B R I E F C O N T E N T S
Preface ......................................................................................................................... xi
Acknowledgments ......................................................................................................... xii
0x100
Introduction .......................................................................................................1
0x200
Programming.....................................................................................................5
0x300
Exploitation ...................................................................................................115
0x400
Networking ...................................................................................................195
0x500
Shellcode ......................................................................................................281
0x600
Countermeasures............................................................................................319
0x700
Cryptology ....................................................................................................393
0x800
Conclusion ....................................................................................................451
Index .........................................................................................................................455
C O N T E N T S I N D E T A I L
PREFACE
xi
ACKNOWLEDGMENTS
xii
0x100
INTRODUCTION
1
0x200
PROGRAMMING
5
0x210
What Is Programming? ................................................................................. 6
0x220
Pseudo-code ................................................................................................ 7
0x230
Control Structures ......................................................................................... 8
0x231
If-Then-Else...................................................................................... 8
0x232
While/Until Loops ........................................................................... 9
0x233
For Loops ..................................................................................... 10
0x240
More Fundamental Programming Concepts ................................................... 11
0x241
Variables ..................................................................................... 11
0x242
Arithmetic Operators ..................................................................... 12
0x243
Comparison Operators .................................................................. 14
0x244
Functions...................................................................................... 16
0x250
Getting Your Hands Dirty ............................................................................ 19
0x251
The Bigger Picture ......................................................................... 20
0x252
The x86 Processor......................................................................... 23
0x253
Assembly Language....................................................................... 25
0x260
Back to Basics............................................................................................ 37
0x261
Strings ......................................................................................... 38
0x262
Signed, Unsigned, Long, and Short ................................................. 41
0x263
Pointers........................................................................................ 43
0x264
Format Strings............................................................................... 48
0x265
Typecasting .................................................................................. 51
0x266
Command-Line Arguments .............................................................. 58
0x267
Variable Scoping .......................................................................... 62
0x270
Memory Segmentation ................................................................................ 69
0x271
Memory Segments in C.................................................................. 75
0x272
Using the Heap............................................................................. 77
0x273
Error-Checked malloc()................................................................... 80
0x280
Building on Basics ...................................................................................... 81
0x281
File Access ................................................................................... 81
0x282
File Permissions............................................................................. 87
0x283
User IDs ....................................................................................... 88
0x284
Structs.......................................................................................... 96
0x285
Function Pointers ......................................................................... 100
0x286
Pseudo-random Numbers ............................................................. 101
0x287
A Game of Chance ..................................................................... 102
viii
Contents in Detail
0x300
EXPLOITATION
115
0x310
Generalized Exploit Techniques ................................................................. 118
0x320
Buffer Overflows ...................................................................................... 119
0x321
Stack-Based Buffer Overflow Vulnerabilities .................................... 122
0x330
Experimenting with BASH.......................................................................... 133
0x331
Using the Environment.................................................................. 142
0x340
Overflows in Other Segments .................................................................... 150
0x341
A Basic Heap-Based Overflow ...................................................... 150
0x342
Overflowing Function Pointers....................................................... 156
0x350
Format Strings.......................................................................................... 167
0x351
Format Parameters....................................................................... 167
0x352
The Format String Vulnerability...................................................... 170
0x353
Reading from Arbitrary Memory Addresses .................................... 172
0x354
Writing to Arbitrary Memory Addresses......................................... 173
0x355
Direct Parameter Access............................................................... 180
0x356
Using Short Writes ...................................................................... 182
0x357
Detours with .dtors....................................................................... 184
0x358
Another notesearch Vulnerability ................................................... 189
0x359
Overwriting the Global Offset Table .............................................. 190
0x400
NETWORKING
195
0x410
OSI Model .............................................................................................. 196
0x420
Sockets ................................................................................................... 198
0x421
Socket Functions.......................................................................... 199
0x422
Socket Addresses ........................................................................ 200
0x423
Network Byte Order .................................................................... 202
0x424
Internet Address Conversion ......................................................... 203
0x425
A Simple Server Example ............................................................. 203
0x426
A Web Client Example ................................................................ 207
0x427
A Tinyweb Server........................................................................ 213
0x430
Peeling Back the Lower Layers.................................................................... 217
0x431
Data-Link Layer............................................................................ 218
0x432
Network Layer ............................................................................ 220
0x433
Transport Layer ........................................................................... 221
0x440
Network Sniffing ...................................................................................... 224
0x441
Raw Socket Sniffer....................................................................... 226
0x442
libpcap Sniffer ............................................................................ 228
0x443
Decoding the Layers .................................................................... 230
0x444
Active Sniffing............................................................................. 239
0x450
Denial of Service...................................................................................... 251
0x451
SYN Flooding ............................................................................. 252
0x452
The Ping of Death........................................................................ 256
0x453
Teardrop.................................................................................... 256
0x454
Ping Flooding ............................................................................. 257
0x455
Amplification Attacks ................................................................... 257
