED BY
Syngress Media, Inc.
800 Hingham Street
Rockland, MA 02370
Hack Proofing Your Network: Internet Tradecraft
Copyright © 2000 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings may
be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-15-6
Product Line Manager: Kate Glennon
Technical Edit by: Stace Cunningham
and Ryan Russell
Co-Publisher: Richard Kristof
Distributed by Publishers Group West
Index by: Robert Saigh
Copy Edit by: Beth Roberts
Proofreading by: Adrienne Rebello and Ben Chadwick
Page Layout and Art: Reuben Kantor and Kate Glennon
Acknowledgments
We would like to acknowledge the following people for their kindness and
support in making this book possible.
Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin
Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of
Global Knowledge, for their generous access to the IT industry’s best
courses, instructors and training facilities.
Ralph Troupe and the team at Callisma for their invaluable insight into the
challenges of designing, deploying and supporting world-class enterprise
networks.
Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin
Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan
of Publishers Group West for sharing their incredible marketing experience
and expertise.
Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for
making certain that our vision remains worldwide in scope.
Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of
Harcourt Australia for all their help.
David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong,
Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the
enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the
Syngress program.
Special thanks to the professionals at Osborne with whom we are proud to
publish the best-selling Global Knowledge Certification Press series.
From Global Knowledge
At Global Knowledge we strive to support the multiplicity of learning styles
required by our students to achieve success as technical professionals. As
the world's largest IT training company, Global Knowledge is uniquely
positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience.
We hope that the quality of these books demonstrates our commitment to
your lifelong learning success. Whether you choose to learn through the
written word, computer based training, Web delivery, or instructor-led
training, Global Knowledge is committed to providing you with the very
best in each of these categories. For those of you who know Global
Knowledge, or those of you who have just found us for the first time, our
goal is to be your lifelong competency partner.
Thank you for the opportunity to serve you. We look forward to serving
your needs again in the future.
Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge
Contributors
Ryan Russell has been working in the IT field for over ten years, the last five
of which have been spent primarily in information security. He has been an
active participant in various security mailing lists, such as Bugtraq, for years.
Ryan has served as an expert witness, and has done internal security investigation for a major software vendor. Ryan has contributed to three other
Syngress books, on the topics of networking. He has a degree in computer science from San Francisco State University. Ryan is presently employed by
SecurityFocus.com.
Ryan would like to dedicate his portion of the work to his wife, Sara, for
putting up with him while he finished this book.
Introduction, Chapters 1, 2, 4, 5, 10, and 13
Blue Boar has been interested in computer security since he first discovered
that a Northstar multiuser CP/M system he worked on as a high school
freshman had no memory protection, so all the input and output from all
terminals were readable by any user. Many years ago he founded the Thievco
Main Office BBS, which he ran until he left home for college. Recently, Blue
Boar was resurrected by his owner for the purpose of publishing security
information that his owner would rather not have associated with himself or
his employers. Blue Boar is best known currently as the moderator of the
vuln-dev mailing list ([email protected]), which is dedicated to the
open investigation and development of security holes.
Contributed to Chapter 6
Riley (caezar) Eller is a Senior Security Engineer for the Internet Security
Advisors Group, where he works on penetration and security tool development. He has extensive experience in operating system analysis and design,
reverse engineering, and defect correction in closed-source and proprietary
operating systems, without the benefit of having access to the source code. Mr.
Eller is the first to reveal ASCII-armored stack overflow exploits. Prior to his
employment with ISAG, Mr. Eller spent six years developing operating systems
for Internet embedded devices. His clients have included government and military contractors and agencies, as well as Fortune 500 companies, worldwide.
Products on which he has worked have been deployed on systems as varied as
Enterprise Desktop, Global Embedded Internet, Hard Time Real Analyses and
Single Tasking Data Collection. Mr. Eller has spoken about his work at information security industry conferences such as Black Hat, both in the United
States and in Asia. He is also a frequent panel member for the “Meet the
Enemy” discussion groups.
