Gray Hat Hacking, Third Edition Reviews
“Bigger, better, and more thorough, the Gray Hat Hacking series is one that I’ve enjoyed
from the start. Always right on time information, always written by experts. The Third
Edition is a must-have update for new and continuing security experts.”
—Jared D. DeMott
Principal Security Researcher, Crucial Security, Inc.
“This book is a great reference for penetration testers and researchers who want to step up
and broaden their skills in a wide range of IT security disciplines.”
—Peter Van Eeckhoutte (corelanc0d3r)
Founder, Corelan Team
“I am often asked by people how to get started in the InfoSec world, and I point people
to this book. In fact, if someone is an expert in one arena and needs a leg up in another,
I still point them to this book. This is one book that should be in every security
professional’s library—the coverage is that good.”
—Simple Nomad
Hacker
“The Third Edition of Gray Hat Hacking builds upon a well-established foundation to
bring even deeper insight into the tools and techniques in an ethical hacker’s arsenal.
From software exploitation to SCADA attacks, this book covers it all. Gray Hat Hacking
is without doubt the definitive guide to the art of computer security published in this
decade.”
—Alexander Sotirov
Security Rockstar and Founder of the Pwnie Awards
“Gray Hat Hacking is an excellent ‘Hack-by-example’ book. It should be read by anyone
who wants to master security topics, from physical intrusions to Windows memory
protections.”
—Dr. Martin Vuagnoux
Cryptographer/Computer security expert
“Gray Hat Hacking is a must-read if you’re serious about INFOSEC. It provides a much-
needed map of the hacker’s digital landscape. If you’re curious about hacking or are
pursuing a career in INFOSEC, this is the place to start.”
—Johnny Long
Professional Hacker, Founder of Hackers for Charity.org
Gray Hat Hacking: The Ethical Hacker’s Handbook, Third Edition
Allen Harper, Shon Harris, Jonathan Ness,
Chris Eagle, Gideon Lenkey, and Terron Williams
New York • Chicago • San Francisco • Lisbon
London • Madrid • Mexico City • Milan • New Delhi
San Juan • Seoul • Singapore • Sydney • Toronto
Copyright © 2011 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of
1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher.
ISBN: 978-0-07-174256-6
MHID: 0-07-174256-5
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174255-9,
MHID: 0-07-174255-7.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the
trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. To contact a representative please e-mail us at
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of
any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGrawHill”) and its licensors reserve all rights in and to the
work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve
one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon,
transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use
the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may
be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not
warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or
error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of
cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed
through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the
possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises
in contract, tort or otherwise.
n2netsec
Swimming with the Sharks? Get Peace of Mind.
Are your information assets secure? Are you sure?
N2NetSecurity's Information Security and Compliance Services give you the peace of mind of knowing that you have the best of the best in information security on your side. Our deep technical knowledge ensures that our solutions are innovative and efficient and our extensive experience will help you avoid common and costly mistakes.
N2NetSecurity provides information security services to government and private industry. We are a certified Payment Card Industry Qualified Security Assessor (PCI QSA). Our talented team includes Black Hat Instructors, received a 2010 Department of Defense CIO Award, and has coauthored seven leading IT books including Gray Hat Hacking: The Ethical Hacker's Handbook and Security Information Event Management Implementation.
Contact us for a Free Gap Assessment and see how we can help you get peace of mind.
Get Back to Normal, Back to Business!
N2NetSecurity, Inc.
www.n2netsec.com
800.456.0058
Stop Hackers in Their Tracks
Hacking Exposed, 6th Edition
Hacking Exposed Malware & Rootkits
Hacking Exposed Computer Forensics, 2nd Edition
24 Deadly Sins of Software Security
Hacking Exposed Web 2.0
IT Auditing, 2nd Edition
IT Security Metrics
Gray Hat Hacking, 3rd Edition
Hacking Exposed Wireless, 2nd Edition
Hacking Exposed: Web Applications, 3rd Edition
Hacking Exposed Windows, 3rd Edition
Hacking Exposed Linux, 3rd Edition
Available in print and ebook formats
Follow us on Twitter @MHComputing
Boost Your Security Skills (and Salary) with Expert Training for CISSP Certification
The Shon Harris CISSP Solution is the perfect self-study training package not only for the CISSP candidate or those renewing certification, but for any security pro who wants to increase their security knowledge and earning potential. Take advantage of this comprehensive multimedia package that lets you learn at your own pace and in your own home or office. This definitive set includes:
In-class instruction at your home
Complex concepts fully explained
Everything you need to pass the CISSP exam.
