
...All samurai ought certainly apply themselves to the study of military science. But a bad use can be made of this study to puff oneself up and disparage one’s colleagues by a lot of high-flown but incorrect arguments that only mislead the young and spoil their spirit. For this kind gives forth a wordy discourse that may appear to be correct and proper enough, but actually he is striving for effect and thinking only of his own advantage, so the result is the deterioration of his character and the loss of the real samurai spirit. This is a fault arising from a superficial study of the subject, so those who begin it should never be satisfied to go only halfway but persevere until they understand all the secrets and only then return to their former simplicity and live a quiet life....

Daidoji Yuzan, The Code of the Samurai [1]

This book offers unique methods for honing your information security (infosec) technique. The typical reader is an intermediate- to advanced-level practitioner. But who among us is typical? Each of us approaches infosec with distinctive training and skill. Still, before you spend your hard-earned money on this book, we will try to describe the target reader.

As an example, you might enjoy this book if you already have experience with networking and are able to program in one or more languages. Although your interest in infosec might be new, you have already read at least a few technical books on the subject, such as Practical UNIX & Internet Security from O’Reilly. You found those books to be informative, and you would like to read more of the same, but hopefully covering newer topics and at a more advanced level. Rather than an introductory survey of security from the defensive side, you would like to see through an attacker’s eyes.

You are already familiar with basic network attacks such as sniffing, spoofing, and denial-of-service. You read security articles and vulnerability mailing lists online, and you know this is the best way to broaden your education. However, you now want a single volume that can quickly ratchet your knowledge level upward by a few notches.

Instead of reading a simple catalog of software tools, you would like to delve deeper into underlying concepts such as packet fragmentation, overflow attacks, and operating system fingerprinting. You likewise want more on forensics, honeypots, and the psychological basis of social engineering. You also enjoy novel challenges such as implementing Bayesian intrusion detection and defending against wireless “airborne” viruses. Before buying into Microsoft’s Trustworthy Computing initiative, you would like to delve deeper into Windows XP attacks and Windows Server weaknesses.

These are some of the topics we cover. Although some parts will necessarily be review for more advanced users, we also cover unique topics that might gratify even seasoned veterans. To give one example, we cover reverse code engineering (RCE), including the esoteric subjects of Linux and embedded RCE. RCE is indispensable for dissecting malicious code, unveiling corporate spyware, and extracting application vulnerabilities, but until this book it has received sparse coverage in the printed literature.

This book is not married to a particular operating system, since many of you are responsible for protecting mixed networks. We have chosen to focus on security from the attacking side, rather than from the defending side. A good way to build an effective defense is to understand and anticipate potential attacks.

Throughout the text we have tried to avoid giving our personal opinions too often. However, to some extent we must, or this would be nothing more than a dry catalog of facts. We ask your forgiveness for editorializing, and we make no claim that our opinions are authoritative, or even correct. Human opinion is diverse and inherently flawed. At the very least, we hope to provide a counterpoint to your own views on a controversial subject. We also provide many anecdotal examples to help enliven some of the heavier subjects.

We have made a special effort to provide you with helpful references at the end of each chapter. These references allow us to credit some of the classic infosec sources and allow you to further explore the areas that interest you the most. This is by no means a comprehensive introduction to network security. Rather, it is a guide for rapidly advancing your skill in several key areas. We hope you enjoy reading it as much as we enjoyed writing it.

Organization of This Book

You do not have to read this book sequentially. Most of the chapters can be read independently. However, many readers prefer to pick up a technical book and read the chapters in order. To this end, we have tried to organize the book with a useful structure. The following sections outline the main parts of the book and give just a few of the highlights from each chapter.

Part I: Software Cracking

Part I of this book primarily focuses on software reverse engineering, also known as reverse code engineering or RCE. As you will read, RCE plays an important role in network security. However, until this book, it has received sparse coverage in the printed infosec literature. In Part I, after a brief introduction to assembly language (Chapter 1), we begin with RCE tools and techniques on Windows platforms (Chapter 2), including some rather unique cracking exercises. We next move into the more esoteric field of RCE on Linux (Chapter 3). We then introduce RCE on embedded platforms (Chapter 4)—specifically, cracking applications for Windows Mobile platforms (Windows CE, Pocket PC, Smartphone) on ARM-based processors. Finally, we cover overflow attacks (Chapter 5), and we build on the RCE knowledge gained in previous chapters to exploit a live buffer overflow.

Part II: Network Stalking

Part II lays the foundation for understanding the network attacks presented later in the book. In Chapter 6, we review security aspects of TCP/IP, including IPV6, and we cover fragmentation attack tools and techniques. Chapter 7 takes a unique approach to social engineering, using psychological theories to explore possible attacks. Chapter 8 moves into network reconnaissance, while in Chapter 9 we cover OS fingerprinting, including passive fingerprinting and novel tools such as XProbe and Ring. Chapter 10 provides an advanced look at how hackers hide their tracks, including anti-forensics and IDS evasion.

Part III: Platform Attacks

Part III opens with a review of Unix security fundamentals (Chapter 11) before moving into Unix attacks (Chapter 12). In contrast, the two Windows security chapters cover client (Chapter 13) and server (Chapter 14) attacks, since exploits on these two platforms are idiosyncratic. For example, on Windows XP, we show how to exploit weaknesses in Remote Assistance, while on Windows Server, we show theoretical ways to crack Kerberos authentication. Chapter 15 covers SOAP XML web services security, and Chapter 16 examines SQL injection attacks. Finally, we cover wireless security (Chapter 17), including wireless LANs and embedded, mobile malware such as “airborne viruses.”

Part IV: Advanced Defense

In Part IV, we cover advanced methods of network defense. For example, Chapter 18 covers audit trail analysis, including log aggregation and analysis. Chapter 19 breaks new ground with a practical method for applying Bayes’s Theorem to network IDS placement. Chapter 20 provides a step-by-step blueprint for building your own honeypot to trap attackers. Chapter 21 introduces the fundamentals of incident response, while Chapter 22 reviews forensics tools and techniques on both Unix and Windows.

Part V: Appendix

Finally, the Appendix at the end of the book provides a list of useful SoftIce commands and breakpoints.

Conventions Used in This Book

The following typographical conventions are used in this book:

Plain text

Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl)

Italic

Indicates new terms, example URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities

Constant width

Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands

Constant width bold

Shows commands or other text that should be typed literally by the user

Constant width italic

Shows text that should be replaced with user-supplied values


This icon signifies a tip, suggestion, or general note.


This icon indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission.

Comments and Questions

Please address comments and questions concerning this book to the publisher:

O’Reilly & Associates, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the United States or Canada)
(707) 829-0515 (international or local)
(707) 829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

To comment or ask technical questions about this book, send email to:

Or please contact the authors directly via email:


For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our web site at:


Before proceeding, we would like to thank the many experts who provided suggestions, criticism, and encouragement. We are especially grateful to the two contributing writers, Seth Fogie and Mammon_, without whose additions this book would have been greatly diminished. Colleen Gorman and Patricia Peikari provided additional proofreading. We also thank O’Reilly’s technical reviewers, each of whom provided valuable feedback. In no particular order, the technical reviewers were Jason Garman, John Viega, Chris Gerg, Bill Gallmeister, Bob Byrnes, and Fyodor (the author of Nmap).

—Cyrus Peikari

—Anton Chuvakin

[1] Samurai quote courtesy of
