Chained Exploits: Advanced Hacking Attacks from Start to Finish [Paperback]

Andrew Whitaker (Author), Keatron Evans (Author), Jack B. Voth (Author)

Book Description

ISBN-10: 032149881X | ISBN-13: 978-0321498816 | Publication Date: March 9, 2009 | Edition: 1

The complete guide to today’s hard-to-defend chained attacks: performing them and preventing them

 

Nowadays, it’s rare for malicious hackers to rely on just one exploit or tool; instead, they use “chained” exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don’t cover them at all. Now there’s a book that brings together start-to-finish information about today’s most widespread chained exploits–both how to perform them and how to prevent them.

 

Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today’s most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering.

 

Writing for security, network, and other IT professionals, the authors take you through each attack, one step at a time, and then introduce today’s most effective countermeasures— both technical and human. Coverage includes:

• Constructing convincing new phishing attacks
• Discovering which sites other Web users are visiting
• Wreaking havoc on IT security via wireless networks
• Disrupting competitors’ Web sites
• Performing–and preventing–corporate espionage
• Destroying secure files
• Gaining access to private healthcare records
• Attacking the viewers of social networking pages
• Creating entirely new exploits
• and more

 

Andrew Whitaker, Director of Enterprise InfoSec and Networking for Training Camp, has been featured in The Wall Street Journal and BusinessWeek. He coauthored Penetration Testing and Network Defense. Andrew was a winner of EC Council’s Instructor of Excellence Award.

 

Keatron Evans is President and Chief Security Consultant of Blink Digital Security, LLC, a trainer for Training Camp, and winner of EC Council’s Instructor of Excellence Award.

 

Jack B. Voth specializes in penetration testing, vulnerability assessment, and perimeter security. He co-owns The Client Server, Inc., and teaches for Training Camp throughout the United States and abroad.

 

informit.com/aw

Cover photograph © Corbis /

Jupiter Images

 

$49.99 US 

$59.99 CANADA

Editorial Reviews

About the Author

Andrew Whitaker (M.Sc., CISSP, CEI, LPT, ECSA, CHFI, CEH, CCSP, CCNP, CCVP, CCDP, CCNA, CCDA, CCENT, MCSE, MCTS, CNE, A+, Network+, Convergence+, Security+, CTP, EMCPA) is a recognized expert, trainer, and author in the field of penetration testing and security countermeasures. He works as the Director of Enterprise InfoSec and Networking and as a senior ethical hacking instructor for Training Camp. Over the past several years his courses have trained thousands of security professionals throughout the world. His security courses have also caught the attention of the Wall Street Journal, BusinessWeek, San Francisco Gate, and others.

 

Keatron Evans is a senior penetration tester and principal of Blink Digital Security based in Chicago, Illinois. He has more than 11 years experience doing penetration tests, vulnerability assessments, and forensics. Keatron regularly consults with and sometimes trains several government entities and corporations in the areas of network penetration, SCADA security, and other related national infrastructure security topics. He holds several information security certifications including CISSP, CSSA, CEH, CHFI, LPT, CCSP, MCSE:Security, MCT, Security+, and others.When not doing penetration tests, you can find Keatron teaching ethical hacking and forensics classes for Training Camp and a few other security training organizations.

 

Jack Voth has been working in the information technology field for 24 years. He holds numerous industry certifications including CISSP, MCSE, LPT, CEH, CHFI, ECSA, CTP, Security+, ACA, MCT, CEI, and CCNA. He specializes in penetration testing, vulnerability assessment, perimeter security, and voice/data networking architecture. In addition to being a co-owner and senior engineer of The Client Server, Inc., Jack has been instructing for more than six years on subject matter including Microsoft, Telecommunications Industry Association (TIA), EC-Council, ISC/2, and CompTIA.

 

Excerpt. © Reprinted by permission. All rights reserved.

Introduction

Whenever we tell people about the contents of this book, we always get the same response: “Isn’t that illegal?” Yes, we tell them. Most of what this book covers is completely illegal if you re-create the scenarios and perform them outside of a lab environment. This leads to the question of why we would even want to create a book like this.

The answer is quite simple. This book is necessary in the marketplace to educate others about chained exploits. Throughout our careers we have helped secure hundreds of organizations. The biggest weakness we saw was not in engineering a new security solution, but in education. People are just not aware of how attacks really occur. They need to be educated in how the sophisticated attacks happen so that they can know how to effectively protect against them.

