Professional Documents
Culture Documents
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
Praise for Gray Hat Hacking: The Ethical Hacker’s Handbook, Fifth
Edition
“The Gray Hat Hacking book series continue to provide an up-to-date and detailed
view on a large variety of offensive IT security disciplines. In this fifth edition, a group
of respected infosec professionals spared no effort to share their experience and
expertise on novel techniques to bypass security mechanisms.
The exploit development chapters, written by Stephen Sims, reveal in great detail
what it takes to write an exploit for modern applications. In Chapter 14, Stephen uses a
recent vulnerability in a major web browser to demystify the complexity of writing
modern exploits for heap-related memory corruptions, bypassing memory protections
along the road.
This book is a must read for anyone who wants to step up and broaden their skills in
infosec.”
—Peter Van Eeckhoutte
Corelan Team (@corelanc0d3r)
“One of the few book series where I ALWAYS buy the updated version. Learn updated
exploit-dev techniques from the best instructors in the business. The volume of new
information available to the average information security practitioner is staggering. The
authors, who are some of the best in their respective fields, help us stay up to date with
current trends and techniques. GHH’s updates on Red Team Ops, Bug Bounties,
PowerShell Techniques, and IoT & Embedded Devices are exactly what infosec
practitioners need to add to their tool kits.”
—Chris Gates
Sr. Security Engineer (Uber)
“Never before has there been so much technology to attack nor such high levels of
controls and prevention mechanisms. For example, the advancements in modern
operating systems and applications to protect against exploitation are very impressive,
yet time and time again with the right conditions they are bypassed. Amongst a litany of
modern and up-to-date techniques, Gray Hat Hacking provides detailed and informative
walkthroughs of vulnerabilities and how controls like ASLR and DEP are bypassed.
Filled with real examples you can follow if you are seeking to upgrade your
understanding of the latest hacking techniques—this is the book for you.”
||||||||||||||||||||
||||||||||||||||||||
—James Lyne
Global Research Advisor (Sophos) and Head of R&D (SANS Institute)
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
ISBN: 978-1-26-010842-2
MHID: 1-26-010842-2
The material in this eBook also appears in the print version of this title: ISBN: 978-1-
26-010841-5,
MHID: 1-26-010841-4.
All trademarks are trademarks of their respective owners. Rather than put a trademark
symbol after every occurrence of a trademarked name, we use names in an editorial
fashion only, and to the benefit of the trademark owner, with no intention of infringement
of the trademark. Where such designations appear in this book, they have been printed
with initial caps.
All trademarks or copyrights mentioned herein are the possession of their respective
owners and McGraw-Hill Education makes no claim of ownership by the mention of
products that contain these marks.
TERMS OF USE
||||||||||||||||||||
||||||||||||||||||||
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all
rights in and to the work. Use of this work is subject to these terms. Except as permitted
under the Copyright Act of 1976 and the right to store and retrieve one copy of the work,
you may not decompile, disassemble, reverse engineer, reproduce, modify, create
derivative works based upon, transmit, distribute, disseminate, sell, publish or
sublicense the work or any part of it without McGraw-Hill Education’s prior consent.
You may use the work for your own noncommercial and personal use; any other use of
the work is strictly prohibited. Your right to use the work may be terminated if you fail
to comply with these terms.
||||||||||||||||||||
||||||||||||||||||||
To my brothers and sisters in Christ, keep running the race. Let your light shine for Him,
that others may be drawn to Him through you.
—Allen Harper
Dedicado a ti mamita Adelina Arias Cruz, cuando me pregunto de donde sale mi garra
de no dejarme de nadie o el sacrificio incansable para conseguir mis metas, solo tengo
que voltear a verte, para ti no hay imposibles, te adoro!
—Daniel Regalado
To Mom, who read to me when I was little, so I could achieve the level of literacy I
needed to become an author one day.
—Ryan Linn
To my lovely wife LeAnne and my daughter Audrey, thank you for your ongoing support!
—Stephen Sims
To my lovely daughter Elysia, thank you for your unconditional love and support. You
inspire me in so many ways. I am, and will always be, your biggest fan.
