INDEX
Symbols and Numbers
- (minus sign), 55
+ (plus sign), 55
32-bit system, 263
64-bit system, 263
8086 CPU, 114
A
A5/1 stream cipher, 159
A5/2 stream cipher, 159
ABI (application binary interface), 123–124, 259–260
Abstract Syntax Notation 1 (ASN.1), 53–54
accept system call, 123
acknowledgment (DHCP packet), 72
acknowledgment flag (ACK), 41
active network capture, 20, 280–282. See also passive network capture
add() function, 124
ADD instruction, 115
add_longs() method, 198
add_numbers() method, 197
Address Resolution Protocol (ARP), 6–7, 74–77
addresses, 4
32-bit, 5
destination, 5
source, 5
address space layout randomization (ASLR)
bypassing with partial overwrites, 272–273
exploiting implementation flaws in, 271–272
memory information disclosure vulnerabilities, 270–271
Adleman, Leonard, 160
Advanced Encryption Standard (AES), 133, 150, 152
AJAX (Asynchronous JavaScript and XML), 57
algorithms
cryptographic hashing, 164–165
Diffie–Helman Key Exchange, 162–164
hash, 165
key-scheduling, 151
message digest (MD), 164
MD4, 165
secure hashing algorithm (SHA), 164, 202
SHA-2, 165
SHA-3, 168
signature, 146
asymmetric, 165
cryptographic hashing algorithms, 164–165
message authentication codes, 166–168
symmetric, 166
AMD, 114
AND instruction, 115
antivirus, 23
application, 3
content parsers, 4
network communication, 4
passive network traffic capture, 11
user interface, 4
application binary interface (ABI), 123–124, 259–260
application layer, 3
apt command line utility, 31
arbitrary writing of memory, 253–254
ASCII
character encoding, 42
code pages, 44
control characters, 43
printable characters, 43
text-encoding conversions, 229–230
ASLR. See address space layout randomization (ASLR)
ASN.1 (Abstract Syntax Notation 1), 53–54
assemblies, 138
assembly language, 113
asymmetric key cryptography, 159–164. See also symmetric key cryptography
private key, 160
public key, 160
RSA padding, 162
trapdoor functions, 160
asymmetric signature algorithms, 165
Asynchronous JavaScript and XML (AJAX), 57
AT&T syntax, 116
attributes (XML), 58
authentication bypass, 209
automated code, identifying, 133–134
B
base class library, 141
Berkeley packet filter (BPF), 180
Berkeley Sockets Distribution (BSD), 15
Berkeley Sockets model, 15, 121
Big-O notation, 225
binary protocols. See also protocols
bit flags, 41
Booleans, 41
variable binary length data, 47–49
bind system call, 15
bit flags, 41
bit format, 38
block ciphers. See also stream ciphers
common, 152
initialization vector, 154
cipher block chaining, 153–155
Electronic Code Book, 152
Galois Counter, 155
padding oracle attack, 156–158
Triple DES, 151
Blowfish, 152
BPF (Berkeley packet filter), 180
BSD (Berkeley Sockets Distribution), 15
bss data, 120
Bubble Sort, 224
bucket, 225
buffer overflows
bytes, 38
C
ca.crt file, 203
CALL instruction, 115
Camellia, 152
Canape Core, 21–22, 25, 103–105, 280–281
Canape.Cli, xxiv, 202
ca.pfx file, 203
capture.pcap file, 180
capturing network traffic
active method, 20
proxies
man-in-the-middle, 20
resending captured traffic, 182–183
system call tracing
strace, 16
carriage return, 56
carry flag, 117
CBC (cipher block chaining), 153–155
cdecl, 199
cdll, 199
certificate
pinning, 177
revocation list, 171
root, 170
store, 204
certmgr.msc, 203
CFLAGS environment variable, 243
change cipher spec (TLS), 176
char types, 212
character encoding
ASCII, 43
chat_server.csx script, 187
ChatClient.exe (SuperFunkyChat), 80–81, 200
ChatProgram namespace (.NET), 190
ChatServer.exe (SuperFunkyChat), 80
Chinese characters, 44
chosen plaintext attack, 162
