Hacking For Dummies E-Book

Hacking For Dummies®, 6th Edition

Published by: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2018 by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc., and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ADVISE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A PROFESSIONAL WHERE APPROPRIATE. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2018944084

ISBN 978-1-119-48547-6 (pbk); ISBN 978-1-119-48554-4 (ebk); ISBN 978-1-119-48551-3 (ebk)

Hacking For Dummies For Dummies®

To view this book's Cheat Sheet, simply go to www.dummies.com and search for “Hacking For Dummies For Dummies Cheat Sheet” in the Search box.

Table of Contents

Cover

Introduction

About This Book

Foolish Assumptions

Icons Used in This Book

Beyond the Book

Where to Go from Here

Part 1: Building the Foundation for Security Testing

Chapter 1: Introduction to Vulnerability and Penetration Testing

Straightening Out the Terminology

Recognizing How Malicious Attackers Beget Ethical Hackers

Understanding the Need to Hack Your Own Systems

Understanding the Dangers Your Systems Face

Following the Security Assessment Principles

Using the Vulnerability and Penetration Testing Process

Chapter 2: Cracking the Hacker Mindset

What You’re Up Against

Who Breaks into Computer Systems

Why They Do It

Planning and Performing Attacks

Maintaining Anonymity

Chapter 3: Developing Your Security Testing Plan

Establishing Your Goals

Determining Which Systems to Test

Creating Testing Standards

Selecting Security Assessment Tools

Chapter 4: Hacking Methodology

Setting the Stage for Testing

Seeing What Others See

Scanning Systems

Determining What’s Running on Open Ports

Assessing Vulnerabilities

Penetrating the System

Part 2: Putting Security Testing in Motion

Chapter 5: Information Gathering

Gathering Public Information

Mapping the Network

Chapter 6: Social Engineering

Introducing Social Engineering

Starting Your Social Engineering Tests

Knowing Why Attackers Use Social Engineering

Understanding the Implications

Performing Social Engineering Attacks

Social Engineering Countermeasures

Chapter 7: Physical Security

Identifying Basic Physical Security Vulnerabilities

Pinpointing Physical Vulnerabilities in Your Office

Chapter 8: Passwords

Understanding Password Vulnerabilities

Cracking Passwords

General Password Cracking Countermeasures

Securing Operating Systems

Part 3: Hacking Network Hosts

Chapter 9: Network Infrastructure Systems

Understanding Network Infrastructure Vulnerabilities

Choosing Tools

Scanning, Poking, and Prodding the Network

Detecting Common Router, Switch, and Firewall Weaknesses

Putting Up General Network Defenses

Chapter 10: Wireless Networks

Understanding the Implications of Wireless Network Vulnerabilities

Choosing Your Tools

Discovering Wireless Networks

Discovering Wireless Network Attacks and Taking Countermeasures

Chapter 11: Mobile Devices

Sizing Up Mobile Vulnerabilities

Cracking Laptop Passwords

Cracking Phones and Tablets

Part 4: Hacking Operating Systems

Chapter 12: Windows

Introducing Windows Vulnerabilities

Choosing Tools

Gathering Information About Your Windows Vulnerabilities

Detecting Null Sessions

Checking Share Permissions

Exploiting Missing Patches

Running Authenticated Scans

Chapter 13: Linux and macOS

Understanding Linux Vulnerabilities

Choosing Tools

Gathering Information About Your System Vulnerabilities

Finding Unneeded and Unsecured Services

Securing the .rhosts and hosts.equiv Files

Assessing the Security of NFS

Checking File Permissions

Finding Buffer Overflow Vulnerabilities

Checking Physical Security

Performing General Security Tests

Patching

Part 5: Hacking Applications

Chapter 14: Communication and Messaging Systems

Introducing Messaging System Vulnerabilities

Recognizing and Countering Email Attacks

Understanding VoIP

Chapter 15: Web Applications and Mobile Apps

Choosing Your Web Security Testing Tools

Seeking Out Web Vulnerabilities

Minimizing Web Security Risks

Uncovering Mobile App Flaws

Chapter 16: Databases and Storage Systems

Diving Into Databases

Following Best Practices for Minimizing Database Security Risks

Opening Up About Storage Systems

Following Best Practices for Minimizing Storage Security Risks

Part 6: Security Testing Aftermath

Chapter 17: Reporting Your Results

Pulling the Results Together

Prioritizing Vulnerabilities

Creating Reports

Chapter 18: Plugging Your Security Holes

Turning Your Reports into Action

Patching for Perfection

Hardening Your Systems

Assessing Your Security Infrastructure

Chapter 19: Managing Security Processes

Automating the Security Assessment Process

Monitoring Malicious Use

Outsourcing Security Assessments

Instilling a Security-Aware Mindset

Keeping Up with Other Security Efforts

Part 7: The Part of Tens

Chapter 20: Ten Tips for Getting Security Buy-In

Cultivate an Ally and a Sponsor

Don’t Be a FUDdy-Duddy

Demonstrate That the Organization Can’t Afford to Be Hacked

Outline the General Benefits of Security Testing

Show How Security Testing Specifically Helps the Organization

Get Involved in the Business

Establish Your Credibility

Speak on Management’s Level

Show Value in Your Efforts

Be Flexible and Adaptable

Chapter 21: Ten Reasons Hacking Is the Only Effective Way to Test

The Bad Guys Think Bad Thoughts, Use Good Tools, and Develop New Methods

IT Governance and Compliance Are More Than High-Level Checklist Audits

Vulnerability and Penetration Testing Complements Audits and Security Evaluations

