Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition, 4th Edition

Previous Chapter

Gray Hat Hacking The Ethical Hacker’s Handbook, Fourth Edition

CONTENTS

Acknowledgments

Part I Crash Course: Preparing for the War

Chapter 1 Ethical Hacking and the Legal System

Why You Need to Understand Your Enemy’s Tactics

Recognizing Trouble When It Happens

The Ethical Hacking Process

The Penetration Testing Process

What Would an Unethical Hacker Do Differently?

The Rise of Cyberlaw

Understanding Individual Cyberlaws

The Controversy of “Hacking” Tools

Vulnerability Disclosure

Different Teams and Points of View

How Did We Get Here?

CERT’s Current Process

Organization for Internet Safety

Conflicts Will Still Exist

“No More Free Bugs”

Bug Bounty Programs

For Further Reading

Chapter 2 Programming Survival Skills

C Programming Language

Basic C Language Constructs

Compiling with gcc

Computer Memory

Random Access Memory (RAM)

Segmentation of Memory

Programs in Memory

Strings in Memory

Putting the Pieces of Memory Together

Intel Processors

Assembly Language Basics

Machine vs. Assembly vs. C

Addressing Modes

Assembly File Structure

Debugging with gdb

Disassembly with gdb

Python Survival Skills

Hello World in Python

Files with Python

Sockets with Python

For Further Reading

Chapter 3 Static Analysis

Ethical Reverse Engineering

Why Bother with Reverse Engineering?

Reverse Engineering Considerations

Source Code Analysis

Source Code Auditing Tools

The Utility of Source Code Auditing Tools

Manual Source Code Auditing

Automated Source Code Analysis

Binary Analysis

Manual Auditing of Binary Code

Automated Binary Analysis Tools

For Further Reading

Chapter 4 Advanced Analysis with IDA Pro

Static Analysis Challenges

Stripped Binaries

Statically Linked Programs and FLAIR

Data Structure Analysis

Quirks of Compiled C++ Code

Extending IDA Pro

Scripting in IDAPython

Example 4-1: Decrypting Strings in Place

Executing Python Code

For Further Reading

Chapter 5 World of Fuzzing

Introduction to Fuzzing

Choosing a Target

Ease of Automation

Types of Fuzzers

Mutation Fuzzers

Generation Fuzzers

Getting Started

Finding the Fuzzing Templates

Lab 5-1: Collecting Samples from the Internet Archive

Choosing the Optimal Template Set with Code Coverage

Lab 5-2: Selecting the Best Samples for Fuzzing

Peach Fuzzing Framework

Peach Fuzzing Strategies

Speed Does Matter

Lab 5-3: Mutation Fuzzing with Peach

Other Mutation Fuzzers

Generation Fuzzers

For Further Reading

Chapter 6 Shellcode Strategies

User Space Shellcode

Basic Shellcode

Port Binding Shellcode

Reverse Shellcode

Find Socket Shellcode

Command Execution Code

File Transfer Code

Multistage Shellcode

System Call Proxy Shellcode

Process Injection Shellcode

Other Shellcode Considerations

Shellcode Encoding

Self-Corrupting Shellcode

Disassembling Shellcode

Kernel Space Shellcode

Kernel Space Considerations

For Further Reading

Chapter 7 Writing Linux Shellcode

Basic Linux Shellcode

System Calls by C

System Calls by Assembly

Exit System Call

setreuid System Call

Shell-Spawning Shellcode with execve

Implementing Port-Binding Shellcode

Linux Socket Programming

Assembly Program to Establish a Socket

Test the Shellcode

Implementing Reverse Connecting Shellcode

Reverse Connecting C Program

Reverse Connecting Assembly Program

Encoding Shellcode

Simple XOR Encoding

Structure of Encoded Shellcode

JMP/CALL XOR Decoder Example

FNSTENV XOR Example

Putting the Code Together

Automating Shellcode Generation with Metasploit

Generating Shellcode with Metasploit

Encoding Shellcode with Metasploit

For Further Study

Part II From Vulnerability to Exploit

Chapter 8 Spoofing-Based Attacks

What Is Spoofing?

