Entry | Page | (Pages)
Preface | xxiv |
Acknowledgments | xxv |
Introduction | xxvii |

Part I Crash Course: Preparing for the War

Chapter 1 Ethical Hacking and the Legal System | 3 | (26)
  Why You Need to Understand Your Enemy's Tactics | 3 | (1)
  Recognizing Trouble When It Happens | 4 | (1)
  The Ethical Hacking Process | 5 | (1)
  The Penetration Testing Process | 6 | (2)
  What Would an Unethical Hacker Do Differently? | 8 | (1)
  Understanding Individual Cyberlaws | 10 | (7)
  The Controversy of "Hacking" Tools | 17 | (1)
  Different Teams and Points of View | 18 | (1)
  Organization for Internet Safety | 22 | (1)
  Conflicts Will Still Exist | 23 | (1)
|
Chapter 2 Programming Survival Skills | 29 | (28)
  Basic C Language Constructs | 29 | (5)
  Random Access Memory (RAM) | 36 | (1)
  Putting the Pieces of Memory Together | 39 | (1)
  Machine vs. Assembly vs. C | 41 | (1)
|
Chapter 3 Static Analysis | 57 | (32)
  Ethical Reverse Engineering | 57 | (1)
  Why Bother with Reverse Engineering? | 58 | (1)
  Reverse Engineering Considerations | 58 | (1)
  Source Code Auditing Tools | 60 | (2)
  The Utility of Source Code Auditing Tools | 62 | (2)
  Manual Source Code Auditing | 64 | (5)
  Automated Source Code Analysis | 69 | (1)
  Manual Auditing of Binary Code | 71 | (14)
  Automated Binary Analysis Tools | 85 | (4)
|
Chapter 4 Advanced Analysis with IDA Pro | 89 | (28)
  Static Analysis Challenges | 89 | (1)
  Statically Linked Programs and FLAIR | 92 | (6)
  Quirks of Compiled C++ Code | 103 | (2)
    Example 4-1 Decrypting Strings in Place | 114 | (1)
|
Chapter 5 World of Fuzzing | 117 | (28)
  Finding the Fuzzing Templates | 124 | (3)
    Lab 5-1 Collecting Samples from the Internet Archive | 126 | (1)
  Choosing the Optimal Template Set with Code Coverage | 127 | (2)
    Lab 5-2 Selecting the Best Samples for Fuzzing | 127 | (2)
    Lab 5-3 Mutation Fuzzing with Peach | 140 | (1)
|
Chapter 6 Shellcode Strategies | 145 | (16)
  System Call Proxy Shellcode | 152 | (1)
  Process Injection Shellcode | 153 | (1)
  Other Shellcode Considerations | 154 | (1)
  Self-Corrupting Shellcode | 155 | (1)
  Kernel Space Considerations | 158 | (3)
|
Chapter 7 Writing Linux Shellcode | 161 | (32)
  Shell-Spawning Shellcode with execve | 166 | (3)
  Implementing Port-Binding Shellcode | 169 | (1)
    Assembly Program to Establish a Socket | 172 | (3)
  Implementing Reverse Connecting Shellcode | 177 | (1)
    Reverse Connecting C Program | 177 | (1)
    Reverse Connecting Assembly Program | 178 | (2)
  Structure of Encoded Shellcode | 181 | (1)
    JMP/CALL XOR Decoder Example | 181 | (2)
    Putting the Code Together | 184 | (3)
  Automating Shellcode Generation with Metasploit | 187 | (1)
    Generating Shellcode with Metasploit | 187 | (1)
    Encoding Shellcode with Metasploit | 188 | (1)
|
Part II From Vulnerability to Exploit

