Hacking Exposedby Joel Scambray
In today's round-the-clock,hyper-connected,all-digital economy,computer security is everyone's business. Hacking Exposed: Network Security Secrets & Solutions,Second Edition brings even more in-depth insight into how hackers infiltrate
This one-of-a-kind book provides in-depth expert insight into how hackers infiltrate e-business,and how they can be stopped.
In today's round-the-clock,hyper-connected,all-digital economy,computer security is everyone's business. Hacking Exposed: Network Security Secrets & Solutions,Second Edition brings even more in-depth insight into how hackers infiltrate e-business,and how they can be stopped. Security insiders Stuart McClure,Joel Scambray,and George Kurtz present more than 220 all-new pages of technical detail and case studies in an easy-to-follow style. The world of Internet security moves even faster than the digital economy,and all of the brand-new tools and techniques that have surfaced since the publication of the best-selling first edition are covered here. Use the real-world countermeasures in this one-of-a-kind volume to plug the holes in your network todaybefore they end up in the headlines tomorrow.
New and Updated Material: Brand new "Hacking the Internet User" chapter covers insidious Internet client attacks against web browsers,email software,and active content,including the vicious new Outlook email date field buffer overflow and ILOVEYOU worms.
A huge new chapter on Windows 2000 attacks and countermeasures covers offline password database attacks and Encrypting File System (EFS) vulnerabilities.
Coverage of all the new Distributed Denial of Service (DDoS) tools and techniques that almost broke down the Internet in February 2000 (Trinoo,TFN2K,Stacheldraht).
Significantly updated e-commerce hacking methodologies including new IIS and Cold Fusion vulnerabilities.
A revised and updated dial-up chapter with new material onPBX and voicemail system hacking.
New network discovery tools and techniques,including an updated section on Windows-based scanners,how to carry out eavesdropping attacks on switched networks using ARP redirection,and RIP spoofing attacks.
Coverage of new back doors and forensic techniques,including defenses against Win9x back doors like Sub7.
Updated coverage of security attacks against Windows 9x,Windows Me,Windows 2000,Windows NT,UNIX,Linux,NetWare,and dozens of other platforms,with appropriate countermeasures.
Electronic Review of Computer Books
- Publication date:
- Edition description:
- Older Edition
- Product dimensions:
- 7.50(w) x 9.25(h) x 1.47(d)
Read an Excerpt
Chapter 8: Hacking UNIXSome feel drugs are about the only thing more addicting than obtaining root access on a UNIX system. The pursuit of root access dates back to the early days of UNIX, so we need to provide some historical background on its evolution.
The Quest for Root
In 1969, Ken Thompson, and later Dennis Ritchie, of AT&T decided that the MULTICS (Multiplexed Information and Computing System) project wasn't progressing as fast as they would have liked. Their decision to "hack up" a new operating system called UNIX forever changed the landscape of computing. UNIX was intended to be a powerful, robust, multiuser operating system that excelled at running programs, specifically, small programs called tools. Security was not one of UNIX's primary design characteristics, although UNIX does have a great deal of security if implemented properly. UNIX's promiscuity was a result of the open nature of developing and enhancing the operating system kernel, as well as the small tools that made this operating system so powerful. The early UNIX environments were usually located inside Bell Labs or in a university setting where security was controlled primarily by physical means. Thus, any user who had physical access to a UNIX system was considered authorized. In many cases, implementing root-level passwords was considered a hindrance and dismissed.
While UNIX and UNIX-derived operating systems have evolved considerably over the past 30 years, the passion for UNIX and UNIX security has not subsided. Many ardent developers and code hackers scour source code for potential vulnerabilities. Furthermore, it is a badge of honor to post newly discovered vulnerabilities to security mailing lists such as Bugtraq. In this chapter, we will explore this fervor to determine how and why the coveted root access is obtained. Throughout this chapter, remember that in UNIX there are two levels of access: the all-powerful root and everything else. There is no substitute for root!
A Brief Review
You may recall that we discussed in Chapters 1 through 3 ways to identify UNIX systems and enumerate information. We used port scanners such as nmap to help identify open TCP/UDP ports as well as to fingerprint the target operating system or device. We used rpcinfo and showmount to enumerate RPC service and NFS mount points, respectively. We even used the all-purpose netcat (nc) to grab banners that leak juicy information such as the applications and associated versions in use. In this chapter, we will explore the actual exploitation and related techniques of a UNIX system. It is important to remember that footprinting and network reconnaissance of UNIX systems must be done before any type of exploitation. Footprinting must be executed in a thorough and methodical fashion to ensure that every possible piece of information is uncovered. Once we have this information, we need to make some educated guesses about the potential vulnerabilities that may be present on the target system. This process is known as vulnerability mapping.
