Table of Contents for
Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition, 4th Edition
Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition, 4th Edition
Published by
McGraw-Hill Osborne Media, 2015
- Cover
- Gray Hat Hacking The Ethical Hacker’s Handbook, Fourth Edition
- Title Page
- Copyright Page
- Dedication
- Gray Hat Hacking The Ethical Hacker’s Handbook, Fourth Edition
- Gray Hat Hacking The Ethical Hacker’s Handbook, Fourth Edition
- Gray Hat Hacking The Ethical Hacker’s Handbook, Fourth Edition
- Contents
- Preface
- Acknowledgments
- Introduction
- Part I Crash Course: Preparing for the War
- Chapter 1 Ethical Hacking and the Legal System
- Chapter 2 Programming Survival Skills
- Chapter 3 Static Analysis
- Chapter 4 Advanced Analysis with IDA Pro
- Chapter 5 World of Fuzzing
- Chapter 6 Shellcode Strategies
- Chapter 7 Writing Linux Shellcode
- Part II From Vulnerability to Exploit
- Chapter 8 Spoofing-Based Attacks
- Chapter 9 Exploiting Cisco Routers
- Chapter 10 Basic Linux Exploits
- Chapter 11 Advanced Linux Exploits
- Chapter 12 Windows Exploits
- Chapter 13 Bypassing Windows Memory Protections
- Chapter 14 Exploiting the Windows Access Control Model
- Chapter 15 Exploiting Web Applications
- Chapter 16 Exploiting IE: Smashing the Heap
- Chapter 17 Exploiting IE: Use-After-Free Technique
- Chapter 18 Advanced Client-Side Exploitation with BeEF
- Chapter 19 One-Day Exploitation with Patch Diffing
- Part III Advanced Malware Analysis
- Chapter 20 Dissecting Android Malware
- Chapter 21 Dissecting Ransomware
- Chapter 22 Analyzing 64-bit Malware
- Chapter 23 Next-Generation Reverse Engineering
- Appendix About the Download
- Index
- Gray Hat Hacking The Ethical Hacker’s Handbook, Fourth Edition
INDEX
Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.
Symbols and Numbers
\ (backslash), 266
/* */ (comments), 34
{ } (curly brackets)
creating Python dictionaries within, 52
< (less-than operator), 33
<= (less-than-or-equal-to operator), 33
%s token, 267–268
%x token, 267
!token debugger command, 350–352
18 USC Section 1029 (ADS), 11–12
18 USC Section 1030 (ADS), 12–13
18 USC Section 1030 (CFAA), 12–14
18 USC Sections 2510 and 2701 (ECPA), 14–15
32-bit systems
examining patches against Windows 8.0, 498
heap spray exploits on, 418
64-bit malware. See also decrypting C&C domains
common Windows API functions used by, 559
domain and IP address handling for, 557
finding configuration files of, 559–560
identifying cryptographic operations, 566–567
locating imported mutexes in, 560–561
recognizing RC4 key-scheduling algorithm, 567–568
review techniques for, 562–563
reviewing CMD54 component, 558–561
understanding AMD64 architecture, 553–557
64-bit systems
AMD64 calling conventions, 554–557
examining patch against Windows 8.0, 494–497
finding IP weaknesses with tcpip.sys, 503–506
heap spray exploits on, 418
kernel debugging to find IP vulnerabilities, 499–503
recognizing registers for, 554
VM for kernel debugging, 504–506
A
access check, 347–349
DACL check for, 347–349
privilege checks with, 347
access control. See Windows Access Control
access control entries. See ACEs
access device, 11–12
Access Device Statute, 11–12
access tokens, 340–343
dumping process tokens, 350
process, 340–343
AccessChk
displaying permissions with, 359–360
dumping ACLs with, 353
enumerating registry DACLs, 372, 373–374
finding Windows shared memory sections, 384
listing Windows system vulnerabilities, 368–369
controlling inheritance with, 346
denying access for inherited ACEs, 348–349
explicitly denied, 348
removing inherited, 358–359
types of, 344
use in DACL, 343
active scanning, 7
Adaptive Security Appliance (ASA) software, 235–236
ADC, 105
add command in assembly language, 42
Address Resolution Protocol. See ARP spoofing
Address Space Layout Randomization. See ASLR
addressing modes, 43–44
AIDS Trojan, 20–21
allow ACEs, 344
AMD architecture, 553–557
calling conventions for 64-bit, 554–557
overview of 64-bit, 553–554, 572
preventing code execution in, 316
Android application package (APK), 511–513, 521–523
Android platform, 511–530
about, 511
APK files for, 511–513
application manifest file, 513–515
decompiling source code in Java, 517–518
DEX decompilation, 518–520
DEX format for, 515–517
disassembling DEX files, 520–521
malware analysis workflow for, 423–424
reviewing applications for malware, 524–527
running APK in emulator, 521–523
Simplelocker malware for, 532
AndroidManifest.xml file, 513–515
anti-debugging checks in Ransomlock, 541–544
APIs
Bing Search, 125
browsing IDA’s list of Windows, 576–577
used by malware, 559
Yahoo! BOSS Search, 125
APK (Android application package), 511–513, 521–523
apktool, 521
app_diff subfolder, 389
Apple patches, 491
application diffing, 483–484, 489–491
applications. See Web applications
arbitrary memory
reading from, 267–269
writing to, 269–271
architecture
Intel processor, 40
ARP spoofing
shank for, 466
using Ettercap for, 195–196, 197
arrays
dumping fini_array section, 272–273
placing in malicious payload as heap spray, 427–431
ASLR (Address Space Layout Randomization)
about, 242
memory protection using, 279–280
purpose of, 317
assembly language, 41–45
add and sub commands, 42
addressing modes, 43–44
assembling and executing code, 45
assembling, linking, and testing Linux shellcode, 165
AT&T vs. NASM syntax for, 41–43
binding port to local host IP in, 173–175
call and ret commands, 43
establishing socket in, 172–175
executing setreuid system call, 165
exit system calls, 164–165
file structure of, 44
inc and dec commands, 43
int command, 43
jne, je, jz, jnz, and jmp commands, 42–43
lea command, 43
machine language, C languages, and, 41
mov command, 42
push and pop commands, 42
push and pop commands in, 239
reverse connecting shellcode in, 178–180
setreuid system calls in, 166
system calls in, 163
xor command, 42
Asterisk VOIP gateway exploitation, 460–461
AT&T syntax for assembly language, 41–43
attack patterns for Windows objects, 365–387
directory DACLs, 375–379
file DACLs, 379–383
named pipes, 384–385
other named kernel objects, 386–387
processes, 385–386
services, 365–371
shared memory sections, 383–384
weak registry DACLs, 372–375
attackers. See hackers
attacks. See also attack patterns for Windows objects; exploits
ARP poisoning, 206
determining for Windows exploits, 298, 304–306
finding for Linux exploits, 255, 258–259
recognizing possibilities for, 4–5
system call proxy shellcode for, 152–153
auditing
binary code, 71
source code, 64–69
Authenticated Users group SIDs, 355
authentication
bypassing Cisco, 235–236
effect of compromising, 390–391
MD5 hash injection for bypassing, 390–391
authentication SIDs, 355–356
AutoIt, 120
automated binary analysis tools, 85–87
BugScam, 85–86
purpose of, 85
automated source code analysis tools, 69–70
automating
browser attacks with BeEF, 478–481
DEPS, 424–425
fuzzing and, 119–120
injecting hooks with shank, 465–466
Linux shellcode generation, 187–189
Autorun scripts for browser attacks, 478–481
AutoRuns, 372–373
AVD (Android Virtual Device) Manager, 521–523
B
baksmali disassembler, 520–521
bash shell direct parameter access, 269
basic block
BinNavi’s use of, 84
IDA color coding for, 575
BeEF (Browser Exploitation Framework), 455–482
attacks using Autorun scripts, 478–481
browser exploits using Java and, 472–475
Browser Rider functionality of, 460
combining with DNS spoofing, 462–465
downloading and installing, 456–457
exploits using Metasploit and, 475–478
fingerprinting with, 466–467
injecting hooks automatically, 465–466
running basic XSS hook, 461–462
types of exploits, 471–472
updating injection packets from, 198, 203
username and passwords for, 458
using console for, 457–461
big-endian notation, 36–37
/bin/sh program execution, 167–168
binary analysis, 70–87. See also automated binary analysis tools
about, 70
dealing with stripped binaries, 90–92
decompilation in, 71–73
IDA Pro for, 74–83
manual auditing of, 71
binary diffing, 483–507
application diffing, 483–484
diffing MS14-006 with turbodiff, 398
finding IPv6 route vulnerabilities, 499–503
patch diffing, 484
patch management process, 491–493
performing, 489–491
tools for, 485–488
binary files. See also binary analysis; binary diffing; ELF files
analyzing statically linked libraries, 92–95
dealing with stripped, 90–92
IDA Pro for analyzing, 74–83