Customers and Partners Will Ask How Secure Your Systems Are

The Law of Averages Works Against Businesses

Security Assessments Improve Understanding of Business Threats

If a Breach Occurs, You Have Something to Fall Back On

In-Depth Testing Brings Out the Worst in Your Systems

Combined Vulnerability and Penetration Testing Is What You Need

Proper Testing Can Uncover Overlooked Weaknesses

Chapter 22: Ten Deadly Mistakes

Not Getting Approval

Assuming That You Can Find All Vulnerabilities

Assuming That You Can Eliminate All Vulnerabilities

Performing Tests Only Once

Thinking That You Know It All

Running Your Tests Without Looking at Things from a Hacker’s Viewpoint

Not Testing the Right Systems

Not Using the Right Tools

Pounding Production Systems at the Wrong Time

Outsourcing Testing and Not Staying Involved

Appendix: Tools and Resources

Advanced Malware

Bluetooth

Certifications

Databases

Denial of Service (DoS) Protection

Exploits

General Research Tools

Hacker Stuff

Keyloggers

Laws and Regulations

Linux

Live Toolkits

Log Analysis

Messaging

Miscellaneous

Mobile

Networks

Password Cracking

Patch Management

Security Education and Learning Resources

Security Methods and Models

Social Enginering and Phishing

Source Code Analysis

Statistics

Storage

System Hardening

User Awareness and Training

Voice over Internet Protocol

Vulnerability Databases

Websites and Applications

Windows

Wireless Networks

About the Author

Advertisement Page

Connect with Dummies

Index

End User License Agreement

Guide

Cover

Table of Contents

Begin Reading

Pages

iii

iv

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

303

304

305

306

307

308

309

310

311

312

313

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

395

396

397

398

399

400

401

402

Introduction

Welcome to Hacking For Dummies, 6th Edition. This book outlines — in plain English — computer hacking tricks and techniques that you can use to assess the security of your information systems, find the vulnerabilities that matter, and fix the weaknesses before criminal hackers and malicious insiders take advantage of them. This hacking is the professional, aboveboard, and legal type of security testing — which I refer to as ethical hacking or vulnerability and penetration testing throughout the book.

Computer and network security is a complex subject and an ever-moving target. You must stay on top of it to ensure that your information is protected from the bad guys. The techniques and tools outlined in this book can help.

You could implement all the security technologies and other best practices possible, and your network environment might be secure — as far as you know. But unless and until you understand how malicious attackers think, apply that knowledge, and use the right tools to assess your systems from their point of view, it’s practically impossible to have a true sense of how secure your systems and information really are.

Ethical hacking (or, more simply, security assessments), which encompasses formal and methodical vulnerability and penetration testing, is necessary to find security flaws and to validate that your information systems are truly secure on an ongoing basis. This book provides you the knowledge you need to successfully implement a security assessment program, perform proper security checks, and put the proper countermeasures in place to keep external hackers and malicious users in check.

About This Book

Hacking For Dummies is a reference guide on hacking your systems to improve security and minimize business risks. The security testing techniques are based on written and unwritten rules of computer system penetration testing, vulnerability testing, and information security best practices. This book covers everything from establishing your testing plan to assessing your systems to plugging the holes and managing an ongoing security testing program.

Realistically, for most networks, operating systems, and applications, thousands of possible vulnerabilities exist. I don’t cover them all, but I do cover the big ones on various platforms and systems that I believe contribute to most security problems in business today. I cover basic Pareto principle (80/20 rule) stuff, with the goal of helping you find the 20 percent of the issues that create 80 percent of your security risks. Whether you need to assess security vulnerabilities on a small home-office network, a medium-size corporate network, or large enterprise systems, Hacking For Dummies provides the information you need.

This book includes the following features:

Various technical and nontechnical tests and their detailed methodologies.

Specific countermeasures to protect against hacking and breaches.

Before you start testing your systems, familiarize yourself with the information in Part 1 so that you’re prepared for the tasks at hand. The adage “If you fail to plan, you plan to fail” rings true for the security assessment process. You must have a solid game plan in place if you’re going to be successful.

Foolish Assumptions

Disclaimer: This book is intended solely for information technology (IT) and security professionals to test the security of their (or their clients’) systems in an authorized fashion. If you choose to use the information in this book to hack or break into computer systems maliciously and without authorization, you’re on your own. Neither I (the author) nor anyone else associated with this book shall be liable or responsible for any unethical or criminal choices that you might make and execute using the methodologies and tools that I describe.

Okay, now that that’s out of the way, let’s get to the good stuff! This book is for you if you’re a systems administrator, information security manager, security consultant, security auditor, compliance manager, or otherwise interested in finding out more about evaluating computer systems, software, and IT operations for security flaws and, of course, making long-term improvements.

I also make a few assumptions about you, the aspiring information technology (IT) or security professional:

You’re familiar with basic computer, network, and information security concepts and terms.

You have access to a computer and a network on which to use these techniques and tools.

You have the go-ahead from your employer or your client to perform the hacking techniques described in this book.

