A while ago, I had the crazy idea that I needed to read more technical books, so I purchased a pair of books that appealed to me: Attacking Network Protocols and Serious Cryptography, both published by No Starch Press. I was interested in reading along with others and sharing our thoughts and opinions, so I spoke with members of VERT and our marketing team. Thus #TripwireBookClub was born. Since I already owned Attacking Network Protocols, it became the first book we read. Attacking Network Protocols: A Hacker’s Guide to Capture, Analysis, and Exploitation by James Forshaw is designed to take you from "The Basics of Networking" all the way to "Finding and Exploiting Security Vulnerabilities" (coincidentally, the names of the first and last chapters of the book). The book covers an almost dizzying array of topics in simple and easy-to-understand language; it could easily read as the syllabus and course text for a college computer security course. The author, James Forshaw, is well known for his security research and conference talks, and the book reads like a download from his mind to yours. There are very few individuals better suited to share their knowledge on this subject, and James goes out of his way to include code examples that you can download as a companion to the book. There are a few moments in the book where it feels like the technical editor let items fall through the cracks and where the terminology isn’t as precise as you’d like, but, in the end, it stands as one of the best, if not the best, reference books on this material. Here's what others who read the book with me had to say...
Attacking Network Protocols covers a variety of topics, but the Application Reverse Engineering chapter has to be mentioned. The Application Reverse Engineering chapter covers the difference between interpreted languages and compiled languages. James Forshaw’s explanation was pretty accurate and allowed a reader without any knowledge to understand the difference. The author went on and gave a great review of the x86 architecture by going into detail on the common x86 instructions. Furthermore, James Forshaw helped the reader understand the difference between the CPU registers and how the registers are broken down into four main categories. These explanations would help a reader without any knowledge of the x86 architecture and the CPU registers to understand the information and hopefully continue on reading without an issue. Without these explanations, a reader could potentially get confused in the chapter and potentially not want to read the remainder of the book. This may have been especially true for the IDA Pro Free Edition guide. This guide goes into some of the basics of IDA Pro Free Edition and could have confused the reader if they didn’t know the common x86 instructions and CPU registers. At the end of the chapter, James Forshaw mentions that you should not get frustrated by reverse engineering, as you may not be able to learn all the aspects very easily.
– Andrew Swoboda, Security Researcher, Tripwire
Attacking Network Protocols by James Forshaw provides a solid introduction to network bug hunting. The book provides hands-on activities for readers to follow along and develop their knowledge of important concepts. I would definitely recommend this book to anyone looking to learn the ropes of network analysis and bug hunting. More experienced hackers may also find value in this book but will likely want to skip at least the first 6 chapters. As someone who has already spent years analyzing and hacking on network protocols, I can’t say I really learned much from this book, but there are definitely some resources I expect to use in the future. For example, chapter 10 has some helpful listings of equivalent debugging commands for CDB (Windows), GDB, and LLDB. This book did, however, lose some points from me due to some loose technical wording. I’ll acknowledge that this may be a bit of nitpicking on my part, but I prefer when technical resources use proper technical terms as much as possible. A prime example of this in Attacking Network Protocols is the sometimes-imprecise use of the term ‘packet’. For example, chapter 7 has a diagram of the TLS handshake process where handshake messages are referred to as packets rather than messages. This is a minor distinction, but there are times when it can be rather important to distinguish between packets and higher-level protocol constructs. Apart from that, I found myself wondering if this book was a bit too ambitious in the material it covered. I think it might make more sense to separate some of the more detailed technical discussion from the more beginner topics like character sets, executable formats, and packet capture techniques. The bottom line here is that this book does an excellent job in conveying a little information about a lot of different topics, but these topics span a wide range of technical depth and are therefore likely to leave some readers feeling a little lost while leaving other readers a little bored.
