Stealing the Network - How to Own a Continent

131ah

Russ Rogers

Jay Beale

Joe Grand

Fyodor

FX

Paul Craig

Timothy Mullen (Thor)

Tom Parker

Ryan Russell    Technical Editor

Kevin D. Mitnick    Technical Reviewer

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively Makers ) of this book ( the Work ) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied , regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions , when working with computers, networks, data, and files.

Syngress Media , Syngress , Career Advancement Through Skill Enhancement , Ask the Author UPDATE , and Hack Proofing , are registered trademarks of Syngress Publishing, Inc. Syngress: The Definition of a Serious Security Library ¢, Mission Critical ¢, and The Only Way to Stop a Hacker is to Think Like One ¢ are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY

Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Copyright 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

1    2    3    4    5    6    7    8    9    0

ISBN: 1-931836-05-1

Acquisitions Editor:
Christine Kloiber

Cover Designer:
Michael Kavish

Technical Editor:
Ryan Russell

Copy Editor:
Adrienne Rebello

Technical Reviewer:
Kevin D. Mitnick

Page Layout and Art:
Patricia Lupien

Distributed by O Reilly & Associates in the United States and Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Jeff Moss and Ping Look from Black Hat, Inc. You have been good friends to Syngress and great colleagues to work with. Thank you!

Thanks to the contributors of Stealing the Network: How to Own the Box , the first book in the Stealing series. You paved the way for this computer book genre : Dan Kaminsky, Ken Pfeil, Mark Burnett, and Ido Dubrawsky.

Syngress books are now distributed in the United States and Canada by O Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, and Rob Bullington.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, and Krista Leppiko, for making certain that our vision remains worldwide in scope.

David Buckland, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

Technical Editor and Contributor

Ryan Russell (aka Blue Boar) has worked in the IT field for over 13 years , focusing on information security for the last seven. He was the lead author of Hack Proofing Your Network, Second Edition (Syngress, ISBN: 1-928994-70-9), contributing author and technical editor of Stealing the Network: How to Own the Box (Syngress, ISBN: 1-931836-87-6), and is a frequent technical editor for the Hack Proofing series of books from Syngress. Ryan was also a technical advisor on Snort 2.0 Intrusion Detection (Syngress, ISBN: 1-931836-74-4). Ryan founded the vuln-dev mailing list, and moderated it for three years under the alias Blue Boar. He is a frequent lecturer at security conferences, and can often be found participating in security mailing lists and website discussions. Ryan is the QA Manager at BigFix, Inc.

131ah is the technical director and a founding member of an IT security analysis company. After completing his degree in electronic engineering he worked for four years at a software engineering company specializing in encryption devices and firewalls. After numerous typos and finger trouble, which led to the malignant growth of his personnel file, he started his own company along with some of the country s leaders in IT security. Here 131ah heads the Internet Security Analysis Team, and in his spare time plays with (what he considers to be) interesting

Contributors

concepts such as footprint and web application automation, worm propagation techniques, covert channels/Trojans and cyber warfare . 131ah is a regular speaker at international conferences including Black Hat Briefings, DEFCON, RSA, FIRST and Summercon. He gets his kicks from innovative thoughts, tea, dreaming, lots of bandwidth, learning cool new stuff, Camels, UNIX, fine food, 3 A.M. creativity and big screens. 131ah dislikes conformists, papaya, suits , animal cruelty, arrogance , and dishonest people or programs.

Russ Rogers (CISSP, CISM, IAM) is a Co-Founder, Chief Executive Officer, Chief Technology Officer, and Principle Security Consultant for Security Horizon, Inc; a Colorado-based professional security services and training provider. Russ is a key contributor to Security Horizon s technology efforts and leads the technical security practice and the services business development efforts. Russ is a United States Air Force Veteran and has served in military and contract support for the National Security Agency and the Defense Information Systems Agency. Russ is also the editor-in-chief of ˜The Security Journal and occasional staff member for the Black Hat Briefings. Russ holds an associate s degree in Applied Communications Technology from the Community College of the Air Force, a bachelor s degree from the University of Maryland in computer information systems, and a master s degree from the University of Maryland in computer systems management. Russ is a member of the Information System Security Association (ISSA), the Information System Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners (ACFE). He is also an Associate Professor at the University of Advancing Technology (uat.edu), just outside of Phoenix, Arizona. Russ has contributed to many books including WarDriving, Drive, Detect, Defend: A Guide to Wireless Security (Syngress, ISBN: 1-931836-03-5) and SSCP Study Guide and DVD Training System (Syngress, ISBN: 1-931846-80-9).

