Document: HACK PROOFING YOUR NETWORK: INTERNET TRADECRAFT - Pdf 84

“Ryan Russell has an important message for us all: ‘What you don’t know will hurt you…’”
— Kevin Mitnick
HACK PROOFING YOUR NETWORK: INTERNET TRADECRAFT
Ryan Russell, SecurityFocus.com
Stace Cunningham, CLSE, COS/2E, CLSI, COS/2I, CLSA
Foreword by Mudge, Security Advisor to
the White House and Congress
“This book provides a bold, unsparing tour of information security that never swerves from the practical.”
—Kevin L. Poulsen, Editorial Director, SecurityFocus.com
THE ONLY WAY TO STOP A HACKER IS TO THINK LIKE ONE:
Rain Forest Puppy
Elias Levy, Bugtraq
Blue Boar, Vuln-dev
Dan “Effugas” Kaminsky,
Cisco Systems
Oliver Friedrichs,
SecurityFocus.com
Riley “Caesar” Eller,
Internet Security Advisors
Greg Hoglund,

Once you've purchased this book, browse to www.syngress.com/solutions.
To register, you will need to have the book handy to verify your purchase.
Thank you for giving us the opportunity to serve you.

95_hack_prod_00FM.qx 7/13/00 3:41 PM Page i
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” and “Mission Critical™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.
Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin
Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of
Global Knowledge, for their generous access to the IT industry’s best
courses, instructors and training facilities.
Ralph Troupe and the team at Callisma for their invaluable insight into the
challenges of designing, deploying and supporting world-class enterprise
networks.
Karen Cross, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin
Votel, Brittin Clark, Sarah Schaffer, Ellen Lafferty and Sarah MacLachlan
of Publishers Group West for sharing their incredible marketing experience
and expertise.
Mary Ging, Caroline Hird, and Simon Beale of Harcourt International for
making certain that our vision remains worldwide in scope.
Annabel Dent, Anneka Baeten, Clare MacKenzie, and Laurie Giles of
Harcourt Australia for all their help.
David Buckland, Wendi Wong, David Loh, Marie Chieng, Lucy Chong,
Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the
enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the
Syngress program.
Special thanks to the professionals at Osborne with whom we are proud to
publish the best-selling Global Knowledge Certification Press series.
At Global Knowledge we strive to support the multiplicity of learning styles
required by our students to achieve success as technical professionals. As

putting up with him while he finished this book.
Introduction, Chapters 1, 2, 4, 5, 10, and 13
Blue Boar has been interested in computer security since he first discovered that a Northstar multiuser CP/M system he worked on as a high school freshman had no memory protection, so all the input and output from all terminals were readable by any user. Many years ago he founded the Thievco Main Office BBS, which he ran until he left home for college. Recently, Blue Boar was resurrected by his owner for the purpose of publishing security information that his owner would rather not have associated with himself or his employers. Blue Boar is best known currently as the moderator of the vuln-dev mailing list () which is dedicated to the open investigation and development of security holes.
Contributed to Chapter 6
Riley (caezar) Eller is a Senior Security Engineer for the Internet Security Advisors Group, where he works on penetration and security tool development. He has extensive experience in operating system analysis and design, reverse engineering, and defect correction in closed-source and proprietary operating systems, without the benefit of having access to the source code. Mr. Eller is the first to reveal ASCII-armored stack overflow exploits. Prior to his employment with ISAG, Mr. Eller spent six years developing operating systems for Internet embedded devices. His clients have included government and military contractors and agencies, as well as Fortune 500 companies, worldwide. Products on which he has worked have been deployed on systems as varied as Enterprise Desktop, Global Embedded Internet, Hard Time Real Analyses and Single Tasking Data Collection. Mr. Eller has spoken about his work at information security industry conferences such as Black Hat, both in the United

papers on content-based attacks, kernel patching, and forensics. Currently he works as a founder of Click To Secure, Inc., building new security and quality-assurance tools. His web site can be found at www.clicktosecure.com. He would like to thank all the Goons of DefCon, Riley (caezar) Eller, Jeff Moss, Dominique Brezinski, Mike Schiffman, Ryan Russell, and Penny Leavy.
Chapter 8
Dan Kaminsky, also known as “Effugas”, primarily spends his time designing security infrastructure and cryptographic solutions for Cisco Systems’ Advanced Network Services division. He is also the founder of the multidisciplinary DoxPara Research (www.doxpara.com), and has spent several years studying both the technological and psychological impacts of networked systems as deployed in imperfect but real user environments. His primary field of research at the present is known as Gateway Cryptography, which seeks ideal methodologies to securely traverse non-ideal networks.
Chapter 11
Elias Levy is the moderator of Bugtraq, one of the most read security mailing lists on the Internet, and a co-founder of Security Focus. Throughout his career, Elias has served as computer security consultant and security engineer for some of the largest corporations in the United States, and outside of the computer security industry, he has worked as a UNIX software developer, a network engineer, and system administrator.
Chapter 15
Mudge is the former CEO and Chief Scientist of renowned ‘hacker think-tank’ the L0pht, and is considered the nation’s leading ‘grey-hat hacker.’ He and the original members of the L0pht are now heading up @stake’s research labs,

