Hacking Exposed

If you're a network administrator, there's a good chance that somewhere on your network, there's a security hole. If there were just the one, things wouldn't be so bad. You'd just go and fix it. You might not even care what the details are, provided you have a known solution. Unfortunately, the situation is rarely, if ever, that simple. There may be hundreds of vulnerabilities of varying severities on a decent sized network, with more being discovered all the time. Now what do you do? How do you decide which problems to fix first?

The only rational approach is to understand what the vulnerabilities are, how they're exploited, what their impacts are, and the different methods of defending against them. Armed with this knowledge you can make informed, intelligent decisions about which are the most serious problems for your network, and what you'll do to address them.
But where do you get the information you need? The sources of the information are spread across the Internet on a variety of Web sites, mailing list archives, FTP servers, IRC channels, etc. Tracking down all the information on your own would be a tremendous task. Fortunately, you don't have to-that's what this book is for. It contains the accumulated knowledge of the security community on Windows 2000. The authors have been compiling this information for several years, and offering it to the public in the Hacking Exposed books.

This book continues that tradition, but focuses on the security issues of Windows 2000. Once again, the authors have collected the latest information on threats, attacks, and defenses, and added their insightful analysis. This book is a treasure trove of information no Windows administrator should be without.

Of course, would-be attackers may also make use of this information, using it as a guide to hacking. Therefore, some would argue, publishing it is bad for security. Keeping the information secret, or only allowing access to a chosen, trusted few, would be more beneficial. However, besides the fact that this would leave administrators in the dark, unable to make intelligent decisions about security issues, it assumes that the computer underground is unable to discover or propagate this information on its own. Experience shows that this is not a safe assumption.

As I write this forward, the Internet has just suffered through the first wave of the "Code Red" worm. In just a few short days, hundreds of thousands of IIS servers were infected and used to spread the worm even further. As if the first round of infections were not bad enough, there are predictions that the cycle of infections is poised to start again, and be even worse the second time around. CERT and Microsoft are issuing statements. The media is forecasting the collapse of the Internet. IIS Administrators are scrambling to install patches. Yet, through all the chaos and panic, some IIS administrators were able to sit back in (relative) calm. What made them different from the rest? Quite simply, they took the time to educate and defend themselves in advance, and were prepared when the storm struck.
By the time you read this, Code Red will likely be old news. However, one thing is sure to remain true. New vulnerabilities will continue to be found, and need to be understood and addressed before they're exploited. The knowledge contained in this book will set you on the road to being one of the prepared people the next time around. Use it well.

Foreword to the Second Edition (2003)

by Greg Wood, General Manager, Information Security
Microsoft Corporation

Working with the precision of a neurosurgeon, the computational capability of a nuclear physicist and the tenacity of a rookie detective on his first stake-out, hackers dissect complex technologies in their quest to discover and exploit a microscopic network or computer gaffe. This is a common perception IT professionals attribute to hackers and unless you arm yourself with the same knowledge as cyber-criminals, these statements might as well be true. Don’t be intimidated by the mystique surrounding “hackers”. Knowing how attackers think and the tools they use is the first step in mounting an effective defense.

These aren’t new concepts, albeit perhaps uniquely applied. 2000 years ago, SunTzu detailed a basis for war in which he almost scientifically decomposes battle into many rational decisions. Most appropriate:

“know thy enemy and know thyself; in a hundred battles you will never
be in peril. When you are ignorant of the enemy but know yourself, your
chances of winning or losing are equal. If ignorant both of your enemy
and of yourself, you are certain in every battle to be in peril.”

-- The Art of War. Sun Tzu

The only barrier to an effective defense is knowledge. Whether you are a security hobbyist, an IT professional or experienced security practitioner, understanding the basic tools and methods are critical to establishing an effective defensive posture. Computer hacking is no longer predicated on computer literacy and intelligence. Tool automation has effectively eliminated most, if not all intellectual barriers while the proliferation of high speed access has dramatically improved the capabilities of the masses. The “art” of hacking detailed in the media through the eyes of infamous social engineers turned consultants, no longer exists. Hacking today is a science. It is a series of tool enhanced processes methodically executed by criminals. In many cases, hacking has regressed to a state of cut and paste plagiarism.

