Gray Hat Hacking The Ethical Hacker’s Handbook

Book Description

THE LATEST STRATEGIES FOR UNCOVERING TODAY'S MOST DEVASTATING ATTACKS

Thwart malicious network intrusion by using cutting-edge techniques for finding and fixing security flaws. Fully updated and expanded with nine new chapters, Gray Hat Hacking: The Ethical Hacker's Handbook, Third Edition details the most recent vulnerabilities and remedies along with legal disclosure methods. Learn from the experts how hackers target systems, defeat protection schemes, write malicious code, and exploit flaws in Windows and Linux systems. Malware analysis, penetration testing, SCADA, VoIP, and Web security are also covered in this comprehensive resource.

• Develop and launch exploits using BackTrack and Metasploit

• Employ physical, social engineering, and insider attack techniques

• Build Perl, Python, and Ruby scripts that initiate stack buffer overflows

• Understand and prevent malicious content in Adobe, Office, and multimedia files

• Detect and block client-side, Web server, VoIP, and SCADA attacks

• Reverse engineer, fuzz, and decompile Windows and Linux software

• Develop SQL injection, cross-site scripting, and forgery exploits

• Trap malware and rootkits using honeypots and SandBoxes

Table of Contents

  1. Cover Page
  2. Gray Hat Hacking the Ethical Hacker’s Handbook
  3. Copyright Page
  4. Contents
  5. Preface
  6. Acknowledgments
  7. Introduction
  8. Part I Introduction to Ethical Disclosure
    1. Chapter 1 Ethics of Ethical Hacking
      1. Why You Need to Understand Your Enemy’s Tactics
      2. Recognizing the Gray Areas in Security
      3. How Does This Stuff Relate to an Ethical Hacking Book?
        1. Vulnerability Assessment
        2. Penetration Testing
      4. The Controversy of Hacking Books and Classes
      5. The Dual Nature of Tools
      6. Recognizing Trouble When It Happens
      7. Emulating the Attack
      8. Where Do Attackers Have Most of Their Fun?
        1. Security Does Not Like Complexity
    2. Chapter 2 Ethical Hacking and the Legal System
      1. The Rise of Cyberlaw
      2. Understanding Individual Cyberlaws
        1. 18 USC Section 1029: The Access Device Statute
        2. 18 USC Section 1030 of the Computer Fraud and Abuse Act
        3. 18 USC Sections 2510, et seq., and 2701, et seq., of the Electronic Communications Privacy Act
        4. Digital Millennium Copyright Act (DMCA)
        5. Cyber Security Enhancement Act of 2002
        6. Securely Protect Yourself Against Cyber Trespass Act (SPY Act)
    3. Chapter 3 Proper and Ethical Disclosure
      1. Different Teams and Points of View
        1. How Did We Get Here?
      2. CERT’s Current Process
      3. Full Disclosure Policy—the RainForest Puppy Policy
      4. Organization for Internet Safety (OIS)
        1. Discovery
        2. Notification
        3. Validation
        4. Resolution
        5. Release
      5. Conflicts Will Still Exist
        1. “No More Free Bugs”
      6. Case Studies
        1. Pros and Cons of Proper Disclosure Processes
        2. Vendors Paying More Attention
      7. So What Should We Do from Here on Out?
        1. iDefense and ZDI
  9. Part II Penetration Testing and Tools
    1. Chapter 4 Social Engineering Attacks
      1. How a Social Engineering Attack Works
      2. Conducting a Social Engineering Attack
      3. Common Attacks Used in Penetration Testing
        1. The Good Samaritan
        2. The Meeting
        3. Join the Company
      4. Preparing Yourself for Face-to-Face Attacks
      5. Defending Against Social Engineering Attacks
    2. Chapter 5 Physical Penetration Attacks
      1. Why a Physical Penetration Is Important
      2. Conducting a Physical Penetration
        1. Reconnaissance
        2. Mental Preparation
      3. Common Ways into a Building
        1. The Smokers’ Door
        2. Manned Checkpoints
