

Gray Hat Hacking, Third Edition Reviews
“Bigger, better, and more thorough, the Gray Hat Hacking series is one that I’ve enjoyed
from the start. Always right on time information, always written by experts. The Third
Edition is a must-have update for new and continuing security experts.”
—Jared D. DeMott
Principal Security Researcher, Crucial Security, Inc.
“This book is a great reference for penetration testers and researchers who want to step up
and broaden their skills in a wide range of IT security disciplines.”
—Peter Van Eeckhoutte (corelanc0d3r)
Founder, Corelan Team
“I am often asked by people how to get started in the InfoSec world, and I point people
to this book. In fact, if someone is an expert in one arena and needs a leg up in another,
I still point them to this book. This is one book that should be in every security
professional’s library—the coverage is that good.”
—Simple Nomad
Hacker
“The Third Edition of Gray Hat Hacking builds upon a well-established foundation to
bring even deeper insight into the tools and techniques in an ethical hacker’s arsenal.
From software exploitation to SCADA attacks, this book covers it all. Gray Hat Hacking
is without doubt the definitive guide to the art of computer security published in this
decade.”
—Alexander Sotirov
Security Rockstar and Founder of the Pwnie Awards
“Gray Hat Hacking is an excellent ‘Hack-by-example’ book. It should be read by anyone
who wants to master security topics, from physical intrusions to Windows memory
protections.”
—Dr. Martin Vuagnoux
Cryptographer/Computer security expert
“Gray Hat Hacking is a must-read if you’re serious about INFOSEC. It provides a much-needed
map of the hacker’s digital landscape. If you’re curious about hacking or are
pursuing a career in INFOSEC, this is the place to start.”
—Johnny Long
Professional Hacker, Founder of Hackers for Charity.org



Gray Hat Hacking
The Ethical Hacker’s Handbook
Third Edition

Allen Harper, Shon Harris, Jonathan Ness,
Chris Eagle, Gideon Lenkey, and Terron Williams

New York • Chicago • San Francisco • Lisbon
London • Madrid • Mexico City • Milan • New Delhi
San Juan • Seoul • Singapore • Sydney • Toronto


Copyright © 2011 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of
1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher.
ISBN: 978-0-07-174256-6
MHID: 0-07-174256-5
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174255-9,
MHID: 0-07-174255-7.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the
trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. To contact a representative please e-mail us at
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of
any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the
work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve
one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon,
transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use
the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may
be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not
warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or
error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of
cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed
through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the
possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises
in contract, tort or otherwise.



To my brothers and sisters in Christ, keep running the race. Let your light shine for Him,
that others may be drawn to Him through you. —Allen Harper

To my loving and supporting husband, David Harris, who has continual
patience with me as I take on all of these crazy projects! —Shon Harris

To Jessica, the most amazing and beautiful person I know. —Jonathan Ness

For my train-loving son Aaron, you bring us constant joy! —Chris Eagle

To Vincent Freeman, although I did not know you long, life has blessed us
with a few minutes to talk and laugh together. —Terron Williams


ABOUT THE AUTHORS

Allen Harper, CISSP, PCI QSA, is the president and owner of N2NetSecurity, Inc. in North Carolina. He retired from the Marine Corps after 20 years and a tour in Iraq. Additionally, he has served as a security analyst for the U.S. Department of the Treasury, Internal Revenue Service, and Computer Security Incident Response Center (IRS CSIRC). He regularly speaks and teaches at conferences such as Black Hat and Techno.

Shon Harris, CISSP, is the president of Logical Security, an author, educator, and security consultant. She is a former engineer of the U.S. Air Force Information Warfare unit and has published several books and articles on different disciplines within information security. Shon was also recognized as one of the top 25 women in information security by Information Security Magazine.

Jonathan Ness, CHFI, is a lead software security engineer in Microsoft’s Security Response Center (MSRC). He and his coworkers ensure that Microsoft’s security updates comprehensively address reported vulnerabilities. He also leads the technical response of Microsoft’s incident response process that is engaged to address publicly disclosed vulnerabilities and exploits targeting Microsoft software. He serves one weekend each month as a security engineer in a reserve military unit.