—Linda Martinez
To my family and friends for their unconditional support and making this life funny and
interesting.
||||||||||||||||||||
||||||||||||||||||||
—Branko Spasojevic
To my daughter Tiernan, thank you for your support and continuous reminders to enjoy
life and learning each and every day. I look forward to seeing the wonderful woman you
will become.
—Michael Baucom
To my son Aaron, thanks for all your love while I spend too much time at the keyboard,
and thanks for sharing your joy on all the projects we work on together.
—Chris Eagle
||||||||||||||||||||
||||||||||||||||||||
Dr. Allen Harper, CISSP. In 2007, Allen Harper retired from the military as a Marine
Corps Officer after a tour in Iraq. He has more than 30 years of IT/security experience.
He holds a PhD in IT with a focus in Information Assurance and Security from Capella,
an MS in Computer Science from the Naval Postgraduate School, and a BS in Computer
Engineering from North Carolina State University. Allen led the development of the
GEN III honeywall CD-ROM, called roo, for the Honeynet Project. He has worked as a
security consultant for many Fortune 500 and government entities. His interests include
the Internet of Things, reverse engineering, vulnerability discovery, and all forms of
ethical hacking. Allen was the founder of N2NetSecurity, Inc., served as the EVP and
chief hacker at Tangible Security, and now serves the Lord at Liberty University in
Lynchburg, Virginia.
Daniel Regalado, aka Danux, is a Mexican security researcher with more than 16
years in the security field, dissecting or pen-testing malware, 0-day exploits, ATMs, IoT
devices, IV pumps, and car infotainment systems. He is a former employee of widely
respected companies like FireEye and Symantec and is currently a principal security
researcher at Zingbox. Daniel is probably best known for his multiple discoveries and
dissection of ATM malware attacking banks worldwide, with the most notorious
findings being Ploutus, Padpin, and Ripper.
Ryan Linn has over 20 years in the security industry, ranging from systems
programmer to corporate security, to leading a global cybersecurity consultancy. Ryan
has contributed to a number of open source projects, including Metasploit and the
Browser Exploitation Framework (BeEF). Ryan participates in Twitter as @sussurro,
and he has presented his research at numerous security conferences, including Black Hat
and DEF CON, and has provided training in attack techniques and forensics worldwide.
Stephen Sims is an industry expert with over 15 years of experience in information
technology and security. He currently works out of San Francisco as a consultant
performing reverse engineering, exploit development, threat modeling, and penetration
testing. Stephen has an MS in information assurance from Norwich University and is a
course author, fellow, and curriculum lead for the SANS Institute, authoring courses on
advanced exploit development and penetration testing. He has spoken at numerous
conferences, including RSA, BSides, OWASP AppSec, ThaiCERT, AISA, and many
others. He may be reached on twitter: @Steph3nSims
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
one of the top 25 women in the Information Security field by Information Security
Magazine.
Disclaimer: The views expressed in this book are those of the authors and not of
the U.S. government or any company mentioned herein.
||||||||||||||||||||
||||||||||||||||||||
CONTENTS AT A GLANCE
Part I Preparation
Chapter 1 Why Gray Hat Hacking? Ethics and Law
Chapter 2 Programming Survival Skills
Chapter 3 Next-Generation Fuzzing
Chapter 4 Next-Generation Reverse Engineering
Chapter 5 Software-Defined Radio
||||||||||||||||||||
||||||||||||||||||||
Index
||||||||||||||||||||
||||||||||||||||||||
CONTENTS
Preface
Acknowledgments
Introduction
Part I Preparation
Chapter 1 Why Gray Hat Hacking? Ethics and Law
Know Your Enemy
The Current Security Landscape
Recognizing an Attack
The Gray Hat Way
Emulating the Attack
Frequency and Focus of Testing
Evolution of Cyberlaw
Understanding Individual Cyberlaws
Summary
References
Chapter 2 Programming Survival Skills
C Programming Language
Basic C Language Constructs
Sample Program
Compiling with gcc
Computer Memory
Random Access Memory
Endian
Segmentation of Memory
Programs in Memory
Buffers
Strings in Memory
