the First Edition (2001)
by Todd Sabin
Security Researcher and Creator of the pwdump2 Tool
If you're a
network administrator, there's a good chance that somewhere on your
network, there's a security hole. If there were just the one, things
wouldn't be so bad. You'd just go and fix it. You might not even care
what the details are, provided you have a known solution. Unfortunately,
the situation is rarely, if ever, that simple. There may be hundreds
of vulnerabilities of varying severities on a decent sized network,
with more being discovered all the time. Now what do you do? How do
you decide which problems to fix first?
The only rational approach is to understand what the vulnerabilities
are, how they're exploited, what their impacts are, and the different
methods of defending against them. Armed with this knowledge you can
make informed, intelligent decisions about which are the most serious
problems for your network, and what you'll do to address them.
But where do you get the information you need? The sources of the information
are spread across the Internet on a variety of Web sites, mailing list
archives, FTP servers, IRC channels, etc. Tracking down all the information
on your own would be a tremendous task. Fortunately, you don't have
to. That's what this book is for. It contains the accumulated knowledge
of the security community on Windows 2000. The authors have been compiling
this information for several years, and offering it to the public in
the Hacking Exposed books.
This book continues that tradition, but focuses on the security issues
of Windows 2000. Once again, the authors have collected the latest information
on threats, attacks, and defenses, and added their insightful analysis.
This book is a treasure trove of information no Windows administrator
should be without.
Of course, would-be attackers may also make use of this information,
using it as a guide to hacking. Therefore, some would argue, publishing
it is bad for security. Keeping the information secret, or only allowing
access to a chosen, trusted few, would be more beneficial. However,
besides the fact that this would leave administrators in the dark, unable
to make intelligent decisions about security issues, it assumes that
the computer underground is unable to discover or propagate this information
on its own. Experience shows that this is not a safe assumption.
As I write this foreword, the Internet has just suffered through the
first wave of the "Code Red" worm. In just a few short days,
hundreds of thousands of IIS servers were infected and used to spread
the worm even further. As if the first round of infections were not
bad enough, there are predictions that the cycle of infections is poised
to start again, and be even worse the second time around. CERT and Microsoft
are issuing statements. The media is forecasting the collapse of the
Internet. IIS Administrators are scrambling to install patches. Yet,
through all the chaos and panic, some IIS administrators were able to
sit back in (relative) calm. What made them different from the rest?
Quite simply, they took the time to educate and defend themselves in
advance, and were prepared when the storm struck.
By the time you read this, Code Red will likely be old news. However,
one thing is sure to remain true. New vulnerabilities will continue
to be found, and need to be understood and addressed before they're
exploited. The knowledge contained in this book will set you on the
road to being one of the prepared people the next time around. Use it
the Second Edition (2003)
by Greg Wood, General Manager, Information Security
Working with the precision of a neurosurgeon, the computational capability
of a nuclear physicist and the tenacity of a rookie detective on his
first stake-out, hackers dissect complex technologies in their quest
to discover and exploit a microscopic network or computer gaffe. This
is a common perception IT professionals attribute to hackers and unless
you arm yourself with the same knowledge as cyber-criminals, these statements
might as well be true. Don't be intimidated by the mystique surrounding
hackers. Knowing how attackers think and the tools they
use is the first step in mounting an effective defense.
These aren't new concepts, albeit perhaps uniquely applied. 2000
years ago, Sun Tzu detailed a basis for war in which he almost scientifically
decomposes battle into many rational decisions. Most appropriate:
know thy enemy and know thyself; in a hundred battles you will
be in peril. When you are ignorant of the enemy but know yourself,
chances of winning or losing are equal. If ignorant both of your enemy
and of yourself, you are certain in every battle to be in peril.
-- The Art of War, Sun Tzu
The only barrier to an effective defense is knowledge. Whether you
are a security hobbyist, an IT professional or experienced security
practitioner, understanding the basic tools and methods is critical
to establishing an effective defensive posture. Computer hacking is
no longer predicated on computer literacy and intelligence. Tool automation
has effectively eliminated most, if not all intellectual barriers while
the proliferation of high speed access has dramatically improved the
capabilities of the masses. The art of hacking detailed
in the media through the eyes of infamous social engineers turned consultants,
no longer exists. Hacking today is a science. It is a series of tool
enhanced processes methodically executed by criminals. In many cases,
hacking has regressed to a state of cut and paste plagiarism.
