Those who have read my reviews of parts of the second edition of “Hacking: The Art of Exploitation” by Jon Erickson may not be surprised to see that I am continuing this series of reviews of sections of that book. At the end of my review of the third chapter of that book, I mentioned that I looked forward to reading and reviewing the fourth chapter of the book, which is the chapter on networking. Networking is an interesting concept, and an important one, as Erickson mentions at the beginning of this chapter. Networking has allowed computers to have many more capabilities than they would have had without it. However, with these increased capabilities have come more vulnerabilities. In this chapter of the book, the basics of networking are explained in detail, leading to explanations of vulnerabilities and how they can be exploited.
The chapter appropriately begins with an introduction to the layers of the OSI model. Although I have seen better introductions to the OSI model, this section of the chapter serves its purpose in giving a basic introduction to networking. The basics of programming with sockets are then covered, and are covered well. This then leads to a description of how a very basic web server can be written. After this is a segue into a description of the OSI model again, with more detailed descriptions of protocol layers. These layers are described using interesting and appropriate analogies. As an example, the data link layer is described as being analogous to interoffice mail, the physical layer is compared to the carts used to deliver the mail, whereas the network layer above these layers is compared to a worldwide postal system. It was also interesting to see the details of how TCP/IP connections are started, and to see why they are started using the “three-way handshake” method.
Next, sniffing of network traffic is explained. The libpcap library is described in detail, and code examples are given to explain how a sniffer can be written to display network traffic at three different levels. The examples of what gets sniffed may make those who read them want to conduct experiments. Some may want to see more about the data that would be transmitted, such as the SYN and ACK values in TCP/IP connections. It is later mentioned that sniffing cannot be done easily on switched networks. Then it is described how the way in which ARP is implemented easily allows both spoofing of ARP addresses as well as ARP cache poisoning, and how that can be done to sniff traffic on switched networks. While readers read through it, some of them might consider how to defend against this flaw inherent in ARP that allows cache poisoning. Some of them might also be entertained by the author’s cleverness, as the MAC address of the attacker in the ARP spoofing example is, appropriately enough, 00:00:00:FA:CA:DE. The libnet library is then described, as are the tools known as Nemesis and arpspoof that use this library. The author appropriately encourages readers to view the source code of software that uses these libraries so that they will be better able to learn about these libraries. Many code examples are given, and the author seems to understandably assume that readers will work with these examples. He often says that the code examples should make sense to readers.
Denial-of-service attacks are covered next. The author explains how the implementation of protocols can be exploited, in particular in the description of SYN floods. It is then explained that that attack and similar ones are unlikely to succeed now, as operating systems have been updated to prevent these attacks from happening. However, it is explained why these historical examples matter. The author mentions that while oversized ICMP packets will not crash computers anymore, some Bluetooth implementations are vulnerable to oversized ping packets. As the author says, it is often that “the same mistakes made in the past are repeated by early implementations of new products.”
In the next section of this chapter, the importance of being able to sniff network traffic is underscored. It is demonstrated how this sniffing is what needs to be done to be able to hijack TCP/IP connections. Prior to the explanation of how this hijacking is done, it is appropriately explained that this can be done when a one-time password is used to connect to a host. Next, port scanning and the different methods of it are covered. The author then explains how discovery of which ports are open can be prevented. This is done by creating the illusion that all ports are open, which is done by responding to any packets that are sent when ports are being scanned. As is the case with previous sections of the chapter, example source code is given to illustrate how this can be implemented.
What I consider the best part of the chapter is near the end of it, where it is explained how concepts from the previous chapter can be combined with concepts explained in this chapter. The reader is first given a second chance to look for a buffer overflow vulnerability in a code example given previously in the chapter on networking. It is then explained how this vulnerability can lead to shell-spawning code being run. Then, to make the attack more useful, it is demonstrated how port-binding shellcode can be used to open a port to which the attacker can connect and gain root access to a remote system. This combination of interesting concepts may have been awaited by readers as they read through the book. This combination of concepts makes these concepts more interesting than they were individually.
After reading this chapter, readers of it should understand that the implementation of network software can be, and historically has been, flawed and vulnerable to attacks. The author encourages readers to write software that implements the concepts that are explained, such as the “ping of death” attack. Readers of this book are understandably expected to understand the material well enough to be able to do that. Something else that readers should understand after reading that chapter is how concepts can be combined. The author does not explicitly say in this chapter that readers should understand this. However, readers who will get the most out of this book will see how that can be done. After the chapter ended with explanations of how shellcode can be more advanced, and how countermeasures against attacks can be implemented, readers will want to keep reading this book. The next two chapters cover the topics of shellcode and countermeasures, and I plan on reading and reviewing them once I find the time to do so.
This chapter of the book is quite informative. The explanations of concepts are clear, and are sometimes even entertaining. The clever sense of humour that the author has is quite evident in it. Those who try to fully understand the material and pay attention to detail will enjoy this chapter. Reviews of the next chapters of the book may appear here before long, as I continue to enjoy reading this book.