Copyright © 2015 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN: 978-0-07-183656-2 MHID: 0-07-183656-X
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-183655-5, MHID: 0-07-183655-1.
eBook conversion by codeMantra Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please visit the Contact Us page at www.mhprofessional.com.
Information contained in this work has been obtained by McGraw-Hill Education from sources believed to be reliable. However, neither McGraw-Hill Education nor its authors guarantee the accuracy or completeness of any information published herein, and neither McGraw-Hill Education nor its authors shall be responsible for any errors, omissions, or damages arising out of use of this information. This work is published with the understanding that McGraw-Hill Education and its authors are supplying information but are not attempting to render engineering or other professional services. If such services are required, the assistance of an appropriate professional should be sought.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
Chocolate of course my Ancient Love. Morning and night I’m thinking of. Because of you two types of day one you’re here the other away.
—Vincent Nestler
I would like to thank my parents, Donald and Karen, for encouraging and supporting me and my endeavors. Their example will continue to inspire me throughout my life.
—Keith Harrison
About the Authors
Vincent Nestler has a PhD in instructional design and an MS in network security from Capitol College, as well as an MAT in education from Columbia University. He is a professor at California State University – San Bernardino and has more than 20 years of experience in network administration and security. He has served as a data communications maintenance officer in the U.S. Marine Corps Reserve, and he designed and implemented the training for Marines assigned to the Defense Information Systems Agency (DISA) Computer Emergency Response Team. He also served as the assistant operations officer (training) for the Joint Broadcast System during its transition to DISA. Since 2007, he has been integral to training CyberCorps students both at Idaho State University and at California State University – San Bernardino. He is a professor of practice in information assurance at Capitol College. His professional certifications include Red Hat Certified Engineer, Microsoft Certified Trainer, Microsoft Certified Systems Engineer, AccessData Certified Examiner, AccessData Mobile Examiner, and Security+.
Keith Harrison has a PhD in computer science from the University of Texas – San Antonio. Dr. Harrison’s doctoral dissertation was on the scalable detection of community cyberincidents utilizing distributed and anonymous security information sharing. His research interests include community cybersecurity, information sharing, cryptography, peer-to-peer networks, honeynets, virtualization, and visualization. In addition to his research activities, Dr. Harrison is the lead developer of the Collegiate Cyber Defense Competition (CCDC) Scoring Engine and the CyberPatriot Competition System (CCS) Scoring Engine. He also enjoys assisting in the operation of the National Collegiate Cyber Defense Competition (NCCDC), Panoply King of the Hill Competition, and the CyberPatriot National High School Cyber Defense Competition.
Matthew Hirsch has an MS in network security from Capitol College and a BA in physics from State University of New York (SUNY) – New Paltz. Mr. Hirsch has worked in the information security operations group for a large financial firm, data distribution for firms including Deutsche Bank and Sanwa Securities, and systems/network administration for Market Arts Software. Formerly an adjunct professor at Capitol College, Katharine Gibbs School, and DeVry, Mr. Hirsch also enjoys a long-term association with Dorsai, a New York City nonprofit ISP/hosting firm.
Dr. Wm. Arthur Conklin, CompTIA Security+, CISSP, CSSLP, GISCP, CRISC, is an associate professor and director of the Center for Information Security Research and Education in the College of Technology at the University of Houston. He holds two terminal degrees: a PhD in business administration (specializing in information security) from the University of Texas – San Antonio (UTSA) and the degree Electrical Engineer (specializing in space systems engineering) from the Naval Postgraduate School in Monterey, California. He is a fellow of ISSA, a senior member of ASQ, and a member of IEEE and ACM. His research interests include the use of systems theory to explore information security, specifically in cyber physical systems. He has coauthored six security books and numerous academic articles associated with information security. He is active in the DHS- sponsored Industrial Control Systems Joint Working Group (ICSJWG) efforts associated with workforce development and cybersecurity aspects of industrial control systems. He has an extensive background in secure coding and is a co-chair of the DHS/DoD Software Assurance Forum working group for workforce education, training, and development.
