Book Review - Hacking: The Art of Exploitation

Networking/Security Forums -> News // Columns // Articles

Author: ShaolinTigerLocation: Kuala Lumpur, Malaysia PostPosted: Sun Dec 07, 2003 11:46 pm    Post subject: Book Review - Hacking: The Art of Exploitation
    ----
Hacking: The Art of Exploitation

Author: Jon Erickson
Publisher: No Starch
Book Specifications: Soft-Cover, 241 Pages
Category: Hacking in the original sense of the word
User Level: Intermediate/Advanced - Knowledge of Linux is fairly much essential
Suggested Publisher Price: $39.95 USA/ $59.95 CAN/ £28.99 Net UK (inc of VAT)
ISBN: 1-59327-007-0
Amazon.co.uk: Hacking: The Art of Exploitation
Amazon.com: Hacking: The Art of Exploitation



Info from Back: "Hacking is the art of creative problem solving, whether used to find an unconventional solution to a difficult problem or to exploit holes in sloppy programming. Many people call themselves hackers, but few have the strong technical foundation that a hacker needs to be successful. Hacking: The Art of Exploitation explains things that every real hacker should know. While many hacking books show you how to run other people's exploits without really explaining the technical details, Hacking: The Art of Exploitation introduces you to the spirit and theory of hacking as well as the science behind it all."

Introduction

I was approached by No Starch the publisher of this book as they thought we might be interested in reviewing this book for the site. For anyone that doesn't know, No Starch is a small-ish independent publisher that deals with books the big houses won't publish, more info HERE. I was of course, after reading the synopsis, very interested! At first glance it looks like the first book of its kind, a book that really covers string exploits, return-into-libc, shellcode, tcp-ip hijacking, WEP cracking and format string vulnerabilities. These are things that I've been looking at a lot lately, trying to increase the depth of my knowledge, return to system(), return to libc, polymorphic shell code, format strings and off-by-one amongst others. To get things straight from the start, if you have absolutely no idea what I am talking about here, this is not the book for you.

I have some experience with the areas within this book (Programming, Networking and Cryptography) but as stated above, definitely areas I am still learning about and probably always will be as things evolve (Non executable stacks for example). Of course being curious and always wanting to know more, I wanted to see if this book could explain some concepts I was having problems with and perhaps show me some new things.

This book covers a decent area with the main focus being programming and exploitation on the Linux platform, the networking and cryptography sections are more tasters which are worth of their own books. As mentioned above this is an advanced book covering very technical topics, it's ideal for someone with a fair grasp of programming concepts and experience of exploitation (meaning understand the fundamentals and the theory but not all of the practical side).

Contents

The book is split into 5 chapters with no overall sections really, but a lot of subsections within the chapters.The preface of the book explains that it is a very technical book, it uses x86 architecture and the distribution used was Gentoo. There is a brief contents page followed by a detailed contents page (Available HERE), then the short introductory chapter.

You can find a sample chapter here: http://www.nostarch.com/hacking_ch3.pdf

The introduction basically explains what hacking is in the true sense of the word, hacking ethics, hacker vs. cracker and how hacking began.

As mentioned above the main bulk of this book is the programming section which accounts for 128 pages of the book, well over half. The programming section is well segmented with subsections and sub-subsections covering memory, buffer overflows, stack overflows, heap overflows, format strings, shellcode and return to libc. The essence of the book is to explain the more advanced methods of 'hacking' in a fairly easy to understand form. The techniques discussed throughout are the mainstays of REAL exploitation and are written and explained in a way that makes it clear what is happening. It's like the next step up from the papers you can find at Badc0ded and stuff like Aleph-One's Smashing the Stack where you get more confused the more you read. The examples in the book are excellent and it really allows you to create your own simple programs and then exploit them.

There is a lot of code in the book, in a fixed width font making it easy to read and ensuring it stands out. There is a smattering of diagrams for things like the stack and heap and no pretty pictures or screengrabs, which is fine as they are not expected in this type of book. The Networking section makes good use of diagrams explaining the OSI model and various other bits like packet headers and TCP/IP connection states. The chapter on Networking covers all the basics and then moves onto sniffing and the use of ARP, then there is a good section on TCP/IP Hijacking (one of those mythical topics) and briefly describes all the main types of DoS attacks.

