Hacking Exposed


Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-178029-2
MHID: 0-07-178029-7

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-178028-5, MHID: 0-07-178028-9.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
To my amazing boys (who hack me on a daily basis), I love you beyond words. FANMW… URKSHI. To my Dawn, for her seemingly endless patience and love—I never knew the meaning of both until you. And to the new girls in my life, Jessica and Jillian… I love you.
—Stuart McClure

To Austin, TX, my new home and a great place to live; hopefully we’re helping keep it weird.
—Joel Scambray

To my loving family, Anna, Alexander, and Allegra who provide inspiration and support, allowing me to follow my passion. To the late Joe Petrella, for always reminding me “many are called—few are chosen…”
—George Kurtz
ABOUT THE AUTHORS

Stuart McClure

Stuart McClure, CNE, CCSE, is the CEO/President of Cylance, Inc., an elite global security services and products company solving the world’s most difficult security problems for the most critical companies around the globe. Prior to Cylance, Stuart was Global CTO for McAfee/Intel, where he was responsible for a nearly $3B consumer and corporate security products’ business. During his tenure at McAfee, Stuart McClure also held the General Manager position for the Security Management Business for McAfee/Intel, which enabled all McAfee corporate security products to be operationalized, managed, and measured. Alongside those roles, Stuart McClure ran an elite team of good guy hackers inside McAfee called TRACE that discovered new vulnerabilities and emerging threats. Before McAfee, Stuart helped run security at the largest healthcare company in the U.S., Kaiser Permanente. In 1999, Stuart was also the original founder of Foundstone, Inc., a global consulting and products company, which was acquired by McAfee in 2004.

Stuart is the creator, lead author, and original founder of the Hacking Exposed™ series of books and has been hacking for the good guys for over 25 years. Widely recognized and asked to present his extensive and in-depth knowledge of hacking and exploitation techniques, Stuart is considered one of the industry’s leading authorities on information security risk today. A well-published and acclaimed security visionary, McClure brings a wealth of technical and executive leadership with a profound understanding of both the threat landscape and the operational and financial risk requirements to be successful in today’s world.
Joel Scambray

Joel is a Managing Principal at Cigital, a leading software security firm established in 1992. He has assisted companies ranging from newly minted startups to members of the Fortune 500 to address information security challenges and opportunities for over 15 years. Joel’s background includes roles as an executive, technical consultant, and entrepreneur. He cofounded and led information security consulting firm Consciere before it was acquired by Cigital in June 2011. He has been a Senior Director at Microsoft Corporation, where he provided security leadership in Microsoft’s online services and Windows divisions. Joel also cofounded security software and services startup Foundstone, Inc. and helped lead it to acquisition by McAfee in 2004. He previously held positions as a Manager for Ernst & Young, security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and Director of IT for a major commercial real-estate firm.

Joel is a widely recognized writer and speaker on information security. He has co-authored and contributed to over a dozen books on IT and software security, many of them international best-sellers. He has spoken at forums including Black Hat, as well as for organizations, including IANS, CERT, CSI, ISSA, ISACA, and SANS, private corporations, and government agencies, including the FBI and the RCMP. Joel holds a BS from the University of California at Davis, an MA from UCLA, and he is a Certified Information Systems Security Professional (CISSP).
George Kurtz

George Kurtz, CISSP, CISA, CPA, is cofounder and CEO of CrowdStrike, a cutting-edge big data security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information. George is also an internationally recognized security expert, author, entrepreneur, and speaker. He has almost 20 years of experience in the security space and has helped hundreds of large organizations and government agencies around the world tackle the most demanding security problems. His entrepreneurial background and ability to commercialize nascent technologies has enabled him to drive innovation throughout his career by identifying market trends and correlating them with customer feedback, resulting in rapid growth for the businesses he has run.

