Gray Hat Hacking: The Ethical Hacker's Handbook [5 ed.] 1260108414, 9781260108415

Table of contents :
Cover
Title page
Copyright Page
Contents
Preface
Acknowledgments
Introduction
Part I Preparation
Chapter 1 Why Gray Hat Hacking? Ethics and Law
Know Your Enemy
The Current Security Landscape
Recognizing an Attack
The Gray Hat Way
Emulating the Attack
Frequency and Focus of Testing
Evolution of Cyberlaw
Understanding Individual Cyberlaws
Summary
References
Chapter 2 Programming Survival Skills
C Programming Language
Basic C Language Constructs
Sample Program
Compiling with gcc
Computer Memory
Random Access Memory
Endian
Segmentation of Memory
Programs in Memory
Buffers
Strings in Memory
Pointers
Putting the Pieces of Memory Together
Intel Processors
Registers
Assembly Language Basics
Machine vs. Assembly vs. C
AT&T vs. NASM
Addressing Modes
Assembly File Structure
Assembling
Debugging with gdb
gdb Basics
Disassembly with gdb
Python Survival Skills
Getting Python
“Hello, World!” in Python
Python Objects
Strings
Numbers
Lists
Dictionaries
Files with Python
Sockets with Python
Summary
For Further Reading
References
Chapter 3 Next-Generation Fuzzing
Introduction to Fuzzing
Types of Fuzzers
Mutation Fuzzers
Generation Fuzzers
Genetic Fuzzing
Mutation Fuzzing with Peach
Lab 3-1: Mutation Fuzzing with Peach
Generation Fuzzing with Peach
Crash Analysis
Lab 3-2: Generation Fuzzing with Peach
Genetic or Evolutionary Fuzzing with AFL
Lab 3-3: Genetic Fuzzing with AFL
Summary
For Further Reading
Chapter 4 Next-Generation Reverse Engineering
Code Annotation
IDB Annotation with IDAscope
C++ Code Analysis
Collaborative Analysis
Leveraging Collaborative Knowledge Using FIRST
Collaboration with BinNavi
Dynamic Analysis
Automated Dynamic Analysis with Cuckoo Sandbox
Bridging the Static-Dynamic Tool Gap with Labeless
Summary
For Further Reading
References
Chapter 5 Software-Defined Radio
Getting Started with SDR
What to Buy
Not So Quick: Know the Rules
Learn by Example
Search
Capture
Replay
Analyze
Preview
Execute
Summary
For Further Reading
Part II Business of Hacking
Chapter 6 So You Want to Be a Pen Tester?
The Journey from Novice to Expert
Pen Tester Ethos
Pen Tester Taxonomy
The Future of Hacking
Know the Tech
Know What Good Looks Like
Pen Tester Training
Practice
Degree Programs
Knowledge Transfer
Pen Tester Tradecraft
Personal Liability
Being the Trusted Advisor
Managing a Pen Test
Summary
For Further Reading
Chapter 7 Red Teaming Operations
Red Team Operations
Strategic, Operational, and Tactical Focus
Assessment Comparisons
Red Teaming Objectives
What Can Go Wrong
Limited Scope
Limited Time
Limited Audience
Overcoming Limitations
Communications
Planning Meetings
Defining Measurable Events
Understanding Threats
Attack Frameworks
Testing Environment
Adaptive Testing
External Assessment
Physical Security Assessment
Social Engineering
Internal Assessment
Lessons Learned
Summary
References
Chapter 8 Purple Teaming
Introduction to Purple Teaming
Blue Team Operations
Know Your Enemy
Know Yourself
Security Program
Incident Response Program
Common Blue Teaming Challenges
Purple Teaming Operations
Decision Frameworks
Disrupting the Kill Chain
Kill Chain Countermeasure Framework
Communication
Purple Team Optimization
Summary
For Further Reading
References
Chapter 9 Bug Bounty Programs
History of Vulnerability Disclosure
Full Vendor Disclosure
Full Public Disclosure
Responsible Disclosure
No More Free Bugs
Bug Bounty Programs
Types of Bug Bounty Programs
Incentives
Controversy Surrounding Bug Bounty Programs
Popular Bug Bounty Program Facilitators
Bugcrowd in Depth
Program Owner Web Interface
Program Owner API Example
Researcher Web Interface
Earning a Living Finding Bugs
Selecting a Target
Registering (If Required)