Chris Eagle is a senior lecturer in the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, California. A computer engineer/scientist for 25 years, his research interests include computer network attack and defense, computer forensics, and reverse/anti-reverse engineering. He can often be found teaching at Black Hat or spending late nights working on capture the flag at Defcon.

Gideon Lenkey, CISSP, is the president and co-founder of Ra Security Systems, Inc., a New Jersey–based managed services company, where he specializes in testing the information security posture of enterprise IT infrastructures. He has provided advanced training to the FBI and served as the president of the FBI’s InfraGard program in New Jersey. He has been recognized on multiple occasions by FBI director Robert Muller for his contributions and is frequently consulted by both foreign and domestic government agencies. Gideon is a regular contributor to the Internet Evolution website and a participant in the EastWest Institute’s Cybersecurity initiative.

Terron Williams, NSA IAM-IEM, CEH, CSSLP, works for Elster Electricity as a Senior Test Engineer, with a primary focus on smart grid security. He formerly worked at Nortel as a Security Test Engineer and VoIP System Integration Engineer. Terron has served on the editorial board for Hakin9 IT Security Magazine and has authored articles for it. His interests are in VoIP, exploit research, SCADA security, and emerging smart grid technologies.

Disclaimer: The views expressed in this book are those of the authors and not of the
U.S. government or the Microsoft Corporation.


About the Technical Editor
Michael Baucom is the Vice President of Research and Development at N2NetSecurity,
Inc., in North Carolina. He has been a software engineer for 15 years and has worked
on a wide variety of software, from router forwarding code in assembly to Windows
applications and services. In addition to writing software, he has worked as a security
consultant performing training, source code audits, and penetration tests.


CONTENTS AT A GLANCE

Part I  Introduction to Ethical Disclosure .......... 1
Chapter 1  Ethics of Ethical Hacking .......... 3
Chapter 2  Ethical Hacking and the Legal System .......... 23
Chapter 3  Proper and Ethical Disclosure .......... 47

Part II  Penetration Testing and Tools .......... 75
Chapter 4  Social Engineering Attacks .......... 77
Chapter 5  Physical Penetration Attacks .......... 93
Chapter 6  Insider Attacks .......... 109
Chapter 7  Using the BackTrack Linux Distribution .......... 125
Chapter 8  Using Metasploit .......... 141
Chapter 9  Managing a Penetration Test .......... 157

Part III  Exploiting .......... 171
Chapter 10  Programming Survival Skills .......... 173
Chapter 11  Basic Linux Exploits .......... 201
Chapter 12  Advanced Linux Exploits .......... 225
Chapter 13  Shellcode Strategies .......... 251
Chapter 14  Writing Linux Shellcode .......... 267
Chapter 15  Windows Exploits .......... 297
Chapter 16  Understanding and Detecting Content-Type Attacks .......... 341
Chapter 17  Web Application Security Vulnerabilities .......... 361
Chapter 18  VoIP Attacks .......... 379
Chapter 19  SCADA Attacks .......... 395

Part IV  Vulnerability Analysis .......... 411
Chapter 20  Passive Analysis .......... 413
Chapter 21  Advanced Static Analysis with IDA Pro .......... 445
Chapter 22  Advanced Reverse Engineering .......... 471
Chapter 23  Client-Side Browser Exploits .......... 495
Chapter 24  Exploiting the Windows Access Control Model .......... 525
Chapter 25  Intelligent Fuzzing with Sulley .......... 579
Chapter 26  From Vulnerability to Exploit .......... 595
Chapter 27  Closing the Holes: Mitigation .......... 617

Part V  Malware Analysis .......... 633
Chapter 28  Collecting Malware and Initial Analysis .......... 635
Chapter 29  Hacking Malware .......... 657

Index .......... 673

CONTENTS

Preface .......... xxiii
Acknowledgments .......... xxv
Introduction .......... xxvii

Part I  Introduction to Ethical Disclosure .......... 1

Chapter 1  Ethics of Ethical Hacking .......... 3
Why You Need to Understand Your Enemy’s Tactics .......... 3
Recognizing the Gray Areas in Security .......... 8
How Does This Stuff Relate to an Ethical Hacking Book? .......... 10
Vulnerability Assessment .......... 10
Penetration Testing .......... 11
The Controversy of Hacking Books and Classes .......... 15
The Dual Nature of Tools .......... 16
Recognizing Trouble When It Happens .......... 18
Emulating the Attack .......... 19
Where Do Attackers Have Most of Their Fun? .......... 19
Security Does Not Like Complexity .......... 20