tion testing. Recent notable security issues he has published include insufficient input checking on SQL servers, ways to fool perl scripts, bugs and holes in intrusion detection systems, and uncovering interesting messages hidden in Microsoft program code.
RFP has this to say about his handle: “I was in an elevator, and scratched
into the wooden walls was the phrase ‘Save the whales, rain forest, puppies,
baby seals, ...’. At first I thought ‘puppies?’, and I didn’t notice the comma, so
it seemed like ‘rain forest puppies.’ I made a joke to my companion about ‘rain
forest puppies’ being ‘neato.’ About two days later, I just started using ‘rain
forest puppy’ as a handle.”
Chapters 7 and 14
Jeremy Rauch has been involved for a number of years in a wide variety of roles in computer security. Jeremy was involved in the development of several groundbreaking and industry-leading products, including Internet Security System’s (ISS) Internet Security Scanner, and Network Associates’ CyberCop Scanner and Monitor. Other roles have ranged from development of secure VPN and authentication systems, to penetration testing and auditing, to code analysis and evaluation. Through relationships built with industry-leading companies, he has helped in the identification and repair of numerous vulnerabilities and security flaws. He has also spoken at several conferences on topics in the area of network infrastructure security, and has been published and quoted in numerous print and online publications. Jeremy holds a BS in computer science from Johns Hopkins University.
Chapter 12
Technical Editor
Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in Biloxi, MS. He has assisted several clients, including a casino, in the development and imple-

well as the low-level packet shaping library libnet. Mike has led audit teams through engagements for Fortune 500 companies in the banking, automotive, and manufacturing industries. Mike has spoken in front of NSA, CIA, DOD, AFWIC, SAIC, and others, and has written for numerous technical journals and books. He is currently employed at Guardent, the leading provider of professional security services, as the director of research and development.
Contents
Foreword xxiii
Introduction xxvii
Part I: Theory and Ideals
Chapter 1: Politics 1
Introduction 2
Definitions of the Word Hacker 2
Hacker 2
Cracker 3
Script Kiddie 5
Phreak 6
White Hat/Black Hat 6
Grey Hat 7
Hacktivism 8
The Role of the Hacker 9
Criminal 9
Magician 10
Security Professional 11
Consumer Advocate 12
Civil Rights Activist 13

Exceptions 40
Defense 41
Viruses and Trojans Cannot Be 100 Percent Protected Against 41
Applying the Law 42
Exceptions 43
Defense 44
Firewalls Cannot Protect You 100 Percent from Attack 44
Applying the Law 45
Social Engineering 46
Attacking Exposed Servers 46
Attacking the Firewall Directly 47
Client-side Holes 48
Exceptions 48
Defense 49
Secret Cryptographic Algorithms Are Not Secure 49
Applying the Law 50
Exceptions 51
Defense 51
If a Key Isn't Required, You Don't Have Encryption; You Have Encoding 51
Applying the Law 52
Exceptions 53
Defense 53
Passwords Cannot Be Securely Stored on the Client Unless There Is Another Password to Protect Them 53
Applying the Law 55
Exceptions 56
Defense 57
In Order for a System to Begin to Be Considered

Problems 88
How Do You Test for Vulnerability without Exercising the Exploit? 89
How to Secure Against These Classes of Attack 90
Denial-of-Service 91
Information Leakage 92
File Creation, Reading, Modification, Removal 94
Misinformation 95
Special File/Database Access 95
Elevation of Privileges 97
Summary 97
FAQs 98
Chapter 4: Methodology 101
Introduction 102
Types of Problems 102
Black Box 102
Chips 102
Unknown Remote Host 105
Information Leakage 105
Translucent Box 107
Tools 107
System Monitoring Tools 108
Packet Sniffing 112
Debuggers, Decompilers, and Related Tools 113
Crystal Box 117
Problems 117
Cost/Availability of Tools 117
Obtaining/Creating a Duplicate Environment 118

Problems with Cryptography 153
Secret Storage 154
Universal Secret 157
Entropy and Cryptography 159
Brute Force 163
L0phtCrack 164
Crack 166
John the Ripper 166
Other Ways Brute Force Attacks Are Being Used 167
Distributed.net 167
Deep Crack 169
Real Cryptanalysis 169
Differential Cryptanalysis 170
Side-Channel Attacks 172
Summary 173
Additional Resources 173
FAQs 174
Chapter 7: Unexpected Input 177
Introduction 178
Why Unexpected Data Is Dangerous 178
Situations Involving Unexpected Data 179
HTTP/HTML 179
Unexpected Data in SQL Queries 181
Disguising the Obvious 185
Finding Vulnerabilities 186
Black-Boxing 186
Use the Source (Luke) 189
Application Authentication 190

