120 of 125 people found the following review helpful
on March 27, 2008
This is the second edition of a well known book about hacking and contains a lot about hacking. Jon Erickson has expanded the book from the first edition doubling the number of pages to 450 pages and a Linux based Live-CD is also included.
I don't own the first edition, since I had to choose between Hacking by Jon Erickson and The Shellcoders Handbook (first edition, it is also in 2nd ed. now). I choose the Shellcoders handbook, which I have considered my bible for buffer overflows and hacking.
Now that I have read Jon Ericksons book about hacking I have two bibles, both excellent and well written, both covering some of the same stuff - but in very different ways.
This book details the steps done to perform buffer overflows on Linux on the x86 architecture. So detailed that any computer science student can do it, and they should. Every computer science student or aspiring programmer should be forced to read this book along with another book called 19 deadly sins of software programming.
That alone would improve internet security and program reliability in the future. Why you may ask, because this book teaches hacking, and how you can get started hacking.
Not hacking as doing criminal computer break ins, but thinking like an old-school hacker - doing clever stuff, seeing the things others don't. This book contains the missing link back to the old days, where hackers were not necessarily bad guys. Unfortunately today the term hacker IS dead in the public eye, it HAS been maimed, mutilated and the war about changing it back to the old meaning is over. (Actually this war was fought in the 1990's but some youngsters new to hacking still think it can be won, don't waste your time.) The word hacking can still be used in both ways, just make sure the receiver knows what you are talking about :-)
This book teaches hacking in the old sense of the word and contains the explanation that most others books don't - and at the same time it introduces all the basic skills for performing various types of overflow attacks. Then the book also digress into some wireless security and even WEP cracking, but this part is pretty slim, not bad, just only a few pages. This is OK, since I think of this more as an example of extending the hacking into new areas and hopefully inspires more people to look into wireless security.
The best part about this book is that it is not just a book with a random Live-CD. It is an inspiration and your fingers will itch to get started trying the examples explained and experiment with the programs. This alone is the single feature that makes this book worth it, you will do the exercises and learn from them. Learn a lot.
To sum it up this books contains clever tricks and easy to follow exercises, so you can learn to apply them.
This book is for anyone interested in hacking and developing exploits. While the primary target audience is newcomers to this field I benefitted from the thorough walkthrough of the basics once again. This book kept reminding me about things I have forgotten and also some new things and tricks I hadn't thought of myself.
If you are a beginning hacker and want to get started, but was confused
by various text files found on the internet, this is the book to buy.
If you want to learn how to do basic stuff and get started thinking like a hacker, this is the book to buy.
If you are a software programmer that has started to think about software security, this is the book to buy.
This book goes from beginning hacker to inspired intermediate hacker and explains everything in depth and is well planned and you will be able to extract an awful lot of information about the way programs really work after reading this book.
If you read this book from cover to cover you will be able to follow most other references about hacking, books, papers, zines etc. from the internet.
So this book is recommended for anyone interested in hacking and could be a nice start to having your own library about hacking. Reading this book first will also help you understand other books about hacking better and get more information from them by thinking in the right way.
Then later you could expand this library with books like, Steven Levy Hackers, Steven Levy Crypto, Shellcoders Handbook, Clifford Stoll Cuckoos Egg and other references.
I am not missing much from this book, but a short explanation how you could run this CD along with your usual operating system, using something like VMware Player would have been nice.
The home page for this book is: [...]
61 of 65 people found the following review helpful
on July 28, 2011
This is the last in a recent collection of reviews on "hacking" books. Jon Erickson's Hacking, 2nd Ed (H2E) is one of the most remarkable books in the group I just read. H2E is in some senses amazing because the author takes the reader on a journey through programming, exploitation, shellcode, and so forth, yet helps the reader climb each mountain. While the material is sufficiently technical to scare some readers away, those that remain will definitely learn more about the craft.
