Title Page....4
Copyright Page....5
Contents....16
Preface....36
Acknowledgments....37
Introduction....40
Part I Preparation....44
Chapter 1 Gray Hat Hacking....45
Gray Hat Hacking Overview....45
History of Hacking....46
Ethics and Hacking....49
Definition of Gray Hat Hacking....49
History of Ethical Hacking....50
History of Vulnerability Disclosure....51
Bug Bounty Programs....57
Know the Enemy: Black Hat Hacking....59
Advanced Persistent Threats....60
Lockheed Martin Cyber Kill Chain....60
Courses of Action for the Cyber Kill Chain....64
MITRE ATT&CK Framework....66
Summary....71
For Further Reading....72
References....72
Chapter 2 Programming Survival Skills....77
C Programming Language....77
Basic C Language Constructs....78
Lab 2-1: Format Strings....83
Lab 2-2: Loops....87
Lab 2-3: if/else....89
Sample Programs....91
Lab 2-4: hello.c....91
Lab 2-5: meet.c....92
Compiling with gcc....92
Lab 2-6: Compiling meet.c....93
Computer Memory....94
Random Access Memory....95
Endian....95
Segmentation of Memory....96
Programs in Memory....97
Buffers....99
Strings in Memory....100
Pointers....100
Putting the Pieces of Memory Together....101
Lab 2-7: memory.c....101
Intel Processors....102
Registers....103
Assembly Language Basics....105
Machine vs. Assembly vs. C....105
AT&T vs. NASM....105
Addressing Modes....110
Assembly File Structure....111
Lab 2-8: Simple Assembly Program....112
Debugging with gdb....113
gdb Basics....114
Lab 2-9: Debugging....114
Lab 2-10: Disassembly with gdb....116
Python Survival Skills....118
Getting Python....119
Lab 2-11: Launching Python....120
Lab 2-12: “Hello, World!” in Python....120
Python Objects....120
Lab 2-13: Strings....121
Lab 2-14: Numbers....123
Lab 2-15: Lists....125
Lab 2-16: Dictionaries....127
Lab 2-17: Files with Python....128
Lab 2-18: Sockets with Python....132
Summary....133
For Further Reading....134
References....135
Chapter 3 Linux Exploit Development Tools....136
Binary, Dynamic Information-Gathering Tools....137
Lab 3-1: Hello.c....137
Lab 3-2: ldd....138
Lab 3-3: objdump....139
Lab 3-4: strace....141
Lab 3-5: ltrace....143
Lab 3-6: checksec....143
Lab 3-7: libc-database....145
Lab 3-8: patchelf....147
Lab 3-9: one_gadget....148
Lab 3-10: Ropper....149
Extending gdb with Python....150
Pwntools CTF Framework and Exploit Development Library....151
Summary of Features....151
Lab 3-11: leak-bof.c....152
HeapME (Heap Made Easy) Heap Analysis and Collaboration Tool....155
Installing HeapME....156
Lab 3-12: heapme_demo.c....156
Summary....159
For Further Reading....160
References....160
Chapter 4 Introduction to Ghidra....161
Creating Our First Project....161
Installation and QuickStart....162
Setting the Project Workspace....163
Functionality Overview....163
Lab 4-1: Improving Readability with Annotations....174
Lab 4-2: Binary Diffing and Patch Analysis....180
Summary....186
For Further Reading....187
References....187
Chapter 5 IDA Pro....188
Introduction to IDA Pro for Reverse Engineering....188
What Is Disassembly?....189
Navigating IDA Pro....193
IDA Pro Features and Functionality....200
Cross-References (Xrefs)....201
Function Calls....202
Proximity Browser....204
Opcodes and Addressing....206
Shortcuts....208
Comments....209
Debugging with IDA Pro....210
Summary....218
For Further Reading....219
References....219
Part II Ethical Hacking....221
Chapter 6 Red and Purple Teams....222
Introduction to Red Teams....222
Vulnerability Scanning....225
Validated Vulnerability Scanning....226
Penetration Testing....227
Threat Simulation and Emulation....235
Purple Team....240
Making Money with Red Teaming....241
Corporate Red Teaming....241
Consultant Red Teaming....242
Purple Team Basics....244
Purple Team Skills....244
Purple Team Activities....247
Summary....247
For Further Reading....248
