Publisher: Prentice Hall PTR
To start off the book and explain why he wrote it, Ed Skoudis cites a brief passage from the "Art of War" by Sun Tzu. The philosophy behind this book is simple - in order to be able to defeat your enemy, you have to know your enemy. The author says: "This book is one way to help make things more even." He's talking about the gap in knowledge between the attacker and the system administrator. Did Ed manage to give the security professional some quality knowledge? Let's find out. But first, let's see more details about the person behind this book.
About the author
Ed Skoudis is the Vice President of Security Strategy for Predictive Systems. Ed's expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues. He has performed numerous security assessments, designed secure network architectures, and responded to computer attacks. Ed has focused on identifying and resolving security vulnerabilities on UNIX, Windows NT, firewall architectures, and Web applications. He has also conducted a demonstration of attacker techniques for the U.S. Senate.
An interview with Ed Skoudis is available here.
Inside the book
Skoudis doesn't take any knowledge for granted, which is why the book kicks off with a networking overview. So what will you learn here? There's plenty of good material covering TCP, UDP, ICMP and more. If you want to add security to your TCP/IP based network then you'll be pleased to know that the author writes about application layer security, SSL and IPSec. What's excellent in this part of the book is the fact that all the material is very well written and thus easy to follow. It seems that Skoudis is trying to foretell the questions rising in the mind of the reader and so he presents the right information at the right moment. For example, when reading about TCP and then UDP, a question arises - is UDP less secure than TCP? Do I have to say that Ed answered that one for us?
If you want to understand how many of the attacks presented in this book function, you've got to have at least a basic understanding of Unix. In an overview of the Unix OS the author gives us a myriad of information. You'll learn about the Unix file system structure, accounts, permissions, common services, and so on. Why is Unix so important? While I can imagine a security professional coming up with a list of things to say, the main reasons are probably the wide use of Unix and the fact that it's the operating system of choice for many attackers to launch attacks from. Even though this overview is very well done, I wouldn't recommend it as a starting point to learn about Unix; you should already have some knowledge before getting into this book.
Moving on, there's another overview where you can learn about Windows NT/2000. We get a look back in history and we see the fundamental NT concepts and security options. If you're wondering whether to keep on using Windows NT, migrate to Unix or upgrade to Windows 2000, you'll see the changes that have occurred in the release of Windows 2000 and maybe that will give you something to think about.
After the overviews we get to the heart of this book as the juicy content starts to reveal itself. We start to learn more about the attackers. The most effective ones will try to learn as much as possible about their target. How do they obtain their information? There are many ways: social engineering, physical break-in, "old school" dumpster diving, web searches, whois database searches, etc. What's important to keep in mind here is that the author doesn't just show you how the information is collected but you also learn how to protect yourself against the mentioned techniques. To make things complete, Skoudis also depicts several tools that can be used for reconnaissance: Sam Spade, CyberKit, NetScanTools and iNetTools. This is where you just wish you got a CD-ROM with this book.
So, the attacker has gathered as much information as he could about his target; what's next? This is when the scanning starts. Discussed next is war dialing and when it comes to tools we are presented with L0pht's TBA and THC-Scan. The latter is presented as one of the most full-featured, non-commercial war dialing tools available today. This is, of course, not everything that attackers do, not by a long shot. The author writes about network mapping and introduces Cheops, a popular network mapper and general purpose management tool. When it comes to port scanners, the most well known is certainly Nmap, which gets a good amount of exposure in this book with several types of Nmap scans explained. The next step for the attacker is the usage of vulnerability scanning tools so Skoudis illustrates what types of vulnerabilities these tools check for on the target system. The author lists many free and commercial vulnerability scanners. The ones available to the majority of the readers, the free ones, are: Sara, Saint, VLAD the Scanner and Nessus. All of these scans can give a lot of information to the attacker but they still need to learn how to evade detection by an intrusion detection system. You'll see how network-based intrusion detection systems work and how they can be evaded. As always, you'll see ways of defending yourself.
It's time for the attacker to try gaining access using application and operating system attacks. As Skoudis notes, the approach of gaining access will depend on the skill level of the attacker. While a script kiddie would be using pre-packaged exploits, a sophisticated attacker would use highly pragmatic approaches. The author discusses stack-based buffer overflow attacks in great detail before moving forward to illustrate password attacks. As before, Ed mentions several password cracking programs, among which there's John the Ripper, certainly one of the most popular ones. What follows is a good overview of web application attacks.
Attackers can also gain access through network-based attacks. This chapter kicks off with a discussion on sniffing and moves on to IP address spoofing and session hijacking. Some of the tools mentioned here are: Snort, Ethereal, TCPDUMP and Netcat. The author continues by describing in detail one type of attack that everyone knows about - Denial of Service.
The attacker has gained access to the target system and, naturally, wants to keep it that way. To achieve this he uses malicious software such as trojans, backdoors and rootkits. Mentioned here are tools such as Back Orifice 2000 and Sub7. It's of the utmost importance to understand these tools in order to efficiently defend your network. But that's not all the attacker does; there are other ways for him to cover his tracks and hide. What he can do is hide the evidence of the intrusion by altering event logs and creating difficult-to-find files and directories, among other things. As the book nears the end, Skoudis gives us some real world examples of attacks he's seen as a way to illustrate what he said throughout the book. We are presented with three scenarios, each one specific in its own way. These scenarios are quite interesting and are a perfect way to complete the information presented in the book. To finish the book, the author talks about the future and gives a list of resources. Some of the descriptions for the resources are outdated and some of the resources do not even exist anymore. This wouldn't be a problem if there was a big list, but this way you don't get much from what's listed.
My 2 cents
If you're in charge of the security of a network or just a security enthusiast, you'll find this book of great value. The specific tools and techniques described in this book are more valuable than just theory presented in other publications. The cross-referencing in the book is also very useful if you're using this book as a reference guide. If something is explained in less detail in a chapter and there's more information later on, Skoudis notes that basically every time.
The only downside I can think of is the lack of a CD-ROM; it really helps to have the software the author is talking about at your fingertips ready for testing. Overall, this is an excellent book; you won't regret reading it.