H2E accomplishes a very difficult task. The book strives to take readers with little to no real "hacking" knowledge to a level where they can at least understand, if not perform, fairly complicated digital security tasks. Other books aren't as successful, e.g., "Gray Hat Hacking," which features material on C, assembly, Python, etc. into one short chapter. In contrast, H2E, in my opinion, does a credible job leading the reader from pseudo-code to C and assembly. Now, I would not recommend this book as a reader's sole introduction to programming, let alone C or assembly. Please see my older reviews for recommendations on books devoted to those topics. Still, H2E credibly integrates programming into the hacker narrative in a compelling and educational manner.
The author also has a great eye for consistency and style. I welcomed reading his examples using gdb, where he presented code, explained it, stepped through execution, showed memory, transitioned from displaying source, then assembly, and so on. This was a compelling teaching method that technical authors should try to emulate.
Overall I really liked H2E, hence the 5 star review. My only main gripe was the author seems to believe that it's in society's benefit for black hats to test and exploit defenses. His claims on p4 and p 319 that hackers improve security reminds me of the broken window fallacy, meaning it's economically beneficial to break windows so a repairman has a job. In reality, the security world is more a redirection of resources away from more beneficial innovation, not a way to build "good security jobs." Furthermore, all of the supposed advances spurred by reacting to intruder activity do not result in increased security in the enterprise. At this point so much legacy software and equipment is deployed that intruders can always find a way to accomplish their mission, thanks often to the discoveries of so-called hackers. At the end of the day one has to accept the reality that intruders will always try to breach defenses, so it behooves defenders to understand attackers for the benefit of defense.
36 of 42 people found the following review helpful
on January 20, 2009
Format: PaperbackVerified Purchase
The easiest way to sum up this book is simply "wow." Erickson discusses the fundamentals of exploits (hacks) on local machines and remote machines, and also hits on a bit of cryptology. The meat of book is sandwiched by something of an inner dialogue and history of hacking, which alone are worth the cost of the book. This book is not for the layman or the faint of heart- you have to know how to write code, and you have to at least know how to read Intel x86 assembly, if not write it. It also doesn't hurt to know how programs are actually executed- beyond just double-clicking an icon- I'm talking about stacks and heaps and everything else. The second chapter is possibly the most elegant summary of programming and the C language I have ever seen, ever, but nothing beats a few years "in the trenches."
So once you've refreshed your basics of programming, Erickson gets right into it, discussing buffer overflows. He builds up from the most simple concepts into more and more complicated tools- which seems to be exactly how we have arrived at modern exploits; the hackers and the anti-hackers have been co-evolving over the years. Next comes hacking remote machines, including how to cover your tracks- which I found to be some of the most devious ideas presented. If you take your time, and run some of the exploits yourself on the included CD, you will come away with an incredible knowledge of how many exploits work from their most fundamental level. If you're anything like me, you will enjoy the "hunt" of trying to counter the exploit before Erickson explains the solution. Also, if you're anything like me, you will walk away from the book shaking your head at the rut called ASCII that we've worked ourselves into.
<rant> I think this is another one of those books that needs to be on a mandatory reading list for all CS bachelors degree. It seems to me that most of the exploits wouldn't be a problem if programmers were a bit more diligent in their coding. strcpy() is your enemy, strncpy() is your friend. Always always ALWAYS be 100% suspicious of any input supplied from a user- check for illegal characters. Instead of if(functionThatReturnsTrue), try if(functionThatReturnsTrue == True). The list goes on and on. Computers do only what they are told, and if you leave a hole in your program that allows someone else to tell the computer what to do to save yourself the second or two it takes to hit a few more keys, well then you deserve to be hacked and summarily lose your job. Due diligence: do it- maybe then the real engineering disciplines won't be so mad when code monkeys call themselves engineers. </rant>
From what I can gather, the first edition was too terse. I think the second edition was a bit long-winded at times. And there's no discussion of hacking a Windows machine. However, this is still by far the best general hacking book out there.
