Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, 6th Edition

Book description

Up-to-date strategies for thwarting the latest, most insidious network attacks

This fully updated, industry-standard security resource shows, step by step, how to fortify computer networks by learning and applying effective ethical hacking techniques. Based on curricula developed by the authors at major security conferences and colleges, the book features actionable planning and analysis methods as well as practical steps for identifying and combating both targeted and opportunistic attacks.

Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition clearly explains the enemy's devious weapons, skills, and tactics and offers field-tested remedies, case studies, and testing labs. You will get complete coverage of Internet of Things, mobile, and cloud security along with penetration testing, malware analysis, and reverse engineering techniques. State-of-the-art malware, ransomware, and system exploits are thoroughly explained.

  • Fully revised content includes 7 new chapters covering the latest threats
  • Includes proof-of-concept code stored on the GitHub repository
  • Authors train attendees at major security conferences, including RSA, Black Hat, DEF CON, and BSides

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Contents
  5. Preface
  6. Acknowledgments
  7. Introduction
  8. Part I Preparation
    1. Chapter 1 Gray Hat Hacking
      1. Gray Hat Hacking Overview
        1. History of Hacking
        2. Ethics and Hacking
        3. Definition of Gray Hat Hacking
      2. History of Ethical Hacking
      3. History of Vulnerability Disclosure
        1. Bug Bounty Programs
      4. Know the Enemy: Black Hat Hacking
        1. Advanced Persistent Threats
        2. Lockheed Martin Cyber Kill Chain
        3. Courses of Action for the Cyber Kill Chain
        4. MITRE ATT&CK Framework
      5. Summary
      6. For Further Reading
      7. References
    2. Chapter 2 Programming Survival Skills
      1. C Programming Language
      2. Basic C Language Constructs
        1. Lab 2-1: Format Strings
        2. Lab 2-2: Loops
        3. Lab 2-3: if/else
      3. Sample Programs
        1. Lab 2-4: hello.c
        2. Lab 2-5: meet.c
      4. Compiling with gcc
        1. Lab 2-6: Compiling meet.c
      5. Computer Memory
      6. Random Access Memory
      7. Endian
      8. Segmentation of Memory
      9. Programs in Memory
      10. Buffers
      11. Strings in Memory
      12. Pointers
      13. Putting the Pieces of Memory Together
        1. Lab 2-7: memory.c
      14. Intel Processors
      15. Registers
      16. Assembly Language Basics
      17. Machine vs. Assembly vs. C
      18. AT&T vs. NASM
      19. Addressing Modes
      20. Assembly File Structure
        1. Lab 2-8: Simple Assembly Program
      21. Debugging with gdb
      22. gdb Basics
        1. Lab 2-9: Debugging
        2. Lab 2-10: Disassembly with gdb
      23. Python Survival Skills
      24. Getting Python
        1. Lab 2-11: Launching Python
        2. Lab 2-12: “Hello, World!” in Python
      25. Python Objects
        1. Lab 2-13: Strings
        2. Lab 2-14: Numbers
        3. Lab 2-15: Lists
        4. Lab 2-16: Dictionaries
        5. Lab 2-17: Files with Python
        6. Lab 2-18: Sockets with Python
      26. Summary
      27. For Further Reading
      28. References
    3. Chapter 3 Linux Exploit Development Tools
      1. Binary, Dynamic Information-Gathering Tools
        1. Lab 3-1: Hello.c
        2. Lab 3-2: ldd
        3. Lab 3-3: objdump
        4. Lab 3-4: strace
        5. Lab 3-5: ltrace
        6. Lab 3-6: checksec
        7. Lab 3-7: libc-database
        8. Lab 3-8: patchelf
        9. Lab 3-9: one_gadget
        10. Lab 3-10: Ropper
      2. Extending gdb with Python
      3. Pwntools CTF Framework and Exploit Development Library
      4. Summary of Features
        1. Lab 3-11: leak-bof.c
      5. HeapME (Heap Made Easy) Heap Analysis and Collaboration Tool
      6. Installing HeapME
        1. Lab 3-12: heapme_demo.c
      7. Summary
      8. For Further Reading
      9. References
    4. Chapter 4 Introduction to Ghidra
      1. Creating Our First Project