static analysis challenges of, 89–90
verifying execution of, 165, 166
BinCrowd, 585
bind shell. See port-binding shellcode
BinDiff
examining patch against 64-bit Windows 8.0, 494–497
Bing Search API, 125
BinNavi, 83–84
bitcoin payments, 532
bits, 36
black hat hackers
defined, 18
reasons for reviewing source code, 63
studying exploits, 239
blogs, 463
bookmarking code with IDA, 561, 562, 580, 581
breakpoints
deleting in WinDbg, 446
removing in Ransomlock code, 537
setting and hitting in Ransomlock, 539–540
stepping through strcpy functions with, 296, 298
Browser Exploitation Framework. See BeEF
browsers. See also BeEF; Internet Explorer
automating attacks on, 478–481
BeEF and Java exploits for, 472–475
connecting to BeEF servers, 455, 481
exploits with BeEF and Metasploit, 475–478
fingerprinting, 467–468
hooking, 461–466
HTML5 support for, 418
site spoofing for hooking, 462–465
support for multibyte encoding, 396
brute force
generating injection string using, 393–395
using Ncrack and Metasploit attacks, 217
buffer. See also buffer overflows
about, 241
defined, 38
exploiting small, 253–255, 276–278
buffer overflows
building larger buffer than expected, 247–249
debugging with Immunity Debuggers, 295–298
detecting with /GS, 313–314
exploiting root user privileges with, 246
exploiting small buffers, 253–255
how they work, 241–246
meet.c, 242–245
performing local, 246–255
repeating return addresses for, 248–249
strcpy/strnpy commands and attacks using, 33
using fake frame to attack small buffers, 276–278
BugScam, 85–86
Bugtraq, 19
building Windows exploits, 306–307
bypassing Windows memory protections, 318–335
avoiding SEHOP, 328–335
circumventing EMET, 328
/GS compiler option, 318
overwriting SEH record, 318–319
ProSSHD bypass of DEP, 321–327
SafeSEH, 319
byte code, 71
bytes
defined, 36
magic, 511–512
order in IP networks, 170
splitting memory into high- and low-order, 269–270
C
C programming language, 29–36
for and while loops, 33–34
assembly language vs., 41
building socket in, 171–172
comments, 34
compiling with gcc, 35–36
debugging with gdb, 45–47
decompilers for C++ and, 73
dumping fini_array data, 272–273
establishing socket in, 170
exit system calls, 163–164
finding function signature in, 162–163
functions in, 30
hostent and sockaddr_in data structures in, 78–79
IDA Pro’s recognition of binaries in, 74
if/else construct, 34
main() structure in, 29–30, 90–91
making precision desiredAccess requests in, 361–363
printf command, 31–32
reverse connecting shellcode in, 177–178
sample program in, 34–35
scanf command, 32
sockaddr structure in, 170–171
strcpy/strnpy commands, 32–33
structures in, 170
uninitialized and null pointers in, 59
variables in, 30–31
writing Linux shellcode in, 161, 163–164
C&C (Command & Control) servers. See also decrypting C&C domains
obscuring addresses for, 551
trying to capture traffic to, 548
use by ransomware, 535
C++ programming language
decompilers for, 73
dumping information about fini_array section, 272–273
hostent and sockaddr_in data structures in, 78–79
IDA Pro’s recognition of binaries in, 74
this pointers in compiled code, 103–104
vtables in, 104–105
cache
exhausting blocks of, 426
poisoning using DNS, 206
Cain
cracking Cisco Type 7 passwords with, 225, 226
transferring captured traffic to, 198
Calculator, 309
call command, 43
callback shellcode, 148–150, 177–180
calling conventions
calling functions, 240–241
canary values
defined, 267
Microsoft’s stack protection using, 293
overwriting with shellcode location, 269–271
StackGuard’s use of, 275
canonical equivalence, 405–406, 407
cash ransomware payments, 532
CERT Coordination Center (CERT/CC), 20–22
CFAA (Computer Fraud and Abuse Act)
DMCA protections vs., 15
ECPA protections vs., 14–15
provisions of, 12–13
state alternatives to, 13–14
characters
bypassing input validation controls for, 397–400
charsets, 396
converting type in MySQL, 392–393
exploiting multilanguage application vulnerabilities, 397
multibyte encoding for, 396
testing charsets, 400–401
circumvention of copyrights, 16, 57–58
Cisco routers, 215–237
attacking community strings and passwords, 215–219
cracking Type 7 passwords, 222, 224–226
data found in startup-config files, 221
discovering services with Nmap scan, 216
downloading configuration files with Metasploit, 220–222
exploits and other attacks on, 235–237
identifying Type 7 passwords, 224–225
maintaining access to, 236–237
modifying configurations with SNMP and TFTP, 222–224
OIDs used for, 220
privilege levels for, 216
routing traffic over GRE tunnel, 231–235
setting up GRE tunnels, 228–231
SNMP and TFTP used by, 219–224
Type 5 password attacks, 221, 222, 226–228
vulnerabilities of ASA software, 235, 237
class files
Java, 71
recovering source code with decompiler, 71–73
client-side exploitation. See BeEF
CMD64 component
analyzing, 557
reviewing, 558–561
string references in, 563
code. See also shellcode; source code analysis
byte, 71
detecting cryptographic, 566–567, 577–578
code coverage
defined, 124
determining, 127
selecting traces for data samples, 127–129
code importance, 124
code references for IDA, 109
collaborating in reverse engineering, 583, 585
CollabREate, 585
Command & Control servers. See C&C servers
command execution code, 151
command line
executing IDA scripts from, 115, 116
exploiting stack overflows from, 249–251
fuzzing, 119
renewing WinDbg interaction from, 417
commands
buffer overflows and strcpy/strnpy, 33
gdb, 45–47
Immunity Debugger, 295
NOP, 247
Commands tab (BeEF), 459–460
comments
C programming language, 34
Common Vulnerabilities and Exposures (CVE) list, 23
communication interceptions, 15
community strings
attacking, 215–216
guessing, 217–219
compatibility equivalence and normalization, 405, 407
compilers
converting numbers to hex equivalents, 266
downloading and starting Windows, 291–292
heap spray techniques with JIT, 431
improvements to Linux, 274–279
options for Windows, 292–293
Windows options for, 292–293
Computer Fraud and Abuse Act. See CFAA
computer memory, 36–49. See also Linux memory protections; Windows memory protections
about, 36
endian theories of, 36–37
environment/arguments section, 38
finding Windows shared memory, 383–384
heap spray consumption of, 420–422
importance of understanding, 39
placing shellcode at predictable address in, 417, 422–423, 425, 427, 429
pointers in, 38–39
program use of, 39
RAM, 36
randomizing memory calls to stack, 242, 281
reading from arbitrary, 267–269
sections loaded into, 37–38
segmentation, 37
stack section, 38
strings in, 38
Use-After-Free vulnerability in, 436
user space, 145
writing to arbitrary, 269–271
computers. See also computer memory; target computers
cyberlaws and, 9–11
fingerprinting host, 470–471
prosecuting crimes involving, 14
redefining protected, 12
configuration files
about Cisco startup-config file, 221
downloading Cisco, 220–222
locating 64-bit malware, 559–560
modifying current Cisco, 222–224
tampering with Windows, 381–382, 383
console for BeEF, 457–461
constructors, 71
consumers
OIS’ role with, 22–23
views on ethical disclosures, 18–19
vulnerabilities of smartphone apps for, 529
contact forms, 302
cookies
accessibility of, 468–469
guessing value of, 318
overwriting and replacing, 319
copyright protection, 15–16, 57–58
corporations
measuring costs of hacking, 14
public relations by, 23
crashes
gathering information with Peach, 136–140
inspecting with Immunity Debugger, 295–298
managing Windows program, 309–311
Creator Owner ACEs, 344
credentials. See also passwords
Cisco privilege levels, 216
guessing with Ncrack and Metasploit, 215–217
cross-site scripting. See XSS
CrowdRE, 585
CryptoLocker, 549–552
testing sample of, 551–552
workaround for, 552
CSEA (Cyber Security Enhancement Act), 16–17
custom Linux exploits, 255–261
determining NOP sled location, 258–259
determining offset(s), 256–258
steps for, 255
testing shellcode, 260–261
cyberlaw
Access Device Statute, 11–12
Computer Fraud and Abuse Act, 12–14
defined, 9–11
Digital Millennium Copyright Act, 15–16
Electronic Communications Privacy Act, 14–15
security research resulting in legal actions, 24
state alternatives to CFAA, 13–14
Cygwin, 361–362
D
DACLs (Discretionary Access Control Lists)
access checks for, 347–349
AccessChk for dumping, 353
ACE use in, 343
attacking weak directory, 375–379
comparing Access masks for SD and, 348
