Pages

20190503

Gray Hat Hacking


  • It has been proven over and over again that it is important to understand one’s enemies, including their tactics, skills, tools, and motivations.
  • The more you know about what your enemy is up to, the better idea you have as to what protection mechanisms you need to put into place to defend yourself.
  • Attacks are not only getting more specific, but also increasing in sophistication.
  • Malware is still one of the main culprits that costs companies the most amount of money.
  • In 2006, Australia's CERT announced that 80 percent of antivirus software products commonly missed new malware attacks because attackers test their malware software against the most popular antivirus software products in the industry to hide from detection.
  • A conservative estimate from Gartner pegs the average hourly cost of downtime for computer networks at $42k.
  • Today, potentially millions of computers are infected with bots that are controlled by specific hackers.
  • A zero-day attack is one for which there is currently no fix available and whoever is running the particular software that contains that exploit vulnerability is exposed with little or no protection.
  • WIthin each and every organization, there is the all-too-familiar battle of functionality vs security.
  • Security officers are in charge of ensuring the overall security of the environment, which usually means reducing or shutting off many functionalities that users love.
  • A vulnerability assessment is usually carried out by a network scanner on steroids.
  • Vulnerability assessments are great for identifying the foundational security issues within an environment, but many times, it takes an ethical hacker to really test and qualify the level of risk specific vulnerabilities pose.
  • No security professional should ever try to embarrass a customer or make them feel inadequate for their lack of security.
  • The goal of a vulnerability test is to provide a listing of all the vulnerabilities within a network. The goal of a penetration test is to show the company how these vulnerabilities can be used against it by attackers.
  • Just because a client asks for it, doesn’t mean that it’s legal.
  • A computer is just a new tool to carry out old crimes.
  • Knowledge and the implementation of knowledge are the keys for any real security to be accomplished.
  • In most instances, the toolset used by malicious attackers is the same tools used by security professionals.
  • Nothing should be trusted until it is tested.
  • Hacking into a system or environment is almost always carried out by exploiting vulnerabilities in software.
  • Software, in general, is very complicated, and the more functionality that we try to shove into applications and operating systems, the more complex software will become. THe more complex software gets, the harder it is to predict properly how it will react in all possible scenarios, which makes it harder to secure.
  • A common estimate used in the industry is that there are between 5-50 bugs per 1,000 lines of code.
  • Every industry in the world is becoming more reliant on software and technology.
  • The hacker community’s skill sets are continually increasing.
  • Unfortunately, almost all of today’s software products are riddle with flaws.
  • CERT/CC is a federally funded research and development operation that focuses on internet security and related issues.
  • The Common Vulnerabilities and Exposures (CVE) list is a compilation of publicly known vulnerabilities.
  • Effective security cannot be based on obscurity.
  • A common but insecure practice for may software vendors is to ship software with backdoors, utilities, and administrative features that help the receiving administrator learn and implement the product.
  • Security should be a core discipline when designing the product, during specification and development phases, and during testing phases.
  • Highly trained developers create more secure products.
  • Social engineering is a way to get someone to do something they wouldn’t normally do for you [...] by creating a false trust relationship with them.
  • Emotion is what derails security policy and practices, by leading the human user to make an exception to the rules for what they believe is a good reason.
  • If the social engineer looks authoritative and unapproachable, the target usually takes the easy way out by doing what’s asked of them and avoiding a conflict.
  • No matter what emotional button the attacker is attempting to push, the premise is always the same: the intended victim will not sense the risk of their action or guess the real intentions of the attacker until it’s too late or, in many cases, not at all.
  • Google is probably the most effective way to start finding names, job titles, contact information, and more.
  • Finding employees with accounts on popular social media sites is a common practice among social engineers.
  • While natural charisma is a prized resource, a practiced phone voice and the ability to discuss convincingly a wide variety of not necessarily technical social topics will get you pretty far down the road.
  • A good place to start your reconnaissance after researching the company online is to begin targeting people of interest internally in an attempt to build a picture of who is who and, if possible, develop rapport with potential sources.
  • Planning an attack takes time, practice, and, above all, patience.
  • Port 443 is a common port to use as it is difficult to proxy and monitor, as the legitimate traffic that would typically flow over it is encrypted.
  • By being knowledgeable and conversant in company matters with the information you’ve collected from your social media assets, you can easily build rapport and trust with the employees at the target company online and in person while on site.
  • In order to successfully mount a face-to-face SEA, you must not only look the part you’re playing, but also appear as comfortable as you would if you were having a relaxed conversation with a friend. Ideally you want your attitude to put people at ease.
