Foreword | p. xvii |
Introduction | p. xix |
Introduction to Ethical Disclosure | p. 1 |
Ethics of Ethical Hacking | p. 3 |
References | p. 8 |
How Does This Stuff Relate to an Ethical Hacking Book? | p. 8 |
Vulnerability Assessment | p. 9 |
Penetration Testing | p. 10 |
References | p. 11 |
The Controversy of Hacking Books and Classes | p. 11 |
The Dual Nature of Tools | p. 12 |
References | p. 14 |
Recognizing Trouble When It Happens | p. 14 |
Emulating the Attack | p. 15 |
Where Do Attackers Have Most of Their Fun? | p. 16 |
Security Does Not Like Complexity | p. 16 |
References | p. 17 |
Summary | p. 18 |
Questions | p. 18 |
Answers | p. 20 |
Ethical Hacking and the Legal System | p. 23 |
References | p. 24 |
Addressing Individual Laws | p. 24 |
18 USC Section 1029 | p. 24 |
References | p. 27 |
18 USC Section 1030 | p. 27 |
References | p. 32 |
A State Law Alternative | p. 32 |
References | p. 34 |
18 USC Sections 2510 and 2701 | p. 34 |
References | p. 36 |
Digital Millennium Copyright Act | p. 37 |
References | p. 38 |
Cyber Security Enhancement Act of 2002 | p. 38 |
Summary | p. 39 |
Questions | p. 40 |
Answers | p. 42 |
Proper and Ethical Disclosure | p. 45 |
Different Teams and Points of View | p. 46 |
How Did We Get Here? | p. 47 |
CERT's Current Process | p. 48 |
Full Disclosure Policy (RainForest Puppy Policy) | p. 50 |
Organization for Internet Safety (OIS) | p. 51 |
Discovery | p. 52 |
Notification | p. 53 |
Validation | p. 55 |
Resolution | p. 58 |
Release | p. 59 |
Conflicts Will Still Exist | p. 59 |
Case Studies | p. 60 |
Pros and Cons of Proper Disclosure Processes | p. 60 |
Vendors Paying More Attention | p. 64 |
So What Should We Do from Here on Out? | p. 65 |
iDefense | p. 66 |
References | p. 66 |
Summary | p. 67 |
Questions | p. 67 |
Answers | p. 69 |
Penetration Testing and Tools | p. 71 |
Pen-Testing Process | p. 73 |
Types of Tests | p. 73 |
References | p. 75 |
Ramping Up | p. 75 |
Building a Team | p. 75 |
Building a Lab | p. 76 |
Contracts, Safety, and Staying Out of Jail | p. 77 |
Assessment Process | p. 78 |
Assessment Planning | p. 78 |
On-Site Meeting with the Customer to Kick Off Assessment | p. 79 |
Penetration Test Process | p. 79 |
References | p. 81 |
Red Teaming Process | p. 81 |
System Test Process | p. 84 |
Footprinting with lsof | p. 86 |
References | p. 89 |
Reporting Out | p. 89 |
Summary | p. 90 |
Questions | p. 91 |
Answers | p. 92 |
Beyond Hacking Exposed: Advanced Tools for Today's Hacker | p. 95 |
Scanning in the "Good Old Days" | p. 96 |
Paketto Keiretsu (scanrand, paratrace) | p. 96 |
References | p. 107 |
Past and Present Forms of Fingerprinting | p. 108 |
xprobe2 | p. 109 |
References | p. 114 |
p0f | p. 114 |
References | p. 118 |
amap | p. 118 |
References | p. 122 |
Winfingerprint | p. 122 |
Sniffing Tools | p. 125 |
libpcap and WinPcap | p. 126 |
References | p. 127 |
Passive Sniffing vs. Active Sniffing | p. 127 |
References | p. 134 |
References | p. 137 |
Defenses Against Active Sniffing | p. 137 |
Sniffing for Usernames and Passwords | p. 138 |
References | p. 139 |
Sniffing and Hacking LAN Manager Logon Credentials | p. 140 |