displaying from Windows Explorer Advanced view, 354
dumping with AccessChk, 353
empty vs. NULL, 358
examining for SDs, 353
GUI interface for, 345
modifying object ownership in, 357–359
NULL, 357
registry attacks on, 372–375
spotting weaknesses in, 365
SubInACL for dumping, 353, 354
weak file DACLs, 379–383
DAD decompiler, 519–520
Dalvik VM, 515–517
.data directive, 44
Data Execution Prevention. See DEP
data structures
analyzing with IDA Pro, 98–101
IDA data references, 109
viewing program headers with IDA Pro, 101–103
debugging. See also gdb debugger; Immunity Debugger; Windows debugger
decrypting server lists via, 569, 571
deleting breakpoints in WinDbg, 446
dumping process tokens with Windows debugger, 350–353
gdb for, 45–47
kernel, 499–503
Ransomlock checks for, 541–544
using !token debugger command, 350–352
Windows exploits, 307–309
Windows with Immunity Debugger, 293–295
dec command, 43
decoders
code limitations effecting, 181
decoding shellcode, 154–155
FNSTENV, 183–184
JMP/CALL XOR, 181–183
placing on front of shellcode, 181
decompilers, 71–73
designed for C and C++, 73
Hex-Rays Decompiler plug-in, 73, 83
purpose of, 71
recovering Java class file with, 71–73
decompiling
Android application, 526–527
Android source code in Java, 517–518
DEX files, 518–520
Flash code, 429
decrypting. See also decrypting C&C domains
server lists with debugging, 569, 571
strings in IDAPython, 110–115
decrypting C&C domains, 557–571
code review techniques when, 562–563
common malware domain and IP address handling, 557
evaluating configuration files, 561–566
identifying cryptographic operations, 566–567
recognizing RC4 key-scheduling algorithm, 567–568
reviewing CMD54 component, 558–561
deleting breakpoints, 446
denial of service exploits
analyzing Microsoft patch for, 492–506
buffer overflows creating, 246
elevating execute permissions for Windows services, 368
DEP (Data Execution Prevention)
about, 316
bypassing, 321–327
disabling, 311
setting up exception for ProSHHD in, 300
using gadgets to bypass, 322–323
Department of Homeland Security (DHS), 19
DEPS (DOM element property spray)
automating, 424–425
creating heap spray with, 422–425
placing payload at predictable memory address, 422–423, 425
Desktop
regaining control of, 532, 544–549
returning to victim, 534–535
detecting cryptographic code, 566–567, 577–578
DEX (Dalvik executable)
decompiling, 518–520
disassembling, 520–521
files for, 515–517
DHS (Department of Homeland Security), 19
Digital Millennium Copyright Act. See DMCA
digital rights management (DRM), 58
direct parameter access, 268–269
directories
attacking weak DACLs of, 378–379
enumerating Windows DACLs and, 375–377
escalating read permissions of, 378
granting write access to Windows, 376–377
magic, 377
disassemblers. See also IDA Pro
disassembling shellcode, 156–157
IDA Pro, 73–83
navigating in IDA Pro, 76
disclosure phases of OIS, 22–23
Discretionary Access Control List. See DACLs
DMCA (Digital Millennium Copyright Act)
about, 15–16
reverse engineering and, 57–58
DNS cache poisoning, 206
DNS spoofing, 206–209
about, 193–194
combining BeEF cloning with, 462–465
types of, 206
using Ettercap dns_spoof plug-in for, 208–209
watching traffic in Ettercap, 196–198
documentation for penetration testing, 8
DOM element property spray. See DEPS
double words, 36
downloading
BeEF, 456–457
Cisco configuration files, 220–222
Microsoft C/C++ Optimizing Compiler and Linker, 291
Microsoft patches, 492–494
mona.py plug-in, 302
MS14-006 patch file for binary diffing, 494
Python, 47–48
DRM (digital rights management), 58
Droidbox, 527–528
dumb fuzzers, 121–123
dumping
information about fini_array section, 272–273
process tokens, 350
SDs, 353
using TrapX Threat Inspector to analyze malware, 586–587
dynamic analysis
checking key data for modifications with, 569, 571
Ransomlock, 533–535
starting reverse engineering process with, 586, 587
TrapX tools for, 586–590
E
EBP (extended base pointer)
detecting stack-based buffer overrun with, 313–314
pointing to NOP sled, 326–327
stack operations and, 239–240, 261
EEM (Embedded Event Manager) exploits, 236
EIP (extended instruction pointer), 183
calculating offset to overwrite, 256–258
controlling for exploits, 246, 261, 298, 300–302
executing malicious code at user or root level using, 246
exploit development using, 255
overwriting for Windows systems, 304–306
pointing to NOP sled, 247
saving on stack, 240, 241, 242
using in local buffer overflow exploits, 246–247
Electronic Communications Privacy Act (ECPA), 14–15
elevating privileges. See also root privileges
attacking weak directory DACLs for, 375–379
configuring privilege escalation to untrusted users, 370–371
during penetration testing, 8
process using Access Control, 365
service attacks for, 365–371
Windows registry keys for, 374–375
ELF (Executable Linking Format) files
file format for, 74, 106, 271–272
using for diffing lab, 489
Embedded Event Manager (EEM) exploits, 236
EMET (Enhanced Mitigation Experience Toolkit)
about, 317–318
bypassing, 328
enabling SEHOP using, 315
preventing use on victim’s machine, 437
emulator for Android APK, 521–523
encoding shellcode
with Metasploit, 188–189
purpose of, 154–155
reasons for, 180
structure of encoded shellcode, 181
XOR, 180–181
encrypting user files, 531, 549–551, 552
Enhanced Mitigation Experience Toolkit. See EMET
environment/arguments section, 38
environment variable
bash SHELL, 269
storing shellcode in, 253–254, 270
epilog, function, 241
errors
avoiding off-by-one C programming loop, 33
displayed by CryptoLocker, 550
executing pilfer-archive-new.py, 126
finding XSS bugs in error messages, 402
indicated in function return values, 61
stderr files, 147
/usr/bin/ld:cannot find -lc, 164
ESP (extended stack pointer), 239–240, 248–249, 261
ethical hacking. See also vulnerability disclosures
behavior of security professionals, 6
getting formal SOW, 7
need for reverse engineering in, 57–58
overview, 25
penetration testing by unethical vs., 8–9
process in, 5–6
skills preparing one for, 29, 54
software traps in, 162
studying exploits, 239
understanding enemy’s tactics, 3–4
eTrust Antivirus, 382
Ettercap
DNS spoofing using, 206–208, 462, 464–465
dns_spoof plug-in, 208–209
Lua scripting for, 198, 200–205
modifying network traffic with, 198–205
parsing credentials with, 197–198
using etterfilter command to modify traffic, 198, 199–200
using for ARP spoofing, 195–196
Etterfilter, Lua filters vs., 191–195
events, 386–387
Everyone group SIDs, 355
Evilgrade
supplying malicious updates using, 206–208
using with Ettercap, 213
exceptions, managing Windows program crash, 309–311
ExecShield memory protection, 279, 288
Executable Linking Format (ELF) files. See ELF files
“execute” access for Windows services, 368
executing assembly language code, 45
execve system call, 166–168
exit system calls, 163–165
Expect, 120
exploits. See also Linux exploits; Windows exploits; and specific exploits
with Cisco routers, 215–237
during penetration testing, 8
format string, 263–274, 288, 289
heap spray, 417–431
1-day, 484
opportunities with binary diffing, 483–484
Windows kernel, 157–159
extended base pointer. See EBP
extended instruction pointer. See EIP
extended stack pointer (ESP), 239–240, 248–249, 261
F
fake frame technique, 276–278
Faroo, 125
Fast Library Identification and Recognition Technology (FLIRT), 74
__fastcall calling convention for, 554, 556–557
FBI’s jurisdiction, 13
file DACLs
attacks on, 379–380
enumerating, 380
overview of attacks on, 383
writing to executable files, 380–381
files. See also binary files; configuration files
accessing in Python, 52–54
AndroidManifest.xml, 513–515
APK, 511–513
assembly file structure, 44
attacking data parser using tampered, 382
creating Peach Pit, 129–134
CryptoLocker’s encrypting of user, 549–551, 552
data found in Cisco startup-config, 221
DEX format, 515–517
granting write access to untrusted users of, 382
IDA Pro for analyzing binary, 75–76
Java class, 71
shellcode for transferring, 152
tampering with configuration, 381–382
weak DACLs for, 379–383
building Process Monitor, 360–361
htmlspecial chars(), 404–405
Lua vs. Etterfilter, 191–195
modifying traffic with etterfilter command, 198, 199–200
normalization for bypassing XSS, 405–406
OWASP XSS Filter Evasion Cheat Sheet, 404, 405
preventing XSS, 404–405
scripts for Lua, 195
FIN WAIT messages, 177
find socket shellcode, 150–151
