Up-to-date strategies for thwarting the latest, most insidious network attacks. This fully updated, industry-standard security resource shows, step by step, how to fortify computer networks by learning and applying effective ethical hacking techniques. Based on curricula developed by the authors at major security conferences and colleges, the book features actionable planning and analysis methods as well as practical steps for identifying and combating both targeted and opportunistic attacks. Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition clearly explains the enemy's devious weapons, skills, and tactics and offers field-tested remedies, case studies, and testing labs. You will get complete coverage of Internet of Things, mobile, and Cloud security along with penetration testing, malware analysis, and reverse engineering techniques. State-of-the-art malware, ransomware, and system exploits are thoroughly explained.
- Fully revised content includes 7 new chapters covering the latest threats
- Includes proof-of-concept code stored on the GitHub repository
- Authors train attendees at major security conferences, including RSA, Black Hat, Defcon, and B-Sides
Note: This item can only be shipped to a German delivery address.
Product details
- Publisher: McGraw-Hill Education
- 6th edition
- Pages: 704
- Publication date: 29 March 2022
- Language: English
- Dimensions: 229mm x 188mm x 37mm
- Weight: 1218g
- ISBN-13: 9781264268948
- ISBN-10: 1264268947
- Item no.: 62921092
- Manufacturer information
- Libri GmbH
- Europaallee 1
- 36244 Bad Hersfeld
- gpsr@libri.de
Dr. Allen Harper, CISSP, is the founder of N2NetSecurity, Inc.; former EVP and chief hacker at Tangible Security; former program director at Liberty University; and now serves as EVP of Cybersecurity at T-Rex Solutions LLC.

Ryan Linn has over 20 years in the security industry, ranging from systems programmer to corporate security to leading a global cybersecurity consultancy.

Stephen Sims is an industry expert with over 15 years of experience in information technology and security. He currently works as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing.

Michael Baucom has over 25 years of industry experience, ranging from embedded systems development to leading the product security and research division at Tangible Security.

Huáscar Tejeda is the co-founder and CEO of F2TC Cyber Security. He is a seasoned cybersecurity professional with more than 20 years of experience and notable achievements in IT and telecommunications, developing carrier-grade security solutions and business-critical components for multiple broadband providers. He is also a member of the SANS Latin America Advisory Group and the SANS Purple Team Summit Advisory Board, and a contributing author of the SANS Institute's most advanced course, SEC760: Advanced Exploit Development for Penetration Testers.

Daniel Fernandez is a security researcher with more than 15 years of experience in the field. His focus in recent years has been hypervisor exploitation; before that he worked mostly on Windows and Linux kernel exploitation.

Moses Frost is an author and instructor at the SANS Institute. His technology interests include web applications, Linux systems administration and design, and designing hacking challenges. He currently works at McAfee.
Preface Acknowledgments Introduction
Part I. Preparation
Chapter 1. Gray Hat Hacking Gray Hat Hacking Overview History of Hacking
Ethics and Hacking Definition of Gray Hat Hacking History of Ethical
Hacking History of Vulnerability Disclosure Bug Bounty Programs Know the
Enemy: Black Hat Hacking Advanced Persistent Threats Lockheed Martin Cyber
Kill Chain Courses of Action for the Cyber Kill Chain MITRE ATT&CK
Framework Summary For Further Reading References
Chapter 2. Programming Survival Skills C Programming Language Basic C
Language Constructs Lab 2-1: Format Strings Lab 2-2: Loops Lab 2-3: if/else
Sample Programs Lab 2-4: hello.c Lab 2-5: meet.c Compiling with gcc Lab
2-6: Compiling meet.c Computer Memory Random Access Memory Endian
Segmentation of Memory Programs in Memory Buffers Strings in Memory
Pointers Putting the Pieces of Memory Together Lab 2-7: memory.c Intel
Processors Registers Assembly Language Basics Machine vs. Assembly vs. C
AT&T vs. NASM Addressing Modes Assembly File Structure Lab 2-8: Simple
Assembly Program Debugging with gdb gdb Basics Lab 2-9: Debugging Lab 2-10:
Disassembly with gdb Python Survival Skills Getting Python Lab 2-11:
Launching Python Lab 2-12: "Hello, World!" in Python Python Objects Lab
2-13: Strings Lab 2-14: Numbers Lab 2-15: Lists Lab 2-16: Dictionaries Lab
2-17: Files with Python Lab 2-18: Sockets with Python Summary For Further