Contributed to Chapter 8
Georgi Guninski is a security consultant in Bulgaria. He is a frequent contributor to security mailing lists such as Bugtraq, where he is well-known for
his discovery of numerous client-side holes, frequently in Internet Explorer. In
1997, he created the first buffer overflow exploits for AIX. Some of his most
visible work has included numerous exploits that could affect subscribers of
Microsoft’s Hotmail service. He is frequently quoted in news articles. Georgi
holds an MA in international economic relations from the University of
National and World Economy in Bulgaria. His web page can be found at
www.nat.bg/~joro.
Contributed to Chapter 13
Oliver Friedrichs has over ten years of experience in the information security
industry, ranging from development to management. Oliver is a co-founder of
the information security firm SecurityFocus.com. Previous to founding
SecurityFocus.com, Oliver was a co-founder and Vice President of Engineering
at Secure Networks, Inc., which was acquired by Network Associates in 1998.
Post acquisition, Oliver managed the development of Network Associates’s
award-winning CyberCop Scanner network auditing product, and managed
Network Associates’ vulnerability research team. Oliver has delivered training
on computer security issues for organizations such as the IRS, FBI, Secret
Service, NASA, TRW, Canadian Department of Defense, RCMP and CSE.
Chapter 9
Greg Hoglund is a software engineer and researcher. He has written several
successful security products for Windows NT. Greg also operates the Windows
NT Rootkit project, located at www.rootkit.com. He has written several white
papers on content-based attacks, kernel patching, and forensics. Currently he
works as a founder of Click To Secure, Inc., building new security and quality-assurance tools. His web site can be found at www.clicktosecure.com. He
would like to thank all the Goons of DefCon, Riley (caezar) Eller, Jeff Moss,
Dominique Brezinski, Mike Schiffman, Ryan Russell, and Penny Leavy.
Chapter 8
Dan Kaminsky, also known as “Effugas”, primarily spends his time designing
security infrastructure and cryptographic solutions for Cisco Systems’
Advanced Network Services division. He is also the founder of the multidisciplinary DoxPara Research (www.doxpara.com), and has spent several
years studying both the technological and psychological impacts of networked
systems as deployed in imperfect but real user environments. His primary
field of research at the present is known as Gateway Cryptography, which
seeks ideal methodologies to securely traverse non-ideal networks.
Chapter 11
Elias Levy is the moderator of Bugtraq, one of the most read security mailing
lists on the Internet, and a co-founder of Security Focus. Throughout his
career, Elias has served as computer security consultant and security engineer
for some of the largest corporations in the United States, and outside of the
computer security industry, he has worked as a UNIX software developer, a
network engineer, and system administrator.
Chapter 15
Mudge is the former CEO and Chief Scientist of renowned ‘hacker think-tank’
the L0pht, and is considered the nation’s leading ‘grey-hat hacker.’ He and the
original members of the L0pht are now heading up @stake’s research labs,
ensuring that the company is at the cutting edge of Internet security. Mudge
is a widely sought-after keynote speaker in various forums, including analysis
of electronic threats to national security. He has been called to testify before
the Senate Committee on Governmental Affairs and to be a witness to the
House and Senate joint Judiciary Oversight committee. Mudge has briefed a
wide range of members of Congress and has conducted training courses for
the Department of Justice, NASA, the US Air Force, and other government
agencies. In February, following the wave of denial of service attacks on consumer web sites, Mudge participated in President Clinton’s security summit at
the White House. He joined a small group of high tech executives, privacy
experts, and government officials to discuss Internet security.
A recognized name in cryptanalysis, Mudge has co-authored papers with
Bruce Schneier that were published in the 5th ACM Conference on Computer
and Communications Security, and the Secure Networking – CQRE
International Exhibition and Congress.
He is the original author of L0phtCrack, the award winning NT password
auditing tool. In addition, Mudge co-authored AntiSniff, the world’s first commercial remote promiscuous mode detection program. He has written over a
dozen advisories and various tools, many of which resulted in numerous
CERT advisories, vendor updates, and patches.
Foreword
Rain Forest Puppy (RFP) is a Midwest-based security consultant and
researcher. His background is in programming (about eight years of various
languages); he started playing around with networks only in the last few
years. Contrary to popular belief, he is not just an NT admin—he worked with
Novell and Linux before he ever touched an NT box. In the last year and a half
he has focused on vulnerability research and network assessments/penetration testing. Recent notable security issues he has published include insufficient input checking on SQL servers, ways to fool perl scripts, bugs and holes
in intrusion detection systems, and uncovering interesting messages hidden in
Microsoft program code.
