& symbol, 19
&& operator, 195
\ (backslash) character, 229
` (backtick) character, 203
' (single quote) character, 347
< (less-than operator), 21
<= (less-than-or-equal-to operator), 21
%s format token, 230
%x format token, 230
#$ format token, 231
0-day exploits, 365
6LoWPAN protocol, 499
64-bit Kali Linux, 19, 468, 469
A
AARs (after-action reports), 140, 154
abstract syntax tree (AST), 76
Access Device Statute, 10
action element, 392
activity element, 392
acts on objectives phase, 152–153
adaptive testing, 136–139
adb command, 401
add command, 31
Add-Persistence function, 335
Address Resolution Protocol (ARP), 537
address space layout randomization. See ASLR
addressing modes, 33
Adleman, Len, 465
AFL fuzzer, 61–64
after-action reports (AARs), 140, 154
Agent section, Peach Pit, 51
AIDS Trojan malware, 418
AJAX (Asynchronous JavaScript), 348
alert function, 352
Allowed Calls parameter, 72
alternative endings, 153
American Civil Liberties Union (ACLU), 112
Amini, Pedram, 77
AMQP protocol, 499
analog-to-digital conversion (ADC) resolution, 90
analysis
collaborative, 77–82
crash, 57–60
DEX, 393–395
malware, 402–407
network, 84
ransomware, 422–441
vulnerability, 533–536
See also dynamic analysis; static analysis
Analyze phase for SDR, 96–103
Androguard project, 397
android:name attribute, 392
Android application package. See APK
android command, 400
Android Developer Reference, 393
Android platform, 389–407
APK archive format, 389–391
application manifest, 391–393
DEX analysis, 393–395
DEX decompilation, 396–398
DEX disassembling, 398–399
Droidbox analysis, 405, 406–407
emulation of APK, 399–402
Java decompilation, 395–396
malware analysis, 402–407
Android Virtual Device (AVD) Manager, 400–401
AndroidManifest.xml file, 391–393, 403
Androperm script, 403
anti-debugging checks, 427–430
APIs (application programming interfaces)
Bugcrowd functionality, 168–170
Shodan search engine, 504–505
XFS synchronous/asynchronous, 447
APK (Android application package), 389–391
decoding with apktool, 391–392
directory structure/files, 391
explanation of, 389–390
running in emulator, 399–402
apktool
baksmali disassembly using, 399
decoding the APK using, 391–392
App Paths registry key, 379
Apple Store application decrypting, 411–413
application diffing, 363–364
application element, 392
application optional exploit mitigation, 290
application programming interfaces. See APIs
applications
Android platform, 389–393
decrypting from Apple Store, 411–413
exploitation of web, 341–362
XSS changes to, 348–350, 363–364
See also mobile applications
apt-get package manager, 530
arbitrary memory
reading from, 229–232
writing to, 232–234
architecture
evaluation of, 135
master/slave, 518–519
processor, 28–29
RISC, 558
WOSA, 446
XFS, 446–447
ArithLog Rating parameter, 72
Arizona Cyber Warfare Range, 117
ARM architecture, 512, 558–559
calling convention, 565–566
cheat sheet reference, 567
profiles and applications, 513
resources about, 526
syscall renaming, 573
Art of War, The (Sun Tzu), 143, 465
Ashton, Kevin, 497
ASLR (address space layout randomization), 202
bypassing, 292–293
defeating through memory leaks, 299–316
disabling on Kali Linux, 231
explanation of, 290–291
high-entropy, 291
assembly language, 30–34
addressing modes, 33
assembling, 34
file structure, 33–34
machine language vs., 30
NASM vs. AT&T syntax, 30–33
assessments
external, 137
internal, 138–139
penetration test, 19
physical security, 137–138
asymmetric-key algorithms, 436
asynchronous call, 447
AT&T assembly syntax, 30–33
ATM machines
component overview, 443–445
functional steps in using, 445–446
physical and virtual attacks on, 453
skimmers installed on, 452
XFS standard for, 446–451
ATM malware, 443–463
banks affected by, 453
countermeasures for, 462
customers affected by, 452–453
dissection techniques, 455–462
installation techniques, 453–455
interaction methods, 453–454, 458–462
resources about, 462
attack frameworks, 135
attack vector
Linux exploit, 219–220
Windows exploit, 267–269
AttackIQ FireDrill, 155
attacks
disrupting, 151–153
emulating, 6–9
recognizing, 5
automated dynamic analysis, 83–84
automated teller machines. See ATM machines
automation, security, 154–155
AVD (Android Virtual Device) Manager, 400–401
AV-TEST Institute, 83
B
backdoor, persistent, 333–336
bad characters, 271
baksmali disassembler, 398–399
Bandit war game, 116
bandwidth, 90
Banking Solutions Vendor Council (BSVC), 446
banks
ATM malware affecting, 453
XFS standard used by, 446–451
Barnett, Bruce, 359
bash shell, 232
basic blocks, 80–81
Basic Blocks Size parameter, 72
BeagleBone development platform, 558, 564
behavioral analysis, 84
binary diffing, 363–371
application diffing as, 363–364
describing the process of, 363
exploitation based on, 378–384
lab exercises on, 369–371, 375–378, 379–384
Microsoft patches, 375–378, 379–384
patch diffing as, 364–365, 378–384
resources about, 384–385
tools used for, 365–371
binary .plist files, 410
BinCrowd plug-in, 77
bitcoin, 418
bits, 24
Black Hat conferences, 114
black-box emulator environments
APK monitoring with Droidbox in, 406–407
monitoring malware samples in, 405
bladeRF device, 90
blue team operations, 9, 127, 145–150
common challenges of, 149–150
incident response program, 147–150
knowing your enemy for, 145–146
security frameworks, 146–147
tracking response activities of, 134
understanding your environment for, 146
See also purple teaming operations; red teaming operations
Bluetooth protocols, 499
boot process security, 408
bootloaders, 523–524
bootstrapping, PowerShell, 326–328
bottom-up approach, 437
Boyd, John, 150
Bradshaw, Stephen, 54
breakpoints
hardware, 425–426
memory leak bug, 306–313
strcpy function, 259–260
Browser Exploitation Framework (BeEF), 341
.bss section in memory, 26
BSTR allocations, 306
buffer
exploiting a small, 214–216
overrun detection, 284–286
buffer overflows, 201–216
explanation of, 201–202
local exploits, 207–216
meet.c program lab, 202–205
ramifications of, 206
small buffer exploits, 214–216
stack overflow exploits, 209–214
bug bounty programs, 161–175
BugCrowd platform, 164–171
controversy surrounding, 163
earning a living through, 171–172
history and concept of, 161
incentives offered through, 163
incident response and, 173–174
popular facilitators of, 163
resources about, 175
types of, 161–163
BugCrowd platform, 164–171
