Hacking Exposed

Hacking Exposed

5.0 5
by George Kurtz, Joel Scambray
This one-of-a-kind book provides in-depth expert insight into how hackers infiltrate e-business,and how they can be stopped.

In today's round-the-clock,hyper-connected,all-digital economy,computer security is everyone's business. Hacking Exposed: Network Security Secrets & Solutions,Second Edition brings even more in-depth insight into how hackers infiltrate


This one-of-a-kind book provides in-depth expert insight into how hackers infiltrate e-business,and how they can be stopped.

In today's round-the-clock,hyper-connected,all-digital economy,computer security is everyone's business. Hacking Exposed: Network Security Secrets & Solutions,Second Edition brings even more in-depth insight into how hackers infiltrate e-business,and how they can be stopped. Security insiders Stuart McClure,Joel Scambray,and George Kurtz present more than 220 all-new pages of technical detail and case studies in an easy-to-follow style. The world of Internet security moves even faster than the digital economy,and all of the brand-new tools and techniques that have surfaced since the publication of the best-selling first edition are covered here. Use the real-world countermeasures in this one-of-a-kind volume to plug the holes in your network today—before they end up in the headlines tomorrow.

New and Updated Material: Brand new "Hacking the Internet User" chapter covers insidious Internet client attacks against web browsers,email software,and active content,including the vicious new Outlook email date field buffer overflow and ILOVEYOU worms.

A huge new chapter on Windows 2000 attacks and countermeasures covers offline password database attacks and Encrypting File System (EFS) vulnerabilities.

Coverage of all the new Distributed Denial of Service (DDoS) tools and techniques that almost broke down the Internet in February 2000 (Trinoo,TFN2K,Stacheldraht).

Significantly updated e-commerce hacking methodologies including new IIS and Cold Fusion vulnerabilities.

A revised and updated dial-up chapter with new material onPBX and voicemail system hacking.

New network discovery tools and techniques,including an updated section on Windows-based scanners,how to carry out eavesdropping attacks on switched networks using ARP redirection,and RIP spoofing attacks.

Coverage of new back doors and forensic techniques,including defenses against Win9x back doors like Sub7.

Updated coverage of security attacks against Windows 9x,Windows Me,Windows 2000,Windows NT,UNIX,Linux,NetWare,and dozens of other platforms,with appropriate countermeasures.

Editorial Reviews

This edition contains more than 200 new pages of what customers want -- in-depth insight into how hackers infiltrate networks and strategies to stop them. It includes a brand-new foreword written by a prominent security expert.
Gregory V. Wilson
Hacking Exposed: Network Security Secrets & Solutions, by Joel Scambray, Stuart McClure, and George Kurtz, really should have been called "Hacking Surveyed." Either way, it's a good reference for both programmers and system administrators. The authors' aim is to describe every major network security hole in every widely used operating system, and to explain what can be done to plug each one. Want to know about Windows 98 Trojans? Or brute force attacks against rsh on UNIX? This book describes these, and many others, and includes links (some of them already 404'd) to software and other reference materials. I expect that only the truly hardcore (on either side of the fence) will read the whole book, but anyone responsible for system security will find plenty to browse through.
Electronic Review of Computer Books

Product Details

Publication date:
Edition description:
Older Edition
Product dimensions:
7.50(w) x 9.25(h) x 1.47(d)

Read an Excerpt

Chapter 8: Hacking UNIX

Some feel drugs are about the only thing more addicting than obtaining root access on a UNIX system. The pursuit of root access dates back to the early days of UNIX, so we need to provide some historical background on its evolution.

The Quest for Root

In 1969, Ken Thompson, and later Dennis Ritchie, of AT&T decided that the MULTICS (Multiplexed Information and Computing System) project wasn't progressing as fast as they would have liked. Their decision to "hack up" a new operating system called UNIX forever changed the landscape of computing. UNIX was intended to be a powerful, robust, multiuser operating system that excelled at running programs, specifically, small programs called tools. Security was not one of UNIX's primary design characteristics, although UNIX does have a great deal of security if implemented properly. UNIX's promiscuity was a result of the open nature of developing and enhancing the operating system kernel, as well as the small tools that made this operating system so powerful. The early UNIX environments were usually located inside Bell Labs or in a university setting where security was controlled primarily by physical means. Thus, any user who had physical access to a UNIX system was considered authorized. In many cases, implementing root-level passwords was considered a hindrance and dismissed.

