Re: New member asking question...

[Valdis.Kletnieks () vt edu]

On Fri, 30 Jun 2006 11:47:37 CDT, "Reynolds, Joseph R" said:

> Also, are there any good "Hacking" books that I could read?  I have had
> a Hackers Tool and Techniques class at school, but all of the programs
> are very outdated, like l0phtcrack, JTR, ethereal or wireshark, and

I wouldn't call any of these "outdated" - they're still some of the best
tools in their categories.

> such.  I am looking to actually enter systems or find ways to enter
> systems and understand the weakness that allows it so I can avoid it
> later. 

It turns out that you don't actually need to be very good at *finding*
weaknesses in order to secure against it.  All you need is a good grasp
of what general classes of vulnerabilities there are, and what they can gain
an attacker.  If you need to look at actual code, I'd suggest getting a
copy of Metasploit, and just *looking* at it.  Look at the payloads section,
as that will give you a good idea of the sorts of payloads you might get
hit with.  Then just assume that the Bad Guy has an exploit for any given
outward-facing code and resource on your system...

If you want to be scared about how many exploits are already out there,
look at Nessus or the Packetstormsecurity archives. ;)

In order to secure against this, the proper method is:

0) Simply applying all the current patches for your system, and properly
configuring it, will go a *long* way.  Two good resources:

Center for Internet Security (http://www.cisecurity.org)
the NSA security guides (http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1)

(Basically, these go through all the high-risk issues discussed in 1-4 below,
and give you a easy cookbook so you don't have to re-do the research.
Disclaimer: I'm one of the perpetrators for the various CIS Unix/Linux guides,
so I'm a bit biased.)

The two biggest areas those guides don't address in depth are social engineering
and abuse of inter-machine trust relationships (if you manage to find a
weak password on one box, and then get into a second because there's a
file share or SSH key or similar...)

1) Pick a piece of code or resource that an attacker could potentially attack
(for instance, your Apache server, or a Windows file share.

2) *ASSUME* that the attacker has a Magic Bullet that can exploit it.  You
don't need to *find* one, just proceed as if the bad guy did all the hard work
and found it.

3) Start looking at ways to mitigate and control the damage.  For instance,
many "buffer overflow Magic Bullets" can be stopped with "Run Apache with
non-exec stack".  Many "own the file share Bullets" can be stopped with either
"don't export share to world" or "firewall the Windows fileshare ports". And so
on.

4) Lather, rinse, repeat for all the attacks you can think of.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/