Ethical Hacking and Attack Tools

Links from the class materials and other supplemental information, grouped by chapter:

Class files for labs

Chapter 1: Introduction

Chapter 2: Ethical hacking introduction

Links from the text:

• Microsoft's STRIDE model
• Wikipedia Rootkit definition
• Wikipedia Computer Worm definition
• Wikipedia Virus definition
• HIPAA (HHS web site)
• HIPAA (another web site)
• SEC info on Sarbanes-Oxley
• Wikipedia Sarbanes-Oxley page
• US Dept of Education FERPA information
• Electronic Privacy Information Center info on FERPA
• Digital Millennium Copyright Act (DMCA)
• Electronic Frontier Foundation (EFF) on the DMCA
• tool list for Backtrack 2
• Backtrack 2

Chapter 3: Intelligence about the target

Links from the text:

• The Art of War by Sun Tzu
• The Internet Archive
• The Memory Hole
• Google Hacking Database
• Edgar
• Yahoo! Finance
• Google Finance
• LACNIC
• robtex
• DNSStuff.com
• LogBud
• traceroute.org
• Geektools
• Whois.Net
• Fixed Orbit
• wink
• spock
• Maltego
• Maltego GUI

Additional links, not from the course text, or, software needed for the chapter:

EvolutionGUI-beta2-nix.tgz
EvolutionGUI-beta2-win.zip

Chapter 4: Network mapping

Links from the text:

• nmap information
• fping
• hping
• traceroute.org
• tcptraceroute
• trout

Additional links, not from the course text, or, software needed for the chapter:

hping3-20051105.tar.gz
tcptraceroute-1.5beta7.tar.gz
trout.zip
nmap-4.53-1.i386.rpm
nmap-4.53-setup.exe
zenmap-4.53-1.noarch.rpm

Chapter 5: Host mapping

Links from the text:

• nmap information
• netcat
• winfingerprint
• amap
• AOH::Passwords
• CIRT.net default passwords
• xprobe2
• the new p0f: fingerprint submission page
• p0f
• Honeynet Project

Additional links, not from the course text, or, software needed for the chapter:

winfingerprint-0.6.2.zip
xprobe2-0.3.tar.gz
p0f.tgz

Chapter 6: SNMP mapping

Links from the text:

• OIDview
• MIB Archive
• HP JetDirect password vulnerability
• SNMP Enumeration and Hacking by Mati Aharoni
• SNMP---simple management tool for hackers? by Jim Reavis
• onesixtyone
• snmpcheck

Additional links, not from the course text, or, software needed for the chapter:

snmpcheck-1.6

Chapter 7: Network Monitoring and Eavesdropping

Links from the text:

• wireshark home page
• dsniff and related tools
• A Windows port of dsniff and some (but not all) of the related tools
• EtherFlood
• ettercap
• rpm/pbone.net
• WinDNSSpoof
• Various DNS service implementations generate multiple simultaneous queries for the same resource record
• arpwatch
• WinARPWatch and other (Linux or Windows) ARP tools (attack and defense)
• arp-sk
• DNSSEC
• Detecting a packet sniffer on an IPV6-enabled Linux system
• PromqryUI
• Promqry
• sentinel

Additional links, not from the course text, or, software needed for the chapter:

dsniff-2.3.tar.gz
etherflood.zip
ettercap-NG-0.7.3.tar.gz
warpwatch.zip (WinARPWatch)
putty-0.60-installer.exe (PUTTY, a ssh for Windows)

The following two programs are unsupported by Netscape after March 1, 2008 and may contain serious serurity bugs. Only install them for use locally.
netscape-navigator-9.0.0.5.exe
netscape-navigator-9.0.0.5.tar.gz

Chapter 8: Attacking the network protocols

Links from the text:

• Project Neptune
• A collection of SYN flood attack tools
• Computer Network Security - ARP Spoofing/TCP Hijacking
• Kevin Mitnick's attack against Tsutomu Shimomura
• More details about Kevin and his arrest
• udpflood.exe

Additional links, not from the course text, or, software needed for the chapter:

SYN flood attack tools (from http://www.niksula.cs.hut.fi/~dforsber/synflood/):
SYNpacket.tgz
clog-0.0.2.tgz
synk4.c
tocsin.tgz
neptune.c

Other tools:
hping3-20051105.tar.gz udpflood.zip
fudp-0.1.tar.gz

These TCP session hijack and reset tools did not work for me, but might still be interesting:
path.tgz
hunt-1.5.tgz
juggernaut.tar.gz

Chapter 9: Network traffic injection

Links from the text:

• The Wikipedia entry on the ping of death
• The CERT advisory about the ping of death
• The Wikipedia entry on the Fraggle attack
• Windows NT/95 Out of Band Data Exploit
• OpenBSD's IPv6 mbufs remote kernel buffer overflow
• Pwnie Award Winners
• Scapy
• An introduction to scapy
• hping wiki
• Packet Crafting via HPing
• packETH