Jay Beale is a security specialist focused on host lockdown and security audits . He is the Lead Developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X, a member of the Honeynet Project, and the Linux technical lead in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat Briefings and LinuxWorld conferences, among others. Jay is a columnist with Information Security Magazine, and is Series Editor of Jay Beale s Open Source Security Series , from Syngress Publishing. Jay is also co-author of the international best seller Snort 2.0 Intrusion Detection (Syngress, ISBN: 1-931836-74-4) and Snort 2.1 Intrusion Detection Second Edition (Syngress 1-931836-04-3). A senior research scientist with the George Washington University Cyber Security Policy and Research Institute, Jay makes his living as a security consultant through the MD-based firm Intelguardians, LLC.

Jay would like to thank Visigoth for his plot critique and HD Moore for sharing the benefits of his cluster computation experience. Jay would also like to thank Neal Israel, Pat Proft, Peter Torokvei and Dave Marvit, from the wonderful movie Real Genius, without which Chapter 4 would have been far less interesting. He would also like to thank Derek Atkins and Terry Smith for background inormation. Jay dedicates his chapter to his wife, Cindy, who supported him in the chain of all night tools that made this project possible.

Joe Grand is the President and CEO of Grand Idea Studio, a product development and intellectual property licensing firm. A nationally recognized name in computer security, Joe s pioneering research on mobile devices, digital forensics, and embedded security analysis is published in various industry journals. He is a co-author of Stealing the Network: How to Own the Box (Syngress, ISBN: 1-931836-87-6), the author of Hardware Hacking: Have Fun While Voiding Your Warranty (Syngress, ISBN: 1-932266-83-6), and is a frequent contributor to other texts .

As an electrical engineer, Joe specializes in the invention and design of breakthrough concepts and technologies. Many of his creations, including consumer electronics, medical products, video games and toys, are licensed worldwide. Joe s recent developments include the Emic Text-to-Speech Module and the Stelladaptor Atari 2600 Controller-to-USB Interface.

Joe has testified before the United States Senate Governmental Affairs Committee and is a former member of the legendary hacker think-tank L0pht Heavy Industries. He has presented his work at numerous academic, industry, and private forums, including the United States Air Force Office of Special Investigations and the IBM Thomas J. Watson Research Center. Joe holds a BSCE from Boston University.

Fyodor authored the popular Nmap Security Scanner, which was named security tool of the year by Linux Journal, Info World, LinuxQuestions.Org, and the Codetalker Digest. It was also featured in the hit movie Matrix Reloaded as well as by the BBC, CNet, Wired, Slashdot, Securityfocus, and more. He also maintains the Insecure.Org and Seclists.Org security resource sites and has authored seminal papers detailing techniques for stealth port scanning, remote operating system detection via TCP/IP stack fingerprinting, version detection, and the IPID Idle Scan. He is a member of the Honeynet project and a co-author of the book Know Your Enemy: Honeynets .

FX of Phenoelit has spent the better part of the last few years becoming familiar with the security issues faced by the foundation of the Internet, including protocol based attacks and exploitation of Cisco routers. He has presented the results of his work at several conferences including DEFCON, Black Hat Briefings, and the Chaos Communication Congress. In his professional life, FX is currently employed as a Security Solutions Consultant at n.runs GmbH, performing various security audits for major customers in Europe. His specialty lies in security evaluation and testing of custom applications and black box devices. FX loves to hack and hang out with his friends in Phenoelit and wouldn t be able to do the things he does without the continuing support and understanding of his mother, his friends, and especially his young lady, Bine, with her infinite patience and love. FX was a co-author of the first edition of Stealing the Network: How to Own the Box (Syngress, ISBN: 1-931836-87-6).

Paul Craig is currently working in New Zealand for a major television broadcaster , and is also the lead security consultant at security company Pimp Industries. Paul specializes in reverse engineering technologies and cutting edge application auditing practices. Paul has contributed to many books including the first edition of Stealing the Network: How to Own the Box (Syngress, ISBN: 1-931836-87-6). If you would like to contact Paul for any nature of reason email: headpimp@pimp-industries.com

Timothy Mullen (aka Thor) began his career in application development and network integration in 1984, and is now CIO and Chief Software architect for AnchorIS.Com, a developer of secure enterprise-based accounting solutions. Mullen has developed and implemented network and security solutions for institutions such as the US Air Force, Microsoft, the US Federal Court systems, regional power generation facilities, and international banking and financial institutions. He has developed applications ranging from military aircraft statistics interfaces and biological aqua-culture management, to nuclear power-plant effect monitoring for a myriad of private, government, and military entities.