– Craig Young, Principal Security Researcher, Tripwire
This month, I had the pleasure of reading Attacking Network Protocols written by James Forshaw. The book is intended to introduce readers to the art and science of network protocol analysis with an overall goal of teaching readers how to understand computer communication protocols in order to find security vulnerabilities. Providing a single book with all the necessary knowledge to go from reading data off the wire to discovering new vulnerabilities in a protocol is not trivial. However, James does a great job of providing just the right amount of knowledge in a very logical and concise sequence of chapters that gives the reader a very good basis for understanding network protocols for analysis, vulnerability research, penetration testing, and such. My favorite chapters in the book were chapter 6 and chapter 10. Chapter 6 covered application reverse engineering. I’ve never been much involved with reverse engineering, so it was neat to read about it in the context of reverse engineering network protocols. Entire books are written on reverse engineering, but James does a great job of getting the reader up and going in a single chapter while introducing the reader to all the modern and important aspects of reverse engineering. After reading Chapter 6, one gains a view of most of the basics, from understanding the x86 processor architecture to details of compiled programs to operating systems and through static and dynamic reverse engineering along with many important tools used for these technologies. Chapter 10 was also packed with many pieces of useful information related to finding and exploiting vulnerabilities in protocols, specifically applications that use or implement network protocols. The chapter starts with a very brief discussion of fuzz testing, aka fuzzing. Unfortunately, there was not much detail on this very important piece of the puzzle needed for finding and exploiting network application vulnerabilities. That is my main complaint for Chapter 10.
Other than that, the chapter goes into all the important information needed for the goals of this chapter. After reading Chapter 10, one gains an understanding of vulnerability exploitation, developing shellcode, and memory corruption, including an understanding of mitigations for memory corruption. Overall, this book was a great read, and I would recommend it for anyone who is interested in the technical side of computer and network security or even for engineers who need to understand how to write more secure code.
– Lane Thames, Senior Security Researcher, Tripwire
Attacking Network Protocols is a solid practical guide for someone looking for an introduction to network security from an offensive perspective. Forshaw includes a custom C# library so a beginner doesn’t have to spend time reinventing any wheels, and by the end of the book, someone with zero prior experience can come away with the experience of implementing a demo network protocol and exploiting it. Forshaw covers a lot of the practicalities for network analysis and capture, including packet capture, setting up proxies and man-in-the-middle setups, ARP poisoning, and some basic disassembly, and he includes beginner-friendly step-by-step demos for the related tools you’ll need to do all of the above. These practical sections do a terrific job getting your feet wet. Forshaw also spends a lot of time, especially in the early chapters, on broad overviews of different aspects of network security. Forshaw starts almost from zero, giving a crash course on networking fundamentals, and there are sections of the book dedicated to the basics of networking protocols, encryption, and various classes of vulnerabilities. Some chapters seem written for different audiences. For example, when discussing networking fundamentals, Forshaw seems to presume almost no prior technical knowledge, but later chapters (particularly the chapter on reverse engineering and the final chapter) could be a slog for the same reader. A novice reader will need to be prepared for that uneven learning curve, and a more advanced reader should be prepared to selectively skim. In these conceptual sections, Forshaw will move on after only touching on the broad strokes of any particular subject, and the practical sections are primarily demonstrations rather than comprehensive guides. If you’re someone who can let things go and research them later, Forshaw’s approach will leave you inspired to do so. But if you’re a depth-first kind of person, it could also leave you frustrated.
I’d recommend Attacking Network Protocols for anyone who is interested in network security but doesn’t know where to start—it’ll leave you with a big picture and the appetite for more.
– Ed Bull, Security Researcher, Tripwire
At this point, hopefully you’ve made an informed decision surrounding the book and you’re thinking about picking up a copy to give it a read. There’s a lot of good to be said for the book, which is why I would lean toward giving the book a 4.5/5. The book presents a lot of solid, useful information and really just needs a better set of eyes performing the secondary review, which likely would have caught most of the issues that people identified. Several years ago, I designed a college course around computer security and hacking techniques and used Gray Hat Hacking, Second Edition as the course text (upgrading to the Third Edition in a later semester). While I haven’t read the latest edition (the Fifth Edition comes out in June and is likely a book we’ll look at later this year), I suspect that Attacking Network Protocols would have served me just as well as the textbook for the course.