INDEX
A
access
AWS. See authentication in AWS
access control lists (ACLs), 355
access keys (AKIA) in AWS, 572
AccessKeyId in AWS, 574–575
ACLs (access control lists), 355
actions on objectives in Cyber Kill Chain, 13
Active Directory (AD)
Azure, overview, 591
Azure, password spraying, 596–597
Azure, permissions, 591–593
Azure, user lookups, 594–595
Distinguished Names, 345
Domain Admin group, 344
Group group, 346
persistence, 364–367
PowerShell, 352–354
PowerView, 354–356
privilege escalation, 357–359
recon overview, 351
SharpHound, 356–357
ADC (analog-to-digital conversion) resolution in SDR, 448
ADD-ADDBSidHistory cmdlet, 367
add command, 38
Add-ObjectAcl cmdlet, 365
add_region method, 506
Address Resolution Protocol (ARP), 436
address space layout randomization (ASLR)
bypassing, 228–231
description, 202
disabling, 208
KASLR, 246–248
Windows exploitation, 264–265
address translation in x86 virtualization, 477–478
addressing in IDA Pro, 100
addressing modes in assembly language, 40
admin bastion host design in AWS, 570
AdminSDHolder object, abusing, 364–366
advanced persistent threats (APTs), 11
agents
Command and Control, 127–128
PowerShell Empire, 319–320
WinRM, 321–322
agriculture and breeding, IoT things for, 394
AKIA (access keys) in AWS, 572
Alias groups in Active Directory, 346
allocators in VMMs, 470
AllSigned execution policy, 308
Amazon Resource Name (ARN) format, 570
Amazon Web Services (AWS)
attacker tools overview, 575–576
authentication, 571–583
authorization, 568–570
vs. Azure, 586–587
best practices, 570–571
Boto library, 576
environment setup, 571
introduction, 567
keys and key material, 572–575
PACU Framework, 576
permissions, 577–578
readings, 583
RedBoto, 576–577
references, 583–584
services, locations, and infrastructure, 568
summary, 583
system internals, 580–583
unauthorized actions, 579–580
ampersands (&) in C language, 26
amplitude plots in SCRAPE process, 457
AMSI. See Antimalware Scan Interface (AMSI)
analog-to-digital conversion (ADC) resolution in SDR, 448
Analyze phase in SCRAPE process, 454–461
annotations in Ghidra, 78, 80–83
Antimalware Scan Interface (AMSI)
domain recon, 352
Evil-WinRM, 340
PowerShell Empire, 131, 318–319
PowerSploit, 315
system recon, 348
AntivirusBypass subdirectory in PowerSploit, 314
API Servers in Kubernetes
attacking, 636–638
description, 624
finding, 627–628
fingerprinting, 625–626, 628–630
applications
containers, 611–613
diffing, 369–370
penetration testing, 115
APT29 attack data, 186
APT334 group, 120
APTs (advanced persistent threats), 11
arbitrary_read_near function, 556
arbitrary reads in hypervisor case study, 555–556
arbitrary_write function, 561
ARM architectures
embedded devices, 410–411
interface descriptions, 418–419
pinouts, 420–421
ARN (Amazon Resource Name) format, 570
ARP (Address Resolution Protocol), 436
Ashton, Kevin, 393
ASLR. See address space layout randomization (ASLR)
assembly language
addressing modes, 40
AT&T vs. NASM, 37–40
file structure, 41
vs. machine language and C, 37
sample program, 41
assert function, 496
asynchronous transfer lists in EHCI controller, 548
AT&T assembly language, 37–40
AtomicRedTeam attacker emulation, 181–183
Attack Navigator, 118
attack surfaces for hypervisors, 487–489
attack vectors
exploit development, 215–216
Windows exploitation, 264–266
Aufs file system, 608
auth function, 219–221
authenticated vulnerability scanning, 113
authentication in AWS
attacker tools overview, 575–576
introduction, 571
keys and key material, 572–575
PACU Framework, 576
permissions, 577–578
RedBoto, 576–577
system internals, 580–583
unauthorized actions, 579–580
authorization in AWS, 568–570
automotive industry, IoT things for, 394
aviation industry, IoT things for, 394
AWS. See Amazon Web Services (AWS)
Azure
accounts for DetectionLab installation, 158–159
Active Directory, overview, 591
Active Directory, password spraying, 596–597
Active Directory, permissions, 591–593
Active Directory, user lookups, 594–595
attack overview, 593–594
vs. AWS, 586–587
backdoors on nodes, 600
CLI tool, 589
control plane and managed identities, 598–600
introduction, 585
lab setup, 587–590
overview, 585–586
readings, 601
references, 601
summary, 601
Azure Functions for Windows, 587
Azure Portal, 588–590
B
b64 script, 310–311
backdoors on nodes in Azure, 600
bad characters in Windows exploits, 268
bandwidth in SDR, 448
base indexed relative addressing mode, 40
Base64-encoded strings, 310, 319
based relative addressing mode, 40
bastion host design in AWS, 570
bcdedit command, 285
beacon times, 128
behavior-sensitive CPU instructions, 470–471
best practices in AWS, 570–571
Bianco, David J., 123
big-endian memory order, 32
binary diffing
application, 369–370
BinDiff, 372–373
Ghidra, 83–86
introduction, 369
patch, 370–371
tools overview, 371–372
turbodiff, 374–378
Binary Launcher screen in Covenant, 133–134
bind shells, 129
BinDiffHelper plug-in, 83
BinExport plug-in, 84
binkit tool, 371
BinNavi tool, 372
bits, memory, 31
black hat hacking
advanced persistent threats, 11
Cyber Kill Chain, 11–14
description, 4
MITRE ATT&CK framework, 14–17
Blichmann, Christian, 372
Block Storage in AWS, 570–571
BloodHound tool, 356–357
Bluetooth Low Energy protocol, 395
boot drivers, 282
boot message implementation in unikernel, 497–499
booting in unikernel, 489–492
bootloaders for embedded devices, 421–422
bootstrapping via web, 311–313
Boto library, 576
breaking out of containers, 616–620
breakpoints
gdb, 42
Ida Pro, 104–106
Immunity Debugger, 254–256
Windows kernel drivers, 292
brute-force strategy for stack canaries, 226
.bss section in memory, 33
buffer overflows
Linux, 65–67
local, 207–212
overview, 201–206
ramifications, 206
sample program, 203–204
buffers, memory, 34
bug bounty programs, 10
build_nim.sh command, 146
Bullock, Beau, 596
Bus Pirate tool, 415
BusyBox container, 618
Bypass-4MSI command, 340
bypassing
ASLR, 228–231
KPTI, 241–243
memory, 271–272
NX stack, 222–225
PIE, 230–232
SafeSEH, 272–274
SMAP, 244–246
SMEP, 241–243
UAC, 319–320
bypassuac command, 319
Byt3bl33der user, 145
bytes, memory, 31
bzImage file, 233
C
C/C++ Optimizing Compiler and Linker, 250
C programming language
basic constructs, 21–22
comments, 29
compiling, 30–31
computer memory, 31–35
C programming language
functions, 22–23
if/else construct, 28–29
introduction, 21
loops, 27–28
printf command, 24–25
sample programs, 29–30
scanf command, 26
strcpy and strncpy commands, 26–27
variables, 23–24
C# programming language launchers, compiling and testing, 141–142
C2. See Command and Control (C2)
call command
assembly language, 39
stack operations, 200
call graphs in Ghidra, 79
Capture phase in SCRAPE process, 450–452
capture the flag (CTF) framework, 64–67
capturing password hashes, 325–331
CDM (Common Data Model), 176
cellular networks, 394
CERT (Computer Emergency Response Team) Coordination Center (CC), 9
cgroups. See control groups (cgroups) for containers
channels
SDR, 448
VMBus, 532–537
checksec shell script, 60
Chen, Dominic, 444
chroot technology for containers, 604
class IDs (CLSIDs) in system recon, 348
classically virtualizable VMMs, 471
clients in research frameworks, 500–508
clocks
I2C, 417
JTAG, 418
SPI, 416
SWD, 420
clone function, 608
cloud
Amazon Web Services. See Amazon Web Services (AWS)
Azure. See Azure
containers. See containers
DetectionLab installation in, 157–160
Kubernetes. See Kubernetes
penetration testing, 116
CLSIDs (class IDs) in system recon, 348
clusters in Kubernetes, 625–627, 632–633, 636–637
Code Browser in Ghidra, 74–77
Code Bytes, 77
Code class for research framework clients, 505–506
Code section in Immunity Debugger, 252–253
code segment in memory, 33
CodeExecution subdirectory in PowerSploit, 314
Cohen, Danny, 32
color schemes
IDA Pro, 96
Immunity Debugger, 254
Command and Control (C2)
C# launchers, 141–142
Covenant, 131–136
Cyber Kill Chain, 13
EDR evasion, 149–150
go launchers, 142–144
Metasploit, 128–131
network evasion, 147–149
Nim launchers, 144–147
overview, 127–128
payload obfuscation, 136–140
PowerShell Empire, 131, 316–322
readings, 150–151
summary, 150
command line
AWS, 568–569
local buffer overflows, 208–209
PowerShell, 309–310
commands and command execution
containers, remote, 614–615
PowerShell, 309–311
WinRM, 338–341
WMI, 337–338
comments
assembly language, 37–38
C language, 29
Ghidra Code Browser, 75–76
IDA Pro, 102
Python, 51
