book

Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, 6th Edition

by Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom, Huascar Tejeda, Daniel Fernandez, Moses Frost

March 2022

Intermediate to advanced

752 pages

18h 47m

English

McGraw-Hill

Read now

Unlock full access

Gray Hat Hacking OverviewHistory of HackingEthics and HackingDefinition of Gray Hat HackingHistory of Ethical HackingHistory of Vulnerability DisclosureBug Bounty ProgramsKnow the Enemy: Black Hat HackingAdvanced Persistent ThreatsLockheed Martin Cyber Kill ChainCourses of Action for the Cyber Kill ChainMITRE ATT&CK FrameworkSummaryFor Further ReadingReferences
C Programming LanguageBasic C Language ConstructsLab 2-1: Format StringsLab 2-2: LoopsLab 2-3: if/elseSample ProgramsLab 2-4: hello.cLab 2-5: meet.cCompiling with gccLab 2-6: Compiling meet.cComputer MemoryRandom Access MemoryEndianSegmentation of MemoryPrograms in MemoryBuffersStrings in MemoryPointersPutting the Pieces of Memory TogetherLab 2-7: memory.cIntel ProcessorsRegistersAssembly Language BasicsMachine vs. Assembly vs. CAT&T vs. NASMAddressing ModesAssembly File StructureLab 2-8: Simple Assembly ProgramDebugging with gdbgdb BasicsLab 2-9: DebuggingLab 2-10: Disassembly with gdbPython Survival SkillsGetting PythonLab 2-11: Launching PythonLab 2-12: “Hello, World!” in PythonPython ObjectsLab 2-13: StringsLab 2-14: NumbersLab 2-15: ListsLab 2-16: DictionariesLab 2-17: Files with PythonLab 2-18: Sockets with PythonSummaryFor Further ReadingReferences