Reading References
Chapter 3. Linux Exploit Development Tools Binary, Dynamic
Information-Gathering Tools Lab 3-1: Hello.c Lab 3-2: ldd Lab 3-3: objdump
Lab 3-4: strace Lab 3-5: ltrace Lab 3-6: checksec Lab 3-7: libc-database
Lab 3-8: patchelf Lab 3-9: one_gadget Lab 3-10: Ropper Extending gdb with
Python Pwntools CTF Framework and Exploit Development Library Summary of
Features Lab 3-11: leak-bof.c HeapME (Heap Made Easy) Heap Analysis and
Collaboration Tool Installing HeapME Lab 3-12: heapme_demo.c Summary For
Further Reading References
Chapter 4. Introduction to Ghidra Creating Our First Project Installation
and QuickStart Setting the Project Workspace Functionality Overview Lab
4-1: Improving Readability with Annotations Lab 4-2: Binary Diffing and
Patch Analysis Summary For Further Reading References
Chapter 5. IDA Pro Introduction to IDA Pro for Reverse Engineering What Is
Disassembly? Navigating IDA Pro IDA Pro Features and Functionality
Cross-References (Xrefs) Function Calls Proximity Browser Opcodes and
Addressing Shortcuts Comments Debugging with IDA Pro Summary For Further
Reading References
Part II. Ethical Hacking
Chapter 6. Red and Purple Teams Introduction to Red Teams Vulnerability
Scanning Validated Vulnerability Scanning Penetration Testing Threat
Simulation and Emulation Purple Team Making Money with Red Teaming
Corporate Red Teaming Consultant Red Teaming Purple Team Basics Purple Team
Skills Purple Team Activities Summary For Further Reading References
Chapter 7. Command and Control (C2) Command and Control Systems Metasploit
Lab 7-1: Creating a Shell with Metasploit PowerShell Empire Covenant Lab
7-2: Using Covenant C2 Payload Obfuscation msfvenom and Obfuscation Lab
7-3: Obfuscating Payloads with msfvenom Creating C# Launchers Lab 7-4:
Compiling and Testing C# Launchers Creating Go Launchers Lab 7-5: Compiling
and Testing Go Launchers Creating Nim Launchers Lab 7-6: Compiling
and Testing Nim Launchers Network Evasion Encryption Alternate Protocols C2
Templates EDR Evasion Killing EDR Products Bypassing Hooks Summary For
Further Reading
Chapter 8. Building a Threat Hunting Lab Threat Hunting and Labs Options of
Threat Hunting Labs Method for the Rest of this Chapter Basic Threat
Hunting Lab: DetectionLab Prerequisites Lab 8-1: Install the Lab on Your
Host Lab 8-2: Install the Lab in the Cloud Lab 8-3: Looking Around the Lab
Extending Your Lab HELK Lab 8-4: Install HELK Lab 8-5: Install Winlogbeat
Lab 8-6: Kibana Basics Lab 8-7: Mordor Summary For Further Reading
References
Chapter 9. Introduction to Threat Hunting Threat Hunting Basics Types of
Threat Hunting Workflow of a Threat Hunt Normalizing Data Sources with
OSSEM Data Sources OSSEM to the Rescue Data-Driven Hunts Using OSSEM MITRE
ATT&CK Framework Refresher: T1003.002 Lab 9-1: Visualizing Data Sources
with OSSEM Lab 9-2: AtomicRedTeam Attacker Emulation Exploring
Hypothesis-Driven Hunts Lab 9-3: Hypothesis that Someone Copied a SAM File
Crawl, Walk, Run Enter Mordor Lab 9-4: Hypothesis that Someone Other than
an Admin Launched PowerShell Threat Hunter Playbook Departure from HELK for
Now Spark and Jupyter Lab 9-5: Automated Playbooks and Sharing of Analytics
Summary For Further Reading References
Part III. Hacking Systems
Chapter 10. Basic Linux Exploits Stack Operations and Function-Calling
Procedures Buffer Overflows Lab 10-1: Overflowing meet.c Ramifications of
Buffer Overflows Local Buffer Overflow Exploits Lab 10-2: Components of the
Exploit Lab 10-3: Exploiting Stack Overflows from the Command Line Lab
10-4: Writing the Exploit with Pwntools Lab 10-5: Exploiting Small Buffers
Exploit Development Process Lab 10-6: Building Custom Exploits Summary For
Further Reading
Chapter 11. Advanced Linux Exploits Lab 11-1: Vulnerable Program and
Environment Setup Lab 11-2: Bypassing Non-Executable Stack (NX) with
Return-Oriented Programming (ROP) Lab 11-3: Defeating Stack Canaries Lab
11-4: ASLR Bypass with an Information Leak Lab 11-5: PIE Bypass with an
Information Leak Summary For Further Reading References
Chapter 12. Linux Kernel Exploits Lab 12-1: Environment Setup and
Vulnerable procfs Module Lab 12-2: ret2usr Lab 12-3: Defeating Stack
Canaries Lab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP)
and Kernel Page-Table Isolation (KPTI) Lab 12-5: Bypassing Supervisor Mode
Access Prevention (SMAP) Lab 12-6: Defeating Kernel Address Space Layout
Randomization (KASLR) Summary For Further Reading References
Chapter 13. Basic Windows Exploitation Compiling and Debugging Windows
Programs Lab 13-1: Compiling on Windows Debugging on Windows with Immunity
Debugger Lab 13-2: Crashing the Program Writing Windows Exploits Exploit
Development Process Review Lab 13-3: Exploiting ProSSHD Server