All the authors of this book have experience in both penetration testing (hacking into organizations with authorization to assess their weakness) as well as teaching security and ethical hacking courses for Training Camp (http://www.trainingcamp.com). Many of the chapters in this book come from attacks we have successfully performed in real-world penetration tests. We want to share these so that you know how to stop malicious attacks. We all agree that it is through training that we make the biggest impact, and this book serves as an extension to our passion for security awareness training.

What Is a Chained Exploit?

There are several excellent books in the market on information security. What has been lacking, however, is a book that covers chained exploits and effective countermeasures. A chained exploit is an attack that involves multiple exploits or attacks. Typically a hacker will use not just one method, but several, to get to his or her target.

Take this scenario as an example. You get a call at 2 a.m. from a frantic coworker, saying your Web site has been breached. You jump out of bed, throw on a baseball cap and some clothes, and rush down to your workplace. When you get there, you find your manager and coworkers frenzied about what to do. You look at the Web server and go through the logs. Nothing sticks out at you. You go to the firewall and review its logs. You do not see any suspicious traffic heading for your Web server. What do you do?

We hope you said, “Step back, and look at the bigger picture.” Look around your infrastructure. You might have dedicated logging machines, load-balancing devices, switches, routers, backup devices, VPN (virtual private network) devices, hubs, database servers, application servers, Web servers, firewalls, encryption devices, storage devices, intruder detection devices, and much more. Within each of these devices and servers runs software. Each piece of software is a possible point of entry.

In this scenario the attacker might not have directly attacked the Web server from the outside. He or she might have first compromised a router. From there, the attacker might reconfigure the router to get access to a backup server that manages all backups for your datacenter. Next the attacker might use a buffer overflow exploit against your backup software to get administrator access to the backup server. The attacker might launch an attack to confuse the intrusion detection system so that the real attack goes unnoticed. Then the attacker might launch an attack from the backup server to a server that stores all your log files. The attacker might erase all log files to cover his or her tracks, and then launch an attack from that server to your Web server. We think you get the point: Attacks are seldom simple. They often involve many separate attacks chained together to form one large attack. Your job as a security professional is to be constantly aware of the big picture, and to consider everything when someone attacks your system.

A skilled hacker acts much like the ants on the cover of this book. If you notice on the cover, the ants are in a line, each separate, but part of a chain. Each ant also takes something for its own use, like a hacker stealing information. Ants also tend to do most of their work without anyone seeing them, just as skilled hackers do their work without observation. Use this book as your pesticide; learn where the hackers are hiding so that you can eliminate them and stop them from gaining access to your organization.

Format of the Book

This book makes use of a fictional character named Phoenix. You do not need to read the chapters in any particular order, so if you want to jump into a topic of interest right away, go for it. Each chapter begins with a “Setting the Stage” section where we explain the scenario that is the basis behind Phoenix’s motivation for attack. You’ll learn how common greed or the desire for revenge can lead to sophisticated attacks with serious consequences.

Each chapter continues with a section titled “The Chained Exploit,” which is a detailed, step-by-step approach used by our fictitious character to launch his attack. As you read through this section, you will learn that an attack is more than just using one software tool to gain access to a computer. Sometimes attacks originate from within an organization, whereas other times attacks begin from outside the organization. You will even learn about compromising physical security and social engineering as means to achieving Phoenix’s goal.

Each chapter concludes with a “Countermeasures” section filled with information that you can use to prevent the chained exploit discussed in the chapter. You should compare this information with your own security policies and procedures to determine whether your organization can or should deploy these countermeasures.

---

Note - Many of the organizations and Web sites mentioned in the scenario portions of this book are fictitious and are for illustrative purposes only. For example, in Chapter 2, “Discover What Your Boss Is Looking At,” the http://www.certificationpractice.com site Phoenix copies for his phishing site does not really exist, although many like it do.

---

Additional Resources

There were many things we wanted to include in this book but could not due to time restraints. You can find more information about chained exploits by visiting http://www.chainedexploits.com. That Web site contains additional information about chained exploits and any errata for this book.