find.c source code
BugScam output for compiled, 86
checking sprintf() vulnerabilities in, 80–83
manually auditing, 66–69
fingerprinting
BeEF for, 466–467
browsers, 467–468
computers, 470–471
steps in, 8
users, 468–469
firewalls
blocking port-binding shellcode, 148
bypassing with reverse shellcode, 148–150
first chance exception, 297
flags
gcc, 35
Windows inheritance, 346
FLAIR tools, 95–96
Flamer, 114–115
Flash Decompiler Trillix, 429
Flash heap spray exploits
about, 427–431
byte arrays in, 427–429
decompiling Flash code, 429
joining with JavaScript for UAF, 448–453
using integer vectors, 419–431
Flawfinder, 60
FLIRT (Fast Library Identification and Recognition Technology), 74, 94
FNSTENV assembly instruction
decoding with, 183–184
encoding and decoding with, 184–187
format string exploits, 263–274, 288, 289
changing program execution, 271–272
exploiting printf() function, 264–265
mapping out stack with %x token, 267
overwriting arbitrary address using, 269–271
reading arbitrary memory locations, 268
reading arbitrary strings, 267–268
types of Linux format functions, 263
vulnerability in stack, 265–267
format symbols, 264
functions. See also format string exploits; renaming functions with IDA; XOR function
calling, 240–241
code and data references for, 109
defined, 240
epilog, 241
error conditions indicated in return values of, 61
executing in C programs, 30
finding signature at C level, 162–163
Libsafe library, 275
Linux format, 263
locating vulnerable UAF, 430, 440–441
overwriting existing function pointers, 272–274
preconditions and postconditions for, 62
sorting by call reference, 108–109
unrecognized by IDA Pro, 107
Windows API functions used by malware, 559
fuzzing, 117–143. See also Peach fuzzing framework
automating, 119–120
creating Peach Pit files, 129–134
generation fuzzers, 123, 141–142
getting started with, 123
input interface selections for, 118–119
list of mutation fuzzers, 141
logs for Peach crash analysis, 136–140
mutation fuzzers, 121–123
parallel testing machines using Peach, 136
samples for, 127–129
selecting targets for, 118–121
strategies for Peach, 135
target complexity fir, 120–121
G
gadgets
finding in mona.py plug-in, 323, 324
using, 322–323
gcc compiler
C language’s use of, 35–36
improvements to, 274–279
non-executable stack, 278
replacement for, 275–276
gdb debugger
basic commands for, 45–47
debugging example with, 46
disassembly with, 46–47
unable to disassemble use space shellcode with, 157
generation fuzzers, 123, 141–142
Generic Route Encapsulation tunnels. See GRE tunnels
generic stack overflow exploit code, 251–252
Get System Info module, 470, 471
GETPC (get program counter) techniques
FNSTENV XOR, 183–187
JMP/CALL XOR decoder, 181–183
grammar-based testing, 123
gray hat hackers
advantages to source code reviews, 63–64
defined, 18
“No More Free Bugs” stance of, 24
GRE (Generic Route Encapsulation) tunnels
illustrated, 229
routing traffic over, 231–235
setting up, 228–231
ground rules for penetration testing, 7
/GS compiler option
bypassing, 318
stack-based buffer overrun detection, 313–314
/GS switch, 293
H
hackers
breaking authentication, 390–391
exploiting Windows Access Control, 337–338
penetration test process used by, 8–9
punishment under CSEA for, 17
understanding tactics of, 3–4
hacking tools. See tools
hacktivism, 4
hardening system methods, 9
hardware. See also AMD architecture; computer memory; target computers
using hardware traps, 162
hash. See MD5 hash injection
heap. See also heap spray exploits; LFH
memory protection and attacks on, 288
Windows memory protections for, 315–316
heap spray exploits
detecting in Nozzle, 418
Flash byte arrays in, 427–429
Flash spray with integer vectors, 419–431
HeapLib2 techniques for, 425–426
HTML5, 418–422
leveraging low fragmentation heap, 431–432
monitoring memory consumption of, 420–422
role in UAF techniques, 436
steps for, 417–418
using DEPS, 422–425
“Hello, haxor” example, 34–35, 44
“Hello, world” example in Python, 48
hex opcodes
testing Linux shellcode with, 169
writing, 161
Hex-Rays Decompiler plug-in. See also IDA Pro
FLAIR toolset with, 95–98
HOB (high-order bytes), 269–270
Hooked Browsers pane (BeEF), 458, 459
hooking browsers, 461–466
host computer fingerprinting, 470–471
hostent data structure, 78–79
HSRP (Hot Standby Router Protocol), 194
HTML/HTML5
features of HTML5, 418–419
finding XSS in links for, 402
heap spray exploits using HTML5, 419–422
htmlspecial chars() filter, 404–405
HTTP protocol
fuzzing complexity of, 120
selecting for fuzzing, 119
viewing requests in Ettercap, 197
I
IDA Pro (Interactive Disassembler Professional), 73–83, 89–116. See also specific IDA plug-ins
analyzing statically linked programs, 92–95
binary diffing tool plug-ins for, 485, 486–487
BinNavi’s integration with, 83–84
bookmarking code with, 561, 562
creating IDBs, 115–116
creating IDBs for .exe files, 115–116
data structure analysis with, 98–101
dealing with stripped binaries in, 90–92
decrypting strings in IDB, 110–115
executing scripts in, 115–116
features of, 74–75
FLIRT signature file options in, 94–95
generating signature files in, 95–98
handling AMD64 calling conventions, 555
handling static analysis challenges with, 89–90
Hex-Rays Decompiler plug-in with, 73, 83
highlighting specific registers in, 563
naming and commenting in, 76, 77
navigating in, 76
opening turbodiff in, 489–490
renaming functions in, 106–107, 574
reverse engineering plug-ins, 573–585
SDK for, 105
stack frame layouts in, 77–78
support for plug-ins and scripts, 105
using, 75–76
using FLAIR tools with, 95–96
viewing program headers with, 101–103
vulnerability discovery with, 79–80
working with compiled C++ code, 103–105
IDA Sync, 585
IDA Toolbag plug-in, 580–584, 585
bookmarking code with, 580, 581
collaboration capabilities of, 583, 585
Global Marks tab for, 580, 581
scripting with, 584
IDAPython, 106–115
about, 105
decrypting strings in, 110–115
renaming IDA functions with, 106–107
renaming wrapper functions, 109–110
sorting functions by call reference, 108–109
IDAscope plug-in, 573–580
functions of, 573–574
workflow using, 574–580
IDC programming language, 105
if/else construct, 34
IMAP protocol exploitation, 460–461
Immunity Debugger
about, 293–294
commands of, 295
debugging buffer overflow, 295–298
inspecting crashes in, 295–298
listing linked modules with, 304
main screen of, 294
reviewing Ransomlock .exe file in, 536–541
verifying SafeSEH removed from compiled programs, 331–332
inc command, 43
indentation in Python, 53
IndexDen, 125
inherited ACEs. See also ACEs
controlling inheritance with, 346
denying access for, 348–349
location in access mask, 344
removing, 358–359
injecting
BeEF hooks automatically, 465–466
MD5 hash, 390–396
multibyte encoding, 396–401
preparing packets for injection strings, 203
process injection shellcode, 153
process shellcode, 153
strings generated by brute force, 393–395
updated data from BeEF, 198, 203
XSS via JavaScript, 403–404
installing
BeEF, 456–457
FLAIR tools, 95
Windows Debugger, 415–417
integer vectors in Flash sprays, 429–431
Intel architecture. See also AMD architecture
64-bit, 553
about, 40
Interactive Disassembler Professional. See IDA Pro
Internet Explorer, 415–454. See also UAF technique
attaching WinDbg to, 416–417
consuming physical memory with heap spray, 420–422
heap spray exploits for, 417–418
installing/using WinDbg, 415–417
Use-After-Free technique for v.9-11, 435–438
zero-day techniques for, 415
Internet Security Systems (ISS), 20
IOSTrojan, 236
IP protocol
analyzing patch vulnerabilities in IPv6, 495–497
building socket for, 171
byte order for networks in, 170
converting IP to MAC addresses, 194–195, 196, 197
finding malware C&C server IP addresses, 557
IPv6 route advertisement vulnerabilities, 499–503
revising hardcoded values in reverse-connected shellcode, 178
Ipec tab (BeEF), 460–461
Isolated Heap, 436
ITS4, 60
J
Java
browser exploits using BeEF and, 472–475
decompiling Android source code, 517–518
decompiling Android source code in Java or, 517
interpreting machine-dependent byte code with, 71
JavaScript
debugging code for UAF in, 438–439
executing XSS hook, 461–462
injecting XSS via, 403–404
joining Flash heap spray code with UAF in, 448–453
je command, 42–43
JEB decompiler, 518–519
JMP/CALL XOR decoder, 181–183
jmp command, 42–43
jne command, 42–43
jnz command, 42–43
