Log In
Or create an account ->
Imperial Library
Home
About
News
Upload
Forum
Help
Login/SignUp
Index
Title Page
Copyright Page
Dedication
Contents
Preface
Acknowledgments
Introduction
Part I Crash Course: Preparing for the War
Chapter 1 Ethical Hacking and the Legal System
Why You Need to Understand Your Enemy’s Tactics
Recognizing Trouble When It Happens
The Ethical Hacking Process
The Penetration Testing Process
What Would an Unethical Hacker Do Differently?
The Rise of Cyberlaw
Understanding Individual Cyberlaws
The Controversy of “Hacking” Tools
Vulnerability Disclosure
Different Teams and Points of View
How Did We Get Here?
CERT’s Current Process
Organization for Internet Safety
Conflicts Will Still Exist
“No More Free Bugs”
Bug Bounty Programs
Summary
References
For Further Reading
Chapter 2 Programming Survival Skills
C Programming Language
Basic C Language Constructs
Sample Program
Compiling with gcc
Computer Memory
Random Access Memory (RAM)
Endian
Segmentation of Memory
Programs in Memory
Buffers
Strings in Memory
Pointers
Putting the Pieces of Memory Together
Intel Processors
Registers
Assembly Language Basics
Machine vs. Assembly vs. C
AT&T vs. NASM
Addressing Modes
Assembly File Structure
Assembling
Debugging with gdb
gdb Basics
Disassembly with gdb
Python Survival Skills
Getting Python
Hello World in Python
Python Objects
Strings
Numbers
Lists
Dictionaries
Files with Python
Sockets with Python
Summary
References
For Further Reading
Chapter 3 Static Analysis
Ethical Reverse Engineering
Why Bother with Reverse Engineering?
Reverse Engineering Considerations
Source Code Analysis
Source Code Auditing Tools
The Utility of Source Code Auditing Tools
Manual Source Code Auditing
Automated Source Code Analysis
Binary Analysis
Manual Auditing of Binary Code
Automated Binary Analysis Tools
Summary
For Further Reading
Chapter 4 Advanced Analysis with IDA Pro
Static Analysis Challenges
Stripped Binaries
Statically Linked Programs and FLAIR
Data Structure Analysis
Quirks of Compiled C++ Code
Extending IDA Pro
Scripting in IDAPython
Example 4-1: Decrypting Strings in Place
Executing Python Code
Summary
For Further Reading
Chapter 5 World of Fuzzing
Introduction to Fuzzing
Choosing a Target
Input Types
Ease of Automation
Complexity
Types of Fuzzers
Mutation Fuzzers
Generation Fuzzers
Getting Started
Finding the Fuzzing Templates
Lab 5-1: Collecting Samples from the Internet Archive
Choosing the Optimal Template Set with Code Coverage
Lab 5-2: Selecting the Best Samples for Fuzzing
Peach Fuzzing Framework
Peach Fuzzing Strategies
Speed Does Matter
Crash Analysis
Lab 5-3: Mutation Fuzzing with Peach
Other Mutation Fuzzers
Generation Fuzzers
Summary
For Further Reading
Chapter 6 Shellcode Strategies
User Space Shellcode
System Calls
Basic Shellcode
Port Binding Shellcode
Reverse Shellcode
Find Socket Shellcode
Command Execution Code
File Transfer Code
Multistage Shellcode
System Call Proxy Shellcode
Process Injection Shellcode
Other Shellcode Considerations
Shellcode Encoding
Self-Corrupting Shellcode
Disassembling Shellcode
Kernel Space Shellcode
Kernel Space Considerations
Summary
References
For Further Reading
Chapter 7 Writing Linux Shellcode
Basic Linux Shellcode
System Calls
System Calls by C
System Calls by Assembly
Exit System Call
setreuid System Call
Shell-Spawning Shellcode with execve
Implementing Port-Binding Shellcode
Linux Socket Programming
Assembly Program to Establish a Socket
Test the Shellcode
Implementing Reverse Connecting Shellcode
Reverse Connecting C Program
Reverse Connecting Assembly Program
Encoding Shellcode
Simple XOR Encoding
Structure of Encoded Shellcode
JMP/CALL XOR Decoder Example
FNSTENV XOR Example
Putting the Code Together
Automating Shellcode Generation with Metasploit
Generating Shellcode with Metasploit
Encoding Shellcode with Metasploit
Summary
For Further Study
Part II From Vulnerability to Exploit
Chapter 8 Spoofing-Based Attacks
What Is Spoofing?
