h4X0R

Know Your Enemy

Hacking Methodology & Tools:
Network Reconnaissance &
Building Your Lab

Ted Mac Daibhidh, C.D.

NETWORK SECURITY &
ETHICAL HACK SPECIALIST

ubergeek@whitehats.ca
h4X0R
Know Your Enemy

Hacking Methodology & Tools:

Network Reconnaissance &
Building Your Lab
 Classification

This briefing has no

class at all - in fact…

The briefing is
UNCLASSIFIED
in its entirety.
 Briefing Goals
The goal of this briefing is five-fold:

a. acquaint the analyst with the hacker’s methodology (“The Anatomy of a

Hack”) with respect to network reconnaissance;

b. introduce the some of the methods and tools used during the network
reconnaissance process;

c. drive home the requirement for continuing professional development;

d. demonstrate the benefits of a personal lab and the methods used in lab
construction; and

e. introduce some tools that can be utilized in a personal lab environment.

 The Anatomy of a Hack
The “Anatomy of a Hack” summarizes the steps a
cracker undertakes prior to and during a network
Footprinting attack. This process consists of two distinct phases:

Scanning
• Reconnaissance and Target Acquisition
Footprinting
Enumeration
Scanning
Gaining Access Enumeration

Privilege
Escalation
• Assault
Gaining access
Pilfering
Privilege escalation
Covering Tracks
Pilfering
Back Door Covering tracks
Creation
Back door creation
Denial of
Service Denial of Service (DoS)
 Footprinting

Footprinting refers to the systematic process by which an

attacker attempts to compile as much information as possible
regarding a targeted network, including:

• Domain name
• Network blocks

• Overall security posture

• Specific IP addresses

Types of Footprinting:
• Active – The target may be alerted to the activity
(traceroutes, social engineering, zone transfers).
• Passive - The target is unaware of the reconnaissance
activity (Whois searches, other open source information).
 Footprinting Techniques & Tools

Techniques –
• DNS zone transfer/interrogation
• Online Tools
• Open source search
• Route tracing
• Social Engineering
• Whois lookup

Tools –
• nslookup
• p0f
• “Sam Spade”
• Search engines
• traceroute
• Usenet
• whois (Internic, ARIN, etc.)
• WinNSlookup
DNS Interrogation
DNS Interrogation
 DNS Interrogation
DNS Resource Record Type Codes

Most DNS RR types are defined in RFCs 1034, 1183, 1876, and 2782.

DNS RR Type Codes:

• A (Assigned) - Associates an IP with a canonical hostname.
• CNAME (Canonical Name) - Associates an alias with its canonical hostname.
• HINFO (Host Information) – Specifics regarding an individual host.
• LOC (Location Brief) – The geographical location of a host.
• MINFO (Mail Information) – Mail related resource information.
• MX (Mail Exchange) – Identifies a mail exchange resource.
• NS (Name Server) - Points to a master name server of a subordinate zone.
• RP (Responsible Person) – Identifies the individual responsible for a host.
• SOA (Start of Authority) - Identifies the start of a zone of authority.
• SRV (Server) – Designates any host providing a network service.
• WKS (Well Known Service) – Information services offered on a host.
 DNS Interrogation
DNS Record Examples

DOMAIN DNS RR TYPE RECORD ENTRY

IMISSTECH.TV. A 10.1.1.1 imisstech.tv.

HINFO HP-UX UNIX
SRV DMZ Server
WKS 10.1.1.1 tcp ftp telnet smtp pop3
RP ted.macdaibhidh.imisstech.tv.

IAMACUTEC.AT. A 192.168.1.1 iamacutec.at

MX 10 iamacutec.at
HINFO WINDOWS 2003 SERVER
WKS 192.168.1.1 udp domain
WKS 192.168.1.1 tcp ftp telnet smtp domain
RP wallie.the.tabby.cat.admin.iamacutec.at.
RP murphy.the.mainecoon.tech.iamacutec.at
Online Tools – Sam Spade
Open Source Search – Search Engine
Open Source Search – Search Engine
UseNet Search
Lookup - ARIN Whois
Lookup - InterNIC Whois
 Traceroute
c:\>tracert server.target.net
• Traceroute is a utility available
OR in both Windows and *nix OSes.
c:\>tracert 4.3.4.2 • This utility records the the
specific gateway computers at
each hop between the source
host and a specified destination
host.
• Allows the attacker to determine
some basic network topology and
determine the location of routers
and packet filtering devices.
• As a general rule of thumb, the last
host before the live target host is
performing routing/packet filtering
functions.
• Use of the “-p” switch to specify a
specific destination port may allow
tracerouting beyond packet
filtering devices.
 Traceroute