      2. Installation and QuickStart
      3. Setting the Project Workspace
      4. Functionality Overview
        1. Lab 4-1: Improving Readability with Annotations
        2. Lab 4-2: Binary Diffing and Patch Analysis
      5. Summary
      6. For Further Reading
      7. References
    5. Chapter 5 IDA Pro
      1. Introduction to IDA Pro for Reverse Engineering
      2. What Is Disassembly?
      3. Navigating IDA Pro
      4. IDA Pro Features and Functionality
      5. Cross-References (Xrefs)
      6. Function Calls
      7. Proximity Browser
      8. Opcodes and Addressing
      9. Shortcuts
      10. Comments
      11. Debugging with IDA Pro
      12. Summary
      13. For Further Reading
      14. References
  9. Part II Ethical Hacking
    1. Chapter 6 Red and Purple Teams
      1. Introduction to Red Teams
      2. Vulnerability Scanning
      3. Validated Vulnerability Scanning
      4. Penetration Testing
      5. Threat Simulation and Emulation
      6. Purple Team
      7. Making Money with Red Teaming
      8. Corporate Red Teaming
      9. Consultant Red Teaming
      10. Purple Team Basics
      11. Purple Team Skills
      12. Purple Team Activities
      13. Summary
      14. For Further Reading
      15. References
    2. Chapter 7 Command and Control (C2)
      1. Command and Control Systems
      2. Metasploit
        1. Lab 7-1: Creating a Shell with Metasploit
      3. PowerShell Empire
      4. Covenant
        1. Lab 7-2: Using Covenant C2
      5. Payload Obfuscation
      6. msfvenom and Obfuscation
        1. Lab 7-3: Obfuscating Payloads with msfvenom
      7. Creating C# Launchers
        1. Lab 7-4: Compiling and Testing C# Launchers
      8. Creating Go Launchers
        1. Lab 7-5: Compiling and Testing Go Launchers
      9. Creating Nim Launchers
        1. Lab 7-6: Compiling and Testing Nim Launchers
      10. Network Evasion
      11. Encryption
      12. Alternate Protocols
      13. C2 Templates
      14. EDR Evasion
      15. Killing EDR Products
      16. Bypassing Hooks
      17. Summary
      18. For Further Reading
    3. Chapter 8 Building a Threat Hunting Lab
      1. Threat Hunting and Labs
      2. Options of Threat Hunting Labs
      3. Method for the Rest of this Chapter
      4. Basic Threat Hunting Lab: DetectionLab
      5. Prerequisites
        1. Lab 8-1: Install the Lab on Your Host
        2. Lab 8-2: Install the Lab in the Cloud
        3. Lab 8-3: Looking Around the Lab
      6. Extending Your Lab
      7. HELK
        1. Lab 8-4: Install HELK
        2. Lab 8-5: Install Winlogbeat
        3. Lab 8-6: Kibana Basics
        4. Lab 8-7: Mordor
      8. Summary
      9. For Further Reading
      10. References
    4. Chapter 9 Introduction to Threat Hunting
      1. Threat Hunting Basics
        1. Types of Threat Hunting
        2. Workflow of a Threat Hunt
      2. Normalizing Data Sources with OSSEM
        1. Data Sources
        2. OSSEM to the Rescue
      3. Data-Driven Hunts Using OSSEM
        1. MITRE ATT&CK Framework Refresher: T1003.002
        2. Lab 9-1: Visualizing Data Sources with OSSEM
        3. Lab 9-2: AtomicRedTeam Attacker Emulation
      4. Exploring Hypothesis-Driven Hunts
        1. Lab 9-3: Hypothesis that Someone Copied a SAM File
        2. Crawl, Walk, Run
      5. Enter Mordor
        1. Lab 9-4: Hypothesis that Someone Other than an Admin Launched PowerShell
      6. Threat Hunter Playbook
        1. Departure from HELK for Now
        2. Spark and Jupyter
        3. Lab 9-5: Automated Playbooks and Sharing of Analytics
      7. Summary
      8. For Further Reading
      9. References
  10. Part III Hacking Systems
    1. Chapter 10 Basic Linux Exploits
      1. Stack Operations and Function-Calling Procedures
      2. Buffer Overflows
        1. Lab 10-1: Overflowing meet.c
      3. Ramifications of Buffer Overflows
      4. Local Buffer Overflow Exploits
        1. Lab 10-2: Components of the Exploit
        2. Lab 10-3: Exploiting Stack Overflows from the Command Line
        3. Lab 10-4: Writing the Exploit with Pwntools
        4. Lab 10-5: Exploiting Small Buffers
      5. Exploit Development Process
        1. Lab 10-6: Building Custom Exploits