        3. Locked Doors
        4. Physically Defeating Locks
        5. Once You Are Inside
      4. Defending Against Physical Penetrations
    3. Chapter 6 Insider Attacks
      1. Why Simulating an Insider Attack Is Important
      2. Conducting an Insider Attack
        1. Tools and Preparation
        2. Orientation
        3. Gaining Local Administrator Privileges
        4. Disabling Antivirus
        5. Raising Cain
      3. Defending Against Insider Attacks
    4. Chapter 7 Using the BackTrack Linux Distribution
      1. BackTrack: The Big Picture
      2. Installing BackTrack to DVD or USB Thumb Drive
      3. Using the BackTrack ISO Directly Within a Virtual Machine
        1. Creating a BackTrack Virtual Machine with VirtualBox
        2. Booting the BackTrack LiveDVD System
        3. Exploring the BackTrack X Windows Environment
        4. Starting Network Services
      4. Persisting Changes to Your BackTrack Installation
        1. Installing Full BackTrack to Hard Drive or USB Thumb Drive
        2. Creating a New ISO with Your One-time Changes
        3. Using a Custom File that Automatically Saves and Restores Changes
      5. Exploring the BackTrack Boot Menu
      6. Updating BackTrack
    5. Chapter 8 Using Metasploit
      1. Metasploit: The Big Picture
      2. Getting Metasploit
      3. Using the Metasploit Console to Launch Exploits
      4. Exploiting Client-Side Vulnerabilities with Metasploit
      5. Penetration Testing with Metasploit’s Meterpreter
      6. Automating and Scripting Metasploit
      7. Going Further with Metasploit
    6. Chapter 9 Managing a Penetration Test
      1. Planning a Penetration Test
        1. Types of Penetration Tests
        2. Scope of a Penetration Test
        3. Locations of the Penetration Test
        4. Organization of the Penetration Testing Team
        5. Methodologies and Standards
        6. Phases of the Penetration Test
        7. Testing Plan for a Penetration Test
      2. Structuring a Penetration Testing Agreement
        1. Statement of Work
        2. Get-Out-of-Jail-Free Letter
      3. Execution of a Penetration Test
        1. Kickoff Meeting
        2. Access During the Penetration Test
        3. Managing Expectations
        4. Managing Problems
        5. Steady Is Fast
        6. External and Internal Coordination
      4. Information Sharing During a Penetration Test
        1. Dradis Server
      5. Reporting the Results of a Penetration Test
        1. Format of the Report
        2. Out Brief of the Report
  10. Part III Exploiting
    1. Chapter 10 Programming Survival Skills
      1. C Programming Language
        1. Basic C Language Constructs
        2. Sample Program
        3. Compiling with gcc
      2. Computer Memory
        1. Random Access Memory (RAM)
        2. Endian
        3. Segmentation of Memory
        4. Programs in Memory
        5. Buffers
        6. Strings in Memory
        7. Pointers
        8. Putting the Pieces of Memory Together
      3. Intel Processors
        1. Registers
      4. Assembly Language Basics
        1. Machine vs. Assembly vs. C
        2. AT&T vs. NASM
        3. Addressing Modes
        4. Assembly File Structure
        5. Assembling
      5. Debugging with gdb
        1. gdb Basics
        2. Disassembly with gdb
      6. Python Survival Skills
        1. Getting Python
        2. Hello World in Python
        3. Python Objects
        4. Strings
        5. Numbers
        6. Lists
        7. Dictionaries
        8. Files with Python
        9. Sockets with Python
    2. Chapter 11 Basic Linux Exploits
      1. Stack Operations
        1. Function Calling Procedure
      2. Buffer Overflows
        1. Overflow of meet.c
        2. Ramifications of Buffer Overflows
      3. Local Buffer Overflow Exploits
        1. Components of the Exploit
