Hack It Security Through Penetration Testing T J

Klevinsky download

https://ebookbell.com/product/hack-it-security-through-
penetration-testing-t-j-klevinsky-978328

Explore and download more ebooks at ebookbell.com

Here are some recommended products that we believe you will be
interested in. You can click the link to download.

The Code Book How To Make It Break It Hack It Crack It Simon Singh

https://ebookbell.com/product/the-code-book-how-to-make-it-break-it-
hack-it-crack-it-simon-singh-11481662

The Code Book How To Make It Break It Hack It Crack It Simon Singh

https://ebookbell.com/product/the-code-book-how-to-make-it-break-it-
hack-it-crack-it-simon-singh-4413824

Postit Note Hack 1st Edition Lifeloaded

https://ebookbell.com/product/postit-note-hack-1st-edition-
lifeloaded-48005278

Some Like It Hawk Donna Andrews

https://ebookbell.com/product/some-like-it-hawk-donna-
andrews-230289288
Hawk I Did It My Way Harrelson Ken Hawk

https://ebookbell.com/product/hawk-i-did-it-my-way-harrelson-ken-
hawk-11844928

Life Hacks Volume 1 How It Works

https://ebookbell.com/product/life-hacks-volume-1-how-it-
works-11618606

The Day It Rained Militia Hucks Defeat And The Revolution In The South
Carolina Backcountry Mayjuly 1780 Michael C Scoggins

https://ebookbell.com/product/the-day-it-rained-militia-hucks-defeat-
and-the-revolution-in-the-south-carolina-backcountry-
mayjuly-1780-michael-c-scoggins-44410542

Hacks For Life And Career A Millennials Guide To Making It Big Sandeep
Das

https://ebookbell.com/product/hacks-for-life-and-career-a-millennials-
guide-to-making-it-big-sandeep-das-24231176

Life Hacks Productivity Bet You Didnt Know It Could Do That Life Hacks
Thatll Blow Your Mind Diy How To Live Living Be More Inspiration
Stress Rafael Gurkovsky

https://ebookbell.com/product/life-hacks-productivity-bet-you-didnt-
know-it-could-do-that-life-hacks-thatll-blow-your-mind-diy-how-to-
live-living-be-more-inspiration-stress-rafael-gurkovsky-25729618
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks .

I l@ve RuBoard

Front Matter
Table of Contents
About the Author
Examples

Hack I.T.: Security Through Penetration Testing

T. J. Klevinsky
Scott Laliberte
Ajay Gupta
Publisher: Addison Wesley

First Edition February 01, 2002

ISBN: 0-201-71956-8, 544 pages

"This book covers not just the glamorous aspects such as the intrusion act itself, but all of the pitfalls,
contracts, clauses, and other gotchas that can occur. The authors have taken their years of trial and
error, as well as experience, and documented a previously unknown black art."
-From the Foreword by Simple Nomad, Senior Security Analyst, BindView RAZOR Team

Penetration testing--in which professional, "white hat" hackers attempt to break through an
organization’s security defenses--has become a key defense weapon in today’s information systems
security arsenal. Through penetration testing, I.T. and security professionals can take action to prevent
true "black hat" hackers from compromising systems and exploiting proprietary information.

Hack I.T.introduces penetration testing and its vital role in an overall network security plan. You will
learn about the roles and responsibilities of a penetration testing professional, the motivation and
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks .

strategies of the underground hacking community, and potential system vulnerabilities, along with
corresponding avenues of attack. Most importantly, the book provides a framework for performing
penetration testing and offers step-by-step descriptions of each stage in the process. The latest
information on the necessary hardware for performing penetration testing, as well as an extensive
reference on the available security tools, is included.

Comprehensive in scope Hack I.T. provides in one convenient resource the background, strategies,
techniques, and tools you need to test and protect your system--before the real hackers attack.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks .

I l@ve RuBoard

Hack I.T.: Security Through Penetration Testing

Foreword

Preface
Audience
Authors
How to Use This Book
Acknowledgments

Introduction

1. Hacking Today

2. Defining the Hacker

2.1 Hacker Skill Levels
2.2 Information Security Consultants
2.3 Hacker Myths
2.4 Information Security Myths

3. Penetration for Hire

3.1 Ramifications of Penetration Testing
3.2 Requirements for a Freelance Consultant
3.3 Announced vs. Unannounced Penetration Testing

4. Where the Exposures Lie

4.1 Application Holes
4.2 Berkeley Internet Name Domain ( BIND ) Implementations
4.3 Common Gateway Interface ( CGI )
4.4 Clear Text Services
4.5 Default Accounts
4.6 Domain Name Service ( DNS )
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks.

4.7 File Permissions

4.8 FTP and telnet
4.9 ICMP
4.10 IMAP and POP
4.11 Modems
4.12 Lack of Monitoring and Intrusion Detection
4.13 Network Architecture
4.14 Network File System ( NFS )
4.15 NT Ports 135?139
4.16 NT Null Connection
4.17 Poor Passwords and User IDs
4.18 Remote Administration Services
4.19 Remote Procedure Call ( RPC )
4.20 SENDMAIL
4.21 Services Started by Default
4.22 Simple Mail Transport Protocol ( SMTP )
4.23 Simple Network Management Protocol ( SNMP ) Community Strings
4.24 Viruses and Hidden Code
4.25 Web Server Sample Files
4.26 Web Server General Vulnerabilities
4.27 Monitoring Vulnerabilities

5. Internet Penetration
5.1 Network Enumeration/Discovery
5.2 Vulnerability Analysis
5.3 Exploitation
Case Study: Dual-Homed Hosts

6. Dial-In Penetration
6.1 War Dialing
6.2 War Dialing Method
6.3 Gathering Numbers
6.4 Precautionary Methods
6.5 War Dialing Tools
Case Study: War Dialing

7. Testing Internal Penetration

7.1 Scenarios
7.2 Network Discovery
7.3 NT Enumeration
7.4 UNIX
7.5 Searching for Exploits
7.6 Sniffing
7.7 Remotely Installing a Hacker Tool Kit
7.8 Vulnerability Scanning
Case Study: Snoop the User Desktop
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks.

8. Social Engineering
8.1 The Telephone
8.2 Dumpster Diving
8.3 Desktop Information
8.4 Common Countermeasures

9. UNIX Methods
9.1 UNIX Services
9.2 Buffer Overflow Attacks
9.3 File Permissions
9.4 Applications
9.5 Misconfigurations
9.6 UNIX Tools
Case Study: UNIX Penetration

10. The Tool Kit

10.1 Hardware
10.2 Software
10.3 VMware

11. Automated Vulnerability Scanners

11.1 Definition
11.2 Testing Use
11.3 Shortfalls
11.4 Network-Based and Host-Based Scanners
11.5 Tools
11.6 Network-Based Scanners
11.7 Host-Based Scanners
11.8 Pentasafe VigilEnt
11.9 Conclusion

12. Discovery Tools

12.1 WS_Ping ProPack
12.2 NetScanTools
12.3 Sam Spade
12.4 Rhino9 Pinger
12.5 VisualRoute
12.6 Nmap
12.7 What's running

13. Port Scanners

13.1 Nmap
13.2 7th Sphere Port Scanner
13.3 Strobe
13.4 SuperScan
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks.

14. Sniffers
14.1 Dsniff
14.2 Linsniff
14.3 Tcpdump
14.4 BUTTSniffer
14.5 SessionWall-3 (Now eTrust Intrusion Detection)
14.6 AntiSniff

15. Password Crackers

15.1 L0phtCrack
15.2 pwdump2
15.3 John the Ripper
15.4 Cain
15.5 ShowPass

16. Windows NT Tools

16.1 NET USE
16.2 Null Connection
16.3 NET VIEW
16.4 NLTEST
16.5 NBTSTAT
16.6 epdump
16.7 NETDOM
16.8 Getmac
16.9 Local Administrators
16.10 Global (?Domain Admins?)
16.11 Usrstat
16.12 DumpSec
16.13 user2Sid/sid2User
16.14 NetBIOS Auditing Tool ( NAT )
16.15 SMBGrind
16.16 SRVCHECK
16.17 SRVINFO
16.18 AuditPol
16.19 REGDMP
16.20 Somarsoft DumpReg
16.21 Remote
16.22 Netcat
16.23 SC
16.24 AT
16.25 FPipe
Case Study: Weak Passwords
Case Study: Internal Penetration to Windows

17. Web-Testing Tools

This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks.

17.1 Whisker
17.2 SiteScan
17.3 THC Happy Browser
17.4 wwwhack
17.5 Web Cracker
17.6 Brutus
Case Study: Compaq Management Agents Vulnerability

18. Remote Control

18.1 pcAnywhere
18.2 Virtual Network Computing
18.3 NetBus
18.4 Back Orifice 2000

19. Intrusion Detection Systems

19.1 Definition
19.2 IDS Evasion
19.3 Pitfalls
19.4 Traits of Effective IDSs
19.5 IDS Selection

20. Firewalls
20.1 Definition
20.2 Monitoring
20.3 Configuration
20.4 Change Control
20.5 Firewall Types
20.6 Network Address Translation
20.7 Evasive Techniques
20.8 Firewalls and Virtual Private Networks
Case Study: Internet Information Server Exploit?MDAC

21. Denial-of-Service Attacks

21.1 Resource Exhaustion Attacks
21.2 Port Flooding
21.3 SYN Flooding
21.4 IP Fragmentation Attacks
21.5 Distributed Denial-of-Service Attacks
21.6 Application-Based DoS Attacks
21.7 Concatenated DoS Tools
21.8 Summary

22. Wrapping It Up
22.1 Countermeasures
22.2 Keeping Current
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

23. Future Trends

23.1 Authentication
23.2 Encryption
23.3 Public Key Infrastructure
23.4 Distributed Systems
23.5 Forensics
23.6 Government Regulation
23.7 Hacking Techniques
23.8 Countermeasures
23.9 Cyber-Crime Insurance

A. CD-ROM Contents
Organization of the CD-ROM
Compilation of Programs

B. The Twenty Most Critical Internet Security Vulnerabilities?The Experts'

Consensus
The SANS Institute
G1?Default Installs of Operating Systems and Applications
G2?Accounts with No Passwords or Weak Passwords
G3?Non-existent or Incomplete Backups
G4?Large Number of Open Ports
G5?Not Filtering Packets for Correct Incoming and Outgoing Addresses
G6?Non-existent or Incomplete Logging
G7?Vulnerable CGI Programs
W1? Unicode Vulnerability (Web Server Folder Traversal)
W2?ISAPI Extension Buffer Overflows
W3? IIS RDS Exploit (Microsoft Remote Data Services)
W4?NETBIOS?Unprotected Windows Networking Shares
W5?Information Leakage Via Null Session Connections
W6?Weak Hashing in SAM ( LM Hash)
U1?Buffer Overflows in RPC Services
U2?Sendmail Vulnerabilities
U3?Bind Weaknesses
U4?R Commands
U5?LPD (Remote Print Protocol Daemon)
U6?Sadmind and Mountd
U7?Default SNMP Strings
Appendix Appendix A ?Common Vulnerable Ports
Appendix Appendix B ?The Experts Who Helped Create the Top Ten and Top
Twenty Internet Vulnerability Lists

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

Hack I.T.: Security Through Penetration Testing

Many of the designations used by manufacturers and sellers to distinguish

their products are claimed as trademarks. Where those designations appear
in this book, and Addison-Wesley, Inc. was aware of a trademark claim, the
designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book,
but they make no expressed or implied warranty of any kind and assume no
responsibility for errors or omissions. No liability is assumed for incidental or
consequential damages in connection with or arising out of the use of the
information or programs contained herein.

The publisher offers discounts on this book when ordered in quantity for
special sales. For more information, please contact:

Pearson Education Corporate Sales Division

201 W. 103rd Street

Indianapolis, IN 46290

(800) 428-5331

[email protected]

Visit AW on the Web: www.aw.com/cseng/

Library of Congress Cataloging-in-Publication Data

This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

Klevinsky, T.J.

Hack I.T. : security through penetration testing / T.J. Klevinsky, Scott

Laliberte, Ajay Gupta.

p. cm.

Includes index.

0-201-71956-8 (pbk.)

1. Computer security. 2. Computer—Access control—Testing. I. Laliberte,

Scott. II. Gupta, Ajay. III. Title.

QA76.9.A25 K56 2002

005.8—dc21

2001056058

Copyright © 2002 by Pearson Education, Inc.

All rights reserved. No part of this publication may be reproduced, stored in

a retrieval system, or transmitted, in any form, or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior
consent of the publisher. Printed in the United States of America. Published
simultaneously in Canada.

For information on obtaining permission for use of material from this work,
please submit a written request to:

Pearson Education, Inc.

Rights and Contracts Department

75 Arlington Street, Suite 300

Boston, MA 02116

Fax: (617) 848-7047

This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

Text printed on recycled paper

1 2 3 4 5 6 7 8 9 10—MA—0605040302

First printing, February 2002

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks .

I l@ve RuBoard

Foreword

Penetration testing is one of those odd jobs you typically hear little about—it is like a black art, and can
come with not only smoke and mirrors but, for the pen tester, any number of trap doors and blind
alleys. Bits and pieces of penetration testing have made it into the mainstream media, culminating in
the classic hacker-fave film Sneakers, starring Robert Redford, Sidney Poitier, and a host of other
stars. And while plenty seems to be written about hacking and gaining access to systems, there has
been nothing written that really speaks to the art of penetration testing.

Like most other high tech jobs portrayed in the movies, pen testing is not as glamorous as most
people think. Oh sure, there are exciting moments, such as when the first system belonging to the
target is penetrated, but it is actually hard work. Comparatively, a typical intruder's job is easy.

A regular electronic intruder has to find only one hole into an organization's computers, but a pen
tester has to find them all. This is not only somewhat tedious and even boring at times, it is very
important. The intruder probably does not care about such things as accidentally damaging systems,
or wiping log files to hide his presence. The pen tester is trying to keep from disrupting normal
business, preserve records and logs, yet still trying to move about unnoticed. In other words, to be a
pen tester you have to have not only all of the intruder techniques possible, but also understand
system administration as well as corporate life in general. Not an easy task.

Many people who are new to the wily world of penetration testing quickly realize that there are not just
drudgery tasks such as mapping out entire corporate networks and finding multiple attack vectors
instead of just one. They also come face to face with a dizzying spectrum of contracts, clauses,
guarantees, periodic mid-stream debriefings with confused clients, and everything else normal
contractors might encounter, plus dozens more that a normal IT contractor would never hope to
encounter. Can you essentially plan a legalized live simulation of a crime against a target, with the
vast majority of personnel at the target unaware you are performing a simulation?

Hard as it may seem, it can be one of the most rewarding jobs a geek can get. It is more than “playing
criminal,” it is playing the ultimate game of chess—a chess game where you get to try out every move.
You just have to document your moves so you can recreate your steps if needed.

The problem with most career choices is that unless you can sit down and talk with someone in the
business, you can never fully appreciate what that career is all about. In the world of plumbers, you
can go to the library and find tons of self-help books, and you probably either know a plumber or at
least have a relative or friend who knows one you could talk to. Not the case with penetration testing.

Until now. This book covers not just the glamorous aspects such as the intrusion act itself, but all of
the pitfalls, contracts, clauses, and other gotchas that can occur. The authors have taken their years of
trial and error, as well as experience, and documented a previously unknown black art.

Penetration testing is important. It gives a company a chance to make sure their systems are secure,
their incident response policies are in place, and give them not only peace of mind but possible
compliance with the increasing insurance and government regulations placed upon them (HIPAA
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks .

leaps to mind). But there are not enough good pen testers out there. This book helps to at least give
you a leg up. There is nothing more frustrating when trying something new than to encounter
unforeseen obstacles you never expected. This book isn't magic—the obstacles do not go away. But
after reading you are aware of them, and have even been given some choices to help you get around
them quickly. Enjoy the book.

Mark Loveless, aka Simple Nomad

Senior Security Analyst, BindView RAZOR Team

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

Preface

Why write a book about hacking? The question is really whether a book about the
techniques and tools used to break into a network would be beneficial to the information
security community. We, the authors, believe that penetration testing is a valuable and
effective means of identifying security holes and weaknesses in a network and computing
environment. Understanding how others will try to break into a network offers considerable
insight into the common pitfalls and misconfigurations that make networks vulnerable. This
insight is essential to creating a comprehensive network security structure.

Some may argue that providing this penetration-testing information gives script kiddies and
hackers ammunition to better attack systems. However, script kiddies and hackers already
have access to this information or have the time to find it—most of the material presented
in this book is available from a variety of sources on the Internet. The problem is that the
system and security administrators defending against attacks do not have the time or
resources to research the sites necessary to compile this information. We decided to write
this book to provide defenders with the information hackers already have. A hacker has to
find only one hole to gain unauthorized access. The security group defending against the
hackers needs to find all the holes to prevent unauthorized access.

There is no tried-and-true training that can make everyone a security expert, but there are
some baseline principles, skills, and tools that must be mastered to become proficient in
this field. Our goal is to provide you with those skills in a manner that helps you to
understand the structure and tools used and to begin developing your own style of
penetration testing.

The process described in this book is not the only way to perform a penetration test. We
continue to evolve our own methodology to respond to new technologies and threats. This
process has worked well for us in the past and continues to be a successful way to
evaluate and test network security.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks .

I l@ve RuBoard

Audience

This book is intended for the security administrators, systems administrators, technology
auditors, and other authorized representatives of companies that want to legitimately test
their security posture and intrusion detection or incident response capabilities. In addition,
other individuals who need to assess systems and network security may find the tools and
techniques described in this book useful. It is designed as a beginner's book for enhancing
network security through penetration testing. No previous knowledge of penetration testing
is required, but an understanding of networking, TCP/IP, Windows NT/2000, network
security, and UNIX is needed to be able to execute a penetration test.

A word of caution: Although this book details the processes and tools for performing a
penetration test, it does not describe how to do this without alerting network security
devices. Many of these techniques will be detected and should not be performed without
the written consent of the owners of the target systems. We intend for this book to be not a
how-to hack manual but rather a framework for performing a systematic network security
review. Intrusion detection mechanisms on most networks today have become very
sophisticated and, if configured properly, can be used to track anyone practicing these
techniques on a network.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

Authors

T.J. Klevinsky, CISSP

T.J. is a manager with Ernst & Young's Security and Technology Solutions practice. He is
currently responsible for coordinating attack and penetration exercises in various parts of
the world. As an instructor for his company's “Extreme Hacking” course, T.J. is constantly
researching new tools and techniques for exploiting security vulnerabilities. To keep the
course up-to-date, new tools and methods are included in the attack and penetration
methodology. Additionally, as the author and instructor for the System Administration and
Network Security (SANS) Institute course “Contemporary Hacking Tools and Penetration
Testing,” T.J. has had the opportunity to interact with other penetration-testing
professionals across the globe to identify new tools and techniques and to bring these
experiences and tools to this book.

Scott Laliberte

Scott is a manager with Ernst & Young's Security and Technology Solutions practice. He
has extensive experience and expertise in the areas of information systems security,
network operations, and electronic commerce. Specifically, Scott has managed and led
numerous attack and penetration engagements and systems vulnerability assessments for
midsize and Fortune 500 companies. During these engagements Scott used a variety of
commercial and proprietary tools and techniques to identify vulnerabilities in networks,
operating systems, and applications. Scott is also responsible for coordinating and
designing e-commerce architectures and verifying security controls and the effectiveness
of the architectures. In addition, Scott is an instructor for Ernst & Young's “Extreme
Hacking” course, where he helps train others in Ernst & Young's attack and penetration
methodology.

Ajay Gupta

Ajay is a senior security professional with Ernst & Young's Security and Technology
Solutions practice, where he performs security reviews for Ernst & Young clients. He has
experience in performing penetration testing, risk analysis, and code review engagements
as well as evaluating the security posture of client organizations ranging from Fortune 100
firms to e-commerce start-ups. Ajay is an instructor for Ernst & Young's “Extreme Hacking”
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

course and spends a large portion of his time developing and reviewing new tools. Ajay is
one of Ernst & Young's specialists in intrusion detection systems and has evaluated,
installed, and configured various intrusion detection tools. He has been a speaker in the
fields of security and electronic commerce for various national organizations and
universities.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

How to Use This Book

The managers of an ever-growing number of companies are beginning to see information

security as an issue requiring attention, showing how much of a threat they truly believe
exists. In any case, whether you work as part of the security department of a large
corporation or as a system administrator with security as part of your job description,
knowing how to get into your network is one of the best ways to secure it.

The first part of this book (Chapters 1–4) explains the roles and responsibilities of a
penetration-testing professional and the motivation and styles of the hacking community.
This information provides insight into why hacking has become so popular with the media
and what difficulties are associated with protecting a network. The material is designed to
provide background information to support the use of penetration testing as an important
part of an overall network security plan. A penetration test not only tests the network's
ability to protect information and other assets from unauthorized individuals but also can
test the organization's ability to detect such intrusion attempts and its incident response
capabilities. We also discuss some of the common pitfalls in technology and defenses that
contribute to security weaknesses. A large portion of successful network security breeches
could have been avoided if special attention had been given to these issues.

The second part of this book (Chapters 5–10) provides a structured framework for a
penetration test. Penetration testing can be broken down into a series of steps that provide
an efficient and comprehensive review of individual network segments. Whether the test is
an internal or external review, the methodology follows the steps of discovery, scanning,
and exploitation. This section outlines methods for finding the target network, identifying
possible vulnerable services, exploiting weaknesses, and documenting the results. This
methodology yields a test that is structured, efficient, and repeatable. In this section of the
book we also introduce various tools that can be used to assist with this methodology. We
briefly describe each tool's use and place in testing.

The third section of this book (Chapters 11–16) provides greater detail on the tools that can
increase the speed and accuracy of a penetration test. This “tools and techniques” section
is presented in a reference format so you can locate a tool by its role in testing and obtain
the information necessary to begin using the tool or find the information necessary to do so.
A large collection of tools have been released by commercial and open-source
programmers that identify vulnerabilities in networks, applications, and/or services and
should be used as part of an assessment. While most of them may be identified by an
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

intrusion detection system, they can usually find exposures on your network faster than
manual methods. We provide detailed explanations of each tool, including its basic usage
and where to get updates. You will find that some programs are described in greater depth
than others. We spend more time on the tools that we find more helpful or that reveal the
most information. For ease of use, we obtained demo or freeware software for many of the
tools covered and included them on the CD-ROM available with this book. This software is
intended to give you the opportunity to become familiar with some of the more popular
tools and to see which work best for you. This section is designed to help you pick out the
right hardware, operating systems, and software to make a testing tool kit.

The last section of this book (Chapters 17–23) moves toward advanced techniques and
application testing. You should review this section once you have created and are
comfortable with your own tool kit. This section details methods that can be used to evade
intrusion detection systems and firewalls, control hosts on target networks remotely, and
test Web servers. It also includes a discussion on denial-of-service attacks and a section
on how to keep up with the current trends and latest developments in information security.
This section contains a list of Web sites and e-mail lists that we used in our research, as
well as information on long-term countermeasures to improve security. Finally, we include
a brief discussion about future trends within the information technology arena and the
possible risks that these trends may produce.

At the end of some chapters are case studies that deal with some of the issues and tools
discussed. The case studies detail steps we have followed in real-world penetration-testing
engagements to help illustrate how all the pieces of penetration testing fit together. The
samples we selected include internal, external, and dial-up testing and reflect different
operating systems, vulnerabilities, and exploits in an attempt to demonstrate as many of
the techniques discussed in the book as possible. In each case we keep anonymous the
name, industry type, and any other information that could be used to identify the parties
involved.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

Acknowledgments

We would like to thank the following individuals who helped in the development of this book
and without whom this work could never have been written: Fyodor, Dug Song, Rob
Kolstad, Jennifer Martinez, Marley Klevinsky, Mike Weaver, Alan Paller, Jeff Chulick, Ron
Nguyen, rain forest puppy, Lance Hayden, John Sinteur, Eric Rescorla, Amy Korman,
Charles Barley, Jr., Randy Musgrove, Erik Winkler, Christopher Brown, Beth Laliberte,
Sudeepa Gupta, Ken Williams, Matt Mancuso, Richard Bejtlich, Jose Granado, Mark
Mercer, Rod Thomas, Gregston Chu, Steve Smith, Jim Doggett, Chris Kostick, and Simple
Nomad.

—T.J. Klevinsky

—Scott Laliberte

—Ajay Gupta

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

Introduction

It certainly seems that over the past few years the security ramifications of online activity
have begun to permeate the national consciousness. Mainstream media have begun to
take an interest in and glamorize the compromises that have taken place. Even Hollywood
has movies about hacking, the latest being Warner Brothers' Swordfish starring John
Travolta, Halle Berry, and Hugh Jackman as the world's foremost hacker.

Despite the growing level of interest in this field, there is still little known about the actual
issues involved in securing networks and electronic assets. Many people consider
anti-virus software used to defend against Internet e-mail viruses to be the cure-all for all
varieties of information security threats. Viruses are a big problem, no doubt, potentially
leading to huge losses in terms of lost productivity and corrupted intellectual assets.
However, cyber crime (hacking) can be much more than the release of an e-mail
attachment that proclaims love (the I LOVE YOU virus) or promises sexy pictures (the
Anna Kournikova virus) to all the friends and business associates of unsuspecting victims.

The true dangers of cyber crime are of far greater consequence. Individuals with technical
knowledge of networks and networking devices can steal sensitive information (for
example, U.S. troop deployments from Department of Defense computers, source code for
new software products, medical records) or money (through online access to bank
accounts or credit card numbers used with online retailers) or conduct a host of juvenile
pranks (erasing backup files recording the last six months of activity, raising the
temperature in buildings, turning off phone systems).

While these may seem to be scare tactics used to get people to spend time, energy, and
good money on unnecessary things, that is, unfortunately, not the case. The threats are
real. They are evident in the latest “Computer Crime and Security Survey” by the Computer
Security Institute and the Federal Bureau of Investigation and in news reports of cases of
identity theft and firms facing the realization that they are being blackmailed by a hacker
who has their customer list (including credit card information).

Given this burgeoning interest in keeping networks free from hacking minds, there has
naturally been greater interest in taking steps to ensure networks are secure. One such
step is to perform a professional penetration test, also called attack and penetration or
ethical hacking. There are various parts of the security industry, namely those people who
provide security consulting services (also called professional services), those who develop
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

and market security products, and finally those who are managed security service
providers (MSSPs).

MSSPs provide outsourced security monitoring and management of all or parts of a

network in exchange for a retainer. Firewalls, intrusion detection systems, audit logs, and
virus scanners can all be managed by an MSSP. The developers of security products
include commercial interests, a large open-source community, and smaller groups of black
hat hackers who aim to create tools to automate the network analysis and review process.
Such tools include firewalls, intrusion detection systems, auditing tools, virus scanners,
vulnerability scanners, network mappers, network sniffers, encryption tools, password
crackers, banner grabbers … the list goes on. In addition, tools and scripts, such as
denial-of-service exploits, that aid in the compromise of networks are also frequently
developed and released. Naturally, this later set of tools come generally from the domain of
open-source or black hat developers, while commercial interests stick to more benign
offerings.

Penetration-testing services are a component of consulting services. Consulting services

also include the development of security policies and procedures, the performance of
security vulnerability and risk analysis of networks, and the design and implementation of
security solutions (such as a firewall solution, a public key infrastructure, a single sign-on
solution, or an IDS solution) and a host of related services. The goal of security consulting
services, especially for penetration testing, is to improve or augment the security posture of
a network or system.

“And he that breaks a thing to find out what it is has left the path of wisdom.”

—Galdalf the Grey from The Fellowship of the Ring, Volume 1 of The Lord
of the Rings by J.R.R. Tolkien

This sentiment applies to penetration testing. Our testing does not intend to and never
should actually cripple or compromise a network. However, testing must detect as many
ways to do so as possible. The findings or results of the testing are aimed at improving the
security posture of a network by presenting countermeasures for the vulnerabilities
identified. The process is simple: take a few white hat hackers, give them black hats for a
short period of time, and let them try to figure out all the possible ways a system can be
compromised. Then, take the black hats away and have them report on their findings—to
the client, not to the general Internet hacker community.

This book focuses on presenting a method for performing penetration testing. In doing so,
we do not discuss other consulting services available. And while we do discuss in some
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

detail the tools we use for penetration testing, this work should not be considered a
comprehensive review of the security products available in the market today. We also do
not address the burgeoning MSSP field, though we briefly discuss it in the final chapter on
future trends.

We, the authors, share a connection with the professional services firm Ernst & Young
LLP. We attest that the ideas and opinions presented throughout this work are not
necessarily those of Ernst & Young but solely the critical analysis based on our years of
field experience.

Truth be told, much of the information presented here can be found in various places on
the Web, in news groups, in e-mail distribution lists, or at other destinations on the Internet
(a listing is presented in Chapter 22). Those who believe writing such a book is dangerous
since it may result in teaching people how to hack do not see the value in improving
security through testing and measuring defenses against the techniques of opponents.
Hackers already know how to hack and have the time and energy to research (and
develop) hacking techniques. The good guys, who are busy battling the day-to-day fires of
maintaining the corporate network, do not have the luxury of this time and cannot perform
this level of research. We hope this book will be a tool for the good guys. It consolidates
and organizes the information already available to the hacker community so that security
professionals can arm themselves in the security battle.

We hope you find this text as useful to read as it was challenging for us to write. We are
glad to provide our knowledge and intelligence on penetration testing. How you choose to
use it is of your own volition. Remember: Penetration testing without permission is
illegal—a point we hope this text makes clear.

Happy reading.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

Chapter 1. Hacking Today

Recent media coverage of hacker incidents against well-known Internet companies has
started to promote a better understanding of the growing threat hackers pose to computer
security. Despite this new publicity, many users and senior managers still do not fully
understand the magnitude of the threat. Without the support of the end users, system
administrators constantly have to defend against security holes inadvertently opened by
the users. Additionally, without the support of management, security and system
administrators cannot obtain the resources they need to protect the company. This puts the
technical staff in a difficult position when trying to obtain the full support of the organization
to defend against the threat. Sometimes numbers speak louder than words to show an
organization's exposure to risk and to gain the support of management.

Frequently we have to convince clients that information systems security is necessary and
that the threat from hackers is substantial enough to invest in proactive security measures.
Since there is no quantifiable measurement of successful security tactics (other than not
being hacked), it is difficult to gain support for a security project. Also, unrealistic
expectations of the cost of effective security or overreliance on one or two security systems
can be a fatal flaw in the network.

There are two large problems security and system administrators need to overcome. First,
management often believes that the computer security threat is not a great enough risk to
justify funds for protective measures. Second, there is a general misunderstanding of how
complex the problem of computer security really is and how many resources are required
to adequately defend against attacks. For example, firewalls are necessary components of
a security architecture, but firewalls alone do not protect networks. An improperly
configured firewall or a firewall without other security measures in place can be worse than
an open system if it provides the company with a false sense of security.

For the last six years the Computer Security Institute (CSI) has performed a survey in
cooperation with the Federal Bureau of Investigation's (FBI) Computer Intrusion Squad to
help determine the extent of computer crime in the United States. In March 2001, CSI
published its “2001 Computer Crime and Security Survey,” which is based on responses
from 538 computer security practitioners in U.S. corporations, government agencies,
financial institutions, medical institutions, and universities. Of those organizations
surveyed, 91 percent reported detecting computer security breaches in the last 12
months[1] and 97 percent of those polled had Web sites. Of those with Web sites, 23
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

percent reported suffering an attack within the last 12 months and 27 percent did not know
if they had experienced an attack. Of those reporting attacks, 21 percent reported two to
five incidents and 58 percent reported ten or more.

[1]
Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer
Security Institute.

These statistics may be alarming, but the actual state of computer security may be worse
than the statistics suggest. Many organizations are still not equipped to detect security
breaches. Only 61 percent (up from 50 percent in 2000) of those polled in the CSI survey
reported using intrusion detection. Thus, it is likely the actual number of attacks and losses
are greater than those reported. While it appears that organizations are starting to
implement more security controls, security incidents and losses continue to grow. This
could be due to the fact that the security products are not implemented correctly or that the
proper policies and procedures are not built around them. In the 2001 CSI survey Patrice
Rapalus, CSI director, provided this insight on why incidents and loss continue to grow:

The survey results over the years offer compelling evidence that neither
technology nor policies alone really offer an effective defense for your
organization… . Organizations that want to survive need to develop a
comprehensive approach to information security embracing both the human
and technical dimensions.[2]

[2]
Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San
Francisco: Computer Security Institute, p. 1.

Organizations were also asked to estimate the financial damages they suffered as a result
of the security breaches. Although 64 percent reported financial damages, only 35 percent
were able to quantify the losses. Table 1-1 shows the results. Although the $377,828,700
in reported damages seems an enormous number, it is important to note that this reflects
the damages suffered by a mere 186 organizations (35 percent of those surveyed).
Considering the number of computer-using organizations in the country, the overall cost of
computer security breaches must be vastly greater.

Not only is the problem bad, it appears that it is getting worse. In the years 1997–1999, the
average damage due to break-ins was $120,240,180. The year 2000 losses were more
than double that average. The losses continued to increase in the year 2001, with a more
than 42 percent increase over the year 2000 losses despite 87 fewer organizations
reporting losses.[3] Table 1-2 shows the results of the CSI survey over the last five years.
Although some of the increased reported damages in the 2001 survey come from improved
detection and reporting, a large portion of the increase is due to increased hacker activity.
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

[3]
Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer
Security Institute.

The reported sources of the attacks were also interesting. External attacks continue to be
more common, but the threat from internal sources is still there—49 percent of the
respondents reported attacks from internal sources. Internet connections were frequent
targets, as stated by 70 percent of the respondents, while 31 percent reported their internal
systems were a common point of attack. Keep in mind that many companies more closely
monitor Internet-connected systems for abuse and unauthorized activity than internal
systems. Even considering this fact, the results support the reality that the threat from both
internal and external sources is great. While the reported frequency of internal attacks is
lower than that for external ones, internal attackers can often cause more damage due to
their proximity to and knowledge of the systems.

Table 1-1. Losses Reported in Dollars by Type (for 2001)

Type Loss
Unauthorized insider access $6,064,000
Theft of proprietary information $151,230,100
Telecom fraud $9,041,000
Financial fraud $92,935,500
Viruses $45,288,150
Laptop theft $8,849,000
Insider abuse of Internet access $35,001,650
Denial of service $4,283,600
Sabotage $5,183,100
System penetration $19,066,600
Telecom eavesdropping $886,000
Active wiretapping $0
Other $0
Total $377,828,700
Source: Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security
Institute.