Chapter 2  Ethical Hacking and the Legal System .......... 23
The Rise of Cyberlaw .......... 23
Understanding Individual Cyberlaws .......... 25
18 USC Section 1029: The Access Device Statute .......... 25
18 USC Section 1030 of the Computer Fraud and Abuse Act .......... 29
18 USC Sections 2510, et. Seq., and 2701, et. Seq., of the Electronic Communication Privacy Act .......... 38
Digital Millennium Copyright Act (DMCA) .......... 42
Cyber Security Enhancement Act of 2002 .......... 45
Securely Protect Yourself Against Cyber Trespass Act (SPY Act) .......... 46

Chapter 3  Proper and Ethical Disclosure .......... 47
Different Teams and Points of View .......... 48
How Did We Get Here? .......... 49
CERT’s Current Process .......... 50
Full Disclosure Policy—the RainForest Puppy Policy .......... 52
Organization for Internet Safety (OIS) .......... 54
Discovery .......... 54
Notification .......... 55
Validation .......... 57
Resolution .......... 59
Release .......... 61
Conflicts Will Still Exist .......... 62
“No More Free Bugs” .......... 63
Case Studies .......... 67
Pros and Cons of Proper Disclosure Processes .......... 67
Vendors Paying More Attention .......... 71
So What Should We Do from Here on Out? .......... 72
iDefense and ZDI .......... 72

Part II  Penetration Testing and Tools .......... 75

Chapter 4  Social Engineering Attacks .......... 77
How a Social Engineering Attack Works .......... 77
Conducting a Social Engineering Attack .......... 79
Common Attacks Used in Penetration Testing .......... 81
The Good Samaritan .......... 81
The Meeting .......... 86
Join the Company .......... 88
Preparing Yourself for Face-to-Face Attacks .......... 89
Defending Against Social Engineering Attacks .......... 91

Chapter 5  Physical Penetration Attacks .......... 93
Why a Physical Penetration Is Important .......... 94
Conducting a Physical Penetration .......... 94
Reconnaissance .......... 95
Mental Preparation .......... 97
Common Ways into a Building .......... 97
The Smokers’ Door .......... 98
Manned Checkpoints .......... 99
Locked Doors .......... 102
Physically Defeating Locks .......... 103
Once You Are Inside .......... 107
Defending Against Physical Penetrations .......... 108

Chapter 6  Insider Attacks .......... 109
Why Simulating an Insider Attack Is Important .......... 109
Conducting an Insider Attack .......... 110
Tools and Preparation .......... 110
Orientation .......... 111
Gaining Local Administrator Privileges .......... 111
Disabling Antivirus .......... 115
Raising Cain .......... 116
Defending Against Insider Attacks .......... 123

Chapter 7  Using the BackTrack Linux Distribution .......... 125
BackTrack: The Big Picture .......... 125
Installing BackTrack to DVD or USB Thumb Drive .......... 126
Using the BackTrack ISO Directly Within a Virtual Machine .......... 128
Creating a BackTrack Virtual Machine with VirtualBox .......... 128
Booting the BackTrack LiveDVD System .......... 129
Exploring the BackTrack X Windows Environment .......... 130
Starting Network Services .......... 130
Persisting Changes to Your BackTrack Installation .......... 131
Installing Full BackTrack to Hard Drive or USB Thumb Drive .......... 131
Creating a New ISO with Your One-time Changes .......... 134
Using a Custom File that Automatically Saves and Restores Changes .......... 135
Exploring the BackTrack Boot Menu .......... 137
Updating BackTrack .......... 139

Chapter 8  Using Metasploit .......... 141
Metasploit: The Big Picture .......... 141
Getting Metasploit .......... 141
Using the Metasploit Console to Launch Exploits .......... 142
Exploiting Client-Side Vulnerabilities with Metasploit .......... 147
Penetration Testing with Metasploit’s Meterpreter .......... 149
Automating and Scripting Metasploit .......... 155
Going Further with Metasploit .......... 156