RFP has this to say about his handle: “I was in an elevator, and scratched
into the wooden walls was the phrase ‘Save the whales, rain forest, puppies,
baby seals, ...’. At first I thought ‘puppies?’, and I didn’t notice the comma, so
it seemed like ‘rain forest puppies.’ I made a joke to my companion about ‘rain
forest puppies’ being ‘neato.’ About two days later, I just started using ‘rain
forest puppy’ as a handle.”
Chapters 7 and 14
Jeremy Rauch has been involved for a number of years in a wide variety of
roles in computer security. Jeremy was involved in the development of several
groundbreaking and industry-leading products, including Internet Security
System’s (ISS) Internet Security Scanner, and Network Associates’ CyberCop
Scanner and Monitor. Other roles have ranged from development of secure
VPN and authentication systems, to penetration testing and auditing, to code
analysis and evaluation. Through relationships built with industry-leading
companies, he has helped in the identification and repair of numerous vulnerabilities and security flaws. He has also spoken at several conferences on
topics in the area of network infrastructure security, and has been published
and quoted in numerous print and online publications. Jeremy holds a BS in
computer science from Johns Hopkins University.
Chapter 12
Technical Editor
Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I,
CLSA, MCPS, A+) is a security consultant currently located in Biloxi, MS. He
has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations.
Both network and operating system security have always intrigued Stace, so
he strives to constantly stay on top of the changes in this ever-evolving field,
both now and when he held the positions of Network Security Officer and
Computer Systems Security Officer while serving in the US Air Force.
While in the Air Force, Stace was also heavily involved for over 14 years in
installing, troubleshooting, and protecting long-haul circuits with the appropriate level of cryptography necessary to protect the level of information traversing the circuit as well as protecting the circuits from TEMPEST hazards.
This not only included American equipment but also equipment from Britain
and Germany while he was assigned to Allied Forces Southern Europe (NATO).
Stace was an active contributor to The SANS Institute booklet “Windows
NT Security Step by Step.” In addition, he has co-authored over 18 books published by Osborne/McGraw-Hill, Syngress Media, and Microsoft Press. He has
also performed as Technical Editor for various other books and is a published
author in Internet Security Advisor magazine.
His wife Martha and daughter Marissa are very supportive of the time he
spends with his computers, routers, and firewalls in the “lab” of their house.
Without their love and support he would not be able to accomplish the goals
he has set for himself.
Greets to frostman, trebor, b8zs_2k and phreaku2.
In addition to acting as technical editor for the book, Stace authored Chapters 3
and 6, and contributed writing to Chapters 8 and 9.
Technical Consultant
Mike Schiffman has been involved throughout his career in most every technical arena computer security has to offer. He has researched and developed
many cutting-edge technologies including tools like firewalk and tracerx as
well as the low-level packet shaping library libnet. Mike has led audit teams
through engagements for Fortune 500 companies in the banking, automotive,
and manufacturing industries. Mike has spoken in front of NSA, CIA, DOD,
AFWIC, SAIC, and others, and has written for numerous technical journals
and books. He is currently employed at Guardent, the leading provider of professional security services, as the director of research and development.