0x456
Distributed DoS Flooding.............................................................. 258
0x460
TCP/IP Hijacking...................................................................................... 258
0x461
RST Hijacking ............................................................................. 259
0x462
Continued Hijacking .................................................................... 263
Contents in Detail
ix
0x470
Port Scanning .......................................................................................... 264
0x471
Stealth SYN Scan ........................................................................ 264
0x472
FIN, X-mas, and Null Scans .......................................................... 264
0x473
Spoofing Decoys......................................................................... 265
0x474
Idle Scanning.............................................................................. 265
0x475
Proactive Defense (shroud)............................................................ 267
0x480
Reach Out and Hack Someone .................................................................. 272
0x481
Analysis with GDB....................................................................... 273
0x482
Almost Only Counts with Hand Grenades ...................................... 275
0x483
Port-Binding Shellcode ................................................................. 278
0x500
SHELLCODE
281
0x510
Assembly vs. C ........................................................................................ 282
0x511
Linux System Calls in Assembly ..................................................... 284
0x520
The Path to Shellcode................................................................................ 286
0x521
Assembly Instructions Using the Stack ............................................ 287
0x522
Investigating with GDB................................................................. 289
0x523
Removing Null Bytes .................................................................... 290
0x530
Shell-Spawning Shellcode.......................................................................... 295
0x531
A Matter of Privilege.................................................................... 299
0x532
And Smaller Still.......................................................................... 302
0x540
Port-Binding Shellcode .............................................................................. 303
0x541
Duplicating Standard File Descriptors............................................. 307
0x542
Branching Control Structures......................................................... 309
0x550
Connect-Back Shellcode ............................................................................ 314
0x600
COUNTERMEASURES
319
0x610
Countermeasures That Detect ..................................................................... 320
0x620
System Daemons ...................................................................................... 321
0x621
Crash Course in Signals............................................................... 322
0x622
Tinyweb Daemon ........................................................................ 324
0x630
Tools of the Trade..................................................................................... 328
0x631
tinywebd Exploit Tool................................................................... 329
0x640
Log Files.................................................................................................. 334
0x641
Blend In with the Crowd............................................................... 334
0x650
Overlooking the Obvious .......................................................................... 336
0x651
One Step at a Time ..................................................................... 336
0x652
Putting Things Back Together Again............................................... 340
0x653
Child Laborers ............................................................................ 346
0x660
Advanced Camouflage ............................................................................. 348
0x661
Spoofing the Logged IP Address.................................................... 348
0x662
Logless Exploitation ..................................................................... 352
0x670
The Whole Infrastructure ........................................................................... 354
0x671
Socket Reuse .............................................................................. 355
0x680
Payload Smuggling .................................................................................. 359
0x681
String Encoding .......................................................................... 359
0x682
How to Hide a Sled..................................................................... 362
0x690
Buffer Restrictions ..................................................................................... 363
0x691
Polymorphic Printable ASCII Shellcode........................................... 366
x
Contents in Detail
0x6a0
Hardening Countermeasures...................................................................... 376
0x6b0
Nonexecutable Stack ................................................................................ 376
0x6b1
ret2libc ...................................................................................... 376
0x6b2
Returning into system().................................................................. 377
0x6c0
Randomized Stack Space .......................................................................... 379
0x6c1
Investigations with BASH and GDB ................................................ 380
0x6c2
Bouncing Off linux-gate ................................................................ 384
0x6c3
Applied Knowledge ..................................................................... 388
0x6c4
A First Attempt............................................................................. 388
0x6c5
Playing the Odds......................................................................... 390
0x700
CRYPTOLOGY
393
0x710
Information Theory ................................................................................... 394
0x711
Unconditional Security ................................................................. 394
0x712
One-Time Pads............................................................................ 395
0x713
Quantum Key Distribution............................................................. 395
0x714
Computational Security ................................................................ 396
0x720
Algorithmic Run Time ................................................................................ 397
0x721
Asymptotic Notation .................................................................... 398
0x730
Symmetric Encryption................................................................................ 398
0x731
Lov Grover’s Quantum Search Algorithm........................................ 399
0x740
Asymmetric Encryption.............................................................................. 400
0x741
RSA ........................................................................................... 400
0x742
Peter Shor’s Quantum Factoring Algorithm ..................................... 404
0x750
Hybrid Ciphers ........................................................................................ 406
0x751
Man-in-the-Middle Attacks ............................................................ 406
0x752
Differing SSH Protocol Host Fingerprints......................................... 410
0x753
Fuzzy Fingerprints ....................................................................... 413
0x760
Password Cracking................................................................................... 418
0x761
Dictionary Attacks ....................................................................... 419
0x762
Exhaustive Brute-Force Attacks....................................................... 422
0x763
Hash Lookup Table ...................................................................... 423
0x764
Password Probability Matrix ......................................................... 424
0x770
Wireless 802.11b Encryption.................................................................... 433
0x771
Wired Equivalent Privacy ............................................................. 434
0x772
RC4 Stream Cipher ..................................................................... 435
0x780
WEP Attacks............................................................................................ 436
0x781
Offline Brute-Force Attacks............................................................ 436
0x782
Keystream Reuse ......................................................................... 437
0x783
IV-Based Decryption Dictionary Tables ........................................... 438
0x784
IP Redirection.............................................................................. 438
0x785
Fluhrer, Mantin, and Shamir Attack ............................................... 439
0x800
CONCLUSION
451
0x810
References............................................................................................... 452
0x820
Sources................................................................................................... 454
INDEX
455