Disclaimer

The attacks in this book are illegal if performed outside a lab environment. All the examples in this book are from the authors’ experience performing authorized penetration tests against organizations. Then the authors re-created the examples in a lab environment to ensure accuracy. At no point should you attempt to re-create any of these attacks described in this book. Should you want to use the techniques to assess the security of your organization, be sure to first obtain written authorization from key stakeholders and appropriate managers before you perform any tests.

© Copyright Pearson Education. All rights reserved.

Product Details

• Paperback: 312 pages
• Publisher: Addison-Wesley Professional; 1 edition (March 9, 2009)
• Language: English
• ISBN-10: 032149881X
• ISBN-13: 978-0321498816
• Product Dimensions: 9.3 x 7 x 0.7 inches
• Shipping Weight: 1.2 pounds (View shipping rates and policies)
• Average Customer Review: 3.7 out of 5 stars  See all reviews (15 customer reviews)
• Amazon Best Sellers Rank: #562,892 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

13 of 15 people found the following review helpful:

3.0 out of 5 stars Disappointing Exploits, April 12, 2009

By 

Justin C. Klein Keane "Mad Irish" (Philadelphia, PA USA) - See all my reviews
(REAL NAME)   

Amazon Verified Purchase

This review is from: Chained Exploits: Advanced Hacking Attacks from Start to Finish (Paperback)

I looked forward to Chained Exploits (CE) by Whitaker, Evans and Voth with much anticipation as the concept is a much needed addition to the lexicon on information security. Often academic fields are severely limited by the vocabulary available to discuss issues and the "chained exploit" is sure to become a mainstay in the discourse of information security. Despite my enthusiasm for the concept, however, I was disappointed by the material presented in CE. The genius of the chained exploit is that it upends the traditional threat matrix, typically presented as:

[value of resource] x [likelihood of exploit] = [risk level]

For example, a high value resource that is unlikely to be exploited should be ranked as a low risk, as should a low value resource that is likely to be exploited. Think of this in terms of a temporary database of publically available information used to populate a user demonstration website that is wiped out every 24 hours. If that information is compromised it has no value, so even if the compromise is likely it is a low risk system. Conversely if a system that contains critical financial information is confined to a single workstation that is removed from any networking and housed in a guarded facility it too is a low risk system (since the likelihood of compromise is low).

Unfortunately many auditors make risk assessments based on circumstances in a vacuum. This is where the concept of "chained exploits" becomes so valuable. For instance, if a vulnerability were discovered in a local binary accessible to users that allows privilege escalation, but the local binary exists on a system that has no users (other than administrators who already have root privileges) it is often considered a low risk. Many times patches for these sorts of vulnerabilities are not installed because the patch could introduce instability and would not be considered worthy of the expense given the low risk. Similarly a vulnerability could be discovered in a web service that when exploited could allow a remote attacker to gain an unprivileged local account that, say, only had access to read and write to the /tmp directory. This could also be considered a low risk since such limited access wouldn't present any threat to the system. However, if you "chained exploits" for the two vulnerabilities you suddenly have a condition where a remote attacker can gain a local account and elevate their privilege! This contravenes the low risk ranking of the individual vulnerabilities. When combined they suddenly become a very high risk to the system.

It was this sort of "chain" that I hoped CE would explore. Instead the material presented in the book consisted of context to several high risk vulnerabilities to explain why they might be used in tandem. For instance, the book would propose a scenario where a remote attacker installed a backdoor rootkit on a corporate network workstation then used that workstation to access the central database using default system administrator credentials. Each of the conditions used in these "chains" are extremely high risk already, and thus the book doesn't present any new material for seasoned information security professionals to consider.

For a novice this book is a great resource. It is full of the sorts of horror stories that professionals are all too familiar with, but could potentially be eye opening for a neophyte or someone unfamiliar with computer security. At the very least it is a page turning exploration of very real and often under appreciated risks to enterprises.

I was disappointed that the book didn't raise the level of discourse in the information security field but I suspect that wasn't the point of Chained Exploits. Instead it reads like a greatest hits sequence prepared by veteran penetration testers. It makes for interesting reading, but it isn't particularly informative. Don't look for any new 0 day exploits (or even a discussion of how to find such flaws). Instead the book contains a litany of well known routes to system compromise and illustrative narratives that tie them together in real world scenarios.

