Praise for Gray Hat Hacking: The Ethical Hacker’s Handbook, Second Edition

“Gray Hat Hacking, Second Edition takes a very practical and applied approach to learning how to attack computer systems. The authors are past Black Hat speakers, trainers, and DEF CON CtF winners who know what they are talking about.”
—Jeff Moss, Founder and Director of Black Hat

“The second edition of Gray Hat Hacking moves well beyond current ‘intro to hacking’ books and presents a well thought-out technical analysis of ethical hacking. Although the book is written so that even the uninitiated can follow it well, it really succeeds by treating every topic in depth; offering insights and several realistic examples to reinforce each concept. The tools and vulnerability classes discussed are very current and can be used to template assessments of operational networks.”
—Ronald C. Dodge Jr., Ph.D., Associate Dean, Information and Education Technology, United States Military Academy

“An excellent introduction to the world of vulnerability discovery and exploits. The tools and techniques covered provide a solid foundation for aspiring information security researchers, and the coverage of popular tools such as the Metasploit Framework gives readers the information they need to effectively use these free tools.”
—Tony Bradley, CISSP, Microsoft MVP, About.com Guide for Internet/Network Security, http://netsecurity.about.com

“Gray Hat Hacking, Second Edition provides broad coverage of what attacking systems is all about. Written by experts who have made a complicated problem understandable by even the novice, Gray Hat Hacking, Second Edition is a fantastic book for anyone looking to learn the tools and techniques needed to break in and stay in.”
—Bruce Potter, Founder, The Shmoo Group

“As a security professional and lecturer, I get asked a lot about where to start in the security business, and I point them to Gray Hat Hacking. Even for seasoned professionals who are well versed in one area, such as pen testing, but who are interested in another, like reverse engineering, I still point them to this book. The fact that a second edition is coming out is even better, as it is still very up to date. Very highly recommended.”
—Simple Nomad, Hacker

ABOUT THE AUTHORS

Shon Harris, MCSE, CISSP, is the president of Logical Security, an educator and security consultant. She is a former engineer of the U.S. Air Force Information Warfare unit and has published several books and articles on different disciplines within information security. Shon was also recognized as one of the top 25 women in information security by Information Security Magazine.

Allen Harper, CISSP, is the president and owner of n2netSecurity, Inc. in North Carolina. He retired from the Marine Corps after 20 years. Additionally, he has served as a security analyst for the U.S. Department of the Treasury, Internal Revenue Service, Computer Security Incident Response Center (IRS CSIRC). He speaks and teaches at conferences such as Black Hat.

Chris Eagle is the associate chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, California. A computer engineer/scientist for 22 years, his research interests include computer network attack and defense, computer forensics, and reverse/anti-reverse engineering. He can often be found teaching at Black Hat or playing capture the flag at Defcon.

Jonathan Ness, CHFI, is a lead software security engineer at Microsoft. He and his coworkers ensure that Microsoft’s security updates comprehensively address reported vulnerabilities. He also leads the technical response of Microsoft’s incident response process that is engaged to address publicly disclosed vulnerabilities and exploits targeting Microsoft software. He serves one weekend each month as a security engineer in a reserve military unit.

Disclaimer: The views expressed in this book are those of the author and not of the U.S. government or the Microsoft Corporation.
About the Technical Editor

Michael Baucom is a software engineer working primarily in the embedded software area. The majority of the last ten years he has been writing system software and tools for networking equipment; however, his recent interests are with information security and more specifically securing software. He co-taught Exploiting 101 at Black Hat in 2006. For fun, he has enjoyed participating in capture the flag at Defcon for the last two years.

Gray Hat Hacking: The Ethical Hacker’s Handbook, Second Edition
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

New York • Chicago • San Francisco • Lisbon • London • Madrid • Mexico City • Milan • New Delhi • San Juan • Seoul • Singapore • Sydney • Toronto

Copyright © 2008 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

0-07-159553-8

The material in this eBook also appears in the print version of this title: 0-07-149568-1.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at [email protected] or (212) 904-4069.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

DOI: 10.1036/0071495681

To my loving and supporting husband, David Harris, who has continual patience with me as I take on all of these crazy projects! —Shon Harris

To the service members forward deployed around the world. Thank you for your sacrifice. —Allen Harper

To my wife, Kristen, for all of the support she has given me through this and my many other endeavors! —Chris Eagle

To Jessica, the most amazing and beautiful person I know. —Jonathan Ness

CONTENTS AT A GLANCE

Part I  Introduction to Ethical Disclosure  1
  Chapter 1  Ethics of Ethical Hacking  3
  Chapter 2  Ethical Hacking and the Legal System  17
  Chapter 3  Proper and Ethical Disclosure  41

Part II  Penetration Testing and Tools  73
  Chapter 4  Using Metasploit  75
  Chapter 5  Using the BackTrack LiveCD Linux Distribution  101

Part III  Exploits 101  119
  Chapter 6  Programming Survival Skills  121
  Chapter 7  Basic Linux Exploits  147
  Chapter 8  Advanced Linux Exploits  169
  Chapter 9  Shellcode Strategies  195
  Chapter 10  Writing Linux Shellcode  211
  Chapter 11  Basic Windows Exploits  243

Part IV  Vulnerability Analysis  275
  Chapter 12  Passive Analysis  277
  Chapter 13  Advanced Static Analysis with IDA Pro  309
  Chapter 14  Advanced Reverse Engineering  335
  Chapter 15  Client-Side Browser Exploits  359
  Chapter 16  Exploiting Windows Access Control Model for Local Elevation of Privilege  387
  Chapter 17  Intelligent Fuzzing with Sulley  441
  Chapter 18  From Vulnerability to Exploit  459
  Chapter 19  Closing the Holes: Mitigation  481

Part V  Malware Analysis  497
  Chapter 20  Collecting Malware and Initial Analysis  499
  Chapter 21  Hacking Malware  521

Index  537