Hacking: The Art of Exploitation
Hacking: The Art of Exploitation (ISBN 1-59327-007-0) is a book written by Jon "Smibbs" Erickson and published by No Starch Press in 2003. It is a computer security and network security book. All of the examples in the book were developed, compiled, and tested on Gentoo Linux.
- 1 Author and background information
- 2 Content 1st edition
- 3 Content 2nd edition
- 4 See also
- 5 References
Author and background information
This book is written by Jon Erickson and was published in 2003, and updated with a second edition in 2008. Jon Erickson is a computer security expert, with a background in computer science. He currently[when?] works as a vulnerability researcher and computer security specialist in California. The contents of this book are intended to be shared with everyone who wants to learn about computer hacking. This book tries not only to give the reader an understanding about computer hacking but to make it easy for them to read. The book includes many pictures of code and examples on how to accomplish the techniques which are taught in the book. A bootable CD is included with the book which provides a linux-based programming and debugging environment for the users. The bootable CD is very useful because the users can try out the techniques that are taught in the book while they are reading it. A lot of the information in this book requires some computer and programming knowledge to fully understand it.
Content 1st edition
The content of Hacking moves between programming, networking, and cryptography. While well explained, it is a technical piece; some C programming experience is essential, although a basic understanding of networking and cryptography helps as well.
While Hacking is packed with technically accurate, detailed information, it is still a basic introduction to the subject of computer security. Hacking also does not use any notable measure of real-world examples; discussions rarely bring up specific worms and exploits that had previously existed, such as the PNG library overflows or the Blaster worm and related RPC service overflow. Thus, an inexperienced reader may not immediately make the connection between the theory and the reality of attack.
The programming portion of Hacking makes up over half of the book's total content. This section goes into the development, design, construction, and testing of exploit code, and thus involves some basic assembly programming. The demonstrated attacks range from simple buffer overflows on the stack to complex techniques involving overwriting the global offset table.
While Erickson discusses some countermeasures such as a non-executable stack and how to evade them with return-to-libc attacks, he does not dive into deeper matters without known guaranteed exploits such as address space layout randomization. Most protections afforded by the Openwall, GrSecurity, and PaX projects appear to be out of scope for Hacking; as do kernel exploits.
It has been suggested that Hacking be used to teach "basic computer programming fundamentals" in one review included in the opening pages of the book. Although these reviews are placed in the text for marketing purposes, the programming section of the book is technically accurate and does convey a lot of information not taught in typical introductory computer programming classes. Whether its use as a fundamental teaching tool would lead to more security-conscious and security-competent programmers overall is, however, neither studied nor proven.
The networking segment of Hacking has control of less than half of the remaining text. It explains the basics of the OSI model and basic networking concepts; packet sniffing; connection hijacking; denial of service; and port scanning.
Although technically accurate, the networking section of Hacking only serves as a basic introduction to network security. Countermeasures such as complex firewalls; Stateful Packet Inspection; network address translation, the threat of firewalking, and countermeasures thereof; intrusion detection and prevention; and virtual private networks are not discussed.
The cryptology section of Hacking consumes the rest of the book's pages. This is another bottom-up section, starting off with basic information theory and moving through symmetric and asymmetric encryption. It winds out in cracking WEP utilizing the Fluhrer, Mantin, and Shamir Attack.
This section appears to be miscellaneous information for the aspiring cryptology scholar. Besides the basics, including man-in-the-middle attacks, dictionary attacks, and the use of John the Ripper; Hacking discusses quantum key distribution, Lov Grover's Quantum Search Algorithm, and Peter Shor's Quantum Factoring Algorithm for breaking RSA encryption using a very large quantum computer.
- The front cover of Hacking is the complete cycle, from reverse engineering to carrying out the attack, of developing an exploit for a program that dies of a buffer overflow over long command line arguments. The example is very specific and does not necessarily reflect reverse engineering any similar exploit.