Chapter 9  Managing a Penetration Test .......... 157
Planning a Penetration Test .......... 157
Types of Penetration Tests .......... 157
Scope of a Penetration Test .......... 158
Locations of the Penetration Test .......... 158
Organization of the Penetration Testing Team .......... 158
Methodologies and Standards .......... 159
Phases of the Penetration Test .......... 159
Testing Plan for a Penetration Test .......... 161
Structuring a Penetration Testing Agreement .......... 161
Statement of Work .......... 161
Get-Out-of-Jail-Free Letter .......... 162
Execution of a Penetration Test .......... 162
Kickoff Meeting .......... 162
Access During the Penetration Test .......... 163
Managing Expectations .......... 163
Managing Problems .......... 163
Steady Is Fast .......... 164
External and Internal Coordination .......... 164
Information Sharing During a Penetration Test .......... 164
Dradis Server .......... 164
Reporting the Results of a Penetration Test .......... 168
Format of the Report .......... 169
Out Brief of the Report .......... 169

Part III  Exploiting .......... 171

Chapter 10  Programming Survival Skills .......... 173
C Programming Language .......... 173
Basic C Language Constructs .......... 173
Sample Program .......... 178
Compiling with gcc .......... 179
Computer Memory .......... 180
Random Access Memory (RAM) .......... 180
Endian .......... 180
Segmentation of Memory .......... 181
Programs in Memory .......... 181
Buffers .......... 182
Strings in Memory .......... 182
Pointers .......... 182
Putting the Pieces of Memory Together .......... 183
Intel Processors .......... 184
Registers .......... 184
Assembly Language Basics .......... 184
Machine vs. Assembly vs. C .......... 185
AT&T vs. NASM .......... 185
Addressing Modes .......... 188
Assembly File Structure .......... 189
Assembling .......... 189
Debugging with gdb .......... 190
gdb Basics .......... 190
Disassembly with gdb .......... 191
Python Survival Skills .......... 192
Getting Python .......... 192
Hello World in Python .......... 193
Python Objects .......... 193
Strings .......... 193
Numbers .......... 195
Lists .......... 196
Dictionaries .......... 197
Files with Python .......... 197
Sockets with Python .......... 199

Chapter 11  Basic Linux Exploits .......... 201
Stack Operations .......... 201
Function Calling Procedure .......... 202
Buffer Overflows .......... 203
Overflow of meet.c .......... 204
Ramifications of Buffer Overflows .......... 208
Local Buffer Overflow Exploits .......... 209
Components of the Exploit .......... 209
Exploiting Stack Overflows from the Command Line .......... 211
Exploiting Stack Overflows with Generic Exploit Code .......... 213
Exploiting Small Buffers .......... 215
Exploit Development Process .......... 217
Control eip .......... 218
Determine the Offset(s) .......... 218
Determine the Attack Vector .......... 221
Build the Exploit Sandwich .......... 222
Test the Exploit .......... 222

Chapter 12  Advanced Linux Exploits .......... 225
Format String Exploits .......... 225
The Problem .......... 225
Reading from Arbitrary Memory .......... 229
Writing to Arbitrary Memory .......... 231
Taking .dtors to root .......... 233
Memory Protection Schemes .......... 236
Compiler Improvements .......... 236
Kernel Patches and Scripts .......... 240
Return to libc Exploits .......... 241
Bottom Line .......... 249

Chapter 13  Shellcode Strategies .......... 251
User Space Shellcode
System Calls
Basic Shellcode
Port Binding Shellcode
Reverse Shellcode
Find Socket Shellcode
Command Execution Code
File Transfer Code
Multistage Shellcode
System Call Proxy Shellcode
Process Injection Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Other Shellcode Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Shellcode Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Self-Corrupting Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Disassembling Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Kernel Space Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Kernel Space Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . .

251
252
252
253
254
256
257
257
258

258
259
260
260
261
262
263
264

Writing Linux Shellcode

.................................

267

Basic Linux Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Calls by C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Calls by Assembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exit System Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
setreuid System Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Shell-Spawning Shellcode with execve . . . . . . . . . . . . . . . . . . . .
Implementing Port-Binding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . .
Linux Socket Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Assembly Program to Establish a Socket . . . . . . . . . . . . . . . . . . .
Test the Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

267
268
268

269
269
271
272
276
276
279
281

/>

Contents

xv
Implementing Reverse Connecting Shellcode . . . . . . . . . . . . . . . . . . . .
Reverse Connecting C Program . . . . . . . . . . . . . . . . . . . . . . . . . .
Reverse Connecting Assembly Program . . . . . . . . . . . . . . . . . . . .
Encoding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Simple XOR Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Structure of Encoded Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . .
JMP/CALL XOR Decoder Example . . . . . . . . . . . . . . . . . . . . . . . .
FNSTENV XOR Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Putting the Code Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Automating Shellcode Generation with Metasploit . . . . . . . . . . . . . . .
Generating Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . .
Encoding Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . . .

Chapter 15

Chapter 16


Windows Exploits

284
284
285
287
287
288
288
289
291
294
294
295

......................................

297

Compiling and Debugging Windows Programs . . . . . . . . . . . . . . . . . .
Compiling on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Debugging on Windows with OllyDbg . . . . . . . . . . . . . . . . . . . .
Writing Windows Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exploit Development Process Review . . . . . . . . . . . . . . . . . . . . .
ProSSHD Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Control eip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Determine the Offset(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Determine the Attack Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Build the Exploit Sandwich . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Debug the Exploit if Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Understanding Structured Exception Handling (SEH) . . . . . . . . . . . . .
Implementation of SEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Understanding Windows Memory Protections (XP SP3, Vista, 7,
and Server 2008) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Stack-Based Buffer Overrun Detection (/GS) . . . . . . . . . . . . . . .
Safe Structured Exception Handling (SafeSEH) . . . . . . . . . . . . .
SEH Overwrite Protection (SEHOP) . . . . . . . . . . . . . . . . . . . . . .
Heap Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Execution Prevention (DEP) . . . . . . . . . . . . . . . . . . . . . . . .
Address Space Layout Randomization (ASLR) . . . . . . . . . . . . . .
Bypassing Windows Memory Protections . . . . . . . . . . . . . . . . . . . . . . .
Bypassing /GS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Bypassing SafeSEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Bypassing ASLR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Bypassing DEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Bypassing SEHOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary of Memory Bypass Methods . . . . . . . . . . . . . . . . . . . .

297
297
299
304
305
305
306
308
309
312
314

316
316
318
318
320
320
320
321
321
322
323
323
324
325
331
338

Understanding and Detecting Content-Type Attacks

...........

341

How Do Content-Type Attacks Work? . . . . . . . . . . . . . . . . . . . . . . . . . .
Which File Formats Are Being Exploited Today? . . . . . . . . . . . . . . . . . .
Intro to the PDF File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

341
343
345



Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition

xvi

Chapter 17

Chapter 18

Chapter 19

Analyzing a Malicious PDF Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Implementing Safeguards in Your Analysis Environment . . . . .
Tools to Detect Malicious PDF Files . . . . . . . . . . . . . . . . . . . . . . . . . . . .
PDFiD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
pdf-parser.py . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tools to Test Your Protections Against Content-type Attacks . . . . . . . .
How to Protect Your Environment from Content-type Attacks . . . . . .
Apply All Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Disable JavaScript in Adobe Reader . . . . . . . . . . . . . . . . . . . . . . .
Enable DEP for Microsoft Office Application and
Adobe Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

348
350
351
351
355
358

359
359
359

Web Application Security Vulnerabilities

.....................

361

Overview of Top Web Application Security Vulnerabilities . . . . . . . . .
Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Cross-Site Scripting Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . .
The Rest of the OWASP Top Ten . . . . . . . . . . . . . . . . . . . . . . . . . .
SQL Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SQL Databases and Statements . . . . . . . . . . . . . . . . . . . . . . . . . .
Testing Web Applications to Find SQL Injection
Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Cross-Site Scripting Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Explaining “Scripting” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Explaining Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . .

361
361
362
362
362
365

VoIP Attacks


360

367
373
373
374

...........................................

379

What Is VoIP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Protocols Used by VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Megaco H.248 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
H.323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TLS and DTLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ZRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SIP Password Cracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Eavesdropping/Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . .
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
How to Protect Against VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . .

379
380
381

382
382
383
384
384
384
384
386
386
387
393

SCADA Attacks

........................................