Binary, Dynamic Information-Gathering ToolsLab 3-1: Hello.cLab 3-2: lddLab 3-3: objdumpLab 3-4: straceLab 3-5: ltraceLab 3-6: checksecLab 3-7: libc-databaseLab 3-8: patchelfLab 3-9: one_gadgetLab 3-10: RopperExtending gdb with PythonPwntools CTF Framework and Exploit Development LibrarySummary of FeaturesLab 3-11: leak-bof.cHeapME (Heap Made Easy) Heap Analysis and Collaboration ToolInstalling HeapMELab 3-12: heapme_demo.cSummaryFor Further ReadingReferences
Creating Our First ProjectInstallation and QuickStartSetting the Project WorkspaceFunctionality OverviewLab 4-1: Improving Readability with AnnotationsLab 4-2: Binary Diffing and Patch AnalysisSummaryFor Further ReadingReferences
Introduction to IDA Pro for Reverse EngineeringWhat Is Disassembly?Navigating IDA ProIDA Pro Features and FunctionalityCross-References (Xrefs)Function CallsProximity BrowserOpcodes and AddressingShortcutsCommentsDebugging with IDA ProSummaryFor Further ReadingReferences
Introduction to Red TeamsVulnerability ScanningValidated Vulnerability ScanningPenetration TestingThreat Simulation and EmulationPurple TeamMaking Money with Red TeamingCorporate Red TeamingConsultant Red TeamingPurple Team BasicsPurple Team SkillsPurple Team ActivitiesSummaryFor Further ReadingReferences
Command and Control SystemsMetasploitLab 7-1: Creating a Shell with MetasploitPowerShell EmpireCovenantLab 7-2: Using Covenant C2Payload Obfuscationmsfvenom and ObfuscationLab 7-3: Obfuscating Payloads with msfvenomCreating C# LaunchersLab 7-4: Compiling and Testing C# LaunchersCreating Go LaunchersLab 7-5: Compiling and Testing Go LaunchersCreating Nim LaunchersLab 7-6: Compiling and Testing Nim LaunchersNetwork EvasionEncryptionAlternate ProtocolsC2 TemplatesEDR EvasionKilling EDR ProductsBypassing HooksSummaryFor Further Reading
Threat Hunting and LabsOptions of Threat Hunting LabsMethod for the Rest of this ChapterBasic Threat Hunting Lab: DetectionLabPrerequisitesLab 8-1: Install the Lab on Your HostLab 8-2: Install the Lab in the CloudLab 8-3: Looking Around the LabExtending Your LabHELKLab 8-4: Install HELKLab 8-5: Install WinlogbeatLab 8-6: Kibana BasicsLab 8-7: MordorSummaryFor Further ReadingReferences
Threat Hunting BasicsTypes of Threat HuntingWorkflow of a Threat HuntNormalizing Data Sources with OSSEMData SourcesOSSEM to the RescueData-Driven Hunts Using OSSEMMITRE ATT&CK Framework Refresher: T1003.002Lab 9-1: Visualizing Data Sources with OSSEMLab 9-2: AtomicRedTeam Attacker EmulationExploring Hypothesis-Driven HuntsLab 9-3: Hypothesis that Someone Copied a SAM FileCrawl, Walk, RunEnter MordorLab 9-4: Hypothesis that Someone Other than an Admin Launched PowerShellThreat Hunter PlaybookDeparture from HELK for NowSpark and JupyterLab 9-5: Automated Playbooks and Sharing of AnalyticsSummaryFor Further ReadingReferences
Stack Operations and Function-Calling ProceduresBuffer OverflowsLab 10-1: Overflowing meet.cRamifications of Buffer OverflowsLocal Buffer Overflow ExploitsLab 10-2: Components of the ExploitLab 10-3: Exploiting Stack Overflows from the Command LineLab 10-4: Writing the Exploit with PwntoolsLab 10-5: Exploiting Small BuffersExploit Development ProcessLab 10-6: Building Custom ExploitsSummaryFor Further Reading
Lab 11-1: Vulnerable Program and Environment SetupLab 11-2: Bypassing Non-Executable Stack (NX) with Return-Oriented Programming (ROP)Lab 11-3: Defeating Stack CanariesLab 11-4: ASLR Bypass with an Information LeakLab 11-5: PIE Bypass with an Information LeakSummaryFor Further ReadingReferences
Lab 12-1: Environment Setup and Vulnerable procfs ModuleLab 12-2: ret2usrLab 12-3: Defeating Stack CanariesLab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI)Lab 12-5: Bypassing Supervisor Mode Access Prevention (SMAP)Lab 12-6: Defeating Kernel Address Space Layout Randomization (KASLR)SummaryFor Further ReadingReferences
Compiling and Debugging Windows ProgramsLab 13-1: Compiling on WindowsDebugging on Windows with Immunity DebuggerLab 13-2: Crashing the ProgramWriting Windows ExploitsExploit Development Process ReviewLab 13-3: Exploiting ProSSHD ServerUnderstanding Structured Exception HandlingUnderstanding and Bypassing Common Windows Memory ProtectionsSafe Structured Exception HandlingBypassing SafeSEHData Execution PreventionReturn-Oriented ProgrammingGadgetsBuilding the ROP ChainSummaryFor Further ReadingReferences
The Windows KernelKernel DriversKernel DebuggingLab 14-1: Setting Up Kernel DebuggingPicking a TargetLab 14-2: Obtaining the Target DriverLab 14-3: Reverse Engineering the DriverLab 14-4: Interacting with the DriverToken StealingLab 14-5: Arbitrary Pointer Read/WriteLab 14-6: Writing a Kernel ExploitSummaryFor Further ReadingReferences
Why PowerShellLiving off the LandPowerShell LoggingPowerShell PortabilityLoading PowerShell ScriptsLab 15-1: The Failure ConditionLab 15-2: Passing Commands on the Command LineLab 15-3: Encoded CommandsLab 15-4: Bootstrapping via the WebExploitation and Post-Exploitation with PowerSploitLab 15-5: Setting Up PowerSploitLab 15-6: Running Mimikatz Through PowerShellUsing PowerShell Empire for C2Lab 15-7: Setting Up EmpireLab 15-8: Staging an Empire C2Lab 15-9: Using Empire to Own the SystemLab 15-10: Using WinRM to Launch EmpireSummaryFor Further ReadingReference
Capturing Password HashesUnderstanding LLMNR and NBNSUnderstanding Windows NTLMv1 and NTLMv2 AuthenticationUsing ResponderLab 16-1: Getting Passwords with ResponderUsing WinexeLab 16-2: Using Winexe to Access Remote SystemsLab 16-3: Using Winexe to Gain Elevated PrivilegesUsing WMILab 16-4: Querying System Information with WMILab 16-5: Executing Commands with WMITaking Advantage of WinRMLab 16-6: Executing Commands with WinRMLab 16-7: Using Evil-WinRM to Execute CodeSummaryFor Further ReadingReference