John the Ripper, 212–213, 226–228
JReversePro, 72–73
JVM. See Java Virtual Machine
jz command, 42–43
K
kernel
debugging sessions for, 499–503
patches and scripts for, 279–288
kernel space
creating shellcode for, 157–158
defined, 145
Windows’ debuggers compatible in, 298
keys
elevating privileges with Windows registry, 374–375
enumerating DACLs of Windows registry, 372–374
ransomware’s use of public key cryptography, 532, 549
recognizing RC4 key-scheduling algorithm, 567–568
reverse engineering malware, 569–571
L
languages
browser support of multiple, 396–397
exploitable vulnerabilities for multiple, 397
laws. See cyberlaw
lea command, 43
LFH (Low Fragmentation Heap)
about, 315–316
overwriting freed UAF object with, 436, 438
using maliciously, 431–432
libraries, loading on target computer, 153
Libsafe, 275
linking
defined, 35
Linux shellcode for assembly language, 165
Linux exploits, 239–289. See also custom Linux exploits; writing Linux shellcode
building larger buffer than expected, 247–249
calling functions, 240–241
changing program execution, 271–272
custom, 255–261
determining attack vector, 255, 258–259
development process for, 255
exploiting stack overflows from command line, 249–251
finding offsets for, 255, 256–258
format string exploits, 263–274, 288, 289
generating shellcode with Metasploit, 259–260
how buffer overflows work, 241–246
mapping stack with %x token, 267
memory protection schemes against, 274–288, 289
naming programs to be overwritten, 270
overview, 288–289
performing local buffer overflows, 246–255
reading arbitrary strings with %s token, 267–268
repeating return addresses, 248–249
return to libc exploits, 280–284
small buffer exploits, 253–255
stack operations for, 239–241
writing to arbitrary memory, 269–271
Linux memory protections, 274–288, 289
ASLR objectives for, 279–280
building return to libc exploits, 280–284
kernel patches and scripts, 279–288
Libsafe, 275
Linux compiler improvements, 274–279
maintaining privileges with ret2libc, 284–288
non-executable stack for gcc, 278
overview, 289
StackShield, StackGuard, and Stack Smashing Protection, 275–276
summary of, 288
Linux operating systems. See also Linux exploits; Linux memory protections
accessing system calls, 146
AMD64 calling convention for, 554–556
bash SHELL environment variable, 269
effect of calling functions, 240–241
hiding backdoor services and malicious activity on, 236-237
lists. See also DACLs
SACL, 343
using in Python, 51–52
little-endian notation, 36–37, 170
LLMNR (Link-Local Multicast Name Resolution) protocol
about, 209
LOB (low-order bytes), 269–270
logon reinstallation of malware, 545
LOGON SIDs, 356
LongFunc function, 555, 556–557
loops
for and while, 33–34
avoiding off-by-one errors in C, 33
closing Python, 54
minimizing Ransomware’s infinite, 548, 549
recognizing RC4 key-scheduling algorithm, 567–568
sample of Python for, 53
Low Fragmentation Heap. See LFH
Lua scripting for Ettercap, 198, 200–205
M
MAC addresses
revealing with Ettercap, 196, 197
turning IP addresses into, 194–195
Mac OS X computers, 47, 92, 98, 554
Mach-O (Mac OS Mach Object) format, 106
magic bytes, 511–512
magic directories, 377
main() structure
locating in stripped binary, 90–91
use in C programming, 29–30
malware. See also 64-bit malware; Android platform; decrypting C&C domains; ransomware
analyzing Android applications for, 423–424
anti-debugging checks in Ransomlock, 541–544
black-box APK analysis of, 527–529
decrypting strings in Flamer, 114–115
encrypting user files, 531, 549–551, 552
finding RC4 key-scheduling algorithm in, 567–568
IDAscope for analyzing, 573–580
maliciousness checklist for Android apps, 524
reviewing Android applications for, 524–527
taking back control of Desktop from, 532, 544–549
Windows API functions used by, 559
writing signatures in YARA, 576, 577
man-in-the-middle (MITM). See also GRE tunnels
ARP spoofing and, 193
setting up with Ettercap, 195–196, 197
manual binary analysis auditing, 71
manual source code auditing, 64–69
finding exploitable conditions when, 65–66
sources of user-supplied data for, 64–65
MD5 hash injection
bypassing authentication with, 390–391
converting type in MySQL, 392–393
finding MD5 output for conversion, 391–392
generating injection string using brute-force, 393–395
testing bypass injection string, 395–396
meet.c program
compiling in Visual Studio, 293
creating buffer overflow in, 242–245
memory. See computer memory
Metasploit
automating DEPS with, 424–425
BeEF browser exploits with, 475–478
cracking Cisco Type 7 passwords in, 225–226
downloading Cisco configuration files with, 220–222
generating Linux shellcode with, 187–189, 259–260
guessing community strings, 215–219
preventing TFTP configuration file caching in, 213
process injection payloads using Meterpreter, 153
Metasploit Framework
finding bad chars for shellcode in, 154
pairing with BeEF, 481
Microsoft. See also Internet Explorer; Windows operating systems
AMD64 calling conventions for Windows, 554, 556–557
Bug Bounty programs for, 24
patch management by, 483, 484, 491–492
Virtual Table Guard and Isolated Heap solutions, 436
Microsoft C/C++ Optimizing Compiler and Linker, 291
Microsoft PREfast Analysis tool, 60, 62
MITM. See man-in-the-middle
.model directive, 44
mona.py plug-in
downloading, 302
finding recommended gadgets for modules in, 323, 324
searching loaded Windows modules with, 304–305
using in Windows exploits, 298
mov command, 42
Mozilla, 24
MS14-006 patch file
downloading, 494
examining against 64-bit Windows 8.0, 494–497
MSDN (Microsoft Developer Network), 576
msfpayload command, 187
multibyte encoding injection, 396–401
about multibyte encoding, 396
bypassing input validation controls with, 397–400
defined, 397
testing charsets used to bypass controls, 400–401
vulnerabilities exploited with, 397
multistage shellcode, 152
mutation fuzzers, 121–123. See also Peach fuzzing framework
list of, 141
success factors for, 124
using Peach, 140–141
mutexes
enumerating, 386–387
locating imported 64-bit malware, 560–561
multibyte encoding injection using, 397, 399
type conversion process using, 392–393
N
name resolution
NBNS, 194
named pipes, 384–385
NASM (Netwide Assembler), 41–43, 168
National Institute of Standards and Technology (NIST), 29
NBNS (NetBIOS Name Services), 194
Ncrack, guessing Cisco credentials with Metasploit and, 215–217
NetBIOS protocol
about, 209
Netwide Assembler (NASM), 41
network traffic
Ettercap for modifying, 198, 199–200
flow with ARP spoofing, 195–196, 197
modifying to include BeEF hook, 465–466
routing over GRE tunnel, 231–235
setting up GRE tunnels, 228–231
transferring captured traffic to Cain, 198
trying to capture C&C server’s, 548
viewing between target and gateway, 196–198
networks. See also network traffic
byte order for IP, 170
command execution code for connecting to, 151
creating bind shell in, 147–148
duplicating socket descriptors for, 64
find socket shellcode with, 150–151
fingerprinting host computers of, 470–471
fuzzing HTTP protocols for, 119
recognizing attacks in progress, 4–5
next-generation reverse engineering, 573–591
IDA Toolbag plug-in, 580–584, 585
IDAscope plug-ins for, 573–580
TrapX dynamic analysis, 586–590
nibble, 36
NIST (National Institute of Standards and Technology), 29
Nmap scan, 216
“No More Free Bugs” stance, 24
NOP sled
about, 247
determining where to add, 258–259
filling stack with, 249–251
pointing return address to, 248
using before shellcode, 307, 308
normalization. See Unicode normalization
NTLM (NT Lan Manager)
authentication for, 209
cracking credentials for v1 and v2, 212–213
null pointers, 59
number objects in Python, 50–51
O
objdump tool
dumping fini_array section, 273
extracting hex opcodes with, 168, 175–176
objects. See also attack patterns for Windows objects; objects in Python
constructors, 72
finding address in memory of freed, 441–443
finding type of exploited freed, 441
inheritance flags for Windows, 346
learning how freed in stack, 443–444
overwriting address space for freed, 444–445
ownership rights of Windows, 357–359
objects in Python, 48–52
dictionaries, 52
lists, 51–52
numbers, 50–51
socket, 54
strings, 48–50
off-by-one C programming errors, 33
offsets
calculating Linux EIP, 255, 256–258
determining offset Windows’ EIP, 298, 302–304
heap spray, 421
OIS (Organization for Internet Safety), 22
OllyDbg, 331–332
1-day exploits, 484