commit_creds() function, 236–238, 242
Common Data Model (CDM), 176
common_interrupt_return function, 242
Common Vulnerability Scoring System (CVSS) score, 114
communication
Internet of Things, 395
research framework clients, 500–504
unikernel, 489–497
compiling
C language, 30–31
C# launchers, 141–142
go launchers, 143–144
Nim launchers, 145–147
Windows programs, 250–252
compound USB devices, 542
Computer Emergency Response Team (CERT) Coordination Center (CC), 9
Computer Fraud and Abuse Act, 4
computer memory. See memory
Console – Scripting window in Ghidra Code Browser, 75
constant string references in Linux, 57–58
Construct module for research framework clients, 500–504
consultant red teams, 122
ContainerD interface, 612
containers
applications, 611–613
breakouts, 616–620
capabilities, 617–618
cgroups, 618–620
introduction, 603
Linux. See Linux containers
pivots, 616
privileged pods, 617–618
readings, 620–621
references, 621
remote commands, 614–615
security, 613–615
summary, 620
control fields in VMCS, 481
control groups (cgroups) for containers
abusing, 618–620
description, 604
looking at, 605–607
process mappings to, 615
control planes
Azure, 597–600
control-sensitive CPU instructions, 470–471
control transfers in USB, 542
controllers in Kubernetes, 624
ConvertFrom-SID cmdlet, 355
ConvertThreadToFiber function, 144
coordinated disclosure, 8–9
corporate red teams, 121–122
Covenant framework, 131–136
CPUs
embedded devices, 409–411
Popek and Goldberg virtualization theorems, 470
CR4 register in SMAP bypassing, 244–245
crashing Windows programs, 255–258
crc32 function, 496
CreateFiber function, 144
credentials
AWS, 575
Azure, 597
data-driven hunts, 177
gathering, 360–362
NTLM, 327
TTP, 119–120
WimRM, 320–322
Winexe, 333
cross-reference links in Ghidra Code Browser, 77
cross-references (xrefs) in IDA Pro, 96–97
CTE (cyber threat emulation), 16–17
CTF (capture the flag) framework, 64–67
CVSS (Common Vulnerability Scoring System) score, 114
Cyber Kill Chain
courses of action, 13–14
description, 11
steps, 12–13
cyber threat emulation (CTE), 16–17
cyber threat intel in MITRE ATT&CK framework, 15–16
cyclic_find function, 215
D
daemons in Docker, 612–613
Dai Zovi, Dino, 9
DAST (dynamic application security testing), 115
Data CRC field in USB packets, 543
Data Dictionaries (DD), 176
.data directive in assembly language, 41
data-driven hunts, 174, 177–180
Data Execution Prevention (DEP)
ProSSHD, 260
Windows exploitation, 274
data fields in USB packets, 543
data planes
Azure, 593
Kubernetes, 623
Data Reference Analyzer in Ghidra, 74
Data section in Immunity Debugger, 253
.data section in memory, 33
data sources, normalizing, 175–176
Data Type Manager in Ghidra Code Browser, 75
database joins, 190–191
DbMemmove structure, 297–298
DBT (dynamic binary translation) in x86 virtualization, 476
DCSync attacks, 362–363
DD (Data Dictionaries), 176
DDM (Detection Data Model), 176
DDoS (denial-of-service) attacks
buffer overflows, 206
IoT things, 404–405
debug interfaces for embedded devices, 418–421
debugging
disassembly, 44–45
gdb. See gdb debugger
IDA Pro, 102–107
Immunity Debugger, 252–259, 262–265
relative_read function, 554–555
Windows exploits, 267–269
Windows kernel, 284–285
Windows programs, 252–254
dec command, 39
deceive phase in Cyber Kill Chain, 14
decoding data SCRAPE process, 457–461
decompiler in Ghidra, 75, 78, 80–81
degrade phase in Cyber Kill Chain, 14
Dekel, Kasif, 286
del_region method, 506
delivery phase in Cyber Kill Chain, 12
delta_patch.py script, 383–384
denial-of-service (DDoS) attacks
buffer overflows, 206
IoT things, 404–405
deny phase in Cyber Kill Chain, 13
DEP (Data Execution Prevention)
ProSSHD, 260
Windows exploitation, 274
desc_string function, 558
describeInstances.py script, 579
describeUserData.py script, 579
destroy phase in Cyber Kill Chain, 14
detect phase in Cyber Kill Chain, 13
Detection Data Model (DDM), 176
detection engineering in purple teams, 125
DetectionLab
examining, 160
installing in cloud, 157–160
installing on host, 155–157
prerequisites, 154
determinism requirement for unikernel, 489
Developer Command Prompt, 250
_DEVICE_OBJECT structure, 283, 289
DeviceGuard, checking for, 350
DeviceIoControl function, 292–293
devices
IoT. See Internet of Things (IoT)
penetration testing, 116
USB, 542
VMBus, 534
dictionaries, Python, 50
diffing. See binary diffing
Digital Millennium Copyright Act, 4
digital rights management (DRM), 4
Disassembler section in Immunity Debugger, 252–253
disassemblers, IDA Pro. See Interactive Disassembler (IDA) Pro
disassembly
gdb debugger, 44–45
overview, 90–92
dispatch routines for kernel drivers, 283
dispatchers for VMMs, 470–471
disrupt phase in Cyber Kill Chain, 14
Distinguished Names (DNs), obtaining, 345
Dll-Loader command for Evil-WinRM, 340
DLLs (loaded modules) in Windows exploitation, 264–265
DNS
network evasion, 147–148
steps, 325–326
DNs (Distinguished Names), obtaining, 345
do_token_in function, 553
do_token_out function, 549
do_token_setup function, 545–546, 549
Docker
API interaction, 614–615
container capabilities, 617–618
daemons, 612–613
Dockerfiles, 609–611
Hyper-V images, 518–519
hypervisor case study, 541
Linux containers, 605–607
overview, 612
remote commands, 614–615
Docker-Compose orchestrator, 612
docker inspect command, 609
Docker Swarm, 612
docker volume command, 609
domain groups, obtaining, 345–346
domain recon
overview, 351
PowerShell, 352–354
PowerView, 354–356
SharpHound, 356–357
Donut-Loader command, 340
double words (DWORDs) in memory, 31
_DRIVER_OBJECT structure, 283, 288–289
DriverEntry function, 287
drivers in Windows kernel
interacting with, 292–296
obtaining, 286–287
overview, 282–284
reverse engineering, 287–288
target selection, 285–286
DRM (digital rights management), 4
Dullien, Thomas, 372
duplex in SDR, 448
DWORDs (double words) in memory, 31
dynamic application security testing (DAST), 115
dynamic binary translation (DBT) in x86 virtualization, 476
dynamic vulnerabilities analysis for embedded devices
with emulation, 440–445
with hardware, 436–440
E
EBP (Extended Base Pointer)
stack operations, 200–201
Windows exploitation, 279–280
Windows programs, 256
EC2. See Elastic Compute Cloud (EC2)
Economou, Nicolas, 371
EDR (endpoint detection and response), 149–150
EFER.LMSLE feature, 477
efficiency property for virtual machines, 471
EHCI (Enhanced Host Controller Interface) controller, 547–548
EIP. See Extended Instruction Pointer (EIP)
EKS (Elastic Kubernetes Service), 625–626, 629
Elastic Compute Cloud (EC2)
permissions, 577–578
persistence, 580–582
service delivery, 568
unauthorized actions, 579–580
Elastic Kubernetes Service (EKS), 625–626, 629
elevated privileges with Winexe, 333
Elfin group, 120
embedded devices
CPUs, 409–411
debug interfaces, 418–421
introduction, 409
JTAG, 418–420
readings, 424
references, 425
serial interfaces, 411–417
software, 421–423
summary, 424
SWD, 420–421
update packages, 427–432
embedded devices vulnerabilities analysis
dynamic, with emulation, 440–445
dynamic, with hardware, 436–440
performing, 432–435
readings, 446
references, 446
static, 427–435
summary, 445
Empire tool. See PowerShell Empire
encoded commands in PowerShell, 310–311
encodedcommand option in PowerShell, 306, 310, 312
encryption for network evasion, 147
end of message (EOM) MSRs in Hyper-V, 528
endpoint addresses in USB packets, 543
endpoint detection and response (EDR), 149–150
endpoints
finding, 627
USB, 542
energy industry, IoT things for, 394
Enhanced Host Controller Interface (EHCI) controller, 547–548
Enter-PSSession cmdlet, 366
Entropy Legend sidebar in Ghidra Code Browser, 77
EnumDeviceDrivers function, 299
environment/arguments section in memory, 33–34
environment setup
AWS, 571
Docker, 615
embedded device vulnerability analysis, 436
Hyper-V, 517–519
Linux containers, 604–605
Linux kernel exploits, 233–234
vulnerable program, 219–220
EOM (end of message) MSRs in Hyper-V, 528
epilogs for function, 201
_EPROCESS structure, 296–297, 299–301
EPT pointer (EPTP), 482–483
EPTs (Extended Page Tables), 482–483
equivalence property for virtual machines, 471
escalate_privileges function, 238, 242
escalation of privileges
Active Directory recon, 359
description, 16
Kerberos, 360–364
local, 357–359
SharpUp, 358–359
user object passwords, 359–360
winPEAS, 357–358
escape sequences in strings, 34
ESP (Extended Stack Pointer)
