Hacking ebook gray hat hacking, second edition


Praise for Gray Hat Hacking: The Ethical Hacker’s Handbook, Second Edition
“Gray Hat Hacking, Second Edition takes a very practical and applied approach to learning
how to attack computer systems. The authors are past Black Hat speakers, trainers, and
DEF CON CtF winners who know what they are talking about.”
—Jeff Moss
Founder and Director of Black Hat
“The second edition of Gray Hat Hacking moves well beyond current ‘intro to hacking’
books and presents a well thought-out technical analysis of ethical hacking. Although
the book is written so that even the uninitiated can follow it well, it really succeeds by
treating every topic in depth; offering insights and several realistic examples to reinforce
each concept. The tools and vulnerability classes discussed are very current and can be
used to template assessments of operational networks.”
—Ronald C. Dodge Jr., Ph.D.
Associate Dean, Information and Education Technology, United States Military Academy
“An excellent introduction to the world of vulnerability discovery and exploits. The
tools and techniques covered provide a solid foundation for aspiring information security researchers, and the coverage of popular tools such as the Metasploit Framework
gives readers the information they need to effectively use these free tools.”
—Tony Bradley
CISSP, Microsoft MVP, About.com Guide for Internet/Network Security,

“Gray Hat Hacking, Second Edition provides broad coverage of what attacking systems is
all about. Written by experts who have made a complicated problem understandable by
even the novice, Gray Hat Hacking, Second Edition is a fantastic book for anyone looking
to learn the tools and techniques needed to break in and stay in.”
—Bruce Potter
Founder, The Shmoo Group
“As a security professional and lecturer, I get asked a lot about where to start in the security business, and I point them to Gray Hat Hacking. Even for seasoned professionals
who are well versed in one area, such as pen testing, but who are interested in another,
like reverse engineering, I still point them to this book. The fact that a second edition is
coming out is even better, as it is still very up to date. Very highly recommended.”
—Simple Nomad
Hacker


ABOUT THE AUTHORS
Shon Harris, MCSE, CISSP, is the president of Logical Security, an educator and security
consultant. She is a former engineer of the U.S. Air Force Information Warfare unit and
has published several books and articles on different disciplines within information
security. Shon was also recognized as one of the top 25 women in information security
by Information Security Magazine.
Allen Harper, CISSP, is the president and owner of n2netSecurity, Inc. in North
Carolina. He retired from the Marine Corps after 20 years. Additionally, he has served as
a security analyst for the U.S. Department of the Treasury, Internal Revenue Service,
Computer Security Incident Response Center (IRS CSIRC). He speaks and teaches at
conferences such as Black Hat.
Chris Eagle is the associate chairman of the Computer Science Department at the Naval
Postgraduate School (NPS) in Monterey, California. A computer engineer/scientist for
22 years, his research interests include computer network attack and defense, computer
forensics, and reverse/anti-reverse engineering. He can often be found teaching at Black
Hat or playing capture the flag at Defcon.
Jonathan Ness, CHFI, is a lead software security engineer at Microsoft. He and his
coworkers ensure that Microsoft’s security updates comprehensively address reported
vulnerabilities. He also leads the technical response of Microsoft’s incident response
process that is engaged to address publicly disclosed vulnerabilities and exploits targeting Microsoft software. He serves one weekend each month as a security engineer in a
reserve military unit.
Disclaimer: The views expressed in this book are those of the author and not of the U.S. government or the Microsoft Corporation.

About the Technical Editor
Michael Baucom is a software engineer working primarily in the embedded software
area. The majority of the last ten years he has been writing system software and tools for
networking equipment; however, his recent interests are with information security and
more specifically securing software. He co-taught Exploiting 101 at Black Hat in 2006.
For fun, he has enjoyed participating in capture the flag at Defcon for the last two years.


