Preface
Acknowledgments
Introduction

Part I. Preparation

Chapter 1. Gray Hat Hacking
    Gray Hat Hacking Overview
        History of Hacking
        Ethics and Hacking
        Definition of Gray Hat Hacking
    History of Ethical Hacking
        History of Vulnerability Disclosure
        Bug Bounty Programs
    Know the Enemy: Black Hat Hacking
        Advanced Persistent Threats
        Lockheed Martin Cyber Kill Chain
        Courses of Action for the Cyber Kill Chain
        MITRE ATT&CK Framework
    Summary
    For Further Reading
    References

Chapter 2. Programming Survival Skills
    C Programming Language
        Basic C Language Constructs
        Lab 2-1: Format Strings
        Lab 2-2: Loops
        Lab 2-3: if/else
        Sample Programs
        Lab 2-4: hello.c
        Lab 2-5: meet.c
        Compiling with gcc
        Lab 2-6: Compiling meet.c
    Computer Memory
        Random Access Memory
        Endian
        Segmentation of Memory
        Programs in Memory
        Buffers
        Strings in Memory
        Pointers
        Putting the Pieces of Memory Together
        Lab 2-7: memory.c
    Intel Processors
        Registers
    Assembly Language Basics
        Machine vs. Assembly vs. C
        AT&T vs. NASM
        Addressing Modes
        Assembly File Structure
        Lab 2-8: Simple Assembly Program
    Debugging with gdb
        gdb Basics
        Lab 2-9: Debugging
        Lab 2-10: Disassembly with gdb
    Python Survival Skills
        Getting Python
        Lab 2-11: Launching Python
        Lab 2-12: “Hello, World!” in Python
        Python Objects
        Lab 2-13: Strings
        Lab 2-14: Numbers
        Lab 2-15: Lists
        Lab 2-16: Dictionaries
        Lab 2-17: Files with Python
        Lab 2-18: Sockets with Python
    Summary
    For Further Reading
    References

Chapter 3. Linux Exploit Development Tools
    Binary, Dynamic Information-Gathering Tools
        Lab 3-1: Hello.c
        Lab 3-2: ldd
        Lab 3-3: objdump
        Lab 3-4: strace
        Lab 3-5: ltrace
        Lab 3-6: checksec
        Lab 3-7: libc-database
        Lab 3-8: patchelf
        Lab 3-9: one_gadget
        Lab 3-10: Ropper
    Extending gdb with Python
    Pwntools CTF Framework and Exploit Development Library
        Summary of Features
        Lab 3-11: leak-bof.c
    HeapME (Heap Made Easy) Heap Analysis and Collaboration Tool
        Installing HeapME
        Lab 3-12: heapme_demo.c
    Summary
    For Further Reading
    References

Chapter 4. Introduction to Ghidra
    Creating Our First Project
    Installation and QuickStart
        Setting the Project Workspace
        Functionality Overview
        Lab 4-1: Improving Readability with Annotations
        Lab 4-2: Binary Diffing and Patch Analysis
    Summary
    For Further Reading
    References

Chapter 5. IDA Pro
    Introduction to IDA Pro for Reverse Engineering
    What Is Disassembly?
    Navigating IDA Pro
    IDA Pro Features and Functionality
        Cross-References (Xrefs)
        Function Calls
        Proximity Browser
        Opcodes and Addressing
        Shortcuts
        Comments
    Debugging with IDA Pro
    Summary
    For Further Reading
    References

Part II. Ethical Hacking

Chapter 6. Red and Purple Teams
    Introduction to Red Teams
        Vulnerability Scanning
        Validated Vulnerability Scanning
        Penetration Testing
        Threat Simulation and Emulation
        Purple Team
    Making Money with Red Teaming
        Corporate Red Teaming
        Consultant Red Teaming
    Purple Team Basics
        Purple Team Skills
        Purple Team Activities
    Summary
    For Further Reading
    References

Chapter 7. Command and Control (C2)
    Command and Control Systems
        Metasploit
        Lab 7-1: Creating a Shell with Metasploit
        PowerShell Empire
        Covenant
        Lab 7-2: Using Covenant C2
    Payload Obfuscation
        msfvenom and Obfuscation
        Lab 7-3: Obfuscating Payloads with msfvenom
        Creating C# Launchers
        Lab 7-4: Compiling and Testing C# Launchers
        Creating Go Launchers
        Lab 7-5: Compiling and Testing Go Launchers
        Creating Nim Launchers
        Lab 7-6: Compiling and Testing Nim Launchers
    Network Evasion
        Encryption
        Alternate Protocols
        C2 Templates
    EDR Evasion
        Killing EDR Products
        Bypassing Hooks
    Summary
    For Further Reading

