Jon Erickson
PRAISE FOR THE FIRST EDITION OF
HACKING: THE ART OF EXPLOITATION
“Most complete tutorial on hacking techniques. Finally a book that does not
just show how to use the exploits but how to develop them.”
—PHRACK
“From all the books I’ve read so far, I would consider this the seminal hackers handbook.”
—SECURITY FORUMS
“I recommend this book for the programming section alone.”
—UNIX REVIEW
“I highly recommend this book. It is written by someone who knows of what he speaks, with usable code, tools and examples.”
—IEEE CIPHER
“Erickson’s book, a compact and no-nonsense guide for novice hackers, is filled with real code and hacking techniques and explanations of how they work.”
—COMPUTER POWER USER (CPU) MAGAZINE
“This is an excellent book. Those who are ready to move on to [the next level] should pick this book up and read it thoroughly.”
—ABOUT.COM INTERNET/NETWORK SECURITY
The goal of this book is to share the art of hacking with everyone. Understanding hacking techniques is often difficult, since it requires both breadth and depth of knowledge. Many hacking texts seem esoteric and confusing because of just a few gaps in this prerequisite education. This second edition of Hacking: The Art of Exploitation makes the world of hacking
more accessible by providing the complete picture—from programming to machine code to exploitation. In addition, this edition features a bootable LiveCD based on Ubuntu Linux that can be used in any computer with an x86 processor, without modifying the computer’s existing OS. This CD contains all the source code in the book and provides a development and
exploitation environment you can use to follow along with the book’s
examples and experiment along the way.
ACKNOWLEDGMENTS
I would like to thank Bill Pollock and everyone else at No Starch Press for making this book a possibility and allowing me to have so much creative control in the process. Also, I would like to thank my friends Seth Benson and Aaron Adams for proofreading and editing, Jack Matheson for helping me with assembly, Dr. Seidel for keeping me interested in the science of computer science, my
parents for buying that first Commodore VIC-20, and the hacker community
for the innovation and creativity that produced the techniques explained in this book.
0x100
Introduction
The idea of hacking may conjure stylized images of
electronic vandalism, espionage, dyed hair, and body
piercings. Most people associate hacking with breaking
the law and assume that everyone who engages in hacking
activities is a criminal. Granted, there are people out
there who use hacking techniques to break the law, but hacking isn’t really
about that. In fact, hacking is more about following the law than breaking it.
The essence of hacking is finding unintended or overlooked uses for the
laws and properties of a given situation and then applying them in new and
inventive ways to solve a problem—whatever it may be.
The following math problem illustrates the essence of hacking:
Use each of the numbers 1, 3, 4, and 6 exactly once with any
of the four basic math operations (addition, subtraction,
multiplication, and division) to total 24. Each number must be
used once and only once, and you may define the order of
operations; for example, 3 * (4 + 6) + 1 = 31 is valid, however
incorrect, since it doesn’t total 24.
The rules for this problem are well defined and simple, yet the answer
eludes many. Like the solution to this problem (shown on the last page of
this book), hacked solutions follow the rules of the system, but they use those
rules in counterintuitive ways. This gives hackers their edge, allowing them to
solve problems in ways unimaginable for those confined to conventional
thinking and methodologies.
Since the infancy of computers, hackers have been creatively solving
problems. In the late 1950s, the MIT model railroad club was given a donation
of parts, mostly old telephone equipment. The club’s members used this
equipment to rig up a complex system that allowed multiple operators to control
different parts of the track by dialing in to the appropriate sections. They
called this new and inventive use of telephone equipment hacking; many
people consider this group to be the original hackers. The group moved on
to programming on punch cards and ticker tape for early computers like the
IBM 704 and the TX-0. While others were content with writing programs that
just solved problems, the early hackers were obsessed with writing programs
that solved problems well. A new program that could achieve the same result
as an existing one but used fewer punch cards was considered better, even
though it did the same thing. The key difference was how the program
achieved its results—elegance.
Being able to reduce the number of punch cards needed for a program
showed an artistic mastery over the computer. A nicely crafted table can hold
a vase just as well as a milk crate can, but one sure looks a lot better than the
other. Early hackers proved that technical problems can have artistic solutions,
and they thereby transformed programming from a mere engineering
task into an art form.
