Gray Hat Hacking: The Ethical Hacker's Handbook, Fifth Edition

Book Description

Cutting-edge techniques for finding and fixing critical security flaws

Fortify your network and avert digital catastrophe with proven strategies from a team of security experts. Completely updated and featuring 13 new chapters, Gray Hat Hacking: The Ethical Hacker’s Handbook, Fifth Edition explains the enemy’s current weapons, skills, and tactics and offers field-tested remedies, case studies, and ready-to-try testing labs. Find out how hackers gain access, overtake network devices, script and inject malicious code, and plunder Web applications and browsers. Android-based exploits, reverse engineering techniques, and cyber law are thoroughly covered in this state-of-the-art resource. And the new topic of exploiting the Internet of things is introduced in this edition.

• Build and launch spoofing exploits with Ettercap

• Induce error conditions and crash software using fuzzers

• Use advanced reverse engineering to exploit Windows and Linux software

• Bypass Windows Access Control and memory protection schemes

• Exploit web applications with Padding Oracle Attacks

• Learn the use-after-free technique used in recent zero days

• Hijack web browsers with advanced XSS attacks

• Understand ransomware and how it takes control of your desktop

• Dissect Android malware with JEB and DAD decompilers

• Find one-day vulnerabilities with binary diffing

• Exploit wireless systems with Software Defined Radios (SDR)

