ISBN: 978-1-26-426895-5
MHID: 1-26-426895-5
The material in this eBook also appears in the print version of this
title: ISBN: 978-1-26-426894-8, MHID: 1-26-426894-7.
—Allen Harper
Lead author and friend of Shon Harris
To my brothers and sisters in Christ, keep running the race. Let your
light shine for Him, that others may be drawn to Him through you.
—Allen Harper
To my wife, thank you for your constant encouragement and faith,
and for pushing me to push myself.
—Ryan Linn
To my lovely wife Leanne and my daughter Audrey, thank you for
your ongoing support!
—Stephen Sims
To my daughter Tiernan, thank you for your support and continuous
reminders to enjoy life and learning each and every day. I look
forward to seeing the wonderful woman you will become.
—Michael Baucom
To my beautiful wife Zoe and our children Alexander and Axel, thank
you for your continuous love and support, and for always trusting in
me and encouraging all my crazy new ideas.
—Huáscar Tejeda
To my beautiful wife Vanesa and my family for their support and
their patience every time I come up with a new project.
—Daniel Fernandez
To my wife Gina and my daughter Juliet, who I am so proud of.
Thank you for putting up with most of my harebrained ideas.
—Moses Frost
ABOUT THE AUTHORS
Dr. Allen Harper, CISSP, retired in 2007 from the military as a
Marine Corps Officer after a tour in Iraq. He has more than 30 years
of IT/security experience. He holds a PhD in IT with a focus on
information assurance and security from Capella, an MS in computer
science from the Naval Postgraduate School, and a BS in computer
engineering from North Carolina State University. In 2004, Allen led
the development of the GEN III Honeywall CD-ROM, called roo, for
the Honeynet Project. Since then, he has worked as a security
consultant for many Fortune 500 and government entities. His
interests include the Internet of Things, reverse engineering,
vulnerability discovery, and all forms of ethical hacking. Allen was the
founder of N2NetSecurity, Inc., served as the EVP and chief hacker
at Tangible Security, program director at Liberty University, and now
serves as EVP of cybersecurity at T-Rex Solutions, LLC, in Greenbelt,
Maryland.
Ryan Linn, CISSP, CSSLP, OSCP, OSCE, GREM, has over 20 years in
the security industry, ranging from systems programmer to corporate
security to leading a global cybersecurity consultancy. Ryan has
contributed to a number of open source projects, including
Metasploit, the Browser Exploitation Framework (BeEF), and
Ettercap. Ryan participates in Twitter as @sussurro, and he has
presented his research at numerous security conferences, including
Black Hat, DEF CON, Thotcon, and Derbycon, and has provided
training in attack techniques and forensics worldwide.
Stephen Sims is an industry expert with over 15 years of
experience in information technology and security. Stephen currently
works out of the San Francisco Bay Area as a consultant. He has
spent many years performing security architecture, exploit
development, reverse engineering, and penetration testing for
various Fortune 500 companies, and he has discovered and
responsibly disclosed a wide range of vulnerabilities in commercial
products. Stephen has an MS in information assurance from Norwich
University and currently leads the Offensive Operations curriculum at
the SANS Institute. He is the author of the SANS Institute’s only 700-
level course, SEC760: Advanced Exploit Development for Penetration
Testers, which concentrates on complex heap overflows, patch
diffing, and client-side exploits. He holds the GIAC Security Expert
(GSE) certification as well as the CISA, Immunity NOP, and many
others. In his spare time, Stephen enjoys snowboarding and writing
music.
Michael Baucom has over 25 years of industry experience, ranging
from embedded systems development to leading the product
security and research division at Tangible Security. With more than
15 years of security experience, he has performed security
assessments of countless systems across a multitude of areas,
including medical, industrial, networking, and consumer electronics.
Michael has been a trainer at Black Hat, speaker at several
conferences, and both an author and technical editor for Gray Hat
Hacking: The Ethical Hacker’s Handbook. His current interests are in
embedded system security and development.
Huáscar Tejeda is the co-founder and CEO of F2TC Cyber Security.
He is a seasoned, thoroughly experienced cybersecurity professional,
with more than 20 years and notable achievements in IT and
telecommunications, developing carrier-grade security solutions and
business-critical components for multiple broadband providers. He is
highly skilled in security research, penetration testing, Linux kernel
hacking, software development, and embedded hardware design.
Huáscar is also a member of the SANS Latin America Advisory
Group, SANS Purple Team Summit Advisory Board, and contributing
author of the SANS Institute’s most advanced course, SEC760:
Advanced Exploit Development for Penetration Testers.
