--------
-Intro:
--------
Well since we're starting this blog I figured a good place to start is a simple overview on assembly and the high-level to low-level comparison. This is an article I wrote a couple years ago under a different handle but figured it got the point across so I would share it with you all. Without further ado, here is the good stuff.
------------
-Terminology
------------
Before we can just jump into the logic behind high-level to low-level conversions, we must first be familiarized with the instructions used in assembly language. Other articles cover certain ones, yet I felt the more important ones were over-looked; therefore here is a simplified list:
Conditional codes:
cmp --- Compare, simple enough, compares two values, whether they be variables, or constants.
je --- Jump if equal, will perform the jump if the preceding values are equal
jne --- Jump if not equal, performs the jump if values are not equal
jmp --- Unconditional jump, will jump regardless
Mathematical:
add, sub, mult, div --- Common sense, don't need an explanation
shl --- Shift to the left, performs a 'binary shift' to the left, which is equivalent to multiplying by 2
shr --- Shift to the right, performs another 'binary shift', which is dividing by 2
Calls:
calls require a bit of a note before I can introduce the actual instructions. Firstly, there are two types of commands, imported, and internal. Secondly, CALL instructions include prologues(the 'call' itself) and epilogues(a 'ret' instruction), which are what make them easily recognizable from a reversing point of view.
call codeaddress --- Sample of an internal function, where it will jump to the written address
call DWORD PTR [pointer] --- Sample of an external function, pointers are above the scope of this article, however it is enough to understand that it will jump to the code that the pointer points to, not the address of the pointer itself.
Registers:
If assembly language code were to access RAM every time it needed to store a variable or a value, then programs would run horrendously slow. To counter this, CPUs have their own internal memory, called registers. Typical IA-32 processors have 8 registers, all of which are generic. The functions of ESI, EDI, EBP, and ESP are unfortunately outside the scope of this article, however here is a list of those 8, and a list of their general use:
EAX, EBX, EDX --- Used for any integer/boolean/logical/memory operations
ECX --- Sometimes used as a counter, as those used in loops
ESI/EDI --- Used as source/destination pointers
EBP --- Used as a stack base counter
ESP --- Used as the CPU stack pointer
----------------
Logic: Branching
----------------
Ok, now that we've gotten the basics out of the way, let's move on to the actual logic. Ever wonder how high-level language statements are represented in assembly language? no? Well what are you doing reading this article! Suffice to say, assembly language is represented much more abstractly, and sometimes it may not be easy to recognize the similarities. However, I will attempt clarify the ambiguity, allowing you to recognize patterns, and then reconstruct the high-level code from the assembly language code.
** Single Branching **
Single branching refers to a fork, where when code reaches a point, it will either go in one direction, or the other. This is represented in high-level programming with an 'if' statement.
-- The high level representation --
if (variable == 10)
CallFunction();
-- Assembly language representation --
mov eax, [variable] ---> moves variable into eax
cmp eax, 10 ---> compares value with 10
jne Afterfunction ---> jumps to Afterfunction if not equal
call Function
Afterfunction ---> section it jumps to if not equal
As you can see, the code moves our inputted variable into eax, then will cmp eax with 10. Now if they are equal it will skip over the jne, and move to 'call Function', which will call up our function. If they are NOT equal however, once the code reaches 'jne Afterfunction', it will see that they are not equal, and jump to 'Afterfunction'.
** Two Way Conditional Branching **
Two way conditionals are similar to single branching. They are represented by an if-else statement in high-level coding.
-- The high level representation --
if (variable == 10)
Function();
else
OtherFunction();
-- Assembly language representation --
mov eax, [variable]
cmp eax, 10
jne OtherFunction
call Function
jmp AfterIfElse
call OtherFunction
AfterIfElse...
A quick summary about the assembly code: Moves our variable into eax, then compares it to 10. If it is not equal to 10, it will jump to 'call OtherFunction', which calls the respected function and then exits the conditional section. If it is equal to 10, it does not jump, moves on to 'call Function', which again calls the respected Function, then after the function is complete, returns, and unconditionally jumps out of the conditional section.
** Multiple-Alternative Branching **
This is essentially the same as two way, just instead of an else, it would be an else-if. I will therefore quickly go over this one and skip the summary.
