Customer Reviews

Chained Exploits: Advanced Hacking Attacks from Start to Finish

5 star:		(2)
4 star:		(8)
3 star:		(4)
2 star:		(1)
1 star:		(0)

 

 

I looked forward to Chained Exploits (CE) by Whitaker, Evans and Voth with much anticipation as the concept is a much needed addition to the lexicon on information security. Often academic fields are severely limited by the vocabulary available to discuss issues and the "chained exploit" is sure to become a mainstay in the discourse of information security. Despite my enthusiasm for the concept, however, I was disappointed by the material presented in CE. The genius of the chained exploit is that it upends the traditional threat matrix, typically presented as:

[value of resource] x [likelihood of exploit] = [risk level]

For example, a high value resource that is unlikely to be exploited should be ranked as a low risk, as should a low value resource that is likely to be exploited. Think of this in terms of a temporary database of publically available information used to populate a user demonstration website that is wiped out every 24 hours. If that information is compromised it has no value, so even if the compromise is likely it is a low risk system. Conversely if a system that contains critical financial information is confined to a single workstation that is removed from any networking and housed in a guarded facility it too is a low risk system (since the likelihood of compromise is low).

Unfortunately many auditors make risk assessments based on circumstances in a vacuum. This is where the concept of "chained exploits" becomes so valuable. For instance, if a vulnerability were discovered in a local binary accessible to users that allows privilege escalation, but the local binary exists on a system that has no users (other than administrators who already have root privileges) it is often considered a low risk. Many times patches for these sorts of vulnerabilities are not installed because the patch could introduce instability and would not be considered worthy of the expense given the low risk. Similarly a vulnerability could be discovered in a web service that when exploited could allow a remote attacker to gain an unprivileged local account that, say, only had access to read and write to the /tmp directory. This could also be considered a low risk since such limited access wouldn't present any threat to the system. However, if you "chained exploits" for the two vulnerabilities you suddenly have a condition where a remote attacker can gain a local account and elevate their privilege! This contravenes the low risk ranking of the individual vulnerabilities. When combined they suddenly become a very high risk to the system.

It was this sort of "chain" that I hoped CE would explore. Instead the material presented in the book consisted of context to several high risk vulnerabilities to explain why they might be used in tandem. For instance, the book would propose a scenario where a remote attacker installed a backdoor rootkit on a corporate network workstation then used that workstation to access the central database using default system administrator credentials. Each of the conditions used in these "chains" are extremely high risk already, and thus the book doesn't present any new material for seasoned information security professionals to consider.

For a novice this book is a great resource. It is full of the sorts of horror stories that professionals are all too familiar with, but could potentially be eye opening for a neophyte or someone unfamiliar with computer security. At the very least it is a page turning exploration of very real and often under appreciated risks to enterprises.

I was disappointed that the book didn't raise the level of discourse in the information security field but I suspect that wasn't the point of Chained Exploits. Instead it reads like a greatest hits sequence prepared by veteran penetration testers. It makes for interesting reading, but it isn't particularly informative. Don't look for any new 0 day exploits (or even a discussion of how to find such flaws). Instead the book contains a litany of well known routes to system compromise and illustrative narratives that tie them together in real world scenarios.

The concept of the book is decent, albeit quite similar to the Stealing the Network series of books, wrapping theoretical hacking attacks into readable stories. Unfortunately, the execution suffers from several problems.

The narratives are all over the place and rarely bear any resemblance to each other. The stories follow the work of "Phoenix", a hacker who alternates from being someone that dresses poorly enough to be mistaken for a homeless person, performing attacks under duress as a shadowy employer threatens his girlfriend, to someone who has quit his job to live in a 3500 square foot house from the income he gets renting out large botnets.

The book suffers from too-many-authoritis, and each author has a very different writing style that makes each story different from the last. One author is very good at working different tools into his story, while one author feels compelled to list every tool that could possibly be used to pick a lock or sniff wireless traffic.

