book

Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, 6th Edition

Name: Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, 6th Edition
ISBN: 9781264268955

by Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom, Huascar Tejeda, Daniel Fernandez, Moses Frost

March 2022

Intermediate to advanced

752 pages

18h 47m

English

McGraw-Hill

Read now

Unlock full access

Cover
Title Page
Copyright Page
Contents
Preface
Acknowledgments
Introduction
Part I Preparation
Chapter 1 Gray Hat Hacking
Gray Hat Hacking OverviewHistory of HackingEthics and HackingDefinition of Gray Hat HackingHistory of Ethical HackingHistory of Vulnerability DisclosureBug Bounty ProgramsKnow the Enemy: Black Hat HackingAdvanced Persistent ThreatsLockheed Martin Cyber Kill ChainCourses of Action for the Cyber Kill ChainMITRE ATT&CK FrameworkSummaryFor Further ReadingReferences
Chapter 2 Programming Survival Skills
C Programming LanguageBasic C Language ConstructsLab 2-1: Format StringsLab 2-2: LoopsLab 2-3: if/elseSample ProgramsLab 2-4: hello.cLab 2-5: meet.cCompiling with gccLab 2-6: Compiling meet.cComputer MemoryRandom Access MemoryEndianSegmentation of MemoryPrograms in MemoryBuffersStrings in MemoryPointersPutting the Pieces of Memory TogetherLab 2-7: memory.cIntel ProcessorsRegistersAssembly Language BasicsMachine vs. Assembly vs. CAT&T vs. NASMAddressing ModesAssembly File StructureLab 2-8: Simple Assembly ProgramDebugging with gdbgdb BasicsLab 2-9: DebuggingLab 2-10: Disassembly with gdbPython Survival SkillsGetting PythonLab 2-11: Launching PythonLab 2-12: “Hello, World!” in PythonPython ObjectsLab 2-13: StringsLab 2-14: NumbersLab 2-15: ListsLab 2-16: DictionariesLab 2-17: Files with PythonLab 2-18: Sockets with PythonSummaryFor Further ReadingReferences

