Gray Hat Hacking - Internet Archive

Transcription

Gray Hat Hacking, Third Edition Reviews

“Bigger, better, and more thorough, the Gray Hat Hacking series is one that I’ve enjoyed from the start. Always right on time information, always written by experts. The Third Edition is a must-have update for new and continuing security experts.”
—Jared D. DeMott, Principle Security Researcher, Crucial Security, Inc.

“This book is a great reference for penetration testers and researchers who want to step up and broaden their skills in a wide range of IT security disciplines.”
—Peter Van Eeckhoutte (corelanc0d3r), Founder, Corelan Team

“I am often asked by people how to get started in the InfoSec world, and I point people to this book. In fact, if someone is an expert in one arena and needs a leg up in another, I still point them to this book. This is one book that should be in every security professional’s library—the coverage is that good.”
—Simple Nomad, Hacker

“The Third Edition of Gray Hat Hacking builds upon a well-established foundation to bring even deeper insight into the tools and techniques in an ethical hacker’s arsenal. From software exploitation to SCADA attacks, this book covers it all. Gray Hat Hacking is without doubt the definitive guide to the art of computer security published in this decade.”
—Alexander Sotirov, Security Rockstar and Founder of the Pwnie Awards

“Gray Hat Hacking is an excellent ‘Hack-by-example’ book. It should be read by anyone who wants to master security topics, from physical intrusions to Windows memory protections.”
—Dr. Martin Vuagnoux, Cryptographer/Computer security expert

“Gray Hat Hacking is a must-read if you’re serious about INFOSEC. It provides a much needed map of the hacker’s digital landscape. If you’re curious about hacking or are pursuing a career in INFOSEC, this is the place to start.”
—Johnny Long, Professional Hacker, Founder of Hackers for Charity.org

Gray Hat Hacking
The Ethical Hacker’s Handbook
Third Edition

Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams

New York  Chicago  San Francisco  Lisbon  London  Madrid  Mexico City  Milan  New Delhi  San Juan  Seoul  Singapore  Sydney  Toronto

Copyright 2011 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-174256-6
MHID: 0-07-174256-5

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174255-9, MHID: 0-07-174255-7.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.




To my brothers and sisters in Christ, keep running the race. Let your light shine for Him, that others may be drawn to Him through you. —Allen Harper

To my loving and supporting husband, David Harris, who has continual patience with me as I take on all of these crazy projects! —Shon Harris

To Jessica, the most amazing and beautiful person I know. —Jonathan Ness

For my train-loving son Aaron, you bring us constant joy! —Chris Eagle

To Vincent Freeman, although I did not know you long, life has blessed us with a few minutes to talk and laugh together. —Terron Williams

ABOUT THE AUTHORS

Allen Harper, CISSP, PCI QSA, is the president and owner of N2NetSecurity, Inc. in North Carolina. He retired from the Marine Corps after 20 years and a tour in Iraq. Additionally, he has served as a security analyst for the U.S. Department of the Treasury, Internal Revenue Service, and Computer Security Incident Response Center (IRS CSIRC). He regularly speaks and teaches at conferences such as Black Hat and Techno.

Shon Harris, CISSP, is the president of Logical Security, an author, educator, and security consultant. She is a former engineer of the U.S. Air Force Information Warfare unit and has published several books and articles on different disciplines within information security. Shon was also recognized as one of the top 25 women in information security by Information Security Magazine.

Jonathan Ness, CHFI, is a lead software security engineer in Microsoft’s Security Response Center (MSRC). He and his coworkers ensure that Microsoft’s security updates comprehensively address reported vulnerabilities. He also leads the technical response of Microsoft’s incident response process that is engaged to address publicly disclosed vulnerabilities and exploits targeting Microsoft software. He serves one weekend each month as a security engineer in a reserve military unit.

Chris Eagle is a senior lecturer in the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, California. A computer engineer/scientist for 25 years, his research interests include computer network attack and defense, computer forensics, and reverse/anti-reverse engineering. He can often be found teaching at Black Hat or spending late nights working on capture the flag at Defcon.

Gideon Lenkey, CISSP, is the president and co-founder of Ra Security Systems, Inc., a New Jersey–based managed services company, where he specializes in testing the information security posture of enterprise IT infrastructures. He has provided advanced training to the FBI and served as the president of the FBI’s InfraGard program in New Jersey. He has been recognized on multiple occasions by FBI director Robert Muller for his contributions and is frequently consulted by both foreign and domestic government agencies. Gideon is a regular contributor to the Internet Evolution website and a participant in the EastWest Institute’s Cybersecurity initiative.

Terron Williams, NSA IAM-IEM, CEH, CSSLP, works for Elster Electricity as a Senior Test Engineer, with a primary focus on smart grid security. He formerly worked at Nortel as a Security Test Engineer and VoIP System Integration Engineer. Terron has served on the editorial board for Hakin9 IT Security Magazine and has authored articles for it. His interests are in VoIP, exploit research, SCADA security, and emerging smart grid technologies.