onesixtyone, 217–218
Open Source Intelligence (OSINT), 7
Open Web Application Security Project. See OWASP
opening turbodiff, 489–490
operating systems. See also Linux operating systems; Windows operating systems
communicating with kernel of, 162
Oracle patches, 491
Organization for Internet Safety (OIS), 22
overwriting
canary values, 269–271
existing function pointers, 272–274
exploits using, 274
freed object address space, 444–445
preventing shellcode stack, 155–156
SEH, 318–319
OWASP (Open Web Application Security Project)
ranking for MD5 Hash Injection, 390
top Web vulnerabilities list of, 389
XSS Filter Evasion Cheat Sheet, 404, 405
P
Page-eXec (PaX) patches, 279, 280, 288
paramiko module, 301
partial return pointer overwrites, 321
passive scanning, 7
passwords. See also John the Ripper
attacking Cisco community strings and, 215–219
attacking Cisco Type 5, 221, 222, 226–228
attacking Cisco Type 7, 224–226
BeEF username and, 458
cracking NTLMv1 and NTLMv2, 212–213
exploiting weak Cisco, 215
guessing Cisco default, 216–217
identifying Cisco Type 7, 224–225
retrieving from Cisco configuration files, 221–222
storing hash data for, 390–391
wordlists for cracking, 227
patch diffing, 484
patches
about patch management process, 491
Apple and Oracle, 491
downloading/extracting patches, 492–494
examining tcpip.sys, 494–497
Microsoft’s patch management process, 483, 484, 491–492
MS14-006, 494–497
paying ransoms, 532
PE (Portable Executable) file format, 74, 106
Peach fuzzing framework
about, 127
crash analysis using, 136–140
creating Peach Pit files, 129–134
mutation fuzzing using, 140–141
parallelization of testing using, 136
selecting samples with Peach Miniset, 127–129
strategies for using, 135
using as generation fuzzer, 142
penetration testing
steps in, 7–8
used by hackers, 8–9
vulnerability assessments vs., 5–6
printing shellcode into binary file, 249
using backticks to wrap, 243, 250
permissions, reviewing sensitive Android, 524–527
phishing, hooking browsers using, 461
PHP scripts, exploiting normalization in, 405–407
Pilfer-Archive script, 125, 126–127
PipeList.exe, 384–385
plug-ins
Ettercap dns_spoof, 208–209
Hex-Rays Decompiler, 73, 83, 95–98
IDA Pro binary diffing, 485, 486–487
IDA Pro support for, 105
IDAscope, 573–580
mona.py, 298, 302, 304–305, 323, 324
pointers. See also EBP; EIP
determining address of pointers to VirtualProtect function, 321–322
overwriting calling function, 318
SFP, 314
this, 103–104
uninitialized, 59
use in computer memory, 38–39
vtable, 104–105
pop command in assembly language, 42
port-binding shellcode
uses for, 147–148
writing in Linux, 169–177
port_bind_asm.asm program, 173–175
port_bind.c program, 171–172
port_bind_sc.c code, 176–177
ports
binding Linux shellcode to, 169–177
blocking port-binding shellcode to, 147–148
establishing sockets for, 171
reversing connecting shellcode to, 148–150, 177–180
testing port-binding shellcode for, 175–177
writing shellcode to find open sockets, 150–151
postconditions, defined, 62
preconditions, defined, 62
premium-rate SMS payments, 532
printf command, 31–32
printf() function
exploiting incorrect Linux, 264–265
using to maintain privileges, 288
vulnerability in stack, 265–267
privileges. See elevating privileges; root privileges
process DACLs, 385–386
Process Explorer, 350–352
process injection shellcode, 153
Process Monitor
building filter for, 360–361
log of supertype.exe in, 362, 363
Process Monitor Filter dialog, 533
process tokens, 340–343
dumping, 350
processors
Itanium, 553
Opteron, 553
professional behavior of security professionals, 6
program headers, viewing with IDA Pro, 101–103
programming, 29–55. See also C programming language; C++ programming language
assembly language skills, 41–45
C programming language, 29–36
computer memory skills for, 36–49
constructors in object-oriented languages, 72
debugging with gdb, 45–47
IDC language, 105
Intel processors, 40
Python skills, 47–54
prosecuting computer crimes, 14
ProSSHD servers
about, 299
bypassing DEP, 321–327
setting up exception in DEP, 300
protected computer, legal definition of, 12
public key cryptography, 532, 549
push command in assembly language, 42
Python, 47–54. See also IDAPython; objects in Python
about, 47
dictionaries in, 52
downloading or launching, 47–48
file access in, 52–54
“Hello, world” in, 48
objects in, 48–52
sockets, 54
R
Radamsa, 141
RAM (random access memory), defined, 36
random access memory (RAM), defined, 36
randomization fuzzing, 122
anti-debugging checks used by, 541–544
dynamic analysis of, 533–535
killing processes in, 534
obscuring debugger from, 544
static analysis of, 535–541
taking back control of Desktop from, 544–549
understanding techniques used by, 535–541
ransomware, 531–552
methods of payment, 532
RATS (Rough Auditing Tool for Security), 60–61
RC4 key-scheduling algorithm, 567–568
“read” access
impact of elevating directory, 378
modifying file permissions for, 383
to Windows registry keys, 375
to Windows services, 367–368
README file for labs, 195
registers
categories of Intel, 40
IDA highlighting of specific, 563
passing arguments with System V calling convention to, 554–556
storing memory segments in, 37
registry key attack, 372
relative identifiers (RIDs), 339–340
remote access
gaining to Cisco devices, 235–236
gaining with UAF vulnerability, 447–453
getting to machine infected with ransomware, 533–535
taking back control of Desktop from malware’s, 532, 544–549
renaming functions with IDA
template for IDB function wrappers, 574
using IDAPython script, 106–107
using identified tags, 574
Responder, 209–213
restricted tokens, 342–343, 349
ret command, 43
return addresses, repeating, 248–249
return to libc (ret2libc) exploits
building, 280–284
maintaining privileges with, 284–288
uses for, 284
reverse engineering. See also 64-bit malware; IDA Pro; next-generation reverse engineering
Android, 529
binaries, 70
BinDiff for, 486
defined, 57
DMCA and, 57–58
dynamic analysis for malware, 533–535, 569, 571, 586, 587
IDA Toolbag plug-in, 580–584, 585
IDAscope plug-ins for, 573–580
need for, 58
reasons for, 57
used in static analysis, 57–59
reverse shellcode, 148–150, 177–180
Rider tab (BeEF), 460
RIDs (relative identifiers), 339–340
RockYou site, 212–243
root privileges
gaining with format string exploits, 266–267
maintaining with ret2libc, 284–288
using EIP to execute malicious code at, 246
root users, buffer overflows exploiting privileges of, 246
ROP (return-oriented programming)
about, 322
modifying permissions with, 300
ROP chain
building with mona.py plug-in, 323–324
generating in ASLR bypass, 321
Rough Auditing Tool for Security (RATS), 60–61
routers. See Cisco routers
rule-based fuzzing, 123
Run As user interface (Windows), 341–342
S
SACL (System Access Control List), 343
SafeSEH
memory protection with, 314–315
sandboxes using TrapX, 586, 588
Sawyer vs. Department of Air Force, 14
scanf command, 32
scanning
active and passive, 7
Cisco port, 215
SCM (service control manager), 370–371
scpclient module, 301
scripting. See also XSS
browser attacks, 478–481
bypassing DEP using prosshd_dep.py, 324–326
creating Lua filter, 195
cross-site, 402–404
decrypting strings with IDAPython, 110–115
Ettercap’s Lua scripting engine, 198, 200–205
exploiting Cisco EEM, 236
with IDA Toolbag plug-in, 584
launching Windows script to control EIP, 301–302
renaming wrapper functions using, 109–110
running Pilfer-Archive in Internet Archive, 125, 126–127
sorting functions by call reference, 108–109
using IDAPython, 106–115
SD (security descriptor)
comparing access masks for DACL and, 348
illustrated, 344
role in Windows Access Control, 338, 343–346
SDs, dumping, 353
Secret Service, jurisdiction of, 13
Secure Access Control Server (ACS), 236
security identifiers. See SIDs
security professionals
professional and ethical behavior of, 6
recognizing attacks in progress, 4–5
segmentation, 37
SEH (structured exception handling)
illustrated, 310
overwriting, 318–319
protecting with SafeSEH, 314–315
understanding, 309–311
SEHOP (SEH Overwrite Protection)
about, 315
bypassing, 328–335
Selenium, 120
self-corrupting shellcode, 155–156
semaphores, 386–387
servers. See also C&C servers
connecting browser to BeEF, 455, 481
ProSSHD, 299
Secure Access Control, 236
services, subverting Universal Plug and Play, 338
set-based fuzzing, 122
Set User ID (SUID)