ARP Spoofing
Lab 8-1: ARP Spoofing with Ettercap
Viewing Network Traffic
Modifying Network Traffic
DNS Spoofing
Lab 8-2: DNS Spoofing with Ettercap
Executing the Attack
NetBIOS Name Spoofing and LLMNR Spoofing
Lab 8-3: Attacking NetBIOS and LLMNR with Responder
Cracking NTLMv1 and NTLMv2 Hashes
Summary
For Further Reading
Chapter 9 Exploiting Cisco Routers
Attacking Community Strings and Passwords
Lab 9-1: Guessing Credentials with Ncrack and Metasploit
Lab 9-2: Guessing Community Strings with Onesixtyone and Metasploit
SNMP and TFTP
Lab 9-3: Downloading Configuration Files with Metasploit
Lab 9-4: Modifying Configurations with SNMP and TFTP
Attacking Cisco Passwords
Attacking Cisco Type 7 Passwords
Lab 9-5: Cracking Type 7 Passwords with Cain
Lab 9-6: Cracking Type 7 Passwords with Metasploit
Attacking Cisco Type 5 Passwords
Lab 9-7: Attacking Cisco Type 5 Passwords with John the Ripper
Middling Traffic with Tunnels
Lab 9-8: Setting Up a GRE Tunnel
Lab 9-9: Routing Traffic over a GRE Tunnel
Exploits and Other Attacks
Cisco Exploits
Maintaining Access on Cisco Devices
Summary
For Further Reading
Chapter 10 Basic Linux Exploits
Stack Operations
Function Calling Procedure
Buffer Overflows
Lab 10-1: Overflow of meet.c
Ramifications of Buffer Overflows
Local Buffer Overflow Exploits
Lab 10-2: Components of the Exploit
Lab 10-3: Exploiting Stack Overflows from the Command Line
Lab 10-4: Exploiting Stack Overflows with Generic Exploit Code
Lab 10-5: Exploiting Small Buffers
Exploit Development Process
Lab 10-6: Building Custom Exploits
Summary
For Further Reading
Chapter 11 Advanced Linux Exploits
Format String Exploits
The Problem
Lab 11-1: Reading from Arbitrary Memory
Lab 11-2: Writing to Arbitrary Memory
Lab 11-3: Changing Program Execution
Memory Protection Schemes
Compiler Improvements
Lab 11-4: Bypassing Stack Protection
Kernel Patches and Scripts
Lab 11-5: Return to libc Exploits
Lab 11-6: Maintaining Privileges with ret2libc
Bottom Line
Summary
References
For Further Reading
Chapter 12 Windows Exploits
Compiling and Debugging Windows Programs
Lab 12-1: Compiling on Windows
Debugging on Windows with Immunity Debugger
Lab 12-2: Crashing the Program
Writing Windows Exploits
Exploit Development Process Review
Lab 12-3: Exploiting ProSSHD Server
Understanding Structured Exception Handling (SEH)
Implementation of SEH
Summary
References
For Further Reading
Chapter 13 Bypassing Windows Memory Protections
Understanding Windows Memory Protections (XP SP3, Vista, 7, 8, Server 2008, and Server 2012)
Stack-Based Buffer Overrun Detection (/GS)
Safe Structured Exception Handling (SafeSEH)
SEH Overwrite Protection (SEHOP)
Heap Protections
Data Execution Prevention (DEP)
Address Space Layout Randomization (ASLR)
Enhanced Mitigation Experience Toolkit (EMET)
Bypassing Windows Memory Protections
Bypassing /GS
Bypassing SafeSEH
Bypassing ASLR
Bypassing DEP
Bypassing EMET
Bypassing SEHOP
Summary
References
For Further Reading
Chapter 14 Exploiting the Windows Access Control Model
Why Access Control Is Interesting to a Hacker
Most People Don’t Understand Access Control
Vulnerabilities You Find Are Easy to Exploit
You’ll Find Tons of Security Vulnerabilities
How Windows Access Control Works
Security Identifier
Access Token
Security Descriptor
The Access Check
Tools for Analyzing Access Control Configurations
Dumping the Process Token
Dumping the Security Descriptor
Special SIDs, Special Access, and “Access Denied”
Special SIDs
Special Access
Investigating “Access Denied”
Analyzing Access Control for Elevation of Privilege
Attack Patterns for Each Interesting Object Type
Attacking Services
Attacking Weak DACLs in the Windows Registry
Attacking Weak Directory DACLs
Attacking Weak File DACLs
What Other Object Types Are Out There?