Gray Hat Hacking
The Ethical Hacker’s Handbook
Second Edition

Shon Harris, Allen Harper, Chris Eagle,
and Jonathan Ness

New York • Chicago • San Francisco • Lisbon
London • Madrid • Mexico City • Milan • New Delhi
San Juan • Seoul • Singapore • Sydney • Toronto


Copyright © 2008 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as
permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form
or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
0-07-159553-8
The material in this eBook also appears in the print version of this title: 0-07-149568-1.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a
trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of
infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate
training programs. For more information, please contact George Hoare, Special Sales, at or (212) 904-4069.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to
the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store
and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative
works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s
prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly
prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR
WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED
FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA
HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your
requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you
or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom.
McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall
McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that
result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This
limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or
otherwise.
DOI: 10.1036/0071495681



To my loving and supporting husband, David Harris,
who has continual patience with me as I take
on all of these crazy projects! —Shon Harris
To the service members forward deployed around the world.
Thank you for your sacrifice. —Allen Harper
To my wife, Kristen, for all of the support she has given me
through this and my many other endeavors! —Chris Eagle
To Jessica, the most amazing and beautiful person
I know. —Jonathan Ness



CONTENTS AT A GLANCE

Part I Introduction to Ethical Disclosure . . . . . 1
Chapter 1 Ethics of Ethical Hacking . . . . . 3
Chapter 2 Ethical Hacking and the Legal System . . . . . 17
Chapter 3 Proper and Ethical Disclosure . . . . . 41

Part II Penetration Testing and Tools . . . . . 73
Chapter 4 Using Metasploit . . . . . 75
Chapter 5 Using the BackTrack LiveCD Linux Distribution . . . . . 101

Part III Exploits 101 . . . . . 119
Chapter 6 Programming Survival Skills . . . . . 121
Chapter 7 Basic Linux Exploits . . . . . 147
Chapter 8 Advanced Linux Exploits . . . . . 169
Chapter 9 Shellcode Strategies . . . . . 195
Chapter 10 Writing Linux Shellcode . . . . . 211
Chapter 11 Basic Windows Exploits . . . . . 243

Part IV Vulnerability Analysis . . . . . 275
Chapter 12 Passive Analysis . . . . . 277
Chapter 13 Advanced Static Analysis with IDA Pro . . . . . 309
Chapter 14 Advanced Reverse Engineering . . . . . 335
Chapter 15 Client-Side Browser Exploits . . . . . 359
Chapter 16 Exploiting Windows Access Control Model for Local Elevation of Privilege . . . . . 387
Chapter 17 Intelligent Fuzzing with Sulley . . . . . 441
Chapter 18 From Vulnerability to Exploit . . . . . 459
Chapter 19 Closing the Holes: Mitigation . . . . . 481



Gray Hat Hacking: The Ethical Hacker’s Handbook

Part V Malware Analysis . . . . . 497
Chapter 20 Collecting Malware and Initial Analysis . . . . . 499
Chapter 21 Hacking Malware . . . . . 521

Index . . . . . 537

CONTENTS

Preface . . . . . xix
Acknowledgments . . . . . xxi
Introduction . . . . . xxiii

Part I Introduction to Ethical Disclosure . . . . . 1

Chapter 1 Ethics of Ethical Hacking . . . . . 3
How Does This Stuff Relate to an Ethical Hacking Book? . . . . . 10
The Controversy of Hacking Books and Classes . . . . . 11
The Dual Nature of Tools . . . . . 12
Recognizing Trouble When It Happens . . . . . 13
Emulating the Attack . . . . . 14
Security Does Not Like Complexity . . . . . 15

Chapter 2 Ethical Hacking and the Legal System . . . . . 17
Addressing Individual Laws . . . . . 19
18 USC Section 1029: The Access Device Statute . . . . . 19
18 USC Section 1030 of The Computer Fraud and Abuse Act . . . . . 23
State Law Alternatives . . . . . 30
18 USC Sections 2510, et. Seq. and 2701 . . . . . 32
Digital Millennium Copyright Act (DMCA) . . . . . 36
Cyber Security Enhancement Act of 2002 . . . . . 39

Chapter 3 Proper and Ethical Disclosure . . . . . 41
You Were Vulnerable for How Long? . . . . . 45
Different Teams and Points of View . . . . . 47
How Did We Get Here? . . . . . 49
CERT’s Current Process . . . . . 50
Full Disclosure Policy (RainForest Puppy Policy) . . . . . 52
Organization for Internet Safety (OIS) . . . . . 54
Discovery . . . . . 55
Notification . . . . . 55
Validation . . . . . 57
Resolution . . . . . 60
Release . . . . . 62
Conflicts Will Still Exist . . . . . 62
Case Studies . . . . . 62
Pros and Cons of Proper Disclosure Processes . . . . . 63
iDefense . . . . . 67
Zero Day Initiative . . . . . 68
Vendors Paying More Attention . . . . . 69
So What Should We Do from Here on Out? . . . . . 70