Chapter 3 Linux Exploit Development Tools
Binary, Dynamic Information-Gathering ToolsLab 3-1: Hello.cLab 3-2: lddLab 3-3: objdumpLab 3-4: straceLab 3-5: ltraceLab 3-6: checksecLab 3-7: libc-databaseLab 3-8: patchelfLab 3-9: one_gadgetLab 3-10: RopperExtending gdb with PythonPwntools CTF Framework and Exploit Development LibrarySummary of FeaturesLab 3-11: leak-bof.cHeapME (Heap Made Easy) Heap Analysis and Collaboration ToolInstalling HeapMELab 3-12: heapme_demo.cSummaryFor Further ReadingReferences
Chapter 4 Introduction to Ghidra
Creating Our First ProjectInstallation and QuickStartSetting the Project WorkspaceFunctionality OverviewLab 4-1: Improving Readability with AnnotationsLab 4-2: Binary Diffing and Patch AnalysisSummaryFor Further ReadingReferences
Chapter 5 IDA Pro
Introduction to IDA Pro for Reverse EngineeringWhat Is Disassembly?Navigating IDA ProIDA Pro Features and FunctionalityCross-References (Xrefs)Function CallsProximity BrowserOpcodes and AddressingShortcutsCommentsDebugging with IDA ProSummaryFor Further ReadingReferences
Part II Ethical Hacking
Chapter 6 Red and Purple Teams
Introduction to Red TeamsVulnerability ScanningValidated Vulnerability ScanningPenetration TestingThreat Simulation and EmulationPurple TeamMaking Money with Red TeamingCorporate Red TeamingConsultant Red TeamingPurple Team BasicsPurple Team SkillsPurple Team ActivitiesSummaryFor Further ReadingReferences
Chapter 7 Command and Control (C2)
Command and Control SystemsMetasploitLab 7-1: Creating a Shell with MetasploitPowerShell EmpireCovenantLab 7-2: Using Covenant C2Payload Obfuscationmsfvenom and ObfuscationLab 7-3: Obfuscating Payloads with msfvenomCreating C# LaunchersLab 7-4: Compiling and Testing C# LaunchersCreating Go LaunchersLab 7-5: Compiling and Testing Go LaunchersCreating Nim LaunchersLab 7-6: Compiling and Testing Nim LaunchersNetwork EvasionEncryptionAlternate ProtocolsC2 TemplatesEDR EvasionKilling EDR ProductsBypassing HooksSummaryFor Further Reading
Chapter 8 Building a Threat Hunting Lab
Threat Hunting and LabsOptions of Threat Hunting LabsMethod for the Rest of this ChapterBasic Threat Hunting Lab: DetectionLabPrerequisitesLab 8-1: Install the Lab on Your HostLab 8-2: Install the Lab in the CloudLab 8-3: Looking Around the LabExtending Your LabHELKLab 8-4: Install HELKLab 8-5: Install WinlogbeatLab 8-6: Kibana BasicsLab 8-7: MordorSummaryFor Further ReadingReferences
Chapter 9 Introduction to Threat Hunting
Threat Hunting BasicsTypes of Threat HuntingWorkflow of a Threat HuntNormalizing Data Sources with OSSEMData SourcesOSSEM to the RescueData-Driven Hunts Using OSSEMMITRE ATT&CK Framework Refresher: T1003.002Lab 9-1: Visualizing Data Sources with OSSEMLab 9-2: AtomicRedTeam Attacker EmulationExploring Hypothesis-Driven HuntsLab 9-3: Hypothesis that Someone Copied a SAM FileCrawl, Walk, RunEnter MordorLab 9-4: Hypothesis that Someone Other than an Admin Launched PowerShellThreat Hunter PlaybookDeparture from HELK for NowSpark and JupyterLab 9-5: Automated Playbooks and Sharing of AnalyticsSummaryFor Further ReadingReferences
Part III Hacking Systems
Chapter 10 Basic Linux Exploits
Stack Operations and Function-Calling ProceduresBuffer OverflowsLab 10-1: Overflowing meet.cRamifications of Buffer OverflowsLocal Buffer Overflow ExploitsLab 10-2: Components of the ExploitLab 10-3: Exploiting Stack Overflows from the Command LineLab 10-4: Writing the Exploit with PwntoolsLab 10-5: Exploiting Small BuffersExploit Development ProcessLab 10-6: Building Custom ExploitsSummaryFor Further Reading
Chapter 11 Advanced Linux Exploits
Lab 11-1: Vulnerable Program and Environment SetupLab 11-2: Bypassing Non-Executable Stack (NX) with Return-Oriented Programming (ROP)Lab 11-3: Defeating Stack CanariesLab 11-4: ASLR Bypass with an Information LeakLab 11-5: PIE Bypass with an Information LeakSummaryFor Further ReadingReferences
Chapter 12 Linux Kernel Exploits
Lab 12-1: Environment Setup and Vulnerable procfs ModuleLab 12-2: ret2usrLab 12-3: Defeating Stack CanariesLab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI)Lab 12-5: Bypassing Supervisor Mode Access Prevention (SMAP)Lab 12-6: Defeating Kernel Address Space Layout Randomization (KASLR)SummaryFor Further ReadingReferences
Chapter 13 Basic Windows Exploitation