offsets, 264
stack operations, 200–201
Windows programs, 256
Etcd store in Kubernetes, 624
ethical hacking history, 6–9
ethics in gray hat hacking, 5
Ettercap tool, 436–440
ETW (Event Tracing for Windows) events, 145
EtwEventWrite function, 145–146
event IDs in data-driven hunts, 180
Event Tracing for Windows (ETW) events, 145
Evil-WinRM tool, 338–341
except_handler function, 272
exception handling
fuzzing, 513–514
Windows programs, 257, 270–272
EXCEPTION_REGISTRATION structure, 270–271
exec command in Docker, 615
Execute phase in SCRAPE process, 464
execution policies in PowerShell, 308–309
Exfiltration folder in PowerSploit, 314
expand tool for patches, 381
exploit command
Metasploit, 130
payload obfuscation, 139
exploitation phase in Cyber Kill Chain, 12
Exports tab in IDA Pro, 96
Extended Base Pointer (EBP)
stack operations, 200–201
Windows exploitation, 279–280
Windows programs, 256
Extended Instruction Pointer (EIP)
buffer overflows, 202–206
controlling, 212–214
offsets, 264
stack operations, 200–201
Windows programs, 257
Extended Page Tables (EPTs), 482–483
Extended Stack Pointer (ESP)
offsets, 264
stack operations, 200–201
Windows programs, 256
external symbols in IDA Pro, 93
F
f-maps for hardware virtualizer, 473
failure condition in PowerShell, 307–309
fast hypercalls in Hyper-V, 529–530
fast (re)booting in unikernel, 489
fat applications in penetration testing, 115
faults, VM, 472–473
federated tenants in Azure, 595
FFI (Foreign Function Interface) bindings, 293
fgets() function, 370
files
assembly language, 41
AWS storage, 570–571
Python, 51–52
Find-InterestingDomainAcl cmdlet, 361
findpeersh function, 216
fingerprint option in Responder, 329
fingerprinting API Servers, 625–626, 628–630
FirmAE tool, 440–445
firmware emulation, 441–445
first chance exceptions in Windows programs, 257
Flake, Halvar, 372
flip_bits method, 513
flow arrows in Ghidra Code Browser, 76
flow graphs in Ghidra, 79
for loops in C language, 27–28
Foreign Function Interface (FFI) bindings, 293
format strings for C print command, 24–25
free() function, 33
frequency
SCRAPE process, 455
SDR, 448
FromBase64String function, 319
full address-space leak primitive in hypervisor case study, 556–558
Full Disclosure mailing list, 8
full duplex in SDR, 448
full outer joins, 191
full public disclosure, 8
full vendor disclosure, 7
function addresses in USB packets, 543
Function Analyzer in Ghidra, 74
function-calling procedures in stack operations, 199–201
functionality in Ghidra, 72–73
functions
C language, 22–23
finding pointers to, 559–560
kernel drivers, 283
fuzzing
base class, 509–510
exception handling, 513–514
IO-Ports, 510–511
MSR fuzzer, 511–513
research frameworks, 508–515
tips and improvements, 514–515
G
g_free function, 559
g_spawn_command_line_async function, 559–561
gadgets
one-gadgets, 62–63
ROP, 222
Ropper Console, 242–243
SMAP bypass, 244–245
Windows exploitation, 274–278
gcc compiler, 30–31
gdb debugger
basics, 42–45
buffer overflows, 203–206, 211–213, 216–217
extension, 64
function pointers, 559–560
IDA Pro, 103–104
IRQState, 561
Linux kernel exploits, 235
Linux vulnerable program setup, 220–223
segmentation faults, 202
gdbserver command, 105
general operating systems for embedded devices, 423
General Options in IDA Pro, 100
General Registers in IDA Pro, 104, 107
general registers in Intel processors, 36
Generation-1 VMs, scanning devices in, 522–523
Generation-2 VMs, scanning devices in, 523–524
Gerstenkorn, Ryan, 580
Get-ChildItem cmdlet, 348
GET command
network evasion, 148–149
ProSSHD server exploitation, 259
unikernel communication, 494
Get-ComputerInfo cmdlet, 349–350
Get-DomainObjectAcl cmdlet, 355
get_kernel_base function, 300
Get-LocalUser command, 339
GetDeviceDriverBaseNameA function, 299
getEC2WinCreds.py script, 580
getpid command, 142
GetProcAddress function, 300
GetProcessHeap function, 91
gets() function, 370
getuid command, 130
ghh_read function, 235
ghh_seek function, 244
ghh_write function, 235
Ghidra tool
binary diffing and patch analysis, 83–87
Code Browser, 74–77
decompiler, 78
functionality, 72–73
graphs, 78–79
installing, 72
introduction, 71
program analysis, 73–74
program annotations, 78
project workspace, 72
readability, 80–83
readings, 88
references, 88
search, 77
summary, 87
vulnerabilities analysis, 432–435
global namespace in Windows kernel, 293
Global Offset Tables (GOTs), 57, 229
globally unique identifiers (GUIDs), 521
GNU Radio Companion tool, 451–452
go launchers, 142–144
goal-oriented penetration testing, 114
Goldberg, Robert P., 470
Goldberg’s hardware virtualizer, 472–474
Golden Tickets
creating, 119
GOTs (Global Offset Tables), 57, 229
gpa_range function, 535
gpa_range_size function, 535
GPADLs (Guest Physical Address Descriptor Lists), 534–537
GPAs. See guest physical addresses (GPAs)
GPFNs (guest page frame numbers), 534–535, 537
Grand, Joe, 412
Graph Overview window in IDA Pro, 94
graphs
Ghidra, 78–79
IDA Pro, 95
gray hat hacking overview
black hat hacking, 11–17
bug bounty programs, 10
definition, 5–6
ethical hacking history, 6–9
ethics, 5
history, 3–5
introduction, 3
readings, 18
references, 18–20
summary, 17
greeting() function, 255–256, 258
Group groups, 346
groups in Active Directory, 345–346
Grunts in Covenant, 132–135
/GS switch for Windows compiler, 252
GsDriverEntry for Windows kernel drivers, 287
GuardDuty
AWS, 574
RedBoto, 576
guest OS identity MSRs, 524
guest page frame numbers (GPFNs), 534–535, 537
Guest Physical Address Descriptor Lists (GPADLs), 534–537
guest physical addresses (GPAs)
EPTs, 482
hypercalls, 529–530
shadow paging, 477–479
x86 virtualization, 477–478
guest state in VMCS, 481
guest virtual addresses (GVAs)
EPTs, 482–483
x86 virtualization, 478
guests in research framework clients, 504–506
GUIDs (globally unique identifiers), 521
GVAs (guest virtual addresses)
EPTs, 482–483
x86 virtualization, 478
H
HAL (Hardware Abstraction Layer), 282
half duplex in SDR, 448
Ham It Up Nano add-on, 448
handler tool in Metasploit, 130
handling
exceptions, 257, 270–272, 513–514
unikernel requests, 499–500
handshakes for USB packets, 543
Hardware Abstraction Layer (HAL), 282
hardware assisted virtualization
EPT, 482–483
introduction, 480
VMX, 480–482
hardware for vulnerabilities analysis, 436–440
hardware virtualizer, 472–474
hashes, capturing, 325–331
Heap Made Easy (HeapME) tool, 67–69
heap section in memory, 33
HeapAlloc function, 91–92, 96–97
HELK threat hunting lab, 161–163
help command in Metasploit, 130
Hex Dump section in Immunity Debugger, 253
honeyscores, 401
hooks in EDR evasion, 150
host state area in VMCS, 481
hosts
DetectionLab installation on, 155–157
recon, 344
USB, 542
hotkeys in IDA Pro, 100–101
HTTP in network evasion, 148–149
hubs, USB, 542
HV_MESSAGE structure, 527
HvCallCreatePort method, 526, 528
HvCallEnablePartitionVtl method, 521
HvCallEnableVpVtl method, 521
HvCallFlushVirtualAddressList hypercall, 530
HvCallFlushVirtualAddressSpace hypercall, 530
HvCallPostMessage method, 527, 532, 535–536
HvCallSignalEvent method, 528, 537
HvCallVtlCall method, 522, 525
HvCallVtlReturn method, 522, 525
HVCI (Hypervisor-protected Code Integrity), 521
hybrid virtual machines (HVMs), 471–472
Hyper-V hypervisor
architecture, 519
components, 519–521
environment setup, 517–519
Generation-1 VMs, 522–523
Generation-2 VMs, 523–524
hypercalls, 528–531
introduction, 517
readings, 538–539
references, 539
summary, 538
synthetic interface, 524–531
Virtual Trust Levels, 521–522
VMBus, 532–538
worker processes, 519–521
hypercall page MSRs, 524–525
hypercalls in Hyper-V, 528–531
hyperv_guest.py script, 518
hypervisor case study
arbitrary reads, 555–556
EHCI controller, 547–548
exploit launching, 562
full address-space leak primitive, 556–558
function pointers, 559–560
introduction, 541
IRQState, 561
module base leak, 558
readings, 563
references, 563
relative read primitive, 553–555
relative write primitive, 552–553
hypervisor case study
ret2lib technique, 559–560
summary, 562
trigger development, 546–552
USB basics, 542–546
Hypervisor-protected Code Integrity (HVCI), 521
hypervisors
attack surfaces, 487–489
description, 469–470
dynamic binary translation, 476
Goldberg’s hardware virtualizer, 472–474
hardware assisted virtualization, 480–483
Hyper-V. See Hyper-V hypervisor
paravirtualization, 479–480
Popek and Goldberg virtualization theorems, 470–472