About the Series Editor
Corey Schou, PhD, is a frequent public speaker and an active researcher with more than 300 books, papers, articles, and other presentations to his credit. His interests include information assurance, software engineering, secure applications development, security and privacy, collaborative decision making, and the impact of technology on organization structure.
He has been described in the press as the father of the knowledge base used worldwide to establish computer security and information assurance. He was responsible for compiling and editing computer security training standards for the U.S. government.
In 2003 he was selected as the first university professor at Idaho State University. He directs the Informatics Research Institute and the National Information Assurance Training and Education Center. His program was recognized by the U.S. government as a Center of Academic Excellence in Information Assurance and is a leading institution in the CyberCorps/Scholarship for Service program.
In addition to his academic accomplishments, he holds a broad spectrum of certifications including Certified Cyber Forensics Professional (CCFP), Certified Secure Software Lifecycle Professional (CSSLP), HealthCare Information Security and Privacy Practitioner (HCISPP), Information Systems Security Architecture Professional (CISSP-ISSAP), and Information Systems Security Management Professional (CISSP-ISSMP).
During his career he has been recognized by many organizations including the Federal Information Systems Security Educators Association, which selected him as the 1996 Educator of the Year, and his research and center were cited by the Information Systems Security Association for Outstanding Contributions to the Profession. In 1997 he was given the TechLearn award for contributions to distance education.
He was nominated and selected as an honorary Certified Information Systems Security Professional (CISSP) based on his lifetime achievement. In 2001 the International Information Systems Security Certification Consortium (ISC)2 selected him as the second recipient of the Tipton award for contributions to the information security profession. In 2007, he was recognized as Fellow of (ISC)2.
About the Technical Editor
Stephen R. Hyzny is a university lecturer in information technology at Governors State University specializing in IT security. He has more than 25 years of experience and is a subject matter expert for CompTIA and a senior network consultant and trainer for Einstein Technology Solutions. He is a board member of the Illinois Technology Foundation, an ACM member and advisor for Governors State’s ACM chapter and Collegiate Cyber Defense team, and a member of the Upsilon Pi Epsilon honor society. Stephen graduated from St. Mary’s University with a BA in computer science and from Capella University with an MS in technology with a concentration in network architecture and design. He holds numerous certifications from Cisco, Microsoft, CompTIA, and Novell.
About the Contributors
James D. Ashley III is a California cybersecurity professional with seven years of experience in the IT field. His experience spans systems and network administration, web development, IT security and solutions consulting, Python and C++ development, and project management. He holds a BS in administration with a cybersecurity concentration from California State University – San Bernardino and is a Certified Associate in Project Management. His early career focused on private enterprise; he is currently employed as the project manager and solutions architect for the NICE Challenge Project, a virtual challenge environment development program funded by the National Science Foundation and the Department of Homeland Security. His personal and professional interests are well aligned: in his spare time he researches new security tools and follows the business side of the technology industry.
Jeffrey D. Echlin is a cybersecurity professional from California with more than a decade of IT fieldwork and consultancy experience, including penetration testing and incident response. His enthusiasm for technology began at the age of 9 with his first computer and persists to this day, reflected in every technological achievement and project he has completed. He holds a BS degree in business administration/cybersecurity from California State University – San Bernardino. Jeffrey also holds Security+, Network+, A+, and Certified Ethical Hacker certifications. He has transitioned from the private sector into the government sector and is currently the lead builder for the NICE Challenge Project, funded by the National Science Foundation and the Department of Homeland Security. His primary personal and professional interests include penetration testing, forensics, and malware analysis.
Contents at a Glance
PART I NETWORKING BASICS: HOW DO NETWORKS WORK?
Chapter 1 WORKSTATION NETWORK CONFIGURATION AND CONNECTIVITY
Chapter 2 NETWORK TRANSPORTS
Chapter 3 NETWORK APPLICATIONS
PART II VULNERABILITIES AND THREATS: HOW CAN SYSTEMS BE COMPROMISED?
Chapter 4 PENETRATION TESTING
Chapter 5 ATTACKS AGAINST APPLICATIONS
Chapter 6 MORE ATTACKS: TROJAN ATTACKS, MITM, STEGANOGRAPHY
PART III PREVENTION: HOW DO YOU PREVENT HARM TO NETWORKS?