Contents
Foreword  xxiii
Introduction  xxvii
Part I: Theory and Ideals
Chapter 1: Politics  1
    Introduction  2
    Definitions of the Word Hacker  2
        Hacker  2
        Cracker  3
        Script Kiddie  5
        Phreak  6
        White Hat/Black Hat  6
        Grey Hat  7
        Hacktivism  8
    The Role of the Hacker  9
        Criminal  9
        Magician  10
        Security Professional  11
        Consumer Advocate  12
        Civil Rights Activist  13
        Cyber Warrior  14
    Motivation  15
        Recognition  15
        Admiration  16
        Curiosity  16
        Power & Gain  17
        Revenge  17
    Legal/Moral Issues  19
        What’s Illegal  19
        Reasonably Safe  21
        What’s Right?  22
        Exceptions?  23
    The Hacker Code  23
    Why This Book?  24
        Public vs. Private Research  25
        Who Is Affected when an Exploit Is Released?  26
    Summary  27
    FAQs  28
Chapter 2: Laws of Security  31
    Introduction  32
    What Are the Laws of Security?  32
    Client-side Security Doesn't Work  33
        Applying the Law  34
        Exceptions  37
        Defense  37
    You Can't Exchange Encryption Keys without a Shared Piece of Information  37
        Applying the Law  38
        Exceptions  40
        Defense  41
    Viruses and Trojans Cannot Be 100 Percent Protected Against  41
        Applying the Law  42
        Exceptions  43
        Defense  44
    Firewalls Cannot Protect You 100 Percent from Attack  44
        Applying the Law  45
            Social Engineering  46
            Attacking Exposed Servers  46
            Attacking the Firewall Directly  47
            Client-side Holes  48
        Exceptions  48
        Defense  49
    Secret Cryptographic Algorithms Are Not Secure  49
        Applying the Law  50
        Exceptions  51
        Defense  51
    If a Key Isn't Required, You Don't Have Encryption; You Have Encoding  51
        Applying the Law  52
        Exceptions  53
        Defense  53
    Passwords Cannot Be Securely Stored on the Client Unless There Is Another Password to Protect Them  53
        Applying the Law  55
        Exceptions  56
        Defense  57
    In Order for a System to Begin to Be Considered Secure, It Must Undergo an Independent Security Audit  57
        Applying the Law  57
        Exceptions  58
        Defense  58
    Security Through Obscurity Doesn't Work  58
        Applying the Law  59
        Exceptions  60
        Defense  61
    People Believe That Something Is More Secure Simply Because It's New  61
        Applying the Law  62
        Exceptions  63
        Defense  63
    What Can Go Wrong Will Go Wrong  64
        Applying the Law  64
        Exceptions  64
        Defense  64
    Summary  64
    FAQs  65
Chapter 3: Classes of Attack  67
    Introduction  68
    What Are the Classes of Attack?  68
        Denial-of-Service  68
        Information Leakage  79
        File Creation, Reading, Modification, Removal  82
        Misinformation  82
        Special File/Database Access  83
        Elevation of Privileges  85
    Problems  88
        How Do You Test for Vulnerability without Exercising the Exploit?  89
    How to Secure Against These Classes of Attack  90
        Denial-of-Service  91
        Information Leakage  92
        File Creation, Reading, Modification, Removal  94
        Misinformation  95
        Special File/Database Access  95
        Elevation of Privileges  97
    Summary  97
    FAQs  98
Chapter 4: Methodology  101
    Introduction  102
    Types of Problems  102
        Black Box  102
            Chips  102
            Unknown Remote Host  105
            Information Leakage  105
        Translucent Box  107
            Tools  107
            System Monitoring Tools  108
            Packet Sniffing  112
            Debuggers, Decompilers, and Related Tools  113
        Crystal Box  117
    Problems  117
        Cost/Availability of Tools  117
        Obtaining/Creating a Duplicate Environment  118
    How to Secure Against These Methodologies  118
        Limit Information Given Away  119
    Summary  119
    Additional Resources  120
    FAQs  120
Part II: Theory and Ideals
Chapter 5: Diffing  121
    Introduction  122
    What Is Diffing?  122
        Files  123
        Tools  126
            File Comparison Tools  126
            Hex Editors  128
            File System Monitoring Tools  132
            Other Tools  136
    Problems  140
        Checksums/Hashes  140
        Compression/Encryption  141
    How to Secure Against Diffing  142
    Summary  142
    FAQs  143
Chapter 6: Cryptography  145
    Introduction  146
    An Overview of Cryptography and Some of Its Algorithms (Crypto 101)  146
        History  146
        Encryption Key Types  147
        Algorithms  149