API setup and example, 168–170
overview of how it works, 164
program owner web interface, 164–170
researcher web interface, 170–171
bugs
DLL side-loading, 378–379
memory leak, 299–316
type confusion, 299
BuildUserAgentStringMobileHelper() function, 380
business structure, 119
bypassing memory protections
ASLR protections, 292–293, 299–316
DEP protections, 293–299
/GS protections, 285–286
SafeSEH protections, 275–277
SEHOP protections, 277–284
stack protections, 238–240
bypassuac command, 338
bytes, 24
C
C programming language, 15–24
basic constructs, 15–22
comments, 22
compiling with gcc, 23–24
for and while loops, 20–21
functions, 16–17
if/else construct, 22
main() function, 16
printf command, 18–19
sample program, 22–23
scanf command, 19
strcpy/strncpy commands, 20
variables, 17–18
C++ code, 74–77
HexRaysCodeXplorer, 76–77
quirks of compiled, 74–75
runtime type information, 76
virtual tables, 75
calling conventions
ARM code, 565–566
MIPS code, 566
Capability Maturity Model (CMM), 147
Capture phase for SDR, 92–94
Capture the Flag (CTF) events, 111, 116
Carbon Black Response, 149
cat phishing, 138
category element, 392
Cauquil, Damien, 277
CButton creation, 316
cellular networks, 498
CERT Coordination Center, 160
CERT.RSA file, 391
CERT.SF file, 391
Certified Ethical Hacking (CEH) certification, 114
Certified Penetration Tester (GPEN) exam, 114
CFAA (Computer Fraud and Abuse Act), 10–11
CFG (Control Flow Guard), 253, 289, 363
challenge hashes, 183
char variable, 17
checkXSS function, 351–352
Chen, Dominic, 546
Cheswick, Bill, 465
chief information security officer (CISO), 13
chips, embedded device, 511
Chrome browser. See Google Chrome
Cipher Block Chaining (CBC), 358
CISA (Cybersecurity Information Sharing Act), 12–13
Cisco device decoy emulation, 486
Cisco Discovery Protocol (CDP) packets, 486
classes.dex file, 391
Cobalt Strike software, 136, 139
code annotation, 67–77
C++ code analysis, 74–77
IDB with IDAscope, 67–73
Cohen, Danny, 25
Cohen, Fred, 465
Coldwind, Gynvael, 61
collaboration tools, 123
collaborative analysis, 77–82
BinNavi tool for, 80–82
FIRST plug-in for, 78–80
IDA plug-ins developed for, 77–78
CollabREate plug-in, 77
command and control (C2) phase, 152–153, 336
command line
exploiting stack overflows from, 209–212
interacting with decoy system, 486, 487
Shodan search engine, 503–504
commands
C language, 18–20
gdb debugger, 35
Immunity Debugger, 257–258
PowerShell, 325–326
WinRM for executing, 194–195
WMI for executing, 191–194
See also specific commands
comments
BinNavi collaboration, 82
C programming language, 22
commercial honeypots, 480
Common Ground blog, 131
Common Vulnerability Scoring System (CVSS), 173
Common Weakness Scoring System (CWSS), 173
communication protocols, 499
communications
bug bounty program, 173
purple teaming, 154
red teaming, 132–134
compiler controls exploit mitigation, 290
compilers
gcc, 23–24
Windows, 254–256
compiling process, 23
complex instruction set computing (CISC), 558
Computer Emergency Response Team (CERT), 160
Computer Fraud and Abuse Act (CFAA), 10–11
computer memory. See memory
ConPot honeypot, 472–473
containment, 128
ContentType header, 356
Control Flow Guard (CFG), 253, 289, 363
cookies
guessing the value of, 285
heap metadata, 286
padding oracle attacks on, 359–361
replacing with your own, 286
Coordinated Vulnerability Disclosure (CVD), 160
corporate bug bounty programs, 161–162
Cortex tool, 155
Cowrie honeypot, 473–475
CPUs, embedded system, 511–513
crash analysis, 57–60
crashing Windows programs, 258–261
Cross-Site Scripting. See XSS
CrowdRE plug-in, 77
CryptAcquireContextA variable, 437–439
crypter ransomware, 417, 435–441
CryptExportKey function, 436
CryptGetKeyParam function, 437
CryptGenRandom function, 437
cryptographic functions
IDAscope identification of, 72–73
ransomware employing, 436, 440–441
See also encryption
CryptReleaseContext function, 437
CSecurityManager virtual function tables, 312
CTF (Capture the Flag) events, 111, 116
CTF365.com website, 116
CTFtime.org website, 116
curiosity of spirit, 112
Curl commands, 169
custom Linux exploits, 217–222
attack vector, 219–220
building, 220–221
EIP control, 217–218
offset determination, 218–219
verifying, 221–222
CVE-2016-0041 Windows vulnerability, 379
CVE-2017-0147 Windows vulnerability, 373
CVE-2017-5638 Struts vulnerability, 354–356
CVE-2017-9805 Struts vulnerability, 356–358
“Cyber Exercise Playbook” (Mitre Corporation), 130
Cyber Kill Chain framework, 135, 151–153
Cyber Security Enhancement Act (CSEA), 12
cyberlaw, evolution of, 10–13
cybersecurity
automation of, 154–155
current landscape of, 4–5
frameworks for, 146–147
Internet of Things and, 499–500
iOS mechanisms for, 407–409
laws pertaining to, 10–13
Cybersecurity Information Sharing Act (CISA), 12–13
Cydia Impactor, 411
D
DAD decompiler, 397–398
Dai Zovi, Dino, 161
daisy chain configuration, 518–519
Dalvik executable (DEX) format
analysis of, 393–395
Java code related to, 393, 394
See also DEX code
.data section in memory, 26
data circuit-terminating equipment (DCE), 550
Data Encryption Standard (DES), 182
Data Execution Prevention. See DEP
Data Protection technology, 408
data sources, threat hunting, 148
data terminal equipment (DTE), 550
DataModel section, Peach Pit, 50
datasheet for devices, 551
DDS protocol, 499
debug interfaces, 520–523
JTAG, 520–522
SWD, 522–523
debuggers
crash analysis and, 57–60
embedded device, 520–523
!exploitable extension for, 57–58
gdb debugger, 34–37
Immunity Debugger, 256–258
OllyDbg, 281
Windows 8.0, 300
x64dbg, 85–87
dec command, 32
deception, 465–493
brief history of, 465–466
open source honeypots for, 466–480
resources on honeypots and, 491–492
TrapX DeceptionGrid for, 480–491
See also honeypots
Deception Toolkit, 465
decision frameworks, 150–151
decompilation
of Java code, 395–396
decoy systems, 485–486
decryption
Apple Store application, 411–413
cookie value, 360–361
delivery phase, 152
DEP (Data Execution Prevention)
bypassing, 293–299
explanation of, 289–290
ProSSHD exception for, 263
Department of Defense Directive (DoDD), 128
Department of Homeland Security (DHS), 117
DES (Data Encryption Standard), 182
Desktop ownership, 430–433
detection mechanisms, 153
device under test (DUT), 92
DEX code
analysis of, 393–395
decompilation of, 395, 396–397
disassembling of, 398–399
Java code related to, 393, 394