CIL (common intermediate language), 137–138
Cipher and Hash algorithm, 202
cipher block chaining (CBC), 153–155
cipher feedback mode, 159
cipher text, 146
ciphers, 146
substitution, 147
CJK character sets, 44
C language, 112, 123, 132, 210, 212
Class files, 141
Class.forName() method (Java), 194
client certificate (TLS), 175
client random (TLS), 173
C library, 268
CLR (common language runtime), 137
CMD command, 255
code
error, 262
executable. See executable codes
message authentication. See message authentication codes (MACs)
pages (ASCII), 44
point, 44
section, 120
collision resistance (hashing algorithm), 165
command injection, 228
common intermediate language (CIL), 137–138
common language runtime (CLR), 137
Common Object Request Broker Architecture (CORBA), 22
compiled languages, 113
CONNECT HTTP method, 30
Connect() method, 185, 192–193
CONNECT proxy, 32
connect system call, 15
content parsers, 4
Content-Type values, 57
control characters (ASCII), 43
control flow, 118
control registers, 117
Conversations window (Wireshark), 84–85
CORBA (Common Object Request Broker Architecture), 22
counter mode, 159
CPU, 39
8086, 114
assembly language and, 113
instruction set architecture, 114–116
signed integers, 39
x86 architecture, 114–119, 125
crashes
finding root cause of, 243–245
CreateInstance() method (.NET), 191
cron jobs, 254
cross-site scripting (XSS), 58
Crypt32.dll, 132
CryptoAllPermissionCollection.class, 142
cryptanalysis, 146
cryptography
configurable, 226
libraries, 132
ctypes library (Python), 195
curl command line utility, 31
D
Dante, 27
data
controlling flow of, 2
endianness of, 41
formatting and encoding, 2
inbound, 92
integrity, 164
padded, 49
variable-length, 56
Data Encryption Standard (DES), 150–151
data execution prevention (DEP), 267–268
data expansion attack, 217
DataFrame, 108
datagram, 5
datagram socket, 122
Datagram Transport Layer Security (DTLS), 172
data section, 120
debuggers, 111, 134–137, 236–240, 243–245, 258–259
applications, 236
default or hardcoded credentials, 218
debugging symbols package (dSYM), 131
DEC instruction, 115
decimal numbers, 55
decompilation, 113
decryption. See also encryption
asymmetric, 160
block cipher, 150
breakpoints, 137
cipher block chaining, 155, 157–158
dealing with obfuscation, 143–144
Triple DES, 151
default credentials, 218
delimited text, 56
denial-of-service, 208
DEP (data execution prevention), 267–268
DER (Distinguished Encoding Rules), 53
DES (Data Encryption Standard), 150–151
DES cracker, 151
destination address, 5
destination network address translation (DNAT), 24, 68–71
DHCP. See Dynamic Host Configuration Protocol (DHCP)
Diffie, Whitfield, 162
Diffie–Hellman Key Exchange (DH), 162–164
Digital Signature Algorithm (DSA), 165
disassembly, 113
discover (DHCP packet), 71
dissector() function, 99
dissector.lua file, 98
dissectors
creating, 97
Lua, 99
message packet parsing, 100–103
Distinguished Encoding Rules (DER), 53
DNAT (destination network address translation), 24, 68–71
DNSMasq, 287
dnsspoof, 34
Domain Name System (DNS) protocol, 3
dotnet binary, 81
downgrade attack, 176
DSA (Digital Signature Algorithm), 165
dSYM (debugging symbols package), 131
Dynamic Host Configuration Protocol (DHCP), 63, 66
dynamic libraries, 130, 195–196
dynamic reverse engineering
defined, 134
general purpose registers, 136
E
EAX register, 116, 123, 242, 258, 270
ECDH (Elliptic Curve Diffie–Hellman), 202
EFAULT, 262
EFLAGS register, 117, 119, 136
Electronic Frontier Foundation, 151
elements (XML), 58
ELF (Executable Linking Format), 120, 131, 144