      6. Summary
      7. For Further Reading
    2. Chapter 11 Advanced Linux Exploits
      1. Lab 11-1: Vulnerable Program and Environment Setup
      2. Lab 11-2: Bypassing Non-Executable Stack (NX) with Return-Oriented Programming (ROP)
      3. Lab 11-3: Defeating Stack Canaries
      4. Lab 11-4: ASLR Bypass with an Information Leak
      5. Lab 11-5: PIE Bypass with an Information Leak
      6. Summary
      7. For Further Reading
      8. References
    3. Chapter 12 Linux Kernel Exploits
      1. Lab 12-1: Environment Setup and Vulnerable procfs Module
      2. Lab 12-2: ret2usr
      3. Lab 12-3: Defeating Stack Canaries
      4. Lab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI)
      5. Lab 12-5: Bypassing Supervisor Mode Access Prevention (SMAP)
      6. Lab 12-6: Defeating Kernel Address Space Layout Randomization (KASLR)
      7. Summary
      8. For Further Reading
      9. References
    4. Chapter 13 Basic Windows Exploitation
      1. Compiling and Debugging Windows Programs
        1. Lab 13-1: Compiling on Windows
      2. Debugging on Windows with Immunity Debugger
        1. Lab 13-2: Crashing the Program
      3. Writing Windows Exploits
      4. Exploit Development Process Review
        1. Lab 13-3: Exploiting ProSSHD Server
      5. Understanding Structured Exception Handling
      6. Understanding and Bypassing Common Windows Memory Protections
      7. Safe Structured Exception Handling
      8. Bypassing SafeSEH
      9. Data Execution Prevention
      10. Return-Oriented Programming
      11. Gadgets
      12. Building the ROP Chain
      13. Summary
      14. For Further Reading
      15. References
    5. Chapter 14 Windows Kernel Exploitation
      1. The Windows Kernel
      2. Kernel Drivers
      3. Kernel Debugging
        1. Lab 14-1: Setting Up Kernel Debugging
      4. Picking a Target
        1. Lab 14-2: Obtaining the Target Driver
        2. Lab 14-3: Reverse Engineering the Driver
        3. Lab 14-4: Interacting with the Driver
      5. Token Stealing
        1. Lab 14-5: Arbitrary Pointer Read/Write
        2. Lab 14-6: Writing a Kernel Exploit
      6. Summary
      7. For Further Reading
      8. References
    6. Chapter 15 PowerShell Exploitation
      1. Why PowerShell
      2. Living off the Land
      3. PowerShell Logging
      4. PowerShell Portability
      5. Loading PowerShell Scripts
        1. Lab 15-1: The Failure Condition
        2. Lab 15-2: Passing Commands on the Command Line
        3. Lab 15-3: Encoded Commands
        4. Lab 15-4: Bootstrapping via the Web
      6. Exploitation and Post-Exploitation with PowerSploit
        1. Lab 15-5: Setting Up PowerSploit
        2. Lab 15-6: Running Mimikatz Through PowerShell
      7. Using PowerShell Empire for C2
        1. Lab 15-7: Setting Up Empire
        2. Lab 15-8: Staging an Empire C2
        3. Lab 15-9: Using Empire to Own the System
        4. Lab 15-10: Using WinRM to Launch Empire
      8. Summary
      9. For Further Reading
      10. Reference
    7. Chapter 16 Getting Shells Without Exploits
      1. Capturing Password Hashes
      2. Understanding LLMNR and NBNS
      3. Understanding Windows NTLMv1 and NTLMv2 Authentication
      4. Using Responder
        1. Lab 16-1: Getting Passwords with Responder
      5. Using Winexe
        1. Lab 16-2: Using Winexe to Access Remote Systems
        2. Lab 16-3: Using Winexe to Gain Elevated Privileges
      6. Using WMI
        1. Lab 16-4: Querying System Information with WMI
        2. Lab 16-5: Executing Commands with WMI
      7. Taking Advantage of WinRM
        1. Lab 16-6: Executing Commands with WinRM
        2. Lab 16-7: Using Evil-WinRM to Execute Code
      8. Summary
      9. For Further Reading
      10. Reference
    8. Chapter 17 Post-Exploitation in Modern Windows Environments
      1. Post-Exploitation
      2. Host Recon
        1. Lab 17-1: Using whoami to Identify Privileges
        2. Lab 17-2: Using Seatbelt to Find User Information
        3. Lab 17-3: System Recon with PowerShell
        4. Lab 17-4: System Recon with Seatbelt
        5. Lab 17-5: Getting Domain Information with PowerShell
        6. Lab 17-6: Using PowerView for AD Recon
