This effectively breaks the connection between sendmail and untrusted users, as all mail connections are received via smap, rather than directly by sendmail. Finally, consider using a more secure MTA such as qmail. Qmail is a modern replacement for sendmail, written by Dan Bernstein.
One of its main goals is security, and it has had a solid reputation thus far; see www. In addition to the aforementioned issues, sendmail is often misconfigured, allowing spammers to relay junk mail through your sendmail. As of sendmail version 8.
Adoption of an RPC standard is a good thing from an interoperability standpoint. However, when RPC services were first introduced, there was very little security built in. Thus, Sun and other vendors have tried to patch the existing legacy framework to make it more secure, but it still suffers from a myriad of security-related problems. As discussed in Chapter 3, RPC services register with the portmapper when started. To contact an RPC service, you must query the portmapper to determine which port the required RPC service is listening on.
We also discussed how to obtain a listing of running RPC services by using rpcinfo, or by using the -n option if the portmapper services were firewalled. To exacerbate matters, many of the RPC services are extremely complex and run with root privileges.
Thus, a successful buffer overflow or input validation attack will lead to direct root access. The current rage in remote RPC buffer overflow attacks relates to rpc. Other dangerous RPC services include rpc. Even if the portmapper is blocked, the attacker may be able to manually scan for the RPC services, which typically run on high-numbered ports, via the -sR option of nmap.
The aforementioned services are only a few examples of problematic RPC services. It is necessary to know the system name; in our example the system is named quake. We provide the target IP address of quake. We provide the system type 2, which equates to Solaris 2.
This is critical, as the exploit is tailored to each operating system. If an RPC service is critical to the operation of the server, consider implementing an access control device that only allows authorized systems to contact those RPC ports, which may be very difficult depending on your environment. Consider enabling a non-executable stack if it is supported by your operating system.
Secure RPC attempts to provide an additional level of authentication based upon public key cryptography. This xterm is a result of exploiting rpc. The same results would happen if an attacker were to exploit rpc. Thus, interoperability is a big issue. Finally, ensure that all the latest vendor patches have been applied. NFS allows transparent access to files and directories of remote systems as if they were stored locally. At this point, the red flags should be going up for any system that allows remote access of an exported file system.
Many buffer overflow conditions related to mountd, the NFS server, have been discovered. Additionally, NFS relies on RPC services and can be easily fooled into allowing attackers to mount a remote file system. Most of the security provided by NFS relates to a data object known as a file handle. The file handle is a token that is used to uniquely identify each file and directory on the remote server. If a file handle can be sniffed or guessed, remote attackers could easily access those files on the remote system.
The most common type of NFS vulnerability relates to a misconfiguration that exports the file system to everyone. That is, any remote user can mount the file system without authentication. This type of vulnerability is generally a result of laziness or ignorance on the part of the administrator and is extremely common. Mount is available in most flavors of UNIX, but it is not as flexible as some other tools. The nfsshell package provides a robust client called nfs.
Nfs operates like an FTP client and allows easy manipulation of a remote file system. Nfs has many options worth exploring. For security reasons, if you mount a remote file system as root, your UID and GID will map to something other than 0. However, the password file is shadowed so it cannot be used to crack passwords. Daemon has potential, but bin or UID 2 is a good bet because on many systems the user bin owns the binaries. At this point, all that is necessary is to fire off an xterm or to create a back channel to our system to gain access to the target system.
We create the following script on our system and name it in. The results, a root-owned xterm like the one represented next, will be displayed on our system. Because in. Implement client and user access controls to allow only authorized users to access required files.
Some options include specifying machine names or netgroups, read-only options, and the ability to disallow the SUID bit. Each NFS implementation is slightly different, so consult the user documentation or related man pages. Older versions of the portmapper would allow attackers to proxy connections on behalf of the attackers. This would make the request appear as if it were coming from a trusted host and bypass any related access control rules.
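As an added example (written by the editor, not part of the original text), the following C program audits lines of a Linux-style /etc/exports file for the misconfiguration described above: entries that export to everyone, entries exported read-write, and entries that let remote root keep UID 0 (no_root_squash). It assumes the Linux "client(options)" syntax; the sample lines are constructed, and a Solaris dfstab would need a different parser.

```c
#include <stdio.h>
#include <string.h>

/* Risk flags returned by audit_export_line(). */
#define EXPORT_WORLD          1   /* no client restriction, or a bare "*" */
#define EXPORT_WRITABLE       2   /* exported read-write */
#define EXPORT_NO_ROOT_SQUASH 4   /* remote root keeps UID 0 on the export */

/* Cut the next token (delimited by any char in delims) out of *cursor,
   NUL-terminate it and advance the cursor; NULL when nothing is left. */
static char *next_token(char **cursor, const char *delims)
{
    char *s = *cursor + strspn(*cursor, delims);
    if (*s == '\0') {
        *cursor = s;
        return NULL;
    }
    char *end = s + strcspn(s, delims);
    if (*end != '\0')
        *end++ = '\0';
    *cursor = end;
    return s;
}

/* Inspect one "client(options)" token of a Linux-style /etc/exports line. */
static int audit_client_spec(char *spec)
{
    int flags = 0;
    char *opts = NULL;
    char *paren = strchr(spec, '(');
    if (paren) {
        *paren = '\0';              /* spec is now just the client part */
        opts = paren + 1;
        char *rparen = strchr(opts, ')');
        if (rparen)
            *rparen = '\0';
    }
    /* An empty client part ("(rw)" on its own) or "*" means every host. */
    if (spec[0] == '\0' || strcmp(spec, "*") == 0)
        flags |= EXPORT_WORLD;

    if (opts) {
        for (char *o = next_token(&opts, ","); o; o = next_token(&opts, ",")) {
            if (strcmp(o, "rw") == 0)
                flags |= EXPORT_WRITABLE;
            else if (strcmp(o, "no_root_squash") == 0)
                flags |= EXPORT_NO_ROOT_SQUASH;
        }
    }
    return flags;
}

/* Audit one /etc/exports line. Returns the OR of the EXPORT_* flags over all
   client specs on the line; 0 for a blank, comment-only or clean line. */
int audit_export_line(const char *line)
{
    char buf[512];
    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    char *hash = strchr(buf, '#');      /* drop comments */
    if (hash)
        *hash = '\0';

    char *cur = buf;
    char *path = next_token(&cur, " \t\r\n");
    if (!path)
        return 0;

    int flags = 0, nclients = 0;
    for (char *spec = next_token(&cur, " \t\r\n"); spec; spec = next_token(&cur, " \t\r\n")) {
        flags |= audit_client_spec(spec);
        nclients++;
    }
    if (nclients == 0)                  /* a bare path exports to everyone */
        flags |= EXPORT_WORLD;
    return flags;
}

int main(void)
{
    /* Constructed sample entries, not taken from any real system. */
    static const char *samples[] = {
        "/export/home *(rw,no_root_squash)",
        "/srv/pub 192.168.1.0/24(ro)",
        "/data",
        "/home trusted (rw)",     /* the stray space opens /home to the world */
        "# comment only",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = audit_export_line(samples[i]);
        printf("%-36s world=%d rw=%d no_root_squash=%d\n", samples[i],
               !!(f & EXPORT_WORLD), !!(f & EXPORT_WRITABLE), !!(f & EXPORT_NO_ROOT_SQUASH));
    }
    return 0;
}
```

The fourth sample shows the trap that makes this misconfiguration so common on Linux: a space between the host and the parenthesised options applies those options to every host, so "/home trusted (rw)" is a world-writable export even though an administrator reads it as restricted to one machine.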
Finally, apply all vendor-related patches. The major problem with X is that its security model is an all-or-nothing approach.
Once a client is granted access to an X server, pandemonium is allowed. X clients can capture the keystrokes of the console user, kill windows, capture windows for display elsewhere, and even remap the keyboard to issue nefarious commands no matter what the user types. Most problems stem from a weak access control paradigm or pure indolence on the part of the system administrator. The simplest and most popular form of X access control is xhost authentication.
This mechanism provides access control by IP address and is the weakest form of X authentication. Attackers can use this seemingly benign weakness to compromise the security of the target server. Xscan will scan an entire subnet looking for an open X server and log all keystrokes to a log file.
Connecting to quake
Host quake is running X.
Starting keyboard logging of host quake
A quick tail of the log file reveals what the user is typing in real time.
It is also easy for attackers to view specific windows running on the target systems. Luckily for us, it was. However, you can just comb through the results of xlswins to identify an interesting window. To actually display the Netscape window on our system, we use the XWatchWin program, as shown in the figure. Thus, attackers can send keyboard events to an xterm on the target system as if they were typed locally.
If you are in doubt, issue the xhost - command. xhost - will not terminate any existing connections; it will only prohibit future connections. If you must allow remote access to your X server, specify each server by IP address. Keep in mind that any user on that server can connect to your X server and snoop away.
These mechanisms provide an additional level of security when connecting to the X server. If you use xterm or a similar terminal, enable the secure keyboard option. This will prohibit any other process from intercepting your keystrokes. Also consider firewalling the X server ports to prohibit unauthorized users from connecting to them.
Finally, consider using ssh and its tunneling functionality for enhanced security during your X sessions. As you might imagine, the ubiquity of DNS also lends itself to attack.
Thus, a flaw in bind will almost surely result in a remote compromise, most times with root privileges. To put the risk into perspective, a security survey reported that over 50 percent of all DNS servers connected to the Internet are vulnerable to attack. The risk is real—beware! This buffer overflow allows remote attackers to execute any command they wish with root privileges on the affected server.
Most attackers will set up automated tools to try to identify a vulnerable server running named. To determine if your DNS has this potential vulnerability, you would perform the following enumeration technique:
[tsunami] dig
Again, this underscores how important accurately footprinting your environment is. Other vulnerable versions of named include 8.
For this attack to work, the attackers must control a DNS server associated with a valid domain. It is necessary for the attackers to set up a subdomain associated with their domain on this DNS server. Again, quake is a DNS server that the attackers already control. Since named runs on many UNIX variants, the following architectures are supported by this exploit.
You must not run a real DNS server on this system, or the exploit will not be able to bind to the port. Keep in mind, the whole exploit is predicated on having the target name server connect to or query our fake DNS server, which is really the exploit listening on the UDP port. So how does an attacker accomplish this? The attacker simply asks the target DNS server to look up some basic information via the nslookup command:
[quake] nslookup
Default Server: localhost.
This causes the dns. Once the target name server connects to tsunami, the buffer overflow exploit will be sent to the dns. On many stock installs of UNIX (particularly Linux) named is fired up during boot and never used by the system. Second, you should ensure that the version of BIND you are using is current and patched for related security flaws; see www. Third, run named as an unprivileged user. That is, named should fire up with root privileges only to bind to port 53 and then drop its privileges during normal operation with the -u option (named -u dns -g dns).
While these security measures will serve you well, they are not foolproof; thus, it is imperative to be paranoid about your DNS server security. As mentioned previously, most attackers strive to gain local access via some remote vulnerability. At the point where attackers have an interactive command shell, they are considered to be local on the system.
While it is possible to gain direct root access via a remote vulnerability, often attackers will gain user access first. The degree of difficulty in privilege escalation varies greatly by operating system and depends on the specific configuration of the target system.
Some operating systems do a superlative job of preventing users without root privileges from escalating their access to root, while others do it poorly. Users will find it much harder to escalate their privileges on a default install of OpenBSD than on a default install of Irix.
Of course, the individual configuration has a significant impact on the overall security of the system. The next section of this chapter will focus on escalating user access to privileged or root access. We should note that in most cases attackers will attempt to gain root privileges; however, oftentimes it might not be necessary.
For example, if attackers are solely interested in gaining access to an Oracle database, the attackers may only need to gain access to the Oracle ID, rather than root. Password cracking is commonly known as an automated dictionary attack. While brute force guessing is considered an active attack, password cracking can be done offline and is passive in nature. However, we felt password cracking is best covered as a local attack. It differs from brute force guessing as the attackers are not trying to access a service or su to root in order to guess a password.
If the encrypted hash matches the hash generated by the password-cracking program, the password has been successfully cracked. The process is simple algebra. If you know two out of three items, you can deduce the third. Therefore, if we hash the input by applying the applicable algorithm and the resultant output matches the hash of the target user ID, we know what the original password is.
This process is illustrated in the figure "How password cracking is accomplished". Two of the best programs available to crack passwords are Crack 5. Crack 5. Crack comes with a very comprehensive wordlist that runs the gamut from the unabridged dictionary to Star Trek terms. Crack even provides a mechanism that allows a crack session to be distributed across multiple systems.
In addition, John handles more types of password hashing algorithms than Crack. Both Crack and John provide a facility to create permutations of each word in their wordlist. By default, each tool has over 2, rules that can be applied to a dictionary list to guess passwords that would seem impossible to crack. Each tool has extensive documentation that you are encouraged to peruse. It is important to be familiar with how a password file is organized. Crack is a self-compiling program, and when executed, will begin to make certain components necessary for operation.
It is extremely common for users to have their full name listed in the GECOS field and to choose a password that is a combination of their full name.
Crack will rapidly ferret out these poorly chosen passwords.
Crack: Sorting out and merging feedback, please be patient
Crack: Merging password files
If we execute Reporter with no options, it will display errors, warnings, and locked passwords. There are several scripts included with Crack that are extremely useful.
One of the most useful scripts is shadmrg. This script is used to merge the UNIX password file with the shadow file. Thus, all relevant information can be combined into one file for cracking. Other commands of interest include make tidy, which is used to remove the residual user accounts and passwords after Crack has been executed. One final item that should be covered is learning how to identify the associated algorithm used to hash the password.
As added security measures, some vendors have implemented MD5 and blowfish algorithms. If you plan on cracking MD5 or blowfish hashes, we strongly recommend the use of John the Ripper. As mentioned before, John is one of the best and fastest password cracking programs available.
It is extremely simple to run. It will identify the associated encryption algorithm, in our case DES, and begin guessing passwords. It first uses a dictionary file password. As you can see, the stock version of John guessed the user bob, while Crack was able to guess the user jfr. So we received different results with each program. This is primarily related to the limited word file that comes with john, so we recommend using a more comprehensive wordlist, which is controlled by the john.
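The GECOS observation above (users choosing passwords built from the full name stored in their own passwd entry) is also the basis of a defensive check: a password-changing program can refuse such passwords before Crack or John ever get a chance, which is what pam_cracklib's gecoscheck does. The following C function is an added example by the editor, not code from the original text or from either cracking tool. The GECOS records and candidate passwords are constructed, and the three-character minimum and the reversed-word rule are the editor's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 128

/* Bounded lower-case copy of src into dst. */
static void lower_copy(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void reverse_in_place(char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n / 2; i++) {
        char t = s[i];
        s[i] = s[n - 1 - i];
        s[n - 1 - i] = t;
    }
}

/* Cut the next token (delimited by any char in delims) out of *cursor,
   NUL-terminate it and advance the cursor; NULL when nothing is left. */
static char *next_token(char **cursor, const char *delims)
{
    char *s = *cursor + strspn(*cursor, delims);
    if (*s == '\0') {
        *cursor = s;
        return NULL;
    }
    char *end = s + strcspn(s, delims);
    if (*end != '\0')
        *end++ = '\0';
    *cursor = end;
    return s;
}

/* Returns 1 if the candidate password contains a word of the account's GECOS
   full name (forwards or reversed) or the whole name run together, ignoring
   case. Only words of three or more characters count on their own. */
int password_derived_from_gecos(const char *gecos, const char *password)
{
    char name[MAX_FIELD], pw[MAX_FIELD], joined[MAX_FIELD] = "";

    lower_copy(name, gecos, sizeof name);
    lower_copy(pw, password, sizeof pw);

    /* The full name is the first comma-separated GECOS field. */
    char *comma = strchr(name, ',');
    if (comma)
        *comma = '\0';

    char *cur = name;
    for (char *w = next_token(&cur, " \t"); w; w = next_token(&cur, " \t")) {
        if (strlen(joined) + strlen(w) < sizeof joined)
            strcat(joined, w);          /* "bob" + "smith" -> "bobsmith" */
        if (strlen(w) < 3)
            continue;
        if (strstr(pw, w))
            return 1;
        reverse_in_place(w);            /* catches "htims"-style permutations */
        if (strstr(pw, w))
            return 1;
    }
    return (strlen(joined) >= 3 && strstr(pw, joined)) ? 1 : 0;
}

int main(void)
{
    /* Constructed passwd-style GECOS field and candidates, not real accounts. */
    const char *gecos = "Bob Smith,,,";
    const char *candidates[] = { "bobsmith1", "Smith99", "htims!", "xq9!Lrt2" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-10s -> %s\n", candidates[i],
               password_derived_from_gecos(gecos, candidates[i])
                   ? "rejected (built from GECOS name)" : "ok");
    return 0;
}
```

This is the mirror image of what Crack's rules do: the same permutations that let a cracker recover "Smith99" from the GECOS field let the system refuse it at password-change time, which is far cheaper than finding it in a Reporter run later.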
Most times, buffer overflow conditions are used to exploit SUID root files, enabling the attackers to execute commands with root privileges. In this section, we discuss and give examples of how a local buffer overflow attack works. This buffer overflow condition affects many different programs because it is a buffer overflow in the system libraries (libc) rather than one specific program, as discussed earlier. This is an important point, and one of the reasons we chose this example.
It is possible for a buffer overflow condition to affect many different programs if the overflow condition exists in libc. First, we need to compile the actual exploit. Your mileage will vary greatly, as exploit code is very persnickety. Often you will have to tinker with the code to get it to compile, as it is platform dependent.
This particular exploit is written for Solaris 2. This results in the unmistakable sign, indicating that we have gained root access. This exercise was quite simple and can make anyone look like a security expert. In reality, the Shadow Penguin Security group performed the hard work by discovering and exploiting this vulnerability. As you can imagine, the ease of obtaining root access is a major attraction to most attackers when using local buffer overflow exploits.
Local Buffer Overflow Countermeasure
The best buffer overflow countermeasure is secure coding practices combined with a non-executable stack. If the stack had been non-executable, we would have had a much harder time trying to exploit this vulnerability.
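To make concrete what "secure coding practices" prevent here, the following C program is an added example by the editor (not from the original text and unrelated to the Shadow Penguin Security exploit). It models a stack frame as a flat byte array, a fixed 16-byte buffer immediately followed by the saved return address, and contrasts an unbounded strcpy-style copy with a length-checked one. RET_MARKER and the frame layout are assumptions of the model; the program itself never writes out of bounds, so it runs safely anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
/* Stand-in for the saved return address. Every byte is non-zero so that any
   overwrite, even a single NUL, is detectable regardless of endianness. */
#define RET_MARKER (~(uintptr_t)0)

/* Byte-level model of a stack frame: the buffer, then the saved return
   address, exactly as they sit on a real stack. */
typedef struct {
    unsigned char bytes[BUF_SIZE + sizeof(uintptr_t)];
} frame_t;

static void frame_init(frame_t *f)
{
    uintptr_t ret = RET_MARKER;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + BUF_SIZE, &ret, sizeof ret);
}

static uintptr_t frame_saved_ret(const frame_t *f)
{
    uintptr_t ret;
    memcpy(&ret, f->bytes + BUF_SIZE, sizeof ret);
    return ret;
}

/* The bug: copy the whole input, terminator included, with no bound, the way
   strcpy() does. Anything past BUF_SIZE lands on the saved return address. */
static void unbounded_copy(frame_t *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof f->bytes)
        n = sizeof f->bytes;            /* keep the model itself in bounds */
    memcpy(f->bytes, input, n);
}

/* The fix: check the length first and refuse input that does not fit,
   terminator included. Returns 1 if copied, 0 if rejected. */
static int bounded_copy(frame_t *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= BUF_SIZE)
        return 0;
    memcpy(f->bytes, input, n + 1);
    return 1;
}

/* Constructed input of n 'A' bytes (capped at 63). */
static const char *a_string(char *buf, size_t n)
{
    if (n > 63)
        n = 63;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

/* 1 if the saved return address survived an unbounded copy of n bytes. */
int unbounded_copy_keeps_ret(size_t n)
{
    char in[64];
    frame_t f;
    frame_init(&f);
    unbounded_copy(&f, a_string(in, n));
    return frame_saved_ret(&f) == RET_MARKER;
}

/* 1 if the saved return address survived a bounded copy of n bytes. */
int bounded_copy_keeps_ret(size_t n)
{
    char in[64];
    frame_t f;
    frame_init(&f);
    (void)bounded_copy(&f, a_string(in, n));
    return frame_saved_ret(&f) == RET_MARKER;
}

/* 1 if the bounded copy accepted n bytes, 0 if it rejected them as too long. */
int bounded_copy_accepts(size_t n)
{
    char in[64];
    frame_t f;
    frame_init(&f);
    return bounded_copy(&f, a_string(in, n));
}

int main(void)
{
    /* 15 bytes fit; 16 bytes put the terminator on the return address (the
       classic off-by-one); 32 bytes overwrite it completely. */
    size_t lens[] = { 15, 16, 32 };
    for (int i = 0; i < 3; i++)
        printf("%2zu bytes: unbounded keeps ret=%d, bounded accepts=%d keeps ret=%d\n",
               lens[i], unbounded_copy_keeps_ret(lens[i]),
               bounded_copy_accepts(lens[i]), bounded_copy_keeps_ret(lens[i]));
    return 0;
}
```

The 16-byte case is worth noting: the input itself fits, but its terminating NUL does not, and that single byte is enough to change where the function returns. A non-executable stack does not stop the overwrite; it only removes the easiest place to put the code the corrupted return address would jump to, which is why the text pairs it with secure coding rather than offering it alone.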
While this is a convenient place to write temporary files, it is also fraught with peril. The main security problem stems from programs blindly following symbolic links to other files. A symbolic link is a file, created via the ln command, that does nothing more than point to a different file. This seemingly benign feature is a root compromise waiting to happen. In our example, we are going to study the dtappgather exploit for Solaris.
Dtappgather is a utility shipped with the Common Desktop Environment. It also changes the ownership of the file to the UID of the user who executed the program. Unfortunately, dtappgather does not perform any sanity checking to determine if the file exists or if it is a symbolic link.
Symlink Countermeasure
Secure coding practices are the best countermeasure available. Unfortunately, many programs are coded without performing sanity checks on existing files. As always, remove the SUID bit from as many files as possible to mitigate the risks of symlink vulnerabilities.
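The sanity check that dtappgather lacked does not have to be a separate stat call, which would itself be racy; the kernel can enforce it at open time. The following C program is an added example by the editor, not code from the original text or from dtappgather. It builds a scratch directory containing a symlink named temp that points at a file named victim, then compares a naive O_CREAT open, which follows the link and writes into victim, with an O_CREAT|O_EXCL|O_NOFOLLOW open, which refuses. The directory and file names are constructed; it needs a writable TMPDIR or /tmp.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { OPEN_WROTE_TARGET = 1, OPEN_REFUSED = 2, OPEN_SETUP_FAILED = -1 };

/* Build a scratch directory holding a symlink "temp" -> "victim", then open
   "temp" with the given flags, as a privileged program creating its temporary
   file would. Returns OPEN_WROTE_TARGET if the open followed the link and the
   write landed in "victim", OPEN_REFUSED if the open failed. */
static int try_open_through_symlink(int flags)
{
    const char *base = getenv("TMPDIR");
    char dir[256], victim[320], linkpath[320];
    snprintf(dir, sizeof dir, "%s/symdemo.XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir))
        return OPEN_SETUP_FAILED;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(linkpath, sizeof linkpath, "%s/temp", dir);

    int result = OPEN_SETUP_FAILED;
    /* "victim" stands in for a file the program should never touch. */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd >= 0 && close(vfd) == 0 && symlink(victim, linkpath) == 0) {
        int fd = open(linkpath, flags, 0600);
        if (fd < 0) {
            result = OPEN_REFUSED;
        } else {
            ssize_t w = write(fd, "owned\n", 6);
            close(fd);
            struct stat st;
            result = (w == 6 && stat(victim, &st) == 0 && st.st_size == 6)
                         ? OPEN_WROTE_TARGET : OPEN_REFUSED;
        }
    }
    unlink(linkpath);
    unlink(victim);
    rmdir(dir);
    return result;
}

/* Naive: O_CREAT without O_EXCL opens whatever the existing path resolves to,
   so the planted symlink silently redirects the write to "victim". */
int naive_open_follows_symlink(void)
{
    return try_open_through_symlink(O_WRONLY | O_CREAT | O_TRUNC);
}

/* Hardened: O_CREAT|O_EXCL fails if the name already exists (symlink or not),
   and O_NOFOLLOW refuses to traverse a symlink in the final path component. */
int hardened_open_refuses_symlink(void)
{
    return try_open_through_symlink(O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW);
}

int main(void)
{
    printf("naive open:    %s\n", naive_open_follows_symlink() == OPEN_WROTE_TARGET
                                      ? "wrote through the symlink" : "refused");
    printf("hardened open: %s\n", hardened_open_refuses_symlink() == OPEN_REFUSED
                                      ? "refused" : "wrote through the symlink");
    return 0;
}
```

mkstemp(3) applies the same O_CREAT|O_EXCL rule with a random name, which is why it is the usual recommendation for temporary files; the explicit flags above are shown so the reason it is safe is visible.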
By convention, file descriptors 0, 1, and 2 have implied uses that equate to standard input, standard output, and standard error, respectively. Thus, when the kernel opens an existing file or creates a new file, it returns a specific file descriptor that a program can use to read or write to that file.
Therefore, attackers may be able to modify a critical system file and gain root access. Oddly enough, the ever-bulletproof OpenBSD was vulnerable to a file descriptor allocation attack in version 2. Oliver Friedrichs discovered that the chpass command, used to modify some of the information stored in the password file, did not allocate file descriptors correctly. When chpass was executed, a temporary file was created that users were allowed to modify with the editor of their choice.
Any changes were merged back into the password database when the users closed their editor. At this point our shell has inherited access to an open file descriptor. F 6 lines, characters. The close-on-exec flag should be set when the execve system call is executed.
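The close-on-exec flag can be demonstrated directly. The following C program is an added example by the editor, not code from the original text or from chpass. It opens a scratch file, then forks and execs /bin/sh to see whether the new program can still write through the inherited descriptor, first without and then with FD_CLOEXEC set via fcntl. The file name is constructed; it needs a writable TMPDIR or /tmp and a /bin/sh.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec /bin/sh, which tries to write through descriptor number fd.
   Returns 1 if the write succeeded (the descriptor survived execve), 0 if
   the shell could not use it, -1 on error. */
static int child_inherits_fd(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Mark fd close-on-exec so execve() closes it in the new program image.
   Returns 0 on success, -1 on failure. */
int set_close_on_exec(int fd)
{
    int fl = fcntl(fd, F_GETFD);
    if (fl < 0)
        return -1;
    return fcntl(fd, F_SETFD, fl | FD_CLOEXEC) < 0 ? -1 : 0;
}

/* Open a scratch file and report whether a program exec'd afterwards can
   still write to it. with_cloexec == 0 reproduces the chpass-style leak,
   with_cloexec == 1 the fix. Returns 1 (leaked), 0 (closed) or -1 (error). */
int descriptor_leaks_to_child(int with_cloexec)
{
    const char *base = getenv("TMPDIR");
    char path[256];
    snprintf(path, sizeof path, "%s/fddemo.XXXXXX", base ? base : "/tmp");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                   /* only the descriptor matters from here */
    if (with_cloexec && set_close_on_exec(fd) != 0) {
        close(fd);
        return -1;
    }
    int leaked = child_inherits_fd(fd);
    close(fd);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: child %s the descriptor\n",
           descriptor_leaks_to_child(0) == 1 ? "inherited" : "could not use");
    printf("with FD_CLOEXEC:    child %s the descriptor\n",
           descriptor_leaks_to_child(1) == 1 ? "inherited" : "could not use");
    return 0;
}
```

In the chpass case the "child" was the user's chosen editor, and the leaked descriptor referred to the temporary copy of the password database; the shell here plays the same role. The flag is per-descriptor, which is why every open a privileged program makes before it execs something on the user's behalf needs it (or the O_CLOEXEC open flag on systems that have it).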
As mentioned previously, remove the SUID bits on any program where they are not absolutely necessary. This axiom holds true in the cyberworld as well. Attackers will take advantage of a program or process while it is performing a privileged operation.
Typically this includes timing the attack to abuse the program or process after it enters a privileged mode but before it gives up its privileges. Most times, there is a limited window for attackers to abscond with their booty.
A vulnerability that allows attackers to abuse this window of opportunity is called a race condition. We are going to focus on those that deal with signal handling as they are very common.
Signal Handling Issues
Signals are a mechanism in UNIX used to notify a process that some particular condition has occurred and provide a mechanism to handle asynchronous events.
In this regard, signals are used to alter the flow of a program. Once again, the red flag should be popping up when we discuss anything that can alter the flow of a running program. The ability to alter the flow of a running program is one of the main security issues related to signal handling. An example of signal handling abuse is the wu-ftpd v2. This vulnerability allowed both regular and anonymous users to access files as root.
It was caused by a bug in the FTP server related to how signals were handled. The FTP server installed two signal handlers as part of its startup procedure.
Normally, when a user logs in to an FTP server, the server runs with the effective UID of the user and not with root privileges. It is the point at which the server changes its effective UID to 0 that it is vulnerable to attack.
This creates a race condition where the attackers must issue the SIGURG signal after the server changes its effective UID to 0 but before the user is successfully logged out. If the attackers are successful (which may take a few tries), they will still be logged in to the FTP server with root privileges. At this point, attackers can put or get any file they like and potentially execute commands with root privileges.
As mentioned time and time again, reduce the number of SUID files on each system, and apply all relevant vendor-related security patches. There is a lot of sensitive information that is stored in memory when a UNIX system is running, including password hashes read from the shadow password file. One example of a core-file manipulation vulnerability was found in older versions of FTPD. FTPD allowed attackers to cause the FTP server to write a world-readable core file to the root directory of the file system if the PASV command were issued before logging in to the server.
If password hashes were recoverable from the core file, attackers could potentially crack a privileged account and gain root access to the vulnerable system.
Core-File Countermeasure
Core files are necessary evils. While they may provide attackers with sensitive information, they can also provide a system administrator with valuable information in the event that a program crashes. Based on your security requirements, it is possible to restrict the system from generating a core file by using the ulimit command.
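Besides setting ulimit in a system profile, a program that holds secrets in memory (an FTP server that has read the shadow file, for instance) can refuse to dump core on its own behalf. The following C snippet is an added example by the editor, not from the original text: it shows the setrlimit call that corresponds to ulimit -c 0. Lowering the hard limit as well is the editor's choice so that an unprivileged child cannot raise it back.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/resource.h>

/* Disable core dumps for this process and any child it starts: the
   programmatic form of "ulimit -c 0". Both the soft and the hard limit go to
   zero, so a child running as an unprivileged user cannot raise the limit
   again. Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;
    return setrlimit(RLIMIT_CORE, &rl) == 0 ? 0 : -1;
}

/* Returns 1 if the soft core-size limit is zero, i.e. no core file can be
   written for this process, 0 otherwise or on error. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

int main(void)
{
    printf("before: core dumps %s\n", core_dumps_disabled() ? "disabled" : "enabled");
    if (disable_core_dumps() != 0) {
        perror("setrlimit");
        return 1;
    }
    printf("after:  core dumps %s\n", core_dumps_disabled() ? "disabled" : "enabled");
    return 0;
}
```

The call belongs early in the program, before any secret is read into memory, and it complements rather than replaces the administrator's ulimit setting: a per-program limit protects that program even on a host where the profile was never tightened.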
By setting ulimit to 0 in your system profile, you turn off core-file generation. This code is linked to a host-shared library during compilation. When the program is executed, a target-shared library is referenced and the necessary code is available to the running program.
The main advantages of using shared libraries are to save system disk and memory, and to make it easier to maintain the code. Updating a shared library effectively updates any program that uses the shared library. Of course, there is a security price to pay for this convenience.
If attackers were able to modify a shared library or provide an alternate shared library via an environment variable, the attackers could gain root access. An example of this type of vulnerability occurred in the in. This is an ancient vulnerability, but makes a nice example. Essentially, some versions of in. To successfully exploit this vulnerability, attackers had to place a modified shared library on the target system by any means possible.
When in. This allowed the attackers to execute code with root privileges. In reality there are going to be programming flaws in these libraries that would expose the system to attack when a SUID binary is executed.
With this complexity, UNIX and other advanced operating systems will inevitably have some sort of programming flaws. For UNIX systems, the most devastating security flaws are associated with the kernel itself.
The UNIX kernel is the core component of the operating system that enforces the overall security model of the system. This model includes honoring file and directory permissions, the escalation and relinquishment of privileges from SUID files, how the system reacts to signals, and so on. If a security flaw occurs in the kernel itself, the security of the entire system is in grave danger.
An example of a kernel flaw that affects millions of systems was discovered in June and is related to almost all Linux 2. Essentially, these capabilities were designed to enhance the security of the overall system. Unfortunately, due to a programming flaw, the functionality of this security measure does not work as intended. This flaw can be exploited by fooling SUID programs (for example, sendmail) into not dropping privileges when they should. Thus, attackers who have shell access to a vulnerable system could escalate their privilege to root.
Kernel Flaws Countermeasure
This vulnerability affects many Linux systems and is something that any Linux administrator should patch immediately. Luckily, the fix is fairly straightforward.