Understanding Structured Exception Handling Understanding and Bypassing
Common Windows Memory Protections Safe Structured Exception Handling
Bypassing SafeSEH Data Execution Prevention Return-Oriented Programming
Gadgets Building the ROP Chain Summary For Further Reading References
Chapter 14. Windows Kernel Exploitation The Windows Kernel Kernel Drivers
Kernel Debugging Lab 14-1: Setting Up Kernel Debugging Picking a Target Lab
14-2: Obtaining the Target Driver Lab 14-3: Reverse Engineering the Driver
Lab 14-4: Interacting with the Driver Token Stealing Lab 14-5: Arbitrary
Pointer Read/Write Lab 14-6: Writing a Kernel Exploit Summary For Further
Reading References
Chapter 15. PowerShell Exploitation Why PowerShell Living off the Land
PowerShell Logging PowerShell Portability Loading PowerShell Scripts Lab
15-1: The Failure Condition Lab 15-2: Passing Commands on the Command Line
Lab 15-3: Encoded Commands Lab 15-4: Bootstrapping via the Web Exploitation
and Post-Exploitation with PowerSploit Lab 15-5: Setting Up PowerSploit Lab
15-6: Running Mimikatz Through PowerShell Using PowerShell Empire for C2
Lab 15-7: Setting Up Empire Lab 15-8: Staging an Empire C2 Lab 15-9: Using
Empire to Own the System Lab 15-10: Using WinRM to Launch Empire Summary
For Further Reading Reference
Chapter 16. Getting Shells Without Exploits Capturing Password Hashes
Understanding LLMNR and NBNS Understanding Windows NTLMv1 and NTLMv2
Authentication Using Responder Lab 16-1: Getting Passwords with Responder
Using Winexe Lab 16-2: Using Winexe to Access Remote Systems Lab 16-3:
Using Winexe to Gain Elevated Privileges Using WMI Lab 16-4: Querying
System Information with WMI Lab 16-5: Executing Commands with WMI Taking
Advantage of WinRM Lab 16-6: Executing Commands with WinRM Lab 16-7: Using
Evil-WinRM to Execute Code Summary For Further Reading Reference
Chapter 17. Post-Exploitation in Modern Windows Environments
Post-Exploitation Host Recon Lab 17-1: Using whoami to Identify Privileges
Lab 17-2: Using Seatbelt to Find User Information Lab 17-3: System Recon
with PowerShell Lab 17-4: System Recon with Seatbelt Lab 17-5: Getting
Domain Information with PowerShell Lab 17-6: Using PowerView for AD Recon
Lab 17-7: Gathering AD Data with SharpHound Escalation Lab 17-8: Profiling
Systems with winPEAS Lab 17-9: Using SharpUp to Escalate Privileges Lab
17-10: Searching for Passwords in User Objects Lab 17-11: Abusing Kerberos
to Gather Credentials Lab 17-12: Abusing Kerberos to Escalate Privileges
Active Directory Persistence Lab 17-13: Abusing AdminSDHolder Lab 17-14:
Abusing SIDHistory Summary For Further Reading
Chapter 18. Next-Generation Patch Exploitation Introduction to Binary
Diffing Application Diffing Patch Diffing Binary Diffing Tools BinDiff
turbodiff Lab 18-1: Our First Diff Patch Management Process Microsoft Patch
Tuesday Obtaining and Extracting Microsoft Patches Summary For Further
Reading References
Part IV. Hacking IoT
Chapter 19. Internet of Things to Be Hacked Internet of Things (IoT) Types
of Connected Things Wireless Protocols Communication Protocols Security
Concerns Shodan IoT Search Engine Web Interface Shodan Command-Line
Interface Lab 19-1: Using the Shodan Command Line Shodan API Lab 19-2:
Testing the Shodan API Lab 19-3: Playing with MQTT Implications of this
Unauthenticated Access to MQTT IoT Worms: It Was a Matter of Time
Prevention Summary For Further Reading References
Chapter 20. Dissecting Embedded Devices CPU Microprocessor Microcontrollers
System on Chip Common Processor Architectures Serial Interfaces UART SPI
I2C Debug Interfaces JTAG SWD Software Bootloader No Operating System
Real-Time Operating System General Operating System Summary For Further
Reading References
Chapter 21. Exploiting Embedded Devices Static Analysis of Vulnerabilities
in Embedded Devices Lab 21-1: Analyzing the Update Package Lab 21-2:
Performing Vulnerability Analysis Dynamic Analysis with Hardware The Test
Environment Setup Ettercap Dynamic Analysis with Emulation FirmAE Lab 21-3:
Setting Up FirmAE Lab 21-4: Emulating Firmware Lab 21-5: Exploiting
Firmware Summary For Further Reading References
Chapter 22. Software-Defined Radio Getting Started with SDR What to Buy Not
So Quick: Know the Rules Learn by Example Search Capture Replay Analyze
Preview Execute Summary For Further Reading
Part V. Hacking Hypervisors
Chapter 23. Hypervisors 101 What Is a Hypervisor? Popek and Goldberg
Virtualization Theorems Goldberg's Hardware Virtualizer Type-1 and Type-2
VMMs x86 Virtualization Dynamic Binary Translation Ring Compression Shadow
Paging Paravirtualization Hardware Assisted Virtualization VMX EPT Summary
References
Chapter 24. Creating a Research Framework Hypervisor Attack Surface The
