hakin9_2006_01_6.pdf

hakin9
Alice in Wonderland
Do you remember the year 2005? Did anything spectacular happen? Well, yes, in a way. That was the year when Sony BMG music CDs placed a rootkit on Microsoft Windows PCs when the CD was played on the computer. What is more, the company made no mention of this on the CD or its packaging, referring only to rights management measures. That's in theory, because in practice it was an excellent surveillance tool which allowed Sony to check users' files (have you got any mp3s, guys?). Thus the word rootkit came to public awareness and left the circle of those in the know.

A well-known definition says that rootkits are cloaking technologies that hide files, registry keys and other objects from diagnostic and security software. However, the original and crucial purpose of a rootkit is to provide access to the system any time our unexpected visitor wants it. That implies the particular situation in which an intruder can break into our computer, but the anti-virus system isn't able to catch it. The rootkit isn't present in the process list, yet it is there, stealing our passwords and secret codes. Sounds scary? It should. Can you imagine yourself, lost and confused, just like Alice in Wonderland, searching for your money in a bank account or for lost data and confidential information? It's not a fable anymore, but rather a real horror. The war has started and you have to be prepared for a hard struggle. The old adage says: an attack is the best form of protection. Awareness can be as effective as a loaded revolver. It doesn't matter that you are a pacifist. Yes, happiness is a warm gun...

In the first issue of our magazine, we present how to cope with rootkits under the Windows platform: how hackers create them, what the guiding principles of rootkits are and the techniques used by rootkit developers. In other words, you'll know the enemy's strategy (see page 14). On the defensive side, we also advise how to use sinkholing techniques, which help you defend your network from Denial-of-Service attacks by redirecting specific IP networks for different security-related purposes, including analysis and forensics, diversion of attacks, and detection of anomalous activities (p. 40).

When it comes to the security of an IT system, event logs play a crucial role. Over the last ten years event correlation has become an established event processing technique in many domains. We present what the main motivation for developing the Simple Event Correlator was and how to employ SEC for real-time security log monitoring (p. 28).

Our expert, Lars Packschies, discusses a solution for mail and data: cryptography. How do you encrypt or decrypt messages? What will you need (p. 58)?

Finally, a few words about packet sniffing backdoors. Can they do mischief to our security system? Find out by writing your own Proof-of-Concept tool (p. 68).

Alice, welcome to Wonderland. And enjoy hakin9.
Marta Ogonek
marta.ogonek@hakin9.org

In brief (p. 6)
A selection of news from the world of IT security.

hakin9.live (p. 10)
What's new in the latest hakin9.live version (3.0.1-aur), provided with our magazine.

Tools

Metasploit Framework (p. 12)
Carlos Garcia Prado
The author presents Metasploit, a development environment designed to ease the work of penetration testers and network security analysts.

GFI LANguard Network Security Scanner (p. 13)
Tomasz Nidecki
The author describes how GFI LANguard NSS works and what kind of advantages you can have thanks to the security scanner.

What's hot

Rootkits under Windows platforms (p. 14)
Nzeka Gilbert
We present the link between kernel hackers and corporations with web-marketing businesses which develop spyware or adware to profile websurfers, and corporations like Sony. Find out what the guiding principles of rootkits are and what kind of techniques and tools can be used by rootkit developers.

In Practice

Cryptography for Mail and Data (p. 58)
Lars Packschies
Should we put our confidential information in an e-mail and send it around the world? What is cryptography's role in more secure communication? We present how to set up and use GnuPG keys and how to encrypt data at the filesystem level.

Writing advanced Linux backdoors: packet sniffing (p. 68)
Brandon Edwards
As people create new defenses for backdoors, intruders are forced to innovate new techniques to keep pace with the rapidly progressing security industry. One of them is packet sniffing backdoors. We show you how it works and how to use it in practice.

hakin9 1/2006 www.hakin9.org
Focus

Simple Event Correlator for real-time security log monitoring (p. 28)
Risto Vaarandi
Over the past decade, event correlation has become a prominent event processing technique in many domains. However, existing open-source log monitoring tools don't support it well. We present what correlation is, what the motivation for developing it was and how to employ SEC.

Techniques

Network Defense Applications using Sinkholes (p. 40)
Victor Oppleman
A little-talked-about network security technique has proven one of the most effective means of defense against Denial-of-Service attacks. In this article we describe sinkholing techniques and present methods of protection.

How to cook a covert channel (p. 50)
Simon Castro and Gray World Team
Before starting to cook your covert channel, you first have to think about the recipe: what your covert channel will look like, what it will be used for and when you'll have your dinner. We make the menu, and teach you how to prepare a stealth control communication channel. Are you ready for cooking?

Interview

There is no absolute security: an interview with dr. Lars Packschies (p. 78)
We talk to a research associate at the local electronic data processing centre of the University of Cologne. How to use cryptographic solutions? Find out in this article.

Column

Beware the monitor-crashing worm (p. 80)
Konstantin Klyagin
Would you like to get a hammer and smash the monitor in front of you? Take it easy, Konstantin Klyagin proves that you can love your e-mail worms.

Upcoming (p. 82)
Announcements of articles to be published in the next issue of hakin9.

hakin9 is published by Software Wydawnictwo Sp. z o.o.
Executive Director: Jarosław Szumski
Market Manager: Ewa Dudzic ewal@software.com.pl
Product Manager: Marta Ogonek marta.ogonek@software.com.pl
Editors: Krystyna Wal, Łukasz Długosz, Daniel Schleusener, Krzysztof Konieczny
Distribution: Monika Godlewska monikag@software.com.pl
Production: Marta Kurpiewska marta@software.com.pl
DTP: Anna Osiecka annao@software.com.pl
Cover: Agnieszka Marchocka agnes@software.com.pl
CD: Jakub Wojnowski (Aurox Core Team)
Advertising department: adv@software.com.pl
Subscription: subscription@software.com.pl
Proofreaders: Nicholas Potter, Dustin F. Leer
Translators: Marek Szuba, Peter S. Rieth
Top betatesters: Rene Heinzl, Paul Bakker, Kedearian the Tilf, David Stow, Wendel Guglielmetti Henrique, Pastor Adrian, Peter Hüwe

Postal address: Software-Wydawnictwo Sp. z o.o., ul. Piaskowa 3, 01-067 Warsaw, Poland
Tel: +48 22 887 10 10, Fax: +48 22 887 10 11
www.hakin9.org/en

Software-Wydawnictwo Sp z o.o. is looking for partners from all over the World. If you are interested in cooperating with us, please contact us by e-mail: cooperation@software.com.pl

Print: 101 Studio, Firma Tęgi
Printed in Poland

Distributed in the USA by: Source Interlink Fulfillment Division, 27500 Riverview Centre Boulevard, Suite 400, Bonita Springs, FL 34134, Tel: 239-949-4450.
Distributed in Australia by: Europress Distributors Pty Ltd, 3/123 McEvoy St Alexandria NSW Australia 2015, Ph: +61 2 9698 4922, Fax: +61 2 96987675

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by company.
The editors use automatic DTP system

ATTENTION!
Selling current or past issues of this magazine for prices that are different than printed on the cover is, without permission of the publisher, harmful activity and will result in judicial liability.

hakin9 is also available in: Spain, Argentina, Portugal, France, Morocco, Belgium, Luxembourg, Canada, Germany, Austria, Switzerland, Poland, Czech, Slovakia
The hakin9 magazine is published in 7 language versions: EN PL ES CZ IT FR DE

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.