dictionaries, Python, 42
diffing process. See binary diffing
Digital Millennium Copyright Act (DMCA), 11
digital rights management (DRM), 411
Dionaea honeypot, 469–472
direct parameter access, 231–232
disassembling code
binary diffing tools for, 365–371
DEX file disassembly, 398–399
disassemblers for, 365, 398–399
gdb debugger for, 36–37
distributed denial-of-service (DDOS) attacks, 507
DLLs (dynamic link libraries), 364
side-loading bugs, 378–379
SPI interaction with, 450
dlopen() function, 245
dlsym() function, 245
DNS redirectors, 136
Docker tool, 342, 354, 357, 359, 472
Document Object Model (DOM), 348, 350–353
documentation, red team assessment, 133
DOM (Document Object Model), 348, 350–353
DOM Element Property Spray (DEPS), 286
double variable, 17
double word (DWORD), 24
downloading
IDAscope plug-in, 68
patches, 373–374
PowerSploit, 329
Python, 37
Responder, 183
Dradis reporting tool, 124
DREAD classification scheme, 135
dropped files, 84
Dullien, Thomas, 366
dumb fuzzers, 48
dumpdecrypted tool, 412
dumb pipe redirectors, 136
duplex communications, 90
dynamic analysis, 83–87
automated with Cuckoo Sandbox, 83–84
bridging gap with static analysis, 84–85
emulation used for, 541–547
hardware as basis of, 536–540
of IoT malware, 562–564
lab exercises for working with, 85–87
Labeless plugin for, 85, 86, 87
of Ransomlock malware, 419–422
reverse engineering with, 83–87, 402
See also static analysis
dynamic link libraries. See DLLs
E
Eagle, Chris, 77
EBX register, 317
echo command, 358
Economou, Nicolas, 365
Edwards, Brandon, 77
EEPROM access, 519
Einstein, Albert, 3
EIP (Extended Instruction Pointer), 200, 217–218
checking for corruption, 202
controlling for exploits, 206, 217–218, 264–265
determining offset to overwrite, 218–219
first chance exceptions, 260
frame data on location of, 234
function-calling procedure and, 200–201
local buffer overflow exploits and, 207–209
Electronic Communication Privacy Act (ECPA), 11
Electronic Frontier Foundation (EFF), 112
ELF header, 559
embedded devices, 511–548
debug interfaces for, 520–523
dynamic analysis of, 536–547
emulating firmware on, 541, 543–545
exploiting firmware on, 546–547
processing architectures for, 511–513
serial interfaces for, 513–520
static analysis of vulnerabilities in, 529–536
system software used on, 523–525
update package analysis of, 529–533
upgrading firmware on, 539–540
vulnerability analysis of, 533–536
See also Internet of Things
EMET (Enhanced Mitigation Experience Toolkit), 277, 289, 291
emulating
attacks, 6–9
embedded device firmware, 541, 543–545
emulators
running APK in, 399–402
encoded commands, 325–326
encodedcommand option, 322, 326
encryption
ATM disk, 462
cookie value, 361
iOS data, 408
endian methods, 25
Enhanced Mitigation Experience Toolkit (EMET), 277, 289, 291
environment/arguments section in memory, 27
environments
black-box emulator, 405, 406–407
hardware analysis test, 536–537
sandbox, 408–409
setting up for XSS, 342–343
User Account Control, 338
epilog, function, 201
eradication, 128
Esser, Stefan, 412
_EstablisherFrame pointer, 275
ETERNALBLUE vulnerability, 435
ethical hacking
attack emulation, 6–9
explained, 5–6
red team operations vs., 128
testing process, 9–10
unethical hacking vs., 8–9
Etoh, Hiroaki, 238
Ettercap tool, 537–540
European Committee for Standardization (CEN), 446
eventhandler function, 301, 304
events, webpage, 347
evolutionary fuzzing. See genetic fuzzing
exception_handler function, 275
EXCEPTION_REGISTRATION record, 273
exceptions
first chance, 260
handler function for, 275, 276
SEH mechanism for, 273–274
Execute phase for SDR, 105–106
ExecuteTransaction function, 377–378
!exploitable debugger extension, 57–58, 60
exploitation phase, 152
Exploit-DB repository, 356
exploits
categories for mitigating, 290
embedded device, 529–548
firmware, 546–547
format string, 225–237
local buffer overflow, 207–216
PowerShell, 321–340
ProSSHD server, 262–273
return to libc, 242–247
SEH chain, 274
small buffer, 214–216
stack overflow, 209–214
web application, 341–362
See also Linux exploits; Windows exploits
Extended Instruction Pointer. See EIP
Extensions for Financial Services. See XFS
external assessments, 137
F
Facebook bug bounty program, 163
fake-frame technique, 238–239
FCC IDs, 91–92
Federal Communications Commission (FCC), 91
file command, 390
files
DEX disassembly of, 398–399
Python access to, 42–44
structure of assembly, 33–34
TrapX analysis of, 484
FinalExceptionHandler function, 277
FindCrypt plug-in, 437
FindXMLManagerPath() function, 449
Firebounty.com registry, 171
FireDrill tool, 155
Firefox browser
padding oracle attacks, 359–361
XSS attacks, 343–344, 346, 348
FIRMADYNE tool, 541–545
firmware emulation, 543–545
setting up, 541–543
firmware
emulating, 543–545
exploiting, 546–547
upgrading, 539–540
Firmware Mod Kit, 530
first chance exception, 260
FIRST plug-in, 78–80
flags, gcc, 24
flashrom tool, 519
FLIRT signatures, 85
float variable, 17
for loop, 20–21
ForeScout tools, 487
form.reset() state change, 309
format functions, 225–229
commonly used symbols for, 226
correct vs. incorrect use of, 227–228
stack operations with, 228–229
format string exploits, 225–237
format functions and, 225–229
reading from arbitrary memory, 229–232
format symbols, 226
fprintf() function, 225
frames, 234
framework vulnerabilities, 354–358
Struts CVE-2017-5638 exploits, 354–356
Struts CVE-2017-9805 exploits, 356–358
free() function, 26
FreeXFS Framework, 448
frequency channels, 90
Full Disclosure mailing list, 159
full duplex communications, 90
Full Operating System (FOS) decoy, 490
full public disclosure, 159–160
full system emulation, 571
full vendor disclosure, 158–159
function comments, 82
functions
C program, 16–17
Linux format, 225–229
procedures for calling, 199–201
wrapper, 68–69
See also specific functions
fuzzing, 47–65
crash analysis, 57–60
explanation of, 47
resources about, 64–65
G
gadgets, 294–295
Gaffie, Laurent, 183
gcc (GNU C Compiler), 23–24
gdb debugger, 34–37
commands in, 35
determining frame info with, 234–235
disassembly with, 36–37
GDBServer tool, 562
General Data Protection Regulation (GDPR), 149
general operating systems, 525
general registers, 29
generation fuzzing, 48
crash analysis and, 57–60
lab exercise on, 60
Peach fuzzer for, 54–60
generic exploit code, 212–214
genetic fuzzing, 48–49
AFL fuzzer for, 61–64