The cryptology section opens with an overview of cryptology, cryptography and cryptanalysis explaining the meaning of each. It then moves onto some of the more complex cryptographic theories such as One-Time Pads and Quantum Key Distribution. There is some fairly intense mathematics in this chapter and even with my decent base in crypto I found some of it a little hard to digest, it is to be expected though as I believe the author works as a cryptologist.

Style and Detail

The style of this book is very 'hacker-ish', it's quite plainly laid out, there is no colour anywhere and very few diagrams. Where there are diagrams they are quite plain and straight forward, which makes a refreshing change from all the multi-coloured jazzed up diagrams we tend to get nowdays. I mean if it explains the concept it is intended to, it's fine by me. It is refreshing to see a book written in this manner, it's clear concise and easy to read (considering the deeply technical topics it's covering). The author clearly shows (without being cocky about it) he really knows what he's talking about, to me this is best demonstrated by his ability to make extremely complex concepts understandable.

The book is well structured and each topic follows on well from the previous section, you can easily skip through to parts that you are unfamiliar with or just the read the whole book cover to cover. There are various references to useful security tools such as Dissembler (generate ASCII printable polymorphic shellcode), dsniff and Nemisis (a command-line network packet crafting and injection). The technical parts of the book as expected are extremely detailed, which they need to be to explain the topics this book covers.

Conclusion

From all the books I've read so far, I would consider this the seminal hackers handbook. The majority of other security books are more on a script kiddie or management level than a technical hacking level (they talk about using other peoples tools without explaining exactly how they work, or talk on a more management-esque general level). If you are really interested in hacking, penetration testing and real world security threats you need to read this book. Even if you are "au fait" with the majority of the topics covered by this book, but struggling with some others I would recommend it as it will clear up any niggles you have or any areas of confusion.

This book won't really date or get old as it covers fundamental concepts and the real mindset attributed to hacking, also if you are looking for a book on point and click hacking with GUI tools, then don't look here.

If it had a CD or perhaps even a website to download the code and examples etc. I guess I'd shift to 9/10 as this is pretty much a 8.5/10. There are very few things that annoy me more than hand typing code in from a book!

I give it a great SFDC 8/10



*EDIT* I have spoken to the publisher and the author has made all of the code available on his site here http://www.phiral.com/book_code/

This review is copyright 2004 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.


Last edited by ShaolinTiger on Sun Jan 18, 2004 7:01 pm; edited 1 time in total

Author: DunceorLocation: Sweden PostPosted: Sun Jan 04, 2004 2:16 am    Post subject:
    ----
This is a book I have looked into also and I'll probobly order it very soon. I saw about it when it first was announced and I read the example chapter and wasn't that pleased with that one but when I hear you say it got alot of code I got happy and relized I need to buy it Smile

Great review ST Smile

Author: BuddaLocation: Lymm. UK PostPosted: Sat Apr 17, 2004 1:45 am    Post subject:
    ----
Just bought this book on Amazon before reading the review. Looks like I made a good choice though:-)

Wanted to know how the tools worked, rather than how to use them. Should be interesting stuff...

Author: savvy PostPosted: Wed Jul 21, 2004 12:45 pm    Post subject:
    ----
thanx for sharing.

as i'm to order it, the review is really helpful.

Author: rocos PostPosted: Mon Aug 02, 2004 4:46 pm    Post subject:
    ----
Thanks for the author!

Author: CyberCowboyLocation: Louisiana PostPosted: Sun Aug 22, 2004 1:53 am    Post subject: Reading this Book
    ----
I'm currently reading this book and am finding it a very easy read. Can't wait to get to the end of it.

Author: ZarnickLocation: Brazil PostPosted: Sun Aug 22, 2004 7:27 am    Post subject:
    ----
I've bought this book some time now.....and I got to say....it is a piece of the art....it's very very good.....Excelent choice.

Author: hakimkt PostPosted: Sun Oct 10, 2004 11:03 am    Post subject: Conclusion
    ----
Hacking tends to be a misunderstood topic, and the media likes to sensationalize, which just exacerbates this condition. Changes in terminology have been mostly ineffective — what's needed is a change in mindset. Hackers are just people with innovative spirits and an in-depth knowledge of technology. Hackers aren't necessarily criminals, though as long as crime has the potential to pay, there will always be some criminals who are hackers. There's nothing wrong with the hacker knowledge itself, despite its potential applications.

