Gray Hat Hacking

The Ethical Hacker's Handbook, Sixth Edition

Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom

$93.95

Paperback


English
McGraw-Hill Education
28 March 2022
Up-to-date strategies for thwarting the latest, most insidious network attacks

This fully updated, industry-standard security resource shows, step by step, how to fortify computer networks by learning and applying effective ethical hacking techniques. Based on curricula developed by the authors at major security conferences and colleges, the book features actionable planning and analysis methods as well as practical steps for identifying and combating both targeted and opportunistic attacks.

Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition clearly explains the enemy’s devious weapons, skills, and tactics and offers field-tested remedies, case studies, and testing labs. You will get complete coverage of Internet of Things, mobile, and Cloud security along with penetration testing, malware analysis, and reverse engineering techniques. State-of-the-art malware, ransomware, and system exploits are thoroughly explained.

Fully revised content includes 7 new chapters covering the latest threats
Includes proof-of-concept code stored on the GitHub repository
Authors train attendees at major security conferences, including RSA, Black Hat, Defcon, and BSides

Imprint:   McGraw-Hill Education
Country of Publication:   United States
Edition:   6th edition
Weight:   1.166kg
ISBN:   9781264268948
ISBN 10:   1264268947
Pages:   704
Publication Date:   28 March 2022
Audience:   General/trade ,  ELT Advanced
Format:   Paperback
Publisher's Status:   Active
Preface
Acknowledgments
Introduction
Part I. Preparation
Chapter 1. Gray Hat Hacking
    Gray Hat Hacking Overview
        History of Hacking
        Ethics and Hacking
        Definition of Gray Hat Hacking
    History of Ethical Hacking
        History of Vulnerability Disclosure
        Bug Bounty Programs
    Know the Enemy: Black Hat Hacking
        Advanced Persistent Threats
        Lockheed Martin Cyber Kill Chain
        Courses of Action for the Cyber Kill Chain
        MITRE ATT&CK Framework
    Summary
    For Further Reading
    References
Chapter 2. Programming Survival Skills
    C Programming Language
        Basic C Language Constructs
        Lab 2-1: Format Strings
        Lab 2-2: Loops
        Lab 2-3: if/else
        Sample Programs
        Lab 2-4: hello.c
        Lab 2-5: meet.c
        Compiling with gcc
        Lab 2-6: Compiling meet.c
    Computer Memory
        Random Access Memory
        Endian
        Segmentation of Memory
        Programs in Memory
        Buffers
        Strings in Memory
        Pointers
        Putting the Pieces of Memory Together
        Lab 2-7: memory.c
    Intel Processors
        Registers
    Assembly Language Basics
        Machine vs. Assembly vs. C
        AT&T vs. NASM
        Addressing Modes
        Assembly File Structure
        Lab 2-8: Simple Assembly Program
    Debugging with gdb
        gdb Basics
        Lab 2-9: Debugging
        Lab 2-10: Disassembly with gdb
    Python Survival Skills
        Getting Python
        Lab 2-11: Launching Python
        Lab 2-12: “Hello, World!” in Python
        Python Objects
        Lab 2-13: Strings
        Lab 2-14: Numbers
        Lab 2-15: Lists
        Lab 2-16: Dictionaries
        Lab 2-17: Files with Python
        Lab 2-18: Sockets with Python
    Summary
    For Further Reading
    References
Chapter 3. Linux Exploit Development Tools
    Binary, Dynamic Information-Gathering Tools
        Lab 3-1: Hello.c
        Lab 3-2: ldd
        Lab 3-3: objdump
        Lab 3-4: strace
        Lab 3-5: ltrace
        Lab 3-6: checksec
        Lab 3-7: libc-database
        Lab 3-8: patchelf
        Lab 3-9: one_gadget
        Lab 3-10: Ropper
    Extending gdb with Python
    Pwntools CTF Framework and Exploit Development Library
        Summary of Features
        Lab 3-11: leak-bof.c
    HeapME (Heap Made Easy) Heap Analysis and Collaboration Tool
        Installing HeapME
        Lab 3-12: heapme_demo.c
    Summary
    For Further Reading
    References
Chapter 4. Introduction to Ghidra
    Creating Our First Project
    Installation and QuickStart
        Setting the Project Workspace
        Functionality Overview
        Lab 4-1: Improving Readability with Annotations
        Lab 4-2: Binary Diffing and Patch Analysis
    Summary
    For Further Reading
    References
Chapter 5. IDA Pro
    Introduction to IDA Pro for Reverse Engineering
    What Is Disassembly?
    Navigating IDA Pro
    IDA Pro Features and Functionality
        Cross-References (Xrefs)
        Function Calls
        Proximity Browser
        Opcodes and Addressing
        Shortcuts
        Comments
    Debugging with IDA Pro
    Summary
    For Further Reading
    References
Part II. Ethical Hacking
Chapter 6. Red and Purple Teams
    Introduction to Red Teams
        Vulnerability Scanning
        Validated Vulnerability Scanning
        Penetration Testing
        Threat Simulation and Emulation
        Purple Team
    Making Money with Red Teaming
        Corporate Red Teaming
        Consultant Red Teaming
    Purple Team Basics
        Purple Team Skills