Lab 8-1: ARP Spoofing with Ettercap

Viewing Network Traffic

Modifying Network Traffic

Lab 8-2: DNS Spoofing with Ettercap

Executing the Attack

NetBIOS Name Spoofing and LLMNR Spoofing

Lab 8-3: Attacking NetBIOS and LLMNR with Responder

Cracking NTLMv1 and NTLMv2 Hashes

For Further Reading

Chapter 9 Exploiting Cisco Routers

Attacking Community Strings and Passwords

Lab 9-1: Guessing Credentials with Ncrack and Metasploit

Lab 9-2: Guessing Community Strings with Onesixtyone and Metasploit

Lab 9-3: Downloading Configuration Files with Metasploit

Lab 9-4: Modifying Configurations with SNMP and TFTP

Attacking Cisco Passwords

Attacking Cisco Type 7 Passwords

Lab 9-5: Cracking Type 7 Passwords with Cain

Lab 9-6: Cracking Type 7 Passwords with Metasploit

Attacking Cisco Type 5 Passwords

Lab 9-7: Attacking Cisco Type 5 Passwords with John the Ripper

Middling Traffic with Tunnels

Lab 9-8: Setting Up a GRE Tunnel

Lab 9-9: Routing Traffic over a GRE Tunnel

Exploits and Other Attacks

Maintaining Access on Cisco Devices

For Further Reading

Chapter 10 Basic Linux Exploits

Stack Operations

Function Calling Procedure

Buffer Overflows

Lab 10-1: Overflow of meet.c

Ramifications of Buffer Overflows

Local Buffer Overflow Exploits

Lab 10-2: Components of the Exploit

Lab 10-3: Exploiting Stack Overflows from the Command Line

Lab 10-4: Exploiting Stack Overflows with Generic Exploit Code

Lab 10-5: Exploiting Small Buffers

Exploit Development Process

Lab 10-6: Building Custom Exploits

For Further Reading

Chapter 11 Advanced Linux Exploits

Format String Exploits

Lab 11-1: Reading from Arbitrary Memory

Lab 11-2: Writing to Arbitrary Memory

Lab 11-3: Changing Program Execution

Memory Protection Schemes

Compiler Improvements

Lab 11-4: Bypassing Stack Protection

Kernel Patches and Scripts

Lab 11-5: Return to libc Exploits

Lab 11-6: Maintaining Privileges with ret2libc

For Further Reading

Chapter 12 Windows Exploits

Compiling and Debugging Windows Programs

Lab 12-1: Compiling on Windows

Debugging on Windows with Immunity Debugger

Lab 12-2: Crashing the Program

Writing Windows Exploits

Exploit Development Process Review

Lab 12-3: Exploiting ProSSHD Server

Understanding Structured Exception Handling (SEH)

Implementation of SEH

For Further Reading

Chapter 13 Bypassing Windows Memory Protections

Understanding Windows Memory Protections (XP SP3, Vista, 7, 8, Server 2008, and Server 2012)

Stack-Based Buffer Overrun Detection (/GS)

Safe Structured Exception Handling (SafeSEH)

SEH Overwrite Protection (SEHOP)

Heap Protections

Data Execution Prevention (DEP)

Address Space Layout Randomization (ASLR)

Enhanced Mitigation Experience Toolkit (EMET)

Bypassing Windows Memory Protections

Bypassing SafeSEH

Bypassing SEHOP

For Further Reading

Chapter 14 Exploiting the Windows Access Control Model

Why Access Control Is Interesting to a Hacker

Most People Don’t Understand Access Control

Vulnerabilities You Find Are Easy to Exploit

You’ll Find Tons of Security Vulnerabilities

How Windows Access Control Works

Security Identifier

Security Descriptor

The Access Check

Tools for Analyzing Access Control Configurations

Dumping the Process Token

Dumping the Security Descriptor

Special SIDs, Special Access, and “Access Denied”

Investigating “Access Denied”

Analyzing Access Control for Elevation of Privilege

Attack Patterns for Each Interesting Object Type

Attacking Services

Attacking Weak DACLs in the Windows Registry

Attacking Weak Directory DACLs

Attacking Weak File DACLs

What Other Object Types Are Out There?

