Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition, 4th Edition

Book Description

Cutting-edge techniques for finding and fixing critical security flaws

Fortify your network and avert digital catastrophe with proven strategies from a team of security experts. Completely updated and featuring 12 new chapters, Gray Hat Hacking: The Ethical Hacker's Handbook, Fourth Edition explains the enemy’s current weapons, skills, and tactics and offers field-tested remedies, case studies, and ready-to-deploy testing labs. Find out how hackers gain access, overtake network devices, script and inject malicious code, and plunder Web applications and browsers. Android-based exploits, reverse engineering techniques, and cyber law are thoroughly covered in this state-of-the-art resource.

  • Build and launch spoofing exploits with Ettercap and Evilgrade
  • Induce error conditions and crash software using fuzzers
  • Hack Cisco routers, switches, and network hardware
  • Use advanced reverse engineering to exploit Windows and Linux software
  • Bypass Windows Access Control and memory protection schemes
  • Scan for flaws in Web applications using Fiddler and the x5s plugin
  • Learn the use-after-free technique used in recent zero days
  • Bypass Web authentication via MySQL type conversion and MD5 injection attacks
  • Inject your shellcode into a browser's memory using the latest Heap Spray techniques
  • Hijack Web browsers with Metasploit and the BeEF Injection Framework
  • Neutralize ransomware before it takes control of your desktop
  • Dissect Android malware with JEB and DAD decompilers
  • Find one-day vulnerabilities with binary diffing

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. Contents
  6. Preface
  7. Acknowledgments
  8. Introduction
  9. Part I Crash Course: Preparing for the War
    1. Chapter 1 Ethical Hacking and the Legal System
      1. Why You Need to Understand Your Enemy’s Tactics
        1. Recognizing Trouble When It Happens
      2. The Ethical Hacking Process
        1. The Penetration Testing Process
        2. What Would an Unethical Hacker Do Differently?
      3. The Rise of Cyberlaw
        1. Understanding Individual Cyberlaws
        2. The Controversy of “Hacking” Tools
      4. Vulnerability Disclosure
        1. Different Teams and Points of View
        2. How Did We Get Here?
        3. CERT’s Current Process
        4. Organization for Internet Safety
        5. Conflicts Will Still Exist
        6. “No More Free Bugs”