||||||||||||||||||||
||||||||||||||||||||
Pointers
Putting the Pieces of Memory Together
Intel Processors
Registers
Assembly Language Basics
Machine vs. Assembly vs. C
AT&T vs. NASM
Addressing Modes
Assembly File Structure
Assembling
Debugging with gdb
gdb Basics
Disassembly with gdb
Python Survival Skills
Getting Python
“Hello, World!” in Python
Python Objects
Strings
Numbers
Lists
Dictionaries
Files with Python
Sockets with Python
Summary
For Further Reading
References
Chapter 3 Next-Generation Fuzzing
Introduction to Fuzzing
Types of Fuzzers
Mutation Fuzzers
Generation Fuzzers
Genetic Fuzzing
Mutation Fuzzing with Peach
Lab 3-1: Mutation Fuzzing with Peach
Generation Fuzzing with Peach
Crash Analysis
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
Lessons Learned
Summary
References
Chapter 8 Purple Teaming
Introduction to Purple Teaming
Blue Team Operations
Know Your Enemy
Know Yourself
Security Program
Incident Response Program
Common Blue Teaming Challenges
Purple Teaming Operations
Decision Frameworks
Disrupting the Kill Chain
Kill Chain Countermeasure Framework
Communication
Purple Team Optimization
Summary
For Further Reading
References
Chapter 9 Bug Bounty Programs
History of Vulnerability Disclosure
Full Vendor Disclosure
Full Public Disclosure
Responsible Disclosure
No More Free Bugs
Bug Bounty Programs
Types of Bug Bounty Programs
Incentives
Controversy Surrounding Bug Bounty Programs
Popular Bug Bounty Program Facilitators
Bugcrowd in Depth
Program Owner Web Interface
Program Owner API Example
Researcher Web Interface
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
References
Chapter 17 Next-Generation Patch Exploitation
Introduction to Binary Diffing
Application Diffing
Patch Diffing
Binary Diffing Tools
BinDiff
turbodiff
Lab 17-1: Our First Diff
Patch Management Process
Microsoft Patch Tuesday
Obtaining and Extracting Microsoft Patches
Lab 17-2: Diffing MS17-010
Patch Diffing for Exploitation
DLL Side-Loading Bugs
Lab 17-3: Diffing MS16-009
Summary
For Further Reading
References
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
I2C
Debug Interfaces
JTAG
SWD (Serial Wire Debug)
Software
Bootloader
No Operating System
Real-Time Operating System
General Operating System
Summary
For Further Reading
References
Chapter 24 Exploiting Embedded Devices
Static Analysis of Vulnerabilities in Embedded Devices
Lab 24-1: Analyzing the Update Package
Lab 24-2: Performing Vulnerability Analysis
Dynamic Analysis with Hardware
The Test Environment Setup
Ettercap
Dynamic Analysis with Emulation
FIRMADYNE
Lab 24-3: Setting Up FIRMADYNE
Lab 24-4: Emulating Firmware
Lab 24-5: Exploiting Firmware
Summary
Further Reading
References
Chapter 25 Fighting IoT Malware
Physical Access to the Device
RS-232 Overview
RS-232 Pinout
Exercise 25-1: Troubleshooting a Medical Device’s RS-232
Port
Setting Up the Threat Lab
ARM and MIPS Overview
||||||||||||||||||||
||||||||||||||||||||
Index
||||||||||||||||||||
||||||||||||||||||||
PREFACE
This book has been developed by and for security professionals who are dedicated to
working in an ethical and responsible manner to improve the overall security posture of
individuals, corporations, and nations.
Technet24
||||||||||||||||||||
||||||||||||||||||||
ACKNOWLEDGMENTS
Each of the authors would like to thank the staff at McGraw-Hill Education. In
particular, we would like to thank Wendy Rinaldi and Claire Yee. You really went
above and beyond, keeping us on track and greatly helping us through the process. Your
highest levels of professionalism and tireless dedication to this project were truly
noteworthy and bring great credit to your publisher. Thanks.
Allen Harper would like to thank his wonderful wife Corann and beautiful daughters
Haley and Madison for their support and understanding as I chased yet another dream.
It is wonderful to see our family and each of us individually grow stronger in Christ
each year. Madison and Haley, I love you both dearly and am proud of the young ladies
you have become. In addition, I would like to thank the members of my former and
current employer. To the friends at Tangible Security, I am thankful for your impact on
my life—you made me better. To my brothers and sisters in Christ at Liberty University,
I am excited for the years ahead as we labor together and aim to train Champions for
Christ!
