Table of contents:

Cover
Title Page
Copyright Page
Contents
Preface
Acknowledgments
Introduction

Part I  Preparation

Chapter 1  Why Gray Hat Hacking? Ethics and Law
  Know Your Enemy
    The Current Security Landscape
    Recognizing an Attack
  The Gray Hat Way
    Emulating the Attack
    Frequency and Focus of Testing
  Evolution of Cyberlaw
    Understanding Individual Cyberlaws
  Summary
  References

Chapter 2  Programming Survival Skills
  C Programming Language
    Basic C Language Constructs
    Sample Program
    Compiling with gcc
  Computer Memory
    Random Access Memory
    Endian
    Segmentation of Memory
    Programs in Memory
    Buffers
    Strings in Memory
    Pointers
    Putting the Pieces of Memory Together
  Intel Processors
    Registers
  Assembly Language Basics
    Machine vs. Assembly vs. C
    AT&T vs. NASM
    Addressing Modes
    Assembly File Structure
    Assembling
  Debugging with gdb
    gdb Basics
    Disassembly with gdb
  Python Survival Skills
    Getting Python
    "Hello, World!" in Python
    Python Objects
    Strings
    Numbers
    Lists
    Dictionaries
    Files with Python
    Sockets with Python
  Summary
  For Further Reading
  References

Chapter 3  Next-Generation Fuzzing
  Introduction to Fuzzing
  Types of Fuzzers
    Mutation Fuzzers
    Generation Fuzzers
    Genetic Fuzzing
  Mutation Fuzzing with Peach
    Lab 3-1: Mutation Fuzzing with Peach
  Generation Fuzzing with Peach
    Crash Analysis
    Lab 3-2: Generation Fuzzing with Peach
  Genetic or Evolutionary Fuzzing with AFL
    Lab 3-3: Genetic Fuzzing with AFL
  Summary
  For Further Reading

Chapter 4  Next-Generation Reverse Engineering
  Code Annotation
    IDB Annotation with IDAscope
    C++ Code Analysis
  Collaborative Analysis
    Leveraging Collaborative Knowledge Using FIRST
    Collaboration with BinNavi
  Dynamic Analysis
    Automated Dynamic Analysis with Cuckoo Sandbox
    Bridging the Static-Dynamic Tool Gap with Labeless
  Summary
  For Further Reading
  References

Chapter 5  Software-Defined Radio
  Getting Started with SDR
    What to Buy
    Not So Quick: Know the Rules
  Learn by Example
    Search
    Capture
    Replay
    Analyze
    Preview
    Execute
  Summary
  For Further Reading

Part II  Business of Hacking

Chapter 6  So You Want to Be a Pen Tester?
  The Journey from Novice to Expert
    Pen Tester Ethos
    Pen Tester Taxonomy
    The Future of Hacking
    Know the Tech
    Know What Good Looks Like
  Pen Tester Training
    Practice
    Degree Programs
    Knowledge Transfer
  Pen Tester Tradecraft
    Personal Liability
    Being the Trusted Advisor
    Managing a Pen Test
  Summary
  For Further Reading

Chapter 7  Red Teaming Operations
  Red Team Operations
    Strategic, Operational, and Tactical Focus
    Assessment Comparisons
  Red Teaming Objectives
  What Can Go Wrong
    Limited Scope
    Limited Time
    Limited Audience
    Overcoming Limitations
  Communications
    Planning Meetings
    Defining Measurable Events
  Understanding Threats
    Attack Frameworks
  Testing Environment
  Adaptive Testing
    External Assessment
    Physical Security Assessment
    Social Engineering
    Internal Assessment
  Lessons Learned
  Summary
  References

Chapter 8  Purple Teaming
  Introduction to Purple Teaming
  Blue Team Operations
    Know Your Enemy
    Know Yourself
    Security Program
    Incident Response Program
    Common Blue Teaming Challenges
  Purple Teaming Operations
    Decision Frameworks
    Disrupting the Kill Chain
    Kill Chain Countermeasure Framework
    Communication
  Purple Team Optimization
  Summary
  For Further Reading
  References

Chapter 9  Bug Bounty Programs
  History of Vulnerability Disclosure
    Full Vendor Disclosure
    Full Public Disclosure
    Responsible Disclosure
    No More Free Bugs
  Bug Bounty Programs
    Types of Bug Bounty Programs
    Incentives
    Controversy Surrounding Bug Bounty Programs
    Popular Bug Bounty Program Facilitators
  Bugcrowd in Depth
    Program Owner Web Interface
    Program Owner API Example
    Researcher Web Interface
  Earning a Living Finding Bugs
    Selecting a Target
    Registering (If Required)
    Understanding the Rules of the Game
    Finding Vulnerabilities
    Reporting Vulnerabilities
    Cashing Out
  Incident Response
    Communication
    Triage
    Remediation
    Disclosure to Users
    Public Relations
  Summary
  For Further Reading
  References

