book

Gray Hat Hacking The Ethical Hacker's Handbook, Fifth Edition, 5th Edition

by Daniel Regalado, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Branko Spasojevic, Ryan Linn, Stephen Sims

April 2018

Intermediate to advanced

640 pages

17h 12m

English

McGraw-Hill

Read now

Unlock full access

Know Your EnemyThe Current Security LandscapeRecognizing an AttackThe Gray Hat WayEmulating the AttackFrequency and Focus of TestingEvolution of CyberlawUnderstanding Individual CyberlawsSummaryReferences

C Programming LanguageBasic C Language ConstructsSample ProgramCompiling with gccComputer MemoryRandom Access MemoryEndianSegmentation of MemoryPrograms in MemoryBuffersStrings in MemoryPointersPutting the Pieces of Memory TogetherIntel ProcessorsRegistersAssembly Language BasicsMachine vs. Assembly vs. CAT&T vs. NASMAddressing ModesAssembly File StructureAssemblingDebugging with gdbgdb BasicsDisassembly with gdbPython Survival SkillsGetting Python“Hello, World!” in PythonPython ObjectsStringsNumbersListsDictionariesFiles with PythonSockets with PythonSummaryFor Further ReadingReferences
Introduction to FuzzingTypes of FuzzersMutation FuzzersGeneration FuzzersGenetic FuzzingMutation Fuzzing with PeachLab 3-1: Mutation Fuzzing with PeachGeneration Fuzzing with PeachCrash AnalysisLab 3-2: Generation Fuzzing with PeachGenetic or Evolutionary Fuzzing with AFLLab 3-3: Genetic Fuzzing with AFLSummaryFor Further Reading
Code AnnotationIDB Annotation with IDAscopeC++ Code AnalysisCollaborative AnalysisLeveraging Collaborative Knowledge Using FIRSTCollaboration with BinNaviDynamic AnalysisAutomated Dynamic Analysis with Cuckoo SandboxBridging the Static-Dynamic Tool Gap with LabelessSummaryFor Further ReadingReferences
Getting Started with SDRWhat to BuyNot So Quick: Know the RulesLearn by ExampleSearchCaptureReplayAnalyzePreviewExecuteSummaryFor Further Reading
The Journey from Novice to ExpertPen Tester EthosPen Tester TaxonomyThe Future of HackingKnow the TechKnow What Good Looks LikePen Tester TrainingPracticeDegree ProgramsKnowledge TransferPen Tester TradecraftPersonal LiabilityBeing the Trusted AdvisorManaging a Pen TestSummaryFor Further Reading
Red Team OperationsStrategic, Operational, and Tactical FocusAssessment ComparisonsRed Teaming ObjectivesWhat Can Go WrongLimited ScopeLimited TimeLimited AudienceOvercoming LimitationsCommunicationsPlanning MeetingsDefining Measurable EventsUnderstanding ThreatsAttack FrameworksTesting EnvironmentAdaptive TestingExternal AssessmentPhysical Security AssessmentSocial EngineeringInternal AssessmentLessons LearnedSummaryReferences
Introduction to Purple TeamingBlue Team OperationsKnow Your EnemyKnow YourselfSecurity ProgramIncident Response ProgramCommon Blue Teaming ChallengesPurple Teaming OperationsDecision FrameworksDisrupting the Kill ChainKill Chain Countermeasure FrameworkCommunicationPurple Team OptimizationSummaryFor Further ReadingReferences
History of Vulnerability DisclosureFull Vendor DisclosureFull Public DisclosureResponsible DisclosureNo More Free BugsBug Bounty ProgramsTypes of Bug Bounty ProgramsIncentivesControversy Surrounding Bug Bounty ProgramsPopular Bug Bounty Program FacilitatorsBugcrowd in DepthProgram Owner Web InterfaceProgram Owner API ExampleResearcher Web InterfaceEarning a Living Finding BugsSelecting a TargetRegistering (If Required)Understanding the Rules of the GameFinding VulnerabilitiesReporting VulnerabilitiesCashing OutIncident ResponseCommunicationTriageRemediationDisclosure to UsersPublic RelationsSummaryFor Further ReadingReferences