Elliptic Curve Diffie–Hellman (ECDH), 202
elliptic curves, 160
encoding
percent, 60
encryption, 20, 30. See also decryption
asymmetric, 160
block cipher, 150
breakpoints, 137
cipher block chaining, 153–155
Electronic Code Book, 153
HTTP connection to, 108
key, 146
libraries, 132
magic constants, 133
one-time pad, 148
padding, 155
public key. See asymmetric key cryptography
substitution ciphers, 147
Triple DES, 151
XOR, 108–109, 148–149, 153–154
encryption libraries, 132
errno, 262
errors
codes, 262
detecting and correcting, 2
off-by-one, 213
ESP register, 116–117, 124, 136, 270
eth0, 180
Ethernet, 3
passive network capture, 12–13
simple network, 6
executable codes
address space layout randomization, 272
function calls in, 123
memory corruption and, 210, 246
partial overwrites, 272
ROP gadgets, 269
system calls, 259
executable file formats, 119–120, 137
Executable Linking Format (ELF), 120, 131, 144
.exe extension, 120, 137–138, 189
Extensible Markup Language (XML), 58
Extensible Messaging and Presence Protocol (XMPP), 58
F
false, 55
fd argument, 261
Federal Information Processing Standard (FIPS), 151
Feistel network, 151
File Transfer Protocol (FTP), 24, 28
FILETIME (Windows), 50
Financial Information Exchange (FIX) protocol, 56
finished packet, 176
fixed-length buffer overflows, 211–213
Follow Stream button (Wireshark), 85
Follow TCP Stream view (Wireshark), 88–89
format string vulnerability, 227
forwarding HTTP proxy. See also reverse HTTP proxy
advantages and disadvantages of, 31
simple implementation of, 30–31
FreeBSD, 16
FreeCAP, 27
free-list, 251
frequency analysis, 147
FTP (File Transfer Protocol), 24, 28
function monitors, 111
fuzz testing
defined, 234
mutation fuzzer, 235
simplest, 234
tools
Kali Linux, 286
Metasploit, 286
Scapy, 287
Sulley, 287
G
Galois Counter Mode (GCM), 155
gateway
hops, 65
nodes, 64
GB2312, 44
GCC compiler, 196
GCM (Galois Counter Mode), 155
General Public License, 14
general purpose registers, 116–117, 136
GetConstructor method (.NET), 191
getDeclaredConstructor() (Java), 195
GetMethod() method (.NET), 192–193
guard pages, 245
GUI registry editor, 67
GVSP protocol, 182
gzip, 217
H
handshake, 172
hardcoded credentials, 218
hash table, 225
hashed message authentication codes (HMAC), 168–169
hashing algorithms
collision resistance, 164
nonlinearity of, 164
pre-image resistance, 164
SHA-2, 165
SHA-3, 168
HEAD, 29
Ethernet, 6
IP, 6
system call number, 260
UDP, 5
heap buffer overflows, 248–249
heap memory storage, 253
Hellman, Martin, 162
determining protocol structure in, 88–89
information columns in, 87
viewing individual packets in, 87
hex editor, 125
Hex Rays, 125
HMAC (hashed message authentication codes), 168–169
hops, 65
host order, 42
Hping, 282
HTTP (HyperText Transport Protocol), 3, 56
host header, 24
network protocol analysis, 8–10
proxies. See also protocols
I
IBM, 151
ICS (Internet Connection Sharing), 69
IDA Pro, 289
analyzing stack variables and arguments in, 128
analyzing strings in, 132
EIP window, 135
ESP window, 136
extracting symbolic information in, 129–131
graph view, 126
identifying automated code in, 133–134
main interface, 127
viewing imported libraries in, 131–132
IEEE Standard for Floating-Point Arithmetic (IEEE 754), 40
main interface, 139
Search window, 139
in-band method, 253
inbound data, 92
INC instruction, 115
incorrect resource access, 220–223
information disclosure, 209
initialization vector, 154
inner padding block, 168
instruction set architecture (ISA), 114–116
integers
signed, 39
text protocols, 55
unsigned, 38
Intel, 114
Intel syntax, 116