        2. Exploiting Stack Overflows from the Command Line
        3. Exploiting Stack Overflows with Generic Exploit Code
        4. Exploiting Small Buffers
      4. Exploit Development Process
        1. Control eip
        2. Determine the Offset(s)
        3. Determine the Attack Vector
        4. Build the Exploit Sandwich
        5. Test the Exploit
    3. Chapter 12 Advanced Linux Exploits
      1. Format String Exploits
        1. The Problem
        2. Reading from Arbitrary Memory
        3. Writing to Arbitrary Memory
        4. Taking dtors to root
      2. Memory Protection Schemes
        1. Compiler Improvements
        2. Kernel Patches and Scripts
        3. Return to libc Exploits
        4. Bottom Line
    4. Chapter 13 Shellcode Strategies
      1. User Space Shellcode
        1. System Calls
        2. Basic Shellcode
        3. Port Binding Shellcode
        4. Reverse Shellcode
        5. Find Socket Shellcode
        6. Command Execution Code
        7. File Transfer Code
        8. Multistage Shellcode
        9. System Call Proxy Shellcode
        10. Process Injection Shellcode
      2. Other Shellcode Considerations
        1. Shellcode Encoding
        2. Self-Corrupting Shellcode
        3. Disassembling Shellcode
      3. Kernel Space Shellcode
        1. Kernel Space Considerations
    5. Chapter 14 Writing Linux Shellcode
      1. Basic Linux Shellcode
        1. System Calls
        2. System Calls by C
        3. System Calls by Assembly
        4. Exit System Call
        5. setreuid System Call
        6. Shell-Spawning Shellcode with execve
      2. Implementing Port-Binding Shellcode
        1. Linux Socket Programming
        2. Assembly Program to Establish a Socket
        3. Test the Shellcode
      3. Implementing Reverse Connecting Shellcode
        1. Reverse Connecting C Program
        2. Reverse Connecting Assembly Program
      4. Encoding Shellcode
        1. Simple XOR Encoding
        2. Structure of Encoded Shellcode
        3. JMP/CALL XOR Decoder Example
        4. FNSTENV XOR Example
        5. Putting the Code Together
      5. Automating Shellcode Generation with Metasploit
        1. Generating Shellcode with Metasploit
        2. Encoding Shellcode with Metasploit
    6. Chapter 15 Windows Exploits
      1. Compiling and Debugging Windows Programs
        1. Compiling on Windows
        2. Debugging on Windows with OllyDbg
      2. Writing Windows Exploits
        1. Exploit Development Process Review
        2. ProSSHD Server
        3. Control eip
        4. Determine the Offset(s)
        5. Determine the Attack Vector
        6. Build the Exploit Sandwich
        7. Debug the Exploit if Needed
      3. Understanding Structured Exception Handling (SEH)
        1. Implementation of SEH
      4. Understanding Windows Memory Protections (XP SP3, Vista, 7, and Server 2008)
        1. Stack-Based Buffer Overrun Detection (/GS)
        2. Safe Structured Exception Handling (SafeSEH)
        3. SEH Overwrite Protection (SEHOP)
        4. Heap Protections
        5. Data Execution Prevention (DEP)
        6. Address Space Layout Randomization (ASLR)
      5. Bypassing Windows Memory Protections
        1. Bypassing /GS
        2. Bypassing SafeSEH
        3. Bypassing ASLR
        4. Bypassing DEP
        5. Bypassing SEHOP
        6. Summary of Memory Bypass Methods
    7. Chapter 16 Understanding and Detecting Content-Type Attacks
      1. How Do Content-Type Attacks Work?
      2. Which File Formats Are Being Exploited Today?
      3. Intro to the PDF File Format
      4. Analyzing a Malicious PDF Exploit
        1. Implementing Safeguards in Your Analysis Environment
      5. Tools to Detect Malicious PDF Files
        1. PDFiD
        2. pdf-parser.py
      6. Tools to Test Your Protections Against Content-type Attacks
      7. How to Protect Your Environment from Content-type Attacks