Enumerating Shared Memory Sections

Enumerating Named Pipes

Enumerating Processes

Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, and Devices)

For Further Reading

Chapter 15 Exploiting Web Applications

Overview of the Top 10 Web Vulnerabilities

MD5 Hash Injection

Lab 15-1: Injecting the Hash

Multibyte Encoding Injection

Understanding the Vulnerability

Lab 15-2: Leverage Multibyte Encoding

Hunting Cross-site Scripting (XSS)

Lab 15-3: Basic XSS Injection into a JavaScript Block

Unicode Normalization Forms Attack

Lab 15-4: Leveraging Unicode Normalization

Unicode Normalization Introduction

Normalization Forms

Preparing the Environment for Testing

XSS Testing via x5s the Plug-In

Launching the Attack Manually

Adding Your Own Test Case

For Further Reading

Chapter 16 Exploiting IE: Smashing the Heap

Setting Up the Environment

WinDbg Configuration

Attaching the Browser to WinDbg

Introduction to Heap Spray

Spraying with HTML5

Lab 16-1: Heap Spray via HTML5

DOM Element Property Spray (DEPS)

Lab 16-2: Heap Spray via DEPS Technique

HeapLib2 Technique

Forcing New Allocations by Exhausting the Cache Blocks

Lab 16-3: HeapLib2 Spraying

Flash Spray with Byte Arrays

Lab 16-4: Basic Heap Spray with Flash

Flash Spray with Integer Vectors

Lab 16-5: Heap Spray with Flash Vectors

Leveraging Low Fragmentation Heap (LFH)

For Further Reading

Chapter 17 Exploiting IE: Use-After-Free Technique

Use-After-Free Overview

Debugging JavaScript

Dissecting Use-After-Free (UAF)

Lab 17-1: Dissecting UAF, Step by Step

Leveraging the UAF Vulnerability

Example 17-1: Connecting the Dots

For Further Reading

Chapter 18 Advanced Client-Side Exploitation with BeEF

Lab 18-1: Setting Up Beef

Lab 18-2: Using the BeEF Console

Hooking Browsers

Lab 18-3: The Basic XSS Hook

Lab 18-4: Hooking Browsers with Site Spoofing

Lab 18-5: Automatically Injecting Hooks with Shank

Fingerprinting with BeEF

Lab 18-6: Fingerprinting Browsers with BeEF

Lab 18-7: Fingerprinting Users with BeEF

Lab 18-8: Fingerprinting Computers with BeEF

Browser Exploitation

Lab 18-9: Exploiting Browsers with BeEF and Java

Exploiting Browsers with BeEF and Metasploit

Automating Attacks

For Further Reading

Chapter 19 One-Day Exploitation with Patch Diffing

Introduction to Binary Diffing

Application Diffing

Binary Diffing Tools

Lab 19-1: Our First Diff

Patch Management Process

Microsoft Patch Tuesday

Lab 19-2: Obtaining and Extracting Microsoft Patches

Examining the Patch

Lab 19-3: Diffing MS14-006 with turbodiff

Kernel Debugging

Lab 19-4: Kernel Debugging MS14-006

For Further Reading

Part III Advanced Malware Analysis

Chapter 20 Dissecting Android Malware

The Android Platform

Android Application Package

Application Manifest

Java Decompilation

DEX Decompilation

DEX Disassembling

Example 20-1: Running APK in Emulator

Malware Analysis

Malware Analysis Primer

Example 20-2: Black-Box APK Monitoring with Droidbox

For Further Reading

Chapter 21 Dissecting Ransomware

History of Ransomware

Options for Paying the Ransom

Dissecting Ransomlock

Example 21-1: Dynamic Analysis

Example 21-2: Static Analysis

For Further Reading

Chapter 22 Analyzing 64-bit Malware

Overview of the AMD64 Architecture

AMD64 Calling Conventions

Decrypting C&C Domains

Example 22-1: Decrypting C&C Domains

For Further Reading

Chapter 23 Next-Generation Reverse Engineering

Notable IDA Plug-ins

Honeypots and Sandboxes Using TrapX

A Free Tool for Dynamic Analysis

A Commercial Alternative: TrapX Malware Trap

For Further Reading

Appendix About the Download

Previous Chapter

Gray Hat Hacking The Ethical Hacker’s Handbook, Fourth Edition