Preface

Why write a book about hacking? The question is really whether a book about the techniques and tools used to break into a network would be beneficial to the information security community. We, the authors, believe that penetration testing is a valuable and effective means of identifying security holes and weaknesses in a network and computing environment. Understanding how others will try to break into a network offers considerable insight into the common pitfalls and misconfigurations that make networks vulnerable. This insight is essential to creating a comprehensive network security structure.

Some may argue that providing this penetration-testing information gives script kiddies and hackers ammunition to better attack systems. However, script kiddies and hackers already have access to this information or have the time to find it—most of the material presented in this book is available from a variety of sources on the Internet. The problem is that the system and security administrators defending against attacks do not have the time or resources to research the sites necessary to compile this information. We decided to write this book to provide defenders with the information hackers already have. A hacker has to find only one hole to gain unauthorized access. The security group defending against the hackers needs to find all the holes to prevent unauthorized access.

There is no tried-and-true training that can make everyone a security expert, but there are some baseline principles, skills, and tools that must be mastered to become proficient in this field. Our goal is to provide you with those skills in a manner that helps you to understand the structure and tools used and to begin developing your own style of penetration testing.

The process described in this book is not the only way to perform a penetration test. We continue to evolve our own methodology to respond to new technologies and threats. This process has worked well for us in the past and continues to be a successful way to evaluate and test network security.

Audience

This book is intended for the security administrators, systems administrators, technology auditors, and other authorized representatives of companies that want to legitimately test their security posture and intrusion detection or incident response capabilities. In addition, other individuals who need to assess systems and network security may find the tools and techniques described in this book useful. It is designed as a beginner's book for enhancing network security through penetration testing. No previous knowledge of penetration testing is required, but an understanding of networking, TCP/IP, Windows NT/2000, network security, and UNIX is needed to be able to execute a penetration test.

A word of caution: Although this book details the processes and tools for performing a penetration test, it does not describe how to do this without alerting network security devices. Many of these techniques will be detected and should not be performed without the written consent of the owners of the target systems. We intend for this book to be not a how-to hack manual but rather a framework for performing a systematic network security review. Intrusion detection mechanisms on most networks today have become very sophisticated and, if configured properly, can be used to track anyone practicing these techniques on a network.

Authors

T.J. Klevinsky, CISSP

T.J. is a manager with Ernst & Young's Security and Technology Solutions practice. He is currently responsible for coordinating attack and penetration exercises in various parts of the world. As an instructor for his company's “Extreme Hacking” course, T.J. is constantly researching new tools and techniques for exploiting security vulnerabilities. To keep the course up-to-date, new tools and methods are included in the attack and penetration methodology. Additionally, as the author and instructor for the System Administration and Network Security (SANS) Institute course “Contemporary Hacking Tools and Penetration Testing,” T.J. has had the opportunity to interact with other penetration-testing professionals across the globe to identify new tools and techniques and to bring these experiences and tools to this book.

Scott Laliberte

Scott is a manager with Ernst & Young's Security and Technology Solutions practice. He has extensive experience and expertise in the areas of information systems security, network operations, and electronic commerce. Specifically, Scott has managed and led numerous attack and penetration engagements and systems vulnerability assessments for midsize and Fortune 500 companies. During these engagements Scott used a variety of commercial and proprietary tools and techniques to identify vulnerabilities in networks, operating systems, and applications. Scott is also responsible for coordinating and designing e-commerce architectures and verifying security controls and the effectiveness of the architectures. In addition, Scott is an instructor for Ernst & Young's “Extreme Hacking” course, where he helps train others in Ernst & Young's attack and penetration methodology.

Ajay Gupta

Ajay is a senior security professional with Ernst & Young's Security and Technology Solutions practice, where he performs security reviews for Ernst & Young clients. He has experience in performing penetration testing, risk analysis, and code review engagements as well as evaluating the security posture of client organizations ranging from Fortune 100 firms to e-commerce start-ups. Ajay is an instructor for Ernst & Young's “Extreme Hacking” course and spends a large portion of his time developing and reviewing new tools. Ajay is one of Ernst & Young's specialists in intrusion detection systems and has evaluated, installed, and configured various intrusion detection tools. He has been a speaker in the fields of security and electronic commerce for various national organizations and universities.

