- ホーム
- > 洋書
- > 英文書
- > Internet / General
Full Description
The complete guide to today's hard-to-defend chained attacksthem and preventing themNowadays, it's rare for malicious hackers to rely on just one exploit or tool; instead, they use "chained" exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don't cover them at all. Now there's a book that brings together start-to-finish information about today's most widespread chained exploits-both how to perform them and how to prevent them. Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today's most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering. Writing for security, network, and other IT professionals, the authors take you through each attack, one step at a time, and then introduce today's most effective countermeasures- both technical and human. Coverage includes:Constructing convincing new phishing attacks Discovering which sites other Web users are visiting Wreaking havoc on IT security via wireless networks Disrupting competitors' Web sites Performing-and preventing-corporate espionage Destroying secure files Gaining access to private healthcare records Attacking the viewers of social networking pages Creating entirely new exploits and moreAndrew Whitaker, Director of Enterprise InfoSec and Networking for Training Camp, has been featured in The Wall Street Journal and BusinessWeek. He coauthored Penetration Testing and Network Defense. Andrew was a winner of EC Council's Instructor of Excellence Award.Keatron Evans is President and Chief Security Consultant of Blink Digital Security, LLC, a trainer for Training Camp, and winner of EC Council's Instructor of Excellence Award. Jack B. Voth specializes in penetration testing, vulnerability assessment, and perimeter security. He co-owns The Client Server, Inc., and teaches for Training Camp throughout the United States and abroad.informit.com/awCover photograph (c) Corbis /Jupiter Images$49.99 US $59.99 CANADA
Contents
Introduction xviiChapter 1 Get Your Free Credit Cards Here 1Setting the Stage 1The Approach 1The Chained Exploit 2Enumerating the PDXO Web Site 3Enumerating the Credit Card Database 5Stealing Credit Card Information from the Web Site 11Selling the Credit Card Information on the Underground Market 13Defacing the PDXO Web Site 15Chained Exploit Summary 16Countermeasures 17Change the Default HTTP Response Header 17Do Not Have Public Access to Developer Sites 17Do Not Install SQL Server on the Same Machine as IIS 17Sanitize Input on Web Forms 18Do Not Install IIS in the Default Location 18Make Your Web Site Read-Only 18Remove Unnecessary Stored Procedures from Your SQL Database 18Do Not Use the Default Username and Password for Your Database 18Countermeasures for Customers 19Conclusion 20Chapter 2 Discover What Your Boss Is Looking At 21Setting the Stage 21The Approach 22For More Information 25The Chained Exploit 28Phishing Scam 29Installing Executables 32Setting Up the Phishing Site 38Sending Mr. Minutia an E-mail 38Finding the Boss's Computer 42Connecting to the Boss's Computer 43WinPcap 45Analyzing the Packet Capture 46Reassembling the Graphics 48Other Possibilities 51Chained Exploit Summary 52Countermeasures 52Countermeasures for Phishing Scams 53Countermeasures for Trojan Horse Applications 53Countermeasures for Packet-Capturing Software 54Conclusion 54Chapter 3 Take Down Your Competitor's Web Site 55Setting the Stage 55The Approach 57For More Information 59The Chained Exploit 59Attack #1: The Test 60Attack #2: The One That Worked 66Getting Access to the Pawn Web site 68Lab-Testing the Hack 70Modifying the Pawn Web Site 80Other Possibilities 83Chained Exploit Summary 84Countermeasures 85Countermeasures for Hackers Passively Finding Information about Your Company 85Countermeasures for DDoS Attacks via ICMP 85Countermeasures for DDoS Attacks via HTTP and Other Protocols 86Countermeasures for Unauthorized Web Site Modification 86Countermeasures for Compromise of Internal Employees 87Conclusion 88Chapter 4 Corporate Espionage 89Setting the Stage 89The Approach 91The Chained Exploit 92Reconnaissance 92Getting Physical Access 96Executing the Hacks 101Bringing Down the Hospital 107Other Possibilities 119Chained Exploit Summary 120Countermeasures 121Countermeasures for Physical Security Breaches and Access Systems Compromise 121Countermeasures for Scanning Attacks 121Countermeasures for Social Engineering 122Countermeasures for Operating System Attacks 122Countermeasures for Data Theft 123Conclusion 124Chapter 5 Chained Corporations 125Setting the Stage 125The Approach 126The Chained Exploit 127Reconnaissance 127Social Engineering Attack 135More and Yet More Recon 137Aggressive Active Recon 140Building the Exploit Infrastructure 149Testing the Exploit 156Executing the Hack 166Constructing the Rootkit 167Game Over-The End Result 172Other Possibilities 173Chained Exploit Summary 173Countermeasures 174Countermeasures for Hackers Passively Finding Information about Your Company 174Countermeasures for Social Engineering Attack on Visual IQ 175Countermeasures for Recon on the Visual IQ Software 175Countermeasures for Wi-Fi Attack on Quizzi Home Network 175Countermeasures for the Keylogger Attack 176Conclusion 176Chapter 6 Gain Physical Access to Healthcare Records 177Setting the Stage 177The Approach 179For More Information 179The Chained Exploit 181Social Engineering and Piggybacking 181Gaining Physical Access 195Booting into Windows with Knoppix 201Modifying Personally Identifiable Information or Protected Medical Information 204Chained Exploit Summary 205Countermeasures 205Social Engineering and Piggybacking 206Lock Picking 208Defeating Biometrics 208Compromising a PC 208Conclusion 209Chapter 7 Attacking Social Networking Sites 211Setting the Stage 211The Approach 212The Chained Exploit 213Creating a Fake MySpace Web Site 213Creating the Redirection Web Site 217Creating a MySpace Page 218Sending a Comment 221Compromising the Account 224Logging In to the Hacked Account 224The Results 227Chained Exploit Summary 228Countermeasures 228Avoid Using Social Networking Sites 229Use a Private Profile 229Be Careful about Clicking on Links 229Require Last Name / E-mail Address to Be a Friend 230Do Not Post Too Much Information 230Be Careful When Entering Your Username/Password 230Use a Strong Password 230Change Your Password Frequently 231Use Anti-Phishing Tools 231Conclusion 231Chapter 8 Wreaking Havoc from the Parking Lot 233Setting the Stage 233The Approach 236For More Information 237Accessing Networks Through Access Points 238The Chained Exploit 239Connecting to an Access Point 239Performing the Microsoft Kerberos Preauthentication Attack 248Cracking Passwords with RainbowCrack 254Pilfering the Country Club Data 256Chained Exploit Summary 257Countermeasures 258Secure Access Points 258Configure Active Directory Properly 259Use an Intrusion Prevention System or Intrusion Detection System 260Update Anti-Virus Software Regularly 261Computer Network Security Checklist 261Conclusion 266TOC, 2/9/09, 9780321498816
