Ebook Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth
Visualize that you obtain such certain incredible experience and knowledge by only checking out an e-book Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth. How can? It seems to be better when an e-book could be the most effective point to discover. Publications now will certainly show up in printed and also soft documents collection. Among them is this e-book Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth It is so normal with the published publications. Nevertheless, lots of people sometimes have no space to bring the book for them; this is why they can not review the book anywhere they want.
Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth
Ebook Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth
Is Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth publication your preferred reading? Is fictions? Exactly how's about past history? Or is the most effective vendor unique your choice to fulfil your spare time? And even the politic or spiritual books are you hunting for now? Right here we go we offer Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth book collections that you need. Bunches of numbers of books from lots of fields are offered. From fictions to science and religious can be looked as well as figured out here. You could not worry not to find your referred publication to read. This Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth is one of them.
If you ally need such a referred Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth book that will give you value, get the most effective vendor from us now from several preferred authors. If you want to enjoyable books, numerous novels, tale, jokes, and also more fictions collections are additionally released, from best seller to one of the most recent released. You may not be confused to take pleasure in all book collections Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth that we will certainly give. It is not concerning the rates. It's about exactly what you require now. This Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth, as one of the very best sellers here will certainly be among the ideal selections to read.
Locating the right Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth publication as the ideal need is type of good lucks to have. To start your day or to end your day in the evening, this Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth will be proper sufficient. You could just look for the floor tile right here as well as you will certainly obtain guide Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth referred. It will certainly not bother you to reduce your valuable time to opt for purchasing book in store. In this way, you will likewise invest money to pay for transport as well as other time invested.
By downloading the on the internet Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth publication here, you will get some benefits not to choose guide establishment. Just link to the internet and begin to download the web page web link we share. Now, your Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth prepares to take pleasure in reading. This is your time as well as your serenity to get all that you want from this publication Chained Exploits: Advanced Hacking Attacks From Start To Finish, By Andrew Whitaker, Keatron Evans, Jack Voth
The complete guide to today’s hard-to-defend chained attacks: performing them and preventing them
�
Nowadays, it’s rare for malicious hackers to rely on just one exploit or tool; instead, they use “chained” exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don’t cover them at all. Now there’s a book that brings together start-to-finish information about today’s most widespread chained exploits–both how to perform them and how to prevent them.
�
Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today’s most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering.
�
Writing for security, network, and other IT professionals, the authors take you through each attack, one step at a time, and then introduce today’s most effective countermeasures— both technical and human. Coverage includes:
- Constructing convincing new phishing attacks
- Discovering which sites other Web users are visiting
- Wreaking havoc on IT security via wireless networks
- Disrupting competitors’ Web sites
- Performing–and preventing–corporate espionage
- Destroying secure files
- Gaining access to private healthcare records
- Attacking the viewers of social networking pages
- Creating entirely new exploits
- and more
�
Andrew Whitaker, Director of Enterprise InfoSec and Networking for Training Camp, has been featured in The Wall Street Journal and BusinessWeek. He coauthored Penetration Testing and Network Defense. Andrew was a winner of EC Council’s Instructor of Excellence Award.
�
Keatron Evans is President and Chief Security Consultant of Blink Digital Security, LLC, a trainer for Training Camp, and winner of EC Council’s Instructor of Excellence Award.
�
Jack B. Voth specializes in penetration testing, vulnerability assessment, and perimeter security. He co-owns The Client Server, Inc., and teaches for Training Camp throughout the United States and abroad.
�
informit.com/aw
Cover photograph � Corbis /
Jupiter Images
�
$49.99 US�
$59.99 CANADA
- Sales Rank: #402050 in Books
- Published on: 2009-03-09
- Original language: English
- Number of items: 1
- Dimensions: 9.20" h x .70" w x 7.00" l, 1.09 pounds
- Binding: Paperback
- 312 pages
From the Back Cover
The complete guide to today's hard-to-defend chained attacks: performing them and preventing them Nowadays, it's rare for malicious hackers to rely on just one exploit or tool; instead, they use "chained" exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don't cover them at all. Now there's a book that brings together start-to-finish information about today's most widespread chained exploits-both how to perform them and how to prevent them. "Chained Exploits" demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today's most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering. Writing for security, network, and other IT professionals, the authors take you through each attack, one step at a time, and then introduce today's most effective countermeasures- both technical and human. Coverage includes:
- Constructing convincing new phishing attacks
- Discovering which sites other Web users are visiting
- Wreaking havoc on IT security via wireless networks
- Disrupting competitors' Web sites
- Performing-and preventing-corporate espionage
- Destroying secure files
- Gaining access to private healthcare records
- Attacking the viewers of social networking pages
- Creating entirely new exploits
- and more
About the Author
Andrew Whitaker (M.Sc., CISSP, CEI, LPT, ECSA, CHFI, CEH, CCSP, CCNP, CCVP, CCDP, CCNA, CCDA, CCENT, MCSE, MCTS, CNE, A+, Network+, Convergence+, Security+, CTP, EMCPA) is a recognized expert, trainer, and author in the field of penetration testing and security countermeasures. He works as the Director of Enterprise InfoSec and Networking and as a senior ethical hacking instructor for Training Camp. Over the past several years his courses have trained thousands of security professionals throughout the world. His security courses have also caught the attention of the Wall Street Journal, BusinessWeek, San Francisco Gate, and others.