• DVD set of computer-based training, over 34 hours of instruction on the Common Body of Knowledge, the 10 domains required for certification.
• CISSP All-in-One 5th Edition, the 1193 page best-selling book by Shon Harris.
• 2,200+ page CISSP Student Workbook developed by Shon Harris.
• Multiple hours of Shon Harris' lectures explaining the concepts in the CISSP Student Workbook in MP3 format.
• Bonus MP3 files with extensive review sessions for each domain.
• Over 1,600 CISSP review questions to test your knowledge.
• 300+ Question final practice exam.
• And more!
Learn from the best! Leading independent authority and recognized CISSP training guru, Shon Harris, CISSP, MCSE, delivers this definitive certification program packaged together and available for the first time. Order today! Complete info at
CISSP is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as (ISC)². No endorsement by, affiliation or association with (ISC)² is implied.
To my brothers and sisters in Christ, keep running the race. Let your light shine for Him,
that others may be drawn to Him through you. —Allen Harper
To my loving and supporting husband, David Harris, who has continual
patience with me as I take on all of these crazy projects! —Shon Harris
To Jessica, the most amazing and beautiful person I know. —Jonathan Ness
For my train-loving son Aaron, you bring us constant joy! —Chris Eagle
To Vincent Freeman, although I did not know you long, life has blessed us
with a few minutes to talk and laugh together. —Terron Williams
ABOUT THE AUTHORS
Allen Harper, CISSP, PCI QSA, is the president and owner of N2NetSecurity, Inc. in North Carolina. He retired from the Marine Corps after 20 years and a tour in Iraq. Additionally, he has served as a security analyst for the U.S. Department of the Treasury, Internal Revenue Service, and Computer Security Incident Response Center (IRS CSIRC). He regularly speaks and teaches at conferences such as Black Hat and Techno.
Shon Harris, CISSP, is the president of Logical Security, an author, educator, and security consultant. She is a former engineer of the U.S. Air Force Information Warfare unit and has published several books and articles on different disciplines within information security. Shon was also recognized as one of the top 25 women in information security by Information Security Magazine.
Jonathan Ness, CHFI, is a lead software security engineer in Microsoft’s Security Response Center (MSRC). He and his coworkers ensure that Microsoft’s security updates comprehensively address reported vulnerabilities. He also leads the technical response of Microsoft’s incident response process that is engaged to address publicly disclosed vulnerabilities and exploits targeting Microsoft software. He serves one weekend each month as a security engineer in a reserve military unit.
Chris Eagle is a senior lecturer in the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, California. A computer engineer/scientist for 25 years, his research interests include computer network attack and defense, computer forensics, and reverse/anti-reverse engineering. He can often be found teaching at Black Hat or spending late nights working on capture the flag at Defcon.
Gideon Lenkey, CISSP, is the president and co-founder of Ra Security Systems, Inc., a New Jersey–based managed services company, where he specializes in testing the information security posture of enterprise IT infrastructures. He has provided advanced training to the FBI and served as the president of the FBI’s InfraGard program in New Jersey. He has been recognized on multiple occasions by FBI director Robert Mueller for his contributions and is frequently consulted by both foreign and domestic government agencies. Gideon is a regular contributor to the Internet Evolution website and a participant in the EastWest Institute’s Cybersecurity initiative.
Terron Williams, NSA IAM-IEM, CEH, CSSLP, works for Elster Electricity as a Senior Test Engineer, with a primary focus on smart grid security. He formerly worked at Nortel as a Security Test Engineer and VoIP System Integration Engineer. Terron has served on the editorial board for Hakin9 IT Security Magazine and has authored articles for it. His interests are in VoIP, exploit research, SCADA security, and emerging smart grid technologies.
Disclaimer: The views expressed in this book are those of the authors and not of the U.S. government or the Microsoft Corporation.