Icons Used in This Book

Throughout this book, you’ll see the following icons in the margins.

This icon points out information that’s worth committing to memory.

This icon points out information that could have a negative effect on your vulnerability and penetration testing efforts — so please read it!

This icon refers to advice that can highlight or clarify an important point.

This icon points out technical information that’s interesting but not vital to your understanding of the topic being discussed.

Beyond the Book

First off, be sure to check out the Cheat Sheet associated with this book. You can access the Cheat Sheet by visiting dummies.com and searching for Hacking For Dummies. The Cheat Sheet is a great way to get you pointed in the right direction or get you back on track with your security testing program, if needed.

Also, be sure to check out my website www.principlelogic.com, especially the Resources page.

Where to Go from Here

The more you know about how external hackers and rogue insiders work and how your systems should be tested, the better you’re able to secure your computer and network systems. This book provides the foundation you need to develop and maintain a successful security assessment and vulnerability management program to minimize business risks.

Depending on your computer and network configurations, you may be able to skip certain chapters. For example, if you aren’t running Linux or wireless networks, you can skip those chapters. Just be careful. You may think you’re not running certain systems, but they could very well be on your network, somewhere, waiting to be exploited.

Keep in mind that the high-level concepts of security testing won’t change as often as the specific vulnerabilities you protect against. Vulnerability and penetration testing will always remain both an art and a science in a field that’s ever-changing. You must keep up with the latest hardware and software technologies, along with the various vulnerabilities that come about day after day and month after month.

You won’t find a single best way to hack your systems, so tweak this information to your heart’s content, and happy hacking!

Part 1

Building the Foundation for Security Testing

IN THIS PART …

Discover the basics of vulnerability and penetration testing.

Get a look inside a hacker’s head to undertand why and how they do what they do.

Develop a security testing plan.

Understand the methodology for finding the most (and best) vulnerabilities.

Chapter 1

Introduction to Vulnerability and Penetration Testing

IN THIS CHAPTER

Understanding hackers’ and malicious users’ objectives

Examining how the security testing process came about

Recognizing what endangers your computer systems

Starting to use the process for security testing

This book is about testing your computers and networks for security vulnerabilities and plugging the holes you find before the bad guys get a chance to exploit them.

Straightening Out the Terminology

Everyone has heard of hackers and malicious users. Many people have even suffered the consequences of their criminal actions. Who are these people and why do you need to know about them? The next few sections give you the lowdown on these attackers.

In this book, I use the following terminology:

Hackers

(or

external attackers)

try to compromise computers, sensitive information, and even entire networks for ill-gotten gains — usually from the outside — as unauthorized users. Hackers go for almost any system they think they can compromise. Some prefer prestigious, well-protected systems, but hacking into anyone’s system increases an attacker’s status in hacker circles.

Malicious users (external or internal attackers) try to compromise computers and sensitive information from the outside (i.e. customers or business partners) or the inside as authorized and trusted users. Malicious users go for systems that they believe they can compromise for ill-gotten gains or revenge, because they may have access or knowledge of a system that gives them a leg up.

Malicious attackers are, generally speaking, both hackers and malicious users. For the sake of simplicity, I refer to both as hackers and specify hacker or malicious user only when I need to differentiate and drill down further into their unique tools, techniques, and ways of thinking.

Ethical hackers

(or

good guys)

hack systems to discover vulnerabilities to protect against unauthorized access, abuse, and misuse. Information security researchers, consultants, and internal staff fall into this category.

Hacker

Hacker has two meanings:

Traditionally, hackers like to tinker with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate. They love discovering new ways to work — both mechanically and electronically.

In recent years, hacker has taken on a new meaning: someone who maliciously breaks into systems for personal gain. Technically, these criminals are crackers (criminal hackers). Crackers break into, or crack, systems with malicious intent. The gain they seek could be fame, intellectual property, profit, or even revenge. They modify, delete, and steal critical information as well as take entire networks offline, often bringing large corporations and government agencies to their knees.

Don’t even get me started on how pop culture and the media have hijacked the word hack, from life hacking to so-called election meddling. Marketers, politicians, and media strategists know that the average person doesn’t understand the term hacking, so many of them use it however they desire to achieve their goals. Don’t be distracted.

The good-guy (white-hat) hackers don’t like being lumped in the same category as the bad-guy (black-hat) hackers. (In case you’re curious, the white hat and black hat come from old Western TV shows in which the good guys wore white cowboy hats and the bad guys wore black cowboy hats.) Gray-hat hackers are a bit of both. Whatever the case, most people have a negative connotation of the word hacker.

Many malicious hackers claim that they don’t cause damage but help others for the greater good of society. Yeah, whatever. Malicious hackers are electronic miscreants and deserve the consequences of their actions.

Be careful not to confuse criminal hackers with security researchers. Researchers not only hack aboveboard and develop the amazing tools that we get to use in our work, but also (usually) take responsible steps to disclose their findings and publish their code.

Malicious user

A malicious user — meaning a rogue employee, contractor, intern, or other user who abuses his or her trusted privileges — is a common term in security circles and in headlines about information breaches. The issue isn’t necessarily users hacking internal systems, but users who abuse the computer access privileges they’ve been given. Users ferret through critical database systems to glean sensitive information, email confidential client information to the competition or elsewhere to the cloud, or delete sensitive files from servers that they probably didn’t need to have access to in the first place.