�
Keatron Evans is a senior penetration tester and principal of Blink Digital Security based in Chicago, Illinois. He has more than 11 years experience doing penetration tests, vulnerability assessments, and forensics. Keatron regularly consults with and sometimes trains several government entities and corporations in the areas of network penetration, SCADA security, and other related national infrastructure security topics. He holds several information security certifications including CISSP, CSSA, CEH, CHFI, LPT, CCSP, MCSE:Security, MCT, Security+, and others.When not doing penetration tests, you can find Keatron teaching ethical hacking and forensics classes for Training Camp and a few other security training organizations.
�
Jack Voth has been working in the information technology field for 24 years. He holds numerous industry certifications including CISSP, MCSE, LPT, CEH, CHFI, ECSA, CTP, Security+, ACA, MCT, CEI, and CCNA. He specializes in penetration testing, vulnerability assessment, perimeter security, and voice/data networking architecture. In addition to being a co-owner and senior engineer of The Client Server, Inc., Jack has been instructing for more than six years on subject matter including Microsoft, Telecommunications Industry Association (TIA), EC-Council, ISC/2, and CompTIA.
�
Excerpt. � Reprinted by permission. All rights reserved.
Introduction Introduction
Whenever we tell people about the contents of this book, we always get the same response: “Isn’t that illegal?” Yes, we tell them. Most of what this book covers is completely illegal if you re-create the scenarios and perform them outside of a lab environment. This leads to the question of why we would even want to create a book like this.
The answer is quite simple. This book is necessary in the marketplace to educate others about chained exploits. Throughout our careers we have helped secure hundreds of organizations. The biggest weakness we saw was not in engineering a new security solution, but in education. People are just not aware of how attacks really occur. They need to be educated in how the sophisticated attacks happen so that they can know how to effectively protect against them.
All the authors of this book have experience in both penetration testing (hacking into organizations with authorization to assess their weakness) as well as teaching security and ethical hacking courses for Training Camp (http://www.trainingcamp.com). Many of the chapters in this book come from attacks we have successfully performed in real-world penetration tests. We want to share these so that you know how to stop malicious attacks. We all agree that it is through training that we make the biggest impact, and this book serves as an extension to our passion for security awareness training.
What Is a Chained Exploit?There are several excellent books in the market on information security. What has been lacking, however, is a book that covers chained exploits and effective countermeasures. A chained exploit is an attack that involves multiple exploits or attacks. Typically a hacker will use not just one method, but several, to get to his or her target.
Take this scenario as an example. You get a call at 2 a.m. from a frantic coworker, saying your Web site has been breached. You jump out of bed, throw on a baseball cap and some clothes, and rush down to your workplace. When you get there, you find your manager and coworkers frenzied about what to do. You look at the Web server and go through the logs. Nothing sticks out at you. You go to the firewall and review its logs. You do not see any suspicious traffic heading for your Web server. What do you do?
We hope you said, “Step back, and look at the bigger picture.” Look around your infrastructure. You might have dedicated logging machines, load-balancing devices, switches, routers, backup devices, VPN (virtual private network) devices, hubs, database servers, application servers, Web servers, firewalls, encryption devices, storage devices, intruder detection devices, and much more. Within each of these devices and servers runs software. Each piece of software is a possible point of entry.
In this scenario the attacker might not have directly attacked the Web server from the outside. He or she might have first compromised a router. From there, the attacker might reconfigure the router to get access to a backup server that manages all backups for your datacenter. Next the attacker might use a buffer overflow exploit against your backup software to get administrator access to the backup server. The attacker might launch an attack to confuse the intrusion detection system so that the real attack goes unnoticed. Then the attacker might launch an attack from the backup server to a server that stores all your log files. The attacker might erase all log files to cover his or her tracks, and then launch an attack from that server to your Web server. We think you get the point: Attacks are seldom simple. They often involve many separate attacks chained together to form one large attack. Your job as a security professional is to be constantly aware of the big picture, and to consider everything when someone attacks your system.
A skilled hacker acts much like the ants on the cover of this book. If you notice on the cover, the ants are in a line, each separate, but part of a chain. Each ant also takes something for its own use, like a hacker stealing information. Ants also tend to do most of their work without anyone seeing them, just as skilled hackers do their work without observation. Use this book as your pesticide; learn where the hackers are hiding so that you can eliminate them and stop them from gaining access to your organization.