Enumerating Shared Memory Sections
Enumerating Named Pipes
Enumerating Processes
Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, and Devices)
Summary
For Further Reading
Chapter 15 Exploiting Web Applications
Overview of the Top 10 Web Vulnerabilities
MD5 Hash Injection
Lab 15-1: Injecting the Hash
Multibyte Encoding Injection
Understanding the Vulnerability
Lab 15-2: Leverage Multibyte Encoding
Hunting Cross-site Scripting (XSS)
Lab 15-3: Basic XSS Injection into a JavaScript Block
Unicode Normalization Forms Attack
Lab 15-4: Leveraging Unicode Normalization
Unicode Normalization Introduction
Normalization Forms
Preparing the Environment for Testing
XSS Testing via x5s the Plug-In
Launching the Attack Manually
Adding Your Own Test Case
Summary
References
For Further Reading
Chapter 16 Exploiting IE: Smashing the Heap
Setting Up the Environment
WinDbg Configuration
Attaching the Browser to WinDbg
Introduction to Heap Spray
Spraying with HTML5
Lab 16-1: Heap Spray via HTML5
DOM Element Property Spray (DEPS)
Lab 16-2: Heap Spray via DEPS Technique
HeapLib2 Technique
Forcing New Allocations by Exhausting the Cache Blocks
Lab 16-3: HeapLib2 Spraying
Flash Spray with Byte Arrays
Lab 16-4: Basic Heap Spray with Flash
Flash Spray with Integer Vectors
Lab 16-5: Heap Spray with Flash Vectors
Leveraging Low Fragmentation Heap (LFH)
Summary
References
For Further Reading
Chapter 17 Exploiting IE: Use-After-Free Technique
Use-After-Free Overview
Debugging JavaScript
Dissecting Use-After-Free (UAF)
Lab 17-1: Dissecting UAF, Step by Step
Leveraging the UAF Vulnerability
Example 17-1: Connecting the Dots
Summary
References
For Further Reading
Chapter 18 Advanced Client-Side Exploitation with BeEF
BeEF Basics
Lab 18-1: Setting Up Beef
Lab 18-2: Using the BeEF Console
Hooking Browsers
Lab 18-3: The Basic XSS Hook
Lab 18-4: Hooking Browsers with Site Spoofing
Lab 18-5: Automatically Injecting Hooks with Shank
Fingerprinting with BeEF
Lab 18-6: Fingerprinting Browsers with BeEF
Lab 18-7: Fingerprinting Users with BeEF
Lab 18-8: Fingerprinting Computers with BeEF
Browser Exploitation
Lab 18-9: Exploiting Browsers with BeEF and Java
Exploiting Browsers with BeEF and Metasploit
Automating Attacks
Summary
For Further Reading
Chapter 19 One-Day Exploitation with Patch Diffing
Introduction to Binary Diffing
Application Diffing
Patch Diffing
Binary Diffing Tools
BinDiff
turbodiff
Lab 19-1: Our First Diff
Patch Management Process
Microsoft Patch Tuesday
Lab 19-2: Obtaining and Extracting Microsoft Patches
Examining the Patch
Lab 19-3: Diffing MS14-006 with turbodiff
Kernel Debugging
Lab 19-4: Kernel Debugging MS14-006
Summary
References
For Further Reading
Part III Advanced Malware Analysis
Chapter 20 Dissecting Android Malware
The Android Platform
Android Application Package
Application Manifest
Analyzing DEX
Java Decompilation
DEX Decompilation
DEX Disassembling
Example 20-1: Running APK in Emulator
Malware Analysis
Malware Analysis Primer
Example 20-2: Black-Box APK Monitoring with Droidbox
Summary
For Further Reading
Chapter 21 Dissecting Ransomware
History of Ransomware
Options for Paying the Ransom
Dissecting Ransomlock
Example 21-1: Dynamic Analysis
Example 21-2: Static Analysis
CryptoLocker
Summary
For Further Reading
Chapter 22 Analyzing 64-bit Malware
Overview of the AMD64 Architecture
AMD64 Calling Conventions
Decrypting C&C Domains
Example 22-1: Decrypting C&C Domains
Summary
For Further Reading
Chapter 23 Next-Generation Reverse Engineering
Notable IDA Plug-ins
IDAscope
IDA Toolbag
Collaboration
Honeypots and Sandboxes Using TrapX
A Free Tool for Dynamic Analysis
A Commercial Alternative: TrapX Malware Trap
Summary
References
For Further Reading
Appendix About the Download
Index
← Prev
Back
Next →
← Prev
Back
Next →