lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri Jun 30 20:07:01 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: New member asking question...

On Fri, 30 Jun 2006 11:47:37 CDT, "Reynolds, Joseph R" said:

> Also, are there any good "Hacking" books that I could read?  I have had
> a Hackers Tool and Techniques class at school, but all of the programs
> are very outdated, like l0phtcrack, JTR, ethereal or wireshark, and

I wouldn't call any of these "outdated" - they're still some of the best
tools in their categories.

> such.  I am looking to actually enter systems or find ways to enter
> systems and understand the weakness that allows it so I can avoid it
> later. 

It turns out that you don't actually need to be very good at *finding*
weaknesses in order to secure against it.  All you need is a good grasp
of what general classes of vulnerabilities there are, and what they can gain
an attacker.  If you need to look at actual code, I'd suggest getting a
copy of Metasploit, and just *looking* at it.  Look at the payloads section,
as that will give you a good idea of the sorts of payloads you might get
hit with.  Then just assume that the Bad Guy has an exploit for any given
outward-facing code and resource on your system...

If you want to be scared about how many exploits are already out there,
look at Nessus or the Packetstormsecurity archives. ;)

In order to secure against this, the proper method is:

0) Simply applying all the current patches for your system, and properly
configuring it, will go a *long* way.  Two good resources:

Center for Internet Security (http://www.cisecurity.org)
the NSA security guides (http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1)

(Basically, these go through all the high-risk issues discussed in 1-4 below,
and give you a easy cookbook so you don't have to re-do the research.
Disclaimer: I'm one of the perpetrators for the various CIS Unix/Linux guides,
so I'm a bit biased.)

The two biggest areas those guides don't address in depth are social engineering
and abuse of inter-machine trust relationships (if you manage to find a
weak password on one box, and then get into a second because there's a
file share or SSH key or similar...)

1) Pick a piece of code or resource that an attacker could potentially attack
(for instance, your Apache server, or a Windows file share.

2) *ASSUME* that the attacker has a Magic Bullet that can exploit it.  You
don't need to *find* one, just proceed as if the bad guy did all the hard work
and found it.

3) Start looking at ways to mitigate and control the damage.  For instance,
many "buffer overflow Magic Bullets" can be stopped with "Run Apache with
non-exec stack".  Many "own the file share Bullets" can be stopped with either
"don't export share to world" or "firewall the Windows fileshare ports". And so
on.

4) Lather, rinse, repeat for all the attacks you can think of.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060630/4e4cee0d/attachment.bin

Powered by blists - more mailing lists