C:\WINDOWS\Desktop>tracert 1.2.61.100
Tracing route to host bb2-web1.xxx.net [1.2.61.100]
1 3 ms 9 ms 9 ms Ubergeek [xxx.xxx.xxx.xxx]
2 70 ms 49 ms 69 ms gw01.phub.cable.rogers.com [xxx.xxx.82.138]
3 116 ms 99 ms 99 ms bb2.gw4.xxx.xxx.net [1.2.60.1]
4 117 ms 100 ms 100 ms bb2-gw2-60-22.xxx.net [1.2.60.2]
6 198 ms 109 ms 110 ms bb2-fw-2-dmz.xxx.net [1.2.61.1]
7 237 ms 179 ms 220 ms bb2-web1.xxx.net [1.2.61.100]
Trace complete.
C:\WINDOWS\Desktop>
 XXX.net Network Topology

• With one simple traceroute

to a web server, we have
determined the basic topology
of the XXX.net network.
• Armed with a basic knowledge
of network design, we can
surmise that:
a. another firewall is in place
between the internal
network cloud and the
router; and
b. other possibly vulnerable
services and applications
(e.g. FTP, databases,
e-mail)are running in the
DMZ cloud.
• Now that the basic network
topology has been resolved,
more intrusive methods can
be used to footprint other
network resources.
 Traceroute

C:\WINDOWS\Desktop>tracert
Tracing route to host bb2.fw1.xxx.xxx.net [1.2.60.3]
• We now have an initial
1 2ms 6 ms 8 ms Ubergeek [xxx.xxx.xxx.xxx]
map of the network
2 68 ms 47ms 69 ms gw01.phub.cable.rogers.com [xxx.xxx.82.138] and an insight into the
3 111 ms 92 ms 100 ms bb2.gw4.xxx.xxx.net [1.2.60.1] its naming conventions.
4 123ms 101 ms 103 ms bb2.gw2.xxx.xxx.net [1.2.60.2]
• An educated guess and
5 138 ms 107 ms 109 ms bb2.fw1.xxx.xxx.net [1.2.60.3]
another traceroute
Trace complete.
yields another firewall.
C:\WINDOWS\Desktop>
 Firewalking

• Firewalking is a technique that

allows an attacker to covertly
map the ACLs of packet
filtering devices.
• Sends TCP or UDP packets to
the packet filter that have a
TTL set at one hop greater
than the target.
• Should the packet make it
through the gateway, it is
forwarded to the next hop
where the TTL equals zero
and the packet is discarded.
• Using this method, the ACL
rules of a packet filter can
be determined without actually
touching any hosts behind the
device.
 Firewalking
Fire, walk with me…

• In this example, firewalk will

scan ports 1-1024 using TCP
packets directed at the firewall
(1.2.61.1) using the previously Ubergeek:#firewalk -n -S 1–1024 TCP 1.2.61.1 1.2.61.100
mapped host at 1.2.61.100 as a
Firewalking through 1.2.61.1 (towards 1.2.60.100) with a
metric.
maximum of 25 hops.
• The packet filter is found after
three hops and firewalk begins Ramping up hopcounts to binding host...
scanning using TCP packets with
probe: 1 TTL: 1 port 33434: <response from> [1.2.60.1]
a TTL of 4.
probe: 2 TTL: 2 port 33434: <response from> [1.2.60.2]
• In this case, the ports shown probe: 3 TTL: 3 port 33434: Bound scan: 3 hops <Found gateway
were allowed by the ACL and at 3 hops> [1.2.61.1]
passed successfully through the
Scanning...
packet filter.
• The attacker can therefore port 20: open
surmise in this case that at port 21: open
least one web server, an ssh server port 22: open
port 53: open
and an ftp server are running in
port 80: open
the DMZ.
• Armed with this information, the 1027 packets sent, 5 replies received.
attacker can plan any further actions
appropriately.
VisualRoute
 Social Engineering

Social engineering is a form of hacking that target’s people

(wetware) instead of their networks.

