

License for Use Information
The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM:
All works in the Hacker Highschool project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at
The HHS Project is a learning tool and as with any learning tool, the instruction is the influence of the instructor and not the tool. ISECOM cannot accept responsibility for how any information herein is applied or abused.
The HHS Project is an open community effort and if you find value in this project, we do ask you support us through the purchase of a license, a donation, or sponsorship.
All works copyright ISECOM, 2004.
Table of Contents
Lesson 1: Being a Hacker
1.0 Introduction
1.1 Resources
1.1.1 Books
1.1.2 Magazines and Newspapers
1.1.3 Zines and Blogs
1.1.4 Forums and Mailing Lists
1.1.5 Newsgroups
1.1.6 Websites
1.1.7 Chat
1.1.8 P2P
1.2 Further Lessons
Lesson 2: Basic Commands in Linux and Windows
2.1. Introduction and Objectives
2.2. Requirements and Setup
2.2.1 Requirements
2.2.2 Setup
2.3. System Operation: WINDOWS
2.3.1 How to open an MS-DOS window
2.3.2 Commands and tools (Windows)
2.4. System Operations: Linux
2.4.1 How to open a console window
2.4.2 Commands and tools (Linux)
Lesson 3: Ports and Protocols
3.1 Introduction
3.2 Basic concepts of networks
3.2.1 Devices
3.2.2 Topologies
3.3 TCP/IP model
3.3.1 Introduction
3.3.2 Layers
3.3.2.1 Application
3.3.2.2 Transport
3.3.2.3 Internet
3.3.2.4 Network Access
3.3.3 Protocols
3.3.3.1 Application layer protocols
3.3.3.2 Transport layer Protocols
3.3.3.3 Internet layer Protocols
3.3.4 IP Addresses
3.3.5 Ports
3.3.6 Encapsulation
Lesson 4: Services and Connections
4.0 Introduction
4.1 Services
4.1.1 HTTP and The Web
4.1.2 E-Mail – POP and SMTP
4.1.3 IRC
4.1.4 FTP
4.1.5 Telnet and SSH
4.1.6 DNS
4.1.7 DHCP
4.2 Connections
4.2.1 ISPs
4.2.2 Plain Old Telephone Service
4.2.3 DSL
4.2.4 Cable Modems
Lesson 5: System Identification
5.0 Introduction
5.1 Identifying a Server
5.1.1 Identifying the Owner of a domain
5.1.2 Identifying the IP address of a domain
5.2 Identifying Services
5.2.1 Ping and TraceRoute
5.2.2 Banner Grabbing
5.2.3 Identifying Services from Ports and Protocols
5.3 System Fingerprinting
5.3.1 Scanning Remote Computers
Lesson 6: Malware
6.0 Introduction
6.1 Viruses (Virii)
6.1.1 Introduction
6.1.2 Description
6.1.2.1 Boot Sector Viruses
6.1.2.2 The Executable File Virus
6.1.2.3 The Terminate and Stay Resident (TSR) Virus
6.1.2.4 The Polymorphic Virus
6.1.2.5 The Macro Virus
6.2 Worms
6.2.1 Introduction
6.2.2 Description
6.3 Trojans and Spyware
6.3.1 Introduction
6.3.2 Description
6.4 Rootkits and Backdoors
6.4.1 Introduction
6.4.2 Description
6.5 Logicbombs and Timebombs
6.5.1 Introduction
6.5.2 Description
6.6 Countermeasures
6.6.1 Introduction
6.6.2 Anti-Virus
6.6.3 NIDS
6.6.4 HIDS
6.6.5 Firewalls
6.6.6 Sandboxes
6.7 Good Safety Advice
Lesson 7: Attack Analysis
7.0 Introduction
7.1 Netstat and Host Application Firewalls
7.1.1 Netstat
7.1.2 Firewalls
7.2 Packet Sniffers
7.2.1 Sniffing
7.2.2 Decoding Network Traffic
7.2.3 Sniffing Other Computers
7.2.4 Intrusion Detection Systems
7.3 Honeypots and Honeynets
7.3.1 Types of Honeypots
7.3.2 Building a Honeypot
Lesson 8: Digital Forensics
8.0 Introduction
8.1 Forensic Principles
8.1.0 Introduction
8.1.1 Avoid Contamination
8.1.2 Act Methodically
8.1.3 Chain of Evidence
8.1.4 Conclusion
8.2 Stand-alone Forensics
8.2.0 Introduction
8.2.1 Hard Drive and Storage Media Basics
8.2.2 Encryption, Decryption and File Formats
8.2.3 Finding a Needle in a Haystack
8.2.3.1 find
8.2.3.2 grep
8.2.3.3 strings
8.2.3.4 awk
8.2.3.5 The Pipe (|)
8.2.4 Making use of other sources
8.3 Network Forensics
8.3.0 Introduction
8.3.1 Firewall Logs
8.3.2 Mail Headers
Lesson 9: Email Security
9.0 Introduction
9.1 How E-mail Works
9.1.1 E-mail Accounts
9.1.2 POP and SMTP
9.1.3 Web Mail
9.2 Safe E-mail Usage Part 1: Receiving
9.2.1 Spam, Phishing and Fraud
9.2.2 HTML E-Mail
9.2.3 Attachment Security
9.2.4 Forged headers
9.3 Safe E-mail Usage Part 2: Sending
9.3.1 Digital Certificates
9.3.2 Digital Signatures
9.3.3 Getting a certificate
9.3.4 Encryption
9.3.5 How does it work?
9.3.6 Decryption
9.3.7 Is Encryption Unbreakable?
9.4 Connection Security
Lesson 10: Web Security
10.1 Fundamentals of Web Security
10.1.1 How the web really works
10.1.2 Rattling the Locks
10.1.3 Looking through Tinted Windows - SSL
10.1.4 Having someone else do it for you – Proxies
10.2 Web Vulnerabilities
10.2.1 Scripting Languages
10.2.2 Top Ten Most Critical Web Application Vulnerabilities
10.2.3 Security Guidelines for Building Secure Web Applications
10.3 HTML Basics – A brief introduction
10.3.1 Reading HTML
10.3.2 Viewing HTML at its Source
10.3.3 Links
10.3.4 Proxy methods for Web Application Manipulation
10.4 Protecting your server
10.4.1 Firewall
10.4.2 Intrusion Detection System (IDS)
10.5 Secure Communications
10.5.1 Privacy and Confidentiality
10.5.2 Knowing if you are communicating securely
10.6 Methods of Verification
10.6.1 OSSTMM
10.6.2 OWASP
Lesson 11: Passwords
11.0 Introduction
11.1 Types of Passwords
11.1.1 Strings of Characters
11.1.2 Strings of Characters plus a token
11.1.3 Biometric Passwords
11.2 History of Passwords
11.3 Build a Strong Password
11.4 Password Encryption
11.5 Password Cracking (Password Recovery)
11.6 Protection from Password Cracking
Lesson 12: Legalities and Ethics
12.1. Introduction
12.2. Foreign crimes versus local rights
12.3. Crimes related to the TICs
12.4. Prevention of Crimes and Technologies of double use
12.4.1. The global systems of monitoring: concept "COMINT"
12.4.2. "ECHELON" System
12.4.3. The "CARNIVORE" system
12.5. Ethical Hacking
12.6. The 10 most common internet frauds
Find more computer term definitions at www.webopedia.com, which provided many of the definitions reproduced here.
Anonymous FTP – method by which computer files are made available for downloading by the general public
awk – programming language designed for working with strings.
backdoors – An undocumented way of gaining access to a program, online service or an entire computer system.
Baud – strictly, the number of signalling events (symbols) per second on a line; it equals bits per second only when each symbol carries a single bit, although the word is loosely used to describe the rate at which computers exchange information.
BIOS – basic input/output system. The built-in software that determines what a computer can do without accessing programs from a disk. On PCs, the BIOS contains all the code required to control the keyboard, display screen, disk drives, serial communications, and a number of miscellaneous functions. The BIOS is typically placed in a ROM chip that comes with the
blog (weblogs) – Web page that serves as a publicly accessible personal journal for an
Boolean logic – Boolean logic is a form of algebra in which all values are reduced to either TRUE or FALSE. Boolean logic is especially important for computer science because it fits nicely with the binary numbering system, in which each bit has a value of either 1 or 0. Another way of looking at it is that each bit has a value of either TRUE or FALSE.
Boot sector – The first sector of the hard disk where the master boot record resides, which is a small program that is executed when a computer boots up.
cache – Pronounced cash, a special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.
Client – a program on a local computer that is used to exchange data with a remote computer, see server.
cluster / allocation unit – group of disk sectors. The operating system assigns a unique number to each cluster and then keeps track of files according to which clusters they use
cookies – message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.
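The round trip described in this entry (server sets a cookie, browser stores it and sends it back on later requests) is easier to see in code. The following is an added example by the editor, not part of the original glossary or of the Hacker Highschool lessons. It implements a small browser-style cookie jar and runs a constructed login exchange against the hypothetical hosts shop.example.com and api.example.com, showing which cookies come back over https, over plain http, on a sibling subdomain, to script, and after a cookie's Max-Age has run out.

```python
"""Cookie jar worked example, added by the editor (not from the original
lessons). Parses Set-Cookie headers the way a browser does, stores the
cookies, and decides which ones go back on a later request using the
Domain, Path, Secure, HttpOnly and Max-Age rules of RFC 6265.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    host_only: bool = True              # no Domain attribute: exact host only
    secure: bool = False                # send over https only
    http_only: bool = False             # hidden from document.cookie
    expires_at: Optional[float] = None  # None = session cookie


def default_path(request_path: str) -> str:
    """RFC 6265 s5.1.4: the directory part of the request path, else '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0] or "/"


def parse_set_cookie(header: str, request_url: str, now: float) -> Optional[Cookie]:
    """One Set-Cookie value -> Cookie, or None if the browser must ignore it."""
    url = urlsplit(request_url)
    host = url.hostname.lower()
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), host, default_path(url.path))
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            dom = val.lstrip(".").lower()
            # A server may only set cookies for its own host or a parent
            # domain; Domain=attacker.example from shop.example.com is dropped.
            if host != dom and not host.endswith("." + dom):
                return None
            cookie.domain, cookie.host_only = dom, False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie.expires_at = now + int(val)
    return cookie


def domain_matches(host: str, c: Cookie) -> bool:
    return host == c.domain or (not c.host_only and host.endswith("." + c.domain))


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path-match: a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    def __init__(self) -> None:
        self.cookies: Dict[Tuple[str, str, str], Cookie] = {}

    def store(self, headers: Iterable[str], request_url: str, now: float) -> None:
        """Process the Set-Cookie headers of one response."""
        for header in headers:
            c = parse_set_cookie(header, request_url, now)
            if c is None:
                continue
            key = (c.name, c.domain, c.path)
            if c.expires_at is not None and c.expires_at <= now:
                self.cookies.pop(key, None)  # Max-Age=0 deletes a cookie
            else:
                self.cookies[key] = c

    def cookie_header(self, request_url: str, now: float, from_script: bool = False) -> str:
        """Cookie header the browser attaches to this request (or what
        document.cookie would show when from_script is True)."""
        url = urlsplit(request_url)
        host, path = url.hostname.lower(), url.path or "/"
        chosen = [
            c for c in self.cookies.values()
            if not (c.expires_at is not None and c.expires_at <= now)
            and domain_matches(host, c) and path_matches(path, c.path)
            and not (c.secure and url.scheme != "https")  # no Secure cookie over http
            and not (c.http_only and from_script)         # script can't read HttpOnly
        ]
        chosen.sort(key=lambda c: -len(c.path))  # longer paths first (s5.4)
        return "; ".join(f"{c.name}={c.value}" for c in chosen)


def demo() -> dict:
    """Constructed exchange: a login response sets cookies, then the jar is
    asked what it would send on several later requests."""
    now = 1_000_000.0
    jar = CookieJar()
    jar.store([
        "session=abc123; Path=/; Secure; HttpOnly",
        "theme=dark; Max-Age=3600",
        "promo=xmas; Domain=example.com; Path=/",
        "evil=1; Domain=attacker.example",  # rejected: not a parent domain
    ], "https://shop.example.com/account/login", now)
    orders = "https://shop.example.com/account/orders"
    return {
        "https_same_host": jar.cookie_header(orders, now),
        "http_same_host": jar.cookie_header(orders.replace("https", "http"), now),
        "other_subdomain": jar.cookie_header("https://api.example.com/v1", now),
        "visible_to_script": jar.cookie_header(orders, now, from_script=True),
        "after_expiry": jar.cookie_header(orders, now + 7200),
    }
```

Two points the glossary entry leaves out show up directly in the results: a cookie marked Secure is withheld from a plain-http request, and one marked HttpOnly is withheld from script, which is why session cookies should carry both flags.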
CRC – Cyclic redundancy check.
cyclic redundancy check (CRC) – a common technique for detecting data transmission errors. The transmitted message is treated as one long binary number and divided by a fixed divisor (the generator polynomial); the remainder of that division is appended onto and sent with the message. When the message is received, the computer recalculates the remainder and compares it to the transmitted remainder. If the numbers do not match, an error is
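To make the division-and-remainder description concrete, here is an added example by the editor (not code from the original glossary or from the Hacker Highschool lessons). It implements the reflected CRC-32 used by zlib, gzip, Ethernet and PNG bit by bit, checks it against Python's zlib.crc32, appends the check value to a constructed message, and shows that a single flipped bit is caught while a message that an attacker has altered and re-checksummed passes.

```python
"""CRC-32 worked example, added by the editor (not from the original lessons).

Implements the reflected CRC-32 used by zlib, gzip, Ethernet and PNG
(polynomial 0xEDB88320, init 0xFFFFFFFF, final XOR 0xFFFFFFFF) bit by bit,
then shows append / verify / bit-flip / attacker re-checksum on a
constructed message.
"""
import zlib

POLY = 0xEDB88320  # reflected form of the CRC-32 generator 0x04C11DB7


def crc32(data: bytes, crc: int = 0) -> int:
    """Bitwise CRC-32; gives the same result as zlib.crc32(data, crc)."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            # Long division in GF(2): when the low bit is set, shift it out
            # and XOR in the divisor. The register ends up holding the
            # remainder the glossary entry refers to.
            crc = (crc >> 1) ^ POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def append_crc(message: bytes) -> bytes:
    """Sender side: message followed by its 4-byte CRC (little-endian)."""
    return message + crc32(message).to_bytes(4, "little")


def verify(frame: bytes) -> bool:
    """Receiver side: recompute the CRC of the payload, compare to trailer."""
    if len(frame) < 4:
        return False
    payload, trailer = frame[:-4], frame[-4:]
    return crc32(payload) == int.from_bytes(trailer, "little")


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error by flipping one bit of the frame."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def forge(new_payload: bytes) -> bytes:
    """Attacker side: a CRC contains no secret, so anyone who can change the
    payload can also compute a matching trailer."""
    return append_crc(new_payload)


def demo() -> dict:
    msg = b"transfer 100 to alice"  # constructed sample message
    frame = append_crc(msg)
    return {
        "matches_zlib": crc32(msg) == zlib.crc32(msg),
        "intact_frame_verifies": verify(frame),
        "bit_flip_detected": not verify(flip_bit(frame, 13)),
        "forged_frame_verifies": verify(forge(b"transfer 999 to mallory")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the caveat a practitioner needs: a CRC has no key in it, so it detects accidental corruption but says nothing about tampering; integrity against an adversary needs a keyed MAC or a digital signature.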
DHCP – Dynamic Host Configuration Protocol.
Digital Subscriber Line (DSL) – technology that allows the simultaneous transmission of voice and high-speed data using traditional telephone lines.
DNS – Domain Name System; also used for a Domain Name Server, a host that runs the service.
Domain Name Server (DNS) – service that translates domain names into IP addresses.
domain names – name that identifies one or more IP addresses. For example, the domain name microsoft.com represents about a dozen IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.pcwebopedia.com/index.html, the domain name is pcwebopedia.com.
Every domain name has a suffix that indicates which top level domain (TLD) it belongs to. The set of TLDs is administered centrally by IANA and has grown far beyond the original handful. For example:
.gov - Government agencies
.edu - Educational institutions
.org - Organizations (nonprofit)
.com - Commercial Business
.net - Network organizations
Because the Internet is based on IP addresses, not domain names, any computer that wants to reach a Web server by name needs a Domain Name System (DNS) server to translate the domain name into an IP address.
DSL – Digital Subscriber Line.
Dynamic Host Configuration Protocol (DHCP) – protocol by which a host joining a network automatically obtains its IP address and related settings (netmask, default gateway, DNS servers) from a DHCP server instead of being configured by hand.
E-mail – service which allows for the transmission of simple messages across networks.
ethereal – a packet sniffer that records and decodes traffic on your computer; the project has since been renamed Wireshark.
ethernet – local-area network (LAN) architecture developed by Xerox Corporation in cooperation with DEC and Intel in 1976. It is one of the most widely implemented LAN
file signature – short sequence of bytes (commonly two to eight, also called magic bytes) at the start of a file which identifies what kind of file it
file transfer protocol (FTP) – Used to allow local computers to download files from remote
filtered (ports) – ports for which a firewall examines the header of a packet that is directed to that port and determines whether or not to let it through (see open ports).
firewall – system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both.
forums – An online discussion group. Online services and bulletin board services (BBS's) provide a variety of forums, in which participants with common interests can exchange open
FTP – File transfer protocol.
GCHQ – Government Communications Headquarters, is an intelligence and security organization in the UK.
grep – Short for global-regular-expression-print, a UNIX utility that searches one or more files for a string or regular expression and outputs all the lines that match. grep only searches; to replace the matched text with something else, use sed or awk.
HIDS – host-based intrusion detection system; an IDS that runs on, and watches the files, logs and processes of, a single host (compare NIDS).
honeypot – An Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system.
http – hypertext transfer protocol
hub – common connection point for devices in a network. Hubs are commonly used to connect segments of a LAN.
Hypertext – a method of organizing and presenting data that allows the user to easily move between related items.
hypertext transfer protocol (http) – The underlying protocol used by the World Wide Web, HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.
IANA – Internet Assigned Numbers Authority.
ICMP – Internet Control Message Protocol.
IM – Instant messaging.
Instant messaging (IM) – a type of communications service that enables you to create a kind of private chat room with another individual in order to communicate in real time over the Internet, analogous to a telephone conversation but using text-based, not voice-based,
interfaces – boundary across which two independent systems meet and act on or communicate with each other.
Internet Assigned Numbers Authority (IANA) – An organization working under the auspices of the Internet Architecture Board (IAB) that is responsible for assigning new Internet-wide IP
Internet Control Message Protocol (ICMP) – An extension to the Internet Protocol (IP) defined by RFC 792. ICMP supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection.
internet protocol (IP) – IP specifies the format of packets, also called datagrams, and the addressing scheme. Most networks combine IP with a higher-level protocol called Transmission Control Protocol (TCP), which establishes a virtual connection between a destination and a source.
Internet Relay Chat (IRC) – service which allows for real-time, text-based communication between Internet users.
Internet Service Provider (ISP) – company which provides users with access to the Internet
IP – Internet protocol.
IP address – An identifier for a computer on the internet or on a TCP/IP network. An IPv4 address is a 32-bit number written as four decimal numbers separated by periods, each from 0 to 255; for example, 61.160.10.240 could be an IP address. (IPv6 addresses are 128 bits long and are written in hexadecimal groups separated by colons.)
ipconfig – Windows tool to display information on the active interfaces on a computer (the Linux equivalents are ifconfig and ip addr).
IRC – Internet Relay Chat.
ISP – Internet Service Provider, a company which provides users with access to the Internet
logicbombs – code designed to execute when a specific activity occurs on a network or
loopback – when a computer refers to itself. Loopback address is a special IP number (127.0.0.1) that is designated for the software loopback interface of a machine. The loopback interface has no hardware associated with it, and it is not physically connected to a network.
MAC – Media access control.
MD5 hash – A one-way hash function, meaning that it takes a message of any length and converts it into a fixed-size string of digits, also called a message digest; in a digital signature it is this digest, not the whole message, that gets signed. MD5 was designed for 32-bit machines as a stronger replacement for MD4, but it has itself been broken: collisions (two different inputs with the same digest) can be produced in seconds, so it must not be used for signatures, certificates or integrity checks where an attacker may be present. Use SHA-256 or stronger instead.
media access control (MAC) – hardware address that uniquely identifies each node of a
Modem – Modulator/Demodulator, a device which translates digital signals into analog signals, and analog signals back into digital signals, allowing computers to communicate with each other through analog telephone lines.
MS-DOS (Microsoft Disk Operating System) – MS-DOS is an Operating System. Mainly it allows the communication between users and PC hardware, and it also manages available resources, such as memory and CPU usage.
netstat – command which displays a host's network connections, listening ports, interface statistics and routing table.
network intrusion detection (NIDS) – Intrusion detection system in which the individual packets flowing through a network are analyzed.
newsgroups – Same as forum, an on-line discussion group.
NIDS – Network intrusion detection.
nmap – a network scanner which probes a computer (or a whole network) for open ports and tries to identify the services and operating system behind them.
NSA – The National Security Agency is the United States' cryptologic organization. It coordinates, directs, and performs highly specialized activities to protect US information systems and produce foreign intelligence information.
open (ports) – ports on which a service is listening and to which packets are allowed through, so that a connection attempt gets an answer (see filtered ports).
operating system – The underlying program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers. Some Operating Systems are Windows, Linux and UNIX.
P2P – Peer-to-peer.
packet sniffer – program and/or device that monitors data traveling over a network.
packets – piece of a message transmitted over a packet-switching network.
password cracking – the process of attempting to determine an unknown password.
peer-to-peer (P2P) – a type of network in which each workstation has equivalent capabilities and responsibilities.
ping – utility to determine whether a specific IP address is reachable. It works by sending an ICMP echo request packet to the specified address and waiting for the echo reply; a firewall that drops ICMP makes a live host look unreachable.
Plain Old Telephone Service (POTS) – Used to describe basic, old-fashioned telephone service.
POP – Post Office Protocol, a protocol used to retrieve e-mail from a mail server. Most e-mail applications (sometimes called an e-mail client) use the POP protocol, although some can use the newer IMAP (Internet Message Access Protocol).
ports – An interface on a computer to which you can connect a device. Personal computers have various types of ports. Internally, there are several ports for connecting disk drives, display screens, and keyboards. Externally, personal computers have ports for connecting modems, printers, mice, and other peripheral devices. In networking, a port is instead a 16-bit number (0 to 65535) that, together with the IP address, identifies a particular service on a host, such as 80 for HTTP or 22 for SSH (see open ports, filtered ports).
POTS – Plain old telephone service.
ppp – Point-to-Point Protocol, a method of connecting a computer to the Internet. PPP is more stable than the older SLIP protocol and provides error checking features.
privileged access – privilege to use computer information in some manner. For example, a user might be granted read access to a file, meaning that the user can read the file but cannot modify or delete it. Most operating systems have several different types of access privileges that can be granted or denied to specific users or groups of users.
protocol – An agreed-upon format for transmitting data between two devices.
RAM (Random Access Memory) – a type of computer memory that can be accessed randomly; that is, any byte of memory can be accessed without touching the preceding
rootkits – malware that creates a method to retain privileged access to a machine while hiding its own files, processes and network connections from the administrator, typically by modifying the operating system or its tools.
router – device that forwards data packets along networks. A router is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect. Routers use headers and forwarding tables to determine the best path for forwarding the packets, and they use routing protocols such as OSPF and BGP to exchange routes with each other and work out the best route between any two hosts (ICMP is used to report errors such as an unreachable destination, not to exchange routes).
routing / routing table – In internetworking, routing is the process of moving a packet of data from source to destination; it is usually performed by a dedicated device called a router. The routing table is the list a router (or any host) consults to decide which next hop a packet for a given destination network should be sent to.
sandbox – an isolated environment in which untrusted code runs with restricted rights, so that whatever it does cannot reach the rest of the system. The original example is the Java applet sandbox: a set of rules that prevents certain functions when an applet is sent as part of a Web page.
script kiddie – person who runs hacking tools without knowing how or why they work.
sectors – The smallest unit that can be accessed on a disk.
Secure Shell – protocol designed as a more secure replacement for telnet; it encrypts the whole session and authenticates the server, so passwords and commands cannot be read by a packet sniffer.
Server – program on a remote computer that is used to provide data to a local computer, see client.
Services – Network services allow local computers to exchange information with remote
SMTP – Simple Mail Transfer Protocol, a protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP
social engineering – The act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information.
spyware – Any software that covertly gathers user information through the user's Internet connection without his or her knowledge
SSH – Secure Shell, a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another.
switch – In networks, a device that filters and forwards packets between LAN segments.
TCP – Transmission Control Protocol. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
TCP/IP – Transmission Control Protocol/Internet Protocol. The suite of communications protocols used to connect hosts on the Internet.
tcpdump – a packet sniffer that records traffic on your computer.
Telnet – a protocol that allows a local user to connect to a remote computer and access its
timebombs – code designed to execute at a specific time on a network or computer, for example when the expiration date is reached on a trial software.
topologies – The shape of a local-area network (LAN) or other communications system.
tracert – Windows utility (traceroute on Linux and UNIX) that traces a packet from your computer to an Internet host, showing how many hops the packet requires to reach the host and how long each hop takes.
tracks – ring on a disk where data can be written. A typical floppy disk has 80 (double-density) or 160 (high-density) tracks. For hard disks, each platter is divided into tracks, and a single track location that cuts through all platters (and both sides of each platter) is called a cylinder. Hard disks have many thousands of cylinders.
trojans – destructive program that masquerades as a benign application. Unlike viruses, Trojans do not replicate themselves but they can be just as destructive.
Web Browser – a program that allows users to connect to web servers and view the pages stored on them.
Web Server – computer where web pages are kept to be accessed by other computers.
weblogs (blogs) – Web page that serves as a publicly accessible personal journal for an
Whois – An Internet utility that returns information about a domain name or IP address.
World Wide Web (www) – service for the transmission and presentation of hypertext.
worms – program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
Zine – Small, often free magazine, usually produced by hobbyists and amateur journalists.
Table of Contents
"License for Use" Information
Contributors
1.0 Introduction
1.1 Resources
1.1.1 Books
1.1.2 Magazines and Newspapers
1.1.3 Zines and Blogs
1.1.4 Forums and Mailing Lists
1.1.5 Newsgroups
1.1.6 Websites
1.1.7 Chat
1.1.8 P2P
1.2 Further Lessons


Contributors
Pete Herzog, ISECOM
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM
1.0 Introduction
Welcome to the Hacker Highschool program! This program is designed to encourage you to be well-rounded and resourceful. The core instruction theme is to harness the hacker curiosity in you and to guide you progressively through your hacker education to help you grow into a responsible role, capable of determining security and privacy problems and making proper security decisions for yourself.
While there is a thrill to hacking partly because of the illegal nature of computer trespass, we want to show you that it is just as big a thrill to alert others about lapses in security and make them public without worrying about going to jail over it. As a citizen of most countries, it is not only your right, but your responsibility, to report security and privacy leaks to the proper authorities. You do this not because you can, but because many other people can't. You are helping those who can't help themselves. This is what watchdog groups do. This is what you will learn to do.
1.1 Resources
This lesson is about how to learn – a critical skill for a hacker. Hacking, in reality, is a creative process that is based more on lifestyle than lesson. We can't teach you everything that you need to know, but we can help you recognize what you need to learn. This is also true due to the constant advances in the computer sciences. What we teach today may not be relevant tomorrow. It is much better for you to embrace hacker learning habits, which are probably the most vital part of hacking and will separate you from the script kiddie (a person who runs hacking tools without knowing how or why they work).
Words and concepts you don't understand in this workbook may require research on the web or in a library. If you don't understand a word or a topic, it is essential you look it up. Ignoring it will only make it difficult for you to understand concepts in other workbooks. The other workbooks may ask you to investigate a topic on the web and then expect you to use the information that you find on the web to complete the exercises in that workbook – but those workbooks won't explain to you how to do this research. This workbook is the only one with a thorough explanation of how to research built into it, so be sure to spend as much time as you need to learn how to research using the various resources available to you.
Don't just limit yourself to computers, hacking, and the internet. Great hackers are well-rounded and creative. Many of them are painters, writers, and designers. Hacking skills can also be applied to other fields, such as Political Science (see The Prince by Machiavelli for an
Besides being interested in other fields, you should be interested in how other businesses operate. Reading books on everything from psychology to science fiction will make you a much more versatile and functional hacker. Remember, hacking is about figuring out how things work regardless of how they were designed to work. This is how you expose insecurities, vulnerabilities, and leaks.
1.1.1 Books
Books are a great way to learn the foundation and factual science of all that you are willing to explore. Want to know something about the fundamentals of a science, like the hardware details of your PC? Nothing will help you more than reading a current book on the subject. The main problem with books for computers is that they quickly become old. The secret is to learn to see the fundamental structure underneath the thin skin of details. MS-DOS and Windows are clearly different, but both are based on principles of Boolean logic that have driven computers since Ada, Countess of Lovelace, wrote the first computer programs in the nineteenth century. Security and privacy concerns may have changed in the last 2,500 years, but The Art of War by Sun Tzu covers fundamental principles that still apply today.
Even though information found in books may not be as 'up to date' as information that comes from other sources, you will find that the information you find in books is more likely to be factually accurate than that which comes from other sources. A writer spending a year writing a book is more likely to check facts than someone who is updating a blog six times a day. (See Section 1.1.3 Zines and Blogs for more information.) But remember – accurate does not mean unbiased.
It's not necessary to start a library of your own, but you may want to write notes in margins or otherwise mark what you read, and this is something you can only do in your own books.
Finally, don't look at a book and give up before you even start just because of the size and complexity. Most of these massive tomes that you see sitting around are not read from cover to cover. Think of them as prehistoric web pages. Open one up to a random page and begin to read. If you don't understand something, go backward and look for the explanation (or skip forward to something that does make sense). Jump through the book, backwards and forwards, just as you would bounce from link to link in a web page. This type of non-linear reading is often much more interesting and satisfying for hackers, as it's about satisfying curiosity more than it is about "reading".
1.1.2 Magazines and Newspapers
The use of magazines and newspapers is highly encouraged for providing concise, timely information. However, magazines are usually short on details and often focus too much on the zeitgeist of the community. This is something that a hacker needs to know – social engineering and password cracking, in particular, are more effective if you have a solid grounding in pop culture – but you also need to know that 'pop journalism' isn't always 'accurate journalism'.
Another issue you should consider is the topic or theme of the magazine. A Linux magazine will attempt to down-play Microsoft Windows, because it is a conflicting theme and that is what their main readers want to read.
The best way to combat these two flaws is by being well and widely read. If you read an interesting fact in a magazine, look into it further. Pretend that you believe it, and look for confirmations, then pretend that you don't believe it, and look for rebuttals.
A. Search the Web for 3 online magazines regarding Security.
B. How did you find these magazines?
C. Are all three magazines about computer security?
1.1.3 Zines and Blogs
Zines are small, often free magazines that have a very small distribution (less than 10,000 readers) and are often produced by hobbyists and amateur journalists. Zines, like the famous 2600 zine or the Phrack hacking web zine, are written by volunteers and the producers do not edit the content for non-technical errors. This means the language can be harsh for those not anticipating such writing. Zines have a very strong theme and are very opinionated. However, they are more likely to show and argue both sides, as they do not care to, nor have to, appease advertisers and subscribers.
Blogs are a modernization of the zine. Blogs are updated more often and use communities to tie in very strong themes. Like zines, however, anyone may criticize a story and show an opposing opinion. For blogs, it is important to read the commentary just as much as the story.
Exercises:
A. Search the Web for 3 zines regarding computer security.
B. How did you find these zines?
C. Why do you classify these as zines? Remember, just because they market it as a zine or put "zine" in the title does not mean it is one.
D. Search the Web for 3 blogs regarding computer security.
E. What communities are these associated with?
1.1.4 Forums and Mailing Lists
Forums and mailing lists are communally developed media, much like a recording of a series of conversations at a party. The conversations shift focus often, much of what is said is rumor, and, when the party is over, no one is certain who said what. Forums and mailing lists are similar, because there are many ways for people to contribute inaccurate information (sometimes intentionally) and there are also ways for people to contribute anonymously. And, since topics and themes change quickly, it's important to read the whole thread of comments and not just the first few in order to get the best information.
You can find forums on almost any topic, and many online magazines and newspapers offer forums for readers to write opinions regarding published articles. In this case, forums are invaluable for getting more than one opinion on an article, because, no matter how much you liked the article, there is certain to be someone who didn't.
Many mailing lists exist on special topics, but these are hard to find. Often you must look for an idea before you find a mailing list community supporting it.
For a hacker, what is most important to know is that many forums and mailing lists are not searchable through major search engines. While you might find a forum or a list through a topic search in a search engine, you may not find information on individual posts. This information is called "the invisible web", as it contains information and data that is invisible to many since a very specific search is needed, often through meta-search engines or only directly on the website of the forum.
Exercises:
A. Find 3 computer security forums.
B. How did you find these forums?
C. Can you determine the whole theme of the website?
D. Do the topics in the forums reflect the theme of the website hosting them?
E. Find 3 computer security mailing lists.
F. Who is the "owner" of these lists?
G. On which list would you expect the information to be more factual and less opinionated, and why?
1.1.5 Newsgroups
Newsgroups have been around a long time. There were newsgroups long before the Web existed. Google acquired the largest archive of Usenet newsgroup posts (the Deja News archive) and put it online at http://groups.google.com. You will find posts in there going back to the 1980s and early 1990s. This archive is important for finding who is the original owner of an idea or a product. It is also useful for finding obscure information that is perhaps too small a topic for someone to put on a web
Newsgroups are not used less today than they were years ago, before the web became the mainstream for sharing information. However, they also haven't grown, as their popularity is replaced by new web services like blogs and forums.
Exercises:
A. Using Google's groups, find the oldest newsgroup posting you can about security.
B. Find other ways to use newsgroups - are there applications you can use to read
C. How many newsgroups can you find that talk about computer hacking?
1.1.6 Websites
The de facto standard for sharing information is currently through a web browser. While we classify this all as "the web", the real term is "web services", as not everything on the web is a website. If you check e-mail using a web browser, you are using a web service. Often, web services require privileges. This means you need a login name and password to gain access. Having access and the legal right to access (being authorized) is known as having "privileges". Hacking into a website so that you can change the page may give you access, but since it is not your legal right to do so, it is not privileged access. We are only concerned with having privileged access, but as your experience grows with using the web, you will find many places that give access to privileged areas by accident. As you find this, you should get into the habit of reporting it to the website owner, and of not downloading or using what was exposed.
Websites are searchable through a large number of search engines. It's even possible to make your own search engine, if you have the time and hard drive space. Often, it's the search engines that get privileged access and pass it on to you. Sometimes it is in the form of a cache. A cache, in this sense, is a copy of a page that the search engine stored on its own servers when its crawler last fetched the page. If you click on the link that says cached, instead of the actual link, you will see the page as the search engine found it during its crawl. The search engines keep this copy so that what they show you matches what they indexed; if, for instance, a page goes down or is changed between the time the search engine visited it and the time that you try to access it, you can still see what was found. You can also use the cached pages for other purposes, such as bypassing a slow server.
One of the most useful public caches is at http://www.archive.org. Here you will find cached versions of whole websites from over the years.
One final note on websites: do not assume you can trust the content of the websites you visit just because they appear in a search engine. Many hacker attacks and viruses are spread just by visiting a website or downloading programs to run. You can safeguard yourself by not downloading programs from untrusted websites and by making sure the browser you use is up-to-date on security patches.
Exercises:
A. Using a search engine, find sites that may have mistakenly given privileged access to everyone. To do this, we will look for directory listings, which are what a web server shows when you don't go directly to the right web page and the server is configured to list the folder instead. To do this, we will go to http://www.google.com and enter this into the search box:
allintitle: "index of" .pdf
Click on a link in the results and you should find one that looks like a directory listing.
This type of searching is also known as Google Hacking.
B. Can you find other types of documents in this way using Google? Find 3 more directory listings which contain .xls files and .avi files.
C. There are many search engines out there besides Google. A good researcher knows how to use them all. Some websites specialize in tracking search engines, such as http://www.searchengine.com. However, there are many more and you can generally find them by using search engines. There is even a search engine for "the invisible web". Find 10 search engines which are NOT meta search engines.
D. Search for "security testing and ethical hacking" and list the top 3 answers.
E. Search for the same without the quotes and give the top 3 answers. Are they different?
F. It is very different to search for a topic than it is to search for a word or phrase. In exercise D, you searched for a phrase. Now you will search for an idea. To do this, you need to think about what you want and how you want to find it. For example, you want to find an online resource of magazines for ethical hacking. If you enter online resource of magazines for ethical hacking into a search engine, you will get a number of opinions about the topic. This is helpful but not as helpful as actually getting the resource. Instead, you need to think, "If I was to make such a resource, what information would be in there and what key words could I pick from that information?" Put the following words and phrases into a search engine and find out which provides the best results for your search:
1. my favorite list of magazines on ethical hacking
2. list of ethical hacking magazines
3. resources for ethical hackers
4. ethical hacking magazine
5. magazines ethical hacking security list resource
G. Find the oldest website from Mozilla in the Internet Archive. To do this you need to search on "www.mozilla.org" at the http://www.archive.org website.
H. Now to put it all together, let's say you want to download version 1 of the Netscape web browser. Using search engines and the Internet Archive, see if you can locate and download version 1 (but don't install it).
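Exercise A finds directory listings by hand. The shell script below is an added example (it is not part of the lesson) showing the check you would run on a page you have already saved to disk: does it look like an auto-generated "Index of" listing, what does it expose, and which of those files deserve a report to the site owner. The two HTML samples are constructed to mimic Apache/nginx autoindex output and an ordinary page, so the script needs no network access.

```shell
#!/bin/sh
# Added example: recognise an exposed directory listing in saved HTML and
# list what it leaks. The two samples are constructed, not real captures.

SAMPLE_LISTING='<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="../">Parent Directory</a>
<a href="db-dump.sql">db-dump.sql</a>     2004-03-12 10:22  3.1M
<a href="notes.pdf">notes.pdf</a>         2004-02-01 09:01  200K
<a href="site.tar.gz">site.tar.gz</a>     2004-01-28 17:45  8.0M
<a href="budget.xls">budget.xls</a>       2004-01-15 11:11   40K
<a href="readme.txt">readme.txt</a>       2004-01-10 08:00    2K
</pre></body></html>'

SAMPLE_NORMAL='<html><head><title>Welcome</title></head>
<body><h1>Our company</h1><a href="about.html">About us</a></body></html>'

# Prints "yes" if the HTML on stdin looks like an autoindex page, else "no".
# Apache and nginx both put "Index of /<dir>" in the title and first heading;
# a hand-written page almost never does.
is_directory_listing() {
    if grep -Eqi '<(title|h1)>[[:space:]]*Index of /'; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# One exposed entry per line: every href except the column-sort links
# (they start with "?") and the parent-directory link.
listing_entries() {
    sed -n 's/.*<a href="\([^"]*\)".*/\1/p' | grep -v '^?' | grep -v '^\.\./$'
}

# Entries whose extension suggests data that should not be public.
flag_sensitive() {
    listing_entries | grep -Ei '\.(sql|bak|old|zip|tar\.gz|tgz|xls|pdf|conf|env|log)$'
}

# One-line verdict for the page on stdin.
report() {
    page=$(cat)
    if [ "$(printf '%s\n' "$page" | is_directory_listing)" = yes ]; then
        total=$(printf '%s\n' "$page" | listing_entries | grep -c .) || true
        bad=$(printf '%s\n' "$page" | flag_sensitive | grep -c .) || true
        printf 'EXPOSED: %s entries, %s sensitive\n' "$total" "$bad"
    else
        printf 'not a directory listing\n'
    fi
}

printf '%s\n' "$SAMPLE_LISTING" | report   # EXPOSED: 5 entries, 4 sensitive
printf '%s\n' "$SAMPLE_NORMAL" | report    # not a directory listing
```

To use it on a real page, save the page with your browser (or fetch it with a command-line client) and pipe the file into report. The check only reads what the server already handed out; the point of the exercise is to recognise the exposure and report it, not to pull the files.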
1.1.7 Chat
Chat, whether Internet Relay Chat (IRC) or Instant Messaging (IM), is a very popular way of quickly communicating with others.
As a research source, chat is extremely inconsistent, because you will be dealing with individuals in real time. Some will be friendly, and some will be rude. Some will be harmless pranksters, but some will be malicious liars. Some will be intelligent and willing to share information, and some will be completely uninformed, but no less willing to share. It can be difficult to know which is which.
However, once you get comfortable with certain groups and channels, you may be accepted into the community, you will be allowed to ask more and more questions, and you will learn who you can trust. Eventually you will be able to learn the very newest security information (also known as "zero day": a vulnerability or exploit that has only just been discovered and for which no fix yet exists) and advance your own knowledge.
Exercises:
A. Find 3 chat programs to use for instant messaging. What makes them different? Can they all be used to talk to each other?
B. Find out what IRC is and how you can connect to it. Once you are able to connect, enter the ISECOM chat room as announced on the front page of http://www.isecom.org.
C. How do you know which channels exist to join in IRC? Find 3 computer security channels and 3 hacker channels. Can you enter these channels? Are there people talking or are they "bots"?
1.1.8 P2P
Peer to Peer, also known as P2P, is a network inside the Internet. Instead of many local computers communicating with each other through a centralized, remote computer, the computers in a P2P network communicate directly with each other. Most people associate P2P with the downloading of mp3s and pirated movies; however, many other P2P networks exist, both for the purpose of exchanging a wide variety of information and as a means to conduct research on distributed information sharing. One website dedicated to teaching about this, http://infoanarchy.org, is based on the premise that information should be free. On the Infoanarchy website, you can find a listing of available P2P networks and clients.
The problem with P2P networks is that, while you can find information on just about anything on them, some of that information is on the network illegally. The Hacker Highschool program doesn't condone the use of P2P to illegally download intellectual property, but there is no question that P2P networks can be a vital resource for finding information. Remember: there is nothing illegal about P2P networks (there are a lot of files that are available to be freely distributed under a wide variety of licenses), but there are also a lot of files on these networks that shouldn't be there. Don't be afraid to use P2P networks, but be aware of the dangers. A file on a P2P network comes from a stranger, so treat every download as untrusted and compare it against a hash or signature published by the real author before you run it.
1.2 Further Lessons
Now you should practice to master the skill of researching. The better you get at it, the more information you can find quickly, and the faster you will learn. To help you become a better researcher for the Hacker Highschool program, here are some additional topics and terms for you to investigate:
Meta Search
The Invisible Web
Google Hacking
How Search Engines Work
The Open Source Search Engine
Lesson 2: Basic Commands in Linux and Windows
Table of Contents
"License for Use" Information
2.1. Introduction and Objectives
2.2. Requirements and Setup
2.2.1 Requirements
2.2.2 Setup
2.3. System Operation: WINDOWS
2.3.1 How to open an MS-DOS window
2.3.2 Commands and tools (Windows)
2.4. System Operations: Linux
2.4.1 How to open a console window
2.4.2 Commands and tools (Linux)
2.5. Exercises
2.5.1 Exercises in Windows
2.5.2 Exercises in Linux
2.5.3 Exercise 3
Daniel Fernández Bleda, Internet Security Auditors
Jairo Hernández, La Salle URL Barcelona
Jaume Abella, La Salle URL Barcelona - ISECOM
Kim Truett, ISECOM
Pete Herzog, ISECOM
Marta Barceló, ISECOM
2.1. Introduction and Objectives
This lesson introduces commands and basic tools for both the Windows and Linux operating systems so that you can become familiar with them. These commands will be used to complete the exercises in the following lessons.
At the end of this lesson, you should know the following commands:
General Windows and Linux commands
Basic network commands and tools
- ping
- tracert
- netstat
- ipconfig
- route
2.2. Requirements and Setup
2.2.1 Requirements
For the lesson, the following are needed:
- a PC with Windows 98/Me/2000/NT/XP/2003
- a PC with Linux (Suse/Debian/Knoppix)
- access to the Internet.
2.2.2 Setup
This is the setup in which you are going to work. It consists of your PC, with access to the Internet, and the ISECOM Hacker Highschool network, which you will access through the Internet. This is the network against which you will make most of the tests.
Note that access to the ISECOM test network is restricted. In order to gain access to it, your instructor must contact the system administrator, as detailed on the www.hackerhighschool.org web site.
2.3. System Operation: WINDOWS
Most of the tools used for the study of networks are internal commands of the Windows operating system. Therefore, we are going to explain how to open a command window when the Windows operating system is being used.
2.3.1 How to open an MS-DOS window
To issue the following commands, it is necessary to open a command prompt (an MS-DOS window). The procedure for this is the same for all versions of Windows.
1.- Click the START button
2.- Choose the RUN option
3.- Type "command" if you are using Windows 95/98 or "cmd" for all other versions of Windows and press Enter or click OK.
4.- A window similar to the following one will appear:
5.- Now the commands and tools listed below can be entered.
2.3.2 Commands and tools (Windows)
date: Display or set the date of the system
time: Display or set the time of the system
ver: Display the version of Windows (or MS-DOS) that is being used
dir: Display the list of subdirectories and files of a directory
cls: Clear the screen
md directory: Make a directory with the name "directory". Example: md tools
chdir, cd directory: Display the name of the current directory, or change it to "directory". Example: cd tools
rmdir, rd directory: Delete the directory with the name "directory". Example: rd tools
tree directory: Display the structure of folders of a path in text-graphic format. Example: tree c:\tools
chkdsk: Check a disk and show a status report
mem: Show the amount of memory used and free in the system
ren source dest: Change the name of files. Example: ren oldname newname
copy source dest: Copy one or more files to another location. Example: copy c:\tools\myfile.txt c:\tmp
move source dest: Move files, and change the name of files and directories. Example: move c:\tools c:\tmp
type file: Print the content of one or more text files. Example: type c:\tools\myfile.txt
more file: Display the information screen by screen. Example: more c:\tools\myfile.txt
del, erase file: Delete one or more files. Example: del c:\tools\myfile.txt
Note: The placeholders (directory, file, source, dest) are not commands and must be replaced by the desired values. Some of the commands can be used by typing either their long version or their short version; for example, "erase" and "del" are the same command, as are "chdir" and "cd".
ping host: Verify contact with the machine "host".
The command ping sends "packets" using ICMP (Internet Control Message Protocol) to another computer, to learn whether it is accessible through the network. In addition, it shows a statistical summary: the percentage of packets that were not answered and the response times. The name of the machine can be used directly, or its IP address. Keep in mind that a host that does not answer ping is not necessarily down; many firewalls simply drop ICMP echo requests.
Examples: ping www.google.com
ping 193.145.85.2
Some options are:
-n N: send N packets
-t: ping the specified host until stopped (press CTRL+C to end)
To see more options: ping /?
tracert host: Show the route that packets follow to reach the machine "host".
The command tracert is the abbreviation of trace route. It sends packets with an increasing time-to-live (TTL); each router that discards an expired packet sends back an ICMP error, and that reply reveals the router's address and the time it took to reach it. This is how you learn the route a packet follows from the origin (your machine) to the destination machine and the time of each hop. At most 30 hops will be listed. It is sometimes interesting to observe the names of the machines through which the packets travel.
Examples: tracert www.google.com
tracert 193.145.85.2
Some options are:
-h N: list at most N hops.
-d: do not resolve addresses to machine names (faster).
To see more options: tracert (with no arguments)
ipconfig: Display information on the active interfaces (ethernet, ppp, etc.) in the computer.
Some options:
/all: show more details (physical address, DHCP server, DNS servers)
/renew name: renew the DHCP lease of the connection "name" when automatic configuration with DHCP is used.
/release name: release the DHCP lease of the matching connections, which deactivates them.
To see more options: ipconfig /?
route print: Display the routing table.
The command route serves to define static routes, to erase routes or simply to see the state of the routes.
Some options:
print: show the list of routes.
delete: delete a route.
add: add a route.
To see more options: route /?
netstat: Display information on the status of the network and the established connections with remote machines.
Some options:
-a: show all connections and listening ports
-n: display addresses and port numbers in numeric form
-e: show Ethernet statistics
For example: netstat -an
To see more options: netstat /?
For additional information on these commands and tools, type "command /?" (most also accept "command /h") from an MS-DOS window, or "help command" for the commands built into the command interpreter such as dir, copy and del. Tools like netstat, ping and tracert are separate programs, so "help" does not cover them and you have to use /?.
For example, for additional information on the tool netstat, there are two possibilities:
1) netstat /h
2) netstat /?
2.4. System Operations: Linux
Just as in Windows, if you are using Linux, the great majority of the commands that you will use are executed from a console (terminal emulator) window. Therefore, we will next learn how to open a console window in Linux.
2.4.1 How to open a console window
To issue the following commands, it is necessary to open a console window:
1. - Go to the START APPLICATION button
2. - Select "Run Command"
3. - Enter "konsole"
4. - A window similar to the following one will appear:
5. - Now the commands and tools listed below can be entered.
2.4.2 Commands and tools (Linux)
pwd: Display the name of the current directory.
hostname: Display the name of the local host (the computer which you are currently using).
finger user: Display information on the user "user". Example: finger root
ls: List the content of directories. Example: ls -la
cd directory: Change from the current directory to "directory". If no directory name is specified it changes to the home directory; for the login name "mylogin" that is /home/mylogin.
$ cd -    changes to the last visited directory
$ cd /tmp    changes to the "tmp" directory
cp source dest: Copy files. Copy the file "source" to the file "dest". Example: cp /etc/passwd /tmp
rm file: Delete files. What you need is write permission on the directory that contains the file, not ownership of the file itself; root can delete anything. Example: rm myfile
mv source dest: Move or rename files and directories. Example: mv oldname newname
mkdir directory: Make a directory with the name "directory". Example: mkdir tools
rmdir directory: Delete the directory with the name "directory" if it is empty. Example: rmdir tools
find / -name file: Find a file with the name "file", beginning the search in the root directory. Searching from / can take a while and prints an error for every directory you are not allowed to read; append 2>/dev/null to hide those. Example: find / -name myfile
echo string: Write the string "string" to the standard output. Example: echo hello
command > file: Redirect the normal screen output of the command "command" to the file "file", replacing the file if it already exists. Example: ls > myls
command >> file: Redirect the normal screen output of the command "command" to the file "file". If the file already exists, the output is appended to the end of the file. Example: ls >> myls
man command: Show the pages of the online manual about "command". Example: man ls
Note: The placeholders (directory, file, source, dest, user, host) are not commands and must be replaced by the desired values.
For additional information on the use of these commands and tools, type "command --help" or "man command" in the console window.
For example, for additional information on the "ls" command, type either of these two:
1) ls --help
2) man ls
Tools (please see the Windows section for details on these tools):
ping host: Verify contact with the machine "host". Note that on Linux ping keeps sending until you press CTRL+C; use -c N to send only N packets. Example: ping www.google.com
traceroute host: Show the route that the packets follow to reach the machine "host". Example: traceroute www.google.com
ifconfig: Display information on the active interfaces (ethernet, ppp, etc.)
route: Display the routing table
netstat: Display information on the status of the network. Example: netstat -an
Basic command equivalences for Windows/Linux
This is a table showing the basic command equivalences between Linux and Windows. Commands are executed from a shell (in Linux) or from an MS-DOS window (in Windows).
Linux                Windows
command --help       command /h, command /?
man command          help command
cp                   copy
rm                   del
mv                   move
mv                   ren
more, less, cat      type
lpr                  print
rm -R                deltree
ls                   dir
cd                   cd
mkdir                md
rmdir                rd
route                route print
traceroute           tracert
ping                 ping
ifconfig             ipconfig
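The tools above print their results for a human to read. When you answer the exercises that follow (packet loss, the IPs of the intermediate routers, which ports are listening) it helps to know how to pull those values out mechanically with awk and sed. The script below is an added example, not code from the lesson: the ping, traceroute, tracert and netstat samples are constructed (RFC 5737 documentation addresses, not real captures) but follow the real output formats of the Linux tools and of Windows tracert.

```shell
#!/bin/sh
# Added example: extract the numbers that matter from ping, traceroute,
# tracert and netstat output. All four samples below are constructed.

SAMPLE_PING='PING www.example.com (198.51.100.10) 56(84) bytes of data.
64 bytes from 198.51.100.10: icmp_seq=1 ttl=56 time=11.2 ms
64 bytes from 198.51.100.10: icmp_seq=2 ttl=56 time=10.8 ms
64 bytes from 198.51.100.10: icmp_seq=4 ttl=56 time=12.0 ms

--- www.example.com ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3004ms
rtt min/avg/max/mdev = 10.800/11.333/12.000/0.497 ms'

SAMPLE_TRACEROUTE='traceroute to www.example.com (198.51.100.10), 30 hops max, 60 byte packets
 1  gateway (192.0.2.1)  0.512 ms  0.498 ms  0.470 ms
 2  192.0.2.254 (192.0.2.254)  3.201 ms  3.150 ms  3.102 ms
 3  * * *
 4  203.0.113.9 (203.0.113.9)  9.870 ms  9.800 ms  9.777 ms
 5  198.51.100.10 (198.51.100.10)  11.210 ms  11.100 ms  11.050 ms'

SAMPLE_TRACERT='Tracing route to www.example.com [198.51.100.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.0.2.1
  2     *        *        *     Request timed out.
  3    10 ms    11 ms    10 ms  198.51.100.10

Trace complete.'

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:49152        198.51.100.10:80        ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Percentage of probes that got no answer (the "packet loss" figure).
ping_loss_percent() {
    sed -n 's/.* \([0-9][0-9]*\)% packet loss.*/\1/p'
}

# Average round-trip time in ms: the Linux "min/avg/max" line or the
# Windows "Average = Nms" line, whichever is present.
ping_avg_rtt() {
    sed -n -e 's|^rtt min/avg/max/mdev = [^/]*/\([^/]*\)/.*|\1|p' \
           -e 's/.*Average = \([0-9]*\)ms.*/\1/p'
}

# One line per hop, "<hop> <ip>", with "*" for hops that did not reply.
# Handles traceroute (IP in parentheses) and tracert (IP is the last field).
traceroute_hops() {
    awk '$1 ~ /^[0-9]+$/ {
        ip = "*"
        if (match($0, /\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)/))
            ip = substr($0, RSTART + 1, RLENGTH - 2)
        else if ($NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            ip = $NF
        print $1, ip
    }'
}

# The routers between you and the target: every answering hop except the last.
intermediate_routers() {
    traceroute_hops | sed '$d' | awk '$2 != "*" { print $2 }'
}

# TCP sockets waiting for connections (Linux prints LISTEN, Windows LISTENING).
listening_sockets() {
    awk 'tolower($1) ~ /^tcp/ && $NF ~ /^LISTEN/ { print $4 }'
}

# Listeners reachable from the network: anything not bound to loopback.
# 127.0.0.1:631 above is local-only; 0.0.0.0:22 accepts the whole network.
exposed_listeners() {
    listening_sockets | grep -v '^127\.' | grep -v '^::1:' | grep -v '^\[::1\]'
}

printf '%s\n' "$SAMPLE_PING" | ping_loss_percent          # 25
printf '%s\n' "$SAMPLE_PING" | ping_avg_rtt               # 11.333
printf '%s\n' "$SAMPLE_TRACEROUTE" | intermediate_routers # 192.0.2.1 192.0.2.254 203.0.113.9
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners       # 0.0.0.0:22
```

On a live system you would feed the real command in instead of the sample, for example ping -c 4 www.google.com | ping_loss_percent or netstat -an | exposed_listeners. The last function is the one to get into the habit of running: every socket it prints is a service that anyone on the network can reach.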
2.5. Exercises
2.5.1 Exercises in Windows
1. Go to an MS-DOS window.
2. Identify the version of Windows (MS-DOS) that you are using. What version have you detected? What command have you used?
3. Identify the date and time of the system. If they are incorrect, modify them so that they are correct. What command have you used?
4. Identify all the directories and files that are in "c:\". What command have you used?
5. Create the directory c:\hhs\lesson0. Copy into this directory all the files with the extension ".sys" that are in "c:\". What files have you found? What commands have you used?
6. Identify the IP address of your host. What command have you used? What IP address do you have?
7. Trace the route to "www.google.com". Identify the IPs of the intermediate routers.
2.5.2 Exercises in Linux
1. Identify the owner of the file "passwd". (Note: first locate where this file is.) What command have you used?
2. Create the directory "work" in your own home directory (for example, if your login is "mylogin", create the directory in "/home/mylogin"), and copy the file "passwd" into the directory "work" that you have just created. Identify the owner of the file "passwd" that has been copied.
3. Create the directory ".hide" in the "work" directory. List the contents of this directory. What did you have to do to see the contents of directory ".hide"?
4. Create the file "test1" with the content "This is the content of the file test1" in the "work" directory. Create the file "test2" with the content "This is the content of the file test2" in the "work" directory. Copy into a file with the name "test" the contents of the previous files. What commands have you used?
5. Identify the name and the IP address of your machine. What commands have you used? What IP address do you have?
6. Trace the route to "www.google.com". Identify the IPs of the intermediate routers.
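A worked solution to Linux exercises 1 to 4, added here as an example and not taken from the lesson. It runs in a temporary directory that stands in for /home/mylogin (so the real home directory is untouched), assumes /etc/passwd exists and writes a constructed one-line stand-in if it does not, and prints the answer to each question. The point worth noticing in exercise 2 is that the copy of passwd belongs to whoever ran cp, not to root.

```shell
#!/bin/sh
# Added example: Linux exercises 1-4 in a throwaway home directory.

# Owner of a file: the third column of "ls -ld" (works on Linux and BSD).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Exercise 1: locate passwd without crawling the whole disk.
find_passwd() {
    find /etc -maxdepth 1 -name passwd 2>/dev/null | head -n 1
}

# Exercise 2: create work/ under the given home, copy passwd into it and
# print the path of the copy. cp creates a new file owned by the caller,
# which is why the copy's owner differs from the original's (normally root).
setup_work() {
    home=$1
    src=$(find_passwd)
    mkdir -p "$home/work"
    if [ -n "$src" ]; then
        cp "$src" "$home/work/passwd"
    else
        # constructed stand-in for systems without /etc/passwd
        printf 'root:x:0:0:root:/root:/bin/sh\n' > "$home/work/passwd"
    fi
    printf '%s\n' "$home/work/passwd"
}

# Exercise 3: a name beginning with "." is skipped by plain ls; ls -a shows it.
make_hidden() {
    mkdir -p "$1/work/.hide"
}
visible_entries() { ls "$1/work"; }
all_entries() { ls -a "$1/work"; }

# Exercise 4: write test1 and test2, join them into test, print test.
make_test_files() {
    printf 'This is the content of the file test1\n' > "$1/work/test1"
    printf 'This is the content of the file test2\n' > "$1/work/test2"
    cat "$1/work/test1" "$1/work/test2" > "$1/work/test"
    cat "$1/work/test"
}

# Demo run in a temporary home, removed afterwards.
fake_home=$(mktemp -d)
copy=$(setup_work "$fake_home")
printf 'copy of passwd is owned by %s (you are %s)\n' "$(owner_of "$copy")" "$(id -un)"
make_hidden "$fake_home"
printf 'ls sees: %s\n' "$(visible_entries "$fake_home" | tr '\n' ' ')"
printf 'ls -a sees: %s\n' "$(all_entries "$fake_home" | tr '\n' ' ')"
make_test_files "$fake_home"
rm -rf "$fake_home"
```

Compare the owner printed for the copy with what ls -l /etc/passwd shows for the original: the permissions and owner of the original are what protect it, and a copy you make loses both.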
2.5.3 Exercise 3
Complete the following table with parallelisms between Windows and Linux. For example: the Linux command "command --help" is equivalent to the Windows command "command /h". As another example, in Linux "cp" is just like the Windows command "copy".
Linux              Windows
command --help     command /h
cp                 copy
Further Reading
For an extensive glossary of terms visit the following URLs:
Windows: for additional information on commands and tools, type "command /h" or "command /?" or "help command" from an MS-DOS window.
Linux: for additional information on commands and tools, type "command --help" or "man command" from a shell.
Lesson 3: Ports and Protocols
Table of Contents
"License for Use" Information
3.1 Introduction
3.2 Basic concepts of networks
3.2.1 Devices
3.2.2 Topologies
3.3 TCP/IP model
3.3.1 Introduction
3.3.2 Layers
3.3.2.1 Application
3.3.2.2 Transport
3.3.2.3 Internet
3.3.2.4 Network Access
3.3.3 Protocols
3.3.3.1 Application layer protocols
3.3.3.2 Transport layer protocols
3.3.3.3 Internet layer protocols
3.3.4 IP Addresses
3.3.5 Ports
3.3.6 Encapsulation
3.4 Exercises
3.4.1 Exercise 1: Netstat
3.4.2 Exercise 2: Ports and Protocols
3.4.3 Exercise 3: My First Server
Further Reading
Gary Axten, ISECOM
La Salle URL Barcelona
Kim Truett, ISECOM
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Pete Herzog, ISECOM
3.1 Introduction
The text and exercises in this lesson try to impart a basic understanding of the ports and
protocols in current use, as well as their relevance within the operating systems, Windows and
Linux. Additionally, you will have the opportunity to become familiar with a number of useful utilities
which will allow you to properly understand the network capabilities of your computer system.
At the end of the lesson you should have a basic knowledge of:
- the concepts of networks
- IP addresses
- ports and protocols.
3.2 Basic concepts of networks
3.2.1 Devices
In order to understand the explanation of protocols and ports, it is necessary for you to
become familiar with the icons that represent the most common devices that are seen in the
basic schemes. These are:
3.2.2 Topologies
With these devices, local area networks (or LANs) can be created. In a LAN, computers can
share resources, such as hard drives, printers and internet connections, and an administrator
can control how these resources are shared. When a LAN is being designed, it is possible to
choose any of the following physical topologies:
In a bus topology, all the computers are connected to a single means of transmission, and
each computer can communicate directly with any of the others. In the ring configuration,
each computer is connected to the following one, and the last one to the first, and each
computer can only communicate directly with the two adjacent computers. In the star
topology, none of the computers are directly connected with others. Instead they are
connected through a central point and the device at that central point is responsible for
relaying information from computer to computer. If several central points are connected to
each other, an extended star topology is obtained. In a star or extended star topology, all the
central points are peers, that is, each exchanges information on an equal basis. However, if
you connect two star or extended star networks together using a central point which controls
or limits the exchange of information between the two networks, then you have created a
single, hierarchical network topology.
[Figure: Bus, Ring]
3.3 TCP/IP model
3.3.1 Introduction
TCP/IP was developed by the DoD (Department of Defense) of the United States and DARPA
(Defense Advanced Research Projects Agency) in the 1970s. TCP/IP was designed to be an
open standard that anyone could use to connect computers together and exchange
information between them. Ultimately, it became the basis for the Internet.
3.3.2 Layers
The TCP/IP model defines four totally independent layers into which it divides the process of
communication between two devices. The layers through which it passes information
between two devices are:
3.3.2.1 Application
The application layer is the layer nearest the end user. This is the layer that is in charge of
translating data from applications into information that can be sent through the network.
The basic functions of this layer are:
- Representation
- Codification
- Dialog Control
- Application Management
3.3.2.2 Transport
The transport layer establishes, maintains and finishes virtual circuits for information transfer. It
provides control mechanisms for data flow and allows broadcasting, and it provides
mechanisms for the detection and correction of errors. The information that arrives at this
layer from the application layer is divided into different segments. Information that comes to
the transport layer from the internet layer is delivered back to the application layer through
ports. (See Section 3.3.5 Ports for details on ports.)
The basic functions of this layer are:
- Reliability
- Flow Control
- Error Correction
- Broadcasting
3.3.2.3 Internet
This layer divides the segments of the transport layer into packets and sends the packets
across the networks that make up the Internet. It uses IP, or internet protocol, addresses to
determine the location of the recipient device. It does not ensure reliability in the
connections, because this is already taken care of by the transport layer, but it is responsible
for selecting the best route between the originating device and the recipient device.
3.3.2.4 Network Access
This layer is in charge of sending information at both the LAN level and the physical level. It
transforms all the information that arrives from the superior layers into basic information (bits)
and directs it to the proper location. At this level, the destination of the information is
determined by the MAC, or media access control, address of the recipient device.
3.3.3 Protocols
To be able to send information between two devices, both must speak the same language.
This language is called the protocol.
The protocols that appear in the application layer of the TCP/IP model are:
- File Transfer Protocol (FTP)
- Hypertext Transfer Protocol (HTTP)
- Simple Mail Transfer Protocol (SMTP)
- Domain Name Service (DNS)
- Trivial File Transfer Protocol (TFTP)
The protocols of the transport layer are:
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)
The protocols of the internet layer are:
- Internet Protocol (IP)
The protocol most often used in the network access layer is:
- Ethernet
The protocols listed above and their associated ports will be described in the following
sections.
3.3.3.1 Application layer protocols
FTP or file transfer protocol is used for the transmission of files between two devices. It uses TCP
to create a virtual connection for the control of information, then creates another connection
to be used for the delivery of data. The most commonly used ports are 20 and 21.
HTTP or hypertext transfer protocol is used to translate information into web pages. This
information is distributed in a manner similar to that used for electronic mail. The most
commonly used port is 80.
SMTP or simple mail transfer protocol is a mail service that is based on the FTP model. It
transfers electronic mail between two systems and provides notifications of incoming mail. The
most commonly used port is 25.
DNS or domain name service provides a means to associate a domain name with an IP
address. The most commonly used port is 53.
TFTP or trivial file transfer protocol has the same functions as FTP but uses UDP instead of TCP.
(See Section 3.3.3.2 for details on the differences between UDP and TCP.) This gives it more
speed, but less security and trustworthiness. The most commonly used port is 69.
3.3.3.2 Transport layer Protocols
There are two protocols which can be used by the transport layer to deliver information:
TCP or transmission control protocol establishes a logical connection between the final points
of the network. It synchronizes and regulates the traffic with what is known as the "Three Way
Handshake". In the "Three Way Handshake," the originating device sends an initial packet
called a SYN to the recipient device. The recipient device sends an acknowledgment
packet, called a SYN/ACK. The originating device then sends a packet called an ACK, which
is an acknowledgment of the acknowledgment. At this point, both the originating device
and the recipient device have established that there is a connection between the two and
both are ready to send and receive data to and from each other.
UDP or user datagram protocol is a transport protocol which is not based on a connection. In
this case, the originating device sends packets without warning the recipient device to
expect these packets. It is then up to the recipient device to determine whether or not those
packets will be accepted. As a result, UDP is faster than TCP, but it cannot guarantee that a
packet will be accepted.
3.3.3.3 Internet layer Protocols
IP or internet protocol serves as a universal protocol to allow any two computers to
communicate through any network at any time. Like UDP, it is connectionless, because it does
not establish a connection with the remote computer. Instead, it is what is known as a best
effort service, in that it will do whatever is possible to ensure that it works correctly, but its
reliability is not guaranteed. The Internet Protocol determines the format for the packet
headers, including the IP addresses of both the originating and the recipient devices.
3.3.4 IP Addresses
A domain name is the web address that you normally type into a web browser. That name
identifies one or more IP addresses. For example, the domain name microsoft.com represents
about a dozen IP addresses. Domain names are used in URLs to identify particular Web pages.
For example, in the URL http://www.pcwebopedia.com/index.html, the domain name is
pcwebopedia.com.
Every domain name has a suffix that indicates which top level domain (TLD) it belongs to.
There are only a limited number of such domains. For example:
.gov - Government agencies
.edu - Educational institutions
.org - Organizations (nonprofit)
.com - Commercial Business
.net - Network organizations
Because the Internet is based on IP addresses, not domain names, every Web server requires
a Domain Name System (DNS) server to translate domain names into IP addresses.
IP Addresses are the identifiers that are used to differentiate between computers and other
devices that are connected to a network. Each device must have a different IP address, so
that there are no problems of mistaken identity within the network. IP addresses consist of 32
bits that are divided in four 8 bit octets which are separated by dots. Part of the IP address
identifies the network, and the remainder of the IP address identifies the individual computers
on the network.
There are both public and private IP addresses. Private IP addresses are used by private
networks that have no connection with outside networks. IP addresses within a private
network should not be duplicated within that network, but computers on two different, but
unconnected, private networks could have duplicated IP addresses. The IP addresses that
are defined by IANA, the Internet Assigned Numbers Authority, as being available for private
networks are:
10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255
IP addresses are divided into classes based on what portion of the address is used to identify
the network and what portion is used to identify the individual computers.
Depending on the size assigned to each part, more devices will be allowed within the
network, or more networks will be allowed. The existing classes are:
- Class A: The first bit is always zero, so this class includes the addresses between 0.0.0.0
and 126.255.255.255. Note: the addresses of 127.x.x.x are reserved for the services of
loopback or localhost.
- Class B: The first two bits of the first octet are '10', so this class includes the addresses
between 128.0.0.0 and 191.255.255.255.
- Class C: The first three bits of the first octet are '110', so this class includes the
addresses between 192.0.0.0 and 223.255.255.255.
- Class D: The first four bits of the first octet are '1110', so this class includes the
addresses between 224.0.0.0 and 239.255.255.255. These addresses are reserved for
group multicast implementations.
- The remaining addresses are used for experimentation or for possible future use.
At this time, the classes are not used to differentiate between the part of the address used to
identify the network and the part used to identify the individual devices. Instead, a mask is
used. In the mask, a '1' binary bit represents the part containing the network identification and
a '0' binary bit represents the part that identifies the individual devices. Therefore, to identify a
device, in addition to the IP address, it is necessary to specify a network mask:
IP: 172.16.1.20
Mask: 255.255.255.0
IP addresses 127.x.x.x are reserved to be used as loopback or local host addresses, that is,
they refer directly back to the local computer. Every computer has a local host address of
127.0.0.1, therefore that address cannot be used to identify different devices. There are also
other addresses that cannot be used. These are the network address and the broadcast
address.
The network address is an address in which the part of the address which normally identifies
the device is all zeros. This address cannot be used, because it identifies a network and can
never be used to identify a specific device.
IP: 172.16.1.0
Mask: 255.255.255.0
The broadcast address is an address in which the part of the address which normally identifies
the device is all ones. This address cannot be used to identify a specific device, because it is
the address that is used to send information to all of the computers that belong to the
specified network.
IP: 172.16.1.255
Mask: 255.255.255.0
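The mask arithmetic described above, worked through in code as an added example (this is not part of the original lesson). It derives the network and broadcast addresses from an address/mask pair exactly as the section describes (mask '1' bits keep the network part, '0' bits are the host part), classifies an address by the leading bits of its first octet, and checks the IANA private ranges and the 127.x.x.x loopback range. The private ranges are expressed as network/mask pairs, which is an assumption about how to encode the start/end ranges the lesson lists; the stdlib ipaddress module is used only to cross-check the hand-rolled result.

```python
"""IPv4 address arithmetic: network/broadcast addresses, legacy class,
private and loopback ranges.  Added illustration for the lesson text."""
from ipaddress import ip_network


def to_int(dotted: str) -> int:
    """Convert a dotted quad such as '172.16.1.20' into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Inverse of to_int: 32-bit integer back to dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(ip: str, mask: str) -> str:
    """Keep the bits where the mask is '1'; the host part becomes all zeros."""
    return to_dotted(to_int(ip) & to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    """Keep the network part; every host bit (mask '0') is set to one."""
    host_bits = ~to_int(mask) & 0xFFFFFFFF
    return to_dotted(to_int(ip) | host_bits)


def is_usable_host(ip: str, mask: str) -> bool:
    """The all-zeros (network) and all-ones (broadcast) host parts name the
    network itself, never a single device."""
    return ip not in (network_address(ip, mask), broadcast_address(ip, mask))


def legacy_class(ip: str) -> str:
    """Historic class from the leading bits of the first octet, as listed in
    the lesson: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, anything else -> E.
    (127.x.x.x falls under the class A bit pattern but is reserved.)"""
    first = to_int(ip) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


# The lesson's private ranges as network/mask pairs (assumed encoding):
#   10.0.0.0    - 10.255.255.255  -> 10.0.0.0    / 255.0.0.0
#   172.16.0.0  - 172.31.255.255  -> 172.16.0.0  / 255.240.0.0
#   192.168.0.0 - 192.168.255.255 -> 192.168.0.0 / 255.255.0.0
PRIVATE_RANGES = [
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
]


def is_private(ip: str) -> bool:
    """True when the address lies inside one of the IANA private ranges."""
    return any(network_address(ip, mask) == net for net, mask in PRIVATE_RANGES)


def is_loopback(ip: str) -> bool:
    """127.x.x.x always refers back to the local computer."""
    return (to_int(ip) >> 24) == 127


def cross_check(ip: str, mask: str) -> bool:
    """Confirm the hand-rolled arithmetic against the standard library."""
    net = ip_network(f"{ip}/{mask}", strict=False)
    return (str(net.network_address) == network_address(ip, mask)
            and str(net.broadcast_address) == broadcast_address(ip, mask))


if __name__ == "__main__":
    for ip, mask in [("172.16.1.20", "255.255.255.0"), ("62.80.122.203", "255.255.248.0")]:
        print(ip, mask, "network:", network_address(ip, mask),
              "broadcast:", broadcast_address(ip, mask),
              "class:", legacy_class(ip), "private:", is_private(ip))
```

The check that matters in practice is is_usable_host: a configuration that hands a device the network or broadcast address of its subnet is a common misconfiguration, and the two functions above make the reason visible bit by bit.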
3.3.5 Ports
Both TCP and UDP use ports to exchange information with applications. A port is an extension
of an address, similar to adding an apartment or room number to a street address. A letter
with a street address will arrive at the correct apartment building, but without the apartment
number, it will not be delivered to the correct recipient. Ports work in much the same way. A
packet can be delivered to the correct IP address, but without the associated port, there is
no way to determine which application should act on the packet.
Once the ports have been defined, it is possible for the different types of information that are
sent to one IP address to then be sent to the appropriate applications. By using ports, a
service running on a remote computer can determine what type of information a local client
is requesting, can determine the protocol needed to send that information, and maintain
simultaneous communication with a number of different clients.
For example, if a local computer attempts to connect to the website www.osstmm.org,
whose IP address is 62.80.122.203, with a web server running on port 80, the local computer
would connect to the remote computer using the socket address: 62.80.122.203:80
In order to maintain a level of standardization among the most commonly used ports, IANA
has established that the ports numbered from 0 to 1024 are to be used for common services.
The remaining ports, up through 65535, are used for dynamic allocations or particular services.
The most commonly used ports, as assigned by the IANA, are listed here:
Port Assignments
Decimals  Keywords      Description
0                       Reserved
1-4                     Unassigned
5         rje           Remote Job Entry
7         echo          Echo
9         discard       Discard
11        systat        Active Users
13        daytime       Daytime
15        netstat       Who is Up or NETSTAT
17        qotd          Quote of the Day
19        chargen       Character Generator
20        ftp-data      File Transfer (Default Data)
21        ftp           File Transfer (Control)
22        ssh           SSH Remote Login Protocol
23        telnet        Telnet
25        smtp          Simple Mail Transfer
37        time          Time
39        rlp           Resource Location Protocol
42        nameserver    Host Name Server
43        nicname       Who Is
53        domain        Domain Name Server
67        bootps        Bootstrap Protocol Server
68        bootpc        Bootstrap Protocol Client
69        tftp          Trivial File Transfer
70        gopher        Gopher
75                      any private dial out service
77                      any private RJE service
79        finger        Finger
80        www-http      World Wide Web HTTP
95        supdup        SUPDUP
101       hostname      NIC Host Name Server
102       iso-tsap      ISO-TSAP Class 0
110       pop3          Post Office Protocol - Version 3
113       auth          Authentication Service
117       uucp-path     UUCP Path Service
119       nntp          Network News Transfer Protocol
123       ntp           Network Time Protocol
137       netbios-ns    NETBIOS Name Service
138       netbios-dgm   NETBIOS Datagram Service
139       netbios-ssn   NETBIOS Session Service
140-159                 Unassigned
160-223                 Reserved
You can also refer to the Web page: http://www.isecom.info/cgi-local/protocoldb/browse.dsp
for more detailed information on ports.
3.3.6 Encapsulation
When a piece of information, an e-mail message, for example, is sent from one computer to
another, it is subject to a series of transformations. The application layer generates the data,
which is then sent to the transport layer. The transport layer takes this information and adds a
header to it. This header contains information, such as the IP addresses of the originating and
recipient computers, that explains what must be done to the data in order to get it to the
appropriate destination. The next layer adds yet another header, and so on. This recursive
procedure is known as encapsulation.
Each layer after the first makes its data an encapsulation of the previous layer's data, until you
arrive at the final layer, in which the actual transmission of data occurs. The following figure
explains encapsulation in a graphic form:
When the encapsulated information arrives at its destination, it must then be
de-encapsulated. As each layer receives information from the previous layer, it removes the
unneeded information contained in the header placed there by the previous layer.
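Encapsulation and de-encapsulation, carried out on real header layouts as an added example that is not part of the original lesson: an application message is wrapped in a UDP header (transport layer), then an IPv4 header (internet layer), then an Ethernet II header (network access layer), and the receiver peels the three headers off again in reverse order. It also shows which field lives in which header: the port numbers sit in the transport header and the IP addresses in the internet-layer header. The MAC addresses, ports and message are constructed sample values; the IPv4 checksum is verified on the way back out, which is how a corrupted header is detected.

```python
"""One message wrapped in UDP, IPv4 and Ethernet headers, then unwrapped.
Added illustration; addresses and payload are constructed sample values."""
import struct


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by the IPv4 header.  Computed over a header
    whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def udp_segment(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Transport layer: 8-byte header (src port, dst port, length, checksum).
    A zero UDP checksum over IPv4 means 'not computed' and is permitted."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def ipv4_packet(segment: bytes, src_ip: str, dst_ip: str, proto: int = 17) -> bytes:
    """Internet layer: 20-byte header + segment.  Protocol 17 is UDP."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,               # version 4, header length 5 words
                         0,                  # type of service
                         20 + len(segment),  # total length
                         0, 0,               # identification, flags/fragment
                         64,                 # time to live
                         proto,
                         0,                  # checksum placeholder
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    checksum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def ethernet_frame(packet: bytes, src_mac: str, dst_mac: str) -> bytes:
    """Network access layer: dst MAC, src MAC, EtherType 0x0800 (IPv4)."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def encapsulate(payload, src_ip, dst_ip, src_port, dst_port, src_mac, dst_mac) -> bytes:
    """Data -> segment -> packet -> frame: each layer adds its own header."""
    segment = udp_segment(payload, src_port, dst_port)
    packet = ipv4_packet(segment, src_ip, dst_ip)
    return ethernet_frame(packet, src_mac, dst_mac)


def decapsulate(frame: bytes) -> dict:
    """Remove the headers in reverse order, validating each layer."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    dst_mac, src_mac = bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    src_ip, dst_ip = bytes_to_ip(packet[12:16]), bytes_to_ip(packet[16:20])
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {"src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "protocol": proto, "src_port": src_port,
            "dst_port": dst_port, "payload": segment[8:udp_len]}


# Constructed sample: the lesson's example addresses and exercise port 1234.
PAYLOAD = b"Welcome to the Hacker Highschool server!"
SAMPLE_FRAME = encapsulate(PAYLOAD, "172.16.1.20", "62.80.122.203", 40000, 1234,
                           "00:11:22:33:44:55", "66:77:88:99:aa:bb")

if __name__ == "__main__":
    print(len(SAMPLE_FRAME), "bytes on the wire:", decapsulate(SAMPLE_FRAME))
```

Each layer only reads its own header and hands the rest up unchanged, which is why a corrupted IPv4 header is rejected before the transport header is ever parsed.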
3.4 Exercises
3.4.1 Exercise 1: Netstat
The Netstat command allows you to see the state of the ports on a computer. In order to
execute it, you must open an MS-DOS window and type:
netstat
In the MS-DOS window, you will then see a list of the established connections. If you want to
see the connections displayed in numeric form, type:
netstat -n
To see the connections and the active ports, type:
netstat -an
To see a list of other options, type:
netstat -h
In the Netstat output, the second and third columns list the local and remote IP addresses
being used by the active ports. Why are the addresses of the remote ports different from the
local addresses?
Next, using a web browser, open this web page:
then return to the MS-DOS prompt and run Netstat again. What new connection (or
connections) appear?
Open another web browser and go to this web page:
Return to the MS-DOS prompt and run Netstat:
- Why does the protocol HTTP appear in several lines?
- What differences exist between each one of them?
- If there are several web browsers open, how does the computer know which information
goes to which browser?
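A way to work through the Netstat exercise on captured output instead of by eye, as an added example that is not part of the original lesson. The block parses the Windows `netstat -an` layout the exercise uses (Proto, Local Address, Foreign Address, State), lists which ports are listening, flags listeners bound to 0.0.0.0 (reachable from any interface) as opposed to 127.0.0.1 (local only), and shows that several browser connections to the same web server are distinguished by their different local ports. The sample output is constructed, not captured from a real machine.

```python
"""Parse `netstat -an` output (Windows layout) and answer the exercise's
questions from it.  Added illustration; sample output is constructed."""
import re

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    172.16.1.20:1045       62.80.122.203:80       ESTABLISHED
  TCP    172.16.1.20:1046       62.80.122.203:80       ESTABLISHED
  TCP    172.16.1.20:1047       62.80.122.203:80       TIME_WAIT
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Proto, local socket address, foreign socket address, optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_socket_address(text: str) -> tuple:
    """'172.16.1.20:1045' -> ('172.16.1.20', 1045); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(output: str) -> list:
    """One dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        proto, local, remote, state = match.groups()
        lhost, lport = split_socket_address(local)
        rhost, rport = split_socket_address(remote)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": state or ""})
    return rows


def listening_ports(rows: list) -> list:
    """Ports a service is waiting on: TCP sockets in LISTENING, plus every
    bound UDP socket (UDP has no connection state, so bound means open)."""
    return sorted({(r["proto"], r["local_port"]) for r in rows
                   if (r["proto"] == "TCP" and r["state"] == "LISTENING")
                   or r["proto"] == "UDP"})


def exposed_listeners(rows: list) -> list:
    """Listeners bound to 0.0.0.0 accept connections from any interface;
    those on 127.0.0.1 are reachable only from the machine itself."""
    open_ports = set(listening_ports(rows))
    return [(r["proto"], r["local_port"]) for r in rows
            if r["local_host"] == "0.0.0.0"
            and (r["proto"], r["local_port"]) in open_ports]


def connections_to(rows: list, remote_host: str, remote_port: int) -> list:
    """Local (ephemeral) ports in use for each established connection to one
    service: the reply for each browser comes back to a different port."""
    return sorted(r["local_port"] for r in rows
                  if r["remote_host"] == remote_host
                  and r["remote_port"] == remote_port
                  and r["state"] == "ESTABLISHED")


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    print("reachable from other hosts:", exposed_listeners(rows))
    print("browser connections to 62.80.122.203:80 use local ports",
          connections_to(rows, "62.80.122.203", 80))
```

Running this over real `netstat -an` output before and after the exercise's "open a web page" step shows the new ESTABLISHED rows directly, and exposed_listeners is the same question a defender asks after starting any new service.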
3.4.2 Exercise 2: Ports and Protocols
In this lesson, you learned that ports are used to differentiate between services.
Why is it that when a web browser is used, no port is specified?
What protocols are used?
Is it possible that one protocol gets used in more than one instance?
3.4.3 Exercise 3: My First Server
To perform this exercise, you must have the Netcat program. If you do not have it, you can
download it from the page:
Once you have Netcat installed, open an MS-DOS window. Change to the Netcat directory
and type:
nc -h
This displays the options that are available in Netcat. To create a simple server, type:
nc -l -p 1234
When this command executes, port 1234 is opened and incoming connections are allowed.
Open a second MS-DOS window and type:
netstat -a
This should verify that there is a new service listening on port 1234. Close this MS-DOS window.
To be able to say that a server has been implemented, you must establish a client association.
Open an MS-DOS window and type:
nc localhost 1234
With this command, a connection is made with the server that is listening to port 1234. Now,
anything that is written in either of the two open MS-DOS windows can be seen in the other
window.
Create a file named 'test', that contains the text, "Welcome to the Hacker Highschool server!"
In an MS-DOS window, type:
nc -l -p 1234 < test
From another MS-DOS window, connect to the server by typing:
nc localhost 1234
When the client connects to the server, you should see the output of the file, 'test'.
To close the service, switch to the MS-DOS window in which it is running and press CTRL-C.
What protocol has been used to connect with the server?
Does Netcat allow you to change this? If so, how?
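The same exchange as the Netcat exercise, written with Python sockets as an added example that is not part of the original lesson: one side listens and sends the contents of the 'test' file to whoever connects, the other side connects to localhost and reads until the server closes. The listener is bound to 127.0.0.1 rather than to every interface, and to port 0 so the operating system picks a free port instead of the exercise's fixed 1234 (both are choices made for this example). SOCK_STREAM is TCP, which is the protocol the exercise's connection uses; a SOCK_DGRAM socket would be the UDP equivalent.

```python
"""A loopback TCP listener and client, mirroring `nc -l -p 1234 < test`
on one side and `nc localhost 1234` on the other.  Added illustration."""
import socket
import threading

# Content of the exercise's 'test' file.
BANNER = b"Welcome to the Hacker Highschool server!\n"


def serve_one_client(listener: socket.socket, banner: bytes) -> tuple:
    """Accept a single connection, send the banner, close.  Returns the
    client's socket address (IP, port) as the server sees it."""
    conn, peer = listener.accept()       # the three-way handshake completes here
    with conn:
        conn.sendall(banner)             # like redirecting the file into nc
    return peer


def run_demo(banner: bytes = BANNER, bind_host: str = "127.0.0.1") -> dict:
    """Start a listener, connect a client to it, report what each side saw."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # TCP
    listener.bind((bind_host, 0))        # port 0: the OS picks a free port
    listener.listen(1)                   # (the exercise uses 1234)
    server_port = listener.getsockname()[1]

    seen = {}
    worker = threading.Thread(
        target=lambda: seen.update(peer=serve_one_client(listener, banner)))
    worker.start()

    chunks = []
    with socket.create_connection((bind_host, server_port), timeout=5) as client:
        client_addr = client.getsockname()   # (127.0.0.1, ephemeral port)
        while True:
            data = client.recv(4096)
            if not data:                     # server closed: end of stream
                break
            chunks.append(data)
    worker.join(5)
    listener.close()
    return {"received": b"".join(chunks), "server_port": server_port,
            "client_addr": client_addr, "peer_seen_by_server": seen["peer"]}


if __name__ == "__main__":
    result = run_demo()
    print("server listened on port", result["server_port"])
    print("client used", result["client_addr"], "as seen by server:",
          result["peer_seen_by_server"])
    print("client received:", result["received"].decode())
```

The returned addresses make the earlier socket-address discussion concrete: the server's listening port is fixed, while the client is identified by the ephemeral port the operating system assigned to it, and the server sees exactly that IP:port pair.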
Further Reading
You can find more information on ports and protocols by looking at the following links:
Port Number references:
Table of Contents
"License for Use" Information ... 2
4.0 Introduction ... 5
4.1 Services ... 6
4.1.1 HTTP and The Web ... 6
4.1.2 E-Mail - POP and SMTP ... 7
4.1.3 IRC ... 9
4.1.4 FTP ... 9
4.1.5 Telnet and SSH ... 10
4.1.6 DNS ... 10
4.1.7 DHCP ... 11
4.2 Connections ... 12
4.2.1 ISPs ... 12
4.2.2 Plain Old Telephone Service ... 12
4.2.3 DSL ... 12
4.2.4 Cable Modems ... 13
Further Reading ... 14
Chuck Truett, ISECOM
Guiomar Corral, La Salle URL Barcelona
Jaume Abella, La Salle URL Barcelona - ISECOM
Kim Truett, ISECOM
Marta Barceló, ISECOM
Pete Herzog, ISECOM
4.0 Introduction
The purpose of this lesson is to give you an understanding of some of the basic services which
networks use to provide and exchange information, and to discuss some of the methods in
which personal computers and local networks connect with the other networks which make
up the Internet.
4.1 Services
You have a computer, and you know that there is useful information on this computer, but not
very much. You also know that other people, millions of other people, also have computers,
and that their computers will also have useful information.
Now, you can assume that these other people, and these other computers, may very likely
have lots of information on them that would be of interest to you. The only problem is how to
access all this useful information that may be on other people's computers.
The computers themselves can communicate with each other, easily, through ports, using the
different protocols that have been designed, but that doesn't really help you. You can't
understand the streams of binary data that the computers exchange between themselves.
You need some way for your computer to interpret the information that it can receive from
the other computers in some way that you can use it.
The programs that the computers use to translate the data that they exchange into a form
that is useful to you are called services. These services allow you to view web pages, exchange
e-mail, chat, and interact with remote computers in many other different ways.
Your computer, the local computer, uses programs called clients to interpret the information
that you receive. The other computers, the remote computers, use programs called servers to
provide this information to your computer.
4.1.1 HTTP and The Web
When you say, 'the Internet,' what comes to mind for most people is, in fact, the World Wide
Web. The World Wide Web, or just the Web, is not the Internet. Instead, it is a method of using
the Internet to exchange information between computers. The Web uses http or hypertext
transfer protocol and services known as web browsers and web servers to allow information in
the form of web pages to be exchanged between local and remote computers.
On the local side, what you see is the web browser. Information from the remote computer is
sent to your local computer using the http protocol. The web browser interprets that
information and displays it on your local computer in the form of web pages.
The hypertext part of the http protocol refers to a non-linear method of presenting
information. Text is normally read in a linear fashion: word 2 follows word 1; sentence 3 follows
sentence 2; paragraph 5 follows paragraph 4. The idea of hypertext allows information to be
viewed in a non-linear way. This is the major difference between hypertext and the older,
plain text methods of displaying information.
With hypertext, words and ideas can connect, not only with the words that directly surround
them, but also with other words, ideas or images. Hypertext is not restricted to the Web. Most
full-featured word processors will allow you to create locally stored pages in web or http
format. These pages are read using your web browser and act as would any other web page,
only they are stored on your local computer, not a remote computer.
On your local computer, you use a client program called a web browser. Contrary to what
you might have been led to believe, there are actually a number of web browsers available
for both Windows and Linux. These include Microsoft's Internet Explorer, Netscape Navigator,
and the Mozilla Firefox browsers.
You can also create your own web page. The easiest way to do this is to use one of the
common word processors, such as OpenOffice, Microsoft Word, or WordPerfect. These
programs will allow you to produce simple web pages, combining text, hypertext and images.
Plenty of people have made useful, clever and innovative web pages using these simple
programs.
But these pages aren't flashy. Flashy means frames and scripts and animations. It also means
spending lots of money on a fancy web page design program. These programs allow you to
create many interesting effects on your web page, but they are more complex to use than
the word processors that you are probably already familiar with.
Once you have the pages designed, you'll need a computer to put them on, so that other
people can view them. This is called web hosting.
The hosting computer will be running a web server. It is possible to run one of these servers
from your own home, using your own computer, but there are several drawbacks, the primary
one of these being persistence. Information stored on a web server is only available when
that server is powered up, operating properly and has an open connection. So, if you want to
run a web server from your own bedroom, you have to leave your computer on all the time;
you have to make sure that the web server program is operating properly all the time (this
includes troubleshooting hardware problems, controlling viruses, worms and other attacks,
and dealing with the inevitable bugs and flaws within the program itself), and you have to
keep a connection to the Internet open. This is why most people pay someone else to do all
of this.
A web hosting company will store your web page on their computer. A perfect web hosting
company will have multiple, redundant servers and a regular backup policy, so that your
service is not lost because of hardware problems, a support staff to keep the server running
despite hacker attacks and program bugs, and a number of open connections to the
Internet, so that all you have to do is design your web page, upload it to the hosting
company's server, hang up the phone, turn off the computer, and go to sleep, and your web
page will be available to the entire world.
It's also possible to find organizations that offer free web hosting. Some of these organizations
are funded by paid advertising, which means that anyone who wants to view your web page
will first have to view someone else's advertisement. But they don't have to buy anything, and
you don't have to pay anything.
4.1.2 E-Mail - POP and SMTP
The second most visible aspect of the Internet is probably e-mail. On your computer, you use
an e-mail client, which connects to a mail server. When you set up your e-mail account, you
are given a unique name in the form of user@domain. You are also asked to provide a
password to use to retrieve your e-mail.
The SMTP protocol, which is used to send e-mail, does not require a password. This may not
have been a fault when the protocol was designed, and the Internet was a small world
inhabited by like minded people, but now it has become a loophole which allows for
unauthorized use of mail servers and various other tricks, such as 'e-mail spoofing', in which
someone sends an e-mail that appears to come from another address. However, some mail
servers minimize this flaw by implementing an authentication step, in which you must prove
your identity before you can send an e-mail.
One important thing to remember is, despite being password protected, e-mail is not a way
to send secure information. Most POP clients and servers require that your password be
communicated, unencrypted, to your mail server. This doesn't mean that anyone who
receives an e-mail from you also receives your password; but it does mean that someone with
the right knowledge and tools can relatively easily 'sniff out' your password. (For ideas on
making your e-mail more secure, see Lesson 9 E-mail Security.)
4.1.3 IRC
IRC, or Internet relay chat, is where the unregulated nature of the Internet is most clearly
expressed. On IRC, anyone with anything to say gets a chance to say it.
You may be familiar with the chat rooms used by certain online services. IRC is just like a chat
room, only there are no rules, there are no standards, and, quite often, there are no
chaperones. You may find exactly what you are looking for on an IRC channel, or you just
may find something that you would rather you never knew existed.
All the rules that you've heard about chat rooms are applicable to IRC channels. Don't tell
anyone your real name. Don't give out your phone number, your address, or your bank
account numbers. But have fun!
Find and join three IRC channels which focus on security topics. How do you join in the public
conversation? What do you have to do to have a private conversation with a person?
It is possible to exchange files through IRC. How could you do this? Would you always want to
exchange files through IRC? Why or why not?
4"&"4 5T)
!TP stands for file transfer protocol% s the name implies$ it allows for files to be transferred
between a local and a remote computer% 4hile it can be used for private file transfers$ it is
more commonly associated with free$ anonymous ftp servers which offer public access to
collections of files%
nonymous ftp was once the means by which most computer users e&changed files over the
Internet% 4hile many anonymous ftp servers are used to distribute files that are available
illegallyEand are possibly infected with virusesF$ there are also many which are legally used to
distribute programs and files% Servers which offer anonymous ftp services can be found
through various means$ including Internet search engines%
Most anonymous ftp servers now allow you to access their files using the ftp protocol through
a web browser%
=oth 4indows and 'inu& come with a basic$ command line ftp clientD to access it$ open a
command prompt or terminal window and type:
t the ftp> prompt$ you can type help$ to get a list of available commands%
ftp> help
Commands may be abbreviated. Commands are:
! delete literal prompt send
? debug ls put status
append dir mdelete pwd trace
ascii disconnect mdir quit type
bell get mget quote user
binary glob mkdir recv verbose
bye hash mls remotehelp
cd help mput rename
close lcd open rmdir
Some important commands are:
ftp> open <domain.name>
Which connects you to the ftp server named domain.name.
ftp> ls
ftp> dir
Which lists the contents of the remote working directory.
ftp> cd <newdir>
Which changes the remote working directory to a directory named newdir.
ftp> get <filename>
Which downloads a file named filename from the remote computer to the local computer.
ftp> mget <file1> <file2> <file3>
Which downloads files named file1, file2, and file3 from the remote computer to the local computer.
ftp> close
Which disconnects you from the remote ftp server.
ftp> quit
Which shuts down your local ftp client.
To connect to an anonymous ftp service, you must first open your local ftp client (type ftp at a command prompt or terminal window). Use the open command to connect to the server. The command
ftp> open <anon.server>
connects your ftp client with the anonymous ftp server named anon.server.
When the remote ftp server makes its connection, it will identify itself to your local client, then ask for a user name.
Connected to anon.server.
220 ProFTPD Server (Welcome . . . )
User (anon.server:(none)):
For most anonymous ftp servers, you should enter the word anonymous as the user name. The remote ftp server will acknowledge that you are connecting as an anonymous user, and will give you instructions on what to use as a password.
331 Anonymous login ok, send your complete email address as your password.
In most cases, the remote server does not check the validity of the email address entered as a password, so it will not stop you from accessing the server if you enter an invalid address. However, this is considered to be a breach of etiquette. After you have entered a password, the remote server will send a welcome message to your local computer.
Welcome to ftp.anon.server, the public ftp server of anon.server. We
hope you find what you're looking for.
If you have any problems or questions, please send email to
230 Anonymous access granted, restrictions apply.
From here, you can use the ls, dir, cd and get commands to download files from the remote server to your local computer.
Using these examples, see if you can download a file from an anonymous ftp server. Use your web browser and a search engine to find an anonymous ftp server which has a copy of Alice in Wonderland, then, using the command line ftp client - not your web browser - try to download the file.
4.1.5 Telnet and SSH
Telnet allows a local user to send a wide variety of commands to a remote computer. This allows the local user to instruct the remote computer to perform functions and return data to the local computer, almost as if you were sitting at a keyboard in front of the remote computer. SSH, or secure shell, is intended as a secure replacement for telnet.
Again, both Windows and Linux come with a basic, command line telnet client; to access it, open a command prompt or terminal window and type: telnet.
To access a telnet server, you will need to have an account and password set up for you by the administrator of the server, because the telnet program allows you to perform a large number of actions, some of which could severely compromise the remote computer.
Telnet was used in the past to allow computer administrators to remotely control servers and to provide user support from a distance.
Telnet can also be used for a number of other tasks, such as sending and receiving email and viewing the source code for web pages (although telnet does fall under the heading of the most difficult way to do these things). Telnet can be used to do many things that are illegal and immoral, but there are also legitimate reasons for using it. You can use telnet to check your email, and view, not just the subject line, but the first few lines of an email, which will allow you to decide whether or not to delete the email without downloading the entire message.
4.1.6 DNS
When you want to call a friend on the phone, you need to know the correct phone number; when you want to connect to a remote computer, you also need to know its number. You may remember from previous lessons that, for computers on the Internet, this number is called the IP address.
As numbers, these IP addresses are very easily managed by computers, but as humans, we prefer to use what are called domain names. For example, to connect to the Hacker Highschool web page, we type 'www.hackerhighschool.org' into the address bar of a web browser. However, the web browser can't use this name to connect to the server that hosts the Hacker Highschool web page - it must use the IP address. This means that your local computer must have some means of translating domain names into IP addresses. If there were only hundreds, or even thousands of computers on the Internet, then it might be possible for you to have a simple table stored on your computer to use to look up these addresses, but, not only are there millions of computers on the Internet, the correlations between domain names and IP addresses can change daily.
For this reason, DNS or Domain Name Service is used to translate domain names into IP addresses. When you type the domain name www.domainname.com into your web browser, your web browser contacts the DNS server chosen by your ISP. If that DNS server has www.domainname.com in its database, then it will return the IP address to your computer, allowing you to connect.
If your DNS server doesn't have www.domainname.com in its database, then it will send a request to another DNS server, and it will keep sending requests to other DNS servers until it finds the correct IP address, or it establishes that the domain name is invalid.
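The question and answer that a DNS server exchanges with your computer are small binary messages. The following is an added example, not part of the lesson: it builds the query a resolver sends for the A record of www.isecom.org and parses a constructed response. The response, the transaction ID 0x1234 and the address 198.51.100.7 (from the reserved documentation range) are all made up here; no real lookup is performed. The transaction-ID check is the part a defender cares about: a reply whose ID does not match the query is discarded rather than trusted.

```python
import struct

def encode_name(name):
    """Encode a dotted hostname as DNS labels: length byte, label bytes, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid=0x1234):
    """Build a standard recursive query (RD=1) for the A record of `name`."""
    # header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question

def read_name(msg, offset):
    """Decode the name at `offset`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at the original position)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                      # two-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            hops += 1
            if hops > 64:                                 # refuse pointer loops
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg, expected_txid):
    """Return the IPv4 addresses in the answer section of a response.
    Rejects a reply whose transaction ID does not match, or that carries an error RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not belong to our query")
    if (flags & 0x8000) == 0:
        raise ValueError("message is a query, not a response")
    rcode = flags & 0x000F
    if rcode == 3:
        raise ValueError("NXDOMAIN: the name does not exist")
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    offset = 12
    for _ in range(qd):                                   # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:     # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

def constructed_response(query, ip="198.51.100.7", ttl=300):
    """Fabricate the reply a resolver would send for `query` (sample data, not a real answer)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1 RCODE=0
    question = query[12:]
    # the answer's name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer

if __name__ == "__main__":
    q = build_query("www.isecom.org")
    print(parse_response(constructed_response(q), 0x1234))
```

A real resolver would send `build_query(...)` over UDP to port 53 of the DNS server and hand the datagram it gets back to `parse_response`; the address used here is a placeholder, not where www.isecom.org lives.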
To learn more about DNS:
Open an MS-DOS window and identify the IP address of your computer. What command have you used? What IP address do you have?
Identify the IP address of your DNS server. What command have you used? What is the IP address of the DNS server?
Ping www.isecom.org. Do you receive an affirmative answer? What IP address answers the ping?
Can you direct your computer to use a different DNS server? If so, change the configuration of your computer so that it uses a different DNS server. Ping www.isecom.org again. Do you receive the same response? Why?
4.1.7 DHCP
DHCP or Dynamic Host Configuration Protocol allows for IP addresses to be dynamically allocated within a network. The network is given a block of IP addresses for its use. When a computer joins the network, it is assigned an IP address. When a computer leaves, its IP address becomes available for use by another computer.
This is useful for large networks of computers, since it is not necessary for each computer to have an individually assigned, static IP address. Instead, you use a DHCP server. When a new computer connects to the network, the first thing that it does is request an IP address from the DHCP server. Once it has been assigned an IP address, the computer then has access to all the services of the network.
4.2 Connections
Most computers connect to the Internet through a modem. Modems translate the digital signals produced by computers into analog signals that can be transmitted across commonly available telephone lines. Modem speeds are measured in baud or bits per second. Higher baud rates are better, since they allow for faster transmission of data, but you must also consider what you are planning to do. There are certain applications - such as telnetting into MUDs - for which a twenty year old 300 baud modem would still be acceptable (provided your typing speed wasn't so good), while high bandwidth applications such as streaming video can often strain even the most powerful cable modems.
4.2.1 ISPs
You don't just call up the Internet. You need to access a server that will connect your computer to the Internet. The server does all the heavy work, like being on all the time. The server is run by an ISP or Internet Service Provider.
An ISP has a point-of-presence on the Internet that is constant, and it has servers that run the services you are going to use. Now, you can run these services on your own. For example, you can run a mail server on your local computer, but it will require you to have your computer powered up and connected to a network all the time, just waiting for those brief moments when information has to be exchanged. An ISP, however, consolidates the efforts of a large number of users, so the mail server is working all the time, instead of sitting around, doing nothing. Additionally, an ISP's computers are going to use a high speed connection to connect to a NAP or Network Access Point. These NAPs then interconnect with each other through ultra-high speed connections called backbones. This is the Internet.
4.2.2 Plain Old Telephone Service
POTS, or plain old telephone service, is still the most widely used method of accessing the Internet. Its primary disadvantage is its low speed, but in many cases this is made up for by its wide availability. Most national Internet service providers have a large number of local access numbers, and almost everyone still has a phone with a land line. In theory, if you had an acoustic modem and a pocket full of change, you could connect from almost any public pay phone. Not that you would really want to do that.
POTS is slow. The fastest telephone modems are rated at a speed of 56,600 baud. That, however, as they explain in the small print, is a lie. Power constraints limit the actual download speed to about 53,000 baud and the effective rate is usually much lower. This doesn't compare very well with DSL or cable modems.
That said, telephone service is widely available, and POTS based ISPs are relatively cheap (and sometimes free). You wouldn't want to trade pirated movies over POTS, because it's immoral, illegal and ties up your phone line all night and maybe into the afternoon, but you could certainly send friendly, text based e-mails to Granny. And if you used telnet, you could even do it with a dusty DOS based machine that you pulled out of the basement.
4.2.3 DSL
DSL or digital subscriber line, is a method of sending large amounts of information over the wires that already exist for the POTS. Its main advantage over POTS is that it is much faster than analog modems, and it provides a permanent connection. In addition, it allows you to make and receive regular telephone calls while you are connected to the Internet. Its main disadvantage is that its availability is limited by your proximity to the telephone company's switching equipment - if you live too far down the line, you're out of luck.
Using a web search engine, find two companies that supply DSL access. What other services do these companies provide (telephone service, tv service . . . )?
4.2.4 Cable Modems
Cable modems do not use the traditional telephone lines to connect to the Internet. Instead they make use of the optical fiber lines that are used by cable companies to transmit digital cable signals. Like DSL, cable modems allow you to make and receive regular telephone calls while you are connected to the Internet, and they provide a permanent connection, but cable modems are generally faster than DSL.
Cable modems have two basic flaws. The first is that cable modem access is a shared resource, so your connection speeds will be decreased when there are other users in close geographic proximity. The second is that cable modem access is only available in areas where cable companies have installed the necessary fiber optic wiring.
Using a web search engine, find two companies that provide Internet access through cable modems. What other services do these companies provide (telephone service, tv service . . . )?
Further Reading
How E-mail Works: http://computer.howstuffworks.com/email.htm
An IRC FAQ: http://www.irchelp.org/irchelp/new2irc.html
Basic FTP FAQ (old, but extensive): http://www.faqs.org/faqs/ftp-list/faq/
Another FTP FAQ (also old): http://www.ibiblio.org/pub/Linux/docs/faqs/FTP-FAQ
An Overview of SMTP (with a link to RFC 821, which details the protocol):
And a complementary Overview of POP3 (with a link to RFC 1725):
An Overview of Telnet: http://www.dmine.com/bbscorner/telover.htm
Retrieving Mail with Telnet:
SSH - a more secure alternative to Telnet: http://www.openssh.com/
Basic DNS Information:
More Detailed DNS Information:
A collection of DNS commands, tests and lookups: http://www.dnsstuff.com/
A detailed DHCP FAQ: http://www.dhcp-handbook.com/dhcp_faq.html
A long article on DHCP, with information on NAT and routers:
An Overview of Cable Modems: http://electronics.howstuffworks.com/cable-modem.htm
Table of Contents
"License for Use" Information
Contributors
5.0 Introduction
5.1 Identifying a Server
5.1.1 Identifying the Owner of a Domain
5.1.2 Identifying the IP address of a Domain
5.2 Identifying Services
5.2.1 Ping and TraceRoute
5.2.2 Banner Grabbing
5.2.3 Identifying Services from Ports and Protocols
5.3 System Fingerprinting
5.3.1 Scanning Remote Computers
Further Reading
Contributors
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM
Pete Herzog, ISECOM
5.0 Introduction
It is obvious that someone who sits down at the keyboard of your computer can gather information about it, including the operating system and the programs that are running, but it is also possible for someone to use a network connection to gather information about a remote computer. This lesson will describe some of the ways in which that information can be gathered. Knowing how this information is gathered will help you to ensure that your local computer is safe from these activities.
5.1 Identifying a Server
There are a number of useful sources on the Web which will allow you to collect information about domain names and IP addresses.
5.1.1 Identifying the Owner of a Domain
The first step in identifying a remote system is to look at the domain name or IP address. Using a Whois lookup, you can discover valuable information, including the identity of the owner of a domain and contact information, which may include addresses and phone numbers. Note that there are now a number of domain name registrars, and not all whois databases contain information for all domains. You may have to look at more than one whois database to find information on the domain that you are investigating.
5.1.2 Identifying the IP address of a Domain
There are a number of ways to determine the IP address of a domain. The address may be contained in the whois information or you may have to use a DNS or Domain Name Service lookup. (A web search engine will provide a number of resources for discovering IP addresses from domain names.)
Once you have the IP address, you can access the records of the various members of the Number Resource Organization (http://www.arin.net/ or http://www.ripe.net/), to gain information about how IP addresses are distributed. IP numbers are assigned to service providers and networks in large groups, and knowing which group an IP address is contained in, and who has the rights to that group, can be very useful. This can help you determine information about the server or service provider that a website uses.
Pick a valid domain name and use a Whois lookup to find out who owns that domain. (http://www.whois.com -> "isecom.org"; Go -> Whois Lookup) What other information is available? When was the domain created? When will it expire? When was it last updated?
Find the IP address for this domain name. Using the whois lookups for the various members of the Number Resource Organization, determine who this IP address has been assigned to. (Start with the www.arin.net page, which also links to the other members of the NRO.) What is the range of the other numbers that have also been registered to this entity?
5.2 Identifying Services
Once you have established the owner and the IP address of a domain, then you can start to look for information about the server to which that domain refers.
5.2.1 Ping and TraceRoute
Now that you know who owns the domain, and who the IP number has been assigned to, you can check to see if the server that the website is on is actually active. The ping command will tell you if there is actually a computer associated with that domain or IP. The command
ping domain or
ping ipaddress
will tell you if there is an active computer at that address.
If the output of the ping command indicates that the packets sent were received, then you can assume that the server is active.
Another command, tracert (in Windows) or traceroute (in Linux) will show you the steps that information takes as it travels from your computer to the remote computer. Tracing the route that the packets take will sometimes give you additional information about the computers in the network with the computer that is the target of your trace. For example, computers with similar IP addresses will often be part of the same network.
Ping a valid website or IP address (ping www.isecom.org or ping 216.92.116.13). If you get a successful response, ping the next IP address. Did this produce a successful response?
Use tracert or traceroute to trace the route from your local computer to the IP address that you used in the previous exercise. How many steps does it take? Do any of the listed computers have similar IP addresses?
5.2.2 Banner Grabbing
The next step in identifying a remote system is to try to connect using telnet and FTP. The server programs for these services display text messages called banners. A banner may state clearly and precisely what server program is running. For example, when you connect to an anonymous FTP server, you might get the following message:
Connected to anon.server.
220 ProFTPD Server (Welcome . . . )
User (anon.server:(none)):
While the number 220 is an FTP code which indicates that the server is ready for a new user, the text message ProFTPD Server identifies the FTP server program that is running on the remote computer. Using a web search engine, you can learn what operating system the program runs on and other details about its requirements, capabilities, limitations, and flaws.
The primary flaw in the use of banner grabbing to gather information about a system is that clever system administrators can spoof banners. A banner that reads NoneOfYourBusiness Server is obviously misleading, but a Unix system with a banner that reads WS_FTP Server (a Windows-based FTP server) is going to complicate any intelligence gathering that may be attempted.
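Both the anonymous login sequence from section 4.1.4 and the banner above are driven by the three-digit reply codes of the FTP control channel. The following is an added example, not code from the lesson: it parses FTP replies (including the multi-line form, where each line is prefixed by the code and a hyphen until a final line with the code and a space), walks through the anonymous login against a constructed stand-in for the server, and pulls the advertised product name out of a 220 banner. The sample replies are modelled on the lesson's sessions; ftp.anon.server, the stand-in server function and the address user@example.org are placeholders. The product name is whatever the server chooses to say, which is exactly the spoofing caveat made above.

```python
import re

# Constructed sample replies, modelled on the sessions quoted in the lesson.
FTP_WELCOME = ["220 ProFTPD Server (Welcome . . . )"]
FTP_LOGIN_OK = [
    "230-Welcome to ftp.anon.server, the public ftp server of anon.server. We",
    "230-hope you find what you're looking for.",
    "230 Anonymous access granted, restrictions apply.",
]

def parse_reply(lines):
    """Parse one FTP reply (RFC 959 section 4.2). The first line carries a 3-digit
    code followed by a space (single-line reply) or a hyphen (multi-line reply that
    ends at a line starting with the same code and a space). Returns (code, [text])."""
    m = re.match(r"^(\d{3})([ -])(.*)$", lines[0])
    if not m:
        raise ValueError("malformed reply line: %r" % lines[0])
    code, sep, text = m.group(1), m.group(2), m.group(3)
    texts = [text]
    if sep == " ":
        return int(code), texts
    for line in lines[1:]:
        if line.startswith(code + " "):          # terminating line
            texts.append(line[4:])
            return int(code), texts
        # continuation lines may or may not repeat the "ddd-" prefix
        texts.append(line[4:] if line.startswith(code + "-") else line)
    raise ValueError("unterminated multi-line reply")

def next_command(code, email="user@example.org"):
    """Client side of an anonymous login, chosen from the last reply code.
    The e-mail 'password' is a courtesy only; servers rarely check it."""
    if code == 220:
        return "USER anonymous"
    if code == 331:
        return "PASS " + email
    if code == 230:
        return None                               # logged in, nothing more to send
    if 400 <= code < 500:
        raise RuntimeError("transient failure %d, try again later" % code)
    if 500 <= code < 600:
        raise RuntimeError("permanent failure %d" % code)
    raise RuntimeError("unexpected reply %d" % code)

def fake_anonymous_server(command):
    """Constructed stand-in for the remote side: it accepts any anonymous password."""
    if command == "USER anonymous":
        return ["331 Anonymous login ok, send your complete email address as your password."]
    if command.startswith("PASS "):
        return FTP_LOGIN_OK
    return ["502 Command not implemented."]

def anonymous_login(server=fake_anonymous_server):
    """Run the login exchange against `server` and return the commands that were sent."""
    sent = []
    code, _ = parse_reply(FTP_WELCOME)
    while True:
        cmd = next_command(code)
        if cmd is None:
            return sent
        sent.append(cmd)
        code, _ = parse_reply(server(cmd))

def server_product(banner):
    """Return the product a 220 banner advertises ('ProFTPD' from '220 ProFTPD Server (...)',
    'NcFTPd' from '220 host NcFTPd Server (...) ready.'), or None if it names none.
    This is a claim made by the server, not a verified fact."""
    code, texts = parse_reply([banner])
    if code != 220:
        return None
    m = re.search(r"([A-Za-z][\w.-]*)\s+Server", texts[0])
    return m.group(1) if m else None

if __name__ == "__main__":
    print(anonymous_login())                       # commands a client sends to log in
    print(server_product(FTP_WELCOME[0]))          # ProFTPD
```

A real client would read the reply lines from the control socket instead of from `fake_anonymous_server`; everything else, including the need to buffer a multi-line 230 reply before deciding that the login succeeded, stays the same.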
5.2.3 Identifying Services from Ports and Protocols
You can also determine what programs are running on a system by looking at what ports are open and what protocols are in use.
Start by looking at your own local computer. Go to a command line or shell prompt and run the netstat program using the -a (or all) switch:
netstat -a
The computer will display a list of open ports and some of the services that are using those ports:
Active Connections
Proto  Local Address                 Foreign Address        State
TCP    YourComputer:microsoft-ds     YourComputer:0         LISTENING
TCP    YourComputer:1025             YourComputer:0         LISTENING
TCP    YourComputer:1030             YourComputer:0         LISTENING
TCP    YourComputer:5000             YourComputer:0         LISTENING
TCP    YourComputer:netbios-ssn      YourComputer:0         LISTENING
TCP    YourComputer:1110             216.239.57.147:http    TIME_WAIT
UDP    YourComputer:microsoft-ds     *:*
UDP    YourComputer:isakmp           *:*
UDP    YourComputer:1027             *:*
UDP    YourComputer:1034             *:*
UDP    YourComputer:1036             *:*
UDP    YourComputer:ntp              *:*
UDP    YourComputer:netbios-ns       *:*
UDP    YourComputer:netbios-dgm      *:*
From this you can see many of the programs and services that are running on your local computer - many of which you don't even realize are running.
Another program, called fport, provides information similar to that which netstat does, but it also details which programs are using the open ports and protocols. (Fport is available for free download from www.foundstone.com.)
Another program, called nmap (for network mapper), will more thoroughly probe your computer for open ports. When nmap is run, it will display a list of open ports and the services or protocols that use those ports. It may also be able to determine what operating system your computer is using. For example, if you run nmap on your local computer, you might see the following output:
Port      State   Service
22/tcp    open    ssh
68/tcp    open    dhcpclient
139/tcp   open    netbios-ssn
445/tcp   open    microsoft-ds
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 1.024 days (since Sat Jul 4 12:15:48 2004)
Nmap is available on your Hacker Highschool or L.A.S. CD. It is also available for download from www.insecure.org.
Run netstat on your local computer, using the -a switch.
netstat -a
What ports are open? Using a web search engine, can you match these ports with the services that run on them? (This would be a good exercise to try at home, also, to see if your computer is running unnecessary - and potentially dangerous - services, such as FTP and telnet.)
Run nmap, using the -sS (for SYN Stealth scan) and -O (for guess operating system) switches and the IP address 127.0.0.1 as the target.
nmap -sS -O 127.0.0.1
The IP address 127.0.0.1 specifies the local host, or your local computer. (Note: this is different from the IP address that other computers on the internet use to communicate with yours; on any machine, the IP address 127.0.0.1 refers to the local computer.) What open ports does nmap find? What services and programs are using these ports? Try running nmap while you have a web browser or telnet client open. Does this change the results?
5.3 System Fingerprinting
Now that you know how to identify a server and how to scan for open ports and use this information to determine what services are running, you can put this information together to fingerprint a remote system, establishing the most likely operating system and services that the remote computer is running.
5.3.1 Scanning Remote Computers
Using an IP address or a domain name other than 127.0.0.1 as an argument for nmap allows you to scan for open ports on remote computers. It doesn't mean that there will be open ports, or that you will find them, but it does allow you to try.
For example, imagine that you have been receiving a large amount of spam e-mails, and you want to discover information about the person who is sending you these e-mails. Looking at the headers of one of the e-mails, you see that many of the e-mails have originated from the same IP address: 256.92.116.13 (see Lesson 9: E-mail Security for more details on reading e-mail headers).
A whois lookup shows you that the address is part of a block assigned to a large ISP, but gives you no information regarding this particular IP address.
If you then use nmap to scan the computer at that address, you get the following results:
nmap -sS -O 256.92.116.13
Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-07-03 20:13 Eastern Daylight Time
Interesting ports on 256.92.116.13:
(The 1632 ports scanned but not shown below are in state: closed)
21/tcp    open      ftp
22/tcp    open      ssh
23/tcp    open      telnet
25/tcp    open      smtp
80/tcp    open      http
110/tcp   open      pop3
113/tcp   open      auth
135/tcp   filtered  msrpc
136/tcp   filtered  profile
137/tcp   filtered  netbios-ns
138/tcp   filtered  netbios-dgm
139/tcp   filtered  netbios-ssn
143/tcp   open      imap
144/tcp   open      news
161/tcp   filtered  snmp
306/tcp   open      unknown
443/tcp   open      https
445/tcp   filtered  microsoft-ds
513/tcp   open      login
514/tcp   open      shell
No exact OS matches for host (If you know what OS is running on it, see
TCP/IP fingerprint:
Uptime 1.877 days (since Thu Jul 01 23:23:56 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 775.578 seconds
The ports marked as filtered are well-known as potentially vulnerable to attack, so it is not a surprise to find them listed as filtered. What is most interesting is that ports 21, 22 and 23 - for ftp, ssh and telnet - are all listed as open.
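Reading a scan like the one above by hand works for twenty lines; an administrator checking their own hosts wants the same sorting done for them. The following is an added example, not part of the lesson: it parses the port table nmap prints, groups the ports by state, recovers the count of closed ports that nmap folded into its parenthetical line, and lists the open ports that carry logins or mail in the clear (ftp, telnet, pop3, imap and the BSD login/shell services), which is what a defender would want to see shut down or replaced with ssh and TLS. The sample text reproduces the lesson's scan and is embedded here as constructed input.

```python
import re

# Constructed sample, reproducing the scan listing shown in the lesson.
NMAP_OUTPUT = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-07-03 20:13 Eastern Daylight Time
Interesting ports on 256.92.116.13:
(The 1632 ports scanned but not shown below are in state: closed)
21/tcp    open      ftp
22/tcp    open      ssh
23/tcp    open      telnet
25/tcp    open      smtp
80/tcp    open      http
110/tcp   open      pop3
113/tcp   open      auth
135/tcp   filtered  msrpc
136/tcp   filtered  profile
137/tcp   filtered  netbios-ns
138/tcp   filtered  netbios-dgm
139/tcp   filtered  netbios-ssn
143/tcp   open      imap
144/tcp   open      news
161/tcp   filtered  snmp
306/tcp   open      unknown
443/tcp   open      https
445/tcp   filtered  microsoft-ds
513/tcp   open      login
514/tcp   open      shell
Nmap run completed -- 1 IP address (1 host up) scanned in 775.578 seconds
"""

# "21/tcp    open      ftp"  ->  port, protocol, state, service name
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HIDDEN_LINE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")

# Services whose credentials or contents travel unencrypted. Their presence on an
# open port is the first thing to fix on a host you are responsible for.
CLEARTEXT_LOGIN = {"ftp", "telnet", "pop3", "imap", "login", "shell"}

def parse_nmap(text):
    """Return [(port, proto, state, service)] for every port line in an nmap listing."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def hidden_ports(text):
    """Return (count, state) for the ports nmap summarised instead of listing, or (0, None)."""
    for line in text.splitlines():
        m = HIDDEN_LINE.match(line.strip())
        if m:
            return int(m.group(1)), m.group(2)
    return 0, None

def summarize(rows):
    """Group port numbers by state and list the open ones exposing cleartext logins."""
    by_state = {}
    for port, _proto, state, _service in rows:
        by_state.setdefault(state, []).append(port)
    cleartext = sorted(port for port, _proto, state, service in rows
                       if state == "open" and service in CLEARTEXT_LOGIN)
    return by_state, cleartext

if __name__ == "__main__":
    rows = parse_nmap(NMAP_OUTPUT)
    by_state, cleartext = summarize(rows)
    count, state = hidden_ports(NMAP_OUTPUT)
    print("listed:", len(rows), "plus", count, state)
    print("open:", by_state.get("open", []))
    print("filtered:", by_state.get("filtered", []))
    print("cleartext logins on open ports:", cleartext)
```

Newer nmap releases also report combined states such as "open|filtered"; the parser keeps the state text as written, so those rows simply appear under their own key in the result.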
The last thing that nmap does is to try to identify the operating system that is running on the scanned computer. In this instance, the tests that nmap runs are inconclusive, however, since nmap does show that ftp and telnet services are both running, you can attempt to connect through each of those to see if there is a banner that will be broadcast.
When you connect through FTP you see a banner that says:
220 ftp316.pair.com NcFTPd Server (licensed copy) ready.
When you then connect through telnet, the computer displays a banner which says
FreeBSD/i386 (ttyp7)
A quick web search tells you that NcFTPd is a Unix program and that FreeBSD is a Unix-type operating system, so it is likely that the server is running a version of FreeBSD as its operating system. You can't be certain that this is accurate (banners can be spoofed), but you can accept this as a reasonable guess.
So, by using nmap, along with FTP and telnet, you have determined that the server which has been sending you spam runs a Unix-type operating system - probably FreeBSD - and is set up to send and receive a large variety of information, through a number of services including FTP, telnet, http, smtp and pop3.
Further Reading
Nmap: http://www.insecure.org/nmap/
More on Nmap:
A number of sites detailing ports and the services that use them:
Various DNS lookups: http://www.dnsstuff.com/
Table of Contents
"License for Use" Information
Contributors
6.0 Introduction
6.1 Viruses (Virii)
6.1.1 Introduction
6.1.2 Description
6.1.2.1 Boot Sector Viruses
6.1.2.2 The Executable File Virus
6.1.2.3 The Terminate and Stay Resident (TSR) Virus
6.1.2.4 The Polymorphic Virus
6.1.2.5 The Macro Virus
6.2 Worms
6.2.1 Introduction
6.2.2 Description
6.3 Trojans and Spyware
6.3.1 Introduction
6.3.2 Description
6.4 Rootkits and Backdoors
6.4.1 Introduction
6.4.2 Description
6.5 Logicbombs and Timebombs
6.5.1 Introduction
6.5.2 Description
6.6 Countermeasures
6.6.1 Introduction
6.6.2 Anti-Virus
6.6.3 NIDS
6.6.4 HIDS
6.6.5 Firewalls
6.6.6 Sandboxes
6.7 Good Safety Advice
Further Reading
Contributors
Simon Biles, Computer Security Online Ltd.
Kim Truett, ISECOM
Pete Herzog, ISECOM
Marta Barceló, ISECOM
6.0 Introduction
"Malware" are programs or parts of programs that have a malicious ( "Mal" ) or unpleasant effect on your computer security. This covers many different terms that you may have heard before, such as "Virus", "Worm" and "Trojan" and possibly a few that you haven't like "Rootkit", "Logicbomb" and "Spyware". This lesson will introduce, define and explain each of these subdivisions of malware, will give you examples, and will explain some of the countermeasures that can be put into place to restrict the problems caused by malware.
6.1 Viruses (Virii)
6.1.1 Introduction
Virus – this is the most common type of malware that people will be aware of. The reason that it is known as a virus, rather than anything else, is historical. The press ran the stories of the first computer virus at the same time as articles concerning the spread of AIDS. At the time, there were simple parallels that could be easily drawn between the two, propagation through interaction with a contaminated party, the reliance on a host and the ultimate "death" of anything infected. This resulted, and still does occasionally, in concerns that people could become "infected" with a computer virus.
6.1.2 Description
Viruses or virii are self-replicating pieces of software that, similar to a biological virus, attach themselves to another program, or, in the case of "macro viruses", to another file. The virus is only run when the program or the file is run or opened. It is this which differentiates viruses from worms. If the program or file is not accessed in any way, then the virus will not run and will not copy itself further.
There are a number of types of viruses, although, significantly, the most common form today is the macro virus, and others, such as the boot sector virus, are now only found "in captivity".
6.1.2.1 Boot Sector Viruses
The boot sector virus was the first type of virus created. It hides itself in the executable code at the beginning of bootable disks. This meant that in order to infect a machine, you needed to boot from an infected floppy disk. A long time ago, ( 15 years or so ) booting from floppy was a relatively regular occurrence, meaning that such viruses were actually quite well spread by the time that people figured out what was happening. This virus ( and all other types ) should leave a signature which subsequent infection attempts detect, so as not to repeatedly infect the same target. It is this signature that allows other software ( such as Anti-Virus-software ) to detect the infection.
6.1.2.2 The Executable File Virus
The Executable File virus attaches itself to files, such as .exe or .com files. Some viruses would specifically look for programs which were a part of the operating system, and thus were most likely to be run each time the computer was turned on, increasing their chances of successful propagation. There were a few ways of adding a virus to an executable file, some of which worked better than others. The simplest way ( and the least subtle ) was to overwrite the first part of the executable file with the virus code. This meant that the virus executed, but that the program would subsequently crash, leaving it quite obvious that there was an infection – especially if the file was an important system file.
6.1.2.3 The Terminate and Stay Resident (TSR) Virus
TSR is a term from DOS where an application would load itself into memory, and then remain there in the background, allowing the computer to run as normal in the foreground. The more complex of these viruses would intercept system calls that would expose them and return false results - others would attach themselves to the 'dir' command, and then infect every application in the directory that was listed – a few even stopped ( or deleted ) Anti-Virus software installed onto the systems.
6.1.2.4 The Polymorphic Virus
Early viruses were easy enough to detect. They had a certain signature to identify them, either within themselves as a method to prevent re-infection, or simply that they had a specific structure which it was possible to detect. Then along came the polymorphic virus. Poly – meaning multiple and morphic – meaning shape. These viruses change themselves each time they replicate, rearranging their code, changing encryption and generally making themselves look totally different. This created a huge problem, as instantly there were much smaller signatures that remained the same – some of the "better" viruses were reduced to a detection signature of a few bytes. The problem was increased with the release of a number of polymorphic kits into the virus writing community which allowed any virus to be recreated as a polymorph.
6.1.2.5 The Macro Virus
The Macro Virus makes use of the built-in ability of a number of programs to execute code. Programs such as Word and Excel have limited, but very powerful, versions of the Visual Basic programming language. This allows for the automation of repetitive tasks, and the automatic configuration of specific settings. These macro languages are misused to attach viral code to documents which will automatically copy itself on to other documents, and propagate. Although Microsoft has turned off the feature by default now on new installations, it used to be that Outlook would automatically execute certain code attached to e-mails as soon as they were read. This meant that viruses were propagating very quickly by sending themselves to all of the e-mail addresses that were stored on the infected machine.
Exercises:
1) Using the internet, try to find an example of each of the above types of virus.
2) Research the Klez virus:
- what is its "payload"
- the Klez virus is well known for SPOOFING. What is spoofing, and how does Klez use it?
- you just learned that your computer is infected with Klez. Research how to remove it.
3) You just received an email with the following Subject: "Warning about your email account". The body of the message explains that your inappropriate use of email will result in your losing Internet privileges and that you should see the attachment for details. But you haven't done anything weird with email as far as you know. Are you suspicious? You should be. Research this information and determine what virus is attached to this message. (HINT: When you start thinking of breakfast – you're correct.)
6.2 Worms
6.2.1 Introduction
Worms are older than viruses. The first worm was created many years before the first virus. This worm made use of a flaw in the UNIX finger command to quickly bring down most of the Internet (which was much smaller at that time). This following section deals with
6.2.2 Description
A worm is a program that, after it has been started, replicates without any need for human intervention. It will propagate from host to host, taking advantage of an unprotected service or services. It will traverse a network without the need for a user to send an infected file or e-mail. Most of the large incidents in the press recently have been worms rather than viruses.
Exercises:
1) Using the internet, see if you can find the first worm that was ever created.
2) Find out what vulnerability the Code Red and Nimda worms use to propagate.
6.3 Trojans and Spyware
6.3.1 Introduction
The first Trojan Horse was created by the Greeks several thousand years ago. ( Think about the film "Troy" if you have seen it ). The basic concept is that you sneak something nasty into an otherwise secure computer in the guise of something nicer. This can range from a downloaded game trailer to an e-mail promising naked pictures of your favorite celebrity. This section covers trojans and spyware.
6.3.2 Description
Trojans are pieces of malware which masquerade as something either useful or desirable in order to get you to run them. At this point they may well do something unpleasant to your computer such as install a backdoor or rootkit (see section 6.4), or - even worse - dial a premium rate phone number that will cost you money.
Spyware is software that installs itself surreptitiously, often from websites that you might visit. Once it is installed it will look for information that it considers valuable. This may be usage statistics regarding your web surfing, or it might be your credit card number. Some pieces of spyware blow their cover by rather irritatingly popping up advertisements all over your
Exercises:
1) Using the internet, find an example of a trojan and of spyware.
6.4 Rootkits and Backdoors
6.4.1 Introduction
Often when a computer has been compromised by a hacker, they will attempt to install a method to retain easy access to the machine. There are many variations on this, some of which have become quite famous – have a look on the Internet for "Back Orifice" !
6.4.2 Description
Rootkits and backdoors are pieces of malware that create methods to retain access to a machine. They could range from the simple ( a program listening on a port ) to the very complex ( programs which will hide processes in memory, modify log files, and listen to a port ). Often a backdoor will be as simple as creating an additional user in a password file which has super-user privileges, in the hope that it will be overlooked. This is because a backdoor is designed to bypass the system's normal authentication. Both the Sobig and MyDoom viruses install back doors as part of their payload.
Exercises:
1) Find on the Internet examples of rootkits and backdoors.
2) Research "Back Orifice", and compare its functionality to the commercially available offering for remote systems management from Microsoft.
6.5 Logicbombs and Timebombs
6.5.1 Introduction
Systems programmers and administrators can be quite odd people. It has been known for there to be measures on a system that will activate should certain criteria be met. For example: a program could be created that, should the administrator fail to log in for more than three weeks, would start to delete random bits of data from the disks. This occurred in a well-known case involving a programmer at a company called General Dynamics in 1992. He created a logicbomb which would delete critical data and which was set to be activated after he was gone. He expected that the company would then pay him significant amounts to come back and fix the problem. However, another programmer found the logic bomb before it went off, and the malicious programmer was convicted of a crime and fined $5,000 US dollars. The judge was merciful – the charges the man faced in court carried fines of up to $500,000 US dollars, plus jail time.
6.5.2 Description
Logicbombs and Timebombs are programs which have no replication ability and no ability to create an access method, but are applications or parts of applications that will cause damage to data should they become active. They can be stand-alone, or part of worms or viruses. Timebombs are programmed to release their payload at a certain time. Logicbombs are programmed to release their payload when a certain event occurs.
The idea behind timebombs, however, is also a useful one. Timebomb programming is used to allow you to download and try a program for a period of time – usually 30 days. At the end of the trial period, the program ceases to function, unless a registration code is provided. This is an example of non-malicious timebomb programming.
Exercises:
1) What other reasonable ( and legal ) uses might there be for timebomb and logicbomb
2) Think about how you might detect such a program on your system.
6.6 Countermeasures
6.6.1 Introduction
There are a number of ways that you can detect, remove and prevent malware. Some of these are common sense, others are technological alternatives. The following section highlights some of these, with a brief explanation and examples.
6.6.2 Anti-Virus
Anti-Virus-software is available in many commercial and Open Source versions. These all work following the same method. They each have a database of known viruses and they will match the signatures of these against the files on the system to see if there are any infections. Often though, with modern viruses, these signatures are very small, and there can often be false positives - things that appear to be viruses that are not. Some virus scanners employ a technique known as heuristics, which means that they have a concept of what a virus "looks like" and can determine if an unknown application matches these criteria. Recently AntiVirus software has also crossed the boundary into Host Based Intrusion Detection, by keeping a list of files and checksums in order to increase the speed of scanning.
6.6.3 NIDS
Network intrusion detection is similar to AntiVirus software. It looks for a particular signature or behavior from a worm or virus. It can then either alert the user, or automatically stop the network traffic carrying the malware.
6.6.4 HIDS
Host based Intrusion Detection systems, such as Tripwire, are capable of detecting changes made to files. It is reasonable to expect that an application, once it is compiled, should not need to change, so watching various aspects of it, such as its size, last modification date and checksum, makes it instantly obvious that something is wrong.
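The size / modification date / checksum idea above, as an added example (not the lesson's code and not Tripwire's): a baseline is recorded for a set of files, and a later comparison names which attribute changed. The demo runs in a temporary directory it creates itself, with constructed file contents standing in for program binaries.

```python
"""Host-based change detection in the style of section 6.6.4 (what Tripwire does).

Added example; it is not Tripwire's code. A baseline records the size, modification
time and a SHA-256 checksum of each watched file, and a later comparison reports
which of those attributes changed. The demo works in a temporary directory it
creates itself, with constructed file contents standing in for program binaries.
"""
import hashlib
import os
import tempfile

ATTRS = ("size", "mtime_ns", "sha256")


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Baseline: the attributes the lesson says a compiled program should keep."""
    base = {}
    for p in paths:
        st = os.stat(p)
        base[p] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                   "sha256": sha256_of(p)}
    return base


def compare(baseline, paths):
    """Return {path: [what changed]} for every watched file that differs.

    A baselined file that is gone reports ['missing']; an existing file that was
    never baselined reports ['new']; otherwise the list names the attributes that
    differ (a checksum change with unchanged size and mtime is the telling case).
    """
    current = snapshot([p for p in paths if os.path.exists(p)])
    report = {}
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            report[p] = ["missing"]
        elif p not in baseline:
            report[p] = ["new"]
        else:
            changed = [a for a in ATTRS if baseline[p][a] != current[p][a]]
            if changed:
                report[p] = changed
    return report


def demo():
    """Baseline two fake binaries, tamper with one, and return the report."""
    with tempfile.TemporaryDirectory() as d:
        ls, cat = os.path.join(d, "ls"), os.path.join(d, "cat")
        for p in (ls, cat):
            with open(p, "wb") as f:
                f.write(b"\x7fELF original program bytes")  # constructed content
        base = snapshot([ls, cat])
        # Replace with content of the same length, then put the old timestamp
        # back, as someone hiding a modified binary would; only the checksum
        # still gives it away.
        with open(ls, "wb") as f:
            f.write(b"\x7fELF tampered program bytes")
        os.utime(ls, ns=(base[ls]["mtime_ns"], base[ls]["mtime_ns"]))
        return compare(base, [ls, cat])


if __name__ == "__main__":
    for path, changed in demo().items():
        print("%s changed: %s" % (path, ", ".join(changed)))
```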
6.6.5 Firewalls
Worms propagate across the network by connecting to vulnerable services on each host. Apart from ensuring that none of these vulnerable services are running, the next best thing is to ensure that your firewall does not allow connections to these services. Many modern firewalls will provide some form of packet filtering similar to a NIDS which will rule out packets matching a certain signature. (Firewalls are discussed in more detail in section 7.1.2).
6.6.6 Sandboxes
The concept of a sandbox is simple. Your application has its own little world to play in and can't do anything to the rest of your computer. This is implemented as standard in the Java programming language, and can also be implemented through other utilities such as chroot in Linux. This restricts the damage that any malware can do to the host operating system by simply denying it the access required. Another option is to run a full machine inside a machine using a virtual machine product such as VMWare. This isolates the virtual machine from the host operating system, only allowing access as defined by the user.
Example – http://www.vmware.com – VMWare virtual machines
Exercises:
1. Matching Game: Research each of the following and match it to the type of countermeasure that it is:
1. http://www.vmware.com NIDS
2. http://www.tripwire.org Antivirus
3. http://www.snort.org Firewalls
4. http://www.checkpoint.com Sandboxes
5. http://www.sophos.com HIDS
2. Research Spybot Search and Destroy and determine what type of malware it protects your computer against.
3. Research how NIDS and HIDS work.
4. Research Firewall solutions on the net.
5. Look up "chroot" on the internet. Read about this type of "jail" or "sandbox".
6.7 Good Safety Advice
There are a number of simple things that you can do in order to minimize your risk to Malware.
Only download from reputable sources ( that means no W4R3Z, please. )
Don't open e-mail attachments from people you don't know.
Don't leave macros enabled by default in your applications.
Keep your OS and applications up to date with patches.
If downloading and installing software with a checksum – check the checksum.
Further Reading
AV Vendor Sites -
All of these sites have databases listing details of trojans, viruses and other malware. There are also detailed descriptions of the functioning of the above.
http://www.lavasoft.nu/ - Adware Cleaning Software (Freeware Version)
Table of Contents
"License for Use" Information
Contributors
7.0 Introduction
7.1 Netstat and Host Application Firewalls
7.1.1 Netstat
7.1.2 Firewalls
7.1.3 Exercises
7.2 Packet Sniffers
7.2.1 Sniffing
7.2.2 Decoding Network Traffic
7.2.3 Sniffing Other Computers
7.2.4 Intrusion Detection Systems
7.2.5 Exercises
7.3 Honeypots and Honeynets
7.3.1 Types of Honeypots
7.3.2 Building a Honeypot
7.3.3 Exercises
Further Reading
Glossary
Contributors
Pete Herzog, ISECOM
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM
7.0 Introduction
There are a lot of programs on your computer that will want to open up network connections. Some of these programs have valid reasons for connecting (your web browser won't work nearly as well without access to a network connection as it will with one), others have been written by people with motives ranging from questionable to criminal. If you want to protect your computer, you'll have to learn how to detect network access, and identify the source and intent. Not every attempt at network access is an attack, but if you don't know how to identify friend from foe, you might as well just leave your door open.
7.1 Netstat and Host Application Firewalls
To be able to identify an attack, you have to know what applications and processes normally run on your computer. Just looking at a graphical interface, whether in Windows or Linux, won't let you see what's going on underneath the surface. Netstat and a firewall can be used to help you identify which programs should be allowed to connect with the network.
7.1.1 Netstat
(netstat is also discussed in section 5.2.3) The netstat command will display the status of the network. Netstat can give you information about what ports are open and the IP addresses that are accessing them, what protocols those ports are using, the state of the port, and information about the process or program using the port.
At a command prompt enter:
netstat -aon (for Windows) or
netstat -apn (for Linux)
and netstat will produce a display similar to this:

Active Connections

Proto  Local Address        Foreign Address      State        PID
TCP                                              LISTENING    3400
TCP                                              LISTENING    3400
TCP                                              LISTENING    2740
TCP    257.35.7.128:1243    64.257.167.99:80     ESTABLISHED  3400
TCP    257.35.7.128:1258    63.147.257.37:6667   ESTABLISHED  3838
TCP    127.0.0.1:1542                            LISTENING    1516
TCP    127.0.0.1:1133       127.0.0.1:1134       ESTABLISHED  3400
TCP    127.0.0.1:1134       127.0.0.1:1133       ESTABLISHED  3400
TCP    127.0.0.1:1251       127.0.0.1:1252       ESTABLISHED  2740
TCP    127.0.0.1:1252       127.0.0.1:1251       ESTABLISHED  2740

Now, you need to match the numbers in the PID column with names of the processes that are running. In Windows, you should bring up the Windows Task Manager, by pressing CTL+ALT+DEL. (If it doesn't show a PID column, click on View, then Select Columns, then select PID.) In Linux, go to a command prompt and enter ps auxf to display the processor status.
In the case of our example results listed above, we find that PID 3400 belongs to our web browser and PID 2740 belongs to our email client, both of which we have knowingly executed, and both of which have valid reasons for establishing connections to the Internet. However, PID 3838 belongs to a program named 6r1n.exe, and PID 1516 belongs to a program named buscanv.exe, neither of which we are familiar with.
However, just because you don't recognize the name of a program, that doesn't mean that it doesn't have a reason to be running on your system. The next step in this process is for us to go to an Internet search engine and try to discover what these two programs do.
In our search, we discover that buscanv.exe is required by our virus scanner and should be running. However, 6r1n.exe could be a trojan. Looking again at the display from netstat, we can see that the port associated with the 6r1n.exe program is 6667, an IRC port commonly used by trojans for remote access. At this point, we begin researching methods for removing the trojan.
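The PID-matching walk-through above, as an added example (not the lesson's code): it parses netstat -aon output, joins the PID column with a process-name table of the kind you read off Task Manager or ps auxf, and flags programs you have not recognised or that talk to port 6667. The netstat text, the process names (firefox.exe and thunderbird.exe are stand-ins for the lesson's browser and email client) and the recognised list are constructed to mirror the lesson's example PIDs.

```python
"""Triage of `netstat -aon` output, following the steps in section 7.1.1.

Added example; it is not code from the lesson. The netstat text, the PID-to-program
table and the list of recognised programs are constructed to mirror the lesson's
walk-through (PIDs 3400, 2740, 3838 and 1516), not taken from a real machine.
"""
import re
from collections import namedtuple

# Constructed sample in the layout of `netstat -aon` on Windows.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    257.35.7.128:1243      64.257.167.99:80       ESTABLISHED     3400
  TCP    257.35.7.128:1258      63.147.257.37:6667     ESTABLISHED     3838
  TCP    127.0.0.1:1542         0.0.0.0:0              LISTENING       1516
  TCP    127.0.0.1:1133         127.0.0.1:1134         ESTABLISHED     3400
  TCP    127.0.0.1:1251         127.0.0.1:1252         ESTABLISHED     2740
  UDP    0.0.0.0:1900           *:*                                    2740
"""

# Constructed PID -> image name table, as read from Task Manager
# (View > Select Columns > PID) or from `ps auxf` on Linux.
PROCESS_NAMES = {3400: "firefox.exe", 2740: "thunderbird.exe",
                 3838: "6r1n.exe", 1516: "buscanv.exe"}

# Programs you started yourself or have looked up and confirmed
# (the lesson finds buscanv.exe belongs to the virus scanner).
KNOWN_GOOD = {"firefox.exe", "thunderbird.exe", "buscanv.exe"}

# Remote ports the lesson singles out: 6667 is an IRC port used by trojans.
SUSPICIOUS_REMOTE_PORTS = {6667}

Conn = namedtuple("Conn", "proto local remote state pid")

# The State column is absent on UDP rows, so it is optional in the pattern.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one Conn per connection row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def remote_port(addr):
    """Port of a 'host:port' string, or None when there is none (e.g. '*:*')."""
    host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def triage(conns, names=PROCESS_NAMES, known_good=KNOWN_GOOD,
           bad_ports=SUSPICIOUS_REMOTE_PORTS):
    """Return (pid, program, remote, reason) for every connection worth a look.

    A connection is flagged when its program is not on the recognised list
    (look it up before deciding) or when its remote port is one of bad_ports.
    """
    findings = []
    for c in conns:
        name = names.get(c.pid, "<unknown pid %d>" % c.pid)
        reasons = []
        if name not in known_good:
            reasons.append("program not recognised")
        port = remote_port(c.remote)
        if port in bad_ports:
            reasons.append("remote port %d is an IRC port" % port)
        if reasons:
            findings.append((c.pid, name, c.remote, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pid, name, remote, why in triage(parse_netstat(NETSTAT_OUTPUT)):
        print("PID %d %s -> %s: %s" % (pid, name, remote, why))
```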
7.1.2 Firewalls
Now, you could sit at your computer and run netstat over and over and over and over, keeping a constant vigil on the data moving in and out of your computer, or you could use a firewall program to do it for you.
A firewall monitors network traffic on your computer and uses a number of rules or filters to determine whether or not a program should be allowed to access the network. A firewall can filter data according to IP addresses and domain names, ports and protocols, or even transmitted data. This means that you can do things such as:
block or allow all data coming from a specific IP address
block or allow all data coming from a specific domain
close or open specific ports
block or allow specific protocols
block or allow packets which contain specific data strings.
You can also combine these filters to allow for careful control of the data that is allowed through the network. For example, you could:
allow data from www.ibiblio.com through ports 20 or 21 only
allow data from www.google.com that uses the UDP protocol
allow data from www.yahoo.com only through port 80 and only if the packets contain the text string "I will not waste bandwidth".
You, however, won't need to work out all the rules on your own. You can take advantage of the firewall's ability to set these filters itself. After you first install a firewall, you will be hit with a flurry of warnings and requests for access, and you will have to determine whether or not a program will be allowed to access the network. (The firewall may also give you the option to let the firewall determine what rights programs have to access the network, but then you wouldn't learn anything, would you?) This process is going to be similar to the one that we used to identify the programs listed by netstat. A program named iexplorer.exe is obviously Microsoft's Internet Explorer and, if you use it as your web browser, then the firewall must allow it to access the Internet. But a program named cbox.exe could be anything. You've got no choice but to go to your preferred web search engine and check it out. (Of course, before you can do this, you've got to tell the firewall to allow your web browser to access the
The firewall program should also give you the option to allow access to a program repeatedly, or just once. Some programs – like your web browser – should be allowed to access the network anytime, but for other programs – such as the ones that automatically check for program updates – you can learn a lot about how your computer works by having the firewall ask for permission every time that the program requests access.
Firewalls are available as stand-alone programs (including a number of free versions for both Windows and Linux) or they are often bundled with anti-virus software. Additionally, Windows XP comes with a built-in firewall, but, as is the case with Windows Internet Explorer, it will be targeted by people looking for exploits – flaws in other firewalls may never be found, but flaws in a Microsoft firewall will be found and they will be exploited.
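How the single filters listed above combine into rules, as an added example (not the lesson's code and not any real firewall's): each rule field left as ANY matches everything, the first matching rule wins, and a packet no rule mentions is dropped by default. The three combined rules are the lesson's; hosts are matched by name here (a real firewall resolves them to addresses first) and 198.51.100.7 is a constructed address for the "block one IP" rule.

```python
"""A small rule-table packet filter in the spirit of section 7.1.2.

Added example; it is not the lesson's code nor any real firewall's. The rule table
encodes the lesson's three combined filters; hosts are matched by name (a real
firewall resolves them to addresses first) and 198.51.100.7 is a constructed address.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_host proto dport payload")
# A rule field set to ANY matches everything: that is how single filters combine.
Rule = namedtuple("Rule", "action src_ip src_host proto dports substring")
ANY = None


def matches(rule, pkt):
    """True when every field of the rule that is not ANY agrees with the packet."""
    checks = (
        rule.src_ip is ANY or rule.src_ip == pkt.src_ip,
        rule.src_host is ANY or rule.src_host == pkt.src_host,
        rule.proto is ANY or rule.proto == pkt.proto,
        rule.dports is ANY or pkt.dport in rule.dports,
        rule.substring is ANY or rule.substring in pkt.payload,
    )
    return all(checks)


def decide(rules, pkt, default="block"):
    """First matching rule wins; a packet no rule mentions gets the default (deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


RULES = [
    # block all data coming from a specific IP address (constructed address);
    # it comes first so it also beats the allow rules below
    Rule("block", "198.51.100.7", ANY, ANY, ANY, ANY),
    # allow data from www.ibiblio.com through ports 20 or 21 only
    Rule("allow", ANY, "www.ibiblio.com", ANY, {20, 21}, ANY),
    # allow data from www.google.com that uses the UDP protocol
    Rule("allow", ANY, "www.google.com", "UDP", ANY, ANY),
    # allow data from www.yahoo.com only through port 80 and only if the
    # packets contain the text string "I will not waste bandwidth"
    Rule("allow", ANY, "www.yahoo.com", ANY, {80}, b"I will not waste bandwidth"),
]


def filter_log(packets, rules=RULES):
    """Decide each packet in turn and return (decision, packet) pairs."""
    return [(decide(rules, p), p) for p in packets]


if __name__ == "__main__":
    sample = [  # constructed packets
        Packet("203.0.113.5", "www.ibiblio.com", "TCP", 21, b""),
        Packet("203.0.113.5", "www.ibiblio.com", "TCP", 80, b""),
        Packet("203.0.113.8", "www.yahoo.com", "TCP", 80, b"cat pictures"),
    ]
    for decision, pkt in filter_log(sample):
        print(decision, pkt.src_host, pkt.proto, pkt.dport)
```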
7.1.3 Exercises
Open up a command prompt on your computer and enter:
netstat -aon (for Windows) or
netstat -apn (for Linux)
Match the PID numbers with program names and try to determine which programs on your computer are accessing the network. (This is something that you can try at home, also.)
7.2 Packet Sniffers
Netstat will tell you what programs are connected to the network, but it won't show you what data these programs are sending. A packet sniffer, however, gives you the means to record and study the actual data that the programs are sending through the network.
7.2.1 Sniffing
A packet sniffer will record the network traffic on your computer, allowing you to look at the data. Tcpdump (and its Windows port, windump) may be considered the archetypical packet sniffers, but we're going to use Ethereal for our examples, because its graphical interface is simpler, and it allows you to more quickly record and view a basic capture file.
If you don't already have Ethereal, it can be downloaded from www.ethereal.com. Note to Windows users: To use Ethereal on a Windows based system, you must first download and install the WinPcap packet capture driver. WinPcap is available on the Ethereal download page or you can go to www.winpcap.polito.it to download it directly.
Shut down all other applications, then start Ethereal. In the menu click on View then Autoscroll in Live Capture. Next, click on Capture, then Start to go to the Capture Options screen. On the Capture Options screen, make sure that the box marked "Capture packets in promiscuous mode" is not checked, that the three check boxes under "Name Resolution" are checked, and that the box marked "Update list of packets in real time" is checked.
Now, click on the "OK" button.
In theory, nothing should happen now. You'll see a window for Ethereal which displays the number of packets that have been captured, and, behind this, you'll see the Ethereal screen which displays the data in those packets. You may see a small amount of traffic that is caused by the computers on the local network trying to keep track of each other (ARP, NBNS, ICMP) followed by DNS activity as Ethereal attempts to resolve names.
To see activity, you're going to generate some activity. While Ethereal is running, open your web browser. Minimize everything other than the main Ethereal screen and your web browser, and arrange the Ethereal and web browser windows so that you can see both at the same time. Now go to a web search engine, such as www.google.com.
As the web page loads, you should see information about captured packets scrolling up through the Ethereal screen. Pick a search term and enter it into the search bar. Click on some of the web pages that are brought up by the search and watch what happens in Ethereal as you do.
Note: If Ethereal reports no network activity at all, you may have the wrong network interface chosen. Go to the Interface drop-down list in the Capture Options screen and choose a different network interface.
7.2.2 Decoding Network Traffic
Now that you can see the network data that's moving through your computer, you have to
figure out how to decode it.
In Ethereal, the first step, before you even end the capture session, is to look at the summary
capture screen that the program displays while it is performing the capture. For our web
browsing session, most of the packets should have been TCP packets (although if you
stopped to watch a streaming video, your UDP packet numbers will have been increased).
However, if you're capturing a simple web browsing session, and you see a large number of
ARP or ICMP packets, that could indicate a problem.
After you've ended the capture session, you're going to see output similar to this:
No. Time     Source             Destination        Protocol Info
1   0.000000 257.10.3.250       rodan.mozilla.org  TCP      1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
2   0.045185 257.10.3.250       rheet.mozilla.org  TCP      1657 > http [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
3   0.335184 rheet.mozilla.org  257.10.3.250       TCP      http > 1657 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
4   0.335255 257.10.3.250       rheet.mozilla.org  TCP      1657 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
5   0.338234 257.10.3.250       rheet.mozilla.org  HTTP     GET /products/firefox/start/ HTTP/1.1
6   0.441048 rheet.mozilla.org  257.10.3.250       TCP      http > 1657 [ACK] Seq=1 Ack=580 Win=6948 Len=0
7   0.441816 rheet.mozilla.org  257.10.3.250       HTTP     HTTP/1.1 304 Not Modified
8   0.558132 257.10.3.250       rheet.mozilla.org  TCP      1657 > http [ACK] Seq=580 Ack=209 Win=17312 Len=0
9   2.855875 257.10.3.250       rodan.mozilla.org  TCP      1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
10  4.475528 257.10.3.250       name.server.com    DNS      Standard query PTR 250.3.10.257.in-addr.arpa
11  4.475776 257.10.3.250       name.server.com    DNS      Standard query PTR 205.111.126.207.in-addr.arpa
12  4.475854 257.10.3.250       name.server.com    DNS      Standard query PTR 202.111.126.207.in-addr.arpa
In this example, these twelve packets illustrate the web browser's activity as it connects with
its specified start page. The most easily decoded information is in the Source and Destination
columns. IP address 257.10.3.250 is the local computer; the other IP addresses have been
resolved to names by Ethereal. Since the web browser used was the Mozilla Firefox browser,
and since its start page was the default Mozilla Firefox page, it is not surprising to see
addresses from the mozilla.org domain. The requests sent to name.server.com were probably
generated by Ethereal when it sent DNS queries to resolve the IP addresses into names. (Note:
these accesses by the Ethereal program were caused by the options you set in the Display
Options and Name Resolution boxes. They were set to on in this example in order to produce
a more readable output. If you toggle these options to off, then you won't have this extra
Looking at source and destination information can help you spot unauthorized activity. For
example, an unfamiliar domain name that is repeatedly accessed might indicate that you
have a spyware program installed.
The next column is the Protocol column, which tells you what protocol the packets used.
Again, to know when something is wrong here, you're going to have to know what to expect.
In our web browsing session, we expect TCP and HTTP, and we understand why the DNS
packets are there, but, for example, a large number of ICMP packets could mean that your
machine is being pinged or traced.
The last column, Info, provides more detailed information about the packets. Packets 2, 3 and
4 show the TCP three-way handshake of SYN, SYN/ACK, ACK, which indicates that a
connection has been made. Packet 5 shows an HTTP GET command followed in packet 7 by
a 304 Not Modified response.
If you want more information about the packets, the bottom two panes in the Ethereal screen
show detailed explanations. The middle pane shows the details of the packet header. The
bottom pane shows a hex and ASCII dump of the data in the packet.
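As an added example (not part of the lesson), the following shell script reads the same twelve summary lines, re-typed here as constructed input, and does with awk what the text does by eye: it counts packets per protocol, finds the complete SYN, SYN/ACK, ACK handshake, reports SYNs that never got an answer, and lists the HTTP request and response.

```shell
#!/bin/sh
# Added example, not from the Hacker Highschool lesson: analyse an Ethereal
# summary listing in a script.  CAPTURE holds the twelve lines shown in the
# text, re-typed as constructed sample input (addresses are the lesson's own).

CAPTURE='1 0.000000 257.10.3.250 rodan.mozilla.org TCP 1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
2 0.045185 257.10.3.250 rheet.mozilla.org TCP 1657 > http [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
3 0.335184 rheet.mozilla.org 257.10.3.250 TCP http > 1657 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
4 0.335255 257.10.3.250 rheet.mozilla.org TCP 1657 > http [ACK] Seq=1 Ack=1 Win=17520 Len=0
5 0.338234 257.10.3.250 rheet.mozilla.org HTTP GET /products/firefox/start/ HTTP/1.1
6 0.441048 rheet.mozilla.org 257.10.3.250 TCP http > 1657 [ACK] Seq=1 Ack=580 Win=6948 Len=0
7 0.441816 rheet.mozilla.org 257.10.3.250 HTTP HTTP/1.1 304 Not Modified
8 0.558132 257.10.3.250 rheet.mozilla.org TCP 1657 > http [ACK] Seq=580 Ack=209 Win=17312 Len=0
9 2.855875 257.10.3.250 rodan.mozilla.org TCP 1656 > 8080 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
10 4.475528 257.10.3.250 name.server.com DNS Standard query PTR 250.3.10.257.in-addr.arpa
11 4.475776 257.10.3.250 name.server.com DNS Standard query PTR 205.111.126.207.in-addr.arpa
12 4.475854 257.10.3.250 name.server.com DNS Standard query PTR 202.111.126.207.in-addr.arpa'

# Column layout: $1 No., $2 Time, $3 Source, $4 Destination, $5 Protocol, $6.. Info.

# Packets per protocol.  For a plain browsing session the text expects TCP,
# HTTP and a few DNS lookups; a large ARP or ICMP count would stand out here.
protocol_counts() {
    printf '%s\n' "$CAPTURE" | awk '{ n[$5]++ } END { for (p in n) print p, n[p] }' | sort
}

# Three-way handshakes: a [SYN] from port A to B, a [SYN, ACK] back from B to A,
# then the first [ACK] from A to B completes the connection.  A SYN that never
# gets a SYN/ACK (packets 1 and 9 above, to port 8080) is reported at the end.
handshakes() {
    printf '%s\n' "$CAPTURE" | awk '
        /\[SYN\] /     { syn[$6 " " $8] = $1 }
        /\[SYN, ACK\]/ { k = $8 " " $6; if (k in syn) synack[k] = $1 }
        /\[ACK\] /     { k = $6 " " $8
                         if ((k in synack) && !(k in done)) {
                             done[k] = 1
                             print "handshake " k " packets " syn[k] "," synack[k] "," $1
                         } }
        END { for (k in syn) if (!(k in synack)) print "unanswered SYN " k }'
}

# The HTTP request and its response, printed as "packet number: Info".
http_exchange() {
    printf '%s\n' "$CAPTURE" | awk '$5 == "HTTP" {
        info = $6; for (i = 7; i <= NF; i++) info = info " " $i
        print $1 ": " info }'
}

protocol_counts
handshakes
http_exchange
```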
7.2.3 Sniffing Other Computers
Some of you, having looked at the information in this section, and having looked at the data
that can be recorded by Ethereal, may be wondering about the possibilities of using packet
sniffing software to record activity on other people's computers. Is this possible?
Yes, and no. It's called promiscuous mode and it allows a packet sniffer to monitor network
activity for all computers on a network. This means that you might be able to record network
activity on another computer that is in your own network (depending on the way that the
hardware is set up), but you can't pick any one computer at random and magically sniff their
data: the two computers must be physically connected, and the hardware and software
must be properly configured.
7.2.4 Intrusion Detection Systems
You've probably realized that, to use a packet sniffer to detect unauthorized activity in real
time, would require you to sit at your computer, watching the output of the packet sniffer
and desperately hoping to see some kind of pattern. An intrusion detection system performs
this task for you. These programs combine the ability to record network activity with sets of
rules that allow them to flag unauthorized activity and generate real-time warnings.
1. Open Ethereal and start a live capture. Now open your web browser and look for a plain
text document to download. Download and save the text file to your hard drive, then close
the web browser and end the capture session in Ethereal. Look through the packets captured
by Ethereal, paying close attention to the ASCII dump in the bottom pane. What do you see?
If you have access to an email account, try checking your email while Ethereal is performing
a capture. What do you see there?
2. Open Ethereal. On the Capture Options screen, make sure that the box marked "Capture
packets in promiscuous mode" is checked. This option may allow you to capture packets
directed to or coming from other computers. Begin the capture and see what happens. Do
you see any traffic that is intended for a computer other than yours?
What do you know about the hardware that connects your computer to the network? Does it
connect to the other computers through a switch, a router or a hub? Go to a web search
engine and try to find out which piece or pieces of hardware would make it most difficult to
capture packets from other computers. What hardware would make it easiest?
3. Go to www.snort.org, or use a web search engine to research intrusion detection systems.
How are they different from firewalls? What do they have in common with packet sniffers?
What kinds of unauthorized activity can they detect? What kinds of activity might they be
unable to detect?
7.3 Honeypots and Honeynets
People who like to watch monkeys go to the zoo, because there might be monkeys there.
People who like to watch birds put out bird feeders, and the birds come to them. People who
like to watch fish build aquariums, and bring the fish to themselves. But what do you do if you
want to watch hackers?
You put out a honeypot.
Think about it this way: you're a bear. You may not know much (being a bear) but you do
know that honey is tasty, and there is nothing better on a warm summer day than a big
handful of honey. So you see a big pot full of honey sitting out in the center of a clearing, and
you're thinking, "Yum!" But once you stick your paw in the honey pot, you risk getting stuck. If
nothing else, you're going to leave big, sticky paw prints everywhere, and everyone is going
to know that someone has been in the honey, and there's a good chance that anyone who
follows the big, sticky paw prints is going to discover that it's you. More than one bear has
been trapped because of his affection for tasty honey.
A honeypot is a computer system, network, or virtual machine that serves no other purpose
than to lure in hackers. In a honeypot, there are no authorized users: no real data is stored in
the system, no real work is performed on it, so every access, every attempt to use it, can be
identified as unauthorized. Instead of sifting through logs to identify intrusions, the system
administrator knows that every access is an intrusion, so a large part of the work is already
7.3.1 Types of Honeypots
There are two types of honeypots: production and research.
Production honeypots are used primarily as warning systems. A production honeypot identifies
an intrusion and generates an alarm. They can show you that an intruder has identified the
system or network as an object of interest, but not much else. For example, if you wanted to
know if bears lived near your clearing, you might set out ten tiny pots of honey. If you
checked them in the morning and found one or more of them empty, then you would know
that bears had been in the vicinity, but you wouldn't know anything else about the bears.
Research honeypots are used to collect information about hackers' activities. A research
honeypot lures in hackers, then keeps them occupied while it quietly records their actions. For
example, if, instead of simply documenting their presence, you wanted to study the bears,
then you might set out one big, tasty, sticky pot of honey in the middle of your clearing, but
then you would surround that pot with movie cameras, still cameras, tape recorders and
research assistants with clipboards and pith helmets.
The two types of honeypots differ primarily in their complexity. You can more easily set up and
maintain a production honeypot because of its simplicity and the limited amount of
information that you hope to collect. In a production honeypot, you just want to know that
you've been hit; you don't care so much whether the hackers stay around. However, in a
research honeypot, you want the hackers to stay, so that you can see what they are doing.
This makes setting up and maintaining a research honeypot more difficult, because you must
make the system look like a real, working system that offers files or services that the hackers
find interesting. A bear who knows what a honeypot looks like might spend a minute looking
at an empty pot, but only a pot full of tasty honey is going to keep the bear hanging
around long enough for you to study it.
7.3.2 Building a Honeypot
In the most basic sense, a honeypot is nothing more than a computer system which is set up
with the expectation that it will be compromised by intruders. Essentially, this means that if you
connect a computer with an insecure operating system to the Internet, then let it sit there,
waiting to be compromised, you have created a honeypot!
But this isn't a very useful honeypot. It's more like leaving your honey out in the clearing, then
going home to the city. When you come back, the honey will be gone, but you won't know
anything about who, how, when or why. You don't learn anything from your honeypot, unless
you have some way of gathering information regarding it. To be useful, even the most basic
honeypot must have some type of intrusion detection system.
The intrusion detection system could be as simple as a firewall. Normally a firewall is used to
prevent unauthorized users from accessing a computer system, but it also logs everything
that passes through or is stopped. Reviewing the logs produced by the firewall can provide
basic information about attempts to access the honeypot.
More complex honeypots might add hardware, such as switches, routers or hubs, to further
monitor or control network access. They may also use packet sniffers to gather additional
information about network traffic.
Research honeypots may also run programs that simulate normal use, making it appear that
the honeypot is actually being accessed by authorized users, and teasing potential intruders
with falsified emails, passwords and data. These types of programs can also be used to
disguise operating systems, making it appear, for example, that a Linux based computer is
running Windows.
But the thing about honey is that it's sticky, and there's always a chance that your honeypot is
going to turn into a bees' nest. And when the bees come home, you don't want to be the one
with your hand stuck in the honey. An improperly configured honeypot can easily be turned
into a launching pad for additional attacks. If a hacker compromises your honeypot, then
promptly launches an assault on a large corporation or uses your honeypot to distribute a
flood of spam, there's a good chance that you will be identified as the one responsible.
Correctly configured honeypots control network traffic going into and out of the computer. A
simple production honeypot might allow incoming traffic through the firewall, but stop all
outgoing traffic. This is a simple, effective solution, but intruders will quickly realize that it is not
a real, working computer system. A slightly more complex honeypot might allow some
outgoing traffic, but not all.
Research honeypots, which want to keep the intruders interested as long as possible,
sometimes use manglers, which audit outgoing traffic and disarm potentially dangerous data
by modifying it so that it is ineffective.
Honeypots can be useful tools for research and for spotting intruders, but using them to
capture and prosecute these intruders is another question. Different jurisdictions have different
definitions and standards, and judges and juries often have varying views, so there are many
questions that need to be considered. Do honeypots represent an attempt at entrapment? Is
recording a hacker's activities a form of wiretapping?
And on the specific question of honeypots: can it be illegal to compromise a system that was
designed to be compromised? These questions have yet to be thoroughly tested.
Discuss your opinions on the legalities of using honeypots for capturing hackers involved in
criminal activities. Do you think it would be a useful tool for law enforcement agencies? Is it
entrapment? Do you think it constitutes an "attractive nuisance"? If a hacker compromises a
honeypot, who do you think is ultimately responsible?
Further Reading
General Firewall Information:
One of many free firewall programs:
Firewalling for Linux:
Packet Sniffing:
Snort and IDS:
Table of Contents
"License for Use" Information 2
Contributors 4
8.0 Introduction 5
8.1 Forensic Principles 6
8.1.0 Introduction 6
8.1.1 Avoid Contamination 6
8.1.2 Act Methodically 6
8.1.3 Chain of Evidence 6
8.1.4 Conclusion 6
8.2 Stand-alone Forensics 7
8.2.0 Introduction 7
8.2.1 Hard Drive and Storage Media Basics 7
8.2.2 Encryption, Decryption and File Formats 8
8.2.3 Finding a Needle in a Haystack 10
8.2.3.1 find 10
8.2.3.2 grep 10
8.2.3.3 strings 11
8.2.3.4 awk 11
8.2.3.5 The Pipe "|" 11
8.2.4 Making use of other sources 11
8.3 Network Forensics 13
8.3.0 Introduction 13
8.3.1 Firewall Logs 13
8.3.2 Mail Headers 13
Further Reading 14
Contributors
Simon Biles, Computer Security Online Ltd.
Pete Herzog, ISECOM
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM
8.0 Introduction
Forensics concerns the application of a methodical investigation technique in order to
reconstruct a sequence of events. Most people are now familiar with the concept of forensics
from TV and films, "CSI (Crime Scene Investigation)" being one of the most popular. Forensic
science was for a long time, and still is really, most associated with forensic pathology:
finding out how people died. The first recorded description of forensics was on just this subject.
In 1248, a Chinese book called Hsi DuanYu (the Washing Away of Wrongs) was published. This
book describes how to tell if someone has drowned or has been strangled.
Digital forensics is a bit less messy and a bit less well known. This is the art of recreating
what has happened in a digital device. In the past it was restricted to computers only, but
now encompasses all digital devices such as mobile phones, digital cameras, and even GPS
devices. It has been used to catch murderers, kidnappers, fraudsters, Mafia bosses and many
other decidedly unfriendly people.
In this lesson, we are going to cover two aspects of forensics (all computer based, I'm
afraid; no mobile phone stuff here).
1. What people have been up to on their own computer.
This covers ...
... the recovery of deleted files.
... elementary decryption.
... searching for certain file types.
... searching for certain phrases.
... looking at interesting areas of the computer.
2. What a remote user has been doing on someone else's computer.
This covers ...
... reading log files.
... reconstructing actions.
... tracing the source.
This lesson is going to focus on the tools available under Linux. There are tools that are
available under Windows, as well as dedicated software and hardware for doing forensics,
but with the capability of Linux to mount and understand a large number of alternate
operating and file systems, it is the ideal environment for most forensic operations.
1 Apparently it is something to do with marks left around the throat, and the level of water penetration
into the lungs.
2 Global Positioning System: a thing which tells you where you are in the world using a number of
orbiting satellites.
8.1 Forensic Principles
8.1.0 Introduction
There are a number of basic principles that are necessary regardless of whether you
are examining a computer or a corpse. This section is a quick summary of these principles.
8.1.1 Avoid Contamination
On TV you see forensic examiners dressed up in white suits with gloves, handling all
evidence with tweezers and putting it into sealed plastic bags. This is all to prevent
"contamination". This is where evidence is tainted, for example, by fingerprints being added
to the handle of a knife by someone picking it up (think The Fugitive if you have seen it ... look
what trouble it got him into!).
8.1.2 Act Methodically
Whatever you do, when (if?) you get to court, you will need to justify all the actions
that you have taken. If you act in a scientific and methodical manner, making careful notes
of what it is that you are doing and how you do it, this justification becomes much easier. It
also allows for someone else to follow your steps and verify that you haven't made a mistake
which may cast the value of your evidence in doubt.
8.1.3 Chain of Evidence
You must maintain something called the "Chain of Evidence". This means that at any
point in time from the seizure of the evidence until its final presentation in court, you can
account for who has had access to it, and where it has been. This rules out the possibility that
someone has tampered with it, or falsified it in some way.
8.1.4 Conclusion
Keep these things in mind, and even if you are not going to take your work to court,
you will be able to maximize your abilities as a forensic examiner.
8.2 Stand-alone Forensics
8.2.0 Introduction
This section is about the forensic examination of an individual machine. For want of a better
term, we will call it "stand-alone forensics". This is probably the most common part of
computer forensics; its main role is to find out what has been done using a particular
computer. The forensic examiner could be looking for evidence of fraud, such as financial
spreadsheets, evidence of communication with someone else, e-mails or an address book, or
evidence of a particular nature, such as pornographic images.
8.2.1 Hard Drive and Storage Media Basics
There are several components that make up an average computer. There is the processor,
memory, graphics cards, CD drives and much more. One of the most crucial components is
the hard disk (hard drive). This is where the majority of the information that the computer requires
to operate is stored. The Operating System (OS) such as Windows or Linux resides here, along
with user applications such as word processors and games. This is also where significant
amounts of data are stored, either deliberately, through the action of saving a file, or
incidentally, through the use of temporary files and caches. This allows a forensic examiner to
reconstruct the actions that a computer user has carried out on a computer, which files have
been accessed and much, much more.
There are several levels at which you can examine a hard disk. For the purposes of this
exercise, we are only going to look at the file system level. It is worth noting though, that
professionals are capable of looking in a great level of detail at a disk to determine what it
used to contain, even if it has been overwritten many times.
The file system is the computer's implementation of a filing cabinet. It contains drawers
(partitions), files (directories) and individual pieces of paper (files). Files and directories can
be hidden, although this is only a superficial thing and can easily be overcome.
Working through the following exercises should give you a far better understanding of the
basics of disk storage.
For each of the following terms about storage media, search for information and learn how
they work. Understanding how equipment functions normally is your first step toward forensics.
1. Magnetic/Hard/Physical Disk: This is where your computer stores files. Explain how
magnetism is used on a hard disk.
2. Tracks: What are referred to as "tracks" on a hard disk?
3. Sectors: This is a fixed space that data fits into. Explain how.
4. Cluster/Allocation unit: Explain why, when a file is written to a hard disk, it may be
assigned more space than it needs. What happens to that empty space? Looking up the
term "file slack" should help you.
5. Free/"Unallocated" Space: This is what you have left after files are deleted. Or are those
files really gone? Explain how a file is deleted on the computer. Looking for tools on "secure
delete" may help you. Knowing how you are supposed to securely delete a file so it's really
gone is a great way to learn why such tools are needed.
6. Hash, also known as an MD5 hash: Explain what this hash is and what it's used for.
7. BIOS: This stands for "Basic Input/Output System". What is this and where is it stored on a PC?
8. Boot Sector: This works with partition tables to help your PC find the operating system to run.
There are many tools for working with partitions, with the standard one being called fdisk.
Knowing how these tools work is your first clue to understanding partitions and the boot sector.
9. Cyclical Redundancy Check (CRC): When you get a "read error" message from your hard
disk, this means that the data failed a CRC check. Find out what the CRC check is and what
it does.
10. File Signature: Often a file has a small 6-byte signature at the start of the file which
identifies what kind of file it is. Opening a file in a text editor is the easiest way to see this.
Open 3 files of each of the following file types in a text editor: .jpg, .gif, .exe, .mp3. What was
the first word at the top of the file for each?
11. RAM (Random-Access Memory): This is also known as "memory" and it is a temporary
location to read and write information. It is much, much faster than writing to the hard disk.
It's also gone when power is lost to the computer. Explain how RAM works. Knowing your
computer may have anywhere from 64 to 512 Mb of RAM, search for information about a
computer that has more RAM than that.
12. Currently, the largest RAM disk (a super fast hard disk emulated in RAM) is 2.5 Tb (Terabyte).
How many times larger than your PC is that?
8.2.2 Encryption, Decryption and File Formats
A lot of the files that you will come across will not be immediately readable. Many programs
have their own proprietary file formats, while others use standard formats, for example the
standard picture formats (gif, jpeg, etc.). Linux provides an excellent utility to help you to
determine what a given file is. It is called file.
Command Line Switch   Effect
-k                    Don't stop at the first match, keep going.
-L                    Follow symbolic links.
-z                    Attempt to look inside compressed files.
An example of the use of the file command is shown below:
[simon@frodo file_example]$ ls
arp.c                   nwrap.pl
isestorm_DivX.avi       oprp_may11_2004.txt
r!"#1.$.$               VisioEval.exe
r!"#1.$.$.tar           Windows2003.vmx
[simon@frodo file_example]$ file *
arp.c:                  ASCII C program text
isestorm_DivX.avi:      RIFF (little-endian) data, AVI
r!"#1.$.$:              directory
r!"#1.$.$.tar:          POSIX tar archive
r!"#1.$.$.tar.gz.asc:   PGP armored data
nwrap.pl:               Paul Falstad's zsh script text
oprp_may11_2004.txt:    ASCII English text, with very long
lines, with CRLF line terminators
VisioEval.exe:          MS-DOS executable (EXE), OS/2 or MS
Windows2003.vmx:        a /usr/bin/vmware script text
[simon@frodo file_example]$
From this you can start to make some attempts to read a certain type of file. There are a
number of file conversion utilities available to you under Linux, and even more available on
the Internet, as well as a number of file viewers for various formats. Sometimes it may require
more than one step to get to a place where you can really work with the data; try to think
Occasionally, you will come across files which have been encrypted or password protected.
The complication that this presents varies, from encryption that is easily broken to stuff that
would even give the NSA (or GCHQ or whatever your local government agency happens to
be) a headache. There are again a number of tools available on the Internet that you can
use to try to break the encryption on a file. It pays to examine the area surrounding the
computer that you are dealing with. People aren't very good at remembering passwords; it
may well be written down somewhere nearby. Common choices for passwords also involve:
pets, relatives, dates (marriage, date of birth), telephone numbers, car registrations, and
other simple combinations (123456, abcdef, qwerty etc.). People are also reluctant to use
more than one or two passwords for everything, so if you can reverse engineer a password on
one file or application, try it on the others. It is highly likely to be the same.
For these exercises, we will learn about password cracking. While it is legal to crack your own
passwords if you forget them, it is not legal in some countries to figure out how something else
is encrypted, in order to protect the other material from being cracked.
DVD movies are encrypted to prevent them from being stolen off the DVD and sold. While
this is an excellent use of encryption, it is illegal for anyone to research how that encryption is
used. This leads to your first exercise:
1. What is "DeCSS" and how does it relate to DVD encryption? Search on "decss" to learn
2. Knowing that something is password protected means learning how to open that file. This is
known as "cracking" the password. Find information about cracking various types of
passwords. To do this search for "cracking XYZ passwords" where XYZ is the password type you
are looking for. Do this for the following password types:
a. MD5
b. Adobe PDF
c. Excel
3. If the encryption method is too strong to be broken, it may be necessary to perform a
"dictionary attack" (sometimes known as "brute force"). Find out what a dictionary attack is.
8.2.3 Finding a Needle in a Haystack
Commercial forensic software includes powerful search tools that allow you to search for many combinations and permutations of factors. Without these expensive commercial tools you need to be a little more resourceful. Linux provides you with plenty of scope to construct similar tools using standard utilities. The following text details the use of find, grep and strings, and then describes the use of the pipe to combine them.
8.2.3.1 find
find [path...] [expression]
find is used to locate files meeting certain criteria within the operating system. It is not designed for looking within the files. There must be a million permutations of expressions that can be combined to search for a file.
1. Read the manual page for find. Complete the "Effect" for each "Expression" in the table below. (Hint: Where a number is given as an argument, it can be specified as follows: +n = for greater than n; -n = for less than n; n = for exactly n.)
Expression    Effect
-amin n       File last accessed n minutes ago
8.2.3.2 grep
grep is an immensely powerful tool. It is used to find certain lines within a file. This allows you to quickly find files that contain certain things within a directory or file system. It also allows for searching on regular expressions. There are search patterns that allow you to specify criteria that the search must match. For example: finding all strings in the dictionary that start with "s" and finish with "t" to help with doing a crossword.
grep '^s.*t$' /usr/share/dict/words
1. Read the manual page for grep.
2. Look up regular expressions for grep on the Internet. Try to construct a regular expression that looks for all words that are four letters long and contain an "a".
8.2.3.3 strings
strings is another useful utility. This will search through a file of any type for human readable strings. This can return a great deal of information about a specific file, often providing information about the application that created it, authors, original creation time and so on.
1. Read the manual page for strings.
8.2.3.4 awk
awk is a programming language designed for working with strings. It is used to extract information from one command to feed into another. For example, to take just the running programs from the ps command, you would use the following:
ps | awk '{print $4}'
1. Read the manual page for awk.
8.2.3.5 The Pipe |
All of the above tools are easily combined using the UNIX "pipe" command. This is shown with the "|" symbol. This allows you to take the output of one command and feed it down a pipe to another command. To find all files in the current directory that are mpg files, use the
ls | grep mpg
1. Using the pipe, the ls command and grep, find all files in the current directory that were created this month.
2. Using the ps command and awk, print a list of all the running process names.
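As an added illustration (not part of the Hacker Highschool lesson), here are the tests that find, grep and strings perform, rebuilt as small Python functions over a constructed set of files, together with the +n / -n / n rule from the hint above and a "pipe" of one result into the next. The file names, contents and access times are made up for the demonstration; the functions are stand-ins written for this page, not the utilities themselves.

```python
import os
import re
import shutil
import tempfile
import time

# Added example (not from the Hacker Highschool text): what find -amin, grep
# and strings actually test, written out in Python over constructed files.


def parse_find_number(spec):
    """find's numeric arguments: '+n' means more than n, '-n' less than n,
    'n' exactly n. Returns a predicate on a number."""
    if spec.startswith("+"):
        n = int(spec[1:])
        return lambda value: value > n
    if spec.startswith("-"):
        n = int(spec[1:])
        return lambda value: value < n
    n = int(spec)
    return lambda value: value == n


def find_amin(root, spec, now=None):
    """Like 'find ROOT -amin SPEC': files whose age since last access,
    in whole minutes before 'now', satisfies SPEC."""
    now = time.time() if now is None else now
    match = parse_find_number(spec)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            age_minutes = int((now - os.stat(path).st_atime) // 60)
            if match(age_minutes):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def grep_lines(pattern, lines):
    """Like 'grep PATTERN': keep only the lines matching a regular expression."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def strings_from(data, min_len=4):
    """Like 'strings': runs of at least min_len printable ASCII bytes
    found inside arbitrary binary data."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def demo():
    """Build a small constructed evidence tree, run the three searches and
    chain them the way a shell pipe would. Returns the results as a dict."""
    root = tempfile.mkdtemp(prefix="hhs_demo_")
    now = 1_700_000_000.0  # fixed "now" so the minute arithmetic is exact
    # constructed files: name -> (content, minutes since last access)
    files = {
        "notes.txt": (b"shopping list: salt, sugar, wheat\n", 5),
        "holiday.mpg": (b"\x00\x00\x01\xba" + b"\xff" * 40, 30),
        "old.log": (b"login ok\nlogin failed\n", 90),
        "app.bin": (b"\x7fELF\x02\x01" + b"\x00" * 16 + b"Created by WidgetPro 3.1"
                    + b"\x00" * 8 + b"Author: S. Example" + b"\x00\x05\x01", 30),
    }
    try:
        for name, (content, minutes_ago) in files.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(content)
            stamp = now - minutes_ago * 60
            os.utime(path, (stamp, stamp))  # set atime and mtime explicitly
        return {
            "accessed_under_hour": find_amin(root, "-60", now),
            "accessed_exactly_30": find_amin(root, "30", now),
            "accessed_over_hour": find_amin(root, "+60", now),
            # ls | grep mpg
            "mpg_files": grep_lines("mpg", sorted(os.listdir(root))),
            # grep '^s.*t$' over a constructed word list (the crossword example)
            "s_to_t_words": grep_lines(r"^s.*t$", ["salt", "sugar", "secret", "wheat", "stop"]),
            # strings app.bin: the tool-generated text survives in the binary
            "strings_in_binary": strings_from(files["app.bin"][0]),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that find_amin measures whole minutes, which is the same rounding that makes "-amin 30" and "+amin 30" behave differently from a naive "about half an hour"; when timings matter in an investigation, compare against the raw timestamps from stat as well.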
8.2.4 Making use of other sources
There are many other interesting ways of examining how a computer has been used. Nearly every application that gets run will record some additional data beyond the files that it directly takes in, or files that it puts out. This could include temporary files for processing, lists of last accessed files or the history of a web-browser.
1. What is browser cache? Find the location where your web browser stores its cache.
2. What are browser cookies? Find the location where your web browser stores its cookies.
3. Search for information about web browser cookies. What kinds of cookies are there and what kind of information is stored in them?
4. Your computer uses temporary directories where it writes files by default for the user. This is often known as Application Data. Find the temporary directories you have available on your computer. While they may be called tmp or temp, there are often many more that you don't know about. Try FIND on files written with today's date as a great way to find temporary files. Do those files disappear when you reboot the computer?
8.3 Network Forensics
8.3.0 Introduction
Network forensics is used to find out where a computer is located and to prove whether a particular file was sent from a particular computer. While network forensics can be very complicated, we will cover some of the basics that can be applied to everyday life.
8.3.1 Firewall Logs
Who's connecting to me? The firewall is a utility which can choke connections between two points in a network. Many types of firewalls exist. Regardless of the type and job of the firewall, it is the firewall logs which give you the details. Only by using the logs can you find patterns of attacks and abuse to your firewall.
1. Visit the website http://www.dshield.org. This website takes firewall logs from all over the world to find patterns of network attack attempts. This helps security professionals be sure to verify if the networks they are protecting are vulnerable to those particular attacks before they happen. Read through the website and explain how that pie graph of the world is made and what it means.
2. On the same website, read through the "Fight back" section and the response e-mails they receive. Explain the purpose of this.
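To show what "finding patterns in the logs" means in practice, here is an added example (not from the lesson) that parses firewall log lines and counts dropped connections per source and per destination port, flagging any source that probed several different ports, which is the kind of summary DShield builds from submitted logs. The log lines are constructed in the Linux netfilter/iptables style and use documentation address ranges, not real hosts.

```python
import re
from collections import Counter, defaultdict

# Added example (not from the Hacker Highschool text): summarising dropped
# connections from constructed firewall log lines.

SAMPLE_LOG = """\
Aug  9 11:01:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Aug  9 11:01:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Aug  9 11:01:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80
Aug  9 11:01:04 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=135
Aug  9 11:01:04 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=445
Aug  9 11:02:10 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3211 DPT=445
Aug  9 11:05:44 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445
Aug  9 11:06:01 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=51001 DPT=1434
Aug  9 11:07:15 gw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Turn each log line into a dict of fields. Lines that do not match the
    expected layout are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            records.append(rec)
    return records


def summarise(records, scan_threshold=4):
    """The three views an analyst wants from a firewall log: drops per
    source, drops per destination port (what DShield charts), and sources
    that probed at least scan_threshold distinct ports."""
    drops = [r for r in records if r["action"] == "DROP"]
    per_source = Counter(r["src"] for r in drops)
    per_port = Counter(r["dpt"] for r in drops)
    ports_by_source = defaultdict(set)
    for r in drops:
        ports_by_source[r["src"]].add(r["dpt"])
    scanners = sorted(src for src, ports in ports_by_source.items()
                      if len(ports) >= scan_threshold)
    return {
        "per_source": dict(per_source),
        "per_port": dict(per_port),
        "scanners": scanners,
        "top_port": per_port.most_common(1)[0][0] if per_port else None,
    }


def analyse(text=SAMPLE_LOG):
    return summarise(parse_log(text))


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

The "scanners" list is the first thing to look at: one address hitting many ports in a few seconds is a probe, while many addresses hitting the same port (445 here) is the pattern the DShield world map is built from.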
8.3.2 Mail Headers
E-mails come with information of every computer they pass through to get to you. This is kept in the headers. Sometimes even more information is in the headers. To view the headers however is not always so simple. Various mail clients will all have different ways to view this. The real trick to reading headers, though, is to know they are backwards. The top of the list is you. Then it travels back with each line until the very last line is the computer or network that the mail was sent from.
1. A great resource focused on network forensics for fighting SPAM is http://www.samspade.org. Visit SamSpade.org and go to the section called "The Library". Using this section you should be able to explain how to read e-mail headers. You should also read about forged e-mail headers and e-mail abuse. Explain the various ways e-mail can be used to cause harm.
2. Determine how to look at your e-mail headers in the e-mails you receive. Are there any particular fields in those headers that seem foreign to you? Look them up. You should be able to explain what each field means in that header.
Further Reading
The following links are in English.
http://www.honeynet.org/misc/chall.html - Some forensic exercises.
http://www.porcupine.org/forensics/ - The classics
Table of Contents
"License for Use" Information
9.0 Introduction
9.1 How E-mail Works
9.1.1 E-mail Accounts
9.1.2 POP and SMTP
9.1.3 Web Mail
9.2 Safe E-mail Usage Part 1: Receiving
9.2.1 Spam, Phishing and Fraud
9.2.2 HTML E-Mail
9.2.3 Attachment Security
9.2.4 Forged headers
9.3 Safe E-mail Usage Part 2: Sending
9.3.1 Digital Certificates
9.3.2 Digital Signatures
9.3.3 Getting a certificate
9.3.4 Encryption
9.3.5 How does it work?
9.3.6 Decryption
9.3.7 Is Encryption Unbreakable?
9.4 Connection Security
Stephen F. Smith, Lockdown Networks
Chuck Truett, ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM
9.0 Introduction
Everyone uses e-mail. It is the second most used application on the internet next to your web browser. But what you might not realize is that a significant portion of network attacks and compromises originate through e-mail. And with respect to your privacy, misuse of e-mail has the potential to disclose either the contents of your message, or give a spammer information about you. The purpose of this module is to give you information on how e-mail works, safe e-mail usage, e-mail based attacks, and security strategies for e-mail.
9.1 How E-mail Works
Just like airmail is sent through the air, 'e'-mail is sent through the 'e' – the 'e' in this case being the web of electronic connections within and between the networks that make up the Internet. When you send an e-mail from your computer, the data is sent from your computer to an SMTP server. The SMTP server then searches for the correct POP3 server and sends your e-mail to that server, where it waits until your intended recipient retrieves it.
9.1.1 E-mail Accounts
E-mail accounts are available through many different sources. You may get one through school, through your work or through your ISP. When you get an e-mail account, you will be given a two part e-mail address, in this form: username@domain.name. The first part, username, identifies you on your network, differentiating you from all the other users on the network. The second part, domain.name, is used to identify your specific network. The username must be unique within your network, just as the domain name must be unique among all the other networks on the Internet. However, user names are not unique outside of their networks; it is possible for two users on two different networks to share user names. For example, if there is one user with the address bill@bignetwork.net, there will not be another user on bignetwork.net whose user name is bill. However, bill@bignetwork.net and bill@smallnetwork.net are both valid e-mail addresses that can refer to different users.
One of the first things that you will do when you are setting up your e-mail is to enter your e-mail address into your e-mail client program. Your e-mail client is the program that you will use to send and receive e-mails. Microsoft's Outlook Express may be the most widely known (since it comes free with every copy of a Microsoft operating system), but there are many others available for both Windows and Linux, including Mozilla, Eudora, Thunderbird and Pine.
9.1.2 POP and SMTP
After your e-mail client knows your e-mail address, it's going to need to know where to look for incoming e-mail and where to send outgoing e-mail.
Your incoming e-mails are going to be on a computer called a POP server. The POP server – usually named something like pop.smallnetwork.net or mail.smallnetwork.net – has a file on it that is associated with your e-mail address and which contains e-mails that have been sent to you from someone else. POP stands for post office protocol.
Your outgoing e-mails will be sent to a computer called a SMTP server. This server – named smtp.smallnetwork.net – will look at the domain name contained in the e-mail address of any e-mails that you send, then will perform a DNS lookup to determine which POP3 server it should send the e-mail to. SMTP stands for simple mail transfer protocol.
When you start up your e-mail client, a number of things happen:
1. the client opens up a network connection to the POP server
2. the client sends your secret password to the POP server
3. the POP server sends your incoming e-mail to your local computer
4. the client sends your outgoing e-mail to the SMTP server.
The first thing to note is that you do not send a password to the SMTP server. SMTP is an old protocol, designed in the early days of e-mail, at a time when almost everyone on the Internet knew each other personally. The protocol was written with the assumption that everyone who would be using it would be trustworthy, so SMTP doesn't check to ensure that you are you. Most SMTP servers use other methods to authenticate users, but – in theory – anyone can use any SMTP server to send e-mail. (For more information on this, see section 9.2.4 Forged Headers.)
The second thing to note is that, when you send your secret password to the POP server, you send it in a plain-text format. It may be hidden by little asterisks on your computer screen, but it is transmitted through the network in an easily readable format. Anyone who is monitoring traffic on the network – using a packet sniffer, for instance – will be able to clearly see your password. You may feel certain that your network is safe, but you have little control over what might be happening on any other network through which your data may pass.
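As an added example (not part of the lesson), the four start-up steps above can be followed in a toy POP3 exchange. The server below is a stand-in written for this illustration, the username, password and mailbox are constructed, and the command names follow RFC 1939. The transcript it returns is exactly what crosses the network between client and server, which is why the password appears in it unchanged and why POP3 is only safe over a TLS connection (the topic of section 9.4).

```python
# Added example (not from the Hacker Highschool text): a miniature POP3 server
# and the conversation a mail client has with it, written as plain functions
# so the exchange can be read line by line.


class ToyPop3Server:
    """Just enough of POP3 (RFC 1939) to log in, count and fetch messages."""

    def __init__(self, users, mailbox):
        self.users = users          # username -> password, compared verbatim
        self.mailbox = mailbox      # messages waiting in the user's maildrop
        self.state = "AUTHORIZATION"
        self.pending_user = None

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.state = "UPDATE"
            return "+OK bye"
        if self.state == "AUTHORIZATION":
            if verb == "USER":
                self.pending_user = arg
                return "+OK name is a valid mailbox"
            if verb == "PASS":
                if self.pending_user and self.users.get(self.pending_user) == arg:
                    self.state = "TRANSACTION"
                    return "+OK maildrop locked and ready"
                self.pending_user = None
                return "-ERR invalid password"
            return "-ERR not logged in"
        if self.state == "TRANSACTION":
            if verb == "STAT":
                return "+OK %d %d" % (len(self.mailbox), sum(len(m) for m in self.mailbox))
            if verb == "RETR":
                idx = int(arg) - 1 if arg.isdigit() else -1
                if 0 <= idx < len(self.mailbox):
                    return "+OK %d octets\r\n%s\r\n." % (len(self.mailbox[idx]), self.mailbox[idx])
                return "-ERR no such message"
        return "-ERR unknown command"


def run_session(server, commands):
    """Drive the server with the client's commands. The returned transcript of
    (side, text) pairs is exactly what travels over the TCP connection."""
    transcript = [("S", "+OK POP3 server ready")]
    for cmd in commands:
        transcript.append(("C", cmd))
        transcript.append(("S", server.handle(cmd)))
    return transcript


def credentials_on_the_wire(transcript):
    """What anyone able to see the connection recovers from the same bytes:
    the USER and PASS arguments, as sent. TLS underneath POP3 is what hides them."""
    seen = {}
    for side, text in transcript:
        if side == "C":
            verb, _, arg = text.partition(" ")
            if verb.upper() in ("USER", "PASS"):
                seen[verb.upper()] = arg
    return seen


def demo(password="correct-password"):
    """One client start-up: log in, ask how much mail there is, fetch message 1, quit.
    The account and message are constructed for the example."""
    server = ToyPop3Server({"bill": "correct-password"},
                           ["From: alice@example.net\r\nSubject: Tuesday\r\n\r\nDinner at 7?"])
    transcript = run_session(server, ["USER bill", "PASS " + password, "STAT", "RETR 1", "QUIT"])
    return transcript, credentials_on_the_wire(transcript), server.state


if __name__ == "__main__":
    for side, text in demo()[0]:
        print(side + ":", text)
```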
The third, and possibly most important thing that you need to know about your e-mails, is that they are – just like your password – transmitted and stored in a plain-text format. It is possible that they may be monitored any time they are transferred from the server to your computer. This all adds up to one truth: e-mail is not a secure method of transferring information. Sure, it's great for relaying jokes, and sending out spunkball warnings, but, if you're not comfortable yelling something out through the window to your neighbor, then maybe you should think twice about putting it in an e-mail.
Does that sound paranoid? Well, yeah, it is paranoid, but that doesn't necessarily make it untrue. Much of our e-mail communications are about insignificant details. No one but you, Bob and Alice, care about your dinner plans for next Tuesday. And, even if Carol desperately wants to know where you and Bob and Alice are eating next Tuesday, the odds are slim that she has a packet sniffer running on any of the networks your e-mail might pass through. But, if a company is known to use e-mail to arrange for credit card transactions, it is not unlikely to assume that someone has, or is trying to, set up a method to sniff those credit card numbers out of the network traffic.
9.1.3 Web Mail
A second option for e-mail is to use a web based e-mail account. This will allow you to use a web browser to check your e-mail. Since the e-mail for these accounts is normally stored on the web e-mail server – not on your local computer – it is very convenient to use these services from multiple computers. It is possible that your ISP will allow you to access your e-mail through both POP and the web.
However, you must remember that web pages are cached or stored on local computers, sometimes for significant lengths of time. If you check your e-mail through a web based system on someone else's computer, there is a good chance that your e-mails will be accessible to someone else who uses that computer.
Web based e-mail accounts are often free and easy to get. This means that they offer an opportunity for you to have several identities online. You can, for instance, have one e-mail address that you use only for friends and another that is only for relatives. This is usually considered acceptable, as long as you are not intending to defraud anyone.
1. You can learn a lot about how POP e-mail is retrieved by using the telnet program. When you use telnet instead of an e-mail client, you have to enter all the commands by hand (commands that the e-mail client program usually issues automatically). Using a web search engine, find the instructions and commands necessary to access an e-mail account using the telnet program. What are the drawbacks to using this method to retrieve e-mail? What are some of the potential advantages?
2. Find three organizations that offer web based e-mail services. What, if any, promises do they make about the security of e-mail sent or received using their services? Do they make any attempts to authenticate their users?
3. (possibly homework) Determine the SMTP server for the email address you use most
9.2 Safe E-mail Usage Part 1: Receiving
Everyone uses e-mail, and to the surprise of many people, your e-mail can be used against you. E-mail should be treated as a post card, in that anyone who looks can read the contents. You should never put anything in an ordinary e-mail that you don't want to be read. That being said, there are strategies for securing your e-mail. In this section we will cover safe and sane e-mail usage and how to protect your privacy online.
9.2.1 Spam, Phishing and Fraud
Everybody likes to get e-mail. A long time ago, in a galaxy far far away, it used to be you only got mail from people you knew, and it was about things you cared about. Now you get e-mail from people you never heard of asking you to buy software, drugs, and real estate, not to mention help them get 24 million dollars out of Nigeria. This type of unsolicited advertising is called spam. It comes as a surprise to many people that e-mail they receive can provide a lot of information to a sender, such as when the mail was opened and how many times it was read, if it was forwarded, etc. This type of technology – called web bugs – is used by both spammers and legitimate senders. Also, replying to an e-mail or clicking on the unsubscribe link may tell the sender that they have reached a live address. Another invasion of privacy concern is the increasingly common "phishing" attack. Have you ever gotten an e-mail asking you to login and verify your bank or E-bay account information? Beware, because it is a trick to steal your account information. To secure yourself against these types of attacks, there are some simple strategies to protect yourself outlined below.
9.2.2 HTML E-Mail
One of the security concerns with HTML based e-mail is the use of web bugs. Web bugs are hidden images in your e-mail that link to the senders' web server, and can provide them with notification that you have received or opened the mail. Another flaw with HTML e-mail is that the sender can embed links in the e-mail that identify the person who clicks on them. This can give the sender information about the status of the message. As a rule, you should use a mail client that allows you to disable the automatic downloading of attached or embedded images. Another problem is related to scripts in the e-mail that may launch an application, if your browser has not been patched for security flaws.
For web based e-mail clients, you may have the option of disabling the automatic download of images, or viewing the message as text. Either is a good security practice. The best way to protect yourself against HTML e-mail based security and privacy attacks is to use text based e-mail. If you must use HTML e-mail, beware!
9.2.3 Attachment Security
Another real concern related to received e-mail security is attachments. Attackers can send you malware, viruses, Trojan horses and all sorts of nasty programs. The best defense against e-mail borne malware is to not open anything from anyone you don't know. Never open a file with the extension .exe or .scr, as these are extensions that will launch an executable file that may infect your computer with a virus. For good measure, any files you receive should be saved to your hard drive and scanned with an antivirus program. Beware of files that look like a well known file type, such as a zip file. Sometimes attackers can disguise a file by changing the icon or hiding the file extension so you don't know it is an executable.
9.2.4 Forged headers
Occasionally you may receive an e-mail that looks like it is from someone you know, or from the "Administrator" or "Postmaster" or "Security Team" at your school or ISP. The subject may be "Returned Mail" or "Hacking Activity" or some other interesting subject line. Often there will be an attachment. The problem is that it takes no technical knowledge and about 10 seconds of work to forge an e-mail address. (It also – depending on where you live – may be very illegal.)
To do this, you make a simple change to the settings in your e-mail client software. Where it asks you to enter your e-mail address (under Options, Settings or Preferences) you enter something else. From here on out, all your messages will have a fake return address. Does this mean that you're safe from identification? No, not really. Anyone with the ability to read an e-mail header and procure a search warrant can probably figure out your identity from the information contained on the header. What it does mean is that a spammer can represent himself as anyone he wants to. So if Fannie Gyotoku <telecommunicatecreatures@cox.net> sells you a magic cell phone antenna that turns out to be a cereal box covered with tin foil, you can complain to cox.net, but don't be surprised when they tell you that there is no such
Most ISPs authenticate senders and prevent relaying, which means that you have to be who you say you are to send mail via their SMTP server. The problem is that hackers and spammers often run an SMTP server on their PC, and thus don't have to authenticate to send e-mail, and can make it appear any way they want. The one sure way to know if a suspicious e-mail is legitimate is to know the sender and call them up. Never reply to a message that you suspect may be forged, as this lets the sender know they have reached an actual address. You can also look at the header information to determine where the mail came from, as in the following example:
This is an e-mail from someone I don't know, with a suspicious attachment. Normally, I would just delete this but I want to know where it came from. So I'll look at the message header. I use Outlook 2003 as my e-mail client, and to view the header you go to view>options and you will see the header information as below:
Microsoft Mail Internet Headers Version 2.0
Received: from srv1.mycompany.com ([192.16.10.?3]) by mx1.mycompany.com
over TLS secured channel with Microsoft SMTPSVC(6.0.3790.0);
Mon, 9 Aug 2004 11:20:1 -0700
Received: from [10.10.20?.241] (helo=www.mycompany.com)
by srv1.mycompany.com with esmtp (Exim 4.30)
id 1Bu7gL-0001OU-a; Mon, 09 Aug 2004 11:1?:37 -0700
Received: from kara.org (67.10.219.194.ptr.us.xo.net [67.10.219.194])
by www.mycompany.com (8.12.10/8.12.10) with SMTP id i79I8?Ur03002
for <sales@mycompany.com>; Mon, 9 Aug 2004 11:11:34 -0700
Date: Mon, 09 Aug 2004 14:1?:3? -0?00
To: "Sales" <sales@mycompany.com>
From: "Sales" <sales@innovonics.com>
Message-ID: <cdkdabgurdgefupfhnt@mycompany.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Scan-Signature: 17bfa9974a422?0674b1924a9c23?
Return-Path: sales@innovonics.com
X-OriginalArrivalTime: 09 Aug 2004 1:20:1.090 (UTC) FILETIME=
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Type: application/octet-stream; name="price?0.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="price?0.zip"
Now, the part I'm interested in is highlighted above. Note that the "Received" is from kara.org at an IP that appears to be an xo.net DSL line, which does not agree with innovonics.com, the purported sender.
Also, if I look up innovonics.com's mail server using nslookup, its address comes back as
C:\>nslookup innovonics.com
Server: dc.mycompany.com
Address: 192.16.10.?4
Non-authoritative answer:
Name: innovonics.com
Address: 64.143.90.9
So, my suspicion was correct, and this is an e-mail that is carrying some malware in an executable file posing as a zip file. The malware has infected the person's computer on the DSL line, which is now a zombie, sending copies of the malware to everyone in the infected computer's address book. I'm glad I checked it out!
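Added example (not the author's code): reading the Received: chain from the bottom up, as section 8.3.2 describes, and comparing the first hop with the From: domain, using Python's email module. The message below is constructed to mirror the shape of the one above, with example.com/example.org names and documentation addresses in place of the real ones. Bear in mind that the host name after "from" is whatever the connecting machine announced; the name in parentheses and the bracketed address are what the receiving relay recorded, so only the hops written by servers you trust are reliable.

```python
import email
from email.policy import default
import re

# Added example (not from the Hacker Highschool text): walk the Received:
# headers in transit order and check the origin against the claimed sender.
# The message is constructed; all names and addresses are example/documentation values.

SAMPLE_MESSAGE = """\
Received: from srv1.example.com ([192.0.2.25]) by mx1.example.com
 with ESMTP; Mon, 9 Aug 2004 11:20:15 -0700
Received: from [10.10.200.241] (helo=www.example.com)
 by srv1.example.com with esmtp (Exim 4.30)
 id 1Bu7gL-0001OU-5a; Mon, 09 Aug 2004 11:18:37 -0700
Received: from kara.example.org (203.0.113.194.ptr.example.net [203.0.113.194])
 by www.example.com (8.12.10/8.12.10) with SMTP id i79I8Ur03002
 for <sales@example.com>; Mon, 9 Aug 2004 11:11:34 -0700
Date: Mon, 09 Aug 2004 14:18:37 -0400
To: "Sales" <sales@example.com>
From: "Sales" <sales@innovonics.example>
Subject: price list
Content-Type: text/plain; charset="us-ascii"

see the attached price list
"""

HOP_RE = re.compile(r"from\s+(?P<host>\S+)(?:\s*\((?P<extra>[^)]*)\))?")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """Received headers in transit order: index 0 is the hop closest to the
    sender, the last entry is the server that delivered to the recipient.
    'host' is what the connecting side announced, 'rdns' and 'ip' are what
    the receiving relay logged (when it logged them)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(hdr))
        if not m:
            continue
        extra = (m.group("extra") or "").strip()
        first = extra.split()[0] if extra else ""
        rdns = first if first and "=" not in first and not first.startswith("[") else None
        ip = IP_RE.search(str(hdr))
        hops.append({"host": m.group("host"), "rdns": rdns,
                     "ip": ip.group(1) if ip else None})
    return hops


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    return msg["From"].addresses[0].domain.lower()


def origin_matches_sender(msg):
    """True when the announced host or the logged reverse-DNS name of the
    first hop belongs to the From: domain; False means the message did not
    originate where it claims to."""
    hops = received_hops(msg)
    if not hops:
        return False
    domain = sender_domain(msg)
    names = [n.lower() for n in (hops[0]["host"], hops[0]["rdns"]) if n]
    return any(n == domain or n.endswith("." + domain) for n in names)


def analyse(raw=SAMPLE_MESSAGE):
    msg = email.message_from_string(raw, policy=default)
    return {
        "hops": received_hops(msg),
        "from_domain": sender_domain(msg),
        "origin_matches_sender": origin_matches_sender(msg),
    }


if __name__ == "__main__":
    result = analyse()
    for i, hop in enumerate(result["hops"]):
        print(i, hop)
    print("From domain:", result["from_domain"],
          "origin matches:", result["origin_matches_sender"])
```

A mismatch is a strong hint, not proof: legitimate mail is often relayed through a provider whose names differ from the sender's domain, which is why the nslookup step above and the attachment itself also went into the author's judgement.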
1. Citibank and PayPal are two of the most common targets of phishing emails. Research what Citibank or PayPal are doing to fight / control phishing.
2. Research whether your bank or credit card holder has a published statement about the use of email and personal information.
3. (possibly homework) Research a spam email you have received and see if you can determine the real source.
9.3 Safe E-mail Usage Part 2: Sending
Sending mail is a little more care free. There are some things you can do to make sure your conversation is secure though. The first is to ensure your connection is secure (see section 9.4 Connection Security for more information). There are also methods to allow you to digitally sign your messages, which guarantees that the message is from you and has not been tampered with en route. And for maximum security, you can encrypt your messages to make sure no one reads them.
Digital signatures prove who e-mail comes from, and that it has not been altered in transit. If you establish the habit of using digital signatures for important e-mail, you will have a lot of credibility if you ever need to disown forged mail that appears to be from you. They also allow you to encrypt e-mail so that no one can read it except the recipient. PGP in particular offers high levels of encryption which to break would require extreme computing power.
9.3.1 Digital Certificates
A digital certificate is unique to an individual, kind of like a drivers license or passport, and is composed of 2 parts. These parts are a public and private key. The certificate is unique to one person, and typically certificates are issued by a trusted Certificate Authority, or CA. The list of Certificate Authorities you trust is distributed automatically (if you are a Microsoft Windows User) by Windows Update and the list is accessible in your browser under tools>internet options>content>certificates. You can go here to view certificates installed on your machine (yours and others), and other certificate authorities you trust.
You can disable the automatic update of CAs, and choose to remove all CAs from the list, although this is not recommended. Instructions on how to do this are on Microsoft's web site.
9.3.2 Digital Signatures
A digital signature is generated by your e-mail software and your private key to assure the authenticity of your e-mail. The purpose of the signature is twofold. The first is to certify it came from you. This is called non-repudiation. The second is to ensure the contents have not been altered. This is called data integrity. The way an e-mail program accomplishes this is by running the contents of your message through a one way hash function. This produces a fixed size output of your e-mail called a message digest. This is a unique value, and if the mathematical algorithm that produces it is strong, the message digest has the following
The original message can't be reproduced from the digest.
Each digest is unique.
After the digest is created, it is encrypted with your private key. The encrypted digest is attached to the original message along with your public key. The recipient then opens the message, and the digest is decrypted with your public key. The digest is compared to an identical digest generated by the recipient's mail program. If they match, then you're done. If not, your mail client will let you know the message has been altered. There are 2 types of signing / encryption functions, S/MIME and PGP. S/MIME is considered to be the corporate and government choice, possibly because it uses the less labor intensive certificate authority model for authentication, and because it is more easily implemented through Microsoft's Outlook Express e-mail program. PGP is more often the choice of the computer user community, because it is based on a non-centralized web of trust for authentication, where a user's trustworthiness is validated through the 'friend of a friend' system, where you agree that, if you trust me, then you can also trust those people who I trust, and because members of the computer user community don't really care if it takes them four hours to figure out how to make PGP work with Thunderbird – they consider these types of challenges to be a form of
9.3.3 Getting a certificate
If you are interested in getting a digital certificate or digital ID, you need to contact a Certificate Authority (Verisign and thawte are the most well known, although a web search may find others.) Both require you to provide identification to prove to them that you are who you are. You can get a free certificate from thawte, but they require a significant amount of personal information, including a government identification number (such as a passport, tax id or driver's license). Verisign charges a fee for its certificate and requires that you pay this fee with a credit card, but asks for less personal information. (Presumably, Verisign is relying on the credit card company to validate your personal information.) These requests for information may seem intrusive, but remember, you are asking these companies to vouch for your trustworthiness. And – as always – check with your parents or guardians before you give out any personal information (or run up large balances on their credit cards).
The biggest disadvantage to using a certificate authority is that your private key is available to someone else – the certificate authority. If the certificate authority is compromised, then your digital ID is also compromised.
9.3.4 Encryption
As an additional layer of security, you can encrypt your e-mail. Encryption will turn your e-mail text into a garbled mess of numbers and letters that can only be read by its intended recipient. Your deepest secrets and your worst poetry will be hidden from all but the most trusted eyes.
However, you must remember that, while this may sound good to you – and to all of us who don't really wish to be exposed to bad poetry – some governments do not approve. Their arguments may – or may not – be valid (you can discuss this amongst yourselves), but validity is not the point. The point is that, depending on the laws of the nation in which you live, sending an encrypted e-mail may be a crime, regardless of the content.
9.3.5 How does it work?
Encryption is fairly complicated, so I'll try to explain it in a low tech way:
Jason wants to send an encrypted message. So the first thing Jason does is go to a
Certificate Authority and get a Digital Certificate. This Certificate has two parts, a Public Key
and a Private Key.
If Jason wants to receive and send encrypted messages with his friend Kira, they must first
exchange Public keys. If you retrieve a public key from a Certificate Authority that you have
chosen to trust, the key can be verified back to that certifying authority automatically. That
means your e-mail program will verify that the certificate is valid, and has not been revoked.
If the certificate did not come from an authority you trust, or is a PGP key, then you need to
verify the key fingerprint. Typically this is done separately, by a face to face exchange of
the key or of its fingerprint.
Now let's assume that both Kira and Jason are using compatible encryption schemes, and
have exchanged signed messages, so they have each other's public keys.
When Jason wants to send an encrypted message, the encryption process begins by
converting the text of Jason's message to a pre hash code. This code is generated using a
mathematical formula called an encryption algorithm. There are many types of algorithms,
but for e-mail S/MIME and PGP are most common.
The hash code of Jason's message is encrypted by the e-mail program using Jason's private
key. Jason then uses Kira's public key to encrypt the message, so only Kira can decrypt it with
her private key, and this completes the encryption process.
9.3.6 Decryption
So Kira has received an encrypted message from Jason. This typically is indicated by a lock
icon on the message in her inbox. The process of decryption is handled by the e-mail
software, but what goes on behind the scenes is something like this: Kira's e-mail program
uses her private key to decipher the encrypted pre hash code and the encrypted message.
Then Kira's e-mail program retrieves Jason's public key from storage (remember, we
exchanged keys earlier). This public key is used to decrypt the pre hash code and to verify the
message came from Jason. Kira's e-mail program then generates a post hash code from the
message. If the post hash code equals the pre hash code, the message has not been altered
en route.
Note: if you lose your private key, your encrypted files become useless, so it is important to
have a procedure for making backups of your private and public keys.
9.3.7 Is Encryption Unbreakable?
According to the numbers, the level of encryption offered by, for example, PGP is
unbreakable. Sure, a million computers working on breaking it would eventually succeed, but
not before the million monkeys finished their script for Romeo and Juliet. The number theory
behind this type of encryption involves factoring the products of very large prime numbers,
and, despite the fact that mathematicians have studied prime numbers for years, there's just
no easy way to do it.
But encryption and privacy are about more than just numbers. However, if someone else has
access to your private key, then they have access to all of your encrypted files. Encryption
only works if it is part of a larger security framework which offers protection to both your
private key and your pass-phrase.
1. Is encryption of email legal in the country that you reside in? Find one other country that it
is legal in, and one country where it is illegal to encrypt email.
2. Science fiction writers have imagined two types of futures, one in which people's lives are
transparent, that is, they have no secrets, and one in which everyone's thoughts and
communications are completely private. Phil Zimmermann, creator of PGP, believes in
privacy as a source of freedom. Read his thoughts on why you need PGP at
http://www.pgpi.org/doc/whypgp/en/. Then look at science fiction writer David Brin's
article 'A Parable about Openness' at http://www.davidbrin.com/akademos.html in which
he makes a number of points advocating openness as a source of freedom. Discuss these
two opposing viewpoints. Which do you prefer? Which do you think would most likely
succeed? What do you think the future of privacy will be like?
9.4 Connection Security
Last but not least is connection security. For web mail, ensure you are using an SSL
connection to your ISP's e-mail. A small lock icon will appear in the bar at the bottom of your
browser. If you are using POP and an e-mail client, ensure that you have configured your e-
mail client to use SSL with POP on port 995 and SMTP on port 465. This encrypts your mail from
you to your server, as well as protecting your POP / SMTP username and password. Your ISP
should have a how-to on their web site to configure this. If they don't offer a secure POP /
SMTP connection, change ISPs!
If you have an e-mail account, find out if your account is using SSL for its connection. How do
you check this in your e-mail client? Does your ISP provide information regarding an SSL
connection?
Further Reading
Can someone else read my e-mail?
MIT's PGP freeware page
General news on Internet privacy issues:
Electronic Privacy Information Center
Electronic Frontier Foundation
More about PGP
How Reading an Email Can Compromise Your Privacy
Avoiding E-mail Viruses
Brief Overview of E-mail Security Questions (with a short advertisement at the end)
Brief Overview of E-mail Security Questions (with no advertisement)
Windows Based E-mail Precautions
Differences Between Linux and Windows Viruses (with information on why most Linux e-mail
programs are more secure)
Table of Contents
"License for Use" Information
10.1 Fundamentals of Web Security
10.1.1 How the web really works
10.1.2 Rattling the Locks
10.1.3 Looking through Tinted Windows - SSL
10.1.4 Having someone else do it for you - Proxies
10.2 Web Vulnerabilities
10.2.1 Scripting Languages
10.2.2 Common Web Application Problems
10.2.3 Guidelines for Building Secure Web Applications
10.3 HTML Basics - A brief introduction
10.3.1 Reading HTML
10.3.2 Viewing HTML at its Source
10.3.3 Links
10.3.4 Proxy methods for Web Application Manipulation
10.4 Protecting your server
10.4.1 Firewall
10.4.2 Intrusion Detection System (IDS)
10.5 Secure Communications
10.5.1 Privacy and Confidentiality
10.5.2 Knowing if you are communicating securely
10.6 Methods of Verification
10.6.1 OSSTMM
Further Reading
Simon Biles
Pete Herzog, ISECOM
Bill Matthews
Hernán Marcelo Racciatti
Chris Ramirez
P. Shreekanth
Kim Truett, ISECOM
Marta Barceló, ISECOM
Dario Riquelme Zornow
10.1 Fundamentals of Web Security
What you do on the World Wide Web is your business. Or so you would think. But it's just not
true. What you do on the web is about as private and anonymous as where you go when
you leave the house. Again, you would think that it's your business and many, including
ISECOM, would agree with you. However, consider a private investigator following you
around town, writing down what you saw and who you spoke with.
The focus of this lesson is to get you to learn how to protect yourself on the web, and to do that
you will have to learn where the dangers are.
The World Wide Web works in a very straight-forward manner. Once connected to the
Internet through your ISP, you open a browser, tell it a website, and you get that website on
your screen. However, the truth is in the details. How does the web really work?
A quick trip to the World Wide Web Consortium (W3C), those fine folks who make standards
for the web, will teach you all you want to know about the web: http://www.w3.org. Even
the history of the web: http://www.w3.org/History.html. The problem is, will definitions and
standards teach you how to be safe? Apparently not. The people who want to hurt you do
not necessarily follow the standards.
10.1.1 How the web really works
The steps involved in connecting to the Internet and then to the web are very detailed even if
it does seem to be smooth from the user end.
So what happens for real when you just want to get to the ISECOM website? Assuming you
are already connected to the internet, here are the steps that occur in order:
1. You open your browser.
2. You type in the URL (website name).
3. Website name saved in History Cache on the hard disk.
4. Your computer looks up the name of the address to your default DNS server to find
the IP address.
5. Your computer connects to the server at the IP address provided at the default
web port of 80 TCP if you used "HTTP://" or 443 TCP if you used "HTTPS://" at the front
of the web server name (by the way, if you used HTTPS then there are other steps
involved using server certificates which we will not follow in this example).
6. Your computer requests the page or directory you specified with the default often
being "index.htm" if you don't specify anything. But the server decides its default
and not your browser.
7. The pages are stored in a cache on your hard disk. Even if you tell it to store the
information in memory (RAM), there is a good chance it will end up somewhere on
your disk either in a PAGEFILE or in a SWAPFILE.
8. The browser nearly instantaneously shows you what it has stored. Again, there is a
difference between "perceived speed" and "actual speed" of your web surfing
which is actually the difference between how fast something is downloaded
(actual) and how fast your browser and graphics card can render the page and
graphics and show them to you (perceived). Just because you didn't see it doesn't
mean it didn't end up in your browser cache.
The history of the World Wide Web (just "web" from now on) started at CERN[1] in 1989. It was
conceived by Tim Berners-Lee and Robert Cailliau who built a basic hypertext based system
for sharing information. Over the next few years Tim Berners-Lee continued to develop the
system until in 1993 CERN announced that the web was free for anyone to use, and the web
as we know it now exploded onto the scene.
The Web is a client and server based concept, with clients such as Internet Explorer, Firefox,
Mozilla, Opera, Netscape and others connecting to web servers such as IIS and Apache
which supply them with content in the form of HTML[2] pages. Many companies, organizations
and individuals have collections of pages hosted on servers delivering a large amount of
information to the world at large.
So why do we care about web security then? Web servers often are the equivalent to the
shop window of a company. It is a place where you advertise and exhibit information, but this
is supposed to be under your control. What you don't want to do is leave the window open so
that any passer by can reach in and take what they want for free, and you ideally want to
make sure that if someone throws a brick, that the window doesn't shatter! Unfortunately
web servers are complex programs, and as such have a high probability of containing a
number of bugs, and these are exploited by the less scrupulous members of society to get
access to data that they shouldn't be seeing.
And the reverse is true as well. There are risks also associated with the client side of the
equation like your browser. There are a number of vulnerabilities which have been discovered
in the last year which allow for a malicious web site to compromise the security of a client
machine making a connection to them.
10.1.2 Rattling the Locks
Standard HTML pages are transferred using HTTP[3]. This standard TCP based protocol is plain
text based and this means that we can make connections to a server easily using tools such
as "telnet" or "netcat". We can use this facility to gain a great deal of information about
what software is running on a specific server. For example:
simon@exceat:~> netcat www.computersecurityonline.com 80
HTTP/1.1 200 OK
Date: Fri, 07 Jan 2005 10:24:30 GMT
Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
Last-Modified: Mon, 27 Sep 2004 13:17:54 GMT
ETag: "1f81d-32a-41581302"
Accept-Ranges: bytes
Content-Length: 810
Connection: close
Content-Type: text/html
By entering "HEAD / HTTP/1.0" followed by hitting the "Return" key twice, I can gain all of the
information above about the HTTP Server. Each version and make of HTTP Server will return
different information at this request - an IIS server will return the following:
[1] Centre Européen pour la Recherche Nucléaire (European Centre for Nuclear Research)
[2] Hyper Text Markup Language
[3] Hyper Text Transfer Protocol
simon@exceat:~> netcat www.microsoft.com 80
HTTP/1.1 200 OK
Connection: close
Date: Fri, 07 Jan 2005 11:00:45 GMT
Server: Microsoft-IIS/6.0
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR
SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: public, max-age=9057
Expires: Fri, 07 Jan 2005 13:31:43 GMT
Last-Modified: Fri, 07 Jan 2005 10:45:03 GMT
Content-Type: text/html
Content-Length: 12934
You can take this further and obtain more information by using the "OPTIONS" request in the
HTTP request as follows:
simon@exceat:~> netcat www.computersecurityonline.com 80
OPTIONS / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 07 Jan 2005 10:32:38 GMT
Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND,
PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
Connection: close
This will give you all of the allowed HTTP commands that the server will respond to.
Doing all of this by hand is rather tedious, and matching it manually against a database of
known signatures and vulnerabilities is more than anyone would want to do. Fortunately for us,
some very enterprising people have come up with an automated solution called "nikto".
"Nikto" is a Perl script which carries out various tests automagically! The options are as follows:
-Cgidirs+   Scan these CGI dirs: 'none', 'all', or a value like '/cgi/'
-cookies    print cookies found
-evasion+   ids evasion technique (1-9, see below)
-findonly   find http(s) ports only, don't perform a full scan
-Format     save file (-o) Format: htm, csv or txt (assumed)
-generic    force full (generic) scan
-host+      target host
-id+        host authentication to use, format is userid:password
-mutate+    mutate checks (see below)
-nolookup   skip name lookup
-output+    write output to this file
-port+      port to use (default 80)
-root+      prepend root value to all requests, format is /directory
-ssl        force ssl mode on port
-timeout    timeout (default 10 seconds)
-useproxy   use the proxy defined in config.txt
-Version    print plugin and database versions
-vhost+     virtual host (for Host header)
(+ means it requires a value)

These options cannot be abbreviated:
-debug      debug mode
-dbcheck    syntax check scan_database.db and user_scan_database.db
-update     update databases and plugins from cirt.net
-verbose    verbose mode

IDS Evasion Techniques:
1 Random URI encoding (non-UTF8)
2 Directory self-reference (/./)
3 Premature URL ending
4 Prepend long random string
5 Fake parameter
6 TAB as request spacer
7 Random case sensitivity
8 Use Windows directory separator (\)
9 Session splicing
Mutation Techniques:
1 Test all files with all root directories
2 Guess for password file names
3 Enumerate user names via Apache (/~user type requests)
4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
"Nikto" is quite comprehensive in its reporting as you can see from the following scan:
exceat:/# ./nikto.pl -host www.computersecurityonline.com
- Nikto 1.34/1.29 - www.cirt.net
+ Target IP: [digits not recoverable from the source]
+ Target Hostname: www.computersecurityonline.com
+ Target Port: 80
+ Start Time: Fri Jan 7 12:23:56 2005
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache/1.3.27 Ben-SSL/1.48 (Unix) PHP/4.2.3
- Server did not understand HTTP 1.1, switching to HTTP 1.0
+ Server does not respond with '404' for error messages (uses '400').
+ This may increase false-positives.
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND,
PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'CONNECT' may allow server to proxy client requests.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get
directory listings if indexing is allowed but a default page exists.
+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Apache/1.3.27 appears to be outdated (current is at least Apache/2.0.50). Apache 1.3.31 is
still maintained and considered secure.
+ Ben-SSL/1.48 appears to be outdated (current is at least 1.55)
+ PHP/4.2.3 appears to be outdated (current is at least 5.0.1)
+ PHP/4.2.3 - PHP below 4.3.3 may allow local attackers to safe mode and gain access to
unauthorized files. BID-8203.
+ Apache/1.3.27 - Windows and OS/2 version vulnerable to remote exploit. CAN-2003-0460
+ Apache/1.3.27 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and
mod_cgi. CAN-2003-0542.
+ /~root - Enumeration of users is possible by requesting ~username (responds with Forbidden
for real users, not found for non-existent users) (GET).
+ /icons/ - Directory indexing is enabled, it should only be enabled for specific directories
(if required). If indexing is not used all, the /icons directory should be removed. (GET)
+ / - TRACE option appears to allow XSS or credential theft. See
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)
+ /CVS/Entries - CVS Entries file may contain directory listing information. (GET)
+ /images/ - index of image directory available (GET)
+ /manual/ - Web server manual? tsk tsk. (GET)
+ /cgi-bin/cgiwrap - Some versions of cgiwrap allow anyone to execute commands remotely. (GET)
+ /cgi-bin/cgiwrap/~adm - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap
with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~bin - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap
with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~daemon - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap
with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~lp - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap
with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~root - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap
with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /cgi-bin/cgiwrap/~xxxxx - Based on error message, cgiwrap can likely be used to find valid
user accounts. Recompile cgiwrap with the '--with-quiet-errors' option to stop user
enumeration. (GET)
+ /cgi-bin/cgiwrap/~root - cgiwrap can be used to enumerate user accounts. Recompile cgiwrap
with the '--with-quiet-errors' option to stop user enumeration. (GET)
+ /css - Redirects to http://www.computer-security-online.com/css/ , This might be
+ 2449 items checked - 5 item(s) found on remote host(s)
+ End Time: Fri Jan 7 12:25:36 2005 (100 seconds)
+ 1 host(s) tested
Using the other options you can fine tune Nikto to do exactly what you need to achieve,
including stealth, mutation and cookie detection.
10.1.3 Looking through Tinted Windows - SSL
It wasn't too long before everyone realized that HTTP in plain text wasn't much good for
security. So the next variation was to apply encryption to it. This comes in the form of SSL[4], and
is a reasonably secure 40 or 128 bit public key encryption method. Using a 40 bit key is a lot
less secure than the 128 bit and, with specialized hardware, may well be brute force
breakable within a period of minutes, whereas the 128 bit key will still take longer than the
age of the Universe to break by brute force. There are however more complex technical
attacks using something called a known cyphertext attack - this involves calculating the
encryption key by analyzing a large number of messages (> 1 million) to deduce the key. In
any case, you aren't going to be rushing to try and crack 128 bit encryption - so what can we
learn about SSL HTTP Servers?
Quite a lot actually. As the SSL merely encrypts the standard HTTP traffic, if we set up an SSL
tunnel, we can query the server as we did in section 1.1. Creating an SSL tunnel is quite
straightforward, and there is a utility called "stunnel" purely for this purpose. Enter the
following into a file called stunnel.conf (replacing ssl.enabled.host with the name of the SSL
server that you want to connect to):
; client mode: accept plain text on the local side, speak SSL to the remote side
client = yes
; stunnel 4 expects the accept/connect options inside a named service section
[https]
accept = 80
connect = ssl.enabled.host:443
TIMEOUTclose = 0
Stunnel will then map the local port 80 to the remote SSL port 443 and will pass out plain text,
so you can connect to it using any of the methods listed above:
[4] Secure Sockets Layer
simon@exceat:~> netcat 127.0.0.1 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Fri, 07 Jan 2005 10:32:38 GMT
Content-type: text/html
Last-modified: Fri, 07 Jan 2005 05:32:38 GMT
Content-length: 5437
Accept-ranges: bytes
Connection: close
10.1.4 Having someone else do it for you - Proxies
Proxies are middlemen in the HTTP transaction process. The client requests the proxy, the proxy
requests the server, the server responds to the proxy and then the proxy finally passes the
response back to the client, completing the transaction. Proxy servers are vulnerable to attacks
in themselves, and are also capable of being a jumping off point for launching attacks onto
other web servers. They can however increase security by filtering connections, both to and
from servers.
10.2 Web Vulnerabilities
The simplicity of giving someone something that they ask for is made much more complex
when you're in the business of selling. Web sites that sell to you, companies selling products,
bloggers selling ideas and personality, or newspapers selling news, require more than just
HTML-encoded text and pictures. Dynamic web pages that help you decide what to ask for,
show you alternatives, recommend other options, upsell add-ons, and only give you what you
pay for require complex software. When we say goodbye to websites and hello to web
applications we are in a whole new world of security problems.
10.2.1 Scripting Languages
Many scripting languages have been used to develop applications that allow businesses to
bring their products or services to the web. Though this is great for the proliferation of
businesses, it also creates a new avenue of attack for hackers. The majority of web
application vulnerabilities come not from bugs in the chosen language but in the methods
and procedures used to develop the web application as well as how the web server was
configured. For example, if a form requests a zip code and the user enters "abcde", the
application may fail if the developer did not properly validate incoming form data. Several
languages can be used for creating web applications, including CGI, PHP and ASP.
Common Gateway Interface (CGI): Whatis.com defines a CGI as "A standard way for a web
server to pass a web user's request to an application program and to receive data back to
forward to the user." CGI is part of the web's Hypertext Transfer Protocol (HTTP). Several
languages can be used to facilitate the application program that receives and processes
user data. The most popular CGI applications are: C, C++, Java and PERL.
PHP - Hypertext Preprocessor (PHP): PHP is an open-source server-side scripting language
where the script is embedded within a web page along with its HTML. Before a page is sent
to a user, the web server calls PHP to interpret and perform any operations called for in the
PHP script. Whereas HTML displays static content, PHP allows the developer to build pages
that present the user with dynamic, customized content based on user input. HTML pages
that contain PHP scripting are usually given a file name with the suffix of ".php".
Active Server Pages (ASP): Active Server Pages (ASP) are database driven, dynamically
created Web pages with a .asp extension. They utilize ActiveX scripting -- usually VB Script or
Jscript code. When a browser requests an ASP, the Web server generates a page with HTML
code and immediately sends it back to the browser - in this way they allow web users to view
real time data, but they are more vulnerable to security
10.2.2 Common Web Application Problems
Web applications do not necessarily have their own special types of problems but they do
have some of their own terms for problems as they appear on the web. As web application
testing has grown, a specific security following has grown too and with that, a specific
classification of web vulnerabilities. Common web application problems are classified below
according to the OSSTMM Risk Assessment Values
(http://www.isecom.org/securitymetrics.shtml), a specific way to measure security by how it
affects how things work.
RAV What it means Web Examples
These are the identification and
authori@ation mechanisms used to
be certain that the person or
computer using the web
application is the correct person to
be using it%
Every time you login to a web page that
has your personal data then you are
authenticating% uthentication often
means "ust giving a login and password%
Sometimes it means giving an
identification number or even "ust
coming from n acceptable I* ddress
record that proves that the data
sent to or from the web application
was really sent and where%
lthough you may not see it$ most web
applications keep track of purchases
you make from a particular I* address
using a particular browser on a
particular operating system as a record
that it was most likely smeone on your
computer who made that purchase%
3ithout specific .authentication0 they
canEt guarantee 1,,Z it was you though%
way to assure that
communication with the web
application cannot be listened in
on by another person%
The !TT*S part of interaction with a web
application provides pretty good
confidentiality% It does a decent "ob of
making your web traffic with the web
app from being publicly readable%
RAV What it means Web Examples
*rivacy way to assure that the way you
contact and communicate with
the web application cannot be
pre#determined by another person%
3hile it is very rare$ it is not unimaginable
that a web application that contains
very private information would not even
show you it is there unless you come from
the right place and know the right secret
combination to get the web app to be
accessible% One way is to have to click
a picture in = different places in a
specific order to get to the login screen%
nother manner is called port#knocking
and it means that the server reCuires a
specific seCuence of interactions before
it opens a port$ such as the !TT* port$ to
the user%
These are ways to assure that the
web application has legal
protection or at the least$ can be
financially protected with
Some web sites clearly print on the login
screen that itEs for authori@ed personnel
only% If someone steals a login and
password or even brute#forces it open$
the attacker$ if caught$ cannot say he
didnEt know it was private%
Integrity This is a record of the validity of the
communication with the web
application to assure that what is
sent and then received by the
other is the same thing and if it
changed$ both the web pplication
and the user have a record of the
Some web apps provide a .!S!0 with
files to be downloaded% This !S! is a
number generated from that specifc file%
3hen you download the file$ you can
check the !S! you generate from the
file against the one they post% This is to
assure that some attacker is not trying to
trick you with a different file either
replaced or through deception$ such as
in Cross Site Scripting%
RAV: Safety
What it means: This is how we protect the web application from its own security devices. If security fails, we need to make sure that it does not affect the operation of the web application as a whole.
Web examples: It is very possible to have an application use a daemon that can re-initialize itself, or even prevent an attack from crashing any part of itself by presenting itself only virtually. You can also find scenarios where a web app uses an intrusion detection mechanism that "stops" attacks by blocking the attacker by IP address. In this case, we can't say Safety exists unless the security device is configured to prevent an attacker from spoofing the web app's own resources and so causing this defense to block important traffic. Otherwise it is considered either a misconfiguration of the defense or, in some cases, a weakness of design. Don't confuse a poorly made or "accidental" defense with a designed loss control.

RAV: Usability
What it means: A way to prevent the user from having to make security decisions about interacting with the web application. This means that proper security is built in and the user doesn't have to choose which or what security mechanisms to turn on or off.
Web examples: When a web app requires the use of HTTP over SSL (HTTPS), then we can say that it is using Usability as part of security. However, if it lets you choose to interact with it less securely, for example to send your credit card number by insecure e-mail rather than post it via a form by way of HTTPS, then it is NOT exercising Usability.

RAV: Continuity
What it means: This is how we keep a service based on a web application from failing to work no matter what problem or disaster occurs.
Web examples: Often a web app that receives a lot of traffic will have a reverse proxy in front of it which directs the traffic to one of many mirrored web servers. This way, if one goes down, service is not interrupted. Another example is a web application that caches its website to many different servers over the internet, so when you visit one, you are not actually going to the originating web server. If a cache goes down or gets corrupted, then the traffic will get redirected to another cache or to the originating website.

RAV: Alarm
What it means: A notification, either immediate or delayed, regarding a problem with any of these mechanisms.
Web examples: A basic form of alarm is the log file generated by the web server. The bad thing about an alarm is that you can choose to ignore it. This is especially true if it sounds all the time (think of the story of the boy who cried "wolf"). Or, in the case of a log file, it may not sound at all. An alarm is only as good as your reaction time to it.
1. Open up Google and type in "inurl:search.asp" or "inurl:search.php". With any of the websites which come up that you have permission to test, attempt to type the following into the search field: <script>alert('hello')</script>. What happens? Try this for several sites.
2. In Google, type in "inurl:login.asp" and "inurl:login.php". With any of the websites which come up that you have permission to test, attempt to type in special characters (for example ' " ; < > and %) for both the username and password. What happens? Try this for several sites.
3. Knowing the types of security mechanisms a web application may have, open your favorite interactive website and try to identify whether it has security mechanisms which conform to any of the RAV classifications.
4. Commonly discussed web vulnerabilities are Cross Site Scripting (XSS) and SQL injection. What are they and how does an attacker use them to steal data or information from a web
10.2.3 Guidelines for Building Secure Web Applications
While there are many opinions, and most of the details of building with security in mind come from the logic of the programmer and their skill with the programming language, these basic guidelines are also derived from materials available from the OSSTMM:
1. Assure security does not require user decisions.
2. Assure business justifications for all inputs and outputs in the application.
3. Quarantine and validate all inputs, including app content.
4. Limit trusts (to systems and users).
5. Encrypt data.
6. Hash the components.
7. Assure all interactions occur on the server side.
8. Layer the security.
9. Invisible is best - show only the service itself.
10. Trigger it to alarm.
11. Security awareness is required for users and helpdesks.
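Guidelines 3 and 7 (validate all inputs; do the work on the server side) are easiest to see against the two payloads from the exercises. The Python below is added here and is not code from the lesson or the OSSTMM: it shows a login query built by string concatenation next to a parameterised one, and a search page that echoes the term raw next to one that escapes it for HTML. The user table, its rows and the function names are constructed for the example.

```python
"""Input handling on the server side: injectable code beside the hardened form
(added example)."""
import html
import sqlite3

def make_db():
    """In-memory user table with constructed rows. Passwords are stored in clear
    only to keep the example short; a real table holds salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds SQL by concatenation: a quote in the input ends the string literal
    and the rest of the input is executed as SQL."""
    query = ("SELECT name FROM users WHERE name = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]

def login_hardened(conn, username, password):
    """Parameterised query: the driver passes the input as a value, never as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]

def search_page_vulnerable(term):
    """Echoes the search term straight into the page: reflected XSS."""
    return "<p>Results for: " + term + "</p>"

def search_page_hardened(term):
    """Escapes the term for the HTML context before interpolating it."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"

def demo():
    """Run both payloads from the exercises against both versions."""
    conn = make_db()
    sqli = "' OR '1'='1"
    xss = "<script>alert('hello')</script>"
    return {
        "sqli_vulnerable": login_vulnerable(conn, sqli, sqli),
        "sqli_hardened": login_hardened(conn, sqli, sqli),
        "xss_vulnerable": search_page_vulnerable(xss),
        "xss_hardened": search_page_hardened(xss),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable login returns every user for the tautology payload because the quote closes the string literal and the remainder becomes SQL; the parameterised version treats the whole input as one value and matches nothing. The hardened search page still contains the attacker's text, but as data the browser displays rather than a tag it executes.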
1. Give examples for any three of the above guidelines.
2. Give three types of technologies that one could apply to a web application as an
10.3 HTML Basics - A brief introduction
HTML is a set of instructions that explains how information is to be presented from a web server (Apache, Internet Information Server) to a browser (Firefox, Opera). It is the heart of the World Wide Web.
HTML can do much more than just display data on a web page. It can also provide data entry forms, where data can be entered for processing by a higher level language (Perl, PHP, etc.). In a business setting this is where HTML is at its most useful, but in a hacker setting, this is where HTML is at its most vulnerable.
10.3.1 Reading HTML
HTML is communicated with a series of tags or markups. Each opening tag, <h1> for instance, must have a closing tag, </h1>. This tells the browser to stop the markup described by the preceding tag. Opening and closing tags are a part of well-formed HTML.
Take, for example, the code:

<html>
<head><title>Hello World</title></head>
<body>
<h1>Hello World!</h1>
</body>
</html>

Figure 1: HTML Code
We are telling the browser this is an HTML document with the tag <html>, and we have a title of 'Hello World' with the <title> tag. The <body> tag tells our browser "here is where the information you will be displaying goes." Finally, the <h1> tags tell the browser to display the information in "Heading 1" style. The tags that are preceded with a '/' are merely the closing tags; this tells the browser to stop displaying the contents described by the opening tag.
Exercise 1: Cut and paste the code in figure one into a text file called hello.html. Open that file in your browser of choice and you should see something similar to this:
10.3.2 Viewing HTML at its Source
All modern browsers contain a way to view the underlying HTML code that generated the web page you are looking at. In most cases, this is the "view source" option under the "view" menu in your browser.
Exercise 2: Choose View --> View Source in your browser while surfing your favorite web page.
Illustration 1: View Menu
The results should be something pretty similar to this:
HTML code is visible to anyone with a web browser. This is why it is very important when coding web pages not to try to hide passwords or important information in the HTML source code. As you can see, it's not very secret.
10.3.3 Links
Links (or hyper-links) are really the heart of HTML page building. The biggest strength of HTML is the ability to link to other documents. A link, in the context of HTML, is denoted as <a href="http://www.yahoo.com">www.yahoo.com</a>. The link will appear as www.yahoo.com on your website. This will take visitors of your site to Yahoo. (Note that the href needs the scheme, http://; a bare www.yahoo.com is treated as a path relative to your own site.)
Links can be checked and followed by so-called link checker programs. These programs search HTML source code for the <a href=""></a> tags and then create a file or index of the found links. Spammers will often use this technique to find email addresses or contact forms they can use to spread their mass emails. Link checkers can also be used to check your website for "broken" links, or links that don't go anywhere. This can happen a lot even in relatively small sites.
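An added example of what a link checker or address harvester does, in Python; it is not code from the lesson or from any particular checker. It parses the <a href> tags out of a page, resolves relative targets against the page's URL, pulls the addresses out of mailto: links, and flags links that are not in the site's page list. The HTML and the known page list are constructed so it runs offline; a real checker would fetch each link instead of consulting a list.

```python
"""What a link checker (or a spammer's harvester) does with a page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag, resolved against the page's own URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(urljoin(self.base_url, value))

def extract_links(html_text, base_url):
    parser = LinkExtractor(base_url)
    parser.feed(html_text)
    return parser.links

def harvest_mailto(links):
    """The spammer's use of the same index: addresses from mailto: links."""
    return sorted({urlsplit(l).path for l in links if urlsplit(l).scheme == "mailto"})

def find_broken(links, known_pages):
    """Offline stand-in for fetching each link: anything not in the site's page
    list counts as broken. A real checker issues an HTTP request per link."""
    return [l for l in links
            if urlsplit(l).scheme in ("http", "https") and l not in known_pages]

# Constructed page and site map for the example.
SAMPLE_HTML = """<html><body>
<a href="http://www.yahoo.com">www.yahoo.com</a>
<a href="/lessons/lesson10.html">Lesson 10</a>
<a href="www.yahoo.com">missing scheme: resolved as a path on this site</a>
<a href="mailto:webmaster@example.org">contact</a>
<a href="old.html">stale link</a>
</body></html>"""
KNOWN_PAGES = {"http://www.yahoo.com",
               "http://www.example.org/lessons/lesson10.html"}

def demo():
    links = extract_links(SAMPLE_HTML, "http://www.example.org/index.html")
    return links, harvest_mailto(links), find_broken(links, KNOWN_PAGES)

if __name__ == "__main__":
    for part in demo():
        print(part)
```

The third link shows the mistake noted above: without a scheme, www.yahoo.com resolves to http://www.example.org/www.yahoo.com, which the checker reports as broken.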
Exercise 1: Create a link
Create a link to www.hackerhighschool.org that displays as Hacker High School on your web page.
Bonus exercise: Use the tool
Illustration 2: Source viewed in text editor
1. Find and download a link checking program.
2. Run that program against www.hackerhighschool.org and document how many broken links you find.
10.3.4 Proxy methods for Web Application Manipulation
An HTTP proxy server serves as a middle man between a web server and a web client (browser). It intercepts and logs all connections between them, and in some cases can manipulate the request data to test how the server will respond. This can be useful for testing applications for various cross-site scripting attacks, SQL injection attacks and any other direct-request style attack. A proxy testing utility (SpikeProxy, WebProxy, etc.) will assist with most of these tests for you. While some have an automation feature, you will quickly learn that it is actually a weak substitute for a real person behind the wheel of such
Exercise 1: Choose your software
1. Download a proxy utility.
2. Install the software according to the README file.
3. Change your browser settings to point to the new proxy. This is usually port 8080 on localhost for these tools, but read the instructions to be sure.
Once the proxy server is installed and your browser is pointed at it, surf around the site you're testing. Remember, be sure to use a website that you have permission to test. Once you have surfed around, point your browser to the proxy's admin page (for SpikeProxy, see http://www.immunitysec.com/resources-freesoftware.shtml) and begin testing the site. From the admin interface you can have the tool brute force the site's authentication methods or test for cross-site scripting. (Actually, we recommend using Mozilla or Firefox with http://livehttpheaders.mozdev.org/ and http://addneditcookies.mozdev.org/ together to modify headers and cookies on the fly without the need for a separate proxy port. Not only does it really simplify things, it's a much more powerful tool set, as we teach it in ISECOM's OSSTMM Professional Security Tester class (OPST). But since you will need to know about setting up proxies for other things, like ad and spam filters, privacy filters, etc., we thought you should actually set one up for real, and Spike is a good one to try.)
A proxy server can be a powerful tool in helping you determine how solid a web application is. For penetration tests or vulnerability assessments, you must have a good proxy tool in your toolbox. There are detailed tutorials available on using SpikeProxy at
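The proxy tools above let you edit a request on its way from browser to server. The Python below, an added example rather than the lesson's or any tool's code, does the core of that offline: it parses a raw HTTP request, replaces a header and one cookie value, keeps Content-Length consistent if there is a body, and re-serialises the request. The sample request is constructed.

```python
"""Rewrite an intercepted HTTP request the way a testing proxy does (added example)."""

def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, header list, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body

def set_header(headers, name, value):
    """Replace a header (names are case-insensitive) or append it."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + [(name, value)]

def parse_cookies(headers):
    """Return the (name, value) pairs of the Cookie header, if any."""
    for name, value in headers:
        if name.lower() == "cookie":
            return [tuple(c.strip().split("=", 1)) for c in value.split(";") if "=" in c]
    return []

def set_cookie(headers, cookie_name, new_value):
    """Change one cookie's value, leaving the other cookies as they were."""
    cookies = [(k, new_value if k == cookie_name else v)
               for k, v in parse_cookies(headers)]
    if cookie_name not in [k for k, _ in cookies]:
        cookies.append((cookie_name, new_value))
    return set_header(headers, "Cookie", "; ".join(f"{k}={v}" for k, v in cookies))

def serialize(request_line, headers, body):
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("latin-1") + b"\r\n\r\n" + body

def rewrite(raw, header_overrides, cookie_overrides):
    """Apply header and cookie edits to a raw request and return the new bytes."""
    request_line, headers, body = parse_request(raw)
    for name, value in header_overrides.items():
        headers = set_header(headers, name, value)
    for name, value in cookie_overrides.items():
        headers = set_cookie(headers, name, value)
    if body:  # a proxy that edits the body must keep this header truthful
        headers = set_header(headers, "Content-Length", str(len(body)))
    return serialize(request_line, headers, body)

# Constructed request as the browser would send it through the proxy.
SAMPLE_REQUEST = (b"GET /account?id=1001 HTTP/1.1\r\n"
                  b"Host: www.example.org\r\n"
                  b"User-Agent: Mozilla/5.0\r\n"
                  b"Cookie: session=abc123; role=user\r\n\r\n")

def demo():
    """Change the User-Agent and try to escalate the role cookie."""
    return rewrite(SAMPLE_REQUEST, {"User-Agent": "HHS-proxy-test"}, {"role": "admin"})

if __name__ == "__main__":
    print(demo().decode("latin-1"))
```

A real intercepting proxy wraps exactly this between two sockets: accept from the browser, rewrite, forward to the server, and relay the response back. The role=admin edit is the kind of test the section has in mind; if the server trusts the cookie's role value instead of checking the session on its own side, the application fails guideline 7 of 10.2.3.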
10.4 Protecting your server
There are several steps that can be taken to protect your server. These include ensuring that your software is always updated and patched with any security updates that are available from the manufacturer. This includes ensuring that your OS and web servers are updated as well. In addition, firewalls and intrusion detection systems can help protect your server, as discussed below.
10.4.1 Firewall
Firewalls originally were fireproof walls used as barriers to prevent fire from spreading, such as between apartment units within a building. The same term is used for systems (hardware and software) that seek to prevent unauthorized access to an organization's information. Firewalls are like security guards that, based on certain rules, allow or deny traffic that enters or leaves an organization's (or home) system. They are important safeguards that seek to prevent an organization's system from being attacked by internal or external users. It is the first and most important security gate between external and internal systems.
Firewalls are generally placed between the Internet and an organization's information system. The firewall administrator configures the firewall with rules allowing or denying information packets from entering into or leaving the organization.
The rules are made using a combination of Internet Protocol (IP) address and ports; such rules are made depending on the organization's needs, e.g. in a school, students are allowed in based on an identity card.
The rule to the security guard in a school would be to allow all persons that carry a valid identity card and deny everyone else. However, the security guard would have another rule for exiting from the school; the rule would be to allow everyone to exit except small children, unless accompanied by adults. A similar system is followed for firewall configuration, depending on the nature of the organization, the criticality of the information asset, the cost of security, the security policy and the risk assessment.
The firewall, just like a security guard, cannot judge the contents of the information packet; just as the guard allows all persons with a valid identity card irrespective of the nature of the persons, the firewall allows entry or exit based mainly on IP address and port numbers. Hence an entry or exit is possible by masking (spoofing) the IP address or port. To mitigate this risk, organizations use an Intrusion Detection System, which is explained in the next section.
There are various kinds of firewall depending on the features they have, viz. packet filter (operates on individual IP packets), stateful firewall (operates based on connection state) or application firewall (using a proxy).
An example of a firewall rule could be: block inbound TCP traffic from address 200.224.54.253, port 135 (an imaginary example); such a rule would tell a computer connected to the Internet to block any traffic originating from the computer with IP address 200.224.54.253 using port 135.
Important activities relating to firewalls are initial configuration (creating the initial rules), system maintenance (additions or changes in the environment), review of audit logs, acting on alarms and configuration testing.
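An added example, not from the lesson, of the packet-filter firewall described above in Python: rules are matched first to last on direction, protocol, source and destination address ranges and ports, and a packet that matches nothing is denied. The rule set includes the lesson's imaginary rule (deny inbound TCP from 200.224.54.253, port 135) plus allow rules for a web server at 192.0.2.10, an address from the documentation range chosen for this example. The packets are constructed.

```python
"""Stateless packet filter: first matching rule wins, default deny (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected network
    proto: str       # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"   # CIDR range the rule applies to
    sport: Optional[int] = None
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """A rule matches only when every field it constrains agrees with the packet."""
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules, packet, default="deny"):
    """Walk the rule list in order; the first match decides, else the default."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# The lesson's imaginary rule, then a typical policy for a web server at
# 192.0.2.10 (documentation range; address chosen for this example).
RULES = [
    Rule("deny", direction="in", proto="tcp", src="200.224.54.253/32", sport=135),
    Rule("allow", direction="in", proto="tcp", dst="192.0.2.10/32", dport=80),
    Rule("allow", direction="in", proto="tcp", dst="192.0.2.10/32", dport=443),
    Rule("allow", direction="out"),   # let the protected side initiate anything
]

def demo():
    """Constructed packets: the blocked host, normal HTTPS, telnet, and the
    same attacker with a spoofed source address."""
    blocked = Packet("in", "tcp", "200.224.54.253", 135, "192.0.2.10", 80)
    https = Packet("in", "tcp", "198.51.100.7", 40000, "192.0.2.10", 443)
    telnet = Packet("in", "tcp", "198.51.100.7", 40000, "192.0.2.10", 23)
    spoofed = Packet("in", "tcp", "198.51.100.7", 135, "192.0.2.10", 80)
    return [evaluate(RULES, p) for p in (blocked, https, telnet, spoofed)]

if __name__ == "__main__":
    print(demo())  # ['deny', 'allow', 'deny', 'allow']
```

The last packet shows the limitation the text describes: the same attacker with a different source address is let through on the web server's allow rule, because a stateless filter judges only addresses and ports, never who actually sent the packet.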
10.4.2 Intrusion Detection System (IDS)
Imagine a school that has proper security guards; how will the authorities detect the entry of unauthorized persons? The authorities would install a burglar alarm that will ring on the entry of unauthorized persons. This is exactly the function of an intrusion detection system in computer parlance. Firewall (security guard or fence) and IDS (burglar alarm or patrolling guard) work together; while the firewall regulates entries and exits, the IDS alerts on, or denies, unauthorized access.
So how does an IDS help? Just like a burglar alarm, the IDS alerts the authorized person (the alarm rings) that an unauthorized packet has entered or left. Further, an IDS can also instantly stop such access, or stop a user from entering or exiting the system, by disabling the user or the access. It can also activate some other script; an IDS can, for example, prevent or reduce the impact of a denial of service by blocking all access from a computer or group of computers. (Automatic blocking by source address has the Safety problem described in the RAV table above: an attacker who can spoof addresses can make the defense block legitimate traffic.)
An IDS can be host based or network based; a host based IDS is used on an individual computer, while a network IDS is used between computers. A host based IDS can be used to detect, alert on or regulate abnormal activity on critical computers; a network IDS is similarly used in respect of traffic between computers. An IDS thus can also be used to detect abnormal activity.
An IDS, like a patrolling guard, regularly monitors network traffic to detect any abnormality, e.g. high traffic from some computers, or unusual activity on a server, e.g. a user logged onto an application and involved in malicious activity. The IDS compares any event with historical data to detect any deviation. On detection of a deviation, the IDS acts depending on the rules created by the IDS administrator, such as alerting, storing the intrusion in audit logs, stopping the user from doing any activity, or running a script that starts a string of activities. An IDS can also detect intrusions based on its database of signatures; any match against a signature is detected and acted upon, an action similar to anti-virus software. An IDS is also used for detection of any activity on a critical resource, or for forensics, by quietly watching the suspect.
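Added example (not part of the lesson): both IDS techniques named above applied to a web server log. It parses Common Log Format lines, matches the request path against two signatures (the script tag and SQL tautology from the exercises in 10.2), and applies a threshold rule for repeated 401 responses on the login page, the "historical data" style of detection. The log lines are constructed, and the signatures and threshold are illustrative choices.

```python
"""Signature and threshold detection over web server log lines (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log in Common Log Format; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2004:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.9 - - [10/Oct/2004:13:55:40 +0000] "GET /search.php?q=<script>alert('hello')</script> HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2004:13:55:41 +0000] "POST /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1" 200 87
198.51.100.7 - - [10/Oct/2004:13:55:42 +0000] "GET /about.html HTTP/1.1" 200 1033
203.0.113.9 - - [10/Oct/2004:13:55:43 +0000] "GET /login.php HTTP/1.1" 401 12
203.0.113.9 - - [10/Oct/2004:13:55:43 +0000] "GET /login.php HTTP/1.1" 401 12
203.0.113.9 - - [10/Oct/2004:13:55:44 +0000] "GET /login.php HTTP/1.1" 401 12
203.0.113.9 - - [10/Oct/2004:13:55:44 +0000] "GET /login.php HTTP/1.1" 401 12
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$')

# Illustrative signatures; real rule sets are far larger and still miss variants.
SIGNATURES = [
    ("xss-script-tag", re.compile(r"<script", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'", re.I)),
]

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["path"] = unquote(event["path"])   # decode %20 etc. before matching
    event["status"] = int(event["status"])
    return event

def signature_alerts(events):
    """Misuse detection: a request whose path matches a known-bad pattern."""
    return [(name, e["ip"], e["path"])
            for e in events for name, pat in SIGNATURES if pat.search(e["path"])]

def failed_login_alerts(events, threshold=3):
    """Threshold rule: repeated 401s on the login page from one address."""
    fails = Counter(e["ip"] for e in events
                    if e["path"].startswith("/login") and e["status"] == 401)
    return [("login-bruteforce", ip, n) for ip, n in fails.items() if n >= threshold]

def analyze(log_text):
    """Parse every line and return all alerts, signature hits first."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return signature_alerts(events) + failed_login_alerts(events)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Signature rules miss anything not written the way the signature expects (different case, a second layer of encoding, a different tag), and a threshold set too low produces the cry-wolf alarms from the RAV table, so an IDS needs both tuning and someone who reacts to what it reports.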
1. Are both a firewall and an Intrusion Detection System required in an organization for securing its information system? If yes, why? If not, why not?
2. Think of an example of a specific use of firewall rules that is applicable to the front desk person in a school; does she need to access the Internet? If not, how will the rule be
3. Can a student access the school score database that contains complete information on the examination scores of all students? How will this be controlled? How will this be detected in case an external party using the Internet accesses it without authorization?
10.5 Secure Communications
Generally, the concept associated with secure communications is the set of processes of computer systems that create confidence and reduce risks. For electronic communications, three requirements are necessary to ensure security: a) Authenticity, b) Integrity, c) Non-repudiation.
Authenticity: This concept has to do with ensuring that the source of a communication is who it claims to be. It is not difficult to falsify electronic mail, or to slightly vary the name of a web page and thus redirect users; for example, http://www.diisney.com appears to be the Disney web page, but it has two letters 'i' and can be confusing. In this case (at the time this lesson was written), you were actually transferred to a gambling site, and the communications are not safe.
Integrity: That a communication has integrity means that what was sent is exactly what arrives, and has not undergone alterations (voluntary or involuntary) in the passage.
Non-repudiation: If the conditions of authenticity and integrity are fulfilled, non-repudiation means that the sender cannot deny having sent the electronic communication. For example, if a web site grants a prize to me, and I can prove it (that is to say, if a web site sends a discount coupon, and I verify that the web site is authentic and that nobody manipulated the information on the way), the site cannot deny that the coupon was sent.
The mechanism used to assure these conditions from a web site is called a digital certificate. Maintaining the conditions of security gives us tranquillity in our electronic communications, and allows us to assure the principle of privacy in cyberspace.
10.5.1 Privacy and Confidentiality
Most web sites receive some information from those who browse them, either by explicit means like forms, or by more covert methods like cookies or even navigation registries. This information can be helpful and reasonable, like remembering your book preferences on Amazon.com, and therefore, in order to ensure security to the person who browses, many sites have established declarations of Privacy and Confidentiality.
Privacy refers to keeping your information as yours, or limiting it to close family, your friends or your contacts, but at the most to those with whom you have agreed to share the information. No one wants their information shared everywhere without control; for that reason, there are subjects declared as private, that is to say, of restricted distribution.
On the other hand, confidentiality means that a subject's information will stay secret, but this time from the perspective of the person receiving that information.
For example, if you desire a prize but you do not want your information distributed, you declare that this information is private, authorize the information to a few people, and they maintain confidentiality. If for some reason, in some survey, they ask you specifically about that prize, and you respond that you have it, you would hope that that information stays confidential, that is to say, that those who receive the information keep it in reserve.
We could generalize the definition of confidentiality as "the information received under a condition of privacy, I will maintain as if it was my own private information". It is necessary to declare the conditions of the privacy of information handling, to give basic assurances of
Also, it is recommended that you read the conditions established by the web site you visit in their privacy policy.
1. Review the conditions of privacy of world-wide suppliers of WebMail, Google and Hotmail, and of a manufacturer like General Motors (http://www.gm.com/privacy/index.html). Are they equal? Of those, who will share the information that I give? What measures will I be able to take if they do not observe these rules?
10.5.2 Knowing if you are communicating securely
Even with conditions of Privacy and Confidentiality, somebody can still intercept the communications. In order to provide the conditions discussed at the beginning of this section, a layer of security called SSL has been previously discussed, which uses digital certificates to establish a safe connection (that is to say, one that fulfills authenticity and integrity) and provides a level of encryption in communications (this is to hide information so that if somebody takes part of the information, they cannot access it, because the message is encrypted so that only the sender and the receiver, with the correct certificates, are able to understand it). Strictly, SSL by itself gives you authenticity of the server and integrity and confidentiality of the channel; non-repudiation of an individual message requires a digital signature on that message. This layer is called Secure Sockets Layer, SSL, and is visible through two elements within the web browser.
The communication is considered to be safe when the web address (URL) changes from http to https; this change even modifies the port of the communication, from 80 to 443. Also, in the lower bar of the browser (in current browsers, in the address bar itself), a closed padlock appears, which indicates conditions of security in the communications.
If you put the mouse on this padlock, a message will appear detailing the number of bits that are used to protect the communications (the encryption level); at the time of writing, 128 bits was the recommended encryption level. This means that a key that can be represented in 128 bits is used to protect the communications.
A type of trick called phishing exists (http://www.antiphishing.org/), in which a web page mimics the page of a bank (they copy the graphics so that the clients enter their data, trusting that it is the bank, although it is not). In order to avoid these situations, the authenticity of the site should be verified, and it should be checked that the communications are safe (https and the closed padlock), and, to the best of your knowledge, verify the certificate. Keep in mind that the padlock only says that the connection to the name shown in the address bar is encrypted and that the certificate matches that name; it does not say that the name is your bank's, so check the name itself.
10.6 Methods of Verification
At this point, you have had the opportunity to learn the foundations of security on the Web, the main aspects related to some of the vulnerabilities commonly found in the web servers used to host the different sites with which we routinely interact when browsing the Internet, and the way in which different defects in the development of web applications affect the security and/or the privacy of users in general.
On the other hand, you have learned some of the technologies on which we rely to protect our servers and also our privacy. However, probably at this moment you are asking yourself questions such as: Am I safe, now that I have taken the corresponding actions? Is my system safe? The developers who have programmed some of the functionality that I have used in my web site, have they taken care to ensure security? How can I verify these
As you have probably thought, it is not enough to apply manufacturer updates or to trust the good intentions of the developer when your security or privacy is concerned. In the past, there have been several cases in which a manufacturer's patch corrected one vulnerability but caused another problem in the system, or, once patched, a new vulnerability was discovered. Due to this and other reasons, you will have to consider that it is absolutely necessary to verify the implemented systems frequently, in order that the system "remains" safe.
Luckily, many people have developed in their own time some "Methods of Verification", most of which are available free, so that we all may take advantage of the benefits of their use. These are based on the experience of hundreds of professionals, and include numerous "good practices" regarding implementing technology in a safe form. Therefore, it is recommended that you adopt these methodologies when carrying out your verification tasks.
An example of these, the OSSTMM, is discussed briefly below.
10.6.1 OSSTMM
The OSSTMM, which is an abbreviation for "Open Source Security Testing Methodology Manual", is one of the most widely used security testing methodologies. As described in its introduction, although certain individual tests are mentioned, these are not particularly revolutionary; the methodology as a whole represents a standard of essential reference for anyone wanting to carry out a security test in an ordered format and with professional quality. The OSSTMM is divided into several sections. In the same way, it is possible to identify within it a series of specific testing modules, through which each dimension of security is tested and integrated with the tasks needed to ensure security.
These sections include: Personnel Security, Data Network Security, Telecommunications Security, Wireless Communications Security, and Physical Security, and the sections of this methodology detail security from the point of view of WHICH test to do, WHY to do it and WHEN to do it.
The OSSTMM by itself details the technical scope and traditional operation of security but, and this is perhaps one of the very important aspects, not the exact tests; rather it presents what should be tested, the form in which the test results must be presented, the rules for testers to follow to assure the best results, and it also incorporates the concept of security metrics with RAVs (Risk Assessment Values) to put a factual number on how much security you have. The OSSTMM is a document for professionals, but it is never too early to try to understand it and learn how it works. The concepts are very thorough and it's written in an easy-to-comprehend style.
1. Patching is a common problem today, where web administrators are constantly needing to patch code as new vulnerabilities are discovered. Research a case in which a new problem occurred when installing a new security patch. Discuss the possibilities and consequences when an administrator who has a new patch to install realizes that this will open a breach in the system that was already resolved. Should the patch still be installed? In relation to this subject, would it matter whether you have the source code or not?
2. Go to http://cve.mitre.org and search for CVEs. Enter the name of a web server (e.g. Apache) into the search field. When did the latest vulnerability get released? How often have vulnerabilities come out (weekly, monthly, etc.)? In reference to question number one, is patching a realistic solution to security? Why or why not? What other security measures can be used if you decide not to play the cat and mouse game of
3. Download a copy of the OSSTMM and review the methodology concepts. What aspects would you emphasize from this methodology? How do you think this methodology can integrate with your verifications of security?
4. What can you find out about the RAVs?
Further Reading
Here are some sites to check out if you want more information on creating your own web pages or HTML in general.
Table of Contents
"License for Use" Information
Contributors
11.0 Introduction
11.1 Types of Passwords
11.1.1 Strings of Characters
11.1.2 Strings of Characters plus a token
11.1.3 Biometric Passwords
11.2 History of Passwords
11.3 Build a Strong Password
11.4 Password Encryption
11.5 Password Cracking (Password Recovery)
11.6 Protection from Password Cracking
Further Reading
Glossary
Contributors
Kim Truett, ISECOM
Chuck Truett, ISECOM
J. Agustín Zaballos, La Salle URL Barcelona
Pete Herzog, ISECOM
Jaume Abella, La Salle URL Barcelona - ISECOM
Marta Barceló, ISECOM
11.0 Introduction
One of the principal characters in The Matrix Reloaded is the Keymaker. The Keymaker is critically important; he is protected by the Matrix and sought by Neo, because he makes and holds the keys to the various parts of the Matrix. The Matrix is a computer generated world; the keys he makes are passwords. Within the movie, he has general passwords, back door passwords and master keys - passwords to everywhere.
Passwords are keys that control access. They let you in and keep others out. They provide information control (passwords on documents), access control (passwords to web pages) and authentication (proving that you are who you say you are).
11.1 Types of Passwords
There are three main types of passwords.
11.1.1 Strings of Characters
At the most basic level, passwords are strings of characters, numbers and symbols. Access to a keyboard or keypad allows entry of these types of passwords. These passwords range from the simplest, such as the three digit codes used on some garage door openers, to the more complicated combinations of characters, numbers and symbols that are recommended for protecting highly confidential information.
11.1.2 Strings of Characters plus a token
The next level in passwords is to require a string of characters, numbers and symbols plus a token of some type. An example of this is the ATM, which requires a card (the token) plus a personal identification number or PIN. This is considered more secure, because if you lack either item, you are denied access.
11.1.3 Biometric Passwords
The third level in passwords is the biometric password. This is the use of non-reproducible biological features, such as fingerprints or facial features, to allow access. An example of this is the retinal scan, in which the retina, which is the interior surface of the back of the eye, is photographed. The retina contains a unique pattern of blood vessels that are easily seen, and this pattern is compared to a reference. Biometric passwords are the most sophisticated and are considered "safer", but in reality a password that you "carry" in your finger or eye is no safer than a strong password that you carry in your head, provided that the software that uses the password is correctly configured; and, unlike a password, a biometric cannot be changed once it has been copied.
11.2 History of Passwords
Trivia in Password History:
In older versions of MS Excel and Word, passwords were stored as plain text in the document header information. View the header and you could read the password. This is valid for all versions older than Office 2000.
Windows once stored passwords as plain text in a hidden file. Forget your password? You could just delete the hidden file, and the password was erased.
Early on, Microsoft and Adobe both used passwords to mean that a file was password protected when opened with their applications. If you opened it with another application, such as Notepad, the password wasn't necessary.
Microsoft Access 2.0 databases could be opened as a text file easily by just renaming them with a ".txt" extension. Doing this allowed you to see the database data.
Adobe PDF files in versions 4.0 and older were printable and often viewable using Linux PDF readers or Ghostview for Windows.
Wireless networks (using the WEP encryption common when this was written) have a problem with encryption, as the key for the encryption can be recovered once you collect enough encrypted data out of the air to find the patterns and guess the key. With today's computing power in the normal home, the key can be cracked almost immediately to find the password.
Bluetooth security is considered very secure once it is set up. The problem is that Bluetooth transmits a unique, freshly generated password between the devices to establish the connection, and the password is sent as plain text. If that password is intercepted, all future transmissions for that session can be easily decoded.
Download a PDF file off the Internet and try opening it with other programs. How is the data
11.3 Build a Strong Password
The best passwords:
cannot be found in a dictionary
contain numbers, letters and those odd swear symbols on top of the numbers
contain upper and lower case letters
the longer the "stronger"
With a 2 character password, and 26 letters in the alphabet plus 10 numbers (ignoring symbols), there are 36^2 = 1,296 possible combinations. Increase the password length to
7 characters$ and there are 743 combinations 94+-$,,,$,,,$,,,$,,,$,,,$,,,$,,,$,,,$,,,$,,,
There are many password generators available on the internet$ but these will generate a
nearly impossible to remember password%
Try instead to use a seemingly random string of letters or numbers that you can easily recall%
<or e&ample:
gandt4bM 9goldilocks and the 4 bearsM;
??*'+c1d 9"ohn$ "ill$ paul$ lucy$ + cats$ 1 d F the members of your household;
1% Create a strong password$ t,at (o! co!-% rememer that scores well at the following web
page: http:))www%securitystats%com)tools)password%php
+% 'ook at the Eeb pages for three different banks and find out what type of password is
needed to allow an account holder to access restricted information% Lo the banks also
offer recommendations that would lead users to create strong passwordsJ
11#" Pass*or% Encr()tion
*eople donHt usually discuss password encryption$ because there seems to be no options to
discuss F passwords are$ by definition$ encrypted% Ehile this is usually true$ encryption is not a
simple yes or no proposition% The effectiveness of encryption$ usually described as its strength$
ranges from very weak to e&tremely robust%
t its weakest$ we have passwords that have been simply encoded. This produces a
password that is not readable directly$ but$ given the key$ we could easily translate it using a
computer$ pen and paper$ or a plastic decoder ring from a cereal bo&% n e&ample of this is
the ROT13 cypher% :OT14 replaces every letter in a te&t with the letter that is 14 places away
from it in the alphabet% <or e&ample H5CH becomes H(O*H%
Even when using algorithms that can more accurately be called encryption$ the encryption is
weak$ if the key used to generate it is weak% /sing :OT14 as an e&ample$ if you consider the 14
place differential to be the key$ then :OT14 has an e&tremely weak key% :OT14 can be
strengthened by using a different key% Kou could use :OT1,$ replacing each letter with the
one ten places forward$ or you could use :OT#+$ replacing each letter with the one two
places before it% Kou could strengthen it even more$ by varying the differential$ such as :OTpi$
where the first letter is shifted 4 placesD the second$ 1 placeD the third$ - placesD the fourth$ 1
placeD and so on$ using pi 94%1-128+32%%%; to provide a constantly varying differential%
5ecause of these possible variations$ when you are encrypting any type of information$ you
must be sure that you are using a reliable method of encryption and that the key F your
contribution to the encryption F will provide you with a robust result%
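The ROT13, ROT-n and ROTpi schemes described above, as an added example that is not part of the original lesson. The function names, the digits-of-pi string and the choice that only letters consume a shift are assumptions made here; the last helper shows why a cipher with only 26 possible keys gives no real protection.

```python
"""ROT-n with a fixed key, and the "ROTpi" variant with a key that varies per letter.

Added example, not from the Hacker Highschool text.  The names rot_n, rot_pi
and brute_force_rot, the PI_DIGITS constant and the rule that only letters
consume a shift (punctuation and spaces pass through) are choices made here.
"""

# Digits of pi (3.1415926535...) used as the varying differential for ROTpi.
PI_DIGITS = "31415926535897932384626433832795"


def shift_letter(ch: str, k: int) -> str:
    """Move one letter k places around the alphabet (negative k moves backwards).

    Case is preserved; anything that is not an ASCII letter is returned unchanged.
    """
    if not (ch.isascii() and ch.isalpha()):
        return ch
    base = ord("A") if ch.isupper() else ord("a")
    return chr(base + (ord(ch) - base + k) % 26)


def rot_n(text: str, k: int) -> str:
    """Fixed-key rotation: k=13 is ROT13, k=10 is ROT10, k=-2 is ROT-2.

    ROT13 is its own inverse because 13 + 13 = 26; for any other key the
    inverse is rot_n(text, -k).
    """
    return "".join(shift_letter(ch, k) for ch in text)


def rot_pi(text: str, decrypt: bool = False) -> str:
    """Varying-key rotation: the i-th letter is shifted by the i-th digit of pi.

    The first letter moves 3 places, the second 1, the third 4, the fourth 1,
    and so on.  Only letters consume a digit, so spaces and punctuation do not
    change which digit applies to the next letter.  decrypt=True shifts the
    other way, undoing an earlier rot_pi call.
    """
    out = []
    letter_index = 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            k = int(PI_DIGITS[letter_index % len(PI_DIGITS)])
            out.append(shift_letter(ch, -k if decrypt else k))
            letter_index += 1
        else:
            out.append(ch)
    return "".join(out)


def brute_force_rot(ciphertext: str, known_words) -> list:
    """Show why a fixed-shift cipher has an extremely weak key.

    There are only 26 possible shifts, so every one can be tried; any shift
    that turns the ciphertext into a word from the (constructed) word list is
    reported as a (key, plaintext) pair.
    """
    hits = []
    for k in range(26):
        candidate = rot_n(ciphertext, k)
        if candidate.lower() in known_words:
            hits.append((k, candidate))
    return hits


if __name__ == "__main__":
    print(rot_n("ABC", 13))            # the lesson's example: NOP
    print(rot_pi("ATTACK AT DAWN"))    # per-letter shifts 3,1,4,1,5,9,...
    print(rot_pi(rot_pi("ATTACK AT DAWN"), decrypt=True))
    # Constructed word list standing in for a dictionary.
    print(brute_force_rot("nccyr", {"apple", "pear", "lemon"}))
```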
You must also remember that a good system of encryption is useless without good passwords, just as good passwords are useless without good encryption.
1. Here is a list of fruits encoded using the ROT13 cypher. Try to decode them:
a) nccyr
b) benatr
c) yrzba
d) jngrezryba
e) gbzngb
2. Find a web page that will allow you to decode the ROT13 encoded words automatically.
3. There are many different systems that are called encryption, but the truth is that many of these are simple encoding methods. A true encryption requires a password, called a key, in order to be encoded or decoded. Of the following systems, which ones are true methods of encryption and which ones are simple codes?
a) Twofish
c) RSA
d) CAST
e) AES
f) BASE64
g) IDEA
h) TripleDES
i) ROT13
j) TLS
11.5 Password Cracking (Password Recovery)
Password cracking for illegal purposes is illegal. But if it is your password, then it's your information. Once you password protect something, and then forget your password, you are stuck. Hence password recovery.
Password cracking consists of a few basic techniques:
“Looking around”: passwords are often taped to the bottom of keyboards, under mousepads, posted on personal bulletin boards.
Brute force: just keep trying passwords until one works.
Automated dictionary attacks: these programs run through a series of possible dictionary words until one works as a password.
There are many programs available on the web to assist with password recovery on documents. However, newer versions of programs are becoming more and more secure, and therefore it is more and more difficult to obtain passwords using the techniques above, or using password recovery software.
Identify three different programs that are used for developing documents (text, spreadsheets, archives) and also allow the use of passwords to limit access to these documents. Next, using the Internet, find instructions on how to recover lost passwords for these files.
11.6 Protection from Password Cracking
Here are some suggestions on how to keep your passwords from being cracked:
1. Use strong passwords that cannot be determined by a dictionary attack.
2. Don't post your passwords near your computer.
3. Limit wrong attempts to three tries, then lock the account. The password must then be reset. (This does not apply to documents or password protected zip files – they do not have lock out.)
4. Change passwords regularly.
5. Use a variety of passwords for different computers. Does this mean that you need to create a unique password for everything? Absolutely not. Maintain a master password for things that don't matter to you (perhaps the account you were required to create for TheSIMS.com or for your account on the local newspaper). But use good passwords for anything that actually needs to be secure.
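A checker for the password rules of section 11.3 combined with the three-tries lockout from point 3 above, as an added example that is not part of the original lesson. The small word list, the minimum length, the symbol set and the hashing parameters are assumptions made here; a real system would use a much larger dictionary.

```python
"""Strong-password checks plus an account that locks after three wrong tries.

Added example, not from the Hacker Highschool text.  WORDS is a tiny
constructed word list standing in for a dictionary-attack list; MIN_LENGTH,
SYMBOLS, MAX_TRIES and the PBKDF2 settings are assumptions made here.
"""
import hashlib
import hmac
import os

WORDS = {"password", "secret", "letmein", "goldilocks", "apple"}  # constructed
MIN_LENGTH = 8
SYMBOLS = "!@#$%^&*()"          # "those odd swear symbols on top of the numbers"
MAX_TRIES = 3                   # lock the account after this many failures
PBKDF2_ROUNDS = 100_000


def password_problems(pw: str) -> list:
    """Return the lesson's rules that pw fails; an empty list means it passes."""
    problems = []
    if pw.lower() in WORDS:
        problems.append("found in a dictionary")
    if not any(c.isdigit() for c in pw):
        problems.append("no numbers")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of upper and lower case")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbols")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


class Account:
    """Stores only a salted PBKDF2 hash of the password, never the plain text.

    login() returns "ok", "wrong" or "locked".  After MAX_TRIES consecutive
    failures the account locks and stays locked until reset() sets a new
    password that passes password_problems().
    """

    def __init__(self, password: str):
        self.failures = 0
        self.locked = False
        self._store(password)

    def _store(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._hash(password, self.salt)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def login(self, attempt: str) -> str:
        if self.locked:
            return "locked"
        # Constant-time comparison so the check itself leaks nothing about the hash.
        if hmac.compare_digest(self._hash(attempt, self.salt), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_TRIES:
            self.locked = True
            return "locked"
        return "wrong"

    def reset(self, new_password: str) -> None:
        problems = password_problems(new_password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self._store(new_password)
        self.failures = 0
        self.locked = False


if __name__ == "__main__":
    # The lesson's two sample passwords against the lesson's own rules.
    for sample in ("gandt3b!", "JJPL2c1d", "Password"):
        print(sample, "->", password_problems(sample) or "ok")
    acct = Account("Gandt3b!x")
    for attempt in ("guess1", "guess2", "guess3", "Gandt3b!x"):
        print(attempt, "->", acct.login(attempt))
```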
Discuss with the class the recommendations found in
Further Reading
http://www.ja.net/CERT/Belgers/UNIX-password - deadlink
http://www.crypticide.com/users/alecm/-security.html - deadlink
Table of Contents
“License for Use” Information
12.1. Introduction
12.2. Foreign crimes versus local rights
12.3. Crimes related to the TICs
12.4. Prevention of Crimes and Technologies of double use
12.4.1. The global systems of monitoring: concept "COMINT"
12.4.2. "ECHELON" System
12.4.3. The "CARNIVORE" system
12.5. Ethical Hacking
12.6. The 10 most common internet frauds
12.7. Recommended Reading


Francisco de Quinto, Piqué Abogados Asociados
Jordi Saldaña, Piqué Abogados Asociados
Jaume Abella, Enginyeria La Salle (URL) – ISECOM
Marta Barceló, ISECOM
Kim Truett, ISECOM
Pete Herzog, ISECOM
12.1. Introduction
New technologies, while building a new paradigm that invades every human activity, also influence the dark side of these activities: criminal behavior of individuals and of organized groups.
For this reason, we have reserved the last lesson of HHS to analyze some aspects related to Legality and Ethics, analyzing several behaviors that could end in crimes and the consequences of these crimes.
12.2. Foreign crimes versus local rights
As noted above, the introduction of new technologies can result in the creation of new dark sides of activities: criminal behavior of individuals or organized groups. There are two main characteristics through which Information Technology and Communications (TIC's) are related to crime:
1. Technologies can give the possibility of renewing traditional ways of breaking the law. These are illegal activities which traditionally appear in the penal codes, but are now being attempted in new ways. Examples include money laundering and illegal types of pornography.
2. In addition, because of their own innovation, TIC's are resulting in the appearance of new types of criminal activities, and because of their nature, these new crimes are in the process of being added to the legislation of several countries. Examples include the distribution of spam and virus attacks.
Another characteristic of the TICs which must be emphasized is their territorial displacement, which affects the general surroundings but without any doubt affects other countries as well. Previously, areas of 'law' always had a clear territory regarding the judicial authority judging (COMPETENT JURISDICTION) and also regarding the law to be applied in the judging (APPLICABLE LAW). Both concepts are still noticeably geographic.
In summary, we can say that the TICs are global and essentially multi-border, while the law and the courts are limited to a specific state or territory. In addition, this disorientation is even more confusing than it initially appears. Although we are not aware of it, a bidirectional online communication between a user in Barcelona and a Web site hosted in an ISP in California can pass through more than 10 ISPs, hosted in a variety of remote points around the world.
Facing this diversity of addresses and nationalities, it becomes necessary to ask: What laws of which country will be applied in case of litigation? Which of the possible countries will be the suitable court to adjudicate the case?
The relatively recent European Council's agreement on cyber-crime was signed in November 2001 in Budapest by almost 30 countries, including the 15 partners of the European Union, the United States, Canada, Japan and South Africa. This agreement intends to restore the TERRITORIAL PRINCIPLE to define competent jurisdiction. The signing of this agreement is the culmination of four years of work that have resulted in a document containing 48 articles that are organized into four categories:
1. Infractions against confidentiality
2. Falsification and computer science fraud
3. Infractions relative to contents
4. Violations of intellectual property
Once the especially complex regulations and sanctions on criminal activity on the Internet have been described, consensus must be reached on three main areas of concern or difficulty:
1st DIFFICULTY: JURISDICTION CONFLICT. Election of the most competent court for judging multinational and multi-border crimes. This problem is not definitively solved by any of the known judicial systems.
2nd DIFFICULTY: CONFLICT OF LAWS. Once the court has been chosen, the first obstacle that the court will encounter is choosing the law applicable for the case to be judged. Again we are forced to conclude that traditional legal criteria are not designed for the virtual surroundings.
3rd DIFFICULTY: EXECUTION OF SENTENCE. Once the competent court has determined a sentence, the sentence must be carried out, possibly by a different country than the country which dictated the sentence. Therefore, it is necessary to have an international commitment to recognition and acceptance of any sentences imposed. This problematic issue is even more complicated to solve than the two previous ones.
These complications were clearly demonstrated in the recent case of a hacker in Russia, who had hacked several US systems, and was invited to a phony US company for an interview. During the interview, he demonstrated his skills by hacking into his own network in Russia. It turned out that the interview was actually conducted by the FBI, and he was arrested. The FBI used sniffers placed on the interview computer to raid the hacker's computer in Russia and download evidence that was used to convict him.
But there are many unresolved issues:
Was it legal for the FBI to examine the contents of a computer in Russia, without obtaining permission from the Russian government?
By inviting the hacker to the US, the FBI did not have to arrange for his extradition to the US. Was this legal?
Could the US convict a person for crimes that were technically committed on Russian soil?
Finally, he was convicted in the US, because he had used a proxy server in the US to conduct some of the attacks. He served just under 4 years in prison and now lives and works in the US.
Conduct a modified white-hat / black-hat discussion of at least one of these questions (examination of a computer on foreign soil; invitation or entrapment(?) to avoid extradition; conviction for internet crimes committed against a country from foreign soil).
1. First, have students focus on and list reasons why the chosen topic was probably legal.
2. Then reverse and have them focus on and list why the chosen topic was probably illegal.
3. After these completely separate discussions, see if the class can reach a decision.
Note – these questions are interesting for discussion. There are no right answers, and governments are still working to come to a consensus on these and other issues related to the international nature of these crimes. This exercise is purely for critically examining and thinking about internet crimes, as well as formulating a logical argument for an opinion related to internet crimes.
12.3. Crimes related to the TICs
The classification of criminal behaviors is one of the essential principles in the penal systems. For this reason, several countries must think of changes to their penal codes, such as Spain, where the effective Penal Code was promulgated relatively recently. The well known Belloch Penal Code was approved on November 23rd 1995 (Organic Law from the Penal Code 10/1995) and it recognizes the need to adapt the penal criteria to the present social
Among others, we can classify potential criminal actions into the following six sections.
1. Manipulation of data and information contained in files or on other computer
2. Access to data or use of data without authorization.
3. Insertion of programs/routines in other computers to destroy or modify information, data or applications.
4. Use of other people's computers or applications without explicit authorization, with the purpose of obtaining benefits for oneself and/or harming others.
5. Use of the computer with fraudulent intentions.
6. Attacks on privacy, by means of the use and processing of personal data with a different purpose from the authorized one.
The technological crime is characterized by the difficulties involved in discovering it, proving it and prosecuting it. The victims prefer to undergo the consequences of the crime and to try to prevent it in the future rather than initiate a judicial procedure. This situation makes it very difficult to calculate the number of such crimes committed and to plan for preventive legal
This is complicated by the constantly changing technologies. However, laws are changing to increasingly add legal tools of great value to judges, jurists and lawyers to punish crimes related to the TICs.
Next we will analyze some specific crimes related to the TIC's.
1. Misrepresentation: The anonymity of the internet allows users to pretend to be anyone that they want to be. As a result, crimes can be committed when users pretend to be someone else to gain information, or to gain the trust of other individuals.
2. Interception of communications: Interception of secrets or private communications, such as emails or cell phone transmissions, using listening devices, recording, or reproduction of sounds and/or images.
3. Discovery and revelation of secrets: Discovering company secrets by illegally examining data or electronic documents. In some cases, the legal sentences are extended if the secrets are disclosed to a third party.
4. Unauthorized access to computers: Illegal access to accounts and information, with the intent of profiting. This includes identity theft.
5. Damaging computer files: Destroying, altering, making unusable or in any other way damaging electronic data, programs, or documents on other computers, networks or
6. Illegal copying: Illegal copying of copyrighted materials, literary, artistic, scientific works through any means without the authorization of the owners of the intellectual property or its assignees.
1. Choose one of the topics above, and conduct the following searches:
Find a legal case which can be classified as the chosen type of crime.
Was there a legal judgment, and if there was, what sentence was applied?
Why did the authors commit this crime?
2. Regarding intellectual property: Are the following actions a crime?
Photocopy a book in its totality
To copy a music CD that we have not bought
To make a copy of a music CD you have bought
To download music MP3, or films in DIVX from Internet
What if it were your music or movie that you were not getting royalties for? What if it were your artwork, that others were copying and stating that they created it?

12.4. Prevention of Crimes and Technologies of double use
The only reliable way to be prepared for criminal aggression in the area of the TICs is to reasonably apply the safety measures that have been explained throughout the previous HHS lessons. Also it is extremely important for the application of these measures to be done in a way that it becomes practically impossible to commit any criminal or doubtful behaviors.
It is important to note that technologies can have multiple uses and the same technique used for security can, simultaneously, result in criminal activity. This is called TECHNOLOGIES OF DOUBLE USE, whose biggest components are cryptography and technologies used to intercept electronic communications. This section discusses the reality of this phenomenon and its alarming consequences at all levels of human activity, including policy, social, economic and research.
12.4.1. The global systems of monitoring: concept "COMINT"
The term COMINT was created recently as a result of the integration of the terms "COMmunications INTelligence" and refers to the interception of communications that has resulted from the development and the massive implementation of the TIC's. Nowadays, COMINT represents a lucrative economic activity providing clients, both private and public, with intelligence contents on demand, especially in the areas of diplomacy, economy and research. This has resulted in the displacement of the obsolete scheme of military espionage with the more or less open implementation of new technologies for the examination and collection of data.
The most representative examples of COMINT technologies are the systems "ECHELON" and "CARNIVORE", which are discussed next.
12.4.2. "ECHELON" System
The system has its origins in 1947, just after World War II, in an agreement between the UK and US with clear military and security purposes. The details of this agreement are still not completely known. Later, countries like Canada, Australia and New Zealand joined the agreement, working as information providers and subordinates.
The system works by indiscriminately intercepting enormous amounts of communications, no matter what means is used for transport and storage, mainly emphasizing the following listening areas:
Broadband transmissions (wideband and Internet)
Facsimile and telephone communications by cable: interception of cables, and submarine cables by means of ships equipped for this
Cell phone communications
Voice Recognition Systems
Biometric System Recognition such as facial recognition via anonymous filming
Later, the valuable information is selected according to the directives in the Echelon System, with the help of several methods of Artificial Intelligence (AI) to define and apply KEY WORDS. Each one of the five member countries provides "KEY WORD DICTIONARIES" which are introduced in the communication interception devices and act as an "automatic filter". Logically, the "words" and the "dictionaries" change over time according to the particular interests of the member countries of the System. At first, ECHELON had clear military and security purposes. Later, it became a dual system officially working for the prevention of international organized crime (terrorism, mobs, trafficking in arms and drugs, dictatorships, etc.) but with an influence reaching Global Economy and Commercial Policies in companies.
Lately, ECHELON has been operating with a five-point star structure around two main areas. Both are structures of the NSA (National Security Agency): one in the United States, coinciding with their headquarters in Fort Meade (Maryland), and another one in England, to the north of Yorkshire, known as Menwith Hill.
The points of the star are occupied by the tracking stations of the collaborating partners:
The US (2): Sugar Grove and Yakima.
New Zealand (1): Waihopai.
Australia (1): Geraldton.
UK (1): Morwenstow (Cornwall).
There was another one in Hong Kong before the territory was returned to China.
12.4.3. The "CARNIVORE" system
The second great global system of interception and espionage is the one sponsored by the US FBI and is known as CARNIVORE, with a stated purpose of fighting organized crime and reinforcing the security of the US. Because of its potent technology and its versatility to apply its listening and attention areas, CARNIVORE has caused a head-on collision between this state of the art system, political organizations (US Congress) and mass media.
CARNIVORE was developed in 2000, and is an automatic system, intercepting internet communications by taking advantage of one of the fundamental principles of the net: the dissemination of information in "packages" or groups of uniform data. CARNIVORE is able to detect and to identify these "packages of information". This is supposedly done in defense of national security and to reinforce the fight against organized and technological crime.
The American civil rights organizations immediately protested this as a new attack on privacy and confidentiality of electronic information transactions. One group, the Electronic Privacy Information Center (EPIC), has requested that a federal judge order the FBI to allow access by the ISP's to the monitoring system – to ensure that this system is not going to be used beyond the limits of the law.
In the beginning of August 2000, the Appeals Court of the District of Columbia rejected a law allowing the FBI to intercept telecommunications (specifically cell phones) without the need to ask for previous judicial permission, through a Federal Commission of Telecommunications project that tried to force mobile telephone companies to install tracking devices in all phones and thus obtain the automatic location of the calls. It would have increased the cost of manufacturing equipment by 45%.
With these two examples, we see the intentions of the FBI to generate a domestic Echelon system, centering on the internet and cell phones, known as CARNIVORE. The project has been widely rejected by different judicial courts in the US and by Congress, as there is no doubt it means an aggression to American civil rights, at least in this initial version.
The project is being rethought, at least formally, including the previous judicial authorization (such as a search warrant) as a requirement for any data obtained to be accepted as evidence in a trial.
A joke related to these COMINT systems is found on the Internet. We include it here for class discussion of the ethical and legal implications:
An old Iraqi Muslim Arab, settled in Chicago for more than 40 years, has been wanting to plant potatoes in his garden, but to plow the ground is a very difficult work for him. His only son, Amhed, is studying in France. The old man sends an email to his son explaining the following problem:
"Amhed, I feel bad because I am not going to be able to have potatoes in my garden this year. I am too old to plow the soil. If you were here, all my problems would disappear. I know that you would plow the soil for me. Loves you, Papa."
A few days later, he receives an email from his son:
"Father: For God's sake, do not touch the garden's soil. That is where I hid that . . . Loves you, Amhed."
The next morning at 4:00, the local police, agents of the FBI, the CIA, S.W.A.T. teams, the RANGERS, the MARINES, Steven Seagal, Sylvester Stallone and some more elite representatives of the Pentagon suddenly appear and remove all the soil searching for any materials to construct bombs, anthrax, whatever. They do not find anything, so they go away.
That same day, the man receives another email from his son:
"Father: Surely, the soil is ready to plant potatoes. It is the best I could do given the circumstances. Loves you, Ahmed."
Search for information about the Echelon and Carnivore systems on the internet, as well as their application on networks and TICs systems in your country, to answer the following questions:
1. What does the term "ECHELON" mean?
2. What elements form the ECHELON system?
3. What elements form the CARNIVORE system?
4. Search for an example of controversy attributed to the ECHELON system and related to famous personalities.
5. Search for an example of the application of the CARNIVORE system related to a TERRORIST known worldwide.
6. What is your opinion about the "legality" of such systems?
12$+$ Et*ica) Hac=in'
Desides talking about criminal behaviors$ crimes$ and their respective sanctions$ we must
make it very clear that being a hacker does not mean being a delin=uent%
(owadays$ companies are hiring services from .Ethical !ackers7 to detect vulnerabilities of
their computer science systems and therefore$ improve their defense measures%
Ethical !ackers$ with their knowledge$ help to define the parameters of defense% They do
7controlled7 attacks$ previously authoriGed by the organiGation$ to verify the systemIs defenses%
They create groups to learn new attack techni=ues$ e&ploitations and vulnerabilities$ among
others% They work as researchers for the security field%
Sun TGu said in his book 7The rt of Kar7$ 7ttack is the secret of defenseM defense is the
planning of an attack7%
The methodology of ethical hacking is divided in several phases:
1% ttack *lanning
+% Internet ccess
4% Test and e&ecution of an attack
-% Oathering information
2% nalysis
;% ssessment and Jiagnosis
5% 3inal 9eport
One helpful tool that Ethical !ackers use is the OSSTMM methodology # Open Source Security
Testing Methodology Manual% This methodology is for the testing of any security system$ from
guards and doors to mobile and satellite communications and satellites% t the moment it is
applied and used by important organiGations such as:
Spanish 3inancial institutions
the /S Treasury Jepartment for testing financial institutions
/S (avy S ir 3orce
3ind information about Ethical !acking and its role in IT security companies%
Search for information about the OSSTMM and methodologies%
Search for information about 7certifications7 related to the Ethical !acking%
12$2$ T*e 1< most common internet fra"%s
'isted below is a summary from the /S 3ederal Trade Commission of the most common crimes
on the Internet as of +,,2%
1. Internet Auctions: Shop in a "virtual marketplace" that offers a huge selection of
products at great deals. After sending their money, consumers receive an item that is
less valuable than promised, or, worse yet, nothing at all.
2. Internet Access Services: Free money, simply for cashing a check. Consumers are
"trapped" into long-term contracts for Internet access or another web service, with
substantial penalties for cancellation or early termination.
3. Credit Card Fraud: Surf the Internet and view adult images online for free, just for
sharing your credit card number to prove you're over 18. Fraudulent promoters use
their credit card numbers to run up charges on the cards.
4. International Modem Dialing: Get free access to adult material and pornography by
downloading a "viewer" or "dialer" computer program. Consumers complained about
exorbitant long-distance charges on their phone bill. Through the program, their
modem is disconnected, then reconnected to the Internet through an international
long-distance number.
5. Web Cramming: Get a free custom-designed website for a 30-day trial period, with no
obligation to continue. Consumers are charged on their telephone bills or receive a
separate invoice, even if they never accepted the offer or agreed to continue the
service after the trial period.
6. Multilevel Marketing Plans/Pyramids: Make money through the products and services
you sell as well as those sold by the people you recruit into the program. Consumers
say that they've bought into plans and programs, but their customers are other
distributors, not the general public.
7. Travel and Vacation: Get a luxurious trip with lots of "extras" at a bargain-basement
price. Companies deliver lower-quality accommodations and services than they've
advertised, or no trip at all. Others impose hidden charges or additional requirements
after consumers have paid.
8. Business Opportunities: Taken in by promises about potential earnings, many
consumers have invested in a "biz op" that turned out to be a "biz flop." There was no
evidence to back up the earnings claims.
9. Investments: Make an initial investment in a day trading system or service and you'll
quickly realize huge returns. But big profits always mean big risk. Consumers have lost
money to programs that claim to be able to predict the market with 100 percent
10. Health Care Products/Services: Claims for "miracle" products and treatments convince
consumers that their health problems can be cured. But people with serious illnesses
who put their hopes in these offers might delay getting the health care they need.
Think about the following questions and discuss them with the rest of the class:
1. Do you think that you could have been a victim of some of the crimes mentioned
throughout the lesson?
2. Here is a quote from an ISECOM board member: "In order to have the proper
background to evaluate the security readiness of a computer system, or even an
entire organization, one must possess a fundamental understanding of security
mechanisms, and know how to measure the level of assurance to be placed in those
security mechanisms." Discuss what is meant by this and how you could prepare to
"evaluate the security readiness of a computer system". Have these lessons given you
enough materials to get started?
3. [Optional exercise for personal consideration (not general discussion)]: After analyzing
the comments in this lesson, you may find that there are technological activities that
you have heard about, or that you may have even done, that you never considered
to be illegal, but now you are not sure. Some research on the internet may help clear
up any questions or confusion that you have.
12.3. Recommended Reading