Tim is also a columnist for Security Focus Microsoft section, and a regular contributor of InFocus technical articles. Also known as Thor, he is the founder of the Hammer of God security co-op group . Mullen s writings appear in multiple publications such as Stealing the Network: How to Own the Box (Syngress, ISBN: 1-931836-87-6) and Hacker s Challenge , technical edits in Windows XP Security , with security tools and techniques features in publications such as the Hacking Exposed series and New Scientist magazine.

Tom Parker is one of Britain s most highly prolific security consultants . Along side his work for some of the worlds largest organizations, providing integral security services, Mr. Parker is also widely known for his vulnerability research on a wide range of platforms and commercial products. His more recent technical work includes the development of an embedded operating system, media management system and cryptographic code for use on digital video band (DVB) routers, deployed on the networks of hundreds of large organizations around the globe. In 1999, Tom helped form Global InterSec LLC, playing a leading role in developing key relationships between GIS and the public and private sector security companies. Tom has spent much of the last few years researching methodologies aimed at characterizing adversarial capabilities and motivations against live, mission critical assets and providing methodologies to aid in adversarial attribution in the unfortunate times when incidents do occur. Currently working as a security consultant for Netsec, a provider of managed and professional security services; Tom continues his research into finding practical ways for large organizations, to manage the ever growing cost of security, through the identification where the real threats lay there by defining what really matters. Tom is also co-author of Cyber Adversary Characterization: Auditing the Hacker Mind (Syngress, ISBN: 1-931836-11-6).

Jeff Moss (aka The Dark Tangent) CEO of Black Hat Inc. and founder of DEFCON, is a computer security scientist most well known for his forums bringing together a unique mix in security: the best minds from government agencies and global corporations with the underground s best hackers. Jeff s forums have gained him exposure and respect from each side of the information security battle, enabling him to continuously be aware of new security defense and penetration techniques and trends. Jeff brings this information to three continents, North America, Europe and Asia, through his Black Hat Briefings, DEFCON, and Meet the Enemy sessions.

Jeff speaks to the media regularly about computer security, privacy and technology and has appeared in such media as Business Week, CNN, Forbes, Fortune, New York Times, NPR, National Law Journal, and Wired Magazine. Jeff is a regular presenter at conferences including Comdex, CSI, Forbes CIO Technology Symposium, Fortune Magazine s CTO Conference, The National Information System Security Convention, and PC Expo.

Prior to Black Hat, Jeff was a director at Secure Computing Corporation, and helped form and grow their Professional Services Department in the United States, Taipei, Tokyo, Singapore, Sydney, and Hong Kong. Prior to Secure Computing Corporation, Jeff worked for Ernst & Young, LLP in their Information System Security division.

Jeff graduated with a BA in Criminal Justice, and halfway through law school, he went back to his first love, computers, and started his first IT consulting business in 1995. He is CISSP certified, and a member of the American Society of Law Enforcement Trainers.

Technical Reviewer

Kevin Mitnick is a security consultant to corporations worldwide and a cofounder of Defensive Thinking, a Los Angeles-based consulting firm (www.defensivethinking.com). He has testified before the Senate Committee on Governmental Affairs on the need for legislation to ensure the security of the government s information systems. His articles have appeared in major news magazines and trade journals, and he has appeared on Court TV, Good Morning America , 60 Minutes , CNN s Burden of Proof and Headline News , and has been a keynote speaker at numerous industry events. He has also hosted a weekly radio show on KFI AM 640, Los Angeles. Kevin is author of the best-selling book, The Art of Deception: Controlling the Human Element of Security .

Technical Advisors

SensePost is an independent and objective organisation specialising in IT Security consultation, training and assessment services. The company is situated in South Africa from where it provides services to more than 70 large and very large clients in Australia, South Africa, Germany, Switzerland, Belgium, The Netherlands, United Kingdom, Malaysia, United States of America, and various African countries . More than 20 of these clients are in the financial services industry, where information security is an essential part of their core competency.

SensePost analysts are regular speakers at international conferences including Black Hat Briefings, DEFCON and Summercon. The analysts also have been training two different classes at the Black Hat Briefings for the last 2 years. Here they meet all sorts of interesting people and make good friends. SensePost personnel typically think different thoughts, have inquisitive minds, never give up and are generally good looking...

For more information, or just to hang out with us, visit: www.sensepost.com .