        7. Lab 17-7: Gathering AD Data with SharpHound
      3. Escalation
        1. Lab 17-8: Profiling Systems with winPEAS
        2. Lab 17-9: Using SharpUp to Escalate Privileges
        3. Lab 17-10: Searching for Passwords in User Objects
        4. Lab 17-11: Abusing Kerberos to Gather Credentials
        5. Lab 17-12: Abusing Kerberos to Escalate Privileges
      4. Active Directory Persistence
        1. Lab 17-13: Abusing AdminSDHolder
        2. Lab 17-14: Abusing SIDHistory
      5. Summary
      6. For Further Reading
    9. Chapter 18 Next-Generation Patch Exploitation
      1. Introduction to Binary Diffing
      2. Application Diffing
      3. Patch Diffing
      4. Binary Diffing Tools
      5. BinDiff
      6. turbodiff
        1. Lab 18-1: Our First Diff
      7. Patch Management Process
      8. Microsoft Patch Tuesday
      9. Obtaining and Extracting Microsoft Patches
      10. Summary
      11. For Further Reading
      12. References
  11. Part IV Hacking IoT
    1. Chapter 19 Internet of Things to Be Hacked
      1. Internet of Things (IoT)
      2. Types of Connected Things
      3. Wireless Protocols
      4. Communication Protocols
      5. Security Concerns
      6. Shodan IoT Search Engine
      7. Web Interface
      8. Shodan Command-Line Interface
        1. Lab 19-1: Using the Shodan Command Line
      9. Shodan API
        1. Lab 19-2: Testing the Shodan API
        2. Lab 19-3: Playing with MQTT
      10. Implications of this Unauthenticated Access to MQTT
      11. IoT Worms: It Was a Matter of Time
      12. Prevention
      13. Summary
      14. For Further Reading
      15. References
    2. Chapter 20 Dissecting Embedded Devices
      1. CPU
      2. Microprocessor
      3. Microcontrollers
      4. System on Chip
      5. Common Processor Architectures
      6. Serial Interfaces
      7. UART
      8. SPI
      9. I2C
      10. Debug Interfaces
      11. JTAG
      12. SWD
      13. Software
      14. Bootloader
      15. No Operating System
      16. Real-Time Operating System
      17. General Operating System
      18. Summary
      19. For Further Reading
      20. References
    3. Chapter 21 Exploiting Embedded Devices
      1. Static Analysis of Vulnerabilities in Embedded Devices
        1. Lab 21-1: Analyzing the Update Package
        2. Lab 21-2: Performing Vulnerability Analysis
      2. Dynamic Analysis with Hardware
      3. The Test Environment Setup
      4. Ettercap
      5. Dynamic Analysis with Emulation
      6. FirmAE
        1. Lab 21-3: Setting Up FirmAE
        2. Lab 21-4: Emulating Firmware
        3. Lab 21-5: Exploiting Firmware
      7. Summary
      8. For Further Reading
      9. References
    4. Chapter 22 Software-Defined Radio
      1. Getting Started with SDR
      2. What to Buy
      3. Not So Quick: Know the Rules
      4. Learn by Example
      5. Search
      6. Capture
      7. Replay
      8. Analyze
      9. Preview
      10. Execute
      11. Summary
      12. For Further Reading
  12. Part V Hacking Hypervisors
    1. Chapter 23 Hypervisors
      1. What Is a Hypervisor?
      2. Popek and Goldberg Virtualization Theorems
      3. Goldberg’s Hardware Virtualizer
      4. Type-1 and Type-2 VMMs
      5. x86 Virtualization
      6. Dynamic Binary Translation
      7. Ring Compression
      8. Shadow Paging
      9. Paravirtualization
      10. Hardware Assisted Virtualization
      11. VMX
      12. EPT
      13. Summary
      14. References
    2. Chapter 24 Creating a Research Framework
      1. Hypervisor Attack Surface
      2. The Unikernel
        1. Lab 24-1: Booting and Communication
        2. Lab 24-2: Communication Protocol
      3. Boot Message Implementation
      4. Handling Requests
      5. The Client (Python)
      6. Communication Protocol (Python)
        1. Lab 24-3: Running the Guest (Python)
        2. Lab 24-4: Code Injection (Python)
      7. Fuzzing
      8. The Fuzzer Base Class
        1. Lab 24-5: IO-Ports Fuzzer
        2. Lab 24-6: MSR Fuzzer
        3. Lab 24-7: Exception Handling
      9. Fuzzing Tips and Improvements
      10. Summary
      11. References
    3. Chapter 25 Inside Hyper-V
      1. Environment Setup