references, 484–485
ring compression, 476–477
summary, 483
types, 474–475
x86 virtualization, 475–480
hypothesis-driven hunts
exploring, 183–186
overview, 174–175
I
I/O Request Packet (IRP) in kernel drivers, 283
I2C (Inter-Integrated-Circuit), 417
IAM (Identity and Access Management) service, 569
iconv function, 310
ICS (industrial control systems), IoT things for, 399
ICs (integrated circuits), 409
ICs (Integration Components), 520–521
IDA Pro. See Interactive Disassembler (IDA) Pro
identities in Azure, 598–600
Identity and Access Management (IAM) service, 569
Identity Metadata Service (IMDS), 574
identity providers (IdPs), 591–592, 595
IDS/IPS evasion, 147
IDTR registers, 475
IDTs (Interrupt Descriptor Tables), 526
fuzzers, 514
x86 virtualization, 475
if/else construct in C language, 28–29
IMDS (Identity Metadata Service), 574
immediate addressing mode, 40
Immunity Debugger
attack vectors, 264–265
offsets, 262–264
Windows programs, 252–259
Impacket script, 334
impact ratings in penetration test reports, 117–118
import_keys command, 578
Imports tab in IDA Pro, 96
inc command, 39
incentives in bug bounty programs, 10
indentation in Python, 52
independent living, IoT things for, 394
index patterns
hypothesis-driven hunts, 187
Kibana, 165–166
indexed relative addressing mode, 40
indicators of compromise (IOCs), 119
industrial control systems (ICS), IoT things for, 399
info functions command, 45
information-gathering tools in Linux, 55–64
information leaks
ASLR bypassing, 228–230
PIE bypassing, 230–232
Information section in Immunity Debugger, 253
infrastructure, AWS, 568
inheritance in Azure, 586
initramfs.cpio file, 233
injectCreateRemoteThread function, 146
inner joins in queries, 191
innocuous CPU instructions, 470–471
Inspectrum analyzer for SCRAPE process, 456–457, 463
install_idt method, 514
installing
Cyber Kill Chain, 12–13
DetectionLab in cloud, 157–160
DetectionLab on host, 155–157
Ghidra, 72
HELK, 161–163
winlogbeat, 163–164
instance metadata in AWS, 573
instruction pointer in Windows exploitation, 260–262
int instruction, 40
integrated circuits (ICs), 409
Integration Components (ICs), 520–521
Intel-driven hunts, 174
Intel processors, 36–37
Inter-Integrated-Circuit (I2C), 417
Interactive Disassembler (IDA) Pro
comments, 102
cross-references, 96–97
debugging, 102–107
disassembly overview, 90–92
features and functionality overview, 96
function calls, 98
introduction, 89
navigating, 92–96
opcodes and addressing, 100
proximity viewer, 99–100
readings, 107
references, 107
reverse engineering, 89
shortcuts, 100–101
summary, 107
InternalAddPrinterDriverEx function, 388
Internet of Things (IoT)
communication protocols, 395
embedded devices. See embedded devices
introduction, 393
MQTT, 402–404
readings, 406
references, 406–407
security concerns, 396
Shodan API, 401–402
Shodan command-line interface, 400–401
Shodan search engine, 396
summary, 405
types, 394
web interface, 397–400
wireless protocols, 394–395
worms, 404–405
Internet Protocol version 6 (IPv6) over Low-power Wireless Personal Area Networks (6LoWPAN), 395
interpreters for VMMs, 470
Interrupt Descriptor Table (IDTs), 526
fuzzers, 514
x86 virtualization, 475
Interrupt Return (iretq) instruction, 238, 242
Invoke-AtomicTest tool, 183–186
Invoke-Binary command, 340–341
Invoke-Expression cmdlet, 311, 339
Invoke-Mimikatz.ps1 script, 315
Invoke-Seatbelt module, 347
Invoke-WebRequest cmdlet, 311, 339, 599
IO-Ports fuzzer, 510–511
_IO_STACK_LOCATION structure, 283, 289–290
IoCreateDevice function, 288
IoCreateSymbolicLink function, 288
IOCs (indicators of compromise), 119
ioctl function, 298
IoT. See Internet of Things (IoT)
iov_from_buf function, 551
IPC$ share in Winexe, 332
ipython3 for SCRAPE process, 460
IRP (I/O Request Packet) in kernel drivers, 283
_IRP_MJ_DEVICE_CONTROL structure, 283, 289
IRP_MJ_ functions, 288
IRQState, finding, 561
J
jitter in Command and Control, 128
John the Ripper tool, 331, 360–361
joins in queries, 190–191
Joint Test Action Group (JTAG), 418–420
jq tool, 544–546
JSON
jq tool, 544–545
JSON Web Tokens (JWTs)
Azure, 599
Kubernetes, 633
JTAG (Joint Test Action Group), 418–420
JTAGulator tool, 412–413
jump commands, 39
JumpOpXref hotkey in IDA Pro, 98
Jupyter for threat hunting, 190–193
JWTs (JSON Web Tokens)
Azure, 599
Kubernetes, 633
K
kafkacat tool, 169
Kali, Python for, 45
KASLR (Kernel Address Space Layout Randomization), 246–248
Kerberoasting, 360–361
Kerberos
credential gathering, 360–361
privilege escalation, 361–364
kernel
Linux. See Linux kernel exploits
Windows. See Windows kernel exploits
Kernel Address Space Layout Randomization (KASLR), 246–248
kernel-land debuggers, 284
kernel-mode code signing (KMCS), 283
Kernel Page-Table Isolation (KPTI)
bypassing, 241–243
x86 virtualization, 477
keys and key material in AWS, 572–575
Kibana, 164
AtomicRedTeam attacker emulation, 182
index patterns, 165–166
queries, 166–167
KMCS (kernel-mode code signing), 283
KoreLogic ruleset, 331
Koret, Joxean, 371
_KPROCESS structure, 296
KPTI (Kernel Page-Table Isolation)
bypassing, 241–243
x86 virtualization, 477
Krebs, Brian, 404
Kube-proxy component, 624
kubectl exec command, 633
kubectl get pods command, 634
kubectl get svc command, 637
Kubelet component, 624
Kubernetes
API Servers, attacking, 636–638
API Servers, finding, 627–628
API Servers, fingerprinting, 625–626, 628–630
architecture, 623–624
attacks from within, 633–635
hacking overview, 630–631
introduction, 623
Kubestriker tool, 631–633
readings, 639
references, 639
summary, 639
Kubestriker tool, 631–633
L
L0pht group, 5
Lambda functions in AWS, 582
LAN Manager (LM), 326–327
launchers
C#, 141–142
go, 142–144
Nim, 144–147
ldd tool, 56
lea command, 39–40
leak-bof.c sample, 65–67
leak_bytes function, 230
leak_module_base function, 558–559
leak_multiple function, 558
leave statement in stack operations, 201
left joins in queries, 191
libc-database, 61
libraries
IDA Pro, 93
Linares, Greg, 381
Link Local Multicast Name Resolution (LLMNR)
overview, 325–326
linking C language, 30
Linux containers
cgroups, 604–607
environment setup, 604–605
internals, 604
namespaces, 607–608
overview, 603–604
storage, 608–611
Linux exploit development tools
HeapMe, 67–69
information-gathering tools, 55–64
introduction, 55
Pwntools, 64–67
Python gdb extension, 64
readings, 70
references, 70
summary, 70
Linux exploits
buffer overflows, local, 207–212
buffer overflows, overview, 201–206
development process, 212–217
introduction, 199
kernel. See Linux kernel exploits
readings, 217
stack operations and function-calling procedures, 199–201
summary, 217
vulnerable program, ASLR bypass, 228–230
vulnerable program, NX stack bypass, 222–225
vulnerable program, PIE bypass, 230–232
vulnerable program, readings, 232
vulnerable program, references, 232
vulnerable program, setup, 219–221
vulnerable program, stack canaries, 225–228
vulnerable program, summary, 232
Linux kernel exploits
gdb setup, 235–236
KASLR, 246–248
readings, 248
references, 248
ret2usr, 236–238
RIP overwriting, 236
setup, 233–234
SMAP bypassing, 244–246
SMEP and KPTI bypassing, 241–243
stack canaries, 238–241
summary, 248
listeners in Covenant, 132–134
Listing window in Ghidra Code Browser, 75–77
lists in Python, 49–50
little-endian memory order, 32
LLMNR (Link Local Multicast Name Resolution)
overview, 325–326
LM (LAN Manager), 326–327
loaded modules (DLLs) in Windows exploitation, 264–265
loadLib function, 146
LoadLibraryA function, 299–300
local buffer overflows
command lines, 208–209
NOP sleds, 207
Pwntools framework, 209–210
shellcode, 207–208
small buffers, 210–212
local privilege escalation, 357–359
locations in AWS, 568
Lockheed Martin Cyber Kill Chain, 11–14
log providers for data-driven hunts, 180
logging in PowerShell, 306
login sessions in WMI, 334–336
Long, Chris, 154
loops in C language, 27–28
ltrace utility, 59
M
MAC (media access control) addresses, 436
machine language
vs. assembly language, 37
disassembly, 90–92
macOS, Python for, 45
main() function in C language, 22
major functions in kernel drivers, 283
make deploy command, 582
make_vector_handler method, 514
malicious code, buffer overflows from, 206
malloc() function, 33
man-in-the-middle (MITM) attacks, 436
managed identities in Azure, 598–600
managed nodes in Kubernetes, 635
managed tenants in Azure, 594
management groups in Azure, 586
Mandatory Integrity Control (MIC) level, 320–321