  • The most useful metric for determining how calm you are is your heart rate.
  • Try this exercise: As you walk in public and encounter people, look them directly in the eye and hold eye contact with them until they break it or you move past them.
  • It’s advisable to have  abase script to work from and then deviate as circumstances necessitate.
  • A common beginner mistake is to not have something to do with your hands.
  • Hardening your environment to withstand SEAs, especially targeted ones, is more a matter of training than a traditional security control.
  • An SEA goes right to the most vulnerable point in a company’s defenses: it’s employees.
  • The best defense against SEAs is awareness training and simulated targeted attacks.
  • Conducting an attack after hours is not recommended. Doing so is extremely dangerous because you might be met by a third party with an armed response or attack dogs.
  • You should always have a contact within the target organization who is aware of your activities and available to vouch for you should you be caught.
  • It’s a good idea to ask your client in advance to act as if they don’t know you if they encounter you on the premises.
  • You have to study any potential target prior to attempting a physical penetration.
  • Getting close enough to determine what kind of physical access controls are in place will be helpful in planning your attempt to subvert them.
  • The front entrance to any building is usually the most heavily guarded. It’s also the most heavily used, which can be an opportunity.
  • Secondary entrances such as doors leading to the smoker’s area and loading docks usually offer good ingress opportunities, as do freight elevators and service entrances.
  • When you survey the target site, note how people are entering and exiting the building.
  • You should closely examine the front door and lobby; choose someone from your team to walk in and drop off a handful of takeout menus from a nearby restaurant. This will give you some idea of how sophisticated their security controls are and where they’re located.
  • If you’ve encountered a professional security guard, he will remember your face, because he’s been trained to do so as part of his job.
  • Unless the target organization is large enough that it has its own cafeteria, employees will frequent local businesses for lunch or morning coffee. This is a great opportunity to see what their badges look like and how they wear them.
  • Because the smoker’s door is a relatively active area and mostly used for one specific purpose, it represents an excellent opportunity to enter a building unnoticed, or at least unchallenged.
  • If you wish to fully understand the lobby security process for a specific building prior to attempting to subvert it, make an appointment with another tenant in the building.
  • A mantrap is a two-door entry system. The entrant is allowed through the first door, which then closes and locks. Before the second or inner door unlocks and opens, the entrant must identify and authenticate himself. If he does not, he’s trapped between the two doors and must be released by the security guard.
  • Properly implemented and operated, a mantrap cannot be directly subverted except by impersonation.
  • When confronted with a mantrap, find a different way in or talk your way past it using the pretense that you are a visitor.
  • Every door opens for the fire inspector! Since these positions are often municipal and un-uniformed, they are easily impersonated.
  • Before you attempt to defeat a mechanical lock, it’s important to understand how a basic cylinder lock and key work.
  • Perhaps the single most effective policy to ensure that an introducer is noticed is one that requires employees to report or inquire about someone they don’t recognize.
  • With the exception of the very small company, hired employees are essentially strangers a company pays to perform a task.
  • The higher the privilege level of the user, the more trust that is placed in that person and the more risk that is incurred by the company.
  • An easy way to see what users are members of the local Administrators group of an individual machine is to use the built-in net command from the command prompt: net localgroup Administrators
  • The easiest way to gain access to the Administrator account is to reset its password.
  • Offline NT Password is a stripped-down version of Linux with a menu-driven interface. By default, it steps you through the process of removing the Administrator account password.
  • Despite widely publicized best practices, in more cases than not the LAN Manager (LM) hash for the Administrator account will still be present on the local machine. This hash can easily be cracked to reveal the local Administrator account password.
  • If you are having difficulty uninstalling the AV product, try booting into Safe Mode. This will limit which applications are loaded to a minimum, which in many cases will negate the active protective controls built into AV products allowing you to uninstall them.
  • You can use the Sysinternals Process Explorer, procexp, to identify and suspend the process related to the AV product.
  • Enumeration should be performed against domain controllers because these servers are responsible for authentication and contain lists of all users in each domain.
  • Google Desktop can also help pinpoint obscure file storage directories that may or may not have been noticed any other way during the testing process.
  • Because BackTrack [Kali] is a pen-testing distribution, networking services don't’ start by default at boot.
  • Metasploit can pair any Windows exploit with any Windows payload.
  • The Metasploit Meterpreter is a command interpreter payload that is injected into the memory of the exploited process and provides extensive and extendable features to the attacker. This payload never actually hits the disk on the victim host; everything is injected into process memory with no additional process created.