lab exercise on, 63–64
getenv utility, 230, 233, 234, 249
getName() function, 371
GETPC routine, 270
GetProcAddress function, 438
getsystem module, 338
GitHub repository, 329, 336, 342
Global Information Assurance Certification (GIAC), 114
global line comments, 82
GNU Assembler (gas), 30
GNU C Compiler (gcc), 23–24
GNU Radio Companion, 93
gnuradio software, 92–93
Google Chrome
installing, 342
XSS filters, 344–345, 348, 350
Google Rapid Response (GRR), 149
government bug bounty programs, 162
GPEN (Certified Penetration Tester) exam, 114
grammar-based fuzzers, 48
Grand, Joe, 514
Group Policy Objects (GPOs), 322
/GS protection feature, 256, 284–286
description of, 284–285
methods of bypassing, 285–286
guard pages, 287
H
Hack Me! bug bounty program, 170–171
hacked function, 353
Hacker’s Manifesto, 112
hacking
future of, 113
radio frequency, 89
unethical, 8–9
See also ethical hacking
Hacking Exposed books, 114
half duplex communications, 90
Hanel, Alexander, 67
hardware
breakpoints for, 425–426
dynamic analysis of, 536–540
hardware abstraction layer (HAL), 291
Harvard University, 117
hashes, capturing password, 181–187
!heap command, 310
HeapReAlloc function, 303, 306
heaps, 26
metadata cookies, 286
non-executable, 241
protecting in Windows, 286–287
Heffner, Craig, 540
“Hello, world!” example, 38
hexadecimal values, 314–316
HexRaysCodeXplorer, 76–77
high-entropy ASLR, 291
high-interaction honeypots, 466–467
high-order bytes (HOB), 232, 233
Hippocampe threat-feed-aggregation tool, 155
home automation systems, 507
honeyclients, 467
honeynet.org group, 466
honeypots, 466–493
commercial, 480
ConPot, 472–473
Cowrie, 473–475
deception using, 466
deployment of, 468
Dionaea, 469–472
open source, 468–480
resources on, 491–492
T-Pot, 475–480
TrapX, 480–491
types of, 466–467
virtual machine, 468
honeytokens, 467
host-based intrusion detection system (HIDS), 153
host-based intrusion prevention system (HIPS), 152, 462
htmlspecialchars function, 346
I
I2C protocol, 519–520
ICS/SCADA emulation, 472
iconv tool, 326
IDA (Interactive Disassembler), 67
binary diffing plug-ins, 365–371
collaborative analysis, 77–82
cross-reference feature in, 458
Dalvik disassembly, 393
importing memory regions into, 87
IoT malware debugging, 567–571
resources about, 88
vulnerability analysis, 534
IDA proximity browser, 440
IDA Sync plug-in, 77
IDA Toolbag plug-in, 77
IDAscope plug-in, 67–73
crypto identification, 72–73
functionality list, 68
user interface illustration, 69
WinAPI Browsing tab, 70
workflow overview, 68–70
YARA Scanner table, 71
IDB annotation, 67–73
Identity Services Engine (ISE), 487
IDLE user interface, 37
IEEE 802.11 protocol, 498
if/else construct, 22
Immunity Debugger, 256–258
commands list, 257–258
crashed programs and, 258–261
methods for using, 257
plug-ins for, 281
ROP chain generation, 316–317
inc command, 32
incident response (IR) program, 147–150
data sources, 148
incident response tools, 149
IoT devices and, 549
threat hunting, 147–148
indicators of compromise (IOCs), 123, 145, 154, 455
industrial control systems (ICSs), 112, 502
info command, 235
info frame command, 235
info functions command, 37
information property list (info.plist) file, 409
information resources. See resources
Information Systems Security Association (ISSA), 118
information theft, 452
InfraGard organization, 118
Infrastructure as Code (IAC), 146
Infrastructure for Ongoing Red Team Operations blog, 136
InitializeKeys function, 439–440
injection attacks, 343
inspectrum analyzer, 97–101
installation phase, 152
instruction set architectures (ISAs), 558
insurance considerations, 119
integrated circuits (ICs), 511
Integrated Security Operations Centers (ISOCs), 4
Intel processors
architecture, 28–29
registers, 29
intent-filter element, 392
Interactive Disassembler. See IDA
interactive logon, 190
internal assessments, 138–139
International Standards Organization (ISO), 146
International Telecommunications Union (ITU), 91
Internet Explorer
memory leak bug in, 299
PowerShell exploitation and, 322
XSS filters in, 344
Internet of Things (IoT), 497–510
communication protocols, 499
device access, 549–551
hack prevention, 508
security concerns, 499–500
Shodan search engine for, 500–505
types of connected things, 497–498
unauthenticated access to, 506–507
wireless protocols, 498–499
Internet of Things (IoT) malware, 549–574
debugging and reversing, 567–574
dynamic analysis of, 562–564
lab on troubleshooting, 551–557
physical access to device for, 549
resources related to, 574
reverse engineering, 565–574
threat lab setup for, 557–562
worm attacks as, 507–508
Internet of Things Scanner, 508
Invoke-Expression function, 327
Invoke-WebRequest function, 327
iOS platform, 407–413
applications, 409
boot process security, 408
encryption and data protection, 408
labs on malware related to, 410–413
sandbox environments, 408–409
security mechanisms, 407–409
IoT. See Internet of Things
IPA archive, 409
iPhone 4s jailbreak, 410–411
IR playbooks, 155
ISO security frameworks, 146
IV pump troubleshooting, 551–557
J
jailbreaking
classes of, 411
iPhone 4s, 410–411
Java archive (JAR), 389
Java code
decompilation of, 395–396
Java Virtual Machine (JVM), 395
JavaScript
Asynchronous, 348
error tracking, 351–352
prevalence for web applications, 348
XSS manipulation of, 352–353
JavaScript Object Notation (JSON) format, 406
JD decompiler, 395
je command, 32
JEB decompiler, 396–397
jne command, 32
jnz command, 32
Joint Test Action Group (JTAG), 520
JTAGulator tool, 514–515
jz command, 32
K
KANAL - Crypto Analyzer, 436
Katz, Phil, 390
KeePass password safe, 139
kernel patches and scripts, 241–242
keylogging process, 454
Kibana (ELK) stack, 475
Kill Chain Countermeasure framework, 153–154
Koret, Joxean, 365
L
labels, Python, 39–40
Le Berre, Stéfan, 277
lea command, 32
leakware (doxware), 418
leave statement, 200
less-than operator (<), 21
less-than-or-equal-to operator (<=), 21
LFH (low fragmentation heap), 286–287
liability considerations, 119
limited liability company (LLC), 119
Link Local Multicast Name Resolution (LLMNR), 181–182
linking process, 23
Linux exploits, 199–252
advanced, 225–252
attack vector for, 219–220
buffer overflows and, 201–207
building custom, 220–221
bypassing stack protection, 238–240
development process, 216–222
EIP control process, 206, 217–218
format string exploits, 225–237