Post-ExploitationHost ReconLab 17-1: Using whoami to Identify PrivilegesLab 17-2: Using Seatbelt to Find User InformationLab 17-3: System Recon with PowerShellLab 17-4: System Recon with SeatbeltLab 17-5: Getting Domain Information with PowerShellLab 17-6: Using PowerView for AD ReconLab 17-7: Gathering AD Data with SharpHoundEscalationLab 17-8: Profiling Systems with winPEASLab 17-9: Using SharpUp to Escalate PrivilegesLab 17-10: Searching for Passwords in User ObjectsLab 17-11: Abusing Kerberos to Gather CredentialsLab 17-12: Abusing Kerberos to Escalate PrivilegesActive Directory PersistenceLab 17-13: Abusing AdminSDHolderLab 17-14: Abusing SIDHistorySummaryFor Further Reading
Introduction to Binary DiffingApplication DiffingPatch DiffingBinary Diffing ToolsBinDiffturbodiffLab 18-1: Our First DiffPatch Management ProcessMicrosoft Patch TuesdayObtaining and Extracting Microsoft PatchesSummaryFor Further ReadingReferences
Internet of Things (IoT)Types of Connected ThingsWireless ProtocolsCommunication ProtocolsSecurity ConcernsShodan IoT Search EngineWeb InterfaceShodan Command-Line InterfaceLab 19-1: Using the Shodan Command LineShodan APILab 19-2: Testing the Shodan APILab 19-3: Playing with MQTTImplications of this Unauthenticated Access to MQTTIoT Worms: It Was a Matter of TimePreventionSummaryFor Further ReadingReferences
CPUMicroprocessorMicrocontrollersSystem on ChipCommon Processor ArchitecturesSerial InterfacesUARTSPII2CDebug InterfacesJTAGSWDSoftwareBootloaderNo Operating SystemReal-Time Operating SystemGeneral Operating SystemSummaryFor Further ReadingReferences
Static Analysis of Vulnerabilities in Embedded DevicesLab 21-1: Analyzing the Update PackageLab 21-2: Performing Vulnerability AnalysisDynamic Analysis with HardwareThe Test Environment SetupEttercapDynamic Analysis with EmulationFirmAELab 21-3: Setting Up FirmAELab 21-4: Emulating FirmwareLab 21-5: Exploiting FirmwareSummaryFor Further ReadingReferences
Getting Started with SDRWhat to BuyNot So Quick: Know the RulesLearn by ExampleSearchCaptureReplayAnalyzePreviewExecuteSummaryFor Further Reading
What Is a Hypervisor?Popek and Goldberg Virtualization TheoremsGoldberg’s Hardware VirtualizerType-1 and Type-2 VMMsx86 VirtualizationDynamic Binary TranslationRing CompressionShadow PagingParavirtualizationHardware Assisted VirtualizationVMXEPTSummaryReferences
Hypervisor Attack SurfaceThe UnikernelLab 24-1: Booting and CommunicationLab 24-2: Communication ProtocolBoot Message ImplementationHandling RequestsThe Client (Python)Communication Protocol (Python)Lab 24-3: Running the Guest (Python)Lab 24-4: Code Injection (Python)FuzzingThe Fuzzer Base ClassLab 24-5: IO-Ports FuzzerLab 24-6: MSR FuzzerLab 24-7: Exception HandlingFuzzing Tips and ImprovementsSummaryReferences
Environment SetupHyper-V ArchitectureHyper-V ComponentsVirtual Trust LevelsGeneration-1 VMsLab 25-1: Scanning PCI Devices in a Generation-1 VMGeneration 2 VMsLab 25-2: Scanning PCI Devices in a Generation-2 VMHyper-V Synthetic InterfaceSynthetic MSRsLab 25-3: Setting Up the Hypercall Page and Dumping Its ContentsHypercallsVMBusLab 25-4: Listing VMBus DevicesSummaryFor Further ReadingReferences
Bug AnalysisUSB BasicsLab 26-1: Patch Analysis Using GitHub APIDeveloping a TriggerSetting Up the TargetLab 26-2: Scanning the PCI BusThe EHCI ControllerTriggering the BugLab 26-3: Running the TriggerExploitationRelative Write PrimitiveRelative Read PrimitiveLab 26-4: Debugging the Relative Read PrimitiveArbitrary ReadFull Address-Space Leak PrimitiveModule Base LeakRET2LIBLab 26-5: Finding Function Pointers with GDBLab 26-6: Displaying IRQState with GDBLab 26-7: Launching the ExploitSummaryFor Further ReadingReferences
Amazon Web ServicesServices, Locations, and InfrastructureHow Authorization Works in AWSAbusing AWS Best PracticesLab 27-1: Environment SetupAbusing Authentication ControlsTypes of Keys and Key MaterialLab 27-2: Finding AWS KeysAttacker ToolsLab 27-3: Enumerating PermissionsLab 27-4: Leveraging Access to Perform Unauthorized ActionsLab 27-5: Persistence Through System InternalsSummaryFor Further ReadingReferences
Microsoft AzureDifferences Between Azure and AWSLab 28-1: Setup of Our LabsLab 28-2: Additional User StepsLab 28-3: Validating AccessMicrosoft Azure AD OverviewAzure PermissionsConstructing an Attack on Azure-Hosted SystemsLab 28-4: Azure AD User LookupsLab 28-5: Azure AD Password SprayingLab 28-6: Getting onto AzureControl Plane and Managed IdentitiesLab 28-7: System Assigned IdentitiesLab 28-8: Getting a Backdoor on a NodeSummaryFor Further ReadingReferences
Linux ContainersContainer InternalsCgroupsLab 29-1: Setup of our EnvironmentLab 29-2: Looking at CgroupsNamespacesStorageLab 29-3: Container StorageApplicationsWhat Is Docker?Lab 29-4: Looking for Docker DaemonsContainer SecurityLab 29-5: Interacting with the Docker APILab 29-6: Executing Commands RemotelyLab 29-7: PivotsBreaking Out of ContainersCapabilitiesLab 29-8: Privileged PodsLab 29-9: Abusing CgroupsSummaryFor Further ReadingReferences
Kubernetes ArchitectureFingerprinting Kubernetes API ServersLab 30-1: Cluster SetupFinding Kubernetes API ServersLab 30-2: Fingerprinting Kubernetes ServersHacking Kubernetes from WithinLab 30-3: KubestrikerLab 30-4: Attacking from WithinLab 30-5: Attacking the API ServerSummaryFor Further ReadingReferences