  • A good target is the user’s explorer.exe process. Explorer.exe is the process that manages the desktop and shell, so as long as the user is logged in, explorer.exe should remain alive.
  • When pen-testing, your goals will often be to elevate privileges, establish a stronger foothold, and expand across to other machines.
  • Administrators tend to reuse the same password on multiple computers, especially when they believe the password to be difficult to guess.
  • Scope is probably the most important issue when planning a penetration test.
  • Most organizations use a Statement of Work (SOW) when contracting outside work. The format of the SOW is not as important as its content.
  • Whenever possible, have the client give you a “get-out-of-jail-free letter”.
  • Bad news does not get better with time.
  • The Dradis Server is the best way to collect and provide information sharing during a penetration test.
  • The strcpy command is probably the most dangerous command used in C.
  • The .text section basically corresponds to the .text portion of the binary executable file. It contains the machine instructions to get the task done.
  • The .data section is used to store global initialized variables.
  • The below stack section (.bss) is used to store global non initialized variables.
  • The heap section is used to store dynamically allocated variables and grows from the lower-addressed memory to the higher-addressed memory. The allocation of memory is controlled through the malloc() and free() functions.
  • The stack section is used to keep track of function calls (recursively) and grows from the higher-addressed memory to the lower-addressed memory on most systems.
  • Local variables exist on the stack section.
  • The environment/arguments section is used to store a copy of system-level variables that may be required by the process during runtime.
  • The memory space of a process looks like this: text | data | bss | heap -> | unused | <- env="" li="" stack="">
  • The term buffer refers to a storage place used to receive and hold data until it can be handled by a process.
  • Simply put, strings are just contiguous arrays of character data in memory. The string is referenced in memory by the address of the first character. The string is terminated or ended by a null character.
  • Pointers are special pieces of memory that hold the address of other pieces of memory.
  • Moving data around inside of memoir is a relatively slow operation. It turns out that instead of moving data, it is much easier to keep track of the location of items in memory through pointers and simply change the pointers.
  • To read the value of the memory address pointed to by the pointer, you dereference a pointer with the * symbol.
  • Registers are used to store data temporarily.
  • The mov command is used to copy data from the source to the destination.
  • The add command is used to add the source to the destination and store the result in the destination.
  • The sub command is used to subtract the source from the destination and store the result in the destination.
  • The push and pop commands are used to push and pop items from the stack.
  • The call command is used to call a procedure (not jump to a label). The ret command is used at the end of a procedure to return the flow to the command after the call.
  • The lea command is used to load the effective address of the source into the destination.
  • The int command is used to throw a system interrupt signal to the processor. The common interrupt you will use is 0x80, which is used to signal a system call to the kernel.
  • Hacking tools (any many other applications) use Python because it is a breeze to learn and use, is quite powerful, and has a clear syntax that makes it easy to read.
  • Dictionaries are similar to lists except that objects stored in a dictionary are referenced by a key, not by the index of the object.
  • Dictionaries are a great way to store any values that you can associate with a key where the key is a more useful way to fetch the value than a list’s index.
  • In Python, white space matters, and indentation is used to mark code blocks.
  • The stack is one of the most interesting capabilities of an operating system.
  • In memory, each process maintains its own stack within the stack segment of memory.
  • Buffers themselves have no mechanism to keep you from putting too much data in the reserved space.
  • When dealing with buffer overflows, there are basically three things that can happen. The first is denial of service. The second thing that can happen when a buffer overflow occurs is that eip can be controlled to execute malicious code at the user level of access. This happens when the vulnerabile program is running at the user level of privilege. The third and absolute worst thing that can happen when a buffer overflow occurs is that the eip can be controlled to execute malicious code at the system or root level.
  • Local exploits are easier to perform than remote exploits because you have access to the system memory space and can debug your exploit more easily.
  • The basic concept of buffer overflow exploits is to overflow a vulnerability buffer and change eip for malicious purposes.
  • In assembly code, the NOP command simply means to do nothing but move to the next command.
  • If eip is pointed to a NOP sled, the processor will ride the sled right into the next component.
  • On x86 systems, the 0x90 opcode represents NOP.
  • The most important element of the exploit is the return address, which must be aligned perfectly and repeated until it overflows the saved eip value on the stack.
  • As a rule of thumb, it is a good idea to fill half of the attack buffer with NOPs.