395

What Is SCADA? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Which Protocols Does SCADA Use? . . . . . . . . . . . . . . . . . . . . . . . . . . .
OPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ICCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Modbus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DNP3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

395
396
396
396
397

398

/>

Contents

xvii
SCADA Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SCADA Fuzzing with Autodafé . . . . . . . . . . . . . . . . . . . . . . . . . . .
SCADA Fuzzing with TFTP Daemon Fuzzer . . . . . . . . . . . . . . . .
Stuxnet Malware (The New Wave in Cyberterrorism) . . . . . . . . . . . . . .
How to Protect Against SCADA Attacks . . . . . . . . . . . . . . . . . . . . . . . . .

Part IV
Chapter 20

Chapter 21

Chapter 22

Vulnerability Analysis
Passive Analysis

399
399
405
408
408

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411


........................................

413

Ethical Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Why Bother with Reverse Engineering? . . . . . . . . . . . . . . . . . . . . . . . . .
Reverse Engineering Considerations . . . . . . . . . . . . . . . . . . . . . .
Source Code Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Source Code Auditing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Utility of Source Code Auditing Tools . . . . . . . . . . . . . . . . .
Manual Source Code Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . .
Automated Source Code Analysis . . . . . . . . . . . . . . . . . . . . . . . .
Binary Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Manual Auditing of Binary Code . . . . . . . . . . . . . . . . . . . . . . . . .
Automated Binary Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . .

413
414
415
416
416
418
420
425
427
427
441

Advanced Static Analysis with IDA Pro


......................

445

Static Analysis Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Stripped Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Statically Linked Programs and FLAIR . . . . . . . . . . . . . . . . . . . . .
Data Structure Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Quirks of Compiled C++ Code . . . . . . . . . . . . . . . . . . . . . . . . . .
Extending IDA Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Scripting with IDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IDA Pro Plug-In Modules and the IDA Pro SDK . . . . . . . . . . . . .
Building IDA Pro Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IDA Pro Loaders and Processor Modules . . . . . . . . . . . . . . . . . .

445
446
448
454
459
461
461
464
466
468

Advanced Reverse Engineering

............................


471

Why Try to Break Software? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of the Software Development Process . . . . . . . . . . . . . . . . . .
Instrumentation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Code Coverage Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . .
Profiling Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Flow Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Memory Use Monitoring Tools . . . . . . . . . . . . . . . . . . . . . . . . . .
Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Instrumented Fuzzing Tools and Techniques . . . . . . . . . . . . . . . . . . . .
A Simple URL Fuzzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Fuzzing Unknown Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SPIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

471
472
473
474
476
477
477
480
484
484
485
487
488



Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition

xviii
SPIKE Static Content Primitives . . . . . . . . . . . . . . . . . . . . . . . . . .
SPIKE Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sharefuzz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 23

Chapter 24

Client-Side Browser Exploits

489
492
492

..............................

495

Why Client-Side Vulnerabilities Are Interesting . . . . . . . . . . . . . . . . . .
Client-Side Vulnerabilities Bypass Firewall Protections . . . . . . .
Client-Side Applications Are Often Running with
Administrative Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Client-Side Vulnerabilities Can Easily Target Specific People
or Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Internet Explorer Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Internet Explorer Security Zones . . . . . . . . . . . . . . . . . . . . . . . . .
History of Client-Side Exploits and Latest Trends . . . . . . . . . . . . . . . . .
Client-Side Vulnerabilities Rise to Prominence . . . . . . . . . . . . .
Notable Vulnerabilities in the History of Client-Side Attacks . .
Finding New Browser-Based Vulnerabilities . . . . . . . . . . . . . . . . . . . . .
mangleme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Mozilla Security Team Fuzzers . . . . . . . . . . . . . . . . . . . . . . . . . . .
AxEnum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AxFuzz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
AxMan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Heap Spray to Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
InternetExploiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Protecting Yourself from Client-Side Exploits . . . . . . . . . . . . . . . . . . . .
Keep Up-to-Date on Security Patches . . . . . . . . . . . . . . . . . . . . .
Stay Informed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Run Internet-Facing Applications with Reduced Privileges . . . .

495
495

Exploiting the Windows Access Control Model

496
496
497
497
498
499
499

500
506
506
509
510
515
515
521
521
522
522
522
522

...............

525

Why Access Control Is Interesting to a Hacker . . . . . . . . . . . . . . . . . . .
Most People Don’t Understand Access Control . . . . . . . . . . . . .
Vulnerabilities You Find Are Easy to Exploit . . . . . . . . . . . . . . . .
You’ll Find Tons of Security Vulnerabilities . . . . . . . . . . . . . . . . .
How Windows Access Control Works . . . . . . . . . . . . . . . . . . . . . . . . . .
Security Identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Access Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Security Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Access Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tools for Analyzing Access Control Configurations . . . . . . . . . . . . . . .
Dumping the Process Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Dumping the Security Descriptor . . . . . . . . . . . . . . . . . . . . . . . .