In fact, a job description for the mass-market, average computer hacker
might look like the following:
Job Title: Computer Hacker
The ideal candidate must have at least 3 months of computer experience.
The candidate should be experienced in both the cut and
paste, although we are willing to train. In addition,
the ideal candidate must be able to count to at least 1. Counting
from 0 to 15 is preferred. Working knowledge of letters A
through F recommended. The right candidate will possess
a Pentium III and have access to a discreet, high-speed internet connection.
Obviously the tongue-in-cheek job description overstates the simplicity
with which these modern day miscreants operate. The point is, as a computer
owner, system administrator or network operator you don't have
to be smarter than every computer hacker, just recognize you're
smarter than most. Hackers don't want you to read this book. Hacking
Exposed unravels the mystery by opening the curtain.
The fact remains, the incidence of computer borne attacks will continue
to grow in number, complexity and severity. And while there are minimal
defenses against the motivated professional criminal, there are some
basic steps to limit your exposure. Most importantly is arming yourself
with the same basic knowledge as your attacker. Without a common understanding
of the tools and methods used by our collective enemy, defending against
the next generation of attack is futile. The least we can do is make
02/24/06 - Hacking Exposed Vegas!
Hacking Exposed and co-author Joel Scambray star in the "Oceans
11" of computer security: The
Code Room Vegas. Check out this 28-minute video dramatizing 3 real-world
hackers who take down a Vegas casino.
11/1/05 - Sony BMG "rootkit" causes stir
independently reported that music giant Sony BMG used rootkit-like
technology to prevent removal of the company's copy protection software.
The technology, called XCP,
was apparently licensed by SonyBMG from First
4 Internet. Subsequently, Sony BMG released a statement
and also posted a patch
to remove the copy-protection software (although the patch itself was
criticized as opaque in its activities). Later, online
game hackers were found to be piggybacking their cheating techniques
on the Sony BMG hiding software.
8/9/04 - Windows XP Service Pack 2 Available
Support Page has the latest information. Heralded as a groundbreaking
advance in the security of Windows, most of the improvements appear
to be focused on improving visibility and control over settings that
have existed in the OS for some time. One exception is Data
Execution Prevention (DEP), which, while
not a novel concept, may yet provide revolutionary protection to
Windows from common memory corruption attacks like buffer overflows
that have plagued the platform for many years. However, it requires
processor support that is currently only present in the AMD K8 and the
Intel Itanium processor families.
8/4/04 - Serious vulnerabilities identified in widely-used libpng
These vulnerabilities announced by Chris
Evans could be exploited in some instances to execute arbitrary code
on the victim's system if they browsed a malicious website or viewed
a malicious email (see also: CERT
alert). No comment was immediately available from Microsoft on whether
any products were affected through reliance on the popular network graphics
7/29/04 - Bill Gates wants to turn security "from something
that is a concern to us to a significant business asset as well as an
At Microsoft's annual meeting with financial analysts in Redmond, WA,
Gates sought to change the tenor of Microsoft's ongoing security dialog,
echoing what many CISOs now consider an "enlightened" strategy
of turning the perception of security as a perennial problem to one
of business enabler. See security.itworld.com
coverage for more.
6/24/04 - Dual-pronged Download.Ject issue infecting Microsoft systems
Microsoft teams have confirmed a report of a security issue known as
Download.Ject affecting customers using Internet Explorer. (Download.Ject
is also known as JS.Scob.Trojan, Scob, and JS.Toofeer.) The exploit
also infects server-side IIS 5 systems not patched for the PCT vulnerability
described on April 13 in Microsoft
Security Bulletin MS04-011. For analysis and recovery information,
please see Microsoft's advisory
6/16/04 - IPSec man-in-the-middle (MITM) vulnerabilities resurfaced
Two researchers have posted information on IPSec vulnerabilities in
the past six months. This information has not received wide media coverage.