Unikernel Lab 24-1: Booting and Communication Lab 24-2: Communication
Protocol Boot Message Implementation Handling Requests The Client (Python)
Communication Protocol (Python) Lab 24-3: Running the Guest (Python) Lab
24-4: Code Injection (Python) Fuzzing The Fuzzer Base Class Lab 24-5:
IO-Ports Fuzzer Lab 24-6: MSR Fuzzer Lab 24-7: Exception Handling Fuzzing
Tips and Improvements Summary References
Chapter 25. Inside Hyper-V Environment Setup Hyper-V Architecture Hyper-V
Components Virtual Trust Levels Generation-1 VMs Lab 25-1: Scanning PCI
Devices in a Generation-1 V
Part I. Preparation
Chapter 1. Gray Hat Hacking Gray Hat Hacking Overview History of Hacking
Ethics and Hacking Definition of Gray Hat Hacking History of Ethical
Hacking History of Vulnerability Disclosure Bug Bounty Programs Know the
Enemy: Black Hat Hacking Advanced Persistent Threats Lockheed Martin Cyber
Kill Chain Courses of Action for the Cyber Kill Chain MITRE ATT&CK
Framework Summary For Further Reading References
Chapter 2. Programming Survival Skills C Programming Language Basic C
Language Constructs Lab 2-1: Format Strings Lab 2-2: Loops Lab 2-3: if/else
Sample Programs Lab 2-4: hello.c Lab 2-5: meet.c Compiling with gcc Lab
2-6: Compiling meet.c Computer Memory Random Access Memory Endian
Segmentation of Memory Programs in Memory Buffers Strings in Memory
Pointers Putting the Pieces of Memory Together Lab 2-7: memory.c Intel
Processors Registers Assembly Language Basics Machine vs. Assembly vs. C
AT&T vs. NASM Addressing Modes Assembly File Structure Lab 2-8: Simple
Assembly Program Debugging with gdb gdb Basics Lab 2-9: Debugging Lab 2-10:
Disassembly with gdb Python Survival Skills Getting Python Lab 2-11:
Launching Python Lab 2-12: "Hello, World!" in Python Python Objects Lab
2-13: Strings Lab 2-14: Numbers Lab 2-15: Lists Lab 2-16: Dictionaries Lab
2-17: Files with Python Lab 2-18: Sockets with Python Summary For Further
Reading References
Chapter 3. Linux Exploit Development Tools Binary, Dynamic
Information-Gathering Tools Lab 3-1: Hello.c Lab 3-2: ldd Lab 3-3: objdump
Lab 3-4: strace Lab 3-5: ltrace Lab 3-6: checksec Lab 3-7: libc-database
Lab 3-8: patchelf Lab 3-9: one_gadget Lab 3-10: Ropper Extending gdb with
Python Pwntools CTF Framework and Exploit Development Library Summary of
Features Lab 3-11: leak-bof.c HeapME (Heap Made Easy) Heap Analysis and
Collaboration Tool Installing HeapME Lab 3-12: heapme_demo.c Summary For
Further Reading References
Chapter 4. Introduction to Ghidra Creating Our First Project Installation
and QuickStart Setting the Project Workspace Functionality Overview Lab
4-1: Improving Readability with Annotations Lab 4-2: Binary Diffing and
Patch Analysis Summary For Further Reading References
Chapter 5. IDA Pro Introduction to IDA Pro for Reverse Engineering What Is
Disassembly? Navigating IDA Pro IDA Pro Features and Functionality
Cross-References (Xrefs) Function Calls Proximity Browser Opcodes and
Addressing Shortcuts Comments Debugging with IDA Pro Summary For Further
Reading References
Part II. Ethical Hacking
Chapter 6. Red and Purple Teams Introduction to Red Teams Vulnerability
Scanning Validated Vulnerability Scanning Penetration Testing Threat
Simulation and Emulation Purple Team Making Money with Red Teaming
Corporate Red Teaming Consultant Red Teaming Purple Team Basics Purple Team
Skills Purple Team Activities Summary For Further Reading References
Chapter 7. Command and Control (C2) Command and Control Systems Metasploit
Lab 7-1: Creating a Shell with Metasploit PowerShell Empire Covenant Lab
7-2: Using Covenant C2 Payload Obfuscation msfvenom and Obfuscation Lab
7-3: Obfuscating Payloads with msfvenom Creating C# Launchers Lab 7-4:
Compiling and Testing C# Launchers Creating Go Launchers Lab 7-5: Compiling
and Testing Go Launchers Creating Nim Launchers &n bsp; Lab 7-6: Compiling
and Testing Nim Launchers Network Evasion Encryption Alternate Protocols C2
Templates EDR Evasion Killing EDR Products Bypassing Hooks Summary For
Further Reading
Chapter 8. Building a Threat Hunting Lab Threat Hunting and Labs Options of
Threat Hunting Labs Method for the Rest of this Chapter Basic Threat
Hunting Lab: DetectionLab Prerequisites Lab 8-1: Install the Lab on Your
Host Lab 8-2: Install the Lab in the Cloud Lab 8-3: Looking Around the Lab
Extending Your Lab HELK Lab 8-4: Install HELK Lab 8-5: Install Winlogbeat
Lab 8-6: Kibana Basics Lab 8-7: Mordor Summary For Further Reading
References
Chapter 9. Introduction to Threat Hunting Threat Hunting Basics Types of
Threat Hunting Workflow of a Threat Hunt Normalizing Data Sources with
OSSEM Data Sources OSSEM to the Rescue Data-Driven Hunts Using OSSEM MITRE
ATT&CK Framework Refresher: T1003.002 Lab 9-1: Visualizing Data Sources