Additional links, not from the course text, or, software needed for the chapter:

scapy.py
nemesis-1.4.tar.gz
nemesis-1.4.tar.gz.asc
nemesis-1.4.zip
nemesis-1.4.zip.asc
libnet-1.0.2a.tar.gz
fraggle.c

Chapter 10: Reverse Engineering

Links from the text:

• IDA Pro
• wine information
• Jad
• JODE
• Lutz Roeder's tools page, including Reflector
• Anakrino
• Dis#

Additional links, not from the course text, or, software needed for the chapter:

idademo51.exe

Chapter 11: Black-box Testing

Links from the text:

• PROTOS information
• Wikipedia entry for equivalence partitioning
• Wikipedia entry for boundary value analysis
• Wikipedia entry on Fuzz testing
• University of Wisconsin Madison fuzz testing page
• OWASP page on fuzz testing
• OWASP Fuzz Vectors
• Wikipedia list of unit test frameworks
• Codenomicon
• darknet.org.uk fuzzing tools
• InfoSec Institute Fuzzers - The ultimate list
• Digital Dwarf Society
• HackSafe fuzz testing tool list
• Schemer from Fuzzware
• SCADASEC.net
• antiparser
• The Art of Fuzzing
• Peach Fuzzer Framework
• Peach Fuzzer Tutorial
• Python Tutorial
• Peach Fuzzer API documentation
• Python Tutorial
• Python Library Reference
• Python Global Module Index

Additional links, not from the course text, or, software needed for the chapter:

Peach-1.0.zip

Chapter 12: How HTTP works

Links from the text:

• The CGI RFC, RFC 3875
• RFC 2616
• RFC 2965
• netcat for Windows
• Cygwin

Chapter 13: Attacking Web Applications

Links from the text:

• Web proxy from PortSwigger.net
• WebScarab's web site
• Paros suite
• Nikto
• The Firefox Web Developer toolbar home page
• The Web Developer toolbar, from Mozilla.org
• IEWatch
• WebGoat project page
• WebGoat
• The Firefox SwitchProxy toolbar

Additional links, not from the course text, or, software needed for the chapter:

nikto-2.02.tar.gz
web-developer-1.1.6.xpi
burpsuite_v1.1.zip
paros-3.2.13-unix.zip
paros-3.2.13-win.dat
paros-3.2.13-win.exe
paros-3.2.13-src.zip
paros_user_guide.pdf
WebGoat-OWASP_Standard-5.1.zip (for Linux and Windows)
webgoat-5.1.sh (startup file for Linux)
webscarab-installer-20070504-1631.jar
webscarab-selfcontained-20070504-1631.jar
webscarab-src-20070504-1631.zip
switchproxy_tool-1.4.1-fx+mz+tb.xpi
tamper_data-10.0.4-fx.xpi

Chapter 14: State and the web

Links from the text:

• The bug report for the Payflow Link vulnerability
• Cart32 vulnerability information
• Other, similar hidden field vulnerabilities
• SecurityFocus.com's search page
• An example of using Java to secure client-side state with hidden forms
• The LinPHA vulnerability
• Perl session cookies
• ASP session cookies
• Java session cookies
• More Java session cookies information
• WHID 2005-61: Gmail session management bug
• FTD.com hole leaks personal information
• Microsoft vulnerability with session identifiers
• An example of exploiting the Hotmail vulnerability
• Microsoft Passport Account Hijack Attack by Obscure
• Huge Hotmail security flaw reported by ZDNN Staff
• Ipswitch session vulnerability
• Another, related vulnerability in Ipswitch IMail
• A good article with information about how ASP.NET sessions operate
• The Open Source Vulnerability Database
• Securityfocus.com
• National Vulnerability Database
• Add N Edit Cookies

Chapter 15: Other Injection attacks

Links from the text:

• Xbox Linux
• Technical Analysis of 007: Agent Under Fire save game hack
• The xkcd cartoon
• The Chris Rimmer threat

Chapter 16: Cross-site scripting (XSS)

Links from the text:

• The Cross Site Scripting (XSS) FAQ
• Wikipedia entry on cross-site scripting
• CERT Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests
• Safari Archive JavaScript Same Origin Policy Violation Vulnerability
• Mozilla Firefox Unspecified Javascript Remote Code Execution Vulnerability
• Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability
• Sun Java Runtime Environment Java Plug-in JavaScript Security Restriction Bypass Vulnerability
• Adobe Acrobat JavaScript Parsing Engine Arbitrary Code Execution Vulnerability
• MS Outlook Express 5 Javascript Email Access Vulnerability
• Example ways of session hijacking via XSS
• This link is a simple XSS example
• example of how to DoS the browser
• XSS---Stealing Cookies 101
• Example denial of service XSS attack
• Posting a bogus news message via XSS
• Another, well-written paper that includes posting a bogus story at a news site
• demo JavaScript port scanner
• The XSS worm on MySpace
• A description of the worm from its author
• More from Samy
• The Cross-site Scripting Virus
• XSS (Cross Site Scripting) Cheat Sheet Esp: for filter evasion
• Stored and Reflected XSS attacks at OWASP
• information about using Flash for XSS attacks
• ``How To: Prevent Cross-Site Scripting in ASP.NET''
• Anti-Cross Scripting Library for ASP.NET
• Adding Cross-Site Scripting Protection to ASP.NET 1.0
• the fake secure login page
• ExploreNM.com
• information about the bogus login screen
• TrustBar: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks by Amir Herzberg and Ahmad Gbara

