The ultimate hands-on guide to IT security and proactive defense

The Network Security Test Lab is a hands-on, step-by-step guide to IT security implementation. Covering malware, viruses, and other attack technologies, this guide walks you through the security assessment and penetration testing process, and provides the set-up guidance you need to build your own security-testing lab. You'll look inside actual attacks to decode their methods, and learn how to run attacks in an isolated sandbox to better understand how attackers target systems and how to build the defenses that stop them. You'll be introduced to tools like Wireshark, NetworkMiner, Nmap, Metasploit, and more as you discover techniques for defending against network attacks, social networking bugs, malware, and the most prevalent malicious traffic. You also get access to open source tools, demo software, and a bootable version of Linux to facilitate hands-on learning and help you implement your new skills.

Security technology continues to evolve, and yet not a week goes by without news of a new security breach or a new exploit being released. The Network Security Test Lab is a guide for those on the front lines of defense, providing current methods of thwarting would-be attackers.

- Get acquainted with your hardware, gear, and test platform
- Learn how attackers penetrate existing security systems
- Detect malicious activity and build effective defenses
- Investigate and analyze attacks to inform defense strategy

The Network Security Test Lab is your complete, essential guide.
MICHAEL GREGG is CEO of Superior Solutions. He is the author of twenty security books, including Security+ Street Smarts, and a regular contributor to Huffington Post, SearchNetworking.com, and other periodicals. During his twenty years working in security, networking, and Internet technology, he has testified before U.S. Congress and has developed a variety of learning tools for colleges and training organizations.
Table of Contents

Introduction

Chapter 1 Building a Hardware and Software Test Platform
  Why Build a Lab?
  Hardware Requirements
    Physical Hardware
      Equipment You Already Have
      New Equipment Purchases
      Used Equipment Purchases
      Online Auctions
      Thrift Stores
      Company Sales
    Virtual Hardware
      VMware
      VirtualBox
    Hacker Hardware
  Software Requirements
    Operating Systems
      Microsoft Windows
      Linux
        Navigating in Linux
        Linux Basics
      Mac OS X
    Software and Applications
      Learning Applications
      Hacking Software
  Summary
  Key Terms
  Exercises
    Equipment Checklist
    Installing VMware Workstation
    Exploring Linux Operating System Options
    Using VMware to Build a Windows Image
    Using VMware Converter to Create a Virtual Machine
    Exploring Other Operating System Options
    Running Kali from VMware
    Installing Tools on Your Windows Virtual Machine

Chapter 2 Passive Information Gathering
  Starting at the Source
    Scrutinizing Key Employees
    Dumpster Diving (Electronic)
    Analyzing Web Page Coding
    Exploiting Website Authentication Methods
    Mining Job Ads and Analyzing Financial Data
    Using Google to Mine Sensitive Information
  Exploring Domain Ownership
    Whois
    Regional Internet Registries
    Domain Name System
    Identifying Web Server Software
    Web Server Location
  Summary
  Key Terms
  Exercises
    IP Address and Domain Identification
    Information Gathering
    Google Hacking
    Banner Grabbing
      Telnet
      Netcat
    VisualRoute

Chapter 3 Analyzing Network Traffic
  Why Packet Analysis Is Important
  How to Capture Network Traffic
    Promiscuous Mode
    Hubs and Switches
      Hubbing Out and Using Taps
      Switches
    Capturing Network Traffic
      Managed and Unmanaged Switches
      ARP Cache Poisoning
      Flooding
      DHCP Redirection
      Redirection and Interception with ICMP
    Preventing Packet Capture
      Dynamic Address Inspection
      DHCP Snooping
      Preventing VLAN Hopping
    Detecting Packet Capture
  Wireshark
    Wireshark Basics
    Filtering and Decoding Traffic
    Basic Data Capture: A Layer-by-Layer Review
      Physical/Data-Link Layer
      Network/Internet Layer
      Transport/Host-to-Host Layer
      Application Layer
  Other Network Analysis Tools
  Summary
  Key Terms
  Exercises
    Fun with Packets
    Packet Analysis with tcpdump
    Packet Filters
    Making a One-Way Data Cable

Chapter 4 Detecting Live Systems and Analyzing Results
  TCP/IP Basics
    The Network Access Layer
    The Internet Layer
    The Host-to-Host Layer
      Transmission Control Protocol
      User Datagram Protocol
    The Application Layer
  Detecting Live Systems with ICMP
    ICMP: Ping
    Traceroute
  Port Scanning
    TCP and UDP Port Scanning
    Advanced Port-Scanning Techniques
      Idle Scan
    Analyzing Port Scans
    Port-Scanning Tools
      Nmap
      SuperScan
      Other Scanning Tools
  OS Fingerprinting
    Passive Fingerprinting
    Active Fingerprinting
    How Nmap OS Fingerprinting Works
  Scanning Countermeasures
  Summary
  Key Terms
  Exercises
    Understanding Wireshark
    Interpreting TCP Flags
    Performing an ICMP Packet Decode
    Port Scanning with Nmap
    Traceroute
    An Analysis of a Port Scan
    OS Fingerprinting

Chapter 5 Enumerating Systems
  Enumeration
    Router and Firewall Enumeration
      Router Enumeration
      Firewall Enumeration
      Router and Firewall Enumeration Countermeasures
    Windows Enumeration
      Server Message Block and Interprocess Communication
      Enumeration and the IPC$ Share
      Windows Enumeration Countermeasures
    Linux/Unix Enumeration
    Enumeration of Application Layer Protocols
      Simple Network Management Protocol
      SNMP Enumeration Countermeasures
      Enumeration of Other Applications
  Advanced Enumeration
    SCADA Systems
    User Agent Strings
  Mapping the Attack Surface
    Password Speculation and Cracking
    Sniffing Password Hashes
    Exploiting a Vulnerability
    Protecting Passwords
  Summary
  Key Terms
  Exercises
    SNMP Enumeration
    Enumerating Routing Protocols
    Enumeration with DumpSec
    Identifying User Agent Strings
    Browser Enumeration