Capturing Password HashesUnderstanding LLMNR and NBNSUnderstanding Windows NTLMv1 and NTLMv2 AuthenticationUsing ResponderLab 10-1: Getting Passwords with ResponderUsing WinexeLab 10-2: Using Winexe to Access Remote SystemsLab 10-3: Using Winexe to Gain Elevated PrivilegesUsing WMILab 10-4: Querying System Information with WMILab 10-5: Executing Commands with WMITaking Advantage of WinRMLab 10-6: Executing Commands with WinRMLab 10-7: Using WinRM to Run PowerShell RemotelySummaryFor Further ReadingReference
Stack Operations and Function-Calling ProceduresBuffer OverflowsLab 11-1: Overflowing meet.cRamifications of Buffer OverflowsLocal Buffer Overflow ExploitsLab 11-2: Components of the ExploitLab 11-3: Exploiting Stack Overflows from the Command LineLab 11-4: Exploiting Stack Overflows with Generic Exploit CodeLab 11-5: Exploiting Small BuffersExploit Development ProcessLab 11-6: Building Custom ExploitsSummaryFor Further Reading
Format String ExploitsFormat StringsLab 12-1: Reading from Arbitrary MemoryLab 12-2: Writing to Arbitrary MemoryLab 12-3: Changing Program ExecutionMemory Protection SchemesCompiler ImprovementsLab 11-4: Bypassing Stack ProtectionKernel Patches and ScriptsLab 12-5: Return to libc ExploitsLab 12-6: Maintaining Privileges with ret2libcBottom LineSummaryFor Further ReadingReferences
Compiling and Debugging Windows ProgramsLab 13-1: Compiling on WindowsWindows Compiler OptionsDebugging on Windows with Immunity DebuggerLab 13-2: Crashing the ProgramWriting Windows ExploitsExploit Development Process ReviewLab 13-3: Exploiting ProSSHD ServerUnderstanding Structured Exception Handling (SEH)Understanding and Bypassing Windows Memory ProtectionsSafe Structured Exception Handling (SafeSEH)Bypassing SafeSEHSEH Overwrite Protection (SEHOP)Bypassing SEHOPStack-Based Buffer Overrun Detection (/GS)Bypassing /GSHeap ProtectionsSummaryFor Further ReadingReferences
Data Execution Prevention (DEP)Address Space Layout Randomization (ASLR)Enhanced Mitigation Experience Toolkit (EMET) and Windows Defender Exploit GuardBypassing ASLRBypassing DEP and Avoiding ASLRVirtualProtectReturn-Oriented ProgrammingGadgetsBuilding the ROP ChainDefeating ASLR Through a Memory LeakTriggering the BugTracing the Memory LeakWeaponizing the Memory LeakBuilding the RVA ROP ChainSummaryFor Further ReadingReferences
Why PowerShellLiving Off the LandPowerShell LoggingPowerShell PortabilityLoading PowerShell ScriptsLab 15-1: The Failure ConditionLab 15-2: Passing Commands on the Command LineLab 15-3: Encoded CommandsLab 15-4: Bootstrapping via the WebExploitation and Post-Exploitation with PowerSploitLab 15-5: Setting Up PowerSploitLab 15-6: Running Mimikatz Through PowerShellLab 15-7: Creating a Persistent Meterpreter Using PowerSploitUsing PowerShell Empire for C2Lab 15-8: Setting Up EmpireLab 15-9: Staging an Empire C2Lab 15-10: Using Empire to Own the SystemSummaryFor Further ReadingReferences
The Evolution of Cross-Site Scripting (XSS)Setting Up the EnvironmentLab 16-1: XSS RefresherLab 16-2: XSS Evasion from Internet WisdomLab 16-3: Changing Application Logic with XSSLab 16-4: Using the DOM for XSSFramework VulnerabilitiesSetting Up the EnvironmentLab 16-5: Exploiting CVE-2017-5638Lab 16-6: Exploiting CVE-2017-9805Padding Oracle AttacksLab 16-7: Changing Data with the Padding Oracle AttackSummaryFor Further ReadingReferences
