hakin9_2009_06_25.pdf

Year-End Summary

I know that the Year-End Summary is mostly related to our finances and is an easy and convenient way to sort expenses and prepare for tax time. However, I think that we do such summarising not only when we have to take into account ourselves, but also when we think about our life and work. I have all 6 issues that have been published in 2009 on my desk; looking at the covers, I see how many new topics we have presented in Hakin9 and how fast it has changed.

I hope that you agree that it was a really fruitful year for all of us. We also need to remember that it was also a really hard year for all of us, but we must think positively that the next one will be better than the last. This year has brought us many new attacks and many new defense techniques. We are all waiting for the next one to be able to write about them, to find more and more information on how to prevent these attacks and to make our life really interesting and enjoyable.

As most surveys reported, we also wrote about Web 2.0 and virtualisation this year and we provided you with various articles on the hot topic of data protection. Data theft was and is probably the main motive for most of the exploits.

We have also noticed that the attacks are becoming more and more sophisticated. The world was attacked by the Conficker worm this year, a simple virus that infected 9 million machines. Just connecting a USB stick to devices, like a printer to print some PDF documents, was enough for Conficker to infect and spread.

We also wrote about PDF (in)security in the 2009 issues, and we continue this motif in the Hakin9 6/2009 issue. Let's see what you have in your hands now and what you can read in this end-of-the-year issue.

Our lead article is Windows FE: A Windows-PE Based Forensic Boot CD, written by Marc Remmert. You can also find an instructional tutorial (without sound) on the CD. I hope that it will make for good additional content and will help you follow the instructions included within the article. To further pique your interest in digital forensics, go to page 24 and start reading Mervyn Heng's article Network Forensics: More Than Looking For Cleartext Passwords.

In the Attack section of the magazine you will find some excellent articles concerning ways and means to breach security. You will learn how to stay hidden in networks if you read Steffen Wendzel's article on Protocol Channels. You can also find out how fuzzing works by reading the article on page 42 written by Tamin Hanna. Definitely, you should open the magazine on page 46 and read the second part of the Windows Timeline Analysis article written by Harlan Carvey. This time Harlan applies all the theory to practice and tells you how to build your own timeline. Turn to page 50 to learn all about how to analyze PDF documents with the PDFiD and PDF-Parser tools. This is the second part of Didier Stevens' article on Anatomy of Malicious PDF Documents.

Finally, the last two articles in the Defence section definitely need to be read. If you want to see how symbol recovery can be applied to other areas, read Recovering Debugging Symbols From Stripped Static Compiled Binaries written by Justin Sunwoo Kim, and if you want to know how to check on possible data leakage, you should read the article entitled Simple DLP Verification Using Network Grep contributed by Joshua Morin.

I hope that you find some free evenings, as you have 9 articles in this issue to read. Please do not forget about the Regulars: the fantastic article on how the mobile phone opens the door to location (LBS) tracking, proximity marketing and cybercrime written by Julian Evans, and Matt Jonkman's great column Emerging Threats, entitled Viva la Revolucion.

We are always looking for new article topics and ideas that make Hakin9 unique and continue taking on challenges in the creation of our magazine to provide you next year with even greater joy and knowledge. Please remember we are waiting for your emails. Send them to en@hakin9.org. All ideas and thoughts help us prepare a better and more stimulating magazine for you. Our aim is to create the magazine that will be read by all security experts in the world; it is for all of you that we strive so hard to keep everyone in touch with the latest techniques, thoughts and concerns throughout the IT Security industry.

We wish you joyful and happy holidays.

Hakin9 Team
CONTENTS

BASICS

14 Windows FE
A Windows-PE Based Forensic Boot CD
MARC REMMERT
The basic work was conducted by Troy Larson, a Senior Forensic Investigator in Microsoft's IT Security Group. He first built a modified Windows PE for forensic purposes called Windows FE, which stands for Forensic Environment. Astonishingly, Windows is broadly used as an operating system for almost all of the recognized big forensic software packages, but it has never been used before as the base system for a forensic Boot-CD. Marc Remmert will try to show how to build your own Windows-based Boot CD.