Special SIDs, Special Access, and “Access Denied” . . . . . . . . . . . . . . . .
Special SIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Special Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Investigating “Access Denied” . . . . . . . . . . . . . . . . . . . . . . . . . . .

525
525
526
526
526
527
528
531
535
538
538
541
543
543
545
545

/>

Contents

xix
Analyzing Access Control for Elevation of Privilege . . . . . . . . . . . . . . .
Attack Patterns for Each Interesting Object Type . . . . . . . . . . . . . . . . . .
Attacking Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Attacking Weak DACLs in the Windows Registry . . . . . . . . . . . .
Attacking Weak Directory DACLs . . . . . . . . . . . . . . . . . . . . . . . . .
Attacking Weak File DACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
What Other Object Types Are Out There? . . . . . . . . . . . . . . . . . . . . . . .
Enumerating Shared Memory Sections . . . . . . . . . . . . . . . . . . . .
Enumerating Named Pipes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enumerating Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enumerating Other Named Kernel Objects (Semaphores,
Mutexes, Events, Devices) . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Chapter 25

Chapter 26

Chapter 27

Intelligent Fuzzing with Sulley

553
554
554
560
564
569
573
573
574
575
576


.............................

579

Protocol Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sulley Fuzzing Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Installing Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Powerful Fuzzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Monitoring the Process for Faults . . . . . . . . . . . . . . . . . . . . . . . .
Monitoring the Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . .
Controlling VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Postmortem Analysis of Crashes . . . . . . . . . . . . . . . . . . . . . . . . .
Analysis of Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exploring Further . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

579
581
581
581
584
588
589
589
590
592
593
594


From Vulnerability to Exploit

..............................

595

Exploitability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Debugging for Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Initial Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Understanding the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Preconditions and Postconditions . . . . . . . . . . . . . . . . . . . . . . . .
Repeatability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Payload Construction Considerations . . . . . . . . . . . . . . . . . . . . . . . . . .
Payload Protocol Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Buffer Orientation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Self-Destructive Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Documenting the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Background Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Circumstances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Research Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

596
596
597
601
602
603
611
612
612

613
614
614
614
615

Closing the Holes: Mitigation

..............................

617

Mitigation Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Port Knocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

617
618
618


Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition

xx
Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Source Code Patching Considerations . . . . . . . . . . . . . . . . . . . . .
Binary Patching Considerations . . . . . . . . . . . . . . . . . . . . . . . . . .
Binary Mutation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Third-Party Patching Initiatives . . . . . . . . . . . . . . . . . . . . . . . . . .


Part V
Chapter 28

Chapter 29

Malware Analysis

619
620
622
626
631

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Collecting Malware and Initial Analysis

......................

635

Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Malware Defensive Techniques . . . . . . . . . . . . . . . . . . . . . . . . . .
Latest Trends in Honeynet Technology . . . . . . . . . . . . . . . . . . . . . . . . .
Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Honeynets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Why Honeypots Are Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Limitations of Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Low-Interaction Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

High-Interaction Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Types of Honeynets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Thwarting VMware Detection Technologies . . . . . . . . . . . . . . . .
Catching Malware: Setting the Trap . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VMware Host Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
VMware Guest Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using Nepenthes to Catch a Fly . . . . . . . . . . . . . . . . . . . . . . . . . .
Initial Analysis of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Live Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Norman SandBox Technology . . . . . . . . . . . . . . . . . . . . . . . . . . .

635
635
636
637
637
637
637
638
639
639
640
642
644
644
644
644
646
646

648
653

Hacking Malware

.......................................

657

Trends in Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Embedded Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Use of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User Space Hiding Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . .
Use of Rootkit Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Persistence Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
De-obfuscating Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Packer Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Unpacking Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Reverse-Engineering Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Malware Setup Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Malware Operation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Automated Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . .

657
657
658
658
659
659
660

660
661
669
670
670
671

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

673

/>

PREFACE
This book has been developed by and for security professionals who are dedicated to
working in an ethical and responsible manner to improve the overall security posture
of individuals, corporations, and nations.