function-calling procedures and, 199–201
local buffer overflow exploits, 207–216
memory protection schemes against, 237–251
offset determination for, 218–219
program execution changes, 234–237
reading from arbitrary memory, 229–232
return to libc exploits, 242–247
small buffer exploits, 214–216
stack overflow exploits, 209–214
verifying custom, 221–222
writing to arbitrary memory, 232–234
Linux memory protections, 237–251
ASLR objectives for, 242
bypassing for stacks, 238–240
kernel patches and scripts, 241–242
Libsafe library, 237
non-executable stacks, 241
privilege maintenance, 247–251
return to libc exploits and, 242–247
Stack Smashing Protection, 238
StackShield and StackGuard, 237
summary list of, 251
lists, Python, 41–42
living off the land, 321–322
LoadLibrary function, 378, 438
LoadLibraryEx function, 379
LoadManagerFunction(), 449
local buffer overflow exploits, 207–216
components of, 207–209
small buffers and, 214–216
stack overflows and, 209–214
local line comments, 82
Local Security Authority Subsystem Service (LSASS), 331–332
locker ransomware, 417, 419–435
logging, PowerShell, 322
logic analyzer, 555–556
logical services, 449
LogonID information, 190
LogonType information, 190
Logstash tool, 375
Lookaside List, 287
low fragmentation heap (LFH), 286–287
low-interaction honeypots, 467
low-order bytes (LOB), 232, 233
lsusb command, 555
Lukan, Dejan, 55
Lum, Kelly, 77
M
MAC addresses, 537
machine language, 30
machine-learning-based tools, 149
magic bytes, 390
malloc() function, 26
malware
Android, 402–407
ATM, 443–463
black-box analysis of, 405, 406–407
Internet of Things, 549–574
labs on iOS-related, 410–413
reverse-engineering, 70
YARA signatures and, 72
See also ransomware
MANIFEST.MF file, 391
man-in-the-middle (MITM) attacks, 537
Martinez, Ramses, 163
Massachusetts Institute of Technology (MIT), 117
master/slave architecture, 518–519
McMaster, John, 557
measurable events, 133–134
Media Access Control (MAC) addresses, 537
medical device troubleshooting, 551–557
medium-interaction honeypots, 467
meet.c program, 202–205
memmove function, 310
memory, 24–28
arbitrary, 229–234
buffers in, 27
decoding ransomware in, 422–427
example of using, 28
explanation of, 24
importing segments from, 87
leaks in, 299–316
pointers in, 27–28
programs in, 26–27
random access, 24–25
segmentation of, 25
strings in, 27
writing data into, 25
memory leak bug, 299–319
breakpoints, 306–313
description of, 299–300
RVA ROP chain, 316–319
tracing, 303–313
triggering, 300–303
weaponizing, 314–316
memory protections
Linux schemes as, 237–251
Windows mechanisms as, 275–287
See also Linux memory protections; Windows memory protections
memset function, 377–378
META-INF directory, 391
Metasploit
building exploits with, 220–221
Meterpreter callback handler, 333–336, 382
microcontrollers, 512
microprocessors, 512
Microsoft
diffing patches from, 375–378, 379–384
obtaining/extracting patches from, 373–375
patch Tuesday updates cycle, 372–373
vulnerability disclosures, 160, 372
See also Windows systems
Microsoft C/C++ Optimizing Compiler and Linker, 254
Microsoft Catalog Server, 373–374
Microsoft Developer Network (MSDN), 70
Microsoft Internet Explorer. See Internet Explorer
middleware for XFS, 448
Miller, Charlie, 161
Miller, Mark, 160
Mimikatz tool
running through PowerShell, 330–333
TrapX DeceptionGrid and, 490
MIPS architecture, 513, 558–559
calling convention, 566
cheat sheet reference, 567
syscall renaming, 572
Mirai worm, 507–508
mitigation
categories of exploit, 290
Windows 10 improvements in, 319
mmap() command, 242
mobile applications, 389–415
Android platform for, 389–407
iOS platform for, 407–413
malware analysis for, 402–407
resources about, 413–414
summary review of, 413
Model-View-Controller (MVC) architecture, 354
module logging, 322
Mona plug-in, 266–267, 268, 295
Monti, Eric, 326
mov command, 31
Move with Zero-Extend instruction, 303
MoviePlayer application, 404–405
MQTT protocol, 499
lab on playing with, 505–506
security concerns with, 500
unauthenticated access to, 506–507
MS16-009 patch, 379–380
MS17-010 patch, 373
binary diffing of, 375–378
exploitation of, 379–384
msfvenom command, 220–221, 334, 382
MT-7621A processor, 517, 526–527
Mudge, Raphael, 136
mutation fuzzing, 48
lab exercise on, 53–54
Peach fuzzer for, 49–54
N
NASM assembly syntax, 30–33
National Institute of Standards and Technology (NIST), 12
Computer Security Incident Handling Guide, 147
Cyber Security Framework, 146
National Security Agency (NSA), 117
.NET, PowerShell integration, 321
net localgroup command, 193
net localuser command, 193
net user command, 193
NetBIOS Name Service (NBNS), 182
Netdata page view, 479
NetNTLM authentication, 182–183
Network Access Control (NAC), 487
network analysis, 84
network intrusion detection system (NIDS), 153
network intrusion prevention system (NIPS), 153
network logon, 190
Next SEH (NSEH) value, 274
nibbles, 24
NIST. See National Institute of Standards and Technology
Nmap command, 476
no OS devices, 524–525
node comments, 82
NOP command, 207
NOP sled, 207
--nosandbox directive, 344
NTLM authentication, 182–183
numbers, Python, 40–41
NYDFS Cybersecurity Regulations, 13
O
object code, 23
Objective-C programming language, 409
objects, Python, 38–44
Offensive Security Certified Professionals (OSCP), 114
offset registers, 29
offsets
Linux EIP, 218–219
RVA, 314–316
Windows EIP, 266–267
Oh, Jeong Wook, 365
OllyDbg debugger, 281
OllySSEH plug-in, 281
onCreate function, 404
OODA Loop, 150–151
opcodes, 37
open source bug bounty programs, 162–163
open source honeypots, 468–480
ConPot, 472–473
Cowrie, 473–475
Dionaea, 469–472
T-Pot, 475–480
Open Source Intelligence (OSINT), 7, 151
Open Source Technology Improvement Fund (OSTIF), 162–163
Open Web Application Security Project (OWASP), 135
OpenOCD tool, 520
OpenXFS header files, 459
operating frequency, 90
Operation Bodyguard, 465
operational risk reduction, 119
optimization, purple teaming, 154–155
orchestration, security, 155
OS control exploit mitigation, 290
OSINT (Open Source Intelligence), 7, 151
osmocom sink, 105
OverTheWire.org website, 116, 117
P
package element, 392
padbuster tool, 360–361
padding oracle attacks, 358–361
changing data with, 359–361
explanation of, 358–359
page table entry (PTE), 241
PAGEEXEC method, 241
Page-eXec (PaX) patches, 241, 242