The most successful hackers also successful social engineers

because there is no patch for human stupidity.

Types of social engineering include:

● Tainting Trust
● Dumpster Diving
● Shoulder Surfing
● Proxy Probing
 The Anatomy of a Hack
The “Anatomy of a Hack” summarizes the steps a
cracker undertakes prior to and during a network
Footprinting attack. This process consists of two distinct phases:

Scanning
• Reconnaissance and Target Acquisition
Footprinting
Enumeration
Scanning
Gaining Access Enumeration

Privilege
Escalation
• Assault
Gaining access
Pilfering
Privilege escalation
Covering Tracks
Pilfering
Back Door Covering tracks
Creation
Back door creation
Denial of
Service Denial of Service (DoS)
 Scanning Techniques & Tools

Techniques –
• Ping sweep
• TCP/UDP port scan
• Stealth scans

Tools –
• Nmap
• SuperScan
• Internet Toolkit
• Hping
• Grim’s Ping
 Scanning
Scanning is the process by which the attacker performs bulk target assessment,
identifies listening services and locates possible points of ingress.
Types of scans include the following:
• Ping Sweep – Attempts to determine which hosts on a network are reachable.

• Vanilla – Attempts to connect to all 65535 ports.

• Stealth – Attempts to connect to ports using various techniques, including

half-open connections (FIN/SYN) in order to avoid detection.
• Reflex – Attempts to connect using fragmented packets, XMAS (all TCP flags
set) or NULL (no TCP flags set) in order provoke a specific response.

• Strobe – Attempts to connect to a few known ports.

• UDP – Attempts to locate open UDP ports.

• Horizontal Sweep – Scanning the same port across multiple hosts; attacker is
planning target a particular service.
• Vertical Sweep – Scanning multiple ports on a single host; attacker is attempting
to locate a vulnerable service.
 NMap (Network Mapper)

NMap is a powerful scanning tool that is

available in both *nix and Win32
versions.

● Employs multiple TCP scan facilities

(Null, XMAS, FIN, SYN).

● Capable of remote OS fingerprinting.

● Implements specialized stealth

scanning techniques (FTP bounce,
idle scan, etc.).
 Internet Toolkit
One of many similar tools available today, these toolkits are
capable of performing simple ping, port and service scans.

• Although quite functional,

the scanning techniques
utilized by Internet Toolkit
and similar scanning tools
(e.g. SuperScan) are quite
noisy.

• Tools such as this are

popular with skiddies as
they are easy to use and
readily available.
SuperScan

• SuperScan is a scanning
tool available free from
Foundstone.
• In addition to its scanning
ability, SuperScan
incorporates an automated
banner grabbing facility
(banner grabbing will
be discussed later).
 HPing

Hping is a very powerful command line based packet crafting tool

that allows the user to craft packets of virtually any type desired.

• Firewall testing

• Advanced port scanning

• Network testing, using

different protocols, TOS,
fragmentation

• Manual path MTU discovery

• Advanced traceroute, under

all the supported protocols

• Remote OS fingerprinting

• Remote uptime guessing

• TCP/IP stacks auditing

 HPing
# hping2 --scan known 192.168.1.103

Scanning 192.168.1.103 (192.168.1.103), port known

245 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
• The latest stable release 9 discard : .S..A... 64 0 32767 44

of HPing has implemented 13 daytime : .S..A... 64 0 32767 44

a scanning function. 21 ftp : .S..A... 64 0 32767 44

22 ssh : .S..A... 64 0 32767 44

• Even in scanning mode, it is 25 smtp : .S..A... 64 0 32767 44

37 time : .S..A... 64 0 32767 44
possible to utilize most of 80 www : .S..A... 64 0 32767 44
the tool’s functionality. 111 sunrpc : .S..A... 64 0 32767 44
113 auth : .S..A... 64 0 32767 44
631 ipp : .S..A... 64 0 32767 44
3306 mysql : .S..A... 64 0 32767 44
6000 x11 : .S..A... 64 0 32767 44
6667 ircd : .S..A... 64 0 3072 44
All replies received. Done.
No responding ports:
 Grim’s Ping
A Weapon of Mass Distribution