  • What happens when the vulnerable buffer is too small? The answer lies in the use of environment variables. You would store your shellcode in an environment variable or somewhere else in memory, then point the return address to that environment variable.
  • Unlike buffer overflows, format string exploits are relatively easy to spot in source code and binary analysis.
  • In C/C++, the destructor (DTOR) section provides a way to ensure that some process is executed upon program exit.
  • It turns out that if we overwrite either an existing function pointer in the DTOR section or the ending marker with our target return address, the program will happily jump to that location and execute.
  • There are many other useful locations to overwrite; for example: global offset table, global function pointers, atexit handlers, stack values, program-specific authentication variables.
  • Libsafe is a dynamic library that allows for the safer implementation of [many] dangerous functions.
  • Libsafe overwrites dangerous libc functions, replacing the bounds and input scrubbing implementations, thereby eliminating most stack-based attacks.
  • StackShield is a replacement to the gcc compiler that catches unsafe operations at compile time.
  • In addition, when a function is called, StackShield copies the saved return address to a safe location and restores the return address upon returning from the function.
  • SSP [Stack Smashing Protector] has been incorporated in GCC (starting in version 4.1) and is on by default. It may be disabled with the -fno-stack-protector flag.
  • GCC has implemented a non-executable stack using the GNU_STACK ELF marking. This feature is on by default (starting in version 4.1) and may be disabled with the -z execstack flag.
  • Early on, developers realized that program stacks and heaps should not be executable and that user code should not be writeable once it is placed in memory.
  • The intent of ASLR is to randomize the following memory objects: executable image, brk()-managed heap, library images, mmap()-managed heap, user space stack, kernel space stack.
  • Systems that implement ASLR provide a high level of protection from “return to libc” exploits by randomizing the way the function pointers of libc are called. This is done through the randomization of the mmap() command and makes finding the pointer to system() and other functions nearly impossible.
  • “Return to libc” is a technique that was developed to get around non-executable stack memory protection schemes such as PaX and ExecShield. Basically, the technique uses the controlled eip to return execution into existing glibc functions instead of shellcode.
  • It turns out that functions like system() and exit() are automatically linked into binaries by the gcc compiler.
  • Reliable shellcode is at the heart of virtually every exploit that results in “arbitrary code execution”, a phrase used to indicate that a malicious user can cause a vulnerable program to execute instructions provided by the user rather than the program.
  • User-space is that portion of a computer’s memory space dedicated to running programs and storing data that has no need to deal with lower-level system issues. That lower-level behavior is provided by the computer’s operating system, much of which runs in what has come to be called kernel space, since it contains the core, or kernel, of the operating system code and data.
  • Programs that run in user space and require the services of the operating system must follow a prescribed method of interacting with the operating system, which differs from one operating system to another.
  • In generic terms, we say that user programs must perform “system calls” to request that the operating system perform some operation on their behalf.
  • Virtually all significant capabilities required by shellcode are controlled by the operating system, as such, it is important for shellcode authors to understand how to access these services on the platforms for which they are authoring shellcode.
  • Windows shellcode must go through a discovery process to locate each function that it needs to call before it can call those functions.
  • Regardless of the operating system that we are targeting, processes are provided three open files when they start. These files are typically referred to as the standard input (stdin), standard output (stdout), and standard error (stderr) files.
  • As an attacker, you must ensure that before you create a shell process, you have properly set up your input/output file descriptor(s) to become the stdin, stdout, and stderr that will be utilized by the command shell once it is launched.
  • In many cases, firewalls are less restrictive regarding outgoing traffic.
  • Reverse shellcode, also known as “callback shellcode”, exploits this fact by reversing the direction in which the second connection is made.
  • The most common technique used in shellcode for locating the proper socket descriptor is to enumerate all of the possible file descriptors in the vulnerable application, and to query each descriptor to see if it is remotely connected to our computer.
  • Multistage payloads generally consist of two or more stages of shellcode, with the sole purpose of the first (and possible later) stage being to read more shellcode and then pass control to the newly read-in second stage, which, we hope, contains sufficient functionality to carry out the majority of the work.
  • Launching new processes, creating new network connections, and creating new files are all actions that are easily detected by security-conscious system administrators.
  • A system call (or syscall) proxy is a small piece of shellcode that enables remote access to a target’s core operating system functionality without the need to start a new process like a command interpreter such as /bin/sh. The proxy code executes in a loop that accepts one request at a time from the attacker, executes that request on the target computer, and returns the results of the request to the attacker.
