Stealing the Network - How to Own the Box. Syngress

Foreword by Jeff Moss

President & CEO, Black Hat, Inc

Ryan Russell Tim Mullen (Thor) FX Dan “Effugas” Kaminsky
Joe Grand Ken Pfeil Ido Durbrawsky
Mark Burnett Paul Craig

e-books shop
Stealing the Network - How to Own the Box


We would like to acknowledge the following people for their kindness and support
in making this book possible.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner,
Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell,
Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Kristin
Keith, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of
Publishers Group West for sharing their incredible marketing experience and expertise.
The incredibly hard working team at Elsevier Science, including Jonathan
Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna
Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for
making certain that our vision remains worldwide in scope.
David Buckland,Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie
Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with
which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene
Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates
for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at
Jaguar Book Group for their help with distribution of Syngress books in Canada.
David Scott,Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley
Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books
throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands,
and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of
Syngress books in the Philippines.
Ping Look and Jeff Moss of Black Hat for their invaluable insight into the world
of computer security and their support of the Syngress publishing program. A special
thanks to Jeff for sharing his thoughts with our readers in the Foreword to this book,
and to Ping for providing design expertise on the cover.
Syngress would like to extend a special thanks to Ryan Russell. Ryan has been
an important part of our publishing program for many years; he is a talented author
and tech editor, and an all-around good guy.Thank you Ryan.

Technical Editor
Ryan Russell has worked in the IT field for over 13 years, focusing on information
security for the last seven. He was the primary author of Hack Proofing Your Network:
Internet Tradecraft (Syngress Publishing, ISBN: 1-928994-15-6), and is a frequent technical
editor for the Hack Proofing series of books. He is also a technical advisor to
Syngress Publishing’s Snort 2.0 Intrusion Detection (ISBN: 1-931836-74-4). Ryan
founded the vuln-dev mailing list, and moderated it for three years under the alias
“Blue Boar.” He is a frequent lecturer at security conferences, and can often be found
participating in security mailing lists and Web site discussions. Ryan is the Director of
Software Engineering for, where he’s developing the anti-worm
product, Enforcer. One of Ryan’s favorite activities is disassembling worms.

Dan Kaminsky, also known as Effugas, is a Senior Security Consultant for Avaya’s
Enterprise Security Practice, where he works on large-scale security infrastructure.
Dan’s experience includes two years at Cisco Systems, designing security infrastructure
for cross-organization network monitoring systems, and he is best known for his
work on the ultra-fast port scanner, scanrand, part of the “Paketto Keiretsu,” a collection
of tools that use new and unusual strategies for manipulating TCP/IP networks.
He authored the Spoofing and Tunneling chapters for Hack Proofing Your Network:
Second Edition (Syngress Publishing, ISBN: 1-928994-70-9), and has delivered presentations
at several major industry conferences, including LinuxWorld, DefCon, and
past Black Hat Briefings. Dan was responsible for the Dynamic Forwarding patch to
OpenSSH, integrating the majority of VPN-style functionality into the widely
deployed cryptographic toolkit. Finally, he founded the cross-disciplinary DoxPara
Research in 1997, seeking to integrate psychological and technological theory to
create more effective systems for non-ideal but very real environments in the field.
Dan is based in Silicon Valley, CA.

FX of Phenoelit has spent the better part of the last few years becoming familiar
with the security issues faced by the foundation of the Internet, including protocol
based attacks and exploitation of Cisco routers. He has presented the results of his
work at several conferences, including DefCon, Black Hat Briefings, and the Chaos
Communication Congress. In his professional life, FX is currently employed as a
Security Solutions Consultant at n.runs GmbH, performing various security audits
for major customers in Europe. His specialty lies in security evaluation and testing of
custom applications and black box devices. FX loves to hack and hang out with his
friends in Phenoelit and wouldn’t be able to do the things he does without the continuing
support and understanding of his mother, his friends, and especially his young
lady, Bine, with her infinite patience and love.