with OSSEM Lab 9-2: AtomicRedTeam Attacker Emulation Exploring
Hypothesis-Driven Hunts Lab 9-3: Hypothesis that Someone Copied a SAM File
Crawl, Walk, Run Enter Mordor Lab 9-4: Hypothesis that Someone Other than
an Admin Launched PowerShell Threat Hunter Playbook Departure from HELK for
Now Spark and Jupyter Lab 9-5: Automated Playbooks and Sharing of Analytics
Summary For Further Reading References
Part III. Hacking Systems
Chapter 10. Basic Linux Exploits Stack Operations and Function-Calling
Procedures Buffer Overflows Lab 10-1: Overflowing meet.c Ramifications of
Buffer Overflows Local Buffer Overflow Exploits Lab 10-2: Components of the
Exploit Lab 10-3: Exploiting Stack Overflows from the Command Line Lab
10-4: Writing the Exploit with Pwntools Lab 10-5: Exploiting Small Buffers
Exploit Development Process Lab 10-6: Building Custom Exploits Summary For
Further Reading
Chapter 11. Advanced Linux Exploits Lab 11-1: Vulnerable Program and
Environment Setup Lab 11-2: Bypassing Non-Executable Stack (NX) with
Return-Oriented Programming (ROP) Lab 11-3: Defeating Stack Canaries Lab
11-4: ASLR Bypass with an Information Leak Lab 11-5: PIE Bypass with an
Information Leak Summary For Further Reading References
Chapter 12. Linux Kernel Exploits Lab 12-1: Environment Setup and
Vulnerable procfs Module Lab 12-2: ret2usr Lab 12-3: Defeating Stack
Canaries Lab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP)
and Kernel Page-Table Isolation (KPTI) Lab 12-5: Bypassing Supervisor Mode
Access Prevention (SMAP) Lab 12-6: Defeating Kernel Address Space Layout
Randomization (KASLR) Summary For Further Reading References
Chapter 13. Basic Windows Exploitation Compiling and Debugging Windows
Programs Lab 13-1: Compiling on Windows Debugging on Windows with Immunity
Debugger Lab 13-2: Crashing the Program Writing Windows Exploits Exploit
Development Process Review Lab 13-3: Exploiting ProSSHD Server
Understanding Structured Exception Handling Understanding and Bypassing
Common Windows Memory Protections Safe Structured Exception Handling
Bypassing SafeSEH Data Execution Prevention Return-Oriented Programming
Gadgets Building the ROP Chain Summary For Further Reading References
Chapter 14. Windows Kernel Exploitation The Windows Kernel Kernel Drivers
Kernel Debugging Lab 14-1: Setting Up Kernel Debugging Picking a Target Lab
14-2: Obtaining the Target Driver Lab 14-3: Reverse Engineering the Driver
Lab 14-4: Interacting with the Driver Token Stealing Lab 14-5: Arbitrary
Pointer Read/Write Lab 14-6: Writing a Kernel Exploit Summary For Further
Reading References
Chapter 15. PowerShell Exploitation Why PowerShell Living off the Land
PowerShell Logging PowerShell Portability Loading PowerShell Scripts Lab
15-1: The Failure Condition Lab 15-2: Passing Commands on the Command Line
Lab 15-3: Encoded Commands Lab 15-4: Bootstrapping via the Web Exploitation
and Post-Exploitation with PowerSploit Lab 15-5: Setting Up PowerSploit Lab
15-6: Running Mimikatz Through PowerShell Using PowerShell Empire for C2
Lab 15-7: Setting Up Empire Lab 15-8: Staging an Empire C2 Lab 15-9: Using
Empire to Own the System Lab 15-10: Using WinRM to Launch Empire Summary
For Further Reading Reference
Chapter 16. Getting Shells Without Exploits Capturing Password Hashes
Understanding LLMNR and NBNS Understanding Windows NTLMv1 and NTLMv2
Authentication Using Responder Lab 16-1: Getting Passwords with Responder
Using Winexe Lab 16-2: Using Winexe to Access Remote Systems Lab 16-3:
Using Winexe to Gain Elevated Privileges Using WMI Lab 16-4: Querying
System Information with WMI Lab 16-5: Executing Commands with WMI Taking
Advantage of WinRM Lab 16-6: Executing Commands with WinRM Lab 16-7: Using
Evil-WinRM to Execute Code Summary For Further Reading Reference
Chapter 17. Post-Exploitation in Modern Windows Environments
Post-Exploitation Host Recon Lab 17-1: Using whoami to Identify Privileges
Lab 17-2: Using Seatbelt to Find User Information Lab 17-3: System Recon
with PowerShell Lab 17-4: System Recon with Seatbelt Lab 17-5: Getting
Domain Information with PowerShell Lab 17-6: Using PowerView for AD Recon
Lab 17-7: Gathering AD Data with SharpHound Escalation Lab 17-8: Profiling
Systems with winPEAS Lab 17-9: Using SharpUp to Escalate Privileges Lab
17-10: Searching for Passwords in User Objects Lab 17-11: Abusing Kerberos
to Gather Credentials Lab 17-12: Abusing Kerberos to Escalate Privileges
Active Directory Persistence Lab 17-13: Abusing AdminSDHolder Lab 17-14:
Abusing SIDHistory Summary For Further Reading
Chapter 18. Next-Generation Patch Exploitation Introduction to Binary
Diffing Application Diffing Patch Diffing Binary Diffing Tools BinDiff