Chapter 7 HARDENING THE HOST COMPUTER
Chapter 8 SECURING NETWORK COMMUNICATIONS
PART IV DETECTION AND RESPONSE: HOW DO YOU DETECT AND RESPOND TO ATTACKS?
Chapter 9 PREPARING FOR AND DETECTING ATTACKS
Chapter 10 DIGITAL FORENSICS
Appendix OBJECTIVES MAP: COMPTIA SECURITY+™
INDEX
Contents
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
PART I NETWORKING BASICS: HOW DO NETWORKS WORK?
Chapter 1 WORKSTATION NETWORK CONFIGURATION AND CONNECTIVITY
Lab 1.1: Network Workstation Client Configuration
Lab 1.1w: Windows Client Configuration
Lab 1.1l: Linux Client Configuration
Lab 1.1 Analysis Questions
Lab 1.1 Key Terms Quiz
Lab 1.2: Computer Name Resolution
Lab 1.2w: Name Resolution in Windows
Lab 1.2 Analysis Questions
Lab 1.2 Key Terms Quiz
Lab 1.3: IPv6 Basics
Lab 1.3w: Windows IPv6 Basics (netsh/ping6)
Lab 1.3 Analysis Questions
Lab 1.3 Key Terms Quiz
Chapter 2 NETWORK TRANSPORTS
Lab 2.1: Network Communication Analysis
Lab 2.1w: Network Communication Analysis in Windows
Lab 2.1 Analysis Questions
Lab 2.1 Key Terms Quiz
Lab 2.2: Port Connection Status
Lab 2.2w: Windows-Based Port Connection Status
Lab 2.2l: Linux-Based Port Connection Status
Lab 2.2 Analysis Questions
Lab 2.2 Key Terms Quiz
Chapter 3 NETWORK APPLICATIONS
Lab 3.1: FTP Communication (FTP-HTTP)
Lab 3.1w: Windows FTP Communication (FTP-HTTP)
Lab 3.1l: Linux FTP Communication (FTP-HTTP)
Lab 3.1 Analysis Questions
Lab 3.1 Key Terms Quiz
Lab 3.2: E-mail Protocols: SMTP and POP3
Lab 3.2m: Windows E-mail: SMTP and POP3
Lab 3.2l: Linux E-mail: SMTP and POP3
Lab 3.2 Analysis Questions
Lab 3.2 Key Terms Quiz
PART II VULNERABILITIES AND THREATS: HOW CAN SYSTEMS BE COMPROMISED?
Chapter 4 PENETRATION TESTING
Lab 4.1: IP Address and Port Scanning, Service Identity Determination
Lab 4.1w: Using Nmap in Windows
Lab 4.1 Analysis Questions
Lab 4.1 Key Terms Quiz
Lab 4.2: GUI-Based Vulnerability Scanners
Lab 4.2m: Using a Vulnerability Scanner (OpenVAS)
Lab 4.2 Analysis Questions
Lab 4.2 Key Terms Quiz
Lab 4.3: Researching System Vulnerabilities
Lab 4.3i: Researching System Vulnerabilities
Lab 4.3 Analysis Questions
Lab 4.3 Key Terms Quiz
Lab 4.4: Using Metasploit
Lab 4.4l: Using the Metasploit Framework
Lab 4.4 Analysis Questions
Lab 4.4 Key Terms Quiz
Lab 4.5: Password Cracking
Lab 4.5l: Password Cracking
Lab 4.5 Analysis Questions
Lab 4.5 Key Terms Quiz
Lab 4.6: Using Cobalt Strike
Lab 4.6l: Using Cobalt Strike
Lab 4.6 Analysis Questions
Lab 4.6 Key Terms Quiz
Chapter 5 ATTACKS AGAINST APPLICATIONS
Lab 5.1: Web SQL Injection
Lab 5.1li: Web SQL Injection in Linux
Lab 5.1 Analysis Questions
Lab 5.1 Key Terms Quiz
Lab 5.2: Web Browser Exploits
Lab 5.2m: Web Browser Exploits
Lab 5.2 Analysis Questions
Lab 5.2 Key Terms Quiz
Lab 5.3: E-mail System Exploits
Lab 5.3m: Exploiting E-mail Vulnerabilities in Windows
Lab 5.3 Analysis Questions
Lab 5.3 Key Terms Quiz
Chapter 6 MORE ATTACKS: TROJAN ATTACKS, MITM, STEGANOGRAPHY
Lab 6.1: Trojan Attacks
Lab 6.1w: Using the Dark Comet Trojan
Lab 6.1 Analysis Questions
Lab 6.1 Key Terms Quiz
Lab 6.2: Man-in-the-Middle Attack
Lab 6.2m: Man-in-the-Middle Attack
Lab 6.2 Analysis Questions
Lab 6.2 Key Terms Quiz
Lab 6.3: Steganography
Lab 6.3w: Steganography in Windows
Lab 6.3 Analysis Questions
Lab 6.3 Key Terms Quiz
PART III PREVENTION: HOW DO YOU PREVENT HARM TO NETWORKS?