Part III  Exploiting Systems

Chapter 10  Getting Shells Without Exploits
  Capturing Password Hashes
    Understanding LLMNR and NBNS
    Understanding Windows NTLMv1 and NTLMv2 Authentication
    Using Responder
    Lab 10-1: Getting Passwords with Responder
  Using Winexe
    Lab 10-2: Using Winexe to Access Remote Systems
    Lab 10-3: Using Winexe to Gain Elevated Privileges
  Using WMI
    Lab 10-4: Querying System Information with WMI
    Lab 10-5: Executing Commands with WMI
  Taking Advantage of WinRM
    Lab 10-6: Executing Commands with WinRM
    Lab 10-7: Using WinRM to Run PowerShell Remotely
  Summary
  For Further Reading
  Reference

Chapter 11  Basic Linux Exploits
  Stack Operations and Function-Calling Procedures
  Buffer Overflows
    Lab 11-1: Overflowing meet.c
    Ramifications of Buffer Overflows
  Local Buffer Overflow Exploits
    Lab 11-2: Components of the Exploit
    Lab 11-3: Exploiting Stack Overflows from the Command Line
    Lab 11-4: Exploiting Stack Overflows with Generic Exploit Code
    Lab 11-5: Exploiting Small Buffers
  Exploit Development Process
    Lab 11-6: Building Custom Exploits
  Summary
  For Further Reading

Chapter 12  Advanced Linux Exploits
  Format String Exploits
    Format Strings
    Lab 12-1: Reading from Arbitrary Memory
    Lab 12-2: Writing to Arbitrary Memory
    Lab 12-3: Changing Program Execution
  Memory Protection Schemes
    Compiler Improvements
    Lab 11-4: Bypassing Stack Protection
    Kernel Patches and Scripts
    Lab 12-5: Return to libc Exploits
    Lab 12-6: Maintaining Privileges with ret2libc
    Bottom Line
  Summary
  For Further Reading
  References

Chapter 13  Windows Exploits
  Compiling and Debugging Windows Programs
    Lab 13-1: Compiling on Windows
    Windows Compiler Options
    Debugging on Windows with Immunity Debugger
    Lab 13-2: Crashing the Program
  Writing Windows Exploits
    Exploit Development Process Review
    Lab 13-3: Exploiting ProSSHD Server
  Understanding Structured Exception Handling (SEH)
  Understanding and Bypassing Windows Memory Protections
    Safe Structured Exception Handling (SafeSEH)
    Bypassing SafeSEH
    SEH Overwrite Protection (SEHOP)
    Bypassing SEHOP
    Stack-Based Buffer Overrun Detection (/GS)
    Bypassing /GS
    Heap Protections
  Summary
  For Further Reading
  References

Chapter 14  Advanced Windows Exploitation
  Data Execution Prevention (DEP)
  Address Space Layout Randomization (ASLR)
  Enhanced Mitigation Experience Toolkit (EMET) and Windows Defender Exploit Guard
  Bypassing ASLR
  Bypassing DEP and Avoiding ASLR
    VirtualProtect
    Return-Oriented Programming
    Gadgets
    Building the ROP Chain
  Defeating ASLR Through a Memory Leak
    Triggering the Bug
    Tracing the Memory Leak
    Weaponizing the Memory Leak
    Building the RVA ROP Chain
  Summary
  For Further Reading
  References

Chapter 15  PowerShell Exploitation
  Why PowerShell
    Living Off the Land
    PowerShell Logging
    PowerShell Portability
  Loading PowerShell Scripts
    Lab 15-1: The Failure Condition
    Lab 15-2: Passing Commands on the Command Line
    Lab 15-3: Encoded Commands
    Lab 15-4: Bootstrapping via the Web
  Exploitation and Post-Exploitation with PowerSploit
    Lab 15-5: Setting Up PowerSploit
    Lab 15-6: Running Mimikatz Through PowerShell
    Lab 15-7: Creating a Persistent Meterpreter Using PowerSploit
  Using PowerShell Empire for C2
    Lab 15-8: Setting Up Empire
    Lab 15-9: Staging an Empire C2
    Lab 15-10: Using Empire to Own the System
  Summary
  For Further Reading
  References

Chapter 16  Next-Generation Web Application Exploitation
  The Evolution of Cross-Site Scripting (XSS)
    Setting Up the Environment
    Lab 16-1: XSS Refresher
    Lab 16-2: XSS Evasion from Internet Wisdom
    Lab 16-3: Changing Application Logic with XSS
    Lab 16-4: Using the DOM for XSS
  Framework Vulnerabilities
    Setting Up the Environment
    Lab 16-5: Exploiting CVE-2017-5638
    Lab 16-6: Exploiting CVE-2017-9805
  Padding Oracle Attacks
    Lab 16-7: Changing Data with the Padding Oracle Attack
  Summary
  For Further Reading
  References