Daniel Regalado le gustaría agradecer primero a Dios por la bendición de estar
vivo, a su esposa Diana por aguantarlo, por siempre motivarlo, por festejar cada uno de
sus triunfos como si fueran de ella, por ser tan bella y atlética, te amo! A sus hijos
Fercho y Andrick por ser la luz de la casa y su motor de cada dia y finalmente pero no
menos importante a la Familia Regalado Arias: Fernando, Adelina, Susana Erwin y
Belem, sin ellos, sus triunfos no sabrían igual, los amo! Y a su Papa Fernando, hasta el
ultimo dia que respire, viviré con la esperanza de volver a abrazarte. Cape, Cone,
Rober, hermandad para siempre!
Branko Spasojevic would like to thank his family—Sanja, Sandra, Ana Marija,
Magdalena, Ilinka, Jevrem, Olga, Dragisa, Marija, and Branislav—for all the support
and knowledge they passed on.
Another big thanks goes to all my friends and colleagues who make work and play
fun. Some people who deserve special mention are Ante Gulam, Antonio, Cedric,
Clement, Domagoj, Drazen, Goran, Keith, Luka, Leon, Matko, Santiago, Tory, and
everyone in TAG, Zynamics, D&R, and Orca.
Ryan Linn would like to thank Heather for her support, encouragement, and advice as
well as his family and friends for their support and for putting up with the long hours
||||||||||||||||||||
||||||||||||||||||||
Technet24
||||||||||||||||||||
||||||||||||||||||||
INTRODUCTION
History teaches that wars begin when governments believe the price of aggression
is cheap.
—Ronald Reagan
You can’t say civilization don’t advance…in every war they kill you in a new way.
—Will Rogers
The purpose of this book is to provide individuals the information once held only by
governments and a few black hat hackers. In this day and age, individuals stand in the
breach of cyberwar, not only against black hat hackers, but sometimes against
governments. If you find yourself in this position, either alone or as a defender of your
organization, we want you to be equipped with as much knowledge of the attacker as
possible. To that end, we submit to you the mindset of the gray hat hacker, an ethical
hacker that uses offensive techniques for defensive purposes. The ethical hacker always
respects laws and the rights of others, but believes the adversary may be beat to the
punch by testing oneself first.
The authors of this book want to provide you, the reader, with something we believe
the industry and society in general needs: a holistic review of ethical hacking that is
responsible and truly ethical in its intentions and material. This is why we keep
releasing new editions of this book with a clear definition of what ethical hacking is and
is not—something our society is very confused about.
We have updated the material from the fourth edition and have attempted to deliver the
most comprehensive and up-to-date assembly of techniques, procedures, and material
with real hands-on labs that can be replicated by the readers. Thirteen new chapters are
presented, and the other chapters have been updated.
In Part I, we prepare you for the battle with all the necessary tools and techniques to
get the best understanding of the more advanced topics. This section moves quite
quickly but is necessary for those just starting out in the field and others looking to move
to the next level. This section covers the following:
||||||||||||||||||||
||||||||||||||||||||
In Part II, we discuss the business side of hacking. If you are looking to move beyond
hacking as a hobby and start paying the bills, this section is for you. If you are a
seasoned hacking professional, we hope to offer you a few tips as well. In this section,
we cover some of the softer skills required by an ethical hacker to make a living:
In Part III, we discuss the skills required to exploit systems. Each of these topics has
been covered before, but the old exploits don’t work anymore; therefore, we have
updated the discussions to work past system protections. We cover the following topics
in this section:
In Part IV, we cover advanced malware analysis. In many ways, this is the most
advanced topic in the field of cybersecurity. On the front lines of cyberwar is malware,
and we aim to equip you with the tools and techniques necessary to perform malware
analysis. In this section, we cover the following:
Technet24
||||||||||||||||||||
||||||||||||||||||||
Finally, in Part V, we are proud to discuss the topic of Internet of Things (IoT)
hacking. The Internet of Things is exploding and, unfortunately, so are the vulnerabilities
therein. In this section, we discuss these latest topics:
We do hope you will see the value of the new content that has been provided and will
also enjoy the newly updated chapters. If you are new to the field or ready to take the
next step to advance and deepen your understanding of ethical hacking, this is the book
for you.