        Purple Team Activities
    Summary
    For Further Reading
    References
Chapter 7. Command and Control (C2)
    Command and Control Systems
        Metasploit
        Lab 7-1: Creating a Shell with Metasploit
        PowerShell Empire
        Covenant
        Lab 7-2: Using Covenant C2
    Payload Obfuscation
        msfvenom and Obfuscation
        Lab 7-3: Obfuscating Payloads with msfvenom
        Creating C# Launchers
        Lab 7-4: Compiling and Testing C# Launchers
        Creating Go Launchers
        Lab 7-5: Compiling and Testing Go Launchers
        Creating Nim Launchers
        Lab 7-6: Compiling and Testing Nim Launchers
    Network Evasion
        Encryption
        Alternate Protocols
        C2 Templates
    EDR Evasion
        Killing EDR Products
        Bypassing Hooks
    Summary
    For Further Reading
Chapter 8. Building a Threat Hunting Lab
    Threat Hunting and Labs
        Options of Threat Hunting Labs
        Method for the Rest of this Chapter
    Basic Threat Hunting Lab: DetectionLab
        Prerequisites
        Lab 8-1: Install the Lab on Your Host
        Lab 8-2: Install the Lab in the Cloud
        Lab 8-3: Looking Around the Lab
    Extending Your Lab
        HELK
        Lab 8-4: Install HELK
        Lab 8-5: Install Winlogbeat
        Lab 8-6: Kibana Basics
        Lab 8-7: Mordor
    Summary
    For Further Reading
    References
Chapter 9. Introduction to Threat Hunting
    Threat Hunting Basics
        Types of Threat Hunting
        Workflow of a Threat Hunt
    Normalizing Data Sources with OSSEM
        Data Sources
        OSSEM to the Rescue
    Data-Driven Hunts Using OSSEM
        MITRE ATT&CK Framework Refresher: T1003.002
        Lab 9-1: Visualizing Data Sources with OSSEM
        Lab 9-2: AtomicRedTeam Attacker Emulation
    Exploring Hypothesis-Driven Hunts
        Lab 9-3: Hypothesis that Someone Copied a SAM File
        Crawl, Walk, Run
    Enter Mordor
        Lab 9-4: Hypothesis that Someone Other than an Admin Launched PowerShell
    Threat Hunter Playbook
        Departure from HELK for Now
        Spark and Jupyter
        Lab 9-5: Automated Playbooks and Sharing of Analytics
    Summary
    For Further Reading
    References
Part III. Hacking Systems
Chapter 10. Basic Linux Exploits
    Stack Operations and Function-Calling Procedures
    Buffer Overflows
        Lab 10-1: Overflowing meet.c
        Ramifications of Buffer Overflows
    Local Buffer Overflow Exploits
        Lab 10-2: Components of the Exploit
        Lab 10-3: Exploiting Stack Overflows from the Command Line
        Lab 10-4: Writing the Exploit with Pwntools
        Lab 10-5: Exploiting Small Buffers
    Exploit Development Process
        Lab 10-6: Building Custom Exploits
    Summary
    For Further Reading
Chapter 11. Advanced Linux Exploits
        Lab 11-1: Vulnerable Program and Environment Setup
        Lab 11-2: Bypassing Non-Executable Stack (NX) with Return-Oriented Programming (ROP)
        Lab 11-3: Defeating Stack Canaries
        Lab 11-4: ASLR Bypass with an Information Leak
        Lab 11-5: PIE Bypass with an Information Leak
    Summary
    For Further Reading
    References
Chapter 12. Linux Kernel Exploits
        Lab 12-1: Environment Setup and Vulnerable procfs Module
        Lab 12-2: ret2usr
        Lab 12-3: Defeating Stack Canaries
        Lab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI)
        Lab 12-5: Bypassing Supervisor Mode Access Prevention (SMAP)
        Lab 12-6: Defeating Kernel Address Space Layout Randomization (KASLR)
    Summary
    For Further Reading
    References
Chapter 13. Basic Windows Exploitation
    Compiling and Debugging Windows Programs
        Lab 13-1: Compiling on Windows
        Debugging on Windows with Immunity Debugger
        Lab 13-2: Crashing the Program
    Writing Windows Exploits
        Exploit Development Process Review
        Lab 13-3: Exploiting ProSSHD Server
    Understanding Structured Exception Handling
        Understanding and Bypassing Common Windows Memory Protections
        Safe Structured Exception Handling
        Bypassing SafeSEH
    Data Execution Prevention
        Return-Oriented Programming
        Gadgets
        Building the ROP Chain
    Summary
    For Further Reading
    References
Chapter 14. Windows Kernel Exploitation
    The Windows Kernel
    Kernel Drivers
    Kernel Debugging
        Lab 14-1: Setting Up Kernel Debugging
    Picking a Target
        Lab 14-2: Obtaining the Target Driver
        Lab 14-3: Reverse Engineering the Driver
        Lab 14-4: Interacting with the Driver
    Token Stealing
        Lab 14-5: Arbitrary Pointer Read/Write
        Lab 14-6: Writing a Kernel Exploit
    Summary
    For Further Reading
    References
Chapter 15. PowerShell Exploitation
    Why PowerShell
        Living off the Land
        PowerShell Logging
        PowerShell Portability
    Loading PowerShell Scripts
        Lab 15-1: The Failure Condition
        Lab 15-2: Passing Commands on the Command Line
        Lab 15-3: Encoded Commands
        Lab 15-4: Bootstrapping via the Web
    Exploitation and Post-Exploitation with PowerSploit
        Lab 15-5: Setting Up PowerSploit
        Lab 15-6: Running Mimikatz Through PowerShell
