book

Hacking: The Next Generation

by Nitesh Dhanjani, Billy Rios, Brett Hardin

August 2009

Beginner

298 pages

9h 5m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Hacking: The Next Generation
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Preface
Audience
Assumptions This Book Makes
Contents of This Book
Conventions Used in This Book
Using Code Examples
We’d Like to Hear from You
Safari® Books Online
Acknowledgments

1. Intelligence Gathering: Peering Through the Windows to Your Organization
Physical Security EngineeringDumpster DivingHanging Out at the Corporate Campus
Google Earth
Social Engineering Call Centers
Search Engine Hacking
Google HackingAutomating Google HackingExtracting Metadata from Online DocumentsSearching for Source Code
Leveraging Social Networks
Facebook and MySpaceAbusing FacebookTwitter
Tracking Employees
Email Harvesting with theHarvesterResumésJob PostingsGoogle Calendar
What Information Is Important?
Summary
2. Inside-Out Attacks: The Attacker Is the Insider
Man on the Inside
Cross-Site Scripting (XSS)
Stealing SessionsInjecting ContentStealing Usernames and PasswordsAdvanced and Automated Attacks
Cross-Site Request Forgery (CSRF)
Inside-Out Attacks
Content Ownership
Abusing Flash’s crossdomain.xmlAbusing JavaAttacking Code.google.com
Advanced Content Ownership Using GIFARs
Stealing Documents from Online Document Stores
Stealing Files from the Filesystem
Safari File StealingThe feed:// protocol handlerUsing Java to steal files
Summary
3. The Way It Works: There Is No Patch
Exploiting Telnet and FTPSniffing CredentialsBrute-Forcing Your Way InHijacking Sessions
Abusing SMTP
Snooping EmailsSpoofing Emails to Perform Social Engineering
Abusing ARP
Poisoning the NetworkCain & AbelSniffing SSH on a Switched NetworkLeveraging DNS for Remote ReconnaissanceDNS Cache SnoopingThe snooping attack in a nutshellA tool to snoop DNS cachesSample output of cache_snoop.pl
Summary
4. Blended Threats: When Applications Exploit Each Other
Application Protocol HandlersFinding Protocol Handlers on WindowsFinding Protocol Handlers on Mac OS XFinding Protocol Handlers on Linux
Blended Attacks
The Classic Blended Attack: Safari’s Carpet BombThe FireFoxUrl Application Protocol HandlerMailto:// and the Vulnerability in the ShellExecute Windows APIThe iPhoto Format String ExploitBlended Worms: Conficker/Downadup
Finding Blended Threats
Summary
5. Cloud Insecurity: Sharing the Cloud with Your Enemy
What Changes in the CloudAmazon’s Elastic Compute CloudGoogle’s App EngineOther Cloud Offerings
Attacks Against the Cloud
Poisoned Virtual MachinesAttacks Against Management ConsolesSecure by DefaultAbusing Cloud Billing Models and Cloud PhishingGoogling for Gold in the Cloud
Summary
6. Abusing Mobile Devices: Targeting Your Mobile Workforce
Targeting Your Mobile WorkforceYour Employees Are on My NetworkGetting on the NetworkDirect Attacks Against Your Employees and AssociatesPutting It Together: Attacks Against a Hotspot UserTapping into VoicemailExploiting Physical Access to Mobile Devices
Summary
7. Infiltrating the Phishing Underground: Learning from Online Criminals?
The Fresh Phish Is in the Tank
Examining the Phishers
No Time to PatchThank You for Signing My GuestbookSay Hello to Pedro!Isn’t It Ironic?
The Loot
Uncovering the Phishing KitsPhisher-on-Phisher Crime
Infiltrating the Underground
Google ReZulTFullz for Sale!Meet Cha0
Summary
8. Influencing Your Victims: Do What We Tell You, Please
The Calendar Is a Gold MineInformation in CalendarsWho Just Joined?Calendar Personalities
Social Identities
Abusing Social ProfilesStealing Social IdentitiesBreaking Authentication
Hacking the Psyche
Summary
9. Hacking Executives: Can Your CEO Spot a Targeted Attack?
Fully Targeted Attacks Versus Opportunistic Attacks
Motives
Financial GainConverting information to currencyVengeanceBenefit and Risk
Information Gathering
Identifying ExecutivesThe Trusted CircleIdentifying the trusted circle: Network analysisFriends, family, and colleaguesTwitterTweetStatsClicking links on TwitterOther Social Applications
Attack Scenarios
Email AttackIdentifying the executive to attackFinding a potential lureIdentifying the email address of the lureConstructing the emailTargeting the AssistantTrusted circle attack on the assistantLeveraging the assistant’s trustMemory Sticks
Summary
10. Case Studies: Different Perspectives
The Disgruntled EmployeeThe Performance ReviewSpoofing into Conference CallsThe Win
The Silver Bullet
The Free LunchThe SSH ServerTurning the Network Inside OutA Fool with a Tool Is Still a Fool
Summary
A. Chapter 2 Source Code Samples
Datamine.js
Pingback.js
External-datamine.js
XHRIEsniperscope()
Codecrossdomain.java
HiddenClass.java
B. Cache_Snoop.pl
Index
About the Authors
Colophon
SPECIAL OFFER: Upgrade this ebook with O’Reilly

Overview

With the advent of rich Internet applications, the explosion of social media, and the increased use of powerful cloud computing infrastructures, a new generation of attackers has added cunning new techniques to its arsenal. For anyone involved in defending an application or a network of systems, Hacking: The Next Generation is one of the few books to identify a variety of emerging attack vectors.

You'll not only find valuable information on new hacks that attempt to exploit technical flaws, you'll also learn how attackers take advantage of individuals via social networking sites, and abuse vulnerabilities in wireless technologies and cloud infrastructures. Written by seasoned Internet security professionals, this book helps you understand the motives and psychology of hackers behind these attacks, enabling you to better prepare and defend against them.

Learn how "inside out" techniques can poke holes into protected networks
Understand the new wave of "blended threats" that take advantage of multiple application vulnerabilities to steal corporate data
Recognize weaknesses in today's powerful cloud infrastructures and how they can be exploited
Prevent attacks against the mobile workforce and their devices containing valuable data
Be aware of attacks via social networking sites to obtain confidential information from executives and their assistants
Get case studies that show how several layers of vulnerabilities can be used to compromise multinational corporations

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780596806309Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills