List of Figures

Chapter 1: Footprinting

Figure 1-1: With http://www.keyhole.com, someone can footprint your physical presence with remarkable detail and clarity.
Figure 1-2: Publicly traded companies must file regular reports with the SEC. These reports provide interesting information regarding current events and organizational structure.
Figure 1-3: A search at http://www.archive.org reveals many years of archived pages from http://www.yahoo.com.
Figure 1-4: The very nature of a search engine can easily allow anyone access to cached content from sites that it has crawled. Here we see a cached version of http://www.yahoo.com from Google's archive.
Figure 1-5: Foundstone's SiteDigger searches Google's cache using the Google Hacking Database (GHDB) to look for vulnerable systems.
Figure 1-6: Again, Google's advanced search options can help you home in on important information quickly.
Figure 1-7: ICANN manages many of the underlying core functions of the Internet.
Figure 1-8: Currently there are five Regional Internet Registries (RIRs), four active and one in "observer" status.
Figure 1-9: The GNSO manages the generic top-level domains (gTLDs).
Figure 1-10: The CCNSO manages the country-code top-level domains (ccTLDs).
Figure 1-11: We start our domain lookup at http://whois.iana.org.
Figure 1-12: Verisign Global Registry Services shows us which registrar http://keyhole.com is registered with.
Figure 1-13: We find the registrant details for http://keyhole.com at the appropriate registrar's site.
Figure 1-14: ARIN tells us which RIR we need to search.
Figure 1-15: It turns out that the IP address is owned by India's National Internet Backbone.
Figure 1-16: Here we see the IP ranges and BGP AS number that Google owns under its name.

Chapter 2: Scanning

Figure 2-1: SuperScan from Foundstone is one of the fastest and most flexible ping sweep utilities available, and it's free.
Figure 2-2: Using SuperScan from Foundstone, you can discover hosts hidden behind traditional firewalls.
Figure 2-3: (1) Sending a SYN packet, (2) receiving a SYN/ACK packet, and (3) sending an ACK packet
Figure 2-4: SuperScan offers numerous host-discovery tricks.
Figure 2-5: The SuperScan tool provides a number of different assessment tools, many of which are discussed in other chapters.
Figure 2-6: The Windows UDP Port Scanner (WUPS) nails a system running SNMP (UDP 161).
Figure 2-7: cheops provides many network-mapping utilities in one graphical package.

Chapter 3: Enumeration

Figure 3-1: Sam Spade's Crawl Website feature makes it easy to parse entire sites for juicy information such as passwords.
Figure 3-2: DumpSec reveals shares over a null session with the target computer.
Figure 3-3: The NetBIOS Auditing Tool (NAT) with graphical interface and command-line output
Figure 3-4: DumpSec enumerates all services and drives running on a remote system.
Figure 3-5: SolarWinds' IP Network Browser expands information available on systems running SNMP agents when provided with the correct community string. The system shown here uses the default string "public".
Figure 3-6: Output for a search for "ASN KPE." The ASN is identified as 16394 for the AS Name KPENY-AS.
Figure 3-7: The Active Directory Administration Tool, ldp.exe, enumerates Active Directory users and groups via an authenticated connection.
Figure 3-8: The Active Directory Installation Wizard (dcpromo) asks whether default permissions for user and group objects should be relaxed for legacy accessibility.
Figure 3-9: The Windows Network Neighborhood enumerates Novell servers and trees on the wire.
Figure 3-10: Novell's NetWare Connections utility displays the NDS tree the server is contained in, the connection number, and the complete network address, including network number and node address.
Figure 3-11: Novell's On-Site Admin is the single most useful tool for enumerating Novell networks.
Figure 3-12: On-Site Admin displays volume information.
Figure 3-13: On-Site Admin allows browsing of NDS trees down to the end leaf.
Figure 3-14: SQLPing scans for instances of SQL Server and guesses a few passwords.

Chapter 4: Hacking Windows

Figure 4-1: Disabling NetBIOS and SMB/CIFS file and printer sharing (blocking null sessions) using the Network and Dial-up Connections Advanced Settings dialog box.
Figure 4-2: Recommended audit settings for a secure server, as configured using Windows Server 2003's Security Policy snap-in.
Figure 4-3: The Windows Security Log shows failed logon attempts caused by an automated password-guessing attack.
Figure 4-4: L0phtcrack's SMB Packet Capture utility eavesdrops on Windows logins over the network and feeds them back to L0phtcrack for cracking.
Figure 4-5: The result of running one of the LSASS buffer overflow exploits against a vulnerable system
Figure 4-6: To prevent the .printer buffer overflow exploit and many like it that rely on built-in ISAPI extensions, simply remove the application mappings for the appropriate extension in the IIS Admin tool.
Figure 4-7: Removing the FrontPage Server Extensions ISAPI filter from IIS 5 and later
Figure 4-8: L0phtcrack's session options selection window
Figure 4-9: L0phtcrack at work cracking passwords. The weaker LanMan passwords are more easily guessed, eliminating the need to guess the more heavily enciphered NTLM passwords.
Figure 4-10: WINVNC connected to a remote system. This is nearly equivalent to sitting at the remote computer.
Figure 4-11: The fpipe redirector running on a compromised host. fpipe has been set to forward connections on port 53 to port 23 on 192.168.234.37 and is forwarding data here.
Figure 4-12: The Default Domain Policy GPO
Figure 4-13: The Security Center, new in XP SP2

Chapter 5: Hacking UNIX

Figure 5-1: A simplistic DMZ architecture
Figure 5-2: The xterm is a result of exploiting rpc.cmsd. The same results would happen if an attacker were to exploit rpc.ttdbserverd or rpc.statd.
Figure 5-3: With XWatchWin, we can remotely view almost any X application on the user's desktop.
Figure 5-4: How password cracking is accomplished

Chapter 6: Remote Connectivity and VoIP Hacking

Figure 6-1: Using TLCFG.EXE to enter modem configuration parameters to be used by ToneLoc for war-dialing
Figure 6-2: ToneLoc at work scanning a large range of phone numbers for carriers (electronic signals generated by a remote modem)
Figure 6-3: THC-Scan and war-dialing
Figure 6-4: PhoneSweep's graphical interface is a far cry from freeware war-dialers, and it has many other features that increase usability and efficiency.
Figure 6-5: PhoneSweep has simple scheduling parameters, making it easy to tailor dialing to suit your needs.
Figure 6-6: A small portion of a sample PhoneSweep report
Figure 6-7: Tunneling of one type of traffic within another, the basic premise of Virtual Private Networking

Chapter 7: Network Devices

Figure 7-1: Network architecture based on the OSI model
Figure 7-2: Physical man-in-the-middle attack
Figure 7-3: Spoofing ARP packets and listening on switches should be reason enough not to depend on network switches for your security.
Figure 7-4: SolarWinds' IP Network Browser uses a clean interface to display all guessed string devices.
Figure 7-5: SolarWinds' Cisco Config Viewer enables easy download of the Cisco configuration file once the read/write community string is known.
Figure 7-6: Decrypting the Cisco passwords within the configuration file is trivial with SolarWinds' Cisco Config Viewer's password decryptor.
Figure 7-7: SolarWinds' Cisco Password Decryptor provides an easy GUI application to crack Cisco's weak passwords.
Figure 7-8: RIP spoofing allows for easy network discovery and poisoning.

Chapter 8: Wireless Hacking

Figure 8-1: Typical war-driving antennas
Figure 8-2: Quad stacked antenna
Figure 8-3: WISPer antenna
Figure 8-4: GPS unit
Figure 8-5: Network Stumbler
Figure 8-6: StumbVerter
Figure 8-7: JiGLE
Figure 8-8: Node99's Mognet interface
Figure 8-9: The three panes of the Ethereal interface
Figure 8-10: Airfart traffic analysis interface
Figure 8-11: The AiroPeek NX Packets tab
Figure 8-12: WifiScanner Linux command-line interface
Figure 8-13: The Peer Map tab
Figure 8-14: gvoid11 interface
Figure 8-15: IEEE 802.11 packet structure

Chapter 10: Denial of Service Attacks

Figure 10-1: In the TCP three-way handshake, the initial SYN leaves the connection in a "half-open" state that can be exploited to deplete capacity on the server.
Figure 10-2: A single zombie network performs a DDoS attack.

Chapter 11: Hacking Code

Figure 11-1: A directory traversal attempt that would be blocked by a web server
Figure 11-2: A directory traversal attempt that would not be blocked by a vulnerable web server
Figure 11-3: A model Security Development Lifecycle process, showing each key security checkpoint
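Figures 11-1 and 11-2 contrast a directory traversal request that a web server blocks with one that slips past a vulnerable server. As an added illustration that is not part of the book, the Python below puts a naive literal "../" filter beside a decode-then-resolve containment check and runs both over a handful of constructed request paths; the document root and the request paths are made up for the example.

```python
"""Directory traversal checks: naive substring filter vs. path resolution.

Added example (not from the book). DOCROOT and the sample request paths
are hypothetical values constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # hypothetical document root


def naive_blocks(url_path: str) -> bool:
    """Mimic a server that only rejects the literal '../' sequence.

    Returns True when the request would be blocked. This both misses
    encoded variants and over-blocks harmless paths such as
    '/static/../index.html'.
    """
    return "../" in url_path


def resolve(url_path: str) -> str:
    """Decode the request path and resolve it against DOCROOT.

    Decoding twice catches double-encoded sequences such as %252e; the
    backslash rewrite catches Windows-style '..\\' separators. The joined
    path is normalised only after the join, so '..' components are allowed
    to climb above DOCROOT and be detected, rather than being clipped at '/'.
    """
    decoded = unquote(unquote(url_path)).replace("\\", "/")
    return posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))


def hardened_blocks(url_path: str) -> bool:
    """Block any request whose resolved path is not DOCROOT or beneath it."""
    target = resolve(url_path)
    return not (target == DOCROOT or target.startswith(DOCROOT + "/"))


# Constructed sample requests: (path, description)
SAMPLES = [
    ("/images/logo.gif", "ordinary static file"),
    ("/static/../index.html", "harmless '..' that stays inside the root"),
    ("/../../etc/passwd", "plain traversal"),
    ("/%2e%2e/%2e%2e/etc/passwd", "URL-encoded dots"),
    ("/..%255c..%255cwindows/win.ini", "double-encoded backslashes"),
]


def compare(samples=SAMPLES):
    """Return {path: (naive_blocked, hardened_blocked, resolved_path)}."""
    return {p: (naive_blocks(p), hardened_blocks(p), resolve(p)) for p, _ in samples}


if __name__ == "__main__":
    print(f"{'request':34} {'naive':>6} {'hardened':>9}  resolved")
    for (path, desc) in SAMPLES:
        n, h, r = compare()[path]
        print(f"{path:34} {str(n):>6} {str(h):>9}  {r}   # {desc}")
```

The last two rows are the Figure 11-2 case: a server that only looks for the literal "../" lets them through, while resolving the decoded path against the document root rejects them. The second row shows the opposite failure of the naive filter, blocking a request that never leaves the root.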

Chapter 12: Web Hacking

Figure 12-1: Authentication options available in Offline Explorer Pro. Note that NTLM authentication is performed automatically if DOMAIN\username syntax is used.
Figure 12-2: Achilles in action, intercepting HTTP requests and responses
Figure 12-3: Paros Proxy analyzes a complex website by proxying client and server requests as a user traverses the site, recording all URLs, cookies, and so forth.
Figure 12-4: Paros Proxy's "hash/encoding" utility easily converts cleartext to Base64, a handy feature during intense web application security assessment.
Figure 12-5: WebSleuth's Options tab, with the plug-ins palette pulled down
Figure 12-6: WebSleuth's Sessions Brute Forcer plug-in samples cookies from a website and brute-forces them.
Figure 12-7: WebProxy's RequestEditor plug-in allows you to edit HTTP and HTTPS requests on the fly.
Figure 12-8: Using Form Scalpel to test input validation on a site. Here, we've manually set the value of "q" to "foundstone".
Figure 12-9: WASAT's forms-based authentication configuration options.
Figure 12-10: SPI Dynamics' WebInspect web application security scanning tool scans the company's sample website, http://www.zero.webappsecurity.com.
Figure 12-11: SPI Dynamics' Cookie Cruncher utility, from the company's SPI Toolkit web application security analysis tool suite
Figure 12-12: A simple web form that uses the Response.Redirect ASP method to send user input to another site

Chapter 13: Hacking the Internet User

Figure 13-1: A cross-site scripting exploit prompts a user for their password. Are you sure that password is going where you think it is?
Figure 13-2: By double-clicking the "lock" icon in Internet Explorer, you can view information about the validity of the site you are visiting.
Figure 13-3: A modal dialog window executing in the Local Computer Zone, part of the exploit of MS04-025
Figure 13-4: Disabling all ActiveX settings using the Internet Options control panel will protect against malicious controls downloaded via hostile web pages.
Figure 13-5: Configuring Outlook to use the Restricted Sites zone when browsing
Figure 13-6: The new "Manage Add-ons" feature in XP SP2
Figure 13-7: XP SP2's new Information Bar window pops up when potentially unauthorized behavior is blocked.
Figure 13-8: The XP SP2 crash dump message from testing the proof-of-concept PNG exploits at http://zcrayfish.augurtech.com/bad.htm. Note the affected module (pngfilt.dll) and memory offset.
Figure 13-9: A phishing e-mail targeted at Wells Fargo banking customers
Figure 13-10: Earthlink's ScamBlocker, a free tool for helping users identify and avoid phishing sites
Figure 13-11: The warning shown to users who visit a known phishing site with Earthlink's ScamBlocker enabled
Figure 13-12: The msconfig utility enumerates autostart extensibility points on Windows XP. Note the peer-to-peer networking software program highlighted here.
Figure 13-13: Spybot Search & Destroy finds adware and spyware on a system.
Figure 13-14: Microsoft's AntiSpyware beta, illustrating some of its best features, such as real-time monitoring/protection and automatic signature downloads


Hacking Exposed 5th Edition