Internet Connection Sharing (ICS), 69
Internet layer, 3
Internet Protocol (IP), 2
Internet Protocol Suite (IPS)
defined, 3
layers, 3
interpreted languages, 112
interpreters, 112
Invoke() method (.NET), 192–193
IP (Internet Protocol), 2
IP address
32-bit, 24
DNS spoofing, 34
hosts file, 34
NAT, 68
reverse shell, 266
SNAT, 68
SOCKS connection, 25
ipconfig command, 69
iptables command, 69
IPS. See Internet Protocol Suite (IPS)
ISA (instruction set architecture), 114–116
J
Japanese characters, 44
reflection types, 194
Java archive (JAR), 141, 193–194
Java byte code, 137
Java Decompiler, 288
Java Runtime, 27
JavaScript, 252
JavaScript Object Notation (JSON), 57–58
Java TCP client, 27
Jcc instruction, 115
JD-GUI, 142
K
Kali Linux, 286
kernel mode, 14
key-scheduling algorithm, 151
Korean characters, 44
Krypto Analyzer, 134
L
least significant bit (LSB), 38
length-extension attacks, 166–168
length-prefixed data, 48
lengths, 107
line feed, 56
line oriented protocols, 56
Linux, 120
ASLR implementation flaws in, 272
configuring SNAT on, 69
cron jobs, 254
debug symbols, 129
dynamic libraries, 196
enabling routing on, 67
error codes, 262
executable file format, 131
loading library on, 197
SOCKS proxy, 27
strace, 16
Load() method (.NET), 190
LoadFrom() method (.NET), 190
local variables, corrupting, 274–275
localhost, 12
low-privileged file writes, 255
M
MAC (Media Access Control) addresses, 6–7, 8, 74–77
machine code, 112–114, 120, 125
debug symbols, 129
dynamic libraries, 196
enabling routing on, 67
MACs. See message authentication codes (MACs)
magic constants, 132
mail application, 3
main thread, 121
malware, 23
man 2 syscall_name command, 16
managed languages
man-in-the-middle proxy, 20, 201
masquerading, 68
master secret (TLS), 175
MD algorithm. See message digest (MD) algorithm
Media Access Control (MAC) addresses, 6–7, 8, 74–77
memory
heap memory storage, 253
information disclosure vulnerabilities, 270–271
wasted, 250
memory canaries (cookies)
bypassing by corrupting local variables, 274–275
bypassing with stack buffer underflow, 275–276
detecting stack overflows with, 273–276
memory corruption. See also vulnerabilities
data expansion attack, 217
dynamic memory allocation failures, 217
address space layout randomization, 270–273
data execution prevention, 266–267
return-oriented programming, 268–270
heap buffer overflows, 248–249
stack buffer overflows, 246–248
memory-safe vs. memory-unsafe languages, 210
off-by-one error, 213
out-of-bounds buffer indexing, 216–217
memory exhaustion attacks, 222–223
memory index registers, 117
memory sections, 120
memory-safe languages, 210
memory-unsafe languages, 210
Message Analyzer, 278
message authentication codes (MACs)
length-extension attacks, 166–168
message digest (MD) algorithm, 164
MD4, 165
Metasploit, 286
accessing payloads, 265
advantages and disadvantages of, 265–266
executing payloads, 266
generating shell code with, 265–266
MethodInfo type (.NET), 192
Microsoft, 170
Microsoft Message Analyzer, 278
MIME (Multipurpose Internet Mail Extensions), 56–57
minus sign (-), 55
mnemonic instruction, 114
modulo arithmetic, 214
mono binary, 80
Mono Project, 137
most significant bit (MSB), 38
MOV instruction, 115
Mozilla Firefox, 26
MSCORLIB, 141
MS-DOS, 119
multibyte character sets, 44
Multipurpose Internet Mail Extensions (MIME), 56–57
multitasking, 120
N
namespace, 193
name-value pairs (XML), 58
NAT. See network address translation (NAT)
.NET applications
base class library, 141
reflection binding types, 192
reflection types, 190
repurposing executable codes in
using Reflection APIs, 190