Like many other forms of art, hacking was often misunderstood. The few
who got it formed an informal subculture that remained intensely focused
on learning and mastering their art. They believed that information should
be free and anything that stood in the way of that freedom should be circumvented.
Such obstructions included authority figures, the bureaucracy of
college classes, and discrimination. In a sea of graduation-driven students,
this unofficial group of hackers defied conventional goals and instead pursued
knowledge itself. This drive to continually learn and explore transcended
even the conventional boundaries drawn by discrimination, evident in the
MIT model railroad club’s acceptance of 12-year-old Peter Deutsch when
he demonstrated his knowledge of the TX-0 and his desire to learn. Age,
race, gender, appearance, academic degrees, and social status were not
primary criteria for judging another’s worth—not because of a desire for
equality, but because of a desire to advance the emerging art of hacking.
The original hackers found splendor and elegance in the conventionally
dry sciences of math and electronics. They saw programming as a form of
artistic expression and the computer as an instrument of that art. Their desire
to dissect and understand wasn’t intended to demystify artistic endeavors; it
was simply a way to achieve a greater appreciation of them. These knowledge-driven
values would eventually be called the Hacker Ethic: the appreciation
of logic as an art form and the promotion of the free flow of information,
surmounting conventional boundaries and restrictions for the simple goal of
better understanding the world. This is not a new cultural trend; the
Pythagoreans in ancient Greece had a similar ethic and subculture, despite
not owning computers. They saw beauty in mathematics and discovered many
core concepts in geometry. That thirst for knowledge and its beneficial byproducts
would continue on through history, from the Pythagoreans to Ada
Lovelace to Alan Turing to the hackers of the MIT model railroad club.
Modern hackers like Richard Stallman and Steve Wozniak have continued
the hacking legacy, bringing us modern operating systems, programming
languages, personal computers, and many other technologies that we use every day.
How does one distinguish between the good hackers who bring us the
wonders of technological advancement and the evil hackers who steal our
credit card numbers? The term cracker was coined to distinguish evil hackers
from the good ones. Journalists were told that crackers were supposed to be
the bad guys, while hackers were the good guys. Hackers stayed true to the
Hacker Ethic, while crackers were only interested in breaking the law and
making a quick buck. Crackers were considered to be much less talented
than the elite hackers, as they simply made use of hacker-written tools and
scripts without understanding how they worked. Cracker was meant to be the
catch-all label for anyone doing anything unscrupulous with a computer—
pirating software, defacing websites, and worst of all, not understanding what
they were doing. But very few people use this term today.
The term’s lack of popularity might be due to its confusing etymology—
cracker originally described those who crack software copyrights and reverse
engineer copy-protection schemes. Its current unpopularity might simply
result from its two ambiguous new definitions: a group of people who engage
in illegal activity with computers or people who are relatively unskilled hackers.
Few technology journalists feel compelled to use terms that most of their
readers are unfamiliar with. In contrast, most people are aware of the mystery
and skill associated with the term hacker, so for a journalist, the decision to
use the term hacker is easy. Similarly, the term script kiddie is sometimes used
to refer to crackers, but it just doesn’t have the same zing as the shadowy
hacker. There are some who will still argue that there is a distinct line between
hackers and crackers, but I believe that anyone who has the hacker spirit is a
hacker, despite any laws he or she may break.
The current laws restricting cryptography and cryptographic research
further blur the line between hackers and crackers. In 2001, Professor Edward
Felten and his research team from Princeton University were about to publish
a paper that discussed the weaknesses of various digital watermarking schemes.
This paper responded to a challenge issued by the Secure Digital Music
Initiative (SDMI) in the SDMI Public Challenge, which encouraged the
public to attempt to break these watermarking schemes. Before Felten and
his team could publish the paper, though, they were threatened by both the
SDMI Foundation and the Recording Industry Association of America (RIAA).
The Digital Millennium Copyright Act (DMCA) of 1998 makes it illegal to
discuss or provide technology that might be used to bypass industry consumer
controls. This same law was used against Dmitry Sklyarov, a Russian
computer programmer and hacker. He had written software to circumvent
overly simplistic encryption in Adobe software and presented his findings at a
hacker convention in the United States. The FBI swooped in and arrested
him, leading to a lengthy legal battle. Under the law, the complexity of the
industry consumer controls doesn’t matter—it would be technically illegal to
reverse engineer or even discuss Pig Latin if it were used as an industry consumer
control. Who are the hackers and who are the crackers now? When
laws seem to interfere with free speech, do the good guys who speak their
minds suddenly become bad? I believe that the spirit of the hacker transcends
governmental laws, as opposed to being defined by them.