NOTE To ensure your system is properly configured to perform the labs, we have
provided the files you will need. The lab materials and errata may be downloaded from
either the GitHub repository at https://github.com/GrayHatHacking/GHHv5 or the
publisher’s site, at www.mhprofessional.com.
||||||||||||||||||||
||||||||||||||||||||
PART I
Preparation
Technet24
||||||||||||||||||||
||||||||||||||||||||
CHAPTER 1
Why Gray Hat Hacking? Ethics and
Law
The purpose of this book is to support individuals who want to refine their ethical
hacking skills to better defend against malicious attackers. This book is not written to be
used as a tool by those who wish to perform illegal and unethical activities.
In this chapter, we discuss the following topics:
• Know your enemy: understanding your enemy’s tactics
• The gray hat way and the ethical hacking process
• The evolution of cyberlaw
The security challenges we face today will pale in comparison to those we’ll face in the
future. We already live in a world so highly integrated with technology that
cybersecurity has an impact on our financial markets, our elections, our families, and
our healthcare. Technology is advancing and the threat landscape is increasing. On the
one hand, vehicles that are capable of autonomous driving are being mass-produced as
smart cities are being developed. On the other hand, hospitals are being held for
ransom, power grids are being shut down, intellectual property and secrets are being
stolen, and cybercrime is a booming industry. In order to defend and protect our assets
and our people, we must understand the enemy and how they operate. Understanding
how attacks are performed is one of the most challenging and important aspects of
defending the technology on which we rely. After all, how can we possibly defend
ourselves against the unknown?
This book was written to provide relevant security information to those who are
dedicated to stopping cyberthreats. The only way to address today and tomorrow’s
||||||||||||||||||||
||||||||||||||||||||
• In February 2016, attackers targeted Swift, a global bank transfer system, and
fraudulently transferred $81 million from the Bangladesh Bank’s account at the
Federal Reserve Bank of New York. Most funds were not recovered after being
routed to accounts in the Philippines and diverted to casinos there.1
• In July 2016, it was discovered that the Democratic National Committee (DNC)
was compromised and damaging e-mails from officials were leaked on
WikiLeaks. The attack was attributed to two Russian adversary groups. The CIA
concluded that Russia worked during the 2016 US election to prevent Hillary
Clinton from winning the US presidency.2
• In October 2016, millions of insecure Internet of Things (IOT) cameras and
digital video recorders (DVR) were used in a distributed denial-of-service
(DDOS) attack targeting Dyn, a DNS provider. The Mirai botnet was used to take
down the likes of Twitter, Netflix, Etsy, GitHub, SoundCloud, and Spotify a month
after its source code was released to the public.3
• In December 2016, Ukraine’s capital Kiev experienced a power outage caused by
a cyberattack affecting over 225,000 people for multiple days. The attackers
sabotaged power-distribution equipment, thus complicating attempts to restore
power. The attack prompted discussions about the vulnerabilities in industrial
control systems (ICSs) and was linked to Russia.4
Technet24
||||||||||||||||||||
||||||||||||||||||||
In recent years, we’ve seen the Federal Bureau of Investigation (FBI), Department of
Homeland Security (DHS), Sony Entertainment, Equifax, Federal Deposit Insurance
Corporation (FDIC), and Internal Revenue Service (IRS) all have major breaches—
sometimes multiple large breaches. We’ve seen hospitals like the infamous Hollywood
Presbyterian Medical Center pay ransoms to be able to continue to operate. While some
attacks have a larger impact than others, on average a cyberattack costs organizations
about $4 million, with some breaches costing hundreds of millions of dollars.
The security industry is also evolving. Products designed to promote self-healing
networks competed in the first DARPA Cyber Grand Challenge. Malware solutions
based on machine learning are replacing signature-based solutions. Integrated Security
Operations Centers (ISOCs) are helping the security field collaborate. Cybersecurity
conferences, degree programs, and training are increasingly popular. The security
industry is responding to increasing cyberattacks with new tools, ideas, and
collaborations.
Attackers have different motivations. Some are financially motivated and aim to make
the biggest profit possible, some are politically motivated and aim to undermine
governments or steal state secrets, some are motivated by a social cause and are called
hacktivists, and some are angry and just want revenge.