The CSI survey provides a wealth of information and statistics concerning computer crime
and security. We have touched on just a small portion of the results that help illustrate the
risks. You can obtain a free copy of the complete CSI survey by visiting www.gocsi.com.
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

Table 1-2. Total Reported Financial Losses by Year

Year Respondents (Number Reporting Losses/% of Total Respondents) Reported Losses
2001 186 respondents/35% $377,828,700
2000 273 respondents/42% $265,586,240
1999 161 respondents/31% $123,779,000
1998 216 respondents/42% $136,822,000
1997 331 respondents/59% $100,119,555
Total $1,004,135,495
Source: Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security
Institute.

CSI is not the only organization whose surveys indicate a growing computer security
threat. A global survey released in July 2000 of 4,900 information technology (IT)
professionals across 30 nations, conducted by InformationWeek Research and fielded by
PricewaterhouseCoopers LLP, predicts U.S. firms will suffer losses of over $266 billion this
year from viruses and computer hacking.[4] The prediction for worldwide losses climbs to
$1.6 trillion. The CERT Coordination Center maintains statistics for the number of incidents
reported each year (www.cert.org/stats/cert_stats.html). In 2000 there were 21,756
incidents, which is more than double the number of incidents reported in 1999 (9,859
incidents). All these statistics indicate the threat appears to be growing, which calls for a
renewed sense of urgency to address the security issues facing every company.

[4]
PRNewswire. 2000. “Study Finds Computer Viruses and Hacking Take $1.6 Trillion Toll on Worldwide
Economy.” Wire report, July 7.

The statistics are persuasive, but they are sometimes not enough to make the case for
increased computer security. However, the statistics are not the only indication of
increased computer crimes. Media outlets have started to take notice of computer crimes
and have increased the reporting of system compromises, particularly attacks that involve
well-known companies. Some of the attacks involve denial of service, stolen information, or
other forms of loss.

In February 2000, many large Internet companies suffered major disruptions in service
from distributed denial-of-service (DDoS) attacks. Denial-of-service (DoS) attacks generally
involve trying to overwhelm or bring down a target system to make it unavailable for use.
(DoS attacks are covered in greater detail in Chapter 21.) Yahoo.com, Amazon.com,
ETRADE.com, Buy.com, CNN.com, eBay.com, and others were offline for hours
combating the problem. These incidents brought great visibility to cyber crime.

Other well-known attacks also help illustrate the increase in computer crime. In October
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

2000, news sources reported an attack against Microsoft's internal systems, targeting its
source code. In May 1999, the FBI investigated several hacking groups based in the
United States. After the FBI seized a suspected teenage hacker's computer, several
hacker groups retaliated by defacing government Web sites. At one point, a DoS attack
caused the FBI Web site to be taken offline for seven days.[5] In January 2000, an Internet
hacker threatened CD Universe, stating that if the company did not pay a ransom of
$100,000 he would publish 300,000 credit card numbers he stole from its Web site. The
company refused to pay the ransom and the hacker published over 25,000 credit card
numbers. This attack destroyed consumer confidence in CD Universe and added to the
mistrust consumers already have in online buying. Between the middle of 1999 and the
beginning of 2000, computer viruses such as Melissa, I LOVE YOU, and Explorer.zip
devastated corporate networks, forcing companies to shut down for days to combat the
viruses. These viruses demonstrated the frailty of present-day virus scanners and how
easy it is to get users to execute malicious code. The incidents also illustrated the
problems and losses a company can suffer from an attack.

[5]
Mell, Peter, and John Wack. 2000. “Mitigating the Hacker Threat.” Accessed on July 18, 2000, at the
National Institute of Standards and Technology Web site, http://csrc.nist.gov/publications/nistbul/itl00-06.txt.

Web-site defacements are one of the most prevalent security incidents. Hundreds of
defaced Web sites are posted on hacker sites each month. Attrition.org (www.attrition.org)
and 2600 (www.2600.org) are two of many sites that contain defaced Web-site archives.
The archives contain a listing of sites that have been defaced and in some instances
display a copy of the defaced site. Figure 1-1 shows an example of the listings of defaced
Web sites from Attrition.org. Defacements may consist of impolite messages, a hacker's
claim to fame, pornographic material, or other embarrassing information. Even in cases
where an attack is not destructive, the loss of confidence in the organization's ability to
protect sensitive data will drive customers away.

Figure 1-1. Attrition.org's hacked site list

This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

Attrition.org maintains a breakdown of all the sites listed in its archive. There are thousands
of sites across all domains: .com, .net, .org, .gov, and .mil. Some of the defaced sites are
popular, well-known sites, while others are relatively unknown. Some hackers search the
Internet looking for sites that are vulnerable to a newly discovered exploit. When they find a
site that is vulnerable, they attack it. The archives reinforce the fact that no organization is
exempt from the threat of attack.

This information should be sufficient to make a strong case for putting information security
in the forefront of an organization's IT strategy. Most security professionals are already
aware of the risks facing IT managers today. However, there is no way security and system
administrators can both satisfy their job requirements and proactively secure their systems
without user and management support. A good way to gain support is through effective
security awareness training that is both convincing and constant. Users need to be
continually reminded of the dangers of lax security and what they can and must do to
protect against these problems. Security programs and policies must be designed to be
easy to use and follow, and they must be enforceable. These guidelines provide a place to
start your security program; however, they should be expanded to meet the goals of your
company.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

Chapter 2. Defining the Hacker

In this chapter, we categorize hackers into three groups that reflect different levels of
experience and capabilities. Our objective is not to propagate any stereotypes but merely
to create a framework so that we can talk about the “other side” and their skill levels. This
information is provided to facilitate an understanding of the different types of people who
are commonly called hackers. Security professionals have started using the term cracker
to refer to malicious computer hackers. Unfortunately, the media and general population
have given the term hacker a negative connotation, so we use it to describe any person
who attempts to access a system through unauthorized channels. This chapter also
presents a profile of information security professionals and discusses popular hacker and
information security myths.

Categorizing hackers by the technology they deal with can be complicated. Because
networking and computing technology is so vast, hackers often specialize in one or a few
specific areas. For example, some focus on a particular operating system (e.g., Unix, Mac
OS, Windows), some master the workings of individual applications (e.g., e-mail servers,
firewalls, Web servers), and some focus on a particular type of attack, (e.g., denial of
service, dial-in penetration, Web hacks). Still others use social engineering as a way to
gain unauthorized access. There are a few hackers who have mastered more than one of
the above issues, but only a select few have a great deal of experience in all topics.

To avoid the intricacies identified above, our characterization of hackers is based only on
their overall technical competence and ability to compromise computer technology,
networks, protocols, and systems. For our purposes, we divide hackers into three groups:
first, second, and third tiers. These tiers form a pyramid in which there are a small number
of genius-level hackers (first tier), many more second-tier hackers, and a large population
in the third tier. Within our categorization, we discuss their capabilities and motivations.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

2.1 Hacker Skill Levels

2.1.1 First-Tier Hackers

First-tier hackers are programmers who have the ability to find unique vulnerabilities in
existing software and to create working exploit code. These hackers, as a whole, are not
seeking publicity and are rarely part of front-page news stories. As a result, they are known
only to the security community for the programs they write and the exploits they have
uncovered.

First-tier hackers are individuals with a deep understanding of the OSI model and the TCP
stack. Coding is more than just a hobby, and they dedicate a great deal of time and energy
to it. They are committed to keeping their technical knowledge and skills current. Not all
tier-one hackers are malicious. In fact, some are actively involved in developing
technologies that can be used to improve overall network security, such as hackers from
the ISS X-force, the Bindview Razor Team, and the AXENT SWAT team (AXENT has
been purchased by Symantec).

Tier-one hackers can work independently or through a network of hacking teams that run
exploits from a variety of locations, making it difficult to trace the activities back to their
source. These teams can be developed in Internet Relay Chat (IRC) channels, in
conferences such as DefCon, or in small groups of computer-savvy friends. Often one
first-tier hacker creates the programs and other members of the team run them against
target networks. This creates a reputation for the group rather than a single individual.

2.1.2 Second-Tier Hackers

Hackers in this tier have a technical skill level equivalent to that of system administrators.
Tier-two hackers are far more common than tier-one hackers and may have experience
with several operating systems, understand TCP/IP, and know how to exploit several
vulnerabilities. They generally have less depth of knowledge but possibly greater breadth
than the first tier. This level of hacker would be part of a security team in a large
organization. Some level of programming or scripting ability is required. For example, they
should be able to port a tool from one flavor of Unix to another.

A majority of security consultants fall into this tier. Tier-two hackers have worked with
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

computers for most of their careers and understand how they work. They have an
extensive collection of tools, a reliable methodology, and ability, but they generally rely on
other people to identify and code most exploits due to lack of time to specialize in a
particular technology.

Tier-two hackers like to play with new tools as soon as they come out and are often
beta-testers and part-time developers for freeware and open source security tools. They
can also be found as regular contributors to security mailing lists.

2.1.3 Third-Tier Hackers

The lowest and most populated part of the pyramid is the third tier, whose members are
commonly referred to as script kiddies. This terminology comes from the fact that
members of this tier generally rely on previously coded scripts and prepackaged hacking
tools downloaded from the Internet to do their hacking. Script kiddies are usually
individuals who are intrigued by the notion of gaining unauthorized access and are open to
using untested pieces of code, especially while others (target networks and users) are at
risk.

For this reason, tier-three hackers get the least respect but are often the most annoying
and dangerous. Tier-three hackers can cause big problems for large organizations since
they are not afraid to run untested scripts against networks without truly understanding
what the scripts do and what the consequences may be. This combination of irresponsible
experimentation and incomplete knowledge often leads to disaster, such as the unintended
loss of information.

A script or hacking tool can show the effect of a vulnerability on someone's network but
should be treated with definitive care. Once a tool is aimed and fired, it will have its effect
on the target regardless of the assailant's intention or understanding of how the tool works.

Of course, hackers in this tier are fairly easy to identify and/or catch (as compared with
first-tier hackers). In our lab, we have seen hackers attacking our NT honeypot systems by
using Unix-specific scripts (trying to NFS mount an NT share). They generally do not
attempt to cover their tracks; in fact, they may perform activities that attract attention, such
as running port scans against all possible ports, 1–65535. With minimal intrusion detection
and monitoring capabilities these attempts can be stopped.

Tier-three hackers generally hack as a hobby and are usually in search of notoriety. They
feel, perhaps from watching movies, that by successfully “hacking” a system, they will
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

become “elite.” This is the attraction in working with a programmer —it holds the promise of
valuable experience and the fame/infamy script kiddies seek. Publicity seeking is one of
the main reasons why these hackers get caught. They are so interested in becoming
known that they tell everyone about their latest conquest on hacker IRC channels.

Script kiddies do not necessarily have computer-related professions. In fact, given that they
are often the younger people on the Internet, they may still be in high school. They run the
code they find on the Internet on their office, home, or school network. Most large
organizations have at least one individual with enough computer knowledge to obtain
hacking tools but no authorization to run them. Curiosity about how the tools work and what
information might be obtained leads to an unauthorized security breech. Tier-three hackers
spend their time surfing the Internet in search of the latest and greatest automated hacker
tools. Their tool set is generally entirely downloaded from the Internet as is. Often they
scan the Internet looking for a site susceptible to the latest exploit they have just learned to
see if it really works. Tier-three hackers are generally recipients of security mailing lists,
though they may not be regular contributors, and are often vocal in hacker IRC channels.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

2.2 Information Security Consultants

An information security consultant typically tries to help organizations become safer and
more secure from hackers. They are usually individuals with a technology-related degree
or equivalent technical experience gained either professionally or as a hobby. They likely
have a large collection of licensed security tools (commercial, freeware, or shareware), are
familiar with all of them, have a user-level understanding of a majority of them, and are
extensively experienced with the workings of one or two favorite tools in each tool
category. For example, they may have a favorite port scanner, a favorite war dialer, and a
favorite vulnerability scanner that they use in their penetration-testing engagements.

An information security consultant does not need to have a programmer's understanding of

a network in order to be effective at performing a comprehensive analysis of a network's
security posture. A consultant is most likely a member of the middle tier of hackers in terms
of experience and skill. Many of the better consultants started with system administration
positions.

A consultant must have a sufficient tool set and a reliable methodology for performing
penetration testing. Also, the consultant's area of specialization must be relevant to the
client's network environment. For example, while a Unix expert can contribute to or even
perform the testing of an NT network, and someone with intimate knowledge of Check
Point Firewall-1 can attack a Gauntlet firewall, the optimal case would be for the
consultant's area of specialization to match with the OS type and the applications run by
the client. When selecting a consultant for a security engagement, inquire as to the
consultant's area of specialization before assuming they are qualified to do the job.

The most important quality an information security consultant must possess is integrity.
Consultants have access to critical systems and data. In addition, the tools and techniques
they use have the potential for seriously affecting production systems. An organization
must be able to trust that consultants will use good judgment and discretion in the work
they perform. A security consultant who leaks information from a penetration test could
damage a company's stock price, image, or both. Organizations should make sure the
consultants they hire possess a track record of honesty and integrity.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

2.3 Hacker Myths

All the perceptions of hackers and their portrayal in movies and entertainment have lead to
the development of “hacker myths.” These myths involve common misconceptions about
hackers and can lead to misconceptions about how to defend against them. Here we have
attempted to identify some of these myths and dispel common misconceptions.

1. Hackers are a well-organized, malicious group.

There is indeed a community within the hacker underground. There are

hacking-related groups such as Alt-2600 and Cult of the Dead Cow, IRC “hacking”
channels, and related newsgroups. However, these groups are not formed into a
well-organized group that targets specific networks for hacking. They share a
common interest in methods for avoiding security defenses and accessing
restricted information.

2. If you build it, they will come; and

3. It is safe if you hide in the tall grass.

Both of these myths represent opposing views on the probability of being hacked.
Myth 2 is indicative of the view that once an Internet presence is established,
malicious hackers will begin to attempt a compromise. Myth 3 expresses the
opinion that there are so many Web sites around that if you just do not make a lot
of noise and do not have one of the truly big sites, publicity-seeking hackers will not
bother to go after you.

The truth lies somewhere in the middle. You will probably be scanned by users with
malicious intent, but it may not happen the moment your systems go online. Some
scans will be by groups trying to get an idea of how many Web sites are using a
particular piece of software. Others are unethical (but legal) system
reconnaissance.

A good plan is to develop a security posture that balances the risk of system
compromise with the costs of implementing and maintaining security measures.
This will allow you to sleep at night. While you may not stamp out the chance of
compromise entirely, you will have done what you can to prevent and limit the
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

compromise without killing your budget.

4. Security through obscurity.

Myth 4 implies that because you are small and unknown or you hide a vulnerability,
you are not at risk. For example, according to this myth, if you create a Web site
but give the URL only to your friends, you don't have to worry about it being
attacked. Another example we have seen is the creation of a backdoor around a
firewall by putting a second network card in a DMZ system and directly connecting
it to the internal network. People using such a strategy think that because they
have hidden the weakness, no one will find it and the organization is safe.
However, security through obscurity does not work. Someone will find the
weakness or stumble upon it and the systems will be compromised.

5. All hackers are the same.

This myth is borne out of a lack of knowledge among the general public about the
hacker community. All hackers are not the same. As mentioned above, different
hackers focus on different technologies and have different purposes and skill
levels. Some hackers have malicious intent; some don't. They are not all teenagers
who spend far too much time in front of a computer. Not all hackers are part of a
group that defaces Web sites and creates and distributes hacking tools. The range
among hackers is great, and you need to defend against them all.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

2.4 Information Security Myths

The spread of technology has brought computers more and more into our daily lives. It has
brought along with it a collection of myths repeated so many times they seem to be true.
These myths can breed either a false sense of security or a sense of paranoia. Neither of
these conditions is desirable. Therefore, we seek to dispel these myths to help you further
understand the computer security threat.

1. Virus scanning software provides total virus protection.

Virus scanning software can detect and defend against viruses with known
signatures. New viruses, whose signatures have likely not been determined, may
not be detected and can still pose a threat to systems. Virus scanning software
needs to be upgraded regularly (at least monthly) and is generally sold on a
subscription basis to automatically provide customers this level of protection.

2. Computer connections are untraceable.

Many people assume they cannot be traced when they are online. They
erroneously believe that if they give a fake name and address when signing up for
free e-mail or with an ISP for an Internet connection, they have hidden themselves
among the millions of users speeding around the World Wide Web. If they steal a
user name and password from someone in another state, they feel they have
gained complete anonymity on the information superhighway. In reality, the use of
anonymizing systems, remote networks (sometimes in different countries), and
spoofing software is required to achieve even a small degree of anonymity. Even
then, your ISP is probably logging your initial point of entry onto the Internet.

It is easy to go to one of the countless free e-mail services on the Internet, supply
bogus information, and get an account. However, your privacy is not protected.
That e-mail service knows from which Web site (if any) you came to its site and the
IP address of the machine you used. It can find the owner of the IP address from a
“whois” query. If you signed up from home, your ISP has likely dynamically
assigned you an IP address from the collection it owns. It records the time and day
that it gave you this address and can share this information with federal, state, and
local authorities as well as interested corporations (though a legal warrant may be
required). Additionally, the use of cookies on the Web makes information about
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

what sites you visit and what software you own easier to track.