- The Persian translation of this book (released under GNU GPLv3 by Saeed Beiki) is available through http://www.secumania.net/include/files/Art-of-Exploitation-Persian.pdf
Content 2nd edition
|Country||United States (Original)|
|Language||English (Second Edition)|
|Publisher||No Starch Press|
|Media type||Print Paperback|
|ISBN||978-1593271442, (second edition, paperback)|
In the introduction of this book it makes a clear point that hacking should be about following the law and ways to prevent computer hacking. This book does not condone hacking when it is used for the wrong reasons. Furthermore the introduction describes how to think outside the box and gives a background of some basic ideas of computer hacking. However hacking can be used for good reasons also, like the preventative ones. Knowing how to hack into computers also gives you the ability to understand and prevent ways of having your own computer to be hacked into. The book is going to provide a solid base for understanding computer and network security issues. As the reader will get further into the book the information begins to get more complex. Being able to understand the concepts illustrated further into this book can only better a person’s understanding of the computer security world.
Programming is a series of statements written in a specific language. Programs are used everyday for millions of different things. Computers use machine language in order to understand the commands that we want to give to them. Programs are written for these machine languages so that they are more easily understood by the machines and by the people writing the commands. To make this process easier, translators (assembler and compiler) were created to translate less complex code into machine languages, making it easier for people and computers to understand what is happening. The languages that were created to be translated into machine code were ones like C, C++, and Fortran. Having the ability to translate programming languages into machine code saves a lot of time and resources. In the programming chapter of this book the different types of programs are described as well as shown by examples of actual coding in the book.
Changing the flow from a program's execution into a more complex flow is known as a control structure. A common type of control structure is the if-then-else statement. This type of control structure in certain cases makes it possible for a program to take a different route during the execution of the program. The if-then-else statement is a very commonly used part of programming and there are good examples of the actual code written in this book.
More Fundamental Programming Concepts
Variables, arithmetic operators, comparison operators and functions are some of the fundamental programming concepts. These types of concepts make the program able to compute things such as using numbers, decimals, and signs like > or =. All of these signs are very common and mean exactly what they appear to like the greater than sign (>). The use of these fundamental programming concepts greatly approves one’s ability to write and understand programming code. The examples in the book in relation to fundamental concepts do a very good job of showing the reader what they should look like.
Getting Your Hands Dirty
This part of the book is about using the live CD to practice some programming concepts. Now that some background in computer programming has been explained it is time to try some programming. Knowing a programming language like C will help when it comes to trying out computer programming. The live CD provides an environment so that the reader can not only follow along in the book but actually do some programming themselves. The examples illustrated in the book are also on the live CD.
Back to Basics
Applying some new ideas like strings and pointers to the computer programming makes things even easier. Most of the programming is done by using English words and phrases so that they are very basic commands. Once again the reader will be able to experience this with the live CD.
A program's memory is divided into five segments: text, data, bss, heap, and stack. These segments tell the program where certain things are located and when the program is going to be executed. When the program is executed it compiles and finds the segments in which it needs to for the completion of the program. Depending on what type of program or what type of code is written the location of the order to execute the program will be in the five segments.
Building on Basics
Now that the basic components of C have been explained things become easier to understand. This part of the book talks about everything from file access to setting file permissions that are used by functions in C. Knowing these functions once again is applied by having a background in C and some of them will be taught to you in the book. At the end of this chapter is a computer program that is set up like a game of chance. The coding and implementation of code is in the book along with other examples of programming code.
Exploitation is taking the computer's code or set of rules and changing them so the computer does what you want it to do. Finding ways or holes in the system to change is an important part of exploitation. Knowing where to look and what to look for is also a key concept when finding exploits. There are many cases of exploitation in real world scenarios and is one reason why this chapter is a very important one. Exploitation is one of the most fundamental concepts when talking about computer hacking. Most of the time a hacker is going to exploit information or code that another person has created so there is most likely going to be some errors in it. An example of a program not being coded correctly is something a hacker will find and exploit.
Generalized Exploit Techniques
Most program exploits have to do with memory corruption and Buffer Overflows. Each technique used in the book is one that requires the computer to allow you to change the actual code of the program or insert your own code. If a hacker can insert their own code into the program then it will run however the code tells it to which means a hacker can tell the computer what to do.