Daniel Fernandez is a security researcher with over 15 years of
industry experience. Over his career, he has discovered and
exploited vulnerabilities in a vast number of targets. In recent
years, his focus has shifted to hypervisors, where he has found and
reported bugs in products such as Microsoft Hyper-V. He has worked
at several information security companies, including Blue Frost
Security GmbH and Immunity, Inc. Recently, he co-founded TACITO
Security. When not breaking software, Daniel enjoys training his
working dogs.
Moses Frost started his career in designing and implementing
large-scale networks around the year 2000. He has worked with
computers in some form or another since the early 1990s. His past
employers include TLO, Cisco Systems, and McAfee. At Cisco
Systems, he was a lead architect for its Cyber Defense Clinics. This
free information security dojo was used in educating individuals from
the high school and university levels as well as in many enterprises.
At Cisco, he was asked to work on crucial security projects such as
industry certifications. Moses is an author and senior instructor at
the SANS Institute. His technology interests include web app
penetration testing, cloud penetration testing, and red team
operations. He currently works as a red team operator at GRIMM.
Disclaimer: The views expressed in this book are those of
the authors and not of the U.S. government or any company
mentioned herein.
CONTENTS
Preface
Acknowledgments
Introduction
Part I Preparation
C Programming Language
Basic C Language Constructs
Lab 2-1: Format Strings
Lab 2-2: Loops
Lab 2-3: if/else
Sample Programs
Lab 2-4: hello.c
Lab 2-5: meet.c
Compiling with gcc
Lab 2-6: Compiling meet.c
Computer Memory
Random Access Memory
Endian
Segmentation of Memory
Programs in Memory
Buffers
Strings in Memory
Pointers
Putting the Pieces of Memory Together
Lab 2-7: memory.c
Intel Processors
Registers
Assembly Language Basics
Machine vs. Assembly vs. C
AT&T vs. NASM
Addressing Modes
Assembly File Structure
Lab 2-8: Simple Assembly Program
Debugging with gdb
gdb Basics
Lab 2-9: Debugging
Lab 2-10: Disassembly with gdb
Python Survival Skills
Getting Python
Lab 2-11: Launching Python
Lab 2-12: “Hello, World!” in Python
Python Objects
Lab 2-13: Strings
Lab 2-14: Numbers
Lab 2-15: Lists
Lab 2-16: Dictionaries
Lab 2-17: Files with Python
Lab 2-18: Sockets with Python
Summary
For Further Reading
References
Why PowerShell
Living off the Land
PowerShell Logging
PowerShell Portability
Loading PowerShell Scripts
Lab 15-1: The Failure Condition
Lab 15-2: Passing Commands on the Command
Line
Lab 15-3: Encoded Commands
Lab 15-4: Bootstrapping via the Web
Exploitation and Post-Exploitation with PowerSploit
Lab 15-5: Setting Up PowerSploit
Lab 15-6: Running Mimikatz Through
PowerShell
Using PowerShell Empire for C2
Lab 15-7: Setting Up Empire
Lab 15-8: Staging an Empire C2
Lab 15-9: Using Empire to Own the System
Lab 15-10: Using WinRM to Launch Empire
Summary
For Further Reading
Reference
Post-Exploitation
Host Recon
Lab 17-1: Using whoami to Identify Privileges
Lab 17-2: Using Seatbelt to Find User
Information
Lab 17-3: System Recon with PowerShell
Lab 17-4: System Recon with Seatbelt
Lab 17-5: Getting Domain Information with
PowerShell
Lab 17-6: Using PowerView for AD Recon
Lab 17-7: Gathering AD Data with SharpHound
Escalation
Lab 17-8: Profiling Systems with winPEAS
Lab 17-9: Using SharpUp to Escalate Privileges
Lab 17-10: Searching for Passwords in User
Objects
Lab 17-11: Abusing Kerberos to Gather
Credentials
Lab 17-12: Abusing Kerberos to Escalate
Privileges
Active Directory Persistence
Lab 17-13: Abusing AdminSDHolder
Lab 17-14: Abusing SIDHistory
Summary
For Further Reading
CPU
Microprocessor
Microcontrollers
System on Chip
Common Processor Architectures
Serial Interfaces
UART
SPI
I2C
Debug Interfaces
JTAG
SWD
Software
Bootloader
No Operating System
Real-Time Operating System
General Operating System
Summary
For Further Reading
References
What Is a Hypervisor?