Compiling and Debugging Windows ProgramsLab 13-1: Compiling on WindowsDebugging on Windows with Immunity DebuggerLab 13-2: Crashing the ProgramWriting Windows ExploitsExploit Development Process ReviewLab 13-3: Exploiting ProSSHD ServerUnderstanding Structured Exception HandlingUnderstanding and Bypassing Common Windows Memory ProtectionsSafe Structured Exception HandlingBypassing SafeSEHData Execution PreventionReturn-Oriented ProgrammingGadgetsBuilding the ROP ChainSummaryFor Further ReadingReferences
Chapter 14 Windows Kernel Exploitation
The Windows KernelKernel DriversKernel DebuggingLab 14-1: Setting Up Kernel DebuggingPicking a TargetLab 14-2: Obtaining the Target DriverLab 14-3: Reverse Engineering the DriverLab 14-4: Interacting with the DriverToken StealingLab 14-5: Arbitrary Pointer Read/WriteLab 14-6: Writing a Kernel ExploitSummaryFor Further ReadingReferences
Chapter 15 PowerShell Exploitation
Why PowerShellLiving off the LandPowerShell LoggingPowerShell PortabilityLoading PowerShell ScriptsLab 15-1: The Failure ConditionLab 15-2: Passing Commands on the Command LineLab 15-3: Encoded CommandsLab 15-4: Bootstrapping via the WebExploitation and Post-Exploitation with PowerSploitLab 15-5: Setting Up PowerSploitLab 15-6: Running Mimikatz Through PowerShellUsing PowerShell Empire for C2Lab 15-7: Setting Up EmpireLab 15-8: Staging an Empire C2Lab 15-9: Using Empire to Own the SystemLab 15-10: Using WinRM to Launch EmpireSummaryFor Further ReadingReference
Chapter 16 Getting Shells Without Exploits
Capturing Password HashesUnderstanding LLMNR and NBNSUnderstanding Windows NTLMv1 and NTLMv2 AuthenticationUsing ResponderLab 16-1: Getting Passwords with ResponderUsing WinexeLab 16-2: Using Winexe to Access Remote SystemsLab 16-3: Using Winexe to Gain Elevated PrivilegesUsing WMILab 16-4: Querying System Information with WMILab 16-5: Executing Commands with WMITaking Advantage of WinRMLab 16-6: Executing Commands with WinRMLab 16-7: Using Evil-WinRM to Execute CodeSummaryFor Further ReadingReference
Chapter 17 Post-Exploitation in Modern Windows Environments
Post-ExploitationHost ReconLab 17-1: Using whoami to Identify PrivilegesLab 17-2: Using Seatbelt to Find User InformationLab 17-3: System Recon with PowerShellLab 17-4: System Recon with SeatbeltLab 17-5: Getting Domain Information with PowerShellLab 17-6: Using PowerView for AD ReconLab 17-7: Gathering AD Data with SharpHoundEscalationLab 17-8: Profiling Systems with winPEASLab 17-9: Using SharpUp to Escalate PrivilegesLab 17-10: Searching for Passwords in User ObjectsLab 17-11: Abusing Kerberos to Gather CredentialsLab 17-12: Abusing Kerberos to Escalate PrivilegesActive Directory PersistenceLab 17-13: Abusing AdminSDHolderLab 17-14: Abusing SIDHistorySummaryFor Further Reading
Chapter 18 Next-Generation Patch Exploitation
Introduction to Binary DiffingApplication DiffingPatch DiffingBinary Diffing ToolsBinDiffturbodiffLab 18-1: Our First DiffPatch Management ProcessMicrosoft Patch TuesdayObtaining and Extracting Microsoft PatchesSummaryFor Further ReadingReferences
Part IV Hacking IoT
Chapter 19 Internet of Things to Be Hacked
Internet of Things (IoT)Types of Connected ThingsWireless ProtocolsCommunication ProtocolsSecurity ConcernsShodan IoT Search EngineWeb InterfaceShodan Command-Line InterfaceLab 19-1: Using the Shodan Command LineShodan APILab 19-2: Testing the Shodan APILab 19-3: Playing with MQTTImplications of this Unauthenticated Access to MQTTIoT Worms: It Was a Matter of TimePreventionSummaryFor Further ReadingReferences
Chapter 20 Dissecting Embedded Devices
CPUMicroprocessorMicrocontrollersSystem on ChipCommon Processor ArchitecturesSerial InterfacesUARTSPII2CDebug InterfacesJTAGSWDSoftwareBootloaderNo Operating SystemReal-Time Operating SystemGeneral Operating SystemSummaryFor Further ReadingReferences
Chapter 21 Exploiting Embedded Devices
Static Analysis of Vulnerabilities in Embedded DevicesLab 21-1: Analyzing the Update PackageLab 21-2: Performing Vulnerability AnalysisDynamic Analysis with HardwareThe Test Environment SetupEttercapDynamic Analysis with EmulationFirmAELab 21-3: Setting Up FirmAELab 21-4: Emulating FirmwareLab 21-5: Exploiting FirmwareSummaryFor Further ReadingReferences
Chapter 22 Software-Defined Radio
Getting Started with SDRWhat to BuyNot So Quick: Know the RulesLearn by ExampleSearchCaptureReplayAnalyzePreviewExecuteSummaryFor Further Reading
Part V Hacking Hypervisors
Chapter 23 Hypervisors
What Is a Hypervisor?Popek and Goldberg Virtualization TheoremsGoldberg’s Hardware VirtualizerType-1 and Type-2 VMMsx86 VirtualizationDynamic Binary TranslationRing CompressionShadow PagingParavirtualizationHardware Assisted VirtualizationVMXEPTSummaryReferences
