| Foreword | p. xvii |
| Acknowledgments | p. xxi |
| Introduction | p. xxiii |
| Casing the Establishment | |
| Case Study: Target Acquisition | p. 2 |
| Footprinting | p. 5 |
| What Is Footprinting? | p. 6 |
| Why Is Footprinting Necessary? | p. 6 |
| Internet Footprinting | p. 6 |
| Determine the Scope of Your Activities | p. 8 |
| Network Enumeration | p. 13 |
| DNS Interrogation | p. 22 |
| Network Reconnaissance | p. 27 |
| Summary | p. 31 |
| Scanning | p. 33 |
| Scan Types | p. 44 |
| Identifying TCP and UDP Services Running | p. 46 |
| Windows-Based Port Scanners | p. 51 |
| Port Scanning Breakdown | p. 57 |
| Active Stack Fingerprinting | p. 61 |
| Passive Stack Fingerprinting | p. 65 |
| The Whole Enchilada: Automated Discovery Tools | p. 67 |
| Summary | p. 68 |
| Enumeration | p. 71 |
| Windows NT/2000 Enumeration | p. 72 |
| NT/2000 Network Resource Enumeration | p. 76 |
| NT/2000 User and Group Enumeration | p. 87 |
| NT/2000 Applications and Banner Enumeration | p. 95 |
| Let Your Scripts Do the Walking | p. 99 |
| Novell Enumeration | p. 100 |
| Browsing the Network Neighborhood | p. 100 |
| UNIX Enumeration | p. 106 |
| Summary | p. 113 |
| System Hacking | |
| Case Study: Know Your Enemy | p. 116 |
| Hacking Windows 95/98 and ME | p. 117 |
| Win 9x Remote Exploits | p. 118 |
| Direct Connection to Win 9x Shared Resources | p. 119 |
| Win 9x Backdoor Servers and Trojans | p. 124 |
| Known Server Application Vulnerabilities | p. 129 |
| Win 9x Denial of Service | p. 130 |
| Win 9x Local Exploits | p. 130 |
| Windows Millennium Edition (ME) | p. 137 |
| Summary | p. 138 |
| Hacking Windows NT | p. 141 |
| Overview | p. 143 |
| Where We're Headed | p. 143 |
| What About Windows 2000? | p. 143 |
| The Quest for Administrator | p. 144 |
| Remote Exploits: Denial of Service and Buffer Overflows | p. 160 |
| Privilege Escalation | p. 164 |
| Consolidation of Power | p. 174 |
| Exploiting Trust | p. 185 |
| Sniffers | p. 190 |
| Remote Control and Back Doors | p. 194 |
| Port Redirection | p. 203 |
| General Countermeasures to Privileged Compromise | p. 207 |
| Rootkit: The Ultimate Compromise | p. 211 |
| Covering Tracks | p. 214 |
| Disabling Auditing | p. 214 |
| Clearing the Event Log | p. 214 |
| Hiding Files | p. 215 |
| Summary | p. 216 |
| Hacking Windows 2000 | p. 219 |
| Footprinting | p. 221 |
| Scanning | p. 221 |
| Enumeration | p. 226 |
| Penetration | p. 229 |
| NetBIOS-SMB Password Guessing | p. 229 |
| Eavesdropping on Password Hashes | p. 229 |
| Attacks Against IIS 5 | p. 229 |
| Remote Buffer Overflows | p. 233 |
| Denial of Service | p. 233 |
| Privilege Escalation | p. 238 |
| Pilfering | p. 241 |
| Grabbing the Win 2000 Password Hashes | p. 241 |
| The Encrypting File System (EFS) | p. 246 |
| Exploiting Trust | p. 249 |
| Covering Tracks | p. 251 |
| Disabling Auditing | p. 251 |
| Clearing the Event Log | p. 252 |
| Hiding Files | p. 252 |
| Back Doors | p. 252 |
| Startup Manipulation | p. 252 |
| Remote Control | p. 255 |
| Keystroke Loggers | p. 257 |
| General Countermeasures: New Windows Security Tools | p. 257 |
| Group Policy | p. 257 |
| Runas | p. 260 |
| Summary | p. 261 |
| Novell NetWare Hacking | p. 265 |
| Attaching but Not Touching | p. 267 |
| Enumerate Bindery and Trees | p. 268 |
| Opening the Unlocked Doors | p. 275 |
| Authenticated Enumeration | p. 277 |
| Gaining Admin | p. 282 |
| Application Vulnerabilities | p. 285 |
| Spoofing Attacks (Pandora) | p. 287 |
| Once You Have Admin on a Server | p. 290 |
| Owning the NDS Files | p. 292 |
| Log Doctoring | p. 298 |
| Console Logs | p. 299 |
| Further Resources | p. 302 |
| Web Sites (ftp://ftp.novell.com/pub/updates/nw/nw411/) | p. 302 |
| Usenet Groups | p. 303 |
| Summary | p. 303 |
| Hacking UNIX | p. 305 |
| The Quest for Root | p. 306 |
| A Brief Review | p. 306 |
| Vulnerability Mapping | p. 307 |
| Remote Access Versus Local Access | p. 307 |
| Remote Access | p. 308 |
| Data Driven Attacks | p. 312 |
| I Want My Shell | p. 317 |