In 2011, George relinquished his role as McAfee’s Worldwide Chief Technology Officer to his co-author and raised $26M in venture capital to create CrowdStrike. During his tenure as McAfee’s CTO, Kurtz was responsible for driving the integrated security architectures and platforms across the entire McAfee portfolio. Kurtz also helped drive the acquisition strategy that allowed McAfee to grow from $1b in revenue in 2007 to over $2.5b in 2011. In one of the largest tech M&A deals in 2011, Intel (INTC) acquired McAfee for nearly $8b. Prior to joining McAfee, Kurtz was Chief Executive Officer and cofounder of Foundstone, Inc., which was acquired by McAfee in October 2004. You can follow George on Twitter @george_kurtz or his blog at securitybattlefield.com.
About the Contributing Authors

Christopher Abad is a security researcher at McAfee focusing on embedded threats. He has 13 years of professional experience in computer security research and software and hardware development and studied mathematics at UCLA. He has contributed to numerous security products and has been a frequent speaker at various security conferences over the years.

Brad Antoniewicz works in Foundstone’s security research division to uncover flaws in popular technologies. He is a contributing author to both the Hacking Exposed and Hacking Exposed Wireless series of books and has authored various internal and external Foundstone tools, whitepapers, and methodologies.
Christiaan Beek is a principal architect on the McAfee Foundstone Services team. As such, he serves as the practice lead for the Incident Response and Forensics services team in EMEA. He has performed numerous forensic investigations from system compromise, theft, child pornography, malware infections, Advanced Persistent Threats (APT), and mobile devices.

Carlos Castillo is a Mobile Malware Researcher at McAfee, an Intel company, where he performs static and dynamic analysis of suspicious applications to support McAfee’s Mobile Security for Android product. Carlos’ recent research includes dissection of the Android Market malware DroidDream, and he is the author of “Android Malware Past, Present, and Future,” a whitepaper published by McAfee. Carlos also is an active blogger on McAfee Blog Central. Prior to McAfee, Carlos performed security compliance audits for the Superintendencia Financiera of Colombia. Before that, Carlos worked at a security startup Easy Solutions, Inc., where he conducted penetration tests on web applications, helped shut down phishing and malicious websites, supported security and network appliances, performed functional software testing, and assisted in research and development related to anti-electronic fraud. Carlos joined the world of malware research when he won ESET Latin America’s “Best Antivirus Research” contest. His winning paper was entitled “Sexy View: The Beginning of Mobile Botnets.” Carlos holds a degree in Systems Engineering from the Universidad Javeriana in Bogotá, Colombia.
Carric Dooley has been working primarily in information security since 1997. He originally joined the Foundstone Services team in March 2005 after five years on the ISS Professional Services team. Currently he is building the Foundstone Services team in EMEA and lives in the UK with his lovely wife, Michelle, and three children. He has led hundreds of assessments of various types for a wide range of verticals, and regularly works with globally recognized banks, petrochemicals, and utilities, and consumer electronics companies in Europe and the Middle East. You may have met Carric at either the Black Hat (Vegas/Barcelona/Abu Dhabi) or Defcon conferences, where he has been on staff and taught several times, in addition to presenting at Defcon 16.
Max Klim is a security consultant with Cigital, a leading software security company founded in 1992. Prior to joining Cigital, Max worked as a security consultant with Consciere. Max has over nine years of experience in IT and security, having served both Fortune 500 organizations and startups. He has extensive experience in penetration testing, digital forensics, incident response, compliance, and network and security engineering. Max holds a Bachelor of Applied Science in Information Technology Management from Central Washington University and is an Encase Certified Examiner (EnCE), Certified Information Systems Security Professional (CISSP), and holds several Global Information Assurance Certification (GIAC) credentials.
Tony Lee has over eight years of professional experience pursuing his passion in all areas of information security. He is currently a Principal Security Consultant at Foundstone Professional Services (a division of McAfee), in charge of advancing many of the network penetration service lines. His interests of late are Citrix and kiosk hacking, post exploitation, and SCADA exploitation. As an avid educator, Tony has instructed thousands of students at many venues worldwide, including government agencies, universities, corporations, and conferences such as Black Hat. He takes every opportunity to share knowledge as a lead instructor for a series of classes that includes Foundstone’s Ultimate Hacking (UH), UH: Windows, UH: Expert, UH: Wireless, and UH: Web. He holds a Bachelor of Science in Computer Engineering from Virginia Tech (Go Hokies!) and Master of Science in Security Informatics from The Johns Hopkins University.
Slavik Markovich has over 20 years of experience in infrastructure, security, and software development. Slavik cofounded Sentrigo, the database security company recently acquired by McAfee. Prior to co-founding Sentrigo, Slavik served as VP R&D and Chief Architect at db@net, a leading IT architecture consultancy. Slavik has contributed to open source projects and is a regular speaker at industry conferences.
Hernan Ochoa is a security consultant and researcher with over 15 years of professional experience. Hernan is the founder of Amplia Security, provider of information security–related services, including network, wireless, and web application penetration tests, standalone/client-server application black-box assessments, source code audits, reverse engineering, and vulnerability analysis. Hernan began his professional career in 1996 with the creation of Virus Sentinel, a signature-based file/memory/mbr/boot sector detection/removal antivirus application with heuristics to detect polymorphic viruses. Hernan also developed a detailed technical virus information database and companion newsletter. He joined Core Security Technologies in 1999 and worked there for 10 years in various roles, including security consultant and exploit writer performing diverse types of security assessments, developing methodologies, shellcode, and security tools, and contributing new attack vectors. He also designed and developed several low-level/kernel components for a multi-OS security system ultimately deployed at a financial institution, and served as “technical lead” for ongoing development and support of the multi-OS system. Hernan has published a number of security tools and presented his work at several international security conferences including Black Hat, Hack in the Box, Ekoparty, and RootedCon.
Dr. (Shane) Shook is a Senior Information Security advisor and SME who has architected, built, and optimized information security implementations. He conducts information security audits and vulnerability assessments, business continuity planning, disaster recovery testing, and security incident response, including computer forensics analysis and malware assessment. He has provided expert testimony on technical issues in criminal, class action, IRS, SEC, EPA, and ITC cases, as well as state and federal administrative matters.
Nathan Sportsman is the founder and CEO of Praetorian, a privately held, multimillion-dollar security consulting, research, and product company. He has extensive experience in information security and has consulted across most industry sectors with clients ranging from the NASDAQ stock exchange to the National Security Agency. Prior to founding Praetorian, Nathan held software development and consulting positions at Sun Microsystems, Symantec, and McAfee. Nathan is a published author, US patent holder, NIST individual contributor, and DoD cleared resource. Nathan holds a degree in Electrical & Computer Engineering from The University of Texas.
About the Technical Reviewers