turbodiff Lab 18-1: Our First Diff Patch Management Process Microsoft Patch
Tuesday Obtaining and Extracting Microsoft Patches Summary For Further
Reading References
Part IV. Hacking IoT
Chapter 19. Internet of Things to Be Hacked Internet of Things (IoT) Types
of Connected Things Wireless Protocols Communication Protocols Security
Concerns Shodan IoT Search Engine Web Interface Shodan Command-Line
Interface Lab 19-1: Using the Shodan Command Line Shodan API Lab 19-2:
Testing the Shodan API Lab 19-3: Playing with MQTT Implications of this
Unauthenticated Access to MQTT IoT Worms: It Was a Matter of Time
Prevention Summary For Further Reading References
Chapter 20. Dissecting Embedded Devices CPU Microprocessor Microcontrollers
System on Chip Common Processor Architectures Serial Interfaces UART SPI I
2C Debug Interfaces JTAG SWD Software Bootloader No Operating System
Real-Time Operating System General Operating System Summary For Further
Reading References
Chapter 21. Exploiting Embedded Devices Static Analysis of Vulnerabilities
in Embedded Devices Lab 21-1: Analyzing the Update Package Lab 21-2:
Performing Vulnerability Analysis Dynamic Analysis with Hardware The Test
Environment Setup Ettercap Dynamic Analysis with Emulation FirmAE Lab 21-3:
Setting Up FirmAE Lab 21-4: Emulating Firmware Lab 21-5: Exploiting
Firmware Summary For Further Reading References
Chapter 22. Software-Defined Radio Getting Started with SDR What to Buy Not
So Quick: Know the Rules Learn by Example Search Capture Replay Analyze
Preview Execute Summary For Further Reading
Part V. Hacking Hypervisors
Chapter 23. Hypervisors 101 What Is a Hypervisor? Popek and Goldberg
Virtualization Theorems Goldberg's Hardware Virtualizer Type-1 and Type-2
VMMs x86 Virtualization Dynamic Binary Translation Ring Compression Shadow
Paging Paravirtualization Hardware Assisted Virtualization VMX EPT Summary
References
Chapter 24. Creating a Research Framework Hypervisor Attack Surface The
Unikernel Lab 24-1: Booting and Communication Lab 24-2: Communication
Protocol Boot Message Implementation Handling Requests The Client (Python)
Communication Protocol (Python) Lab 24-3: Running the Guest (Python) Lab
24-4: Code Injection (Python) Fuzzing The Fuzzer Base Class Lab 24-5:
IO-Ports Fuzzer Lab 24-6: MSR Fuzzer Lab 24-7: Exception Handling Fuzzing
Tips and Improvements Summary References
Chapter 25. Inside Hyper-V Environment Setup Hyper-V Architecture Hyper-V
Components Virtual Trust Levels Generation-1 VMs Lab 25-1: Scanning PCI
Devices in a Generation-1 V
Preface Acknowledgments Introduction
Part I. Preparation
Chapter 1. Gray Hat Hacking Gray Hat Hacking Overview History of Hacking
Ethics and Hacking Definition of Gray Hat Hacking History of Ethical
Hacking History of Vulnerability Disclosure Bug Bounty Programs Know the
Enemy: Black Hat Hacking Advanced Persistent Threats Lockheed Martin Cyber
Kill Chain Courses of Action for the Cyber Kill Chain MITRE ATT&CK
Framework Summary For Further Reading References
Chapter 2. Programming Survival Skills C Programming Language Basic C
Language Constructs Lab 2-1: Format Strings Lab 2-2: Loops Lab 2-3: if/else
Sample Programs Lab 2-4: hello.c Lab 2-5: meet.c Compiling with gcc Lab
2-6: Compiling meet.c Computer Memory Random Access Memory Endian
Segmentation of Memory Programs in Memory Buffers Strings in Memory
Pointers Putting the Pieces of Memory Together Lab 2-7: memory.c Intel
Processors Registers Assembly Language Basics Machine vs. Assembly vs. C
AT&T vs. NASM Addressing Modes Assembly File Structure Lab 2-8: Simple
Assembly Program Debugging with gdb gdb Basics Lab 2-9: Debugging Lab 2-10:
Disassembly with gdb Python Survival Skills Getting Python Lab 2-11:
Launching Python Lab 2-12: "Hello, World!" in Python Python Objects Lab
2-13: Strings Lab 2-14: Numbers Lab 2-15: Lists Lab 2-16: Dictionaries Lab
2-17: Files with Python Lab 2-18: Sockets with Python Summary For Further
Reading References
Chapter 3. Linux Exploit Development Tools Binary, Dynamic
Information-Gathering Tools Lab 3-1: Hello.c Lab 3-2: ldd Lab 3-3: objdump
Lab 3-4: strace Lab 3-5: ltrace Lab 3-6: checksec Lab 3-7: libc-database
Lab 3-8: patchelf Lab 3-9: one_gadget Lab 3-10: Ropper Extending gdb with
Python Pwntools CTF Framework and Exploit Development Library Summary of
Features Lab 3-11: leak-bof.c HeapME (Heap Made Easy) Heap Analysis and
Collaboration Tool Installing HeapME Lab 3-12: heapme_demo.c Summary For
Further Reading References
Chapter 4. Introduction to Ghidra Creating Our First Project Installation
and QuickStart Setting the Project Workspace Functionality Overview Lab
4-1: Improving Readability with Annotations Lab 4-2: Binary Diffing and
Patch Analysis Summary For Further Reading References
