Title: Hacking
Description: It's complete notes on Hackers



Praise for Gray Hat Hacking: The Ethical Hacker’s Handbook, Second Edition
“Gray Hat Hacking, Second Edition takes a very practical and applied approach to learning
how to attack computer systems
...

—Jeff Moss
Founder and Director of Black Hat
“The second edition of Gray Hat Hacking moves well beyond current ‘intro to hacking’
books and presents a well thought-out technical analysis of ethical hacking
...
The tools and vulnerability classes discussed are very current and can be
used to template assessments of operational networks
...
Dodge Jr
...
D
...
The
tools and techniques covered provide a solid foundation for aspiring information security researchers, and the coverage of popular tools such as the Metasploit Framework
gives readers the information they need to effectively use these free tools
...
com Guide for Internet/Network Security,
http://netsecurity
...
com
“Gray Hat Hacking, Second Edition provides broad coverage of what attacking systems is
all about
...

—Bruce Potter
Founder, The Shmoo Group
“As a security professional and lecturer, I get asked a lot about where to start in the security business, and I point them to Gray Hat Hacking
...
The fact that a second edition is
coming out is even better, as it is still very up to date
...

—Simple Nomad
Hacker

ABOUT THE AUTHORS
Shon Harris, MCSE, CISSP, is the president of Logical Security, an educator and security
consultant
...
S
...
Shon was also recognized as one of the top 25 women in information security
by Information Security Magazine
...
in North
Carolina
...
Additionally, he has served as
a security analyst for the U
...
Department of the Treasury, Internal Revenue Service,
Computer Security Incident Response Center (IRS CSIRC)
...

Chris Eagle is the associate chairman of the Computer Science Department at the Naval
Postgraduate School (NPS) in Monterey, California
...
He can often be found teaching at Black
Hat or playing capture the flag at Defcon
...
He and his
coworkers ensure that Microsoft’s security updates comprehensively address reported
vulnerabilities
...
He serves one weekend each month as a security engineer in a
reserve military unit
...
S
...


About the Technical Editor
Michael Baucom is a software engineer working primarily in the embedded software
area
...
He co-taught Exploiting 101 at Black Hat in 2006
...


Gray Hat Hacking: The Ethical Hacker’s Handbook, Second Edition

Shon Harris, Allen Harper, Chris Eagle,
and Jonathan Ness

New York • Chicago • San Francisco • Lisbon
London • Madrid • Mexico City • Milan • New Delhi
San Juan • Seoul • Singapore • Sydney • Toronto

Copyright © 2008 by The McGraw-Hill Companies
...
Manufactured in the United States of America
...

0-07-159553-8
The material in this eBook also appears in the print version of this title: 0-07-149568-1
...
Rather than put a trademark symbol after every occurrence of a
trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of
infringement of the trademark
...

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate
training programs
...
com or (212)
904-4069
...
(“McGraw-Hill”) and its licensors reserve all rights in and to
the work
...
Except as permitted under the Copyright Act of 1976 and the right to store
and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative
works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s
prior consent
...
Your right to use the work may be terminated if you fail to comply with these terms
...
” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR
WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED
FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA
HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE
...
Neither McGraw-Hill nor its licensors shall be liable to you
or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom
...
Under no circumstances shall
McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that
result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages
...

DOI: 10
...


To my loving and supporting husband, David Harris,
who has continual patience with me as I take
on all of these crazy projects! —Shon Harris
To the service members forward deployed around the world
...
—Allen Harper
To my wife, Kristen, for all of the support she has given me
through this and my many other endeavors! —Chris Eagle
To Jessica, the most amazing and beautiful person
I know
...



Chapter 1 Ethics of Ethical Hacking
...



Chapter 3 Proper and Ethical Disclosure
...



Chapter 4 Using Metasploit
...



Part III Exploits 101
...



Chapter 7 Basic Linux Exploits
...



Chapter 9 Shellcode Strategies
...



Chapter 11 Basic Windows Exploits
...
Chapter 12 Passive Analysis
...



Chapter 14 Advanced Reverse Engineering
...



Chapter 16 Exploiting Windows Access Control Model for Local Elevation of Privilege
...



Chapter 18 From Vulnerability to Exploit


...



Gray Hat Hacking: The Ethical Hacker’s Handbook

Part V Malware Analysis
...



Chapter 21 Hacking Malware
...




CONTENTS
Preface
...

Introduction
...



Chapter 1 Ethics of Ethical Hacking
...

The Controversy of Hacking Books and Classes
...

Recognizing Trouble When It Happens
...

Security Does Not Like Complexity
...



Addressing Individual Laws
...

18 USC Section 1030 of The Computer Fraud and Abuse Act
...

18 USC Sections 2510, et
...
and 2701
...

Cyber Security Enhancement Act of 2002
...



You Were Vulnerable for How Long?
...

How Did We Get Here?
...

Full Disclosure Policy (RainForest Puppy Policy)
...

Discovery
...

Validation
...

Release
...



Case Studies
...

iDefense
...

Vendors Paying More Attention
...



Part II Penetration Testing and Tools
...



Metasploit: The Big Picture
...

Using the Metasploit Console to Launch Exploits
...

Using the Meterpreter
...

Weakness in the NTLM Protocol
...

Brute-Force Password Retrieval with the LM Hashes + Challenge
...

Downloading Rainbow Tables
...

Cracking Hashes with Rainbow Tables
...

Inside Metasploit Modules
...



BackTrack: The Big Picture
...

Booting BackTrack
...

Writing BackTrack to Your USB Memory Stick
...

Creating a Directory-Based or File-Based Module with dir2lzm
...

Creating a Module from an Entire Session of Changes Using dir2lzm
...



Creating a New Base Module with All the Desired Directory Contents
...

Metasploit db_autopwn
...



Part III Exploits 101
...



C Programming Language
...

Sample Program
...

Computer Memory
...

Endian
...

Programs in Memory
...

Strings in Memory
...

Putting the Pieces of Memory Together
...

Registers
...

Machine vs
...
C
...
NASM
...

Assembly File Structure
...

Debugging with gdb
...

Disassembly with gdb
...

Getting Python
...

Python Objects
...

Numbers
...

Dictionaries
...

Sockets with Python
...



Stack Operations
...

Buffer Overflows
...
c
...

Local Buffer Overflow Exploits
...

Exploiting Stack Overflows by Command Line
...

Exploiting Small Buffers
...

Real-World Example
...

Determine the Attack Vector
...

Test the Exploit
...



Format String Exploits
...

Reading from Arbitrary Memory
...

Taking
...

Heap Overflow Exploits
...

Implications
...

Compiler Improvements
...

Return to libc Exploits
...



Chapter 9 Shellcode Strategies
...

System Calls
...

Port Binding Shellcode
...

Find Socket Shellcode
...

File Transfer Code
...

System Call Proxy Shellcode
...



Other Shellcode Considerations
...

Self-Corrupting Shellcode
...

Kernel Space Shellcode
...



Chapter 10 Writing Linux Shellcode
...

System Calls
...

setreuid System Call
...

Implementing Port-Binding Shellcode
...

Assembly Program to Establish a Socket
...

Implementing Reverse Connecting Shellcode
...

Reverse Connecting Assembly Program
...

Simple XOR Encoding
...

JMP/CALL XOR Decoder Example
...

Putting It All Together
...

Generating Shellcode with Metasploit
...



Chapter 11 Basic Windows Exploits
...

Compiling on Windows
...

Debugging on Windows with OllyDbg
...

Building a Basic Windows Exploit
...



Part IV Vulnerability Analysis
...



Ethical Reverse Engineering
...

Reverse Engineering Considerations
...

Source Code Auditing Tools
...

Manual Source Code Auditing
...

Manual Auditing of Binary Code
...



Chapter 13 Advanced Static Analysis with IDA Pro
...

Stripped Binaries
...

Data Structure Analysis
...

Extending IDA
...

IDA Pro Plug-In Modules and the IDA SDK
...



Chapter 14 Advanced Reverse Engineering
...

The Software Development Process
...

Debuggers
...

Profiling Tools
...

Memory Monitoring Tools
...

Instrumented Fuzzing Tools and Techniques
...

Fuzzing Unknown Protocols
...

SPIKE Proxy
...



Chapter 15 Client-Side Browser Exploits
...

Client-Side Vulnerabilities Bypass Firewall Protections
...

Client-Side Vulnerabilities Can Easily Target Specific People or Organizations
...

ActiveX Controls
...

History of Client-Side Exploits and Latest Trends
...

Notable Vulnerabilities in the History of Client-Side Attacks
...

MangleMe
...

AxFuzz
...

Heap Spray to Exploit
...

Protecting Yourself from Client-Side Exploits
...

Stay Informed
...



Chapter 16 Exploiting Windows Access Control Model for Local Elevation of Privilege
...

Most People Don’t Understand Access Control
...

You’ll Find Tons of Security Vulnerabilities
...

Security Identifier (SID)
...

Security Descriptor (SD)
...

Tools for Analyzing Access Control Configurations
...

Dumping the Security Descriptor
...

Special SIDs
...

Investigating “Access Denied”
...

Attack Patterns for Each Interesting Object Type
...

Attacking Weak DACLs in the Windows Registry
...

Attacking Weak File DACLs
...

Enumerating Shared Memory Sections
...

Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, Devices)
...



Protocol Analysis
...

Installing Sulley
...

Blocks
...

Monitoring the Process for Faults
...

Controlling VMware
...

Postmortem Analysis of Crashes
...

Way Ahead
...



Exploitability
...

Understanding the Problem
...

Repeatability
...

Payload Protocol Elements
...

Self-Destructive Shellcode
...

Background Information
...

Research Results
...



Mitigation Alternatives
...

Migration
...

Source Code Patching Considerations
...

Binary Mutation
...



Part V Malware Analysis
...



Malware
...

Malware Defensive Techniques
...

Honeypots
...

Why Honeypots Are Used
...

Low-Interaction Honeypots
...

Types of Honeynets
...

Catching Malware: Setting the Trap
...

VMware Guest Setup
...

Initial Analysis of Malware
...

Live Analysis
...

What Have We Discovered?
...



Trends in Malware
...

Use of Encryption
...

Use of Rootkit Technology
...

Peeling Back the Onion—De-obfuscation
...

Unpacking Binaries
...

Malware Setup Phase
...

Automated Malware Analysis
...



PREFACE
This book has been developed by and for security professionals who are dedicated to
working in an ethical and responsible manner to improve the overall security posture of
individuals, corporations, and nations
...

She would also like to thank Scott David, partner at K&L Gates LLP, for reviewing and
contributing to the legal topics of this book
...
You
gave me the strength and the ability to achieve my goals
...

Chris Eagle would like to thank all of his students and fellow members of the Sk3wl
of r00t
...
He would also like to thank his family, mentors,
teachers, coworkers, pastors, and friends who have guided him along his way, contributing more to his success than they’ll ever know
...

—George Washington
He who has a thousand friends has not a friend to spare, and he who has one enemy will
meet him everywhere
...

—Sun Tzu
The goal of this book is to help produce more highly skilled security professionals
who are dedicated to protecting against malicious hacking activity
...
Corporations and nations have enemies that are very
dedicated and talented
...

The authors of this book want to provide the readers with something we believe the
industry needs: a holistic review of ethical hacking that is responsible and truly ethical
in its intentions and material
...

We have updated the material from the first edition and have attempted to deliver the
most comprehensive and up-to-date assembly of techniques and procedures
...

In Part I of this book we lay down the groundwork of the necessary ethics and expectations of a gray hat hacker
...
Many existing books cover the same old tools and methods that have
been rehashed numerous times, but we have chosen to go deeper into the advanced
mechanisms that real gray hats use today
...
We cover the following topics in this section:
• Program Coding 101 to introduce you to the concepts you will need to
understand for the rest of the sections
• How to exploit stack operations and identify and write buffer overflows
• How to identify advanced Linux and Windows vulnerabilities and how they are
exploited
• How to create different types of shellcode to develop your own proof-of-concept exploits and necessary software to test and identify vulnerabilities
In Part IV we go even deeper, by examining the most advanced topics in ethical hacking that many security professionals today do not understand
...
At some time or another, the
ethical hacker will come across a piece of malware and may need to perform basic analysis
...

We’re interested in your thoughts and comments
...
com
...
grayhathackingbook
...


PART I
Introduction to Ethical Disclosure

■ Chapter 1 Ethics of Ethical Hacking
■ Chapter 2 Ethical Hacking and the Legal System
■ Chapter 3 Proper and Ethical Disclosure

CHAPTER 1

Ethics of Ethical Hacking

• Role of ethical hacking in today’s world
• How hacking tools are used by security professionals
• General steps of hackers and security professionals
• Ethical issues among white hat, black hat, and gray hat hackers

This book has not been compiled and written to be used as a tool by individuals who wish
to carry out malicious and destructive activities
...

Let’s go ahead and get the commonly asked questions out of the way and move on
from there
...
Next question
...
The goal is to identify and prevent destruction and mayhem, not
cause it
...
I think these books are only written for profits and royalties
...
More royalties would be nice, so please
buy two copies of this book
...

Most countries’ militaries carry out scenario-based fighting exercises in many
different formats
...
” The bad guys use the tactics, techniques, and fighting methods of a
specific type of enemy—Libya, Russia, United States, Germany, North Korea, and so on
...

This may seem like a large leap for you, from pilots practicing for wartime to corporations trying to practice proper information security, but it is all about what the team is
trying to protect and the risks involved
...
Several governments around
the world have come to understand that the same assets they have spent millions and
billions of dollars to protect physically are now under different types of threats
...
This software can be hacked into,
compromised, or corrupted
...
Individual military bases still need to be protected by surveillance and military
police, which is physical security
...
These types of controls are limited in monitoring all of the physical entry points into a military base
...

So your corporation does not hold top security information about the tactical military troop movement through Afghanistan, you don’t have the speculative coordinates
of the location of bin Laden, and you are not protecting the launch codes of nuclear
bombs—does that mean you do not need to have the same concerns and countermeasures? Nope
...

The example of protecting military bases may seem extreme, but let’s look at many of
the extreme things that companies and individuals have had to experience because of
poorly practiced information security
...
From 2005 and forward, overall losses due
to malware attacks declined
...
Several factors are believed to have caused this decline, depending upon whom you talk to
...
Another theory
regarding this reduction is that attacks have become less generalized in nature, more
specifically targeted
...
The less-generalized
attacks are still taking place, but at a decreasing rate
...
The
more targeted attacks will not necessarily continue to keep the operational staff carrying
out such busy work, but the damage of these attacks is commonly much more devastating to the company overall
...
Attacks on the home user declined by approximately 7 percent in that same period
...
Over the last two to three years, hackers’ motivation has changed from just the thrill of figuring out how to exploit vulnerabilities to figuring out how to make revenue from their actions and getting paid for their skills
...
The attacks are not only getting more specific, but also increasing in sophistication
...

The year 2006 has been called the “Year of the Rootkit” because of the growing use of
rootkits, which allow hackers to attack specific targets without much risk of being identified
...

NOTE Chapter 6 goes in-depth into rootkits and how they work
...
An interesting thing about malware is that many people seem to put it in
a category different from hacking and intrusions
...
The attacker only
has to put in some upfront effort developing the software, and then it is free to do damage
over and over again with no more effort from the attacker
...

The company Alinean has put together some cost estimates, per minute, for different
organizations if their operations are interrupted
...
Many times attacks and intrusions cause a
nuisance, and they can negatively affect production and the operations of departments,
which always correlates with costing the company money in direct or indirect ways
...

A conservative estimate from Gartner (a leading research and advisory company)
pegs the average hourly cost of downtime for computer networks at $42,000
...
Even when attacks are not newsworthy enough to be reported
on TV or talked about in security industry circles, they still negatively affect companies’
bottom lines all the time
...

Here are a few more examples and trends of the security compromises that are taking
place today:
• Both Ameritrade and E-Trade Financial, two of the top five online brokerage
services, confirmed that millions of dollars had been lost to (or stolen by)
hacker attacks on their systems in the third quarter of 2006
...

• Apple computers, which had been relatively untargeted by hackers due to their
smaller market share, are becoming the focus of more attacks
...
In another product line, Apple reported that some of their iPods
shipped in late 2006 were infected with the RavMonE
...
The virus was
thought to have been introduced into the production line through another
company that builds the iPods for Apple
...

• In December 2006, a 26-year-old Romanian man was indicted by U
...
courts
on nine counts of computer intrusion and one count of conspiracy regarding
breaking into more than 150 U
...
government computer systems at the Jet
Propulsion Labs, the Goddard Space Flight Center, Sandia National
Laboratories, and the U
...
Naval Observatory
...
S
...
The accused faces up to 54 years
in prison if convicted on all counts
...
Symantec detected an average
of 6,110 denial-of-service (DoS) attacks per day, the United States being the most
prevalent target of attacks (54 percent), and the most prolific source of attacks
(37 percent) worldwide
...

• On September 25, 2007, hackers posted names, credit card numbers, as well as
Card Verification Value (CVV) Codes and addresses of eBay customers on a
forum that was specifically created for fraud prevention by the auction site
...

• A security breach at Pfizer on September 4, 2007, may have publicly exposed
the names, social security numbers, addresses, dates of birth, phone numbers,
credit card information, signatures, bank account numbers, and other personal
information of 34,000 employees
...

• On August 23, 2007, the names, addresses, and phone numbers of around
1
...
com
...
com reported that identity theft had
topped the Federal Trade Commission’s (FTC’s) complaint list for the seventh
year in a row
...

• Privacyrights
...

• Clay High School in Oregon, Ohio, reported on January 25, 2007, that staff and
student information had been obtained through a security breach by a former
student
...

S
...

• In April 2007, a woman in Nebraska was able to use TurboTax online to access
not only her previous tax returns, but the returns for other TurboTax customers
in different parts of the country
...

• A security contractor for Los Alamos National Laboratory sent critical and
sensitive information on nuclear materials over open, unsecured e-mail
networks in January 2007—a security failing ranked among the top of serious
threats against national security interests or critical Department of Energy
assets
...

Carnegie Mellon University’s Computer Emergency Response Team (CERT) shows in
its cyberterrorism study that the bad guys are getting smarter, more resourceful, and
seemingly unstoppable, as shown in Figure 1-2
...
Protection from attack was their highest
priority, followed by proprietary data protection, then customer and client
privacy, and finally regulatory compliance issues
...

• The FBI has named computer crimes as their third priority
...
5 million to fund 659 field agents
...
5 percent
increase over the 2007 fiscal year
...

• In February 2007, Forrester
...
5 percent and 9
...
These figures were fairly consistent among
different organizations, regardless of their industry, size, and geographic
location
...



Figure 1-2

The sophistication and knowledge of hackers are increasing
...
Today close to a million computers are infected
with bots that are controlled by specific hackers
...

Botnets are used to spread more spam, phishing attacks, and pornography
...
Since more network administrators have properly configured their mail relays, and blacklists are used
to block mail relays that are open, spammers have had to move to different methods
(using botnets), which the hacking community has been more than willing to provide—
for a price
...
“BotHerder” was
sentenced on May 8, 2006, with a record prison sentence of 57 months (nearly five
years) in federal prison
...


NOTE A drastic increase in spam was experienced in the later months of 2006
and early part of 2007 because spammers embedded images with their messages
instead of using the traditional text
...

So what does this all have to do with ethics? As many know, the term “hacker” had a
positive connotation in the 1980s and early 1990s
...
As malware and attacks emerged, the press and the industry equated
the term “hacker” with someone who carries out malicious technical attacks
...
This book has been created by and
for ethical hackers
...

How Does This Stuff Relate to an Ethical Hacking Book?
Corporations and individuals need to understand how these attacks and losses are taking
place so they can understand how to stop them
...
There is an
all too familiar battle of functionality versus security within every organization
...
Security officers are in charge of ensuring the overall security of the environment, which usually means reducing or shutting off many functionalities that users love
...
One side said that such books only increased the attackers’
skills and techniques and created new attackers
...
Who was right? They both were
...
Although some computer crimes may take on some of these
aspects, in reality it is not this grand or romantic
...

CAUTION Attackers are only one component of information security
...
Security is a much larger and more complex
beast than these technical items
...

So where do we stand on hacking books and hacking classes? Directly on top of a slippery banana peel
...
First, marketing people love to use the word “hacking” instead of more
meaningful and responsible labels such as “penetration methodology
...
All of these procedures now take on
the negative connotation that the word “hacking” has come to be associated with
...

Third, many hacking books and classes are irresponsible
...

This means more than just showing how to exploit a vulnerability
...
Instead these people are often called
“Security Nazi” or “Mr
...
They are responsible for the balance
between functionality and security within the company, and it is a hard job
...
This needs to be brought to management and presented
in business terms and scenarios, so that the ultimate decision makers can truly understand these threats without having to know the definitions and uses of fuzzing tools,
bots, and buffer overflows
...
Many books and courses tout the message of being a
resource for the white hat and security professional
...
You will make just as much (or more) money, and
you will help eliminate the confusion between the concepts of hacking and ethical
hacking
...
A lot of people do not seem to understand this
...
” The problem is that marketing people like to
use the word “hacking” because it draws more attention and paying customers
...
It would
not be useful to prove that attackers could get through the security barriers with Tool A if
attackers do not use Tool A
...
This is because the odds are against the company and
against the security professional
...
The attacker only has to be
really good at one or two exploits, or really lucky
...
S
...
The CIA and FBI are responsible for protecting the
nation from the 10 million things terrorists could possibly think up and carry out
...

NOTE Many ethical hackers engage in the hacker community so they can
learn about the new tools and attacks that are about to be used on victims
...
But these configurations cannot check for dictionary words or calculate how much protection is being provided from brute-force attacks
...
The other
choice is to go to all employees and ask what their password is, write down the password,
and eyeball it to determine if it is good enough
...



The same security staff need to make sure that their firewall and router configurations
will actually provide the protection level that the company requires
...
Or they could implement the configurations and then run
tests against these settings to see if they are allowing malicious traffic into what they
thought had controlled access
...
The
tools carry out different types of attacks, which allow the team to see how the perimeter
devices will react in certain circumstances
...
In an amazing number of cases, a company seemingly does everything correctly when it comes to their infrastructure security
...
It is unfortunate that these companies put forth all the right effort and
funds only to end up on CNN as the latest victim who had all of their customers’ credit
card numbers stolen and posted on the Internet
...

Every company should decide whether their internal employees will learn and maintain their skills in vulnerability and penetration testing, or if an outside consulting service will be used, and then ensure that testing is carried out in a continual scheduled
manner
...

Recognizing Trouble When It Happens
Network administrators, engineers, and security professionals need to be able to recognize when an attack is under way, or when one is about to take place
...
This is
only true for the very “noisy” attacks or overwhelming attacks, as in denial-of-service
(DoS) attacks
...
It is important to know how different types of attacks take place so
they can be properly recognized and stopped
...
Breaking employees’ passwords
could be seen as intrusive and wrong if management does not acknowledge
and allow for such activities to take place
...


Security issues and compromises are not going to go away anytime soon
...
The bad guys know that to hurt an
enemy is to take out what that victim depends upon most
...
Though application development and network and system configuration and maintenance are complex, security is
only going to become more entwined with them
...

In ten years, there will not be such a dividing line between security professionals and
network engineers
...

It is also important to know when an attack may be around the corner
...
There are many activities that lead up to different attacks, so understanding
these items will help the company protect itself
...
But it is very dangerous to just depend upon software that does not have the ability to
put the activities in the necessary context and make a decision
...

So it is important to see how hacking tools are really just software tools that carry out
some specific type of procedure to achieve a desired result
...
The good and the bad guys
use the same toolset; it is just the intent that is practiced when operating these utilities
that differs
...


Emulating the Attack
Once network administrators, engineers, and security professionals understand how
attackers work, they can emulate the attackers’ activities if they plan on carrying out a
useful penetration test (“pen test”)
...

This book walks you through these different steps so that you can understand how
many types of attacks take place
...

Many elementary ethical hacking books are already available in every bookstore
...
It is also obvious that although some people are just entering
this sector, many individuals are ready to move on to the more advanced topics of

Chapter 1: Ethics of Ethical Hacking

15

Security Does Not Like Complexity
Software in general is very complicated, and the more functionality that we try to shove
into applications and operating systems, the more complex software will become
...

Today’s operating systems and applications are increasing in lines of code (LOC)
...
Unix and
Linux operating systems have many fewer, usually around 2 million LOC
...
So a middle-of-the-road estimate would be that Windows XP has approximately 1,200,000 bugs
...
Just a guesstimation
...
The programming industry has evolved from traditional programming languages to object-oriented languages, which allow for a modular approach to developing software
...
But applications and operating systems use each other’s components, users download different
types of mobile code to extend functionality, DLLs (dynamic-link libraries) are
installed and shared, and instead of application-to-operating system communication,
today many applications communicate directly with each other
...

If we peek under the covers even further, we see that thousands of protocols are integrated into the different operating system protocol stacks, which allow for distributed
computing
...
Device drivers are developed by different vendors and installed
into the operating system
...
Device drivers run in privileged mode, so if they “act up” or contain exploitable
vulnerabilities, a successful exploit hands the attacker that same elevated privilege on
the system
...
The goal of this book is to quickly go through some of the basic ethical
hacking concepts and spend more time with the concepts that are not readily available
to you—but are unbelievably important
...
A wide range of computer
crimes are taken seriously by today’s court system, and attackers are receiving hefty fines
and jail sentences for their activities
...
There is just as much fun and
intellectual stimulation to be had working as a good guy, with no threat of jail time!

get even closer to the hardware level, injection of malicious code into firmware has
always been an attack vector
...
Until we understand that a majority of the
successful attacks are carried out because software vendors do not integrate security into
the design and specification phases of development, that most programmers have not
been properly taught how to code securely, that vendors are not being held liable for
faulty code, and that consumers are not willing to pay more for properly developed and
tested code, our staggering hacking and company compromise statistics will only
increase
...
Every industry in the world is becoming more reliant on software and technology
...
Although security is
becoming more of an issue, functionality of software has always been the main driving
component of products and it always will be
...

Will vendors integrate better security, ensure their programmers are properly trained
in secure coding practices, and put each product through more and more testing cycles?
Not until they have to
...
Currently most vendors are only integrating protection mechanisms because of the backlash and demand from their customer bases
...

So we are back to the original question: what does this have to do with ethical hacking? A novice ethical hacker will use tools developed by others who have uncovered specific vulnerabilities and methods to exploit them
...
The more advanced ethical hacker will be able to
identify possible vulnerabilities and programming code errors, and develop ways to rid
the software of these types of flaws
...

CHAPTER 2

Ethical Hacking and the Legal System

• Laws dealing with computer crimes and what they address
• Malware and insider threats companies face today
• Mechanisms of enforcement of relevant laws
• Federal and state laws and their application

We are currently in a very interesting time where information security and the legal system are being slammed together in a way that is straining the resources of both systems
...
” In the past, these two very different sectors had their own
focus, goals, and procedures that did not collide with one another
...

Today’s CEOs and management not only need to worry about profit margins, market
analysis, and mergers and acquisitions
...
Business managers must develop at least a
passing familiarity with the technical, systemic, and physical elements of information
security
...

Just as businesspeople must increasingly turn to security professionals for advice in
seeking to protect their company’s assets, operations, and infrastructure, so too must
they turn to legal professionals for assistance in navigating the changing legal landscape
in the privacy and information security area
...
Thus,
the security technology developers and other professionals are constantly trying to outsmart the sophisticated attackers, and vice versa
...

Compounding the challenge for business is the fact that the information security situation is not static; it is highly fluid and will remain so for the foreseeable future
...
These and other new technologies are also giving rise
to new transaction structures and ways of doing business
...
Like business leaders,
those involved in the legal system, including attorneys, legislators, government regulators,
judges, and others, also need to be properly versed in the developing laws (and customer
and supplier product and service expectations that drive the quickening evolution of new
ways of transacting business)—all of which is captured in the term “cyberlaw
...
The rise in prominence of cyberlaw is not surprising if you consider that the first daily act of millions of American workers is to turn on their
computers (frequently after they have already made ample use of their other Internet access
devices and cell phones)
...
But the ease of access also results in business risk, since network openness can
also enable unauthorized access to networks, computers, and data, including access that
violates various laws, some of which are briefly described in this chapter
...
A very important
subset of these laws is the group of laws directed at preventing and punishing the unauthorized access to computer networks and data
...

Security professionals should be familiar with these laws, since they are expected to
work in the construct the laws provide
...
Usually it is
the guilty ones that get to remain free
...
In addition, recent real-world examples are documented to better demonstrate how the laws were created and have evolved over the years
...
We will cover selected U.S. federal computer crime laws in order to provide a sample of these many initiatives; a great deal of detail regarding these laws is omitted and numerous laws are not covered
...
Instead it is meant to raise the importance of considering these laws in your work and activities as an information security professional
...

With just a finite number of pages, we cannot properly cover all legal systems in the world
or all of the relevant laws in the United States
...

The following sections survey some of the many U.S. federal computer crime statutes, including:
• 18 USC 1029: Fraud and Related Activity in Connection with Access Devices
• 18 USC 1030: Fraud and Related Activity in Connection with Computers
• 18 USC 2510 et seq
...
: Stored Wire and Electronic Communications and
Transactional Records Access
• The Digital Millennium Copyright Act
• The Cyber Security Enhancement Act of 2002

18 USC Section 1029: The Access Device Statute
The purpose of the Access Device Statute is to curb unauthorized access to accounts; theft
of money, products, and services; and similar crimes
...
It defines and establishes
penalties for fraud and illegal activity that can take place by the use of such counterfeit
access devices
...
These elements include consideration of the
potentially illegal activity in light of the precise meaning of “access device,” “counterfeit
access device,” “unauthorized access device,” “scanning receiver,” and other definitions
that together help to define the scope of application of the statute
...
Specifically, it is defined broadly to mean:
…any card, plate, code, account number, electronic serial number, mobile
identification number, personal identification number, or other
telecommunications service, equipment, or instrument identifier, or other
means of account access that can be used, alone or in conjunction with another
access device, to obtain money, goods, services, or any other thing of value, or
that can be used to initiate a transfer of funds (other than a transfer originated
solely by paper instrument)
...
The telephone service codes that they generate would be
considered to be within the definition of an access device, since they are codes or electronic serial numbers that can be used, alone or in conjunction with another access
device, to obtain services
...
Finally,
a crime would occur with each of the activities of producing, using, or selling these
codes, since the Access Device Statute is violated by whoever “knowingly and with intent
to defraud, produces, uses, or traffics in one or more counterfeit access devices
...

“Access device” also refers to the actual credential itself
...

A common method that attackers use when trying to figure out what credit card numbers merchants will accept is to use an automated tool that generates random sets of
potentially usable credit card values
...
The
attackers submit these generated values to retailers and others with the goal of fraudulently obtaining services or goods
...
Because this attack type has
worked so well in the past, many merchants now require users to enter a unique card
identifier when making online purchases
...
Guessing a 16-digit credit card number is challenging enough, but factoring in
another three-digit identifier makes the task much more difficult, and next to impossible without having the card in hand
...
In June 2006, the Department
of Justice (DOJ), in an operation appropriately named “Operation French Fry,” arrested
eight persons (a ninth was indicted and declared a fugitive) in an identity theft ring
where waiters had skimmed debit card information from more than 150 customers at
restaurants in the Los Angeles area
...
After requesting new PINs for the compromised accounts,
they would proceed to withdraw money from the accounts and use the funds to purchase postal money orders
...

Table 2-1 outlines the crime types addressed in section 1029 and their corresponding
punishments
...

A further example of a crime that can be punished under the Access Device Statute is
the creation of a website or the sending of e-mail “blasts” that offer false or fictitious
products or services in an effort to capture credit card information, such as products that
promise to enhance one’s sex life in return for a credit card charge of $19
...
(The snake
oil miracle workers who once had wooden stands filled with mysterious liquids and
herbs next to dusty backcountry roads have now found the power of the Internet
...

The types and seriousness of fraudulent activities that fall within the Access Device Statute are increasing every year
...
7
percent of white-collar prosecutions that month were related to Title 18 USC 1029
...
This level of activity represents a 340 percent
increase over the same month in 2005 (when there were only five district court filings),
and a 425 percent increase over July 2001 (when there were only four such filings)
...
As our dependency upon technology
increases and society becomes more comfortable with carrying out an increasingly
broad range of transactions electronically, such threats will only become more prevalent
...
So basically you need several
tools in your bag of tricks to fight the bad guys—technology, knowledge of how to use
the technology, and the legal system
...

Section 1029 addresses offenses that involve generating or illegally obtaining access credentials
...
These
activities are considered criminal whether or not a computer is involved
...


Crime: Producing, using, or trafficking in one or more counterfeit access devices
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Creating or using a software tool to generate credit card numbers

Crime: Using an access device to gain unauthorized access and obtain anything of value totaling $1,000 or more during a one-year period
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Using a tool to capture credentials and using the credentials to break into the Pepsi-Cola network and stealing their soda recipe

Crime: Possessing 15 or more counterfeit or unauthorized access devices
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Hacking into a database and obtaining 15 or more credit card numbers

Crime: Producing, trafficking, having control or possession of device-making equipment
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $1,000,000 and/or up to 20 years if repeat offense
Example: Creating, having, or selling devices to illegally obtain user credentials for the purpose of fraud

Crime: Effecting transactions with access devices issued to another person in order to receive payment or other thing of value totaling $1,000 or more during a one-year period
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Setting up a bogus website and accepting credit card numbers for products or services that do not exist

Crime: Soliciting a person for the purpose of offering an access device or selling information regarding how to obtain an access device
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: A person obtains advance payment for a credit card and does not deliver that credit card

Crime: Using, producing, trafficking in, or having a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Cloning cell phones and reselling them or using them for personal use

Crime: Using, producing, trafficking in, or having custody or control of a scanning receiver
Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Scanners used to intercept electronic communication to obtain electronic serial numbers and mobile identification numbers for cell phone recloning purposes

Crime: Producing, trafficking, having control or custody of hardware or software used to alter or modify telecommunications instruments to obtain unauthorized access to telecommunications services
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Using and selling tools that can reconfigure cell phones for fraudulent activities; PBX telephone fraud and different phreaker boxing techniques to obtain free telecommunication service

Crime: Causing or arranging for a person to present, to a credit card system member or its agent for payment, records of transactions made by an access device
Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison; $100,000 and/or up to 20 years if repeat offense
Example: Creating phony credit card transaction records to obtain products or refunds

Table 2-1 Access Device Statute Laws

Chapter 2: Ethical Hacking and the Legal System

23

18 USC Section 1030 of The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) (as amended by the USA Patriot Act) is an
important federal law that addresses acts that compromise computer network security
...
It addresses unauthorized access to government, financial institution,
and other computer and network systems, and provides for civil and criminal penalties for
violators
...

Table 2-2 outlines the categories of the crimes that section 1030 of the Act addresses
...
You can be held liable under the CFAA if you
knowingly accessed a computer system without authorization and caused harm, even if
you did not know that your actions might cause harm
...
The CFAA is the most widely referenced statute in
the prosecution of many types of computer crimes
...
It indicates that
the law applies also to any system “used in interstate or foreign commerce or communication
...

Almost every computer connected to a network or the Internet is used for some type of
commerce or communication, so this small clause pulls nearly all computers and their
uses under the protective umbrella of the CFAA
...
So if the United States can get the attackers, they
will attempt to prosecute them no matter where they live in the world
...
There are two
types of unauthorized access that can be prosecuted under the CFAA
...

Crimes addressed:
• Obtaining information in a financial record of a financial institution or a card issuer, or information on a consumer in a file of a consumer reporting agency
• Affecting a computer exclusively for the use of a U.S. government department or agency or, if it is not exclusive, one used for the government where the offense adversely affects the use of the government’s operation of the computer
• Furthering a fraud by accessing a federal interest computer and obtaining anything of value, unless the fraud and the thing obtained consists only of the use of the computer and the use is not more than $5,000 in a one-year period
• … The result is damage or the victim suffers some type of loss
• Furthering a fraud by trafficking in passwords or similar information that will allow a computer to be accessed without authorization, if the trafficking affects interstate or foreign commerce or if the computer affected is used by or for the government

Examples:
• Hacking into a government computer to obtain classified data
• Breaking into a computer to obtain another person’s credit information
• Carrying out denial-of-service attacks against government agencies
• Intentional: Disgruntled employee uses his access to delete a whole database (or if the prosecution cannot prove that the attacker’s intent was malicious …)

Penalties:
• Fine and/or up to 1 year in prison, up to 10 years if repeat offense
• Penalty with intent to harm: Fine and/or up to 5 years in prison, up to 10 years if repeat offense
• 5 years and $250,000 fine for first offense, 10 years and $250,000 for subsequent offenses

Table 2-2 Computer Fraud and Abuse Act Laws

commit crimes
...
This
helps companies prosecute employees when they carry out fraudulent activities by abusing (and exceeding) the access rights the companies have given to them
...
The Secret
Service now deals with several areas to protect the nation and has established
an Information Analysis and Infrastructure Protection division to coordinate
activities in this area
...

The following are examples of the application of the CFAA to intrusions against a
government agency system
...
The attack came
from East Asia and included probes of government systems, attempts to steal passwords,
and attempts to implant various backdoors to maintain regular access to the systems
...

NOTE In December 2006, in an attempt to reduce the number of attacks on
its protected systems, the DoD barred the use of HTML-based e-mail due to
the relative ease of infection with spyware and executable code that could
enable intruders to gain access to DoD networks
...

The operation was called “Operation Cyber Sweep
...
The attacker was a
former IT technician of a software vendor who provided the critical voice-response system
used by the hotline service
...
...

This brought the service to a screeching halt
...

Many IT professionals and security professionals have relatively unlimited access
rights to networks due to the requirements of their job, and based upon their reputation
and levels of trust they’ve earned throughout their careers
...
The CFAA could
apply in these cases to prosecute even trusted, credentialed employees who performed
such misdeeds
...
The FBI is responsible for
cases dealing with national security, financial institutions, and organized crime
...


hospital workers, and police officers, were unable to access the hotline or experienced
major delays
...
The cracker was
arrested by the FBI and faced charges under the CFAA of five years in prison and fines
that could total $250,000
...
In this case, an Arizona cracker used his knowledge of automobile computer
systems to obtain credit history information that was stored in databases of automobile
dealers
...
The cracker used the information that he acquired, including
credit card numbers, Social Security numbers, and other sensitive information, to
engage in identity fraud against several individuals
...
It is all too common to
see CNN lead its news coverage with a virus outbreak alert
...
The malware is constantly becoming more sophisticated, and a record number of home users run insecure systems, which is just a welcome
mat to one and all hackers
...
The CFAA
criminalizes the activity of knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage
without authorization to a protected computer
...

This case, United States v
...

The hacker sent an e-mail to these subscribers that contained a malicious worm
...
Several areas from New York to Los Angeles experienced these false 9-1-1 calls
...
When it was launched, the users
thought a simple display change was being made to their monitor, such as a color setting
...
The next time the
users attempted to connect to their web service, the 9-1-1 call was sent out instead
...
As part
of WebTV service, automated dialing is performed each night at midnight in order to
download software updates and to retrieve user data for that day
...
The maximum penalty for the case, filed as
violating Title 18 USC 1030(a)(5)(A)(i), is ten years in prison and a fine of $250,000
...
Because viruses can spread so quickly, and their impact can grow exponentially, serious countermeasures have begun to surface
...
In Minnesota, an individual was
brought to justice under the CFAA for issuing a B variant of the worm that infected 7,000
users
...

These kinds of attacks have gained the attention of high-ranking government and law
enforcement officials
...
Cyber
hacking is not joy riding
...
The Department of Justice takes these crimes very seriously, and we will
devote every resource possible to tracking down those who seek to attack our technological infrastructure
...
Sadly, many of these attackers are not located and prosecuted because of the difficulty of investigating digital crimes
...
“This case is a good example of how effectively and quickly law
enforcement and prosecutors can work together and cooperate on a national level,”
commented U.S. District Attorney Tom Heffelfinger
...
Jana Monroe, FBI assistant director,
cyber division, stated, “Malicious code like Blaster can cause millions of dollars’ worth of
damage and can even jeopardize human life if certain computer systems are infected
...
” In response to this
and other types of computer crime, the FBI has identified investigating cybercrime as one of
its top three priorities, behind counterterrorism and counterintelligence investigations
...
Heckenkamp); a case in which the defendant was
charged with illegally accessing a company’s computer system to get at credit information on approximately 60 persons (United States v
...

So many of these computer crimes happen today, they don’t even make the news anymore
...
If more people
knew the amount of digital criminal behavior that is happening these days (prosecuted
or not), security budgets and awareness would certainly rise
...
But wouldn’t the better approach
be to ensure that software does not contain so many flaws that can be exploited and that
continually cause these types of issues? That is why we wrote this book
...
Networks should not have a hard shell and a
chewy inside—the protection level should properly extend across the enterprise and
involve not just the perimeter devices
...
It seems like a coldhearted reaction, especially in cases where an employee has worked for a company for many years
and has done nothing wrong
...
But still these individuals are told to
leave and are sometimes treated like criminals instead of former valued employees
...
The saying “one bad apple can ruin a bushel” comes to
mind
...
There are physical security issues,
employee safety issues, and in some cases, forensic issues to contend with
...
It has happened to
many unsuspecting companies, and yours could be next if you don’t protect it
...

Several cases under the CFAA have involved former or current employees
...
In May of that same year, Muvico’s online ticket-ordering system crashed, costing the company an estimated $100,000
...
Authorities believe that the former employee literally hid in the bushes outside
the company’s headquarters building while implementing the attack
...

In another example, a 2002 case was brought in Pennsylvania involving a former
employee who took out his frustration on his previous employer
...
The cracker’s first actions were to
post usernames and passwords on Yahoo hacker boards
...
Problems could
have been avoided if the company had simply changed usernames, passwords, and configuration parameters, but they didn’t
...
He successfully brought down the network, which prevented customers from placing orders online
...
The company did notice the intrusion after some time and made the necessary adjustments to prevent the attacker from
doing further damage; however, significant harm had already been done
...
There was no way for American Eagle to prove how many
customers were turned away when trying to access the website, and there was no way to
prove that they were going to buy goods if they had been successful at accessing the site
...
The Act does, however, also provide
for criminal fines and imprisonment designed to dissuade individuals from engaging in
hacking attacks
...

In some intrusion cases, real damages can be calculated
...
This
act caused major malfunctions on core systems, the cost of which could be quantified
...
” The Department of Justice press release said that the hacker
was sentenced to 12 months of imprisonment and was ordered to pay $80,713
...

These are just a few of the many attacks performed each year by disgruntled employees
against their former employers
...


State Law Alternatives
The amount of damage resulting from a violation of the CFAA can be relevant for either
a criminal or civil action
...
A criminal violation is brought by a government official and is
punishable by either a fine or imprisonment or both
...
The amount of damage is relevant for some but not
all of the activities that are prohibited by the statute
...
For most of the violations under CFAA, the losses must
equal at least $5,000 during any one-year period
...
For example, when computers are used in distributed denial-of-service
attacks or when the processing power is being used to brute force and uncover an
encryption key, the issue of damages becomes cloudy
...
The victim of an attack can
suffer various qualitative harms that are much harder to quantify
...
In that context, this
federal statute may not be a useful tool for you and your legal team
...
To fill these gaps, many relevant state laws
outlawing fraud, trespass, and the like, that were developed before the dawn of cyberlaw,
are being adapted, sometimes stretched, and applied to new crimes and old crimes taking place in a new arena—the Internet
...

Often victims will turn to state laws that may offer more flexibility when prosecuting
an attacker
...

For example, if an unauthorized party is accessing, scanning, probing, and gathering
data from your network or website, this may fall under a state trespassing law
...
This legal theory was
used by eBay in response to its continually being searched by a company that implemented automated tools for keeping up-to-date information on many different auction
sites
...
The probing used eBay’s system resources and precious bandwidth, but this use was difficult to quantify
...
So eBay’s


TIP If you think you may prosecute for some type of computer crime that
happened to your company, start documenting the time people have to spend
on the issue and other costs incurred in dealing with the attack
...

A case in Ohio illustrates how victims can quantify damages by keeping an accurate
count of the hours needed to investigate and recover from a computer-based attack
...
However, according to the case report, he accessed files that were beyond those
for which he was authorized and downloaded personal data located in the databases,
such as customer credit card numbers, usernames, and passwords
...
This critical piece allowed the attacker to download customer files
...
” The victim was a Cincinnati-based company,
Acxiom, which reported that they suffered nearly $6 million in damages and listed the
following specific expenses associated with the attack: employee time, travel expenses,
security audits, and encryption software
...

Resort to state laws is not, however, always straightforward
...
Thus, for example, trespass law varies from one state to the next
...
For instance, some states require a
showing of damages as part of the claim of trespass (not unlike the CFAA requirement),
while other states do not require a showing of damage in order to establish that an
actionable trespass has occurred
...

Companies will not, however, have total discretion as to where they bring the case
...
Thus, for example, a cracker in New Jersey attacking computer networks in New York will not be prosecuted under the laws of California,
since the activity had no connection to that state
...
Even with these
limitations, companies sometimes have to rely upon this patchwork quilt of different
non-computer–related state laws to provide a level of protection similar to the intended
blanket of protection of federal law
...
The penalty for this offense under CFAA consists
of a maximum prison term of five years and a fine of $250,000
...
If these confirmations are not in place, it could lead to misunderstandings and, in the extreme case, prosecution under the Computer Fraud and
Abuse Act or other applicable law
...
Department of Air Force, the
court rejected an employee’s claim that alterations to computer contracts were made to
demonstrate the lack of security safeguards and found the employee liable, since the
statute only required proof of use of a computer system for any unauthorized purpose
...


Electronic Communications Privacy Act (ECPA)
… et seq. The ECPA therefore has a different focus than the CFAA, which is directed at protecting computers and network systems. …

Federal wiretap law dates back to 1918, but the Wiretap Act in its modern form is Title III of the Omnibus Crime Control and Safe Streets Act of 1968, and the ECPA (1986) extended its reach to electronic communication when society moved that way. … The Stored Communications Act protects some of the same types of communications before and/or after they are transmitted, while they are stored electronically somewhere. …

The Wiretap Act generally provides that there cannot be any intentional interception of wire, oral, or electronic communication in an illegal manner. …” Does it apply only when the data is being transmitted as electricity or light over some type of transmission medium? Does the interception have to occur at the time of the transmission? Does it apply to this transmission and to where it is temporarily stored on different …

Chapter 2: Ethical Hacking and the Legal System

An example will help to illustrate the issue. … Assume that since Al Gore invented the Internet, he has also figured out how to intercept and read messages sent over the Internet. …

Through a series of court cases, it has been generally established that “intercept” only applies to moments when data is traveling, not when it is stored somewhere permanently or temporarily. … The ECPA, which amended both earlier laws, therefore is the “one-stop shop” for the protection of data in both states, transmission and storage. … For example, if the government wants to listen in on phone calls, Internet communication, e-mail, network traffic, or you whispering into a tin can, it can do so if it complies with safeguards established under the ECPA that are intended to protect the privacy of persons who use those systems. … It is very important for information security professionals and businesses to be clear about the scope of authorized access that is intended to be provided to various parties to avoid these issues. …

Interesting Application of ECPA
Many people understand that as they go from site to site on the Internet, their browsing and buying habits are being collected and stored as small text files on their hard drives. … Suppose you go to a website that uses cookies, looking for a new pink sweater for your dog because she has put on 20 pounds and outgrown her old one, and your shopping activities are stored in a cookie on your hard drive. … Different websites share this browsing and buying-habit information with each other. … It is all about targeting the customer based on preferences, and through the targeting, promoting purchases. …

As it happens, some people did not like this “Big Brother” approach and tried to sue a company that engaged in this type of data collection. … They also claimed that this violated the Wiretap Act because the company intercepted the users' communication to other websites as browsing was taking place. …

Since the other website vendors were allowing this specific company to gather buying and browsing statistics, they were the party that authorized this interception of data. …

Trigger Effects of Internet Crime
The explosion of the Internet has yielded far too many benefits to list in this writing. … Commercial organizations, healthcare organizations, nonprofit organizations, government agencies, and even military organizations publicly disclose vast amounts of information via websites. … However, as the world progresses in a positive direction, the bad guys are right there keeping up with and exploiting technologies, waiting for their opportunities to pounce on unsuspecting victims. …

It is widely recognized that the Internet represents a fundamental change in how information is made available to the public by commercial and governmental entities, and that a balance must continually be struck between the benefits of such greater access and the downsides. …

After the tragic events of September 11, 2001, many government agencies began reducing their disclosure of information to the public, sometimes in areas that were not clearly associated with national security. … Residents near Aberdeen, Maryland, have worried for years about the safety of their drinking water due to their suspicion that potentially toxic chemicals leak into their water supply from a nearby weapons training center. … However, when residents found out that rocket fuel had entered their drinking water in 2002, they also noticed that the maps the army provided were much different than before. … The army responded to complaints by saying the omission was part of a national security blackout policy to prevent terrorism. … All branches of the government have tightened their security policies. …

PART I

Limiting information made available on the Internet is just one manifestation of the tighter information security policies that are necessitated, at least in part, by the perception that the Internet makes information broadly available for use or misuse. … Roger Pilon, Vice President of Legal Affairs at the Cato Institute, lashed out at one such measure: “Every administration overclassifies documents, but the Bush administration's penchant for secrecy has challenged due process in the legislative branch by keeping secret the names of the terror suspects held at Guantanamo Bay. …” In a separate report, they documented that the U.S. government spent more than $7… The White House classified 44… That figure equals the total number of classifications that President Clinton's administration made during his entire second four-year term. … Bush granted classification powers to the Secretary of Agriculture, Secretary of Health and Human Services, and the administrator of the Environmental Protection Agency. …

The terrorist threat has been used “as an excuse to close the doors of the government,” states OMB Watch Government Secrecy Coordinator Rick Blum. … Some examples include the following:

• The Homeland Security Act of 2002 offers companies immunity from lawsuits and public disclosure if they supply infrastructure information to the Department of Homeland Security. …

• Information related to the task force for energy policies that was formed by Vice President Dick Cheney was concealed. …

Gray Hat Hacking: The Ethical Hacker's Handbook

Another manifestation of the Bush administration's desire to limit access to information in its attempt to strengthen national security is reflected in its support in 2001 for the USA Patriot Act. … Among the many laws that it amended are the CFAA (discussed earlier), under which the restrictions that were imposed on electronic surveillance were eased. … The Patriot Act also facilitated surveillance through amendments to the Wiretap Act (discussed earlier) and other laws. …


Digital Millennium Copyright Act (DMCA)
The DMCA is not often considered in a discussion of hacking and the question of information security, but it is relevant to the area. …

The WIPO Treaty requires treaty parties to “provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors,” and to restrict acts in respect to their works which are not authorized. … The DMCA establishes both civil and criminal liability for the use, manufacture, and trafficking of devices that circumvent technological measures controlling access to, or protection of the rights associated with, copyrighted works. … In hearings, the crime that the anticircumvention provision is designed to prevent was described as “the electronic equivalent of breaking into a locked room in order to obtain a copy of a book. …” The legislative history provides that “if unauthorized access to a copyrighted work is effectively prevented through use of a password, it would be a violation of this section to defeat or bypass the password. …” Therefore, measures that can be deemed to “effectively control access to a work” would be those based on encryption, scrambling, authentication, or some other measure that requires the use of a key provided by a copyright owner to gain access to a work. …

If you have created a nifty little program that will control access to all of your written interpretations of the grandness of the invention of pickled green olives, and someone tries to break this program to gain access to your copyright-protected insights and wisdom, the DMCA could come to your rescue. … If someone were willing to expend the necessary resources to break your access control safeguard, the DMCA would be of no help to you for prosecution purposes because it only protects works that fall under the copyright act. … The DMCA also provides that no one can create, import, offer to others, or traffic in any technology, service, or device that is designed for the purpose of circumventing some type of access control that is protecting a copyrighted item. …

If your mother tells you to “be good,” this is vague and open to interpretation. … There are two approaches to laws and writing legal contracts:

• …

• Write laws at a higher abstraction level, which covers many more possible activities that could take place in the future, but is then wide open for different judges, juries, and lawyers to interpret. …

Sometimes the vagueness is inadvertent (possibly reflecting an incomplete or inaccurate understanding of the subject), while at other times it is intended to broaden the scope of that law's application. … If the DMCA indicates that no service can be offered that is primarily designed to circumvent a technology that protects a copyrighted work, where does this start and stop? What are the boundaries of the prohibited activity? The fear of many in the information security industry is that this provision could be interpreted and used to prosecute individuals carrying out commonly applied security practices. … Security classes are offered to teach people how these attacks take place so they can understand what countermeasure is appropriate and why. … Security professionals are also hired to break these mechanisms before they are deployed into a production environment or go to market, to uncover flaws and missed vulnerabilities. … But how will people learn how to hack, crack, and uncover vulnerabilities and flaws if the DMCA indicates that classes, seminars, and the like cannot be conducted to teach security professionals these skills? The DMCA provides an explicit exemption allowing “encryption research” for identifying flaws and vulnerabilities of encryption technologies. … Yep, as you pull one string, three more show up. …

An interesting aspect of the DMCA is that there does not need to be an infringement of the work that is protected by the copyright law for prosecution under the DMCA to take place. … The DMCA, like the CFAA and the Access Device Statute, is directed at curbing unauthorized access itself, but not at the protection of the underlying work, which is the role performed by the copyright law. … Two for the price of one. … Among these are:

• A case in which the defendant was convicted of producing and distributing modified DirecTV access cards (United States v. …). …

• A case in which the defendant was charged for creating a software program that was directed at removing limitations put in place by the publisher of an e-book on the buyer's ability to copy, distribute, or print the book (United States v. …). …

• A case in which the defendant pleaded guilty to conspiring to import, market, and sell circumvention devices known as modification (mod) chips (United States v. Rocci). …

… While there is growing pressure on Congress to limit the DMCA, Congress is taking action to broaden the controversial law with the Intellectual Property Protection Act of 2006. …


Cyber Security Enhancement Act of 2002
Several years ago, Congress determined that there was still too much leeway for certain types of computer crimes, and some activities that were not labeled “illegal” needed to be. …

The CSEA made a number of changes to federal law involving computer crimes. … If an attacker carries out a crime that could result in another's bodily harm or possible death, the attacker could face life in prison. … For example, if an attacker were to compromise embedded computer chips that monitor hospital patients, cause fire trucks to report to wrong addresses, make all of the traffic lights change to green, or reconfigure airline controller software, the consequences could be catastrophic and under the Act result in the attacker spending the rest of her days in jail. …

… This targeting of a hospital led to a conviction on one count of intentional computer damage that interferes with medical treatment. … It is believed that the attacker was compensated $30,000 in commissions for his successful infection of computers with the adware. …

… One way in which the Act encourages cooperation with law enforcement is that it allows service providers to report suspicious behavior and not risk customer litigation. … Previously, if a law enforcement agent requested information on one of their customers and the provider gave it to them without the customer's knowledge or permission, the service provider could, in certain circumstances, be sued by the customer for unauthorized release of private information. … This and other provisions of the Patriot Act have certainly gotten many civil rights monitors up in arms. …

The reports that are given by the service providers are also exempt from the Freedom of Information Act. … This is another issue that has upset civil rights activists. …
...
Vendors have scrambled to continually meet this demand while attempting to increase profits and market share
...
The flaws in different software packages range from mere nuisances to critical
and dangerous vulnerabilities that directly affect the customer’s protection level
...
The number of vulnerabilities that
were discovered in Microsoft Office in 2006 tripled from the number that had been discovered in 2005
...

A few were zero-day exploits
...
Once the user opens one of these document types, malicious code that is embedded in the document, spreadsheet, or presentation file executes
and can allow a remote attacker administrative access to the now-infected system
...
Internet Explorer
• W2
...
Microsoft Office
• W4
...
Windows Configuration Weaknesses
• M1
...
UNIX Configuration Weaknesses
• Cross-Platform Applications
• C1 Web Applications
• C2
...
P2P File Sharing Applications
• C4 Instant Messaging
• C5
...
DNS Servers
• C7
...
Security, Enterprise, and Directory Management Servers
• Network Devices
• N1
...
Network and Other Devices Common Configuration Weaknesses
• Security Policy and Personnel
• H1
...
Users (Phishing/Spear Phishing)
• Special Section
• Z1
...
… The Trojan horse's reported name is syosetu. … If a user logs in as an administrator on a system and the attacker exploits this vulnerability, the attacker can take complete control over the system working under the context of an administrator. … If the user logs in under a less powerful account type, the attacker is limited to what she can carry out under that user's security context. … The specially created presentation was a PowerPoint slide deck that discussed the difference between men and women in a humorous manner, which seems to always be interesting to either sex. … One of the main problems today is that many of these messages contain zero-day attacks, which means that victims are vulnerable until the vendor releases some type of fix or patch. … Today's attackers are not necessarily out for the “fun of it”; they are more serious about penetrating their targets for financial gain and attempt to stay under the radar of the corporations they are attacking and of the press. … Exploitation of these vulnerabilities was not highly publicized for quite some time. … Because these attacks cannot be detected through the analysis of large traffic patterns or even voluminous intrusion detection system (IDS) and firewall logs, they are harder to track. … This does have the potential to be a dangerous combination. … While on the large scale it has very little impact, for those few who are attacked, it could still be a massively damaging event. … They are considered to be small problems as long as they are scattered and infrequent attacks that only affect a few. … Where Microsoft products once were the main or only targets of these kinds of attacks due to their inherent vulnerabilities and extensive use in the market, there has been a shift toward exploits that target other products. … There has also been a major upswing in the types of attacks that exploit flaws in programs that are designed to process media files such as Apple QuickTime, iTunes, Windows Media Player, RealNetworks RealPlayer, Macromedia Flash Player, and Nullsoft Winamp. …

Macintosh systems, which were considered to be relatively safe from attacks, had to deal with their own share of problems with zero-day attacks during 2006. … Then at Black Hat in 2006, Apple drew even more fire when Jon Ellch and Dave Maynor demonstrated how a rootkit could be installed on an Apple laptop by using third-party Wi-Fi cards. … Macintosh users did not like to hear that their systems could potentially be vulnerable and have questioned the validity of the vulnerability. …

Mac OS X was once thought to be virtually free from flaws and vulnerabilities. … While overall Mac OS X systems don't have the number of identified flaws that Microsoft products have, enough has been discovered to draw attention to the virtually ignored operating system. …

Complacency is the greatest threat now for Mac users. … Mac users aren't used to this, and the misconception of being less vulnerable to attacks could be their undoing. …

Still another security flaw came to light for Apple in early 2006. … Apple did develop a patch for the vulnerability. … Apparently the new problem lies in the way that Mac OS X was processing archived files. … The file and the embedded code would run when a Mac user visited the malicious site using the Safari browser. … This problem was made even worse by the fact that these files would automatically be opened by Safari when it encountered them on the Web. … The shell script can be disguised as practically anything. … This kind of malicious file can even be hidden as a JPEG image. … If the file has any executable bits set, it will be run using Terminal, the Unix command-line prompt used in Mac OS X. … At the writing of this edition, Mac OS X users can protect themselves by disabling the “Open safe files after downloading” option in Safari. …
Attackers have come to understand that if they discover a flaw that was previously unknown, it is very unlikely that their targets will have any kind of protection against it until the vendor gets around to providing a fix. … Through the use of fuzzing tools, the process for discovering these flaws has become largely automated. … This is because if the vector of an attack is discovered and steps are taken to protect against these kinds of attacks, the attackers know that it won't be long before more vectors will be found to replace the ones that have been negated. …

With 2006 being named “the year of zero-day attacks,” it wasn't surprising that security experts were quick to start using the phrase “zero-day Wednesdays. …” The phrase came about because hackers quickly found a way to exploit the cycles in which Microsoft issued its software patches: Microsoft releases its fixes on the second Tuesday of each month, so a vulnerability first exploited on the following Wednesday can expect almost a full month before a scheduled patch addresses it. … Since most corporations and home users do not patch their systems every week, or every month, this provides a window of time for attackers to use the vulnerabilities against the targets. … Guilfanov is a Russian software developer and had developed the fix for himself and his friends. …

NOTE The Windows Meta File flaw uses images to execute malicious code on systems. …

Guilfanov's release caused a lot of controversy. … Second, some feel uneasy about trusting the downloading of third-party fixes compared with the vendors' fixes. … And third, this opens a whole new can of worms pertaining to companies installing third-party fixes instead of waiting for the vendor. …

Evolution of the Process
… It wasn't uncommon for vendors to avoid talking about, or even dealing with, the security defects in their products that allowed these attacks to occur. … A shift occurred in the mid-'90s, and it became more common to discuss security bugs. … Vendors, once mute on the topic, even started to assume roles that became more and more active, especially in areas that involved the dissemination of information that provided protective measures. … Although this all sounds good and gracious, in reality gray hat attackers, vendors, and customers are still battling with each other and among themselves on how to carry out this process. …


You Were Vulnerable for How Long?
Even when a vulnerability has been reported, there is still a window where the exploit is known about but a fix hasn't been created by the vendors or the antivirus and antispyware companies. … Figure 3-1 displays how long it took for vendors to release fixes to identified vulnerabilities. … It is imperative for vendors not to sit on the discovery of true vulnerabilities, but to work to get the fixes to the customers who need them as soon as possible. …

… The flaws can present serious security concerns to the user. … How to address the problem is a complicated issue because it involves a few key players who usually have very different views on how to achieve a resolution. … The customer, an individual or company, buys the product, relies on it, and expects it to work. … When the customer finds a flaw, she reports it to the vendor and expects a solution in a reasonable timeframe. … The vendor develops the product and is responsible for its successful operation. … When a flaw is reported to …

… For this to take place properly, ethical hackers must understand and follow the proper methods of disclosing identified vulnerabilities to the software vendor. … If an individual uncovers a vulnerability and exploits it with authorization, he is considered a white hat. …

Unlike other books and resources that are available today, we are promoting the responsible use of the knowledge that we are sharing with you, in a manner that will only help the industry, not hurt it. … These items have been created because of the difficulty in the past of teaming up these different parties (gray hats and vendors) in a way that was beneficial. … On the other hand, many times when gray hats have tried to contact vendors with their useful information, the vendor has ignored repeated requests for communication pertaining to a particular weakness in a product. … This is then followed by successful attacks taking place and the vendor having to scramble to come up with a patch and endure a reputation hit. …

So before you jump into the juicy attack methods, tools, and coding issues we cover, make sure you understand what is expected of you once you uncover the security flaws in products today. … We are looking to you to step up and do the right thing. …

Gray hats are also involved in this dance when they find software flaws. … They, in one manner or another, attempt to work with the vendor to develop a fix. … Sometimes vendors will not address the flaw until the next scheduled patch release or the next updated version of the product altogether. …

The issue of public disclosure has created quite a stir in the computing industry, because each group views the issue so differently. … Furthermore, many individuals feel that the only way to truly get quick results from a large software vendor is to pressure it to fix the problem by threatening to make the information public. … This approach doesn't have the best interests of the consumers in mind, however, as they must sit and wait while their business is put in danger with the known vulnerability. … Disclosing sensitive information about a software flaw causes two major problems. … The vendor's argument is that if the issue is kept confidential while a solution is being developed, attackers will not know how to exploit the flaw. … It is much like a smear campaign in a political race that appears as the headline story in a newspaper. … Vendors fear the same consequence for massive releases of vulnerability reports. … Vendors are often slow to publicly acknowledge the vulnerabilities because they either don't have time to develop and distribute a suitable fix, or they don't want the public to know their software has serious problems, or both. …

In April 2005, a 24-year-old security researcher named Michael Lynn, an employee of the security firm Internet Security Systems, Inc. … This vulnerability allowed the attacker full control of the router. … When Cisco was slow to address the issue, Lynn planned to disclose the vulnerability at the July Black Hat Conference. … Cisco employees spent hours tearing out Lynn's disclosure presentation from the conference program notes that were being provided to attendees. … Just before giving his alternate presentation, Lynn resigned from ISS and then delivered his original Cisco vulnerability disclosure presentation. … “It has been confirmed that bad people are working on this (compromising IOS). …” Lynn further stated, “When you attack a host machine, you gain control of that machine—when you control a router, you gain control of the network. …” Cisco sued Lynn and won a permanent injunction against him, disallowing any further disclosure of the information in the presentation. … Cisco did provide a fix and stopped shipping the vulnerable version of the IOS. …

Chapter 3: Proper and Ethical Disclosure

NOTE Those who are interested can still find a copy of the Lynn presentation. …

… One of the hot buttons in this arena of researcher frustration is the Month of Bugs (often referred to as MoXB) approach, where individuals target a specific technology or vendor and commit to releasing a new bug every day for a month. … Since then, several other individuals have announced their own targets, like the November 2006 Month of Kernel Bugs (MoKB) and the January 2007 Month of Apple Bugs (MoAB). … They didn't want to limit the opportunity by choosing a short month. … Others consider this to be extortion and call for prosecution with lengthy prison terms. … This chapter will attempt to cover the issue from all sides and to help educate you on the fundamentals behind the ethical disclosure of software vulnerabilities. …

… The creation of Bugtraq provided an open forum for individuals to discuss these same issues and to work collectively. … Posting more and more … This activity increased the number of attacks on the Internet, networks, and vendors. …

In 2002, Internet Security Systems (ISS) discovered several critical vulnerabilities in products like Apache web server, Solaris X Windows font service, and Internet Software Consortium BIND software. … A patch that was developed and released by Sun Microsystems was flawed and had to be recalled. … These types of incidents, and many more like them, caused individuals and companies to endure a lower level of protection, to fall victim to attacks, and eventually to deeply distrust software vendors. …

… They suggest that by releasing system flaws and vulnerabilities, they generate good press for themselves and thus promote new business and increased revenue. … It created detailed procedures to follow when discovering a vulnerability, and how and when that information would be released to the public. … This fueled the anger of the people who feel that vulnerability information should be available for the public to protect themselves. … There are differing views and individual motivations that drive each group down different paths. …

NOTE The amount of emotion, debates, and controversy over the topic of full disclosure has been immense. … Vendors are frustrated because exploitable code is continually released as they are trying to develop fixes. …

CERT's Current Process
The first place to turn to when discussing the proper disclosure of software vulnerabilities is the body known as the CERT Coordination Center (CERT/CC), … and related issues. … In 2000, the organization issued a policy that outlined the controversial practice of releasing software vulnerability information to the public. …

• … This 45-day timeframe will be executed even if the software vendor does not have an available patch or appropriate remedy. …

• CERT/CC will notify the software vendor of the vulnerability immediately so that a solution can be created as soon as possible. …

• During the 45-day window, CERT/CC will update the reporter on the current status of the vulnerability without revealing confidential information. …

• … In instances when the vendor disagrees with the vulnerability assessment, the vendor's opinion will be released as well, so that both sides can have a voice. …

• … Examples of parties that could be privy to confidential information include participating vendors, experts who could provide useful insight, Internet Security Alliance members, and groups that may be in the critical path of the vulnerability. …

The independent body further states that all decisions on the release of information to the public are based on what is best for the overall community. … The vendors, on the other hand, feel the pressure to create solutions in a short timeframe, while also shouldering the obvious hits their reputations will take as news spreads about flaws in their product. …

A common argument that was posed when CERT/CC announced their policy was, “Why release this information if there isn't a fix available?” The dilemma that was raised is based on the concern that if a vulnerability is exposed without a remedy, hackers will scavenge the flawed technology and be in prime position to bring down users' systems. … Too often, a software maker could simply delay the fix into a later release, which puts the consumer in a vulnerable position. …

… As of this writing, the model that is most commonly used is the Organization for Internet Safety (OIS) guidelines. …

The following are just some of the vulnerability issues posted by CERT:
• VU#179281 Electronic Arts SnoopyCtrl ActiveX control and plug-in stack buffer overflows
• VU#336105 Sun Java JRE vulnerable to unauthorized network access
• VU#571584 Google Gmail cross-site request forgery vulnerability
• VU#611008 Microsoft MFC FindFile function heap buffer overflow
• VU#854769 PhotoChannel Networks Photo Upload Plugin ActiveX control stack buffer overflows
• VU#751808 Apple QuickTime remote command execution vulnerability
• VU#171449 Callisto PhotoParade Player PhPInfo ActiveX control buffer overflow
• VU#768440 Microsoft Windows Services for UNIX privilege escalation vulnerability
• VU#716872 Microsoft Agent fails to properly handle specially crafted URLs
• VU#466433 Web sites may transmit authentication tokens unencrypted

Full Disclosure Policy (RainForest Puppy Policy)
A full disclosure policy, known as RainForest Puppy Policy (RFP) version 2, takes a
harder line with software vendors than CERT/CC
...
Under this

Chapter 3: Proper and Ethical Disclosure


• The issue begins when the originator (the reporter of the problem) e-mails the
maintainer (the software vendor) with the details of the problem
...
The originator is responsible
for locating the appropriate contact information of the maintainer, which can
usually be obtained through its website
...

The common e-mail formats that should be implemented by vendors include:
security-alert@[maintainer]
secure@[maintainer]
security@[maintainer]
support@[maintainer]
info@[maintainer]
• The maintainer will be allowed five days from the date of contact to reply to the
originator
...
The maintainer must respond within five days, which would
be 7 A.M. Pacific time five days later
...
If the maintainer does not establish contact
within the allotted time, the originator is free to disclose the information
...
The RFP policy warns the vendor that contact should
be made sooner rather than later
...

• The originator should make every effort to assist the vendor in reproducing
the problem and adhering to its reasonable requests
...

Both parties should work together to find a solution
...
It should also be
noted that it is solely the responsibility of the vendor to provide updates, and
not the responsibility of the originator to request them
...
This is considered a professional
gesture to the individual or company for voluntarily exposing the problem
...



model, strict policies are enforced upon the vendor if it wants the situation to remain
confidential
...
Both sides are expected to work together throughout
the process
...
The resolution could include the originator disclosing the
vulnerability, or the maintainer disclosing the information and available fixes
while also crediting the originator
...
Because the vulnerability is already known, it is the
responsibility of the vendor to provide specific details, such as the diagnosis,
the solution, and the timeframe
...
He has a long history of successfully, and at times
unsuccessfully, working with vendors on helping them develop fixes for the problems
he has uncovered
...

The key to these disclosure policies is that they are just guidelines and suggestions on
how vendors and bug finders should work together
...
Since the RFP policy takes a strict stance on dealing with vendors on these issues,
many vendors have chosen not to work under this policy
...


Organization for Internet Safety (OIS)
There are three basic types of vulnerability disclosures: full disclosure, partial disclosure,
and nondisclosure
...
CERT and RFP take a rigid approach to disclosure practices
...
The Organization for Internet Safety (OIS) was created to help meet the needs
of all groups and it fits into a partial disclosure classification
...

OIS is a group of researchers and vendors that was formed with the goal of improving
the way software vulnerabilities are handled
...
), Guardent, Internet Security Systems (owned by VeriSign), Microsoft Corporation, Network Associates (a division of McAfee, Inc
...

• Improve the overall engineering quality of software by tightening the security
placed upon the end product
...
Most of it has to do with where the organization’s
loyalties lie
...
The root of
this is how the information about a vulnerability is handled, as well as to whom it is disclosed
...
The thinking
is that vendors should be allowed to fix a problem, but how much time is a fair window to
give them? Keep in mind that the entire time the vulnerability has not been announced, or
a fix has not been created, the vulnerability still remains
...

As the saying goes, “You can’t make everyone happy all of the time
...
While some question their real allegiance, since the group is made
up mostly of vendors, it is probably more of a case of, “A good deed never goes unpunished
...


Discovery
The OIS process begins when someone finds a flaw in the software
...
The OIS calls this person or group the finder
...
Discover if the flaw has already been reported in the past
...
Look for patches or service packs and determine if they correct the problem
...
Determine if the flaw affects the default configuration of the product
...
Ensure that the flaw can be reproduced consistently
...
The OIS believes that vendors and consumers should work together to identify issues and devise reasonable resolutions for both parties
...
The model was formed to accomplish two goals:

Gray Hat Hacking: The Ethical Hacker’s Handbook

After the finder completes this “sanity check” and is sure that the flaw exists, the issue
should be reported
...
The VSR
includes the following components:
• Finder’s contact information
• Security response policy
• Status of the flaw (public or private)
• Whether the report contains confidential information
• Affected products/versions
• Affected configurations
• Description of flaw
• Description of how the flaw creates a security problem
• Instructions on how to reproduce the problem

Notification
The next step in the process is contacting the vendor
...
Open and effective communication is the
key to understanding and ultimately resolving the software vulnerability
...

The vendor is expected to do the following:
• Provide a single point of contact for vulnerability reports
...

• Include in contact information:
• Reference to the vendor’s security policy
• A complete listing/instructions for all contact methods
• Instructions for secure communications
• Make reasonable efforts to ensure that e-mails sent to the following formats are
rerouted to the appropriate parties:
• abuse@[vendor]
• postmaster@[vendor]
• sales@[vendor]
• info@[vendor]
• support@[vendor]


• Cooperate with the finder, even if it chooses to use insecure methods of
communication
...

• If the finder cannot locate a valid contact address, it should send the VSR to one
or many of the following addresses:
• abuse@[vendor]
• postmaster@[vendor]
• sales@[vendor]
• info@[vendor]
• support@[vendor]
Once the VSR is received, some vendors will choose to notify the public that a flaw
has been uncovered and that an investigation is under way
...
It
is also expected that vendors will inform the finder that they intend to disclose the information to the public
...
After the VSR is sent, the vendor must respond directly to the
finder within seven days
...
The RFCR is basically a final
warning to the vendor stating that a vulnerability has been found, a notification has been
sent, and a response is expected
...
The vendor will be given three days to respond
...
The OIS strongly encourages
both the finder and the vendor to exercise caution before releasing potentially dangerous information to the public
...

• Exit the process only after providing notice to the vendor (RFCR would be
considered an appropriate notice statement)
...

The OIS encourages, but does not require, the use of a third party to assist with communication breakdowns
...
If the
finder uses encrypted transmissions to send its message, the vendor should
reply in a similar fashion
...
A third party can consist of security companies, professionals, coordinators, or arbitrators
...

If all efforts have been made and the finder and vendor are still not in agreement,
either side can elect to exit the process
...


Validation
The validation phase involves the vendor reviewing the VSR, verifying the contents, and
working with the finder throughout the investigation
...
The OIS provides some general rules regarding status updates:
• Vendor must provide status updates to the finder at least once every seven
business days, unless another arrangement is agreed upon by both sides
...

Examples of these methods include telephone, e-mail, or an FTP site
...

• The vendor then has three business days to respond to the RFS
...


Investigation
The investigation work that a vendor undertakes should be thorough and cover all related
products linked to the vulnerability
...
The steps of
the investigation are as follows:
1
...

2
...

3
...

4
...


Shared Code Bases
In some instances, one vulnerability is uncovered in a specific product, but the basis of
the flaw is found in source code that may spread throughout the industry
...

• Establish contact with an organization that can coordinate the communication
to all affected vendors
...

Once the other affected vendors have been notified, the original vendor has the following responsibilities:
• Maintain consistent contact with the other vendors throughout the investigation
and resolution process
...
The
plan should include such items as frequency of status updates and
communication methods
...
Some examples of the help that a vendor would need include
more detailed characteristics of the flaw, more detailed information about the environment in which the flaw occurred (network architecture, configurations, and so on), or
the possibility of a third-party software product that contributed to the flaw
...

NOTE Although cooperation is strongly recommended, the only requirement
of the finder is to submit a detailed VSR
...

• It has disproved the reported flaw
...



believes it is the responsibility of both the finder and the vendor to notify all affected
vendors of the problem
...

The finder and vendor should do at least one of the following action items:

The vendor is not required to provide detailed testing results, engineering practices, or
internal procedures; however, it is required to demonstrate that a thorough, technically
sound investigation was conducted
...

• The behavior that the finder reported exists, but does not create a security
concern
...
In this
case, the finder should reply to the vendor with its own testing results that validate its
claim and contradict the vendor’s findings
...
The vendor is responsible for reviewing
the dispute, investigating it again, and responding to the finder accordingly
...
Test


• Provide code to the vendor that better demonstrates the proposed vulnerability
...
In this case, the finder should follow appropriate guidelines on
releasing vulnerability information to the public (covered later in the chapter)
...
It is important that remedies are created for all supported products and versions of
the software that are tied to the identified flaw
...
The OIS suggests the following
steps when devising a vulnerability resolution:
1
...
If one exists, the vendor should
notify the finder immediately
...

2
...

3
...
The finder is not required to participate in this step
...
The vendor is expected to produce
a remedy to the flaw within 30 days of acknowledging the VSR
...

The fix must solve the problem and not create additional flaws that will put both parties
back in the same situation in the future
...
One of the factors is “the engineering complexity of the fix
...
For
example, data validation errors and buffer overflows are usually flaws that can be easily
recoded, but when the errors are embedded in the actual design of the software, then the
vendor may actually have to redesign a portion of the product
...
At this point, the
finder can move forward in the following ways:

CAUTION Vendors have released “fixes” that introduced new vulnerabilities
into the application or operating system—you close one window and open two
doors
...
So although it is easy to put the blame on the network
administrator for not patching a system, sometimes it is the worst thing that he could do
...
Configuration change fixes involve giving the users instructions on how to change their program settings or parameters to effectively resolve the
flaw
...
There are three main types of software change fixes:
• Patches Unscheduled or temporary remedies that address a specific problem
until a later release can completely resolve the issue
...
Software vendors often refer to these solutions as service packs, service
releases, or maintenance releases
...

Vendors consider several factors when deciding which software remedy to implement
...
In addition, the established maintenance schedule will also
weigh into the final decision
...
If a scheduled maintenance release is months away, the vendor may issue a specific patch to fix the problem
...
Vendors will usually want to
integrate the fix into their already scheduled patch or new version release
...


Release
The final step in the OIS “Security Vulnerability Reporting and Response Policy” is the
release of information to the public
...
OIS does not
advise against advance notification, but realizes that the practice exists in case-by-case
instances and is too specific to address in the policy
...
Finders of vulnerabilities usually have the motive of trying to protect the overall industry by identifying and helping remove dangerous software from commercial products
...
Vendors, on the other hand, are motivated to improve their product, avoid lawsuits, stay clear of bad press, and maintain a responsible public image
...
The possible legal liability issues software vendors may or may not face in the future is a can of
worms we will not get into, but these issues are gaining momentum in the industry
...
Critics have voiced their
concerns that the guidelines will allow vendors to continue to stonewall and deny specific problems
...

Although controversy still surrounds the topic of the OIS guidelines, they are a good
starting point
...


Case Studies
The fundamental issue that this chapter addresses is how to report discovered vulnerabilities responsibly
...
Along with a simple “yes” or “no” to the question of whether there should be full
disclosure of vulnerabilities to the public, other factors should be considered, such as
how communication should take place, what issues stand in the way, and what both
sides of the argument are saying
...


Pros and Cons of Proper Disclosure Processes
Following professional procedures with regard to vulnerability disclosure is a major
issue
...
The process is not cut and dried, however
...
It’s a tough game to play
and even tougher to referee
...

• Knowing the details helps the good guys more than the bad guys
...

• Making vulnerabilities public is an effective tool to make vendors improve their
products
...
In one example, a customer
reported a vulnerability to his vendor
...
Frustrated and angered, the customer escalated the issue and told
the vendor that if he did not receive a patch by the next day, he would post the full vulnerability on a user forum web page
...

These types of stories are very common and are continually presented by the proponents
of full vulnerability disclosure
...

• When good guys publish full exploitable code, they are acting as black hats and
are not helping the situation but making it worse
...

Vendors continue to argue that only a trusted community of people should be privy
to virus code and specific exploit information
...
All members of the consortium are given access to vulnerability information so that research and testing can be
done across companies, platforms, and industries
...


Knowledge Management
A case study at the University of Oulu in Finland titled “Communication in the Software
Vulnerability Reporting Process” analyzed how the two distinct groups (reporters and
receivers) interacted with one another and worked to find the root cause of the


• Know-what
• Know-why
• Know-how
• Know-who
The know-how and know-who are the two most telling factors
...
In addition, the case study divides the reporting process into
four different learning phases, known as interorganizational learning:
• Socialization stage When the reporting group evaluates the flaw internally to
determine if it is truly a vulnerability
• Externalization phase When the reporting group notifies the vendor of
the flaw
• Combination phase When the vendor compares the reporter’s claim with its
own internal knowledge about the product
• Internalization phase When the receiving vendor accepts the notification and
passes it on to its developers for resolution
One problem that apparently exists in the reporting process is the disconnect and
sometimes even resentment between the reporting party and the receiving party
...
From the case
study, it was learned that over 50 percent of the receiving parties who had received
potential vulnerability reports indicated that less than 20 percent were actually valid
...


Publicity
The case study included a survey that circled the question of whether vulnerability information should be disclosed to the public; it was broken down into four individual statements that each group was asked to respond to:
1
...

2
...

3
...

4
...

As expected, the feedback from the questions validated the assumption that there is a
decided difference of opinion between the reporters and the vendors
...
The researchers determined that this process involved four main categories
of knowledge:

and feel much more strongly about all information being made immediately public
than the reporters do
...
Reporters want to help solve the problem, but are
treated as outsiders by the vendors
...
The concluding summary was that both participants in the process rarely have standard communications
with one another
...
Go figure!

Team Approach
Another study, “The Vulnerability Process: A Tiger Team Approach to Resolving Vulnerability Cases,” offers insight into the effective use of teams comprising the reporting and
receiving parties
...
The
research team focuses on the technical aspects of the suspected flaw, while the management team handles the correspondence with the vendor and ensures proper tracking
...
Research Reporter discovers the flaw and researches its behavior
...
Verification Reporter attempts to re-create the flaw
...
Reporting Reporter sends notification to receiver, giving thorough details of
the problem
...
Evaluation
5
...

Solutions are developed
...
Patch evaluation
7
...

The solution is delivered to the reporter
...
Advisory generation The disclosure statement is created
...
Advisory evaluation The disclosure statement is reviewed for accuracy
...
Advisory release
11
...

The user community offers comments on the vulnerability/fix
They found that factors
such as holidays, time zone differences, and workload issues were most prevalent
...

This makes communicating all the more difficult
...
The tiger team case study found that the collection of vulnerability data can be very challenging due to this major difference
...
For example, the vendor could
appoint a customer advocate to interact directly with the finder
...


Patch Failures
The tiger team case also pointed out some common factors that contribute to patch failures in the software vulnerability process, such as incompatible platforms, revisions,
regression testing, resource availability, and feature changes
...
It was concluded that a lower quality of
patch would be expected if this is the case
...
This happens for several reasons
...
This is the reason that
there is a maturing product line and new processes being developed in the security
industry to deal with “patch management
...
So although it is easy to shake our fists at the network and security administrators for not applying the released fixes, the task is usually much more difficult than it
sounds
...
Started in August 2002, iDefense employs researchers and engineers to uncover


responsibilities and rarely contributed to time delays
...

Secure communication channels between the reporter and the receiver should be
established throughout the life cycle
...
For example, if the sides agree to use encrypted e-mail exchange, they
must ensure that they are using similar protocols
...


potentially dangerous security flaws that exist in commonly used computer applications
throughout the world
...
iDefense’s program, Vulnerability Contributor Program (VCP), has pinpointed hundreds of threats over
the past few years within a long list of applications
...

The biggest fear here is that the practice could lead to unethical behavior and, potentially,
legal complications
...
Researchers may get paid by the number of bugs they find—much like
the commission a salesperson makes per sale
...
” Many believe that bug hunters should
be employed by the software companies or work on a voluntary basis to avoid this profiteering mentality
...
They believe bug finding
should be considered an act of goodwill and not a profitable endeavor
...
In addition, they are paid for their
work and do not work on a bug commission plan as some skeptics maintain
...

In the first quarter of 2007, iDefense, a VeriSign company, offered up a challenge to the
security researchers
...
Interestingly, this has fueled debates from some unexpected angles
...
Security researchers feel that their
work is being “discounted
...
Because of decrease in payment for the gray hat work for
finding vulnerabilities, there is a growing dialogue between these gray hatters to auction
off newly discovered, zero-day vulnerabilities and exploit code through an underground
brokerage system
...
The exploit writers
and the buyers could remain anonymous
...
Spam-spewing
botnets and Trojan horses sell for about $5,000 each
...

The debate over higher pay versus ethics rages on
...



Zero Day Initiative
Another method for reporting vulnerabilities that is rather unique is the Zero Day Initiative (ZDI)
...

The company involved, TippingPoint (owned by 3Com), does not resell any of the vulnerability details or the code that has been exploited
...
Nothing too
unique there; what is unique though, is that after they have developed a fix for the vulnerability, they offer the information about the vulnerability to other security vendors
...
Researchers
interested in participating can provide exclusive information about previously undisclosed vulnerabilities that they have discovered
...
After an
agreement on the acquisition of the vulnerability, 3Com will work with the vendor to
generate a fix
...
When TippingPoint started this program, they
followed this sequence of events:
1
...

2
...

3
...
This will allow the researcher to track the unique
vulnerability through the ZDI secure portal
...
3Com researches the vulnerability and verifies it
...
This usually happens within a week
...
Further,
from the blogs, it seems that uncovering a typical, run-of-the-mill vulnerability, understanding it, and writing exploit code takes, on average, two to three weeks
...

Putting this into perspective, Windows Vista has approximately 70 million lines of
code
...
This extrapolates to predict
that Windows Vista has about 35,000 bugs in it
...

Can the software development industry afford to pay this? Can they afford not to pay
this? The path taken will probably lie somewhere in the middle
...
3Com makes an offer for the vulnerability, and the offer is sent to the researcher
via e-mail that is accessible through the ZDI secure portal
...
The researcher is able to access the e-mail through the secure portal and can
decide to accept the offer
...

7
...
3Com responsibly
notifies the affected product vendor of the vulnerability
...

8
...

9
...
The researcher will be given full credit for the discovery, or if it so
desires, it can remain anonymous to the public
...
Instead of following the preceding procedure, it took a different
approach
...
The announcement would
only be a bare-bones advisory that would be issued at the time it was reported to the
vendor
...
There is no mention as to which specific product is being affected
...

The decision to preannounce is very different from many of the other vendors in the
industry that also purchase data on flaws and exploits from external individuals
...
Some critics feel that this kind of advanced reporting could cause more problems for, rather than help, the industry
...
Only time will truly tell if this will be good for the industry or detrimental
...

When bugs do arise, they are expected to release fixes almost immediately
...
However, the common practice of “penetrate and patch” has drawn criticism from the security community as vendors simply release multiple temporary fixes to
appease the users and keep their reputation intact
...
Most security flaws occur early
in the application design process
...
Mistrust of user input Users should be treated as “hostile agents” as data is
verified on the server side and as strings are stripped of tags to prevent buffer
overflows
...
End-to-end session encryption Entire sessions should be encrypted, not just
portions of activity that contain sensitive information
...

4
...
For example, passwords should remain encrypted
while being stored in databases, and secure data segregation should be
implemented
...

5
...
The problem is that these
enhancements usually contain serious security flaws
...

6
...
An example of this is vendors who create security quality
assurance (SQA) teams to manage all security-related issues
...
Here are some
suggestions that should be followed if we really want to improve our environments:
1
...
Firewalls are no longer an effective single
countermeasure against attacks
...

2
...
It is just as much the consumers’ responsibility as the developers’ to ensure
that the environment is secure
...
Many security
breaches happen because of improper configurations by the customer
...
Authentication and authorization The best applications ensure that
authentication and authorization steps are complete and cannot be circumvented
...
Educate application developers
...
Vendors should make a conscious effort to train their
employees in areas of security
...
Access early and often
...
Vendors should consider hiring
security consultant firms to offer advice on how to implement security practices
into the overall design, testing, and implementation processes
...
Engage finance and audit
...
Engaging budget
committees and senior management at an early stage is also critical
...

• Metasploit: the big picture
• Getting Metasploit
• Using the Metasploit console to launch exploits
• Using Metasploit to exploit client-side vulnerabilities
• Using the Metasploit Meterpreter
• Using Metasploit as a man-in-the-middle password stealer
• Using Metasploit to auto-attack
• Inside Metasploit exploit modules

Metasploit: The Big Picture
Metasploit is a free, downloadable tool that makes it very easy to acquire, develop, and
launch exploits for computer software vulnerabilities
...
When H. D. Moore released
Metasploit in 2003, it permanently changed the computer security scene
...
Software vendors could no longer drag their feet fixing
publicly disclosed vulnerabilities, because the Metasploit crew was hard at work developing exploits that would be released for all Metasploit users
...
However, it is probably more
often used today by security professionals and hobbyists as a “point, click, root” environment to launch exploits included with the framework
...
To save space,
we’ll strategically snip out nonessential text, so the output you see while following along
might not be identical to what you see in this book
...


Getting Metasploit
Metasploit runs natively on Linux, BSD, Mac OS X, and Windows inside Cygwin
...
metasploit
...

The Windows console application (msfconsole) that we will be using throughout this
chapter requires the Cygwin environment to run
...
The Cygwin downloader is
www
...
com/setup
...
Be sure to install at least the following, in addition to the
base packages:
• Devel readline, ruby, and subversion (required for msfupdate)
• Interpreters ruby
• Libs readline
• Net openssl

References
Installing Metasploit on Windows http://metasploit
...
com/dev/trac/wiki/Metasploit3/
InstallMacOSX
Installing Metasploit on Gentoo http://metasploit
...
com/dev/trac/wiki/Metasploit3/
InstallUbuntu
Installing Metasploit on Fedora http://metasploit
...
We’ll try to get a remote command shell running on that box using the RRAS exploit built into the Metasploit framework
...
So we can
choose to use the RRAS vulnerability to open a command shell, create an administrator,
start a remote VNC session, or to do a bunch of other stuff
...

$
...
0
177 exploits - 104 payloads
17 encoders - 5 nops
30 aux

Chapter 4: Using Metasploit

The interesting commands to start with are
show
info
use

Other commands can be found by typing help
...

windows/smb/ms04_011_lsass         Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
windows/smb/ms04_031_netdde        Microsoft NetDDE Service Overflow
windows/smb/ms05_039_pnp           Microsoft Plug and Play Service Overflow
windows/smb/ms06_025_rasmans_reg   Microsoft RRAS Service RASMAN Registry Overflow
windows/smb/ms06_025_rras          Microsoft RRAS Service Overflow
windows/smb/ms06_040_netapi        Microsoft Server Service NetpwPathCanonicalize Overflow

There it is! Metasploit calls it windows/smb/ms06_025_rras
...
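The module names in that listing encode the Microsoft bulletin each one exploits (ms06_025 is MS06-025), which lets a defender map the framework's exploit inventory onto a host's missing patches. The following Python is an added example, not code from the book or from the Metasploit project; the `show exploits` sample text and the set of applied bulletins are constructed for illustration.

```python
"""Correlate Metasploit exploit-module names with Microsoft security bulletins.

A defender reading a `show exploits` listing wants to know which modules
target bulletins that a given host has not yet applied. Module paths such as
windows/smb/ms06_025_rras carry the bulletin number in the form msYY_NNN.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a `show exploits` listing in the console's
# "module path   description" layout. The module names are the ones the
# chapter's listing shows; the header lines are added for realism.
SHOW_EXPLOITS_SAMPLE = """\
   Name                               Description
   ----                               -----------
   windows/smb/ms04_011_lsass         Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
   windows/smb/ms04_031_netdde        Microsoft NetDDE Service Overflow
   windows/smb/ms05_039_pnp           Microsoft Plug and Play Service Overflow
   windows/smb/ms06_025_rasmans_reg   Microsoft RRAS Service RASMAN Registry Overflow
   windows/smb/ms06_025_rras          Microsoft RRAS Service Overflow
   windows/smb/ms06_040_netapi        Microsoft Server Service NetpwPathCanonicalize Overflow
"""

# msYY_NNN at the start of the last path component, e.g. ms06_025 -> MS06-025.
BULLETIN_RE = re.compile(r"(?:^|/)ms(\d{2})_(\d{3})(?=_|$)")


@dataclass(frozen=True)
class ExploitModule:
    path: str
    description: str
    bulletin: Optional[str]  # "MS06-025", or None when the name carries no bulletin


def bulletin_from_path(path: str) -> Optional[str]:
    """Map a module path such as windows/smb/ms06_025_rras to 'MS06-025'."""
    m = BULLETIN_RE.search(path)
    return f"MS{m.group(1)}-{m.group(2)}" if m else None


def parse_show_exploits(text: str) -> list:
    """Turn the two-column listing into ExploitModule records, skipping headers."""
    modules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        path, _, desc = line.partition(" ")
        if "/" not in path:
            continue  # column header or rule line, not a module path
        modules.append(ExploitModule(path, desc.strip(), bulletin_from_path(path)))
    return modules


def unpatched_modules(modules, applied_bulletins) -> list:
    """Modules whose bulletin is absent from the host's applied-bulletin set."""
    applied = set(applied_bulletins)
    return [m for m in modules if m.bulletin and m.bulletin not in applied]


def patch_gap_report(listing: str, applied_bulletins) -> dict:
    """Group unpatched modules by bulletin, so one missing patch shows every
    module it leaves usable against the host."""
    report = {}
    for m in unpatched_modules(parse_show_exploits(listing), applied_bulletins):
        report.setdefault(m.bulletin, []).append(m.path)
    return report


if __name__ == "__main__":
    # Constructed host inventory: everything in the sample applied except MS06-025.
    applied = {"MS04-011", "MS04-031", "MS05-039", "MS06-040"}
    for bulletin, paths in sorted(patch_gap_report(SHOW_EXPLOITS_SAMPLE, applied).items()):
        print(f"{bulletin} not applied; exploit modules available: {', '.join(paths)}")
```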

msf > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) >

Notice that the prompt changes to enter “exploit mode” when you use an exploit
module
...
You can get back to the original launch state at the main console by issuing the back command
...
Let’s see what options need to be set to
make the RRAS exploit work
...

msf exploit(ms06_025_rras) > set RHOST 192.1.168.220

As you can see, the syntax to set an option is
set