-- The high level representation --
if (variable == 10)
Function();
else if (variable == 365)
OtherFunction();
-- Assembly language representation --
mov eax, [variable]
cmp eax, 10
jne OtherFunction
call Function
jmp Afterfunction
cmp eax, 365 ---> Where 'jne Otherfunction' jumps to
jne Afterfunction
call OtherFunction
Afterfunction...
** Compound Conditional Branching **
Compound Conditionals refer to when more than one condition must be satisfied before the condition is s
-- The high level representation --
if (variable == 10 &&
variable2 == 50)
Function();
-- Assembly language representation --
cmp [variable], 100
jne Afterfunction
cmp [variable2], 50
jne Afterfunction
call Function
Afterfunction...
The same kind of conditional can be built using OR's instead of AND's.
-- The high level representation --
if (variable == 10 ||
variable2 == 50)
Function();
-- Assembly language representation --
cmp [variable], 10
je Function
cmp [variable2], 50
je Function
jump Afterfunction
call Function
Afterfunction...
As you can see, the code checks if the first variable equals 10, and if it does, jumps to the 'call Function', disregarding the second variable. If, however, the first variable does not equal 10, then the code immediately check the second variable to see if it equals 50. If it is, it then jumps to the 'call Function'. Otherwise it then unconditionally jumps to after the function at Afterfunction.
-----------
Logic:Loops
-----------
Loops are an essential part of programming. Loops are essentially the same as the code we have been watching except that the code gets repeated. There are essentially two types of loops, Pre-tested loops, and Post-tested loops. As their names indicate, pre-tested check the conditions before the code is executed, and post-tested execute the code first, then check the conditions.
** Pre-Tested Loop **
Pre-tested loops are slightly less efficient then post-tested loops in the fact that they need two jumps: a conditional branch in the beginning, and an unconditional jump at the end that jumps back to the beginning.
-- The high level representation --
a = 0
while (a < 100)
{
array[a] = a;
c++;
}
-- Assembly language representation --
mov ecx, DWORD PTR [array]
xor eax,eax ---> xor's eax to zero
mov DWORD PTR [ecx+eax*4], eax ----> beginning of loop
add eax, 1
cmp eax, 100
jl ------------------> Jumps to beginning of loop if lower then 100
Ok, this code needs a bit of explaining. Firstly, you might be wondering why the conditional is at the beginning in the high-level code, yet at the end of the assembly language code? That is actually due to the compiler. It is slightly more efficient to put the test at the end of the code, since it will not require an unconditional JMP, so the compiler moved it there. I will go more in-depth later in the article. What the code is doing is firstly XORing eax, which is setting it to zero. Then the code will execute the loop, ADD 1 to eax, which is our counter. It will then CMP our counter to 100, and if it is less it will jump back to the beginning of the loop, essentially continuing until it reaches 100, where it will then exit the loop.
** Post-Tested Loop **
If a compiler already produces a post-tested loop from a pre-tested loop, you may be asking yourself what the compiler will do with a post-tested loop. If you answered "They would essentially be the same" you are right! The compiler basically re-arranges the code to make it the most efficient. So a sample would look like:
-- The high level representation --
c=1;
do
{
array[a] = c;
c++;
} while (c < 100);
-- Assembly language representation --
mov ecx, DWORD PTR [array]
mov DWORD PTR [ecx+eax*4], eax ----> beginning of loop
add eax, 1
cmp eax, 100
jl ------------------> Jumps if lower then 100
As you can see the only difference is that there is no XORing involved in the post-tested. Since the Pre-tested loop's conditional statement was moved to the end, the compiler added the XOR function to make sure 'a' was within the boundaries of the conditional. The only difference with the post-tested is that in the post-tested the code will run at least once, no matter what a is set as, therefore there is no need to modify a.
----------
Efficiency
----------
The code you have seen so far in this article is only one of many ways of interpreting a high-level language. The style is mostly dependent on the compiler you use, however most compilers will strive to achieve the highest efficiency. Efficiency can be accomplished by either generating the smallest possible program binaries, or the most high high-performance code possible. In this section I'll give examples of such Optimization.
Mathematically:
Multiplication and Division are considered 'Complex' operations by the CPU. To compensate for that, the CPU will perform a series of 'Simpler' operations. Although there may be many more operations to get the equivalent result, the net result will still be faster than the slower multiplication and division.