Sometimes, an innocent (or ignorant) insider whose intent isn’t malicious still causes security problems by moving, deleting, or corrupting sensitive information. Even an innocent fat finger on the keyboard can have dire consequences in the business world. Think about all the ransomware infections affecting businesses around the world. All it takes is one click by a careless user for your entire network to be affected.

Malicious users are often the worst enemies of IT and information security professionals because they know exactly where to go to get the goods and don’t need to be computer-savvy to compromise sensitive information. These users have the access they need, and management trusts them — often without question.

What about that Edward Snowden guy — the former National Security Agency employee who ratted out his own employer? That subject is a complicated one. (I talk about hacker motivations in Chapter 2.) Regardless of what you think of Snowden, he abused his authority and violated the terms of his nondisclosure agreement. The same can be said of others who, for whatever reason, are placed on a pedestal because of their notoriety.

Recognizing How Malicious Attackers Beget Ethical Hackers

You need protection from hacker shenanigans; you have to become as savvy as the guys who are trying to attack your systems. A true security assessment professional possesses the skills, mindset, and tools of a hacker but is trustworthy. He or she performs hacks as security tests against systems based on how hackers think and work.

Ethical hacking (otherwise known as vulnerability and penetration testing) involves the same tools, tricks, and techniques that criminal hackers use, with one major difference: It’s performed with the target’s permission in a professional setting. The intent of this testing is to discover vulnerabilities from a malicious attacker’s viewpoint to better secure systems. Vulnerability and penetration testing is part of an overall information risk management program that allows for ongoing security improvements. This security testing can also ensure that vendors’ claims about the security of their products are legitimate.

Vulnerability and penetration testing versus auditing

Many people confuse security testing via vulnerability and penetration testing with security auditing, but big differences exist in the objectives. Security auditing involves comparing a company’s security policies (or compliance requirements) with what’s actually taking place. The intent of security auditing is to validate that security controls exist, typically by using a risk-based approach. Auditing often involves reviewing business processes and in some cases isn’t very technical. Security audits, in fact, can be as basic as security checklists that simply serve to meet a specific compliance requirement.

Not all audits are high-level, but many of the ones I’ve seen — especially those involving compliance with the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) — are quite simplistic. Often, these audits are performed by people who have no technical computer, network, or application experience — or, worse, work outside IT altogether!

Conversely, security assessments based on ethical hacking focus on vulnerabilities that can be exploited. This testing approach validates that security controls don’t exist or are ineffectual. This formal vulnerability and penetration testing can be both highly technical and nontechnical, and although it involves the use of formal methodology, it tends to be a bit less structured than formal auditing. Where auditing is required (such as for SSAE 16 SOC 1/2/3 audits and the ISO 27001 certification) in your organization, you might consider integrating the vulnerability and penetration testing techniques I outline in this book into your IT/security audit program. Auditing and vulnerability and penetration testing complement one another really well.

Policy considerations

If you choose to make vulnerability and penetration testing an important part of your business’s information risk management program, you really need to have a documented security testing policy. Such a policy outlines who’s doing the testing, the general type of testing that’s performed, and how often the testing takes place. Specific procedures for carrying out your security tests could outline the methodologies I cover in this book. You might also consider creating a security standards document that outlines the specific security testing tools used and the specific people performing the testing. You could establish standard testing dates, such as once per quarter for external systems and biannual tests for internal systems — whatever works for your business.

Compliance and regulatory concerns

Your own internal policies may dictate how management views security testing, but you also need to consider the state, federal, and international laws and regulations that affect your business. In particular, the Digital Millennium Copyright Act (DMCA) sends chills down the spines of legitimate researchers. See www.eff.org/issues/dmca for everything that the DMCA has to offer.

Many federal laws and regulations in the United States — such as HIPAA and the associated Health Information Technology for Economic and Clinical Health (HITECH) Act, Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements, and PCI DSS — require strong security controls and consistent security evaluations. Related international laws —such as the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s General Data Protection Regulation (GDPR), and Japan’s Personal Information Protection Act (JPIPA) — are no different. Incorporating your security tests into these compliance requirements is a great way to meet state and federal regulations and to beef up your overall information security and privacy program.

Understanding the Need to Hack Your Own Systems

To catch a thief, you must think like a thief. That adage is the basis of vulnerability and penetration testing. Knowing your enemy is critical. The law of averages works against security. With the increased number of hackers and their expanding knowledge, and the growing number of system vulnerabilities and other unknowns, all computer systems and applications will eventually be hacked or compromised in some way. Protecting your systems from the bad guys —not just addressing general security best practices — is critical. When you know hacker tricks, you find out how vulnerable your systems really are.

Hacking preys on weak security practices and undisclosed vulnerabilities. More and more research, such as the annual Verizon Data Breach Investigations Report (www.verizonenterprise.com/verizon-insights-lab/dbir), shows that long-standing, known vulnerabilities are also being targeted. Firewalls, encryption, and other fancy (and expensive) security technologies often create a false feeling of safety. These security systems tend to focus on high-level vulnerabilities, such as access control and protecting information in transit, without affecting how the bad guys work. Attacking your own systems to discover vulnerabilities — especially the low-hanging fruit that gets so many people into trouble — helps make them more secure. Vulnerability and penetration testing is a proven method for greatly hardening your systems from attack. If you don’t identify weaknesses, it’s only a matter of time before the vulnerabilities are exploited.