        7. Bug Bounty Programs
      5. Summary
      6. References
      7. For Further Reading
    2. Chapter 2 Programming Survival Skills
      1. C Programming Language
        1. Basic C Language Constructs
        2. Sample Program
        3. Compiling with gcc
      2. Computer Memory
        1. Random Access Memory (RAM)
        2. Endian
        3. Segmentation of Memory
        4. Programs in Memory
        5. Buffers
        6. Strings in Memory
        7. Pointers
        8. Putting the Pieces of Memory Together
      3. Intel Processors
        1. Registers
      4. Assembly Language Basics
        1. Machine vs. Assembly vs. C
        2. AT&T vs. NASM
        3. Addressing Modes
        4. Assembly File Structure
        5. Assembling
      5. Debugging with gdb
        1. gdb Basics
        2. Disassembly with gdb
      6. Python Survival Skills
        1. Getting Python
        2. Hello World in Python
        3. Python Objects
        4. Strings
        5. Numbers
        6. Lists
        7. Dictionaries
        8. Files with Python
        9. Sockets with Python
      7. Summary
      8. References
      9. For Further Reading
    3. Chapter 3 Static Analysis
      1. Ethical Reverse Engineering
      2. Why Bother with Reverse Engineering?
        1. Reverse Engineering Considerations
      3. Source Code Analysis
        1. Source Code Auditing Tools
        2. The Utility of Source Code Auditing Tools
        3. Manual Source Code Auditing
        4. Automated Source Code Analysis
      4. Binary Analysis
        1. Manual Auditing of Binary Code
        2. Automated Binary Analysis Tools
      5. Summary
      6. For Further Reading
    4. Chapter 4 Advanced Analysis with IDA Pro
      1. Static Analysis Challenges
        1. Stripped Binaries
        2. Statically Linked Programs and FLAIR
        3. Data Structure Analysis
        4. Quirks of Compiled C++ Code
      2. Extending IDA Pro
        1. Scripting in IDAPython
        2. Example 4-1: Decrypting Strings in Place
        3. Executing Python Code
      3. Summary
      4. For Further Reading
    5. Chapter 5 World of Fuzzing
      1. Introduction to Fuzzing
      2. Choosing a Target
        1. Input Types
        2. Ease of Automation
        3. Complexity
      3. Types of Fuzzers
        1. Mutation Fuzzers
        2. Generation Fuzzers
      4. Getting Started
        1. Finding the Fuzzing Templates
        2. Lab 5-1: Collecting Samples from the Internet Archive
        3. Choosing the Optimal Template Set with Code Coverage
        4. Lab 5-2: Selecting the Best Samples for Fuzzing
      5. Peach Fuzzing Framework
        1. Peach Fuzzing Strategies
        2. Speed Does Matter
        3. Crash Analysis
        4. Lab 5-3: Mutation Fuzzing with Peach
        5. Other Mutation Fuzzers
      6. Generation Fuzzers
      7. Summary
      8. For Further Reading
    6. Chapter 6 Shellcode Strategies
      1. User Space Shellcode
        1. System Calls
        2. Basic Shellcode
        3. Port Binding Shellcode
        4. Reverse Shellcode
        5. Find Socket Shellcode
        6. Command Execution Code
        7. File Transfer Code
        8. Multistage Shellcode
        9. System Call Proxy Shellcode
        10. Process Injection Shellcode
      2. Other Shellcode Considerations
        1. Shellcode Encoding
        2. Self-Corrupting Shellcode
        3. Disassembling Shellcode
      3. Kernel Space Shellcode
        1. Kernel Space Considerations
      4. Summary
      5. References
      6. For Further Reading
    7. Chapter 7 Writing Linux Shellcode
      1. Basic Linux Shellcode
        1. System Calls
        2. System Calls by C
        3. System Calls by Assembly
        4. Exit System Call
        5. setreuid System Call
        6. Shell-Spawning Shellcode with execve
      2. Implementing Port-Binding Shellcode
        1. Linux Socket Programming
        2. Assembly Program to Establish a Socket
        3. Test the Shellcode
      3. Implementing Reverse Connecting Shellcode
        1. Reverse Connecting C Program
        2. Reverse Connecting Assembly Program
      4. Encoding Shellcode
        1. Simple XOR Encoding
        2. Structure of Encoded Shellcode
        3. JMP/CALL XOR Decoder Example
        4. FNSTENV XOR Example
        5. Putting the Code Together
      5. Automating Shellcode Generation with Metasploit
        1. Generating Shellcode with Metasploit
        2. Encoding Shellcode with Metasploit
      6. Summary
      7. For Further Study
  10. Part II From Vulnerability to Exploit
    1. Chapter 8 Spoofing-Based Attacks
      1. What Is Spoofing?
      2. ARP Spoofing
        1. Lab 8-1: ARP Spoofing with Ettercap
        2. Viewing Network Traffic
        3. Modifying Network Traffic
      3. DNS Spoofing
        1. Lab 8-2: DNS Spoofing with Ettercap
        2. Executing the Attack