About the Technical Editor
Michael Baucom is the Vice President of Research and Development at N2NetSecurity,
Inc., in North Carolina. He has been a software engineer for 15 years and has worked
on a wide variety of software, from router forwarding code in assembly to Windows
applications and services. In addition to writing software, he has worked as a security
consultant performing training, source code audits, and penetration tests.
CONTENTS AT A GLANCE
Part I Introduction to Ethical Disclosure . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1 Ethics of Ethical Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 Ethical Hacking and the Legal System . . . . . . . . . . . . . . . . . . . . . . . 23
Chapter 3 Proper and Ethical Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Part II Penetration Testing and Tools . . . . . . . . . . . . . . . . . . . . . . . . . 75
Chapter 4 Social Engineering Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Chapter 5 Physical Penetration Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Chapter 6 Insider Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 7 Using the BackTrack Linux Distribution . . . . . . . . . . . . . . . . . . . . . 125
Chapter 8 Using Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Chapter 9 Managing a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Part III Exploiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Chapter 10 Programming Survival Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Chapter 11 Basic Linux Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Chapter 12 Advanced Linux Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Chapter 13 Shellcode Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Chapter 14 Writing Linux Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Chapter 15 Windows Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Chapter 16 Understanding and Detecting Content-Type Attacks . . . . . . . . . . . 341
Chapter 17 Web Application Security Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 361
Chapter 18 VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Chapter 19 SCADA Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Part IV Vulnerability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Chapter 20 Passive Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Chapter 21 Advanced Static Analysis with IDA Pro . . . . . . . . . . . . . . . . . . . . . . 445
Chapter 22 Advanced Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Chapter 23 Client-Side Browser Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Chapter 24 Exploiting the Windows Access Control Model . . . . . . . . . . . . . . . 525
Chapter 25 Intelligent Fuzzing with Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Chapter 26 From Vulnerability to Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Chapter 27 Closing the Holes: Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Part V Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Chapter 28 Collecting Malware and Initial Analysis . . . . . . . . . . . . . . . . . . . . . . 635
Chapter 29 Hacking Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
CONTENTS
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
Part I Introduction to Ethical Disclosure . . . . . . . . . . . . . . . . . . . . . 1
Chapter 1 Ethics of Ethical Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Why You Need to Understand Your Enemy’s Tactics . . . . . . . . . . . . . . . 3
Recognizing the Gray Areas in Security . . . . . . . . . . . . . . . . . . . . . . . . . 8
How Does This Stuff Relate to an Ethical Hacking Book? . . . . . . . . . . 10
Vulnerability Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
The Controversy of Hacking Books and Classes . . . . . . . . . . . . . . . . . . 15
The Dual Nature of Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Recognizing Trouble When It Happens . . . . . . . . . . . . . . . . . . . . 18
Emulating the Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Where Do Attackers Have Most of Their Fun? . . . . . . . . . . . . . . . . . . . . 19
Security Does Not Like Complexity . . . . . . . . . . . . . . . . . . . . . . . 20
Chapter 2 Ethical Hacking and the Legal System . . . . . . . . . . . . . . . . . . . . . . . 23
The Rise of Cyberlaw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Understanding Individual Cyberlaws . . . . . . . . . . . . . . . . . . . . . . . . . . 25
18 USC Section 1029: The Access Device Statute . . . . . . . . . . . . 25
18 USC Section 1030 of the Computer Fraud and Abuse Act . . 29
18 USC Sections 2510, et. Seq., and 2701, et. Seq., of the Electronic Communication Privacy Act . . . . . . . . . . . . . . . . . 38
Digital Millennium Copyright Act (DMCA) . . . . . . . . . . . . . . . . 42
Cyber Security Enhancement Act of 2002 . . . . . . . . . . . . . . . . . . 45
Securely Protect Yourself Against Cyber Trespass Act (SPY Act) . . . 46
Chapter 3 Proper and Ethical Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Different Teams and Points of View . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
How Did We Get Here? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
CERT’s Current Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Full Disclosure Policy—the RainForest Puppy Policy . . . . . . . . . . . . . . 52
Organization for Internet Safety (OIS) . . . . . . . . . . . . . . . . . . . . . . . . . 54
Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Conflicts Will Still Exist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
“No More Free Bugs” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Pros and Cons of Proper Disclosure Processes . . . . . . . . . . . . . . 67
Vendors Paying More Attention . . . . . . . . . . . . . . . . . . . . . . . . . . 71
So What Should We Do from Here on Out? . . . . . . . . . . . . . . . . . . . . . 72
iDefense and ZDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Part II Penetration Testing and Tools . . . . . . . . . . . . . . . . . . . . . . . . . 75
Chapter 4 Social Engineering Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
How a Social Engineering Attack Works . . . . . . . . . . . . . . . . . . . . . . . . 77
Conducting a Social Engineering Attack . . . . . . . . . . . . . . . . . . . . . . . . 79
Common Attacks Used in Penetration Testing . . . . . . . . . . . . . . . . . . . 81
The Good Samaritan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
The Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Join the Company . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Preparing Yourself for Face-to-Face Attacks . . . . . . . . . . . . . . . . . . . . . . 89
Defending Against Social Engineering Attacks . . . . . . . . . . . . . . . . . . . 91
Chapter 5 Physical Penetration Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Why a Physical Penetration Is Important . . . . . . . . . . . . . . . . . . . . . . . . 94
Conducting a Physical Penetration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Mental Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Common Ways into a Building . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