References....249
Chapter 7 Command and Control (C2)....251
Command and Control Systems....251
Metasploit....253
Lab 7-1: Creating a Shell with Metasploit....254
PowerShell Empire....258
Covenant....259
Lab 7-2: Using Covenant C2....259
Payload Obfuscation....266
msfvenom and Obfuscation....266
Lab 7-3: Obfuscating Payloads with msfvenom....266
Creating C# Launchers....273
Lab 7-4: Compiling and Testing C# Launchers....274
Creating Go Launchers....276
Lab 7-5: Compiling and Testing Go Launchers....277
Creating Nim Launchers....280
Lab 7-6: Compiling and Testing Nim Launchers....281
Network Evasion....284
Encryption....284
Alternate Protocols....285
C2 Templates....286
EDR Evasion....287
Killing EDR Products....288
Bypassing Hooks....289
Summary....290
For Further Reading....290
Chapter 8 Building a Threat Hunting Lab....292
Threat Hunting and Labs....292
Options of Threat Hunting Labs....292
Method for the Rest of This Chapter....293
Basic Threat Hunting Lab: DetectionLab....294
Prerequisites....294
Lab 8-1: Install the Lab on Your Host....295
Lab 8-2: Install the Lab in the Cloud....299
Lab 8-3: Looking Around the Lab....304
Extending Your Lab....304
HELK....305
Lab 8-4: Install HELK....305
Lab 8-5: Install Winlogbeat....308
Lab 8-6: Kibana Basics....310
Lab 8-7: Mordor....315
Summary....317
For Further Reading....317
References....318
Chapter 9 Introduction to Threat Hunting....321
Threat Hunting Basics....321
Types of Threat Hunting....322
Workflow of a Threat Hunt....324
Normalizing Data Sources with OSSEM....325
Data Sources....326
OSSEM to the Rescue....326
Data-Driven Hunts Using OSSEM....327
MITRE ATT&CK Framework Refresher: T1003.002....328
Lab 9-1: Visualizing Data Sources with OSSEM....328
Lab 9-2: AtomicRedTeam Attacker Emulation....333
Exploring Hypothesis-Driven Hunts....337
Lab 9-3: Hypothesis that Someone Copied a SAM File....338
Crawl, Walk, Run....340
Enter Mordor....341
Lab 9-4: Hypothesis that Someone Other than an Admin Launched PowerShell....341
Threat Hunter Playbook....347
Departure from HELK for Now....348
Spark and Jupyter....349
Lab 9-5: Automated Playbooks and Sharing of Analytics....350
Summary....355
For Further Reading....356
References....356
Part III Hacking Systems....359
Chapter 10 Basic Linux Exploits....360
Stack Operations and Function-Calling Procedures....361
Buffer Overflows....363
Lab 10-1: Overflowing meet.c....366
Ramifications of Buffer Overflows....371
Local Buffer Overflow Exploits....372
Lab 10-2: Components of the Exploit....373
Lab 10-3: Exploiting Stack Overflows from the Command Line....375
Lab 10-4: Writing the Exploit with Pwntools....377
Lab 10-5: Exploiting Small Buffers....378
Exploit Development Process....381
Lab 10-6: Building Custom Exploits....381
Summary....389
For Further Reading....389
Chapter 11 Advanced Linux Exploits....391
Lab 11-1: Vulnerable Program and Environment Setup....391
Lab 11-2: Bypassing Non-Executable Stack (NX) with Return-Oriented Programming (ROP)....395
Lab 11-3: Defeating Stack Canaries....401
Lab 11-4: ASLR Bypass with an Information Leak....406
Lab 11-5: PIE Bypass with an Information Leak....409
Summary....412
For Further Reading....412
References....412
Chapter 12 Linux Kernel Exploits....414
Lab 12-1: Environment Setup and Vulnerable procfs Module....415
Lab 12-2: ret2usr....419
Lab 12-3: Defeating Stack Canaries....423
Lab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI)....427
Lab 12-5: Bypassing Supervisor Mode Access Prevention (SMAP)....431
Lab 12-6: Defeating Kernel Address Space Layout Randomization (KASLR)....435
Summary....438
For Further Reading....439
References....439
Chapter 13 Basic Windows Exploitation....440
Compiling and Debugging Windows Programs....441
Lab 13-1: Compiling on Windows....441
Debugging on Windows with Immunity Debugger....446