9 of 9 people found the following review helpful
on April 10, 2011
Format: PaperbackVerified Purchase
This book is very ambitious and succeeds in most aspects. The author's a little ambitious about trying to take the reader from zero experience with programming to understanding assembly language within 100 pages, so if you're starting from scratch I'd recommend combining this book with perhaps Dunetmann's introduction to assembly on the x86: the two books actually complement each other very nicely. Once you've survived the first 150 pages you'll have an excellent grounding in the mechanics underlying architecture attacks such as buffer overflow.
Some folks have questioned the book's applicability given its reliance on Linux. I can't agree. I'm running on a non-linux system and the examples carry over perfectly. Instances where they don't only add to the instructiveness since you are forced to think about what's really going on and adapt the author's approach accordingly. For example you're forced to analyze the different results of GDB on a 64-bit vice 32-bit architecture, having to deal with differences in how the stack is organized, etc etc. And if you really want to follow along with the author step by step you can easily mount the iso in a VM and run the software that way.:)
9 of 9 people found the following review helpful
on May 25, 2008
I found the book a pleasure to read. The book explains the fundamental concepts of hacking very well. The treatment of exploits like buffer overflow, format string vulnurabilty is very good. The chapters on networking, shellcode are also very good. All throughout the book every concept is explained by extensive source codes (with clear accompanying commentary). All in all this is a great book to start learning the concepts of hacking and security.
68 of 87 people found the following review helpful
on January 11, 2008
Jon Erickson's _Hacking_ is undoubtedly an interesting book, and one that perhaps appeals only to a small subsection of the hacker culture, those who want to learn techniques for exploitation at the conceptual level, aided by plenty of dense examples of code to illustrate those concepts. Erickson's background is in computer science, and he is a corporate lecturer on the subjects of cryptology and network security. With these bona fides, you might expect Erickson to treat the topic professionally and scientifically--and you would be right. Erickson's book is full of interesting and highly useful bits of information on cryptology, ciphers, information theory, and so on, but readers should prepare themselves for a somewhat pedantic, textbook-like style of writing. Having made such preparations, the book does open up for the reader who is looking to learn or brush up on some programming fundamentals.
The majority of _Hacking_ is very technical and deals with programming techniques. The author warns us as much in his Preface, saying that general programming knowledge is necessary in order to make your way through the book. Additionally, those looking for examples of different code flavors will find that Erickson works exclusively with the Gentoo Linux distro, the idea being that the examples are illustrative of techniques and strategies, especially if you are used to a different programming language. Otherwise, you might consider this book a useful primer on Linux, offering practical examples of various exploits, encryption/decryption, and so on.
The bulk of the book is divided into three sections: "Programming" (writing shellcode, dissemblers, and generalized exploiting techniques), "Networking" (Network sniffing and hijacking, DOS attacks, and port scanning), and "Cryptology" (developing algorithms, password cracking techniques, and WEP attacks). Each of these sections is replete with many detailed examples of code (sometimes pages long) for your referencing pleasures. Personally, I'm more drawn to the socio-political content found in the entirely-too-short Introduction, Conclusion, and Reference sections, which despite their underdeveloped feel, offer readers Erickson's thoughtful perspective on hacking (discovering and exploring system vulnerabilities is a valuable practice when done for noble ends, or in his own words, "Information itself isn't a crime"), a brief look into the history and ethics of early hacker culture (a learn-but-do-no-harm ethic borne of the 1950s MIT model railroad crowd, the distinction between hackers and crackers, and his thoughts on the importance of pursuing creative problem-solving strategies within closed logical structures), and a number of links to potentially useful web tools (hexadecimal editors and fuzzy fingerprint generators, for instance). On the whole, I found myself wishing that these sections had been developed further, as they might help broaden the potential readership for this book.