• Scans en masse for live

hosts, FTP and web
proxy servers.
• Capable of TCP SYN port
scanning.
• Scans for FTP public
shares (pubs).
• Plug-ins (Ping Companion,
etc.) add even more
functionality.
 The Anatomy of a Hack
The “Anatomy of a Hack” summarizes the steps a
cracker undertakes prior to and during a network
Footprinting attack. This process consists of two distinct phases:

Scanning
• Reconnaissance and Target Acquisition
Footprinting
Enumeration
Scanning
Gaining Access Enumeration

Privilege
Escalation
• Assault
Gaining access
Pilfering
Privilege escalation
Covering Tracks
Pilfering
Back Door Covering tracks
Creation
Back door creation
Denial of
Service Denial of Service (DoS)
 Enumeration

Definition of Enumeration:
A mathematical set with a total ordering and no infinite descending chains.
A total ordering "<=" satisfies x <= x; x <= y <= z => x <= z; x <= y <= x
=> x=y; and for all x, y, x <= y or y <= x. In addition, if a set W is well-
ordered then all non-empty subsets A of W have a least element, i.e. there
exists x in A such that for all y in A, x <= y.

Fortunately, man invented computers and

quickly discovered that mathematics
was no longer necessary.

Definition of Enumeration
Enumeration refers to the process by which the attacker makes use of
more intrusive probing in order to identify resource shares, user accounts,
operating systems and applications associated with the targeted network.
 Enumeration Techniques & Tools

Techniques –
• List user accounts
• List file shares
• Application/OS identification

Tools –
• Telnet
• Netcat
• SuperScan
• NAT
• NMap
• p0f
• VisualRoute
Banner Grabbing
 Banner Grabbing – Telnet
• Telnet may be utilized as a rudimentary tool to grab server banners.

• This is accomplished by opening a telnet session to the service you wish to enumerate.

• A successful telnet session should yield the server’s banner.

In the example above, telnetting into a web server on port

80 reveals that the server is running Microsoft IIS v5.0.
 Banner Grabbing - Netcat

• The much vaunted TCP/IP “Swiss

Army Knife”; every network security
professional should have Netcat in
their toolbox.
• Useful for creating custom stimuli
using “nudge files” to capture more
information in a banner reply than
would normally be provided.
• Armed with RFCs and a working
knowledge of TCP based protocols,
“nudge file” creation is easily
accomplished using a standard text
editor.
 Banner Grabbing - Netcat
Ubergeek:#nc -vv 10.1.1.1 80 < /home/usr/bin/nudge.txt

A nudge file consists of a couple of hard

carriage returns at a minimum; the nudge file
is redirected to the netcat command's stdin
using a hoinkie as demonstrated above.

Netcat is a powerful tool with many uses – this

demonstrates just one of them; you are highly
encouraged to experiment with netcat further
in your lab enviroment.
Banner Grabbing - VisualRoute

• VisualRoute is capable of
performing banner grab
enumeration of targeted
hosts.

• By directing traces at a
specific port useful
information may be obtained
about the target.

• In this case, the trace was

directed at port 80 on the
target host.
• VisualRoute has determined
that the target is an Apache
1.3.27 http server with
mod_throttle 3.1.2 and
mod_perl 1.26 installed
running on Unix.
Banner Grabbing - SuperScan

• In addition to its scanning

ability, is able to grab
banners from a targeted
network.
• This feature allows the
attacker to perform
banner grab enumeration
en masse.
• In this case, the scanner
has captured the banner
of the target’s SMTP
server.
p0f - Passive OS Fingerprinting

• P0f is a passive OS
fingerprinting tool.
• Runs in the background
and sniffs traffic on the
wire.
• The packet’s parameters
are compared against
fingerprint tables and
the program makes a
“best guess” regarding
the OS type in real time.
 OS Fingerprinting

OS Version Platform TTL Window DF TOS

Free BSD 3.x Intel 64 17520 Y 16
Open BSD 2.x Intel 64 17520 N 16
Linux 2.2 Intel 64 32120 Y 0
Solaris 8 Intel/SPARC 64 24820 Y 0
Windows 9x/NT Intel 32/128 5000-9000 Y 0
Windows 2000 Intel 128 17000-18000 Y 0

• TTL (Time To Live)