Mark Burnett is an independent security consultant, freelance writer, and a specialist
in securing Windows-based IIS Web servers. Mark is co-author of Maximum
Windows Security and is a contributor to Dr.Tom Shinder’s ISA Server and Beyond: Real
World Security Solutions for Microsoft Enterprise Networks (Syngress Publishing, ISBN:
1-931836-66-3). He is a contributor and technical editor for Syngress Publishing’s
Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle (ISBN: 1-
931836-69-8). Mark speaks at various security conferences and has published articles
in Windows & .NET, Information Security, Windows Web Solutions, Security Administrator,
and is a regular contributor at Mark also publishes articles on his
own Web site,

Joe Grand is the President and CEO of Grand Idea Studio, Inc., a product design
and development firm that brings unique inventions to market through intellectual
property licensing. As an electrical engineer, many of his creations including consumer
devices, medical products, video games and toys, are sold worldwide.A recognized
name in computer security and former member of the legendary hacker
think-tank,The L0pht, Joe’s pioneering research on product design and analysis,
mobile devices, and digital forensics is published in various industry journals. He is a
co-author of Hack Proofing Your Network, Second Edition (Syngress Publishing, ISBN 1-
928994-70-9). Joe has testified before the United States Senate Governmental Affairs
Committee on the state of government and homeland computer security. He has
presented his work at the United States Naval Post Graduate School Center for
INFOSEC Studies and Research, the United States Air Force Office of Special
Investigations, the USENIX Security Symposium, and the IBM Thomas J.Watson
Research Center. Joe is a sought after personality who has spoken at numerous universities
and industry forums.

Ido Dubrawsky (CCNA, CCDA, SCSA) is a Network Security Architect working
in the SAFE architecture group of Cisco Systems, Inc. His responsibilities include
research into network security design and implementation. Previously, Ido was a
member of Cisco’s Secure Consulting Services in Austin,TX where he conducted
security posture assessments and penetration tests for clients as well as provided technical
consulting for security design reviews. Ido was one of the co-developers of the
Secure Consulting Services wireless network assessment toolset. His strengths
include Cisco routers and switches, PIX firewalls, the Cisco Intrusion Detection
System, and the Solaris operating system. His specific interests are in freeware intrusion
detection systems. Ido holds a bachelor’s and master’s degree from the University
of Texas at Austin in Aerospace Engineering and is a longtime member of USENIX
and SAGE. He has written numerous articles covering Solaris security and network
security for Sysadmin as well as the online SecurityFocus. He is a contributor to Hack
Proofing Sun Solaris 8 (Syngress Publishing, ISBN: 1-928994-44-X) and Hack Proofing
Your Network, Second Edition (Syngress, ISBN: 1-928994-70-9). He currently resides in
Silver Spring, MD with his family.

Paul Craig is a network administrator for a major broadcasting company in New
Zealand. He has experience securing a great variety of networks and operating systems.
Paul has also done extensive research and development in digital rights management
(DRM) and copy protection systems.

Ken Pfeil is a Senior Security Consultant with Avaya’s Enterprise Security
Consulting Practice, based in New York. Ken’s IT and security experience spans over
18 years with companies such as Microsoft, Dell, Identix and Merrill Lynch in
strategic positions ranging from Systems Technical Architect to Chief Security
Officer. While at Microsoft, Ken co-authored Microsoft’s Best Practices for Enterprise
Security white paper series, was a technical contributor to the MCSE Exam, Designing
Security for Windows 2000 and official curriculum for the same. Other books Ken has
co-authored or contributed to include Hack Proofing Your Network, Second Edition
(Syngress Publishing, ISBN: 1-928994-70-9), The Definitive Guide to Network Firewalls
and VPN’s,Web Services Security, Security Planning and Disaster Recovery, and The CISSP
Study Guide. Ken holds a number of industry certifications, and participates as a
Subject Matter Expert for CompTIA’s Security+ certification. In 1998 Ken founded
The NT Toolbox Web site, where he oversaw all operations until GFI Software
acquired it in 2002. Ken is a member of ISSA’s International Privacy Advisory Board,
the New York Electronic Crimes Task Force, IEEE, IETF, and CSI.

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer
of secure enterprise-based accounting solutions. Mullen is also a columnist for
Security Focus’ Microsoft Focus section, and a regular contributor of InFocus technical
articles. Also known as Thor, he is the founder of the “Hammer of God” security coop group.

Table of Contents
Foreword—Jeff Moss . . . . . . . . . . . . . . . . . .xix

Chapter 1 . . . . . . . . . . . . . . . . . . . . . . . . . .1
Hide and Sneak—Ido Dubrawsky
If you want to hack into someone else’s network, the week
between Christmas and New Year’s Day is the best time. I love that
time of year. No one is around, and most places are running on a
skeleton crew at best. If you’re good, and you do it right, you
won’t be noticed even by the automated systems. And that was a
perfect time of year to hit these guys with their nice e-commerce
site—plenty of credit card numbers, I figured.
The people who ran this site had ticked me off. I bought some
computer hardware from them, and they took forever to ship it to
me. On top of that, when the stuff finally arrived, it was damaged.
I called their support line and asked for a return or an exchange,
but they said that they wouldn’t take the card back because it was a
closeout.Their site didn’t say that the card was a closeout! I told
the support drones that, but they wouldn’t listen.They said, “policy
is policy,” and “didn’t you read the fine print?”Well, if they’re
going to take that position…. Look, they were okay guys on the
whole.They just needed a bit of a lesson.That’s all.

