Gray hat hacking: The ethical hacker's handbook - Book review

The following is a brief [and biased] review of the pages of Grey Hat Hacking (2nd edition - 2007). In one sentence, I would borrow the book from a library to read it. Alternatively, I would buy it, read it and sell it afterwards. 

Disclaimer: These lines do not substitute the reading of the book. They are meant to provide a global overview of what the reader can find in the book. My kudos to the authors, writing a book is always a big effort. And even a greater effort if the books talks about a changing target as IT security / software analysis. 

The book: Gray hat hacking: The ethical hacker's handbook.
The authors: Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness .
Publication year:  2007 - Second edition.
Publisher: McGraw-Hill.

chapter 1 ethics of ethical hacking
A very generic chapter, useful to read across and set the global scene. If you need to justify work in IT security - well structured and referenced such for example page 10 - the origin of the word hacker and ethical hacker. Clear statements such as security does not like complexity [however, I would add, we live in a complex world].

chapter 2 ethical hacking and the legal system
A summary of US laws related to IT security, for example the US Federal computer crime statutes and some acts like:
18 USC 1029, 18 USC 1030, 18 USC 2510, 18 USC 2701, Digital Milenium Copyright Act and Cyber Security Enhancement Act.

chapter 3 proper and ethical disclosure
A helicopter overview about ethical disclosure. They mention the month of the PHP/Browser bugs, the story of Michael Lynn and CISCO and refer to the CERT/CC vulnerability disclosure process of 45 days. The Organisation for Internet Safety and the Zero Day Initiative (by Tipping Point, owned by 3Com).

chapter 4 metasploit
It is a nice approach to launch and to own a box by learning how to use metasploit. They provide a thorough description of the use of the console and auxiliary modules. They start with a simple example, an unpatched XP Service Pack 1 machine missing the RRAS security update, mentioning first the basic use of basic commands to start with:

show options
set RHOST ipaddress
show payloads
set PAYLOAD payload-name
show options
show targets
set TARGET 1
show auxiliary
use option
show options
sessions -l
sessions -i number

and - second, exploiting client-side (browsers, email apps, media players, client sw in general) vulnerabilities with metasploit

A useful hint, to return to the metasploit console prompt we can use ctrl-z.
I would also highlight a curious comment: they mention that this way you can attack workstations protected by a firewall

I find very interesting the description they provide of meterpreter, a command interpreter to inject payload into the memory of the exploited process.
Meterpreter has core commands, file system commands, networking commands, system commands, user interface commands, making ven possible to migrate from one process to another.

They conclude this chapter with the use of metasploit as a man in the middle password stealer, configuring metasploit as a malicious SMB server. They also touch briefly cain (the password stealing tool) and finally they briefly refer to the link with nmap or nessus with db_autopwn and provide a brief description of what is inside a metasploit module.

chapter 5 - using backtrack
They talk about backtrack2. This chapter shows us how quickly things happen in the security arena. Their point on the usefulness of isorecorder and how to make changes in the distribution and make them persistent is somehow now outdated.

Part 2 of the book is called pen testing and tools - This name is a little bit misleading.

chapter 6 programming survival skills
I took with me: the year 1972, when Dennis Ritchie invented C, that Intel processors are little endian and Motorola are big endian. And some memorty related concepts:

- bss section is the below the stack section - to store global non initialised variables - the size is fixed at runtime
- heap section - to store dynamically allocated variables, it grows from lower addressed memory to higher addressed memory allocation of memory is controlled through malloc() and free() functions
- stack - used to keep track of function calls and grows from higher addressed memory to lower addressed memory - local variables exist in stack section

[ I think there is a typo, a 5 should be an index variable in page 131]

I also read the ATT assembly is normally used in linux and NASM is used by many windows assemblers and debuggers.

The chapter ends with assembly and python. Python objects are data types such as strings, numbers, lists, dictionaries and files dictionaries are similar to lists but their objects are referenced by a key. I like the python part - easy and to the point

chapter 7 basic linux exploits
You can read that a stack is FILO and some points on the importance of address space layout randomisation. I also took with me that perl is interpreted [e.g. perl -e 'print "A" x 600'] and that python is an interpreted object oriented language.

