Security Testing
Binary conversion
0000 = 0, 0001 = 1, 0010 = 2, 0011 = 3, 0100 = 4, 0101 = 5, 0110 = 6, 0111 = 7, 1000 = 8, 1001 = 9, 1010 = 10, 1011 = 11, 1100 = 12, 1101 = 13, 1110 = 14, 1111 = 15
Short Answer: DDoS
A distributed denial-of-service (DDoS) is an attack on a host from multiple servers or computers
Virus Signature file
A file maintained by antivirus software that contains signatures of known viruses; antivirus software checks this file to determine whether a program or file on your computer is infected.
firewall
A good software or hardware firewall would most likely identify traffic that's using unfamiliar ports, but Trojan programs that use common ports, such as TCP port 80 (HTTP) or UDP port 53 (DNS), are more difficult to detect. Also, many home users and small businesses don't use software or hardware firewalls.
Botnet
A group of multiple computers, usually thousands, that behave like robots to conduct an attack on a network. The computers are called zombies because their users aren't aware their systems are being controlled by one person. See also zombies.
rootkit
Also known as back doors, rootkits are programs that give attackers a means of regaining access to the attacked computer later. A rootkit is created after an attack and usually hides itself in the OS tools, so it's almost impossible to detect. Back Orifice is still one of the most common Trojan programs used today. It allows attackers to take full control of the attacked computer, similar to the way Windows XP Remote Desktop functions, except that Back Orifice works without the user's knowledge. The program has been around since 1999, but it's now marketed as an administrative tool rather than a hacking tool.
Certified Ethical Hacker
Currently, the multiple-choice CEH exam is based on 22 domains (subject areas) the tester must be familiar with. Knowledge requirements change periodically, so if you're interested in taking this exam, visit EC-Council's Web site (www.eccouncil.org) for the most up-to-date information.
Short Answer: Define TCP flags
Each TCP flag occupies one bit of the TCP segment and can be set to 0 (off) or 1 (on).
TCP/IP
For computers to communicate with one another over the Internet or across an office, they must speak the same language. This language is referred to as a protocol, and the most widely used is Transmission Control Protocol/Internet Protocol (TCP/IP). No matter what medium connects workstations on a network—copper wires, fiber-optic cables, or a wireless setup—the same protocol must be running on all computers if communication is going to function correctly.
College Students eBay Hack 1999
Jerome Heckenkamp, 25, known as MagicFX, installed Trojan programs that captured usernames and passwords, which he later used to gain unauthorized access to other eBay computers.
WebTV David Jeansonne
July 2002, and sent it out disguised as a tool to change the colors on MSN TV's user interface. Though the code didn't mass-mail itself to others, some of the recipients were sufficiently fooled that they forwarded it to friends, for a total of 21 victims. Known as WebTV before it was acquired by Microsoft, MSN TV works with television set-top boxes to allow users to surf the Web and send and receive e-mail without using a PC. The boxes connect to the Internet through a local dial-up number. The malicious script changed the dial-up to 9-1-1. If a victim didn't go online again after being infected, the box would summon help anyway when it tried to make an automatic daily call to the network at midnight. The code also cross-mailed itself to the 18 targeted users, so it would appear in some cases to have come from someone the victim knew. Additionally, it posted victims' browser histories to a particular website, and e-mailed their hardware serial number to the free webmail account "[email protected]."
Alta Vista Laurent Chavet
Laurent Chavet, a former AltaVista employee, illegally accessed the California company's computer system in March 2002 and June 2002, after he left AltaVista and well before he went to work for Microsoft. Chavet, then living in California, copied to his home computer source code that was used by AltaVista "to perform the function of scouring the World Wide Web," according to an FBI affidavit.
OPST
The OSSTMM Professional Security Tester certification is designated by the Institute for Security and Open Methodologies (ISECOM).
OSSTMM Professional Security Tester
The OSSTMM Professional Security Tester (OPST) certification is designated by the Institute for Security and Open Methodologies (ISECOM), a nonprofit organization that provides security training and certification programs for security professionals. The OPST certification uses the Open Source Security Testing Methodology Manual (OSSTMM), written by Peter Herzog, as its standardized methodology.
