Part I Introduction to Ethical Disclosure
Chapter 1 Ethics of Ethical Hacking
Why You Need to Understand Your Enemy’s Tactics
Recognizing the Gray Areas in Security
How Does This Stuff Relate to an Ethical Hacking Book?
The Controversy of Hacking Books and Classes
Recognizing Trouble When It Happens
Where Do Attackers Have Most of Their Fun?
Security Does Not Like Complexity
Chapter 2 Ethical Hacking and the Legal System
Understanding Individual Cyberlaws
18 USC Section 1029: The Access Device Statute
18 USC Section 1030 of the Computer Fraud and Abuse Act
18 USC Sections 2510, et seq., and 2701, et seq., of the Electronic Communication Privacy Act
Digital Millennium Copyright Act (DMCA)
Cyber Security Enhancement Act of 2002
Securely Protect Yourself Against Cyber Trespass Act (SPY Act)
Chapter 3 Proper and Ethical Disclosure
Different Teams and Points of View
Full Disclosure Policy—the RainForest Puppy Policy
Organization for Internet Safety (OIS)
Pros and Cons of Proper Disclosure Processes
So What Should We Do from Here on Out?
Part II Penetration Testing and Tools
Chapter 4 Social Engineering Attacks
How a Social Engineering Attack Works
Conducting a Social Engineering Attack
Common Attacks Used in Penetration Testing
Preparing Yourself for Face-to-Face Attacks
Defending Against Social Engineering Attacks
Chapter 5 Physical Penetration Attacks
Why a Physical Penetration Is Important
Conducting a Physical Penetration
Defending Against Physical Penetrations
Why Simulating an Insider Attack Is Important
Gaining Local Administrator Privileges
Defending Against Insider Attacks
Chapter 7 Using the BackTrack Linux Distribution
Installing BackTrack to DVD or USB Thumb Drive
Using the BackTrack ISO Directly Within a Virtual Machine
Creating a BackTrack Virtual Machine with VirtualBox
Booting the BackTrack LiveDVD System
Exploring the BackTrack X Windows Environment
Persisting Changes to Your BackTrack Installation
Installing Full BackTrack to Hard Drive or USB Thumb Drive
Creating a New ISO with Your One-time Changes
Using a Custom File that Automatically Saves and Restores Changes
Exploring the BackTrack Boot Menu
Using the Metasploit Console to Launch Exploits
Exploiting Client-Side Vulnerabilities with Metasploit
Penetration Testing with Metasploit’s Meterpreter
Automating and Scripting Metasploit
Chapter 9 Managing a Penetration Test
Locations of the Penetration Test
Organization of the Penetration Testing Team
Phases of the Penetration Test
Testing Plan for a Penetration Test
Structuring a Penetration Testing Agreement
Execution of a Penetration Test
Access During the Penetration Test
External and Internal Coordination
Information Sharing During a Penetration Test
Reporting the Results of a Penetration Test
Chapter 10 Programming Survival Skills
Putting the Pieces of Memory Together
Chapter 11 Basic Linux Exploits
Ramifications of Buffer Overflows
Local Buffer Overflow Exploits
Exploiting Stack Overflows from the Command Line
Exploiting Stack Overflows with Generic Exploit Code
Chapter 12 Advanced Linux Exploits
Chapter 13 Shellcode Strategies
Other Shellcode Considerations
Chapter 14 Writing Linux Shellcode
Shell-Spawning Shellcode with execve
Implementing Port-Binding Shellcode
Assembly Program to Establish a Socket
Implementing Reverse Connecting Shellcode
Reverse Connecting Assembly Program
Structure of Encoded Shellcode
Automating Shellcode Generation with Metasploit
Generating Shellcode with Metasploit
Encoding Shellcode with Metasploit
Compiling and Debugging Windows Programs
Debugging on Windows with OllyDbg
Exploit Development Process Review
Understanding Structured Exception Handling (SEH)
Understanding Windows Memory Protections (XP SP3, Vista, 7, and Server 2008)
Stack-Based Buffer Overrun Detection (/GS)
Safe Structured Exception Handling (SafeSEH)
SEH Overwrite Protection (SEHOP)
Data Execution Prevention (DEP)
Address Space Layout Randomization (ASLR)
Bypassing Windows Memory Protections
Summary of Memory Bypass Methods
Chapter 16 Understanding and Detecting Content-Type Attacks
How Do Content-Type Attacks Work?