Content preview from Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, 6th Edition

CHAPTER 26 Hacking Hypervisors Case Study

In this chapter, we cover the following topics:

• Root cause analysis of a device emulation vulnerability in QEMU

• USB and EHCI basics

• Development of a VM escape exploit for a user-mode worker process (QEMU)

In this chapter, we will analyze and exploit CVE-2020-14364,¹ by Xiao Wei and Ziming Zhang, in QEMU’s USB emulation code. It is a simple and reliable vulnerability, which makes it a great case study. Hypervisors such as KVM and Xen use QEMU as their worker process component, so when we target QEMU, we will be performing user-mode exploitation.

This chapter assumes that on your host you are using a Linux installation with KVM virtualization enabled and that you have a working install ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Gray Hat Hacking The Ethical Hacker's Handbook, Fifth Edition, 5th Edition

Daniel Regalado, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Branko Spasojevic, Ryan Linn, Stephen Sims

Defensive Security Handbook, 2nd Edition

Lee Brotherston, Amanda Berlin, William F. Reyor

Hands on Hacking

Matthew Hickey, Jennifer Arcuri

Certified Ethical Hacker (CEH) v12 312-50 Exam Guide

Dale Meredith

Publisher Resources

ISBN: 9781264268955

CHAPTER 26

Hacking Hypervisors Case Study