Disclaimer: The views expressed in this book are those of the authors and not of the U.S. government or the Microsoft Corporation.

About the Technical Editor

Michael Baucom is the Vice President of Research and Development at N2NetSecurity, Inc., in North Carolina. He has been a software engineer for 15 years and has worked on a wide variety of software, from router forwarding code in assembly to Windows applications and services. In addition to writing software, he has worked as a security consultant performing training, source code audits, and penetration tests.

CONTENTS AT A GLANCE

Part I     Introduction to Ethical Disclosure ............................ 1
  Chapter 1   Ethics of Ethical Hacking ................................... 3
  Chapter 2   Ethical Hacking and the Legal System ....................... 23
  Chapter 3   Proper and Ethical Disclosure .............................. 47

Part II    Penetration Testing and Tools ................................ 75
  Chapter 4   Social Engineering Attacks ................................. 77
  Chapter 5   Physical Penetration Attacks ............................... 93
  Chapter 6   Insider Attacks ........................................... 109
  Chapter 7   Using the BackTrack Linux Distribution .................... 125
  Chapter 8   Using Metasploit .......................................... 141
  Chapter 9   Managing a Penetration Test ............................... 157

Part III   Exploiting ................................................. 171
  Chapter 10  Programming Survival Skills ............................... 173
  Chapter 11  Basic Linux Exploits ...................................... 201
  Chapter 12  Advanced Linux Exploits ................................... 225
  Chapter 13  Shellcode Strategies ...................................... 251
  Chapter 14  Writing Linux Shellcode ................................... 267
  Chapter 15  Windows Exploits .......................................... 297
  Chapter 16  Understanding and Detecting Content-Type Attacks .......... 341
  Chapter 17  Web Application Security Vulnerabilities .................. 361
  Chapter 18  VoIP Attacks .............................................. 379
  Chapter 19  SCADA Attacks ............................................. 395

Part IV    Vulnerability Analysis ...................................... 411
  Chapter 20  Passive Analysis .......................................... 413
  Chapter 21  Advanced Static Analysis with IDA Pro ..................... 445
  Chapter 22  Advanced Reverse Engineering .............................. 471
  Chapter 23  Client-Side Browser Exploits .............................. 495
  Chapter 24  Exploiting the Windows Access Control Model ............... 525
  Chapter 25  Intelligent Fuzzing with Sulley ........................... 579
  Chapter 26  From Vulnerability to Exploit ............................. 595
  Chapter 27  Closing the Holes: Mitigation ............................. 617

Part V     Malware Analysis ............................................ 633
  Chapter 28  Collecting Malware and Initial Analysis ................... 635
  Chapter 29  Hacking Malware ........................................... 657

Index ...................................................................... 673

CONTENTS

Preface ................................................................... xxiii
Acknowledgments ............................................................. xxv
Introduction .............................................................. xxvii

Part I     Introduction to Ethical Disclosure ............................ 1

Chapter 1  Ethics of Ethical Hacking ....................................... 3
    Why You Need to Understand Your Enemy’s Tactics ....................... 3
    Recognizing the Gray Areas in Security ................................ 8
    How Does This Stuff Relate to an Ethical Hacking Book? ............... 10
        Vulnerability Assessment ......................................... 10
        Penetration Testing .............................................. 11
    The Controversy of Hacking Books and Classes ......................... 15
        The Dual Nature of Tools ......................................... 16
        Recognizing Trouble When It Happens .............................. 18
        Emulating the Attack ............................................. 19
    Where Do Attackers Have Most of Their Fun? ........................... 19
        Security Does Not Like Complexity ................................ 20

Chapter 2  Ethical Hacking and the Legal System ........................... 23
    The Rise of Cyberlaw ................................................. 23
    Understanding Individual Cyberlaws ................................... 25
        18 USC Section 1029: The Access Device Statute ................... 25
        18 USC Section 1030 of the Computer Fraud and Abuse Act .......... 29
        18 USC Sections 2510, et. Seq., and 2701, et. Seq., of the
        Electronic Communication Privacy Act ............................. 38
        Digital Millennium Copyright Act (DMCA) .......................... 42
        Cyber Security Enhancement Act of 2002 ........................... 45
        Securely Protect Yourself Against Cyber Trespass Act (SPY Act) ... 46

Chapter 3  Proper and Ethical Disclosure .................................. 47
    Different Teams and Points of View ................................... 48
        How Did We Get Here? ............................................. 49
    CERT’s Current Process ............................................... 50
    Full Disclosure Policy—the RainForest Puppy Policy ................... 52
    Organization for Internet Safety (OIS) ............................... 54
        Discovery ........................................................ 54
        Notification ..................................................... 55
        Validation ....................................................... 57
        Resolution ....................................................... 59
        Release .......................................................... 61
    Conflicts Will Still Exist ........................................... 62
        “No More Free Bugs” .............................................. 63
    Case Studies ......................................................... 67
        Pros and Cons of Proper Disclosure Processes ..................... 67
        Vendors Paying More Attention .................................... 71
    So What Should We Do from Here on Out? ............................... 72
        iDefense and ZDI ................................................. 72