.NET Core, 80
NetClientTemplate class, 184–185
netstat -r command, 65
Netwide Assembler, 256
network, 1
connectivity and protocol testing tools
Hping, 282
Netcat, 282
monitoring connections with DTrace, 16–18
network address, 7, 20, 22, 52–53, 66, 71, 123
network address translation (NAT), 68–71
defined, 68
network communication, 4
Berkeley Sockets model, 15
layers, 3
man-in-the-middle attack on, 20
symmetric ciphers, 150
user-to-kernel, 15
client connection to TCP server, 122
TCP client connection to server, 121–122
Network News Transfer Protocol (NNTP), 59
network order, 42
newInstance() method (Java), 195
NNTP (Network News Transfer Protocol), 59
nodes, 1
gateway, 64
identifying through addressing, 2
no-execute (NX) mitigation, 267
nonlinearity, 165
nonpersistent denial-of-service, 208
numeric data
decimal numbers, 55
integers, 55
signed integers, 39
text protocols, 55
unsigned integers, 38
variable-length integers, 39–40
NX (no-execute) mitigation, 267
O
OAEP (Optimal Asymmetric Encryption Padding), 162
octet-stream, 57
off-by-one error, 213
offer (DHCP packet), 71
one-time pad encryption, 148
open system call, 18
OpenSSL, 132
operands, 115
operating system
application binary interface, 123–124
executable file formats, 119–120
sections, 120
Optimal Asymmetric Encryption Padding (OAEP), 162
OR instruction, 115
outbound bytes, 89
outbound traffic, 89
outer padding block, 168
out-of-band method, 253
out-of-bounds buffer indexing, 216–217
output feedback mode, 159
overflow flag, 117
P
package-private scoped classes, 193
packets, 6
calculating checksum of, 93–94
identifying structure with Hex Dump, 86–95
packing tools, 134
padded data, 49
padding
encryption, 155
inner block, 168
OAEP, 162
outer block, 168
parity flag, 117
parsing
binary conversion and, 90
decimal numbers and, 55
endianness of data and, 41
HTTP header, 33
mutation fuzzer and, 235
Python script for, 91
traffic, 183
URL, 230
variable-length integers, 40
passive network capture
advantages and disadvantages of, 19–20
strace, 16
tools
Microsoft Message Analyzer, 278
path, 220
$pc, 239
PDB (program database) file, 129–131
PDP-11, 42
PDU (protocol data unit), 4
PE (Portable Executable) format, 120, 134, 144
PEiD, 134
PEM format, 202
percent encoding, 60
perfect forward secrecy, 177
permutation boxes (P-Box), 152
persistent denial-of-service, 208
PGP (Pretty Good Privacy), 169
PHP, 255
PKI. See public key infrastructure (PKI)
plain, 57
plaintext, 146
plus sign (+), 54
Point-to-Point Protocol (PPP), 3
POP3 (Post Office Protocol 3), 4
POP instruction, 115
port, 2
port numbers, 5
Portable Executable (PE) format, 120, 134, 144
port-forwarding proxy. See also proxies
advantages and disadvantages of, 23–24
binding to network addresses, 22
simple implementation of, 21–22
POSIX, 15
POSIX/Unix time, 50
POST, 29
Post Office Protocol 3 (POP3), 4
PowerPC, 38
PPP (Point-to-Point Protocol), 3
Practical Packet Analysis, 14
pre-image resistance (hashing algorithm), 165
pre-master secret (TLS), 175
Pretty Good Privacy (PGP), 169
printable characters (ASCII), 43
printf function, 227
private Connect() method (.NET), 192
private exponent, 161
PRNGs (pseudorandom number generators), 149
processor architectures, 42
program database (PDB) file, 129–131
promiscuous mode, 12
PROT_EXEC flag, 257
protocol data unit (PDU), 4
protocol stack, 3
protocols
determining structure of, 88–89
functions of, 2
network connectivity and protocol testing
Hping, 282
Netcat, 282
structured binary formats, 53–54
tag, length, value (TLV) pattern, 50–51
unknown parts, 93
proxies