Chapter 5. IDA Pro Introduction to IDA Pro for Reverse Engineering What Is
Disassembly? Navigating IDA Pro IDA Pro Features and Functionality
Cross-References (Xrefs) Function Calls Proximity Browser Opcodes and
Addressing Shortcuts Comments Debugging with IDA Pro Summary For Further
Reading References
Part II. Ethical Hacking
Chapter 6. Red and Purple Teams Introduction to Red Teams Vulnerability
Scanning Validated Vulnerability Scanning Penetration Testing Threat
Simulation and Emulation Purple Team Making Money with Red Teaming
Corporate Red Teaming Consultant Red Teaming Purple Team Basics Purple Team
Skills Purple Team Activities Summary For Further Reading References
Chapter 7. Command and Control (C2) Command and Control Systems Metasploit
Lab 7-1: Creating a Shell with Metasploit PowerShell Empire Covenant Lab
7-2: Using Covenant C2 Payload Obfuscation msfvenom and Obfuscation Lab
7-3: Obfuscating Payloads with msfvenom Creating C# Launchers Lab 7-4:
Compiling and Testing C# Launchers Creating Go Launchers Lab 7-5: Compiling
and Testing Go Launchers Creating Nim Launchers &n bsp; Lab 7-6: Compiling
and Testing Nim Launchers Network Evasion Encryption Alternate Protocols C2
Templates EDR Evasion Killing EDR Products Bypassing Hooks Summary For
Further Reading
Chapter 8. Building a Threat Hunting Lab Threat Hunting and Labs Options of
Threat Hunting Labs Method for the Rest of this Chapter Basic Threat
Hunting Lab: DetectionLab Prerequisites Lab 8-1: Install the Lab on Your
Host Lab 8-2: Install the Lab in the Cloud Lab 8-3: Looking Around the Lab
Extending Your Lab HELK Lab 8-4: Install HELK Lab 8-5: Install Winlogbeat
Lab 8-6: Kibana Basics Lab 8-7: Mordor Summary For Further Reading
References
Chapter 9. Introduction to Threat Hunting: Threat Hunting Basics; Types of Threat Hunting; Workflow of a Threat Hunt; Normalizing Data Sources with OSSEM; Data Sources; OSSEM to the Rescue; Data-Driven Hunts Using OSSEM; MITRE ATT&CK Framework Refresher: T1003.002; Lab 9-1: Visualizing Data Sources with OSSEM; Lab 9-2: AtomicRedTeam Attacker Emulation; Exploring Hypothesis-Driven Hunts; Lab 9-3: Hypothesis that Someone Copied a SAM File; Crawl, Walk, Run; Enter Mordor; Lab 9-4: Hypothesis that Someone Other than an Admin Launched PowerShell; Threat Hunter Playbook; Departure from HELK for Now; Spark and Jupyter; Lab 9-5: Automated Playbooks and Sharing of Analytics; Summary; For Further Reading; References
Part III. Hacking Systems
Chapter 10. Basic Linux Exploits: Stack Operations and Function-Calling Procedures; Buffer Overflows; Lab 10-1: Overflowing meet.c; Ramifications of Buffer Overflows; Local Buffer Overflow Exploits; Lab 10-2: Components of the Exploit; Lab 10-3: Exploiting Stack Overflows from the Command Line; Lab 10-4: Writing the Exploit with Pwntools; Lab 10-5: Exploiting Small Buffers; Exploit Development Process; Lab 10-6: Building Custom Exploits; Summary; For Further Reading
Chapter 11. Advanced Linux Exploits: Lab 11-1: Vulnerable Program and Environment Setup; Lab 11-2: Bypassing Non-Executable Stack (NX) with Return-Oriented Programming (ROP); Lab 11-3: Defeating Stack Canaries; Lab 11-4: ASLR Bypass with an Information Leak; Lab 11-5: PIE Bypass with an Information Leak; Summary; For Further Reading; References
Chapter 12. Linux Kernel Exploits: Lab 12-1: Environment Setup and Vulnerable procfs Module; Lab 12-2: ret2usr; Lab 12-3: Defeating Stack Canaries; Lab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI); Lab 12-5: Bypassing Supervisor Mode Access Prevention (SMAP); Lab 12-6: Defeating Kernel Address Space Layout Randomization (KASLR); Summary; For Further Reading; References
Chapter 13. Basic Windows Exploitation: Compiling and Debugging Windows Programs; Lab 13-1: Compiling on Windows; Debugging on Windows with Immunity Debugger; Lab 13-2: Crashing the Program; Writing Windows Exploits; Exploit Development Process Review; Lab 13-3: Exploiting ProSSHD Server; Understanding Structured Exception Handling; Understanding and Bypassing Common Windows Memory Protections; Safe Structured Exception Handling; Bypassing SafeSEH; Data Execution Prevention; Return-Oriented Programming; Gadgets; Building the ROP Chain; Summary; For Further Reading; References
Chapter 14. Windows Kernel Exploitation: The Windows Kernel; Kernel Drivers; Kernel Debugging; Lab 14-1: Setting Up Kernel Debugging; Picking a Target; Lab 14-2: Obtaining the Target Driver; Lab 14-3: Reverse Engineering the Driver; Lab 14-4: Interacting with the Driver; Token Stealing; Lab 14-5: Arbitrary Pointer Read/Write; Lab 14-6: Writing a Kernel Exploit; Summary; For Further Reading; References