  • Conceptually, it is as if the hostile program were actually running on the target computer, yet no file has been uploaded to the target, and no new process has been created on the target, as the system call proxy payload can continue to run in the context of the exploited process.
  • Process injection shellcode allows the loading of entire libraries of code running under a seperate thread of execution within the context of an existing process on the target computer.
  • Whenever we attempt to exploit a vulnerable application, it is important that we understand any restrictions that we must adhere to when it comes to the structure of our input data.
  • Determining exactly which characters must be avoided typically is accomplished through a combined process of reverse-engineering an application and observing the behavior of the application in a debugging environment.
  • The purpose of a shellcode encoder is to transform the bytes of a shellcode payload into a new set of bytes that adheres to any restrictions imposed by our target application.
  • A very important thing to understand about shellcode is that, like any other code, it requires storage space while executing.
  • Stability becomes a huge concern when developing kernel-level exploits.
  • Any shellcode you use needs to take into account the effect your exploit will have on the threat that you exploited.
  • Proper cleanup is a very important piece of any kernel exploit.
  • The purpose of the operating system is to serve as a bridge between the user (process) and the hardware.
  • If there are any null characters, the shellcode will fail when we place it into a string for injection during an exploit.
  • Sockets are defined as the binding of a port and an IP address to a process.
  • The XOR function is interesting because it is reversible, meaning if you XOR a number with another number twice, you get the original number back as a result.
  • The reversible characteristics of the XOR function make it a great candidate for encoding and basic encryption.
  • When shellcode is encoded, a decoder needs to be placed on the front of the shellcode.
  • One of the most common GETPC techniques is the JMP/CALL technique. We start with a JMP instruction forward to a CALL instruction, which is located just before the start of the encoded shellcode. The CALL instruction will push the address of the next address of the next address onto the stack and jump back to the next instruction. At that point, we can pop the location of the encoded shellcode off the stack and store it in a register for use when decoding.
  • Another popular GETPC technique is to use the FNSTENV assembly instruction as described by noir. The FNSTENV instruction writes a 32-byte floating-point unit (FPU) environment record to the memory address specified by the operand.
  • The msfpayload command is supplied with Metasploit and automates the generation of shellcode.
  • The /GS switch enables Microsoft’s implementation of stack canary protection, which is quite effective in stopping buffer overflow attacks.
  • Recall that the exploit development process is as follows: control eip, determine the offsets, determine the attack vector, build the exploit sandwich, test the exploit, debug the exploit if needed.
  • When [Windows] programs crash, the operating system provides a mechanism to try to recover operations, called structured exception handling (SEH). This is often implemented in the source code with try/catch or try/exception blocks.
  • Windows keeps track of SEH records by using a special structure.
  • The /GS compiler option is the Microsoft implementation of a stack canary concept, whereby a secret value is placed on the stack above the saved ebp and saved RETURN address. Then, upon return of the function, the stack canary value is checked to see if it has been changed.
  • The purpose of the SafeSEH protection is to prevent the overwrite and use of SEH structures stored on the stack.
  • In the past, a traditional heap exploit would overwrite the heap chunk headers and attempt to create a fake chunk that would be used during the memory-free routine to write an arbitrary 4 bytes at any memory address.
  • Data Execution Prevention (DEP) is meant to prevent the execution of code placed in the heap, stack, or data sections of memory.
  • The DEP settings for an application are stored in the Flags bitfield of the KPROCESS structure, in the kernel.
  • The purpose of address space layout randomization (ASLR) is to introduce randomness (entropy) into the memory addresses used by a process. This makes attacking much more difficult, as memory addresses keep changing.
  • The /GS protection mechanism uses several weak entropy sources that may be calculated by an attacker and used to predict (or guess) the cookie value.
  • It turns out that the /GS protection does not protect the SEH structures placed on the stack.
  • The easiest way to bypass ASLR is to return into modules that are not linked with ASLR protection.
  • PDF is now the most commonly attacked content file type.
  • Most PDF-based vulnerabilities in the wild exploit coding errors made by Adobe Reader’s JavaScript engine.
  • You should always change the file extension of potentially malicious samples. When handling malicious EXE samples, changing the file extension prevents accidental execution.
  • Remember that real-world exploits are binary, obfuscated, compressed, and jumbled up.
  • The vast majority of content-type attacks attempt to exploit already-patched vulnerabilities.
  • Simply applying all security updates blocks most content-type attacks [...].
  • Data Execution Prevention (DEP) is an effective mitigation against many real-world exploits.
  • Web application injection vulnerabilities result from poor input validation.