Chapter 17  Next-Generation Patch Exploitation
  Introduction to Binary Diffing
    Application Diffing
    Patch Diffing
  Binary Diffing Tools
    BinDiff
    turbodiff
    Lab 17-1: Our First Diff
  Patch Management Process
    Microsoft Patch Tuesday
    Obtaining and Extracting Microsoft Patches
    Lab 17-2: Diffing MS17-010
  Patch Diffing for Exploitation
    DLL Side-Loading Bugs
    Lab 17-3: Diffing MS16-009
  Summary
  For Further Reading
  References

Part IV  Advanced Malware Analysis

Chapter 18  Dissecting Mobile Malware
  The Android Platform
    Android Application Package
    Application Manifest
    Analyzing DEX
    Java Decompilation
    DEX Decompilation
    DEX Disassembling
    Example 18-1: Running APK in Emulator
    Malware Analysis
  The iOS Platform
    iOS Security
    iOS Applications
  Summary
  For Further Reading
  References

Chapter 19  Dissecting Ransomware
  The Beginnings of Ransomware
  Options for Paying the Ransom
  Dissecting Ransomlock
    Example 19-1: Dynamic Analysis
    Example 19-2: Static Analysis
  Wannacry
    Example 19-3: Analyzing Wannacry Ransomware
  Summary
  For Further Reading

Chapter 20  ATM Malware
  ATM Overview
  XFS Overview
    XFS Architecture
    XFS Manager
  ATM Malware Analysis
    Types of ATM Malware
    Techniques for Installing Malware on ATMs
    Techniques for Dissecting the Malware
    ATM Malware Countermeasures
  Summary
  For Further Reading
  References

Chapter 21  Deception: Next-Generation Honeypots
  Brief History of Deception
  Honeypots as a Form of Deception
    Deployment Considerations
    Setting Up a Virtual Machine
  Open Source Honeypots
    Lab 21-1: Dionaea
    Lab 21-2: ConPot
    Lab 21-3: Cowrie
    Lab 21-4: T-Pot
  Commercial Alternative: TrapX
  Summary
  For Further Reading
  References

Part V  Internet of Things

Chapter 22  Internet of Things to Be Hacked
  Internet of Things (IoT)
    Types of Connected Things
    Wireless Protocols
    Communication Protocols
    Security Concerns
  Shodan IoT Search Engine
    Web Interface
    Shodan Command-Line Interface
    Lab 22-1: Using the Shodan Command Line
    Shodan API
    Lab 22-2: Testing the Shodan API
    Lab 22-3: Playing with MQTT
    Implications of This Unauthenticated Access to MQTT
  IoT Worms: It Was a Matter of Time
    Lab 22-4: Mirai Lives
    Prevention
  Summary
  For Further Reading
  References

Chapter 23  Dissecting Embedded Devices
  CPU
    Microprocessor
    Microcontrollers
    System on Chip (SoC)
    Common Processor Architectures
  Serial Interfaces
    UART
    SPI
    I2C
  Debug Interfaces
    JTAG
    SWD (Serial Wire Debug)
  Software
    Bootloader
    No Operating System
    Real-Time Operating System
    General Operating System
  Summary
  For Further Reading
  References

Chapter 24  Exploiting Embedded Devices
  Static Analysis of Vulnerabilities in Embedded Devices
    Lab 24-1: Analyzing the Update Package
    Lab 24-2: Performing Vulnerability Analysis
  Dynamic Analysis with Hardware
    The Test Environment Setup
    Ettercap
  Dynamic Analysis with Emulation
    FIRMADYNE
    Lab 24-3: Setting Up FIRMADYNE
    Lab 24-4: Emulating Firmware
    Lab 24-5: Exploiting Firmware
  Summary
  Further Reading
  References

Chapter 25  Fighting IoT Malware
  Physical Access to the Device
    RS-232 Overview
    RS-232 Pinout
    Exercise 25-1: Troubleshooting a Medical Device's RS-232 Port
  Setting Up the Threat Lab
    ARM and MIPS Overview
    Lab 25-1: Setting Up Systems with QEMU
  Dynamic Analysis of IoT Malware
    Lab 25-2: IoT Malware Dynamic Analysis
    Platform for Architecture-Neutral Dynamic Analysis (PANDA)
    BeagleBone Black Board
  Reverse Engineering IoT Malware
    Crash-Course ARM/MIPS Instruction Set
    Lab 25-3: IDA Pro Remote Debugging and Reversing
    IoT Malware Reversing Exercise
  Summary
  For Further Reading

Index