The sciences of nuclear physics and biochemistry can be used to kill,
yet they also provide us with significant scientific advancement and modern
medicine. There’s nothing good or bad about knowledge itself; morality lies
in the application of knowledge. Even if we wanted to, we couldn’t suppress
the knowledge of how to convert matter into energy or stop the continued
technological progress of society. In the same way, the hacker spirit can
never be stopped, nor can it be easily categorized or dissected. Hackers will
constantly be pushing the limits of knowledge and acceptable behavior,
forcing us to explore further and further.
Part of this drive results in an ultimately beneficial co-evolution of
security through competition between attacking hackers and defending
hackers. Just as the speedy gazelle adapted from being chased by the cheetah,
and the cheetah became even faster from chasing the gazelle, the competition
between hackers provides computer users with better and stronger
security, as well as more complex and sophisticated attack techniques. The
introduction and progression of intrusion detection systems (IDSs) is a prime
example of this co-evolutionary process. The defending hackers create IDSs
to add to their arsenal, while the attacking hackers develop IDS-evasion
techniques, which are eventually compensated for in bigger and better IDS
products. The net result of this interaction is positive, as it produces smarter
people, improved security, more stable software, inventive problem-solving
techniques, and even a new economy.
The intent of this book is to teach you about the true spirit of hacking.
We will look at various hacker techniques, from the past to the present,
dissecting them to learn how and why they work. Included with this book is
a bootable LiveCD containing all the source code used herein as well as a
preconfigured Linux environment. Exploration and innovation are critical
to the art of hacking, so this CD will let you follow along and experiment on
your own. The only requirement is an x86 processor, which is used by all
Microsoft Windows machines and the newer Macintosh computers—just
insert the CD and reboot. This alternate Linux environment will not disturb
your existing OS, so when you’re done, just reboot again and remove the CD.
This way, you will gain a hands-on understanding and appreciation for hacking
that may inspire you to improve upon existing techniques or even to invent
new ones. Hopefully, this book will stimulate the curious hacker nature in you
and prompt you to contribute to the art of hacking in some way, regardless of
which side of the fence you choose to be on.
Product details

| Price | |
|---|---|
| File Size | 6,666 KB |
| Pages | 492 p |
| File Type | PDF format |
| ISBN-10 | 1-59327-144-1 |
| ISBN-13 | 978-1-59327-144-2 |
| Copyright | 2008 by Jon Erickson |
BRIEF CONTENTS
Preface ................................................................... xi
Acknowledgments ................................................... xii
0x100 Introduction ...............................................1
0x200 Programming ...........................................5
0x300 Exploitation ............................................115
0x400 Networking ...........................................195
0x500 Shellcode ..............................................281
0x600 Countermeasures....................................319
0x700 Cryptology ............................................393
0x800 Conclusion ............................................451
Index ...............................................................455
CONTENTS IN DETAIL
PREFACE xi
ACKNOWLEDGMENTS xii
0x100 INTRODUCTION 1
0x200 PROGRAMMING 5
0x210 What Is Programming? ................................................................................. 6
0x220 Pseudo-code ................................................................................................ 7
0x230 Control Structures ......................................................................................... 8
0x231 If-Then-Else...................................................................................... 8
0x232 While/Until Loops ........................................................................... 9
0x233 For Loops ..................................................................................... 10
0x240 More Fundamental Programming Concepts ................................................... 11
0x241 Variables ..................................................................................... 11
0x242 Arithmetic Operators ..................................................................... 12
0x243 Comparison Operators .................................................................. 14
0x244 Functions...................................................................................... 16
0x250 Getting Your Hands Dirty ............................................................................ 19
0x251 The Bigger Picture ......................................................................... 20
0x252 The x86 Processor ......................................................................... 23
0x253 Assembly Language....................................................................... 25
0x260 Back to Basics............................................................................................ 37
0x261 Strings ......................................................................................... 38
0x262 Signed, Unsigned, Long, and Short ................................................. 41
0x263 Pointers ........................................................................................ 43
0x264 Format Strings............................................................................... 48
0x265 Typecasting .................................................................................. 51
0x266 Command-Line Arguments .............................................................. 58
0x267 Variable Scoping .......................................................................... 62
0x270 Memory Segmentation ................................................................................ 69
0x271 Memory Segments in C .................................................................. 75
0x272 Using the Heap............................................................................. 77
0x273 Error-Checked malloc() ................................................................... 80
0x280 Building on Basics ...................................................................................... 81
0x281 File Access ................................................................................... 81
0x282 File Permissions ............................................................................. 87
0x283 User IDs ....................................................................................... 88
0x284 Structs.......................................................................................... 96