PageHeap tool, 302
PANDA platform, 564
parallel interfaces, 513
paramiko module, 264
passwd command, 206
passwords
capturing hashes for, 181–186
cracking with John the Ripper, 186–187
getting with Responder, 185–187
patch diffing, 364–365
PatchClean script, 374
patches, 363–385
binary diffing of, 363–371, 378–384
downloading/extracting, 373–375
exploitation based on diffing of, 378–384
lab exercises on diffing, 369–371, 375–378, 379–384
management process for, 373–378
Microsoft updates and, 372–375
PatchExtract script, 374
pattern_create tool, 218
pattern_offset tool, 219
PaX (Page-eXec) patches, 241, 242
pcap capture, 357
Peach fuzzer
generation fuzzing with, 54–60
mutation fuzzing with, 49–54
Pegasus spyware, 407
PEiD signature scanner, 436
penetration testing, 5–6, 111–126
assessment comparison, 129
degree programs, 117–118
ethos of, 112
frequency of, 120–121
future of hacking and, 113
hands-on practice of, 115–117
IoT device, 549
knowledge required for, 113
liability considerations for, 119
managing the process of, 121–124
recognizing good security for, 113–114
report generation, 123–124
steps in process of, 7–8
taxonomy of, 112
tradecraft for, 118–124
training and education, 114, 117–118
trusted advisor role, 120
Penetration Testing: A Hands-On Introduction to Hacking (Weidman), 114
permissions, SEND_SMS, 403–404
persistent meterpreter, 333–336
Phantom community edition, 155
phishing e-mails, 138
phoneinfo.dll file, 381, 382, 383
physical ATM attacks, 453
physical security assessment, 137–138
PIC microcontroller, 524
PIN_GET_DATA command, 454
pins/pinouts
JTAG, 520–522
MAX3227E, 553–554
RS-232, 550–551
SWD, 522
pipe character, 325
Pit files, 49–51
planning meetings, 132–133
Plohmann, Daniel, 67
Ploutus malware, 454, 455, 457, 462
pointers, memory, 27–28
Popp, Joseph, 418
Portainer UI, 478
Portnoy, Aaron, 77
Position Independent Executable (PIE) technique, 242
Pouvesle, Nicolas, 365
PowerShell, 321–340
benefits of using, 321–322
bootstrap process, 326–328
command execution, 325
Empire framework, 328, 336–339
encoded commands, 325–326
execution policies, 324
logging options, 322
Mimikatz run through, 330–333
portability of, 323
PowerSploit tools for, 328–330
remotely running using WinRM, 195–196
resources about, 340
script execution, 323–328
summary review of, 339–340
PowerShell Empire, 328, 336–339
setting up, 336
staging an Empire C2, 337
using to own the system, 337–339
PowerSploit, 328–330
overview on setting up, 329–330
persistent meterpreter creation, 333–336
PowerUp tool, 139
Preview phase for SDR, 103–105
printf() function, 204, 225, 226–228, 248
private bug bounty programs, 162
private key encryption, 440
privileges
elevating with Winexe, 188–189
maintaining with ret2libc, 247–251
methods for escalating, 139
procedure statement, 16
process memory, 84
ProcessBuilder class, 356, 368
processors
architecture of, 28–29, 512–513
embedded system, 511–513
Procmon (Process Monitor), 420
program execution changes, 234–237
programming, 15–45
assembly language, 30–34
C language, 15–24
computer memory, 24–28
debugging with gdb, 34–37
Intel processor, 28–29
Objective-C language, 409
Python language, 37–44
reasons for studying, 15
resources about, 45
return-oriented, 294
Swift language, 409
Project Zero, 160
prolog, function, 200
Proof of Concept (POC) code, 158
property list (.plist) files, 410
ProSSHD server exploits, 262–273
protocols
communication, 499
wireless, 498–499
proximity browsing, 80
proximity view, 439–440
PSEXEC service, 484
pszProvider argument, 439
public bug bounty programs, 162
public key cryptography, 418, 440
public vulnerability disclosure, 159–160, 174
purple teaming operations, 130, 143, 150–156
communications in, 154
decision frameworks for, 150–151
disrupting attacks in, 151–153
explanatory overview of, 143–145
incident response programs and, 147
Kill Chain Countermeasure framework, 153–154
optimization of, 154–155
resources about, 156
See also blue team operations; red teaming operations
PUSHAD instruction, 426
Pwn2Own competition, 161
PyBOMBS system, 92
Python, 37–44
dictionaries, 42
downloading, 37
file access, 42–44
“Hello, world!” example, 38
lists, 41–42
numbers, 40–41
objects, 38–44
pywinrm library, 194
Shodan library, 504
sockets, 44
sshuttle program, 544–545
strings, 38–40
PythonClassInformer, 76
Q
QEMU (Quick Emulator), 558
binary emulation, 568–571
full system emulation, 571
setting up systems with, 560–562
quadruple word (QWORD), 24
R
radio frequency (RF) hacking, 89
random access memory (RAM), 24–25
Ransomlock malware, 419–435
dynamic analysis of, 419–422
static analysis of, 422–435
ransomware, 417–442
analyzing, 435–441
anti-debugging checks, 427–430
deactivation process, 435
decoding in memory, 422–427
Desktop ownership by, 430–433
dynamic analysis of, 419–422
encryption methods, 436, 440–441
historical origins of, 418
payment methods, 418–419
Ransomlock, 419–435
resources about, 441–442
static analysis of, 422–435
summary review of, 441
types of, 417–418
WannaCry, 435–441
Ranum, Marcus, 159
Raspberry Pi platform, 558
RDP (Remote Desktop Protocol), 137, 490
realloc() function, 26
real-time operating system (RTOS), 525
reconnaissance phase, 151
red teaming operations, 9, 127–141
adaptive testing in, 136–139
after action report on, 140
attack frameworks for, 135
communications required for, 132–134
compared to other assessments, 129–130
explanatory overview of, 128
external assessment, 137
internal assessment, 138–139
levels of focus for, 129
measurable events in, 133–134
objectives of, 130–131
physical security assessment, 137–138
planning meetings for, 132–133
potential limitations of, 131–132
purple teaming and, 130
social engineering assessment, 138
testing infrastructure for, 136
understanding threats for, 134–135
See also blue team operations; purple teaming operations
redirectors, 136
reflective attacks, 507
registers, 29
Remote Desktop Protocol (RDP), 137, 490
remote interactive logon, 190
remote systems
accessing with Winexe, 187–188
artifacts left on, 188
code execution on, 356–358
running PowerShell on, 195–196
RemoteSigned policy, 324
renaming
functions, 69
syscalls, 572–573
repeating return addresses, 208–209
Replay phase for SDR, 94–96
reports
penetration test, 123–124
Shodan search engine, 503
vulnerability, 172
res folder, 391
resources
on ATM malware, 462
on binary diffing, 384–385