As a bookshelf resource, I can see this book being an invaluable contribution to the library of the hacker whose interests in the subject are shaped by theoretical or academic ways of thinking. Otherwise, it's not exactly a page-turner, and I don't expect social engineers, tinkerers, and certainly not skript kiddies to be the audience for this book. Nevertheless, it is important in that it marks a serious contribution to the art, science, and philosophy undergirding hacker culture. For good or for ill, it marks an attempt to formalize or legitimize a body of knowledge that has historically relied upon and even relished its underground status.
9 of 10 people found the following review helpful
on February 29, 2008
Its important to understand what this book tries to cover. Erikson covers specific hacking techniques. He stays close to Linux and C to illustrate the techniques and he exploits a lot of open source software. The goal is to familiarize the reader with the different types of exploits.
In Chapter 6, the author explains: "The state of computer security is a constantly changing landscape...if you understand the concepts of the core hacking techniques explained in this book, you can apply them in new and inventive ways to solve the problem du jour. Like LEGO bricks, these techniques can be used in millions nof different combinations and configurations. As with art, the more you practice these techniques, the better you'll understand them." Clearly, Erickson is passionate about the subject matter he covers in his book.
Any ability to exploit vulnerabilities requires a thorough understanding of the underlying subject. Here Erikson's book offers a number of quick primers on topics such as C programming and network protocols. These introductions are valuable because they introduce the subject and give you deep dives into specifics. They give you some sense of how hacking can lead to a greater understanding of the system under exploit. For example in Chapter 4, Erikson goes from introducing us to the OSI model to socket programming in four pages. But because of a very engaging writing style, it doesn't feel like a hurried course.
After the introduction in which he covers C programming language basics, Erikson introduces us to exploitation via a buffer overflow example. He covers network hacking techniques such as denial of service, TCP/IP hijacking and port scanning. He delves into the more involved topic of spawning shell code to gain control of a system. And in a very entertaining Chapter 6, he shows you how to bypass security measures that detect and track hackers. In the final chapter, he covers hacking techniques for cryptography.
8 of 9 people found the following review helpful
on April 28, 2008
Hacking, 2nd edition features an extensive overview of C and x86 Assembly, Linux, and slowly steps through major functions of GDB. It's a bad idea to read this book without a Linux distro at hand, but thankfully one is included.
I'd buy this again in a heartbeat.
4 of 4 people found the following review helpful
on March 7, 2011
Format: PaperbackVerified Purchase
The book opens with "The goal of this book is to share the art of hacking with everyone." That sums up exactly what the book does. For those that are interested in learning more about the exploitation side of security, this book is THE primer.
Hacking goes into the mindset of the hacker when it comes to exploitation. It starts out with the terms and concepts that are required to understand all of the in depth technical parts that come next.
The book ships with a LiveCD with all of the code on it, which makes it easy to follow along with each section. The sections start out with Unix basics and move forward. Most of the programs are short and easy to follow, although there are a few 400+ line programs thrown in, which for me were harder to follow.
You don't need to KNOW assembly in order to follow through with this book, however, you must have a strong enough background in computers to look up what the assembly means and be able to follow through. The only exception may be the Shellcode chapter, where the whole point is dealing with assembly tricks to remove NULL bytes in appliactions.
Each section has strong examples and explanations, and the stack overflows, heap overflows, and format string exploits are well covered. The stack and heap overflows had awesome examples and were clear and concise. The format string section was really good, although I did reference The Shellcoder's Handbook to solidify my understanding.
The book even has material on network exploitation. Before the exploitation is presented, the author goes into how the network works, how to sniff network traffic, and then finally goes into network exploitation. The background is great if you need a refresher on networking before you get to the network based exploitation.
Overall, great book. It is one of my two favorites for dealing with exploitation, and it is a must have on your bookshelf if you need to deal with exploits as a sys admin, pen tester, or vulnerability researcher or hobbyist.
5 of 5 people found the following review helpful
on May 23, 2008
This is an excellent book about hacking. Includes a very well written introduction to the C programming language. The book contains very useful chapters on Networking and on Cryptology with lots of hand-on examples. I highly recommend it if you want to learn hacking techniques presented in a systematic way. Buy this book.