Like it or not, vulnerabilities exist in the software and networks that the world depends on from day to day. It's simply an inevitable result of profit-oriented software development. As long as money is connected to technology, there will be vulnerabilities in software and criminals in networks. This is usually a bad combination, but the people finding the vulnerabilities in software are not just profit-driven, malicious criminals. These people are hackers, each with their own motives; some are driven by curiosity, others are paid for their work, still others just like the challenge, and several are, in fact, criminals. The majority of these people don't have malicious intent and instead help vendors fix their vulnerable software. Without hackers, the vulnerabilities and holes in software would remain undiscovered.

Some would argue that if there weren't hackers, there would be no reason to fix these undiscovered vulnerabilities. That is one perspective, but personally I prefer progress over stagnation. Hackers play a very important role in the co-evolution of technology. Without hackers, there would be little reason for computer security to improve. Besides, as long as the questions "Why?" and "What if?" are asked, hackers will always exist. A world without hackers would be a world without curiosity and innovation.

I hope this book has explained some basic techniques of hacking and perhaps even the spirit of it. Technology is always changing and expanding, so there will always be new hacks. There will always be new vulnerabilities in software, ambiguities in protocol specifications, and a myriad of other oversights. The knowledge gained from this book is just a starting point. It's up to you to expand upon it by continually figuring out how things work, wondering about the possibilities, and thinking of the things that the developers didn't think of. It's up to you to make the best of these discoveries and apply this knowledge however you see fit. Information itself isn't a crime.


References
Aleph One. "Smashing the Stack for Fun and Profit", Phrack 49. http://www.phrack.org/show.php?p=49&a=14

Bennett, C., F. Bessette, and G. Brassard. "Experimental Quantum Cryptography", Journal of Cryptology 5, no. 1 (1992): 3–28.

Borisov, N., I. Goldberg, and D. Wagner. "Intercepting Mobile Communications: The Insecurity of 802.11." http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf

Brassard, G. and P. Bratley. Fundamentals of Algorithmics. Englewood Cliffs, NJ: Prentice-Hall, 1995.

CNET News. "40-Bit Crypto Proves No Problem." January 31, 1997. http://news.com.com/2100-1017-266268.html

Conover, M. (Shok). "w00w00 on Heap Overflows", w00w00 Security Development. http://www.w00w00.org/files/articles/heaptut.txt

Electronic Frontier Foundation. "Felten vs RIAA." http://www.eff.org/sc/felten/

Eller, Riley (caezar). "Bypassing MSB Data Filters for Buffer Overflow Exploits on Intel Platforms." http://community.core-sdi.com/~juliano/bypass-msb.txt

Engler, C. "Wire Fraud Case Reveals Loopholes in U.S. Laws Protecting Software." http://www.cs.usask.ca/undergrads/bcb668/490/Week5/wirefraud.html

Fluhrer, S., I. Mantin, and A. Shamir. "Weaknesses in the Key Scheduling Algorithm of RC4." http://citeseer.nj.nec.com/fluhrer01weaknesses.html

Grover, L. "Quantum Mechanics Helps in Searching for a Needle in a Haystack." Physical Review Letters 79, no. 2 (July 14, 1997): 325–28.

Joncheray, L. "Simple Active Attack Against TCP." http://www.insecure.org/stf/iphijack.txt

Krahmer, S. "SSH for Fun and Profit." http://www.shellcode.com.ar/docz/asm/ssharp.pdf

Levy, Steven. Hackers: Heroes of the Computer Revolution. New York, NY: Doubleday, 1984.

McCullagh, D. "Russian Adobe Hacker Busted", Wired News. July 17, 2001. http://www.wired.com/news/politics/0,1283,45298,00.html

The NASM Development Team, "NASM – The Netwide Assembler (Manual)", version 0.98.34. http://nasm.sourceforge.net/

Rieck, K. "Fuzzy Fingerprints: Attacking Vulnerabilities in the Human Brain." http://www.thehackerschoice.com/papers/ffp.pdf

Schneier, B. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed. New York: John Wiley & Sons, 1996.