In fact, a job description for the mass-market, average computer hacker might look like the following:

Job Title: Computer Hacker
The ideal candidate must have at least 3 months of computer experience. The candidate should be experienced in both the “cut” and “paste”, although we are willing to train. In addition, the ideal candidate must be able to count to at least 1. Counting from 0 to 15 is preferred. Working knowledge of letters “A” through “F” recommended. The right candidate will possess a Pentium III and have access to a discreet, high-speed internet connection.

Obviously the tongue-in-cheek job description overstates the simplicity with which these modern day miscreants operate. The point is, as computer owner, system administrator or network operator you don’t have to be smarter than every computer hacker, just recognize you’re smarter than most. Hackers don’t want you to read this book. Hacking Exposed unravels the mystery by opening the curtain.

The fact remains, the incidence of computer borne attacks will continue to grow in number, complexity and severity. And while there are minimal defenses against the motivated professional criminal, there are some basic steps to limit your exposure. Most importantly is arming yourself with the same basic knowledge as your attacker. Without a common understanding of the tools and methods used by our collective enemy, defending against the next generation of attack is futile. The least we can do is make it challenging.

News Archive

02/24/06 - Hacking Exposed Vegas!
Hacking Exposed and co-author Joel Scambray star in the "Oceans 11" of computer security: The Code Room Vegas. Check out this 28-minute video dramatizing 3 real-world hackers who take down a Vegas casino.

11/1/05 - Sony BMG "rootkit" causes stir
SysInternals and F-Secure independently reported that music giant Sony BMG used rootkit-like technology to prevent removal of the company's copy protection software. The technology, called XCP, was apparently licensed by SonyBMG from First 4 Internet. Subsequently, Sony BMG released a statement and also posted a patch to remove the copy-protection software (although the patch itself was criticized as opaque in its activities). Subsequently, online game hackers were found to be piggybacking their cheating techniques within the Sony BMG hiding software.

8/9/04 - Windows XP Service Pack 2 Available
Microsoft's XPSP2 Support Page has the latest information. Heralded as a groundbreaking advance in the security of Windows, most of the improvements appear to be focused on improving visibility and control over settings that have existed in the OS for some time. One exception is Data Execution Prevention (DEP), which, while not a novel concept, may yet provide revolutionary protection to Windows from common memory corruption attacks like buffer overflows that have plagued the platform for many years. However, it requires processor support that is currently only present in the AMD K8 and the Intel Itanium processor families.

8/4/04 - Serious vulnerabilities identified in widely-used libpng library
These vulnerabilities announced by Chris Evans could be exploited in some instance to execute arbitrary code on the victim's system if they browsed a malicious website or viewed a malicious email (see also: CERT alert). No comment was immediately available from Microsoft on whether any products were affected through reliance on the popular network graphics format.

7/29/04 - Bill Gates wants to turn security "from something that is a concern to us to a significant business asset as well as an opportunity"
At Microsoft's annual meeting with financial analysts in Redmond, WA, Gates sought to change the tenor of Microsoft's ongoing security dialog, echoing what many CISOs now consider an "enlightened" strategy of turning the perception of security as a perennial problem to one of business enabler. See security.itworld.com coverage for more.

6/24/04 - Dual-pronged Download.Ject issue infecting Microsoft systems
Microsoft teams have confirmed a report of a security issue known as Download.Ject affecting customers using Internet Explorer. (Download.Ject is also known as: JS.Scob.Trojan, Scob, and JS.Toofeer.). The exploit also infects server-side IIS 5 systems not patched for the PCT vulnerability described on April 13 in Microsoft Security Bulletin MS04-011. For analysis and recovery information, please see Microsoft's advisory page.

6/16/04 - IPSec man-in-the-middle (MITM) vulnerabilities resurfaced
Two researchers have posted information on IPSec vulnerabilities in the past six months. This information has not received wide media coverage. Thor Lancelot Simon posted "Multiple vulnerabilities in vendor IKE implementations, including Cisco" in December 2003. Steffen Pfendtner posted a follow-up claiming that Windows IPSec implementation is also vulnerable (see "Microsoft Windows IPSec Vulnerability" posted May 10, 2004). Existing Microsoft documentation claims that protection against MITM attacks exist, although another article notes that SP3 fixed an issue related to IPSec MITM. (Thanks to Chris Weber for forwarding this information).

