The following is a brief [and biased] review of the pages of Hacking: The Next Generation. In one sentence, I would recommend it to an IT student thinking of getting closer to security as a first-time security flavour.
Disclaimer: These lines are no substitute for reading the book. They are meant to give a global overview of what the reader can find in it. My kudos to the authors; writing a book is always a big effort, and an even greater one when the book deals with a moving target such as IT security.
The book: Hacking: The Next Generation.
The authors: Nitesh Dhanjani, Billy Rios, Brett Hardin.
Publication year: August 2009.
Publisher: O'Reilly Media.
Chapter 1 Intelligence gathering: peering through the windows to your organization
The first chapter gives some practical tips on social engineering and intelligence gathering. The authors mention the Google Hacking Database and the Search Engine Assessment Tool, and the usefulness of document metadata and social networks for collecting information for a future attack. Tools like theHarvester.py and metagoofil.py are also mentioned. Google search syntax such as resume filetype:doc "current projects", and even the simple use of public Google calendars, can also yield useful results.
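To make the metadata point concrete from the defender's side, here is an added example (my own code, not from the book or from the theHarvester/metagoofil projects) that audits the author, last-modified-by and company fields inside a .docx and rewrites the file with those fields emptied before it is published. The .docx it inspects is constructed in memory with placeholder values; the container layout (a zip with docProps/core.xml and docProps/app.xml) is the real Office Open XML structure.

```python
"""Audit and strip author/organisation metadata from a .docx before publishing."""
import io
import zipfile
import xml.etree.ElementTree as ET

CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Constructed sample of what a typical Word file carries under docProps/.
SAMPLE_CORE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}">'
    '<dc:creator>jane.doe</dc:creator>'
    '<cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>'  # a domain username leaks here
    '</cp:coreProperties>'
)
SAMPLE_APP = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Properties xmlns="{APP_NS}"><Application>Microsoft Office Word</Application>'
    '<Company>Example Corp (constructed)</Company></Properties>'
)
EMPTY_CORE = f'<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}"/>'
EMPTY_APP = f'<Properties xmlns="{APP_NS}"/>'


def build_sample_docx() -> bytes:
    """Build a minimal, constructed .docx (a zip container) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder; not a full Word file
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("docProps/app.xml", SAMPLE_APP)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def _text(root, path, ns):
    """Text of the first element matching a namespaced path, or '' if absent."""
    el = root.find(path, ns)
    return (el.text or "") if el is not None else ""


def extract_metadata(docx: bytes) -> dict:
    """Return the fields that leak usernames, organisation name and tooling."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = z.namelist()
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            found["creator"] = _text(core, "dc:creator", {"dc": DC_NS})
            found["lastModifiedBy"] = _text(core, "cp:lastModifiedBy", {"cp": CORE_NS})
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            found["company"] = _text(app, "a:Company", {"a": APP_NS})
            found["application"] = _text(app, "a:Application", {"a": APP_NS})
    return found


def strip_metadata(docx: bytes) -> bytes:
    """Rewrite the container with empty property parts; all other entries are copied."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == "docProps/core.xml":
                dst.writestr(info.filename, EMPTY_CORE)
            elif info.filename == "docProps/app.xml":
                dst.writestr(info.filename, EMPTY_APP)
            else:
                dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_metadata(doc))
    print("after: ", extract_metadata(strip_metadata(doc)))
```

Run it on a real file by replacing build_sample_docx() with the bytes of the document; the same two functions serve as a pre-publication check and as the cleaning step. Note that revision history, comments and embedded images can carry further identifying data, so this handles only the property parts.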
Chapter 2 Inside-out attacks: the attacker is the insider
This chapter offers an easy path to understanding how an external threat now becomes an internal one through attack vectors such as XSS and XSRF (cross-site request forgery). After reading this chapter, you will not use the remember-password functionality in a browser.
Flash and Java are also mentioned. Another learning point in this chapter is that we should only share documents we trust with people we trust. Difficult task!
Chapter 3 The way it works: There is no patch
A varied chapter. It starts with the traditional description of the insecurities of telnet and FTP, both clear-text protocols. The authors also mention tools such as Wireshark and a little Python script named goog-mail.py to carve out email addresses, and suggest the use of password brute-forcing tools such as Hydra and John the Ripper.
This chapter also deals with session hijacking using tools such as hunt (to hijack clear-text TCP-based sessions). The fact that they use private IP addresses sometimes makes some examples a little less realistic. On this topic, I miss a reference to the need to have the network card in promiscuous mode, also when trying to hijack a session on a wireless network.
A basic description of SMTP snooping (with mailsnarf) and spoofing is also part of this chapter. They close the chapter by describing ARP poisoning with tools such as Cain & Abel and DNS cache snooping with cache_snoop.pl.
Chapter 4 Blended threats: When applications exploit each other
The helicopter-view summary of this chapter is brief. Exploits currently constitute what the authors call blended threats, i.e. building a large threat vector out of the combination, or better said, the chaining, of several harmless-looking vulnerabilities.
The key concept to understand is the application protocol handler: a way for two applications to interact via the operating system. The authors provide examples for both Windows and Mac OS.
Finally, the flashiest example of a blended threat: Conficker, with 9 million infected machines as of January 2009.
Chapter 5 Cloud insecurity: sharing the cloud with your enemy
This chapter presents the differences between the cloud services offered by Amazon (based on what they call AMIs, Amazon Machine Images) and Google (based on the Google App Engine). It is an eye-opener in the sense that insecurity takes on a new meaning when we think of cloud services.
They apply common sense and present the two most visible vulnerability vectors, i.e. misconfigured virtual machines and insecure management consoles.
Finally, they also present real vulnerabilities (based on CSRF, already fixed) that the authors discovered in Amazon Web Services.
Chapter 6 Abusing mobile devices: targeting our mobile workforce
These pages deal with ways to compromise corporate networks and information without ever connecting to the corporate network. The key resides in the threats targeted at mobile workforces.
The first basic step in attacking a corporate mobile workforce: spoof the MAC address of the attacking laptop. Second step: use a mix of common sense and social engineering. Also useful are tools such as Burp Intruder and Cain & Abel, the first to defeat simple entry portals and the second, excellent for capturing credentials used by services that do not use SSL throughout.
The authors also present man-in-the-middle attacks (although they don't name it, they are describing Ettercap-style attacks) and how readily users click through any certificate warning that appears in their browsers.
The chapter ends with some words on Metasploit, voicemail tapping and exploiting physical access to mobile devices.
Chapter 7 Infiltrating the phishing underground: learning from online criminals?
These pages deal with a real threat to our society and economy, i.e. cybercrime and, more specifically, phishing. (On page 177 I think there is a typo: when they refer to foreign companies, they really mean foreign countries.) Some interesting facts they mention:
- phishing sites have a time to live (TTL) of just a few hours.
- www.phishtank.com publishes the URLs of phishing sites that are online. Very interesting for demo purposes!
- often an insecurely configured server becomes a phishing site for several different phishers.
- all these points show the importance of securely configuring any web server running on the Internet.
The authors also mention a very useful tool for web testing, Burp Proxy, and a skill that good phishers have: they know how to use the different elements present on the Internet for their evil purposes (and they try to phish other phishers by inserting backdoors into phishing kits!).
They also talk about a phishing toolkit called "the loot", offering phishing kits for many institutions, and about some phishing lingo such as "ReZultT" and "fullz" (all the information required to steal someone's identity).
Chapter 8 Influencing your victims: do what we tell you, please
This chapter refers to human hacking. Rather than targeting a web application, sometimes accessing someone's calendar or eavesdropping on a conference call (by knowing the conference ID) provides juicy information more easily.
The authors also mention the importance of social networks in current hacking trends. For example, they created a fake identity on LinkedIn, or rather, they stole someone's identity, and within a few minutes this identity had received 82 incoming requests to join its network.
They also mention the evilness of the "forgot your password?" questions that some sites use to authenticate users, especially when the answers can be pieced together from Facebook or LinkedIn information.
They complete this chapter with sentiment analysis based on tools such as Yahoo! Pipes, sites like wefeelfine.org and concepts such as a word cloud.
Chapter 9: Hacking executives: can your CEO spot a targeted attack?
This is the flashiest chapter. Easy to read and readily implementable. The authors talk about how to construct personalised attacks, with little effort, against executives based on network analysis (note that network here means a set of acquaintances, not cables and switches). Why attack executives? They are normally the best-informed members of the organisation.
They mention two main motives: financial gain and vengeance. Regarding how to monetise an attack, the authors note that it is more profitable to try to sell the information back to the company that actually owns it than to go to a competitor.
Information gathering using public sites and social networks is the first step in the attack. The input gathered helps identify the executive's trusted circle and, especially, those with the most influence over the executive. A small but interesting detail: family members will probably not be in that trusted circle. Another: sending the attack to the executive's assistant yields promising results given the trust between the two.
The authors also mention useful sites such as www.tweetstats.com and namechk.com, the Python script theHarvester and the enticing USB data stealer named USB Switchblade.
Chapter 10 Case studies: different perspectives
In this last chapter they present two case studies. The first one clearly shows the need to disable old accounts and to control who joins a teleconference. The second one stresses the importance of hardening SSH servers, the need not to publish a company's IT information on the Internet, and the beauty of XSS-based exploits.
Happy next generation hacking reading!