Author: Ed Skoudis
Publisher: Prentice Hall PTR
Some people prefer books that deliver a wealth of theoretical knowledge they can build on, while other always go for the hands-on experience. This course is all hands-on experience and lots of it.
For the purpose of this review, this interactive training course was used on an Asus A1000 series notebook running Red Hat 8.0 and Real Player 220.127.116.111. Screenshots of the training course can be seen at the end of the review.
About the author
Ed Skoudis is the Vice President of Security Strategy for Predictive Systems. Ed’s expertise includes hacker attacks and defenses, the information security industry, and computer privacy issues. He has performed numerous security assessments, designed secure network architectures, and responded to computer attacks. Ed has focused on identifying and resolving security vulnerabilities on UNIX, Windows NT, firewall architectures, and Web applications. He has also conducted a demonstration of attacker techniques for the U.S. Senate.
An interview with Ed Skoudis is available here.
Inside the training course
The first lecture, “Overview and Building a Hacker Tool Analysis Laboratory”, explains the purpose of this training course. You have to know your enemy if you want to protect your network efficiently. Here the author helps you in the creation of your very own Windows and Linux analysis machines, from the installation of the operating systems up.
This training course contains videos and screen captures of various tools that enable you to either work with the tools while taking the course or just stand back and learn. In any way, it will certainly aid you in the process of getting acquainted with security tools.
The following lecture brings forward reconnaissance. Skoudis provides an understanding of both low-tech and computer-based reconnaissance. When it comes to low-tech reconnaissance the author talks about social engineering, the possibility of physical break-ins and dumpster diving. As computer-based reconnaissance is concerned, you get information on whois databases and the Domain Name System. What follows is instructions on how to install Sam Spade and then use it to gather information about a target. Skoudis also illustrates how you can search the web in order to obtain interesting information about a target.
Moving on the author discusses various scanning techniques. Here you learn how attackers search for modems and scan your systems using THC-Scan, in other words – wardialing. Skoudis guides you through the installation, configuration and usage of the program. Also presented here are some defenses from wardialing. The next topic is network mapping and the tool is Cheops-ng, one of the best network mappers available. As with the tools before, you learn how to install Cheops-ng before actually using it. As the author moves on to talk about port scanning, we get information on one of the most well-known security tools out there – nmap. After the installation and configuration instructions you see how to use nmap as well as what port scanning defenses you can deploy on your network. Scanning for vulnerabilities on your network is equally important. This is where Nessus comes into the picture.
Lecture four, “Gaining Access”, begins with an analysis of buffer overflows. Skoudis mentions the popular article on the topic by Aleph One – “Smashing the Stack for Fun and Profit” and gives an overview of buffer overflows. You learn how buffer overflow attacks are run and also that you can use Nessus to check for numerous buffer overflow vulnerabilities. Various buffer overflow defenses are listed.
Another popular way of gaining access is cracking passwords. Skoudis analyzes cracking passwords on both Windows and Linux machines by using L0phtCrack and John the Ripper. As before, you get some information on password cracking defenses. Sniffing is also a very common technique and here you get an overview of sniffing as well as knowledge on sniffing traditional LANs, switched LANs and using the Sniffit tool. Sniffing defenses are naturally included.
Netcat, the “Swiss Army Knife” of hacker tools is the last tool covered in this lecture. Skoudis provides an overview of the program as well as the installation and configuration options for both the Windows and Linux platform. You see here how to use netcat to transfer files, do port scans, and create backdoors and relays.
Once you gained access to a system, you want to keep it. Lecture five is all about maintaining access and kicks off with an analysis of an application-level Trojan Horse Backdoor. Some of the commonly used backdoors are Sub7, Back Orifice 2000, NetBus and VNC. Skoudis presents an overview of VNC and covers it’s installation and configuration. Going forward, the author presents an overview of traditional rootkits (LRK4, T0rnKit, RootKit, etc.) and gives you a good understanding on the subject. He guides you through the analysis of LRK4 without having you actually install it. Traditional rootkit defenses are also given. To close this lecture, the author provides an analysis of a kernel-level rootkit along with the defenses you can use.
At this point the attacker has not only gained access to the system, but has also altered the system. What else can go wrong? Well, he can cover his tracks. How? The last lecture will give you plenty of information on the subject. Skoudis gives you an understanding of how attackers hide files on a Windows machine and on a UNIX system, along with the file hiding defenses. After this he moves on to illustrate how intruders hide data that moves across a network and analyzes protocol tunnelling using Reverse WWW Shell and shows the possible defenses. The last lesson in this lecture covers the analysis of hiding data in headers using Covert_TCP.
My 2 cents
This training course is designed for an audience of system administrators, network administrators and security enthusiasts. I would recommend it for beginners and intermediate users.
If you are new to network security, these hands-on examples will enable you to jump right into securing your network. If, on the other hand, you already have some experience with network security, this training course will certainly give you some useful real-world experiences that you can use to prevent attacks and respond to intrusion attempts.
What’s also excellent when it comes to Ed Skoudis is the fact that he constantly notes the importance of keeping up-to-date all the time. He tells you to check the latest references and subscribe to mailing lists. This will certainly give people new to security a good foundation to build upon. I can highly recommend this training course to anyone interested in getting some real advice real fast. This course is all about things you should know yesterday if you’re responsible for the security of a network.
Click to see a larger version.