Part II Penetration Testing and Tools . . . . . 73

Chapter 4 Using Metasploit . . . . . 75
Metasploit: The Big Picture . . . . . 75
Getting Metasploit . . . . . 75
Using the Metasploit Console to Launch Exploits . . . . . 76
Exploiting Client-Side Vulnerabilities with Metasploit . . . . . 83
Using the Meterpreter . . . . . 87
Using Metasploit as a Man-in-the-Middle Password Stealer . . . . . 91
Weakness in the NTLM Protocol . . . . . 92
Configuring Metasploit as a Malicious SMB Server . . . . . 92
Brute-Force Password Retrieval with the LM Hashes + Challenge . . . . . 94
Building Your Own Rainbow Tables . . . . . 96
Downloading Rainbow Tables . . . . . 97
Purchasing Rainbow Tables . . . . . 97
Cracking Hashes with Rainbow Tables . . . . . 97
Using Metasploit to Auto-Attack . . . . . 98
Inside Metasploit Modules . . . . . 98

Chapter 5 Using the BackTrack LiveCD Linux Distribution . . . . . 101
BackTrack: The Big Picture . . . . . 101
Creating the BackTrack CD . . . . . 102
Booting BackTrack . . . . . 103
Exploring the BackTrack X-Windows Environment . . . . . 104
Writing BackTrack to Your USB Memory Stick . . . . . 105
Saving Your BackTrack Configurations . . . . . 105
Creating a Directory-Based or File-Based Module with dir2lzm . . . . . 106
Creating a Module from a SLAX Prebuilt Module with mo2lzm . . . . . 106
Creating a Module from an Entire Session of Changes Using dir2lzm . . . . . 108
Automating the Change Preservation from One Session to the Next . . . . . 109

Creating a New Base Module with All the Desired Directory Contents . . . . . 110
Cheat Codes and Selectively Loading Modules . . . . . 112
Metasploit db_autopwn . . . . . 114
Tools . . . . . 118

Part III Exploits 101 . . . . . 119

Chapter 6 Programming Survival Skills . . . . . 121
C Programming Language . . . . . 121
Basic C Language Constructs . . . . . 122
Sample Program . . . . . 126
Compiling with gcc . . . . . 127
Computer Memory . . . . . 128
Random Access Memory (RAM) . . . . . 128
Endian . . . . . 128
Segmentation of Memory . . . . . 129
Programs in Memory . . . . . 129
Buffers . . . . . 130
Strings in Memory . . . . . 130
Pointers . . . . . 130
Putting the Pieces of Memory Together . . . . . 131
Intel Processors . . . . . 132
Registers . . . . . 132
Assembly Language Basics . . . . . 133
Machine vs. Assembly vs. C . . . . . 133
AT&T vs. NASM . . . . . 133
Addressing Modes . . . . . 135
Assembly File Structure . . . . . 136
Assembling . . . . . 137
Debugging with gdb . . . . . 137
gdb Basics . . . . . 137
Disassembly with gdb . . . . . 139
Python Survival Skills . . . . . 139
Getting Python . . . . . 140
Hello World in Python . . . . . 140
Python Objects . . . . . 140
Strings . . . . . 141
Numbers . . . . . 142
Lists . . . . . 143
Dictionaries . . . . . 144
Files with Python . . . . . 144
Sockets with Python . . . . . 146

Chapter 7 Basic Linux Exploits . . . . . 147
Stack Operations . . . . . 148
Function Calling Procedure . . . . . 148
Buffer Overflows . . . . . 149
Overflow of meet.c . . . . . 150
Ramifications of Buffer Overflows . . . . . 153
Local Buffer Overflow Exploits . . . . . 154
Components of the Exploit . . . . . 155
Exploiting Stack Overflows by Command Line . . . . . 157
Exploiting Stack Overflows with Generic Exploit Code . . . . . 158
Exploiting Small Buffers . . . . . 160
Exploit Development Process . . . . . 162
Real-World Example . . . . . 163
Determine the Offset(s) . . . . . 163
Determine the Attack Vector . . . . . 166
Build the Exploit Sandwich . . . . . 167
Test the Exploit . . . . . 168