Buffer Overflows have been around since the first computers were invented. Internet worms even use buffer overflows to exploit vulnerabilities in programs like Internet Explorer. A buffer overflow is when a programmer does not allow even bytes of data to be processed in the code and has more bytes than they are supposed to. When the program goes to execute the code it will overflow and information can sometimes be overwritten or lost.
Experimenting With Bash
Knowing how Perl, the interpreted programming language, works is essential in this chapter. Perl is used to create buffer overflows and use shellcode to implement its own executions. There are a lot of programming code examples in this chapter that are needed to understand how Perl and Bash shellcode work. A debugger is also used in this chapter to find out where shellcode is used in programs. Buffer overflows can happen in other memory segments also like the heap and bss. The exploitation of the heap and bss can also be used when buffer overflows occur. Once again the coding which is located in the book will give the user a better idea of how these exploitation techniques work.
A Format string is another way to find exploits in programming mistakes. However vulnerabilities in this area are not as common as they used to be but they are easy to notice. Essentially using the wrong functions in programming code creates these format string mistakes. Looking at the programming code in the book or using the live cd make these mistakes very noticeable to the reader.
Communication can give programs more power especially when connected to the internet. People and programs use the internet everyday and there is a lot of information and programs on the internet. Even applications like email and instant messaging could not exist without networking. Protocols are used throughout networking for communication between devices and one example of a protocol is ipv4.
In communication among computers through networking the OSI Model is used. The OSI Model is a model that provides the standards that computers use to communicate. There are seven layers in the OSI Model and they are Physical layer, Data-Link layer, Network layer, Transport layer, Session layer, Presentation layer, and Application layer. Each packet that a computer sends out to another computer must go through each layer of the OSI Model.
The standard way to communicate on a network with the use of computer operating systems is a socket. A socket is used by a programmer to create a way to send and receive data using the layers of the OSI. There are two types of sockets a Stream Socket and a Datagram Socket. Stream Sockets use Transmission Control Protocol (TCP). A Datagram Socket uses User Datagram Protocol (UDP).
Peeling Back the Layers
Peeling back of the layers describes how the OSI layers actually work. The OSI Model is described in great detail with some images in the book that make it easy to understand.
Switched and unswitched networks exist in networking. A switched network uses devices called switches that analyze and tell the packets travelling on the network where their endpoint is. An unswitched network is a free flow of packets without them being stopped and analyzed. Sniffing refers to using a program that allows you to see packets on the network and where they are going.
Denial of Service
A denial of service attack is an attempt to make a computer resource unavailable to its intended users. This means that the denial of service attack sends a large quantity of communication requests to an intended resource in order to overflow the resource so that it becomes unusable for a certain period of time. These types of attacks are usually directed at a routers or firewalls in order to shut them down to gain access to other computers on the network. A router is very susceptible to these types of attacks but a firewall can usually handle the attack and is unaffected. A distributed denial of service attack is when communication requests come from multiple computers making the amount of requests greatly more than a regular denial of service attack. Some other types of DOS attacks include Ping of Death, Teardrop, Ping Flooding, and Amplification attacks.
TCP/IP Hijacking is another way that uses spoofed packets to take over a connection between the victim and a host machine. This technique is mainly used to collect passwords when a host machine uses a password to be connected to. When this type of attack takes place the victim and the attacker must be on the same network. Another form of TCP/IP hijacking is RST hijacking. When injecting an authentic looking reset packet instead of a real reset packet it is called RST hijacking.
Port scanning is simply a way to figure out which ports are accepting and listening to connections. The hacker would just use a program that lets him know which ports are open by scanning all the ports on a network and trying to open them. There are many other type of scans also like SYN, Idle, FIN, X-Mas, and Null scans.
Reach Out and Hack Someone
This part is about finding vulnerabilities in the typecasting of the network. Using a debugger to go through lines of code which are used for network protocols is the most efficient way to accomplish this. Once the vulnerabilities are found it is up to the hacker how they want to exploit them.