Chapter 8. Building a Threat Hunting Lab
    Threat Hunting and Labs
        Options of Threat Hunting Labs
        Method for the Rest of this Chapter
    Basic Threat Hunting Lab: DetectionLab
        Prerequisites
        Lab 8-1: Install the Lab on Your Host
        Lab 8-2: Install the Lab in the Cloud
        Lab 8-3: Looking Around the Lab
    Extending Your Lab
        HELK
        Lab 8-4: Install HELK
        Lab 8-5: Install Winlogbeat
        Lab 8-6: Kibana Basics
        Lab 8-7: Mordor
    Summary
    For Further Reading
    References

Chapter 9. Introduction to Threat Hunting
    Threat Hunting Basics
        Types of Threat Hunting
        Workflow of a Threat Hunt
    Normalizing Data Sources with OSSEM
        Data Sources
        OSSEM to the Rescue
    Data-Driven Hunts Using OSSEM
        MITRE ATT&CK Framework Refresher: T1003.002
        Lab 9-1: Visualizing Data Sources with OSSEM
        Lab 9-2: AtomicRedTeam Attacker Emulation
    Exploring Hypothesis-Driven Hunts
        Lab 9-3: Hypothesis that Someone Copied a SAM File
        Crawl, Walk, Run
    Enter Mordor
        Lab 9-4: Hypothesis that Someone Other than an Admin Launched PowerShell
    Threat Hunter Playbook
        Departure from HELK for Now
        Spark and Jupyter
        Lab 9-5: Automated Playbooks and Sharing of Analytics
    Summary
    For Further Reading
    References

Part III. Hacking Systems

Chapter 10. Basic Linux Exploits
    Stack Operations and Function-Calling Procedures
    Buffer Overflows
        Lab 10-1: Overflowing meet.c
        Ramifications of Buffer Overflows
    Local Buffer Overflow Exploits
        Lab 10-2: Components of the Exploit
        Lab 10-3: Exploiting Stack Overflows from the Command Line
        Lab 10-4: Writing the Exploit with Pwntools
        Lab 10-5: Exploiting Small Buffers
    Exploit Development Process
        Lab 10-6: Building Custom Exploits
    Summary
    For Further Reading

Chapter 11. Advanced Linux Exploits
        Lab 11-1: Vulnerable Program and Environment Setup
        Lab 11-2: Bypassing Non-Executable Stack (NX) with Return-Oriented Programming (ROP)
        Lab 11-3: Defeating Stack Canaries
        Lab 11-4: ASLR Bypass with an Information Leak
        Lab 11-5: PIE Bypass with an Information Leak
    Summary
    For Further Reading
    References

Chapter 12. Linux Kernel Exploits
        Lab 12-1: Environment Setup and Vulnerable procfs Module
        Lab 12-2: ret2usr
        Lab 12-3: Defeating Stack Canaries
        Lab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI)
        Lab 12-5: Bypassing Supervisor Mode Access Prevention (SMAP)
        Lab 12-6: Defeating Kernel Address Space Layout Randomization (KASLR)
    Summary
    For Further Reading
    References

Chapter 13. Basic Windows Exploitation
    Compiling and Debugging Windows Programs
        Lab 13-1: Compiling on Windows
        Debugging on Windows with Immunity Debugger
        Lab 13-2: Crashing the Program
    Writing Windows Exploits
        Exploit Development Process Review
        Lab 13-3: Exploiting ProSSHD Server
    Understanding Structured Exception Handling
        Understanding and Bypassing Common Windows Memory Protections
        Safe Structured Exception Handling
        Bypassing SafeSEH
    Data Execution Prevention
        Return-Oriented Programming
        Gadgets
        Building the ROP Chain
    Summary
    For Further Reading
    References

Chapter 14. Windows Kernel Exploitation
    The Windows Kernel
    Kernel Drivers
    Kernel Debugging
        Lab 14-1: Setting Up Kernel Debugging
    Picking a Target
        Lab 14-2: Obtaining the Target Driver
        Lab 14-3: Reverse Engineering the Driver
        Lab 14-4: Interacting with the Driver
    Token Stealing
        Lab 14-5: Arbitrary Pointer Read/Write
        Lab 14-6: Writing a Kernel Exploit
    Summary
    For Further Reading
    References

Chapter 15. PowerShell Exploitation
    Why PowerShell
        Living off the Land
        PowerShell Logging
        PowerShell Portability
    Loading PowerShell Scripts
        Lab 15-1: The Failure Condition
        Lab 15-2: Passing Commands on the Command Line
        Lab 15-3: Encoded Commands
        Lab 15-4: Bootstrapping via the Web
    Exploitation and Post-Exploitation with PowerSploit
        Lab 15-5: Setting Up PowerSploit
        Lab 15-6: Running Mimikatz Through PowerShell
    Using PowerShell Empire for C2
        Lab 15-7: Setting Up Empire
        Lab 15-8: Staging an Empire C2
        Lab 15-9: Using Empire to Own the System
        Lab 15-10: Using WinRM to Launch Empire
    Summary
    For Further Reading
    Reference