      4. NetBIOS Name Spoofing and LLMNR Spoofing
        1. Lab 8-3: Attacking NetBIOS and LLMNR with Responder
        2. Cracking NTLMv1 and NTLMv2 Hashes
      5. Summary
      6. For Further Reading
    2. Chapter 9 Exploiting Cisco Routers
      1. Attacking Community Strings and Passwords
        1. Lab 9-1: Guessing Credentials with Ncrack and Metasploit
        2. Lab 9-2: Guessing Community Strings with Onesixtyone and Metasploit
      2. SNMP and TFTP
        1. Lab 9-3: Downloading Configuration Files with Metasploit
        2. Lab 9-4: Modifying Configurations with SNMP and TFTP
      3. Attacking Cisco Passwords
        1. Attacking Cisco Type 7 Passwords
        2. Lab 9-5: Cracking Type 7 Passwords with Cain
        3. Lab 9-6: Cracking Type 7 Passwords with Metasploit
        4. Attacking Cisco Type 5 Passwords
        5. Lab 9-7: Attacking Cisco Type 5 Passwords with John the Ripper
      4. Middling Traffic with Tunnels
        1. Lab 9-8: Setting Up a GRE Tunnel
        2. Lab 9-9: Routing Traffic over a GRE Tunnel
      5. Exploits and Other Attacks
        1. Cisco Exploits
        2. Maintaining Access on Cisco Devices
      6. Summary
      7. For Further Reading
    3. Chapter 10 Basic Linux Exploits
      1. Stack Operations
        1. Function Calling Procedure
      2. Buffer Overflows
        1. Lab 10-1: Overflow of meet.c
        2. Ramifications of Buffer Overflows
      3. Local Buffer Overflow Exploits
        1. Lab 10-2: Components of the Exploit
        2. Lab 10-3: Exploiting Stack Overflows from the Command Line
        3. Lab 10-4: Exploiting Stack Overflows with Generic Exploit Code
        4. Lab 10-5: Exploiting Small Buffers
      4. Exploit Development Process
        1. Lab 10-6: Building Custom Exploits
      5. Summary
      6. For Further Reading
    4. Chapter 11 Advanced Linux Exploits
      1. Format String Exploits
        1. The Problem
        2. Lab 11-1: Reading from Arbitrary Memory
        3. Lab 11-2: Writing to Arbitrary Memory
        4. Lab 11-3: Changing Program Execution
      2. Memory Protection Schemes
        1. Compiler Improvements
        2. Lab 11-4: Bypassing Stack Protection
        3. Kernel Patches and Scripts
        4. Lab 11-5: Return to libc Exploits
        5. Lab 11-6: Maintaining Privileges with ret2libc
        6. Bottom Line
      3. Summary
      4. References
      5. For Further Reading
    5. Chapter 12 Windows Exploits
      1. Compiling and Debugging Windows Programs
        1. Lab 12-1: Compiling on Windows
        2. Debugging on Windows with Immunity Debugger
        3. Lab 12-2: Crashing the Program
      2. Writing Windows Exploits
        1. Exploit Development Process Review
        2. Lab 12-3: Exploiting ProSSHD Server
      3. Understanding Structured Exception Handling (SEH)
        1. Implementation of SEH
      4. Summary
      5. References
      6. For Further Reading
    6. Chapter 13 Bypassing Windows Memory Protections
      1. Understanding Windows Memory Protections (XP SP3, Vista, 7, 8, Server 2008, and Server 2012)
        1. Stack-Based Buffer Overrun Detection (/GS)
        2. Safe Structured Exception Handling (SafeSEH)
        3. SEH Overwrite Protection (SEHOP)
        4. Heap Protections
        5. Data Execution Prevention (DEP)
        6. Address Space Layout Randomization (ASLR)
        7. Enhanced Mitigation Experience Toolkit (EMET)
      2. Bypassing Windows Memory Protections
        1. Bypassing /GS
        2. Bypassing SafeSEH
        3. Bypassing ASLR
        4. Bypassing DEP
        5. Bypassing EMET
        6. Bypassing SEHOP
      3. Summary
      4. References
      5. For Further Reading
    7. Chapter 14 Exploiting the Windows Access Control Model
      1. Why Access Control Is Interesting to a Hacker
        1. Most People Don’t Understand Access Control
        2. Vulnerabilities You Find Are Easy to Exploit
        3. You’ll Find Tons of Security Vulnerabilities
      2. How Windows Access Control Works
        1. Security Identifier
        2. Access Token
        3. Security Descriptor
        4. The Access Check
      3. Tools for Analyzing Access Control Configurations
        1. Dumping the Process Token
        2. Dumping the Security Descriptor
      4. Special SIDs, Special Access, and “Access Denied”
        1. Special SIDs
        2. Special Access
        3. Investigating “Access Denied”
      5. Analyzing Access Control for Elevation of Privilege
      6. Attack Patterns for Each Interesting Object Type
        1. Attacking Services
        2. Attacking Weak DACLs in the Windows Registry
        3. Attacking Weak Directory DACLs
        4. Attacking Weak File DACLs
      7. What Other Object Types Are Out There?
        1. Enumerating Shared Memory Sections
        2. Enumerating Named Pipes
        3. Enumerating Processes
        4. Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, and Devices)