man-in-the-middle, 20
protocol analysis with, 105–106
traffic analysis with, 103–110
Proxifier, 27
pseudo registers, 239
pseudorandom number generators (PRNGs), 149
public Connect() method (.NET), 192
public exponent, 161
Public Key Cryptography Standard #1.5, 162
Public Key Cryptography Standard #7 (PKCS#7), 155–156
public key encryption. See asymmetric key cryptography
public key infrastructure (PKI), 169–172
certificate chain verification, 170–172
defined, 169
web of trust, 169
PublicClass class, 189
PublicMethod() method, 189
PUSH instruction, 115
Python, 210
calling functions with, 199
ctypes library, 195
data types, 198
dissecting protocol with, 90–95
loading library with, 197
resending captured UDP traffic with, 182–183
Q
R
rand() function, 149
random number generators, 149
RC4 stream cipher, 176
RDP (Remote Desktop Protocol), 51
read_bytes() function, 91
ReadData() function, 108
ReadOutbound() function, 109
Real Time Messaging Protocol (RTMP), 29
Receive() method (.NET), 193
recvfrom system call, 15
reflection, 189
registers
control, 117
memory index, 117
pseudo, 239
scratch, 123
selector, 118
SS, 116
remote code execution, 208
Remote Desktop Protocol (RDP), 51
Remote Method Invocation (RMI), 29
Remote Procedure Call (RPC), 22
request (DHCP packet), 72
Request for Comments (RFCs), 42, 56–57
request line, 30
RESP field, 25
RET instruction, 115
Ret2Libc, 269
RETN instruction, 115
return-oriented programming (ROP), 268–270
reverse engineering
resources, 144
tools
IDA Pro, 289
ILSpy, 290
Java Decompiler, 288
reverse HTTP proxy. See also forwarding HTTP proxy
advantages and disadvantages of, 35
redirecting traffic to, 34
simple implementation of, 33
reverse shell, 266
Rich Site Summary (RSS), 58
Rijndael, 152
Rivest, Ron, 160
RMI (Remote Method Invocation), 29
root certificate, 170
ROP (return-oriented programming), 268–270
route print command (Windows), 65
defined, 64
enabling DNAT, 70
routing
on Linux, 67
on macOS, 67
on Windows, 66
RPC (Remote Procedure Call), 22
RSA encryption, 149
signature algorithm, 165
RSS (Rich Site Summary), 58
Ruby, 210
Run() function, 187
runtime, 137
S
say_hello() method, 197
say_string() method, 197
say_struct() function, 199
Scan for Hosts (Ettercap), 76
Scapy, 287
scratch registers, 123
scripting languages, 112
sections (memory), 120
secure hashing algorithm (SHA), 164
SHA-2, 165
SHA-3, 168
Secure Sockets Layer (SSL). See Transport Layer Security (TLS)
public key infrastructure (PKI), 169–172
random number generators, 149
symmetric key cryptography, 149–159
Transport Layer Security, 172–177
SELECT statement, 229
selector registers, 118
self-signed certificate, 170
sendfrom system call, 15
Serpent, 152
server random (TLS), 173
session key, 162
session state, 2
set detach-on-fork off command, 237
setAccessible() (Java), 195
SGML (Standard Generalized Markup Language), 58
SHA. See secure hashing algorithm (SHA)
Shamir, Adi, 160
shared key, 163
shell code
accessing payloads, 265
generating with Metasploit, 265–266
relative address on 32- and 64-bit systems, 263
reverse shell, 266
setting breakpoint on, 258–259
system calls, 259
shell_bind_tcp, 265
Shift-JIS, 44
SHR instruction, 115
sign flag, 117
signature algorithms, 146, 164–169
asymmetric, 165
cryptographic hashing algorithms, 164–165
DSA, 165
message authentication codes, 166–168
RSA, 165
symmetric, 166
signed integers, 39
Simple Mail Transport Protocol (SMTP), 3–4, 56, 59
Simple Network Management Protocol (SNMP), 53
sketches, 150
sockaddr_in structure, 17, 122
socket system call, 15
SOCKS proxy, 103. See also proxies