Lab 13-2: Crashing the Program....450
Writing Windows Exploits....455
Exploit Development Process Review....456
Lab 13-3: Exploiting ProSSHD Server....456
Understanding Structured Exception Handling....473
Understanding and Bypassing Common Windows Memory Protections....476
Safe Structured Exception Handling....477
Bypassing SafeSEH....478
Data Execution Prevention....481
Return-Oriented Programming....481
Gadgets....482
Building the ROP Chain....483
Summary....490
For Further Reading....491
References....491
Chapter 14 Windows Kernel Exploitation....493
The Windows Kernel....493
Kernel Drivers....495
Kernel Debugging....498
Lab 14-1: Setting Up Kernel Debugging....499
Picking a Target....501
Lab 14-2: Obtaining the Target Driver....502
Lab 14-3: Reverse Engineering the Driver....503
Lab 14-4: Interacting with the Driver....510
Token Stealing....517
Lab 14-5: Arbitrary Pointer Read/Write....520
Lab 14-6: Writing a Kernel Exploit....522
Summary....527
For Further Reading....528
References....529
Chapter 15 PowerShell Exploitation....530
Why PowerShell....530
Living off the Land....530
PowerShell Logging....531
PowerShell Portability....533
Loading PowerShell Scripts....534
Lab 15-1: The Failure Condition....534
Lab 15-2: Passing Commands on the Command Line....536
Lab 15-3: Encoded Commands....538
Lab 15-4: Bootstrapping via the Web....540
Exploitation and Post-Exploitation with PowerSploit....543
Lab 15-5: Setting Up PowerSploit....543
Lab 15-6: Running Mimikatz Through PowerShell....546
Using PowerShell Empire for C2....548
Lab 15-7: Setting Up Empire....549
Lab 15-8: Staging an Empire C2....550
Lab 15-9: Using Empire to Own the System....551
Lab 15-10: Using WinRM to Launch Empire....554
Summary....559
For Further Reading....559
Reference....560
Chapter 16 Getting Shells Without Exploits....561
Capturing Password Hashes....561
Understanding LLMNR and NBNS....562
Understanding Windows NTLMv1 and NTLMv2 Authentication....563
Using Responder....565
Lab 16-1: Getting Passwords with Responder....567
Using Winexe....572
Lab 16-2: Using Winexe to Access Remote Systems....573
Lab 16-3: Using Winexe to Gain Elevated Privileges....575
Using WMI....576
Lab 16-4: Querying System Information with WMI....576
Lab 16-5: Executing Commands with WMI....580
Taking Advantage of WinRM....583
Lab 16-6: Executing Commands with WinRM....583
Lab 16-7: Using Evil-WinRM to Execute Code....584
Summary....588
For Further Reading....588
Reference....589
Chapter 17 Post-Exploitation in Modern Windows Environments....590
Post-Exploitation....590
Host Recon....591
Lab 17-1: Using whoami to Identify Privileges....592
Lab 17-2: Using Seatbelt to Find User Information....596
Lab 17-3: System Recon with PowerShell....598
Lab 17-4: System Recon with Seatbelt....602
Lab 17-5: Getting Domain Information with PowerShell....604
Lab 17-6: Using PowerView for AD Recon....609
Lab 17-7: Gathering AD Data with SharpHound....611
Escalation....613
Lab 17-8: Profiling Systems with winPEAS....613
Lab 17-9: Using SharpUp to Escalate Privileges....615
Lab 17-10: Searching for Passwords in User Objects....617
Lab 17-11: Abusing Kerberos to Gather Credentials....618
Lab 17-12: Abusing Kerberos to Escalate Privileges....620
Active Directory Persistence....625
Lab 17-13: Abusing AdminSDHolder....625
Lab 17-14: Abusing SIDHistory....628
Summary....630
For Further Reading....631
Chapter 18 Next-Generation Patch Exploitation....632
Introduction to Binary Diffing....632
Application Diffing....633
Patch Diffing....634
Binary Diffing Tools....635
BinDiff....637
turbodiff....640
Lab 18-1: Our First Diff....642
Patch Management Process....647
Microsoft Patch Tuesday....647
Obtaining and Extracting Microsoft Patches....649
Summary....663
For Further Reading....664