Popek and Goldberg Virtualization Theorems
Goldberg’s Hardware Virtualizer
Type-1 and Type-2 VMMs
x86 Virtualization
Dynamic Binary Translation
Ring Compression
Shadow Paging
Paravirtualization
Hardware Assisted Virtualization
VMX
EPT
Summary
References
Environment Setup
Hyper-V Architecture
Hyper-V Components
Virtual Trust Levels
Generation-1 VMs
Lab 25-1: Scanning PCI Devices in a
Generation-1 VM
Generation 2 VMs
Lab 25-2: Scanning PCI Devices in a
Generation-2 VM
Hyper-V Synthetic Interface
Synthetic MSRs
Lab 25-3: Setting Up the Hypercall Page and
Dumping Its Contents
Hypercalls
VMBus
Lab 25-4: Listing VMBus Devices
Summary
For Further Reading
References
Bug Analysis
USB Basics
Lab 26-1: Patch Analysis Using GitHub API
Developing a Trigger
Setting Up the Target
Lab 26-2: Scanning the PCI Bus
The EHCI Controller
Triggering the Bug
Lab 26-3: Running the Trigger
Exploitation
Relative Write Primitive
Relative Read Primitive
Lab 26-4: Debugging the Relative Read Primitive
Arbitrary Read
Full Address-Space Leak Primitive
Module Base Leak
RET2LIB
Lab 26-5: Finding Function Pointers with GDB
Lab 26-6: Displaying IRQState with GDB
Lab 26-7: Launching the Exploit
Summary
For Further Reading
References
Part VI Hacking the Cloud
Microsoft Azure
Differences Between Azure and AWS
Lab 28-1: Setup of Our Labs
Lab 28-2: Additional User Steps
Lab 28-3: Validating Access
Microsoft Azure AD Overview
Azure Permissions
Constructing an Attack on Azure-Hosted Systems
Lab 28-4: Azure AD User Lookups
Lab 28-5: Azure AD Password Spraying
Lab 28-6: Getting onto Azure
Control Plane and Managed Identities
Lab 28-7: System Assigned Identities
Lab 28-8: Getting a Backdoor on a Node
Summary
For Further Reading
References
Linux Containers
Container Internals
Cgroups
Lab 29-1: Setup of our Environment
Lab 29-2: Looking at Cgroups
Namespaces
Storage
Lab 29-3: Container Storage
Applications
What Is Docker?
Lab 29-4: Looking for Docker Daemons
Container Security
Lab 29-5: Interacting with the Docker API
Lab 29-6: Executing Commands Remotely
Lab 29-7: Pivots
Breaking Out of Containers
Capabilities
Lab 29-8: Privileged Pods
Lab 29-9: Abusing Cgroups
Summary
For Further Reading
References
Index
PREFACE
This book has been developed by and for security professionals who
are dedicated to working in an ethical and responsible manner to
improve the overall security posture of individuals, corporations, and
nations.
ACKNOWLEDGMENTS
Each of the authors would like to thank the staff at McGraw Hill.
In particular, we would like to thank Wendy Rinaldi and Emily
Walters. We could not have done this book without you. Your
expertise, tireless dedication, and attention to detail helped make
this book a success. Thanks for keeping us on track and for your
patience with us as we progressed.
We would also like to thank Heather Linn, our technical editor. She
went above and beyond as a technical editor and improved the book
in many ways. She tirelessly ran all the code in the book and often
had to work with the authors to fix that code. Throughout the
process, she kept a sense of humor and encouraged us to do our
best. As an accomplished author in her own right, she completed our
team.
Allen Harper would like to thank his wonderful wife Corann and
beautiful daughters Haley and Madison for their support and
understanding as he chased yet another dream. With each edition, it
is neat to see our family grow and now spread apart, as we live in
different states. Haley and Madison, you are the joy of my life. I am
so proud of you both and am so excited for your future. Corann, I
love you more than ever, and look forward to spending the rest of
our lives together! To my colleagues at T-Rex, thanks for bringing
the best out of me and challenging me to achieve even more.
Ryan Linn would like to thank Heather for her support,
encouragement, and advice as well as his family and friends for their
support and for putting up with the long hours and infrequent
communication while the book was coming together.
Thanks to Jeff, Brian, Luke, Derek, Adrian, Shawn, Rob, Jon,
Andrew, Tom, Todd, Kelly, Debbie, and all the others who continue
to push him to grow technically, professionally, and in all aspects of
life.
Stephen Sims would like to thank his wife Leanne and daughter
Audrey for their ongoing support with the time needed to research,
write, work, teach, and travel.
He would also like to thank his parents George and Mary and his
sister Lisa for their support from afar. Finally, a special thanks to all
of the brilliant security researchers who contribute so much to the
community with publications, lectures, and tools.
Finally, a special thank you to Jaime Geiger for writing the chapter
on Windows Kernel exploitation!
Michael Baucom would like to thank his wife Bridget and his
daughter Tiernan for their sacrifices and support in allowing him to
pursue his professional goals.
He’d also like to thank his parents for their love and support and for
instilling in him the work ethic that has carried him to this point.
Additionally, he’d like to thank the Marine Corps for giving him the
courage and confidence to understand that all things are possible.