Scut and Team Teso. "Exploiting Format String Vulnerabilities", version 1.2. http://www.team-teso.net/releases/formatstring-1.2.tar.gz

Shor, P. "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer." SIAM Journal of Computing 26 (1997): 1484–509. http://www.research.att.com/~shor/papers/

Smith, N. "Stack Smashing Vulnerabilities in the UNIX Operating System." http://tinfpc3.vub.ac.be/papers/nate-buffer.pdf

Solar Designer. "Getting Around Non-Executable Stack (and Fix)." BugTraq post dated Sunday, Aug. 10, 1997. http://lists.insecure.org/lists/bugtraq/1997/Aug/0066.html

Stinson, D. Cryptography: Theory and Practice. Boca Raton, FL: CRC Press, 1995.

Zwicky, E., S. Cooper, and D. Chapman. Building Internet Firewalls, 2nd ed. Sebastopol, CA: O'Reilly, 2000.


pcalc

A programmer's calculator available from Peter Glen http://ibiblio.org/pub/Linux/apps/math/calc/pcalc-000.tar.gz

NASM

The Netwide Assembler, from the NASM Development Group http://nasm.sourceforge.net/

hexedit

A hexadecimal editor from Pixel (Pascal Rigaux) http://www.chez.com/prigaux/hexedit.html

Dissembler

A printable ASCII bytecode polymorpher from Matrix (Jose Ronnick) http://www.phiral.com/

Nemesis

A packet-injection tool from obecian (Mark Grimes) and Jeff Nathan http://www.packetfactory.net/projects/nemesis/

ssharp

An SSH man-in-the-middle tool from Stealth http://stealth.7350.org/SSH/7350ssharp.tgz

ffp

A fuzzy fingerprint generation tool from Konrad Rieck http://www.thehackerschoice.com/thc-ffp/

John the Ripper

A password cracker from Solar Designer http://www.openwall.com/john/

Author: JaxGoughLocation: UK PostPosted: Thu Jan 06, 2005 3:21 am    Post subject: my 2 pence/cents
    ----
This is a truly excellent book and a excellent review of it. I highly recommend this book. I have read it twice (so far), some of it is a bit fuzzy, but I have a very limited knowledge of programming.
Personally, I will sort out my programming, learn all I can and as I do this the book will never leave my side.

Jax

Author: TutterLocation: Canada, eh PostPosted: Mon May 02, 2005 11:25 pm    Post subject:
    ----
I bought the book and dove into it - excellent read - but what gets me is their use of sudo chown - you can't chown files and make them root in order to obtain root...

I am new to this stuff so forgive me if I'm wrong, but on my freebsd box it didn't work for me - and I like to see things working rather than just reading about them Smile

Any thoughts?

Author: DCLXVI PostPosted: Tue May 03, 2005 1:17 am    Post subject:
    ----
Tutter wrote:
I bought the book and dove into it - excellent read - but what gets me is their use of sudo chown - you can't chown files and make them root in order to obtain root...

I am new to this stuff so forgive me if I'm wrong, but on my freebsd box it didn't work for me - and I like to see things working rather than just reading about them Smile

Any thoughts?


Well, in order to utilize the kind of vulnerabilities that he demonstrates in the book you'll need to exploit binaries that are sudo root. The whole point is that you'll need to find vulnerable sudo root binaries already on your system and figure out how to exploit them, the author simply goes about showing the baby steps on how you could possibly do that.

Also, the code examples are written for linux not FreeBSD, if you want to make them work on another platform you'll need to make the appropriate changes, most notably linux kernel interrupts that change your uid won't work on BSD and thusly the shellcode given in the book will be useless to you.

Author: xosLocation: Netherlands PostPosted: Thu May 26, 2005 4:58 pm    Post subject:
    ----
Does anyone know if this book still a good one to buy? Or are there in the meanwhile better books available?

Thx

Author: zeedoLocation: Scotland PostPosted: Thu May 26, 2005 5:02 pm    Post subject:
    ----
Yes it's still worth it infact it was mentioned today on ISC http://isc.sans.org/diary.php?date=2005-05-25 .
In the list of "Books for Summer/Winter Vacation/Holiday". Which some of the ISC readers recommend that anyone working in infosec should read.

FWIW I agree with most of the books that are on that list and have also read most of them.

Author: akrlot PostPosted: Tue Aug 08, 2006 6:36 am    Post subject:
    ----
thanx for sharing

Author: Carlo GambinoLocation: Ohio, USA PostPosted: Wed Feb 20, 2008 4:42 am    Post subject:
    ----
Thanks for this review.

It's nice to see publications starting to emerge that focus on real world "wild" implementation.



Networking/Security Forums -> News // Columns // Articles


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group