Chapter 16. Getting Shells Without Exploits
    Capturing Password Hashes
        Understanding LLMNR and NBNS
        Understanding Windows NTLMv1 and NTLMv2 Authentication
        Using Responder
        Lab 16-1: Getting Passwords with Responder
    Using Winexe
        Lab 16-2: Using Winexe to Access Remote Systems
        Lab 16-3: Using Winexe to Gain Elevated Privileges
    Using WMI
        Lab 16-4: Querying System Information with WMI
        Lab 16-5: Executing Commands with WMI
    Taking Advantage of WinRM
        Lab 16-6: Executing Commands with WinRM
        Lab 16-7: Using Evil-WinRM to Execute Code
    Summary
    For Further Reading
    Reference

Chapter 17. Post-Exploitation in Modern Windows Environments
    Post-Exploitation
        Host Recon
        Lab 17-1: Using whoami to Identify Privileges
        Lab 17-2: Using Seatbelt to Find User Information
        Lab 17-3: System Recon with PowerShell
        Lab 17-4: System Recon with Seatbelt
        Lab 17-5: Getting Domain Information with PowerShell
        Lab 17-6: Using PowerView for AD Recon
        Lab 17-7: Gathering AD Data with SharpHound
        Escalation
        Lab 17-8: Profiling Systems with winPEAS
        Lab 17-9: Using SharpUp to Escalate Privileges
        Lab 17-10: Searching for Passwords in User Objects
        Lab 17-11: Abusing Kerberos to Gather Credentials
        Lab 17-12: Abusing Kerberos to Escalate Privileges
    Active Directory Persistence
        Lab 17-13: Abusing AdminSDHolder
        Lab 17-14: Abusing SIDHistory
    Summary
    For Further Reading

Chapter 18. Next-Generation Patch Exploitation
    Introduction to Binary Diffing
        Application Diffing
        Patch Diffing
    Binary Diffing Tools
        BinDiff
        turbodiff
        Lab 18-1: Our First Diff
    Patch Management Process
        Microsoft Patch Tuesday
        Obtaining and Extracting Microsoft Patches
    Summary
    For Further Reading
    References

Part IV. Hacking IoT

Chapter 19. Internet of Things to Be Hacked
    Internet of Things (IoT)
        Types of Connected Things
        Wireless Protocols
        Communication Protocols
        Security Concerns
    Shodan IoT Search Engine
        Web Interface
        Shodan Command-Line Interface
        Lab 19-1: Using the Shodan Command Line
        Shodan API
        Lab 19-2: Testing the Shodan API
        Lab 19-3: Playing with MQTT
        Implications of this Unauthenticated Access to MQTT
    IoT Worms: It Was a Matter of Time
        Prevention
    Summary
    For Further Reading
    References

Chapter 20. Dissecting Embedded Devices
    CPU
        Microprocessor
        Microcontrollers
        System on Chip
        Common Processor Architectures
    Serial Interfaces
        UART
        SPI
        I²C
    Debug Interfaces
        JTAG
        SWD
    Software
        Bootloader
        No Operating System
        Real-Time Operating System
        General Operating System
    Summary
    For Further Reading
    References

Chapter 21. Exploiting Embedded Devices
    Static Analysis of Vulnerabilities in Embedded Devices
        Lab 21-1: Analyzing the Update Package
        Lab 21-2: Performing Vulnerability Analysis
    Dynamic Analysis with Hardware
        The Test Environment Setup
        Ettercap
    Dynamic Analysis with Emulation
        FirmAE
        Lab 21-3: Setting Up FirmAE
        Lab 21-4: Emulating Firmware
        Lab 21-5: Exploiting Firmware
    Summary
    For Further Reading
    References

Chapter 22. Software-Defined Radio
    Getting Started with SDR
        What to Buy
        Not So Quick: Know the Rules
    Learn by Example
        Search
        Capture
        Replay
        Analyze
        Preview
        Execute
    Summary
    For Further Reading

Part V. Hacking Hypervisors

Chapter 23. Hypervisors 101
    What Is a Hypervisor?
        Popek and Goldberg Virtualization Theorems
        Goldberg’s Hardware Virtualizer
        Type-1 and Type-2 VMMs
    x86 Virtualization
        Dynamic Binary Translation
        Ring Compression
        Shadow Paging
        Paravirtualization
    Hardware Assisted Virtualization
        VMX
        EPT
    Summary
    References