        1. Apply All Security Updates
        2. Disable JavaScript in Adobe Reader
        3. Enable DEP for Microsoft Office Applications and Adobe Reader
    8. Chapter 17 Web Application Security Vulnerabilities
      1. Overview of Top Web Application Security Vulnerabilities
        1. Injection Vulnerabilities
        2. Cross-Site Scripting Vulnerabilities
        3. The Rest of the OWASP Top Ten
      2. SQL Injection Vulnerabilities
        1. SQL Databases and Statements
        2. Testing Web Applications to Find SQL Injection Vulnerabilities
      3. Cross-Site Scripting Vulnerabilities
        1. Explaining “Scripting”
        2. Explaining Cross-Site Scripting
    9. Chapter 18 VoIP Attacks
      1. What Is VoIP?
      2. Protocols Used by VoIP
        1. SIP
        2. Megaco H.248
        3. H.323
        4. TLS and DTLS
        5. SRTP
        6. ZRTP
      3. Types of VoIP Attacks
        1. Enumeration
        2. SIP Password Cracking
        3. Eavesdropping/Packet Capture
        4. Denial of Service
      4. How to Protect Against VoIP Attacks
    10. Chapter 19 SCADA Attacks
      1. What Is SCADA?
      2. Which Protocols Does SCADA Use?
        1. OPC
        2. ICCP
        3. Modbus
        4. DNP3
      3. SCADA Fuzzing
        1. SCADA Fuzzing with Autodafé
        2. SCADA Fuzzing with TFTP Daemon Fuzzer
      4. Stuxnet Malware (The New Wave in Cyberterrorism)
      5. How to Protect Against SCADA Attacks
  11. Part IV Vulnerability Analysis
    1. Chapter 20 Passive Analysis
      1. Ethical Reverse Engineering
      2. Why Bother with Reverse Engineering?
        1. Reverse Engineering Considerations
      3. Source Code Analysis
        1. Source Code Auditing Tools
        2. The Utility of Source Code Auditing Tools
        3. Manual Source Code Auditing
        4. Automated Source Code Analysis
      4. Binary Analysis
        1. Manual Auditing of Binary Code
        2. Automated Binary Analysis Tools
    2. Chapter 21 Advanced Static Analysis with IDA Pro
      1. Static Analysis Challenges
        1. Stripped Binaries
        2. Statically Linked Programs and FLAIR
        3. Data Structure Analysis
        4. Quirks of Compiled C++ Code
      2. Extending IDA Pro
        1. Scripting with IDC
        2. IDA Pro Plug-In Modules and the IDA Pro SDK
        3. Building IDA Pro Plug-Ins
        4. IDA Pro Loaders and Processor Modules
    3. Chapter 22 Advanced Reverse Engineering
      1. Why Try to Break Software?
      2. Overview of the Software Development Process
      3. Instrumentation Tools
        1. Debuggers
        2. Code Coverage Analysis Tools
        3. Profiling Tools
        4. Flow Analysis Tools
        5. Memory Use Monitoring Tools
      4. Fuzzing
      5. Instrumented Fuzzing Tools and Techniques
        1. A Simple URL Fuzzer
        2. Fuzzing Unknown Protocols
        3. SPIKE
        4. SPIKE Static Content Primitives
        5. SPIKE Proxy
        6. Sharefuzz
    4. Chapter 23 Client-Side Browser Exploits
      1. Why Client-Side Vulnerabilities Are Interesting
        1. Client-Side Vulnerabilities Bypass Firewall Protections
        2. Client-Side Applications Are Often Running with Administrative Privileges
        3. Client-Side Vulnerabilities Can Easily Target Specific People or Organizations
      2. Internet Explorer Security Concepts
        1. ActiveX Controls
        2. Internet Explorer Security Zones
      3. History of Client-Side Exploits and Latest Trends
        1. Client-Side Vulnerabilities Rise to Prominence
        2. Notable Vulnerabilities in the History of Client-Side Attacks
      4. Finding New Browser-Based Vulnerabilities
        1. mangleme
        2. Mozilla Security Team Fuzzers
        3. AxEnum
        4. AxFuzz
        5. AxMan
      5. Heap Spray to Exploit
        1. InternetExploiter
      6. Protecting Yourself from Client-Side Exploits