Chapter 7 HARDENING THE HOST COMPUTER
Lab 7.1: Hardening the Operating System
Lab 7.1w: Hardening Windows 7
Lab 7.1 Analysis Questions
Lab 7.1 Key Terms Quiz
Lab 7.2: Using Antivirus Applications
Lab 7.2w: Antivirus in Windows
Lab 7.2 Analysis Questions
Lab 7.2 Key Terms Quiz
Lab 7.3: Using Firewalls
Lab 7.3l: Configuring a Personal Firewall in Linux
Lab 7.3 Analysis Questions
Lab 7.3 Key Terms Quiz
Chapter 8 SECURING NETWORK COMMUNICATIONS
Lab 8.1: Using GPG to Encrypt and Sign E-mail
Lab 8.1m: Using GPG in Windows
Lab 8.1 Analysis Questions
Lab 8.1 Key Terms Quiz
Lab 8.2: Using Secure Shell (SSH)
Lab 8.2l: Using Secure Shell in Linux
Lab 8.2m: Using Secure Shell in Windows
Lab 8.2 Analysis Questions
Lab 8.2 Key Terms Quiz
Lab 8.3: Using Secure Copy (SCP)
Lab 8.3l: Using Secure Copy in Linux
Lab 8.3m: Using Secure Copy in Windows
Lab 8.3 Analysis Questions
Lab 8.3 Key Terms Quiz
Lab 8.4: Using Certificates and SSL
Lab 8.4l: Using Certificates and SSL in Linux
Lab 8.4 Analysis Questions
Lab 8.4 Key Terms Quiz
Lab 8.5: Using IPsec
Lab 8.5w: Using IPsec in Windows
Lab 8.5 Analysis Questions
Lab 8.5 Key Terms Quiz
PART IV DETECTION AND RESPONSE: HOW DO YOU DETECT AND RESPOND TO ATTACKS?
Chapter 9 PREPARING FOR AND DETECTING ATTACKS
Lab 9.1: System Log Analysis
Lab 9.1w: Log Analysis in Windows
Lab 9.1l: Log Analysis in Linux
Lab 9.1 Analysis Questions
Lab 9.1 Key Terms Quiz
Lab 9.2: Intrusion Detection Systems
Lab 9.2l: Using a Network Intrusion Detection System (Snort) in Linux
Lab 9.2 Analysis Questions
Lab 9.2 Key Terms Quiz
Lab 9.3: Backing Up and Restoring Data
Lab 9.3w: Backing Up and Restoring Data in Windows
Lab 9.3l: Backing Up and Restoring Data in Linux
Lab 9.3 Analysis Questions
Lab 9.3 Key Terms Quiz
Lab 9.4: Using Honeypots
Lab 9.4w: Using Honeypots in Windows
Lab 9.4 Analysis Questions
Lab 9.4 Key Terms Quiz
Chapter 10 DIGITAL FORENSICS
Lab 10.1: Live Analysis: Incident Determination
Lab 10.1w: Live Analysis: Incident Determination in Windows
Lab 10.1 Analysis Questions
Lab 10.1 Key Terms Quiz
Lab 10.2: Acquiring the Data
Lab 10.2w: Acquiring the Data in Windows
Lab 10.2 Analysis Questions
Lab 10.2 Key Terms Quiz
Lab 10.3: Forensic Analysis
Lab 10.3l: Forensic Analysis in CAINE
Lab 10.3 Analysis Questions
Lab 10.3 Key Terms Quiz
Lab 10.4: Remote Image Capture
Lab 10.4l: Remote Forensic Image Capture Over a Network
Lab 10.4 Analysis Questions
Lab 10.4 Key Terms Quiz
Appendix OBJECTIVES MAP: COMPTIA SECURITY+™
INDEX
Foreword
In a cyber environment of hackers, attackers, and malefactors, defending and securing computer systems, together with forensic analysis, is an increasingly important set of skills. Between script kiddies and experts, the defenders will always be outnumbered. Every time you detect a system attack, someone ought to do something. The underlying problem is that to some extent, each attack is unique but shares characteristics with other attacks. How are we to learn?