Chapter 8 Spoofing-Based Attacks | 193 | (22)
    Lab 8-1 ARP Spoofing with Ettercap | 195 | (1)
  Modifying Network Traffic | 198 | (8)
    Lab 8-2 DNS Spoofing with Ettercap | 206 | (2)
  NetBIOS Name Spoofing and LLMNR Spoofing | 209 | (3)
    Lab 8-3 Attacking NetBIOS and LLMNR with Responder | 209 | (3)
  Cracking NTLMv1 and NTLMv2 Hashes | 212 | (3)
|
Chapter 9 Exploiting Cisco Routers | 215 | (24)
  Attacking Community Strings and Passwords | 215 | (4)
    Lab 9-1 Guessing Credentials with Ncrack and Metasploit | 215 | (2)
    Lab 9-2 Guessing Community Strings with Onesixtyone and Metasploit | 217 | (2)
    Lab 9-3 Downloading Configuration Files with Metasploit | 220 | (2)
    Lab 9-4 Modifying Configurations with SNMP and TFTP | 222 | (2)
  Attacking Cisco Passwords | 224 | (1)
    Attacking Cisco Type 7 Passwords | 224 | (2)
    Lab 9-5 Cracking Type 7 Passwords with Cain | 225 | (1)
    Lab 9-6 Cracking Type 7 Passwords with Metasploit | 225 | (1)
    Attacking Cisco Type 5 Passwords | 226 | (2)
    Lab 9-7 Attacking Cisco Type 5 Passwords with John the Ripper | 226 | (2)
  Middling Traffic with Tunnels | 228 | (7)
    Lab 9-8 Setting Up a GRE Tunnel | 228 | (3)
    Lab 9-9 Routing Traffic over a GRE Tunnel | 231 | (4)
  Exploits and Other Attacks | 235 | (1)
  Maintaining Access on Cisco Devices | 236 | (3)
|
Chapter 10 Basic Linux Exploits | 239 | (24)
  Function Calling Procedure | 240 | (1)
    Lab 10-1 Overflow of meet.c | 242 | (4)
  Ramifications of Buffer Overflows | 246 | (1)
  Local Buffer Overflow Exploits | 246 | (9)
    Lab 10-2 Components of the Exploit | 247 | (2)
    Lab 10-3 Exploiting Stack Overflows from the Command Line | 249 | (2)
    Lab 10-4 Exploiting Stack Overflows with Generic Exploit Code | 251 | (2)
    Lab 10-5 Exploiting Small Buffers | 253 | (2)
  Exploit Development Process | 255 | (8)
    Lab 10-6 Building Custom Exploits | 255 | (6)
|
Chapter 11 Advanced Linux Exploits | 263 | (28)
    Lab 11-1 Reading from Arbitrary Memory | 267 | (2)
    Lab 11-2 Writing to Arbitrary Memory | 269 | (2)
    Lab 11-3 Changing Program Execution | 271 | (3)
  Memory Protection Schemes | 274 | (1)
    Lab 11-4 Bypassing Stack Protection | 276 | (3)
  Kernel Patches and Scripts | 279 | (9)
    Lab 11-5 Return to libc Exploits | 280 | (4)
    Lab 11-6 Maintaining Privileges with ret2libc | 284 | (4)
|
Chapter 12 Windows Exploits | 291 | (22)
  Compiling and Debugging Windows Programs | 291 | (2)
    Lab 12-1 Compiling on Windows | 291 | (2)
  Debugging on Windows with Immunity Debugger | 293 | (5)
    Lab 12-2 Crashing the Program | 295 | (3)
  Exploit Development Process Review | 298 | (11)
    Lab 12-3 Exploiting ProSSHD Server | 299 | (10)
  Understanding Structured Exception Handling (SEH) | 309 | (1)
|
Chapter 13 Bypassing Windows Memory Protections | 313 | (24)
  Understanding Windows Memory Protections (XP SP3, Vista, 7, 8, Server 2008, and Server 2012) | 313 | (1)
    Stack-Based Buffer Overrun Detection (/GS) | 313 | (1)
    Safe Structured Exception Handling (SafeSEH) | 314 | (1)
    SEH Overwrite Protection (SEHOP) | 315 | (1)
    Data Execution Prevention (DEP) | 316 | (1)
    Address Space Layout Randomization (ASLR) | 317 | (1)
    Enhanced Mitigation Experience Toolkit (EMET) | 317 | (1)
  Bypassing Windows Memory Protections | 318 | (1)
|
Chapter 14 Exploiting the Windows Access Control Model | 337 | (52)
  Why Access Control Is Interesting to a Hacker | 337 | (1)
    Most People Don't Understand Access Control | 337 | (1)
    Vulnerabilities You Find Are Easy to Exploit | 338 | (1)
    You'll Find Tons of Security Vulnerabilities | 338 | (1)
  How Windows Access Control Works | 338 | (1)
  Tools for Analyzing Access Control Configurations | 349 | (1)
    Dumping the Process Token | 350 | (3)
    Dumping the Security Descriptor | 353 | (1)
  Special SIDs, Special Access, and "Access Denied" | 354 | (1)
    Investigating "Access Denied" | 357 | (8)