The Smokers’ Door . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Manned Checkpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Locked Doors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Physically Defeating Locks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Once You Are Inside . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Defending Against Physical Penetrations . . . . . . . . . . . . . . . . . . . . . . . . 108
Chapter 6 Insider Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Why Simulating an Insider Attack Is Important . . . . . . . . . . . . . . . . . . 109
Conducting an Insider Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Tools and Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Gaining Local Administrator Privileges . . . . . . . . . . . . . . . . . . . . 111
Disabling Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Raising Cain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Defending Against Insider Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter 7 Using the BackTrack Linux Distribution . . . . . . . . . . . . . . . . . . . . . 125
BackTrack: The Big Picture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Installing BackTrack to DVD or USB Thumb Drive . . . . . . . . . . . . . . . . 126
Using the BackTrack ISO Directly Within a Virtual Machine . . . . . . . . 128
Creating a BackTrack Virtual Machine with VirtualBox . . . . . . . 128
Booting the BackTrack LiveDVD System . . . . . . . . . . . . . . . . . . . 129
Exploring the BackTrack X Windows Environment . . . . . . . . . . 130
Starting Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Persisting Changes to Your BackTrack Installation . . . . . . . . . . . . . . . . 131
Installing Full BackTrack to Hard Drive or USB Thumb Drive . . . 131
Creating a New ISO with Your One-time Changes . . . . . . . . . . . 134
Using a Custom File that Automatically Saves and Restores Changes . . . . . . . . . . . . . . . . . . . . . . . 135
Exploring the BackTrack Boot Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Updating BackTrack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Chapter 8 Using Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Metasploit: The Big Picture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Getting Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Using the Metasploit Console to Launch Exploits . . . . . . . . . . . . . . . . 142
Exploiting Client-Side Vulnerabilities with Metasploit . . . . . . . . . . . . . 147
Penetration Testing with Metasploit’s Meterpreter . . . . . . . . . . . . . . . . 149
Automating and Scripting Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Going Further with Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Chapter 9 Managing a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Planning a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Types of Penetration Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Scope of a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Locations of the Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . 158
Organization of the Penetration Testing Team . . . . . . . . . . . . . . 158
Methodologies and Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Phases of the Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Testing Plan for a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . 161
Structuring a Penetration Testing Agreement . . . . . . . . . . . . . . . . . . . . . 161
Statement of Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Get-Out-of-Jail-Free Letter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Execution of a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Kickoff Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Access During the Penetration Test . . . . . . . . . . . . . . . . . . . . . . . 163
Managing Expectations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Managing Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Steady Is Fast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
External and Internal Coordination . . . . . . . . . . . . . . . . . . . . . . . 164
Information Sharing During a Penetration Test . . . . . . . . . . . . . . . . . . 164
Dradis Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Reporting the Results of a Penetration Test . . . . . . . . . . . . . . . . . . . . . . 168
Format of the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Out Brief of the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Part III Exploiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Chapter 10 Programming Survival Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
C Programming Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Basic C Language Constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Sample Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Compiling with gcc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Computer Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Random Access Memory (RAM) . . . . . . . . . . . . . . . . . . . . . . . . . 180
Endian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Segmentation of Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Programs in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Strings in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Pointers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Putting the Pieces of Memory Together . . . . . . . . . . . . . . . . . . . . 183
Intel Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Assembly Language Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Machine vs. Assembly vs. C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
AT&T vs. NASM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Addressing Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Assembly File Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Assembling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Debugging with gdb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
gdb Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Disassembly with gdb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Python Survival Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Getting Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Hello World in Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Python Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Files with Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Sockets with Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Chapter 11 Basic Linux Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Stack Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Function Calling Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Overflow of meet.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Ramifications of Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . 208
Local Buffer Overflow Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Components of the Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Exploiting Stack Overflows from the Command Line . . . . . . . . 211
Exploiting Stack Overflows with Generic Exploit Code . . . . . . . 213