• Exploit Internet of Things devices

• Dissect and exploit embedded devices

• Understand bug bounty programs

• Deploy next-generation honeypots

• Dissect ATM malware and analyze common ATM attacks

• Learn the business side of ethical hacking


Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. Contents
  6. Preface
  7. Acknowledgments
  8. Introduction
  9. Part I Preparation
    1. Chapter 1 Why Gray Hat Hacking? Ethics and Law
      1. Know Your Enemy
        1. The Current Security Landscape
        2. Recognizing an Attack
      2. The Gray Hat Way
        1. Emulating the Attack
        2. Frequency and Focus of Testing
      3. Evolution of Cyberlaw
        1. Understanding Individual Cyberlaws
      4. Summary
      5. References
    2. Chapter 2 Programming Survival Skills
      1. C Programming Language
        1. Basic C Language Constructs
        2. Sample Program
        3. Compiling with gcc
      2. Computer Memory
        1. Random Access Memory
        2. Endian
        3. Segmentation of Memory
        4. Programs in Memory
        5. Buffers
        6. Strings in Memory
        7. Pointers
        8. Putting the Pieces of Memory Together
      3. Intel Processors
        1. Registers
      4. Assembly Language Basics
        1. Machine vs. Assembly vs. C
        2. AT&T vs. NASM
        3. Addressing Modes
        4. Assembly File Structure
        5. Assembling
      5. Debugging with gdb
        1. gdb Basics
        2. Disassembly with gdb
      6. Python Survival Skills
        1. Getting Python
        2. “Hello, World!” in Python
        3. Python Objects
        4. Strings
        5. Numbers
        6. Lists
        7. Dictionaries
        8. Files with Python
        9. Sockets with Python
      7. Summary
      8. For Further Reading
      9. References
    3. Chapter 3 Next-Generation Fuzzing
      1. Introduction to Fuzzing
        1. Types of Fuzzers
        2. Mutation Fuzzers
        3. Generation Fuzzers
        4. Genetic Fuzzing
      2. Mutation Fuzzing with Peach
        1. Lab 3-1: Mutation Fuzzing with Peach
      3. Generation Fuzzing with Peach
        1. Crash Analysis
        2. Lab 3-2: Generation Fuzzing with Peach
      4. Genetic or Evolutionary Fuzzing with AFL
        1. Lab 3-3: Genetic Fuzzing with AFL
      5. Summary
      6. For Further Reading
    4. Chapter 4 Next-Generation Reverse Engineering
      1. Code Annotation
        1. IDB Annotation with IDAscope
        2. C++ Code Analysis
      2. Collaborative Analysis
        1. Leveraging Collaborative Knowledge Using FIRST
        2. Collaboration with BinNavi
      3. Dynamic Analysis
        1. Automated Dynamic Analysis with Cuckoo Sandbox
        2. Bridging the Static-Dynamic Tool Gap with Labeless
      4. Summary
      5. For Further Reading
      6. References
    5. Chapter 5 Software-Defined Radio
      1. Getting Started with SDR
        1. What to Buy
        2. Not So Quick: Know the Rules
      2. Learn by Example
        1. Search
        2. Capture
        3. Replay
        4. Analyze
        5. Preview
        6. Execute
      3. Summary
      4. For Further Reading
  10. Part II Business of Hacking
    1. Chapter 6 So You Want to Be a Pen Tester?
      1. The Journey from Novice to Expert
        1. Pen Tester Ethos
        2. Pen Tester Taxonomy
        3. The Future of Hacking
        4. Know the Tech
        5. Know What Good Looks Like
        6. Pen Tester Training
        7. Practice
        8. Degree Programs
        9. Knowledge Transfer
      2. Pen Tester Tradecraft
        1. Personal Liability
        2. Being the Trusted Advisor
        3. Managing a Pen Test
      3. Summary
      4. For Further Reading
    2. Chapter 7 Red Teaming Operations
      1. Red Team Operations
        1. Strategic, Operational, and Tactical Focus
        2. Assessment Comparisons
      2. Red Teaming Objectives
      3. What Can Go Wrong
        1. Limited Scope
        2. Limited Time
        3. Limited Audience
        4. Overcoming Limitations
      4. Communications
        1. Planning Meetings
        2. Defining Measurable Events
      5. Understanding Threats
      6. Attack Frameworks
      7. Testing Environment
      8. Adaptive Testing
        1. External Assessment
        2. Physical Security Assessment
        3. Social Engineering
        4. Internal Assessment
      9. Lessons Learned
      10. Summary
      11. References
    3. Chapter 8 Purple Teaming
      1. Introduction to Purple Teaming
      2. Blue Team Operations
        1. Know Your Enemy
        2. Know Yourself
        3. Security Program
        4. Incident Response Program
        5. Common Blue Teaming Challenges
      3. Purple Teaming Operations
        1. Decision Frameworks
        2. Disrupting the Kill Chain
        3. Kill Chain Countermeasure Framework
        4. Communication
      4. Purple Team Optimization
      5. Summary
      6. For Further Reading
      7. References
    4. Chapter 9 Bug Bounty Programs
      1. History of Vulnerability Disclosure
        1. Full Vendor Disclosure
        2. Full Public Disclosure
        3. Responsible Disclosure
        4. No More Free Bugs
      2. Bug Bounty Programs
        1. Types of Bug Bounty Programs
        2. Incentives
        3. Controversy Surrounding Bug Bounty Programs