Chapter 8 Advanced Linux Exploits . . . . . 169
Format String Exploits . . . . . 169
The Problem . . . . . 170
Reading from Arbitrary Memory . . . . . 173
Writing to Arbitrary Memory . . . . . 175
Taking .dtors to root . . . . . 177
Heap Overflow Exploits . . . . . 180
Example Heap Overflow . . . . . 181
Implications . . . . . 182
Memory Protection Schemes . . . . . 182
Compiler Improvements . . . . . 183
Kernel Patches and Scripts . . . . . 183
Return to libc Exploits . . . . . 185
Bottom Line . . . . . 192

Chapter 9 Shellcode Strategies . . . . . 195
User Space Shellcode . . . . . 196
System Calls . . . . . 196
Basic Shellcode . . . . . 197
Port Binding Shellcode . . . . . 197
Reverse Shellcode . . . . . 199
Find Socket Shellcode . . . . . 200
Command Execution Code . . . . . 201
File Transfer Code . . . . . 202
Multistage Shellcode . . . . . 202
System Call Proxy Shellcode . . . . . 202
Process Injection Shellcode . . . . . 203
Other Shellcode Considerations . . . . . 204
Shellcode Encoding . . . . . 204
Self-Corrupting Shellcode . . . . . 205
Disassembling Shellcode . . . . . 206
Kernel Space Shellcode . . . . . 208
Kernel Space Considerations . . . . . 208

Chapter 10 Writing Linux Shellcode . . . . . 211
Basic Linux Shellcode . . . . . 211
System Calls . . . . . 212
Exit System Call . . . . . 214
setreuid System Call . . . . . 216
Shell-Spawning Shellcode with execve . . . . . 217
Implementing Port-Binding Shellcode . . . . . 220
Linux Socket Programming . . . . . 220
Assembly Program to Establish a Socket . . . . . 223
Test the Shellcode . . . . . 226
Implementing Reverse Connecting Shellcode . . . . . 228
Reverse Connecting C Program . . . . . 228
Reverse Connecting Assembly Program . . . . . 230
Encoding Shellcode . . . . . 232
Simple XOR Encoding . . . . . 232
Structure of Encoded Shellcode . . . . . 232
JMP/CALL XOR Decoder Example . . . . . 233
FNSTENV XOR Example . . . . . 234
Putting It All Together . . . . . 236
Automating Shellcode Generation with Metasploit . . . . . 238
Generating Shellcode with Metasploit . . . . . 238
Encoding Shellcode with Metasploit . . . . . 240

Chapter 11 Basic Windows Exploits . . . . . 243
Compiling and Debugging Windows Programs . . . . . 243
Compiling on Windows . . . . . 243
Debugging on Windows with Windows Console Debuggers . . . . . 245
Debugging on Windows with OllyDbg . . . . . 254
Windows Exploits . . . . . 258
Building a Basic Windows Exploit . . . . . 258
Real-World Windows Exploit Example . . . . . 266

Part IV Vulnerability Analysis . . . . . 275

Chapter 12 Passive Analysis . . . . . 277
Ethical Reverse Engineering . . . . . 277
Why Reverse Engineering? . . . . . 278
Reverse Engineering Considerations . . . . . 279
Source Code Analysis . . . . . 279
Source Code Auditing Tools . . . . . 280
The Utility of Source Code Auditing Tools . . . . . 282
Manual Source Code Auditing . . . . . 283
Binary Analysis . . . . . 289
Manual Auditing of Binary Code . . . . . 289
Automated Binary Analysis Tools . . . . . 304

Chapter 13 Advanced Static Analysis with IDA Pro . . . . . 309
Static Analysis Challenges . . . . . 309
Stripped Binaries . . . . . 310
Statically Linked Programs and FLAIR . . . . . 312
Data Structure Analysis . . . . . 318
Quirks of Compiled C++ Code . . . . . 323
Extending IDA . . . . . 325
Scripting with IDC . . . . . 326
IDA Pro Plug-In Modules and the IDA SDK . . . . . 329
IDA Pro Loaders and Processor Modules . . . . . 332

Chapter 14 Advanced Reverse Engineering . . . . . 335
Why Try to Break Software? . . . . . 336
The Software Development Process . . . . . 336
Instrumentation Tools . . . . . 337
Debuggers . . . . . 338
Code Coverage Tools . . . . . 340
Profiling Tools . . . . . 341
Flow Analysis Tools . . . . . 342
Memory Monitoring Tools . . . . . 343
Fuzzing . . . . . 348
Instrumented Fuzzing Tools and Techniques . . . . . 349
A Simple URL Fuzzer . . . . . 349
Fuzzing Unknown Protocols . . . . . 352
SPIKE . . . . . 353
SPIKE Proxy . . . . . 357
Sharefuzz . . . . . 357