      2. Hyper-V Architecture
      3. Hyper-V Components
      4. Virtual Trust Levels
      5. Generation-1 VMs
        1. Lab 25-1: Scanning PCI Devices in a Generation-1 VM
      6. Generation 2 VMs
        1. Lab 25-2: Scanning PCI Devices in a Generation-2 VM
      7. Hyper-V Synthetic Interface
      8. Synthetic MSRs
        1. Lab 25-3: Setting Up the Hypercall Page and Dumping Its Contents
      9. Hypercalls
      10. VMBus
        1. Lab 25-4: Listing VMBus Devices
      11. Summary
      12. For Further Reading
      13. References
    4. Chapter 26 Hacking Hypervisors Case Study
      1. Bug Analysis
      2. USB Basics
        1. Lab 26-1: Patch Analysis Using GitHub API
      3. Developing a Trigger
      4. Setting Up the Target
        1. Lab 26-2: Scanning the PCI Bus
      5. The EHCI Controller
      6. Triggering the Bug
        1. Lab 26-3: Running the Trigger
      7. Exploitation
      8. Relative Write Primitive
      9. Relative Read Primitive
        1. Lab 26-4: Debugging the Relative Read Primitive
      10. Arbitrary Read
      11. Full Address-Space Leak Primitive
      12. Module Base Leak
      13. RET2LIB
        1. Lab 26-5: Finding Function Pointers with GDB
        2. Lab 26-6: Displaying IRQState with GDB
        3. Lab 26-7: Launching the Exploit
      14. Summary
      15. For Further Reading
      16. References
  13. Part VI Hacking the Cloud
    1. Chapter 27 Hacking in Amazon Web Services
      1. Amazon Web Services
      2. Services, Locations, and Infrastructure
      3. How Authorization Works in AWS
      4. Abusing AWS Best Practices
        1. Lab 27-1: Environment Setup
      5. Abusing Authentication Controls
      6. Types of Keys and Key Material
        1. Lab 27-2: Finding AWS Keys
      7. Attacker Tools
        1. Lab 27-3: Enumerating Permissions
        2. Lab 27-4: Leveraging Access to Perform Unauthorized Actions
        3. Lab 27-5: Persistence Through System Internals
      8. Summary
      9. For Further Reading
      10. References
    2. Chapter 28 Hacking in Azure
      1. Microsoft Azure
      2. Differences Between Azure and AWS
        1. Lab 28-1: Setup of Our Labs
        2. Lab 28-2: Additional User Steps
        3. Lab 28-3: Validating Access
      3. Microsoft Azure AD Overview
      4. Azure Permissions
      5. Constructing an Attack on Azure-Hosted Systems
        1. Lab 28-4: Azure AD User Lookups
        2. Lab 28-5: Azure AD Password Spraying
        3. Lab 28-6: Getting onto Azure
      6. Control Plane and Managed Identities
        1. Lab 28-7: System Assigned Identities
        2. Lab 28-8: Getting a Backdoor on a Node
      7. Summary
      8. For Further Reading
      9. References
    3. Chapter 29 Hacking Containers
      1. Linux Containers
      2. Container Internals
      3. Cgroups
        1. Lab 29-1: Setup of our Environment
        2. Lab 29-2: Looking at Cgroups
      4. Namespaces
      5. Storage
        1. Lab 29-3: Container Storage
      6. Applications
      7. What Is Docker?
        1. Lab 29-4: Looking for Docker Daemons
      8. Container Security
        1. Lab 29-5: Interacting with the Docker API
        2. Lab 29-6: Executing Commands Remotely
        3. Lab 29-7: Pivots
      9. Breaking Out of Containers
      10. Capabilities
        1. Lab 29-8: Privileged Pods
        2. Lab 29-9: Abusing Cgroups
      11. Summary
      12. For Further Reading
      13. References
    4. Chapter 30 Hacking on Kubernetes
      1. Kubernetes Architecture
      2. Fingerprinting Kubernetes API Servers
        1. Lab 30-1: Cluster Setup
      3. Finding Kubernetes API Servers
        1. Lab 30-2: Fingerprinting Kubernetes Servers
      4. Hacking Kubernetes from Within
        1. Lab 30-3: Kubestriker
        2. Lab 30-4: Attacking from Within
        3. Lab 30-5: Attacking the API Server
      5. Summary
      6. For Further Reading
      7. References
  14. Index

Product information

  • Title: Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, 6th Edition
  • Author(s): Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom, Huascar Tejeda, Daniel Fernandez, Moses Frost
  • Release date: March 2022
  • Publisher(s): McGraw-Hill
  • ISBN: 9781264268955