Understanding the Rules of the Game
Finding Vulnerabilities
Reporting Vulnerabilities
Cashing Out
Incident Response
Communication
Triage
Remediation
Disclosure to Users
Public Relations
Summary
For Further Reading
References
Part III Exploiting Systems
Chapter 10 Getting Shells Without Exploits
Capturing Password Hashes
Understanding LLMNR and NBNS
Understanding Windows NTLMv1 and NTLMv2 Authentication
Using Responder
Lab 10-1: Getting Passwords with Responder
Using Winexe
Lab 10-2: Using Winexe to Access Remote Systems
Lab 10-3: Using Winexe to Gain Elevated Privileges
Using WMI
Lab 10-4 : Querying System Information with WMI
Lab 10-5: Executing Commands with WMI
Taking Advantage of WinRM
Lab 10-6: Executing Commands with WinRM
Lab 10-7: Using WinRM to Run PowerShell Remotely
Summary
For Further Reading
Reference
Chapter 11 Basic Linux Exploits
Stack Operations and Function-Calling Procedures
Buffer Overflows
Lab 11-1: Overflowing meet.c
Ramifications of Buffer Overflows
Local Buffer Overflow Exploits
Lab 11-2: Components of the Exploit
Lab 11-3: Exploiting Stack Overflows from the Command Line
Lab 11-4: Exploiting Stack Overflows with Generic Exploit Code
Lab 11-5: Exploiting Small Buffers
Exploit Development Process
Lab 11-6: Building Custom Exploits
Summary
For Further Reading
Chapter 12 Advanced Linux Exploits
Format String Exploits
Format Strings
Lab 12-1: Reading from Arbitrary Memory
Lab 12-2: Writing to Arbitrary Memory
Lab 12-3: Changing Program Execution
Memory Protection Schemes
Compiler Improvements
Lab 11-4: Bypassing Stack Protection
Kernel Patches and Scripts
Lab 12-5: Return to libc Exploits
Lab 12-6: Maintaining Privileges with ret2libc
Bottom Line
Summary
For Further Reading
References
Chapter 13 Windows Exploits
Compiling and Debugging Windows Programs
Lab 13-1: Compiling on Windows
Windows Compiler Options
Debugging on Windows with Immunity Debugger
Lab 13-2: Crashing the Program
Writing Windows Exploits
Exploit Development Process Review
Lab 13-3: Exploiting ProSSHD Server
Understanding Structured Exception Handling (SEH)
Understanding and Bypassing Windows Memory Protections
Safe Structured Exception Handling (SafeSEH)
Bypassing SafeSEH
SEH Overwrite Protection (SEHOP)
Bypassing SEHOP
Stack-Based Buffer Overrun Detection (/GS)
Bypassing /GS
Heap Protections
Summary
For Further Reading
References
Chapter 14 Advanced Windows Exploitation
Data Execution Prevention (DEP)
Address Space Layout Randomization (ASLR)
Enhanced Mitigation Experience Toolkit (EMET) and Windows Defender Exploit Guard
Bypassing ASLR
Bypassing DEP and Avoiding ASLR
VirtualProtect
Return-Oriented Programming
Gadgets
Building the ROP Chain
Defeating ASLR Through a Memory Leak
Triggering the Bug
Tracing the Memory Leak
Weaponizing the Memory Leak
Building the RVA ROP Chain
Summary
For Further Reading
References
Chapter 15 PowerShell Exploitation
Why PowerShell
Living Off the Land
PowerShell Logging
PowerShell Portability
Loading PowerShell Scripts
Lab 15-1: The Failure Condition
Lab 15-2: Passing Commands on the Command Line
Lab 15-3: Encoded Commands
Lab 15-4: Bootstrapping via the Web
Exploitation and Post-Exploitation with PowerSploit
Lab 15-5: Setting Up PowerSploit
Lab 15-6: Running Mimikatz Through PowerShell
Lab 15-7: Creating a Persistent Meterpreter Using PowerSploit
Using PowerShell Empire for C2
Lab 15-8: Setting Up Empire
Lab 15-9: Staging an Empire C2
Lab 15-10: Using Empire to Own the System
Summary
For Further Reading
References
Chapter 16 Next-Generation Web Application Exploitation
The Evolution of Cross-Site Scripting (XSS)
Setting Up the Environment
Lab 16-1: XSS Refresher
Lab 16-2: XSS Evasion from Internet Wisdom
Lab 16-3: Changing Application Logic with XSS
Lab 16-4: Using the DOM for XSS