Recognizing an Attack
When an attack occurs, there are always the same questions. How did the attacker get
in? How long have they been inside the network? What could we have done to prevent
it? Attacks can be difficult to detect, and bad actors can stay in the environment for a
prolonged amount of time. Ethical hacking helps you learn how to recognize when an
attack is underway or about to begin so you can better defend the assets you are
protecting. Some attacks are obvious. Denial-of-service and ransomware attacks
announce themselves. However, most attacks are stealth attacks intended to fly under the
radar and go unnoticed by security personnel and products alike. It is important to know
how different types of attacks take place so they can be properly recognized and
stopped.
Some attacks have precursors—activities that can warn you an attack is imminent. A
ping sweep followed by a port scan is a pretty good indication that an attack has begun
and can be used as an early warning sign. Although tools exist to help detect certain
activities, it takes a knowledgeable security professional to maintain and monitor
systems. Security tools can fail, and many can be easily bypassed. Relying on tools
alone will give you a false sense of security.
Hacking tools are just IT tools that are good when used for sanctioned purposes and
bad when used for malicious purposes. The tools are the same, just applied toward
different ends. Ethical hackers understand how these tools are used and how attacks are
||||||||||||||||||||
||||||||||||||||||||
performed, and that’s what allows them to defend against these attacks. Many tools will
be mentioned throughout this book. Tools that will help you recognize an attack are
covered specifically in Chapters 7 and 8 as well as dispersed throughout the book.
Technet24
||||||||||||||||||||
||||||||||||||||||||
about the environment and after demonstrating that you can penetrate the environment
you are given information to make your efforts more efficient.
Also, the nature and duration of tests will vary widely. Assessments can be focused
on a location, business division, compliance requirement, or product. The
methodologies used for exploiting embedded devices are different from those used
during red team assessments (both are described in later chapters). The variety of
exploits described in this book, from ATM malware to Internet of Things exploits, are
demonstrative of the fascinating variety of specialties available to ethical hackers.
||||||||||||||||||||
||||||||||||||||||||
• Remain accountable for your actions. Log and document all your testing activities.
It’s not uncommon to perform a penetration test only to discover you are not the
first one to the party and that a breach is in progress. Be sure to discuss start and
stop dates and blackout periods.
The typical steps of the penetration test are briefly described here and are discussed
in more depth in following chapters:
1. Compile Open Source Intelligence (OSINT). Gather as much information about the
target as possible while maintaining zero contact with the target. Compiling
OSINT, otherwise known as “passive scanning,” can include using the following:
• Social networking sites
• Online databases
• Google, LinkedIn, and so on
• Dumpster diving
2. Employ active scanning and enumeration. Probe the target’s public exposure with
scanning tools and the following techniques:
• Network mapping
• Banner grabbing
• War dialing
• DNS zone transfers
• Traffic sniffing
• Wireless war driving
3. Perform fingerprinting. Perform a thorough probe of the target systems to identify
the following:
• Operating system type and patch level
• Applications and patch level
• Open ports
• Running services
• User accounts
4. Select a target system. Identify the most useful target(s).
5. Exploit the uncovered vulnerabilities. Execute the appropriate attacks targeted at
the suspected exposures. Keep the following points in mind:
• Some may not work.
• Some may kill services or even kill the server.
Technet24
||||||||||||||||||||
||||||||||||||||||||
NOTE A more detailed approach to the attacks that are part of each methodology are
included throughout the book.
1. Select a target. Motivations could be due to a grudge or for fun or profit. There are
no ground rules, no hands-off targets, and the security team is definitely blind to
the upcoming attack.
2. Use intermediaries. The attacker launches their attack from a different system
(intermediary) than their own, or a series of other systems, to make tracking back
to them more difficult in case the attack is detected. Intermediaries are often
victims of the attacker as well.
3. Proceed with the penetration testing steps described previously.
• Open Source Intelligence gathering
• Active scanning and enumeration
• Fingerprinting
• Select a target system
• Exploiting the uncovered vulnerabilities
||||||||||||||||||||
||||||||||||||||||||
• Escalating privileges
4. Preserve access. This involves uploading and installing a rootkit, back door,
Trojan applications, and/or bots to ensure that the attacker can regain access at a
later time.