Format of the BookThis book makes use of a fictional character named Phoenix. You do not need to read the chapters in any particular order, so if you want to jump into a topic of interest right away, go for it. Each chapter begins with a “Setting the Stage” section where we explain the scenario that is the basis behind Phoenix’s motivation for attack. You’ll learn how common greed or the desire for revenge can lead to sophisticated attacks with serious consequences.
Each chapter continues with a section titled “The Chained Exploit,” which is a detailed, step-by-step approach used by our fictitious character to launch his attack. As you read through this section, you will learn that an attack is more than just using one software tool to gain access to a computer. Sometimes attacks originate from within an organization, whereas other times attacks begin from outside the organization. You will even learn about compromising physical security and social engineering as means to achieving Phoenix’s goal.
Each chapter concludes with a “Countermeasures” section filled with information that you can use to prevent the chained exploit discussed in the chapter. You should compare this information with your own security policies and procedures to determine whether your organization can or should deploy these countermeasures.
Note - Many of the organizations and Web sites mentioned in the scenario portions of this book are fictitious and are for illustrative purposes only. For example, in Chapter 2, “Discover What Your Boss Is Looking At,” the http://www.certificationpractice.com site Phoenix copies for his phishing site does not really exist, although many like it do.
Additional ResourcesThere were many things we wanted to include in this book but could not due to time restraints. You can find more information about chained exploits by visiting http://www.chainedexploits.com. That Web site contains additional information about chained exploits and any errata for this book.
DisclaimerThe attacks in this book are illegal if performed outside a lab environment. All the examples in this book are from the authors’ experience performing authorized penetration tests against organizations. Then the authors re-created the examples in a lab environment to ensure accuracy. At no point should you attempt to re-create any of these attacks described in this book. Should you want to use the techniques to assess the security of your organization, be sure to first obtain written authorization from key stakeholders and appropriate managers before you perform any tests.
� Copyright Pearson Education. All rights reserved.
Most helpful customer reviews
8 of 8 people found the following review helpful.
Needs another editorial pass
By Sean Earp
The concept of the book is decent, albeit quite similar to the Stealing the Network series of books, wrapping theoretical hacking attacks into readable stories. Unfortunately, the execution suffers from several problems.
The narratives are all over the place and rarely bear any resemblance to each other. The stories follow the work of "Phoenix", a hacker who alternates from being someone that dresses poorly enough to be mistaken for a homeless person, performing attacks under duress as a shadowy employer threatens his girlfriend, to someone who has quit his job to live in a 3500 square foot house from the income he gets renting out large botnets.
The book suffers from too-many-authoritis, and each author has a very different writing style that makes each story different from the last. One author is very good at working different tools into his story, while one author feels compelled to list every tool that could possibly be used to pick a lock or sniff wireless traffic.
"Although Phoenix will not be using all these tools in his exploit, he could use:
-Tool A: Long description from the tool's website
-Tool B: Long description from the tool's website
-Tool C: Long description from the tool's website"
A few of the attacks are somewhat clever, while the majority are unneccessarily complex, apparently needing to hit a quota of different tools. In an attempt to find out what websites Phoenix's boss is browsing on a computer a few feet away, he decides to not use ARP Poisoning, MAC spoofing, or MAC flooding (although he discusses how each would work) in favor of using phishing to install a trojan to TFTP over a copy of netcat that he uses to manually install WinPcap so that he can trace a TCP stream in Wireshark in order to cut and paste a dump of the network traffic into a Hex Editor to save out a JPEG file. Apparently Phoenix is not a fan of simplicity.
The usage of tools is also all over the place. Sometimes he jumps right into using complex tools, while one story (the particularly egregious social engineering chapter) walks through Phoenix getting confused by how to choose the keyboard language when booting an Auditor CD.
The book would also benefit from another pass by an editor. One chapter begins with a backstory that clearly presupposes the reader has a clue about some past dealings that Phoenix has had with another character. The next story is where Phoenix is introduced to the character for the first time. Elsewhere, Phoenix decides to use his Vista based laptop, and a few pages later he is using that laptop and booting up into Windows XP. While the introduction includes the standard disclaimer that everything in the book is potentially illegal and should only be done in a lab, some authors throughout the book felt compelled to instert similar disclaimers that were unneccessary and should have been caught by the editor.
All-in-all, the book is okay, especially for someone new to the field of penetration testing who would like a little real-world context around how different tools might be use in conjunction with each other. If a second edition of this book is ever released, it could really use another pass by an editor to fix some silly errors and to help the authors speak in a unified voice. For me, the issues I mentioned above made the book somewhat difficult to read and enjoy.