            Symmetric Algorithms  149
            Asymmetric Algorithms  151
    Problems with Cryptography  153
        Secret Storage  154
        Universal Secret  157
        Entropy and Cryptography  159
    Brute Force  163
        L0phtCrack  164
        Crack  166
        John the Ripper  166
        Other Ways Brute Force Attacks Are Being Used  167
            Distributed.net  167
            Deep Crack  169
    Real Cryptanalysis  169
        Differential Cryptanalysis  170
        Side-Channel Attacks  172
    Summary  173
    Additional Resources  173
    FAQs  174
Chapter 7: Unexpected Input  177
    Introduction  178
    Why Unexpected Data Is Dangerous  178
    Situations Involving Unexpected Data  179
        HTTP/HTML  179
        Unexpected Data in SQL Queries  181
        Disguising the Obvious  185
    Finding Vulnerabilities  186
        Black-Boxing  186
        Use the Source (Luke)  189
        Application Authentication  190
    Protection: Filtering Bad Data  194
        Escaping Characters Is Not Always Enough  194
            Perl  194
            Cold Fusion/Cold Fusion Markup Language (CFML)  195
            ASP  195
            PHP  196
        Protecting Your SQL Queries  196
        Silently Removing vs. Alerting on Bad Data  197
        Invalid Input Function  198
        Token Substitution  198
    Available Safety Features  198
        Perl  199
        PHP  200
        Cold Fusion/Cold Fusion Markup Language  200
        ASP  200
        MySQL  201
    Summary  201
    FAQs  202
Chapter 8: Buffer Overflow  203
    Introduction  204
    What Is a Buffer Overflow?  204
        Smashing the Stack  207
        Hello Buffer  207
        What Happens When I Overflow a Buffer?  210
        Methods to Execute Payload  216
            Direct Jump (Guessing Offsets)  216
            Blind Return  216
            Pop Return  218
            Call Register  219
            Push Return  220
        What Is an Offset?  220
        No Operation (NOP) Sled  221
        Off-by-One Struct Pointer  221
        Dereferencing—Smashing the Heap  222
            Corrupting a Function Pointer  222
            Trespassing the Heap  223
    Designing Payload  225
        Coding the Payload  225
        Injection Vector  225
        Location of Payload  226
        The Payload Construction Kit  226
        Getting Bearings  237
        Finding the DATA Section, Using a Canary  237
        Encoding Data  238
        XOR Protection  238
        Using What You Have—Preloaded Functions  238
        Hashing Loader  243
        Loading New Libraries and Functions  245
        WININET.DLL  246
        Confined Set Decoding  247
        Nybble-to-Byte Compression  247
        Building a Backward Bridge  247
        Building a Command Shell  247
        “The Shiny Red Button”—Injecting a Device Driver into Kernel Mode  251
        Worms  253
    Finding New Buffer Overflow Exploits  253
    Summary  257
    FAQs  258
Part III: Remote Attacks
Chapter 9: Sniffing  259
    What Is “Sniffing?”  260
    How Is Sniffing Useful to an Attacker?  260
    How Does It Work?  260
    What to Sniff?  261
        Authentication Information  261
            Telnet (Port 23)  261
            FTP (Port 21)  262
            POP (Port 110)  262
            IMAP (Port 143)  262
            NNTP (Port 119)  263
            rexec (Port 512)  263
            rlogin (Port 513)  264
            X11 (Port 6000+)  264
            NFS File Handles  264
            Windows NT Authentication  265
        Other Network Traffic  266
            SMTP (Port 25)  266
            HTTP (Port 80)  266
    Common Implementations  267
        Network Associates Sniffer Pro  267
        NT Network Monitor  268
        TCPDump  269
        dsniff  270
        Esniff.c  271
        Sniffit  271
    Advanced Sniffing Techniques  272
        Switch Tricks  272
            ARP Spoofing  273
            ARP Flooding  273
        Routing Games  273
    Operating System Interfaces  274
        Linux  274
        BSD  277
        libpcap  277
        Windows  279
    Protection  279
        Encryption  279
            Secure Shell (SSH)  279
        Switching  281
    Detection  281
        Local Detection  281
        Network Detection  282
            DNS Lookups  282
            Latency  282
            Driver Bugs  282
            AntiSniff  283
            Network Monitor  283
    Summary  283
    Additional Resources  283
    FAQs  284
Chapter 10: Session Hijacking  285
    Introduction  286
    What Is Session Hijacking?  286
        TCP Session Hijacking  287
        TCP Session Hijacking with Packet Blocking  290
            Route Table Modification  290
            ARP Attacks  292
    TCP Session Hijacking Tools  293
        Juggernaut  293
        Hunt  296