advantages and disadvantages of, 28–29
Firefox proxy configuration, 26
Java TCP client, 27
overview, 24
simple implementation of, 25–26
socksProxyHost system property, 27
socksProxyPort system property, 27
SOH (Start of Header), 56
source address, 5
source code, 112
source network address translation (SNAT)
configuring on Linux, 69
$sp, 239
SPARC architecture, 42, 118, 137
spoofing
DNS, 34
sprintf string function, 212
SQL. See Structured Query Language (SQL)
SS register, 116
stack buffer overflows, 246–248, 273–276
stack buffer underflow, 275–276
stack variables, 128
Standard Generalized Markup Language (SGML), 58
start address, 120
Start of Header (SOH), 56
static reverse engineering, 125–134. See also reverse engineering
analyzing strings in, 133
extracting symbolic information in, 129–131
identifying key functionality in, 129–134
stack variables and arguments, 128
stdcall, 199
storage exhaustion attacks, 223–224
strace, 16
strcat string function, 212
strcpy string function, 212
strcpy_s string function, 212
stream ciphers, 158–159. See also block ciphers
analyzing, 132
Strip tool, 131
struct library (Python), 90
Structure class, 199
structured binary formats, 53–54
Structured Query Language (SQL)
Server, 229
structured text formats, 56–58
SUB instruction, 115
substitution boxes (S-Box), 152
substitution ciphers, 147
substitution-permutation network, 152
Sulley, 287
SuperFunkyChat
analysis proxy
simple network client, 184–186
ChatClient, 81, 83–84, 106, 200
commands, 81
communicating between clients, 81
parser code for, 107
starting the server, 80
UDP mode, 97
switch device, 6
symmetric key cryptography, 149. See also asymmetric key cryptography
symmetric signature algorithms, 166
synchronize flag (SYN), 41
system API, 268
System assembly, 141
system calls
accept, 123
bind, 15
connect, 15
open, 18
recvfrom, 15
sendfrom, 15
socket, 15
system function, 228
System.Activator class (.NET), 191
System.Reflection.Assembly class (.NET), 190
System.Reflection.ConstructorInfo class (.NET), 190
System.Reflection.FieldInfo class (.NET), 190
System.Reflection.MethodInfo class (.NET), 190
System.Reflection.PropertyInfo class (.NET), 190
System.Type class (.NET), 190
T
tag, length, value (TLV) pattern, 50–51, 89, 94–95
TCP. See Transmission Control Protocol (TCP)
TCP/IP Guide, 16
TcpNetworkListener (ILSpy), 140
terminated text, 56
testy virtual buffer (TVB), 99
text protocols, 54
Booleans, 55
dates, 55
numeric data, 55
structured text formats, 56–58
times, 55
variable-length data, 55
text-encoding character replacement, 229–231
TLS. See Transport Layer Security (TLS)
TLS Record protocol, 172
TLV (tag, length, value) pattern, 50–51, 89, 94–95
ToDataString() method, 186
token, 56
tools
for active network capture and analysis
Canape Core, 281
fuzz testing
Kali Linux, 286
Metasploit, 286
Scapy, 286
Sulley, 286
network connectivity and protocol testing
Hping, 282
Netcat, 282
for network spoofing and redirection
DNSMasq, 287
for passive network capture and analysis
Microsoft Message Analyzer, 278
reverse engineering
IDA Pro, 289
ILSpy, 290
Java Decompiler, 288
for web application testing
Zed Attack Proxy, 284
traceconnect.d file, 16
traffic
analysis using proxy, 103
capturing
active method, 20
man-in-the-middle, 20
capturing tools
strace, 16
outbound, 89
Transmission Control Protocol (TCP), 2–3, 21
bit flags, 41
client connection to server, 121–123
HTTP proxy, 30
port numbers, 5
port-forwarding proxy, 21–22, 201
reading contents of sessions, 85–86
Transport Layer Security (TLS)
certificate pinning, 177
client certificate, 175