on bug bounty programs, 175
on embedded devices, 526–527, 547
on fuzzing, 64–65
on honeypots, 491–492
on Internet of Things, 509, 574
on mobile applications, 413–414
on PowerShell, 340
on programming, 45
on purple teaming, 156
on ransomware, 441–442
on reverse engineering, 88
on software-defined radio, 106–107
on web application exploits, 362
on Windows exploits, 287–288, 319
resources.arsc file, 391
Responder program, 183–187
downloading, 183
getting passwords with, 185–187
resources about, 197
running, 184–185
responsible vulnerability disclosure, 160
REST interface, 356
ret2libc, 247–251
ret command, 32
RETN instruction, 260
return-oriented programming (ROP)
chain building, 295–299, 316–319
explanation of, 294
gadgets, 294–295
RVA ROP chain, 316–319
reverse engineering (RE), 67–88
code annotation for, 67–77
collaborative analysis for, 77–82
dynamic analysis for, 83–87, 402
IoT malware, 565–574
resources about, 88
Reverse Engineering Intermediate Language (REIL), 78
reverse_https payload, 333
Ridlinghafer, Jarrett, 161
Ring0 debugger, 261
Ripper malware, 451, 455, 456, 457, 458
RISC architectures, 558
Ritchie, Dennis, 15
.rm files, 54
root file system (RFS), 530
root shell, 201
ROP. See return-oriented programming
Ropper tool, 314
RS-232 serial port, 549–551
overview, 550
pinouts, 550–551
troubleshooting, 551–557
Ruby BlackBag toolkit, 326
run function, 301
runtime type information (RTTI), 76
RVA offset, 314–316
RVA ROP chain, 316–319
S
S corporations, 119
safe unlinking, 286
SafeDllSearchMode, 379, 381, 382, 383
SafeSEH
bypassing, 275–277
memory protection with, 275
Saleae logic analyzer, 556
Samba service, 327–328
samples per second, 90
sandbox environments, 408–409, 558
saved frame pointer (SFP), 285
scanf command, 19
Schirra, Sascha, 314
scpclient module, 264
SCRAPE process, 91–106
Analyze phase, 96–103
Capture phase, 92–94
Execute phase, 105–106
Preview phase, 103–105
Replay phase, 94–96
Search phase, 91–92
script block logging, 322
scripts
Androperm, 403
PatchClean, 374
PatchExtract, 374
PowerShell, 323–328
See also XSS
SDR. See software-defined radio
Search phase for SDR, 91–92
searchsploit function, 355, 356
Secure Software Development Lifecycle (SSDLC), 121
security. See cybersecurity
security automation, 154–155
security frameworks, 146–147
security information and event management (SIEM), 149, 467
security operations center (SOC), 155, 486, 491
security orchestration, 155
SecurityTube.net website, 118
segment registers, 29
segmentation fault, 202
segmentation of memory, 25
SEGMEXEC method, 241
SEH (Structured Exception Handling)
description of, 274–275
exploitation of, 275
overwriting records for, 286
protecting with SafeSEH, 275
SEHOP overwrite protection, 277–284
SEHOP (SEH Overwrite Protection), 277–284
bypassing, 277–284
description of, 277
semantic coloring, 69
semi-tethered jailbreaks, 411
semi-untethered jailbreaks, 411
SEND_SMS permission, 403–404
sendTextMessage function, 405
serial interfaces, 513–520
I2C, 519–520
RS-232 port, 549–551
SPI, 518–519
UART, 513–518
Serial Peripheral Interface (SPI), 518–519
Serial Wire Debug (SWD) protocol, 522–523
Server Message Block (SMB) shares, 323
service logon, 190
service provider interface (SPI), 448, 450
Set User ID (SUID), 206
Shacham, Hovav, 294
Shadow Brokers hacking group, 435
SHELL variable, 231
shells
user vs. root, 201
See also PowerShell
Shodan search engine, 500–505
command line interface, 503–504
Python library API, 504–505
report generation, 503
web interface, 500–503
SIEM (security information and event management), 149, 467
signature-based tools, 149
SimpleHTTPServer module, 382
sizeof() function, 17
skimmers, ATM, 452
Skype application exploit, 383–384
sleep() function, 265
smali/baksmali tool, 398–399
small buffer exploits, 214–216
smart redirectors, 136
smartphone apps. See mobile applications
SMS scams, 403–404
SmsManager object, 405
snmpwalk command, 472
snprintf() function, 225
SOC (security operations center), 155, 486, 491
social engineering assessment, 138
Social Engineering Toolkit (SET), 328
sockaddr structure, 572–573
sockets, Python, 44
software
disclosing vulnerabilities in, 157–161
embedded device system, 523–525
software-defined radio (SDR), 89–107
Analyze phase, 96–103
buying considerations, 89–91
Capture phase, 92–94
Execute phase, 105–106
explanatory overview, 89
licensing requirement, 91
Preview phase, 103–105
Replay phase, 94–96
resources about, 106–107
SCRAPE process, 91–106
Search phase, 91–92
Sotirov, Alex, 161
special registers, 29
SPI (Serial Peripheral Interface), 518–519
SPI (service provider interface), 448, 450
SpiderFoot search page, 478
Spitzner, Lance, 465
Spy++ tool, 433
SQL (Structured Query Language), 189
SrvSmbTransaction() function, 375
sshuttle program, 544–545
stack
bypassing protection for, 238–241
format functions and, 228–229
function-calling procedures and, 199–201
GCC-based non-executable, 241
memory protections, 237–238
overflow exploits, 209–214
randomization process, 243
token used to map out, 230
stack canary protection, 256, 284
stack overflows, 209–214
command line exploits, 209–212
generic code exploits, 212–214
Stack Smashing Protection (SSP), 238
stack-based buffer overrun detection (/GS), 284–286
description of, 284–285
methods of bypassing, 285–286
standard operating procedures (SOPs), 144
Stanford University, 117
statement of work (SOW), 122
StateModel section, Peach Pit, 50
static analysis
Cuckoo Sandbox, 84
of embedded devices, 529–536
of Ransomlock malware, 422–435
See also dynamic analysis
static signatures, 436
strcpy command, 20, 203, 205, 244, 259
STRIDE classification scheme, 135
strings
format, 225–229
memory, 27
Python, 38–40
reading arbitrary, 230
strncpy command, 20
Structured Exception Handling. See SEH
Structured Query Language (SQL), 189
Struts framework, 354–358
CVE-2017-5638 vulnerability, 354–356
CVE-2017-9805 vulnerability, 356–358
setting up the environment for, 354
Struts Showcase application, 355
sub command, 31
SUCEFUL malware, 458
SUID program, 206
svc command, 572
SWD (Serial Wire Debug) protocol, 522–523
Swift programming language, 409
symmetric-key algorithms, 436
synchronous call, 447
Synopsys report, 157
syscall instructions, 33, 572–573
Sysdream.com team, 277
sysenter instruction, 33
system calls, 32–33
--system flag, 189
system() function, 242–247