As hackers expand their knowledge, so should you. You must think like them and work like them to protect your systems from them. As an ethical hacker, you must know the activities that unethical hackers carry out, as well as how to stop their efforts. Knowing what to look for and how to use that information helps you thwart hackers’ efforts.

You don’t have to protect your systems from everything. You can’t. The only protection against everything is unplugging your computer systems and locking them away so no one can touch them — not even you. But doing so is not the best approach to security, and it’s certainly not good for business! What’s important is protecting your systems from known vulnerabilities and common attacks — the 20 percent of the issues that create 80 percent of the risks, which happen to be some of the most overlooked weaknesses in most organizations.

Anticipating all the possible vulnerabilities you’ll have in your systems and business processes is impossible. You certainly can’t plan for all types of attacks — especially the unknown ones. But the more combinations you try and the more often you test whole systems instead of individual units, the better your chances are of discovering vulnerabilities that affect your information systems in their entirety.

Don’t take your security testing too far, though; hardening your systems from unlikely (or even less likely) attacks makes little sense.

Your overall goals for security testing are to:

Prioritize your systems so that you can focus your efforts on what matters.

Test your systems in a nondestructive fashion.

Enumerate vulnerabilities and, if necessary, prove to management that business risks exist.

Apply results to address the vulnerabilities and better secure your systems.

Understanding the Dangers Your Systems Face

It’s one thing to know generally that your systems are under fire from hackers around the world and malicious users around the office; it’s another to understand specific potential attacks against your systems. This section discusses some well-known attacks but is by no means a comprehensive listing.

Many security vulnerabilities aren’t critical by themselves, but exploiting several vulnerabilities at the same time can take its toll on a system or network environment. A default Windows operating system (OS) configuration, a weak SQL Server administrator password, or a server running on a wireless network may not be a major security concern by itself. But someone who exploits all three of these vulnerabilities at the same time could enable unauthorized remote access and disclose sensitive information (among other things).

Complexity is the enemy of security.

Vulnerabilities and attacks have grown enormously in recent years because of virtualization, cloud computing, and even social media. These three things alone add immeasurable complexity to your environment.

Nontechnical attacks

Exploits that involve manipulating people — end users and even you — are the greatest vulnerability in any computer or network infrastructure. Humans are trusting by nature, which can lead to social-engineering exploits. Social engineering is exploiting the trusting nature of human beings to gain information (often via email phishing — for malicious purposes. Check out Chapter 6 for more information about social engineering and how to guard your systems against it.

Other common, effective attacks against information systems are physical. Hackers break into buildings, computer rooms, or other areas that contain critical information or property to steal computers, servers, and other valuable equipment. Physical attacks can also include dumpster diving — rummaging through trash cans and bins for intellectual property, passwords, network diagrams, and other information.

Network infrastructure attacks

Attacks on network infrastructures can be easy to accomplish because many networks can be reached from anywhere in the world via the Internet. Examples of network infrastructure attacks include the following:

Connecting to a network through an unsecured wireless access point attached behind a firewall.

Exploiting weaknesses in network protocols, such as File Transfer Protocol (FTP) and Secure Sockets Layer (SSL).

Flooding a network with too many requests, creating denial of service (DoS) for legitimate requests.

Installing a network analyzer on a network segment and capturing every packet that travels across it, revealing confidential information in clear text.

Operating system attacks

Hacking an OS is a preferred method of the bad guys. OS attacks make up a large portion of attacks simply because every computer has an operating system. they are susceptible to many well-known exploits, including vulnerabilities that remain unpatched years later.

Occasionally, some OSes that tend to be more secure out of the box — such as the old-but-still-out-there Novell NetWare, OpenBSD, and IBM Series i — are attacked, and vulnerabilities turn up. But hackers tend to prefer attacking Windows, Linux, and Mac OS because they’re more widely used.

Here are some examples of attacks on operating systems:

Exploiting missing patches

Attacking built-in authentication systems

Breaking file system security

Cracking passwords and weak encryption implementations

Application and other specialized attacks

Applications take a lot of hits by hackers. Web applications and mobile apps, which are probably the most popular means of attack, are often beaten down. For example, the following are examples of application attacks and related exploits that are often present on business networks:

Web applications are everywhere. Thanks to what’s called

shadow IT,

in which people in various areas of the business run and manage their own technology, web applications are in every corner of the internal network and out in the cloud. Unfortunately, many IT and security professionals are unaware of the presence of shadow IT and the risks it creates.

Mobile apps face increasing attacks, given their popularity in business settings. There are also rogue apps discovered on the app stores that can create challenges in your environment.

Unsecured files containing sensitive information are scattered across workstation and server shares as well as out into the cloud in places like OneDrive and Google Drive. Database systems also contain numerous vulnerabilities that malicious users can exploit.

Following the Security Assessment Principles

Security professionals must carry out the same attacks against computer systems, physical controls, and people that malicious hackers do. (I introduce those attacks in the preceding section.) A security professional’s intent, however, is to highlight any associated weaknesses. Parts 2 through 5 of this book cover how you might proceed with these attacks in detail, along with specific countermeasures you can implement against attacks on your business.