Call Register 219
Push Return 220
What Is an Offset? 220
No Operation (NOP) Sled 221
Off-by-One Struct Pointer 221
Dereferencing—Smashing the Heap 222
Corrupting a Function Pointer 222
Trespassing the Heap 223
Designing Payload 225
Coding the Payload 225
Injection Vector 225
Location of Payload 226
The Payload Construction Kit 226
Getting Bearings 237
Finding the DATA Section, Using a Canary 237
Encoding Data 238
XOR Protection 238
Using What You Have—Preloaded Functions 238
Hashing Loader 243
Loading New Libraries and Functions 245
WININET.DLL 246
Confined Set Decoding 247
Nybble-to-Byte Compression 247
Building a Backward Bridge 247
Building a Command Shell 247
“The Shiny Red Button”—Injecting a Device Driver into Kernel Mode 251
Worms 253
Finding New Buffer Overflow Exploits 253
Summary 257

Advanced Sniffing Techniques 272
Switch Tricks 272
ARP Spoofing 273
ARP Flooding 273
Routing Games 273
Operating System Interfaces 274
Linux 274
BSD 277
libpcap 277
Windows 279
Protection 279
Encryption 279
Secure Shell (SSH) 279
Switching 281
Detection 281
Local Detection 281
Network Detection 282
DNS Lookups 282
Latency 282
Driver Bugs 282
AntiSniff 283
Network Monitor 283
Summary 283
Additional Resources 283
FAQs 284
Chapter 10: Session Hijacking 285
Introduction 286
What Is Session Hijacking? 286
TCP Session Hijacking 287
TCP Session Hijacking with Packet Blocking 290

The Importance of Identity 313
The Evolution of Trust 314
Asymmetric Signatures between Human Beings 314
Establishing Identity within Computer Networks 316
Return to Sender 317
In the Beginning, there was…a Transmission 318
Capability Challenges 320
Ability to Transmit: “Can It Talk to Me?” 320
Ability to Respond: “Can It Respond to Me?” 321
Ability to Encode: “Can It Speak My Language?” 324
Ability to Prove a Shared Secret: “Does It Share a Secret with Me?” 326
Ability to Prove a Private Keypair: “Can I Recognize Your Voice?” 328
Ability to Prove an Identity Keypair: “Is Its Identity Independently Represented in My Keypair?” 329
Configuration Methodologies: Building a Trusted Capability Index 329
Local Configurations vs. Central Configurations 329
Desktop Spoofs 330
The Plague of Auto-Updating Applications 331
Impacts of Spoofs 332
Subtle Spoofs and Economic Sabotage 332
Subtlety Will Get You Everywhere 333
Selective Failure for Selecting Recovery 333
Attacking SSL through Intermittent Failures 335
Summary 335
FAQs 337

Minimize Use 370
Anti-Virus Software 373
Limiting Trust 373
Client Configuration 375
Summary 378
FAQs 380
Chapter 14: Viruses, Trojan Horses, and Worms 383
Introduction 384
How Do Viruses, Trojans Horses, and Worms Differ? 384
Viruses 384
Worms 385
Macro Virus 385
Trojan Horses 386
Hoaxes 387
Anatomy of a Virus 387
Propagation 388
Payload 389
Other Tricks of the Trade 390
Dealing with Cross-Platform Issues 391
Java 391
Macro Viruses 391
Recompilation 392
Proof that We Need to Worry 392
Morris Worm 392
ADMw0rm 392
Melissa and I Love You 393
Creating Your Own Malware 398
New Delivery Methods 398

they work. I surround myself with people who see the merit to this, yet bring different aptitudes to the table. The sharing of information from our efforts, both internally and with the world, is designed to help educate people on where problems arise, how they might have been avoided, and how to find them on their own.
This brought together some fine people whom I consider close friends, and is where the L0pht grew from. As time progressed and as our understanding of how to strategically address the problems that we came across in our research grew, we became aware of the paradigm shift that the world must embrace. Whether it was the government, big business, or the hot little e-commerce startup, it was apparent that the mentality of addressing security was to wait for the building to collapse, and come in with brooms and dustbins. This was not progress. This was not even an acceptable effort. All that this dealt with was reconstitution and did not attempt to address the problems at hand. Perhaps this would suffice in a small static environment with few users, but the Internet is far from that. As companies and organizations move from the closed and self-contained model to the open and distributed form that fosters new communications and data movement, one cannot take the tactical ‘repair after the fact’ approach. Security needs to be brought in at the design stage and built into the architecture for the organization in question.
But how do people understand what they will need to protect? What is the clue to what the next attack will be if it does not yet exist? Often it is an easy task if one takes an offensive research stance. Look for the new problems yourself. In doing so, the researcher will invariably end up reverse-engineering the object under scrutiny and see where the faults and stress lines are. These areas are the ones on which to spend time and effort buttressing against

attacks work, what they take advantage of, where they came from, and where the next wave might be aimed. We create proof-of-concept tools and code to demonstrate to ourselves and to others just how things work and where they are weak. We postulate and provide suggestions on how these things might be addressed before it’s after the fact and too late. We must do this responsibly, lest we provide people who are afraid of understanding these problems too