References....665
Part IV Hacking IoT....666
Chapter 19 Internet of Things to Be Hacked....667
Internet of Things (IoT)....667
Types of Connected Things....668
Wireless Protocols....669
Communication Protocols....671
Security Concerns....671
Shodan IoT Search Engine....672
Web Interface....672
Shodan Command-Line Interface....677
Lab 19-1: Using the Shodan Command Line....678
Shodan API....679
Lab 19-2: Testing the Shodan API....679
Lab 19-3: Playing with MQTT....681
Implications of This Unauthenticated Access to MQTT....682
IoT Worms: It Was a Matter of Time....684
Prevention....685
Summary....685
For Further Reading....685
References....686
Chapter 20 Dissecting Embedded Devices....689
CPU....690
Microprocessor....690
Microcontrollers....690
System on Chip....691
Common Processor Architectures....691
Serial Interfaces....692
UART....693
SPI....700
I2C....703
Debug Interfaces....704
JTAG....705
SWD....708
Software....710
Bootloader....710
No Operating System....712
Real-Time Operating System....713
General Operating System....714
Summary....715
For Further Reading....716
References....717
Chapter 21 Exploiting Embedded Devices....719
Static Analysis of Vulnerabilities in Embedded Devices....719
Lab 21-1: Analyzing the Update Package....720
Lab 21-2: Performing Vulnerability Analysis....727
Dynamic Analysis with Hardware....734
The Test Environment Setup....734
Ettercap....735
Dynamic Analysis with Emulation....741
FirmAE....741
Lab 21-3: Setting Up FirmAE....741
Lab 21-4: Emulating Firmware....742
Lab 21-5: Exploiting Firmware....747
Summary....749
For Further Reading....749
References....750
Chapter 22 Software-Defined Radio....751
Getting Started with SDR....751
What to Buy....752
Not So Quick: Know the Rules....754
Learn by Example....754
Search....755
Capture....757
Replay....760
Analyze....765
Preview....776
Execute....779
Summary....780
For Further Reading....781
Part V Hacking Hypervisors....782
Chapter 23 Hypervisors....783
What Is a Hypervisor?....784
Popek and Goldberg Virtualization Theorems....784
Goldberg’s Hardware Virtualizer....788
Type-1 and Type-2 VMMs....791
x86 Virtualization....792
Dynamic Binary Translation....794
Ring Compression....795
Shadow Paging....797
Paravirtualization....800
Hardware Assisted Virtualization....802
VMX....802
EPT....805
Summary....808
References....808
Chapter 24 Creating a Research Framework....811
Hypervisor Attack Surface....812
The Unikernel....814
Lab 24-1: Booting and Communication....815
Lab 24-2: Communication Protocol....819
Boot Message Implementation....828
Handling Requests....831
The Client (Python)....833
Communication Protocol (Python)....833
Lab 24-3: Running the Guest (Python)....839
Lab 24-4: Code Injection (Python)....840
Fuzzing....846
The Fuzzer Base Class....846
Lab 24-5: IO-Ports Fuzzer....848
Lab 24-6: MSR Fuzzer....851
Lab 24-7: Exception Handling....854
Fuzzing Tips and Improvements....856
Summary....857
References....857
Chapter 25 Inside Hyper-V....859
Environment Setup....860
Hyper-V Architecture....862
Hyper-V Components....863
Virtual Trust Levels....866
Generation-1 VMs....868
Lab 25-1: Scanning PCI Devices in a Generation-1 VM....868
Generation-2 VMs....870
Lab 25-2: Scanning PCI Devices in a Generation-2 VM....870
Hyper-V Synthetic Interface....871
Synthetic MSRs....871
Lab 25-3: Setting Up the Hypercall Page and Dumping Its Contents....873
Hypercalls....879
VMBus....884
Lab 25-4: Listing VMBus Devices....888
Summary....896
For Further Reading....896
References....897
Chapter 26 Hacking Hypervisors Case Study....899
Bug Analysis....900
USB Basics....900
Lab 26-1: Patch Analysis Using GitHub API....904
Developing a Trigger....907
Setting Up the Target....907
Lab 26-2: Scanning the PCI Bus....908
The EHCI Controller....910
Triggering the Bug....912