Using the Challenge and Hashes (the Hard Way) | p. 143 |
Using ettercap (the Easy Way) | p. 144 |
References | p. 146 |
Sniffing and Cracking Kerberos | p. 146 |
Summary | p. 148 |
Questions | p. 150 |
Answers | p. 151 |
Automated Penetration Testing | p. 153 |
Python Survival Skills | p. 154 |
Getting Python | p. 154 |
Hello, World | p. 154 |
Python Objects | p. 155 |
References | p. 160 |
Automated Penetration Testing Tools | p. 161 |
Core IMPACT | p. 161 |
References | p. 164 |
Immunity CANVAS | p. 165 |
References | p. 169 |
Metasploit | p. 169 |
References | p. 177 |
Summary | p. 177 |
Questions | p. 177 |
Answers | p. 179 |
Exploits 101 | p. 181 |
Programming Survival Skills | p. 183 |
Programming | p. 184 |
The Problem-Solving Process | p. 184 |
Pseudo-code | p. 185 |
Programmers vs. Hackers | p. 187 |
References | p. 188 |
C Programming Language | p. 188 |
Basic C Language Constructs | p. 188 |
Sample Program | p. 193 |
Compiling with gcc | p. 193 |
References | p. 194 |
Computer Memory | p. 194 |
Random Access Memory (RAM) | p. 195 |
Endian | p. 195 |
Segmentation of Memory | p. 195 |
Programs in Memory | p. 196 |
Buffers | p. 197 |
Strings in Memory | p. 197 |
Pointers | p. 197 |
Putting the Pieces of Memory Together | p. 198 |
References | p. 198 |
Intel Processors | p. 199 |
Registers | p. 199 |
Arithmetic Logic Unit (ALU) | p. 199 |
Program Counter | p. 200 |
Control Unit | p. 200 |
Buses | p. 200 |
References | p. 202 |
Assembly Language Basics | p. 202 |
Machine vs. Assembly vs. C | p. 202 |
AT&T vs. NASM | p. 202 |
Addressing Modes | p. 204 |
Assembly File Structure | p. 205 |
Assembling | p. 206 |
References | p. 206 |
Debugging with gdb | p. 206 |
gdb Basics | p. 206 |
Disassembly with gdb | p. 208 |
References | p. 209 |
Summary | p. 209 |
Questions | p. 210 |
Answers | p. 212 |
Basic Linux Exploits | p. 213 |
Stack Operations | p. 213 |
Stack Data Structure | p. 214 |
Operational Implementation | p. 214 |
Function Calling Procedure | p. 214 |
References | p. 215 |
Buffer Overflows | p. 216 |
Example Buffer Overflow | p. 216 |
Overflow of meet.c | p. 217 |
Ramifications of Buffer Overflows | p. 220 |
References | p. 221 |
Local Buffer Overflow Exploits | p. 221 |
Components of the Exploit | p. 222 |
Exploiting Stack Overflows by Command Line | p. 223 |
Exploiting Stack Overflows with Generic Exploit Code | p. 225 |
Exploitation of meet.c | p. 226 |
Exploiting Small Buffers | p. 227 |
References | p. 229 |
Remote Buffer Overflow Exploits | p. 229 |
Client/Server Model | p. 229 |
Determining the Remote esp Value | p. 232 |
Manual Brute Force with Perl | p. 232 |
References | p. 234 |
Summary | p. 234 |
Questions | p. 235 |
Answers | p. 237 |
Advanced Linux Exploits | p. 239 |
Format String Exploits | p. 239 |
The Problem | p. 240 |
Reading from Arbitrary Memory | p. 243 |
Writing to Arbitrary Memory | p. 245 |
Taking .dtors to root | p. 247 |
References | p. 250 |
Heap Overflow Exploits | p. 250 |
Heap Overflows | p. 251 |
Memory Allocators (malloc) | p. 252 |
dlmalloc | p. 253 |
Exploiting Heap Overflows | p. 257 |
Alternative Exploits | p. 261 |
References | p. 261 |
Memory Protection Schemes | p. 262 |