0x285 Function Pointers ......................................................................... 100
0x286 Pseudo-random Numbers ............................................................. 101
0x287 A Game of Chance ..................................................................... 102
0x300 EXPLOITATION 115
0x310 Generalized Exploit Techniques ................................................................. 118
0x320 Buffer Overflows ...................................................................................... 119
0x321 Stack-Based Buffer Overflow Vulnerabilities .................................... 122
0x330 Experimenting with BASH.......................................................................... 133
0x331 Using the Environment.................................................................. 142
0x340 Overflows in Other Segments .................................................................... 150
0x341 A Basic Heap-Based Overflow...................................................... 150
0x342 Overflowing Function Pointers ....................................................... 156
0x350 Format Strings.......................................................................................... 167
0x351 Format Parameters....................................................................... 167
0x352 The Format String Vulnerability...................................................... 170
0x353 Reading from Arbitrary Memory Addresses .................................... 172
0x354 Writing to Arbitrary Memory Addresses ......................................... 173
0x355 Direct Parameter Access ............................................................... 180
0x356 Using Short Writes ...................................................................... 182
0x357 Detours with .dtors....................................................................... 184
0x358 Another notesearch Vulnerability ................................................... 189
0x359 Overwriting the Global Offset Table .............................................. 190
0x400 NETWORKING 195
0x410 OSI Model .............................................................................................. 196
0x420 Sockets ................................................................................................... 198
0x421 Socket Functions.......................................................................... 199
0x422 Socket Addresses ........................................................................ 200
0x423 Network Byte Order .................................................................... 202
0x424 Internet Address Conversion ......................................................... 203
0x425 A Simple Server Example ............................................................. 203
0x426 A Web Client Example ................................................................ 207
0x427 A Tinyweb Server ........................................................................ 213
0x430 Peeling Back the Lower Layers.................................................................... 217
0x431 Data-Link Layer............................................................................ 218
0x432 Network Layer ............................................................................ 220
0x433 Transport Layer ........................................................................... 221
0x440 Network Sniffing ...................................................................................... 224
0x441 Raw Socket Sniffer....................................................................... 226
0x442 libpcap Sniffer ............................................................................ 228
0x443 Decoding the Layers .................................................................... 230
0x444 Active Sniffing............................................................................. 239
0x450 Denial of Service...................................................................................... 251
0x451 SYN Flooding ............................................................................. 252
0x452 The Ping of Death........................................................................ 256
0x453 Teardrop.................................................................................... 256
0x454 Ping Flooding ............................................................................. 257
0x455 Amplification Attacks ................................................................... 257
0x456 Distributed DoS Flooding.............................................................. 258
0x460 TCP/IP Hijacking...................................................................................... 258
0x461 RST Hijacking ............................................................................. 259
0x462 Continued Hijacking .................................................................... 263
0x470 Port Scanning .......................................................................................... 264
0x471 Stealth SYN Scan ........................................................................ 264
0x472 FIN, X-mas, and Null Scans .......................................................... 264
0x473 Spoofing Decoys ......................................................................... 265
0x474 Idle Scanning.............................................................................. 265
0x475 Proactive Defense (shroud)............................................................ 267
0x480 Reach Out and Hack Someone .................................................................. 272
0x481 Analysis with GDB....................................................................... 273
0x482 Almost Only Counts with Hand Grenades ...................................... 275
0x483 Port-Binding Shellcode ................................................................. 278
0x500 SHELLCODE 281
0x510 Assembly vs. C ........................................................................................ 282
0x511 Linux System Calls in Assembly ..................................................... 284
0x520 The Path to Shellcode................................................................................ 286
0x521 Assembly Instructions Using the Stack ............................................ 287
0x522 Investigating with GDB................................................................. 289
0x523 Removing Null Bytes .................................................................... 290
0x530 Shell-Spawning Shellcode.......................................................................... 295
0x531 A Matter of Privilege.................................................................... 299
0x532 And Smaller Still.......................................................................... 302
