Hacking Exposed

Paperback (Older Edition)


Hacking Exposed by Joel Scambray

This one-of-a-kind book provides in-depth expert insight into how hackers infiltrate e-business, and how they can be stopped.

In today's round-the-clock, hyper-connected, all-digital economy, computer security is everyone's business. Hacking Exposed: Network Security Secrets & Solutions, Second Edition brings even more in-depth insight into how hackers infiltrate e-business, and how they can be stopped. Security insiders Stuart McClure, Joel Scambray, and George Kurtz present more than 220 all-new pages of technical detail and case studies in an easy-to-follow style. The world of Internet security moves even faster than the digital economy, and all of the brand-new tools and techniques that have surfaced since the publication of the best-selling first edition are covered here. Use the real-world countermeasures in this one-of-a-kind volume to plug the holes in your network today, before they end up in the headlines tomorrow.

New and Updated Material:

  • Brand new "Hacking the Internet User" chapter covers insidious Internet client attacks against web browsers, email software, and active content, including the vicious new Outlook email date field buffer overflow and ILOVEYOU worms.
  • A huge new chapter on Windows 2000 attacks and countermeasures covers offline password database attacks and Encrypting File System (EFS) vulnerabilities.
  • Coverage of all the new Distributed Denial of Service (DDoS) tools and techniques that almost broke down the Internet in February 2000 (Trinoo, TFN2K, Stacheldraht).
  • Significantly updated e-commerce hacking methodologies including new IIS and Cold Fusion vulnerabilities.
  • A revised and updated dial-up chapter with new material on PBX and voicemail system hacking.
  • New network discovery tools and techniques, including an updated section on Windows-based scanners, how to carry out eavesdropping attacks on switched networks using ARP redirection, and RIP spoofing attacks.
  • Coverage of new back doors and forensic techniques, including defenses against Win9x back doors like Sub7.
  • Updated coverage of security attacks against Windows 9x, Windows Me, Windows 2000, Windows NT, UNIX, Linux, NetWare, and dozens of other platforms, with appropriate countermeasures.

Product Details

ISBN-13: 9780072127485
Publisher: McGraw-Hill/Osborne Media
Publication date: 10/03/2000
Edition description: Older Edition
Pages: 736
Product dimensions: 7.50(w) x 9.25(h) x 1.47(d)

About the Author

Joel Scambray is Managing Principal, Stuart McClure is President/CTO, and George Kurtz is CEO of Foundstone Inc., a premier security consulting and training company. They have promoted information system security over a combined fifteen years of consulting and training for Fortune 500 companies, and in forums ranging from Stuart and Joel's weekly "Security Watch" column for InfoWorld, to George's renowned Black Hat Conference presentations.

Read an Excerpt

Chapter 8: Hacking UNIX

Some feel drugs are about the only thing more addicting than obtaining root access on a UNIX system. The pursuit of root access dates back to the early days of UNIX, so we need to provide some historical background on its evolution.

The Quest for Root

In 1969, Ken Thompson, and later Dennis Ritchie, of AT&T decided that the MULTICS (Multiplexed Information and Computing Service) project wasn't progressing as fast as they would have liked. Their decision to "hack up" a new operating system called UNIX forever changed the landscape of computing. UNIX was intended to be a powerful, robust, multiuser operating system that excelled at running programs, specifically, small programs called tools. Security was not one of UNIX's primary design characteristics, although UNIX does have a great deal of security if implemented properly. UNIX's promiscuity was a result of the open nature of developing and enhancing the operating system kernel, as well as the small tools that made this operating system so powerful. The early UNIX environments were usually located inside Bell Labs or in a university setting where security was controlled primarily by physical means. Thus, any user who had physical access to a UNIX system was considered authorized. In many cases, implementing root-level passwords was considered a hindrance and dismissed.

While UNIX and UNIX-derived operating systems have evolved considerably over the past 30 years, the passion for UNIX and UNIX security has not subsided. Many ardent developers and code hackers scour source code for potential vulnerabilities. Furthermore, it is a badge of honor to post newly discovered vulnerabilities to security mailing lists such as Bugtraq. In this chapter, we will explore this fervor to determine how and why the coveted root access is obtained. Throughout this chapter, remember that in UNIX there are two levels of access: the all-powerful root and everything else. There is no substitute for root!

A Brief Review

You may recall that we discussed in Chapters 1 through 3 ways to identify UNIX systems and enumerate information. We used port scanners such as nmap to help identify open TCP/UDP ports as well as to fingerprint the target operating system or device. We used rpcinfo and showmount to enumerate RPC service and NFS mount points, respectively. We even used the all-purpose netcat (nc) to grab banners that leak juicy information such as the applications and associated versions in use. In this chapter, we will explore the actual exploitation and related techniques of a UNIX system. It is important to remember that footprinting and network reconnaissance of UNIX systems must be done before any type of exploitation. Footprinting must be executed in a thorough and methodical fashion to ensure that every possible piece of information is uncovered. Once we have this information, we need to make some educated guesses about the potential vulnerabilities that may be present on the target system. This process is known as vulnerability mapping.

Vulnerability Mapping

Vulnerability mapping is the process of mapping specific security attributes of a system to an associated vulnerability or potential vulnerability. This is a critical phase in the actual exploitation of a target system that should not be overlooked. It is necessary for attackers to map attributes such as listening services, specific version numbers of running servers (for example, Apache 1.3.9 being used for HTTP and sendmail 8.9.10 being used for SMTP), system architecture, and username information to potential security holes. There are several methods attackers can use to accomplish this task:

  • Manually map specific system attributes against publicly available sources of vulnerability information such as Bugtraq, Computer Emergency Response Team advisories (www.cert.org), and vendor security alerts. Although this is tedious, it can provide a thorough analysis of potential vulnerabilities without actually exploiting the target system.

  • Use public exploit code posted to various security mailing lists and any number of web sites, or write your own code. This will determine the existence of a real vulnerability with a high degree of certainty.

  • Use automated vulnerability scanning tools to identify true vulnerabilities. Respected commercial tools include the Internet Scanner from Internet Security Systems (www.iss.net) or CyberCop Scanner from Network Associates (www.nai.com). On the freeware side, Nessus (www.nessus.org) and SAINT (http://www.wwdsi.com/saint/) show promise.

    All these methods have their pros and cons; however, it is important to remember that only uneducated attackers known as "script kiddies" will skip the vulnerability mapping stage by throwing everything and the kitchen sink at a system to get in without knowing how and why an exploit works. We have witnessed many real-life attacks where the perpetrators were trying to use UNIX exploits against a Windows NT system. Needless to say, these attackers were inexpert and unsuccessful. The following list summarizes key points to consider when performing vulnerability mapping:

  • Perform network reconnaissance against the target system.
  • Map attributes such as operating system, architecture, and specific versions of listening services to known vulnerabilities and exploits.
  • Perform target acquisition by identifying and selecting key systems.
  • Enumerate and prioritize potential points of entry.
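The review above (banner grabbing with netcat) and the vulnerability mapping steps just listed can be tied together in a small tool. The following is an added example written for this page, not code from Hacking Exposed: it takes enumerated (port, protocol, banner) triples, fingerprints the product and version from each banner, and maps them against an advisory table ordered by severity. The banners are constructed, and the advisory table with its ADV-EXAMPLE-* identifiers is a hypothetical placeholder for the Bugtraq, CERT and vendor sources the text names; only the method is real.

```python
"""Vulnerability mapping: tie enumerated service attributes to advisories.

Added example for this page, not code from Hacking Exposed. Banners and the
advisory table are constructed for illustration; the ADV-EXAMPLE-* identifiers
are hypothetical placeholders, not real advisories.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed banners of the kind `nc host port` returns; not from a real host.
SAMPLE_BANNERS = [
    (80, "tcp", "HTTP/1.1 200 OK\r\nServer: Apache/1.3.9 (Unix)"),
    (25, "tcp", "220 mail.example.test ESMTP Sendmail 8.9.10/8.9.10; Tue, 3 Oct 2000"),
    (21, "tcp", "220 ftp.example.test FTP server (Version wu-2.6.0(1)) ready."),
    (22, "tcp", "SSH-1.99-OpenSSH_2.1.1"),
    (110, "tcp", "+OK POP3 server ready"),
]

# Product fingerprints: how a version string is pulled out of each banner.
BANNER_PATTERNS = [
    ("apache",   re.compile(r"Apache/(\d+(?:\.\d+)+)")),
    ("sendmail", re.compile(r"Sendmail (\d+(?:\.\d+)+)")),
    ("wu-ftpd",  re.compile(r"wu-(\d+(?:\.\d+)+)")),
    ("openssh",  re.compile(r"OpenSSH_(\d+(?:\.\d+)+)")),
]

# Constructed advisory table: product -> (advisory id, affected low inclusive,
# affected high exclusive, severity). None means unbounded on that side.
ADVISORIES = {
    "apache":   [("ADV-EXAMPLE-1", None,      (1, 3, 12), "medium")],
    "sendmail": [("ADV-EXAMPLE-2", None,      (8, 9, 3),  "high")],
    "wu-ftpd":  [("ADV-EXAMPLE-3", (2, 6, 0), (2, 6, 1),  "critical")],
}

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass
class Finding:
    port: int
    proto: str
    product: str
    version: Version
    advisory: str
    severity: str


def parse_version(text: str) -> Version:
    """'8.9.10' -> (8, 9, 10); tuples compare numerically, strings would not."""
    return tuple(int(p) for p in text.split("."))


def identify(banner: str) -> Optional[Tuple[str, Version]]:
    """Map a raw banner to (product, version), or None if unrecognised."""
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, parse_version(m.group(1))
    return None


def affected(version: Version, low: Optional[Version], high: Optional[Version]) -> bool:
    """True when low <= version < high, with None meaning no bound on that side."""
    if low is not None and version < low:
        return False
    if high is not None and version >= high:
        return False
    return True


def map_vulnerabilities(services) -> List[Finding]:
    """Map (port, proto, banner) triples to advisories, highest severity first."""
    findings = []
    for port, proto, banner in services:
        ident = identify(banner)
        if ident is None:
            continue  # unknown product: reported separately by unmapped()
        product, version = ident
        for adv_id, low, high, severity in ADVISORIES.get(product, []):
            if affected(version, low, high):
                findings.append(Finding(port, proto, product, version, adv_id, severity))
    findings.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.port))
    return findings


def unmapped(services) -> List[Tuple[int, str]]:
    """Services whose banner matched no fingerprint: the manual-research queue."""
    return [(port, banner) for port, _, banner in services if identify(banner) is None]


if __name__ == "__main__":
    for f in map_vulnerabilities(SAMPLE_BANNERS):
        ver = ".".join(map(str, f.version))
        print(f"{f.proto}/{f.port} {f.product} {ver}: {f.advisory} ({f.severity})")
    for port, banner in unmapped(SAMPLE_BANNERS):
        print(f"port {port} needs manual mapping: {banner!r}")
```

Two caveats a practitioner should keep in mind when using output like this: a banner is attacker-controllable text, so a version string is a hint rather than proof (vendors also back-port fixes without bumping the version, which makes pure version-range matching produce false positives), and anything left in the unmapped list is not "clean", it is simply not yet mapped.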


    The remainder of this chapter is broken into two major sections, remote and local access. Remote access is defined as gaining access via the network (for example, a listening service) or other communication channel. Local access is defined as having an actual command shell or login to the system. Local access attacks are also referred to as privilege escalation attacks. It is important to understand the relationship between remote and local access. There is a logical progression where attackers remotely exploit a vulnerability in a listening service and then gain local shell access. Once shell access is obtained, the attackers are considered to be local on the system. We try to logically break out the types of attacks that are used to gain remote access and provide relevant examples. Once remote access is obtained, we explain common ways attackers escalate their local privileges to root. Finally, we explain information-gathering techniques that allow attackers to garner information about the local system so that it can be used as a staging point for additional attacks. It is important to remember that this chapter is not a comprehensive book on UNIX security; for that we refer you to Practical UNIX & Internet Security by Simson Garfinkel and Gene Spafford. Additionally, this chapter cannot cover every conceivable UNIX exploit and flavor of UNIX; that would be a book in itself. Rather, we aim to categorize these attacks and to explain the theory behind them. Thus, when a new attack is discovered, it will be easy to understand how it works, though it was not specifically covered. We take the "teach a man to fish and feed him for life" approach rather than the "feed him for a day" approach.


    As mentioned previously, remote access involves network access or access to another communications channel, such as a dial-in modem attached to a UNIX system. We find that analog/ISDN remote access security at most organizations is abysmal. We are limiting our discussion, however, to accessing a UNIX system from the network via TCP/IP. After all, TCP/IP is the cornerstone of the Internet, and it is most relevant to our discussion on UNIX security.

    The media would like everyone to believe that there is some sort of magic involved with compromising the security of a UNIX system. In reality, there are three primary methods of remotely circumventing the security of a UNIX system:

    1. Exploiting a listening service (for example, TCP/UDP)
    2. Routing through a UNIX system that is providing security between two or more networks
    3. User-initiated remote execution attacks (for example, hostile web site, Trojan horse email, and so on)

    Let's take a look at a few examples to understand how different types of attacks fit into the preceding categories.

  • Exploit a Listening Service Someone gives you a user ID and password and says, "break into my system." This is an example of exploiting a listening service. How can you log in to the system if it is not running a service that allows interactive logins (telnet, ftp, rlogin, or ssh)? What about when the latest wuftp vulnerability of the week is discovered? Are your systems vulnerable? Potentially, but attackers would have to exploit a listening service, wuftp, to gain access. It is imperative to remember that a service must be listening to gain access. If a service is not listening, it cannot be broken into remotely.

  • Route Through a UNIX System Your UNIX firewall was circumvented by attackers. How is this possible? you ask. We don't allow any inbound services, you say. In many instances attackers circumvent UNIX firewalls by source routing packets through the firewall to internal systems. This feat is possible because the UNIX kernel had IP forwarding enabled when the firewall application should have been performing this function. In most of these cases, the attackers never actually broke into the firewall per se; they simply used it as a router.

  • User-Initiated Remote Execution Are you safe because you disabled all services on your UNIX system? Maybe not. What if you surf to www.evilhacker.org and your web browser executes malicious code that connects back to the evil site? This may allow evilhacker.org to access your system. Think of the implications of this if you were logged in with root privileges while web surfing. What if your sniffer is susceptible to a buffer overflow attack (http://www.w00w00.org/advisories/snoop.html)?
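The "route through a UNIX system" case above comes down to a handful of kernel settings, and the check is cheap to automate. The following is an added example for this page, not code from Hacking Exposed: it audits the forwarding and source-route knobs and prints the sysctl lines that turn them off. It assumes a Linux-style tree under /proc/sys (the knob names are Linux's; other UNIX flavours expose the same settings under different names), and it can be pointed at a constructed directory so it runs offline. The sample state is constructed to look like a firewall host whose kernel is routing.

```python
"""Audit whether a UNIX host will route (or source-route) packets.

Added example for this page, not code from Hacking Exposed. It assumes a
Linux-style sysctl tree under /proc/sys (knob names are Linux's) and can be
pointed at a constructed directory so it runs offline.
"""
import os
import tempfile

# (relative sysctl path, why a non-zero value matters on a firewall/bastion host)
CHECKS = [
    ("net/ipv4/ip_forward",
     "kernel forwards IPv4 between interfaces: the host is a router whether or not the firewall software is"),
    ("net/ipv4/conf/all/accept_source_route",
     "source-routed IPv4 packets accepted: an attacker can steer traffic through this host"),
    ("net/ipv4/conf/default/accept_source_route",
     "newly added interfaces will accept source-routed packets"),
    ("net/ipv6/conf/all/forwarding",
     "kernel forwards IPv6 between interfaces"),
]


def read_knob(root, rel):
    """Return the integer value of a sysctl file, or None if the knob is absent."""
    try:
        with open(os.path.join(root, rel)) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def audit_forwarding(root="/proc/sys"):
    """List (knob, value, reason) for every routing-related knob that is not 0."""
    findings = []
    for rel, reason in CHECKS:
        value = read_knob(root, rel)
        if value is not None and value != 0:
            findings.append((rel, value, reason))
    return findings


def hardening_sysctl(findings):
    """sysctl.conf lines that would switch the offending knobs off."""
    return "\n".join(f"{rel.replace('/', '.')} = 0" for rel, _, _ in findings)


def build_sample_tree(root, values):
    """Write a constructed /proc/sys look-alike for offline demonstration."""
    for rel, value in values.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"{value}\n")


# Constructed state of a misconfigured "firewall" host: forwarding and source
# routing on, default accept_source_route off, IPv6 knob absent (older kernel).
SAMPLE_STATE = {
    "net/ipv4/ip_forward": 1,
    "net/ipv4/conf/all/accept_source_route": 1,
    "net/ipv4/conf/default/accept_source_route": 0,
}


def demo():
    """Run the audit against the constructed state; returns (findings, sysctl text)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, SAMPLE_STATE)
        found = audit_forwarding(tmp)
    return found, hardening_sysctl(found)


if __name__ == "__main__":
    found, fix = demo()
    for rel, value, reason in found:
        print(f"{rel} = {value}: {reason}")
    print("# add to /etc/sysctl.conf and apply with `sysctl -p`:")
    print(fix)
```

Run with no arguments it audits the constructed tree; call audit_forwarding() with the default root on a real Linux host to check the live kernel. Setting these knobs to 0 is the right default for any host that is not meant to be a router; a firewall that must forward should do so deliberately, with its filtering rules in place, rather than because the kernel happened to ship that way.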

    Throughout this section, we will address specific remote attacks that fall under one of the preceding three categories. If you have any doubt about how a remote attack is possible, just ask yourself three questions:

    1. Is there a listening service involved?
    2. Does the system perform routing?
    3. Did a user or a user's software execute commands that jeopardized the security of the host system?

    You are likely to answer yes to at least one question....

Table of Contents

Part I: Casing the Establishment
    Case Study: Target Acquisition ... 2
    What Is Footprinting? ... 6
    Why Is Footprinting Necessary? ... 6
    Internet Footprinting ... 6
    Step 1. Determine the Scope of Your Activities ... 8
    Step 2. Network Enumeration ... 13
    Step 3. DNS Interrogation ... 22
    Step 4. Network Reconnaissance ... 27
    Scan Types ... 44
    Identifying TCP and UDP Services Running ... 46
    Windows-Based Port Scanners ... 51
    Port Scanning Breakdown ... 57
    Active Stack Fingerprinting ... 61
    Passive Stack Fingerprinting ... 65
    The Whole Enchilada: Automated Discovery Tools ... 67
    Windows NT/2000 Enumeration ... 72
    NT/2000 Network Resource Enumeration ... 76
    NT/2000 User and Group Enumeration ... 87
    NT/2000 Applications and Banner Enumeration ... 95
    Let Your Scripts Do the Walking ... 99
    Novell Enumeration ... 100
    Browsing the Network Neighborhood ... 100
    UNIX Enumeration ... 106
Part II: System Hacking
    Case Study: Know Your Enemy ... 116
    4 Hacking Windows 95/98 and ME ... 117
    Win 9x Remote Exploits ... 118
    Direct Connection to Win 9x Shared Resources ... 119
    Win 9x Backdoor Servers and Trojans ... 124
    Known Server Application Vulnerabilities ... 129
    Win 9x Denial of Service ... 130
    Win 9x Local Exploits ... 130
    Windows Millennium Edition (ME) ... 137
    5 Hacking Windows NT ... 141
    Where We're Headed ... 143
    What About Windows 2000? ... 143
    The Quest for Administrator ... 144
    Remote Exploits: Denial of Service and Buffer Overflows ... 160
    Privilege Escalation ... 164
    Consolidation of Power ... 174
    Exploiting Trust ... 185
    Remote Control and Back Doors ... 194
    Port Redirection ... 203
    General Countermeasures to Privileged Compromise ... 207
    Rootkit: The Ultimate Compromise ... 211
    Covering Tracks ... 214
    Disabling Auditing ... 214
    Clearing the Event Log ... 214
    Hiding Files ... 215
    6 Hacking Windows 2000 ... 219
    NetBIOS-SMB Password Guessing ... 229
    Eavesdropping on Password Hashes ... 229
    Attacks Against IIS 5 ... 229
    Remote Buffer Overflows ... 233
    Denial of Service ... 233
    Privilege Escalation ... 238
    Grabbing the Win 2000 Password Hashes ... 241
    The Encrypting File System (EFS) ... 246
    Exploiting Trust ... 249
    Covering Tracks ... 251
    Disabling Auditing ... 251
    Clearing the Event Log ... 252
    Hiding Files ... 252
    Back Doors ... 252
    Startup Manipulation ... 252
    Remote Control ... 255
    Keystroke Loggers ... 257
    General Countermeasures: New Windows Security Tools ... 257
    Group Policy ... 257
    7 Novell NetWare Hacking ... 265
    Attaching but Not Touching ... 267
    Enumerate Bindery and Trees ... 268
    Opening the Unlocked Doors ... 275
    Authenticated Enumeration ... 277
    Gaining Admin ... 282
    Application Vulnerabilities ... 285
    Spoofing Attacks (Pandora) ... 287
    Once You Have Admin on a Server ... 290
    Owning the NDS Files ... 292
    Log Doctoring ... 298
    Console Logs ... 299
    Further Resources ... 302
    Web Sites (ftp://ftp.novell.com/pub/updates/nw/nw411/) ... 302
    Usenet Groups ... 303
    8 Hacking UNIX ... 305
    The Quest for Root ... 306
    A Brief Review ... 306
    Vulnerability Mapping ... 307
    Remote Access Versus Local Access ... 307
    Remote Access ... 308
    Data Driven Attacks ... 312
    I Want My Shell ... 317
    Common Types of Remote Attacks ... 322
    Local Access ... 339
    After Hacking Root ... 357
    Rootkit Recovery ... 369
Part III: Network Hacking
    Case Study: Sweat the Small Stuff! ... 374
    9 Dial-Up, PBX, Voicemail, and VPN Hacking ... 377
    Legal Issues ... 381
    Peripheral Costs ... 382
    A Final Note ... 403
    PBX Hacking ... 405
    Virtual Private Network (VPN) Hacking ... 415
    10 Network Devices ... 421
    Back Doors ... 433
    Default Accounts ... 433
    Lower the Gates (Vulnerabilities) ... 437
    Shared Versus Switched ... 443
    Detecting the Media You're On ... 444
    Passwords on a Silver Platter: Dsniff ... 445
    Sniffing on a Network Switch ... 448
    Firewall Landscape ... 460
    Firewall Identification ... 460
    Advanced Firewall Discovery ... 465
    Scanning Through Firewalls ... 469
    Packet Filtering ... 473
    Application Proxy Vulnerabilities ... 477
    WinGate Vulnerabilities ... 479
    12 Denial of Service (DoS) Attacks ... 483
    Motivation of DoS Attackers ... 484
    Types of DoS Attacks ... 485
    Bandwidth Consumption ... 485
    Resource Starvation ... 486
    Programming Flaws ... 486
    Routing and DNS Attacks ... 487
    Generic DoS Attacks ... 488
    Sites Under Attack ... 491
    UNIX and Windows NT DoS ... 494
    Remote DoS Attacks ... 495
    Distributed Denial of Service Attacks ... 499
    Local DoS Attacks ... 504
Part IV: Software Hacking
    Case Study: Using All the Dirty Tricks to Get In ... 508
    13 Remote Control Insecurities ... 511
    Discovering Remote Control Software ... 512
    Revealed Passwords ... 516
    Uploading Profiles ... 517
    What Software Package Is the Best in Terms of Security? ... 521
    Remotely Anywhere ... 521
    Remotely Possible/ControlIT ... 523
    Virtual Network Computing (VNC) ... 523
    14 Advanced Techniques ... 529
    Session Hijacking ... 530
    Back Doors ... 533
    Subverting the System Environment: Rootkits and Imaging Tools ... 558
    Social Engineering ... 561
    15 Web Hacking ... 565
    Web Pilfering ... 566
    Finding Well-Known Vulnerabilities ... 570
    Automated Scripts, for All Those "Script Kiddies" ... 570
    Automated Applications ... 572
    Script Inadequacies: Input Validation Attacks ... 573
    Active Server Pages (ASP) Vulnerabilities ... 582
    Buffer Overflows ... 590
    Poor Web Design ... 598
    16 Hacking the Internet User ... 601
    Malicious Mobile Code ... 603
    Microsoft ActiveX ... 603
    Java Security Holes ... 614
    Beware the Cookie Monster ... 618
    Internet Explorer HTML Frame Vulnerabilities ... 621
    SSL Fraud ... 623
    Email Hacking ... 626
    Mail Hacking 101 ... 626
    Executing Arbitrary Code Through Email ... 629
    Outlook Address Book Worms ... 637
    File Attachment Attacks ... 639
    IRC Hacking ... 647
    Napster Hacking with Wrapster ... 649
    Global Countermeasures to Internet User Hacking ... 650
    Keep Antivirus Signatures Updated ... 650
    Guarding the Gateways ... 651
Part V: Appendixes
    B Top 14 Security Vulnerabilities ... 661
    C About the Companion Web Site ... 663
    Windows NT ... 665
    Wordlists and Dictionaries ... 666
    Enumeration Scripts ... 666

Customer Reviews

Hacking Exposed 5 out of 5 based on 0 ratings. 5 reviews.

Guest More than 1 year ago
This is the most 'warez' book I've ever read. The coolest way of hacking and protecting your awesome server.

Guest More than 1 year ago
This is the best book for people who wish to become hackers or for people who want to be safe from them. This is real good; it is worth every penny, a MUST BUY! What are you waiting for? Buy this book and be safe! You may think you're safe, but you're not; wait until you buy this book and see how safe you will be!

Guest More than 1 year ago
This is a great book that teaches the reader not only how to hack a certain vulnerability, but also how to fix it so it doesn't happen to you. The second edition is great, better than the first. It includes a whole new chapter, 'Hacking the Internet User,' and Win2k exploits.

Guest More than 1 year ago
The first edition was a great book, explaining how people use trojans and different scripts to break into networks, but this one is even better. It not only has better coverage of things from the first book, it includes great exploits for Win2k.