** Multiplication **
A sample of multiplying a variable by 32 in an efficient way:
lea eax, DWORD PTR [edx+edx] ----> lea is what the processor uses to make quick additions and shifts
add eax, eax
add eax, eax
add eax, eax
add eax, eax
As you can see, the first line will add your variable which is stored in edx with itself, then store the result in eax. Then the code will add eax with itself 4 times, resulting in 32 times the original edx value.
** Division **
Division is by far the slowest of the arithmical operations of a processor. Division is upwards 50 cycles slower then Addition and Subtraction, each of which is less than 1 cycle. As a result, the CPU treats divisions differently and attempts to streamline this operation using 'Reciprocal Division'. This is not ALWAYS possible, as is the case with unknown divisors, however whenever possible, reciprocal division is sought after. An example of a typical reciprocal-division that is dividing our value by 3 is:
mov ecx, eax ---> moves our number into ecx
mov eax ,0xaaaaaaab ---> moves 2/3 into eax
mul ecx ---> multiplies ecx by eax, so our value * (2/3)
shr edx, 2 ---> then divides our value by 2, so value * (2/3) / 2 = value * (1/3)
mov eax, edx ---> then moves our divided value back into eax
What is that 0xaaaaaab you might be asking? Well that is how Reciprocal-Division is used. In the above code, the function is dividing the value by 3. It is combining a reciprocal 0xaaaaaab, whose value in fractional is 2/3, with another divisor of 2, which comes out to being divided by 3. (2/3) / 2 = (1/3). Combining a fraction with a simple divisor, such as a binary shift, the CPU can create a division as efficiently as possible.
Branching Optimization:
** Branching **
Optimization and efficiency aren't only restricted to mathematical operations. Code segments such as branching can also be modified to operate more efficiently. The following is an example of more efficient/less efficient using a simple IF-OR statement like the one shown earlier in the article.
--- less efficient ---
cmp [variable], 10
je Function
cmp [variable2], 365
je Function
jmp Afterfunction
Call Function
Afterfunction...
--- more efficient ---
cmp [variable], 100
je Function
cmp [variable2], 365
jne Afterfunction
call Function
Afterfunction...
As you can see both codes execute the same branching conditional, however the section on the right has less instructions, and is therefore more efficient. The same can be said for pretty much all sections of code, there is almost always a way to make the code more efficient.
And that's it for the first installation. Hopefully you all enjoyed it. Comments and suggestions are welcome. Until next time,
padraignix
Saturday, August 20, 2011
FirstPost
Ironically my first post will consist of me sending you to a hundred other sites...
Let me explain. I am one for giving credit where it is due, so in effect thats what i intend to do with my first post here. Im gonna suggest places that have helped me along the way. I will try to keep them somewhat organized, but some of them may end up not having a perfect spot.
I want to take this opportunity to thank all those who helped me along the way, thanks to those who have dealt with my maniac addiction to Network Security, and the like. I may have annoyed you, and i may still be annoying you, with questions followed by more and more questions...but know this, it does not go unappreciated.
Network scanning and enumeration:
http://nmap.org/
Nmap Cheat Sheet
That says it all, very useful.
http://www.unicornscan.org/
Another great tool for network enumeration.
Buffer Overflows:
This has recently become my favorite topic of research/conversation.
http://en.wikipedia.org/wiki/Buffer_overflow
So you can get an idea of what a buffer overflow really is.
http://en.wikipedia.org/wiki/Assembly_language
Your definately gonna need atleast a minor grasp of assembly.
http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
And this is where the fun starts. This guy Lupin, has put out some good guides and has even created a "Vulnerable Server" especially for people to use for training. Give his blog a nice spot on you BookMarks tab. Youll be pleased you did.
http://www.tenouk.com/Bufferoverflowc/stackbasedbufferoverflow.html
Another great spot to learn a few things.
http://www.hackerscenter.com/index.php?/Downloads/Library/Application-Security/View-category.html
Another amazing resource.
Things your gonna need and how to use them.
http://www.immunityinc.com/products-immdbg.shtml
Immunity Debugger, this is my personal favorite. But try to play around with a few and find which you like the best.
http://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/
Good place to learn some of the usage and options that come along with Immunity
http://www.ollydbg.de/
Another option instead of Immuntiy.