0x540 Port-Binding Shellcode .............................................................................. 303
0x541 Duplicating Standard File Descriptors............................................. 307
0x542 Branching Control Structures ......................................................... 309
0x550 Connect-Back Shellcode ............................................................................ 314
0x600 COUNTERMEASURES 319
0x610 Countermeasures That Detect ..................................................................... 320
0x620 System Daemons ...................................................................................... 321
0x621 Crash Course in Signals ............................................................... 322
0x622 Tinyweb Daemon ........................................................................ 324
0x630 Tools of the Trade..................................................................................... 328
0x631 tinywebd Exploit Tool................................................................... 329
0x640 Log Files.................................................................................................. 334
0x641 Blend In with the Crowd............................................................... 334
0x650 Overlooking the Obvious .......................................................................... 336
0x651 One Step at a Time ..................................................................... 336
0x652 Putting Things Back Together Again ............................................... 340
0x653 Child Laborers ............................................................................ 346
0x660 Advanced Camouflage ............................................................................. 348
0x661 Spoofing the Logged IP Address .................................................... 348
0x662 Logless Exploitation ..................................................................... 352
0x670 The Whole Infrastructure ........................................................................... 354
0x671 Socket Reuse .............................................................................. 355
0x680 Payload Smuggling .................................................................................. 359
0x681 String Encoding .......................................................................... 359
0x682 How to Hide a Sled..................................................................... 362
0x690 Buffer Restrictions ..................................................................................... 363
0x691 Polymorphic Printable ASCII Shellcode........................................... 366
0x6a0 Hardening Countermeasures...................................................................... 376
0x6b0 Nonexecutable Stack ................................................................................ 376
0x6b1 ret2libc ...................................................................................... 376
0x6b2 Returning into system().................................................................. 377
0x6c0 Randomized Stack Space .......................................................................... 379
0x6c1 Investigations with BASH and GDB ................................................ 380
0x6c2 Bouncing Off linux-gate ................................................................ 384
0x6c3 Applied Knowledge ..................................................................... 388
0x6c4 A First Attempt............................................................................. 388
0x6c5 Playing the Odds......................................................................... 390
0x700 CRYPTOLOGY 393
0x710 Information Theory ................................................................................... 394
0x711 Unconditional Security ................................................................. 394
0x712 One-Time Pads............................................................................ 395
0x713 Quantum Key Distribution............................................................. 395
0x714 Computational Security ................................................................ 396
0x720 Algorithmic Run Time ................................................................................ 397
0x721 Asymptotic Notation .................................................................... 398
0x730 Symmetric Encryption................................................................................ 398
0x731 Lov Grover’s Quantum Search Algorithm........................................ 399
0x740 Asymmetric Encryption .............................................................................. 400
0x741 RSA........................................................................................... 400
0x742 Peter Shor’s Quantum Factoring Algorithm ..................................... 404
0x750 Hybrid Ciphers ........................................................................................ 406
0x751 Man-in-the-Middle Attacks ............................................................ 406
0x752 Differing SSH Protocol Host Fingerprints ......................................... 410
0x753 Fuzzy Fingerprints ....................................................................... 413
0x760 Password Cracking................................................................................... 418
0x761 Dictionary Attacks ....................................................................... 419
0x762 Exhaustive Brute-Force Attacks....................................................... 422
0x763 Hash Lookup Table ...................................................................... 423
0x764 Password Probability Matrix ......................................................... 424
0x770 Wireless 802.11b Encryption .................................................................... 433
0x771 Wired Equivalent Privacy ............................................................. 434
0x772 RC4 Stream Cipher ..................................................................... 435
0x780 WEP Attacks............................................................................................ 436
0x781 Offline Brute-Force Attacks............................................................ 436
0x782 Keystream Reuse ......................................................................... 437
0x783 IV-Based Decryption Dictionary Tables ........................................... 438
0x784 IP Redirection.............................................................................. 438
0x785 Fluhrer, Mantin, and Shamir Attack ............................................... 439
0x800 CONCLUSION 451
0x810 References............................................................................................... 452
0x820 Sources ................................................................................................... 454
INDEX 455