manufacturing, IoT things for, 394
Martinez, Ramses, 10
Mayhem folder in PowerSploit, 314
MBI (multiboot info) area for unikernel messages, 498
media access control (MAC) addresses, 436
medical and healthcare, IoT things for, 394
memcpy function
IDA Pro, 99
Windows kernel drivers, 290
memmove() function, 290–292, 294–296
memory
buffers, 34
bypassing in Windows exploitation, 271–272
C language, 31–35
DetectionLab, 156
endian, 32
kernel, 282
pointers, 34–35
programs in, 32–34
random access memory, 31–32
sample program, 35
segmentation, 32
stack operations, 199–201
strings, 34
memory addresses in Ghidra Code Browser, 77
Memory Management Units (MMUs), 477–479
memory-mapped I/O (MMIO) access in Hyper-V, 520
memory-mapped I/O (MMIO) emulation in fuzzing, 514
Message Queuing Telemetry Transport (MQTT) services
playing with, 403–404
searching for, 402
unauthenticated access, 404
messages method for research framework clients, 507
Metasploit framework
introduction, 128
payload obfuscation, 136–140
shell creation, 129–131
Metcalf, Sean, 364
Meterpreter
node backdoors, 600
payload creation, 129–130
payload obfuscation, 136–140
MIC (Mandatory Integrity Control) level, 320–321
microcontrollers for embedded devices, 410
microprocessors for embedded devices, 410
Microsoft Online Services program, 10
Microsoft Patch Tuesday, 379–380
Microsoft Security TechCenter site, 379
Miller, Charlie, 9
Miller, Mark, 8
Mimikatz
detection engineering, 125
PowerShell for, 315–316
threat simulation and emulation, 119–120
WinRM, 321–322
mimikatz logonpasswords command, 321
MIPS architectures for embedded devices, 410–411
Mirai worm, 405
MITM (man-in-the-middle) attacks, 436
MITRE ATT&CK framework
Attack Navigator, 118
cyber threat emulation, 16–17
cyber threat intel, 15–16
data-driven hunts, 177–180
hypothesis-driven hunts, 174–175
introduction, 14–15
security engineering, 17
tactics, 15–16
threat hunting, 17
threat simulation and emulation, 120
mmap function
mapping randomization, 228
SMAP bypass, 244–246
MMIO (memory-mapped I/O) access in Hyper-V, 520
MMIO (memory-mapped I/O) emulation in fuzzing, 514
MMUs (Memory Management Units), 477–479
.model directive in assembly language, 41
model-specific registers (MSRs)
fuzzer, 511–513
synthetic, 524–528
module base leak in hypervisor case study, 558
module logging in PowerShell, 306
mona.py plug-in, 262–265
Monti, Eric, 310
Mordor datasets
threat hunting, 186–190
threat hunting labs, 168–169
mount command, 615
mov command, 38
MQTT (Message Queuing Telemetry Transport) services
playing with, 403–404
searching for, 402
unauthenticated access, 404
MSDELTA API for patches, 383
msfvenom tool
payload creation, 129
payload obfuscation, 136–140
MSOLSpray tool, 596
MSRs (model-specific registers)
fuzzer, 511–513
synthetic, 524–528
MT enumeration, 493
multiboot info (MBI) area for unikernel messages, 498
multiboot_tag_mmap structure, 499
multitasking OS kernel, 472–474
multitenant environments in AWS, 567
myAtoi program, 90–94
N
n-day exploits, 371
namespaces for Linux containers, 607–608
NASM (Netwide Assembler) assembly language, 37–40
native_write_cr4 function, 244
NBNS (NetBIOS Name Service), 325–326
Neo4j viewer, 356–357
nested virtualization, 471
NetBIOS Name Service (NBNS), 325–326
Netwide Assembler (NASM) assembly language, 37–40
network evasion
alternate protocols, 147–148
C2 templates, 148–149
encryption, 147
network penetration testing, 115
next-generation patch exploitation
binary diffing, 369–378
introduction, 369
Microsoft Patch Tuesday, 379–380
patch acquisition and extraction, 380–388
readings, 390
references, 390
summary, 389–390
Next SEH (NSEH) value in Structured Exception Handling, 271
nibbles, memory, 31
Nickels, Katie, 14
Nim launchers, 144–147
No More Free Bugs sign, 9
no operation (NOP) command sleds
exploit development, 215–216
local buffer overflows, 207
nodes, backdoors on, 600
non-executable stack (NX), bypassing, 222–225
non-root mode in VMX, 480
nonces for hashes, 327
NOP (no operation) command sleds
exploit development, 215–216
local buffer overflows, 207
normalizing data sources, 175–176
NSEH (Next SEH) value in Structured Exception Handling, 271
NT LAN Manager (NTLM), 326–327
null_mut() function, 293
numbers in Python, 48–49
NX bit in Data Execution Prevention, 274
NX (non-executable stack), bypassing, 222–225
O
o365spray tool, 596
obfuscation, payload, 136–140
objdump tool
payload obfuscation, 138–139
strings, 62–63
object code in C language, 30
objects in Python, 46–48
OCI (Open Container Initiative), 604
Offensive Nim repository, 145
offer requests for VMBus, 533–534
offsets
EIP, 213–215
Windows exploitation, 262–264
Oh, Jeong Wook, 371
on_boot method for fuzzing, 514
on-off keying in SCRAPE process, 456
1-day exploits, 371
one_gadget tool, 62–63
OOB (out-of-band) messages
debugging, 492
unikernel communication, 494–497
OOBAssert message, 497
OOBPRINT maco, 497
OOBType enumeration, 497
op_commit method, 507
op_exec method, 507
op_write method, 507
opcodes in IDA Pro, 100
Open Container Initiative (OCI), 604
Open Source Security Event Metadata (OSSEM) project
data-driven hunts, 177–180
data source normalization, 175–176
hypothesis-driven hunts, 186
Operand Analyzer in Ghidra, 74
operating frequency in SDR, 448
operating systems for embedded devices, 422–423
OpExec operations in unikernel requests, 500
OpWrite operations in unikernel requests, 500
Organizational Units (OUs), 352–355
OSSEM (Open Source Security Event Metadata) project
data-driven hunts, 177–180
data source normalization, 175–176
hypothesis-driven hunts, 186
Ostrom, Jason, 587–588
OUs (Organizational Units), 352–355
out-of-band (OOB) messages
debugging, 492
unikernel communication, 494–497
Output window in IDA Pro, 94–95
overflow_build method, 553
overflows, buffer. See buffer overflows
Overlay2 file system, 608
OverlayFS file system, 608
Overview Legend sidebar, 77
OwnTracks app, 404
P
PaaS (platform as a service), 603
packets, USB, 543–544
PACU Framework, 576–578
page frame numbers (PFNs), 478
paging in x86 virtualization, 477–479
paramiko module, 261
paravirtualization, 479–480
partitions in Hyper-V, 519
PAs (physical addresses) in x86 virtualization, 477–478
Pasknel, Victor, 404
pass-the-hash attacks, 327
passing commands in PowerShell, 309–310
passwords
hash capturing, 325–331
PowerShell Empire, 321–322
user objects, 359–360
Patch Storage Files (PSFs), 381
Patch Tuesday, 379–380
patchelf utility, 62
patches
Ghidra, 86–87
next-generation exploitation. See next-generation patch exploitation
USB, 544–546
PatchExtract tool, 381
Patchntdll function, 145
payload obfuscation, 136–140
PCI devices, scanning, 522–524, 547
PEBs (Process Environment Blocks), 271
penetration testing
application, 115
cloud, 116
network, 115
overview, 114
physical, 115–116
process, 116–117
permissions
buffer overflows, 206
persistence
Active Directory, 364–367
AWS, 580–583
Persistence directory in PowerSploit, 314
PFNs (page frame numbers), 478
physical addresses (PAs) in x86 virtualization, 477–478
physical penetration testing, 115–116
PIE (Position Independent Executable), bypassing, 230–232
pipes for USB devices, 542
pivots for containers, 616
Plaa, Cornelis de, 150
platform as a service (PaaS), 603
PLTs (Procedure Linkage Tables), 57, 229
pointers
arbitrary read/writes, 297–298
finding, 559–560
memory, 34–35
Pond, Weld, 5
pop command
assembly language, 38
ROP chains, 275
stack operations, 199
Popek, Gerald J., 470
Popek and Goldberg virtualization theorems, 470–472
portability
PowerShell, 307
unikernel, 489
ports
Docker, 612–614
EHCI controller, 560
fuzzing, 510–511
Responder, 329
serial, 412
USB, 542
Position Independent Executable (PIE), bypassing, 230–232
post-exploitation in modern Windows environments
Active Directory persistence, 364–367
domain recon, 351–357
escalation, 357–364
host recon, 344–346
overview, 343
privilege identification, 344–346
readings, 368
summary, 368
system recon, 348–351
user information, 346–348
POST requests in network evasion, 148–149
PowerShell Empire, 131
C2 staging, 317–318
introduction, 316
launching, 320–321
setting up, 316–317
threat simulation and emulation, 120
PowerShell exploitation
bootstrapping, 311–313
command-line commands, 309–310
domain recon, 352–353
encoded commands, 310–311
execution policies, 308–309
failure condition, 307–309
logging, 306
patch extraction, 381