      8. Summary
      9. For Further Reading
    8. Chapter 15 Exploiting Web Applications
      1. Overview of the Top 10 Web Vulnerabilities
      2. MD5 Hash Injection
        1. Lab 15-1: Injecting the Hash
      3. Multibyte Encoding Injection
        1. Understanding the Vulnerability
        2. Lab 15-2: Leverage Multibyte Encoding
      4. Hunting Cross-site Scripting (XSS)
        1. Lab 15-3: Basic XSS Injection into a JavaScript Block
      5. Unicode Normalization Forms Attack
        1. Lab 15-4: Leveraging Unicode Normalization
        2. Unicode Normalization Introduction
        3. Normalization Forms
        4. Preparing the Environment for Testing
        5. XSS Testing via x5s the Plug-In
        6. Launching the Attack Manually
        7. Adding Your Own Test Case
      6. Summary
      7. References
      8. For Further Reading
    9. Chapter 16 Exploiting IE: Smashing the Heap
      1. Setting Up the Environment
        1. WinDbg Configuration
        2. Attaching the Browser to WinDbg
      2. Introduction to Heap Spray
      3. Spraying with HTML5
        1. Lab 16-1: Heap Spray via HTML5
      4. DOM Element Property Spray (DEPS)
        1. Lab 16-2: Heap Spray via DEPS Technique
      5. HeapLib2 Technique
        1. Forcing New Allocations by Exhausting the Cache Blocks
        2. Lab 16-3: HeapLib2 Spraying
      6. Flash Spray with Byte Arrays
        1. Lab 16-4: Basic Heap Spray with Flash
      7. Flash Spray with Integer Vectors
        1. Lab 16-5: Heap Spray with Flash Vectors
      8. Leveraging Low Fragmentation Heap (LFH)
      9. Summary
      10. References
      11. For Further Reading
    10. Chapter 17 Exploiting IE: Use-After-Free Technique
      1. Use-After-Free Overview
        1. Debugging JavaScript
      2. Dissecting Use-After-Free (UAF)
        1. Lab 17-1: Dissecting UAF, Step by Step
      3. Leveraging the UAF Vulnerability
        1. Example 17-1: Connecting the Dots
      4. Summary
      5. References
      6. For Further Reading
    11. Chapter 18 Advanced Client-Side Exploitation with BeEF
      1. BeEF Basics
        1. Lab 18-1: Setting Up BeEF
        2. Lab 18-2: Using the BeEF Console
      2. Hooking Browsers
        1. Lab 18-3: The Basic XSS Hook
        2. Lab 18-4: Hooking Browsers with Site Spoofing
        3. Lab 18-5: Automatically Injecting Hooks with Shank
      3. Fingerprinting with BeEF
        1. Lab 18-6: Fingerprinting Browsers with BeEF
        2. Lab 18-7: Fingerprinting Users with BeEF
        3. Lab 18-8: Fingerprinting Computers with BeEF
      4. Browser Exploitation
        1. Lab 18-9: Exploiting Browsers with BeEF and Java
        2. Exploiting Browsers with BeEF and Metasploit
      5. Automating Attacks
      6. Summary
      7. For Further Reading
    12. Chapter 19 One-Day Exploitation with Patch Diffing
      1. Introduction to Binary Diffing
        1. Application Diffing
        2. Patch Diffing
      2. Binary Diffing Tools
        1. BinDiff
        2. turbodiff
        3. Lab 19-1: Our First Diff
      3. Patch Management Process
        1. Microsoft Patch Tuesday
        2. Lab 19-2: Obtaining and Extracting Microsoft Patches
        3. Examining the Patch
        4. Lab 19-3: Diffing MS14-006 with turbodiff
        5. Kernel Debugging
        6. Lab 19-4: Kernel Debugging MS14-006
      4. Summary
      5. References
      6. For Further Reading
  11. Part III Advanced Malware Analysis
    1. Chapter 20 Dissecting Android Malware
      1. The Android Platform
        1. Android Application Package
        2. Application Manifest
        3. Analyzing DEX
        4. Java Decompilation
        5. DEX Decompilation
        6. DEX Disassembling
        7. Example 20-1: Running APK in Emulator
      2. Malware Analysis
        1. Malware Analysis Primer
        2. Example 20-2: Black-Box APK Monitoring with Droidbox
      3. Summary
      4. For Further Reading
    2. Chapter 21 Dissecting Ransomware
      1. History of Ransomware
      2. Options for Paying the Ransom
      3. Dissecting Ransomlock
        1. Example 21-1: Dynamic Analysis
        2. Example 21-2: Static Analysis
      4. CryptoLocker
      5. Summary
      6. For Further Reading
    3. Chapter 22 Analyzing 64-bit Malware
      1. Overview of the AMD64 Architecture
        1. AMD64 Calling Conventions
      2. Decrypting C&C Domains
        1. Example 22-1: Decrypting C&C Domains
      3. Summary
      4. For Further Reading
    4. Chapter 23 Next-Generation Reverse Engineering
      1. Notable IDA Plug-ins
        1. IDAscope
        2. IDA Toolbag
        3. Collaboration
      2. Honeypots and Sandboxes Using TrapX
        1. A Free Tool for Dynamic Analysis
        2. A Commercial Alternative: TrapX Malware Trap
      3. Summary
      4. References
      5. For Further Reading
  12. Appendix About the Download
  13. Index