  • Applications are vulnerable to cross-site scripting (XSS) when they permit untrusted, attacker-provided data to be actively displayed or rendered on a web page without being escaped or encoded.
  • Any web application that accepts user input as the basis for taking action or performing a database query may be vulnerable to a SQL injection.
  • Strict input validation prevents injection vulnerabilities.
  • A common character used as a simple check for SQL injection is a single quote.
  • Databases store data in a structured manner that allows easy retrieval and cross-referencing. Organizing the data in a “relational” manner makes it easier to query and retrieve any data in the database. Relational databases store data in tables organized by rows and columns. Entries in different tables can cross-reference each other via a unique identifier for each row.
  • XSS vulnerabilities primarily impact the users of the web application, not the web application itself.
  • VoIP, or Voice over Internet Protocol, is a type of transmissions medium that is responsible for the devliery of real-time voice and data communication.
  • Enumeration is the process of gathering informain about a target system or network entity for reconnaissance and potential exploitation.
  • One type of attack that can consuem resources and cause outages is the SIP invite flood.
  • In our opinion, VoIPER is one of the most comprehensive open source VoIP test tools ebcause it is based on the concept of fuzzing, a technique that is used to inject irregular message content and data inputs in an effort to test the robustness of a system.
  • Test your system thouroughly via penetration testing and implement a strategy of defense in depth that encompasses the entire system.
  • Almost everything is connected to the vast realm of the internet, and SCADA devices are no exception.
  • SCADA stands for supervisory control and data acquisition.
  • SCADA networks control and monitor the critical utility and process contro infrastructures for manufacturing, production, and power generation for utility companies, including electricity, natural gas, oil, water, sewage, and railroads.
  • Since the inception of telemetry, SCADA networks have become popular to control electrical and other infrastructure systems.
  • SCADA uses several protocols. The most common protocols are: object linking and embedding for process control (OPC), inter-control center protocol (ICCP), modbus, and distributed network protocl version 3 (DNP3).
  • Modbus is a protocol specification designed for building automation equpiment used to interface with various devices over RS485 serial and TCP/IP interfaces.
  • SCADA devices are prone to the same common vulnerabiltites--such as enumeration, password cracking, network evasdropping, and denial of service--that are found in any other types of network devices.
  • Fuzzing provides an intelligent approach to injecting irregular message content and data inputs in an effort to qualify the robustness of a system.
  • The key here [to fuzzing] is to try every kind of malformed message trigger that we can think of, to see if we can cause some sort of abnormality or disruption.
  • Just about any protocl has the potential to be reverse engineered and used for malicious intent.
  • Many programming lanauges allow the programmer to ignore the values returned by functions. This is a dangerous practice because function return values are often used to indicate error conditions.
  • Preconditions are a set of one or more conditions that must be true upon entry into a particular portoin of a program.
  • Postconditions are a set of conditions tht most hold upon exit from a particular section of a program.
  • The strcpy() function is dangrous because it copies data into a destination buffer without any regard for the size of the buffer and therefore may overflowthe buffer.
  • It is important to make sure that proper validation of input data is taking place.
  • For all but the most trivial of programs, it is virtualy impossible to formally prove that a program is secure.
  • The level of effort requied to determine whether a potential trouble spot is vulnerable is generally much higher than the level of effort the white hat will expend fixing that same trouble spot.
  • Since most vulnearbilites are exploited when programs fail to properly handle user input, it is important to understand first how data is passed to an application, and second what happens with that data.
  • To locate vulnerabilities, you need to determine which types of input, if any, result in user-supplied data being manipulated in an insecure fashion.
  • Proficiency at reverse engineering binaries rquires patience, practice, and a good collection of reference material.
  • The purpose of a disassembler is to attempt to geenrate assembly lanauge from a compiled binary, while the purpose of a decompiler is to attempt to generate source code from a compiled binary.
  • Decompilation is perhaps the holy grail of binary auditing.
  • Two common executable file formats are the Portable Executable (PE) file format used for Microsoft Windows executables, and the Executable and Linking Format (ELF) used by Linux and other Unix variants.
  • A particulalry impressive feature of IDA Pro is its ability to track program stack usage within each recognized function.
  • Dissassemblies are made more readable when strucutre names are used rather than register plus offset syntax.
  • The process of manually searching for vulnerabilties using IDA Pro is similar in many respects to searching for vulnerabilites in source code. A good start is to locate the places in which the program accepts user-provided input, and then attempt to undetstand how that input is used.