        1. Keep Up-to-Date on Security Patches
        2. Stay Informed
        3. Run Internet-Facing Applications with Reduced Privileges
    5. Chapter 24 Exploiting the Windows Access Control Model
      1. Why Access Control Is Interesting to a Hacker
        1. Most People Don’t Understand Access Control
        2. Vulnerabilities You Find Are Easy to Exploit
        3. You’ll Find Tons of Security Vulnerabilities
      2. How Windows Access Control Works
        1. Security Identifier
        2. Access Token
        3. Security Descriptor
        4. The Access Check
      3. Tools for Analyzing Access Control Configurations
        1. Dumping the Process Token
        2. Dumping the Security Descriptor
      4. Special SIDs, Special Access, and “Access Denied”
        1. Special SIDs
        2. Special Access
        3. Investigating “Access Denied”
      5. Analyzing Access Control for Elevation of Privilege
      6. Attack Patterns for Each Interesting Object Type
        1. Attacking Services
        2. Attacking Weak DACLs in the Windows Registry
        3. Attacking Weak Directory DACLs
        4. Attacking Weak File DACLs
      7. What Other Object Types Are Out There?
        1. Enumerating Shared Memory Sections
        2. Enumerating Named Pipes
        3. Enumerating Processes
        4. Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, Devices)
    6. Chapter 25 Intelligent Fuzzing with Sulley
      1. Protocol Analysis
      2. Sulley Fuzzing Framework
        1. Installing Sulley
        2. Powerful Fuzzer
        3. Blocks
        4. Monitoring the Process for Faults
        5. Monitoring the Network Traffic
        6. Controlling VMware
        7. Putting It All Together
        8. Postmortem Analysis of Crashes
        9. Analysis of Network Traffic
        10. Exploring Further
    7. Chapter 26 From Vulnerability to Exploit
      1. Exploitability
        1. Debugging for Exploitation
        2. Initial Analysis
      2. Understanding the Problem
        1. Preconditions and Postconditions
        2. Repeatability
      3. Payload Construction Considerations
        1. Payload Protocol Elements
        2. Buffer Orientation Problems
        3. Self-Destructive Shellcode
      4. Documenting the Problem
        1. Background Information
        2. Circumstances
        3. Research Results
    8. Chapter 27 Closing the Holes: Mitigation
      1. Mitigation Alternatives
        1. Port Knocking
        2. Migration
      2. Patching
        1. Source Code Patching Considerations
        2. Binary Patching Considerations
        3. Binary Mutation
        4. Third-Party Patching Initiatives
  12. Part V Malware Analysis
    1. Chapter 28 Collecting Malware and Initial Analysis
      1. Malware
        1. Types of Malware
        2. Malware Defensive Techniques
      2. Latest Trends in Honeynet Technology
        1. Honeypots
        2. Honeynets
        3. Why Honeypots Are Used
        4. Limitations of Honeypots
        5. Low-Interaction Honeypots
        6. High-Interaction Honeypots
        7. Types of Honeynets
        8. Thwarting VMware Detection Technologies
      3. Catching Malware: Setting the Trap
        1. VMware Host Setup
        2. VMware Guest Setup
        3. Using Nepenthes to Catch a Fly
      4. Initial Analysis of Malware
        1. Static Analysis
        2. Live Analysis
        3. Norman SandBox Technology
    2. Chapter 29 Hacking Malware
      1. Trends in Malware
        1. Embedded Components
        2. Use of Encryption
        3. User Space Hiding Techniques
        4. Use of Rootkit Technology
        5. Persistence Measures
      2. De-obfuscating Malware
        1. Packer Basics
        2. Unpacking Binaries
      3. Reverse-Engineering Malware
        1. Malware Setup Phase
        2. Malware Operation Phase
        3. Automated Malware Analysis
  13. Index