| Common Types of Remote Attacks | p. 322 |
| Local Access | p. 339 |
| After Hacking Root | p. 357 |
| Trojans | p. 358 |
| Rootkit Recovery | p. 369 |
| Summary | p. 370 |
| Network Hacking | |
| Case Study: Sweat the Small Stuff! | p. 374 |
| Dial-Up, PBX, Voicemail, and VPN Hacking | p. 377 |
| Wardialing | p. 380 |
| Hardware | p. 380 |
| Legal Issues | p. 381 |
| Peripheral Costs | p. 382 |
| Software | p. 382 |
| A Final Note | p. 403 |
| PBX Hacking | p. 405 |
| Virtual Private Network (VPN) Hacking | p. 415 |
| Summary | p. 419 |
| Network Devices | p. 421 |
| Discovery | p. 422 |
| Detection | p. 422 |
| SNMP | p. 429 |
| Back Doors | p. 433 |
| Default Accounts | p. 433 |
| Lower the Gates (Vulnerabilities) | p. 437 |
| Shared Versus Switched | p. 443 |
| Detecting the Media You're On | p. 444 |
| Passwords on a Silver Platter: Dsniff | p. 445 |
| Sniffing on a Network Switch | p. 448 |
| snmpsniff | p. 452 |
| Summary | p. 457 |
| Firewalls | p. 459 |
| Firewall Landscape | p. 460 |
| Firewall Identification | p. 460 |
| Advanced Firewall Discovery | p. 465 |
| Scanning Through Firewalls | p. 469 |
| Packet Filtering | p. 473 |
| Application Proxy Vulnerabilities | p. 477 |
| WinGate Vulnerabilities | p. 479 |
| Summary | p. 481 |
| Denial of Service (DoS) Attacks | p. 483 |
| Motivation of DoS Attackers | p. 484 |
| Types of DoS Attacks | p. 485 |
| Bandwidth Consumption | p. 485 |
| Resource Starvation | p. 486 |
| Programming Flaws | p. 486 |
| Routing and DNS Attacks | p. 487 |
| Generic DoS Attacks | p. 488 |
| Sites Under Attack | p. 491 |
| UNIX and Windows NT DoS | p. 494 |
| Remote DoS Attacks | p. 495 |
| Distributed Denial of Service Attacks | p. 499 |
| Local DoS Attacks | p. 504 |
| Summary | p. 506 |
| Software Hacking | |
| Case Study: Using All the Dirty Tricks to Get In | p. 508 |
| Remote Control Insecurities | p. 511 |
| Discovering Remote Control Software | p. 512 |
| Connecting | p. 513 |
| Weaknesses | p. 514 |
| Revealed Passwords | p. 516 |
| Uploading Profiles | p. 517 |
| What Software Package Is the Best in Terms of Security? | p. 521 |
| pcAnywhere | p. 521 |
| ReachOut | p. 521 |
| Remotely Anywhere | p. 521 |
| Remotely Possible/ControlIT | p. 523 |
| Timbuktu | p. 523 |
| Virtual Network Computing (VNC) | p. 523 |
| Citrix | p. 526 |
| Summary | p. 527 |
| Advanced Techniques | p. 529 |
| Session Hijacking | p. 530 |
| Back Doors | p. 533 |
| Trojans | p. 555 |
| Subverting the System Environment: Rootkits and Imaging Tools | p. 558 |
| Social Engineering | p. 561 |
| Summary | p. 563 |
| Web Hacking | p. 565 |
| Web Pilfering | p. 566 |
| Finding Well-Known Vulnerabilities | p. 570 |
| Automated Scripts, for All Those "Script Kiddies" | p. 570 |
| Automated Applications | p. 572 |
| Script Inadequacies: Input Validation Attacks | p. 573 |
| Active Server Pages (ASP) Vulnerabilities | p. 582 |
| Buffer Overflows | p. 590 |
| Poor Web Design | p. 598 |
| Summary | p. 600 |
| Hacking the Internet User | p. 601 |
| Malicious Mobile Code | p. 603 |
| Microsoft ActiveX | p. 603 |
| Java Security Holes | p. 614 |
| Beware the Cookie Monster | p. 618 |
| Internet Explorer HTML Frame Vulnerabilities | p. 621 |
| SSL Fraud | p. 623 |
| Email Hacking | p. 626 |
| Mail Hacking 101 | p. 626 |
| Executing Arbitrary Code Through Email | p. 629 |
| Outlook Address Book Worms | p. 637 |
| File Attachment Attacks | p. 639 |
| IRC Hacking | p. 647 |
| Napster Hacking with Wrapster | p. 649 |
| Global Countermeasures to Internet User Hacking | p. 650 |
| Keep Antivirus Signatures Updated | p. 650 |
| Guarding the Gateways | p. 651 |
| Summary | p. 652 |
| Appendixes | |
| Ports | p. 657 |
| Top 14 Security Vulnerabilities | p. 661 |
| About the Companion Web Site | p. 663 |
| Novell | p. 664 |
| UNIX | p. 665 |
| Windows NT | p. 665 |
| Wordlists and Dictionaries | p. 666 |
| Wardialing | p. 666 |
| Enumeration Scripts | p. 666 |
| Index | p. 667 |
| Table of Contents provided by Syndetics. All Rights Reserved. |