Finally, he’d like to thank his brother in Christ, long-time friend, and
colleague Allen Harper. Nothing can be accomplished without a great
team.
Huáscar Tejeda would like to thank his wife Zoe and their children
Alexander and Axel for their continuous support and encouragement.
He would also like to thank his mother Raysa for having taught him
by example the importance of being passionate about inexhaustible
study and hard work, as well as for exposing him to music, painting,
and mathematics at an early age. Additionally, he’d like to thank his
grandmother Milagros for her great love and for always believing in
him since he was a child. Also, a special thanks to his older brother
Geovanny for inviting him to the university to take computer science
classes after learning of Huáscar’s strong computer programming
skills at the age of 13. And, finally, thanks go to his brother Aneudy
for always caring and being there for him.
Daniel Fernandez would like to thank his wife Vanesa for her love
and support.
He’d also like to thank former colleagues and longtime friends
Sebastian Fernandez, Gottfrid Svartholm, and Bruno Deferrari. He
considers himself lucky to have met them and learned from them all
these years. Finally, a special thanks to Rocky, a good friend who
many years ago gave him the opportunity that resulted in his best
professional experience.
Moses Frost would like to thank his wife Gina and daughter Juliet
for their continued love, support, and sacrifices throughout the
years.
He’d also like to thank his parents who allowed him to pursue his
passions. It was not easy to break free and take chances. Finally, but
not least, he’d like to thank some former colleagues, mentors, and
friends—Fernando Martinez, Joey Muniz, Ed Skoudis, Jonathan Cran,
and so many others who have helped him be a better person.
We, the authors, would also like to collectively thank Hex-Rays for
the generous use of their tool IDA Pro.
INTRODUCTION
There is no instance of a nation benefitting from prolonged warfare.
—Sun Tzu
To be prepared for war is one of the most effective means of
preserving peace.
—George Washington
If it were a fact, it wouldn’t be called intelligence.
—Donald Rumsfeld
Like the previous editions, the purpose of this book is to provide
individuals the information once held only by governments and a few
black hat hackers. In each edition, we strive to update the reader on
the latest security techniques. Increasingly, individuals stand in the
breach of cyberwar, not only against black hat hackers, but
sometimes against governments. If you find yourself in this position,
either alone or as a defender of your organization, we want you to
be equipped with as much knowledge of the attacker as possible. To
that end, we present to you the mindset of the gray hat hacker, an
ethical hacker who uses offensive techniques for defensive purposes.
The ethical hacker fills an honorable role, one that respects the laws
and the rights of others. The ethical hacker subscribes to the notion
that the adversary may be beaten to the punch by testing oneself first.
The authors of this book want to provide you, the reader, with
something we believe the industry and society in general need: a
holistic review of ethical hacking that is responsible and truly ethical
in its intentions and material. This is why we keep releasing new
editions of this book with a clear definition of what ethical hacking is
and is not—something our society is very confused about.
We have updated the material from the fifth edition and have
attempted to deliver the most comprehensive and up-to-date
assembly of techniques, procedures, and material with real hands-on
labs that can be replicated by the reader.
Eighteen new chapters are presented, and the other chapters have
been updated.
In the first section, we cover the topics required to prepare you for
the rest of the book. Keep in mind that all the skills you need are
more than can be covered in any book, but we attempt to lay out
some topics to make the rest of the book more attainable and
accessible by newer members of the field. We cover the following
topics:
In the third section, we shift gears and talk about hacking systems.
Here, you will discover the skills needed to exploit Windows and
Linux systems. This is a broad area of focus, where we cover these
topics:
• Overview of hypervisors
• Creating a research framework for testing hypervisors
• Looking inside Hyper-V
• Hacking hypervisors case study
We hope you enjoy the new and updated chapters. If you are new
to the field or are ready to take the next step to advance and
deepen your understanding of ethical hacking, this is the book for
you. In any event, use your powers for good!
Preparation
Chapter 1 Gray Hat Hacking
Chapter 2 Programming Survival Skills
Chapter 3 Linux Exploit Development Tools
Chapter 4 Introduction to Ghidra
Chapter 5 IDA Pro
CHAPTER 1
What is a gray hat hacker? Why should you care? In this chapter, we
attempt to define what a gray hat hacker is and why they are so
vital to the cybersecurity field. In short, they stand in the gap
between white hat hackers and black hat hackers and serve as
ethical hackers, never breaking the law, but instead making the
world a better place through applying their skills for good. Now, this
concept is controversial, and good people may disagree on this
topic. So, in this chapter, we try to set the record straight and give a
call to action—that you join us as gray hat hackers and practice
ethical hacking in a responsible manner. We also lay the foundation
of other critical topics discussed throughout the book.