Shellcode is used in the exploitation of code. It is like the hacker's own code that he wants to run when he gains control over a program. Usually a hacker will find an exploit in a programs code and be able to insert some of his own code (shellcode) where he found the exploit.
Assembly vs. C
Assembly differs from C because assembly is a low-level programming language and when processed can communicate directly with the processor. When using C which is a high-level programming language the code must be compiled and sent to the kernel by making a system call and then making a call to the processor. In other words it is almost like taking the system calling to the kernel out of the picture when using assembly.
The Path to shellcode
This part of shellcode is about how to inject a program with shellcode so it can be taken over. There are many examples of code in the book and ways to accomplish this task.
Spawning shellcode is code that will be enabled when an exploit is found. It is shellcode that will be able to be run when a vulnerability is found in the program. The best way to accomplish this is shown in the book and by making sure the code is very small.
This type of shellcode attaches itself to a network port. Once bound to a port it will listen for a TCP connection. After it finds the TCP connection there is a lot more programming involved and is shown vividly in the book.
This type of shellcode is mainly used when getting around firewalls. Most firewalls are going to block port-binding shellcode form working because they are set up to only allow known services through the active ports. Connect-back shellcode initiates the connection back to the hacker's IP address so it will be coming out from the firewall instead of going into it. Once again the code it the book depicts with the use of shellcode on ways to accomplish this.
This part of the book is about having defenses and intrusion prevention systems to stop the hacking exploits which we now know about. Not only can hacking be harmful, hacking can be considered helpful because it also produces way to stop the exploits and new ways to better the computer industry.
Countermeasures That Detect
An administrator of the network has to be aware of when an exploit may be occurring. Using certain tools like reading logs or packet sniffing on the network are a few ways to catch exploits when they occur. Anticipating what how the hacker is going to try to penetrate the system or network is the administrator’s most valuable tool. If an administrator knows where to look and catches a hacker in the middle of the attack he can quickly shut down the program and restore files from back up. Once a hacker is detected it is a lot easier to deploy countermeasures. If a hacker is not caught he can sometimes go months without being noticed and steal large amounts of data. This is why stealth is a hackers best friend.
A System Daemon is a server program on a Unix system which receives and accepts incoming connections. A daemon is a program which runs in the background and detaches from controlling the terminal in a certain way. At this point in the book there is some code shown on how to run a daemon program. Signals are also used in a Unix based environment to make operating system calls. When a signal is type in the terminal it will immediately send an interrupt message to complete the task of whatever the signal was which was typed. The uses of signals are displayed in some coding examples in the book.
Tools of the Trade
A hacker has a certain set of tools that he needs to help him when exploiting. An exploit script is a tool in which uses already written exploit code to find holes in the system or program. Using exploit scripts is easy for even a non-hacker to use because the code is already written in it. A couple exams of some exploit tools are shown in the book and how to use them.
As stated earlier log files are a way to check events that have been happening on a computer or network. Checking these log files is one way to make sure everything is running correctly. If an error is discovered in a log file it is very easy to tell what the problem is. For a hacker having the ability to change what the log file says can help him not to be noticed. There is code and directions on how to change some log files in the book.
Overlooking the Obvious
Another sign of a program being hacked is that it will no longer work correctly. Most of the time programs do not work correctly because the hacker has modified them do accomplish another task. A skilled hacker however can modify the program so it still works correctly and does what he wants it do. If a program is exploited there are ways to tell how it happened. Finding out how a program was exploited can be a very tedious process since it usually starts with taking parts of the program and looking at them individually. Putting an exploited program back together again to see how it was exploited is shown in the book.
When a hacker is exploiting a program his IP address can be written to a log file. Camouflaging the log files so that his IP address can not be detected is shown in the book. When an IP address is hidden, it is called spoofing the IP address. There are a few ways shown in the book on how to not show up in the log files of a computer while hacking.
The Whole Infrastructure
The use of intrusion detection systems and intrusion prevention systems greatly helps avoid the risk of being exploited. Even firewalls and routers have log files that can show evidence of hacking. Making sure that outbound TCP connections cannot be processed is one way to limit being found. A few ways are shown in the book on how to use TCP connections so that it is easier to go undetected.