Part II    Penetration Testing and Tools ................................ 75

Chapter 4  Social Engineering Attacks ..................................... 77
    How a Social Engineering Attack Works ................................ 77
    Conducting a Social Engineering Attack ............................... 79
    Common Attacks Used in Penetration Testing ........................... 81
        The Good Samaritan ............................................... 81
        The Meeting ...................................................... 86
        Join the Company ................................................. 88
    Preparing Yourself for Face-to-Face Attacks .......................... 89
    Defending Against Social Engineering Attacks ......................... 91

Chapter 5  Physical Penetration Attacks ................................... 93
    Why a Physical Penetration Is Important .............................. 94
    Conducting a Physical Penetration .................................... 94
        Reconnaissance ................................................... 95
        Mental Preparation ............................................... 97
    Common Ways into a Building .......................................... 97
        The Smokers’ Door ................................................ 98
        Manned Checkpoints ............................................... 99
        Locked Doors .................................................... 102
        Physically Defeating Locks ...................................... 103
        Once You Are Inside ............................................. 107
    Defending Against Physical Penetrations ............................. 108

Chapter 6  Insider Attacks ............................................... 109
    Why Simulating an Insider Attack Is Important ....................... 109
    Conducting an Insider Attack ........................................ 110
        Tools and Preparation ........................................... 110
        Orientation ..................................................... 111
        Gaining Local Administrator Privileges .......................... 111
        Disabling Antivirus ............................................. 115
        Raising Cain .................................................... 116
    Defending Against Insider Attacks ................................... 123

Chapter 7  Using the BackTrack Linux Distribution ........................ 125
    BackTrack: The Big Picture .......................................... 125
    Installing BackTrack to DVD or USB Thumb Drive ...................... 126
    Using the BackTrack ISO Directly Within a Virtual Machine ........... 128
        Creating a BackTrack Virtual Machine with VirtualBox ............ 128
        Booting the BackTrack LiveDVD System ............................ 129
        Exploring the BackTrack X Windows Environment ................... 130
        Starting Network Services ....................................... 130
    Persisting Changes to Your BackTrack Installation ................... 131
        Installing Full BackTrack to Hard Drive or USB Thumb Drive ...... 131
        Creating a New ISO with Your One-time Changes ................... 134
        Using a Custom File that Automatically Saves and
        Restores Changes ................................................ 135
    Exploring the BackTrack Boot Menu ................................... 137
    Updating BackTrack .................................................. 139

Chapter 8  Using Metasploit .............................................. 141
    Metasploit: The Big Picture ......................................... 141
    Getting Metasploit .................................................. 141
    Using the Metasploit Console to Launch Exploits ..................... 142
    Exploiting Client-Side Vulnerabilities with Metasploit .............. 147
    Penetration Testing with Metasploit’s Meterpreter ................... 149
    Automating and Scripting Metasploit ................................. 155
    Going Further with Metasploit ....................................... 156

Chapter 9  Managing a Penetration Test ................................... 157
    Planning a Penetration Test
        Types of Penetration Tests
        Scope of a Penetration Test
        Locations of the Penetration Test
        Organization of the Penetration Testing Team
        Methodologies and Standards
        Phases of the Penetration Test
        Testing Plan for a Penetration Test
    Structuring a Penetration Testing Agreement
        Statement of Work
        Get-Out-of-Jail-Free Letter
    Execution of a Penetration Test
        Kickoff Meeting
        Access During the Penetration Test
        Managing Expectations
        Managing Problems
        Steady Is Fast .................................................. 164
        External and Internal Coordination .............................. 164
    Information Sharing During a Penetration Test ....................... 164
        Dradis Server ................................................... 164
    Reporting the Results of a Penetration Test ......................... 168
        Format of the Report ............................................ 169
        Out Brief of the Report ......................................... 169

Part III   Exploiting ................................................. 171

Chapter 10 Programming Survival Skills ................................... 173
    C Programming Language .............................................. 173
        Basic C Language Constructs ..................................... 173
        Sample Program
        Compiling with gcc
    Computer Memory
        Random Access Memory (RAM)
        Endian
        Segmentation of Memory
        Programs in Memory
        Buffers
        Strings in Memory
        Pointers
        Putting the Pieces of Memory Together
    Intel Processors
        Registers
    Assembly Language Basics
        Machine vs. Assembly vs. C
        AT&T vs. NASM
        Addressing Modes
        Assembly File Structure
        Assembling
    Debugging with gdb
        gdb Basics
        Disassembly with gdb
    Python Survival Skills
        Getting Python
        Hello World in Python
        Python Objects
        Strings
        Numbers
        Lists
        Dictionaries
        Files with Python
        Sockets with Python

Chapter 11 Basic Linux Exploits .......................................... 201
    Stack Operations
        Function Calling Procedure
    Buffer Overflows
        Overflow of meet.c
        Ramifications of Buffer Overflows
    Local Buffer Overflow Exploits
        Components of the Exploit . . .