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Corelan has a whole series of tutorials devoted to Exploit writing. I suggest you nestle this into your bookmarks. I personally am constantly going back to find something else useful that i had missed before.
And i could not go on without mentioning SecurityTube.net not only does Vivek have an entire video series devoted to Buffer Overflows, but also many other things. I will link to his site several times.
http://www.securitytube.net/groups?operation=view&groupId=7
ShellCode
Your gonna need some shell code around to get your exploit on. So load up, here is some places to start. Also dont forget, you can generate shell code through msfpayload / msfencode.
http://www.shell-storm.org/shellcode/
http://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
Another great tutorial from Corelan
http://projectshellcode.com/?q=node/12
An entire Database for dedicated to shell code.
Metasploit
I believe it was HD Moore who said that Metasploit is the fastest way to go from boot to remote root. That statement is so true. This is a great framework. So useful with its Auxiliary modules, exploitation modules, and post exploitation. Tis amazing! I would suggest getting to know the framework very well.
http://metasploit.com/
Metasploit is available for Windows and Linux variations. I suggest spending a bit of time here.
http://www.securitytube.net/groups?operation=view&groupId=8
Again i link to Securitytube.net, this is another entire series that Vivek has put together on Metasploit, from basic commands and scanning to post exploitation and cleanup.
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
Offensive-security has put out a great and free resource for getting your feet wet with Metasploit. Check it out. While your there, browse over to the training courses that Muts offers there.
http://www.irongeek.com/i.php?page=videos/metasploit-class
This is Adrian Crenshaws website, he and Relik, pureh@te and some others put on a free training session. And now there also giving out the videos from it. This link will take you to the options for download or streaming. I recommend checking it out. He has some great guides and tutorials.
ReverseEngineering
Vivek makes another appearance on my list of places to visit.
http://www.securitytube.net/video/572
http://www.woodmann.com/crackz/
Everything Reverse Engineering
http://pentest.cryptocity.net/reverse-engineering/
For those of us who like videos.
http://tuts4you.com/download.php?list.17
An entire database of Reverse Engineering tuts. Also, i need to mention if you download the reversing with Lena pack. There are several "CrackMe" programs along with the interactive tutorials to test you new found skills on.
Exploit Databases
Your going to need a friend to call on when you need to know if a particular service or piece of software is vulnerable...heres a list of friends to put in for all your phone-a-friend needs.
http://www.exploit-db.com/
Great place to start looking for your vulnerable software. Also sometimes there is an option to download the exploitable software or the like to aid in the exploit development process.
http://packetstormsecurity.org/files/tags/exploit/
Another place to look...
http://www.cvedetails.com/
For the more professional hacker in you.
http://itunes.apple.com/app/iassurance/id351884692?mt=8
An iphone app for searching down vulnerabilities even while on the move.
Fuzzing
http://www.fuzzware.net/tutorial-1-basic-fuzzing
To start you off with your fuzzing needs.
http://www.thetazzone.com/tutorial-application-fuzzing/
Some more fuzzing resources.
http://peachfuzzer.com/TutorialNetworkServer
For learning to fuzz with Peach. Although not yet officially supported this is useable on Backtrack by using Wine.
https://www.owasp.org/index.php/Fuzzing_with_WebScarab
OWASP put out a great resource for using WebScarab to fuzz. Check it out.
http://www.youtube.com/watch?v=6sooEScW07Y
A good little video explaining usage of the Sulley fuzzing framework.
Vulnerable By Design
After you have learned all these nasty skills, you need a place to put it into action. You need to train for war without going to jail. Here is how. Vulnerable by design, these are VMs that you can run inside VMWare or VirtualBox, or even boot as live CD...then attack attack attack, without harming your system. These are great.
http://g0tmi1k.blogspot.com/2011/03/vulnerable-by-design.html
This is g0tmi1ks blog, this link will take you directly to the his vulnerable by design post. I have yet to find anything as extensive a collection as his. Please stick around on his site for his videos on exploiting the VMs and many other things.
http://samhacked.blogspot.com/2011/07/pentest-lab-vulnerable-servers.html
Another quick selection of vulnerable by design live CDs and VMs.
http://www.thoughtpolice.co.uk/
This is a HUGE selection of VMs in case you want to make your own vulnerable by design or just need a virtual machine to fool with.