6 of 6 people found the following review helpful.
A good book with fairly solid cases
By Richard Bejtlich
I agree with some of the commentary by previous reviewers, but I think some of it is unduly harsh. I don't think it's strictly necessary for a book to contain brand new security techniques in order to qualify for publication. Book publishing is not the same as releasing a white paper or briefing at Black Hat. However, books should strive to *not* cover ground published in other books, or even in well-written white papers. In that respect I think Chained Exploits strikes a good balance. The book's novelty relies on presenting complete, technical examples of a variety of "intrusion missions." While not necessarily groundbreaking for experienced offensive security people, Chained Exploits will be informative for broader technical audiences.
On the positive side, I thought the cases were well written. The authors did a good job explaining the entire case, with an introduction, body, and summary. This was helpful when the cases later in the book got more complex. The nature of the cases was interesting, with a good amount of variety. On the negative side, I think Phoenix would have been caught and imprisoned fairly easily for some of his exploits. Anytime he interacted with the physical world, in person, near his home, he became an easy target for law enforcement. His computer tactics weren't too sharp either, as noted by other reviewers. I would have liked seeing the book end with a raid on his house, followed by a list of the ways he exposed his identity to the cops. On a minor note, the authors should have supplied better images to the publisher -- many are fuzzy.
If you liked the Hackers Challenge and Stealing the Network book series, and you want something a little more modern and complicated, you'll like Chained Exploits.
14 of 17 people found the following review helpful.
Disappointing Exploits
By Justin C. Klein Keane
I looked forward to Chained Exploits (CE) by Whitaker, Evans and Voth with much anticipation as the concept is a much needed addition to the lexicon on information security. Often academic fields are severely limited by the vocabulary available to discuss issues and the "chained exploit" is sure to become a mainstay in the discourse of information security. Despite my enthusiasm for the concept, however, I was disappointed by the material presented in CE. The genius of the chained exploit is that it upends the traditional threat matrix, typically presented as:
[value of resource] x [likelihood of exploit] = [risk level]
For example, a high value resource that is unlikely to be exploited should be ranked as a low risk, as should a low value resource that is likely to be exploited. Think of this in terms of a temporary database of publically available information used to populate a user demonstration website that is wiped out every 24 hours. If that information is compromised it has no value, so even if the compromise is likely it is a low risk system. Conversely if a system that contains critical financial information is confined to a single workstation that is removed from any networking and housed in a guarded facility it too is a low risk system (since the likelihood of compromise is low).
Unfortunately many auditors make risk assessments based on circumstances in a vacuum. This is where the concept of "chained exploits" becomes so valuable. For instance, if a vulnerability were discovered in a local binary accessible to users that allows privilege escalation, but the local binary exists on a system that has no users (other than administrators who already have root privileges) it is often considered a low risk. Many times patches for these sorts of vulnerabilities are not installed because the patch could introduce instability and would not be considered worthy of the expense given the low risk. Similarly a vulnerability could be discovered in a web service that when exploited could allow a remote attacker to gain an unprivileged local account that, say, only had access to read and write to the /tmp directory. This could also be considered a low risk since such limited access wouldn't present any threat to the system. However, if you "chained exploits" for the two vulnerabilities you suddenly have a condition where a remote attacker can gain a local account and elevate their privilege! This contravenes the low risk ranking of the individual vulnerabilities. When combined they suddenly become a very high risk to the system.
It was this sort of "chain" that I hoped CE would explore. Instead the material presented in the book consisted of context to several high risk vulnerabilities to explain why they might be used in tandem. For instance, the book would propose a scenario where a remote attacker installed a backdoor rootkit on a corporate network workstation then used that workstation to access the central database using default system administrator credentials. Each of the conditions used in these "chains" are extremely high risk already, and thus the book doesn't present any new material for seasoned information security professionals to consider.
For a novice this book is a great resource. It is full of the sorts of horror stories that professionals are all too familiar with, but could potentially be eye opening for a neophyte or someone unfamiliar with computer security. At the very least it is a page turning exploration of very real and often under appreciated risks to enterprises.
I was disappointed that the book didn't raise the level of discourse in the information security field but I suspect that wasn't the point of Chained Exploits. Instead it reads like a greatest hits sequence prepared by veteran penetration testers. It makes for interesting reading, but it isn't particularly informative. Don't look for any new 0 day exploits (or even a discussion of how to find such flaws). Instead the book contains a litany of well known routes to system compromise and illustrative narratives that tie them together in real world scenarios.
Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth PDF
Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth EPub
Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth Doc
Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth iBooks
Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth rtf
Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth Mobipocket
Chained Exploits: Advanced Hacking Attacks from Start to Finish, by Andrew Whitaker, Keatron Evans, Jack Voth Kindle
No comments:
Post a Comment