5. Cover tracks. This step involves the following activities:
• Scrubbing event and audit logs
• Hiding uploaded files
• Hiding the active processes that allow the attacker to regain access
• Disabling messages to security software and system logs to hide malicious
processes and actions
6. Harden the system. After taking ownership of a system, an attacker may fix the
open vulnerabilities so no other attacker can use the system for other purposes.
Attackers will use compromised systems to suit their needs—many times remaining
hidden in the network for months or years while they study the environment. Often,
compromised systems are then used to attack other systems, thus leading to difficulty
attributing attacks to the correct source.
Technet24
||||||||||||||||||||
||||||||||||||||||||
capabilities. Red teaming is often reserved for organizations with more mature incident
response capabilities. Chapter 7 provides more information on this topic.
Many organizations are moving to a model where penetration tests occur at least
quarterly. This allows these organizations to choose a different focus for each quarter.
Many organizations align quarterly penetration testing with their change management
process, thus ensuring testing activities take a thorough look at parts of the environment
that have recently changed.
Evolution of Cyberlaw
Cybersecurity is a complex topic, and cyberlaw adds many more layers of complexity
to it. Cyberlaw reaches across geopolitical boundaries and defies traditional
governance structures. When cyberattacks range across multiple countries or include
botnets spread throughout the world, who has the authority to make and enforce laws?
How do we apply existing laws? The challenges of anonymity on the Internet and
difficulty of attributing actions to an individual or group make prosecuting attackers
even more complex.
Governments are making laws that greatly apply to private assets, and different rules
apply to protecting systems and data types, including critical infrastructure, proprietary
information, and personal data. CEOs and management not only need to worry about
profit margins, market analysis, and mergers and acquisitions; they also need to step into
a world of practicing security with due care, understand and comply with new
government privacy and information security regulations, risk civil and criminal
liability for security failures (including the possibility of being held personally liable
for certain security breaches), and try to comprehend and address the myriad ways in
which information security problems can affect their companies.
||||||||||||||||||||
Another random document with
no related content on Scribd:
And I so sorrowed at her sorrowes eft,
That, what with griefe, and feare, my wits were reft.
19.
20.
21.
22.
23.
24.
25.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
Crookebackt hee was, toothshaken, and blere eyde,
Went on three feete, and somtyme,[1540] crept on fowre,
With olde lame boanes, that ratled by his syde,
His scalpe all pild, and hee with eld forlore:
His withred fist still knocking at Death’s dore,
Fumbling, and driueling, as hee drawes his breath,
[1541]
For briefe, the shape and messenger of Death.
49.
50.
51.
52.
Great was her force, whome stone wall could not stay,
Her tearing nayles snatching at all shee sawe:
With gaping iawes, that by no[1543] meanes ymay
Be satisfide from hunger of her mawe,
But eates herselfe as shee that hath no lawe:
Gnawing, alas, her carkas all in vayne,
Where you may count ech sinew, bone, and veyne.
53.
54.
55.
56.
57.
58.
59.[1549]
60.
61.
62.
63.
But Troy, alas, mee thought, aboue them all,
It made myne eyes in very teares consume:
When I behelde the woefull werd befall,
That by the wrathfull will of gods[1552] was come:
And Ioue’s vnmoued sentence and foredoome
On Priam king, and on his towne so bent,
I could not lin, but I must there lament.
64.
65.
66.
68.
69.
70.
71.
72.
Wee had not long forth past, but that wee sawe
Blacke Cerberus, the hydeous hound of hell,
With bristles reard, and with a three mouth’d jawe,
Foredinning th’ayre[1561] with his horrible yell:
Out of the deepe darke caue where hee did dwell,
The goddesse straight hee knewe, and, by and by,
Hee peast, and couched, while[1562] that wee past by.
[1563]
73.
74.[1564]
Heare pewled[1565] the babes, and here the maydes
vnwed,
With folded hands theyr sory chaunce bewayld:
Here wept the guiltles slayne, and louers dead,
That slew them selues when nothing els auayld:
A thousand sorts of sorrows here, that waylde
With sighs, and teares, sobs, shrikes, and all yfeare,
That, oh,[1566] alas, it was a hell to heare.[1567]
75.[1568]
76.
77.
78.
79.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.