How to Use This Book

Managers at an ever-growing number of companies are beginning to treat information security as an issue requiring attention, which shows how real they believe the threat to be. In any case, whether you work in the security department of a large corporation or as a system administrator with security as part of your job description, knowing how to get into your network is one of the best ways to secure it.

The first part of this book (Chapters 1 through 4) explains the roles and responsibilities of a penetration-testing professional and the motivation and styles of the hacking community. This information provides insight into why hacking has become so popular with the media and what difficulties are associated with protecting a network. The material is designed to provide background information to support the use of penetration testing as an important part of an overall network security plan. A penetration test not only tests the network's ability to protect information and other assets from unauthorized individuals but also can test the organization's ability to detect such intrusion attempts and its incident response capabilities. We also discuss some of the common pitfalls in technology and defenses that contribute to security weaknesses. A large portion of successful network security breaches could have been avoided if special attention had been given to these issues.

The second part of this book (Chapters 5 through 10) provides a structured framework for a penetration test. Penetration testing can be broken down into a series of steps that provide an efficient and comprehensive review of individual network segments. Whether the test is an internal or external review, the methodology follows the steps of discovery, scanning, and exploitation. This section outlines methods for finding the target network, identifying possibly vulnerable services, exploiting weaknesses, and documenting the results. This methodology yields a test that is structured, efficient, and repeatable. In this section of the book we also introduce various tools that can be used to assist with this methodology. We briefly describe each tool's use and place in testing.

The third section of this book (Chapters 11 through 16) provides greater detail on the tools that can increase the speed and accuracy of a penetration test. This “tools and techniques” section is presented in a reference format so you can locate a tool by its role in testing and obtain the information necessary to begin using the tool or find the information necessary to do so. A large collection of tools has been released by commercial and open-source programmers that identify vulnerabilities in networks, applications, and/or services, and these tools should be used as part of an assessment. While most of them may be identified by an intrusion detection system, they can usually find exposures on your network faster than manual methods. We provide detailed explanations of each tool, including its basic usage and where to get updates. You will find that some programs are described in greater depth than others. We spend more time on the tools that we find more helpful or that reveal the most information. For ease of use, we obtained demo or freeware software for many of the tools covered and included them on the CD-ROM available with this book. This software is intended to give you the opportunity to become familiar with some of the more popular tools and to see which work best for you. This section is designed to help you pick out the right hardware, operating systems, and software to make a testing tool kit.

The last section of this book (Chapters 17 through 23) moves toward advanced techniques and application testing. You should review this section once you have created and are comfortable with your own tool kit. This section details methods that can be used to evade intrusion detection systems and firewalls, control hosts on target networks remotely, and test Web servers. It also includes a discussion of denial-of-service attacks and a section on how to keep up with the current trends and latest developments in information security. This section contains a list of Web sites and e-mail lists that we used in our research, as well as information on long-term countermeasures to improve security. Finally, we include a brief discussion of future trends within the information technology arena and the possible risks that these trends may produce.

At the end of some chapters are case studies that deal with some of the issues and tools discussed. The case studies detail steps we have followed in real-world penetration-testing engagements to help illustrate how all the pieces of penetration testing fit together. The samples we selected include internal, external, and dial-up testing and reflect different operating systems, vulnerabilities, and exploits in an attempt to demonstrate as many of the techniques discussed in the book as possible. In each case we keep anonymous the name, industry type, and any other information that could be used to identify the parties involved.

Acknowledgments

We would like to thank the following individuals who helped in the development of this book and without whom this work could never have been written: Fyodor, Dug Song, Rob Kolstad, Jennifer Martinez, Marley Klevinsky, Mike Weaver, Alan Paller, Jeff Chulick, Ron Nguyen, rain forest puppy, Lance Hayden, John Sinteur, Eric Rescorla, Amy Korman, Charles Barley, Jr., Randy Musgrove, Erik Winkler, Christopher Brown, Beth Laliberte, Sudeepa Gupta, Ken Williams, Matt Mancuso, Richard Bejtlich, Jose Granado, Mark Mercer, Rod Thomas, Gregston Chu, Steve Smith, Jim Doggett, Chris Kostick, and Simple Nomad.

—T.J. Klevinsky

—Scott Laliberte

—Ajay Gupta