Multiple OS's
Penetration testers and security testers usually have a laptop computer configured with multiple OSs and hacking tools
POP3
Port 110 (Post Office Protocol 3)—To retrieve e-mail from a mail server, you most likely access port 110.
Network News Transport Protocol
Port 119 (Network News Transport Protocol)—This port is used to connect to a news server for use with newsgroups
Microsoft RPC
Port 135 (Remote Procedure Call)—This port, used by Microsoft RPC, is critical for the operation of Microsoft Exchange Server as well as Active Directory, available in Windows 2000 Server and later
NetBIOS
Port 139 (NetBIOS)—This port is used by Microsoft's NetBIOS Session Service to share resources
SMTP
Port 25 (Simple Mail Transfer Protocol)—E-mail servers listen on this port. If you attempt to send e-mail to a remote user, your workstation connects to port 25 on a mail server
DNS
Port 53 (Domain Name System)—If a server on your network uses DNS, it's using port 53. Most networks require a DNS server so that users can connect to Web sites with URLs instead of IP addresses. When a user enters a URL, such as www.yahoo.com, the DNS server resolves the name to an IP address. The DNS server might be internal to the company, or each computer might be configured to point to the IP address of a DNS server that's serviced by the company's ISP.
TFTP
Port 69 (Trivial File Transfer Protocol)—Many network engineers use the TFTP service to transfer router and backup router configurations
HTTP
Port 80 (Hypertext Transfer Protocol)—Most certification exams have a question about port 80 being used for HTTP. Port 80 is used when you connect to a Web server. If security personnel decided to filter out HTTP traffic, almost every user would notice a problem on the network
FTP
Ports 20 and 21 (File Transfer Protocol)—FTP has been around as long as the Internet. It was the standard for moving or copying large files and is still used today, although to a lesser extent because of the popularity of HTTP (covered later in this section). FTP uses port 20 for data transfer and port 21 for control. FTP requires entering a logon name and password and is more secure than Trivial File Transfer Protocol (TFTP; covered later in this list)
Session hijacking
Session hijacking enables an attacker to join a TCP session and make both parties think he or she is the other party. This attack, discussed briefly in Chapter 2 in relation to initial sequence numbers (ISNs), is a complex attack that's beyond the scope of this book
SANS
SysAdmin, Audit, Network, Security
Port
The logical component of a connection that identifies the service running on a network device. For example, port 110 is the POP3 mail service
ICMP
The protocol used to send informational messages and test network connectivity.
Buffer Overflow
a programmer finds a vulnerability in poorly written code that doesn't check for a defined amount of memory space use. For example, if a program defines a buffer size of 100 MB (the total amount of memory the program is supposed to use), and the program writes data over the 100 MB mark without triggering an error or preventing this occurrence, you have a buffer overflow. Basically, the attacker writes code that overflows the buffer, which is possible because the buffer capacity hasn't been defined correctly in the program. The trick is to not fill the overflow buffer with meaningless data, but fill it with executable program code. That way, the OS runs the code, and the attacker's program does something harmful. Usually, the code elevates the attacker's permissions to an administrator's level or gives the attacker the same privileges as the program's owner or creator
Ping of Death
a type of DoS attack, is not as common as it was during the late 1990s. The attacker simply creates an ICMP packet (discussed in Chapter 2) that's larger than the maximum allowed 65,535 bytes. The large packet is fragmented into smaller packets and reassembled at its destination. The user's system at the destination point can't handle the reassembled oversized packet, thereby causing the system to crash or freeze.
spybot
adware removal programs
Session hijacking
an attack that relies on guessing the ISNs of TCP packets.