  • BinNavi from Zynamics is a tool that provides for graph-based analysis and debugging of binaries.
  • BinDiff, as its name implies, displays the differences between two versions of the same binary.
  • BinDiff combines disassembly with graph comparison algorithms to compare the control flow graphs of successive versions of functions and highlights the newly introduced code in a display format similar to that of BinNavi.
  • The process of “stripping” a binary invovles removing all symbol information that is no longer required once the binary has been built.
  • A significant amount of initialization must take place before control can be transfered to main.
  • Programs that use shared libraries are said to be dynamicaly linked, while programs that use static libraries are said to be statically linked.
  • Dynamic linking results in smaller executables and easier upgrading of library components at the expense of some extra overhead when launching the binary, and the chance that the binary will not run if any required libraries are missing.
  • Static linking results in much larger binaries becauyse library code is merged with program code to create a single executable file that has no external dependies, making the binary easier to distribute.
  • The last thing you want to do is spend your time reversing library code that is generally accepted to be fairly secure.
  • One consequence of compilation being a lossy operation is that we lose acces to data declarations and structure definitions, which makes it far more difficult to understand the memory layout in dissasmbled code.
  • There are two important steps in determining the layout of data structures in compiled code. The first step is to determine the size of the data structure. The second step is to determine how the structure is subdivided into fields and what type is associated with each field.
  • There are two methods for determing the size fo a structure. The first and easietst method is to find locations at which a strucutre is dynamically allocated using malloc or new. The seoncd method of determining the size of a structure is to observe the offesets used in every referenceto the structure and to compute the maximum size required to house that data that is referenced.
  • To understand the layout of the bytes within a strucutre, we must determine the types of data that are used at each observable offset within the structure.
  • C++ is a somewhat more complex language than C, offering member functions and polymorphism, among other things. These two features require implemention dtails that make compiled C++ code look rather different from compiled C code when they are used. First, all nonstatic member functions require a ‘this’ pointer; and second, polymorphism is impleented through the use fo vtables.
  • Virtual tables (vtables) are the mechanis underlying virtual functions and polymorphism in C++.
  • A vtable contains an entry for each virtual function in a class, and the compiler files each entry with a pointer to the virtual function’s implementation. Subclasses that override any virtual functions each receive their own vtable.
  • By examining similaraties among vtables, it is possible to understand inheretance relationships among classes in a C++ program.
  • A security conscious end user should always assuem that there are problems that have avoided detection all the way through the testing phase.
  • A tremoudous number of software bugs are found simply because a user provided unexpected input to a program.
  • Fuzzing is one of the main tecniques used in black/gray box testing. To fuzz effectively, two types of tools are required, instrumentation tools and fuzzing tools. Instrumentation tools are used to pinpoint problem ares in programs either at runtime or during post-crash analysis. Fuzzing tools are used to automatically generate large numbers of interesting input cases and feed them to programs.
  • The challenge to the tester is to ensure that all code paths behave predicteibley under all input cases. To do this, test cases must be developed that force the program to execute all possible instructions within the program.
  • Threaded programs and programs that fork can be difficult for debuggers to follow.
  • Following a fork operation, you must decide whether to follow and debug the child process or to stick with and continue debugging the parent process.
  • A core dump is simply a snapshot of a process’s state, including memory contents and CPU register values, at the time an exception occurs in a process.
  • To monitor kernel-level software such as device drrivers, kernel-level debuggers are required.
  • Code coverage tools give developers an idea of what portions of their programs are actually getting executed. Such tools are excelletn aids for test case development.
  • Some of the most usefyul tools for black box testing are those that monitor the way that a program uses memory at runtime.
  • A double free condition occurs wen the free function is called a second time for a poitner that has already been freed. The second call to free corrupts heap management information that can result in an exploitable condition.
  • Should you choose to fuzz a program, Valgrind can be a critical peice of instrumentation that can help to quicly isolate memory problems, in particular heap-based buffer overflows, which manifest themselves as invalid reads and writs in Valgrind.
  • The real challenge of fuzzer development is building them in such a way that they generate intersting input in an intelligenct, efficient manner.
  • To reach the many possible code paths for a given problem, a fuzzer usually needs to be somewhat “protocol aware”.
  • Fuzzing should generally be performed with some form of instrumentation in place.
  • The goal of fuzzing is to induce an observable error condition in a program.
  • Without resorting to reverse enginering a program binary, one of the few ways you can hope to learn about an unknown protocol is by observing communicaionts to and from the program.