5/8/04 - Microsoft Anti-virus Reward Program leads to arrest of Sasser and Netsky worm creator
On May 5, Microsoft was approached by individuals offering information about the Sasser worm creator who were interested in a reward under Microsoft's recently announced $5M Anti-virus Reward Program. Microsoft offered a potential reward of up to $250,000 if this information led to the arrest and conviction of the Sasser perpetrator. Working with the FBI and German authorities ,the ensuing investigation led to information relating not only to all four variants of the Sasser worm, but also to the Netsky worm, which was launched on Feb. 16, 2004. For full details, see Microsoft PressPass article.

4/30/04 - Sasser and Agobot/Gaobot variant worms exploiting Windows vulnerability
Sasser exploits the LSASS vulnerability described on April 13 in MS04-011, a good analysis can be found at LurHQ or any of the reputable antivirus vendor sites. Agobot/Gaobot is an existing malware family that has been updated to spread via the same vulnerability. Sasser variants do not currently install a back door; however, Agobot/Gaobot does install an IRC-controlled back door, in addition to initiating a number of other aggressive spreading techniques. Microsoft provides free support for virus and trojan infection cleanup, including toll-free phone support in the US and Canada.

2/24/04 - Bill Gates keynote at RSA Security Conference
Microsoft PressPass. NetworkWorldFusioncoverage.

2/23/04 - IPSec paper jointly authored by Microsoft and Foundstone wins technical award
"Using Microsoft Windows IPSec to Help Secure an Internal Network Server," a technical white paper jointly authored by Microsoft and Foundstone (including lead HEW2K3 author Joel Scambray), won an Excellence award in the 2003-2004 Technical Communication Competition, sponsored by the Society for Technical Communication (STC). Entries in the technical publications category (in which this paper competed) were rated on writing, graphics, copyediting, and overall integration, in the context of the paper's purpose, content, and organization.

2/23/04 - Sysinternals PSTools updated to version 1.99
If you administer Windows NT Family systems, you need these tools. The outstanding PsExec, a member of this toolset, is discussed in HEW2K3 and remains one of the premier remote command execution tools available today.

2/12/04 - Microsoft source code leak discovered
The Apocalypse, or overhyped? Read the Official Microsoft Response. Interesting commentary: "We Are Morons: a quick look at the Win2k source." Subsequent report of vulnerability in IE claimed to be based on examination of leaked code.

2/04 - Windows rootkit detection paper published
"Avoiding Windows Rootkit Detection" by Edgar Barbosa.

1/27/04 - MyDoom/DoomJuice viruses spread widely across Windows systems
Check out Microsoft's MyDoom assistance page (with cleaning tool!) for more information.

1/15/04 - HEW2K3 author presents TechNet WebCast on "Internet Data Center Security"
Joel Scambray, lead author of HEW2K3, presents on Microsoft's TechNet. See and hear the presentation on demand!

11/30/2003 - HEW2K3 author Joel Scambray interviewed on WTVN Radio's Technology Corner (Columbus, Ohio) .
Hear the interview in Real Audio.

11/10/03 - HEW2K3 makes "Product of the Week" on Sunbelt's W2Knews Electronic Newsletter
What more can be said: "This is a must-read if you want to keep your 2003 servers safe."

11/6/03 - Detecting Windows rootkits presentation posted
From Hivercon 2003, Dublin, Ireland. "Detecting Windows Server Compromises" by Joanna Rutkowska.

10/22/03: HEW2K3 published!
Get your copy on our Products page. Check out the other HE editions while you're there!

8/03 - Widespread exploitation and compromise of Windows systems vulnerable to MS03-026/Blaster worm
See, for example, Stanford University bulletin, rootkit descriptions on Distributed.net, and Microsoft's Blaster worm incident page (with links to cleanup tools!).