They mention sticky bits and the fact that shell code is actually binary. They keep providing valuable input regarding the memory:

- environment and arguments are stored in an area above the stack
- eip poins to the next instruction to be executed
- in metasploit we can find locations of opcodes with msfelfscan

chapter 8 advanced linux exploits
This chapter shows how to calculate the locations to overwrite the heap with buffer overflow exploits. They show how these techniques require time and effort. They explore the Windows debugger - from page 250 - and some point in OllyDbg on page 255. Important point, OllyDBg only works in userspace. For kernel space, we need to use another debugger like WinDbg. The end briefly mentioning the metasploit opcode database.

chapter 9 shellcode strategies
This is a very verbose and theoretical chapter. They include the use of gdb (debugger) and gcc (compiler) and mention the important role of objdump to get the shellcode.

chapter 10 writing linux shellcode
Interesting tips, the use of nasm -f elf, ld -0 and I think there is a typo on page 231.

chapter 11 basic windows exploits
This chapter states that Linux and Windows are driven by the same assembly language. The Microsoft C/C++ optimizing compiler and linker is touched upon,
cl.exe, together with cdb, ntsd and windbg.

chapter 12 basic passive analysis
The text turns now to present source code audit tools such as ITS4, rats, flowfinder and plint and a decompiler for Java named Jreversepro, stressing the importance of checking all user supplied data.

Code analysis tools mentioned in this chapter are:

- IDA pro as a powerful disassembler
- hex-ray (an IDA pro plug-in) as a decompiler
- binnavi - a graph-based analysis and debugging tool- binary code reverse engineering tool that was built to assist vulnerability researchers who look for vulnerabilities in disassembled code

and some other tools like:
- bugspam (an IDA plugin)
- chevarista (a static analyser)
- bindiff (useful to compare binaries and patched binaries)

chapter 13 advanced static analysis with IDA Pro
This chapter shows us that stripping a binary means removing all symbol information. We can also read that to learn what dynamic libraries an executable depends on, we can use dumpbin in WIndows, ldd in Linux and otool in Mac OS X. Additionally, this chapter also mentions:
- the fast library acquisition for identification and recognition (flair)
- the use of pelf and sigmake
- how to perform a manual load of program headers
- IDA's scripting language, IDC
- IDA plug-ins
- and finally, a brief reference to pro loaders and processor modules

chapter 14 advanced reverse engineering
This chapter starts with a nice statement: stress testing for SW developers is what vulnerability researchers call fuzzing. The tools they propose to use are:
- debuggers like gdb
- code coverage tools like process stalker
- profiling tools
- flow analysis tools
- menory use monitoring tools like valgrind, a memory debugging and profiling system
- and finally, fuzzers like SPIKE

chapter 15 client side browser exploits
This chapter mentions the concept of spear phishing (APT or targeted attacks are now the trendy name). As fuzzing tools, they propose:
- mangleme from
- axfuzz and axenum - to check appearances of install, writeregval, runcmd, gethostname, rebootmachine
- AxMan and Internetexploiter
As a little detail, they use something called the "mark of the web" to make Internet Explorer behave as if we would be browsing external Internet zones.

chapter 16 exploiting Windows access control model for local elevation of privileges
These pages talk about SIDs and Access Tokens, Access Control Entries, SYstem ACLs and discretionary ACL while using some of the not so popular sysinternals tools.

chapter 17 Intelligent fuzzing with Scully
This chapter refers to the importance of protocol analysis in effective fuzzing. For that, they porpose the use of the Sulley fuzzing framework.

chapter 18 from vulnerability to exploit
As the title indicates, this chapter refers to the steps necessary to construct payloads (and the need to find the eip, the instruction pointer).

chapter 19 closing the holes: mitigation
Three concepts are described and discussed in this chapter: patching, binary mutation and third party patching.

chapter 20 collecting malware and initial analysis
They talk about malware and honeypots, the possibilities to avoid VM detection and the usefulness of honeyd and nepenthest. Names of tools proposed in this chapter for malware analysis are PEiD, UPX, strings, regshot, filemon, process explorer, process monitor (they don't mention this one but I do, together with capturebat log viewer), norman sandbox and map (malcode analysis software tool) from idefense.

chapter 21 hacking malware
More content yet on unpacking using PEiD, LordPE, IDA and Olly plugins and additional content on malware analysis.

Happy grey hacking reading!