  • Vulnerable SUID root binaries can provide an easy means for local privelage escalation attacks.
  • Client-side vulnerabilites exploited for code execution result in attack code exeecuting at the same pirvlege level as the client-side application executes normally.
  • The Windows heap manager itself by default does not zero out memory between uses. It could, but that would incur a performance hit.
  • It’s important to point out that most real-world compromises are not due to zero-day attacks. Most compromises are the result of unpatched workstations.
  • Access control is about the science of protecting things.
  • Not all vulnerabilities in access control are this easy to exploit, but once you undrestand the concepts, you’ll quickly understand the path to privelege escalation, even if you don’t yet know how to take control of execution via a buffer overrun.
  • Windows access tokens work in a similar manner as an employee badge. The access token is a container of all a user’s security information and is checked when that user requests access to a secured resource.
  • Every process gets its own token describing the user context under which the process is running.
  • Having per-process tokens is a powerful feature that enables scenarioes that would otherwise be impossible.
  • The two easiest ways to dump the access token of a process or thread are Process Explorer and the !token debugger command.
  • Any program that autostarts is interesting to us because it will likely be autostarted in the security context of a highly privileged account.
  • Shared memory sections are blocks of memeory set aside to be shared between two applications. This is an especially handy way to share data between a kernel-mode process and a user-mode process.
  • The problem with basic fuzzing is that you often only scratch the surface of a server’s interfaces and raregly get deep inside the server to find bugs.
  • Crashability and exploitability are vastly different things.
  • During [crash] analysis, the instruction pointer is often a good place to start looking for problems.
  • For the purposes of debugging, remeber that eip is always pointing at the next instruction to be executed.
  • If you haven’t managed to take control of eip, the next step is to determine what damage you can do using other available registers.
  • Common overwrite locations include saved return addresses, jump table pointers, import table pointers, and funciton pointers.
  • Preconditions are those conditions that must be satisfied to properly inject your shellcode into a vulnerable application.
  • Postconditions are the things that must take place to trigger execution of your code once it is in place.
  • Locating a ‘jmp esp’ or other jump to register is your best defense against a shifting stack, including ASLR-associated shifts.
  • The basic idea behind a return-to-libc exploit is to overwrite a saved return address on the stack with the address of an interesting library function.
  • If you can return to a function such as system(), you can execute virtually any program available on the victim system.
  • It is always wisest to assume that someone will discover or learn of the same vulnerability we are investigating before the vulnerability is patched.
  • Port knocking is a defensive technique that can be used with any network service but is most effective when a service is intended to be accessed by a limited number of users.
  • Port knocking is probably best described as a network cipher lock.
  • The basic idea behind port knocking is that the port on which a network service listens remains closed until a user steps through a required knock sequence. A knock sequence is simply a list of ports that a user attempts to connect to before being granted permission to connect to the desired service.
  • The only sure way to secure a vulnerable application is to shut it down or patch it.
  • One tool for generating and applying binary patches is named Xdelta. Xdelta combines the functionality of diff and patch into a single tool capable of being used on binary files.
  • One of the toughest problems to overcome when patching a binary is finding space to insert new code.
  • An absolute address is an unambiguous location assigned to an instruction or to data.
  • A relative offset describes a location as the distance from some reference location.
  • In the case of a heap overflow, the attacker’s goal is to overwrite heap control structures with specially chosen values that will cause the heap management routines to write a value of the attacker’s choosing into a location of the attacker’s choosing.
  • Malware can be defined as any unintended and unsolicited installation of software on a system without the user knowing or wanting it.
  • One of the most important aspects of a piece of malware is its persistence after reboots and its longevity.
  • Packers are used to “pack” or compress the Windows PE file format.
  • Any time you introduce another system onto the network, you impose a new risk on the network.
  • The first thing you need to do with a foreign binary is determine what type of file it is.
  • The PEiD tool is very useful in telling you if the file is a Windows binary and if the file is compressed, encrypted, or otherwise modified.
  • The ultimate form of static analysis is reverse engineering.
  • The FileMon program is very useful in finding changes to the file system.
  • The Process Explorer tool is very useful in examining running processes.
  • Recovery of any decryption keys is an essential step for reverse-engineering any encrypted malware.
  • One of the most prevalent features of modern malware is obfuscation.
  • Obfuscation is the process of modifying something so as to hide its true purpose.
  • Debuggers rely on the ability to process specific CPU exceptions.
  • The first actions that most malware takes generally center on survival.
  • Automated malware analysis is a difficult problem.
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)