Even if you are able to access the Web from a private ISP, the use of Caller ID
software and system callback are making it increasingly difficult to remain
anonymous. As authentication mechanisms improve and the cost of disk space for
logs drops, it will become even harder to obtain anonymity.

3. Once you delete a file, it's gone!

When you delete a file, it is not removed from the disk. Under the Windows OS, the
space on the disk that is being occupied by this file is simply marked as “available
space.” This allows for programs, like the Windows Recycle Bin, to undelete a file
after you have erased it. Additionally, it has been proven by some forensics experts
that a file can be retrieved even after it has been overwritten nine times. At that
level, an electron microscope is required. However, files overwritten up to two times
can be retrieved using currently available software. To effectively remove a file
permanently, a program such as Wipe Disk, which overwrites a file or drive with 0s,
1s, and then 0s again, should be used. (There are some individuals who believe
they can still successfully retrieve at least portions of the data from the actual
physical memory.)

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

Chapter 3. Penetration for Hire

This chapter discusses the skills and requirements generally expected of a person
performing security penetration services. You can use this information to help determine
what skills you will need to perform penetration testing or as a general guide of what to
look for when hiring a security consultant to perform these services. We discuss the
contents of the consultant's tool kit, or black bag, including the software and hardware
likely required. (The tool kit is discussed only briefly here; it is covered more fully in
Chapter 10.) Further, we discuss the two variations of a penetration test: announced to the
security team and system administrators or unannounced. In either case, management
must always be fully aware and in support of your activities.

Documented support for your activities from top-level management is a key component of
any penetration test. The activities associated with penetration testing are considered
illegal under almost any circumstances other than at the request of the company. In the
following section we discuss some of the legal issues we have encountered while
performing these tests.

We also include as a requirement of being a security consultant the upholding of the

professional standards and ethics that are an essential part of the position. The tester may
have access to sensitive data within the organization that could be of material
consequence if disclosed. The organization must be confident that this information will not
end up in the wrong hands. Untrustworthy testers are also in the position to leave back
doors and Trojans to allow them access after the testing is complete. In addition, the
results of penetration tests must be kept confidential. Computer security today is a hot topic
within the media and Wall Street. Either group could produce a substantial effect on the
organization if poor test results were disclosed. Most professional security consultants are
well aware of these ramifications and maintain high standards of integrity and discretion.
However, background checks and references are a small safeguard to assure you are
hiring a trustworthy individual.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

3.1 Ramifications of Penetration Testing

Penetration testing could have very serious ramifications if not performed properly.
Normally, companies continue to conduct business while the testing is being performed.
This increases the impact to the company if a system goes down or is unintentionally
rendered useless. For these clients, these systems should be considered “critical” and
addressed with due care. The company's management is faced with maintaining a balance
between making sure the testing is complete and ensuring they are still able to do business
so that revenue is not lost.

Further, the machines and systems being tested are very expensive. Considering the cost
of configuration and ongoing maintenance and taking into account the data and other
electronic assets (such as client databases, proprietary code, documentation, and other
often irreplaceable intellectual property) on these machines, the overall cost (or value) of
these systems can be tremendous.

In light of this, the potential legal consequences can be quite serious as well. A request
from a company employee to perform a penetration test is not necessarily a valid request.
If that person does not have the authority to request such actions and indemnify you if
anything goes wrong, you may incur fees related to court costs in addition to loss of fees
for services. Therefore, legal agreements must be reached before the testing begins, and
the tester needs to make sure he or she has a signed “Get Out of Jail Free Card” from a
company officer authorized to enter the organization into a legally binding agreement. The
“Get Out of Jail Free Card” generally entails a legal agreement signed by an authorized
representative of the organization outlining the types of activities to be performed and
indemnifying the tester against any loss or damages that may result from the testing.

During the initial discovery phase of a penetration test, identify the owners of the hardware
and software affected by the test. Both need to agree to the test before it begins. Often,
and this is especially true for the e-commerce initiatives of Internet startup firms, the
machines that support networking capabilities are leased from an Internet/application
services provider. Also, firms may have their ISP configure the router that leads to their
network in some way to help them filter traffic coming into their network. When this is the
case, clients can also ask the consultant to test the ISP's settings and service claims by
performing various tests on the ISP's router and systems, including denial-of-service tests.
In such cases, you will need to get permission from the ISP as well as your client due to
the involvement of the ISP's assets. If you plan on placing any significant load on the ISP's
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

hardware, plan the activities in advance to coordinate with the ISP.

Legal requirements are still being developed since the Internet and cyber crime are a
relatively young area. Additionally, since there are no geographical boundaries on the
Internet, it is difficult to identify a valid jurisdiction.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

3.2 Requirements for a Freelance Consultant

There are certain requirements that you must meet in order to be an effective penetration
tester in a freelance consultant role. The requirements deal with your level of security skills,
your systems and network knowledge, the depth and breadth of tools at your disposal, and
the OS and hardware on which you use them. Also critical is your attention to record
keeping and maintaining the ethics of security. Potential employers of security consultants
performing penetration services should consider the following list before hiring a
consultant.

3.2.1 Skill Set

A security consultant must be at least at the system administrator level (tier-two hacker) in
order to effectively render security advisory services. This is not to say that script kiddies
do not recognize security flaws or cannot hack—as previously stated, they often do more
damage than hackers at any other level. Script kiddies generally do not have a complete
understanding of the tools and exploits they use, and therefore they either miss critical
holes or potentially damage systems.

As a paid consultant, you are expected to definitively assert what you are doing and all the
potential effects your actions may have. Specifically, you should be able to defend your
choice of tool, why you use it, and what you use it for during testing. You are also expected
to answer any and all questions related to a tool's configuration. Some of these security
tools can cause considerable damage or downtime to networks if not used properly. At the
conclusion of the test, you will be asked to articulate the method used to penetrate the
systems and to deliver recommendations on how to fix the security holes identified during
testing.

3.2.2 Knowledge

Successful security consultants should be familiar with several pieces of technology, such
as firewalls, intrusion detection systems, sniffers, audit tools, authentication
mechanisms—the list goes on. While it is certainly advisable to be an expert in as many
technologies as possible, the tester must at least be familiar with how the technology works
(and the products that implement the technology) in order to find ways around the security
that these systems provide. The tester should be knowledgeable in all the major operating
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

systems (Windows, UNIX, Mac OS, and possibly Novell) and an expert in one. In-depth
knowledge of TCP/IP and networking protocols is required. Knowledge of application
programming or past programming experience can also be helpful since many new exploits
are constantly released as “working” code with occasional flaws. Such experience comes
in handy when writing various attacks, such as buffer overflows.

The tester must be able to use various hacking tools, scripts, and exploits in order to test
for known bugs and vulnerabilities. Further, the tester should have access to vulnerability
services that can keep him or her apprised of the latest hacking tools, scripts, and exploits
as well as new security bugs discovered in all the major hardware, software, and operating
systems. This does not have to be a paid service, but it must be reliable and up-to-date,
and it must provide information on how to exploit known bugs as well as offer a
comprehensive collection of exploits and tools.

Keeping current on the latest security developments and trends is essential for any
successful security consultant. The security consultant should subscribe to and participate
in a collection of security e-mail lists. In addition to reading technical material, security
consultants should periodically review what is being posted to “underground” Web sites.
The best way to defend against or exploit threats is to understand them. In Chapter 22, we
present several Web sites, e-mail lists, and other sources of information as a good starting
point for learning about and keeping abreast of developments in the security industry.

3.2.3 Tool Kit

Consultants develop a collection of useful software, a tool kit, with tools and scripts for
performing all types of security work, such as vulnerability testing, penetration testing,
dial-in penetration, Internet penetration, denial of service, password cracking, buffer
overflows, and risk assessments. This tool set should cover both the Windows
(9x/NT/2000) and the UNIX (including the variants, Linux, HP/UX, AIX, IRIX, DG/UX, the
BSDs, and so on) operating systems. We have included tools in this book that we have
found useful, but by no means do they form the definitive tool kit. As your own technique is
developed, you may find additional or alternative tools that work better for your style.

3.2.4 Hardware

Penetration testing often uses a lot of CPU time and bandwidth. The more powerful the
machine, the better the efficiency. We have found that a dual-boot Linux/NT laptop (with
the latest CPU, the most RAM, and as fast as possible) to be an adequate configuration. A
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

laptop is often better than a desktop because is allows for mobility. Running VMWare
allows you to run both operating systems simultaneously. This adds convenience, in that
tools are generally available for at least one of these environments, but it costs more in
terms of processor speed and memory.

Additionally, running a keystroke capture utility is an effective way to log the test. These
utilities record and time stamp all activities at the keystroke level, to some extent offloading
the record-keeping burden from you to the laptop. The hardware used for testing is
discussed in more detail in Chapter 10.

3.2.5 Record Keeping

Keeping accurate, detailed records is a critical activity for a penetration tester. We

recommend your records provide enough detail to recreate the penetration test steps. In
the unfortunate event that a company should claim that a consultant is responsible for
damages incurred as a result of penetration testing, reviewing the records will be the first
step in resolving the issue.

The record should detail everything that was performed during testing, including every tool
used and every command issued and the systems or IP addresses against which they
were used. A useful practice is to document your procedures as you perform them and to
use the last part of the day to type up your notes and record your results.

Occasionally a system administrator might accuse a tester of being responsible for attacks
that took place before or after the work was performed. In order to defend against these
accusations, detailed documentation is required. Logs from a keystroke capture utility as
well as your own notes provide the basis of defense.

Not only is it important to keep track of the actions performed during the penetration
testing, it is also important to keep track of all the information gathered on your client. This
may include information on weaknesses in the client's network, password files, the
business process, and any intellectual property such as documentation on patent-pending
processes. It is important to keep this information so you can present it to the client to
verify you were able to access it and to stress the importance of the weaknesses that
allowed you to obtain it. However, all information obtained from the client should be treated
as highly confidential. If this information were to get out, to a hacker or a competing firm, it
could put the client at significant competitive disadvantage, leading to a loss of capital. In
addition, news of a successful penetration test may also lead to a drop in consumer
confidence.
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

3.2.6 Ethics

Penetration testing engagements are bound by the scope and length set forth in the rules
of the engagement. These rules are specified by the client and enable the organization to
feel comfortable enough to allow the testing to proceed. These rules address issues of
denial of service, contact information, scope of project, and timetables. This information
provides the boundaries of the engagement and cannot be misinterpreted.

At issue here is trust. One of the key things security consultants have to offer their clients is
assurance and confidence that while the consultant is examining the client's security, they
will not be planting back doors or compromising the client's network. Unfortunately, there is
no script or tool that guarantees the consultant's integrity. Each consultant must carefully
protect his or her integrity on every engagement and assignment. If your integrity is
questioned, even once, you will not recover from the accusation. There is little room for
error, accidents, or problems. Penetration testing requires the client to give a great deal of
trust to a consultant. That trust must be protected.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

3.3 Announced vs. Unannounced Penetration Testing

There are two distinct types of testing that can be performed: announced and
unannounced. The distinction comes when you define what is being tested: network
security devices or network security staff.

3.3.1 Definitions

The following definitions help clarify the differences between the two types of testing.

Announced testing is an attempt to access and retrieve preidentified flag file(s)

or to compromise systems on the client network with the full cooperation and
knowledge of the IT staff. Such testing examines the existing security infrastructure
and individual systems for possible vulnerabilities. Creating a team-oriented
environment in which members of the organization's security staff are part of the
penetration team allows for a targeted attack against the most worthwhile hosts.

Unannounced testing is an attempt to access and retrieve preidentified flag

file(s) or to compromise systems on the client network with the awareness of only
the upper levels of management. Such testing examines both the existing security
infrastructure and the responsiveness of the staff. If intrusion detection and incident
response plans have been created, this type of test will identify any weaknesses in
their execution. Unannounced testing offers a test of the organization's security
procedures in addition to the security of the infrastructure.

In both cases, the IT representative in the organization who would normally report security
breaches to legal authorities should be aware of the test to prevent escalation to law
enforcement organizations.

Also, management may place certain restrictions on the penetration test itself, such as the
need to perform a portion of the test (for example, war dialing) after hours, to avoid certain
critical servers on the network, to use only a certain subset of tools or exploits (for
example, to omit denial-of-service tools), and so on. Such guidelines that come from upper
management apply regardless of the type of engagement. At the conclusion of the
engagement, system administrators should be able to review logs to identify the
penetration test and to help them identify attacks in the future.
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

3.3.2 Pros and Cons of Both Types of Penetration Testing

Everything has its advantages and disadvantages. In this section, we discuss the pros and
cons of each type of penetration testing.

Pros Announced testing is an efficient way to check on and tweak the security controls
the organization has in place. It creates a team-oriented approach to security and allows
the organization's staff to experience firsthand what their network looks like to a possible
intruder. Additionally, working with the IT staff allows the tester to concentrate efforts on
the most critical systems.

Unannounced testing requires a more subtle approach. The tester tries to identify targets
and compromise the security while staying under the radar screen of the target
organization. This test may prove more valuable to the organization due to the range of
items tested beyond the technology.

Cons With announced testing, as large holes are identified on the client network, system
administrators will close them quickly to avoid compromise. This can make further
penetration difficult by not allowing further compromise of the vulnerability. Additionally, an
announced test allows security staff time to make temporary changes to the network that
add additional security. This gives management a false sense of security. The network
may be secure during testing, but as soon as testing is complete and the original settings
are restored, any original vulnerabilities will return as well, unbeknownst to the
organization.

The risk with unannounced testing is that since the security administrators do not know that
a test is being performed, they will respond as they would to a hacker and block the
penetration testing efforts (drop connections, reboot machines, and so on). This would
indicate a good response/detection process is in place, but it can cut a test short. The
danger with this test is that occasionally security administrators have been known to
contact the relevant authorities to report the penetration activities. To control this risk, the
organization should have an escalation process in place with a specific individual being
responsible for contacting authorities. This person should be aware the test is taking place.

Another risk during unannounced testing is that administrators may be making

modifications to the environment during the testing period, which could skew the results. If
the network administrator is upgrading a system, implementing a new service, or taking
certain systems offline during the test, the results may not be as useful as they otherwise
would. Additionally, the tester should be aware of quarterly or semi-quarterly events (such
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

as large transfers of information from accounting) and backup schedules to avoid

interfering with these operations.

3.3.3 Documented Compromise

At times during penetration testing, the client may be uncomfortable with allowing the tester
to perform the actions that actually lead to a compromise. For example, it may be possible
to access the router for network A and alter its routing table to appear as if the (attacking)
network is a trusted, internal network and then route traffic from that network through the
router to another trusted, internal network, network B. Then this compromised router would
be able to connect the tester and the target network (B), bypassing security measures
through its trust relationship with a less secure network (A).

However, the client may not want this activity to be performed. Altering the routing table
may lead to additional complications for the client's network. The client may be satisfied
that you can demonstrate that it can be done and describe how to fix the situation. Screen
shots of documented system access may work well for this purpose. In such cases,
document the possible hack along with its risk level and available countermeasures.

I l@ve RuBoard
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks

I l@ve RuBoard

Chapter 4. Where the Exposures Lie

Now that we have examined the lurking threat to computer security and analyzed the
profiles of potential hackers, we need to look at where the holes lie in systems and
networks that allow these hackers to be successful. These security holes, which can be
due to misconfiguration or poor programming, should be identified for several reasons.
First, common security holes are the areas the organization should address quickly. You
need to either close the hole or learn more about it in order to mitigate the risk created by
the exposure. Second, the common holes are the areas you need to look for during your
penetration test. These holes are often called the “low-hanging fruit” in reference to being
fairly easy to identify and exploit.

Breaking into systems can be relatively simple if someone has not properly patched and
secured the systems against the latest vulnerabilities. Keeping systems up to date has
become increasingly difficult with larger multi-OS distributed networks and smaller staff
budgets. The issue facing administrators trying to keep systems up to date is that 20–70
new vulnerabilities are published each month on Bugtraq, eSecurityonline, and other
vulnerability services. Unfortunately, hackers have a window of opportunity between the
time someone publishes the vulnerability and the time the vulnerability is patched or
addressed on the systems. The longer this window stays open, the more the odds of
compromise increase. One of the keys to keeping your network secure is to constantly
monitor for emerging vulnerabilities and to patch your systems against them. The more
responsive administrators are to closing the holes, the more secure your systems will be.

Configuration errors create a risk that enables attackers to penetrate systems. Examples of
configuration errors include leaving unnecessary services open, assigning incorrect file
permission, and using poor controls for passwords and other settings that a system
administrator can set. Organizations can reduce configuration errors by creating baseline
standards and configuration management procedures. In addition, proper penetration
testing will identify many configuration holes that could allow an attacker to gain access to
systems.

There is no way to close all possible access points to a network. With enough time or
money, any system could be compromised. However, keeping patches up to date and
testing your systems will effectively close 80–90 percent of the holes.

Our experience with testing system security has revealed exposures that consistently
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. T

resurface in multiple companies. Consequently, we have developed a list of common

security holes that we have successfully exploited. The list is not all inclusive, but it can
serve as a starting point for organizations taking steps to secure their systems.
Organizations should look for these and other vulnerabilities when performing penetration
testing.

Not surprisingly, many of the holes we list in this chapter are the same as those published
by the System Administration, Networking, and Security (SANS) Institute in October 2001.
The SANS Institute did an excellent job of consolidating its list to the top 20 high-risk
vulnerabilities. Our list covers many of the SANS items plus other holes we have found to
affect networks. The SANS list is an excellent reference, and a complete copy of the report
can be found in Appendix B.