portability, 307
PowerShell Empire, 316–322
PowerSploit, 313–316
readings, 323
references, 323
script loading, 307
summary, 323
system recon, 348–350
tools, 305–306
PowerShell launches in hypothesis-driven hunts, 186–188
PowerSploit
domain recon, 354
Mimikatz through, 315–316
setting up, 313–314
PowerView for domain recon, 354–356
prepare_kernel_cred function, 238, 242
Preview phase in SCRAPE process, 461–463
Prime Indoor Wireless Power Outlet remote, 450
printf command
buffer overflows, 204–205
C language, 24–25
PrintNightmare vulnerability, 383–384
PrivEsc directory in PowerSploit, 314
Privilege Escalation Awesome Script (winPEAS) tool, 357–358
privileged CPU instructions, 470–471
privileged pods for containers, 617–618
privileges
escalating. See escalation of privileges
identifying, 344–346
Winexe, 333
Procedure Linkage Tables (PLTs), 57, 229
procedure statements in C language, 22
Process Environment Blocks (PEBs), 271
processors
embedded devices, 410–411
Intel, 36–37
procfs module, 233–234
program annotations in Ghidra, 78
Program Trees in Ghidra Code Browser, 74
programmatic access keys, 568–569, 572–575
programming survival skills
assembly language, 37–42
C language. See C programming language
debugging, 42–45
Intel processors, 36–37
memory, 31–35
Python language. See Python programming language
readings, 53–54
references, 54
summary, 53
programs in computer memory, 32–34
project window in Ghidra, 72–73
project workspace in Ghidra, 72
Project Zero, 9
prologs for function, 200–201
ProSSHD server, exploiting, 258–260
protocols
Internet of Things, 394–395
network evasion, 147–148
proximity viewer (PV) in IDA Pro, 99–100
proxy detection, evading, 147
PSFs (Patch Storage Files), 381
PsInitialSystemProcess function, 300
PTES standards, 117
pth-wmic client, 334
ptrace command, 58
public disclosure, 8
purple teams
activities, 124–125
detection engineering, 125
overview, 120–121
readings, 126
references, 126
skills, 123–124
summary, 126
threat research, 124–125
PurpleCloud project, 587–588
push command
assembly language, 38
stack operations, 199
PUT command, 494
put_mbi function, 498–499
put_va function, 498
PV (proximity viewer) in IDA Pro, 99–100
Pwn2Own competition, 10
Pwntools framework
ASLR bypassing, 230
exploit development, 214–216
features, 65–67
function pointers, 560
introduction, 64–65
local buffer overflows, 209–210
PyBOMBS, 450–451
PyCommand plug-in, 275–276
Pyramid of Pain, 123–124
Python programming language
buffer overflows, 203–206
dictionaries, 50
files, 51–52
introduction, 45
lists, 49–50
numbers, 48–49
objects, 46–48
obtaining, 45–46
research framework clients, 500–508
sockets, 53
strings, 46–48
pywinrm tool, 338
Q
QEMU for Linux kernel exploits, 233–234
QH (Queue Head) elements in EHCI controller, 548
quadruple words (QWORDs) in memory, 31
queries
joins, 190–191
Kibana, 166–167
Queue Head (QH) elements in EHCI controller, 548
QWORDs (quadruple words) in memory, 31
R
radio frequency (RF). See software-defined radio (SDR)
Rain Forest Puppy (consultant), 8
random access memory (RAM), 31–32
Ranum, Marcus, 8
read_serial function, 492
readability of Ghidra, 80–83
reads
hypervisor case study, 555–556
pointer, 297–298
real-time operating system (RTOS) for embedded devices, 423
realloc() function, 33
Reaper worm, 405
Recon directory in PowerSploit, 314
reconnaissance
Cyber Kill Chain, 12
domain, 351–357
host, 344–346
MITRE ATT&CK framework, 16
modern Windows environments, 344–346
penetration testing, 117
system, 348–351
recv_msg function, 496
red teams
consultant, 122
corporate, 121–122
introduction, 111–112
maturity model, 112
penetration testing, 114–117
readings, 126
references, 126
summary, 126
threat simulation and emulation, 118–120
vulnerability scanning, 112–113
RedBoto tools, 576–577
Redis package for containers, 616
references to Linux constant strings, 57–58
register addressing mode, 40
register indirect addressing mode, 40
registers
IDA Pro, 104
Immunity Debugger, 252–253
Intel processors, 36–37
memory segmentation, 32
regular comments in IDA Pro, 102
regular functions in IDA Pro, 93
relative_read function, 553–555, 557
relative virtual addresses (RVAs) of symbols, 300
relative_write function, 552–554, 557
Release To Manufacturing (RTM) version of patches, 382–383
Relocation Read Only (RELRO) exploit mitigation technique, 232
remote commands for containers, 614–615
remote system access in Winexe, 332–333
RemoteMemory class for research framework clients, 505–507
RemoteSigned execution policy for PowerShell, 308
rep hypercalls, 530–531
repeatable comments in IDA Pro, 102
Replay phase in SCRAPE process, 452–454
repo
GitHub, 128
PurpleCloud, 588
reporting phase in penetration testing, 117–118
requests
unikernel, 499–500
USB, 544
VMBus, 533–534
research for threats, 124–125
research frameworks
clients, 500–508
fuzzing, 508–515
hypervisor attack surfaces, 487–489
references, 515
summary, 515
unikernel, 489–500
resilience of unikernel, 489
resource-control property for virtual machines, 471
resource groups in Azure, 586
resource mappings for VMMs, 472–473
Responder
obtaining, 327
password hash captures, 327–331
running, 328–329
responsible disclosure, 8–9
Restricted execution policy for PowerShell, 308
ret command, 39
ret2lib technique, 559–560
ret2libc technique, 275
ret2usr (return-to-user) exploit, 236–238
return-oriented programming (ROP)
ASLR bypass, 229–230
NX stack bypass, 222–225
Windows exploitation, 274–279
return-to-user (ret2usr) exploit, 236–238
reverse engineering in IDA Pro, 89
reverse shells, 129
RF (radio frequency). See software-defined radio (SDR)
RFS (root file system) for embedded devices, 428
Ridlinghafer, Jarrett, 10
ring 0 debuggers, 284
ring-buffer communication in VMBus, 537–538
ring compression in x86 virtualization, 476–477
RIP
leaking in PIE bypassing, 230–231
Ritchie, Dennis, 21
Rodriguez, Jose
contributions, 161
Jupyter notebooks, 191
Mordor, 168
OSSEM project, 176
threat hunting lab support, 154
Rodriguez, Roberto
HELK development, 161
Jupyter notebooks, 191
OSSEM project, 176
threat hunting lab support, 154
ROE (rules of engagement) in penetration testing, 116
roles in Azure, 590–592
root accounts in AWS, 568
root file system (RFS) for embedded devices, 428
root hubs in USB, 542
root mode in VMX, 480
root partitions in Hyper-V, 519
rop command, 275
ROP (return-oriented programming)
ASLR bypass, 229–230
NX stack bypass, 222–225
Windows exploitation, 274–279
ROP tool, 230
Ropper tool, 63–64
rpath tool, 56
RpcAddPrinterDriver function, 385–387
RpcAddPrinterDriverEx function, 386–388
RtlCopyMemory function, 144
RtlDispatchException routine, 272
RTM (Release To Manufacturing) version of patches, 382–383
RTOS (real-time operating system) for embedded devices, 423
Rubeus tool, 360
Ruby BlackBag tools, 310
Ruler tool, 120
rules of engagement (ROE) in penetration testing, 116
run-command feature in Azure, 586
run iam__bruteforce_permissions command, 578
RunningAsLUA function, 386
Rust, 292–296
RVAs (relative virtual addresses) of symbols, 300
S
S3 buckets in AWS, 569–571, 581
Safe Structured Exception Handling (SafeSEH), 272–274
Salvati, Marcello, 145
SAM (Security Account Manager)
attack emulation, 181–183
hypothesis-driven hunts, 183–185
obtaining, 177
SAML (Security Assertion Markup Language), 116, 571
samples per second rates in SDR, 448
SAST (static application security testing), 115
Satellite view in Ghidra, 79
saved frame pointer (SFP)
PIE bypass, 231
stack canaries, 225
scanf command, 26
scheduled tasks in AWS, 580–583
schedules
EHCI controller, 547–548
Kubernetes, 624
Schroeder, Will, 131
scp module, 261
SCP (Secure Copy Protocol), 259
SCRAPE process
Analyze phase, 454–461
Capture phase, 450–452
Execute phase, 464
introduction, 449
Preview phase, 461–463
Replay phase, 452–454
Search phase, 449–450
script block logging, 306
script loading, 307
SDLC (software development life cycle) process, application testing in, 115
SDProp process, 364
SDR. See software-defined radio (SDR)
search
Ghidra, 77
Shodan. See Shodan search engine
Search phase in SCRAPE process, 449–450
Seatbelt tool
system recon, 350–351
user information, 346–348
Second Level Address Translation (SLAT), 482–483
SecretAccessKey in AWS, 574
Secure Copy Protocol (SCP), 259
Security Account Manager (SAM)
attack emulation, 181–183
hypothesis-driven hunts, 183–185
obtaining, 177