Chapter 24 Creating a Research Framework
Hypervisor Attack SurfaceThe UnikernelLab 24-1: Booting and CommunicationLab 24-2: Communication ProtocolBoot Message ImplementationHandling RequestsThe Client (Python)Communication Protocol (Python)Lab 24-3: Running the Guest (Python)Lab 24-4: Code Injection (Python)FuzzingThe Fuzzer Base ClassLab 24-5: IO-Ports FuzzerLab 24-6: MSR FuzzerLab 24-7: Exception HandlingFuzzing Tips and ImprovementsSummaryReferences
Chapter 25 Inside Hyper-V
Environment SetupHyper-V ArchitectureHyper-V ComponentsVirtual Trust LevelsGeneration-1 VMsLab 25-1: Scanning PCI Devices in a Generation-1 VMGeneration 2 VMsLab 25-2: Scanning PCI Devices in a Generation-2 VMHyper-V Synthetic InterfaceSynthetic MSRsLab 25-3: Setting Up the Hypercall Page and Dumping Its ContentsHypercallsVMBusLab 25-4: Listing VMBus DevicesSummaryFor Further ReadingReferences
Chapter 26 Hacking Hypervisors Case Study
Bug AnalysisUSB BasicsLab 26-1: Patch Analysis Using GitHub APIDeveloping a TriggerSetting Up the TargetLab 26-2: Scanning the PCI BusThe EHCI ControllerTriggering the BugLab 26-3: Running the TriggerExploitationRelative Write PrimitiveRelative Read PrimitiveLab 26-4: Debugging the Relative Read PrimitiveArbitrary ReadFull Address-Space Leak PrimitiveModule Base LeakRET2LIBLab 26-5: Finding Function Pointers with GDBLab 26-6: Displaying IRQState with GDBLab 26-7: Launching the ExploitSummaryFor Further ReadingReferences
Part VI Hacking the Cloud
Chapter 27 Hacking in Amazon Web Services
Amazon Web ServicesServices, Locations, and InfrastructureHow Authorization Works in AWSAbusing AWS Best PracticesLab 27-1: Environment SetupAbusing Authentication ControlsTypes of Keys and Key MaterialLab 27-2: Finding AWS KeysAttacker ToolsLab 27-3: Enumerating PermissionsLab 27-4: Leveraging Access to Perform Unauthorized ActionsLab 27-5: Persistence Through System InternalsSummaryFor Further ReadingReferences
Chapter 28 Hacking in Azure
Microsoft AzureDifferences Between Azure and AWSLab 28-1: Setup of Our LabsLab 28-2: Additional User StepsLab 28-3: Validating AccessMicrosoft Azure AD OverviewAzure PermissionsConstructing an Attack on Azure-Hosted SystemsLab 28-4: Azure AD User LookupsLab 28-5: Azure AD Password SprayingLab 28-6: Getting onto AzureControl Plane and Managed IdentitiesLab 28-7: System Assigned IdentitiesLab 28-8: Getting a Backdoor on a NodeSummaryFor Further ReadingReferences
Chapter 29 Hacking Containers
Linux ContainersContainer InternalsCgroupsLab 29-1: Setup of our EnvironmentLab 29-2: Looking at CgroupsNamespacesStorageLab 29-3: Container StorageApplicationsWhat Is Docker?Lab 29-4: Looking for Docker DaemonsContainer SecurityLab 29-5: Interacting with the Docker APILab 29-6: Executing Commands RemotelyLab 29-7: PivotsBreaking Out of ContainersCapabilitiesLab 29-8: Privileged PodsLab 29-9: Abusing CgroupsSummaryFor Further ReadingReferences
Chapter 30 Hacking on Kubernetes
Kubernetes ArchitectureFingerprinting Kubernetes API ServersLab 30-1: Cluster SetupFinding Kubernetes API ServersLab 30-2: Fingerprinting Kubernetes ServersHacking Kubernetes from WithinLab 30-3: KubestrikerLab 30-4: Attacking from WithinLab 30-5: Attacking the API ServerSummaryFor Further ReadingReferences
Index

Content preview from Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, 6th Edition

CHAPTER 16 Getting Shells Without Exploits

In this chapter, we cover the following topics:

• Capturing password hashes

• Using Winexe

• Using WMI

• Taking advantage of WinRM

One of the key tenets in penetration testing is stealth. The sooner we are seen on the network, the faster the responders can stop us from progressing. As a result, using tools that seem natural on the network and using utilities that do not generate any noticeable impact for users is one of the ways we can stay under the radar. In this chapter we are going to look at some ways to gain access and move laterally through an environment while using tools that are native on the target systems.

Capturing Password Hashes

When we look at ways to gain access to systems ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

CEH Certified Ethical Hacker Cert Guide, 4th Edition

Publisher Resources

ISBN: 9781264268955

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, 6th Edition

by Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom, Huascar Tejeda, Daniel Fernandez, Moses Frost

CHAPTER 16