While UNIX and UNIX-derived operating systems have evolved considerably over the past 30 years, the passion for UNIX and UNIX security has not subsided. Many ardent developers and code hackers scour source code for potential vulnerabilities. Furthermore, it is a badge of honor to post newly discovered vulnerabilities to security mailing lists such as Bugtraq. In this chapter, we will explore this fervor to determine how and why the coveted root access is obtained. Throughout this chapter, remember that in UNIX there are two levels of access: the all-powerful root and everything else. There is no substitute for root!

A Brief Review

You may recall that we discussed in Chapters 1 through 3 ways to identify UNIX systems and enumerate information. We used port scanners such as nmap to help identify open TCP/UDP ports as well as to fingerprint the target operating system or device. We used rpcinfo and showmount to enumerate RPC service and NFS mount points, respectively. We even used the all-purpose netcat (nc) to grab banners that leak juicy information such as the applications and associated versions in use. In this chapter, we will explore the actual exploitation and related techniques of a UNIX system. It is important to remember that footprinting and network reconnaissance of UNIX systems must be done before any type of exploitation. Footprinting must be executed in a thorough and methodical fashion to ensure that every possible piece of information is uncovered. Once we have this information, we need to make some educated guesses about the potential vulnerabilities that may be present on the target system. This process is known as vulnerability mapping.

Vulnerability Mapping

Vulnerability mapping is the process of mapping specific security attributes of a system to an associated vulnerability or potential vulnerability. This is a critical phase in the actual exploitation of a target system that should not be overlooked. It is necessary for attackers to map attributes such as listening services, specific version numbers of running servers (for example, Apache 1.3.9 being used for HTTP and sendmail 8.9.10 being used for SMTP), system architecture, and username information to potential security holes. There are several methods attackers can use to accomplish this task:

  • Manually map specific system attributes against publicly available sources of vulnerability information such as Bugtraq, Computer Emergency Response Team advisories (www.cert.org), and vendor security alerts. Although this is tedious, it can provide a thorough analysis of potential vulnerabilities without actually exploiting the target system.

  • Use public exploit code posted to various security mailing lists and any number of web sites, or write your own code. This will determine the existence of a real vulnerability with a high degree of certainty.

  • Use automated vulnerability scanning tools to identify true vulnerabilities. Respected commercial tools include the Internet Scanner from Internet Security Systems (www.iss.net) or CyberCop Scanner from Network Associates (www.nai.com). On the freeware side, Nessus (www.nessus.org) and SAINT (http://www.wwdsi.com/saint/) show promise.

    All these methods have their pros and cons; however, it is important to remember that only uneducated attackers known as "script kiddies" will skip the vulnerability mapping stage by throwing everything and the kitchen sink at a system to get in without knowing how and why an exploit works. We have witnessed many real-life attacks where the perpetrators were trying to use UNIX exploits against a Windows NT system. Needless to say, these attackers were inexpert and unsuccessful. The following list summarizes key points to consider when performing vulnerability mapping:

  • Perform network reconnaissance against the target system.
  • Map attributes such as operating system, architecture, and specific versions of listening services to known vulnerabilities and exploits.
  • Perform target acquisition by identifying and selecting key systems.
  • Enumerate and prioritize potential points of entry.


    The remainder of this chapter is broken into two major sections, remote and local access. Remote access is defined as gaining access via the network (for example, a listening service) or other communication channel. Local access is defined as having an actual command shell or login to the system. Local access attacks are also referred to as privilege escalation attacks. It is important to understand the relationship between remote and local access. There is a logical progression where attackers remotely exploit a vulnerability in a listening service and then gain local shell access. Once shell access is obtained, the attackers are considered to be local on the system. We try to logically break out the types of attacks that are used to gain remote access and provide relevant examples. Once remote access is obtained, we explain common ways attackers escalate their local privileges to root. Finally, we explain information-gathering techniques that allow attackers to garner information about the local system so that it can be used as a staging point for additional attacks. It is important to remember that this chapter is not a comprehensive book on UNIX security; for that we refer you to Practical UNIX & Internet Security by Simson Garfinkel and Gene Spafford. Additionally, this chapter cannot cover every conceivable UNIX exploit and flavor of UNIX-that would be a book in itself. Rather, we aim to categorize these attacks and to explain the theory behind them. Thus, when a new attack is discovered, it will be easy to understand how it works, though it was not specifically covered. We take the "teach a man to fish and feed him for life" approach rather than the "feed him for a day" approach.


