Hacking Exposed




This one-of-a-kind book provides in-depth expert insight into how hackers infiltrate e-business, and how they can be stopped.

In today's round-the-clock, hyper-connected, all-digital economy, computer security is everyone's business. Hacking Exposed: Network Security Secrets & Solutions, Second Edition brings even more in-depth insight into how hackers infiltrate e-business, and how they can be stopped. Security insiders Stuart McClure, Joel Scambray, and George Kurtz present more than 220 all-new pages of technical detail and case studies in an easy-to-follow style. The world of Internet security moves even faster than the digital economy, and all of the brand-new tools and techniques that have surfaced since the publication of the best-selling first edition are covered here. Use the real-world countermeasures in this one-of-a-kind volume to plug the holes in your network today—before they end up in the headlines tomorrow.

New and Updated Material:

  • Brand new "Hacking the Internet User" chapter covers insidious Internet client attacks against web browsers, email software, and active content, including the vicious new Outlook email date field buffer overflow and ILOVEYOU worms.
  • A huge new chapter on Windows 2000 attacks and countermeasures covers offline password database attacks and Encrypting File System (EFS) vulnerabilities.
  • Coverage of all the new Distributed Denial of Service (DDoS) tools and techniques that almost broke down the Internet in February 2000 (Trinoo, TFN2K, Stacheldraht).
  • Significantly updated e-commerce hacking methodologies including new IIS and Cold Fusion vulnerabilities.
  • A revised and updated dial-up chapter with new material on PBX and voicemail system hacking.
  • New network discovery tools and techniques, including an updated section on Windows-based scanners, how to carry out eavesdropping attacks on switched networks using ARP redirection, and RIP spoofing attacks.
  • Coverage of new back doors and forensic techniques, including defenses against Win9x back doors like Sub7.
  • Updated coverage of security attacks against Windows 9x, Windows Me, Windows 2000, Windows NT, UNIX, Linux, NetWare, and dozens of other platforms, with appropriate countermeasures.


Editorial Reviews

From Barnes & Noble
This edition contains more than 200 new pages of what customers want -- in-depth insight into how hackers infiltrate networks and strategies to stop them. It includes a brand-new foreword written by a prominent security expert.
Gregory V. Wilson
Hacking Exposed: Network Security Secrets & Solutions, by Joel Scambray, Stuart McClure, and George Kurtz, really should have been called "Hacking Surveyed." Either way, it's a good reference for both programmers and system administrators. The authors' aim is to describe every major network security hole in every widely used operating system, and to explain what can be done to plug each one. Want to know about Windows 98 Trojans? Or brute force attacks against rsh on UNIX? This book describes these, and many others, and includes links (some of them already 404'd) to software and other reference materials. I expect that only the truly hardcore (on either side of the fence) will read the whole book, but anyone responsible for system security will find plenty to browse through.
Electronic Review of Computer Books

Product Details

  • ISBN-13: 9780072127485
  • Publisher: McGraw-Hill/Osborne Media
  • Publication date: 10/3/2000
  • Edition description: Older Edition
  • Edition number: 2
  • Pages: 736
  • Product dimensions: 1.46 (w) x 7.50 (h) x 9.25 (d)

Meet the Author

Joel Scambray is Managing Principal, Stuart McClure is President/CTO, and George Kurtz is CEO of Foundstone Inc., a premier security consulting and training company. They have promoted information system security over a combined fifteen years of consulting and training for Fortune 500 companies, and in forums ranging from Stuart and Joel's weekly "Security Watch" column for InfoWorld, to George's renowned Black Hat Conference presentations.

Read an Excerpt

Chapter 8: Hacking UNIX

Some feel drugs are about the only thing more addicting than obtaining root access on a UNIX system. The pursuit of root access dates back to the early days of UNIX, so we need to provide some historical background on its evolution.

The Quest for Root

In 1969, Ken Thompson, and later Dennis Ritchie, of AT&T decided that the MULTICS (Multiplexed Information and Computing System) project wasn't progressing as fast as they would have liked. Their decision to "hack up" a new operating system called UNIX forever changed the landscape of computing. UNIX was intended to be a powerful, robust, multiuser operating system that excelled at running programs, specifically, small programs called tools. Security was not one of UNIX's primary design characteristics, although UNIX does have a great deal of security if implemented properly. UNIX's promiscuity was a result of the open nature of developing and enhancing the operating system kernel, as well as the small tools that made this operating system so powerful. The early UNIX environments were usually located inside Bell Labs or in a university setting where security was controlled primarily by physical means. Thus, any user who had physical access to a UNIX system was considered authorized. In many cases, implementing root-level passwords was considered a hindrance and dismissed.

While UNIX and UNIX-derived operating systems have evolved considerably over the past 30 years, the passion for UNIX and UNIX security has not subsided. Many ardent developers and code hackers scour source code for potential vulnerabilities. Furthermore, it is a badge of honor to post newly discovered vulnerabilities to security mailing lists such as Bugtraq. In this chapter, we will explore this fervor to determine how and why the coveted root access is obtained. Throughout this chapter, remember that in UNIX there are two levels of access: the all-powerful root and everything else. There is no substitute for root!

A Brief Review

You may recall that we discussed in Chapters 1 through 3 ways to identify UNIX systems and enumerate information. We used port scanners such as nmap to help identify open TCP/UDP ports as well as to fingerprint the target operating system or device. We used rpcinfo and showmount to enumerate RPC services and NFS mount points, respectively. We even used the all-purpose netcat (nc) to grab banners that leak juicy information such as the applications and associated versions in use. In this chapter, we will explore the actual exploitation and related techniques of a UNIX system. It is important to remember that footprinting and network reconnaissance of UNIX systems must be done before any type of exploitation. Footprinting must be executed in a thorough and methodical fashion to ensure that every possible piece of information is uncovered. Once we have this information, we need to make some educated guesses about the potential vulnerabilities that may be present on the target system. This process is known as vulnerability mapping.

Vulnerability Mapping

Vulnerability mapping is the process of mapping specific security attributes of a system to an associated vulnerability or potential vulnerability. This is a critical phase in the actual exploitation of a target system that should not be overlooked. It is necessary for attackers to map attributes such as listening services, specific version numbers of running servers (for example, Apache 1.3.9 being used for HTTP and sendmail 8.9.10 being used for SMTP), system architecture, and username information to potential security holes. There are several methods attackers can use to accomplish this task:

  • Manually map specific system attributes against publicly available sources of vulnerability information such as Bugtraq, Computer Emergency Response Team advisories (www.cert.org), and vendor security alerts. Although this is tedious, it can provide a thorough analysis of potential vulnerabilities without actually exploiting the target system.
  • Use public exploit code posted to various security mailing lists and any number of web sites, or write your own code. This will determine the existence of a real vulnerability with a high degree of certainty.
  • Use automated vulnerability scanning tools to identify true vulnerabilities. Respected commercial tools include the Internet Scanner from Internet Security Systems (www.iss.net) or CyberCop Scanner from Network Associates (www.nai.com). On the freeware side, Nessus (www.nessus.org) and SAINT (http://www.wwdsi.com/saint/) show promise.

All these methods have their pros and cons; however, it is important to remember that only uneducated attackers known as "script kiddies" will skip the vulnerability mapping stage by throwing everything and the kitchen sink at a system to get in without knowing how and why an exploit works. We have witnessed many real-life attacks where the perpetrators were trying to use UNIX exploits against a Windows NT system. Needless to say, these attackers were inexpert and unsuccessful. The following list summarizes key points to consider when performing vulnerability mapping:

  • Perform network reconnaissance against the target system.
  • Map attributes such as operating system, architecture, and specific versions of listening services to known vulnerabilities and exploits.
  • Perform target acquisition by identifying and selecting key systems.
  • Enumerate and prioritize potential points of entry.
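As an added illustration of the mapping step (example code written for this page, not from the book): a small Python script that turns banner-grabbed service versions, such as the Apache 1.3.9 and sendmail 8.9.10 examples above, into a prioritized list of potential issues by checking them against a local advisory table, the way a defender would reconcile an asset inventory with Bugtraq or CERT records. Every advisory record, advisory identifier, fixed version and banner in it is constructed sample data, not a real advisory.

```python
"""Vulnerability mapping helper (added example, not from the book).
Maps banner-derived product/version pairs to a local advisory table, the
step the chapter describes doing by hand against Bugtraq and CERT. All
advisory records, ids and banners here are CONSTRUCTED sample data."""
import re
from collections import namedtuple

# fixed_in = first version NOT affected; anything older is flagged.
Advisory = namedtuple("Advisory", "advisory_id product fixed_in severity")

# Constructed advisory table: placeholder ids, made-up fixed versions.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "apache", "1.3.12", "medium"),
    Advisory("ADV-EXAMPLE-002", "sendmail", "8.10.0", "high"),
    Advisory("ADV-EXAMPLE-003", "wu-ftpd", "2.6.1", "high"),
]
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Banner patterns, matching the banner styles the chapter cites
# (Apache 1.3.9 for HTTP, sendmail 8.9.10 for SMTP) plus wu-ftpd.
BANNER_PATTERNS = [
    ("apache", re.compile(r"Apache/(\d+(?:\.\d+)+)")),
    ("sendmail", re.compile(r"Sendmail (\d+(?:\.\d+)+)", re.IGNORECASE)),
    ("wu-ftpd", re.compile(r"wu-(\d+(?:\.\d+)+)")),
]

def parse_version(text):
    """'8.9.10' -> (8, 9, 10): tuples compare numerically, so 8.9.10 < 8.10.0,
    which a plain string comparison gets wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def parse_banner(port, banner):
    """Return {'port', 'product', 'version'} for a recognised banner, else None."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return {"port": port, "product": product, "version": match.group(1)}
    return None

def build_inventory(banners):
    """Split {port: banner} into parsed services and ports needing manual review;
    an unrecognised banner is reported, never silently dropped."""
    services, unrecognised = [], []
    for port, banner in banners.items():
        parsed = parse_banner(port, banner)
        if parsed is None:
            unrecognised.append(port)
        else:
            services.append(parsed)
    return services, unrecognised

def map_vulnerabilities(services, advisories=ADVISORIES):
    """Return potential issues, highest severity first, then by port number."""
    findings = []
    for svc in services:
        for adv in advisories:
            if adv.product != svc["product"]:
                continue
            if parse_version(svc["version"]) < parse_version(adv.fixed_in):
                findings.append({"port": svc["port"], "product": adv.product,
                                 "version": svc["version"],
                                 "advisory_id": adv.advisory_id,
                                 "severity": adv.severity})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["port"]))
    return findings

# Constructed banners of the kind a netcat banner grab returns.
SAMPLE_BANNERS = {
    25: "220 mail.example.test ESMTP Sendmail 8.9.10/8.9.3; Fri, 6 Oct 2000 09:12:44",
    80: "HTTP/1.0 200 OK\r\nServer: Apache/1.3.9 (Unix)",
    21: "220 ftp.example.test FTP server (Version wu-2.6.1(1)) ready.",
    22: "SSH-1.99-OpenSSH_2.2.0",
}

if __name__ == "__main__":
    services, unrecognised = build_inventory(SAMPLE_BANNERS)
    for finding in map_vulnerabilities(services):
        print(finding)
    print("banners needing manual review on ports:", unrecognised)
```

Note that wu-ftpd 2.6.1 is not flagged because it equals the constructed fixed version, and the unparsed SSH banner is listed for manual review rather than dropped.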

Remote Access Versus Local Access

The remainder of this chapter is broken into two major sections, remote and local access. Remote access is defined as gaining access via the network (for example, a listening service) or other communication channel. Local access is defined as having an actual command shell or login to the system. Local access attacks are also referred to as privilege escalation attacks. It is important to understand the relationship between remote and local access. There is a logical progression where attackers remotely exploit a vulnerability in a listening service and then gain local shell access. Once shell access is obtained, the attackers are considered to be local on the system. We try to logically break out the types of attacks that are used to gain remote access and provide relevant examples. Once remote access is obtained, we explain common ways attackers escalate their local privileges to root. Finally, we explain information-gathering techniques that allow attackers to garner information about the local system so that it can be used as a staging point for additional attacks. It is important to remember that this chapter is not a comprehensive book on UNIX security; for that we refer you to Practical UNIX & Internet Security by Simson Garfinkel and Gene Spafford. Additionally, this chapter cannot cover every conceivable UNIX exploit and flavor of UNIX; that would be a book in itself. Rather, we aim to categorize these attacks and to explain the theory behind them. Thus, when a new attack is discovered, it will be easy to understand how it works, though it was not specifically covered. We take the "teach a man to fish and feed him for life" approach rather than the "feed him for a day" approach.

Remote Access

As mentioned previously, remote access involves network access or access to another communications channel, such as a dial-in modem attached to a UNIX system. We find that analog/ISDN remote access security at most organizations is abysmal. We are limiting our discussion, however, to accessing a UNIX system from the network via TCP/IP. After all, TCP/IP is the cornerstone of the Internet, and it is most relevant to our discussion on UNIX security.

The media would like everyone to believe that there is some sort of magic involved with compromising the security of a UNIX system. In reality, there are three primary methods to remotely circumventing the security of a UNIX system:

1. Exploiting a listening service (for example, TCP/UDP)
2. Routing through a UNIX system that is providing security between two or more networks
3. User-initiated remote execution attacks (for example, hostile web site, Trojan horse email, and so on)

Let's take a look at a few examples to understand how different types of attacks fit into the preceding categories.

  • Exploit a Listening Service Someone gives you a user ID and password and says, "break into my system." This is an example of exploiting a listening service. How can you log in to the system if it is not running a service that allows interactive logins (telnet, ftp, rlogin, or ssh)? What about when the latest wuftp vulnerability of the week is discovered? Are your systems vulnerable? Potentially, but attackers would have to exploit a listening service, wuftp, to gain access. It is imperative to remember that a service must be listening to gain access. If a service is not listening, it cannot be broken into remotely.

  • Route Through a UNIX System Your UNIX firewall was circumvented by attackers. How is this possible? you ask. We don't allow any inbound services, you say. In many instances attackers circumvent UNIX firewalls by source routing packets through the firewall to internal systems. This feat is possible because the UNIX kernel had IP forwarding enabled when the firewall application should have been performing this function. In most of these cases, the attackers never actually broke into the firewall per se; they simply used it as a router.

  • User-Initiated Remote Execution Are you safe because you disabled all services on your UNIX system? Maybe not. What if you surf to www.evilhacker.org and your web browser executes malicious code that connects back to the evil site? This may allow evilhacker.org to access your system. Think of the implications of this if you were logged in with root privileges while web surfing. What if your sniffer is susceptible to a buffer overflow attack (http://www.wOOwOO.org/advisories/snoop.html)?

Throughout this section, we will address specific remote attacks that fall under one of the preceding three categories. If you have any doubt about how a remote attack is possible, just ask yourself three questions:

1. Is there a listening service involved?
2. Does the system perform routing?
3. Did a user or a user's software execute commands that jeopardized the security of the host system?

You are likely to answer yes to at least one question....


Table of Contents

Foreword xvii
Acknowledgments xxi
Introduction xxiii
Part I Casing the Establishment
Case Study: Target Acquisition 2
1 Footprinting 5
What Is Footprinting? 6
Why Is Footprinting Necessary? 6
Internet Footprinting 6
Step 1. Determine the Scope of Your Activities 8
Step 2. Network Enumeration 13
Step 3. DNS Interrogation 22
Step 4. Network Reconnaissance 27
Summary 31
2 Scanning 33
Scan Types 44
Identifying TCP and UDP Services Running 46
Windows-Based Port Scanners 51
Port Scanning Breakdown 57
Active Stack Fingerprinting 61
Passive Stack Fingerprinting 65
The Whole Enchilada: Automated Discovery Tools 67
Summary 68
3 Enumeration 71
Windows NT/2000 Enumeration 72
NT/2000 Network Resource Enumeration 76
NT/2000 User and Group Enumeration 87
NT/2000 Applications and Banner Enumeration 95
Let Your Scripts Do the Walking 99
Novell Enumeration 100
Browsing the Network Neighborhood 100
UNIX Enumeration 106
Summary 113
Part II System Hacking
Case Study: Know Your Enemy 116
4 Hacking Windows 95/98 and ME 117
Win 9x Remote Exploits 118
Direct Connection to Win 9x Shared Resources 119
Win 9x Backdoor Servers and Trojans 124
Known Server Application Vulnerabilities 129
Win 9x Denial of Service 130
Win 9x Local Exploits 130
Windows Millennium Edition (ME) 137
Summary 138
5 Hacking Windows NT 141
Overview 143
Where We're Headed 143
What About Windows 2000? 143
The Quest for Administrator 144
Remote Exploits: Denial of Service and Buffer Overflows 160
Privilege Escalation 164
Consolidation of Power 174
Exploiting Trust 185
Sniffers 190
Remote Control and Back Doors 194
Port Redirection 203
General Countermeasures to Privileged Compromise 207
Rootkit: The Ultimate Compromise 211
Covering Tracks 214
Disabling Auditing 214
Clearing the Event Log 214
Hiding Files 215
Summary 216
6 Hacking Windows 2000 219
Footprinting 221
Scanning 221
Enumeration 226
Penetration 229
NetBIOS-SMB Password Guessing 229
Eavesdropping on Password Hashes 229
Attacks Against IIS 5 229
Remote Buffer Overflows 233
Denial of Service 233
Privilege Escalation 238
Pilfering 241
Grabbing the Win 2000 Password Hashes 241
The Encrypting File System (EFS) 246
Exploiting Trust 249
Covering Tracks 251
Disabling Auditing 251
Clearing the Event Log 252
Hiding Files 252
Back Doors 252
Startup Manipulation 252
Remote Control 255
Keystroke Loggers 257
General Countermeasures: New Windows Security Tools 257
Group Policy 257
Runas 260
Summary 261
7 Novell NetWare Hacking 265
Attaching but Not Touching 267
Enumerate Bindery and Trees 268
Opening the Unlocked Doors 275
Authenticated Enumeration 277
Gaining Admin 282
Application Vulnerabilities 285
Spoofing Attacks (Pandora) 287
Once You Have Admin on a Server 290
Owning the NDS Files 292
Log Doctoring 298
Console Logs 299
Further Resources 302
Web Sites (ftp://ftp.novell.com/pub/updates/nw/nw411/) 302
Usenet Groups 303
Summary 303
8 Hacking UNIX 305
The Quest for Root 306
A Brief Review 306
Vulnerability Mapping 307
Remote Access Versus Local Access 307
Remote Access 308
Data Driven Attacks 312
I Want My Shell 317
Common Types of Remote Attacks 322
Local Access 339
After Hacking Root 357
Trojans 358
Rootkit Recovery 369
Summary 370
Part III Network Hacking
Case Study: Sweat the Small Stuff! 374
9 Dial-Up, PBX, Voicemail, and VPN Hacking 377
Wardialing 380
Hardware 380
Legal Issues 381
Peripheral Costs 382
Software 382
A Final Note 403
PBX Hacking 405
Virtual Private Network (VPN) Hacking 415
Summary 419
10 Network Devices 421
Discovery 422
Detection 422
SNMP 429
Back Doors 433
Default Accounts 433
Lower the Gates (Vulnerabilities) 437
Shared Versus Switched 443
Detecting the Media You're On 444
Passwords on a Silver Platter: Dsniff 445
Sniffing on a Network Switch 448
snmpsniff 452
Summary 457
11 Firewalls 459
Firewall Landscape 460
Firewall Identification 460
Advanced Firewall Discovery 465
Scanning Through Firewalls 469
Packet Filtering 473
Application Proxy Vulnerabilities 477
WinGate Vulnerabilities 479
Summary 481
12 Denial of Service (DoS) Attacks 483
Motivation of DoS Attackers 484
Types of DoS Attacks 485
Bandwidth Consumption 485
Resource Starvation 486
Programming Flaws 486
Routing and DNS Attacks 487
Generic DoS Attacks 488
Sites Under Attack 491
UNIX and Windows NT DoS 494
Remote DoS Attacks 495
Distributed Denial of Service Attacks 499
Local DoS Attacks 504
Summary 506
Part IV Software Hacking
Case Study: Using All the Dirty Tricks to Get In 508
13 Remote Control Insecurities 511
Discovering Remote Control Software 512
Connecting 513
Weaknesses 514
Revealed Passwords 516
Uploading Profiles 517
What Software Package Is the Best in Terms of Security? 521
pcAnywhere 521
ReachOut 521
Remotely Anywhere 521
Remotely Possible/ControlIT 523
Timbuktu 523
Virtual Network Computing (VNC) 523
Citrix 526
Summary 527
14 Advanced Techniques 529
Session Hijacking 530
Back Doors 533
Trojans 555
Subverting the System Environment: Rootkits and Imaging Tools 558
Social Engineering 561
Summary 563
15 Web Hacking 565
Web Pilfering 566
Finding Well-Known Vulnerabilities 570
Automated Scripts, for All Those "Script Kiddies" 570
Automated Applications 572
Script Inadequacies: Input Validation Attacks 573
Active Server Pages (ASP) Vulnerabilities 582
Buffer Overflows 590
Poor Web Design 598
Summary 600
16 Hacking the Internet User 601
Malicious Mobile Code 603
Microsoft ActiveX 603
Java Security Holes 614
Beware the Cookie Monster 618
Internet Explorer HTML Frame Vulnerabilities 621
SSL Fraud 623
Email Hacking 626
Mail Hacking 101 626
Executing Arbitrary Code Through Email 629
Outlook Address Book Worms 637
File Attachment Attacks 639
IRC Hacking 647
Napster Hacking with Wrapster 649
Global Countermeasures to Internet User Hacking 650
Keep Antivirus Signatures Updated 650
Guarding the Gateways 651
Summary 652
Part V Appendixes
A Ports 657
B Top 14 Security Vulnerabilities 661
C About the Companion Web Site 663
Novell 664
UNIX 665
Windows NT 665
Wordlists and Dictionaries 666
Wardialing 666
Enumeration Scripts 666
Index 667

Customer Reviews

  • Anonymous

    Posted March 6, 2003

    Think Like The Hackers

    Sink into the mind of those looking to break into your systems. The author suggests tools, often freely available, to find the problems in a system which place it at risk and evaluates those tools critically. Know what the hackers know. Evaluate your risks so you can patch or redesign your web site to reduce the risks to a minimum.

  • Anonymous

    Posted August 15, 2001

    Amazing Book

    This is the most 'warez' book I've ever read. The coolest way of hacking and protecting your awesome server.

  • Anonymous

    Posted April 11, 2001


    This is the best book for people who wish to become hackers or for people who want to be safe from them. This is a real good book; it is worth every penny, a MUST BUY! What are you waiting for? Buy this book and be safe! You may think you're safe, but you're not; wait until you buy this book and see how safe you will be!

  • Anonymous

    Posted January 20, 2001

    G@@D B@@K


  • Anonymous

    Posted January 7, 2001

    great book for wannabe hackers and for webmasters

    This is a great book that teaches the reader not only how to hack a certain vulnerability, but also how to fix it so it doesn't happen to you. The second edition is great, better than the first. It includes a whole new chapter, 'Hacking the Internet User,' and win2k exploits.

  • Anonymous

    Posted October 26, 2000

    Even better than the first

    The first edition was a great book, explaining how people use trojans and different scripts to break into networks, but this one is even better. It not only has better coverage of things from the first book, it includes great exploits for Win2k.