  Analyzing Access Control for Elevation of Privilege | 365 | (1)
  Attack Patterns for Each Interesting Object Type | 365 | (1)
    Attacking Weak DACLs in the Windows Registry | 372 | (3)
    Attacking Weak Directory DACLs | 375 | (4)
    Attacking Weak File DACLs | 379 | (4)
  What Other Object Types Are Out There? | 383 | (1)
    Enumerating Shared Memory Sections | 383 | (1)
    Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, and Devices) | 386 | (3)
|
Chapter 15 Exploiting Web Applications | 389 | (26)
    Lab 15-1 Injecting the Hash | 391 | (5)
  Multibyte Encoding Injection | 396 | (1)
    Understanding the Vulnerability | 397 | (5)
    Lab 15-2 Leverage Multibyte Encoding | 397 | (5)
  Hunting Cross-site Scripting (XSS) | 402 | (2)
    Lab 15-3 Basic XSS Injection into a JavaScript Block | 403 | (1)
  Unicode Normalization Forms Attack | 404 | (1)
    Lab 15-4 Leveraging Unicode Normalization | 404 | (1)
    Unicode Normalization Introduction | 405 | (2)
    Preparing the Environment for Testing | 407 | (2)
    XSS Testing via x5s the Plug-In | 409 | (1)
    Launching the Attack Manually | 410 | (2)
    Adding Your Own Test Case | 412 | (3)
|
Chapter 16 Exploiting IE: Smashing the Heap | 415 | (20)
  Setting Up the Environment | 415 | (1)
    Attaching the Browser to WinDbg | 416 | (1)
  Introduction to Heap Spray | 417 | (1)
    Lab 16-1 Heap Spray via HTML5 | 420 | (2)
  DOM Element Property Spray (DEPS) | 422 | (3)
    Lab 16-2 Heap Spray via DEPS Technique | 423 | (2)
  Forcing New Allocations by Exhausting the Cache Blocks | 426 | (1)
    Lab 16-3 HeapLib2 Spraying | 426 | (1)
  Flash Spray with Byte Arrays | 427 | (2)
    Lab 16-4 Basic Heap Spray with Flash | 428 | (1)
  Flash Spray with Integer Vectors | 429 | (2)
    Lab 16-5 Heap Spray with Flash Vectors | 430 | (1)
  Leveraging Low Fragmentation Heap (LFH) | 431 | (4)
|
Chapter 17 Exploiting IE: Use-After-Free Technique | 435 | (20)
  Dissecting Use-After-Free (UAF) | 439 | (8)
    Lab 17-1 Dissecting UAF, Step by Step | 439 | (8)
  Leveraging the UAF Vulnerability | 447 | (8)
    Example 17-1 Connecting the Dots | 448 | (5)
|
Chapter 18 Advanced Client-Side Exploitation with BeEF | 455 | (28)
    Lab 18-2 Using the BeEF Console | 457 | (4)
    Lab 18-3 The Basic XSS Hook | 461 | (1)
    Lab 18-4 Hooking Browsers with Site Spoofing | 462 | (3)
    Lab 18-5 Automatically Injecting Hooks with Shank | 465 | (1)
    Lab 18-6 Fingerprinting Browsers with BeEF | 467 | (1)
    Lab 18-7 Fingerprinting Users with BeEF | 468 | (2)
    Lab 18-8 Fingerprinting Computers with BeEF | 470 | (1)
    Lab 18-9 Exploiting Browsers with BeEF and Java | 472 | (3)
  Exploiting Browsers with BeEF and Metasploit | 475 | (3)
|
Chapter 19 One-Day Exploitation with Patch Diffing | 483 | (28)
  Introduction to Binary Diffing | 483 | (1)
    Lab 19-2 Obtaining and Extracting Microsoft Patches | 492 | (2)
    Lab 19-3 Diffing MS14-006 with turbodiff | 498 | (1)
    Lab 19-4 Kernel Debugging MS14-006 | 503 | (3)
|
Part III Advanced Malware Analysis

Chapter 20 Dissecting Android Malware | 511 | (20)
  Android Application Package | 511 | (2)
    Example 20-1 Running APK in Emulator | 521 | (2)
    Example 20-2 Black-Box APK Monitoring with Droidbox | 527 | (2)
|
Chapter 21 Dissecting Ransomware | 531 | (22)
  Options for Paying the Ransom | 532 | (1)
    Example 21-1 Dynamic Analysis | 533 | (2)
    Example 21-2 Static Analysis | 535 | (14)
|
Chapter 22 Analyzing 64-bit Malware | 553 | (20)
  Overview of the AMD64 Architecture | 553 | (1)
  AMD64 Calling Conventions | 554 | (3)
    Example 22-1 Decrypting C&C Domains | 571 | (1)
|
Chapter 23 Next-Generation Reverse Engineering | 573 | (20)
  Honeypots and Sandboxes Using TrapX | 586 | (1)
    A Free Tool for Dynamic Analysis | 586 | (1)
    A Commercial Alternative: TrapX Malware Trap | 587 | (6)

Appendix About the Download | 593 | (2)
Index | 595 |