Exploiting Small Buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Exploit Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Control eip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Determine the Offset(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition
Determine the Attack Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Build the Exploit Sandwich . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Test the Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Chapter 12 Advanced Linux Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Format String Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
The Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Reading from Arbitrary Memory . . . . . . . . . . . . . . . . . . . . . . . . . 229
Writing to Arbitrary Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Taking .dtors to root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Memory Protection Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Compiler Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Kernel Patches and Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Return to libc Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Chapter 13 Shellcode Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
User Space Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
System Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Basic Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Port Binding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Reverse Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Find Socket Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Command Execution Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
File Transfer Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Multistage Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
System Call Proxy Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Process Injection Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Other Shellcode Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Shellcode Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Self-Corrupting Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Disassembling Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Kernel Space Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Kernel Space Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Chapter 14 Writing Linux Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Basic Linux Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
System Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
System Calls by C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
System Calls by Assembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Exit System Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
setreuid System Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Shell-Spawning Shellcode with execve . . . . . . . . . . . . . . . . . . . . 272
Implementing Port-Binding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . 276
Linux Socket Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Assembly Program to Establish a Socket . . . . . . . . . . . . . . . . . . . 279
Test the Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Implementing Reverse Connecting Shellcode . . . . . . . . . . . . . . . . . . . . 284
Reverse Connecting C Program . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Reverse Connecting Assembly Program . . . . . . . . . . . . . . . . . . . . 285
Encoding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Simple XOR Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Structure of Encoded Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . 288
JMP/CALL XOR Decoder Example . . . . . . . . . . . . . . . . . . . . . . . . 288
FNSTENV XOR Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Putting the Code Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Automating Shellcode Generation with Metasploit . . . . . . . . . . . . . . . 294
Generating Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . . 294
Encoding Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . . . 295
Chapter 15 Windows Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Compiling and Debugging Windows Programs . . . . . . . . . . . . . . . . . . 297
Compiling on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Debugging on Windows with OllyDbg . . . . . . . . . . . . . . . . . . . . 299
Writing Windows Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Exploit Development Process Review . . . . . . . . . . . . . . . . . . . . . 305
ProSSHD Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Control eip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Determine the Offset(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Determine the Attack Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Build the Exploit Sandwich . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Debug the Exploit if Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Understanding Structured Exception Handling (SEH) . . . . . . . . . . . . . 316
Implementation of SEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Understanding Windows Memory Protections (XP SP3, Vista, 7, and Server 2008) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Stack-Based Buffer Overrun Detection (/GS) . . . . . . . . . . . . . . . 318
Safe Structured Exception Handling (SafeSEH) . . . . . . . . . . . . . 320
SEH Overwrite Protection (SEHOP) . . . . . . . . . . . . . . . . . . . . . . 320
Heap Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Data Execution Prevention (DEP) . . . . . . . . . . . . . . . . . . . . . . . . 321
Address Space Layout Randomization (ASLR) . . . . . . . . . . . . . . 321
Bypassing Windows Memory Protections . . . . . . . . . . . . . . . . . . . . . . . 322
Bypassing /GS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Bypassing SafeSEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Bypassing ASLR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Bypassing DEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Bypassing SEHOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Summary of Memory Bypass Methods . . . . . . . . . . . . . . . . . . . . 338
Chapter 16 Understanding and Detecting Content-Type Attacks . . . . . . . . . . . 341
How Do Content-Type Attacks Work? . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Which File Formats Are Being Exploited Today? . . . . . . . . . . . . . . . . . . 343
Intro to the PDF File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Analyzing a Malicious PDF Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Implementing Safeguards in Your Analysis Environment . . . . . 350
Tools to Detect Malicious PDF Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
PDFiD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
pdf-parser.py . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Tools to Test Your Protections Against Content-Type Attacks . . . . . . . . 358
How to Protect Your Environment from Content-Type Attacks . . . . . . 359