24 Network Forensics: More Than Looking For Cleartext Passwords
MERVYN HENG
Digital forensics can be defined as the acquisition and analysis of evidence from electronic data to discover incidents of malicious or suspicious intent and correlate them with hackers or non-compliant employees. Sources of electronic data would include computer systems, storage media, electronic files and packets traversing a network. Digital forensics is mainly conducted at two layers: network and system. Mervyn Heng will introduce you to network forensics.

ATTACK

28 Unified Communications Intrusion Detection Using Snort
MARK RUBINO
Unified Communications (UC) is one of the hottest topics in the communications industry. UC converges several communications technologies (voice, video, messaging (instant and email) and collaboration (conferencing, white board)) into one seamless IP based communication architecture. The UC service seamlessly detects the location, application, network and device through which to make contact. Much of the promise of UC is based on features found in and delivered by the Session Initiation Protocol (SIP), IETF RFC 3261. Mark Rubino's article is intended to simplify configuration of Snort for operation on Windows platforms and to provide a measure of warning of malicious SIP activity aimed at unified communications servers and services in their infrastructure.

38 Protocol Channels
STEFFEN WENDZEL
A protocol channel switches between one of at least two protocols to send a bit combination to a destination. The main goal of a protocol channel is that the packets sent look equal to all other usual packets of the system. This is what makes a protocol channel hard to detect. Protocol channels provide attackers with a new way to stay hidden in networks. Even if detection by network security monitoring systems is possible, e.g. because of the unusual protocols used by the attacker, a regeneration of the hidden data is near impossible, since it would need information about the transferred data type, the way the sent protocol combinations are interpreted (big-endian or little-endian) and a recording of all sent packets to make a regeneration possible.

42 Fuzzing
Finding Vulnerabilities With rand()
TAMIN HANNA
Traditionally, the search for security-related flaws in code took place as follows: relevant sections of code were printed out, and developers went over them trying to find as many potential issues as possible. So-called code reviews tend to work quite well, but happen rarely due to the immense cost involved. Tamin will present you with what fuzzing is and how it works.

DEFENSE

46 Windows Timeline Analysis, Building a Timeline, Part 2
HARLAN CARVEY
The increase in sophistication of the Microsoft (MS) Windows family of operating systems (Windows 2000, XP, 2003, Vista, 2008, and Windows 7) as well as that of cybercrime has long required a corresponding increase or upgrade in response and analysis techniques. Harlan Carvey will describe what sources of timeline data are available on a Windows XP system and how to construct a timeline of system and user activity for analysis from an acquired image.

50 Anatomy of Malicious PDF Documents, Part 2
DIDIER STEVENS
Malware analysis must be done in a safe environment: a virus lab. The virus lab must help you prevent the malware from executing and contain the malware in the virus lab, should it ever execute. The question is, what tools do you need to analyze a malicious PDF document? You could use Acrobat Reader, but then you run the risk of infecting your machine when opening the PDF document. Didier Stevens, in this second article on malicious PDF documents, will introduce some tools to help you with your analysis.

56 Recovering Debugging Symbols From Stripped Static Compiled Binaries
JUSTIN SUNWOO KIM
A lot of malware programs have been stripped to prevent them from being analyzed, and the method described will enhance the process of debugging those malware programs and many other stripped binaries. Justin Sunwoo Kim will show you a method that merely reflects other signature finding methods such as FLIRT. His article will also be based on finding libc functions in the ELF binary format. As he claims, he first started to look into symbol recovery to better solve various war-games with stripped binaries. However, this can be applied to various areas.

66 Simple DLP Verification Using Network Grep
JOSHUA MORIN
Today, companies have to worry about espionage and battling the internal threat of confidential information being stolen or leaked. The demand to implement and deploy network equipment and software for DLP increases every year. How do you know if your network is safe? How do you know if your configurations are set properly to prevent data loss? Joshua Morin will show simple techniques for obtaining information or checking for possible data leakage.