When using shellcode to exploit programs, it can be caught by intrusion detection systems. Usually the intrusion detection system will catch the programs that are already written and have noticeable shell code in them. Most exploit programs will be caught because real hackers are not using them. There are ways to hide shellcode so it can be harder to detect. A couple of examples on how to hide shellcode are found in the book.
Sometimes there are restrictions put on buffers so that vulnerabilities cannot be exploited. There are a few ways that the book depicts on how to get around buffer restrictions.
The exploits that are found in this book have been around for a long time. It took hackers a while before they figured out how to take advantage of the vulnerabilities described in this book. Memory corruption, a change of control, and the use of shellcode are the three easiest steps to exploitation.
Most applications do not use the stack for any type of executing. One defense is to make the stack non-executable so that buffer overflows cannot be used in the exploitation of the program. This defense is very effective for stopping the use of shellcode in an application. However there is a way to get around the use of a non-executable stack which is shown and described in the book.
Randomized Stack Space
A randomized stack is a type of countermeasure used so that the hacker is unable to tell where the shellcode he implemented is. It randomizes the memory layout within the stack. Once again, there is also a way to get around this countermeasure with some examples in the book.
Cryptology is the use of communicating secretly through the use of ciphers, and cryptanalysis is the process of cracking or deciphering such secret communications. The uses of encryption methods are common in today's world so that credit card and other valuable information cannot be stolen.
This part of the book refers to Claude Shannon and his expertise in cryptology. A few concepts of cryptology are unconditional security, one-time pads, quantum key distribution, and computational security. These concepts were influenced by the ideas of Claude Shannon.
Algorithmic Run Time
When using algorithms in computer code, the time calculated to evaluate the code is called algorithmic run time. These times will vary depending on how big or small the algorithms are. One way to express an algorithms efficiency is by Asymptotic Notation. Since some algorithms can have infinite sizes asymptotic notation must be used to calculate efficiency. There is also another mathematical notation called big-oh notation which also calculates algorithms efficiency.
Using the same key to encrypt and to decrypt messages is symmetric encryption. Asymmetric encryption in usually faster however when using different keys it can become difficult. The book gives some examples of symmetric encryption and how to use them in this chapter.
This type of encryption uses two different keys, one for encrypting and the other for decrypting. The two keys that are used are called public (encryption) and private keys (decryption). The book once again gives some examples of asymmetric encryption and how to use them.
A cipher is an encryption algorithm. Combining the use of a symmetric cipher and asymmetric cipher is called a hybrid cipher. Asymmetric key pairs provide better protection than a symmetric key but they're slower at encrypting/decrypting. For this reason an asymmetric key pair is used to establish a symmetric key so the communicating parties have the benefit of authentication without the speed penalties. Ways to attack ciphers and to get around some encryption methods are shown and described in the book.
Passwords stored on a computer are usually encrypted. Of course this chapter is going to shown examples and methods on how to get past some encryption methods. A couple methods are Brute-force attacks and hash look-ups. There are many more password methods shown in the book.
Wireless 802.11b Encryption
Wireless Internet is very insecure when it comes to some encryption methods. Examples of why wireless is insecure arise in this chapter as well as ways to get around the encryption.
Wired equivalent privacy (WEP) is not very secure and was not supposed to be very secure. There are many ways to attack it and its cryptographic protocols are not very good. The book gives many examples of ways to get around WEP and also ways to prevent WEP attacks.
- Erickson, Jon. Hacking: The Art of Exploitation. No Starch Press, 2003. ISBN 1-59327-007-0
- Beiki, Saeed. Hacking: The Art of Exploitation - Persian Edition, GNU GPLv3.
- John Baichtal (March 3, 2008). "GeekDad Review: Hacking: The Art of Exploitation". Wired. Retrieved March 27, 2009.
- Kahsari Alhadi, Milad. Metasploit: Penetration Tester's Guide - Persian Edition, GNU GPLv3.