Apply All Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Disable JavaScript in Adobe Reader . . . . . . . . . . . . . . . . . . . . . . . 359
Enable DEP for Microsoft Office Application and Adobe Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Chapter 17 Web Application Security Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 361
Overview of Top Web Application Security Vulnerabilities . . . . . . . . . 361
Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Cross-Site Scripting Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . 362
The Rest of the OWASP Top Ten . . . . . . . . . . . . . . . . . . . . . . . . . . 362
SQL Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
SQL Databases and Statements . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Testing Web Applications to Find SQL Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Cross-Site Scripting Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Explaining “Scripting” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Explaining Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Chapter 18 VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
What Is VoIP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Protocols Used by VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Megaco H.248 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
H.323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
TLS and DTLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
SRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
ZRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Types of VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
SIP Password Cracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Eavesdropping/Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
How to Protect Against VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Chapter 19 SCADA Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
What Is SCADA? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Which Protocols Does SCADA Use? . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
OPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
ICCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Modbus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
DNP3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
SCADA Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
SCADA Fuzzing with Autodafé . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
SCADA Fuzzing with TFTP Daemon Fuzzer . . . . . . . . . . . . . . . . 405
Stuxnet Malware (The New Wave in Cyberterrorism) . . . . . . . . . . . . . . 408
How to Protect Against SCADA Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 408
Part IV Vulnerability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Chapter 20 Passive Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Ethical Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Why Bother with Reverse Engineering? . . . . . . . . . . . . . . . . . . . . . . . . . 414
Reverse Engineering Considerations . . . . . . . . . . . . . . . . . . . . . . 415
Source Code Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Source Code Auditing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
The Utility of Source Code Auditing Tools . . . . . . . . . . . . . . . . . 418
Manual Source Code Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Automated Source Code Analysis . . . . . . . . . . . . . . . . . . . . . . . . 425
Binary Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Manual Auditing of Binary Code . . . . . . . . . . . . . . . . . . . . . . . . . 427
Automated Binary Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . 441
Chapter 21 Advanced Static Analysis with IDA Pro . . . . . . . . . . . . . . . . . . . . . . 445
Static Analysis Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Stripped Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Statically Linked Programs and FLAIR . . . . . . . . . . . . . . . . . . . . . 448
Data Structure Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Quirks of Compiled C++ Code . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Extending IDA Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Scripting with IDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
IDA Pro Plug-In Modules and the IDA Pro SDK . . . . . . . . . . . . . 464
Building IDA Pro Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
IDA Pro Loaders and Processor Modules . . . . . . . . . . . . . . . . . . 468
Chapter 22 Advanced Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Why Try to Break Software? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Overview of the Software Development Process . . . . . . . . . . . . . . . . . . 472
Instrumentation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Code Coverage Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Profiling Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Flow Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Memory Use Monitoring Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Instrumented Fuzzing Tools and Techniques . . . . . . . . . . . . . . . . . . . . 484
A Simple URL Fuzzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Fuzzing Unknown Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
SPIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
SPIKE Static Content Primitives . . . . . . . . . . . . . . . . . . . . . . . . . . 489
SPIKE Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Sharefuzz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Chapter 23 Client-Side Browser Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Why Client-Side Vulnerabilities Are Interesting . . . . . . . . . . . . . . . . . . 495
Client-Side Vulnerabilities Bypass Firewall Protections . . . . . . . 495
Client-Side Applications Are Often Running with Administrative Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Client-Side Vulnerabilities Can Easily Target Specific People or Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Internet Explorer Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Internet Explorer Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . 498
History of Client-Side Exploits and Latest Trends . . . . . . . . . . . . . . . . . 499
Client-Side Vulnerabilities Rise to Prominence . . . . . . . . . . . . . 499
Notable Vulnerabilities in the History of Client-Side Attacks . . 500
Finding New Browser-Based Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 506
mangleme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Mozilla Security Team Fuzzers . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
AxEnum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
AxFuzz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
AxMan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Heap Spray to Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
InternetExploiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Protecting Yourself from Client-Side Exploits . . . . . . . . . . . . . . . . . . . . 522
Keep Up-to-Date on Security Patches . . . . . . . . . . . . . . . . . . . . . 522
Stay Informed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Run Internet-Facing Applications with Reduced Privileges . . . . 522