Thor Lancelot Simon posted "Multiple
vulnerabilities in vendor IKE implementations, including Cisco"
in December 2003. Steffen Pfendtner posted a follow-up claiming that
Windows IPSec implementation is also vulnerable (see "Microsoft
Windows IPSec Vulnerability" posted May 10, 2004).
Existing Microsoft documentation claims that protection against
MITM attacks exists, although another
article notes that SP3 fixed an issue related to IPSec MITM. (Thanks
to Chris Weber for forwarding this information).
5/8/04 - Microsoft Anti-virus Reward Program leads to arrest of
Sasser and Netsky worm creator
On May 5, Microsoft was approached by individuals offering information
about the Sasser worm creator who were interested in a reward under
Microsoft's recently announced $5M
Anti-virus Reward Program. Microsoft offered a potential reward
of up to $250,000 if this information led to the arrest and conviction
of the Sasser perpetrator. Working with the FBI and German authorities,
the ensuing investigation led to information relating not only to all
four variants of the Sasser worm, but also to the Netsky worm, which
was launched on Feb. 16, 2004. For full details, see Microsoft
4/30/04 - Sasser and Agobot/Gaobot variant worms exploiting Windows
exploits the LSASS vulnerability described on April 13 in MS04-011;
a good analysis can be found at LurHQ
or any of the reputable antivirus
vendor sites. Agobot/Gaobot is an existing malware family that has
been updated to spread via the same vulnerability. Sasser variants do
not currently install a back door; however, Agobot/Gaobot does install
an IRC-controlled back door, in addition to initiating a number of other
aggressive spreading techniques. Microsoft provides free
support for virus and trojan infection cleanup, including toll-free
phone support in the US and Canada.
2/24/04 - Bill Gates keynote at RSA Security Conference
2/23/04 - IPSec paper jointly authored by Microsoft and Foundstone
wins technical award
Microsoft Windows IPSec to Help Secure an Internal Network Server,"
a technical white paper jointly authored by Microsoft and Foundstone
(including lead HEW2K3 author Joel Scambray), won an Excellence award
in the 2003-2004 Technical Communication Competition, sponsored by the
Society for Technical Communication
(STC). Entries in the technical publications category (in which
this paper competed) were rated on writing, graphics, copyediting, and
overall integration, in the context of the paper's purpose, content,
2/23/04 - Sysinternals PSTools updated to version 1.99
If you administer Windows NT Family systems, you need these tools. The
outstanding PsExec, a member of this toolset, is discussed in HEW2K3
and remains one of the premier remote command execution tools available
2/12/04 - Microsoft source code leak discovered
The Apocalypse, or overhyped? Read the Official
Microsoft Response. Interesting commentary: "We
Are Morons: a quick look at the Win2k source." Subsequent
report of vulnerability in IE claimed to be based on examination
of leaked code.
2/04 - Windows rootkit detection paper published
Windows Rootkit Detection" by Edgar Barbosa.
1/27/04 - MyDoom/DoomJuice viruses spread widely across Windows
Check out Microsoft's
MyDoom assistance page (with cleaning tool!) for more information.
1/15/04 - HEW2K3 author presents TechNet WebCast on "Internet Data Center Security"
Joel Scambray, lead author of HEW2K3, presents on Microsoft's TechNet.
See and hear the presentation on
11/30/2003 - HEW2K3 author Joel Scambray interviewed on WTVN Radio's Technology Corner (Columbus, Ohio).
Hear the interview in Real Audio.
11/10/03 - HEW2K3 makes "Product of the Week" on
Sunbelt's W2Knews Electronic Newsletter
What more can be said: "This is a must-read if you want to keep
your 2003 servers safe."
11/6/03 - Detecting Windows rootkits presentation posted
2003, Dublin, Ireland. "Detecting
Windows Server Compromises" by Joanna Rutkowska.
10/22/03 - HEW2K3 published!
Get your copy on our Products page.
Check out the other HE editions while you're there!
8/03 - Widespread exploitation and compromise of Windows systems
vulnerable to MS03-026/Blaster worm
See, for example, Stanford
rootkit descriptions on Distributed.net, and Microsoft's
Blaster worm incident page (with links to cleanup tools!).