"Although Phoenix will not be using all these tools in his exploit, he could use:

-Tool A: Long description from the tool's website
-Tool B: Long description from the tool's website
-Tool C: Long description from the tool's website"

A few of the attacks are somewhat clever, while the majority are unneccessarily complex, apparently needing to hit a quota of different tools. In an attempt to find out what websites Phoenix's boss is browsing on a computer a few feet away, he decides to not use ARP Poisoning, MAC spoofing, or MAC flooding (although he discusses how each would work) in favor of using phishing to install a trojan to TFTP over a copy of netcat that he uses to manually install WinPcap so that he can trace a TCP stream in Wireshark in order to cut and paste a dump of the network traffic into a Hex Editor to save out a JPEG file. Apparently Phoenix is not a fan of simplicity.

The usage of tools is also all over the place. Sometimes he jumps right into using complex tools, while one story (the particularly egregious social engineering chapter) walks through Phoenix getting confused by how to choose the keyboard language when booting an Auditor CD.

The book would also benefit from another pass by an editor. One chapter begins with a backstory that clearly presupposes the reader has a clue about some past dealings that Phoenix has had with another character. The next story is where Phoenix is introduced to the character for the first time. Elsewhere, Phoenix decides to use his Vista based laptop, and a few pages later he is using that laptop and booting up into Windows XP. While the introduction includes the standard disclaimer that everything in the book is potentially illegal and should only be done in a lab, some authors throughout the book felt compelled to instert similar disclaimers that were unneccessary and should have been caught by the editor.

All-in-all, the book is okay, especially for someone new to the field of penetration testing who would like a little real-world context around how different tools might be use in conjunction with each other. If a second edition of this book is ever released, it could really use another pass by an editor to fix some silly errors and to help the authors speak in a unified voice. For me, the issues I mentioned above made the book somewhat difficult to read and enjoy.

I agree with some of the commentary by previous reviewers, but I think some of it is unduly harsh. I don't think it's strictly necessary for a book to contain brand new security techniques in order to qualify for publication. Book publishing is not the same as releasing a white paper or briefing at Black Hat. However, books should strive to *not* cover ground published in other books, or even in well-written white papers. In that respect I think Chained Exploits strikes a good balance. The book's novelty relies on presenting complete, technical examples of a variety of "intrusion missions." While not necessarily groundbreaking for experienced offensive security people, Chained Exploits will be informative for broader technical audiences.

On the positive side, I thought the cases were well written. The authors did a good job explaining the entire case, with an introduction, body, and summary. This was helpful when the cases later in the book got more complex. The nature of the cases was interesting, with a good amount of variety. On the negative side, I think Phoenix would have been caught and imprisoned fairly easily for some of his exploits. Anytime he interacted with the physical world, in person, near his home, he became an easy target for law enforcement. His computer tactics weren't too sharp either, as noted by other reviewers. I would have liked seeing the book end with a raid on his house, followed by a list of the ways he exposed his identity to the cops. On a minor note, the authors should have supplied better images to the publisher -- many are fuzzy.

If you liked the Hackers Challenge and Stealing the Network book series, and you want something a little more modern and complicated, you'll like Chained Exploits.

From the Description:

"Nowadays, it's rare for malicious hackers to rely on just one exploit or tool; instead, they use "chained" exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don't cover them at all. Now there's a book that brings together start-to-finish information about today's most widespread chained exploits-both how to perform them and how to prevent them.

Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today's most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering."

It took me awhile to decide on a star rating for this book. It had lots of very good pro's and to me several significant cons. So the pro's: I couldn't think of another book that approaches the problem from the "chained exploit" perspective meaning one exploit doesn't give you the keys to the kingdom or your final end state. Now, for the last 10 years we've had the Hacking Exposed Methodology which essentially tells us "how to chain exploits together" but doesn't actually walk you through the process during a chapter of a book or share the process in the "story" format that Chained Exploits does. The Hacker's Challenge series of books is similar but the Chained Exploits book gives you a bit more technical detail (code snippits, metasploit output, etc) than the Hacker's Challenge books. The countermeasures in Chained Exploits are also valuable and usable which is refreshing because they usually seem like an afterthought and less of a major piece of other books.