Chapter 24 Exploiting the Windows Access Control Model . . . . . . . . . . . . . . . 525
Why Access Control Is Interesting to a Hacker . . . . . . . . . . . . . . . . . . . 525
Most People Don’t Understand Access Control . . . . . . . . . . . . . 525
Vulnerabilities You Find Are Easy to Exploit . . . . . . . . . . . . . . . . 526
You’ll Find Tons of Security Vulnerabilities . . . . . . . . . . . . . . . . . 526
How Windows Access Control Works . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Security Identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Access Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Security Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
The Access Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Tools for Analyzing Access Control Configurations . . . . . . . . . . . . . . . 538
Dumping the Process Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Dumping the Security Descriptor . . . . . . . . . . . . . . . . . . . . . . . . 541
Special SIDs, Special Access, and “Access Denied” . . . . . . . . . . . . . . . . 543
Special SIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Special Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Investigating “Access Denied” . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Analyzing Access Control for Elevation of Privilege . . . . . . . . . . . . . . . 553
Attack Patterns for Each Interesting Object Type . . . . . . . . . . . . . . . . . . 554
Attacking Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Attacking Weak DACLs in the Windows Registry . . . . . . . . . . . . 560
Attacking Weak Directory DACLs . . . . . . . . . . . . . . . . . . . . . . . . . 564
Attacking Weak File DACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
What Other Object Types Are Out There? . . . . . . . . . . . . . . . . . . . . . . . 573
Enumerating Shared Memory Sections . . . . . . . . . . . . . . . . . . . . 573
Enumerating Named Pipes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Enumerating Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, Devices) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 576
Chapter 25 Intelligent Fuzzing with Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Protocol Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Sulley Fuzzing Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Installing Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Powerful Fuzzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Monitoring the Process for Faults . . . . . . . . . . . . . . . . . . . . . . . . 588
Monitoring the Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Controlling VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
Postmortem Analysis of Crashes . . . . . . . . . . . . . . . . . . . . . . . . . 592
Analysis of Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Exploring Further . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Chapter 26 From Vulnerability to Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Exploitability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Debugging for Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Initial Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Understanding the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Preconditions and Postconditions . . . . . . . . . . . . . . . . . . . . . . . . 602
Repeatability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Payload Construction Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Payload Protocol Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Buffer Orientation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Self-Destructive Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Documenting the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Background Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Circumstances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Research Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Chapter 27 Closing the Holes: Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Mitigation Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Port Knocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Source Code Patching Considerations . . . . . . . . . . . . . . . . . . . . . 620
Binary Patching Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Binary Mutation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Third-Party Patching Initiatives . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Part V Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
Chapter 28 Collecting Malware and Initial Analysis . . . . . . . . . . . . . . . . . . . . . . 635
Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Types of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Malware Defensive Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Latest Trends in Honeynet Technology . . . . . . . . . . . . . . . . . . . . . . . . . 637
Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Honeynets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Why Honeypots Are Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Limitations of Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Low-Interaction Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
High-Interaction Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Types of Honeynets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Thwarting VMware Detection Technologies . . . . . . . . . . . . . . . . 642
Catching Malware: Setting the Trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
VMware Host Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
VMware Guest Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Using Nepenthes to Catch a Fly . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Initial Analysis of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Live Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Norman SandBox Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Chapter 29 Hacking Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Trends in Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Embedded Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Use of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
User Space Hiding Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Use of Rootkit Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Persistence Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
De-obfuscating Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Packer Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Unpacking Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Reverse-Engineering Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Malware Setup Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Malware Operation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Automated Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
PREFACE
This book has been developed by and for security professionals who are dedicated to
working in an ethical and responsible manner to improve the overall security posture
of individuals, corporations, and nations.