        4. Popular Bug Bounty Program Facilitators
      3. Bugcrowd in Depth
        1. Program Owner Web Interface
        2. Program Owner API Example
        3. Researcher Web Interface
      4. Earning a Living Finding Bugs
        1. Selecting a Target
        2. Registering (If Required)
        3. Understanding the Rules of the Game
        4. Finding Vulnerabilities
        5. Reporting Vulnerabilities
        6. Cashing Out
      5. Incident Response
        1. Communication
        2. Triage
        3. Remediation
        4. Disclosure to Users
        5. Public Relations
      6. Summary
      7. For Further Reading
      8. References
  11. Part III Exploiting Systems
    1. Chapter 10 Getting Shells Without Exploits
      1. Capturing Password Hashes
        1. Understanding LLMNR and NBNS
        2. Understanding Windows NTLMv1 and NTLMv2 Authentication
        3. Using Responder
        4. Lab 10-1: Getting Passwords with Responder
      2. Using Winexe
        1. Lab 10-2: Using Winexe to Access Remote Systems
        2. Lab 10-3: Using Winexe to Gain Elevated Privileges
      3. Using WMI
        1. Lab 10-4: Querying System Information with WMI
        2. Lab 10-5: Executing Commands with WMI
      4. Taking Advantage of WinRM
        1. Lab 10-6: Executing Commands with WinRM
        2. Lab 10-7: Using WinRM to Run PowerShell Remotely
      5. Summary
      6. For Further Reading
      7. Reference
    2. Chapter 11 Basic Linux Exploits
      1. Stack Operations and Function-Calling Procedures
      2. Buffer Overflows
        1. Lab 11-1: Overflowing meet.c
        2. Ramifications of Buffer Overflows
      3. Local Buffer Overflow Exploits
        1. Lab 11-2: Components of the Exploit
        2. Lab 11-3: Exploiting Stack Overflows from the Command Line
        3. Lab 11-4: Exploiting Stack Overflows with Generic Exploit Code
        4. Lab 11-5: Exploiting Small Buffers
      4. Exploit Development Process
        1. Lab 11-6: Building Custom Exploits
      5. Summary
      6. For Further Reading
    3. Chapter 12 Advanced Linux Exploits
      1. Format String Exploits
        1. Format Strings
        2. Lab 12-1: Reading from Arbitrary Memory
        3. Lab 12-2: Writing to Arbitrary Memory
        4. Lab 12-3: Changing Program Execution
      2. Memory Protection Schemes
        1. Compiler Improvements
        2. Lab 12-4: Bypassing Stack Protection
        3. Kernel Patches and Scripts
        4. Lab 12-5: Return to libc Exploits
        5. Lab 12-6: Maintaining Privileges with ret2libc
        6. Bottom Line
      3. Summary
      4. For Further Reading
      5. References
    4. Chapter 13 Windows Exploits
      1. Compiling and Debugging Windows Programs
        1. Lab 13-1: Compiling on Windows
        2. Windows Compiler Options
        3. Debugging on Windows with Immunity Debugger
        4. Lab 13-2: Crashing the Program
      2. Writing Windows Exploits
        1. Exploit Development Process Review
        2. Lab 13-3: Exploiting ProSSHD Server
      3. Understanding Structured Exception Handling (SEH)
      4. Understanding and Bypassing Windows Memory Protections
        1. Safe Structured Exception Handling (SafeSEH)
        2. Bypassing SafeSEH
        3. SEH Overwrite Protection (SEHOP)
        4. Bypassing SEHOP
        5. Stack-Based Buffer Overrun Detection (/GS)
        6. Bypassing /GS
        7. Heap Protections
      5. Summary
      6. For Further Reading
      7. References
    5. Chapter 14 Advanced Windows Exploitation
      1. Data Execution Prevention (DEP)
      2. Address Space Layout Randomization (ASLR)
      3. Enhanced Mitigation Experience Toolkit (EMET) and Windows Defender Exploit Guard
      4. Bypassing ASLR
      5. Bypassing DEP and Avoiding ASLR
        1. VirtualProtect
        2. Return-Oriented Programming
        3. Gadgets
        4. Building the ROP Chain
      6. Defeating ASLR Through a Memory Leak
        1. Triggering the Bug
        2. Tracing the Memory Leak
        3. Weaponizing the Memory Leak
        4. Building the RVA ROP Chain
      7. Summary
      8. For Further Reading
      9. References
    6. Chapter 15 PowerShell Exploitation
      1. Why PowerShell
        1. Living Off the Land
        2. PowerShell Logging
        3. PowerShell Portability
      2. Loading PowerShell Scripts
        1. Lab 15-1: The Failure Condition
        2. Lab 15-2: Passing Commands on the Command Line
        3. Lab 15-3: Encoded Commands
        4. Lab 15-4: Bootstrapping via the Web
      3. Exploitation and Post-Exploitation with PowerSploit
        1. Lab 15-5: Setting Up PowerSploit
        2. Lab 15-6: Running Mimikatz Through PowerShell
        3. Lab 15-7: Creating a Persistent Meterpreter Using PowerSploit
      4. Using PowerShell Empire for C2
        1. Lab 15-8: Setting Up Empire
        2. Lab 15-9: Staging an Empire C2
        3. Lab 15-10: Using Empire to Own the System
      5. Summary
      6. For Further Reading
      7. References
    7. Chapter 16 Next-Generation Web Application Exploitation
      1. The Evolution of Cross-Site Scripting (XSS)
        1. Setting Up the Environment
        2. Lab 16-1: XSS Refresher
        3. Lab 16-2: XSS Evasion from Internet Wisdom
        4. Lab 16-3: Changing Application Logic with XSS