Chapter 24. Creating a Research Framework
    Hypervisor Attack Surface
    The Unikernel
        Lab 24-1: Booting and Communication
        Lab 24-2: Communication Protocol
        Boot Message Implementation
        Handling Requests
    The Client (Python)
        Communication Protocol (Python)
        Lab 24-3: Running the Guest (Python)
        Lab 24-4: Code Injection (Python)
    Fuzzing
        The Fuzzer Base Class
        Lab 24-5: IO-Ports Fuzzer
        Lab 24-6: MSR Fuzzer
        Lab 24-7: Exception Handling
        Fuzzing Tips and Improvements
    Summary
    References

Chapter 25. Inside Hyper-V
    Environment Setup
    Hyper-V Architecture
        Hyper-V Components
        Virtual Trust Levels
        Generation-1 VMs
        Lab 25-1: Scanning PCI Devices in a Generation-1 VM
        Generation 2 VMs
        Lab 25-2: Scanning PCI Devices in a Generation-2 VM
    Hyper-V Synthetic Interface
        Synthetic MSRs
        Lab 25-3: Setting Up the Hypercall Page and Dumping Its Contents
        Hypercalls
        VMBus
        Lab 25-4: Listing VMBus Devices
    Summary
    For Further Reading
    References

Chapter 26. Hacking Hypervisors Case Study
    Bug Analysis
        USB Basics
        Lab 26-1: Patch Analysis Using GitHub API
    Developing a Trigger
        Setting Up the Target
        Lab 26-2: Scanning the PCI Bus
        The EHCI Controller
        Triggering the Bug
        Lab 26-3: Running the Trigger
    Exploitation
        Relative Write Primitive
        Relative Read Primitive
        Lab 26-4: Debugging the Relative Read Primitive
        Arbitrary Read
        Full Address-Space Leak Primitive
        Module Base Leak
        RET2LIB
        Lab 26-5: Finding Function Pointers with GDB
        Lab 26-6: Displaying IRQState with GDB
        Lab 26-7: Launching the Exploit
    Summary
    For Further Reading
    References

Part VI. Hacking the Cloud

Chapter 27. Hacking in Amazon Web Services
    Amazon Web Services
        Services, Locations, and Infrastructure
        How Authorization Works in AWS
        Abusing AWS Best Practices
        Lab 27-1: Environment Setup
    Abusing Authentication Controls
        Types of Keys and Key Material
        Lab 27-2: Finding AWS Keys
        Attacker Tools
        Lab 27-3: Enumerating Permissions
        Lab 27-4: Leveraging Access to Perform Unauthorized Actions
        Lab 27-5: Persistence Through System Internals
    Summary
    For Further Reading
    References

Chapter 28. Hacking in Azure
    Microsoft Azure
        Differences Between Azure and AWS
        Lab 28-1: Setup of Our Labs
        Lab 28-2: Additional User Steps
        Lab 28-3: Validating Access
        Microsoft Azure AD Overview
        Azure Permissions
    Constructing an Attack on Azure-Hosted Systems
        Lab 28-4: Azure AD User Lookups
        Lab 28-5: Azure AD Password Spraying
        Lab 28-6: Getting onto Azure
    Control Plane and Managed Identities
        Lab 28-7: System Assigned Identities
        Lab 28-8: Getting a Backdoor on a Node
    Summary
    For Further Reading
    References

Chapter 29. Hacking Containers
    Linux Containers
        Container Internals
        Cgroups
        Lab 29-1: Setup of our Environment
        Lab 29-2: Looking at Cgroups
        Namespaces
        Storage
        Lab 29-3: Container Storage
    Applications
        What Is Docker?
        Lab 29-4: Looking for Docker Daemons
    Container Security
        Lab 29-5: Interacting with the Docker API
        Lab 29-6: Executing Commands Remotely
        Lab 29-7: Pivots
    Breaking Out of Containers
        Capabilities
        Lab 29-8: Privileged Pods
        Lab 29-9: Abusing Cgroups
    Summary
    For Further Reading
    References

Chapter 30. Hacking on Kubernetes
    Kubernetes Architecture
    Fingerprinting Kubernetes API Servers
        Lab 30-1: Cluster Setup
        Finding Kubernetes API Servers
        Lab 30-2: Fingerprinting Kubernetes Servers
    Hacking Kubernetes from Within
        Lab 30-3: Kubestriker
        Lab 30-4: Attacking from Within
        Lab 30-5: Attacking the API Server
    Summary
    For Further Reading
    References

Index

Rent More, Save More! Use code: ECRENTAL

Rent More, Save More! Use code: ECRENTAL

5% off 1 book, 7% off 2 books, 10% off 3+ books

Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition

How To: Textbook Rental

Table of Contents

Supplemental Materials

Rewards Program