To ensure that security testing is performed adequately and professionally, every security professional needs to follow a few basic tenets. The following sections introduce the important principles.

If you don’t heed these principles, bad things could happen. I’ve seen them ignored or forgotten by IT departments while planning and executing security tests. The results weren’t positive; trust me.

Working ethically

The word ethical in this context means working with high professional morals and values. Whether you’re performing security tests against your own systems or for someone who has hired you, everything you do must be aboveboard in support of the company’s goals, with no hidden agenda — just professionalism. Being ethical also means reporting all your findings, whether or not they may create political backlash. Don’t laugh; on numerous occasions, I’ve witnessed people brushing off security vulnerability findings because they didn’t want to rock the boat or to deal with difficult executives or vendors.

Trustworthiness is the ultimate tenet. It’s also the best way to get (and keep) people on your side in support of your security program. Misusing information and power is forbidden; that’s what the bad guys do, so let them pay a fine or go to prison because of their poor choices. Keep in mind that you can be ethical but not trustworthy and vice versa, along the lines of Edward Snowden. These complexities are part of the overall challenges in your security program. I don’t envy you for this complexity.

Respecting privacy

Treat the information you gather with respect. All information you obtain during your testing — from web application flaws to clear text email passwords to personally identifiable information (PII) and beyond — must be kept private. Nothing good can come of snooping into confidential corporate information or employees’ private lives.

Involve others in your process. Employ a peer review or similar oversight system that can help build trust and support for your security assessment projects.

Not crashing your systems

One of the biggest mistakes I’ve seen people make when trying to test their own systems is inadvertently crashing the systems they’re trying to keep running. Crashing systems doesn’t happen as often as it used to, given the resiliency of today’s systems, but poor planning and timing can have negative consequences.

Although you’re not likely to do so, you can create DoS conditions on your systems when testing. Running too many tests too quickly can cause system lockups, data corruption, reboots, and similar problems, especially when you’re testing older servers and web applications. (I should know; I’ve done it!) Don’t assume that a network or specific host can handle the beating that network tools and vulnerability scanners can dish out.

You can even accidentally create an account or system lockout by using vulnerability scanners or by socially engineering someone into changing a password without realizing the consequences of your actions. Proceed with caution and common sense. Either way, be it you or someone else, these weaknesses still exist, and it’s better that you discover them first!

Many vulnerability scanners can control how many tests are performed on each system at the same time. These settings are especially handy when you need to run the tests on production systems during regular business hours. Don’t be afraid to throttle back your scans. Completing your testing will take longer, but throttling back may save you a lot of grief if an unstable system is present.

Using the Vulnerability and Penetration Testing Process

As with practically any IT or security project, you need to plan security testing. It’s been said that action without planning is the root of every failure. Strategic and tactical issues in vulnerability and penetration testing need to be determined and agreed on in advance. To ensure the success of your efforts, spend time planning for any amount of testing, from a simple OS password-cracking test against a few servers to a penetration test of a complex web environment.

If you choose to hire a “reformed” hacker to work with you during your testing or to obtain an independent perspective, be careful. I cover the pros and cons and the do’s and don’ts associated with hiring security resources in Chapter 19.

Formulating your plan

Getting approval for security testing is essential. Make sure that what you’re doing is known and visible — at least to the decision-makers. Obtaining sponsorship of the project is the first step. This is how your testing objectives are defined. Sponsorship could come from your manager, an executive, your client, or even yourself if you’re the boss. You need someone to back you up and sign off on your plan. Otherwise, your testing may be called off unexpectedly if someone (including third parties such as cloud service and hosting providers) claims that you were never authorized to perform the tests. Worse, you could be fired or charged with criminal activity.

The authorization can be as simple as an internal memo or an email from your boss when you perform these tests on your own systems. If you’re testing for a client, have a signed contract stating the client’s support and authorization. Get written approval of this sponsorship as soon as possible to ensure that none of your time or effort is wasted. This documentation is your “Get Out of Jail Free” card if anyone — such as your Internet service provider (ISP), cloud service provider, or a related vendor —questions what you’re doing or if the authorities come calling. Don’t laugh — it wouldn’t be the first time it has happened.

One slip can crash your systems, which isn’t necessarily what anyone wants. You need a detailed plan, but you don’t need volumes of testing procedures that make the plan overly complex. A well-defined scope includes the following information:

Specific systems to be tested:

When selecting systems to test, start with the most critical systems and processes or the ones that you suspect are the most vulnerable. You could test server OS passwords, test an Internet-facing web application, or attempt social engineering via email phishing before drilling down into all your systems.

Risks involved: Have a contingency plan for your security testing process in case something goes awry. Suppose that you’re assessing your firewall or web application, and you take it down. This situation can cause system unavailability, which can reduce system performance or employee productivity. Worse, it might cause loss of data integrity, loss of data itself, and even bad publicity. It’ll most certainly tick off a person or two and make you look bad. All of these can create business risks.

Handle social engineering and DoS attacks carefully. Determine how they might affect the people and systems you test.

Dates when the tests will be performed and overall timeline: Determining when the tests are to be performed is something you must think long and hard about. Decide whether to perform tests during normal business hours, or late at night or early in the morning so that production systems aren’t affected. Involve others to make sure that they approve of your timing.