endpoint authentication, 174–175
initial negotiation, 173
perfect forward secrecy, 177
replacing certificate in, 202–206
security requirements, 176–177
TLS Record protocol, 172
trapdoor functions, 160
Triple DES, 151
true, 55
trusted root certification authorities, 204
TVB (testy virtual buffer), 99
Twofish, 152
two’s complement, 39
U
UCS (Universal Character Set), 44–45
UDP. See User Datagram Protocol (UDP)
UI (user interface), 4
Unicode
UCS-2/UTF-16, 45
UCS-4/UTF-32, 45
Unicode Transformation Format (UTF), 44–45
Unified Sniffing mode (Ettercap), 76
Uniform Request Identifier (URI), 30, 32
uninitialized data, 120
Universal Character Set (UCS), 44–45
Unix-like systems, 5
ASLR implementation flaws in, 272
AT&T syntax, 116
command injection, 228
command line utilities on, 31
configuring DNAT on, 70
Dtrace, 16
enabling routing on, 67
error codes, 262
executable format, 120
hosts file, 23
read and write calls, 122
routing tables on, 65
traceroute, 64
unmanaged executables, 195–199
unsafe keyword, 210
unsigned integers, 38
UPX, 134
URI (Uniform Request Identifier), 30, 32
User Datagram Protocol (UDP), 3
payload and header, 5
port forwading, 21
socket, 122
user interface (UI), 4
user mode, 14
user-after-free vulnerability, 249–250
UTF (Unicode Transformation Format), 44–45
V
variable binary length data
length-prefixed data, 48
padded data, 49
variable-length buffer overflows, 211, 213–214
variable-length data, 56
variable-length integers, 39–40
Verisign, 170
virtual function table, 242, 248–249
virtual hosts, 24
virtual machine, 137
VirtualAlloc, 250
Visual C++, 129
vulnerabilities
authentication checking, 226
classes
authentication bypass, 209
denial-of-service, 208
information disclosure, 209
remote code execution, 208
command injection, 228
CPU exhaustion attacks
algorithmic complexity, 224–225
configurable cryptography, 224–225
default or hardcoded credentials, 218
exploiting
arbitrary writing of memory, 253–254
defined memory pool allocations, 252–253
heap layout manipulation, 249–250
heap memory storage, 253
high-privileged file writes, 254–256
low-privileged file writes, 255
user-after-free vulnerability, 249–250
format string, 227
incorrect resource access
memory corruption
data expansion attack, 217
dynamic memory allocation failures, 217
memory-safe vs. memory-unsafe languages, 210
out-of-bounds buffer indexing, 216–217
memory exhaustion attacks, 222–223
storage exhaustion attacks, 223–224
text-encoding character replacement, 229–231
W
W3C, 58
web application testing tools, 283–285
Zed Attack Proxy, 284
web of trust (WOT), 169
wget, 31
windll, 199
Windows
ASLR implementation flaws in, 272
calling functions with Python on, 199
certificate manager, 203
debug symbols, 129
dynamic link libraries, 196
enabling routing on, 67
FILETIME, 50
loading library on, 197
registry, 67
Winsock library, 121
XP SP2, 270
WinDump, 278
WinPcap, 278
Winsock, 121
capture interfaces dialog, 82–83
generating network traffic in, 83–84
main window, 82
reading contents of TCP sessions in, 85–86
Tshark command line version, 180–182
WOT (web of trust), 169
write system call, 15, 18, 122, 261–263
WriteData() function, 108
WritePackets() method, 22
ws2_32.dll Windows network library, 130–131
X
X.509 certificates, 53–54, 169–171, 173
X.680 series, 53
history, 114
instruction mnemonics, 115
instruction set architecture, 114–116
mnemonic forms, 115
xcalc, 228
XML Schema, 58
XOR encryption, 108–109, 148–149, 153–154
XOR instruction, 115
xp_cmdshell function, 229
Z
Zed Attack Proxy (ZAP), 284
zero flag, 117
ZLib compression library, 132