    Using PowerShell Empire for C2
        Lab 15-7: Setting Up Empire
        Lab 15-8: Staging an Empire C2
        Lab 15-9: Using Empire to Own the System
        Lab 15-10: Using WinRM to Launch Empire
    Summary
    For Further Reading
    Reference
Chapter 16. Getting Shells Without Exploits
    Capturing Password Hashes
        Understanding LLMNR and NBNS
        Understanding Windows NTLMv1 and NTLMv2 Authentication
        Using Responder
        Lab 16-1: Getting Passwords with Responder
    Using Winexe
        Lab 16-2: Using Winexe to Access Remote Systems
        Lab 16-3: Using Winexe to Gain Elevated Privileges
    Using WMI
        Lab 16-4: Querying System Information with WMI
        Lab 16-5: Executing Commands with WMI
    Taking Advantage of WinRM
        Lab 16-6: Executing Commands with WinRM
        Lab 16-7: Using Evil-WinRM to Execute Code
    Summary
    For Further Reading
    Reference
Chapter 17. Post-Exploitation in Modern Windows Environments
    Post-Exploitation
        Host Recon
        Lab 17-1: Using whoami to Identify Privileges
        Lab 17-2: Using Seatbelt to Find User Information
        Lab 17-3: System Recon with PowerShell
        Lab 17-4: System Recon with Seatbelt
        Lab 17-5: Getting Domain Information with PowerShell
        Lab 17-6: Using PowerView for AD Recon
        Lab 17-7: Gathering AD Data with SharpHound
        Escalation
        Lab 17-8: Profiling Systems with winPEAS
        Lab 17-9: Using SharpUp to Escalate Privileges
        Lab 17-10: Searching for Passwords in User Objects
        Lab 17-11: Abusing Kerberos to Gather Credentials
        Lab 17-12: Abusing Kerberos to Escalate Privileges
    Active Directory Persistence
        Lab 17-13: Abusing AdminSDHolder
        Lab 17-14: Abusing SIDHistory
    Summary
    For Further Reading
Chapter 18. Next-Generation Patch Exploitation
    Introduction to Binary Diffing
        Application Diffing
        Patch Diffing
    Binary Diffing Tools
        BinDiff
        turbodiff
        Lab 18-1: Our First Diff
    Patch Management Process
        Microsoft Patch Tuesday
        Obtaining and Extracting Microsoft Patches
    Summary
    For Further Reading
    References
Part IV. Hacking IoT
Chapter 19. Internet of Things to Be Hacked
    Internet of Things (IoT)
        Types of Connected Things
        Wireless Protocols
        Communication Protocols
        Security Concerns
    Shodan IoT Search Engine
        Web Interface
        Shodan Command-Line Interface
        Lab 19-1: Using the Shodan Command Line
        Shodan API
        Lab 19-2: Testing the Shodan API
        Lab 19-3: Playing with MQTT
        Implications of this Unauthenticated Access to MQTT
    IoT Worms: It Was a Matter of Time
        Prevention
    Summary
    For Further Reading
    References
Chapter 20. Dissecting Embedded Devices
    CPU
        Microprocessor
        Microcontrollers
        System on Chip
        Common Processor Architectures
    Serial Interfaces
        UART
        SPI
        I2C
    Debug Interfaces
        JTAG
        SWD
    Software
        Bootloader
        No Operating System
        Real-Time Operating System
        General Operating System
    Summary
    For Further Reading
    References
Chapter 21. Exploiting Embedded Devices
    Static Analysis of Vulnerabilities in Embedded Devices
        Lab 21-1: Analyzing the Update Package
        Lab 21-2: Performing Vulnerability Analysis
    Dynamic Analysis with Hardware
        The Test Environment Setup
        Ettercap
    Dynamic Analysis with Emulation
        FirmAE
        Lab 21-3: Setting Up FirmAE
        Lab 21-4: Emulating Firmware
        Lab 21-5: Exploiting Firmware
    Summary
    For Further Reading
    References
Chapter 22. Software-Defined Radio
    Getting Started with SDR
        What to Buy
        Not So Quick: Know the Rules
    Learn by Example
        Search
        Capture
        Replay
        Analyze
        Preview
        Execute
    Summary
    For Further Reading
Part V. Hacking Hypervisors
Chapter 23. Hypervisors 101
    What Is a Hypervisor?
        Popek and Goldberg Virtualization Theorems
        Goldberg’s Hardware Virtualizer
        Type-1 and Type-2 VMMs
    x86 Virtualization
        Dynamic Binary Translation
        Ring Compression
        Shadow Paging
        Paravirtualization
    Hardware Assisted Virtualization
        VMX
        EPT
    Summary
    References
Chapter 24. Creating a Research Framework
    Hypervisor Attack Surface
    The Unikernel
        Lab 24-1: Booting and Communication
        Lab 24-2: Communication Protocol
        Boot Message Implementation
        Handling Requests
    The Client (Python)
        Communication Protocol (Python)
        Lab 24-3: Running the Guest (Python)
        Lab 24-4: Code Injection (Python)
    Fuzzing
        The Fuzzer Base Class
        Lab 24-5: IO-Ports Fuzzer
        Lab 24-6: MSR Fuzzer
        Lab 24-7: Exception Handling
        Fuzzing Tips and Improvements
    Summary
    References
Chapter 25. Inside Hyper-V
    Environment Setup
    Hyper-V Architecture
        Hyper-V Components
        Virtual Trust Levels
        Generation-1 VMs
        Lab 25-1: Scanning PCI Devices in a Generation-1 V