Which File Formats Are Being Exploited Today?
Analyzing a Malicious PDF Exploit
Implementing Safeguards in Your Analysis Environment
Tools to Detect Malicious PDF Files
Tools to Test Your Protections Against Content-type Attacks
How to Protect Your Environment from Content-type Attacks
Disable JavaScript in Adobe Reader
Enable DEP for Microsoft Office Application and Adobe Reader
Chapter 17 Web Application Security Vulnerabilities
Overview of Top Web Application Security Vulnerabilities
Cross-Site Scripting Vulnerabilities
Testing Web Applications to Find SQL Injection Vulnerabilities
Cross-Site Scripting Vulnerabilities
Explaining Cross-Site Scripting
How to Protect Against VoIP Attacks
Which Protocols Does SCADA Use?
SCADA Fuzzing with TFTP Daemon Fuzzer
Stuxnet Malware (The New Wave in Cyberterrorism)
How to Protect Against SCADA Attacks
Part IV Vulnerability Analysis
Why Bother with Reverse Engineering?
Reverse Engineering Considerations
The Utility of Source Code Auditing Tools
Automated Source Code Analysis
Manual Auditing of Binary Code
Automated Binary Analysis Tools
Chapter 21 Advanced Static Analysis with IDA Pro
Statically Linked Programs and FLAIR
IDA Pro Plug-In Modules and the IDA Pro SDK
IDA Pro Loaders and Processor Modules
Chapter 22 Advanced Reverse Engineering
Overview of the Software Development Process
Instrumented Fuzzing Tools and Techniques
SPIKE Static Content Primitives
Chapter 23 Client-Side Browser Exploits
Why Client-Side Vulnerabilities Are Interesting
Client-Side Vulnerabilities Bypass Firewall Protections
Client-Side Applications Are Often Running with Administrative Privileges
Client-Side Vulnerabilities Can Easily Target Specific People or Organizations
Internet Explorer Security Concepts
Internet Explorer Security Zones
History of Client-Side Exploits and Latest Trends
Client-Side Vulnerabilities Rise to Prominence
Notable Vulnerabilities in the History of Client-Side Attacks
Finding New Browser-Based Vulnerabilities
Protecting Yourself from Client-Side Exploits
Keep Up-to-Date on Security Patches
Run Internet-Facing Applications with Reduced Privileges
Chapter 24 Exploiting the Windows Access Control Model
Why Access Control Is Interesting to a Hacker
Most People Don’t Understand Access Control
Vulnerabilities You Find Are Easy to Exploit
You’ll Find Tons of Security Vulnerabilities
How Windows Access Control Works
Tools for Analyzing Access Control Configurations
Dumping the Security Descriptor
Special SIDs, Special Access, and “Access Denied”
Analyzing Access Control for Elevation of Privilege
Attack Patterns for Each Interesting Object Type
Attacking Weak DACLs in the Windows Registry
Attacking Weak Directory DACLs
What Other Object Types Are Out There?
Enumerating Shared Memory Sections
Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, Devices)
Chapter 25 Intelligent Fuzzing with Sulley
Monitoring the Process for Faults
Monitoring the Network Traffic
Postmortem Analysis of Crashes
Chapter 26 From Vulnerability to Exploit
Preconditions and Postconditions
Payload Construction Considerations
Chapter 27 Closing the Holes: Mitigation
Source Code Patching Considerations
Binary Patching Considerations
Third-Party Patching Initiatives
Chapter 28 Collecting Malware and Initial Analysis
Latest Trends in Honeynet Technology
Thwarting VMware Detection Technologies
Catching Malware: Setting the Trap