Network Security Tools. Writing, Hacking and Modifying Security Tools
by Nitesh Dhanjani and Justin Clarke
O'Reilly 2005.
ISBN 0-596-00794-9. $34.95, 324 pages; Index
Reviewed by Bob Bruen 09/16/05
Although this book is not offered as a cookbook, it comes pretty close. From a teaching and learning perspective it is right on the mark. In part one, all of the tools have an example that extends the tool in some way. The code examples are small, easy to understand and straightforward to implement. The tools are are well-known [ed. they are well-known to those to whom they are well-known!]: Nessus, ettercap, hydra, nmap and nitko. Metasploit is also covered. In my opinion Metasploit is much more than a tool, although that is not really important. Kudos for including it.
Most of these tools are documented in many places, but the techniques for customizing them, especially when one has its own language, can be daunting. The book brings it all down to the level of clarity. Once you can replicate and understand the examples, you are on your way. Like most tools in world outside of computers, their ease of use and usefulness determines how widespread they become. The tools presented in the first part of this are some of the popular ones. A complete set of tools and examples would be a large reference manual, but this is definitely the place to start.
A goodly number of pages is devoted to web applications attack for the obvious reason that web servers tend to be in the DMZ or directly connected to the net. Other applications are more likely to be behind firewalls or otherwise better protected. It feels like web related problems, such as with cross-site scripting, PHP, shopping carts, etc are the source of as many, if not more problems, than Internet Explorer. A bit of a discovery for me was PMD, a static source analysis tool for Java, available at Sourceforge. It is included with the web applications chapter. More than likely if you write Java code, you are already familiar with it. Comparing the print given to the other tools, PMD gets more attention and it appears with reason. In my opinion, in spite of several excellent books on proper coding for security, there is still not enough. It is hard to imagine how many problems would vanish with better coding. PMD is a rule based package which can be extended, which is demonstrated nicely, and includes a code walkthrough.
The second part of the book shows us to write our own tools, after we have have seen how to add our own special extensions to the standard tools. The first example is how to write a Linux Kernel Module. In true Unix tradition, it is "hello_world.c". Of course, this is fun, but much more interesting is the explanation and example to intercept system calls. Another review in this issue, of Rootkits by Hoglund and Butler, noted that Windows system call interception was a common technique. The Linux kernel, starting with 2.5, stopped exporting the sys_call_table structure, but the authors demonstrate a brute force method to gain access to system calls. They also show how to use LMK-based rootkits to hide processes (always a good idea) and part of rootkit.
As in the first part, web applications come under scrutiny. In this chapter the example is a simple scanner written in Perl. This is followed by an exploit scanner targeting SQL. The last two chapters teach you how to put together a network sniffer of your own and a packet injection tool. This all reminds me of the science kits for putting together a working tool or experiment. Everything you need is included and each project is just the right size to learn how to do it. This is great book for script-kiddies who might want to understand how those exploits come about.
It is also a good book for anyone who wants to get a handle on the tools used for security, perhaps to extend or write that customized application. This book makes the cut for one you should buy.