compiling and setting buffer as, 253
gaining privileges using, 246
setreuid system call
signature of, 166
uses for, 165
SFP (saved frame pointer), 314
shank, 465–467
shared memory, enumerating sections of, 383–384
shellcode, 145–159. See also user space shellcode; writing Linux shellcode
automating with Metasploit, 187–189
choosing code to run, 146–147
creating file transfer code, 152
creating local buffer overflow with, 247–249
demonstrating execution in Windows exploits, 309
disassembling, 156–157
establishing network connections, 151
estimating stack space needed for Windows, 306
exploiting, 145
find socket, 150–151
generating in Metasploit, 259–260
making system calls in, 145–146
multistage, 152
placing at predictable addresses in memory, 417, 422–423, 425, 427, 429
placing decoders on front of, 181
placing in heap sprays, 415, 427–431, 432
port-binding, 147–148, 169–177
process injection, 153
self-corrupting, 155–156
storing in environment variable, 253–254, 270
system call proxy, 152–153
user space, 145–153
vulnerabilities in kernel space, 157–158
shells, direct parameter access for, 269
SIDs (security identifiers)
Authenticated Users group, 355
checking restricted, 349
contained in access token, 340
Everyone group, 355
LOGON, 356
looking for access granted to nonadmin, 365
role in Windows Access Control, 338, 339
special, 355
types of authentication, 355–356
signature files
exit, 163–165
FLIRT options for, 94–95
generating IDA Pro, 95–98
YARA for writing malware, 576, 577
Simplelocker, 532
slicing lists, 51
smali assembler, 520
smartphones. See also Android platform
Android, 511
vulnerabilities of, 529
SNMP (Simple Network Management Protocol)
exploiting weak Cisco community strings, 215–219
getting information about Cisco devices via, 219
modifying Cisco configuration files with TFTP and, 222–224
SNMP traps, 219
sockaddr structure, 170–171
sockaddr_in data structure, 78–79
socketcall system calls, 172–173
sockets. See also port-binding shellcode
binding shell to target computer TCP, 147–148
building in C with port_bind.c program, 171–172
creating in assembly language, 172–175
defined, 171
establishing in C, 170–171
programming in Linux, 170–173
shellcode to find open, 150–151
using in Python, 54
software traps, 162
software vendors. See also Microsoft
bug bounty programs by, 24–25
CERT/CC’s work with, 20–22
ISS’ approach to disclosures, 20
OIS’ role with, 22–23
response to Bugtraq-related attacks, 19
views on ethical disclosures, 18–19
source code analysis, 59–70
about, 59
auditing tools, 60–62
black hat reviews, 63
manually auditing code, 64–69
white hat reviews, 62–63
Yasca automated, 69–70
special SIDs, 355
Splint (Secure Programming Lint), 60, 61–62
spoofing. See also ARP spoofing; DNS spoofing
about, 213
defined, 193
hooking browsers with site, 462–465
Windows NetBIOS and LLMNR protocols, 194, 209–213
Windows vulnerabilities to, 194
sprintf()
checking for vulnerabilities in, 80–83
disassembling arguments in stack, 80–82
SQL. See also MySQL
multibyte encoding injection using, 397, 399
queries testing MD5 bypass injection string in, 395–396
SSH brute force attacks, Metasploit and Ncrack for, 217
stack
about, 239–240
allocation order of local variables on, 68
alternative to executing code on, 322
analyzing with IDA Pro, 77–78
bypassing protection for, 276–278
determining location to add NOP sled, 258–259
direct parameter access to, 268–269
disassembling sprintf() arguments in, 80–82
EBP and ESP on, 240
exploiting overflows of, 249–252
learning how object freed in, 443–444
mapping in Linux with %x token, 267
memory protection and attacks on, 288
non-executable memory pages, 278
preventing shellcode overwriting in, 155–156
randomizing memory calls to, 242, 281
residence in Windows systems, 304
saving EIP to, 247
vulnerability of format functions in, 265–267
.stack directive, 44
stack section, 38
Stack Smashing Protection (SSP), 275–276
StackGuard, 275
StackShield, 275
startup-config file, 221
Statement of Work (SOW), defined, 7
static analysis, 57–88. See also reverse engineering
about reverse engineering, 57–59
automated binary analysis tools, 85–87
binary analysis, 70–87
challenges in, 89–90
Droidbox for Android applications, 527–528
Ransomlock, 535–541
source code analysis, 59–70
stdin (standard input) files, 147
stdout (standard output) files, 147
sterr (standard error) files, 147
stopping/starting Peach fuzzing sessions, 133–134
Stored Communications Act, 15
strcpy command
setting breakpoint to step through function, 296, 298
strings. See also format string exploits
attacks on community, 215–216
guessing community, 217–219
placing shellcode in, 167–168
preparing packets to receive injection, 203
reading arbitrary Linux, 267–268
reviewing CMD54 for encoded malware, 558–561
scripts for decrypting IDA, 110–115
testing port-binding shellcode placed in, 176–177
use in memory, 38
using Python, 48–50
strip utility, 90
strnpy command, strcpy command vs., 32–33, 62–63
structures
assembly language file, 44
C language main(), 29–30, 90–91
defined, 170
identifying with IDA Pro, 78–79
sub command in assembly language, 42
SUID binaries, elevating privileges using, 261
Swftools suite, 428
System Access Control List (SACL), 343
system call proxy, 152–153
system calls
in assembly languages, 163
by C programming language, 162–163
execve, 166–168
exit, 163–165
making in user space shellcode, 145–146
setreuid, 165
socketcall, 172–173
software traps in system kernel, 162
System V calling convention, 554–556
T
target computers
accessing with port-binding shellcode, 147–148
binding to port with find socket shellcode, 150–151
loading libraries with process injection payloads, 153
modifying network traffic to, 198–205
reverse shellcode to connect to, 148–150
uploading files with wget utility, 152
using system call proxy for accessing, 152–153
viewing traffic between gateway and, 196–198
target routers
routing traffic over GRE tunnel from, 231–235
tunneling traffic from, 228–231
targets
choosing for fuzzing, 118–121
selecting, 8
Telnet sessions, executing shell operations over unencrypted, 151
templates
choosing fuzzing, 127
finding fuzzing, 124–125
bypass injection string, 395–396
charsets used for multibyte encoding injection, 400–401
CryptoLocker sample, 551–552
grammar-based, 123
Linux exploit code, 165, 168, 169, 255, 260–261
MD5 bypass injection string, 395–396
penetration, 5–9
port-binding shellcode, 175–177
programs in VMware host-only networking mode, 299
structure of Peach Pit file, 131–133
TIME WAIT or FIN WAIT messages during, 177
using parallel machines for Peach fuzzing, 136
XSS vulnerabilities, 409–410, 412–413
.text directive, 44
TFTP (Trivial File Transfer Protocol)
about, 220
getting Cisco device information via, 219
loading configuration information for Cisco devices via, 220
modifying Cisco configuration files with SNMP and, 222–224
this pointers, 103–104
Tidserv, 557–571
TIME WAIT messages, 177
token kidnapping, 386
tokens
%s, 267–268
%x, 267
process, 340–343
Windows Access Control, 338, 340–343
tools. See also specific tools
!token debugger command, 350–352
about hacking, 5
automated binary analysis, 85–87
binary diffing, 485–488
controversial hacking, 17–18
fuzzing, 117
objdump, 168, 175–176, 271, 272, 273
Process Explorer, 350–352
source code analysis auditing, 60–62
TrapX dynamic analysis, 586–590
Yasca, 69–70
traps
SNMP, 219
TrapX Malware Trap, 587–590
TrapX Threat Inspector, 586–587
Trivial File Transfer Protocol. See TFTP
tunneling. See GRE tunnels
turbodiff
about, 485
diffing MS14-006 with, 398
examining patch against 32-bit Windows 8.0, 498
features of, 487–488
opening, 489–490
U
UAF (Use-After-Free) technique
about, 435–436
analyzing code for, 436–438
dissecting exploits, 439–447
finding object’s address in memory, 441–443
identifying type of exploited freed objects, 441
leveraging vulnerabilities with, 447–453
locating vulnerable UAF functions, 430, 440–441
overwriting freed object address space, 444–445
understanding root cause of vulnerability, 445–447
Unicode normalization, 404–409
attacking applications using, 410–412
canonical equivalence in, 405–406, 407
compatibility equivalence and, 405, 407
defined, 405
identifying normalized data, 409–410
Normalization Forms, 407
Unicode UTF-8 encoding, 396
Uninformed Journal, 158
uninitialized pointers, 59
Universal Plug and Play (UPnP) vulnerabilities, 337, 338