Libsafe | p. 262 |
GRSecurity Kernel Patches and Scripts | p. 262 |
Stackshield | p. 263 |
Bottom Line | p. 263 |
References | p. 264 |
Summary | p. 264 |
Questions | p. 265 |
Answers | p. 267 |
Writing Linux Shellcode | p. 269 |
Basic Linux Shellcode | p. 269 |
System Calls | p. 270 |
Exit System Call | p. 272 |
setreuid System Call | p. 274 |
Shell-Spawning Shellcode with execve | p. 276 |
References | p. 279 |
Port-Binding Shellcode | p. 279 |
Linux Socket Programming | p. 279 |
Assembly Program to Establish a Socket | p. 282 |
Test the Shellcode | p. 284 |
References | p. 287 |
Reverse Connecting Shellcode | p. 287 |
Reverse Connecting C Program | p. 287 |
Reverse Connecting Assembly Program | p. 288 |
References | p. 290 |
Summary | p. 290 |
Questions | p. 292 |
Answers | p. 294 |
Writing a Basic Windows Exploit | p. 295 |
Compiling and Debugging Windows Programs | p. 295 |
Compiling on Windows | p. 295 |
Debugging on Windows | p. 297 |
Building a Basic Windows Exploit | p. 306 |
Summary | p. 313 |
Questions | p. 314 |
Answers | p. 315 |
Vulnerability Analysis | p. 317 |
Passive Analysis | p. 319 |
Ethical Reverse Engineering | p. 319 |
References | p. 320 |
Why Reverse Engineering? | p. 320 |
Reverse Engineering Considerations | p. 321 |
Source Code Analysis | p. 321 |
Source Code Auditing Tools | p. 322 |
The Utility of Source Code Auditing Tools | p. 323 |
Manual Source Code Auditing | p. 325 |
References | p. 329 |
Binary Analysis | p. 329 |
Automated Binary Analysis Tools | p. 329 |
References | p. 332 |
Manual Auditing of Binary Code | p. 332 |
References | p. 345 |
Summary | p. 345 |
Questions | p. 346 |
Answers | p. 347 |
Advanced Reverse Engineering | p. 349 |
Why Try to Break Software? | p. 350 |
The Software Development Process | p. 350 |
Instrumentation Tools | p. 351 |
Debuggers | p. 352 |
Code Coverage Tools | p. 354 |
Profiling Tools | p. 354 |
Flow Analysis Tools | p. 354 |
Memory Monitoring Tools | p. 356 |
References | p. 361 |
Fuzzing | p. 361 |
Instrumented Fuzzing Tools and Techniques | p. 362 |
A Simple URL Fuzzer | p. 362 |
Fuzzing Unknown Protocols | p. 365 |
SPIKE | p. 365 |
SPIKE Proxy | p. 369 |
Sharefuzz | p. 369 |
References | p. 370 |
Summary | p. 371 |
Questions | p. 371 |
Answers | p. 373 |
From Vulnerability to Exploit | p. 375 |
Exploitability | p. 376 |
Debugging for Exploitation | p. 376 |
References | p. 380 |
Understanding the Problem | p. 380 |
Preconditions and Postconditions | p. 380 |
Repeatability | p. 381 |
References | p. 390 |
Documenting the Problem | p. 390 |
Background Information | p. 390 |
Circumstances | p. 391 |
Research Results | p. 391 |
Summary | p. 391 |
Questions | p. 392 |
Answers | p. 394 |
Closing the Holes: Mitigation | p. 397 |
Mitigation Alternatives | p. 397 |
Port Knocking | p. 398 |
References | p. 398 |
Migration | p. 398 |
References | p. 399 |
Patching | p. 400 |
Source Code Patching Considerations | p. 400 |
Binary Patching Considerations | p. 402 |
References | p. 406 |
Summary | p. 406 |
Questions | p. 406 |
Answers | p. 408 |
Index | p. 411 |
Table of Contents provided by Ingram. All Rights Reserved. |