Places i visit often and or find interesting.
http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3
Want to avoid anti-virus. irongeek has an amazing tutorial for this. Forget buying crypters or paying for the service. Learn it yourself.
http://www.secmaniac.com/
I havent mentioned the social engineering toolkit as of yet. But here is the blog from the man who designed it. Certainly worth checking out. Also quick side not, he is co-sponsoring DerbyCon in lousiville late this year. Here is a link to the details.
http://www.derbycon.com/
Make sure that you glance at the presenters. Its a star lineup and sure to be a great event.
http://www.offensive-security.com/
This is a great place to continue your education into pentesting, make sure you check out the online and live training options.
http://www.backtrack-linux.org/forums/
Backtrack linux forums is a wealth of knowledge. Make sure to get yourself an account and add to the community.
http://www.backtrack-linux.org/downloads/
For download backtrack 5. Great pentesting OS, so much so it has replaced my main operating system.
http://www.backtrack-linux.org/wiki/index.php/Main_Page
Think Wikapedia except for all things Backtrack. Woot
Python
http://en.wikibooks.org/wiki/Subject:Python_programming_language
Im knee deep in Python on a daily basis. Heres where i go for all things Python.
http://learnpythonthehardway.org/book/
And
http://www.onlinecomputerbooks.com/free-python-books.php
And I strongly recommend this book.
http://oreilly.com/catalog/9781593271923
A great post for privilege escalation in Linux.
http://g0tmi1k.blogspot.com/2011/08/basic-linux-privilege-escalation.html
A video showing how to use Metasploit as a payload for your post exploitation exploitations.
http://www.securitytube.net/video/711
Several good YouTube videos on different aspects of penetration testing.
http://www.youtube.com/user/xsploitedsecurity
A ton of videos of Defcon, Schmoocon, BlackHat, etc etc presentations. A very extensive list. I would bookmark this as its not only educational, but very entertaining.
http://www.youtube.com/user/ChRiStIaAn008
A few more books i can recommend:
http://www.amazon.com/Kingpin-Hacker-Billion-Dollar-Cybercrime-Underground/dp/0307588688
If you want an exciting book to read, thats also teaching you a few things along the way. Then this book is for you. Written by Kevin Poulsen who is a reformed hacker himself and currently runs a blog over at Wired.com Its always a good read. Check it out at:
http://www.wired.com/threatlevel/
Recently Relik, Muts, Jim Gorman, and Devon Kearns released this book, its very informative. Get it here:
http://nostarch.com/metasploit.htm
Download a sample chapter here:
http://www.nostarch.com/download/metasploit_ch8.pdf
Download the vulnerable examples discussed in the book here:
http://www.secmaniac.com/files/nostarch1.zip
Now this is not a complete or perfect list. Although I will be editing and adding to as things progress, it will never fit perfectly for all your needs. I encourage you to research research research. You will learn so much on the quest to find that one small nugget of info your looking for. And for that i give you this final link,
http://www.google.com
Myself and my cohort Padraignix will be adding content, and there will certainly be our own tutorials and guides. But we will not be providing a step-by-script-kiddie-step tutorial. With copy and paste remote exploit potential. We will be doing our best to keep this informational and professional. Saying that, I would like to invite anyone to comment, correct me in any place i was wrong. If you would like to see your site and or tutorial on here, just let us know and we will make it happen. Also if anyone has any great resources of web-app testing, please let me know. As i have not dealt with this much. Thanks for reading...
pop
pop
ret g11tch
Let me explain. I am one for giving credit where it is due, so in effect thats what i intend to do with my first post here. Im gonna suggest places that have helped me along the way. I will try to keep them somewhat organized, but some of them may end up not having a perfect spot.
I want to take this opportunity to thank all those who helped me along the way, thanks to those who have dealt with my maniac addiction to Network Security, and the like. I may have annoyed you, and i may still be annoying you, with questions followed by more and more questions...but know this, it does not go unappreciated.
Network scanning and enumeration:
http://nmap.org/
Nmap Cheat Sheet
That says it all, very useful.
http://www.unicornscan.org/
Another great tool for network enumeration.