Ryan Permeh is chief scientist at McAfee. He works with the Office of the CTO to envision how to protect against the threats of today and tomorrow. He is a vulnerability researcher, reverse engineer, and exploiter with 15 years of experience in the field. Ryan has spoken at several security and technology conferences on advanced security topics, published many blogs and articles, and contributed to books on the subject.

Mike Price is currently chief architect for iOS at Appthority, Inc. In this role, Mike focuses full time on research and development related to iOS operating system and application security. Mike was previously Senior Operations Manager for McAfee Labs in Santiago, Chile. In this role, Mike was responsible for ensuring smooth operation of the office, working with external entities in Chile and Latin America and generally promoting technical excellence and innovation across the team and region. Mike was a member of the Foundstone Research team for nine years. Most recently, he was responsible for content development for the McAfee Foundstone Enterprise vulnerability management product. In this role, Mike worked with and managed a global team of security researchers responsible for implementing software checks designed to detect the presence of operating system and application vulnerabilities remotely. He has extensive experience in the information security field, having worked in the area of vulnerability analysis and infosec-related R&D for nearly 13 years. Mike is also cofounder of the 8.8 Computer Security Conference, held annually in Santiago, Chile. Mike was also a contributor to Chapter 11.
AT A GLANCE

Part I Casing the Establishment
1 Footprinting
2 Scanning
3 Enumeration

Part II Endpoint and Server Hacking
4 Hacking Windows
5 Hacking UNIX
6 Cybercrime and Advanced Persistent Threats

Part III Infrastructure Hacking
7 Remote Connectivity and VoIP Hacking
8 Wireless Hacking
9 Hacking Hardware

Part IV Application and Data Hacking
10 Web and Database Hacking
11 Mobile Hacking
12 Countermeasures Cookbook

Part V Appendixes
A Ports
B Top 10 Security Vulnerabilities
C Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks

Index