Framework Vulnerabilities
Setting Up the Environment
Lab 16-5: Exploiting CVE-2017-5638
Lab 16-6: Exploiting CVE-2017-9805
Padding Oracle Attacks
Lab 16-7: Changing Data with the Padding Oracle Attack
Summary
For Further Reading
References
Chapter 17 Next-Generation Patch Exploitation
Introduction to Binary Diffing
Application Diffing
Patch Diffing
Binary Diffing Tools
BinDiff
turbodiff
Lab 17-1: Our First Diff
Patch Management Process
Microsoft Patch Tuesday
Obtaining and Extracting Microsoft Patches
Lab 17-2: Diffing MS17-010
Patch Diffing for Exploitation
DLL Side-Loading Bugs
Lab 17-3: Diffing MS16-009
Summary
For Further Reading
References
Part IV Advanced Malware Analysis
Chapter 18 Dissecting Mobile Malware
The Android Platform
Android Application Package
Application Manifest
Analyzing DEX
Java Decompilation
DEX Decompilation
DEX Disassembling
Example 18-1: Running APK in Emulator
Malware Analysis
The iOS Platform
iOS Security
iOS Applications
Summary
For Further Reading
References
Chapter 19 Dissecting Ransomware
The Beginnings of Ransomware
Options for Paying the Ransom
Dissecting Ransomlock
Example 19-1: Dynamic Analysis
Example 19-2: Static Analysis
Wannacry
Example 19-3: Analyzing Wannacry Ransomware
Summary
For Further Reading
Chapter 20 ATM Malware
ATM Overview
XFS Overview
XFS Architecture
XFS Manager
ATM Malware Analysis
Types of ATM Malware
Techniques for Installing Malware on ATMs
Techniques for Dissecting the Malware
ATM Malware Countermeasures
Summary
For Further Reading
References
Chapter 21 Deception: Next-Generation Honeypots
Brief History of Deception
Honeypots as a Form of Deception
Deployment Considerations
Setting Up a Virtual Machine
Open Source Honeypots
Lab 21-1: Dionaea
Lab 21-2: ConPot
Lab 21-3: Cowrie
Lab 21-4: T-Pot
Commercial Alternative: TrapX
Summary
For Further Reading
References
Part V Internet of Things
Chapter 22 Internet of Things to Be Hacked
Internet of Things (IoT)
Types of Connected Things
Wireless Protocols
Communication Protocols
Security Concerns
Shodan IoT Search Engine
Web Interface
Shodan Command-Line Interface
Lab 22-1: Using the Shodan Command Line
Shodan API
Lab 22-2: Testing the Shodan API
Lab 22-3: Playing with MQTT
Implications of This Unauthenticated Access to MQTT
IoT Worms: It Was a Matter of Time
Lab 22-4: Mirai Lives
Prevention
Summary
For Further Reading
References
Chapter 23 Dissecting Embedded Devices
CPU
Microprocessor
Microcontrollers
System on Chip (SoC)
Common Processor Architectures
Serial Interfaces
UART
SPI
I2C
Debug Interfaces
JTAG
SWD (Serial Wire Debug)
Software
Bootloader
No Operating System
Real-Time Operating System
General Operating System
Summary
For Further Reading
References
Chapter 24 Exploiting Embedded Devices
Static Analysis of Vulnerabilities in Embedded Devices
Lab 24-1: Analyzing the Update Package
Lab 24-2: Performing Vulnerability Analysis
Dynamic Analysis with Hardware
The Test Environment Setup
Ettercap
Dynamic Analysis with Emulation
FIRMADYNE
Lab 24-3: Setting Up FIRMADYNE
Lab 24-4: Emulating Firmware
Lab 24-5: Exploiting Firmware
Summary
Further Reading
References
Chapter 25 Fighting IoT Malware
Physical Access to the Device
RS-232 Overview
RS-232 Pinout
Exercise 25-1: Troubleshooting a Medical Device’s RS-232 Port
Setting Up the Threat Lab
ARM and MIPS Overview
Lab 25-1: Setting Up Systems with QEMU
Dynamic Analysis of IoT Malware
Lab 25-2: IoT Malware Dynamic Analysis
Platform for Architecture-Neutral Dynamic Analysis (PANDA)
BeagleBone Black Board
Reverse Engineering IoT Malware
Crash-Course ARM/MIPS Instruction Set
Lab 25-3: IDA Pro Remote Debugging and Reversing
IoT Malware Reversing Exercise
Summary
For Further Reading
Index
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z