REGULARS

06 In brief
Selection of short articles from the IT security world.
Armando Romeo & www.hackerscenter.com
ID Theft Protect

08 ON THE CD
What's new on the latest Hakin9 CD.
hakin9 team

12 Tools
DefenceWall HIPS
Don Iverson
Wireless Security Auditor
Michael Munt

70 ID fraud expert says...
A Look at How the Mobile Phone Opens the Door to Location (LBS) Tracking, Proximity Marketing and Cybercrime
Julian Evans

76 Interview
Interview with Michael Helander
Ewa Dudzic

78 Emerging Threats
Viva la Revolucion!
Matthew Jonkman

79 Book Review
The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
Michael Munt
Blown to Bits
Lou Raban

82 Upcoming
Topics that will be brought up in the upcoming issue of Hakin9
Ewa Dudzic

Code Listings
As it might be hard for you to use the code listings printed in the magazine, we decided to make your work with Hakin9 much easier. We place the complex code listings from the articles on the Hakin9 website (http://www.hakin9.org/en).

team

Editor in Chief: Ewa Dudzic
ewa.dudzic@hakin9.org
Editorial Advisory Board: Matt Jonkman, Rebecca Wynn, Rishi Narang, Shyaam Sundhar, Terron Williams, Steve Lape, Peter Giannoulis, Aditya K Sood, Donald Iverson, Flemming Laugaard, Nick Baronian, Tyler Hudak, Michael Munt
DTP: Ireneusz Pogroszewski, Przemysław Banasiewicz
Art Director: Agnieszka Marchocka
agnieszka.marchocka@hakin9.org
Cover's graphic: Łukasz Pabian
CD: Rafał Kwaśny
rafal.kwasny@gmail.com
Proofreaders: Konstantinos Xynos, Ed Werzyn, Neil Smith, Steve Lape, Michael Munt, Monroe Dowling, Kevin Mcdonald, John Hunter, Michael Paydo, Kosta Cipo, Lou Rabom, James Broad
Top Betatesters: Joshua Morin, Michele Orru, Clint Garrison, Shon Robinson, Brandon Dixon, Justin Seitz, Matthew Sabin, Stephen Argent, Aidan Carty, Rodrigo Rubira Branco, Jason Carpenter, Martin Jenco, Sanjay Bhalerao, Avi Benchimol, Rishi Narang, Jim Halfpenny, Graham Hili, Daniel Bright, Conor Quigley, Francisco Jesús Gómez Rodríguez, Julián Estévez, Chris Gates, Chris Grifin, Alejandro Baena, Michael Sconzo, Laszlo Acs, Benjamin Aboagye, Bob Folden, Cloud Strife, Marc-Andre Meloche, Robert White, Sanjay Bhalerao, Sasha Hess, Kurt Skowronek, Bob Monroe, Michael Holtman, Pete LeMay

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.

Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Łozowicka
ewa.lozowicka@software.com.pl
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
Marketing Director: Ewa Dudzic
ewa.dudzic@hakin9.org
Circulation Manager: Ilona Lepieszka
ilona.lepieszka@hakin9.org
Subscription:
Email: subscription_support@hakin9.org
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Print: ArtDruk www.artdruk.com
Distributed in the USA by: Source Interlink Fulfillment Division, 27500 Riverview Centre Boulevard, Suite 400, Bonita Springs, FL 34134, Tel: 239-949-4450.
Distributed in Australia by: Gordon and Gotch, Australia Pty Ltd., Level 2, 9 Roadborough Road, Locked Bag 527, NSW 2086 Sydney, Australia, Phone: + 61 2 9972 8800

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™
Cover-mount CD's were tested with AntiVirenKit by G DATA Software Sp. z o.o
The editors use automatic DTP system

ATTENTION!
Selling current or past issues of this magazine for prices that are different than printed on the cover is, without permission of the publisher, harmful activity and will result in judicial liability.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.