Vulnerability mapping is the process of mapping specific security attributes of a system to an associated vulnerability or potential vulnerability. This is a critical phase in the actual exploitation of a target system that should not be overlooked. It is necessary for attackers to map attributes such as listening services, specific version numbers of running servers (for example, Apache 1.3.9 being used for HTTP and sendmail 8.9.10 being used for SMTP), system architecture, and username information to potential security holes. There are several methods attackers can use to accomplish this task:
All these methods have their pros and cons; however, it is important to remember that only uneducated attackers known as "script kiddies" will skip the vulnerability mapping stage by throwing everything and the kitchen sink at a system to get in without knowing how and why an exploit works. We have witnessed many real-life attacks where the perpetrators were trying to use UNIX exploits against a Windows NT system. Needless to say, these attackers were inexpert and unsuccessful. The following list summarizes key points to consider when performing vulnerability mapping:
REMOTE ACCESS VERSUS LOCAL ACCESS
The remainder of this chapter is broken into two major sections, remote and local access. Remote access is defined as gaining access via the network (for example, a listening service) or other communication channel. Local access is defined as having an actual command shell or login to the system. Local access attacks are also referred to as privilege escalation attacks. It is important to understand the relationship between remote and local access. There is a logical progression where attackers remotely exploit a vulnerability in a listening service and then gain local shell access. Once shell access is obtained, the attackers are considered to be local on the system. We try to logically break out the types of attacks that are used to gain remote access and provide relevant examples. Once remote access is obtained, we explain common ways attackers escalate their local privileges to root. Finally, we explain information-gathering techniques that allow attackers to garner information about the local system so that it can be used as a staging point for additional attacks. It is important to remember that this chapter is not a comprehensive book on UNIX security; for that we refer you to Practical UNIX & Internet Security by Simson Garfinkel and Gene Spafford. Additionally, this chapter cannot cover every conceivable UNIX exploit and flavor of UNIX-that would be a book in itself. Rather, we aim to categorize these attacks and to explain the theory behind them. Thus, when a new attack is discovered, it will be easy to understand how it works, though it was not specifically covered. We take the "teach a man to fish and feed him for life" approach rather than the "feed him for a day" approach.
As mentioned previously, remote access involves network access or access to another communications channel, such as a dial-in modem attached to a UNIX system. We find that analog/ISDN remote access security at most organizations is abysmal. We are limiting our discussion, however, to accessing a UNIX system from the network via TCP/IP. After all, TCP/IP is the cornerstone of the Internet, and it is most relevant to our discussion on UNIX security.
The media would like everyone to believe that there is some sort of magic involved with compromising the security of a UNIX system. In reality, there are three primary methods to remotely circumventing the security of a UNIX system:
1. Exploiting a listening service (for example, TCP/UDP)
2. Routing through a UNIX system that is providing security between two or more networks
3. User-initiated remote execution attacks (for example, hostile web site, Trojan horse email, and so on)
Let's take a look at a few examples to understand how different types of attacks fit into the preceding categories.
Route Through a UNIX System Your UNIX firewall was circumvented by attackers. How is this possible? you ask. We don't allow any inbound services, you say. In many instances attackers circumvent UNIX firewalls by source routing packets through the firewall to internal systems. This feat is possible because the UNIX kernel had IP forwarding enabled when the firewall application should have been performing this function. In most of these cases, the attackers never actually broke into the firewall per se; they simply used it as a router.
Throughout this section, we will address specific remote attacks that fall under one of the preceding three categories. If you have any doubt about how a remote attack is possible, just ask yourself three questions:
1. Is there a listening service involved?
2. Does the system perform routing?
3. Did a user or a user's software execute commands that jeopardized the security of the host system?
You are likely to answer yes to at least one question....
Meet the Author
Joel Scambray is Managing Principal, Stuart McClure is President/CTO, and George Kurtz is CEO of Foundstone Inc., a premier security consulting and training company. They have promoted information system security over a combined fifteen years of consulting and training for Fortune 500 companies, and in forums ranging from Stuart and Joel's weekly "Security Watch" column for InfoWorld, to George's renowned Black Hat Conference presentations.
and post it to your social network
Most Helpful Customer Reviews
See all customer reviews >
This is very 'warez' book I've ever read. The coolest way for hacking and protecting your awsome server.
This is the best book for people who wish to become hackers or for people who want to be safe from them. This is a real good it is worth every penny a MUST BUY! What are you waiting for buy this book and be safe! You may think your safe but your not wait until you buy this book and see how safe you will be!
i think this book was reALLY GOOD IT SHOWED ME HOW TO KEEP MY COMPUTER SAFE FROM HACKERS AND CRACKERS !!! THANKS A BUNCH REAL GOOD BOOK
This is a great book that teaches the reader not only how to hack a certain vulnerbility, but also how to fix it so it doesn't happen to you. The second edition is great, better than the first. It includes a whole new chapter, 'Hacking the Internet User,' and win2k exploits.
The first edition was a great book, explaining how people use trojans and different scripts to break into networks, but this one is even better. It not only has better coverage of things from the first book, it includes great exploits for Win2k