Some of the vulnerabilities we list below enabled us to directly compromise the target
systems, while others provided information that helped us develop our attack. Some of the
holes are specific, while others cover larger, more general issues. We follow the list with a
description of each vulnerability and, where applicable, give countermeasures to help close
the hole.

1. Application holes

2. Berkeley Internet Name Domain (BIND) implementations

3. Common Gateway Interface (CGI) vulnerabilities

4. Clear text services (sniffing)

5. Default accounts

6. Domain name service (DNS)

7. File permissions

8. FTP and telnet

9. ICMP

10. IMAP and POP vulnerabilities

11. Modems

12. Monitoring and intrusion detection (lack of)

Exploring the Variety of Random
Documents with Different Content
pronto se remontaban como desaparecían.
Llegaban como rebaño asustado y en dispersión, dando tumbos sobre las
lívidas olas, perseguidas siempre por el mugido feroz, que parecía divertirse
arrancándolas en cada papirotazo una vela, un trozo de mástil ó el timón,
hasta que levantando una montaña de agua verdosa, cogía de través á la
desmantelada barca y se la sorbía.
La última y más terrible lucha fué á la entrada del puerto. En las barcas
que consiguieron entrar, los tripulantes, mojados de pies á cabeza, recibían
los abrazos de sus familias con ojos de idiota, como resucitados que se
asombran al verse de pronto en plena vida. Aquella noche dejó memoria en
el Cabañal.
Grupos de mujeres desmelenadas, frenéticas de dolor, roncas de gritar
sus aclamaciones al cielo, corrían por el muelle de Levante, expuestas á ser
devoradas por las olas que escalaban los peñascos, mojadas por el polvo de
amarga agua que escupía la furiosa marea, y miraban ansiosas el horizonte,
como si en la sombra pudieran distinguir la lenta y horrible agonía de las
últimas barcas.
Faltaban muchas á llegar. ¿Dónde estarían? ¡Ay Dios!... ¡qué felices eran
las mujeres que estaban en el puerto abrazando á sus maridos é hijos,
mientras los otros, más infortunados, corrían dentro de un ataúd al través de
la noche, saltando de ola en ola, rodando á lo más hondo de hirvientes
simas, sintiendo bajo los pies el crujir de las quebrantadas tablas y sobre la
cabeza la lívida montaña de agua próxima á desplomarse!
Llovió durante toda la noche, y muchas mujeres esperaron el amanecer
en el muelle, combatido por el oleaje, envueltas en el calado mantón, en
cuclillas sobre el barro negruzco del carbón de piedra, rezando á gritos para
ser oídas mejor por los sordos de arriba, é interrumpiendo algunas veces su
oración para tirarse de los revueltos pelos, lanzando á lo alto, en un
arranque de odio y resentimiento, las terribles blasfemias de la Pescadería.
¡Hermoso amanecer! El sol asomó su hipócrita cara tras la tranquila
línea del mar, matizada á trechos por las espumas de la noche anterior;
extendió sobre las aguas su ancha faja de reflejos dorados é inquietos,
embelleciéndolo todo; allí no había pasado nada; y lo primero que doraron
sus rayos en la playa de Nazaret, fué el casco destrozado de un bergantín
noruego encallado la noche anterior, hundido en la arena, mostrando á flor
de agua sus costados despanzurrados, hechos astillas, y los palos rotos
tremolando todavía jirones de velas.
Su cargamento era madera del Norte; y mansamente empujados por los
suaves estremecimientos del mar, iban hacia la playa las enormes vigas, los
aserrados tablones que, pescados por el revuelto enjambre de puntos negros
que pululaba en la playa, desaparecían como tragados por la arena.
Bien trabajaban aquellas hormigas. Para ellas era la tempestad. Y por los
caminos de la huerta de Ruzafa deslizábanse arrastradas las hermosas
maderas del Norte, que habían de convertirse en techumbres de nuevas
barracas.
Los piratas de la playa arreaban alegremente sus caballerías como
legítimos poseedores del botín, sin pensar que tal vez estaba salpicado con
la sangre de los infelices extranjeros que dejaban á sus espaldas tendidos
sobre la arena.
En la playa, los carabineros y la muchedumbre inactiva formaban corros
más curiosos que aterrados en torno de unos cuantos cadáveres tendidos
entre el agua y la arena, hermosos mocetones rubios y fornidos, mostrando
por entre los jirones de sus ropas la carne dura, de blancura femenil,
mientras sus ojos azules, turbios é inmóviles, miraban al cielo con
misteriosa expresión.
El naufragio del bergantín noruego fué lo más notable de la tempestad.
Los periódicos hablaron de la catástrofe. Acudió la gente de Valencia como
en romería para ver de lejos el buque náufrago hundido hasta la borda en la
movediza arena, y todos olvidaron las barcas pescadoras, acogiendo con
gestos de extrañeza las lamentaciones de aquellas mujeres que no veían
volver á los suyos.
La desgracia no era tan grande como en un principio se creyó. Al
serenarse el mar fueron volviendo al puerto muchas barcas, á las que se
tenía por perdidas.
Habíanse refugiado huyendo de la tempestad en Denia, en Gandía ó en
Cullera, y cada una de ellas, al llegar al puerto, provocaba alaridos de
alegría, exclamaciones de gozo, votos de gracias á todos los santos
encargados de cuidar los hombres que se ganan en el mar la subsistencia.
Una sóla no volvió: la barca del tío Pascualo, un vividor de los más
tenaces que se conocían en el Cabañal, siempre rabiando por conquistar la
peseta, pescador en invierno y contrabandista en verano, gran marinero y
constante visitador de las playas de Argel y Orán, á las que llamaba con
familiaridad la còsta d’afòra, como si se tratase de la acera de enfrente.
Su mujer, Tona, pasó más de una semana esperándole en el puerto,
siempre con un arrapiezo al pecho y otro más talludo y gordinflón agarrado
a sus faldas. Esperaba á su Pascual, y á cada nuevo informe que la daban,
prorrumpía en lamentaciones y se mesaba los pelos, llamando á gritos á
María Santísima.
Los pescadores no se expresaban con claridad, pero al hablarla ponían el
gesto fosco. Habían visto la barca corriendo el temporal frente al cabo de
San Antonio; le faltaban las velas; no pudo ganar tierra, y hasta alguno creía
haberla visto al pie de una ola enorme, hinchada, verdosa, que la cogió de
lado, no pudiendo asegurar si reapareció ó fué engullida por el agua.
Y la infeliz mujer, siempre esperando en el puerto con sus dos hijos, tan
pronto desesperada como animándose con extraña esperanza, hasta que por
fin, á los doce días, una escampavía que costeaba persiguiendo el
contrabando, condujo á la playa la barca del tío Pascualo con la quilla al
aire, negra, lustrosa con la viscosidad del mar, flotando lúgu-bremente
como gigantesco ataúd y rodeada de un enjambre de extraños peces,
pequeños monstruos que parecían atraídos por un cebo que husmeaban á
través de las quebrantadas tablas.
Sacaron la barca á la orilla. El mástil estaba roto á ras de la cubierta, la
cala llena de agua; y cuando los pescadores pudieron bajar á ella para
acabar de vaciarla á fuerza de cubos, sus pies hundidos entre las cuerdas y
cestones que aun estaban allí revueltos, tropezaron con algo blando y
viscoso que les hizo gritar con instintivo horror. Era un muerto. Y
hundiendo sus brazos en el agua que quedaba en el fondo de la bodega,
sacaron un cuerpo hinchado, verdoso, con el vientre enorme próximo á
estallar, la cabeza destrozada como repugnante masa, y en todo el cuerpo
mordeduras de voraces pececillos que, no soltando su presa, erizábanse
sobre el cadáver, comunicándole espeluznantes estremecimientos.
Era el tío Pascualo; pero tan horrible, que la viuda prorrumpió en
lamentos, sin atreverse á tocar la masa repugnante. Algún golpe de mar le
había arrojado al fondo de la cala antes que la barca se perdiese, y allí se
quedó con la cabeza destrozada, sirviéndole de tumba el armazón de tablas,
ilusión de toda su vida, que representaba treinta años de economías
amasadas ochavo sobre ochavo.
 Las comadres del Cabañal prorrumpían en lamentos al ver cómo dejaba
el mar á los hombres que tenían el valor de explotarlo, y con sus alaridos de
plañidera acompañaron al cementerio la caja que contenía el cadáver roído
y aplastado.
Durante una semana se habló mucho del tío Pascualo; después la gente
sólo se acordó de él al ver á su viuda, siempre suspirando, con un arrapiezo
de la mano y otro al pecho.
Algo más que la pérdida del marido lloraba la pobre Tona. Veía acercarse
la miseria; pero no una miseria tolerable, sino la que espanta á la misma
pobreza acostumbrada á privaciones; la carencia de hogar, la necesidad de
tender la mano en las calles para conseguir el ochavo ó el mohoso
mendrugo.
Cuando aun estaba reciente su desgracia encontró protección; y las
limosnas, las suscripciones entre el vecindario, pudieron sostenerla durante
tres ó cuatro meses; pero la gente es olvidadiza. Tona ya no fué la viuda del
náufrago, sino una pobre más que importunaba á todos con lamentaciones
pedigüeñas, y al fin vió cerrarse muchas puertas y volverse con desvío caras
amigas que siempre habían tenido para ella cariñosas sonrisas.
Pero no era mujer para amilanarse ante el desvío general. ¡Ea! ya había
llorado bastante. Llegaba el momento de ganarse la vida como una buena
madre que tiene magníficos puños y dos bocas que la piden pan.
No la quedaba en el mundo otra fortuna que la barca rota donde murió su
marido, y que puesta en seco se pudría sobre la arena, unas veces inundada
su cala por las lluvias y otras resquebrajándose su madera con los ardores
del sol, anidando en sus grietas voraces enjambres de mosquitos.
Tona tenía un plan. Donde estaba la barca podía plantear su industria. La
tumba del padre serviría de sustento para ella y los hijos.
Un primo hermano del difunto Pascual, el tío Mariano, solterón que iba
para rico y parecía tener algún cariño á los dos sobrinos, fue, a pesar de su
avaricia, el que ayudó á la viuda en los primeros gastos.
Un costado de la barca fué aserrado hasta el suelo, formando una puerta
con pequeño mostrador. En el fondo de la barca colocáronse algunos
tonelillos de aguardiente, ginebra y vino; la cubierta fué sustituida por un
tejado de tablones embreados que dejaba mayor espacio en el lóbrego
tabuco; á proa y popa, con los tablones sobrantes, formáronse dos agujeros
á modo de camarotes; el uno para la viuda y el otro para los niños, y sobre
la puerta extendióse un tinglado de cañas, bajo el cual mostrábanse con
cierta prosopopeya dos mesillas cojas y hasta media docena de taburetes de
esparto.
La fúnebre barca convirtióse en cafetín de la playa, cerca de la casa
donde están los toros para el arrastre de las embarcaciones, en el punto en
que se descarga el pescado y es mayor la afluencia de gente.
Las comadres del Cabañal estaban asombradas. Tona era el mismo
demonio. ¡Miren qué bien sabía ganarse la vida! Toneles y botellas se
vaciaban que era una bendición de Dios; los pescadores sorbían allí sus
copas sin necesidad de atravesar toda la playa para ir á las tabernas del
Cabañal, y bajo el tinglado, en las cojas mesillas, echaban sus partidas de
truque y flor, esperando la hora de hacerse à la mar y amenizando el juego
con sendos tragos de caña que Tona recibía directamente de la misma Cuba,
según su formal juramento.
La barca en seco navegaba viento en popa. Cuando saltando de ola en
ola arrastraba las redes, jamás había producido tanto al tío Pascual como
ahora, que vieja y con el costillaje quebrantado, la explotaba la viuda.
Pruebas eran de esto las sucesivas transformaciones que iba
experimentando la original instalación. Los agujeros de los dos camarotes
cubríanse con vistosas cortinas de sarga; y cuando éstas se levantaban,
veíanse colchones nuevos y almohadas de blanca funda; sobre el mostrador
brillaba como un bloque de oro la reluciente cafetera; la barca, pintada de
blanco, había perdido el fúnebre aspecto de tumba que recordaba la
catástrofe, y junto á sus costados iban extendiéndose cercas de cañas,
conforme aumentaba la prosperidad del establecimiento. Corrían con
gracioso contoneo sobre la ardiente arena más de veinte gallinas,
capitaneadas por un gallo matón y vocinglero que se las tenía tiesas con
todos los perros vagabundos que correteaban la playa; al través de los
cañizos oíase el gruñido de un cerdo atacado del asma de la obesidad, y
frente al mostrador, bajo el sombrajo, flameaban á todas horas dos fogones,
donde las paellas de arroz burbujeaban su caldo substancioso o el pescado
chirriaba, dorándose entre el azulado vapor del aceite frito. Había allí
prosperidad y abundancia. No era para hacerse ricos, pero se vivía bien. La
Tona sonreía con satisfacción pensando que nada debía y viendo el techo
empavesado de morcillas secas, sobreasadas lustrosas, tiras de negra
mojama y algún jamón espolvoreado con pimiento rojo: los tonelitos llenos
de líquido, las botellas, escalonadas, luciendo licores de color variado, y las
sartenes de diversos tamaños colgadas de la pared, prontas á chillar sobre el
fogón con su cavidad repleta de cosas substanciosas.
¡Y pensar que había pasado hambre en los primeros meses de su viudez!
Por eso, harta y satisfecha, repetía ahora tantas veces la misma afirmación.
Por más que digan, Dios no desampara á las buenas personas.
La abundancia y la falta de cuidados la rejuvenecieron. Engordaba
dentro de su barca con cierto lustre de carnicera ahita; siempre á cubierto
del sol y la humedad, no tenía el color seco y tostado de las que esperaban
en la orilla de la playa, y se presentaba tras el mostrador luciendo sobre la
voluminosa pechuga una colección interminable de pañuelos de tomate y
huevo, complicados arabescos rojos y amarillos tejidos en la sólida seda.
Permitíase lujos de decorado. En el fondo de su tienda, sobre las
maderas blanqueadas, alternaban con los toneles una colección de cromos
baratos con rabiosos colorines que apagaban los de sus vistosos pañuelos; y
los pescadores, mientras bebían bajo el sombrajo, miraban por encima del
mostrador la Cacería del león, La muerte del justo y la del pecador, La
escala de la vida, media docena de santos, entre los cuales no faltaban San
Antonio y el comerciante flaco y el gordo representando al que fía y al que
vende al contado, con la consabida leyenda: «Hoy no se fía aquí, mañana
sí.»
Había para estar satisfecho viendo cómo se criaba la familia sin grandes
privaciones. La tienda siempre adelante, y poco á poco se llenaba de duros
ahorrados una media vieja que ella guardaba en su camarote, entre el piso
de tablas y el grueso colchón.
Algunas veces no podía contenerse, y deseosa de apreciar en conjunto su
fortuna, salía hasta la orilla de la playa. Desde allí contemplaba con ojos
enternecidos el cercado de las gallinas, la cocina al aire libre, la anchurosa
pocilga donde roncaba el sonrosado cerdo, y la barca, que asomaba entre la
aglomeración de cercas y cañares sus dos puntas de deslumbrante blancura,
como embarcación fantástica que, arrastrada por un huracán, hubiese ido á
caer en el corral de una granja.
No por esto se hallaba libre de incomodidades. Dormía poco,
levantábase al amanecer, y muchas veces, á media noche, aporreaban la
puerta de la barca y había que levantarse para servir á los pescadores recién
llegados á la playa, que descargaban su pescado y tenían que hacerse á la
mar antes del alba.
Estas francachelas nocturnas eran las más productivas y las que mayor
cuidado inspiraban á la tabernera. Conocía bien á aquella gente, que
después de pasar una semana sobre las olas, quería en las pocas horas de
holganza gozar de un golpe todos los placeres de la tierra.
Abalanzábanse al vino como mosquitos; los viejos quedábanse
dormitando sobre la mesa con la pipa apagada entre los secos labios; pero
los jóvenes mozetones fornidos, excitados por la vida trabajosa y casta del
mar, miraban á la siñá Tona de modo tal, que ella torcía el gesto con enfado
y se preparaba á rechazar los brutales cariños de aquellos tritones de
camiseta rayada.
Nunca había valido gran cosa; pero su naciente obesidad, los ojazos
negros, que parecían aclarar su rostro moreno y lustroso, y más que todo la
ligereza de ropas con que en verano servía á los nocturnos parroquianos,
hacíanla hermosa para los muchachos rudos que, al poner la proa hacia
Valencia, pensaban con regocijo en que iban á ver á la siñá Tona.
Pero ella era una hembra brava que sabía tratarlos. Jamás se rendía; las
proposiciones audaces las contestaba con gestos de desprecio; los pellizcos
con bofetones, y los abrazos por sorpresa con soberbias patadas, que más de
una vez hicieron rodar por la arena á un mocetón tieso y fuerte como el
mástil de su barca.
Ella no quería líos como muchas otras, ni permitía que le faltasen en
tanto así. Además, era madre, los dos chicos dormían á poca distancia,
separados de ella por un tabique de tablas, al través del cual oía sus
poderosos ronquidos, y sólo estaba para pensar en mantener á la familia.
El porvenir de sus chicos comenzaba á preocuparla. Se habían criado en
la playa como dos gaviotas, anidando en las horas del sol bajo la panza de
las barcas en seco ó correteando por la orilla en busca de conchas y
caracoles, hundiendo sus piernecitas de color de chocolate en las gruesas
capas de algas.
El mayor, Pascualet, era un retrato vivo de su padre. Grueso, panzudo,
carilleno; tenía cierto aire de seminarista bien alimentado, y los pescadores
le llamaron el Retor, apodo que había de conservar toda su vida.
Tenía ocho años más que su hermano Antonio, un muchacho enjuto,
nervioso y dominante, cuyos ojos eran iguales á los de Tona.
 Pascualet fue una verdadera madre para su hermano. Mientras la siñá
Tona atendía á la taberna en los primeros tiempos, que fueron los más
penosos, el bondadoso muchacho cargaba con el hermanito como niñera
cuidadosa, y jugaba con los pilletes de la playa, sin abandonar nunca al
arrapiezo rabioso y pataleante que le martirizaba la espalda y le pelaba el
cogote con sus pellizcos.
Por la noche, en el camarote estrecho de la barca-taberna, para Tonet era
el mejor sitio, y su cachazudo hermano se apelotonaba en un rincón para
dejar espacio á aquel diablejo que, á pesar de su debilidad, le trataba como
un déspota.
Los dos muchachos, arrullados por el sordo oleaje, que en los días de
marea llegaba hasta la misma taberna, y oyendo como el viento del invierno
silbaba al querer introducirse por entre los tablones, dormíanse
estrechamente abrazados bajo la misma colcha. Algunas noches