system information queries, 189–191
System on Chip (SoC), 512
SYSTEM user, 338
T
tactics, techniques, and procedures (TTPs), 321
tar command, 472
target addresses, 234–235
Terraform project, 146
test access port (TAP), 520
Test section, Peach Pit, 51
testing
adaptive, 136–139
frequency and focus of, 9
infrastructure for, 136
See also fuzzing
tethered jailbreaks, 411
.text section in memory, 26
textarea object, 300, 301, 304
TheHive Project, 155
this pointers, 74–75
Thread Information Block (TIB), 273
threats
IoT lab for emulating, 557–562
understanding for red team assessments, 134–135
thresh parameter, 102
Thumb instruction set, 558
tokens
%s format, 230
%x format, 230
#$ format, 231
tools
binary diffing, 365–371
collaboration, 123
incident response, 149
PowerSploit, 328–330
virtual machine, 565
See also specific tools
top-level domains (TLDs), 136
T-Pot honeypot, 475–480
tracing memory leaks, 303–313
translation look-aside buffers (TLBs), 241
TrapX DeceptionGrid, 480–491
dashboard, 481
emulation process, 485–491
Event Analysis screen, 482
file analysis, 484
kill chain view, 483
triage efforts, 173
trusted advisor role, 120–121
tsec user account, 476
type confusion bugs, 299
U
UAF (use-after-free) bugs, 286, 299–303
UART protocol, 513–518
U-Boot bootloader, 523
Ubuntu systems, 476, 480, 555, 560
unethical hacker pen tests, 8–9
Unicode, 312, 313, 314–316, 405
--uninstall flag, 188
Universal Naming Convention (UNC) paths, 327
untethered jailbreaks, 411
update packages, 529–533
use-after-free (UAF) bugs, 286, 299–303
-UseBasicParsing option, 327
User Account Control (UAC) environment, 338
user behavior analytics (UBA), 153
user shell, 201
user vulnerability disclosure, 174
uses-permission element, 393
USRP B200 device, 90
UTF-8 characters, 357
V
Valasek, Chris, 287
Van Eeckhoutte, Peter, 268
variables, C program, 17–18
vendor vulnerability disclosure, 158–159
verifying exploits, 221–222
Vidas, Tim, 77
viewstate information, 358
virtual ATM attacks, 453
virtual machines (VM)
honeypots installed on, 468
QEMU system setup, 560–562
running in NAT mode on, 544
setting up VMware, 262–263
tools and cross-compilers for, 565
unprotected backups of, 139
virtual network interface card (VNIC), 263
virtual tables (vtables), 75
virtual technology pen testing, 115
VirtualAlloc() function, 293, 295
VirtualBox, 560
VirtualProtect() function, 293, 295, 296, 317
viruses, computer, 465
VMs. See virtual machines
VMware, 262–263
volatile memory, 24
Volume Shadow Copy Service (VSS), 330
vtguard protection, 287
VulnDB database, 124
vulnerability analysis, 533–536
vulnerability assessments, 129
vulnerability disclosure, 157–175
bug bounty programs for, 161–171
compensation issues with, 160–161
earning a living through, 171–172
full public disclosure, 159–160
full vendor disclosure, 158–159
history and overview of, 157–158
incident response and, 173–174
resources about, 175
responsible disclosure, 160
vulnerability reports, 172
vulnerability scans, 5
Vulnhub.com resources, 115
vulnserver application, 54–55
VxWorks systems, 525
W
WannaCry ransomware, 435–441, 487
Warner, Justin, 131
weaponization phase, 151–152, 153
weaponizing memory leak bug, 314–316
web application exploitation, 341–362
framework vulnerabilities and, 354–358
padding oracle attacks and, 358–361
resources about, 362
summary review of, 362
XSS vulnerabilities and, 341–353
web console, 479
Web Proxy Auto-Discovery (WPAD) protocol, 185
web resources. See resources
Weidman, Georgia, 114
Western Governors University, 118
Weston, David, 291
Wetty tool, 479
WFS_INF_IDC_STATUS command, 461
WFSOpen API, 449–451, 458, 459
WFSRegister API, 451
WFSStartUp API, 448–449
wget command, 357–358
while loop, 21
white box fuzz testing, 48
white card approach, 132
Wi-Fi networks, 498
win32_logonsession class, 189–190
window object, 352
Windows Community Edition, 254
Windows Defender Exploit Guard, 289, 291
Windows exploits, 253–288
advanced, 289–319
attack vector for, 267–269
building, 270–271
bypassing memory protections, 275–287, 292–319
compilers and, 254–256
controlling the EIP, 264–265
crashed programs and, 258–261
debugging process, 256–257, 271–273
exploit development process, 262–273
Immunity Debugger for, 256–261
memory leak bug, 299–319
offset determination for, 266–267
ProSSHD server exploits, 262–273
SEH process and, 273–274
Windows Management Instrumentation. See WMI
Windows memory protections, 275–287
ASLR, 290–291
DEP, 289–290
EMET, 291
/GS compiler, 284–286
heap protections, 286–287
SafeSEH, 275–277
SEHOP, 277–284
Windows Defender Exploit Guard, 291
Windows Open Services Architecture (WOSA), 446
Windows Server Update Services (WSUS), 372
Windows systems
compiling programs on, 254–261
crashing programs on, 258–261
debugging programs on, 256–258
exploitation of, 253–320
LLMNR and NBNS on, 181–182
market share of, 253
memory protections for, 275–287
mitigation improvements on, 319
NTLM authentication on, 182–183
Update tool for, 372
WOSA/XFS standard, 446–451
Windows Update for Business (WUB), 372
Winexe, 187–189
accessing remote systems using, 187–188
gaining elevated privileges using, 188–189
WinRM tool, 194–196
executing commands with, 194–195
remotely running PowerShell with, 195–196
WIPO Treaty, 11
wireless protocols, 498–499
Wireshark analyzer, 537–538
WMI (Windows Management Instrumentation), 189–194
executing commands with, 191–194
PowerSploit tools using, 330
querying system information with, 189–191
WMI Query Language (WQL), 189
words (data), 24
worms
Internet of Things, 507–508
ransomware, 435
WQL (WMI Query Language), 189
wrapper functions, 68–69
wsshd.exe process, 265
X
x64dbg debugger, 85–87
XFS (Extensions for Financial Services), 446–451
architecture overview, 446–447
middleware available for, 448
XFS manager operation, 448–451
XML files, 410
XMPP protocol, 499
xor command, 31
XOR decryption locations, 72–73
XSS (Cross-Site Scripting), 341–353
browser filters for, 344–345, 348
changing application logic with, 348–350
evasion from Internet wisdom, 346–348
history and overview of, 341
JavaScript DOM used for, 350–353
refresher on how it works, 343–345
setting up the environment for, 342–343
Y
Yahoo! bug bounty program, 163
YARA signatures, 70–72, 436, 437
Young, Adam, 418
Yung, Moti, 418
Z
Zigbee protocol, 498–499
Zingbox, Inc., 557
ZIP archives, 390
Z-Wave protocol, 499