Unix operating systems. See also Linux operating systems
execve system calls for, 146–147
updating, software with Evilgrade, 206–208, 213
UPnP (Universal Plug and Play) vulnerabilities, 337, 338
URL hooks, 461–462
US-CERT, 13
Use-After-Free technique. See UAF technique
user space
defined, 145
Immunity Debugger’s compatibility in, 298
user space shellcode, 145–153
accessing target with port-binding shellcode, 147–148
choosing which code to run, 146–147
connecting to network with reverse, 148–150
creating file transfer code, 152
disassembling, 156–157
encoding, 154–155
establishing network connections, 151
find socket shellcode, 150–151
making system calls in, 145–146
multistage, 152
self-corrupting, 155–156
system call proxy, 152–153
users
accessing privileges with buffer overflows, 246
CryptoLocker’s encrypting of files, 549–551, 552
escalating privilege for untrusted Windows, 370–371
fingerprinting, 468–469
regaining control of Desktop, 532, 544–549
responding to ransoms, 532
tricking into running hook, 461–462
visibility of Java applets during fingerprinting, 470
/usr/bin/ld:cannot find -lc error, 164
UTF-8 encoding, 396
V
variables
allocation stack order of local, 68
environment, 253–254, 269, 270
used C programs, 30–31
verifying
binary file execution with strace, 165, 166
Linux exploit code, 255, 260–261
SafeSEH removed from compiled programs, 331–332
Virtual Table Guard (VTGuard), 436
virtual table pointers (VPTRs), 318, 435
VirtualKD, 499
VirtualProtect () function, 321–322, 326
Visual Studio 2013 Express, 293
VLC plug-in check, 467–468
VMware
testing vulnerable programs in host-only networking mode, 299
VMWare Workstation, 499
VPTRs (virtual table pointers), 318, 435
vtables in C++ compiled code, 104–105
VTGuard (Virtual Table Guard), 436
vulnerabilities. See also spoofing; and specific exploits
auditing source code for, 65–66
binary diffing locating, 483–484
bug bounty programs for, 24–25
Cisco ASA and ACS software, 236–237
discovering with IDA Pro, 79–80
exploiting uncovered, 8
finding XSS, 402
kernel space shellcode, 157–158
locating Windows services, 368–370
multilanguage web application, 397
public disclosure of, 23
reverse engineering to assess, 58–59
uncovering Windows Access Control, 337–338
web application, 389–390, 397, 413–414
vulnerability assessments, 5–6
vulnerability disclosures, 18–25
consumers’ and software vendors’ views on, 18–19
how hackers deal with vulnerabilities, 18
OIS’ role in, 22–23
position of CERT/CC on, 20–22
W
web applications, 389–414. See also browsers; websites; XSS
adding your own test cases, 412–413
cross-site scripting, 402–404
exploiting multilanguage, 397
injecting pop-up box into page of, 189–190
launching XSS attacks manually, 410–412
MD5 hash injection, 390–396
multibyte encoding injection, 396–401
Unicode normalization, 404–409
URL hooks for, 461–462
vulnerabilities in, 389–390, 397, 413–414
XSS testing via x5s, 409–410, 412–413
websites. See also XSS
automatically rewriting traffic for, 465–466
hooking browsers with site spoofing, 462–465
wget utility, 152
white-box testing, 123
white hat hackers
defined, 18
reasons for reviewing source code, 62–63
white space in Python, 53
WinDbg. See Windows Debugger
Windows Access Control, 337–388. See also ACEs; DACLs
access token for, 338, 340–343
ACE inheritance, 346–349
Authenticated Users group SIDs, 355
building filter for Process Monitor, 360–361
elevating privileges using, 365
enumerating shared memory sections, 383–384
escalating directory read permissions, 378
Everyone group SIDs, 355
exploiting weak DACLs in registry, 372–375
GUI view of DACL, 345
investigating “access denied”, 357–360
kernel object enumeration, 396–397
key components of, 338
loading attack DLL at runtime, 377
modifying data files to attack data parser, 382
named pipe enumeration, 384–385
precision desiredAccess requests in, 361–364
process enumeration for, 385–386
removing inherited ACEs, 358–359
replacing .exe with attack .exe, 377
rights of ownership and, 357
security descriptors, 338, 343–346
security identifier for, 338, 339
special SIDs, 354–356
tampering with configuration files, 381–382, 383
tools for analyzing configurations of, 349–354
vulnerabilities in, 337–338
weak directory DACLs, 375–379
weak file DACLs, 379–383
Windows Debugger (WinDbg)
analyzing HeapLib2 spraying with, 426–427
attaching to Internet Explorer, 416–417
changing desiredAccess request using, 363–364
debugging kernel in, 499–503
deleting breakpoints in, 446
dissecting UAF exploits with, 439–447
dumping process tokens with, 350–353
installing and configuring, 415–416
kernel space compatibility of, 298
restarting from command line, 417
Windows exploits, 291–312. See also attack patterns for Windows objects
building, 306–307
compiling Windows programs, 291–293
debugging, 307–309
debugging meet.exe program, 295–298
determining attack vector, 298, 304–306
Immunity Debugger for, 293–295
structured exception handling, 309–311
verifying successful execution, 309
writing, 298–299
Windows memory protections. See also bypassing Windows memory protections
ASLR, 317
bypassing, 318–335
DEP, 316
EMET, 317–318
/GS compiler option, 313–314
heap protections, 315–316
SafeSEH, 314–315
SEHOP, 315
understanding, 313
Windows operating systems. See also Windows Access Control; Windows exploits; Windows memory protections
64-bit versions of, 553–554
API functions used by malware, 559
CreateProcess function for, 147
downloading/extracting patches, 492–494
__fastcall calling convention for, 554, 556–557
kernel-level exploits in, 157–159
making system calls in shellcode, 145–146
regaining Desktop control from Ransomlock, 549
services of, 365–371
setting network preferences with Responder, 212
spoofing NetBIOS and LLMNR protocols, 194, 209–213
tampering with configuration files, 381–382, 383
tools analyzing access control configs, 349–354
understanding SEH, 309–311
using LFH maliciously, 431–432
vulnerabilities to spoofing attacks, 194
Windows registry
attacks against, 372
enumerating DACLs of keys, 372–374
granting “write” permission to, 374
read access to Windows registry keys, 375
Windows services, 365–371
configuring privilege escalation for, 370–371
elevating execute permissions for, 368
enumerating DACLs of, 366–367
finding vulnerable, 368–370
granting write access to, 367
modifying read access to, 367–368
WIPO (World Intellectual Property Organization) Copyright Treaty, 15–16
Wireshark, 506
Wiretap Act, 15
wordlists for password cracking, 227
World Intellectual Property Organization (WIPO) Copyright Treaty, 15–16
wrapper functions, 109–110, 574
“write” access elevation
giving to Windows services, 367
granting to users of Windows directories, 376–377
modifying files for, 382
to Windows registry, 374
writing. See also writing Linux shellcode
to arbitrary memory, 269–271
file DACLs to executable files, 380–381
hex opcodes, 161
malware signatures in YARA, 576, 577
Windows exploits, 298–299
writing Linux shellcode
automating with Metasploit, 187–189
basics of, 161–169
creating system call software traps, 162
encoding shellcode, 180–187
executing execve system calls, 166–168
extracting hex opcodes, 168, 175–176
finding function signature at C level, 162–163
implementing port-binding shellcode, 169–177
reverse-connecting shellcode, 177–180
system calls by assembly, 163–168
ways to write shellcode, 161
X
x5s plug-in
about, 407
hunting XSS using, 408–409
testing XSS vulnerabilities with, 409–410, 412–413
Xcode, 47
XOR function
decoding JMP/CALL with, 181–183
decrypting location of, 578–580
encoding using, 180–181
running number with itself using, 165
use in assembly language, 42
using FNSTENV XOR, 183–187
XSS (cross-site scripting), 402–404
about, 402
bypassing XSS filters with normalization, 405–406
filters preventing, 404–405
hunting with x5s plug-in, 408–409
injecting via JavaScript, 403–404
launching attacks manually, 410–412
OWASP XSS Filter Evasion Cheat Sheet, 404
testing with x5s, 409–410, 412–413
tricking users to run hook with, 461–462
using x5s plug-in to find, 407
XSS Filter Evasion Cheat Sheet, 404, 405
XssRays tab (BeEF), 460
Y
Yahoo!, 125
Yasca, 69–70
Z
zero-day attacks
about, 4
capturing and analyzing code for, 587–588
heap spray exploits for, 429
techniques for IE, 415
Zero-Day Initiative (ZDI), 25
ZIP archives for Android, 511–512
Zzuf, 141