Chapter 15. PowerShell Exploitation: Why PowerShell; Living off the Land; PowerShell Logging; PowerShell Portability; Loading PowerShell Scripts; Lab 15-1: The Failure Condition; Lab 15-2: Passing Commands on the Command Line; Lab 15-3: Encoded Commands; Lab 15-4: Bootstrapping via the Web; Exploitation and Post-Exploitation with PowerSploit; Lab 15-5: Setting Up PowerSploit; Lab 15-6: Running Mimikatz Through PowerShell; Using PowerShell Empire for C2; Lab 15-7: Setting Up Empire; Lab 15-8: Staging an Empire C2; Lab 15-9: Using Empire to Own the System; Lab 15-10: Using WinRM to Launch Empire; Summary; For Further Reading; Reference
Chapter 16. Getting Shells Without Exploits: Capturing Password Hashes; Understanding LLMNR and NBNS; Understanding Windows NTLMv1 and NTLMv2 Authentication; Using Responder; Lab 16-1: Getting Passwords with Responder; Using Winexe; Lab 16-2: Using Winexe to Access Remote Systems; Lab 16-3: Using Winexe to Gain Elevated Privileges; Using WMI; Lab 16-4: Querying System Information with WMI; Lab 16-5: Executing Commands with WMI; Taking Advantage of WinRM; Lab 16-6: Executing Commands with WinRM; Lab 16-7: Using Evil-WinRM to Execute Code; Summary; For Further Reading; Reference
Chapter 17. Post-Exploitation in Modern Windows Environments: Post-Exploitation; Host Recon; Lab 17-1: Using whoami to Identify Privileges; Lab 17-2: Using Seatbelt to Find User Information; Lab 17-3: System Recon with PowerShell; Lab 17-4: System Recon with Seatbelt; Lab 17-5: Getting Domain Information with PowerShell; Lab 17-6: Using PowerView for AD Recon; Lab 17-7: Gathering AD Data with SharpHound; Escalation; Lab 17-8: Profiling Systems with winPEAS; Lab 17-9: Using SharpUp to Escalate Privileges; Lab 17-10: Searching for Passwords in User Objects; Lab 17-11: Abusing Kerberos to Gather Credentials; Lab 17-12: Abusing Kerberos to Escalate Privileges; Active Directory Persistence; Lab 17-13: Abusing AdminSDHolder; Lab 17-14: Abusing SIDHistory; Summary; For Further Reading
Chapter 18. Next-Generation Patch Exploitation: Introduction to Binary Diffing; Application Diffing; Patch Diffing; Binary Diffing Tools; BinDiff; turbodiff; Lab 18-1: Our First Diff; Patch Management Process; Microsoft Patch Tuesday; Obtaining and Extracting Microsoft Patches; Summary; For Further Reading; References
Part IV. Hacking IoT
Chapter 19. Internet of Things to Be Hacked: Internet of Things (IoT); Types of Connected Things; Wireless Protocols; Communication Protocols; Security Concerns; Shodan IoT Search Engine; Web Interface; Shodan Command-Line Interface; Lab 19-1: Using the Shodan Command Line; Shodan API; Lab 19-2: Testing the Shodan API; Lab 19-3: Playing with MQTT; Implications of this Unauthenticated Access to MQTT; IoT Worms: It Was a Matter of Time; Prevention; Summary; For Further Reading; References
Chapter 20. Dissecting Embedded Devices: CPU; Microprocessor; Microcontrollers; System on Chip; Common Processor Architectures; Serial Interfaces; UART; SPI; I2C; Debug Interfaces; JTAG; SWD; Software; Bootloader; No Operating System; Real-Time Operating System; General Operating System; Summary; For Further Reading; References
Chapter 21. Exploiting Embedded Devices: Static Analysis of Vulnerabilities in Embedded Devices; Lab 21-1: Analyzing the Update Package; Lab 21-2: Performing Vulnerability Analysis; Dynamic Analysis with Hardware; The Test Environment Setup; Ettercap; Dynamic Analysis with Emulation; FirmAE; Lab 21-3: Setting Up FirmAE; Lab 21-4: Emulating Firmware; Lab 21-5: Exploiting Firmware; Summary; For Further Reading; References
Chapter 22. Software-Defined Radio: Getting Started with SDR; What to Buy; Not So Quick: Know the Rules; Learn by Example; Search; Capture; Replay; Analyze; Preview; Execute; Summary; For Further Reading
Part V. Hacking Hypervisors
Chapter 23. Hypervisors 101: What Is a Hypervisor?; Popek and Goldberg Virtualization Theorems; Goldberg's Hardware Virtualizer; Type-1 and Type-2 VMMs; x86 Virtualization; Dynamic Binary Translation; Ring Compression; Shadow Paging; Paravirtualization; Hardware Assisted Virtualization; VMX; EPT; Summary; References
Chapter 24. Creating a Research Framework: Hypervisor Attack Surface; The Unikernel; Lab 24-1: Booting and Communication; Lab 24-2: Communication Protocol; Boot Message Implementation; Handling Requests; The Client (Python); Communication Protocol (Python); Lab 24-3: Running the Guest (Python); Lab 24-4: Code Injection (Python); Fuzzing; The Fuzzer Base Class; Lab 24-5: IO-Ports Fuzzer; Lab 24-6: MSR Fuzzer; Lab 24-7: Exception Handling; Fuzzing Tips and Improvements; Summary; References
Chapter 25. Inside Hyper-V: Environment Setup; Hyper-V Architecture; Hyper-V Components; Virtual Trust Levels; Generation-1 VMs; Lab 25-1: Scanning PCI Devices in a Generation-1 V