Dr. Allen Harper, CISSP, is the founder of N2NetSecurity, Inc.; former EVP and chief hacker at Tangible Security; former program director at Liberty University; and now serves as EVP of Cybersecurity at T-Rex Solutions LLC.

Ryan Linn has over 20 years in the security industry, ranging from systems programmer to corporate security, to leading a global cybersecurity consultancy.

Stephen Sims is an industry expert with over 15 years of experience in information technology and security. He currently works as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing.

Michael Baucom has over 25 years of industry experience ranging from embedded systems development to leading the product security and research division at Tangible Security.

Huáscar Tejeda is the co-founder and CEO of F2TC Cyber Security. He is a seasoned cybersecurity professional with more than 20 years of experience and notable achievements in IT and telecommunications, developing carrier-grade security solutions and business-critical components for multiple broadband providers. He is also a member of the SANS Latin America Advisory Group and the SANS Purple Team Summit Advisory Board, and a contributing author of the SANS Institute's most advanced course, SEC760: Advanced Exploit Development for Penetration Testers.

Daniel Fernandez is a security researcher with more than 15 years of experience in the field. His focus over the last years has been hypervisor exploitation; before that he mostly exploited Windows and Linux kernels.

Moses Frost is an author and instructor at the SANS Institute. His technology interests include web applications, Linux systems administration and design, and designing hacking challenges. He currently works at McAfee.