Chapter 2 . . . . . . . . . . . . . . . . . . . . . . . . . .21
The Worm Turns—Ryan Russell
and Tim Mullen
After a few hours, I’ve got a tool that seems to work. Geeze, 4:30
A.M. I mail it to the list for people to check out and try.
Heh, it’s tempting to use the root.exe and make the infected
boxes TFTP down my tool and fix themselves. Maybe by putting it
out there some idiot will volunteer himself. Otherwise the tool
won’t do much good, the damage is done. I’m showing like 14,000
unique IPs in my logs so far. Based on previous worms, that usually
means there are at least 10 times as many infected. At least. My
little home range is only 5 IP addresses.
I decide to hack up a little script that someone can use to
remotely install my fix program, using the root.exe hole.That way,
if someone wants to fix some of their internal boxes, they won’t
have to run around to the consoles.Then I go ahead and change it
to do a whole range of IP addresses, so admins can use it on their
whole internal network at once. When everyone gets to work
tomorrow, they’re going to need all the help they can get. I do it
in C so I can compile it to a .exe, since most people won’t have
the Windows perl installed.

Chapter 3 . . . . . . . . . . . . . . . . . . . . . . . . . .47
Just Another Day at the Office
—Joe Grand
I can’t disclose much about my location. Let’s just say it’s damp and
cold. But it’s much better to be here than in jail, or dead. I thought
I had it made—simple hacks into insecure systems for tax-free dollars.
And then the ultimate heist: breaking into a sensitive lab to
steal one of the most important weapons the U.S. had been developing.
And now it’s over. I’m in a country I know nothing about,
with a new identity, doing chump work for a guy who’s fresh out
Contents xiii
of school. Each day goes by having to deal with meaningless corporate
policies and watching employees who can’t think for themselves,
just blindly following orders. And now I’m one of them. I
guess it’s just another day at the office.

Chapter 4 . . . . . . . . . . . . . . . . . . . . . . . . . .79
h3X’s Adventures in Networkland—FX
h3X is a hacker, or to be more precise, she is a hackse (from hexe,
the German word for witch). Currently, h3X is on the lookout for
some printers. Printers are the best places to hide files and share
them with other folks anonymously. And since not too many
people know about that, h3X likes to store exploit codes and other
kinky stuff on printers, and point her buddies to the Web servers
that actually run on these printers. She has done this before.

Chapter 5 . . . . . . . . . . . . . . . . . . . . . . . . .133
The Thief No One Saw—Paul Craig
My eyes slowly open to the shrill sound of my phone and the
blinking LED in my dimly lit room. I answer the phone.
“Hmm … Hello?”
“Yo, Dex, it’s Silver Surfer. Look, I got a title I need you to get
for me.You cool for a bit of work?”
Silver Surfer and I go way back. He was the first person to get
me into hacking for profit. I’ve been working with him for almost
two years. Although I trust him, we don’t know each other’s real
names. My mind slowly engages. I was up till 5:00 A.M., and it’s
only 10:00 A.M. now. I still feel a little mushy.
“Sure, but what’s the target? And when is it due out?”
“Digital Designer v3 by Denizeit. It was announced being final
today and shipping by the end of the week, Mr. Chou asked for
this title personally. It’s good money if you can get it to us before
it’s in the stores.There’s been a fair bit of demand for it on the
street already.”
“Okay, I’ll see what I can do once I get some damn coffee.”
“Thanks dude. I owe you.”There’s a click as he hangs up.

Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . .155
Flying the Friendly Skies—Joe Grand
Not only am I connected to the private wireless network, I can
also access the Internet. Once I’m on the network, the underlying
wireless protocol is transparent, and I can operate just as I would
on a standard wired network. From a hacker’s point of view, this is
great. Someone could just walk into a Starbucks, hop onto their
wireless network, and attack other systems on the Internet, with
hardly any possibility of detection. Public wireless networks are
perfect for retaining your anonymity.
Thirty minutes later, I’ve finished checking my e-mail using a
secure Web mail client, read up on the news, and placed some bids
on eBay for a couple rare 1950’s baseball cards I’ve been looking
for. I’m bored again, and there is still half an hour before we’ll start
boarding the plane.

