A few days ago, I finished the book Attacking Network Protocols by James Forshaw and wanted to write down some quick thoughts about it. In case you want to check it out yourself, you can find the relevant information in the ACM Digital Library.

After waiting a few days for the order to arrive, I grabbed my copy and headed to the nearest café.

It comes in the usual “No Starch Press” style, which I’ve grown accustomed to and find mostly readable and easy on the eyes, especially when it comes to code highlighting and formatting. Still, I think more color wouldn’t hurt, especially in the diagrams. To be fair, I don’t think this is something the author has control over when publishing with a publisher like No Starch Press.

Structure Link to heading

With roughly 290 pages of content across 10 chapters (and a useful appendix), it’s definitely manageable and shouldn’t take you too long if you’re generally familiar with the topics covered. I finished it in about 2 weeks, taking it with me on lunch breaks or whenever I had time to sit somewhere for a few minutes. The chapters are described in detail in the book, so here are just some personal takeaways.

Chapter 1 - The Basics of Networking Link to heading

This is the expected TCP/IP intro that you find in pretty much every networking book. I really like the notion that the author introduces about abstracting away the OSI layers and thinking about your target in terms of Content Layer (File Request), Encoding Layer (HTTP), and Transport Layer (TCP/IP).

Chapter 2 - Capturing Application Traffic Link to heading

This covers a lot of the surrounding work you need to do when analyzing network traffic: actually capturing the targeted traffic. There are a bunch of well-known tools and techniques covered in detail, like Wireshark, SOCKS Proxies, and ProcessMonitor.

What I liked was that the author also included tools like strace and DTrace. I knew from the Author’s GitHub and Project Zero blog posts that he has written a bunch of tooling for aiding security research, so I was excited to see his Canape library in action. I personally haven’t used it before, but I’ll give it a spin on the next occasion.

Chapter 3 - Network Protocol Structures Link to heading

If you’ve seen The Martian, you know that you should always have an ASCII table at the ready. This chapter has one. Alongside it, you’ll find many other useful explanations and examples of how your computer (and everyone else’s, for that matter) represents binary data. You will learn about Encoding Schemes, Endianess, IEEE-754, Unicode, and ASN.1, among others.

This is definitely something that might be a bit overwhelming for people who are just starting to learn about network protocols, but it’s all the more important when actually trying to attack them. Make sure you internalize the information here.

Chapter 4 - Advanced Application Traffic Capture Link to heading

This chapter is short and sweet, focusing on a few techniques to capture traffic. It starts with a nice refresher on the basics like ARP, DHCP, Routing, and SNAT/DNAT. Then it shows you how to use Ettercap to position yourself as an Attacker-in-the-Middle via ARP Spoofing.

Chapter 5 - Analysis from the Wire Link to heading

No book about networking is complete without at least mentioning Wireshark (for good reason!), and this one is no exception. Its usage is demonstrated on a custom chat protocol implementation and should enable you to start using it right away. I really liked the part about building a Dissector, which I had never done before.

Chapter 6 - Application Reverse Engineering Link to heading

Make no mistake, Reverse Engineering is a huge topic, and there have been plenty of books written about it. Don’t expect to fully grasp everything by reading a single chapter in one book. That being said, I think the author did a good job of providing just enough content to give you the basics (or refresh old memories).

You will learn about lower-level details of the x86 architecture, how Threads and Processes work, get a crash course in Assembly, and receive a small introduction to IDA Pro. Lots of good knowledge here.

Chapter 7 - Network Protocol Security Link to heading

What I said earlier about Reverse Engineering holds true for cryptography as well, which is the subject of this chapter. It introduces you to a spectrum of techniques, ranging from simple XOR operations to block ciphers like AES, Diffie-Hellman Key Exchanges, RSA, Collision Attacks, X509 Certificates, and more.

You will also learn about the PKI, which is the “backbone of trust” in today’s internet (for better or worse).

It doesn’t go into too much depth mathematically or into more exotic things like ECC, which is probably for the best since this would be kind of overkill for the scope of the book. Still, I feel it introduces just the right amount of technical background to make the reader comfortable with the basics and a bit beyond. I’m certainly no expert on the subject, and I definitely liked the quick refresher.

Chapter 8 - Implementing the Network Protocol Link to heading

As the title suggests, this chapter is more development-focused, but you will use knowledge and tools described throughout the book. It starts by capturing traffic with tshark (which I really like) and then building a quick Python script to replay the packets to the server. If you ever wanted to play a CTF, take note, because this is perfect practice material.

The rest of the chapter is pretty much focused on .NET and programming topics like Reflection, Assemblies, and ctypes, with the overarching theme being the development of the server component. It also describes how to set up a self-signed Certificate in your development setup.

Chapter 9 - The Root Causes of Vulnerabilities Link to heading

This chapter provides a broad overview of different types of vulnerabilities and their root causes. While not going too deep into each single vulnerability type, the book does a decent job of explaining them in terms of network protocols. For example, while most books explain buffer overflows in terms of user input being read from a terminal and copied into a (stack) buffer, here you’ll see the data being copied from a network socket.

This might not sound like much, but it makes the book much more approachable, as it’s not just random topics thrown together for the sake of it. For people who have never seen or thought about security issues, this (and the next) chapter might be a bit daunting, but I really felt it did a good job of introducing various different topics like Auth Bypass, RCE, DoS, Buffer Overflow, Unsafe String Functions, Data Expansion Attack, Path Canonicalization Issues, Format Strings, and SQL Injection.

Chapter 10 - Finding and Exploiting Security Vulnerabilities Link to heading

This last chapter continues the theme of the previous one and dives deeper into actually exploiting vulnerabilities. Starting with a short intro into the art of Fuzzing with the simple bitflippers and the well-known one-line fuzzer

1cat /dev/urandom | nc <host> <port>

As this kind of work requires the right tools for the job, you will find extensive examples of using debuggers like CDB/LLDB/GDB and learn about techniques like PageHeap and AddressSanitizer.

With those tools in hand, the chapter closes with good examples of how to exploit vulnerabilities like Stack Buffer Overflows/Underflows, Use-After-Free, how to write and debug Shellcode and how to defeat mitigations like ASLR with Return-Oriented Programming.

Favorite Parts Link to heading

While I liked the book in general, it definitely became more interesting as it progressed. This is perhaps not the kind of book you want to pick up if your goal is just to get a surface-level understanding of TCP/IP and you’ve only just started your first Introduction to Python lecture on Udemy.

That being said, I’m glad I picked it up and would definitely recommend it. What better way to spend a Friday afternoon than with a Chai-Presso and some good infosec literature 🙂 ?