Security Assertion Markup Language (SAML), 116, 571
security engineering in MITRE ATT&CK framework, 17
security for containers, 613–615
Security Information Event Management (SIEM) devices, 174
segment registers, 36
segmentation faults for buffer overflows, 202
segmentation of memory, 32
SEH (Structured Exception Handling), 270–271
SeLoadDriverPrivilege for kernel drivers, 282
serial interfaces
embedded devices, 411–417
SPI, 416–417
UART, 411–415
Serial Peripheral Interface (SPI), 416–417
serial ports for unikernel, 491
Serial Wire Debug (SWD) protocol, 420–421
server-side request forgery (SSRF) vulnerability, 573
Service Principal Names (SPNs) in Kerberos, 360
Service Principals in Azure, 587
ServiceAccount in Kubernetes, 632–634
services in AWS, 568
sessions command for payload obfuscation, 139
set follow-fork-mode child statement, 213, 220
Set-group identification (SGID), 206
Set-MPPreference command, 322
Set-user Identification (SUID), 206
setns() function, 608
setup_serial function, 492
SFP (saved frame pointer)
PIE bypass, 231
stack canaries, 225
SGID (Set-group identification), 206
Shacham, Hovav, 274
shadow paging in x86 virtualization, 477–479
shared libraries in Linux, 56
SharpBlock tool, 150
SharpHound tool, 356–357
SharpSploit framework, 141
SharpUp tool, 358–359
shell command, 130
shellcode
local buffer overflows, 207–208
Nim, 146
shellcraft package, 216
shells, Metasploit, 129–131
shells without exploits
password hash captures, 325–331
readings, 342
references, 342
summary, 341–342
Winexe, 332–333
WinRM, 338–341
WMI, 334–338
Shodan search engine
API, 401–402
command-line interface, 400–401
Internet of Things, 396
MQTT services, 402–404
shortcuts in IDA Pro, 100–101
SIDHistory object, abusing, 366–367
SIDs
converting, 355
domains, 363
obtaining, 344–346
SIDT (Store Interrupt Descriptor Table Register) instruction, 475
SIEFP (Synthetic Interrupt Event Flags Page) MSRs, 528
SIEM (Security Information Event Management) devices, 174
signatures in C functions, 22
SIMP (Synthetic Interrupt Message Page) MSRs, 527–528
simple hypercalls in Hyper-V, 530–531
simplicity property for unikernel, 489
SINTx (synthetic interrupt source) register MSRs, 526
6LoWPAN (Internet Protocol version 6 over Low-power Wireless Personal Area Networks), 395
sizeof() function, 23
skills for purple teams, 123–124
SLAT (Second Level Address Translation), 482–483
sleep() function, 261–262
slow hypercalls in Hyper-V, 529–530
small buffers in local buffer overflows, 210–212
SMAP (Supervisor Mode Access Prevention), bypassing, 244–246
smart things, 394
SMEP (Supervisor Mode Execution Protection), bypassing, 241–243
snprintf function, 26–27
SoC (System on Chip) for embedded devices, 410
sockets
Docker, 618
Python, 53
TCP, 127–128
software-defined radio (SDR)
buying, 447–449
introduction, 446
readings, 465
rules, 449
SCRAPE process. See SCRAPE process
summary, 464
software development life cycle (SDLC) process, application testing in, 115
software for embedded devices, 421–423
software-invisible traps in VMMs, 472
Software Publisher Certificates (SPCs), 286
Software Reverse Engineering (SRE) tools, 71
software-visible mappings in VMMs, 472–473
Sotirov, Alex, 9
SOWs (statements of work) for penetration testing, 114
SPAs (system physical addresses), 477–478, 482
SPCs (Software Publisher Certificates), 286
special registers, 36–37
SPFNs (system page frame numbers), 478
SPI (Serial Peripheral Interface), 416–417
SplAddPrinterDriverEx function, 388
SPNs (Service Principal Names) in Kerberos, 360
spooling services, 383–388
SRE (Software Reverse Engineering) tools, 71
SSRF (server-side request forgery) vulnerability, 573
Stack Analyzer, 74
stack canaries, defeating, 225–228, 238–241
.stack directive in assembly language, 41
stack pointer in IDA Pro, 103
Stack section in Immunity Debugger, 253, 257
stack section in memory, 33
StackGuard, 225–228
stacks
hypervisors, 488
Linux exploits, 199–201
stageless payload generators, 129
standard USB requests, 544
statements of work (SOWs) for penetration testing, 114
static application security testing (SAST), 115
static vulnerabilities analysis for embedded devices, 427–435
status transactions for USB devices, 544
STIX (Structured Threat Information Expression) language, 15
storage, container, 608–611
Store Interrupt Descriptor Table Register (SIDT) instruction, 475
strace command, 58–59
strcpy() function
buffer overflows, 204
C language, 26–27
IDA Pro debugging, 104–106
Windows kernel drivers, 290
Windows programs, 255–256, 258
strings
buffer overflows, 201–202
memory, 34
Python, 46–48
strncpy command, 26–27
Structured Exception Handling (SEH), 270–271
Structured Threat Information Expression (STIX) language, 15
sub command, 38
subscriptions in Azure, 586
SUID (Set-user Identification), 206
Supervisor Mode Access Prevention (SMAP), bypassing, 244–246
Supervisor Mode Execution Protection (SMEP), bypassing, 241–243
supervisor-sensitive CPU instructions, 471
SWD (Serial Wire Debug) protocol, 420–421
SwitchToFiber function, 144
symAddr function, 146
symbol tables for C variables, 23
Symbol Tree in Ghidra Code Browser, 75–76
symbols
IDA Pro, 93
SCRAPE process, 456–461
SynIC (Synthetic Interrupt Controller) MSRs, 526
Synopsys report, 6
synthetic interface for Hyper-V, 524–531
Synthetic Interrupt Controller (SynIC) MSRs, 526
Synthetic Interrupt Event Flags Page (SIEFP) MSRs, 528
Synthetic Interrupt Message Page (SIMP) MSRs, 527–528
synthetic interrupt source (SINTx) register MSRs, 526
syscall instruction, 40
Sysdig tools, 636
sysenter instruction, 40
system assigned identities in Azure, 598–600
system calls in assembly language, 40
System Control Panel, 260
system() function, 222
system information in WMI, 334–336
system internals in AWS, 580–583
System on Chip (SoC) for embedded devices, 410
system page frame numbers (SPFNs), 478
system physical addresses (SPAs), 477–478, 482
system recon
PowerShell, 348–350
Seatbelt, 350–351
System Service Dispatcher, 282
T
tactics in MITRE ATT&CK framework, 15–16
tactics, techniques, and procedures (TTPs), 118–119
tailgating, 119
target setup in hypervisor case study, 546
tasks in Covenant, 135
TAXII (Trusted Automated Exchange of Intelligence Information) servers, 15
TCP ports for Kubernetes, 627
Tejeda, Huáscar, 67
telecommunications, IoT things for, 394
templates in network evasion, 148–149
tenants, Azure, 594–595
terraform show command, 329
test environment setup for vulnerabilities analysis, 436
testing, penetration, 114–117
.text directive in assembly language, 41
.text section in memory, 33
text view in IDA Pro, 95
TGSs (Ticket Granting Servers), 360
TGTs (Ticket Granting Tickets), 361
Thread Information Blocks (TIBs), 270–271
threads in shellcode, 141
threat hunting
AtomicRedTeam attacker emulation, 181–183
basics, 173
data-driven hunts, 177–180
description, 173
hypothesis-driven, 183–186
MITRE ATT&CK framework, 17
Mordor datasets, 186–190
normalizing data sources, 175–176
playbook, 190–194
readings, 195
references, 195–196
Spark and Jupyter, 190–194
summary, 195
types, 174–175
workflow, 175
threat hunting labs
description, 152
DetectionLab, 154–160
HELK, 161–163
Kibana, 164–167
Mordor, 168–169
options, 153–154
readings, 169–170
references, 170–171
summary, 169
winlogbeat, 163–164
threat simulation and emulation for red teams, 118–120
ThreatHunterPlaybook, 154
threats research, 124–125
TIBs (Thread Information Blocks), 270–271
Ticket Granting Servers (TGSs), 360
Ticket Granting Tickets (TGTs), 361
tickets in Kerberos, 360–361
tiers in USB devices, 542
time plots in SCRAPE process, 455–456
timing variances in Command and Control, 128
TLS-based evasion, 147
Token CRC field in USB packets, 543
_TOKEN structure, 296
tokens
AWS, 574–575
EHCI controller, 548–550
Kubernetes, 630–631
patch analysis, 545–546
payload obfuscation, 136–137
stealing in Windows kernel exploits, 296–297, 300–301
toolbar in Ghidra Code Browser, 74
TP enumeration
research framework clients, 502
unikernel communication, 493–494
transportation and logistics, IoT things for, 394
trap-and-emulate VMMs, 471
trigger_overflow method, 552
triggers in hypervisor case study
developing, 546–552
running, 551–552
triggering, 549–551
Trusted Automated Exchange of Intelligence Information (TAXII) servers, 15
TTPs (tactics, techniques, and procedures), 118–119
turbodiff tool, 374–378
Tuyl, Russel Van, 143
Type-1 hypervisors, 474–475, 488
Type-2 hypervisors, 474–475, 488
U
U-Boot bootloader for embedded devices, 421–422
UAC (User Account Control)
bypassing, 319–320
PowerSploit, 316
system recon, 351
UART (Universal Asynchronous Receiver-Transmitter) protocol, 411–415
UDP ports in Kubernetes, 627
UEFI (Unified Extensible Firmware Interface) architecture, 523–524
UMIP (User-Mode Instruction Prevention), 475
unauthenticated access to MQTT services, 404
unauthenticated vulnerability scanning in red teams, 113
UNC (Universal Naming Convention) paths in PowerShell, 312–313
Unified Extensible Firmware Interface (UEFI) architecture, 523–524
Uniform Resource Identifiers (URIs) in Kubernetes, 627–628
unikernel
boot message implementation, 497–499
booting, 489–492
communication, 489–497
overview, 489
request handling, 499–500
union file system (UnionFS), 608
Universal Asynchronous Receiver-Transmitter (UART) protocol, 411–415
Universal Naming Convention (UNC) paths in PowerShell, 312–313
Universal Serial Bus (USB) system
control transfers, 542
endpoints, 542
introduction, 542
packets, 543–544
patch analysis, 544–546
pipes, 542
standard requests, 544
universally unique identifiers (UUIDs), 534
unmanaged tenants in Azure, 595
Unrestricted execution policy in PowerShell, 308
unshare() function, 608
update packages for embedded devices, 427–432
UPNs (User Principal Names) in Azure, 595
URIs (Uniform Resource Identifiers) in Kubernetes, 627–628
usb_desc_get_string function, 557
usb_desc_string function, 556–557
usb_ehci_realize function, 560
usb_packet_copy function, 545, 549–553
usb_register_port function, 560
USB system. See Universal Serial Bus (USB) system
USBCMD register, 548
USBDescString object, 557–558
USBDevice structure, 552–556
USBPort structure, 560
User Account Control (UAC)
bypassing, 319–320
PowerSploit, 316
system recon, 351
user-land debuggers for Windows kernel, 284
User-Mode Instruction Prevention (UMIP), 475
User Principal Names (UPNs) in Azure, 595
user-sensitive CPU instructions, 471
UserData field in AWS, 579
UserDataSwap tool, 580–582
users
Azure accounts, 587
Azure Active Directory lookups, 594–595
finding information on, 346–348
password searches, 359–360
recon, 344
SIDs, obtaining, 344–346
UUIDs (universally unique identifiers), 534
V
Vagrant for DetectionLab, 156–157
validated vulnerability scanning by red teams, 113
ValidateObjectAccess function, 388
Van Eeckhoutte, Peter, 258, 265
variable-size header hypercalls in Hyper-V, 531
variables in C language, 23–24
VAs (virtual addresses) in x86 virtualization, 477–478
vendor disclosure, 7
VEs (Virtualization Exceptions), 483
vfprintf() function, 204
VID (Virtualization Infrastructure Driver), 520
VID Notification Dispatcher (VND), 520
virtual addresses (VAs) in x86 virtualization, 477–478
virtual machine control structure (VMCS), 481–482, 488
Virtual Machine Extensions (VMX) instruction set, 480–482
virtual machine monitors (VMMs). See hypervisors
Virtual Machine User Login role in Azure, 591–592
Virtual Machine Worker Process (vmwp.exe), 520
virtual machines (VMs)
AWS, 586
generations, 522–524
Hyper-V, 519
hypervisors. See hypervisors
ProSSHD server exploitation, 259
Windows kernel debugging, 284–285
Virtual Trust Levels (VTLs) in Hyper-V, 519, 521–522
VirtualAlloc function
Go launchers, 144
ROP chains, 275
VirtualBox, 155–156
Virtualization Exceptions (VEs), 483
Virtualization Infrastructure Driver (VID), 520
Virtualization Service Consumers (VSCs), 520
Virtualization Service Providers (VSPs), 520
virtualization stacks in hypervisors, 488
VirtualProtect function
Go launchers, 144
Nim launchers, 146
ROP chains, 276–278
VM-Enter transitions, 480
VM-Exit transitions
attack surfaces, 488–489
EPTs, 483
fuzzers, 514
reasons, 482
VMCS, 481–482
VMX, 480–481
worker processes, 520
VMBus
channels, 534–537
device listing, 534
Hyper-V, 532–538
initiation, 532–533
offer requests, 533–534
ring-buffer communication, 537–538
VMCALL method
hypercall page MSRs, 525
x86 virtualization, 480
VMCS (virtual machine control structure), 481–482, 488
vmlinux file, 233
vmmap vuln command, 231
VMMs (virtual machine monitors). See hypervisors
VMs. See virtual machines (VMs)
vmwp.exe (Virtual Machine Worker Process), 520
VMX (Virtual Machine Extensions) instruction set, 480–482
VND (VID Notification Dispatcher), 520
volatile RAM, 31–32
VSCs (Virtualization Service Consumers), 520
VSPs (Virtualization Service Providers), 520
VTLs (Virtual Trust Levels) in Hyper-V, 519, 521–522
vulnerabilities
application diffing, 370
disclosures history, 6–7
penetration testing, 114–117
red team scanning for, 112–113
vulnerabilities analysis for embedded devices
dynamic, with emulation, 440–445
dynamic, with hardware, 436–440
readings, 446
references, 446
static, 427–435
summary, 445
VxWorks RTOS, 423
W
WAF (web application firewall), AWS triggering of, 574
WaitForSingleObject command, 141–142
Warner, Justin, 131
WDK (Windows Driver Kit), 283
WDM (Windows Driver Model), 286
weaponization in Cyber Kill Chain, 12
wearable items, 394
web, bootstrapping via, 311–313
web application firewall (WAF), AWS triggering of, 574
web application penetration testing, 115
web interface for Internet of Things, 397–400
Web Proxy Auto-Discovery protocol, 328–329
Wei, Xiao, 541
Well-known groups for Active Directory, 346
while loops in C language, 27–28
White Hat Bug Bounty Program, 10
white hat hackers, 4
white space in Python, 52
whoami command
Convenant, 135
domain information, 352
kernel exploits, 302
Linux root, 202
PACU, 578
privilege identification, 320, 344–346
shell user ID, 333
SIDs, 367
user recon, 344
WinRM, 339
WHQL (Windows Hardware Quality Labs) Release signatures, 286
Wi-Fi, 395
Wilhelm, Felix, 618
win32_logonsession class, 334
WinDbg debugger, 284–285
Windows Defender
kernel exploits, 302
node backdoors, 600
PowerSploit, 316
system recon, 348
Windows Defender Exploit Guard, 272
Windows Driver Kit (WDK), 283
Windows Driver Model (WDM), 286
Windows exploitation
attack vectors, 264–266
compiling programs, 250–252
crashing programs, 255–258
Data Execution Prevention, 274
debugging programs, 252–254
exploit building, 266–267
exploit debugging, 267–269
exploit development process, 258
instruction pointer, 260–262
introduction, 249–250
kernel. See Windows kernel exploits
memory bypassing, 271–272
offsets, 262–264
post-exploitation. See post-exploitation in modern Windows environments
ProSSHD server, 258–260
readings, 280
references, 280
return-oriented programming, 274–279
SafeSEH, 272–274
Structured Exception Handling, 270–271
summary, 280
Windows Hardware Quality Labs (WHQL) Release signatures, 286
Windows kernel exploits
debugging, 284–285
drivers, interacting with, 292–296
drivers, obtaining, 286–287
drivers, overview, 282–284
drivers, reverse engineering, 287–288
drivers, target selection, 285–286
kernel overview, 281–282
pointer read/write, 297–298
readings, 302
references, 303
summary, 302
token stealing, 296–297
writing, 298–302
Windows Management Instrumentation (WMI)
command execution, 337–338
system information, 334–336
Windows Update tool, 379
Winexe tool, 332–333
winlogbeat, 163–164
winPEAS (Privilege Escalation Awesome Script) tool, 357–358
WinRAR utility, 120
WinRM tool
command execution, 338–341
PowerShell Empire launch, 320–321
threat simulation and emulation, 118–119
wireless protocols, 394–395
WMI Query Language (WQL) queries, 334
WMI (Windows Management Instrumentation)
command execution, 337–338
system information, 334–336
words, memory, 31
worker processes in Hyper-V, 520
workflow in threat hunts, 175
workspace in Ghidra, 72
worms in Internet of Things, 404–405
WPAD server for Responder, 328–329
WQL (WMI Query Language) queries, 334
wredir option in Responder, 328
write_serial function, 492
writes, pointer, 297–298
X
x86 virtualization
dynamic binary translation, 476
introduction, 475
paravirtualization, 479–480
ring compression, 476–477
shadow paging, 477–479
XD feature in Data Execution Prevention, 274
XOR-based encryption, evading, 147
xor command, 38–39
xrefs (cross-references) in IDA Pro, 96–97
Y
YAddPrinterDriverEx function, 387
YImpersonateClient function, 386
YIsElevationRequired function, 386–387
Yosifovich, Pavel, 281
YRestrictDriverInstallationToAdministrators function, 385–386
Z
Z-Wave protocol, 395
Zatko, Peiter “Mudge,” 5
Zhang, Ziming, 541
Zigbee protocol, 395
zones in Kubernetes, 623