Chapter 7 . . . . . . . . . . . . . . . . . . . . . . . . .169
dis-card—Mark Burnett
One of my favorite pastimes is to let unsuspecting people do the
dirty work for me.The key here is the knowledge that you can
obtain through what I call social reverse-engineering, which is
nothing more than the analysis of people. What can you do with
social reverse-engineering? By watching how people deal with
computer technology, you’ll quickly realize how consistent people
really are.You’ll see patterns that you can use as a roadmap for
human behavior.
Humans are incredibly predictable. As a teenager, I used to
watch a late-night TV program featuring a well-known mentalist. I
watched as he consistently guessed social security numbers of audience
members. I wasn’t too impressed at first—how hard would it
be for him to place his own people in the audience to play along?
It was what he did next that intrigued me: He got the TV-viewing
audience involved. He asked everyone at home to think of a vegetable.
I thought to myself, carrot.To my surprise, the word
CARROT suddenly appeared on my TV screen. Still, that could
have been a lucky guess.

Chapter 8 . . . . . . . . . . . . . . . . . . . . . . . . .189
Social (In)Security—Ken Pfeil
While I‘m not normally a guy prone to revenge, I guess some
things just rub me the wrong way. When that happens, I rub
back—only harder. When they told me they were giving me
walking papers, all I could see was red. Just who did they think
they were dealing with anyway? I gave these clowns seven years of
sweat, weekends, and three-in-the-morning handholding. And for
what? A lousy week’s severance? I built that IT organization, and
then they turn around and say I’m no longer needed.They said
they’ve decided to “outsource” all of their IT to ICBM Global Services.
The unemployment checks are about to stop, and after
spending damn near a year trying to find another gig in this
economy, I think it’s payback time.Maybe I’ve lost a step or two
technically over the years, but I still know enough to hurt these
bastards. I’m sure I can get some information that’s worth selling to
a competitor, or maybe to get hired on with them. And can you
imagine the looks on their faces when they find out they were
hacked? If only I could be a fly on the wall.

Chapter 9 . . . . . . . . . . . . . . . . . . . . . . . . .211
BabelNet—Dan Kaminsky
Black Hat Defense: Know Your Network Better Than
The Enemy Can Afford To…
SMB—short for Server Message Block, was ultimately the protocol
behind NBT(NetBIOS over TCP/IP), the prehistoric IBM LAN
Manager, and its modern n-th generation clone,Windows File
Sharing. Elena laughed as chunkage like ECFDEECACACACACACACACACACACACACA
spewed across the display. Once upon a
time, a particularly twisted IBM engineer decided that “First Level
Encoding” might be a rational way to write the name “BSD”.
Humanly readable? Not unless you were the good Luke Kenneth
Casson Leighton, whose ability to fully grok raw SMB from hexdumps
was famed across the land, a postmodern incarnation of
sword swallowing.

Chapter 10 . . . . . . . . . . . . . . . . . . . . . . . .235
The Art of Tracking—Mark Burnett
It’s strange how hackers think.You’d think that white hat hackers
would be on one end of the spectrum and black hat hackers on
the other. On the contrary, they are both at the same end of the
spectrum, the rest of the world on the other end.There really is no
difference between responsible hacking and evil hacking. Either
way it’s hacking.The only difference is the content. Perhaps that is
why it is so natural for a black hat to go legit, and why it is so easy
for a white hat to go black.The line between the two is fine,
mostly defined by ethics and law.To the hacker, ethics and laws
have holes just like anything else.
Many security companies like to hire reformed hackers.The
truth is that there is no such thing as a reformed hacker.They may
have their focus redirected and their rewards changed, but they are
never reformed. Getting paid to hack doesn’t make them any less
of a hacker.
Hackers are kind of like artists. An artist will learn to paint by
painting whatever they want.They could paint mountains, animals,
or perhaps nudes.They can use any medium, any canvas, and any
colors they wish. If the artist some day gets a job doing art, he
becomes a commercial artist.The only difference is that they now
paint what other people want.

Appendix . . . . . . . . . . . . . . . . . . . . . . . . .269
The Laws of Security—Ryan Russell
This book contains a series of fictional short stories demonstrating
criminal hacking techniques that are used every day. While these
stories are fictional, the dangers are obviously real. As such, we’ve
included this appendix, which discusses how to mitigate many of
the attacks detailed in this book. While not a complete reference,
these security laws can provide you with a foundation of knowledge
prevent criminal hackers from stealing your network.


e-books shop

Purchase Now !
Just with Paypal

Product details
 3.00 USD
 329 p
 File Size
 4,699 KB
 File Type
 PDF format
 2003 by Syngress Publishing, Inc 

═════ ═════

Loading... Protection Status