Introduction to Binary DiffingApplication DiffingPatch DiffingBinary Diffing ToolsBinDiffturbodiffLab 17-1: Our First DiffPatch Management ProcessMicrosoft Patch TuesdayObtaining and Extracting Microsoft PatchesLab 17-2: Diffing MS17-010Patch Diffing for ExploitationDLL Side-Loading BugsLab 17-3: Diffing MS16-009SummaryFor Further ReadingReferences
The Android PlatformAndroid Application PackageApplication ManifestAnalyzing DEXJava DecompilationDEX DecompilationDEX DisassemblingExample 18-1: Running APK in EmulatorMalware AnalysisThe iOS PlatformiOS SecurityiOS ApplicationsSummaryFor Further ReadingReferences
The Beginnings of RansomwareOptions for Paying the RansomDissecting RansomlockExample 19-1: Dynamic AnalysisExample 19-2: Static AnalysisWannacryExample 19-3: Analyzing Wannacry RansomwareSummaryFor Further Reading
ATM OverviewXFS OverviewXFS ArchitectureXFS ManagerATM Malware AnalysisTypes of ATM MalwareTechniques for Installing Malware on ATMsTechniques for Dissecting the MalwareATM Malware CountermeasuresSummaryFor Further ReadingReferences
Brief History of DeceptionHoneypots as a Form of DeceptionDeployment ConsiderationsSetting Up a Virtual MachineOpen Source HoneypotsLab 21-1: DionaeaLab 21-2: ConPotLab 21-3: CowrieLab 21-4: T-PotCommercial Alternative: TrapXSummaryFor Further ReadingReferences
Internet of Things (IoT)Types of Connected ThingsWireless ProtocolsCommunication ProtocolsSecurity ConcernsShodan IoT Search EngineWeb InterfaceShodan Command-Line InterfaceLab 22-1: Using the Shodan Command LineShodan APILab 22-2: Testing the Shodan APILab 22-3: Playing with MQTTImplications of This Unauthenticated Access to MQTTIoT Worms: It Was a Matter of TimeLab 22-4: Mirai LivesPreventionSummaryFor Further ReadingReferences
CPUMicroprocessorMicrocontrollersSystem on Chip (SoC)Common Processor ArchitecturesSerial InterfacesUARTSPII2CDebug InterfacesJTAGSWD (Serial Wire Debug)SoftwareBootloaderNo Operating SystemReal-Time Operating SystemGeneral Operating SystemSummaryFor Further ReadingReferences
Static Analysis of Vulnerabilities in Embedded DevicesLab 24-1: Analyzing the Update PackageLab 24-2: Performing Vulnerability AnalysisDynamic Analysis with HardwareThe Test Environment SetupEttercapDynamic Analysis with EmulationFIRMADYNELab 24-3: Setting Up FIRMADYNELab 24-4: Emulating FirmwareLab 24-5: Exploiting FirmwareSummaryFurther ReadingReferences
Physical Access to the DeviceRS-232 OverviewRS-232 PinoutExercise 25-1: Troubleshooting a Medical Device’s RS-232 PortSetting Up the Threat LabARM and MIPS OverviewLab 25-1: Setting Up Systems with QEMUDynamic Analysis of IoT MalwareLab 25-2: IoT Malware Dynamic AnalysisPlatform for Architecture-Neutral Dynamic Analysis (PANDA)BeagleBone Black BoardReverse Engineering IoT MalwareCrash-Course ARM/MIPS Instruction SetLab 25-3: IDA Pro Remote Debugging and ReversingIoT Malware Reversing ExerciseSummaryFor Further Reading

Content preview from Gray Hat Hacking The Ethical Hacker's Handbook, Fifth Edition, 5th Edition

CHAPTER 10 Getting Shells Without Exploits

One of the key tenets in penetration testing is stealth. The sooner we are seen on the network, the faster the responders can stop us from progressing. As a result, using tools that seem natural on the network and using utilities that do not generate any noticeable impact for users is one of the ways we can stay under the radar. In this chapter we are going to look at some ways to gain access and move laterally through an environment while using tools that are native on the target systems.

In this chapter, we discuss the following topics:

• Capturing password hashes

• Using Winexe

• Using WMI

• Taking advantage of WinRM