Time to live is a value in an IP packet that communicates to a network router whether or not the packet has
been on the network too long and should be discarded.
• Window
Window size is the amount of outstanding (unacknowledged by the recipient) data a host can transmit on a
single network connection before it receives an acknowledgement from the destination host.
• DF (Don’t Fragment Bit)
Located in bit two of an IP header’s sixth octet; the DF bit, if set, indicates that the packet is not to be
fragmented.
• TOS (Type of Service Byte)
The TOS byte is used for for internet service quality selection. Various fields within the byte specify
parameters for precedence, delay, throughput, and reliability.
 NMap – Active OS Fingerprinting

• NMap has the capability to

fingerprint a remote host’s
operating system, allowing
the attacker to enumerate
the target’s OS.
• Unlike p0f, NMap performs
active OS fingerprinting by
sending unusual and invalid
TCP packets to the target
host, then monitors the
wire for the target host’s
responses.
• In this case, NMap correctly
enumerated the target’s OS
as a Linux 2.4 x86 distro.
 Building Your Lab
Because there’s no place like /home

Why build a personal lab?

• Continuing professional development is a
necessary evil.
• This process can be greatly enhanced if one has
access to a personal computer lab.
• Maintaining a personal lab also provides excellent
bullets for performance reviews and résumés.
Besides, building a lab is easy and fun – and
the ladies dig guys with computer labs!
 Building Your Lab

Constructing a lab is a fairly easy process and can be

accomplished utilizing two methods:
a. hard network: one or more actual hosts
connected through a crossover cable or
switch/routing device; or
b. soft network: a single host running virtual
machines (this is the preferred configuration).

In either case, it is highly recommended that the lab

network be contained as a standalone implementation
vice being connected to a live network.
 My Lab Configuration – “Arda”

• PALANTIR is connected to the

wire via a hub and a receive-
only CAT5 cable.
• PALANTIR is isolated from the
lab network by MORANNON; the
firewall is only opened when
necessary to transfer files from
PALANTIR.
• MELKOR serves as the primary
analysis station and attack
platform; this host is directly
connected to SAURON with a
CAT5 crossover cable.
• In addition to its native
environment, SAURON is
capable of running
multiple VMWare virtual
machines to simulate
larger networks.
• GOLLUM is a standalone host
utilized for malware analysis
running a VMWare Player
virtual machine. Yes, the naming convention theme was inspired by
the Tolkien legendarium and yes, I am a Geek…
 Building Your Lab
KVM Switch
• Should you choose a hard or hard/soft combo configuration for
your lab network, multiple input/display devices are not
necessary.
• KVM switches allow you to use a single keyboard, mouse and
video display with multiple hosts.
 Building Your Lab
VMWare Player

• Run any single virtual machine.

• Real to virtual machine copy/paste and drag/drop.
• Multiple networking options.
• 32 and 64 bit OS support.
• User adjustable memory management.
• Easily and safely evaluate applications distributed in
virtual machines without any installation or
configuration.

VMware Player is a free download from the VMWare website.

Although this version supports only one virtual machine and

lacks the facility to generate virtual machine images, this
distro is adequate for most purposes where only a single
target is required.
http://www.vmware.com/products/player/
 Building Your Lab
Linux LiveCD Distros

• A LiveCD is an OS distro stored on a bootable CD-ROM that can

run without installation on a hard drive.
• Loads necessary system files into a RAM disk.
• The system returns to its previous OS/state when the LiveCD is
ejected and the computer is rebooted.
• Knoppix based distros can set up a “Persistent Home Directory”
on a Thumb Drive for storage and retrieval of files.

P S K
 Building Your Lab
Linux LiveCD Distros
General Toolkits:
Knoppix STD (Security Tools Distribution)
http://www.knoppix-std.org/

P.H.L.A.K. (Professional Hacker’s Linux Assault Kit)

http://www.phlak.org/modules/news/

Forensic Toolkits:
Helix
http://www.e-fense.com/helix/

PSK (Penguin Sleuth Kit)

http://www.linux-forensics.com/

Pen-Testing Toolkits:
KCPentrix
http://kcpentrix.net/

WHAX
ftp://ftp.belnet.be/packages/whoppix/whax-3.0-200705.iso
 Building Your Lab
Malware Analysis Tools
• All malware analysis should take place on a standalone
host, preferably one running a virtual machine.
• Once analysis is complete, the VM image can simply be
reloaded.
• Several free analysis tools are available from various
sources on the internet.
 Building Your Lab
Malware Analysis Tools
Autoruns – Displays programs configured to run during system bootup or login.
http://www.sysinternals.com/Utilities/Autoruns.html