    As mentioned previously, remote access involves network access or access to another communications channel, such as a dial-in modem attached to a UNIX system. We find that analog/ISDN remote access security at most organizations is abysmal. We are limiting our discussion, however, to accessing a UNIX system from the network via TCP/IP. After all, TCP/IP is the cornerstone of the Internet, and it is most relevant to our discussion on UNIX security.

    The media would like everyone to believe that there is some sort of magic involved with compromising the security of a UNIX system. In reality, there are three primary methods to remotely circumventing the security of a UNIX system:

    1. Exploiting a listening service (for example, TCP/UDP)
    2. Routing through a UNIX system that is providing security between two or more networks
    3. User-initiated remote execution attacks (for example, hostile web site, Trojan horse email, and so on)

    Let's take a look at a few examples to understand how different types of attacks fit into the preceding categories.

  • Exploit a Listening Service Someone gives you a user ID and password and says, "break into my system." This is an example of exploiting a listening service. How can you log in to the system if it is not running a service that allows interactive logins (telnet, ftp, rlogin, or ssh)? What about when the latest wuftp vulnerability of the week is discovered? Are your systems vulnerable? Potentially, but attackers would have to exploit a listening service, wuftp, to gain access. It is imperative to remember that a service must be listening to gain access. If a service is not listening, it cannot be broken into remotely.

    Route Through a UNIX System Your UNIX firewall was circumvented by attackers. How is this possible? you ask. We don't allow any inbound services, you say. In many instances attackers circumvent UNIX firewalls by source routing packets through the firewall to internal systems. This feat is possible because the UNIX kernel had IP forwarding enabled when the firewall application should have been performing this function. In most of these cases, the attackers never actually broke into the firewall per se; they simply used it as a router.

  • User-Initiated Remote Execution Are you safe because you disabled all services on your UNIX system? Maybe not. What if you surf to www.evilhacker.org and your web browser executes malicious code that connects back to the evil site? This may allow evilhacker.org to access your system. Think of the implications of this if you were logged in with root privileges while web surfing. What if your sniffer is susceptible to a buffer overflow attack (http://www.wOOwOO.org/advisories/snoop.html)?

    Throughout this section, we will address specific remote attacks that fall under one of the preceding three categories. If you have any doubt about how a remote attack is possible, just ask yourself three questions:

    1. Is there a listening service involved?
    2. Does the system perform routing?
    3. Did a user or a user's software execute commands that jeopardized the security of the host system?

    You are likely to answer yes to at least one question....

  • Videos

    Meet the Author

    Joel Scambray is Managing Principal, Stuart McClure is President/CTO, and George Kurtz is CEO of Foundstone Inc., a premier security consulting and training company. They have promoted information system security over a combined fifteen years of consulting and training for Fortune 500 companies, and in forums ranging from Stuart and Joel's weekly "Security Watch" column for InfoWorld, to George's renowned Black Hat Conference presentations.

    Customer Reviews

    Average Review:

    Write a Review

    and post it to your social network


    Most Helpful Customer Reviews

    See all customer reviews >

    Hacking Exposed 5 out of 5 based on 0 ratings. 5 reviews.
    Guest More than 1 year ago
    This is very 'warez' book I've ever read. The coolest way for hacking and protecting your awsome server.
    Guest More than 1 year ago
    This is the best book for people who wish to become hackers or for people who want to be safe from them. This is a real good it is worth every penny a MUST BUY! What are you waiting for buy this book and be safe! You may think your safe but your not wait until you buy this book and see how safe you will be!
    Guest More than 1 year ago
    Guest More than 1 year ago
    This is a great book that teaches the reader not only how to hack a certain vulnerbility, but also how to fix it so it doesn't happen to you. The second edition is great, better than the first. It includes a whole new chapter, 'Hacking the Internet User,' and win2k exploits.
    Guest More than 1 year ago
    The first edition was a great book, explaining how people use trojans and different scripts to break into networks, but this one is even better. It not only has better coverage of things from the first book, it includes great exploits for Win2k