6 of 6 people found the following review helpful:

3.0 out of 5 stars Needs another editorial pass, July 12, 2009

By 

Sean Earp (Auburn, WA United States) - See all my reviews
(REAL NAME)   

This review is from: Chained Exploits: Advanced Hacking Attacks from Start to Finish (Paperback)

The concept of the book is decent, albeit quite similar to the Stealing the Network series of books, wrapping theoretical hacking attacks into readable stories. Unfortunately, the execution suffers from several problems.

The narratives are all over the place and rarely bear any resemblance to each other. The stories follow the work of "Phoenix", a hacker who alternates from being someone that dresses poorly enough to be mistaken for a homeless person, performing attacks under duress as a shadowy employer threatens his girlfriend, to someone who has quit his job to live in a 3500 square foot house from the income he gets renting out large botnets.

The book suffers from too-many-authoritis, and each author has a very different writing style that makes each story different from the last. One author is very good at working different tools into his story, while one author feels compelled to list every tool that could possibly be used to pick a lock or sniff wireless traffic.

"Although Phoenix will not be using all these tools in his exploit, he could use:

-Tool A: Long description from the tool's website
-Tool B: Long description from the tool's website
-Tool C: Long description from the tool's website"

A few of the attacks are somewhat clever, while the majority are unneccessarily complex, apparently needing to hit a quota of different tools. In an attempt to find out what websites Phoenix's boss is browsing on a computer a few feet away, he decides to not use ARP Poisoning, MAC spoofing, or MAC flooding (although he discusses how each would work) in favor of using phishing to install a trojan to TFTP over a copy of netcat that he uses to manually install WinPcap so that he can trace a TCP stream in Wireshark in order to cut and paste a dump of the network traffic into a Hex Editor to save out a JPEG file. Apparently Phoenix is not a fan of simplicity.

The usage of tools is also all over the place. Sometimes he jumps right into using complex tools, while one story (the particularly egregious social engineering chapter) walks through Phoenix getting confused by how to choose the keyboard language when booting an Auditor CD.

The book would also benefit from another pass by an editor. One chapter begins with a backstory that clearly presupposes the reader has a clue about some past dealings that Phoenix has had with another character. The next story is where Phoenix is introduced to the character for the first time. Elsewhere, Phoenix decides to use his Vista based laptop, and a few pages later he is using that laptop and booting up into Windows XP. While the introduction includes the standard disclaimer that everything in the book is potentially illegal and should only be done in a lab, some authors throughout the book felt compelled to instert similar disclaimers that were unneccessary and should have been caught by the editor.

All-in-all, the book is okay, especially for someone new to the field of penetration testing who would like a little real-world context around how different tools might be use in conjunction with each other. If a second edition of this book is ever released, it could really use another pass by an editor to fix some silly errors and to help the authors speak in a unified voice. For me, the issues I mentioned above made the book somewhat difficult to read and enjoy.

5 of 5 people found the following review helpful:

4.0 out of 5 stars A good book with fairly solid cases, May 6, 2009

By 

Richard Bejtlich "TaoSecurity" (Metro Washington, DC) - See all my reviews
(REAL NAME)   

This review is from: Chained Exploits: Advanced Hacking Attacks from Start to Finish (Paperback)

I agree with some of the commentary by previous reviewers, but I think some of it is unduly harsh. I don't think it's strictly necessary for a book to contain brand new security techniques in order to qualify for publication. Book publishing is not the same as releasing a white paper or briefing at Black Hat. However, books should strive to *not* cover ground published in other books, or even in well-written white papers. In that respect I think Chained Exploits strikes a good balance. The book's novelty relies on presenting complete, technical examples of a variety of "intrusion missions." While not necessarily groundbreaking for experienced offensive security people, Chained Exploits will be informative for broader technical audiences.

On the positive side, I thought the cases were well written. The authors did a good job explaining the entire case, with an introduction, body, and summary. This was helpful when the cases later in the book got more complex. The nature of the cases was interesting, with a good amount of variety. On the negative side, I think Phoenix would have been caught and imprisoned fairly easily for some of his exploits. Anytime he interacted with the physical world, in person, near his home, he became an easy target for law enforcement. His computer tactics weren't too sharp either, as noted by other reviewers. I would have liked seeing the book end with a raid on his house, followed by a list of the ways he exposed his identity to the cops. On a minor note, the authors should have supplied better images to the publisher -- many are fuzzy.

If you liked the Hackers Challenge and Stealing the Network book series, and you want something a little more modern and complicated, you'll like Chained Exploits.