despertábanse con el ruido de los pescadores, que celebraban su fiesta de
tierra; oían las palabrotas que su madre profería en momentos de
indignación, el sonoro choque de alguna bofetada, y más de una vez el
tabique de su camarote conmovíase con el sordo golpe de un cuerpo falto de
equilibrio; pero volvían á dormirse, poseídos por una ignorancia inocente,
libre de sospechas y alarmas.
La siñá Tona tenía injustas debilidades tratándose de sus hijos. Al
principio de su viudez, cuando por las coches les veía dormir en el angosto
camarote, con las cabecitas juntas, rozando tal vez la misma madera en que
se había aplastado el cráneo de su padre, sentía profunda emoción y lloraba
como si fuera á perderlos dentro del fúnebre armazón de tablas, como ya
había perdido á su Pascual. Pero cuando llegó la abundancia y el tiempo fué
borrando el recuerdo de la catástrofe, la siñá Tona comenzó á mostrar
predilección por su Tonet, criatura de gracia felina, que trataba á todos con
sequedad é imperio, pero que tenía para su madre cariños de gatito travieso.
La viuda entusiasmábase por su Tonet, vagabundo de la playa, que á los
siete años pasaba casi todo el día fuera de la barcaza, correteando con la
granujería y volviendo al anochecer con las ropas rotas y agua y arena en
los bolsillos. Mientras tanto, el mayor, relevado ya de cuidar á su hermano,
pasaba el día en la taberna limpiando vasos, sirviendo á los parroquianos,
dando de comer á las gallinas y al cerdo y vigilando con grave atención las
sartenes que chirriaban en los fogones de la cocina.
 Cuando su madre, soñolienta tras el mostrador en las horas de sol, se
fijaba en Pascualet, experimentaba siempre una violenta sorpresa. Creía ver
a su marido tal como ella le conoció en la infancia cuando era grumete de
barca pescadora. Era su mismo rostro, carrilludo y sonriente, su cuerpo
cuadrado y fornido, sus piernas robustas y cortas y aquel aire de sencillez
honrada, de laboriosidad cachazuda que lo acreditaba ante todos como
hombre de bien.
En lo moral era lo mismo. Muy bondadosote y tímido, pero una
verdadera fiera cuando se trataba de ganar una peseta, y con un cariño loco
por la mar, madre fecunda de los hombres valientes que saben pedirla el
sustento.
Á los trece años ya no podía conformarse á seguir en la taberna. Dábalo
á entender con palabras sueltas, con frases truncadas y algo incoherentes,
que era lo único que podía salir de su dura mollera. Él no había nacido para
servir en la taberna. Era faena demasiado cómoda; eso para su hermano,
que no mostraba gran afición al trabajo. Él era fuerte, le gustaba el mar y
quería ser pescador como su padre.
La siñá Tona se asustaba al oírle, y en su memoria resucitaba la horrible
catástrofe del día de Cuaresma. Pero el chico era testarudo. Aquellas
desgracias no pasaban todos los días, y ya que tenía vocación, debía seguir
el oficio de su padre y de su abuelo, como muchas veces se lo había dicho
el tío Borrasca, un viejo patrón de barcas, gran amigo del tío Pascualo.
Por fin la madre cedió cuando iba a comenzar la temporada de la pesca
del bòu, y Pascualet se enganchó con el tío Borrasca como grumete ó gato
de barca, teniendo como salario la comida y la propiedad de todos los
cabets, ó sea el pescado menudo que saliese en las redes, camarones,
caballitos de mar, etc.
El aprendizaje comenzó bien. Hasta entonces le habían vestido con la
ropa vieja de su padre, pero la siñá Tona quiso que entrase con cierta
dignidad en su nuevo oficio, y una tarde, cerrando la taberna, fueron al
Grao á un bazar del puerto, donde vendían ropas hechas para los marineros.
Pascualet recordó durante muchos años la tal tienda, que le parecía el
santuario del lujo. Los ojos se le fueron tras los chaquetones azules, los
impermeables de amarillo hule, las enormes botas de aguas, prendas todas
que sólo usaban los patrones, y salió orgulloso con su hatillo de grumete,
compuesto de dos camisas mallorquinas, tiesas, ásperas y burdas, como si
fuesen de papel de lija; una faja de lana negra, un traje completo de bayeta,
de un amarillo rabioso; una barretina roja para calársela hasta el cuello en el
mal tiempo y gorra de seda negra para bajar a tierra. Por fin, le vestían a su
medida; ya no tendría que luchar con las chaquetas de su padre, que en los
días de viento se hinchaban como velas, haciéndole correr por la playa más
aprisa que quería. De zapatos no había que hablar. Él no recordaba haber
metido jamás en tal tormento sus ágiles pies.
No se equivocaba el muchacho al decir que había nacido para el mar. En
la barca del tío Borrasca se encontraba mucho mejor que en la otra
encallada en la arena, junto á la cual gruñía el cerdo y cacareaban las
gallinas. Trabajaba mucho, y además de su pitanza percibía algunos
puntapiés del viejo patrón, cariñoso en tierra, pero que una vez sobre su
barca no respetaba ni á su mismo padre. Trepaba al mástil á poner el farol ó
arreglar una cuerda con la ligereza de un gato; ayudaba á tirar de las redes
cuando llegaba el momento de chorrar; baldeaba la cubierta, alineaba en la
cala los grandes cestos del pescado y soplaba el fogón, cuidando de que el
caldero estuviera siempre en su punto para que no se quejara la gente de á
bordo. Pero como compensación á estos trabajos, ¡cuántas satisfacciones!
Al terminar el patrón y los suyos la comida que él y otro gato de la barca
presenciaban inmóviles y respetuosos, dejábanles las sobras a los chicos, y
los dos sentábanse a proa con el negro caldero entre las piernas y un pan
bajo del brazo. Ellos sacaban la mejor parte, y cuando las cucharas
tropezaban ya con el fondo, entonces entraba la rebañadura mendrugo en
mano, hasta que el metal quedaba limpio y brillante, como si acabasen de
fregarlo.
Después venía el huroneo en busca del vino que la tripulación había
dejado olvidado en el fondo del porrón de lata; y los gatos, si no había
trabajo, tendíanse como unos príncipes en la proa, con la camisa fuera de
los pantalones y la panza al aire, arrullados por el cabeceo de la barca y las
cosquillas de la brisa.
Tabaco no faltaba, y el tío Borrasca dábase á todos los demonios viendo
con qué rapidez desaparecía de los bolsillos de su chaquetón unas veces la
alguilla de Argel y otras la picadura de la Habana, según la calidad del
último alijo hecho en el Cabañal.
Aquella vida era inmejorable para Pascualet, y cada vez que bajaba á
tierra, su madre le veía más robusto, más recocido por el sol y tan
bondadosote como siempre, á pesar de su continuo roce con los gatos de
barca, pilletes precoces capaces de las mayores malicias y que al hablar
echaban á las narices ajenas el humo de una pipa casi tan grande como
ellos.
Las rápidas apariciones en la taberna eran lo único que hacía á la siñá
Tona acordarse de su hijo mayor.
La tabernera mostrábase preocupada. Pasaba los días enteros en su
barcaza, sola, como si no tuviese hijos. El Retor estaba en el mar ganándose
su parte de cabets, para después, en los días de fiesta, llegar muy ufano á
entregar á su madre tres ó cuatro pesetas, que eran el jornal de la semana, y
el otro, el pequeño, aquel Tonet de piel de diablo, había salido un bohemio
incorregible, que sólo volvía a casa acosado por el hambre.
Juntábase con la pillería de la playa, un tropel de chicuelos que no sabían
más de sus padres que los perros vagabundos que les acompañaban en sus
correteos por la arena; nadaba como un pez, y en verano zambullíase en el
puerto, mostrando con impudor tranquilo su cuerpo enjuto y rojizo para
coger con la boca piezas de dos cuartos que le arrojaban los paseantes.
Presentábase por la noche en la taberna con el pantalón roto y la cara
arañada; su madre le había sorprendido varias veces amorrado con delicia al
tonelillo del aguardiente, y una tarde tuvo que ponerse el mantón é ir á la
capitanía del puerto para pedir con lágrimas y lamentos que le soltasen,
prometiendo que ella le quitaría el feo vicio de arañar en el interior de las
cajas de azúcar depositadas en el muelle.
Era una alhaja el tal Tonet. ¡Dios mío! ¿Á quién se parecía? Era una
vergüenza que de padres tan honrados saliese un muchacho así; un pillete
que, teniendo en su casa comida abundante, pasaba el tiempo huroneando
por cerca de los vapores que venían de Escocia, aguardando un descuido de
los descargadores para echar á correr con un bacalao bajo del brazo. Un hijo
así iba á ser su castigo. Doce años á la espalda y sin afición al trabajo ni el
menor respeto á su madre, á pesar de los rabos de escoba que le había roto
en las costillas.
Y la siñá Tona hacía confidente de sus desdichas á Martínez, un
carabinero joven que estaba de servicio en aquella parte de la playa, y
pasaba las horas del calor sentado bajo el sombrajo de la taberna, con el
fusil entre las rodillas, mirando vagamente el límite del mar, con el oído
atento á las eternas lamentaciones de la tabernera.
 El tal Martínez era andaluz, de Huelva; un muchacho guapo y esbelto,
que llevaba con mucha marcialidad el uniforme viejo de servicio y se
atusaba al hablar el rubio bigote con expresión distinguida.
La siñá Tona le admiraba. Las personas que son finas no lo pueden
ocultar; á la legua se las conoce.
Y además, ¡qué gracia en el lenguaje! ¡qué términos tan escogidos
gastaba! Bien se conocía que era hombre leído. Como que había estudiado
muchos años en el Seminario de su provincia; y si ahora se veía así era
porque, no queriendo ser cura y deseando ver mundo, había reñido con su
familia, sentando plaza, para venir al fin á meterse en carabineros.
La tabernera oíale embobada contar su historia con aquel pesado ceceo
de andaluz sin gracia; y cuando tenía que hablarle, empleaba en justa
reciprocidad un castellano grotesco é ininteligible, que hubiese hecho reír
en el mismo Cabañal.
—Mire osté, siñor Martines: mi chico me tiene loca con todas esas
burrás que hase. Lo que yo li digo: ¿Te hase falta algo, condenat? ¿Pues
entonses por qué te ajuntas con esa pillería pollosa? Osté, siñor Martines,
que tiene tanta labia, hágali miedo. Dígali que se lo llevará á Valensia para
meterlo en la cársel si no es buen chico.
Y el siñor Martines prometía hacerle miedo al travieso pillete, y hasta le
sermoneaba con la cara muy fosca, logrando que Tonet, al menos por un
rato, permaneciese encogido y como aterrado por el uniforme de aquel
hombre y el terrible fusil, que no se separaba nunca de sus manos.
Estos pequeños servicios introducían á Martínez en la vida de familia,
haciéndole intimar cada vez más con la siñá Tona. Allí le guisaban la
comida; allí pasaba casi todo el día, y más de una vez la tabernera se prestó
gustosa á zurcirle la ropa blanca y á pegarle botones en prendas interiores.
¡Pobre siñor Martines! ¿Qué sería de un joven tan fino sin una persona
como ella? Iría roto y abandonado como un perdido, y esto, francamente, no
podía consentirlo una persona de buen corazón.
En las tardes del verano, cuando el sol caía de lleno sobre la desierta
playa sacando reflejos de incendio de la tostada arena, bajo del sombrajo de
cañas ocurría siempre la misma escena. Martínez, sentado en un taburete de
esparto, cerca del mostrador, leía á su autor favorito, Pérez Escrich, en
tomos abultados y mugrientos, con las puntas roídas, que habían corrido
toda la costa, pasando de unos carabineros á otros.
 La siñá Tona no se equivocaba. De aquellos librotes, que la inspiraban el
supersticioso respeto del que no sabe leer, era de donde sacaba Martínez las
palabritas sonoras y rebuscadas, aquella filosofía moral que la conmovía.
Y desde el otro lado del mostrador, cosiendo á tientas, sin saber lo que
hacía, contemplaba fijamente á Martínez, dedicando media hora á su fino y
rubio bigote y no menos tiempo á apreciar cómo tenía la nariz ó con qué
exquisito gusto se abría la raya, aplanando en ambos lados el dorado
cabello.
Algunas veces, al volver la página, levantaba Martínez la cabeza, y
sorprendiendo los negros ojazos de Tona fijos en él, ruborizábase y seguía
leyendo.
La tabernera reprendíase después por tales contemplaciones. ¿Pero qué
era aquello?... En la vida se le había ocurrido, viviendo su Pascual, mirarle
detenidamente para apreciar cómo tenía la cara. Y ahora se estaba ella como
una boba horas y más horas comprometiéndose con una contemplación de
la que no podía librarse. ¿Qué diría la gente al saberlo?... Indudablemente le
tenia ley a aquel hombre.... ¡Claro!... ¡Era tan fino y tan guapo!... ¡Hablaba
tan bien!...
Pero era un disparate todo aquello. Ella ya iba para los cuarenta; no se
acordaba con exactitud, pero debía estar en los treinta y siete o cosa así; y él
no pasaba de los veinticuatro... Pero ¡qué demonio! aunque le llevase
algunos años, ella no estaba mal; encontrábase bien conservada, y si no, que
lo dijera la gentuza de las barcas que tanto la importunaba. Además, aquel
pensamiento no sería ningún disparate, ya que la gente se adelantaba
suponiéndolo; y lo mismo los carabineros amigos de Martínez que las
pescaderas que iban á la playa, daban á entender sus maliciosas
suposiciones con indirectas demasiado directas.
Al fin ocurrió lo que todos esperaban. La siñá Tona, para aturdirse,
argüía a sus escrúpulos que sus hijos necesitaban un padre, y nadie mejor
que Martínez; y la valerosa amazona, que aporreaba á los rudos pescadores
á la menor audacia, se entregó voluntariamente, teniendo que vencer la
cortedad de aquel muchachote tímido. De ella partió la iniciativa, y
Martínez se dejó arrastrar con su sumisión de hombre superior que,
pensando en cosas más altas, permite que en los asuntos terrenales le
manejen como un autómata.
 El suceso se hizo público. La misma siñá Tona no se enojaba de ello;
antes bien, deseaba que fuera bien sabido que la casa tenía amo. Cuando la
llamaba al Cabañal alguna ocupación, dejaba la taberna al cuidado de
Martínez, que, como en tiempos pasados, seguía sentado bajo el sombrajo
mirando al mar con el fusil entre las rodillas.
Hasta los dos chicos parecían enterados de la novedad, El Retor, al bajar
á tierra, miraba á hurtadillas á su madre con cierto asombro y mostrábase
tímido y vergonzoso en presencia del mocetón rubio y uniformado, al que
encontraba siempre en la taberna; pero el otro muchacho, Tonet, delataba en
su sonrisa maliciosa que todo aquel suceso había sido objeto de maliciosos
comentarios en las reuniones de los pillos de la playa, y en vez de asustarse
como antes con los sermones del carabinero, contestábale con muecas y se
alejaba dando saltos y haciendo cabriolas sobre la arena, como en señal de
desprecio.
Aquella temporada fué para Tona una luna de miel en plena madurez de
su vida. Parecíale ahora su matrimonio con Pascual una monótona
servidumbre. Amaba con vehemencia al carabinero, con la explosión de
cariño propia de una mujer que va hacia el ocaso; y cegada por esta pasión,
hacia alarde de ella, sin importarle lo que murmurase la gente. ¿Y qué?...
Que dijesen lo que quisieran. Otras hacían peor que ella, y la que hablase
sería por envidia, al ver que se llevaba un buen mozo.
Martínez, siempre con su aire de soñador, dejábase mimar y acariciar
como un hombre que todo lo merece; gozaba de gran prestigio entre sus
compañeros y superiores, pues podía disponer del cajón de la taberna y
hasta de aquella media repleta de duros que tantas veces se le clavaba en el
costado al tenderse en el colchón del camarote.
Por evitarse tal vez esta molestia, se dió prisa á vaciarla, sin que la siñá
Tona protestase. ¿No había de ser su marido? Pues suyo era aquel dinero.
Mientras la taberna marchase bien, ella no debía quejarse.
Pero cuatro ó cinco meses después llegó un día en que la Tona se puso
seria.
Martínez, siñor Martines, baje usted de esa nebulosa altura en que vive
su pensamiento. Dígnese escuchar á la Tona. ¿No la oye usted? Que es
preciso arreglar la situación. Que las cosas no pueden quedar así. Que hay
que justificar lo que venga, y una mujer honrada, madre de dos hijos, no
puede serlo de tres sin un hombre que saque la cara diciendo: «Esta es mi
obra.»
Y Martínez contestó ¡bueno! á todo, aunque torciendo el gesto
dolorosamente, como si acabase de sufrir un tremendo batacazo, cayendo
de las alturas ideales en que se refugiaba como hombre no comprendido,
para soñar en la probabilidad de ser general, jefe de Estado y otras muchas
cosas, como los personajes de sus novelas favoritas.
Pediría los papeles para el casamiento, pero tendrían que esperar, porque
Huelva está lejos.
Y Tona esperó, siempre con el pensamiento puesto en Huelva, tierra
remota, que por su cuenta debía estar en los alrededores de Cuba ó
Filipinas.
Pero el tiempo pasaba y la cosa iba haciéndose urgente.
Martínez, siñor Martines, que sólo faltan dos meses; que á la Tona le es
imposible ocultar por más tiempo lo que viene, y la gente se va enterando.
¡Qué dirán los chicos al verse con un nuevo hermano!... Pero Martínez
protestaba. No era suya la culpa. Bien veía ella las muchas cartas que
escribía para activar el envío de los papeles.
Por fin, un día el carabinero declaró que iba á emprender el viaje á su
tierra y traerse los malditos documentos, para lo cual tenía ya el permiso de
sus jefes.
Muy bien: aquella resolución le gustaba á la siñá Tona. Y para ayuda del
viaje le entregó toda la plata que tenía en el cajón del mostrador, lo peinó
por última vez, lloró un poco y ¡hasta la vista! ¡Buen viaje!
La pobre Tona ya no vió más al siñor Martines. Entre los carabineros
que pasaban la playa no faltó una buena alma que tuvo el gusto de decirla la
verdad.
No había tal viaje á Huelva. Las cartas que escribía Martínez iban á
Madrid, pidiendo que lo trasladasen á un punto lejano, pues los aires de
Valencia no le probaban. Y efectivamente, lo habían trasladado á la
comandancia de la Coruña.
La siñá Tona creyó volverse loca. ¡Ladrón, más que ladrón! ¡Miren el
mosquita muerta!... Fíese usted de esas personas de mucha labia. ¡Pagarle
así á ella... á ella, que le hubiese dado hasta el último céntimo, y que le
peinaba bajo el tinglado en las horas de siesta tan amorosamente como si
fuese su madre!
Pero toda la desesperación de la pobre mujer no impidió que saliese á luz
lo que tan urgente hacía el matrimonio; y á los pocos meses la siñá Tona
despachaba copas tras el mostrador, enseñando su pecho voluminoso de
vaca rolliza, y agarrada al obscuro pezón una niña blanca, enteca, de ojos
azules y cabeza rubia y voluminosa, que parecía una bola de oro.