You may get pushback and suffer DoS-related consequences, but the best approach is an unlimited attack, in which any type of test is possible at any time of day. The bad guys aren’t breaking into your systems within a limited scope, so why should you? Some exceptions to this approach are performing all-out DoS attacks, social engineering, and physical security tests.

Whether you intend to be detected: One of your goals may be to perform the tests without being detected. You might perform your tests on remote systems or on a remote office and don’t want the users to be aware of what you’re doing. Otherwise, the users or IT staff may catch on to you and be on their best behavior instead of their normal behavior.

Whether to leave security controls enabled: An important, yet often-overlooked, issue is whether to leave enabled security controls such as firewalls, intrusion prevention systems (IPSes), and web application firewalls (WAFs) so that they block scans and exploit attempts. Leaving these controls enabled provides a real-world picture of where things stand. But I’ve found much more value in disabling these controls (or whitelisting your IP address) so that you can pull back the curtains and find the greatest number of vulnerabilities.

Many people want to leave their security controls enabled. After all, that approach can make them look better, because many security checks will likely be blocked. To me, however, this defense-in-depth approach is great, but it can create a serious false sense of security and doesn’t paint the entire picture of an organization’s overall security posture.

Knowledge of the systems before testing: You don’t need extensive knowledge of the systems you’re testing — just basic understanding, which protects both you and the tested systems. Understanding the systems you’re testing shouldn’t be difficult if you’re testing your own in-house systems. If you’re testing a client’s systems, you may have to dig deeper. In fact, only one or two clients have asked me for a fully blind assessment.

Most IT managers and others who are responsible for security are scared of blind assessments, which can take more time, cost more, and be less effective. Base the type of test you perform on the organization’s or client’s needs.

Actions to take when a major vulnerability is discovered:

Don’t stop after you find one or two security holes; keep going to see what else you can discover. I’m not saying that you should keep testing until the end of time or until you crash all your systems; ain’t nobody got time for that! Instead, simply pursue the path you’re going down until you can’t hack it any longer (pun intended). If you haven’t found any vulnerabilities, you haven’t looked hard enough. Vulnerabilities are there. If you uncover something big, you need to share that information with the key players (developers, database administrators, IT managers, and so on) as soon as possible to plug the hole before it’s exploited.

The specific deliverables:

Deliverables include vulnerability scanner reports and your own distilled report outlining important vulnerabilities to address, along with recommendations and countermeasures to implement.

Selecting tools

As in any project, if you don’t have the right tools for your security testing, you’ll have difficulty accomplishing the task effectively. Having said that, just because you use the right tools doesn’t mean that you’ll discover all the right vulnerabilities. Experience counts.

Know the limitations of your tools. Many vulnerability scanners generate false positives and negatives (incorrectly identifying vulnerabilities). Others skip vulnerabilities. In certain situations, such as testing web applications, you have to run multiple vulnerability scanners to find all the vulnerabilities.

Many tools focus on specific tests, and no tool can test for everything. For the same reason that you wouldn’t drive a nail with a screwdriver, don’t use a port scanner to uncover specific network vulnerabilities. You need a set of specific tools for the task. The more (and better) tools you have, the easier your security testing efforts will be.

Make sure that you’re using tools like these for your tasks:

To crack passwords, you need cracking tools such as Ophcrack and Proactive Password Auditor.

For an in-depth analysis of a web application, a web vulnerability scanner (such as Netsparker or Acunetix Web Vulnerability Scanner) is more appropriate than a network analyzer (such as Wireshark or Omnipeek).

The capabilities of many security and hacking tools are misunderstood. This misunderstanding has cast a negative light on otherwise excellent and legitimate tools; even government agencies around the world are talking about making them illegal. Part of this misunderstanding is due to the complexity of some security testing tools. Whichever tools you use, familiarize yourself with them before you start using them. That way, you’re prepared to use the tools in the ways that they’re intended to be used. Here are ways to do that:

Read the readme and/or online help files and FAQs (frequently asked questions).

Study the user guides.

Use the tools in a lab or test environment.

Watch tutorial videos on YouTube (if you can bear the poor production of most of them).

Consider formal classroom training from the security-tool vendor or another third-party training provider, if available.

Look for these characteristics in tools for security testing:

Adequate documentation.

Detailed reports on discovered vulnerabilities, including how they might be exploited and fixed.

General industry acceptance.

Availability of updates and responsiveness of technical support.

High-level reports that can be presented to managers or nontechnical types (especially important in today’s audit- and compliance-driven world).

These features can save you a ton of time and effort when you’re performing your tests and writing your final reports.

Executing the plan

Good security testing takes persistence. Time and patience are important. Also, be careful when you’re performing your tests. A criminal on your network or a seemingly benign employee looking over your shoulder may watch what’s going on and use this information against you or your business.

Making sure that no hackers are on your systems before you start isn’t practical. Just be sure to keep everything as quiet and private as possible, especially when you’re transmitting and storing test results. If possible, encrypt any emails and files that contain sensitive test information or share them via a cloud-based file sharing service.

You’re on a reconnaissance mission. Harness as much information as possible about your organization and systems, much as malicious hackers do. Start with a broad view and narrow your focus. Follow these steps:

Search the Internet for your organization’s name, its computer and network system names, and its IP addresses.

Google is a great place to start.

Narrow your scope, targeting the specific systems you’re testing.