Lab 26-3: Running the Trigger....916
Exploitation....917
Relative Write Primitive....918
Relative Read Primitive....919
Lab 26-4: Debugging the Relative Read Primitive....921
Arbitrary Read....924
Full Address-Space Leak Primitive....925
Module Base Leak....928
RET2LIB....929
Lab 26-5: Finding Function Pointers with GDB....929
Lab 26-6: Displaying IRQState with GDB....932
Lab 26-7: Launching the Exploit....934
Summary....934
For Further Reading....935
References....935
Part VI Hacking the Cloud....936
Chapter 27 Hacking in Amazon Web Services....937
Amazon Web Services....938
Services, Locations, and Infrastructure....938
How Authorization Works in AWS....939
Abusing AWS Best Practices....942
Lab 27-1: Environment Setup....944
Abusing Authentication Controls....945
Types of Keys and Key Material....945
Lab 27-2: Finding AWS Keys....946
Attacker Tools....952
Lab 27-3: Enumerating Permissions....954
Lab 27-4: Leveraging Access to Perform Unauthorized Actions....957
Lab 27-5: Persistence Through System Internals....960
Summary....964
For Further Reading....965
References....965
Chapter 28 Hacking in Azure....967
Microsoft Azure....968
Differences Between Azure and AWS....969
Lab 28-1: Setup of Our Labs....970
Lab 28-2: Additional User Steps....973
Lab 28-3: Validating Access....976
Microsoft Azure AD Overview....977
Azure Permissions....978
Constructing an Attack on Azure-Hosted Systems....980
Lab 28-4: Azure AD User Lookups....981
Lab 28-5: Azure AD Password Spraying....985
Lab 28-6: Getting onto Azure....987
Control Plane and Managed Identities....988
Lab 28-7: System Assigned Identities....989
Lab 28-8: Getting a Backdoor on a Node....992
Summary....993
For Further Reading....994
References....994
Chapter 29 Hacking Containers....995
Linux Containers....996
Container Internals....996
Cgroups....997
Lab 29-1: Setup of Our Environment....997
Lab 29-2: Looking at Cgroups....998
Namespaces....1002
Storage....1003
Lab 29-3: Container Storage....1005
Applications....1008
What Is Docker?....1010
Lab 29-4: Looking for Docker Daemons....1010
Container Security....1012
Lab 29-5: Interacting with the Docker API....1013
Lab 29-6: Executing Commands Remotely....1013
Lab 29-7: Pivots....1016
Breaking Out of Containers....1017
Capabilities....1018
Lab 29-8: Privileged Pods....1018
Lab 29-9: Abusing Cgroups....1020
Summary....1023
For Further Reading....1024
References....1025
Chapter 30 Hacking on Kubernetes....1027
Kubernetes Architecture....1028
Fingerprinting Kubernetes API Servers....1030
Lab 30-1: Cluster Setup....1030
Finding Kubernetes API Servers....1033
Lab 30-2: Fingerprinting Kubernetes Servers....1035
Hacking Kubernetes from Within....1038
Lab 30-3: Kubestriker....1040
Lab 30-4: Attacking from Within....1044
Lab 30-5: Attacking the API Server....1049
Summary....1054
For Further Reading....1055
References....1055
Index....1056
Up-to-date strategies for thwarting the latest, most insidious network attacks
This fully updated, industry-standard security resource shows, step by step, how to fortify computer networks by learning and applying effective ethical hacking techniques. Based on curricula developed by the authors at major security conferences and colleges, the book features actionable planning and analysis methods as well as practical steps for identifying and combating both targeted and opportunistic attacks.
Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition clearly explains the enemy’s devious weapons, skills, and tactics and offers field-tested remedies, case studies, and testing labs. You will get complete coverage of Internet of Things, mobile, and cloud security along with penetration testing, malware analysis, and reverse engineering techniques. State-of-the-art malware, ransomware, and system exploits are thoroughly explained.