Chapter 6 Automating Encryption and Tunneling Techniques
  Encryption
    Secret Key Encryption
      Data Encryption Standard
      Triple DES
      Advanced Encryption Standard
    One-Way Functions (Hashes)
      MD Series
      SHA
    Public Key Encryption
      RSA
      Diffie-Hellman
      ElGamal
      Elliptic Curve Cryptography
    Hybrid Cryptosystems
    Public Key Authentication
    Public Key Infrastructure
      Certificate Authority
      Registration Authority
      Certificate Revocation List
      Digital Certificates
      Certificate Distribution System
  Encryption Role in Authentication
    Password Authentication
      Password Hashing
      Challenge-Response
    Session Authentication
      Session Cookies
      Basic Authentication
      Certificate-Based Authentication
  Tunneling Techniques to Obscure Traffic
    Internet Layer Tunneling
    Transport Layer Tunneling
    Application Layer Tunneling
  Attacking Encryption and Authentication
    Extracting Passwords
    Password Cracking
      Dictionary Attack
      Brute-Force Attack
      Rainbow Table
    Other Cryptographic Attacks
  Summary
  Key Terms
  Exercises
    CrypTool
    Extract an E-mail Username and Password
    RainbowCrack
    John the Ripper

Chapter 7 Automated Attack and Penetration Tools
  Why Attack and Penetration Tools Are Important
  Vulnerability Assessment Tools
    Source Code Assessment Tools
    Application Assessment Tools
    System Assessment Tools
      Attributes of a Good System Assessment Tool
      Nessus
  Automated Exploit Tools
    Metasploit
      Armitage
      Metasploit Console
      Metasploit Command-Line Interface
      Updating Metasploit
    BeEF
    Core Impact
    Canvas
  Determining Which Tools to Use
    Picking the Right Platform
  Summary
  Key Terms
  Exercises
    Exploring N-Stalker, a Vulnerability Assessment Tool
    Exploring Searchsploit on Kali Linux
    Metasploit Kali

Chapter 8 Securing Wireless Systems
  Wi-Fi Basics
    Wireless Clients and NICs
    Wireless Access Points
    Wireless Communication Standards
    Bluetooth Basics
  Wi-Fi Security
    Wired Equivalent Privacy
    Wi-Fi Protected Access
    802.1x Authentication
  Wireless LAN Threats
    Wardriving
      NetStumbler
      Kismet
    Eavesdropping
    Rogue and Unauthorized Access Points
    Denial of Service
  Exploiting Wireless Networks
    Finding and Assessing the Network
    Setting Up Airodump
    Configuring Aireplay
    Deauthentication and ARP Injection
    Capturing IVs and Cracking the WEP Key
    Other Wireless Attack Tools
    Exploiting Bluetooth
  Securing Wireless Networks
    Defense in Depth
    Misuse Detection
  Summary
  Key Terms
  Exercises
    Using NetStumbler
    Using Wireshark to Capture Wireless Traffic

Chapter 9 An Introduction to Malware
  History of Malware
  Types of Malware
    Viruses
    Worms
    Logic Bombs
    Backdoors and Trojans
    Packers, Crypters, and Wrappers
    Rootkits
    Crimeware Kits
    Botnets
    Advanced Persistent Threats
    Spyware and Adware
  Common Attack Vectors
    Social Engineering
    Faking It!
    Pretending through Email
  Defenses against Malware
    Antivirus
    File Integrity Verification
    User Education
  Summary
  Key Terms
  Exercises
    Virus Signatures
    Building Trojans
    Rootkits
    Finding Malware

Chapter 10 Detecting Intrusions and Analyzing Malware
  An Overview of Intrusion Detection
    IDS Types and Components
    IDS Engines
  An Overview of Snort
    Platform Compatibility
    Limiting Access to the IDS
    Verification of Configuration
  Building Snort Rules
    The Rule Header
    Logging with Snort
    Rule Options
    Advanced Snort: Detecting Buffer Overflows
    Responding to Attacks and Intrusions
  Analyzing Malware
    Tracking Malware to Its Source
    Identifying Domains and Malicious Sites
  Building a Testbed
    Virtual and Physical Targets
    Operating Systems
    Network Isolation
    Testbed Tools
  Malware Analysis Techniques
    Static Analysis
    Dynamic Analysis
  Summary
  Key Terms
  Exercises
    Building a Snort Windows System
    Analyzing Malware Communication
    Analyzing Malware with VirusTotal

Chapter 11 Forensic Detection
  Computer Forensics
    Acquisition
      Drive Removal and Hashing
      Drive-Wiping
      Logical and Physical Copies
        Logical Copies
        Physical Copies
      Imaging the Drive
    Authentication
    Trace-Evidence Analysis
      Browser Cache
      Email Evidence
      Deleted or Overwritten Files and Evidence
      Other Trace Evidence
  Hiding Techniques
    Common File-Hiding Techniques
    Advanced File-Hiding Techniques
    Steganography
    Detecting Steganographic Tools
  Antiforensics
  Summary
  Key Terms
  Exercises
    Detecting Hidden Files
    Basic File-Hiding
    Advanced File-Hiding
    Reading Email Headers
    Use S-Tools to Embed and Encrypt a Message

Index