III
Pasaron los años sin que sufriese la menor alteración en su monótona
vida la familia que se albergaba en la barca convertida en taberna.
El Retor era todo un marinero, fornido, cachazudo, bravo en el peligro.
De gato había ascendido á ser el tripulante de más confianza en la barca del
tío Borrasca, y cada mes solía entregar á su madre cuatro ó cinco duros de
ahorros para que los guardase.
Tonet no hacía carrera. Entre él y su madre habíase entablado una lucha:
Tona buscándole oficios, y él abandonándolos á los pocos días. Fué una
semana aprendiz de zapatero; navegó poco más de dos meses con el tío
Borrasca en calidad de gato, pero el patrón se cansó de pegarle, sin
conseguir que le obedeciese; después intentó hacerse tonelero, que era el
más seguro de los oficios, pero el maestro le echó á la calle, y por fin á los
diez y siete años se metió en una còlla del puerto, cuadrilla de
descargadores de buques, en la que trabajaba hasta dos veces por semana, y
esto de mala voluntad.
Pero su vagancia y sus malas costumbres encontraban excusa á los ojos
de la siñá Tona, cuando ésta le contemplaba en los días de fiesta (que eran
los más para aquel bigardo) con la gorra de seda de hinchado plato sobre el
rostro moreno, en el que comenzaba á apuntar el bigote; la chaqueta de
lienzo azul ajustada al esbelto tronco y la faja de seda obscura ceñida sobre
la camiseta de franela á cuadros negros y verdes.
Daba gloria ser madre de un mozo así. Iba á ser otro pillo como aquel
Martínez de infausta memoria; pero más salao, más audaz y travieso, y de
ello daban fe las chicas del Cabañal, que se lo disputaban por novio.
Tona regocijábase al saber el aprecio en que tenían á su hijo, y estaba
enterada de todas sus aventuras. ¡Lástima que le tirase tanto el maldito
aguardiente! Era todo un hombre; no como el cachazudo de su hermano,
que no se alteraba aunque le pasase un carro por encima.
Una tarde de domingo, en la taberna de Las buenas costumbres, título
terriblemente irónico, se tiró los vasos á la cabeza con los de una còlla de
cargadores que trabajaban más barato, y cuando entraron los carabineros á
poner paz, pilláronle faca en mano persiguiendo por entre las mesas á los
contrarios.
Más de una semana lo tuvieron encerrado en el calabozo de la casa
capitular; las lágrimas de la siñá Tona y las influencias del tío Mariano, que
era muñidor en las elecciones, consiguieron sacarle á flote; pero tanto le
corrigió el arresto, que en la misma noche de su libertad sacó otra vez la
dichosa faca contra dos marineros ingleses que, después de beber con él,
intentaron boxearle.
Era el gallito del Cabañal. Faena poca; pero una verdadera fiera para
resistir las noches de borrasca, de taberna en taberna, no presentándose en
la de su madre en semanas enteras.
Tenía su poquito de amores serios con cierta intimidad, que para muchos
olía á matrimonio anticipado. Su madre no estaba conforme con tales
relaciones. No quería una princesa para su Tonet, pero la hija de Paella el
tartanero le parecía poca cosa. La tal Dolores era descarada como una
mona; muy guapa, sí señor, pero capaz de comerse á la pobre suegra que
tuviese que aguantarla.
Era natural que fuese así. Se había criado sin madre, al lado del tío
Paella, un borrachón que daba traspiés al amanecer cuando enganchaba la
tartana y á quien el vino tenía consumido, engordándole únicamente la
nariz, siempre en creciente por las rojas hinchazones.
Era un mal hombre que gozaba la peor fama. Toda su parroquia la tenía
en Valencia en el barrio de Pescadores. Cuando llegaba barco inglés se
ofrecía como un sinvergüenza á los marineros para llevarles á sitios de
confianza, y en las noches de verano cargaba su tartana de chicuelas con
blancos matinées, mejillas embadurnadas y flores en la cabeza,
conduciéndolas con sus amigos á los merenderos de la playa, donde se
corrían juergas hasta el amanecer, mientras que él, alejado, sin abandonar el
látigo ni el porrón de vino, se emborrachaba, mirando paternalmente á las
que llamaba su ganado.
 Y lo peor era que no se recataba ante su hija. Hablábala con los mismos
términos que si fuera una de sus parroquianas; su vino locuaz sentía la
necesidad de contarlo todo, y la pequeña Dolores, encogida, lejos de los
agresivos pies de su padre, con los ojos desmesuradamente abiertos y en
ellos una expresión de curiosidad malsana, oía el brutal soliloquio del tío
Paella, que se relataba á sí mismo todas las porquerías é infamias
presenciadas durante el día.
Y así fué criándose Dolores. ¡Vaya, que lo que aquella chica ignorase!...
Por eso Tona no la podía admitir como nuera. Si no se había perdido ahora
que comenzaba á ser una mujer guapa, era porque algunas vecinas le
aconsejaban bien; pero aun así, la muchacha también daba sus escándalos
con Tonet, que entraba en casa de su novia como si fuese el amo. Comía
con ella, aprovechándose de que el tartanero no volvía hasta muy entrada la
noche, y Dolores le repasaba la ropa y hasta hurgaba en los bolsillos del tío
Paella para dar dinero al novio, lo que hacía lanzar al borracho un vómito
interminable de injurias contra la falsa amistad, creyendo que en los
momentos de alcohólica turbación le robaban las pesetas sus compinches de
taberna.
Era un secuestro en regla el que hacía aquella chica, y Tonet, lentamente,
una pieza hoy y otra mañana, fué trasladando toda su ropa desde la taberna
de la playa á la casa del tartanero.
La siñá Tona se quedaba sola. El Retor estaba siempre en el mar
persiguiendo la peseta, como él decía, unas veces pescando y otras
enganchándose como marinero en algún laúd de los que iban por sal á
Torrevieja; Tonet, corriendo tabernas ó metido en casa del tío Paella, y ella
aviejándose tras el mostrador de su tiendecilla, sin otra compañía que
aquella chicuela rubia, á la que quería de un modo raro, con intermitencias,
pues era el viviente recuerdo del pillo de Martínez. ¡Ojalá se lo haya
llevado el demonio!...
Decididamente Dios sólo protegía á temporadas á las personas buenas.
Los tiempos presentes no eran ya los de la primera época de su viudez.
Otras barcas viejas varadas en la playa habían sido convertidas en
tabernas; los pescadores tenían donde escoger, y además ella envejecía y la
gente de mar no mostraba tantos deseos de beber, requebrándola.
Resultado: que aunque la tabernilla conservaba sus antiguos
parroquianos, sólo se sacaba de ella lo preciso para vivir, y Tona más de una
vez contempló de lejos su blanca barcaza, considerando melancólicamente
el fogón apagado, la cerca casi derribada, tras la cual no gruñía el blanco
cerdo esperando la matanza anual, y la media docena de gallinas que
picoteaban tristemente en la desierta arena.
Pasó el tiempo para ella con lenta monotonía, sumida en una estúpida
somnolencia, de la que la sacaban únicamente las diabluras de Tonet ó la
contemplación de un retrato del siñor Martines, puesto de uniforme, que
ella conservaba colgado en su camarote con cierto refinamiento cruel, como
para recordarse la debilidad pasada.
La pequeña Roseta, la chicuela caída en la barca por obra y gracia del
pillo carabinero, apenas si merecía la atención de su madre. Criábase como
una bestiezuela bravía. Por la noche Tona había de ir en su busca para
encerrarla en la barca, después de darla una terrible zurra, y durante el día
presentábase cuando la aguijoneaba el hambre.
¡Todo sea por Dios! La tal chiquilla era una nueva cruz que había de
arrastrar la pobre Tona.
Huraña y amiga de la soledad, tendíase en la arena mojada, cogiendo
conchas y caracoles ó amontonando algas. Á veces pasaba horas enteras
con los ojos azules fijos en el infinito, en una inmóvil vaguedad de
hipnótica, mientras la brisa salobre arremolinaba sus pelillos rubios,
enroscados y tiesos como culebras, ó hacía ondear el viejo refajo, que
dejaba al descubierto las piernecitas entecas, de una blancura deslumbrante,
en cuyas extremidades el ardor del sol había suplido la falta de medias
tostando la piel con un color rojo.
Allí se estaba horas y más horas con el vientre hundido en la arena
mojada, que cedía bajo su peso, acariciado el rostro por la delgadísima capa
de agua que avanzaba y retrocedía sobre el reluciente suelo con las
ondulaciones caprichosas del moaré.
Era una bohemia incorregible. Lo que decía Tona: De tal palo, tal
astilla. También el granuja de su padre se pasaba las horas muertas
embobado ante el horizonte, como si soñara despierto y sin servir para otra
cosa.
Si ella tuviera que vivir de lo que trabajase su hija, estaba arreglada.
¡Criatura más desmañada y perezosa!... En la taberna rompía vasos y platos
al intentar limpiarlos; quemábase el pescado en la sartén si ella cuidaba del
fogón, y al fin su madre tenía que dejarla corretear por la playa ó que fuese
á la costura del Cabañal. Á temporadas dominábala un deseo loco de
aprender, y se escapaba, exponiéndose á una paliza, para ir en busca de la
maestra; pero poco después huía de la escuela, cuando su madre mostrábase
conforme en que asistiera á ella.
En verano únicamente ayudaba a la pobre Tona. El lucro uníase á su afán
de correteo sin objeto, y cargada con un cántaro tan grande como ella, iba
vaso en mano por la playa de los baños ó pasaba audazmente por entre los
lujosos carruajes que rodaban por el muelle, mirando á todas partes con sus
ojazos soñadores, agitando la maraña de rubios pelos y gritando con su voz
débil: ¡Al aigua fresqueta! sacada de la fuente del Gas.
Unas veces con esto y otras con el cesto de caña lleno de galletas, que
pregonaba con tono melancólico: ¡Salaes y dolses! Roseta conseguía
entregar á su madre por las noches unos dos reales, lo que aclaraba un poco
el gesto fosco de Tona, á la que los malos negocios iban haciendo egoísta.
Y así creció Roseta; siempre en huraño aislamiento, acogiendo con
serenidad amenazante las palizas de su madre; odiando á Tonet, que nunca
se había fijado en ella; sonriendo algunas veces al Retor, que cuando bajaba
á tierra solía tirarle amistosamente de los retorcidos pelos, y despreciando á
la pillería de la playa, de la cual alejábase con un airecillo de reina
orgullosa.
Tona acabó por no ocuparse de la chiquilla, á pesar de ser la única
compañera en aquella vivienda, que en las tardes del invierno parecía estar
en pleno desierto. Tonet y la hija del tartanero eran su continua
preocupación.
Aquella perdida habíase propuesto robarle toda su familia. Ya no se
contentaba con Tonet, y éste llevaba á casa de Dolores á su hermano el
Retor, el cual, al saltar á tierra, pasaba como rápida exhalación por la
tabernilla de la playa, yendo á descansar en casa del tartanero, donde
resultaba para los novios un testigo poco molesto.
Pero en realidad lo que incomodaba á Tona más que la influencia que
Dolores ejercía sobre sus hijos, era que veía desvanecerse un plan que
acariciaba hacía mucho tiempo.
Tenía pensado el matrimonio de Tonet con la hija de una antigua amiga.
Como guapa, no podía compararse con la endemoniada hija del
tartanero; pero la siñá Tona se hacía lenguas de su bondad (la condición de
los seres insignificantes) y se callaba lo más importante, ó sea que Rosario,
la muchacha en quien había puesto los ojos, era huérfana; sus padres habían
tenido en el Cabañal una tiendecita, de la que se surtía la tabernera, y ahora,
después de su muerte, le quedaba á la hija casi una fortuna; lo menos tres ó
cuatro mil duros.
¡Y cómo quería á Tonet la pobrecita! Al encontrarle en las calles del
Cabañal, le saludaba siempre con una de sus sonrisas de cordera mansa, y
pasaba las tardes en la playa gozándose en hablar con la siñá Tona, tan sólo
porque era la madre del gallito bravo que traía revuelta toda la población.
Pero del muchacho no podía esperarse cosa buena. Ni la misma Dolores,
con tener sobre él tan absoluto poderío, lograba domarlo cuando le soplaba
la racha de las locuras, y á lo mejor desaparecía semanas enteras,
sabiéndose después, por referencias, que había estado en Valencia
durmiendo de día en alguna casa del barrio de Pescadores,
emborrachándose de noche, aporreando á sus embrutecidas compañeras de
hospedaje y gastándose en orgías de pirata hambriento lo que ganaba en
alguna timba de calderilla.
En una de esas escapatorias fué cuando come tió el gran disparate, que
costó á su madre un mes de llantos é innumerables alaridos. Tonet, con
otros amigotes, sentó plaza en la marina de guerra. Estaban hastiados de la
vida del Cabañal; les resultaba desabrido el vino de las tabernas.
Y llegó el día en que el endiablado muchacho, vestido de azul, con la
blanca gorrilla ladeada y el saco de ropa al hombro, se despidió de Dolores
y de su madre para ir á Cartagena, donde estaba el buque á que iba
destinado.
¡Anda con Dios! Mucho le quería la siñá Tona, pero al fin podía
descansar. Por quien más lo sentía era por la pobre Rosario, que, siempre
calladita y humilde, iba á coser en la playa en compañía de Roseta y
preguntaba con emocionada timidez á la siñá Tona si había recibido carta
del marinero.
Así pasó el tiempo, siguiendo ellas desde la barcaza de la playa todos los
viajes y estaciones que hacía la Villa de Madrid, fragata en la que iba Tonet
como marinero de primera.
¡Qué emoción cuando caía sobre el mostrador de húmedos tablones el
estrecho sobre, pegado unas veces con roja oblea y otras con miga de pan,
con su complicada dirección en letras gruesas: «Para la siñora Tona la del
cafetín, junto á la casa dels bòus!»
 Un perfume raro, exótico, que hablaba á los sentidos de vegetaciones
desconocidas, mares tempestuosos, costas envueltas en celajes de rosa y
cielos de fuego, parecía salir de las groseras envol turas de papel; y las tres
mujeres, leyendo y releyendo las cuatro carillas, soñaban con países
desconocidos, viendo con la imaginación los negros de la Habana, los
chinos de Filipinas y las modernas ciudades del Sur de América.
¡Qué chico aquel! ¡Cuánto tendría que contar cuando volviese! Tal vez
había sido un bien que cometiera la calaverada de marcharse; así sentaría la
cabeza. Y la siñá Tona, poseída de nuevo por aquella preferencia que la
hacía idolatrar á su hijo menor, pensaba con cierto despecho en que su
Tonet, el gallito bravo, estaba sometido á la rígida disciplina de á bordo,
mientras que el otro, el Retor, el que ella tenía por un infeliz, marchaba
viento en popa y era casi un prohombre en el gremio de la pesca.
Iba siempre á partir con el dueño de su barca; tenía sus secretos con el
tío Mariano, aquel personaje al que recurría Tona en todos sus apuros. En
fin, que ganaba dinero, y la siñá Tona se daba á todos los demonios viendo
que no traía un cuarto á casa y apenas si por ceremonia iba á sentarse un
rato bajo el toldo de la tabernilla.
En otra parte le guardaban los ahorros; ¿y dónde había de ser? en casa de
Dolores, de la gran maldecida; que sin duda les había dado á sus hijos
polvos seguidores, pues corrían á ella como perros sumisos.
Allí estaba metido el Retor, como si en casa del tartanero se le perdiera
algo al gran babieca. ¿No sabía que Dolores era para el otro? ¿No veía las
cartas de Tonet y las contestaciones que ella hacía escribir á algún vecino?
Pero el muy tonto, sin hacer caso de las burlas de su madre, allí permanecía,
usurpando poco á poco el puesto de su hermano, sin que pareciera darse
cuenta de sus avances. Dolores tenía con él las mismas atenciones que con
Tonet. Le arreglaba la ropa y le guardaba los ahorros, cosa que no le ocurría
con el otro despilfarrador.
Un día murió el tío Paella. Lo trajeron á casa destrozado por las ruedas
de su tartana. La borrachera le había hecho caer de su asiento, y murió
como hombre consecuente, agarrado al látigo, que no abandonaba ni para
dormir, sudando aguardiente por todos los poros y con la tartana llena de
parroquianas pintarrajeadas, á las que él llamaba su ganado.
Á Dolores no le quedaba otro arrimo que su tía Picores la pescadera,
protectora poco envidiable, pues hacía el bien á bofetadas.
 Y entonces, á los dos años de estar ausente Tonet, fué cuando circuló la
gran noticia. Dolores y el Retor se casaban. ¡Gran Dios! ¡Qué ruido produjo
la noticia en el Cabañal! La gente decía que era ella la que se había
declarado al novio, añadiendo otros detalles más fuertes que hacían reír.
Á Tona había que oirla. Aquella siñora de la herradura se había
empeñado en meterse en la familia, é iba á conseguirlo. Ya sabía lo que se
hacía la muy tunanta. Un marido bobalicón que se matase trabajando era lo
que le convenía. ¡Ah ladrona! ¡Cómo había sabido coger el único de la
familia que ganaba dinero!
Pero la reflexión egoísta hizo callar poco después á la siñá Tona. Mejor
era que se casasen. Esto simplificaba la situación y favorecía sus planes.
Tonet se casaría con Rosario. Y aunque á regañadientes, se dignó asistir á la
boda y llamar filla mehua al hermoso culebrón, que tan fácilmente dejaba á
unos para tomar á otros.
Á todos preocupaba lo que diría Tonet al saber la noticia. ¡Bonito genio
tenía el marinero! Y por esto la sorpresa fué general al saberse que había
contestado dándolo todo por bien hecho. Sin duda, la ausencia y los viajes
le habían cambiado, hasta el punto de parecerle muy natural que Dolores se
casase, ya que le faltaba arrimo. Además—como él decía—, para que
cayese en otro, mejor era que se casara con su hermano, que era un buen
muchacho.
Y tan razonable como en sus cartas se mostró el marinero cuando, con la
licencia en el bolsillo y el saco del equipaje á cuestas, se presentó en el
Cabañal, asombrando á todos con su gallardo porte y el rumbo con que
gastaba el puñado de pesetas que le habían entregado como alcances del
servicio.
Saludó á Dolores como una buena hermana. ¡Qué demonio! De lo
pasado no había que acordarse. Él también había hecho de las suyas en sus
viajes. Y no se preocupó gran cosa de ella ni del Retor, atento á gozar el
aura de popularidad que le proporcionaba su regreso.
Noches enteras pasaba la gente al fresco, sentada en sillas bajas ó en el
suelo, frente á la puerta de la antigua casa de Paella, donde ahora vivía el
Retor, oyendo con arrobamiento al marinero la descripción de extraños
países, en la cual intercalaba graciosas mentiras para mayor asombro de los
papanatas que le admiraban.
 Comparado con los pescadores rudos y embrutecidos por el trabajo, ó
con sus antiguos compañeros en la descarga, Tonet aparecía ante las
muchachas del Cabañal como un aristócrata, con su palidez morena, el
bigotillo erizado, las manos limpias y cuidadas y la cabeza aceitosa y bien
peinada, con la raya en medio y dos puntitas pegadas á la frente asomando
bajo la gorra de seda.
La siñá Tona estaba satisfecha de su hijo. Reconocía que era tan pillo
como antes, pero sabía vivir mejor, y bien se conocía que le había
aprovechado la dura existencia del barco. Era el mismo; pero la ruda
disciplina militar había pulido su exterior de burdas asperezas: si bebía no
se emborrachaba; seguía echándola de guapo, aunque sin llegar á ser
pendenciero, y ya no buscaba realizar sus caprichos de aturdido, sino
satisfacer sus egoísmos de vividor.
Por esto acogió benévolamente todas las proposiciones de su madre.
¿Casarse con Rosario? Conforme; era una buena chica; además, tenía un
capitalito que podía hacer mucho en manos de un hombre inteligente, y esto
era lo que él deseaba.
Un hombre, después de servir en la marina real, no podía dignamente
cargarse sacos en el muelle. Todo antes que eso.
Y con gran alegría de la siñá Tona, se casó con Rosario. Todo iba bien.
¡Qué hermosa pareja! Ella, pequeñita, tímida, sumisa, creyendo en él á ojos
cerrados; Tonet, soberbio en su fortuna, tieso, como si bajo la camisa de
franela llevase una coraza hecha con los miles de duros de su mujer;
dispensando protección á todos y dándose la vida de un prohombre, en el
café tarde y noche, fumando la pipa y luciendo altas botas impermeables en
los días de lluvia.
Dolores le veía sin mostrar la menor emoción. Únicamente en sus ojos
de soberana brillaban puntos de oro, chispas delatoras del ardor de
misteriosos deseos.
Pasó un año de felicidad. El dinero, amasado ochavo sobre ochavo en la
mísera tiendecita donde nació Rosario, escapábase locamente por entre los
dedos de Tonet; pero llegó el momento de verle el fondo al saco, como
decía la tabernera de la playa al reprender las prodigalidades de su hijo.
Comenzaron los apuros, y con ellos la discordia, el llanto y hasta las
palizas en casa de Tonet. Ella se agarró á la cesta del pescado, como lo
hacían todas las vecinas. De su fama de rica descendió á la vida
embrutecedora y fatigosa de pescadera de las más pobres. Levantábase poco
después de media noche; esperaba en la playa con los pies en los charcos y
el cuerpo mal cubierto por el viejo mantón, que muchas veces ondeaba con
el viento de tempestad; iba á pie á Valencia, abrumada por el peso de las
banastas; volvía por la tarde á su casa desfallecida por el hambre y el
cansancio, pero se tenía por feliz si podía mantener al señor en su antiguo
boato y evitarle toda humillación que se tradujera en maldiciones y
alborotos.
Para que Tonet pasase la noche en el café, en la tertulia de maquinistas
de vapor y patrones de barca, ahogaba muchas mañanas en la Pescadería su
hambre rabiosa, excitada ante los humeantes chocolates y las chuletas
entrepanadas que veía sobre las mesas de sus compañeras.
Lo importante era que nada faltase al ídolo, pronto siempre á enfadarse y
á maldecir la perra suerte de su casamiento, y á la pobre mujercita, cada vez
más flaca y derrotada, le parecían insignificantes todas sus miserias,
siempre que al señor no le faltase la peseta para el café y el dominó, la
comida abundante y las camisetas de franela bien vistosas para seguir
sosteniendo la antigua fama. Algo caro le costaba; ella envejecía antes de
los treinta años, pero podía lucir como propiedad exclusiva el mejor mozo
del Cabañal.
El infortunio les aproximaba al Retor, al otro matrimonio que subía y
subía por el camino de la prosperidad, mientras ellos rodaban cabeza abajo.
Los hermanos deben ayudarse en los malos trances; nada más natural, y
por esto Rosario, aunque á regañadientes, iba á casa de Dolores y consentía
que Tonet reanudase una amistad íntima con su cuñada. Esto la
atormentaba, pero no había que reñir: se disgustaba el Retor, y él era el que
muchas semanas mantenía al matrimonio cuando no había pescado para
vender ó el vago de gentil aspecto no lograba ganarse algún duro
interviniendo en los pequeños negocios propios de los puertos de mar.
Pero llegó el momento en que las dos mujeres, que se odiaban,
cansáronse de fingir.
Después de cuatro años de matrimonio, Dolores resultó encinta. El Retor
sonreía como un bendito al dar á todo el mundo la fausta noticia, y las
vecinas alegrábanse también, pero de un modo maligno. Era pura sospecha,
pero se comentaba la coincidencia de aquel embarazo tardío con la época en
que Tonet mostró mayor apego á la casa de su hermano, pasando en ella
más tiempo que en el café.
Las dos cuñadas riñeron con toda la franqueza salvaje de sus caracteres;
entre ellas marcóse eterna división, y en adelante sólo visitó Tonet la casa
del Retor, lo que indignaba á Rosario, haciendo que las riñas conyugales
terminasen siempre con bárbaras palizas.
Y de este modo transcurrió el tiempo. Rosario, afirmando que el
chiquillo de Dolores tenía la misma cara de Tonet; éste siempre á remolque
de su hermano mayor, que sentía por él la debilidad de otros tiempos, y á
pesar de su espíritu económico se dejaba saquear por aquel vago; y la
hermosa hija del tío Paella burlábase de su cuñada la tísica, la pava,
gozándose en insultar su pobreza, su vida trabajosa, y haciendo alarde del
poderío que tenía sobre Tonet, el cual, como en otros tiempos, iba tras ella,
dominado y sumiso como un perro.
Un hálito de perpetua guerra, de burlona insolencia, parecía ir desde la
antigua casa del tío Paella, restaurada y embellecida, á la barraca miserable
de techo desvencijado donde Rosario se había refugiado empujada por la
miseria. Las buenas vecinas, con la más santa de las intenciones, se
encargaban de circular las insolencias é insultos, llevando y trayendo
recados.
Cuando Rosario, roja de indignación y con los ojos llorosos, necesitaba
desahogo y consuelo, iba á la playa, á la barcaza-taberna, que adquiría un
color sombrío y parecía envejecer como su dueña. Allí la oían
silenciosamente, moviendo su cabeza, con expresión de desconsuelo, la
siñá Tona y Roseta, las cuales, á pesar de su íntimo parentesco, vivian con
huraña hostilidad, no coincidiendo más que en su despreciativo odio á los
hombres. La barca que les servía de madriguera era como un observatorio,
desde el que contemplaban lo que ocurría entre las dos familias.
¡Los hombres! ¡Vaya una gentuza! La siñá Tona lo afirmaba, mirando de
soslayo el retrato del carabinero, que parecía presidir la taberna. Todos eran
unos granujas, que no valían ni el cordel para ahorcarlos. Y Roseta, con sus
ojazos verde mar, límpidos y serenos de virgen que todo lo sabe y está
curada de espanto, murmuraba con expresión soñadora:
—Y el que no es granuja, es com el Retor: un bestia.