        5. Lab 16-4: Using the DOM for XSS
      2. Framework Vulnerabilities
        1. Setting Up the Environment
        2. Lab 16-5: Exploiting CVE-2017-5638
        3. Lab 16-6: Exploiting CVE-2017-9805
      3. Padding Oracle Attacks
        1. Lab 16-7: Changing Data with the Padding Oracle Attack
      4. Summary
      5. For Further Reading
      6. References
    8. Chapter 17 Next-Generation Patch Exploitation
      1. Introduction to Binary Diffing
        1. Application Diffing
        2. Patch Diffing
      2. Binary Diffing Tools
        1. BinDiff
        2. turbodiff
        3. Lab 17-1: Our First Diff
      3. Patch Management Process
        1. Microsoft Patch Tuesday
        2. Obtaining and Extracting Microsoft Patches
        3. Lab 17-2: Diffing MS17-010
      4. Patch Diffing for Exploitation
        1. DLL Side-Loading Bugs
        2. Lab 17-3: Diffing MS16-009
      5. Summary
      6. For Further Reading
      7. References
  12. Part IV Advanced Malware Analysis
    1. Chapter 18 Dissecting Mobile Malware
      1. The Android Platform
        1. Android Application Package
        2. Application Manifest
        3. Analyzing DEX
        4. Java Decompilation
        5. DEX Decompilation
        6. DEX Disassembling
        7. Example 18-1: Running APK in Emulator
        8. Malware Analysis
      2. The iOS Platform
        1. iOS Security
        2. iOS Applications
      3. Summary
      4. For Further Reading
      5. References
    2. Chapter 19 Dissecting Ransomware
      1. The Beginnings of Ransomware
      2. Options for Paying the Ransom
      3. Dissecting Ransomlock
        1. Example 19-1: Dynamic Analysis
        2. Example 19-2: Static Analysis
      4. Wannacry
        1. Example 19-3: Analyzing Wannacry Ransomware
      5. Summary
      6. For Further Reading
    3. Chapter 20 ATM Malware
      1. ATM Overview
      2. XFS Overview
        1. XFS Architecture
        2. XFS Manager
      3. ATM Malware Analysis
        1. Types of ATM Malware
        2. Techniques for Installing Malware on ATMs
        3. Techniques for Dissecting the Malware
        4. ATM Malware Countermeasures
      4. Summary
      5. For Further Reading
      6. References
    4. Chapter 21 Deception: Next-Generation Honeypots
      1. Brief History of Deception
        1. Honeypots as a Form of Deception
        2. Deployment Considerations
        3. Setting Up a Virtual Machine
      2. Open Source Honeypots
        1. Lab 21-1: Dionaea
        2. Lab 21-2: ConPot
        3. Lab 21-3: Cowrie
        4. Lab 21-4: T-Pot
      3. Commercial Alternative: TrapX
      4. Summary
      5. For Further Reading
      6. References
  13. Part V Internet of Things
    1. Chapter 22 Internet of Things to Be Hacked
      1. Internet of Things (IoT)
        1. Types of Connected Things
        2. Wireless Protocols
        3. Communication Protocols
        4. Security Concerns
      2. Shodan IoT Search Engine
        1. Web Interface
        2. Shodan Command-Line Interface
        3. Lab 22-1: Using the Shodan Command Line
        4. Shodan API
        5. Lab 22-2: Testing the Shodan API
        6. Lab 22-3: Playing with MQTT
        7. Implications of This Unauthenticated Access to MQTT
      3. IoT Worms: It Was a Matter of Time
        1. Lab 22-4: Mirai Lives
        2. Prevention
      4. Summary
      5. For Further Reading
      6. References
    2. Chapter 23 Dissecting Embedded Devices
      1. CPU
        1. Microprocessor
        2. Microcontrollers
        3. System on Chip (SoC)
        4. Common Processor Architectures
      2. Serial Interfaces
        1. UART
        2. SPI
        3. I2C
      3. Debug Interfaces
        1. JTAG
        2. SWD (Serial Wire Debug)
      4. Software
        1. Bootloader
        2. No Operating System
        3. Real-Time Operating System
        4. General Operating System
      5. Summary
      6. For Further Reading
      7. References
    3. Chapter 24 Exploiting Embedded Devices
      1. Static Analysis of Vulnerabilities in Embedded Devices
        1. Lab 24-1: Analyzing the Update Package
        2. Lab 24-2: Performing Vulnerability Analysis
      2. Dynamic Analysis with Hardware
        1. The Test Environment Setup
        2. Ettercap
      3. Dynamic Analysis with Emulation
        1. FIRMADYNE
        2. Lab 24-3: Setting Up FIRMADYNE
        3. Lab 24-4: Emulating Firmware
        4. Lab 24-5: Exploiting Firmware
      4. Summary
      5. Further Reading
      6. References
    4. Chapter 25 Fighting IoT Malware
      1. Physical Access to the Device
        1. RS-232 Overview
        2. RS-232 Pinout
        3. Exercise 25-1: Troubleshooting a Medical Device’s RS-232 Port
      2. Setting Up the Threat Lab
        1. ARM and MIPS Overview
        2. Lab 25-1: Setting Up Systems with QEMU
      3. Dynamic Analysis of IoT Malware
        1. Lab 25-2: IoT Malware Dynamic Analysis
        2. Platform for Architecture-Neutral Dynamic Analysis (PANDA)
        3. BeagleBone Black Board
      4. Reverse Engineering IoT Malware
        1. Crash-Course ARM/MIPS Instruction Set
        2. Lab 25-3: IDA Pro Remote Debugging and Reversing
        3. IoT Malware Reversing Exercise
      5. Summary
      6. For Further Reading
  14. Index