OK so the cons:
So the "chained exploit" approach is valuable from a teaching point of view but anybody that pentests for a living has been doing this for awhile now, its just part of "the process." Its certainly not new to the security community but maybe new to print. You could also argue that chaining reconnaissance with the sending of our phishing email really isn't "chaining" anything, again its our process of attack or methodology. Our attacker phoenix, for being such an evil black hat, makes some gross errors that go unmentioned in the book. One of the biggest errors was testing code on his home system that actually sends traffic to the later victim. A halfway decent admin with some Law Enforcement help will trace that activity right back to the source...his apartment. That leads me into my final con about the book. The book, while technically correct and well written, was not overly technical or employing many new techniques. I felt like most of the attacks mentioned in the book were pretty old and had been discussed in a lot of other places. I would have liked to have seen much more technical attacks carried out. There was no mention of semi-advanced techniques like IDS evasion, AV evasion and detection, or stealthiness. We don't live in a day and age anymore where i can push netcat to most Windows systems and not expect AV to catch it or IDS to signal on the traffic. The authors were certainly capable of more advanced technical content but did not deliver.

I purchased this book recently at a security conference along with a moderate discount. After reading I'm happy to say that a discount was applied. The book is a set of eight (8) short stories that follows a fictitious character named "Phoenix" as he completes various "Chained Exploits" to take over targets. The book does a great job keeping the reader's attention with the sometimes confusing storyline. The creative thinking the authors used wouldn't be my first choice in the attack scenarios, but it appears to work. The book makes a great reference for security students or novice professional but unfortunately the book falls short on the advanced side and instead should be titled "CHAINED EXPLOITS: Hacking Attacks from Start to Finish.

It is basically a collection of fiction stories, where the lead character uses non-fiction techniques to accomplish the "jobs" he was given.

This book is entertaining and was well written. Once I started reading it, I couldn't put it down.

The book fails to push into any new territory. It tells stories that any penetration tester is familiar with, but doesn't exceed in any particular area. It would have been nice if the authors included new or novel attacks and tools to make "chained exploits" their own rather than standard community material.

Whitaker, Evans, and Voth (2009) used a ficticious character named Phoenix to drive a series of stories related to hacking events against various types of targets (people, sites, organizations, et. al). the authors also use Phoenix to explain the motivations and reasons why hackers do what they do and it is not always about money, some are emotional in naturs (threats to loved ones, self, etc.). The moral and ethical considerations of what Phoenix dies are not described and left to the readers interpretation. Each chapter is a situation that details a type of illegal activity (credit card info snatches, recon of the boss, destroying a competitor's website, corporate espionage, chained corporations, healthcare records changes, social network attacks for personal emotional gain, country club hacks/cracks, etc.) done via a chained exploit of the targeted systems' vulnerabilities. The way the attacks are performed are discussed along with a series of countermeasures to the exploits used. A summary is provided as well to illustrate the issues the attacks bring up. It is important to note that the authors warn readers not to try anything written in the book as they are illegal. This book is a must read for IT security personnel and those in the industry because it gives them an understanding of a hacker/cracker's mindset and some tools that can be used to discourage them from continuing. All of the software and methods of attacks are real and can be investigated. Check with your legal department (if you have one) or ISSA/ISACA/infrastructure protection forums to assist you in protecting your systems. It also helps get buy-in from management for securing their data and listening to IT security personnel as is serves asa lessons learned that would otherwise be costly.

The book focuses on real techniques that are used by attackers to perform hacks. It is well written in that each chapter is clearly laid out with an intro, steps to complete the attack, and countermeasures. The authors effectively link together the multiple exploits and tools that are needed to perform a real world attack. As anyone who works in the security industry can attest, there are almost unlimited methods an attacker can use to conduct an attack. Although the author's choice for performing attacks may not always be the simplest or most realistic, they allow the authors to introduce numerous vulnerabilities and the authors also offer suggestions for other ways that the attacks could be conducted.

As the version of the book that I read was not a first edition, it was apparent that the order of the chapters had been rearranged making the flow of the overall book a little disjointed. Some chapters focused in depth on technical details of using tools while others were much more high level.

In all, it was a very good read and I would recommend it to anyone who is working or has an interest in security and especially penetration testing.

Andrew Whitaker, Keatron Evans and Jack B. Voth's CHAINED EXPLOITS: ADVANCED HACKING ATTACKS FROM START TO FINISH provides a fine guide to chained attacks and is a pick any network security library must have. Chapters cover new phishing attacks, how IT security can be vulnerable to wireless networks, how competitors' web sites are disrupted, and more. Each attack is analyzed one step at a time with the latest countermeasures - technical and human - covered. An outstanding presentation.