Chapter 15 Client-Side Browser Exploits . . . . . 359
Why Client-Side Vulnerabilities Are Interesting . . . . .
Client-Side Vulnerabilities Bypass Firewall Protections . . . . . . . . .
Client-Side Applications Are Often Running
with Administrative Privileges . . . . . . . . . . . . . . . . . . . . . . . . . .
Client-Side Vulnerabilities Can Easily Target Specific People
or Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

359
359
360
360

/>

Contents

xv
Internet Explorer Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Internet Explorer Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . .
History of Client-Side Exploits and Latest Trends . . . . . . . . . . . . . . . . . . .
Client-Side Vulnerabilities Rise to Prominence . . . . . . . . . . . . . . .
Notable Vulnerabilities in the History of Client-Side Attacks . . . .
Finding New Browser-Based Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . .
MangleMe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AxEnum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AxFuzz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AxMan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Heap Spray to Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
InternetExploiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Protecting Yourself from Client-Side Exploits . . . . . . . . . . . . . . . . . . . . . .
Keep Up-to-Date on Security Patches . . . . . . . . . . . . . . . . . . . . . . .
Stay Informed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Run Internet-Facing Applications with Reduced Privileges . . . . . .

361
361
362
363
363
364
369
370
372
377
378
383
384

385
385
385
385

Chapter 16 Exploiting Windows Access Control Model for
Local Elevation of Privilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

387

Why Access Control Is Interesting to a Hacker . . . . . . . . . . . . . . . . . . . . .
Most People Don’t Understand Access Control . . . . . . . . . . . . . . .
Vulnerabilities You Find Are Easy to Exploit . . . . . . . . . . . . . . . . . .
You’ll Find Tons of Security Vulnerabilities . . . . . . . . . . . . . . . . . .
How Windows Access Control Works . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Security Identifier (SID) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Access Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Security Descriptor (SD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Access Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tools for Analyzing Access Control Configurations . . . . . . . . . . . . . . . . .
Dumping the Process Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Dumping the Security Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . .
Special SIDs, Special Access, and “Access Denied” . . . . . . . . . . . . . . . . . .
Special SIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Special Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Investigating “Access Denied” . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Analyzing Access Control for Elevation of Privilege . . . . . . . . . . . . . . . . .
Attack Patterns for Each Interesting Object Type . . . . . . . . . . . . . . . . . . .
Attacking Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Attacking Weak DACLs in the Windows Registry . . . . . . . . . . . . . .

Attacking Weak Directory DACLs . . . . . . . . . . . . . . . . . . . . . . . . . . .
Attacking Weak File DACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

387
387
388
388
388
389
390
394
397
400
401
403
406
406
408
409
417
418
418
424
428
433


Gray Hat Hacking: The Ethical Hacker’s Handbook

xvi

What Other Object Types Are out There? . . . . . . . . . . . . . . . . . . . . . . . . .
Enumerating Shared Memory Sections . . . . . . . . . . . . . . . . . . . . . .
Enumerating Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enumerating Other Named Kernel Objects
(Semaphores, Mutexes, Events, Devices) . . . . . . . . . . . . . . . . . .

437
437
439
439

Chapter 17 Intelligent Fuzzing with Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

441

Protocol Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sulley Fuzzing Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Installing Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Powerful Fuzzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Monitoring the Process for Faults . . . . . . . . . . . . . . . . . . . . . . . . . .
Monitoring the Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Controlling VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Postmortem Analysis of Crashes . . . . . . . . . . . . . . . . . . . . . . . . . . .
Analysis of Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Way Ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

441

443
443
443
446
449
450
451
452
452
454
456
456

Chapter 18 From Vulnerability to Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

459

Exploitability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Debugging for Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Understanding the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Preconditions and Postconditions . . . . . . . . . . . . . . . . . . . . . . . . . .
Repeatability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Payload Construction Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Payload Protocol Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Buffer Orientation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Self-Destructive Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Documenting the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Background Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Circumstances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Research Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .


460
460
466
466
467
475
476
476
477
478
478
478
479

Chapter 19 Closing the Holes: Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

481

Mitigation Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Port Knocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Source Code Patching Considerations . . . . . . . . . . . . . . . . . . . . . .
Binary Patching Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Binary Mutation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Third-Party Patching Initiatives . . . . . . . . . . . . . . . . . . . . . . . . . . . .

481
482

482
484
484
486
490
495

/>

Contents

xvii
Part V Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

497

Chapter 20 Collecting Malware and Initial Analysis . . . . . . . . . . . . . . . . . . . . . . . .

499

Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Malware Defensive Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Latest Trends in Honeynet Technology . . . . . . . . . . . . . . . . . . . . . . . . . . .
Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Honeynets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Why Honeypots Are Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Low-Interaction Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
High-Interaction Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Types of Honeynets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Thwarting VMware Detection Technologies . . . . . . . . . . . . . . . . . .
Catching Malware: Setting the Trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VMware Host Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VMware Guest Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using Nepenthes to Catch a Fly . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Initial Analysis of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Live Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Norman Sandbox Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
What Have We Discovered? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

499
499
500
501
501
501
502
502
503
503
504
506
508
508
508
508
510
510

512
518
520

Chapter 21 Hacking Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

521

Trends in Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Embedded Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Use of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User Space Hiding Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Use of Rootkit Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Persistence Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Peeling Back the Onion—De-obfuscation . . . . . . . . . . . . . . . . . . . . . . . . .
Packer Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Unpacking Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Reverse Engineering Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Malware Setup Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Malware Operation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Automated Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

521
522
522
522
523
523
524
524

525
533
533
534
535

Index

537


PREFACE
This book has been developed by and for security professionals who are dedicated to
working in an ethical and responsible manner to improve the overall security posture of
individuals, corporations, and nations.

xix


This page intentionally left blank

/>

ACKNOWLEDGMENTS

Shon Harris would like to thank the other authors and the team members for their continued dedication to this project and continual contributions to the industry as a whole.
She would also like to thank Scott David, partner at K&L Gates LLP, for reviewing and
contributing to the legal topics of this book.
Allen Harper would like to thank his wonderful wife, Corann, and daughters, Haley
and Madison, for their support and understanding through this second edition. You
gave me the strength and the ability to achieve my goals. I am proud of you and love you
each dearly.
Chris Eagle would like to thank all of his students and fellow members of the Sk3wl
of r00t. They keep him motivated, on his toes, and most of all make all of this fun!
Jonathan Ness would like to thank Jessica, his amazing wife, for tolerating the long
hours required for him to write this book (and hold his job and his second job and third
“job” and the dozens of side projects). He would also like to thank his family, mentors,
teachers, coworkers, pastors, and friends who have guided him along his way, contributing more to his success than they’ll ever know.

xxi


This page intentionally left blank

/>

INTRODUCTION
There is nothing so likely to produce peace as to be well prepared to meet the enemy.
—George Washington
He who has a thousand friends has not a friend to spare, and he who has one enemy will
meet him everywhere.
—Ralph Waldo Emerson
Know your enemy and know yourself and you can fight a hundred battles without disaster.
—Sun Tzu
The goal of this book is to help produce more highly skilled security professionals
who are dedicated to protecting against malicious hacking activity. It has been proven
over and over again that it is important to understand one’s enemies, including their tactics, skills, tools, and motivations. Corporations and nations have enemies that are very
dedicated and talented. We must work together to understand the enemies’ processes
and procedures to ensure that we can properly thwart their destructive and malicious
behavior.
The authors of this book want to provide the readers with something we believe the
industry needs: a holistic review of ethical hacking that is responsible and truly ethical
in its intentions and material. This is why we are starting this book with a clear definition of what ethical hacking is and is not—something society is very confused about.
We have updated the material from the first edition and have attempted to deliver the
most comprehensive and up-to-date assembly of techniques and procedures. Six new
chapters are presented and the other chapters have been updated.
In Part I of this book we lay down the groundwork of the necessary ethics and expectations of a gray hat hacker. This section:
• Clears up the confusion about white, black, and gray hat definitions and
characteristics
• Reviews the slippery ethical issues that should be understood before carrying
out any type of ethical hacking activities
• Surveys legal issues surrounding hacking and many other types of malicious
activities
• Walks through proper vulnerability discovery processes and current models that
provide direction
In Part II we introduce more advanced penetration methods and tools that no other
books cover today. Many existing books cover the same old tools and methods that have