There are actually two forewords to this book. One is for the advanced learner who is already battle-hardened through many courses, while the other is for the aspiring practitioner who is learning the art of securing systems.
For the Advanced Student
You might ask, why in the world should I use this book? I have listened intently in all my classes, and I certainly know about hardware, software, operating systems, computers, security, networks, and the myriad things that can go wrong. Right?
Nevertheless, how often do you have a chance to practice making things right? Sometimes there have been limited chances to do something hands on. You do not want your first hands-on practice to start right after the phone rings at 3 a.m. Something has happened, and from what you can tell from the panicked user, it means the end of the world as he knows it. So, you grab a cup of coffee and head into battle with the unknown.
Like most students, you know the theory of solving security problems, but you have little practice solving real problems.
As an advanced student, you are about to become a warrior in an ongoing cyberwar. There is an old adage—warriors fight only as well as they train. Well-trained warriors will prevail even when presented with a problem they have never encountered directly. A colleague of mine told me about an incident while he was in the Navy that required the crew to confront an unanticipated life-threatening situation. Their training made the difference. As professionals, we must train so that our actions are fluid and well practiced. If we are lucky, we have learned a kata (a form) from a well-seasoned sensei (teacher) who understands that in computer security each crisis is entirely new. This book allows you to practice your art without risking critical systems. It helps you improve your kata, and it helps you nurture aspiring practitioners. It will help make you a professional.
For the Aspiring Practitioner
Years ago, a student of mine told me that he was a member of the Screen Actors Guild (SAG) union. I was impressed, and I asked him how he had gotten in. He laughed and told me that it was tricky. You could get a union card only if you had been in a professional performance, and the only way you could get a job in a professional performance was to have a union card. Well, to some extent, computer security presents a similar problem. The only way to get a computer security job is to have experience; the only way to get experience is to have a job. This book helps solve that problem: You gain real knowledge and experience through real-world learning scenarios.
Learning How to Defend
No matter your level of expertise, you will be able to practice the skills you need by learning about how systems work, system vulnerabilities, system threats, attack detection, attack response/defense, and attack prevention.
Using a flexible approach, you will be learning practical skills associated with the following items:
If you are an expert or you are just aspiring to know more about computer security, this book is a practical assistant that lets you practice, practice, practice. It can accompany any textbook or resource you want. The principles used are the essentials of the profession expressed in a hands-on environment.
—Corey D. Schou, PhD Series Editor
Acknowledgments
I would like to give special thanks to Brian Hay and Kara Nance of the University of Alaska Fairbanks for their support and for the use of the RAVE labs for the testing and development of this manual. Thank you to Tony Coulson and Jake Zhu for their continued support of my professional development and career path. To Greg Frey and Elizabeth Grimes, for your tireless dedication and attention to detail. Special thanks to Dr. Corey Schou. Ten years ago, you took the time and interest in what I had to share. You have helped me in no small way to make it further along my path. I am grateful for your kindness and generosity with your expertise.
—Vincent Nestler
Testing and Review
Many hours were spent testing and tweaking the exercises in this manual. Thank you to the testers and reviewers, who contributed insightful reviews, criticisms, and helpful suggestions that continue to shape this book.