Whether you’re assessing physical security structures or web applications, a casual assessment can turn up a lot of information about your systems.

Further narrow your focus by performing scans and other detailed tests to uncover vulnerabilities on your systems.

Perform the attacks and exploit any vulnerabilities you find (if that’s what you choose to do).

Check out Chapters 4 and 5 for information and tips on this process.

Evaluating results

Assess your results to see what you’ve uncovered, assuming that the vulnerabilities haven’t been made obvious before now. Knowledge counts. Your skill in evaluating the results and correlating the specific vulnerabilities discovered will get better with practice. You’ll end up knowing your systems much better than anyone else does, which will make the evaluation process much simpler moving forward.

Submit a formal report to management or to your client, outlining your results and any recommendations you need to share. Keep these parties in the loop to show that your efforts and their money are well spent. Chapter 17 describes the security assessment reporting process.

Moving on

When you finish your security tests, you (or your client) still need to implement your recommendations to make sure that the systems are secure. Otherwise, all the time, money, and effort spent on testing goes to waste. Sadly, I see this very scenario fairly often.

New security vulnerabilities continually appear. Information systems change and become more complex. New security vulnerabilities and exploits are uncovered. Vulnerability scanners get better. Security tests provide a snapshot of the security posture of your systems. At any time, everything can change, especially after you upgrade software, add computer systems, or apply patches. This situation underscores the need to update your tools often — before each use, if possible. Plan to test regularly and consistently (such as once a month, once a quarter, or biannually). Chapter 19 covers managing security changes as you move forward.

Chapter 2

Cracking the Hacker Mindset

IN THIS CHAPTER

Understanding the enemy

Profiling hackers and malicious users

Understanding why attackers do what they do

Examining how attackers go about their business

Before you start assessing the security of your systems, it’s good to know a few things about the people you’re up against. Many security product vendors and security professionals claim that you should protect all of your systems from the bad guys — both internal and external. But what does this mean? How do you know how these people think and execute their attacks?

Knowing what hackers and malicious users want helps you understand how they work. Understanding how they work helps you look at your information systems in a whole new way. In this chapter, I describe the challenges you face from the people who actually do the misdeeds, as well as their motivations and methods. This understanding better prepares you for your security tests.

What You’re Up Against

Thanks to sensationalism in the media, public perception of hacker has transformed from harmless tinkerer to malicious criminal. Nevertheless, hackers often state that the public misunderstands them, which is mostly true. It’s easy to prejudge what you don’t understand. Unfortunately, many hacker stereotypes are based on misunderstanding rather than fact, and that misunderstanding fuels a constant debate.

Hackers can be classified by both their abilities and their underlying motivations. Some are skilled, and their motivations are benign; they’re merely seeking more knowledge. Still, other hackersmay have malicious intent and seek some form of personal, political, or economic gain. Unfortunately, the negative aspects of hacking usually overshadow the positive aspects and promote the negative stereotypes.

Historically, hackers hacked for the pursuit of knowledge and the thrill of the challenge. Script kiddies (hacker wannabes with limited skills) aside, traditional hackers are adventurous and innovative thinkers who are always devising new ways to exploit computer vulnerabilities. (For more on script kiddies, see the section “Who Breaks into Computer Systems” later in this chapter.) Hackers see what others often overlook. They’re very inquisitive and have good situational awareness. They wonder what would happen if a cable was unplugged, a switch was flipped, or lines of code were changed in a program. They do these things and then notice what happens. These old-school hackers are like Tim “The Tool Man” Taylor — Tim Allen’s character on the classic sitcom Home Improvement — thinking that they can improve electronic and mechanical devices by “rewiring them.”

When they were growing up, hackers’ rivals were monsters and villains on video game screens. Now hackers see their electronic foes as only that: electronic. Hackers who perform malicious acts don’t really think about the fact that human beings are behind the firewalls, wireless networks, and web applications they’re attacking. They ignore the fact that their actions often affect those human beings in negative ways, such as jeopardizing their job security and putting their personal safety at risk. Government-backed hacking? Well, that’s a different story, as those hackers are making calculated decisions to do these things.

On the flip side, odds are good that you have at least a few employees, contractors, interns, or consultants who intend to compromise sensitive information on your network for malicious purposes. These people don’t hack in the way that people normally suppose. Instead, they root around in files on server shares; delve into databases they know they shouldn’t be in; and sometimes steal, modify, and delete sensitive information to which they have access. This behavior can be very hard to detect, especially given the widespread belief among management that users can and should be trusted to do the right things. This activity is perpetuated if these users passed their criminal background and credit checks before they were hired. Past behavior is often the best predictor of future behavior, but just because someone has a clean record and authorization to access sensitive systems doesn’t mean that he or she won’t do anything bad. Criminal behavior has to start somewhere!

As negative as breaking into computer systems often can be, hackers and researchers play key roles in the advancement of technology. In a world without these people, odds are good that the latest intrusion prevention technology, data loss prevention (DLP), or vulnerability scanning and exploit tools would likely be different, if they existed at all. Such a world might not be bad, but technology does keep security professionals employed and the field moving forward. Unfortunately, the technical security solutions can’t ward off all malicious attacks and unauthorized use, because hackers and (sometimes) malicious users are usually a few steps ahead of the technology designed to protect against their wayward actions.