Chapter 17: Buffer overflow introduction

Links from the text:

• CWE 124
• CWE 120
• information about buffer overflow history

Chapter 18: Stack overflows

Links from the text:

• Smashing The Stack For Fun And Profit
• CWE 124
• CWE 120
• Apache mod_rewrite contains off-by-one error in ldap scheme handling
• How to use assertions in C
• ASCII table

Additional links, not from the course text, or, software needed for the chapter:

Applying `design by contract' by Meyer, B., from IEEE Computer v 25 n 10, pp 40--51.

Chapter 19: Format string errors

Links from the text:

• CWE 134
• Exploiting Format String Vulnerabilities
• Format String Exploits
• RATS---Rough Auditing Tool for Security
• PScan
• Fedora RPM for PScan
• the RPM database
• Open Source Vulnerability Database
• Wikipedia entry for ASLR
• PaX documentation

Additional links, not from the course text, or, software needed for the chapter:

pscan-1.2-1.fc4.i386.rpm
rats-2.1-win32.zip
rats-2.1.tar.gz

Chapter 20: Pointer issues

Links from the text:

• Protecting against Pointer Subterfuge (Kinda!)
• GnuPG: remotely controllable function pointer
• C++ virtual destructors
• Virtual function entry at Wikipedia
• A description of the GOT
• Another description of the GOT
• How to hijack the Global Offset Table with pointers for root shells
• GOT/DTORS
• The article by Samy appears to have disappeared. An archive copy is here
• atexit in memory bugs
• w00w00 on Heap Overflows
• Exploit: Stack Overflows - Exploiting SEH on win32
• The gcc manual

Chapter 21: Vulnerability analysis

Links from the text:

• Open Source Vulnerability Database
• SecurityFocus Vulnerability Database
• Common Vulnerabilities and Exposures
• Milw0rm
• Scurn
• Internet Archive
• Cult of the Dead Cow
• Rain Forest Puppy (RFP)
• Packetstorm
• Offensive Computing
• Phoneolit
• Darklab
• Uninformed
• hackin9
• Remote-exploit
• CIRT.net
• L0T3K
• comprehensive list of security scanners
• Arirang
• Nikto
• SARA
• Core Impact
• SAINT
• ISS
• MBSA : Microsoft Baseline Security Analyzer
• Retina
• Canvas
• nessus web site
• Sana Security

Additional links, not from the course text, or, software needed for the chapter:

Nessus-3.0.4-es4.i386.rpm
Nessus-3.0.4-fc4.i386.rpm
Nessus-3.0.4-suse10.0.i586.rpm
Nessus-3.0.6.1.exe
Nessus-3.0.6-es5.i386.rpm
Nessus-3.0.6-suse10.0.i586.rpm
NessusClient-3.0.1-es5.i386.rpm
NessusClient-3.0.1-suse10.2.i586.rpm
NessusClient-3.0.1-win.msi

Chapter 22: Metasploit

Links from the text:

• metasploit
• Cygwin

Additional links, not from the course text, or, software needed for the chapter:

metasploit_developers_guide.pdf
metasploit_user_guide.pdf
framework-3.0.tar.gz

Chapter 23: Cryptography Overview

Links from the text:

• Handbook of Applied Cryptography
• An excellent overview of cryptography
• The standards for the SHA series of hashes
• A program for finding collisions in MD5
• NIST and approved hash functions
• The American Bar Association Section of Science and Technology Information Security Committee Digital Signature Guidelines Tutorial
• Digital Signature Standard (DSS, also called DSA)
• using RSA for digital signatures
• 10 Risks of PKI
• the OpenSSL timing attack
• details about the WEP problems
• the TI transponder cracking
• OpenSSL timing attacks
• Why Cryptography Is Harder Than It Looks by Bruce Schneier
• Security Pitfalls in Cryptography by Bruce Schneier

Chapter 24: Debugging with gdb

Links from the text:

• gdb documentation
• DDD
• emacs
• Insight
• A Guided Tour of Emacs

SkillBridge Training

Examples from the class notes (or, all as one file).

Selected Solutions from the class notes (no looking until you have solved the problems!). Note that all solutions are in an appendix of your course book. All solutions in a compressed tar file.

Evaluation form (if needed)