IV
 Aunque el día era de invierno, picaba tanto el sol, que el Retor y Tonet
estaban en la playa, agazapados á la sombra de un laúd viejo encallado en la
arena. Tiempo les quedaba de tostarse cuando saliesen al mar.
Los dos hablaban lentamente, como adormecidos por el brillo y el calor
de la playa. ¡Vaya un día hermoso! Parecíales imposible que estuviesen en
vísperas de Semana Santa, época de los aguaceros y de los repentinos
temporales.
El cielo, inundado de luz, tenía un tinte blanquecino; como copos de
espuma caídos al azar, bogaban por él algunos jirones de vapor plateado, y
de la arena caldeada salía un vaho húmedo que envolvía los objetos lejanos,
haciendo temblar sus contornos.
La playa estaba en reposo. La casa dels bòus, donde rumiaban en sus
establos los enormes bueyes para el arrastre de las barcas, alzaba su
cuadrada mole con rojizo tejado y azules cuadrantes en sus paredes sobre
las largas filas de barcas puestas en seco, que formaban en la orilla una
ciudad nómada con calles y encrucijadas; algo semejante á un campamento
griego de la edad heroica, donde las birremes puestas en seco servían de
trincheras.
Los mástiles latinos, inclinados graciosamente hacia la proa con sus
puntas gruesas y romas, formaban un bosque de lanzas; entrecruzábanse las
embreadas cuerdas, como lianas y trepadoras de aquella selva de palos; bajo
las gruesas velas caídas en las cubiertas, rebullía toda una población anfibia,
al aire las rojizas piernas, con la gorra calada hasta las orejas, repasando las
redes ó atizando el fogón, en el que burbujeaba el suculento caldo de
pescado, y sobre la ardiente arena descansaban las ventrudas quillas
pintadas de blanco ó azul, como panzas de monstruos marinos tendidos
voluptuosamente bajo las caricias del sol.
Reinaba en esta población improvisada, tal vez deshecha á la noche para
esparcirse por la inmensidad de la faja azul que cerraba el horizonte, el
orden y la simetría de una ciudad moderna tirada á cordel.
En primera fila, junto á las olas que se adelgazaban como láminas de
cristal sobre los arabescos de arena, estaban las barcas pequeñas, las que
pescan al volantí, pequeños y airosos esquifes, que parecían la vistosa
pollada de las grandes barcas alineadas detrás, parejas del bòu con idéntica
altura é iguales colores.
 En la última fila estaban los veteranos de la playa, los barcos viejos, con
el vientre abierto, mostrando por los negros rasguños las carcomidas
costillas, con el mismo aire de tristeza de los caballos de plaza de toros,
como si pensasen en la ingratitud humana, que abandona á la vejez.
Ondeaban izadas en los mástiles las redes rojizas puestas á secar, las
camisetas de franela, los calzones de bayeta amarilla, y por encima de este
vistoso empavesado pasaban las gaviotas trazando círculos, como si
estuvieran borrachas de sol, hasta que se dejaban caer por un instante en el
mar azul y tranquilo, agitado por leves estremecimientos é hirviente con
burbujas luminosas bajo el calor del mediodía.
El Retor hablaba del tiempo, paseando sus ojos amarillentos de buey
manso sobre el mar y la costa.
Seguía con la vista las puntiagudas velas que corrían por la línea verdosa
del horizonte como alas de palomas que bebían allá lejos, y después miraba
la costa, que se encorvaba formando golfo, con su orla de masas verdes y
blancos caseríos: las colinas del Puig, enormes tumefacciones de la playa
baja que invadía el mar en sus ratos de cólera; el castillo de Sagunto,
enroscando sus ondeados baluartes sobre la larga montaña de un suave
color de caramelo, y desde allí, tierra adentro y cerrando el horizonte, la
dentellada cordillera, oleaje de rojo granito que, con sus crestas inmóviles,
parecía lamer el cielo.
Ya estaban en el buen tiempo. El Retor era quien lo afirmaba, y sabido
era en el Cabañal que en estas cuestiones había heredado el acierto de su
patrón, el tío Borrasca. Aun quedaban para la próxima semana algunas
tormentas, pero serían poca cosa: había que dar gracias á Dios porque el
mal tiempo acababa pronto, y los hombres honrados podrían ganarse el pan
sin miedo.
Y hablaba con lentitud, mascando la negra tagarnina de contrabando y
sumiéndose en el majestuoso silencio de la playa. Algunas veces, sobre el
lento susurro del agua tranquila, destacábase la voz lejana de una
muchacha, como si saliera de bajo de la tierra, entonando una canción de
monótona cadencia; sonaba lentamente el ¡oh... oh, isa! de unos cuantos
muchachos que tiraban de un pesado mástil al compás de la soñolienta
exclamación; gritaban como pájaros desde las cubiertas de las barcas las
mujeres desgreñadas, llamando á comer á los gatos, que estaban en los
establos contemplando los bueyes; sonaban los pesados mazos de los
Welcome to our website – the perfect destination for book lovers and
knowledge seekers. We believe that every book holds a new world,
offering opportunities for learning, discovery, and personal growth.
That’s why we are dedicated to bringing you a diverse collection of
books, ranging from classic literature and specialized publications to
self-development guides and children's books.

More than just a book-buying platform, we strive to be a bridge

connecting you with timeless cultural and intellectual values. With an
elegant, user-friendly interface and a smart search system, you can
quickly find the books that best suit your interests. Additionally,
our special promotions and home delivery services help you save time
and fully enjoy the joy of reading.

Join us on a journey of knowledge exploration, passion nurturing, and

personal growth every day!

ebookbell.com