Keyloggers
are hardware devices or software that can be used to capture keystrokes on a computer. Software keyloggers behave like Trojan programs and are loaded on a computer. A hardware keylogger is a small device, often smaller than an inch long. It can usually be installed in less than 30 seconds. It's a simple matter of unplugging the keyboard, plugging the small device into the keyboard input jack, and then plugging the keylogger jack into the computer's keyboard port. After installing the hardware, most vendors require you to run a word processing program, such as WordPad, and then enter the vendor-supplied password in a blank document. After entering the password, a menu is displayed. Some common hardware keyloggers are KeyKatcher and KeyGhost.
card access
card is scanned, and access is given to the cardholder while documenting the time of entry. This method also makes it possible for one card to allow access to several doors without having to issue multiple keys or having users memorize different combinations
Certified Information Systems Security Professional (CISSP)
certification for security professionals is issued by the International Information Systems Security Certification Consortium (ISC2). Even though the CISSP certification isn't geared toward the technical IT professional, it has become one of the standards for many security professionals. The exam doesn't require testers to have technical knowledge in IT; it tests security-related managerial skills
Tiger box
A collection of tools for conducting vulnerability assessments and attacks is sometimes referred to as a tiger box.
Trojan programs
disguise themselves as useful programs and can install a backdoor or rootkit on a computer.
public key infrastructure
encryption
Virus
is a program that attaches itself to a file or another program, often sent via e-mail. The key word is "attaches." A virus doesn't stand on its own, so it can't replicate itself or operate without the presence of a host. A virus attaches itself to a host file or program (such as Microsoft Word), just as the flu attaches itself to a host organism, and then performs whatever the creator designed it to.
Worm
is a program that replicates and propagates itself without having to attach itself to a host (unlike a virus, which needs to attach itself to a host). The most infamous worms are Code Red (covered in Activity 3-3), Nimda, and Conficker. Theoretically, a worm that replicates itself multiple times to every user it infects can infect every computer in the world over a short period
Transport Layer
is concerned with controlling the flow of data, sequencing packets for reassembly, and encapsulating the segment with a TCP or User Datagram Protocol (UDP) header. This layer (TCP/UDP services) is responsible for getting data packets to and from the Application layer by using port numbers. TCP also verifies packet delivery by using acknowledgments.
Network Layer
is concerned with physically moving electrons across a medium (whether it's copper wire, fiber-optic cables, or wireless). This layer represents the physical network pathway and the network interface card.
Network Security
is concerned with the security of computers or devices that are part of a network infrastructure
Internet Layer
is responsible for routing packets by using IP addresses. This layer uses IP addresses to route packets to the correct destination network.
Application Layer
is where applications and protocols, such as HTTP and Telnet, operate. This layer includes network services and client software.
Black Box
management doesn't divulge to staff that penetration testing is being conducted, nor does it give the tester any diagrams or describe what technologies the company is using. This model puts the burden on the tester to find this information by using techniques you learn throughout this book. This model also helps management see whether the company's security personnel can detect an attack
US Dept of Justice Hacking
many people have been sentenced to prison for "hacking," the term used by the Department of Justice
Global Information Assurance Certification (GIAC)
offers training and IT security certifications
SysAdmin, Audit, Network, Security (SANS) Institute
offers training and IT security certifications through Global Information Assurance Certification (GIAC). It also disseminates research documents on computer and network security worldwide at no cost. One of the most popular SANS Institute documents is the Top 20 list, which details the most common network exploits and suggests ways of correcting vulnerabilities. This list offers a wealth of information for penetration testers or security professionals
DoS
prevents legitimate users from accessing network resources. Some forms of DoS attacks don't even involve computers. For example, intentionally looping a document on a fax machine by taping two pages together can use up reams of paper on the destination fax machine, thus preventing others from using it. In a DoS attack that does involve computers, attackers aren't attempting to access information from servers. However, they might be using the attack to cripple the network until it's vulnerable to a different type of attack.
adware
sometimes displays a banner that notifies users of its presence. Adware's main purpose is to determine a user's purchasing habits so that Web browsers can display advertisements tailored to this user. The biggest problem with adware is that it slows down the computer it's running on.
Security Testing
testers do more than attempt to break in; they also analyze a company's security policy and procedures and report any vulnerabilities to management. Security testing, in other words, takes penetration testing to a higher level.
Adrian Lamo
the homeless hacker. 2-20-81
Red Team Testing
you'll most likely be placed on a team that conducts penetration tests. This team is composed of people with varied skills who perform the tests. For example, a red team might include a programming expert who can perform SQL injections or other programming vulnerability testing
Script kiddies
Younger, inexperienced people whom experienced hackers refer to as script kiddies.