Buffer Overflows:
This has recently become my favorite topic of research/conversation.
http://en.wikipedia.org/wiki/Buffer_overflow
So you can get an idea of what a buffer overflow really is.
http://en.wikipedia.org/wiki/Assembly_language
Your definately gonna need atleast a minor grasp of assembly.
http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
And this is where the fun starts. This guy Lupin, has put out some good guides and has even created a "Vulnerable Server" especially for people to use for training. Give his blog a nice spot on you BookMarks tab. Youll be pleased you did.
http://www.tenouk.com/Bufferoverflowc/stackbasedbufferoverflow.html
Another great spot to learn a few things.
http://www.hackerscenter.com/index.php?/Downloads/Library/Application-Security/View-category.html
Another amazing resource.
Things your gonna need and how to use them.
http://www.immunityinc.com/products-immdbg.shtml
Immunity Debugger, this is my personal favorite. But try to play around with a few and find which you like the best.
http://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/
Good place to learn some of the usage and options that come along with Immunity
http://www.ollydbg.de/
Another option instead of Immuntiy.
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Corelan has a whole series of tutorials devoted to Exploit writing. I suggest you nestle this into your bookmarks. I personally am constantly going back to find something else useful that i had missed before.
And i could not go on without mentioning SecurityTube.net not only does Vivek have an entire video series devoted to Buffer Overflows, but also many other things. I will link to his site several times.
http://www.securitytube.net/groups?operation=view&groupId=7
ShellCode
Your gonna need some shell code around to get your exploit on. So load up, here is some places to start. Also dont forget, you can generate shell code through msfpayload / msfencode.
http://www.shell-storm.org/shellcode/
http://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
Another great tutorial from Corelan
http://projectshellcode.com/?q=node/12
An entire Database for dedicated to shell code.
Metasploit
I believe it was HD Moore who said that Metasploit is the fastest way to go from boot to remote root. That statement is so true. This is a great framework. So useful with its Auxiliary modules, exploitation modules, and post exploitation. Tis amazing! I would suggest getting to know the framework very well.
http://metasploit.com/
Metasploit is available for Windows and Linux variations. I suggest spending a bit of time here.
http://www.securitytube.net/groups?operation=view&groupId=8
Again i link to Securitytube.net, this is another entire series that Vivek has put together on Metasploit, from basic commands and scanning to post exploitation and cleanup.
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
Offensive-security has put out a great and free resource for getting your feet wet with Metasploit. Check it out. While your there, browse over to the training courses that Muts offers there.
http://www.irongeek.com/i.php?page=videos/metasploit-class
This is Adrian Crenshaws website, he and Relik, pureh@te and some others put on a free training session. And now there also giving out the videos from it. This link will take you to the options for download or streaming. I recommend checking it out. He has some great guides and tutorials.
ReverseEngineering
Vivek makes another appearance on my list of places to visit.
http://www.securitytube.net/video/572
http://www.woodmann.com/crackz/
Everything Reverse Engineering
http://pentest.cryptocity.net/reverse-engineering/
For those of us who like videos.
http://tuts4you.com/download.php?list.17
An entire database of Reverse Engineering tuts. Also, i need to mention if you download the reversing with Lena pack. There are several "CrackMe" programs along with the interactive tutorials to test you new found skills on.
Exploit Databases
Your going to need a friend to call on when you need to know if a particular service or piece of software is vulnerable...heres a list of friends to put in for all your phone-a-friend needs.
http://www.exploit-db.com/
Great place to start looking for your vulnerable software. Also sometimes there is an option to download the exploitable software or the like to aid in the exploit development process.
http://packetstormsecurity.org/files/tags/exploit/
Another place to look...
http://www.cvedetails.com/
For the more professional hacker in you.
http://itunes.apple.com/app/iassurance/id351884692?mt=8
An iphone app for searching down vulnerabilities even while on the move.
Fuzzing
http://www.fuzzware.net/tutorial-1-basic-fuzzing
To start you off with your fuzzing needs.
http://www.thetazzone.com/tutorial-application-fuzzing/
Some more fuzzing resources.
http://peachfuzzer.com/TutorialNetworkServer
For learning to fuzz with Peach. Although not yet officially supported this is useable on Backtrack by using Wine.
https://www.owasp.org/index.php/Fuzzing_with_WebScarab
OWASP put out a great resource for using WebScarab to fuzz. Check it out.
http://www.youtube.com/watch?v=6sooEScW07Y
A good little video explaining usage of the Sulley fuzzing framework.
