6 Reviews
25 of 28 people found the following review helpful:
3.0 out of 5 stars
Good idea, inadequate execution,
This review is from: Hack the Stack: Using Snort and Ethereal to Master The 8 Layers of An Insecure Network (Paperback)
I teach a course called "TCP/IP Weapons School" that involves walking students up the OSI model. We look at network traces generated by tools and techniques to defeat security measures. When I saw "Hack the Stack" (HTS) I thought it might make a good resource for my class, since HTS seemed to advocate a similar approach. Unfortunately, technical errors, shoddy production, internal repetition and poor organization, and a lack of original material make me question the value of HTS.

A critical aspect of a security book is technical accuracy, but HTS does not deliver. In some cases the book is half-right, or it omits important elements. For example, p 9 implies only port 20 TCP is used for TCP data; that's true for the server in active FTP, but passive FTP uses arbitrary ports. p 15 says SOCKS is "Windows Sockets," when SOCKS is a proxy protocol. p 71 says CSMA/CA (wireless) is similar to CSMA/CD (traditional Ethernet), but the two protocols are very different; CSMA/CA is much more complex. p 115 should say IP proto 41 is "IPv6 in IPv4", and not imply that IP proto 41 is somehow "IPv6". p 118 says "ICMP messages cannot be sent in response to other ICMP messages." That's not true; otherwise, ICMP echo would not be able to elicit an ICMP echo reply. (The authors meant ICMP error messages cannot elicit ICMP errors.) Several times the book makes odd statements. p 14 says the first virus concept appeared in 1984, but non-PC viruses existed in the 1970s and the first PC virus (Elk Cloner) was in the wild in 1982. p 3 says "IDS has a short history" by citing Dorothy Denning's work in 1983, but ignores James Anderson's 1980 work for the Air Force as the first real IDS pioneer. p 119 says "consider disabling ICMP," which ignores breaking path MTU discovery and other crucial ICMP services. p 131 says idle scans were developed in 1988; it's 1998. p 131 also says a SYN to a closed port elicits a RST response, but it's really a RST ACK.

On the production side, Syngress did a very poor job publishing screen shots. HTS advertises "using Snort and Ethereal" in the book's subtitle, but many of the Ethereal screen captures are either too tiny or fuzzy or blacked out to be legible. This defeats the purpose of including them.

As far as organization goes, HTS is supposed to take a layer-by-layer look at security issues. However, material that should stay in one section is sometimes repeated or introduced in other sections. For example, there is no need to be discussing ARP (layer 2) manipulation in the layer 5 chapter, or again in the layer 6 chapter. HTTP interception tools should not appear in the layer 6 chapter when they fit properly in layer 7. SYN floods should not pop up in layer 4 and 5 chapters; pick one and consolidate coverage there. p 162 even says "Exchanges at the Transport layer are typically in clear text... FTP is a good example of this." The first assertion is wrong, and why is FTP appearing in the layer 4 chapter anyway? p 92 should recognize that PGP is not "Pretty Good Protection."

I didn't think it made sense to introduce Ethereal in ch 3, and then split coverage of Snort between ch 5 and ch 6. Furthermore, HTS made the mistake frequently repeated elsewhere of configuring Snort to log directly to a database. Without using unified logging with a spool reader like Barnyard, such a setup is only useful for demonstration purposes where packet loss is not an issue. To the extent necessary, Ethereal and Snort should have appeared in appendices and not the main "layer" text.

Finally, I did not find anything in the technical realm I had not read elsewhere. All of the tools (Nmap, Nessus, Hping, Amap, etc.) are familiar to most every network security practitioner, or they have been documented in great books like Anti-Hacker Toolkit or even other Syngress titles. It's ok to cover such tools if they are used in a novel way, but that didn't happen in HTS. I hoped to read something more original, say in the layer 4 chapter. Instead HTS discusses port scanning, OS fingerprinting, and SYN floods. The two chapters which may be of interest to readers include those on layer 1 and "layer 8." Layer 1 offers some basic lock picking information as well as the sort of physical security suggestions you'd find in a CISSP book. On a sad note, the vignette on Rick Rescorla on p 35 doesn't mention that he tragically died on 9/11. Layer 8 discusses policies, social engineering, and related "people issues."

Overall, I think there is room for a book like HTS. It's too bad this one did not deliver what I was expecting. I do appreciate the authors citing my network security monitoring methodology on p 232.
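As an added example, not from the book and not the reviewer's code: the two protocol corrections made above (a SYN to a closed port is answered with RST+ACK, not a bare RST; ICMP errors are never generated in response to other ICMP errors, while an Echo still gets an Echo Reply) modelled directly from RFC 793 and RFC 1122. The `TcpSegment` and `Datagram` types, the function names and the sample segments are this example's own.

```python
# Added example (not from the book or the reviewer). Models two stack
# behaviours the review corrects, taken straight from the RFCs:
#   - RFC 793 "SEGMENT ARRIVES", state CLOSED: a SYN to a port with no listener
#     is answered with <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>, not a bare RST.
#   - RFC 1122 s3.2.2: no ICMP error message is generated in response to another
#     ICMP error message; an Echo (informational) still elicits an Echo Reply.
# TcpSegment, Datagram and the function names are this example's own.
from dataclasses import dataclass
from typing import Optional, Set
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class TcpSegment:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""

    def seg_len(self) -> int:
        # SEG.LEN = payload octets plus one each for SYN and FIN (RFC 793).
        return len(self.payload) + bool(self.flags & TCP_SYN) + bool(self.flags & TCP_FIN)

    def pack(self) -> bytes:
        # 20-byte header, no options; window 65535, checksum left zero
        # (a real stack computes it over the pseudo-header).
        return struct.pack("!HHIIBBHHH", self.sport, self.dport, self.seq, self.ack,
                           5 << 4, self.flags, 65535, 0, 0) + self.payload


def closed_port_reply(seg: TcpSegment) -> Optional[TcpSegment]:
    """What a host sends back for a segment addressed to a CLOSED TCP port."""
    if seg.flags & TCP_RST:
        return None  # an RST never elicits an RST (otherwise two hosts could loop forever)
    if seg.flags & TCP_ACK:
        # Incoming segment carried ACK: reply is <SEQ=SEG.ACK><CTL=RST>
        return TcpSegment(seg.dport, seg.sport, seg.ack, 0, TCP_RST)
    # No ACK (the normal SYN-to-closed-port case):
    # <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>, ACK wraps modulo 2^32
    return TcpSegment(seg.dport, seg.sport, 0,
                      (seg.seq + seg.seg_len()) & 0xFFFFFFFF, TCP_RST | TCP_ACK)


IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
# Error-class ICMP types: dest unreachable, source quench, redirect,
# time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


@dataclass
class Datagram:
    proto: int
    icmp_type: Optional[int] = None   # meaningful only when proto == IPPROTO_ICMP
    dst_port: Optional[int] = None    # meaningful for UDP


def icmp_response(dg: Datagram, open_udp_ports: Set[int]) -> Optional[int]:
    """ICMP type a host sends back for an inbound datagram, or None.
    Only the cases the review touches are modelled: Echo, ICMP errors,
    UDP to a closed port, TCP, and an unsupported transport protocol."""
    if dg.proto == IPPROTO_ICMP:
        if dg.icmp_type == ICMP_ECHO:
            return ICMP_ECHO_REPLY  # informational ICMP does get a reply
        if dg.icmp_type in ICMP_ERROR_TYPES:
            return None             # RFC 1122: never an ICMP error for an ICMP error
        return None                 # other informational types are not modelled here
    if dg.proto == IPPROTO_UDP:
        # Closed UDP port: Destination Unreachable, code 3 (port unreachable)
        return None if dg.dst_port in open_udp_ports else ICMP_DEST_UNREACH
    if dg.proto == IPPROTO_TCP:
        return None                 # TCP answers with its own RST/ACK, not ICMP
    return ICMP_DEST_UNREACH        # unknown protocol: code 2 (protocol unreachable)


if __name__ == "__main__":
    syn = TcpSegment(sport=40000, dport=81, seq=1000, ack=0, flags=TCP_SYN)
    rst = closed_port_reply(syn)
    print(f"flags=0x{rst.flags:02x} seq={rst.seq} ack={rst.ack}")  # flags=0x14 seq=0 ack=1001
    print(icmp_response(Datagram(IPPROTO_ICMP, icmp_type=ICMP_TIME_EXCEEDED), set()))  # None
```

The flags value 0x14 is RST (0x04) plus ACK (0x10), which is what a packet capture of a SYN scan against a closed port shows; the ACK-carrying branch is what an ACK scan triggers, and it is a bare RST, which is why the two probes look different on the wire.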
4 of 4 people found the following review helpful:
3.0 out of 5 stars
Not exactly what I expected, but a good reference starter,
This review is from: Hack the Stack: Using Snort and Ethereal to Master The 8 Layers of An Insecure Network (Paperback)
I anticipated the book going more in depth in certain areas, but the overview it provided for each section was a great starter. I do agree with another reviewer who stated it was missing references to certain website links or direction to where to gather more information. This was a downside, mainly in dealing with large technical references such as this book. An index or glossary, noting the pages used and full definitions, would have gone a long way.
I did like some of the directions on testing and building of products, scripts or other methods to verify your own environment, however. I do realize you can only fit so much detail, but some definition areas needed more explanation than a simple paragraph. I would have looked to eliminate those and expand on others to give the feeling of deeper information. Now, saying all that, I appreciated the adding of the 8th layer that is not mentioned anywhere else. The reading was fairly straightforward and simple for the intermediate level technical administrator. Some of the references are not for the basic entry level, as it jumps right into topics that assume basic knowledge of networks, protocols and even mail and messaging. I shared this with some staff in the office for reading of particular areas and will be keeping it on the bookshelf (which means it is a keeper).
2 of 2 people found the following review helpful:
4.0 out of 5 stars
Unique Concept - Good Introduction to Topics,
This review is from: Hack the Stack: Using Snort and Ethereal to Master The 8 Layers of An Insecure Network (Paperback)
Hack the Stack is a Syngress title that primarily focuses on security topics layer by layer. The book takes a concept most people know, the OSI model, and uses that approach to discuss security exploits, vulnerabilities, and defenses. I liked the concept and the manner in which the material was presented. The book takes the 7 layer model and adds one more for people; this made sense to me.
The book starts out with the physical layer and continues up through each layer. The final chapter is a kind of checklist that reviews the material covered in the other chapters. Each chapter provides a hands-on security project. The ones on Snort and Bluetooth were my favorites. The book uses a number of Open Source or free tools like Snort and Wireshark to explain concepts I often wondered about. The authors seem to know the material but as others have said I wish they would have provided more resources and a glossary. With that in mind I rated this book four stars.
1 of 1 people found the following review helpful:
3.0 out of 5 stars
Don't make this your only security book...,
This review is from: Hack the Stack: Using Snort and Ethereal to Master The 8 Layers of An Insecure Network (Paperback)
Hack the Stack introduces a novel approach to aid in the understanding of security exploits. It discusses the various attacks that can occur and maps the attacks to one of the layers in the OSI model. This has the potential to cut through some of the confusion that someone new to the space may encounter.
Unfortunately, this book has several problems preventing it from being as useful as it could otherwise be. There is no glossary containing definitions that can be referred to later when you have forgotten what a term means. When new terms are introduced there isn't always a definition, and the definitions that are given are not formatted in a way that can easily be found later while skimming through the text. This makes the lack of a glossary all the more glaring. There is no bibliography listing all of the web sites that are mentioned. This forces you to have to hunt through the text to find a link. On top of that, some terms are merely mentioned in passing without any mention of where the reader can go for more information. This makes some sections of the book useful only as a very cursory introduction that can be used mostly for gleaning search terms to enter into Google. Most of the information that is contained in the book is very good, if a bit light on in-depth details. The book seems to be targeted at those who are new to the space, but the lack of formal definitions, glossary, bibliography, and additional links does not make it the one stop shop for most of the information. I really enjoyed the authors' approach, their use of little "security projects" at the end of most chapters that give you some hands on experience with some very interesting security tools, and the breadth of information they cover. They answer many questions that I have often wondered about for a long time and have given me the key terms I need to use to gather more information. The authors obviously know what they are talking about and it is quite a daunting challenge to try to cover the amount of data they attempt to cover in a single book. I was consistently amazed at how much the authors know, I just wish they would have provided more resources on where to go to learn more.
If you are looking for a very good reference manual that is thoroughly cross indexed with a good bibliography so you quickly know where to go for additional information as well as a glossary so you can remind yourself what that acronym stands for without having to hunt back through the book for where it was first used, then this book is not for you. If, however, you are looking for a book that provides a novel approach to introducing security concepts, and you want to be guided through some basic hands on use with some very powerful security tools, and you don't mind having to scan through the book for links to additional information or having to go to Google for the definitions on some key terms then this book may be a good addition to your library, just don't expect it to be the one true source for security knowledge.
5.0 out of 5 stars
Good approach,
By JTS (Sparks, NV USA)
Amazon Verified Purchase
This review is from: Hack the Stack: Using Snort and Ethereal to Master The 8 Layers of An Insecure Network (Paperback)
I've read other reviews saying the book isn't perfect, however I do like the approach through the OSI Model etc which makes the book worth it and something which has become a permanent part of my skill set/approach. A good value.
5 of 8 people found the following review helpful:
3.0 out of 5 stars
Neat concept, not well executed,
By jose_monkey_org (Ann Arbor, MI, USA)
This review is from: Hack the Stack: Using Snort and Ethereal to Master The 8 Layers of An Insecure Network (Paperback)
Trying to map the OSI 7-layer stack to network security isn't a novel idea, but I haven't seen it attempted on such a full scale. Probably the closest thing out there would be some of the pen-testing books or Zalewski's "Silence on the wire". Sadly, while this is a neat concept, it doesn't come off very well.

The 7-layer model is often jokingly extended to 9 layers (adding money and politics to the top of the stack). Here they go for 8 layers, and make the top "people". People, after all, can be tricked into bypassing any technology you throw in their way. This approach makes sense.

Layer 1, the physical layer, has a decent overview (with errors, like any chapter), and goes into two topics more deeply than the other ones: lock bypassing and Bluetooth adapter modifications. OK, not bad, but sort of incomplete.

Layer 2 gives a sometimes confusing intro to the data link layer, and covers ARP layer attacks. While there are some errors in this chapter, it's a decent overview. The sections on cracking Wifi WEP keys could have been better organized for improved effect.

Layer 3 covers the network layer (IP and ICMP). If you want a good intro to these subjects, look at Stevens, Comer, or some of the other top notch TCP/IP guides. We start looking at some of the tools like NMAP and p0f. Sadly, the authors mix active and passive fingerprinting techniques under "Passive fingerprinting", adding to some confusion. The presentation of the IP topics isn't very strong or very complete.

Layer 4 covers the transport layer (TCP, UDP, etc) and additional techniques for OS fingerprinting. Again, some confusing writing, some poor diagrams (which, I might add, are inconsistent throughout the book), and some incomplete descriptions. The section on installing Snort should have been moved to an Appendix. By this point I'm seeing a pattern: the authors, it seems, didn't coordinate their diagrams and topics very well. This means that the book is spotty and choppy in places, and sometimes confusing. There's some mild repetition in the book, and in short you sometimes have to struggle to get what's going on. The clarity of the book suffers for this, unfortunately.

Layer 5 covers the session layer, and again some confusing bits. The section on the ACK storm isn't well constructed in places, and the session hijack tools could have been better covered. Because this chapter jumps around from defense to attacks, authentication to pure packets, it seems poorly organized. The Snort rules at the end of the chapter appear to hang in the middle of nowhere; I'm not sure if this was complete.

Layer 6 focuses on NetBIOS and SMB attacks, and talks a lot about using the Burp proxy to attack web browsing. The sections on IPsec and other encryption mechanisms are incomplete.

Layer 7 covers the application layer, and uses the FTP protocol as an example, and DNS as another example. A whole host of other attacks (beyond plaintext data transmission) are covered, and we even get into some buffer overflow sections. This chapter feels very ambitious, and as a result of an incomplete treatment it's poorly executed. Everything feels too rushed and cursory.

Finally, in chapter 9 we cover the 8th layer, people. A very cursory overview of many attacks, including dumpster diving, phishing, social engineering, and password cracking is given. Again, ambitious and incomplete, unfortunately (whole books are written on this type of stuff). The book finishes with an appendix that reviews the attacks and defenses in the preceding chapters as you move up the stack, which is a nice addition.

I agree with many of the other reviewers, including Richard. This book simply looked like a good idea, but was poorly executed. In addition to the errors Richard found, I found several myself, so you'll want to be wary of trusting everything you read. A set of resources for every chapter, or even for the whole book, would have been welcome. URLs scattered in the text make them difficult to find. While ambitious, Hack the Stack fails to truly deliver. It's plagued with consistency, organization, and completeness problems. A more focused book with tighter editing and review may have done a better job.
Hack the Stack: Using Snort and Ethereal to Master The 8 Layers of An Insecure Network by Brandon Franklin (Paperback - December 27, 2006)
$51.95 $34.87
In Stock