Introduction
The term "hacker" tends
to carry a mystique about it that ranges in definition from anti-social computer
genius to malicious virus writer. Thus, modern hackers as defined in media
stories tend to attack networks for identity theft, to steal credit cards,
extort banks, or launch denial-of-service attacks. Yet hackers may also be
brilliant programmers who can put together powerful tools that address some
need. A hacker could also be someone who uses "illegal" tools to bypass
censorship restrictions and protect personal privacy. The Internet didn't create
scams, extortion, theft, or repression—it merely serves as yet another avenue
for such activities. Of course, the Internet's global distribution and immediacy
of communication add new dimensions to such established activities, but they
share the core attributes of their "real world" counterparts. Consequently,
computer security—protection from hackers—has become a significant topic of
research, development, business, media, and marketing. This book strives to
present several tools that serve an integral part of computer and network
security. We hope that by presenting these tools you not only gain a better
understanding of how to test and secure your own computing environment, but that
we also lift the veil of some of the mystique behind hacking. In the end, a lot
of it boils down to knowledge of tools and how to use them.
Computer security is a
tough subject to deal with. Almost any networked device can be exploited,
scanned, or compromised given the right tools and time. Thus, it's important
from a defensive perspective to have the best tools at hand to determine your
own environment's risk and implement countermeasures. Some tools may get a job
done, but they may not get the job done well. Before you can select the right
tools for the job, you have to know what tools are available and a little bit
about them. You need to see how the tools get used in host and network
administration and how they're used to attack those same systems.
This book aims to feature "best practices" for using security
tools, giving background not only on how to use a tool but also on the
underlying reasons of why and when to use a particular tool. Knowing about a
tool's existence and its command-line options won't help today's IT professional
without a fundamental understanding of the underlying security principles and
concepts surrounding the tool. Through the use of screenshots, code listings,
example tool usage, and case studies, this book aims to show how each tool can
be used in certain real-world situations that may mirror your own. Although the
inclusion of command-line flags and configuration options also makes this book
useful as a desktop reference, the additional information and fundamental
concepts included in each chapter make this book much more than a "How-to"
manual. It lets you familiarize yourself with the tools at your disposal so you
can efficiently and effectively choose (and use) the right tools to properly
complete your task.
This book is divided into four parts: multifunctional tools, tools
to audit systems on the network, tools to audit the network, and tools to aid in
the investigation of incidents within your infrastructure. With the book
organized into these four parts, you should have the proper and field-tested
tools to perform
- Auditing and prevention
- Detection of incidents
- Investigations and response
- Remediation
As we have found, these tasks represent a significant amount of
the effort spent in a security, network, or system administrator's life on the
job. The term "Anti-Hacker" emerges because we encompass all of the previous
tasks (i.e., from the beginning to the end of the security process) in this
book. Some of the mystique of hacking should also wear away as you become aware
of new tools and see how they're used to compromise networks.
Each chapter conforms to a continuing theme. The chapter begins
with a summary of the tools discussed. Next, each tool is described. Each
section also contains in-depth implementation techniques, providing you with
hands-on information on how to utilize the tool best, including advice based on
what we have discovered when we've used the tools in the field. Case studies to
demonstrate the tool's use in the real world are used when appropriate. In some
instances, one case study is used to typify multiple tools discussed in the
chapter. For some topics, we were able to provide specific case studies for each
tool. While we try to make the case studies as real as possible, we had to use
literary license to make the story slightly more fun to read and to cover as
many of the tools as possible. There are instances where we may discuss the
system administrator's reactions to an incident that occurred on his
network, which could be considered questionable—at best. Therefore, we want to
mention that we are by no means providing a methodology or recommendation for
the course of action during a security engagement or incident, but we hope to
give you an interesting case study to read to help emphasize a tool's usage.
Returning readers will be rewarded with new tools and content,
which will also benefit those of you new to this book. Changes in the third
edition include
- Modified chapter layout for better flow and organization
- Updated content for tools throughout the book
- New case studies and examples for tools such as Netcat, tcpdump, Ethereal, nmap, hping, and more
- New tools such as THC-Amap, THC-Hydra, Trinux, Kismet, Ettercap, Wellenreiter, WinHex, X-Ways Trace, and more
- A whole new chapter on firewalls including discussions of firewall concepts, ipchains, iptables, IPFW, Cisco PIX, and more
We want to stress again that this book concentrates on the usage
of tools rather than the methodologies of securing your network. Therefore, this
book is a great companion to the Hacking
Exposed series and Incident
Response and Computer Forensics, by Kevin Mandia, Matt Pepe, and Chris
Prosise, because those books build the basis for the methodologies these tools
thrive upon. We suggest you read the methodologies discussed in these books
before trying to understand the tools used to implement them. But, if you
already have a general understanding of the methodologies, you will fit right in
when reading this book.
Additionally, to use these tools we must discuss the most popular
operating systems in the market today and others you may face when securing or
investigating existing networks. In this book, when we mention "Windows" we mean
any operating system published by Microsoft, Inc., such as
95/98/Me/NT/2000/2003, and XP, unless otherwise noted. On the other hand, when
we mention the word "Unix" we mean any Unix-like operating system and not just
the original version from Bell Labs. Some of the flavors of Unix on which these
tools are effective include Solaris (i386 and Sparc versions), Linux, FreeBSD,
NetBSD, OpenBSD, Mac OS X, and more. If a tool only operates on one version of
Unix, we will note that where it is appropriate.
Since the tools mentioned throughout this book can change
dramatically in the future (as we see especially with the open-source or hacker
tools), we include a copious amount of screenshots and output. We do this not to
provide filler material, but to help you match up later versions of the tool
with the information discussed in this book.
Also included is a CD-ROM that contains copies of many of the
tools mentioned in this book, which the vendors allowed us to distribute. When a
tool we discuss has a commercial license, we will include the vendor-approved
demonstration version. If there is not a demonstration version available to the
public, you must visit the vendor's web site directly to obtain the tool.
Because the open-source movement is gaining ground, we tried to include numerous
noncommercial tools on the CD-ROM and in the book's content in order for you to
have alternatives. We hope that the CD will remove a significant amount of the
hassle involved in obtaining these tools
and locating the appropriate web sites. This should aid you in following along
with any of the examples presented in the book.
As mentioned previously, network and security tools are
constantly changing to keep up with the times and advances in technology. New
tools will pop up and old tools will have new features. Because this book
focuses on network and security tools, we want to have a mechanism in place that
keeps you current and informed on the latest tools, tool changes, and
security-related news. To accomplish this, we offer http://www.antihackertoolkit.com, a companion web site to this
book. The site will contain links to tools, tool information, book errata, and
content updates.