Gray Hat Hacking: The Ethical Hacker’s Handbook, Third Edition, by Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams (ISBN 978-0-07-174256-6 / 0-07-174256-5)

www.it-ebooks.info
Gray Hat Hacking, Third Edition Reviews

“Bigger, better, and more thorough, the Gray Hat Hacking series is one that I’ve enjoyed
from the start. Always right on time information, always written by experts. The Third
Edition is a must-have update for new and continuing security experts.”
—Jared D. DeMott
Principal Security Researcher, Crucial Security, Inc.

“This book is a great reference for penetration testers and researchers who want to step up
and broaden their skills in a wide range of IT security disciplines.”
—Peter Van Eeckhoutte (corelanc0d3r)
Founder, Corelan Team

“I am often asked by people how to get started in the InfoSec world, and I point people
to this book. In fact, if someone is an expert in one arena and needs a leg up in another,
I still point them to this book. This is one book that should be in every security
professional’s library—the coverage is that good.”
—Simple Nomad
Hacker

“The Third Edition of Gray Hat Hacking builds upon a well-established foundation to
bring even deeper insight into the tools and techniques in an ethical hacker’s arsenal.
From software exploitation to SCADA attacks, this book covers it all. Gray Hat Hacking
is without doubt the definitive guide to the art of computer security published in this
decade.”
—Alexander Sotirov
Security Rockstar and Founder of the Pwnie Awards

“Gray Hat Hacking is an excellent ‘Hack-by-example’ book. It should be read by anyone
who wants to master security topics, from physical intrusions to Windows memory
protections.”
—Dr. Martin Vuagnoux
Cryptographer/Computer security expert

“Gray Hat Hacking is a must-read if you’re serious about INFOSEC. It provides a much-
needed map of the hacker’s digital landscape. If you’re curious about hacking or are
pursuing a career in INFOSEC, this is the place to start.”
—Johnny Long
Professional Hacker, Founder of Hackers for Charity.org

Gray Hat Hacking: The Ethical Hacker’s Handbook, Third Edition

Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams

New York • Chicago • San Francisco • Lisbon • London • Madrid • Mexico City • Milan • New Delhi • San Juan • Seoul • Singapore • Sydney • Toronto

Copyright © 2011 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of
1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher.

ISBN: 978-0-07-174256-6

MHID: 0-07-174256-5

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174255-9,
MHID: 0-07-174255-7.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the
trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. To contact a representative please e-mail us at [email protected].

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of
any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the
work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve
one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon,
transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use
the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may
be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not
warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or
error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of
cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed
through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the
possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises
in contract, tort or otherwise.

N2NetSecurity

Swimming with the Sharks? Get Peace of Mind.

Are your information assets secure? Are you sure? N2NetSecurity's Information Security and Compliance Services give you the peace of mind of knowing that you have the best of the best in information security on your side. Our deep technical knowledge ensures that our solutions are innovative and efficient, and our extensive experience will help you avoid common and costly mistakes.

N2NetSecurity provides information security services to government and private industry. We are a certified Payment Card Industry Qualified Security Assessor (PCI QSA). Our talented team includes Black Hat instructors, received a 2010 Department of Defense CIO Award, and has coauthored seven leading IT books, including Gray Hat Hacking: The Ethical Hacker's Handbook and Security Information Event Management Implementation. Contact us for a free gap assessment and see how we can help you get peace of mind.

Get Back to Normal, Back to Business!

N2NetSecurity, Inc.
www.n2netsec.com [email protected] 800.456.0058

Stop Hackers in Their Tracks

Also from McGraw-Hill:

• Hacking Exposed, 6th Edition
• Hacking Exposed Malware & Rootkits
• Hacking Exposed Computer Forensics, 2nd Edition
• 24 Deadly Sins of Software Security
• Hacking Exposed Wireless, 2nd Edition
• Hacking Exposed Web Applications, 3rd Edition
• Hacking Exposed Windows, 3rd Edition
• Hacking Exposed Linux, 3rd Edition
• Hacking Exposed Web 2.0
• IT Auditing, 2nd Edition
• IT Security Metrics
• Gray Hat Hacking, 3rd Edition

Available in print and ebook formats

Follow us on Twitter @MHComputing
Boost Your Security Skills (and Salary) with Expert Training for CISSP Certification

The Shon Harris CISSP® Solution is the perfect self-study training package not only for the CISSP® candidate or those renewing certification, but for any security pro who wants to increase their security knowledge and earning potential. Take advantage of this comprehensive multimedia package that lets you learn at your own pace and in your own home or office. This definitive set includes:

• DVD set of computer-based training, over 34 hours of instruction on the Common Body of Knowledge, the 10 domains required for certification.
• CISSP® All-in-One, 5th Edition, the 1193-page best-selling book by Shon Harris.
• 2,200+ page CISSP® Student Workbook developed by Shon Harris.
• Multiple hours of Shon Harris' lectures explaining the concepts in the CISSP® Student Workbook in MP3 format.
• Bonus MP3 files with extensive review sessions for each domain.
• Over 1,600 CISSP® review questions to test your knowledge.
• 300+ question final practice exam.
• And more!

In-class instruction at your home. Complex concepts fully explained. Everything you need to pass the CISSP® exam.

Learn from the best! Leading independent authority and recognized CISSP® training guru, Shon Harris, CISSP®, MCSE, delivers this definitive certification program packaged together and available for the first time.

Order today! Complete info at http://logicalsecurity.com/cissp

CISSP is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as (ISC)². No endorsement by, affiliation or association with (ISC)² is implied.

To my brothers and sisters in Christ, keep running the race. Let your light shine for Him,
that others may be drawn to Him through you. —Allen Harper

To my loving and supporting husband, David Harris, who has continual
patience with me as I take on all of these crazy projects! —Shon Harris

To Jessica, the most amazing and beautiful person I know. —Jonathan Ness

For my train-loving son Aaron, you bring us constant joy! —Chris Eagle

To Vincent Freeman, although I did not know you long, life has blessed us
with a few minutes to talk and laugh together. —Terron Williams

ABOUT THE AUTHORS

Allen Harper, CISSP, PCI QSA, is the president and owner of N2NetSecurity, Inc. in North Carolina. He retired from the Marine Corps after 20 years and a tour in Iraq. Additionally, he has served as a security analyst for the U.S. Department of the Treasury, Internal Revenue Service, and Computer Security Incident Response Center (IRS CSIRC). He regularly speaks and teaches at conferences such as Black Hat and Techno.

Shon Harris, CISSP, is the president of Logical Security, an author, educator, and security consultant. She is a former engineer of the U.S. Air Force Information Warfare unit and has published several books and articles on different disciplines within information security. Shon was also recognized as one of the top 25 women in information security by Information Security Magazine.

Jonathan Ness, CHFI, is a lead software security engineer in Microsoft’s Security Response Center (MSRC). He and his coworkers ensure that Microsoft’s security updates comprehensively address reported vulnerabilities. He also leads the technical response of Microsoft’s incident response process that is engaged to address publicly disclosed vulnerabilities and exploits targeting Microsoft software. He serves one weekend each month as a security engineer in a reserve military unit.

Chris Eagle is a senior lecturer in the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, California. A computer engineer/scientist for 25 years, his research interests include computer network attack and defense, computer forensics, and reverse/anti-reverse engineering. He can often be found teaching at Black Hat or spending late nights working on capture the flag at Defcon.

Gideon Lenkey, CISSP, is the president and co-founder of Ra Security Systems, Inc., a New Jersey–based managed services company, where he specializes in testing the information security posture of enterprise IT infrastructures. He has provided advanced training to the FBI and served as the president of the FBI’s InfraGard program in New Jersey. He has been recognized on multiple occasions by FBI director Robert Mueller for his contributions and is frequently consulted by both foreign and domestic government agencies. Gideon is a regular contributor to the Internet Evolution website and a participant in the EastWest Institute’s Cybersecurity initiative.

Terron Williams, NSA IAM-IEM, CEH, CSSLP, works for Elster Electricity as a Senior Test Engineer, with a primary focus on smart grid security. He formerly worked at Nortel as a Security Test Engineer and VoIP System Integration Engineer. Terron has served on the editorial board for Hakin9 IT Security Magazine and has authored articles for it. His interests are in VoIP, exploit research, SCADA security, and emerging smart grid technologies.

Disclaimer: The views expressed in this book are those of the authors and not of the U.S. government or the Microsoft Corporation.

About the Technical Editor
Michael Baucom is the Vice President of Research and Development at N2NetSecurity,
Inc., in North Carolina. He has been a software engineer for 15 years and has worked
on a wide variety of software, from router forwarding code in assembly to Windows
applications and services. In addition to writing software, he has worked as a security
consultant performing training, source code audits, and penetration tests.

CONTENTS AT A GLANCE

Part I Introduction to Ethical Disclosure
  Chapter 1 Ethics of Ethical Hacking
  Chapter 2 Ethical Hacking and the Legal System
  Chapter 3 Proper and Ethical Disclosure

Part II Penetration Testing and Tools
  Chapter 4 Social Engineering Attacks
  Chapter 5 Physical Penetration Attacks
  Chapter 6 Insider Attacks
  Chapter 7 Using the BackTrack Linux Distribution
  Chapter 8 Using Metasploit
  Chapter 9 Managing a Penetration Test

Part III Exploiting
  Chapter 10 Programming Survival Skills
  Chapter 11 Basic Linux Exploits
  Chapter 12 Advanced Linux Exploits
  Chapter 13 Shellcode Strategies
  Chapter 14 Writing Linux Shellcode
  Chapter 15 Windows Exploits
  Chapter 16 Understanding and Detecting Content-Type Attacks
  Chapter 17 Web Application Security Vulnerabilities
  Chapter 18 VoIP Attacks
  Chapter 19 SCADA Attacks

Part IV Vulnerability Analysis
  Chapter 20 Passive Analysis
  Chapter 21 Advanced Static Analysis with IDA Pro
  Chapter 22 Advanced Reverse Engineering
  Chapter 23 Client-Side Browser Exploits
  Chapter 24 Exploiting the Windows Access Control Model
  Chapter 25 Intelligent Fuzzing with Sulley
  Chapter 26 From Vulnerability to Exploit
  Chapter 27 Closing the Holes: Mitigation

Part V Malware Analysis
  Chapter 28 Collecting Malware and Initial Analysis
  Chapter 29 Hacking Malware

Index

CONTENTS
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii

Part I Introduction to Ethical Disclosure ..................... 1


Chapter 1 Ethics of Ethical Hacking ................................. 3
Why You Need to Understand Your Enemy’s Tactics . . . . . . . . . . . . . . . 3
Recognizing the Gray Areas in Security . . . . . . . . . . . . . . . . . . . . . . . . . 8
How Does This Stuff Relate to an Ethical Hacking Book? . . . . . . . . . . 10
Vulnerability Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
The Controversy of Hacking Books and Classes . . . . . . . . . . . . . . . . . . 15
The Dual Nature of Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Recognizing Trouble When It Happens . . . . . . . . . . . . . . . . . . . . 18
Emulating the Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Where Do Attackers Have Most of Their Fun? . . . . . . . . . . . . . . . . . . . . 19
Security Does Not Like Complexity . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 2 Ethical Hacking and the Legal System ....................... 23


The Rise of Cyberlaw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Understanding Individual Cyberlaws . . . . . . . . . . . . . . . . . . . . . . . . . . 25
18 USC Section 1029: The Access Device Statute . . . . . . . . . . . . 25
18 USC Section 1030 of the Computer Fraud and Abuse Act . . 29
18 USC Sections 2510, et. Seq., and 2701, et. Seq., of the
Electronic Communication Privacy Act . . . . . . . . . . . . . . . . . 38
Digital Millennium Copyright Act (DMCA) . . . . . . . . . . . . . . . . 42
Cyber Security Enhancement Act of 2002 . . . . . . . . . . . . . . . . . . 45
Securely Protect Yourself Against Cyber Trespass Act (SPY Act) . . . 46

Chapter 3 Proper and Ethical Disclosure ............................. 47


Different Teams and Points of View . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
How Did We Get Here? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
CERT’s Current Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Full Disclosure Policy—the RainForest Puppy Policy . . . . . . . . . . . . . . 52
Organization for Internet Safety (OIS) . . . . . . . . . . . . . . . . . . . . . . . . . 54
Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Release . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Conflicts Will Still Exist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
“No More Free Bugs” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
x

www.it-ebooks.info
Contents

xi
Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Pros and Cons of Proper Disclosure Processes . . . . . . . . . . . . . . 67
Vendors Paying More Attention . . . . . . . . . . . . . . . . . . . . . . . . . . 71
So What Should We Do from Here on Out? . . . . . . . . . . . . . . . . . . . . . 72
iDefense and ZDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Part II Penetration Testing and Tools ......................... 75


Chapter 4 Social Engineering Attacks ................................ 77
How a Social Engineering Attack Works . . . . . . . . . . . . . . . . . . . . . . . . 77
Conducting a Social Engineering Attack . . . . . . . . . . . . . . . . . . . . . . . . 79
Common Attacks Used in Penetration Testing . . . . . . . . . . . . . . . . . . . 81
The Good Samaritan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
The Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Join the Company . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Preparing Yourself for Face-to-Face Attacks . . . . . . . . . . . . . . . . . . . . . . 89
Defending Against Social Engineering Attacks . . . . . . . . . . . . . . . . . . . 91

Chapter 5 Physical Penetration Attacks .............................. 93


Why a Physical Penetration Is Important . . . . . . . . . . . . . . . . . . . . . . . . 94
Conducting a Physical Penetration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Reconnaissance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Mental Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Common Ways into a Building . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
The Smokers’ Door . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Manned Checkpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Locked Doors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Physically Defeating Locks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Once You Are Inside . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Defending Against Physical Penetrations . . . . . . . . . . . . . . . . . . . . . . . . 108

Chapter 6 Insider Attacks ......................................... 109


Why Simulating an Insider Attack Is Important . . . . . . . . . . . . . . . . . . 109
Conducting an Insider Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Tools and Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Orientation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Gaining Local Administrator Privileges . . . . . . . . . . . . . . . . . . . . 111
Disabling Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Raising Cain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Defending Against Insider Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Chapter 7 Using the BackTrack Linux Distribution ..................... 125


BackTrack: The Big Picture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Installing BackTrack to DVD or USB Thumb Drive . . . . . . . . . . . . . . . . 126
Using the BackTrack ISO Directly Within a Virtual Machine . . . . . . . . 128
Creating a BackTrack Virtual Machine with VirtualBox . . . . . . . 128
Booting the BackTrack LiveDVD System . . . . . . . . . . . . . . . . . . . 129
Exploring the BackTrack X Windows Environment . . . . . . . . . . 130

www.it-ebooks.info
Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition

xii
Starting Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Persisting Changes to Your BackTrack Installation . . . . . . . . . . . . . . . . 131
Installing Full BackTrack to Hard Drive or USB Thumb Drive . . . 131
Creating a New ISO with Your One-time Changes . . . . . . . . . . . 134
Using a Custom File that Automatically Saves and
Restores Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Exploring the BackTrack Boot Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Updating BackTrack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Chapter 8 Using Metasploit ....................................... 141


Metasploit: The Big Picture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Getting Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Using the Metasploit Console to Launch Exploits . . . . . . . . . . . . . . . . 142
Exploiting Client-Side Vulnerabilities with Metasploit . . . . . . . . . . . . . 147
Penetration Testing with Metasploit’s Meterpreter . . . . . . . . . . . . . . . . 149
Automating and Scripting Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Going Further with Metasploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Chapter 9 Managing a Penetration Test .............................. 157


Planning a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Types of Penetration Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Scope of a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Locations of the Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . 158
Organization of the Penetration Testing Team . . . . . . . . . . . . . . 158
Methodologies and Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Phases of the Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Testing Plan for a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . 161
Structuring a Penetration Testing Agreement . . . . . . . . . . . . . . . . . . . . . 161
Statement of Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Get-Out-of-Jail-Free Letter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Execution of a Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Kickoff Meeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Access During the Penetration Test . . . . . . . . . . . . . . . . . . . . . . . 163
Managing Expectations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Managing Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Steady Is Fast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
External and Internal Coordination . . . . . . . . . . . . . . . . . . . . . . . 164
Information Sharing During a Penetration Test . . . . . . . . . . . . . . . . . . 164
Dradis Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Reporting the Results of a Penetration Test . . . . . . . . . . . . . . . . . . . . . . 168
Format of the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Out Brief of the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Part III Exploiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171


Chapter 10 Programming Survival Skills ............................... 173
C Programming Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Basic C Language Constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Contents

xiii
Sample Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Compiling with gcc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Computer Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Random Access Memory (RAM) . . . . . . . . . . . . . . . . . . . . . . . . . 180
Endian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Segmentation of Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Programs in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Strings in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Pointers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Putting the Pieces of Memory Together . . . . . . . . . . . . . . . . . . . . 183
Intel Processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Registers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Assembly Language Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Machine vs. Assembly vs. C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
AT&T vs. NASM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Addressing Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Assembly File Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Assembling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Debugging with gdb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
gdb Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Disassembly with gdb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Python Survival Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Getting Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Hello World in Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Python Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Dictionaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Files with Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Sockets with Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Chapter 11 Basic Linux Exploits ..................................... 201


Stack Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Function Calling Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Overflow of meet.c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Ramifications of Buffer Overflows . . . . . . . . . . . . . . . . . . . . . . . . 208
Local Buffer Overflow Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Components of the Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Exploiting Stack Overflows from the Command Line . . . . . . . . 211
Exploiting Stack Overflows with Generic Exploit Code . . . . . . . 213
Exploiting Small Buffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Exploit Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Control eip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Determine the Offset(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition

xiv
Determine the Attack Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Build the Exploit Sandwich . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Test the Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Chapter 12 Advanced Linux Exploits ................................. 225


Format String Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
The Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Reading from Arbitrary Memory . . . . . . . . . . . . . . . . . . . . . . . . . 229
Writing to Arbitrary Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Taking .dtors to root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Memory Protection Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Compiler Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Kernel Patches and Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Return to libc Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Bottom Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Chapter 13 Shellcode Strategies ..................................... 251


User Space Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
System Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Basic Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Port Binding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Reverse Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Find Socket Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Command Execution Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
File Transfer Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Multistage Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
System Call Proxy Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Process Injection Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Other Shellcode Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Shellcode Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Self-Corrupting Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Disassembling Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Kernel Space Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Kernel Space Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Chapter 14 Writing Linux Shellcode ................................. 267


Basic Linux Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
System Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
System Calls by C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
System Calls by Assembly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Exit System Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
setreuid System Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Shell-Spawning Shellcode with execve . . . . . . . . . . . . . . . . . . . . 272
Implementing Port-Binding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . 276
Linux Socket Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Assembly Program to Establish a Socket . . . . . . . . . . . . . . . . . . . 279
Test the Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Implementing Reverse Connecting Shellcode . . . . . . . . . . . . . . . . . . . . 284
Reverse Connecting C Program . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Reverse Connecting Assembly Program . . . . . . . . . . . . . . . . . . . . 285
Encoding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Simple XOR Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Structure of Encoded Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . 288
JMP/CALL XOR Decoder Example . . . . . . . . . . . . . . . . . . . . . . . . 288
FNSTENV XOR Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Putting the Code Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Automating Shellcode Generation with Metasploit . . . . . . . . . . . . . . . 294
Generating Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . . 294
Encoding Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . . . 295

Chapter 15 Windows Exploits ...................................... 297


Compiling and Debugging Windows Programs . . . . . . . . . . . . . . . . . . 297
Compiling on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Debugging on Windows with OllyDbg . . . . . . . . . . . . . . . . . . . . 299
Writing Windows Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Exploit Development Process Review . . . . . . . . . . . . . . . . . . . . . 305
ProSSHD Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Control eip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Determine the Offset(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Determine the Attack Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Build the Exploit Sandwich . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Debug the Exploit if Needed . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Understanding Structured Exception Handling (SEH) . . . . . . . . . . . . . 316
Implementation of SEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Understanding Windows Memory Protections (XP SP3, Vista, 7, and Server 2008) . . . . . . . . . . . . . . . . . . . 318
Stack-Based Buffer Overrun Detection (/GS) . . . . . . . . . . . . . . . 318
Safe Structured Exception Handling (SafeSEH) . . . . . . . . . . . . . 320
SEH Overwrite Protection (SEHOP) . . . . . . . . . . . . . . . . . . . . . . 320
Heap Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Data Execution Prevention (DEP) . . . . . . . . . . . . . . . . . . . . . . . . 321
Address Space Layout Randomization (ASLR) . . . . . . . . . . . . . . 321
Bypassing Windows Memory Protections . . . . . . . . . . . . . . . . . . . . . . . 322
Bypassing /GS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Bypassing SafeSEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Bypassing ASLR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Bypassing DEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Bypassing SEHOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Summary of Memory Bypass Methods . . . . . . . . . . . . . . . . . . . . 338

Chapter 16 Understanding and Detecting Content-Type Attacks ........... 341


How Do Content-Type Attacks Work? . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Which File Formats Are Being Exploited Today? . . . . . . . . . . . . . . . . . . 343
Intro to the PDF File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

Analyzing a Malicious PDF Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Implementing Safeguards in Your Analysis Environment . . . . . 350
Tools to Detect Malicious PDF Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
PDFiD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
pdf-parser.py . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Tools to Test Your Protections Against Content-type Attacks . . . . . . . . 358
How to Protect Your Environment from Content-type Attacks . . . . . . 359
Apply All Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Disable JavaScript in Adobe Reader . . . . . . . . . . . . . . . . . . . . . . . 359
Enable DEP for Microsoft Office Application and Adobe Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360

Chapter 17 Web Application Security Vulnerabilities ..................... 361


Overview of Top Web Application Security Vulnerabilities . . . . . . . . . 361
Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Cross-Site Scripting Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . 362
The Rest of the OWASP Top Ten . . . . . . . . . . . . . . . . . . . . . . . . . . 362
SQL Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
SQL Databases and Statements . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Testing Web Applications to Find SQL Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Cross-Site Scripting Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Explaining “Scripting” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Explaining Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . 374

Chapter 18 VoIP Attacks ........................................... 379


What Is VoIP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Protocols Used by VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Megaco H.248 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
H.323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
TLS and DTLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
SRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
ZRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Types of VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
SIP Password Cracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Eavesdropping/Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
How to Protect Against VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Chapter 19 SCADA Attacks ........................................ 395


What Is SCADA? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Which Protocols Does SCADA Use? . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
OPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
ICCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Modbus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
DNP3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

SCADA Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
SCADA Fuzzing with Autodafé . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
SCADA Fuzzing with TFTP Daemon Fuzzer . . . . . . . . . . . . . . . . 405
Stuxnet Malware (The New Wave in Cyberterrorism) . . . . . . . . . . . . . . 408
How to Protect Against SCADA Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 408

Part IV Vulnerability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411


Chapter 20 Passive Analysis ........................................ 413
Ethical Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Why Bother with Reverse Engineering? . . . . . . . . . . . . . . . . . . . . . . . . . 414
Reverse Engineering Considerations . . . . . . . . . . . . . . . . . . . . . . 415
Source Code Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Source Code Auditing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
The Utility of Source Code Auditing Tools . . . . . . . . . . . . . . . . . 418
Manual Source Code Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Automated Source Code Analysis . . . . . . . . . . . . . . . . . . . . . . . . 425
Binary Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Manual Auditing of Binary Code . . . . . . . . . . . . . . . . . . . . . . . . . 427
Automated Binary Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . 441

Chapter 21 Advanced Static Analysis with IDA Pro ...................... 445


Static Analysis Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Stripped Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Statically Linked Programs and FLAIR . . . . . . . . . . . . . . . . . . . . . 448
Data Structure Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Quirks of Compiled C++ Code . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Extending IDA Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Scripting with IDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
IDA Pro Plug-In Modules and the IDA Pro SDK . . . . . . . . . . . . . 464
Building IDA Pro Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
IDA Pro Loaders and Processor Modules . . . . . . . . . . . . . . . . . . 468

Chapter 22 Advanced Reverse Engineering ............................ 471


Why Try to Break Software? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Overview of the Software Development Process . . . . . . . . . . . . . . . . . . 472
Instrumentation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Code Coverage Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Profiling Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Flow Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Memory Use Monitoring Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Instrumented Fuzzing Tools and Techniques . . . . . . . . . . . . . . . . . . . . 484
A Simple URL Fuzzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Fuzzing Unknown Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
SPIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

SPIKE Static Content Primitives . . . . . . . . . . . . . . . . . . . . . . . . . . 489
SPIKE Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Sharefuzz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Chapter 23 Client-Side Browser Exploits .............................. 495


Why Client-Side Vulnerabilities Are Interesting . . . . . . . . . . . . . . . . . . 495
Client-Side Vulnerabilities Bypass Firewall Protections . . . . . . . 495
Client-Side Applications Are Often Running with Administrative Privileges . . . . . . . . . . . . . . . . . . . . 496
Client-Side Vulnerabilities Can Easily Target Specific People or Organizations . . . . . . . . . . . . . . . . . . 496
Internet Explorer Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Internet Explorer Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . 498
History of Client-Side Exploits and Latest Trends . . . . . . . . . . . . . . . . . 499
Client-Side Vulnerabilities Rise to Prominence . . . . . . . . . . . . . 499
Notable Vulnerabilities in the History of Client-Side Attacks . . 500
Finding New Browser-Based Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 506
mangleme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Mozilla Security Team Fuzzers . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
AxEnum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
AxFuzz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
AxMan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Heap Spray to Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
InternetExploiter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Protecting Yourself from Client-Side Exploits . . . . . . . . . . . . . . . . . . . . 522
Keep Up-to-Date on Security Patches . . . . . . . . . . . . . . . . . . . . . 522
Stay Informed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Run Internet-Facing Applications with Reduced Privileges . . . . 522

Chapter 24 Exploiting the Windows Access Control Model ............... 525


Why Access Control Is Interesting to a Hacker . . . . . . . . . . . . . . . . . . . 525
Most People Don’t Understand Access Control . . . . . . . . . . . . . 525
Vulnerabilities You Find Are Easy to Exploit . . . . . . . . . . . . . . . . 526
You’ll Find Tons of Security Vulnerabilities . . . . . . . . . . . . . . . . . 526
How Windows Access Control Works . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Security Identifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Access Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Security Descriptor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
The Access Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Tools for Analyzing Access Control Configurations . . . . . . . . . . . . . . . 538
Dumping the Process Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Dumping the Security Descriptor . . . . . . . . . . . . . . . . . . . . . . . . 541
Special SIDs, Special Access, and “Access Denied” . . . . . . . . . . . . . . . . 543
Special SIDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Special Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Investigating “Access Denied” . . . . . . . . . . . . . . . . . . . . . . . . . . . 545

Analyzing Access Control for Elevation of Privilege . . . . . . . . . . . . . . . 553
Attack Patterns for Each Interesting Object Type . . . . . . . . . . . . . . . . . . 554
Attacking Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Attacking Weak DACLs in the Windows Registry . . . . . . . . . . . . 560
Attacking Weak Directory DACLs . . . . . . . . . . . . . . . . . . . . . . . . . 564
Attacking Weak File DACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
What Other Object Types Are Out There? . . . . . . . . . . . . . . . . . . . . . . . 573
Enumerating Shared Memory Sections . . . . . . . . . . . . . . . . . . . . 573
Enumerating Named Pipes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Enumerating Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Enumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, Devices) . . . . . . . . . . . . . . . . 576

Chapter 25 Intelligent Fuzzing with Sulley ............................. 579


Protocol Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Sulley Fuzzing Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Installing Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Powerful Fuzzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
Monitoring the Process for Faults . . . . . . . . . . . . . . . . . . . . . . . . 588
Monitoring the Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Controlling VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
Postmortem Analysis of Crashes . . . . . . . . . . . . . . . . . . . . . . . . . 592
Analysis of Network Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Exploring Further . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594

Chapter 26 From Vulnerability to Exploit .............................. 595


Exploitability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Debugging for Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Initial Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Understanding the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Preconditions and Postconditions . . . . . . . . . . . . . . . . . . . . . . . . 602
Repeatability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Payload Construction Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Payload Protocol Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Buffer Orientation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Self-Destructive Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Documenting the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Background Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Circumstances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Research Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

Chapter 27 Closing the Holes: Mitigation .............................. 617


Mitigation Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Port Knocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618

Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Source Code Patching Considerations . . . . . . . . . . . . . . . . . . . . . 620
Binary Patching Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Binary Mutation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Third-Party Patching Initiatives . . . . . . . . . . . . . . . . . . . . . . . . . . 631

Part V Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633


Chapter 28 Collecting Malware and Initial Analysis ...................... 635
Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Types of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Malware Defensive Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . 636
Latest Trends in Honeynet Technology . . . . . . . . . . . . . . . . . . . . . . . . . 637
Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Honeynets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Why Honeypots Are Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Limitations of Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Low-Interaction Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
High-Interaction Honeypots . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Types of Honeynets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Thwarting VMware Detection Technologies . . . . . . . . . . . . . . . . 642
Catching Malware: Setting the Trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
VMware Host Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
VMware Guest Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Using Nepenthes to Catch a Fly . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Initial Analysis of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Live Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Norman SandBox Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . 653

Chapter 29 Hacking Malware ....................................... 657


Trends in Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Embedded Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Use of Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
User Space Hiding Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
Use of Rootkit Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Persistence Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
De-obfuscating Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Packer Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Unpacking Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Reverse-Engineering Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Malware Setup Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Malware Operation Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Automated Malware Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673

PREFACE

This book has been developed by and for security professionals who are dedicated to
working in an ethical and responsible manner to improve the overall security posture
of individuals, corporations, and nations.


ACKNOWLEDGMENTS

Each of the authors would like to thank the editors at McGraw-Hill. In particular, we
would like to thank Joya Anthony. You really kept us on track and helped us through
the process. Your dedication to this project was truly noteworthy. Thanks.
Allen Harper would like to thank his wonderful wife, Corann, and daughters,
Haley and Madison, for their support and understanding through this third edition. It
is wonderful to see our family grow stronger in Christ. I love you each dearly. In addition,
Allen would like to thank the members of his Church for their love and support.
In particular, Rob Martin and Ronnie Jones have been true brothers in the Lord and
great friends. Also, Allen would like to thank other hackers who provided assistance
through the process: Alex Sotirov, Mark Dowd, Alexey Sintsov, Shuichiro Suzuki, Peter
Van Eeckhoutte, Stéfan Le Berre, and Damien Cauquil.
Shon Harris would like to thank the other authors and the team members for their
continued dedication to this project and continual contributions to the industry as a
whole. Shon would also like to thank the crazy Fairbairn sisters—Kathy Conlon, Diane
Marshall, and Kristy Gorenz for their lifelong support of Shon and her efforts.
Jonathan Ness would like to thank Jessica, his amazing wife, for tolerating the long
hours required for him to write this book (and hold his job, and his second job, and
third “job,” and all the side projects). Thanks also to Didier Stevens for the generous
help with Chapter 16 (and for providing the free PDF analysis tools at
http://blog.didierstevens.com/programs/pdf-tools). Big thanks also to Terry McCorkle for his
expert guidance and advice, which led to the current Chapter 17—you’re a life-saver,
Terry! Finally, Jonathan would like to thank the mentors, teachers, coworkers, pastors,
family, and friends who have guided him along his way, contributing more to his success
than they’ll ever know.
Chris Eagle would like to acknowledge all of the core members of the DDTEK
crew. The hard work they put in and the skills they bring to the table never cease to
amaze him.
Gideon Lenkey would like to thank his loving and supportive family and friends
who patiently tolerate his eccentric pursuits. He’d also like to thank all of the special
agents of the FBI, present and retired, who have kept boredom from his door!
Terron Williams would like to thank his lovely wife, Mekka, and his stepson, Christian
Morris. The two of you are the center of my life, and I appreciate each and every second
that we share together. God is truly good all of the time. In addition, Terron would like
to thank his mother, Christina Williams, and his sister, Sharon Williams-Scott. There is
not a moment that goes by that I am not grateful for the love and the support that you
have always shown to me.


INTRODUCTION
I have seen enough of one war never to wish to see another.
—Thomas Jefferson

I know not with what weapons World War III will be fought, but World War IV will be
fought with sticks and stones.
—Albert Einstein

The art of war is simple enough. Find out where your enemy is. Get at him as soon as you
can. Strike him as hard as you can, and keep moving on.
—Ulysses S. Grant

The goal of this book is to help produce more highly skilled security professionals
who are dedicated to protecting against malicious hacking activity. It has been proven
over and over again that it is important to understand one’s enemies, including their
tactics, skills, tools, and motivations. Corporations and nations have enemies that are
very dedicated and talented. We must work together to understand the enemies’ processes
and procedures to ensure that we can properly thwart their destructive and malicious
behavior.
The authors of this book want to provide the readers with something we believe the
industry needs: a holistic review of ethical hacking that is responsible and truly ethical
in its intentions and material. This is why we are starting this book with a clear definition
of what ethical hacking is and is not—something society is very confused about.
We have updated the material from the first and second editions and have attempted
to deliver the most comprehensive and up-to-date assembly of techniques, procedures,
and material. Nine new chapters are presented and the other chapters have been
updated.
In Part I of this book we lay down the groundwork of the necessary ethics and expectations
of a gray hat hacker. This section:
• Clears up the confusion about white, black, and gray hat definitions and
characteristics
• Reviews the slippery ethical issues that should be understood before carrying
out any type of ethical hacking activities
• Reviews vulnerability discovery reporting challenges and the models that can
be used to deal with those challenges
• Surveys legal issues surrounding hacking and many other types of malicious
activities
• Walks through proper vulnerability discovery processes and current models
that provide direction
In Part II, we introduce more advanced penetration methods and tools that no other
books cover today. Many existing books cover the same old tools and methods that have

been rehashed numerous times, but we have chosen to go deeper into the advanced mechanisms
that real gray hats use today. We discuss the following topics in this section:
• Automated penetration testing methods and advanced tools used to carry out
these activities
• The latest tools used for penetration testing
• Physical, social engineering, and insider attacks
In Part III, we dive right into the underlying code and teach the reader how specific
components of every operating system and application work, and how they can be exploited.
We cover the following topics in this section:
• Program Coding 101 to introduce you to the concepts you will need to
understand for the rest of the sections
• How to exploit stack operations and identify and write buffer overflows
• How to identify advanced Linux and Windows vulnerabilities and how they
are exploited
• How to create different types of shellcode to develop your own proof-of-concept
exploits and necessary software to test and identify vulnerabilities
• The latest types of attacks, including client-based, web server, VoIP, and
SCADA attacks
In Part IV, we go even deeper, by examining the most advanced topics in ethical
hacking that many security professionals today do not understand. In this section, we
examine the following:
• Passive and active analysis tools and methods
• How to identify vulnerabilities in source code and binary files
• How to reverse-engineer software and disassemble the components
• Fuzzing and debugging techniques
• Mitigation steps of patching binary and source code
In Part V, we have provided a section on malware analysis. At some time or another,
the ethical hacker will come across a piece of malware and may need to perform basic
analysis. In this section, you will learn about the following topics:
• Collection of your own malware specimen
• Analysis of malware, including a discussion of de-obfuscation techniques
If you are ready to take the next step to advance and deepen your understanding of
ethical hacking, this is the book for you.
We’re interested in your thoughts and comments. Please send us an e-mail at
[email protected]. Also, for additional technical information and resources
related to this book and ethical hacking, browse to www.grayhathackingbook.com
or www.mhprofessional.com/product.php?cat=112&isbn=0071742557.

PART I

Introduction to Ethical
Disclosure
■ Chapter 1 Ethics of Ethical Hacking
■ Chapter 2 Ethical Hacking and the Legal System
■ Chapter 3 Proper and Ethical Disclosure

CHAPTER 1
Ethics of Ethical Hacking
This book has not been compiled and written to be used as a tool by individuals who
wish to carry out malicious and destructive activities. It is a tool for people who are
interested in extending or perfecting their skills to defend against such attacks and damaging
acts. In this chapter, we’ll discuss the following topics:

• Why you need to understand your enemy’s tactics
• Recognizing the gray areas in security
• How does this stuff relate to an ethical hacking book?
• The controversy of hacking books and classes
• Where do attackers have most of their fun?

Why You Need to Understand Your Enemy’s Tactics
Let’s go ahead and get the commonly asked questions out of the way and move on from
there.
Was this book written to teach today’s hackers how to cause damage in more effective ways?
Answer: No. Next question.
Then why in the world would you try to teach people how to cause destruction and mayhem?
Answer: You cannot properly protect yourself from threats you do not understand.
The goal is to identify and prevent destruction and mayhem, not cause it.
I don’t believe you. I think these books are only written for profits and royalties.
Answer: This book was written to actually teach security professionals what the
bad guys already know and are doing. More royalties would be nice, too, so please
buy two copies.
Still not convinced? Why do militaries all over the world study their enemies’ tactics,
tools, strategies, technologies, and so forth? Because the more you know about
what your enemy is up to, the better idea you have as to what protection mechanisms
you need to put into place to defend yourself.

Most countries’ militaries carry out various scenario-based fighting exercises. For example,
pilot units split up into the “good guys” and the “bad guys.” The bad guys use the
same tactics, techniques, and methods of fighting as a specific enemy—Libya, Russia,
United States, Germany, North Korea, and so on. The goal of these exercises is to allow
the pilots to understand enemy attack patterns and to identify and be prepared for certain
offensive actions, so they can properly react in the correct defensive manner.
This may seem like a large leap—from pilots practicing for wartime to corporations
trying to practice proper information security—but it is all about what the team is trying
to protect and the risks involved.
A military is trying to protect its nation and its assets. Many governments around
the world have also come to understand that the same assets they have spent millions
and perhaps billions of dollars to protect physically now face different types of threats.
The tanks, planes, and weaponry still have to be protected from being blown up, but
these same tanks, planes, and weaponry are now all run by and are dependent upon
software. This software can be hacked into, compromised, or corrupted. Coordinates of
where bombs are to be dropped can be changed. Individual military bases still need to
be protected by surveillance and military police; this is physical security. Satellites and
airplanes perform surveillance to watch for suspicious activities taking place from afar,
and security police monitor the entry points in and out of the base. These types of controls
are limited in monitoring all of the entry points into a military base. Because the
base is so dependent upon technology and software—as every organization is today—
and there are now so many communication channels present (Internet, extranets, wireless,
leased lines, shared WAN lines, and so on), a different type of “security police” is
required to cover and monitor all of these entry points into and out of the base.
Okay, so your corporation does not hold top security information about the tactical
military troop movement through Afghanistan, you don’t have the speculative coordinates
of the location of bin Laden, and you are not protecting the launch codes of nuclear
bombs—does that mean you do not need to have the same concerns and
countermeasures? Nope. Just as the military needs to protect its assets, you need to
protect yours.
An interesting aspect of the hacker community is that it is changing. Over the last
few years, their motivation has changed from just the thrill of figuring out how to exploit
vulnerabilities to figuring out how to make revenue from their actions and getting
paid for their skills. Hackers who were out to “have fun” without any real target in mind
have, to a great extent, been replaced by people who are serious about gaining financial
benefits from their activities. Attacks are not only getting more specific, but also increasing
in sophistication. The following are just a few examples of this type of trend:

• One of three Indian defendants was sentenced in September 2008 for an
online brokerage hack, called one of the first federal prosecutions of a “hack,
pump, and dump” scheme, in which hackers penetrate online brokerage
accounts, buy large shares of penny stocks to inflate the price, and then net
the profits after selling shares.
• In December 2009, a Russian hacking group called the Russian Business
Network (RBN) stole tens of millions of dollars from Citibank through the
use of a piece of malware called “Black Energy.” According to Symantec, about
half of all phishing incidents in 2008 were credited to the RBN.
• A group of Russian, Estonian, and Moldovan hackers were indicted in
November 2009, after stealing more than $9 million from a credit card
processor in one day. The hackers were alleged to have broken the encryption
scheme used at Royal Bank of Scotland’s payment processor, and then they
raised account limits, created and distributed counterfeit debit cards, and
withdrew roughly $9.4 million from more than 2,100 ATMs worldwide—in
less than 12 hours.
• Hackers using a new kind of malware made off with at least 300,000 Euros
from German banks in August of 2009. The malware wrote new bank
statements as it took money from victims’ bank accounts, changing HTML
coding on an infected machine before a user could see it.

Criminals are also using online scams in a bid to steal donations made to help
those affected by the January 2010 earthquake in Haiti and other similar disasters.
Fraudsters have set up fictitious websites or are falsely using the names of genuine
charities to trick donors into sending them donations. If you can think of the crime, it
is probably already taking place within the digital world. You can learn more about
these types of crimes at www.cybercrime.gov.
Malware is still one of the main culprits that costs companies the most amount of
money. An interesting thing about malware is that many people seem to put it in a different
category from hacking and intrusions. The fact is malware has evolved to become
one of the most sophisticated and automated forms of hacking. The attacker only has
to put some upfront effort into developing the software, and then with no more effort
required from the attacker, the malware can do its damage over and over again. The
commands and logic within the malware are the same components that attackers used
to have to carry out manually.
Sadly, many of us have a false sense of security when it comes to malware detection.
In 2006, Australia’s CERT announced that 80 percent of antivirus software products
commonly missed new malware attacks because attackers test their malware software
against the most popular antivirus software products in the industry to hide from detection.
If you compare this type of statistic with the amount of malware that hits the Internet
hourly, you can get a sense of the level of vulnerability we are actually faced with.
In 2008, Symantec had to write new virus signatures every 20 seconds to keep up with
the onslaught of malware that was released. This increased to every 8 seconds by 2009.
As of this writing, close to 4 million malware signatures are required for antivirus software
to be up to date.
The company Alinean has put together the cost estimates, per minute, for different
organizations if their operations are interrupted. Even if an attack or compromise is not
totally successful for the attacker (he or she does not obtain the desired asset), this in
no way means that the company remains unharmed. Many times attacks and intrusions
cause more of a nuisance and can negatively affect production and the normal department
operations, which always correlates to costing the company more money in direct
or indirect ways. These costs are shown in Table 1-1.

Business Application        Estimated Outage Cost per Minute
Supply chain management     $11,000
E-commerce                  $10,000
Customer service            $3,700
ATM/POS/EFT                 $3,500
Financial management        $1,500
Human capital management    $1,000
Messaging                   $1,000
Infrastructure              $700

Table 1-1 Downtime Losses (Source: Alinean)

A conservative estimate from Gartner pegs the average hourly cost of downtime for
computer networks at $42,000. A company that suffers from worse than average downtime
of 175 hours a year can lose more than $7 million per year. Even when attacks are
not newsworthy enough to be reported on TV or talked about in security industry circles,
they still negatively affect companies’ bottom lines.
As stated earlier, an interesting shift has taken place in the hacker community, from
joy riding to hacking as an occupation. Today, potentially millions of computers are
infected with bots that are controlled by specific hackers. If a hacker has infected 10,000
systems, this is her botnet, and she can use it to carry out DDoS attacks or even lease
these systems to others who do not want their activities linked to their true identities or
systems. (Botnets are commonly used to spread spam, phishing attacks, and pornography.)
The hacker who owns and runs a botnet is referred to as a bot herder. Since more
network administrators have configured their mail relays properly and blacklists have
been employed to block mail relays that are open, spammers have had to change tactics
(using botnets), which the hacking community has been more than willing to provide—for
a price.
For example, the Zeus bot variant uses key-logging techniques to steal sensitive data
such as usernames, passwords, account numbers, and credit card numbers. It injects
fake HTML forms into online banking login pages to steal user data. Its botnet is estimated
to consist of 3.6 million compromised computers. Zeus’s creators are linked to
about $100 million in fraud in 2009 alone. Another botnet, the Koobface, is one of the
most efficient social engineering–driven botnets to date. It spreads via social networking
sites MySpace and Facebook with faked messages or comments from “friends.”
When a user clicks a provided link to view a video, the user is prompted to obtain a
necessary software update, like a CODEC—but the update is really malware that can
take control of the computer. By early 2010, 2.9 million computers have knowingly
been compromised. Of course, today many more computers have been compromised
than has been reported.

Security Compromises and Trends

The following are a few specific examples and trends of security compromises
that are taking place today:

• A massive joint operation between U.S. and Egyptian law enforcement,
called “Operation Phish Pry,” netted 100 accused defendants. The two-year
investigation led to the October 2009 indictment of both American
and Egyptian hackers who allegedly worked in both countries to hack
into American bank systems, after using phishing lures to collect
individual bank account information.
• Social networking site Twitter was the target of several attacks in 2009,
one of which shut service down for more than 30 million users. The
DoS attack that shut the site down also interrupted access to Facebook
and LinkedIn, affecting approximately 300 million users in total.
• Attackers maintaining the Zeus botnet broke into Amazon’s EC2
cloud computing service in December 2009, even after Amazon’s
service had received praise for its safety and performance. The virus
that was used acquired authentication credentials from an infected
computer, accessed one of the websites hosted on an Amazon server,
and connected to the Amazon cloud to install a command and control
infrastructure on the client grid. The high-performance platform let the
virus quickly broadcast commands across the network.
• In December 2009, a hacker posted an online-banking phishing
application in the open source, mobile phone operating system
Android. The fake software showed up in the application store, used
by a variety of phone companies, including Google’s Nexus One
phone. Once users downloaded the software, they entered personal
information into the application, which was designed to look like it
came from specific credit unions.
• Iraqi insurgents intercepted live video feeds from U.S. Predator drones
in 2008 and 2009. Shiite fighters attacked some nonsecure links in
drone systems, allowing them to see where U.S. surveillance was taking
place and other military operations. It is reported that the hackers used
cheap software available online to break into the drones’ systems.
• In early 2010, Google announced it was considering pulling its search
engine from China, in part because of rampant China-based hacker
attacks, which used malware and phishing to penetrate the Gmail
accounts of human rights activists.

Some hackers also create and sell zero-day attacks. A zero-day attack is one for which
there is currently no fix available, and whoever is running the particular software that
contains the exploitable vulnerability is exposed with little or no protection. The code
for these types of attacks is advertised on special websites and sold to other hackers or
organized crime rings.

References
Alinean www.alinean.com/
Computer Crime & Intellectual Property Section, United States Department of Justice www.cybercrime.gov
Federal Trade Commission, Identity Theft Site http://www.ftc.gov/bcp/edu/microsites/idtheft/
Infonetics Research www.infonetics.com
Privacy Rights Clearinghouse, Chronology of Data Breaches, Security Breaches 2005-Present www.privacyrights.org/ar/ChronDataBreaches.htm#CP
Robot Wars: How Botnets Work (Massimiliano Romano, Simone Rosignoli, and Ennio Giannini for hakin9) www.windowsecurity.com/articles/Robot-Wars-How-Botnets-Work.html
Zero-Day Attack Prevention http://searchwindowssecurity.techtarget.com/generic/0,295582,sid45_gci1230354,00.html

Recognizing the Gray Areas in Security
Since technology can be used by the good and bad guys, there is always a fine line that
separates the two. For example, BitTorrent is a peer-to-peer file sharing protocol that allows
individuals all over the world to share files whether they are the legal owners or
not. One website will have the metadata of the files that are being offered up, but instead
of the files being available on that site’s web farm, the files are located on the
user’s system who is offering up the files. This distributed approach ensures that one
web server farm is not overwhelmed with file requests, but it also makes it harder to
track down those who are offering up illegal material.
Various publishers and owners of copyrighted material have used legal means to
persuade sites that maintain such material to honor the copyrights. The fine line is that
sites that use the BitTorrent protocol are like windows for all the material others are
offering to the world; they don’t actually host this material on their physical servers. So
are they legally responsible for offering and spreading illegal content?
The entities that offer up files to be shared on a peer-to-peer sharing site are referred
to as BitTorrent trackers. Organizations such as Suprnova.org, TorrentSpy, LokiTorrent,
and Mininova are some of the BitTorrent trackers that have been sued and brought offline
for their illegal distribution of copyrighted material. The problem is that many of
these entities just pop up on some other BitTorrent site a few days later. BitTorrent is a
common example of a technology that can be used for good and evil purposes.
Another common gray area in web-based technology is search engine optimization
(SEO). Today, all organizations and individuals want to be at the top of each search
engine result to get as much exposure as possible. Many simple to sophisticated ways
are available for carrying out the necessary tasks to climb to the top. The proper methods
are to release metadata that directly relates to content on your site, update your
content regularly, and create legal links and backlinks to other sites, etc. But, for every
legitimate way of working with search engine algorithms, there are ten illegitimate
ways. Spamdexing offers a long list of ways to fool search engines into getting a specific
site up the ladder in a search engine listing. Then there’s keyword stuffing, in which a
malicious hacker or “black hat” will place hidden text within a page. For example, if
Bob has a website that carries out a phishing attack, he might insert hidden text within
his page that targets elderly people to help drive these types of victims to his site.
There are scraper sites that take (scrape) content from another website without au-
thorization. The malicious site will make this stolen content unique enough that it
shows up as new content on the Web, thus fooling the search engine into giving it a
higher ranking. These sites commonly contain mostly advertisements and links back to
the original sites.
There are several other ways of manipulating search engine algorithms as well, for
instance, creating link farms, hidden links, fake blogs, page hijacking, and so on. The
crux here is that some of these activities are the right way of doing things and some of
them are the wrong way of doing things. Our laws have not necessarily caught up with
defining what is legal and illegal all the way down to SEO algorithm activities.

NOTE We go into laws and legal issues pertaining to various hacking
activities in Chapter 2.

There are multiple instances of the controversial concept of hacktivism. Both legal
and illegal methods can be used to portray political ideology. Is it right to try and influence
social change through the use of technology? Is web defacement covered under
freedom of speech? Is it wrong to carry out a virtual “sit in” on a site that provides illegal
content? During the 2009 Iran elections, was it unethical for an individual to set
up a site that showed upheaval about the potentially corrupt government elections?
When Israel invaded Gaza, there were many website defacements, DoS attacks, and
website hijackings. The claim of what is ethical versus not ethical probably depends
upon which side the individuals making these calls reside.

How Does This Stuff Relate to an Ethical Hacking Book?
Corporations and individuals need to understand how the damage is being done so
they understand how to stop it. Corporations also need to understand the extent of the
threat that a vulnerability represents. Let’s take a very simplistic example. The company
FalseSenseOfSecurity, Inc., may allow its employees to share directories, files, and whole
hard drives. This is done so that others can quickly and easily access data as needed. The
company may understand that this practice could possibly put the files and systems at
risk, but they only allow employees to have unclassified files on their computers, so the
company is not overly concerned. The real security threat, which is something that
should be uncovered by an ethical hacker, is if an attacker can use this file-sharing service
as access into a computer itself. Once this computer is compromised, the attacker
will most likely plant a backdoor and work on accessing another, more critical system
via the compromised system.
The vast amount of functionality that is provided by an organization’s networking,
database, and desktop software can be used against it. Within each and every organization,
there is the all-too-familiar battle of functionality vs. security. This is the reason
that, in most environments, the security officer is not the most well-liked
individual in the company. Security officers are in charge of ensuring the overall security
of the environment, which usually means reducing or shutting off many functionalities
that users love. Telling people that they cannot access social media sites, open
attachments, use applets or JavaScript via e-mail, or plug in their mobile devices to a
network-connected system and making them attend security awareness training does
not usually get you invited to the Friday night get-togethers at the bar. Instead, these
people are often called “Security Nazi” or “Mr. No” behind their backs. They are responsible
for the balance between functionality and security within the company, and
it is a hard job.
The ethical hacker’s job is to find these things running on systems and networks,
and he needs to have the skill set to know how an enemy would use these things against
the organization. This work is referred to as a penetration test, which is different from
a vulnerability assessment, which we’ll discuss first.

Vulnerability Assessment
A vulnerability assessment is usually carried out by a network scanner on steroids. Some
type of automated scanning product is used to probe the ports and services on a range
of IP addresses. Most of these products can also test for the type of operating system
and application software running and the versions, patch levels, user accounts, and
services that are also running. These findings are matched up with correlating vulnera-
bilities in the product’s database. The end result is a large pile of reports that provides a
list of each system’s vulnerabilities and corresponding countermeasures to mitigate the
associated risks. Basically, the tool states, “Here is a list of your vulnerabilities and here
is a list of things you need to do to fix them.”

www.it-ebooks.info
Chapter 1: Ethics of Ethical Hacking

11
PART I
To the novice, this sounds like an open and shut case and an easy stroll into net-
work utopia where all of the scary entities can be kept out. This false utopia, unfortu-
nately, is created by not understanding the complexity of information security. The
problem with just depending upon this large pile of printouts is that it was generated
by an automated tool that has a hard time putting its findings into the proper context
of the given environment. For example, several of these tools provide an alert of “High”
for vulnerabilities that do not have a highly probable threat associated with them. The
tools also cannot understand how a small, seemingly insignificant, vulnerability can be
used in a large orchestrated attack.
Vulnerability assessments are great for identifying the foundational security issues
within an environment, but many times, it takes an ethical hacker to really test and
qualify the level of risk specific vulnerabilities pose.

Penetration Testing
A penetration test is when ethical hackers do their magic. They can test many of the vul-
nerabilities identified during the vulnerability assessment to quantify the actual threat
and risk posed by the vulnerability.
When ethical hackers are carrying out a penetration test, their ultimate goal is usu-
ally to break into a system and hop from system to system until they “own” the domain
or environment. They own the domain or environment when they either have root
privileges on the most critical Unix or Linux system or own the domain administrator
account that can access and control all of the resources on the network. They do this to
show the customer (company) what an actual attacker can do under the circumstances
and current security posture of the network.
Many times, while the ethical hacker is carrying out her procedures to gain total
control of the network, she will pick up significant trophies along the way. These tro-
phies can include the CEO’s passwords, company trade-secret documentation, admin-
istrative passwords to all border routers, documents marked “confidential” held on the
CFO’s and CIO’s laptops, or the combination to the company vault. The reason these
trophies are collected along the way is so the decision makers understand the ramifica-
tions of these vulnerabilities. A security professional can go on for hours to the CEO,
CIO, or COO about services, open ports, misconfigurations, and hacker potential with-
out making a point that this audience would understand or care about. But as soon as
you show the CFO his next year’s projections, or show the CIO all of the blueprints to
the next year’s product line, or tell the CEO that his password is “IAmWearingPanties,”
they will all want to learn more about the importance of a firewall and other counter-
measures that should be put into place.

CAUTION No security professional should ever try to embarrass a customer


or make them feel inadequate for their lack of security. This is why the security
professional has been invited into the environment. He is a guest and is there
to help solve the problem, not point fingers. Also, in most cases, any sensitive
data should not be read by the penetration team because of the possibilities
of future lawsuits pertaining to the use of confidential information.

Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition
The goal of a vulnerability test is to provide a listing of all of the vulnerabilities
within a network. The goal of a penetration test is to show the company how these
vulnerabilities can be used against it by attackers. From here, the security professional
(ethical hacker) provides advice on the necessary countermeasures that should be im-
plemented to reduce the threats of these vulnerabilities individually and collectively. In
this book, we will cover advanced vulnerability tools and methods as well as sophisti-
cated penetration techniques. Then we’ll dig into the programming code to show you
how skilled attackers identify vulnerabilities and develop new tools to exploit their
findings.
Let’s take a look at the ethical penetration testing process and see how it differs from
that of unethical hacker activities.

The Penetration Testing Process


1. Form two or three teams:
• Red team—The attack team
• White team—Network administration, the victim
• Blue team—Management coordinating and overseeing the test (optional)
2. Establish the ground rules:
• Testing objectives
• What to attack, what is hands-off
• Who knows what about the other team (Are both teams aware of the other?
Is the testing single blind or double blind?)
• Start and stop dates
• Legal issues
• Just because a client asks for it doesn’t mean that it’s legal.
• The ethical hacker must know the relevant local, state, and federal laws
and how they pertain to testing procedures.
• Confidentiality/Nondisclosure
• Reporting requirements
• Formalized approval and written agreement with signatures and contact
information
• Keep this document handy during the testing. It may be needed as a
“get out of jail free” card.

Penetration Testing Activities


3. Passive scanning Gather as much information about the target as possible
while maintaining zero contact between the penetration tester and the target.
Passive scanning can include interrogating:

• The company’s website and source code
• Social networking sites
• Whois database
• Edgar database
• Newsgroups
• ARIN, RIPE, APNIC, LACNIC databases
• Google, Monster.com, etc.
• Dumpster diving
4. Active scanning Probe the target’s public exposure with scanning tools,
which might include:
• Commercial scanning tools
• Banner grabbing
• Social engineering
• War dialing
• DNS zone transfers
• Sniffing traffic
• Wireless war driving
5. Attack surface enumeration Probe the target network to identify,
enumerate, and document each exposed device:
• Network mapping
• Router and switch locations
• Perimeter firewalls
• LAN, MAN, and WAN connections
6. Fingerprinting Perform a thorough probe of the target systems to identify:
• Operating system type and patch level
• Applications and patch level
• Open ports
• Running services
• User accounts
7. Target system selection Identify the most useful target(s).
8. Exploiting the uncovered vulnerabilities Execute the appropriate attack
tools targeted at the suspected exposures.
• Some may not work.
• Some may kill services or even kill the server.
• Some may be successful.

9. Escalation of privilege Escalate the security context so the ethical hacker has
more control.
• Gaining root or administrative rights
• Using cracked password for unauthorized access
• Carrying out buffer overflow to gain local versus remote control
10. Documentation and reporting Document everything found, how it was
found, the tools that were used, vulnerabilities that were exploited, the
timeline of activities, and successes, etc.

NOTE A more detailed approach to penetration methodology is presented


in Chapter 5.

What Would an Unethical Hacker Do Differently?


1. Target selection
• Motivations would be due to a grudge or for fun or profit.
• There are no ground rules, no hands-off targets, and the white team is
definitely blind to the upcoming attack.
2. Intermediaries
• The attacker launches his attack from a different system (intermediary) than
his own to make tracking back to him more difficult in case the attack is
detected.
• There may be several layers of intermediaries between the attacker and the
victim.
• Intermediaries are often victims of the attacker as well.
3. Next the attacker will proceed with penetration testing steps described
previously.
• Passive scanning
• Active scanning
• Footprinting
• Target system selection
• Fingerprinting
• Exploiting the uncovered vulnerabilities
• Escalation of privilege
4. Preserving access
• This involves uploading and installing a rootkit, backdoor, Trojan’ed
applications, and/or bots to assure that the attacker can regain access at
a later time.

5. Covering his tracks
• Scrubbing event and audit logs
• Hiding uploaded files
• Hiding the active processes that allow the attacker to regain access
• Disabling messages to security software and system logs to hide malicious
processes and actions
6. Hardening the system
• After taking ownership of a system, an attacker may fix the open
vulnerabilities so no other attacker can use the system for other purposes.

How the attacker uses the compromised systems depends upon what his overall
goals are, which could include stealing sensitive information, redirecting financial
transactions, adding the systems to his bot network, extorting a company, etc.
The crux is that ethical and unethical hackers carry out basically the same activities
only with different intentions. If the ethical hacker does not identify the hole in the
defenses first, the unethical hacker will surely slip in and make himself at home.

The Controversy of Hacking Books and Classes


When books on hacking first came out, a big controversy arose pertaining to whether
this was the right thing to do or not. One side said that such books only increased
the attackers’ skills and techniques and created new attackers. The other side stated
that the attackers already had these skills, and these books were written to bring the
security professionals and networking individuals up to speed. Who was right? They
both were.
The word “hacking” is sexy, exciting, seemingly seedy, and usually brings about
thoughts of complex technical activities, sophisticated crimes, and a look into the face
of electronic danger itself. Although some computer crimes may take on some of these
aspects, in reality it is not this grand or romantic. A computer is just a new tool to carry
out old crimes.
Attackers are only one component of information security. Unfortunately, when
most people think of security, their minds go right to packets, firewalls, and hackers.
Security is a much larger and more complex beast than these technical items. Real secu-
rity includes policies and procedures, liabilities and laws, human behavior patterns,
corporate security programs and implementation, and yes, the technical aspects—fire-
walls, intrusion detection systems, proxies, encryption, antivirus software, hacks, cracks,
and attacks.
Understanding how different types of hacking tools are used and how certain at-
tacks are carried out is just one piece of the puzzle. But like all pieces of a puzzle, it is a
very important one. For example, if a network administrator implements a packet filter-
ing firewall and sets up the necessary configurations, he may feel the company is now
safe and sound. He has configured his access control lists to allow only “established”
traffic into the network. This means an outside source cannot send a SYN packet to
initiate communication with an inside system. If the administrator does not realize that

there are tools that allow for ACK packets to be generated and sent, he is only seeing
part of the picture here. This lack of knowledge and experience allows for a false sense
of security, which seems to be pretty common in companies around the world today.
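As an added illustration (example code, not from the book), the following simulation contrasts the two behaviours the paragraph describes: a stateless "established" ACL that keys only on the TCP ACK bit, and a stateful filter that admits inbound segments only when an inside host actually opened the connection. Addresses, ports and the 10.0.0.0/24 inside prefix are constructed for the example.

```python
"""Stateless 'established' ACL versus stateful connection tracking.
Added example; the traffic below is constructed, not captured."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


INSIDE_NET = "10.0.0."  # constructed internal prefix for the example


def is_inside(ip):
    return ip.startswith(INSIDE_NET)


def stateless_established_acl(seg):
    """Classic 'permit tcp any any established' behaviour: an inbound segment
    passes whenever ACK (or RST) is set, regardless of any prior handshake."""
    if is_inside(seg.src):
        return True  # outbound traffic is always permitted
    return "ACK" in seg.flags or "RST" in seg.flags


@dataclass
class StatefulFilter:
    """Tracks connections opened from the inside and admits only their replies."""
    table: set = field(default_factory=set)

    def _key(self, seg):
        # canonical key: (inside host, inside port, outside host, outside port)
        if is_inside(seg.src):
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def allow(self, seg):
        key = self._key(seg)
        if is_inside(seg.src):
            if "SYN" in seg.flags:
                self.table.add(key)  # inside host initiated a connection
            return True
        # inbound: permitted only if an inside host opened this exact connection
        if key not in self.table:
            return False
        if "RST" in seg.flags or "FIN" in seg.flags:
            self.table.discard(key)  # connection torn down, forget it
        return True


def seg(src, sport, dst, dport, *flags):
    return Segment(src, sport, dst, dport, frozenset(flags))


# Constructed traffic: an inside client opens a web connection, the server
# replies, then an unrelated outside host sends an unsolicited ACK-only
# segment to port 22 (the kind of probe the text refers to).
SAMPLE_TRAFFIC = [
    seg("10.0.0.5", 40000, "203.0.113.10", 80, "SYN"),
    seg("203.0.113.10", 80, "10.0.0.5", 40000, "SYN", "ACK"),
    seg("198.51.100.7", 55555, "10.0.0.5", 22, "ACK"),
]


def evaluate(segments):
    """Return (stateless decisions, stateful decisions) for a segment list."""
    sf = StatefulFilter()
    return ([stateless_established_acl(s) for s in segments],
            [sf.allow(s) for s in segments])


if __name__ == "__main__":
    stateless, stateful = evaluate(SAMPLE_TRAFFIC)
    for s, a, b in zip(SAMPLE_TRAFFIC, stateless, stateful):
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} {sorted(s.flags)} "
              f"stateless={a} stateful={b}")
```

The third segment is the one that matters: the ACK-bit ACL passes it, while the stateful filter drops it because no inside host ever opened that connection.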
Let’s look at another example. A network engineer configures a firewall to review
only the first fragment of a packet and not the packet fragments that follow. The engi-
neer knows that this type of “cut through” configuration will increase network perfor-
mance. But if she is not aware that there are tools that can create fragments with
dangerous payloads, she could be allowing in malicious traffic. Once these fragments
reach the inside destination system and are reassembled, the packet can be put back
together and initiate an attack.
In addition, if a company’s employees are not aware of social engineering attacks
and how damaging they can be, they may happily give out useful information to attack-
ers. This information is then used to generate even more powerful and dangerous at-
tacks against the company. Knowledge and the implementation of knowledge are the
keys for any real security to be accomplished.
So where do we stand on hacking books and hacking classes? Directly on top of a
slippery banana peel. There are currently three prongs to the problem of today’s hack-
ing classes and books. First, marketing people love to use the word “hacking” instead of
more meaningful and responsible labels such as “penetration methodology.” This
means that too many things fall under the umbrella of hacking. All of these procedures
now take on the negative connotation that the word “hacking” has come to be associ-
ated with. Second is the educational piece of the difference between hacking and ethi-
cal hacking, and the necessity of ethical hacking (penetration testing) in the security
industry. The third issue has to do with the irresponsibility of many hacking books and
classes. If these items are really being developed to help out the good guys, then they
should be developed and structured to do more than just show how to exploit a vulner-
ability. These educational components should show the necessary countermeasures
required to fight against these types of attacks and how to implement preventive mea-
sures to help ensure these vulnerabilities are not exploited. Many books and courses
tout the message of being a resource for the white hat and security professional. If you
are writing a book or curriculum for black hats, then just admit it. You will make just as
much (or more) money, and you will help eliminate the confusion between the con-
cepts of hacking and ethical hacking.

The Dual Nature of Tools


In most instances, the toolset used by malicious attackers is the same toolset used by
security professionals. A lot of people do not seem to understand this. In fact, the
books, classes, articles, websites, and seminars on hacking could be legitimately re-
named to “security professional toolset education.” The problem is that marketing
people like to use the word “hacking” because it draws more attention and paying cus-
tomers.
As covered earlier, ethical hackers go through the same processes and procedures as
unethical hackers, so it only makes sense that they use the same basic toolset. It would
not be useful to prove that attackers could not get through the security barriers with

Tool A if attackers do not use Tool A. The ethical hacker has to know what the bad guys
are using, know the new exploits that are out in the underground, and continually keep
her skills and knowledgebase up to date. Why? Because the odds are against the com-
pany and against the security professional. The security professional has to identify and
address all of the vulnerabilities in an environment. The attacker only has to be really
good at one or two exploits, or really lucky. A comparison can be made to the U.S.
Homeland Security responsibilities. The CIA and FBI are responsible for protecting the
nation from the 10 million things terrorists could possibly think up and carry out. The
terrorist only has to be successful at one of these 10 million things.

How Are These Tools Used for Good Instead of Evil?


How would a company’s networking staff ensure that all of the employees are creating
complex passwords that meet the company’s password policy? They can set operating
system configurations to make sure the passwords are of a certain length, contain up-
per- and lowercase letters, contain numeric values, and keep a password history. But
these configurations cannot check for dictionary words or calculate how much protec-
tion is being provided from brute-force attacks. So the team can use a hacking tool to
carry out dictionary and brute-force attacks on individual passwords to actually test
their strength, as illustrated in Figure 1-1. The other choice is to go to each and every
employee and ask what his or her password is, write down the password, and eyeball it
to determine if it is good enough. Not a good alternative.

Figure 1-1 Password cracking software
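To make the gap concrete, here is an added example (not the book's code) that puts an OS-style complexity check beside the two things such a check cannot see: a password built from a dictionary word, and the size of the search space a brute-force attacker must cover. The word list and guess rate are constructed stand-ins; a real audit would load a full dictionary and the organisation's own banned words.

```python
"""Policy complexity check versus dictionary exposure and brute-force cost.
Added example; WORDLIST is a constructed stand-in for a real dictionary."""

import math
import re

# Constructed mini word list; real cracking dictionaries hold millions.
WORDLIST = {"password", "welcome", "summer", "company", "letmein"}

# Cheap substitutions a cracker's mangling rules undo before a lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw, min_len=8):
    """The checks an operating-system password filter typically enforces."""
    return (len(pw) >= min_len
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def dictionary_base(pw):
    """Return the dictionary word the password is built from, or None.
    Case folding, stripping trailing digits/symbols and undoing leet
    substitutions cover the first rules a dictionary attack applies."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)  # drop trailing 2024, !, 1, ...
    s = s.translate(LEET)
    return s if s in WORDLIST else None


def charset_size(pw):
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII symbols
    return size


def brute_force_bits(pw):
    """log2 of the keyspace a blind brute-force search must cover."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def assess(pw, guesses_per_second=1e10):
    """Combine the views: policy result, dictionary exposure, and the expected
    seconds for a brute-force attacker at a constructed guess rate."""
    base = dictionary_base(pw)
    bits = brute_force_bits(pw)
    return {
        "meets_policy": meets_complexity(pw),
        "dictionary_word": base,
        "keyspace_bits": round(bits, 1),
        "brute_force_seconds": (2 ** bits) / 2 / guesses_per_second,
        "acceptable": meets_complexity(pw) and base is None and bits >= 60,
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Summer2024!", "Tr0ub4dor-R3ctifies-Pl1nth"):
        print(candidate, assess(candidate))
```

"P@ssw0rd1" satisfies every complexity rule yet is a one-rule mangling of a dictionary word, which is exactly what the configuration checks the paragraph describes cannot detect.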

NOTE A company’s security policy should state that this type of password-
testing activity is allowed by the IT staff and security team. Breaking employees’
passwords could be seen as intrusive and wrong if management does not
acknowledge and allow for such activities to take place. Make sure you get
permission before you undertake this type of activity.

The same network staff needs to make sure that their firewall and router configura-
tions will actually provide the protection level that the company requires. They could
read the manuals, make the configuration changes, implement ACLs, and then go and
get some coffee. Or they could implement the configurations and then run tests against
these settings to see if they are allowing malicious traffic into what they thought was a
controlled environment. These tests often require the use of hacking tools. The tools
carry out different types of attacks, which allow the team to see how the perimeter de-
vices will react in certain circumstances.
Nothing should be trusted until it is tested. There is an amazing number of cases
where a company does everything seemingly correct when it comes to their infrastruc-
ture security. They implement policies and procedures, roll out firewalls, IDS, and anti-
virus, have all of their employees attend security awareness training, and continually
patch their systems. It is unfortunate that these companies put forth all the right effort
and funds only to end up on CNN as the latest victim because all of their customers’
credit card numbers were stolen and posted on the Internet. And this can happen if
they do not carry out the necessary vulnerability and penetration tests.

Recognizing Trouble When It Happens


Network administrators, engineers, and security professionals need to be able to recog-
nize when an attack is underway or when one is about to take place. It may seem as
though recognizing an attack as it is happening should be easy. This is only true for the
very “noisy” or overwhelming attacks such as denial-of-service (DoS) attacks. Many at-
tackers fly under the radar and go unnoticed by security devices and staff members. It
is important to know how different types of attacks take place so they can be properly
recognized and stopped.
Security issues and compromises are not going to go away any time soon. People
who work in positions within corporations that touch security in any way should not
try to ignore it or treat security as though it is an island unto itself. The bad guys know
that to hurt an enemy is to take out what that victim depends upon most. Today the
world is only becoming more dependent upon technology, not less. Even though ap-
plication development and network and system configuration and maintenance are
complex, security is only going to become more entwined with them. When a network
staff has a certain level of understanding of security issues and how different compro-
mises take place, they can act more effectively and efficiently when the “all hands on
deck” alarm is sounded.
It is also important to know when an attack may be around the corner. If network
staff is educated on attacker techniques and they see a ping sweep followed a day later
by a port scan, they will know that most likely in three hours their systems will be at-
tacked. There are many activities that lead up to different attacks, so understanding

these items will help the company protect itself. The argument can be made that we
have more automated security products that identify these types of activities so that we
don’t have to see them coming. But depending upon software that does not have the
ability to put the activities in the necessary context and make a decision is very danger-
ous. Computers can outperform any human on calculations and performing repetitive
tasks, but we still have the ability to make some necessary judgment calls because we
understand the grays in life and do not just see things in 1s and 0s.
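The ping-sweep-then-port-scan sequence described above, turned into correlation logic as an added example (not the book's code): a source that pinged several hosts and later probed many ports on one of them is flagged, while a single ping or a normal web connection is not. The log format, thresholds and addresses are constructed for the demonstration; map the regex to your own firewall's format.

```python
"""Correlate a ping sweep with a later port scan from the same source.
Added example; SAMPLE_LOG lines are constructed, not real firewall output."""

import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<iso-timestamp> proto=<icmp|tcp> src=<ip> dst=<ip> [dport=<n>]"
LINE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>icmp|tcp) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?"
)

SWEEP_HOSTS = 4  # distinct hosts pinged by one source before it counts as a sweep
SCAN_PORTS = 5   # distinct ports probed on one host before it counts as a scan

SAMPLE_LOG = [
    "2024-05-01T09:00:00 proto=icmp src=198.51.100.7 dst=10.0.0.1",
    "2024-05-01T09:00:01 proto=icmp src=198.51.100.7 dst=10.0.0.2",
    "2024-05-01T09:00:02 proto=icmp src=198.51.100.7 dst=10.0.0.3",
    "2024-05-01T09:00:03 proto=icmp src=198.51.100.7 dst=10.0.0.4",
    "2024-05-01T09:30:00 proto=icmp src=203.0.113.9 dst=10.0.0.1",  # lone ping
    "2024-05-02T09:00:00 proto=tcp src=198.51.100.7 dst=10.0.0.3 dport=21",
    "2024-05-02T09:00:01 proto=tcp src=198.51.100.7 dst=10.0.0.3 dport=22",
    "2024-05-02T09:00:02 proto=tcp src=198.51.100.7 dst=10.0.0.3 dport=23",
    "2024-05-02T09:00:03 proto=tcp src=198.51.100.7 dst=10.0.0.3 dport=25",
    "2024-05-02T09:00:04 proto=tcp src=198.51.100.7 dst=10.0.0.3 dport=80",
    "2024-05-02T09:05:00 proto=tcp src=203.0.113.9 dst=10.0.0.1 dport=443",  # normal
    "this line is not in the expected format",
]


def parse(lines):
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:  # unrelated or malformed line: skip it rather than crash
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["dport"] = int(d["dport"]) if d["dport"] else None
        events.append(d)
    return events


def find_sweeps(events):
    """source -> time of first ping, for sources that pinged many hosts."""
    pinged = defaultdict(set)
    first = {}
    for e in events:
        if e["proto"] == "icmp":
            pinged[e["src"]].add(e["dst"])
            first.setdefault(e["src"], e["ts"])
    return {s: first[s] for s, hosts in pinged.items() if len(hosts) >= SWEEP_HOSTS}


def find_scans(events):
    """(source, target) -> time of first probe, for many-port probes."""
    ports = defaultdict(set)
    first = {}
    for e in events:
        if e["proto"] == "tcp" and e["dport"] is not None:
            key = (e["src"], e["dst"])
            ports[key].add(e["dport"])
            first.setdefault(key, e["ts"])
    return {k: first[k] for k, p in ports.items() if len(p) >= SCAN_PORTS}


def correlate(lines):
    """Alerts for sources whose port scan followed their own earlier ping sweep."""
    events = parse(lines)
    sweeps = find_sweeps(events)
    alerts = []
    for (src, dst), scan_ts in sorted(find_scans(events).items(), key=lambda kv: kv[1]):
        if src in sweeps and sweeps[src] < scan_ts:
            gap = scan_ts - sweeps[src]
            alerts.append({"src": src, "target": dst,
                           "hours_since_sweep": round(gap.total_seconds() / 3600, 1)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```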
So it is important to understand that hacking tools are really just software tools that
carry out some specific type of procedure to achieve a desired result. The tools can be
used for good (defensive) purposes or for bad (offensive) purposes. The good and the
bad guys use the same exact toolset; the difference is their intent when operating these
utilities. It is imperative for the security professional to understand how to use these
tools and how attacks are carried out if he is going to be of any use to his customer and
to the industry.

Emulating the Attack


Once network administrators, engineers, and security professionals understand how
attackers work, then they can emulate their activities to carry out a useful penetration
test. But why would anyone want to emulate an attack? Because this is the only way to
truly test an environment’s security level—you must know how it will react when a real
attack is being carried out.
This book is laid out to walk you through these different steps so you can under-
stand how many types of attacks take place. It can help you develop methodologies for
emulating similar activities to test your company’s security posture.
There are already many elementary ethical hacking books available in every book-
store. The demand for these books and hacking courses over the years has reflected the
interest and the need in the market. It is also obvious that, although some people are
just entering this sector, many individuals are ready to move on to the more advanced
topic of ethical hacking. The goal of this book is to go through some of the basic ethical
hacking concepts quickly and then spend more time with the concepts that are not
readily available to you, but are unbelievably important.
Just in case you choose to use the information in this book for unintended pur-
poses (malicious activity), in the next chapters, we will also walk through several fed-
eral laws that have been put into place to scare you away from this activity. A wide range
of computer crimes are taken seriously by today’s court system, and attackers are receiv-
ing hefty fines and jail sentences for their activities. Don’t let that be you. There is just
as much fun and intellectual stimulation to be had working as a white hat—and no
threat of jail time!

Where Do Attackers Have Most of Their Fun?


Hacking into a system and environment is almost always carried out by exploiting vulner-
abilities in software. Only recently has the light started to shine on the root of the prob-
lem of successful attacks and exploits, which is flaws within software code. Most attack
methods described in this book can be carried out because of errors in the software.

It is not fair to put all of the blame on the programmers, because they have done
exactly what their employers and market have asked them to: quickly build applica-
tions with tremendous functionality. Only over the last few years has the market started
screaming for functionality and security, and the vendors and programmers are scram-
bling to meet these new requirements and still stay profitable.

Security Does Not Like Complexity


Software, in general, is very complicated, and the more functionality that we try to
shove into applications and operating systems, the more complex software will be-
come. The more complex software gets, the harder it is to predict properly how it will
react in all possible scenarios, which makes it much harder to secure.
Today’s operating systems and applications are increasing in lines of code (LOC).
Windows operating systems have approximately 40 million LOC. Unix and Linux op-
erating systems have much less, usually around 2 million LOC. A common estimate
used in the industry is that there are between 5 and 50 bugs per 1,000 lines of code. So a
middle-of-the-road estimate would be that Windows 7 has approximately 1,200,000
bugs. (Not a statement of fact; just a guesstimation.)
It is difficult enough to try to logically understand and secure 40 million LOC, but
the complexity does not stop there. The programming industry has evolved from tradi-
tional programming languages to object-oriented languages, which allow for a modu-
lar approach to developing software. This approach has a lot of benefits: reusable
components, faster to market times, decrease in programming time, and easier ways to
troubleshoot and update individual modules within the software. But applications and
operating systems use each other’s components, users download different types of mo-
bile code to extend functionality, DLLs are installed and shared, and instead of applica-
tion-to-operating system communication, today many applications communicate
directly with each other. The operating system cannot control this type of information
flow and provide protection against possible compromises.
If we peek under the covers even further, we see that thousands of protocols are
integrated into the different operating system protocol stacks, which allows for distrib-
uted computing. The operating systems and applications must rely on these protocols
for transmission to another system or application, even if the protocols contain their
own inherent security flaws. Device drivers are developed by different vendors and in-
stalled in the operating system. Many times these drivers are not well developed and
can negatively affect the stability of an operating system. And to get even closer to the
hardware level, injection of malicious code into firmware is an up-and-coming attack
avenue.
So is it all doom and gloom? Yep, for now. Until we understand that a majority of
the successful attacks are carried out because software vendors do not integrate security
into the design and specification phases, our programmers have not been properly
taught how to code securely, vendors are not being held liable for faulty code, and con-
sumers are not willing to pay more for properly developed and tested code, our stagger-
ing hacking and company compromise statistics will only increase.

Will it get worse before it gets better? Probably. Every industry in the world is be-
coming more reliant on software and technology. Software vendors have to carry out
the continual one-upmanship to ensure their survivability in the market. Although se-
curity is becoming more of an issue, functionality of software has always been the main
driving component of products, and it always will be. Attacks will also continue and
increase in sophistication because they are now revenue streams for individuals, com-
panies, and organized crime groups.
Will vendors integrate better security, ensure their programmers are properly trained
in secure coding practices, and put each product through more and more testing cycles?
Not until they have to. Once the market truly demands that this level of protection and
security is provided by software products and customers are willing to pay more for
security, then the vendors will step up to the plate. Currently, most vendors are only
integrating protection mechanisms because of the backlash and demand from their
customer bases. Unfortunately, just as September 11th awakened the United States to its
vulnerabilities, something large may have to take place in terms of software compro-
mise before the industry decides to address this issue properly.
So we are back to the original question: what does this have to do with ethical hack-
ing? A novice ethical hacker will use tools developed by others who have uncovered
specific vulnerabilities and methods to exploit them. A more advanced ethical hacker
will not just depend upon other people’s tools, she will have the skill set and under-
standing to look at the code itself. The more advanced ethical hacker will be able to
identify possible vulnerabilities and programming code errors and develop ways to rid
the software of these types of flaws.
If the software did not contain 5–50 exploitable bugs within every 1,000 lines of
code, we would not have to build the fortresses we are constructing today. Use this book
as a guide to bring you deeper and deeper under the covers to allow you to truly under-
stand where the security vulnerabilities reside and what should be done about them.

www.it-ebooks.info
This page intentionally left blank

www.it-ebooks.info
Another Random Scribd Document
with Unrelated Content
often spoken at home, to meet them. Cathalina was making a low
bow to her aunt and presenting her diploma.
“Have it framed, Auntie! Put it in Uncle Morris’s collection of
pictures; it has one of Greycliff on it.”
“You have earned it. I think we shall let you put it away among
the Van Buskirk archives,” returned Aunt Katherine.
But there was still packing to be done. After a lunch, rather more
elaborate than usual, the girls scattered to their rooms and the
exodus began. Another year at Greycliff was completed.

THE END
*** END OF THE PROJECT GUTENBERG EBOOK THE GIRLS OF
GREYCLIFF ***

Updated editions will replace the previous one—the old editions


will be renamed.

Creating the works from print editions not protected by U.S.


copyright law means that no one owns a United States
copyright in these works, so the Foundation (and you!) can copy
and distribute it in the United States without permission and
without paying copyright royalties. Special rules, set forth in the
General Terms of Use part of this license, apply to copying and
distributing Project Gutenberg™ electronic works to protect the
PROJECT GUTENBERG™ concept and trademark. Project
Gutenberg is a registered trademark, and may not be used if
you charge for an eBook, except by following the terms of the
trademark license, including paying royalties for use of the
Project Gutenberg trademark. If you do not charge anything for
copies of this eBook, complying with the trademark license is
very easy. You may use this eBook for nearly any purpose such
as creation of derivative works, reports, performances and
research. Project Gutenberg eBooks may be modified and
printed and given away—you may do practically ANYTHING in
the United States with eBooks not protected by U.S. copyright
law. Redistribution is subject to the trademark license, especially
commercial redistribution.

START: FULL LICENSE


THE FULL PROJECT GUTENBERG LICENSE
PLEASE READ THIS BEFORE YOU DISTRIBUTE OR USE THIS WORK

To protect the Project Gutenberg™ mission of promoting the
free distribution of electronic works, by using or distributing this
work (or any other work associated in any way with the phrase
“Project Gutenberg”), you agree to comply with all the terms of
the Full Project Gutenberg™ License available with this file or
online at www.gutenberg.org/license.

Section 1. General Terms of Use and Redistributing Project Gutenberg™ electronic works

1.A. By reading or using any part of this Project Gutenberg™
electronic work, you indicate that you have read, understand,
agree to and accept all the terms of this license and intellectual
property (trademark/copyright) agreement. If you do not agree
to abide by all the terms of this agreement, you must cease
using and return or destroy all copies of Project Gutenberg™
electronic works in your possession. If you paid a fee for
obtaining a copy of or access to a Project Gutenberg™
electronic work and you do not agree to be bound by the terms
of this agreement, you may obtain a refund from the person or
entity to whom you paid the fee as set forth in paragraph 1.E.8.

1.B. “Project Gutenberg” is a registered trademark. It may only
be used on or associated in any way with an electronic work by
people who agree to be bound by the terms of this agreement.
There are a few things that you can do with most Project
Gutenberg™ electronic works even without complying with the
full terms of this agreement. See paragraph 1.C below. There
are a lot of things you can do with Project Gutenberg™
electronic works if you follow the terms of this agreement and
help preserve free future access to Project Gutenberg™
electronic works. See paragraph 1.E below.
1.C. The Project Gutenberg Literary Archive Foundation (“the
Foundation” or PGLAF), owns a compilation copyright in the
collection of Project Gutenberg™ electronic works. Nearly all the
individual works in the collection are in the public domain in the
United States. If an individual work is unprotected by copyright
law in the United States and you are located in the United
States, we do not claim a right to prevent you from copying,
distributing, performing, displaying or creating derivative works
based on the work as long as all references to Project
Gutenberg are removed. Of course, we hope that you will
support the Project Gutenberg™ mission of promoting free
access to electronic works by freely sharing Project Gutenberg™
works in compliance with the terms of this agreement for
keeping the Project Gutenberg™ name associated with the
work. You can easily comply with the terms of this agreement
by keeping this work in the same format with its attached full
Project Gutenberg™ License when you share it without charge
with others.

1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside
the United States, check the laws of your country in addition to
the terms of this agreement before downloading, copying,
displaying, performing, distributing or creating derivative works
based on this work or any other Project Gutenberg™ work. The
Foundation makes no representations concerning the copyright
status of any work in any country other than the United States.

1.E. Unless you have removed all references to Project
Gutenberg:

1.E.1. The following sentence, with active links to, or other
immediate access to, the full Project Gutenberg™ License must
appear prominently whenever any copy of a Project
Gutenberg™ work (any work on which the phrase “Project
Gutenberg” appears, or with which the phrase “Project
Gutenberg” is associated) is accessed, displayed, performed,
viewed, copied or distributed:

    This eBook is for the use of anyone anywhere in the United
    States and most other parts of the world at no cost and
    with almost no restrictions whatsoever. You may copy it,
    give it away or re-use it under the terms of the Project
    Gutenberg License included with this eBook or online at
    www.gutenberg.org. If you are not located in the United
    States, you will have to check the laws of the country
    where you are located before using this eBook.

1.E.2. If an individual Project Gutenberg™ electronic work is
derived from texts not protected by U.S. copyright law (does not
contain a notice indicating that it is posted with permission of
the copyright holder), the work can be copied and distributed to
anyone in the United States without paying any fees or charges.
If you are redistributing or providing access to a work with the
phrase “Project Gutenberg” associated with or appearing on the
work, you must comply either with the requirements of
paragraphs 1.E.1 through 1.E.7 or obtain permission for the use
of the work and the Project Gutenberg™ trademark as set forth
in paragraphs 1.E.8 or 1.E.9.

1.E.3. If an individual Project Gutenberg™ electronic work is
posted with the permission of the copyright holder, your use and
distribution must comply with both paragraphs 1.E.1 through
1.E.7 and any additional terms imposed by the copyright holder.
Additional terms will be linked to the Project Gutenberg™
License for all works posted with the permission of the copyright
holder found at the beginning of this work.

1.E.4. Do not unlink or detach or remove the full Project
Gutenberg™ License terms from this work, or any files
containing a part of this work or any other work associated with
Project Gutenberg™.

1.E.5. Do not copy, display, perform, distribute or redistribute
this electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the
Project Gutenberg™ License.

1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if
you provide access to or distribute copies of a Project
Gutenberg™ work in a format other than “Plain Vanilla ASCII” or
other format used in the official version posted on the official
Project Gutenberg™ website (www.gutenberg.org), you must,
at no additional cost, fee or expense to the user, provide a copy,
a means of exporting a copy, or a means of obtaining a copy
upon request, of the work in its original “Plain Vanilla ASCII” or
other form. Any alternate format must include the full Project
Gutenberg™ License as specified in paragraph 1.E.1.

1.E.7. Do not charge a fee for access to, viewing, displaying,
performing, copying or distributing any Project Gutenberg™
works unless you comply with paragraph 1.E.8 or 1.E.9.

1.E.8. You may charge a reasonable fee for copies of or
providing access to or distributing Project Gutenberg™
electronic works provided that:

• You pay a royalty fee of 20% of the gross profits you derive
from the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”

• You provide a full refund of any money paid by a user who
notifies you in writing (or by e-mail) within 30 days of receipt
that s/he does not agree to the terms of the full Project
Gutenberg™ License. You must require such a user to return or
destroy all copies of the works possessed in a physical medium
and discontinue all use of and all access to other copies of
Project Gutenberg™ works.

• You provide, in accordance with paragraph 1.F.3, a full refund of
any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.

• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.

1.E.9. If you wish to charge a fee or distribute a Project
Gutenberg™ electronic work or group of works on different
terms than are set forth in this agreement, you must obtain
permission in writing from the Project Gutenberg Literary
Archive Foundation, the manager of the Project Gutenberg™
trademark. Contact the Foundation as set forth in Section 3
below.

1.F.

1.F.1. Project Gutenberg volunteers and employees expend
considerable effort to identify, do copyright research on,
transcribe and proofread works not protected by U.S. copyright
law in creating the Project Gutenberg™ collection. Despite these
efforts, Project Gutenberg™ electronic works, and the medium
on which they may be stored, may contain “Defects,” such as,
but not limited to, incomplete, inaccurate or corrupt data,
transcription errors, a copyright or other intellectual property
infringement, a defective or damaged disk or other medium, a
computer virus, or computer codes that damage or cannot be
read by your equipment.

1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES - Except
for the “Right of Replacement or Refund” described in
paragraph 1.F.3, the Project Gutenberg Literary Archive
Foundation, the owner of the Project Gutenberg™ trademark,
and any other party distributing a Project Gutenberg™ electronic
work under this agreement, disclaim all liability to you for
damages, costs and expenses, including legal fees. YOU AGREE
THAT YOU HAVE NO REMEDIES FOR NEGLIGENCE, STRICT
LIABILITY, BREACH OF WARRANTY OR BREACH OF CONTRACT
EXCEPT THOSE PROVIDED IN PARAGRAPH 1.F.3. YOU AGREE
THAT THE FOUNDATION, THE TRADEMARK OWNER, AND ANY
DISTRIBUTOR UNDER THIS AGREEMENT WILL NOT BE LIABLE
TO YOU FOR ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE OR INCIDENTAL DAMAGES EVEN IF YOU GIVE
NOTICE OF THE POSSIBILITY OF SUCH DAMAGE.

1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If you
discover a defect in this electronic work within 90 days of
receiving it, you can receive a refund of the money (if any) you
paid for it by sending a written explanation to the person you
received the work from. If you received the work on a physical
medium, you must return the medium with your written
explanation. The person or entity that provided you with the
defective work may elect to provide a replacement copy in lieu
of a refund. If you received the work electronically, the person
or entity providing it to you may choose to give you a second
opportunity to receive the work electronically in lieu of a refund.
If the second copy is also defective, you may demand a refund
in writing without further opportunities to fix the problem.

1.F.4. Except for the limited right of replacement or refund set
forth in paragraph 1.F.3, this work is provided to you ‘AS-IS’,
WITH NO OTHER WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.

1.F.5. Some states do not allow disclaimers of certain implied
warranties or the exclusion or limitation of certain types of
damages. If any disclaimer or limitation set forth in this
agreement violates the law of the state applicable to this
agreement, the agreement shall be interpreted to make the
maximum disclaimer or limitation permitted by the applicable
state law. The invalidity or unenforceability of any provision of
this agreement shall not void the remaining provisions.

1.F.6. INDEMNITY - You agree to indemnify and hold the
Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and
distribution of Project Gutenberg™ electronic works, harmless
from all liability, costs and expenses, including legal fees, that
arise directly or indirectly from any of the following which you
do or cause to occur: (a) distribution of this or any Project
Gutenberg™ work, (b) alteration, modification, or additions or
deletions to any Project Gutenberg™ work, and (c) any Defect
you cause.

Section 2. Information about the Mission of Project Gutenberg™

Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new
computers. It exists because of the efforts of hundreds of
volunteers and donations from people in all walks of life.

Volunteers and financial support to provide volunteers with the
assistance they need are critical to reaching Project
Gutenberg™’s goals and ensuring that the Project Gutenberg™
collection will remain freely available for generations to come. In
2001, the Project Gutenberg Literary Archive Foundation was
created to provide a secure and permanent future for Project
Gutenberg™ and future generations. To learn more about the
Project Gutenberg Literary Archive Foundation and how your
efforts and donations can help, see Sections 3 and 4 and the
Foundation information page at www.gutenberg.org.

Section 3. Information about the Project Gutenberg Literary Archive Foundation

The Project Gutenberg Literary Archive Foundation is a non-
profit 501(c)(3) educational corporation organized under the
laws of the state of Mississippi and granted tax exempt status
by the Internal Revenue Service. The Foundation’s EIN or
federal tax identification number is 64-6221541. Contributions
to the Project Gutenberg Literary Archive Foundation are tax
deductible to the full extent permitted by U.S. federal laws and
your state’s laws.

The Foundation’s business office is located at 809 North 1500
West, Salt Lake City, UT 84116, (801) 596-1887. Email contact
links and up to date contact information can be found at the
Foundation’s website and official page at
www.gutenberg.org/contact

Section 4. Information about Donations to the Project Gutenberg Literary Archive Foundation

Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission
of increasing the number of public domain and licensed works
that can be freely distributed in machine-readable form
accessible by the widest array of equipment including outdated
equipment. Many small donations ($1 to $5,000) are particularly
important to maintaining tax exempt status with the IRS.

The Foundation is committed to complying with the laws
regulating charities and charitable donations in all 50 states of
the United States. Compliance requirements are not uniform
and it takes a considerable effort, much paperwork and many
fees to meet and keep up with these requirements. We do not
solicit donations in locations where we have not received written
confirmation of compliance. To SEND DONATIONS or determine
the status of compliance for any particular state visit
www.gutenberg.org/donate.

While we cannot and do not solicit contributions from states
where we have not met the solicitation requirements, we know
of no prohibition against accepting unsolicited donations from
donors in such states who approach us with offers to donate.

International donations are gratefully accepted, but we cannot
make any statements concerning tax treatment of donations
received from outside the United States. U.S. laws alone swamp
our small staff.

Please check the Project Gutenberg web pages for current
donation methods and addresses. Donations are accepted in a
number of other ways including checks, online payments and
credit card donations. To donate, please visit:
www.gutenberg.org/donate.

Section 5. General Information About Project Gutenberg™ electronic works

Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could
be freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose
network of volunteer support.

Project Gutenberg™ eBooks are often created from several
printed editions, all of which are confirmed as not protected by
copyright in the U.S. unless a copyright notice is included. Thus,
we do not necessarily keep eBooks in compliance with any
particular paper edition.

Most people start at our website which has the main PG search
facility: www.gutenberg.org.

This website includes information about Project Gutenberg™,
including how to make donations to the Project Gutenberg
Literary Archive Foundation, how to help produce our new
eBooks, and how to subscribe to our email newsletter to hear
about new eBooks.