Vulnerable By Design
After you have learned all these nasty skills, you need a place to put it into action. You need to train for war without going to jail. Here is how. Vulnerable by design, these are VMs that you can run inside VMWare or VirtualBox, or even boot as live CD...then attack attack attack, without harming your system. These are great.
http://g0tmi1k.blogspot.com/2011/03/vulnerable-by-design.html
This is g0tmi1ks blog, this link will take you directly to the his vulnerable by design post. I have yet to find anything as extensive a collection as his. Please stick around on his site for his videos on exploiting the VMs and many other things.
http://samhacked.blogspot.com/2011/07/pentest-lab-vulnerable-servers.html
Another quick selection of vulnerable by design live CDs and VMs.
http://www.thoughtpolice.co.uk/
This is a HUGE selection of VMs in case you want to make your own vulnerable by design or just need a virtual machine to fool with.
Places i visit often and or find interesting.
http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3
Want to avoid anti-virus. irongeek has an amazing tutorial for this. Forget buying crypters or paying for the service. Learn it yourself.
http://www.secmaniac.com/
I havent mentioned the social engineering toolkit as of yet. But here is the blog from the man who designed it. Certainly worth checking out. Also quick side not, he is co-sponsoring DerbyCon in lousiville late this year. Here is a link to the details.
http://www.derbycon.com/
Make sure that you glance at the presenters. Its a star lineup and sure to be a great event.
http://www.offensive-security.com/
This is a great place to continue your education into pentesting, make sure you check out the online and live training options.
http://www.backtrack-linux.org/forums/
Backtrack linux forums is a wealth of knowledge. Make sure to get yourself an account and add to the community.
http://www.backtrack-linux.org/downloads/
For download backtrack 5. Great pentesting OS, so much so it has replaced my main operating system.
http://www.backtrack-linux.org/wiki/index.php/Main_Page
Think Wikapedia except for all things Backtrack. Woot
Python
http://en.wikibooks.org/wiki/Subject:Python_programming_language
Im knee deep in Python on a daily basis. Heres where i go for all things Python.
http://learnpythonthehardway.org/book/
And
http://www.onlinecomputerbooks.com/free-python-books.php
And I strongly recommend this book.
http://oreilly.com/catalog/9781593271923
A great post for privilege escalation in Linux.
http://g0tmi1k.blogspot.com/2011/08/basic-linux-privilege-escalation.html
A video showing how to use Metasploit as a payload for your post exploitation exploitations.
http://www.securitytube.net/video/711
Several good YouTube videos on different aspects of penetration testing.
http://www.youtube.com/user/xsploitedsecurity
A ton of videos of Defcon, Schmoocon, BlackHat, etc etc presentations. A very extensive list. I would bookmark this as its not only educational, but very entertaining.
http://www.youtube.com/user/ChRiStIaAn008
A few more books i can recommend:
http://www.amazon.com/Kingpin-Hacker-Billion-Dollar-Cybercrime-Underground/dp/0307588688
If you want an exciting book to read, thats also teaching you a few things along the way. Then this book is for you. Written by Kevin Poulsen who is a reformed hacker himself and currently runs a blog over at Wired.com Its always a good read. Check it out at:
http://www.wired.com/threatlevel/
Recently Relik, Muts, Jim Gorman, and Devon Kearns released this book, its very informative. Get it here:
http://nostarch.com/metasploit.htm
Download a sample chapter here:
http://www.nostarch.com/download/metasploit_ch8.pdf
Download the vulnerable examples discussed in the book here:
http://www.secmaniac.com/files/nostarch1.zip
Now this is not a complete or perfect list. Although I will be editing and adding to as things progress, it will never fit perfectly for all your needs. I encourage you to research research research. You will learn so much on the quest to find that one small nugget of info your looking for. And for that i give you this final link,
http://www.google.com
Myself and my cohort Padraignix will be adding content, and there will certainly be our own tutorials and guides. But we will not be providing a step-by-script-kiddie-step tutorial. With copy and paste remote exploit potential. We will be doing our best to keep this informational and professional. Saying that, I would like to invite anyone to comment, correct me in any place i was wrong. If you would like to see your site and or tutorial on here, just let us know and we will make it happen. Also if anyone has any great resources of web-app testing, please let me know. As i have not dealt with this much. Thanks for reading...
pop
pop
ret g11tch
Subscribe to:
Posts (Atom)