Ethereal – Packet capture & protocol analysis.

http://www.ethereal.com

Filemon – Displays file system activity on a system in real-time.

http://www.sysinternals.com/Utilities/Filemon.html

ListDLLs – Displays which DLLs are loaded.

http://www.sysinternals.com/Utilities/ListDlls.html

Ollydbg - Assembler level analysing debugger.

http://www.ollydbg.de/

RegMon – Displays in Registry activity in real time.

http://www.sysinternals.com/Utilities/Regmon.html

Rootkit Revealer – Detects registry and API anomalies.

http://www.sysinternals.com/Utilities/RootkitRevealer.html

VICE -
WinDump/TCPDump – Pcap (sniffer) tools.
http://www.winpcap.org/windump
http://www.tcpdump.org/
 Building Your Lab
Compilers, Debuggers & Decompilers
Most exploits are made available as source code will have to be compiled in
order to be made executable; executable exploits can be decompiled and the
recovered code analyzed.
#include <stdio.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32")

// Use for find the ASM code

#define PROC_BEGIN __asm _emit 0x90 __asm
_emit 0x90\
__asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN
#define SEARCH_STR
"\x90\x90\x90\x90\x90\x90\x90\x90\x90"
#define SEARCH_LEN 8
#define MAX_SC_LEN 2048
#define HASH_KEY 13

// Define Decode Parameter

#define DECODE_LEN 21
#define SC_LEN_OFFSET 7
#define ENC_KEY_OFFSET 11
#define ENC_KEY 0xff

// Define Function Addr

#define ADDR_LoadLibraryA [esi]
#define ADDR_GetSystemDirectoryA [esi+4]
 Building Your Lab
Compilers
Bloodshed C/C++ IDE (Integrated Development Enviroment)
http://bloodshed.net

Digital Mars C+/C++ compiler

http://digitalmars.com

MinGW32 C/C++/ObjC compiler

http://mingw.org

Open Watcom C/C++ compiler

http://openwatcom.org

Decompilers
REC Multi format binary decompiler
http://www.backerstreet.com/rec/rec.htm

CHM Encoder MS compiled HTML Help Format (CHM) decompiler

http://www.gridinsoft.com/chm.php

DJ Java Decompiler Java demcompiler

http://mingw.org
 Building Your Lab
Metasploit Framework

The Metasploit Framework is an open source

computer security tool for developing and
executing exploit code against a remote
target machine.

The Framework is easily implemented on a

Windows host and incorporates a web
interface for ease of use; this makes it an
ideal tool for the neophyte to utilize in a lab
enviroment.

http://www.metasploit.com
 Building Your Lab
Metasploit Framework

“The Metasploit Framework. Point. Click. Pwn.”

 Building Your Lab
Reference Material
“The more you read, the more you learn and the less your adversary will know."
Sun Tzu, Chinese General,
“The Art of War”, c. 500 B.C.E.

Reference material can be a valuable asset to the InfoSec

professional, both in the lab and in the workplace.

• Many InfoSec related titles are available from both the public and
CIRT libraries.
• Deeply discounted computer books can be purchased at any
“Computer Books for Less” outlet in the Ottawa area.
 Words of Wisdom

“Know the enemy and know yourself and you need not fear the result of a hundred battles…
Sun Tzu, Chinese General,
“The Art of War”, c. 500 B.C.E.

Fight the Networks, Neo!

 Questions

For sooth, thus endeth the brief…

Questions?
 Acknowledgments

Mr. John Ronald Reuel Tolkien

For the damned good reads and the inspiration for my lab’s naming convention. Yessss –
my lab – my preciousssss.
http://www.tolkien.co.uk/frame_nf.htm

Mr. J.D. “Iliad” Frazer

For his kind permission to use “User Friendly” cartoons in my briefs.
http://www.userfriendly.org

Hacking Exposed, McGraw-Hill Publishing

http://www.foundstone.com

Inside Network Perimeter Security, Sams Publishing

http://www.samspublishing.com

Infosec Career Hacking, Syngress Press

http://www.syngress.com

Intrusion Signatures and Analysis, Sams Publishing

http://www.samspublishing.com

My Friends
For continuing to support my delusions of grandeur – as long as the cheques continue to clear.

Network Intrusion Detection, Sams Publishing

http://www.samspublishing.com