Introduction and Grey Hat Hacking Book Review

Greetings! I’m Minh, one of the penetration testers at Perspective Risk. This is my first blog post and I feel it would be fitting to share a little about myself and my voyage with Perspective Risk. My first year at Perspective Risk has just come round and what a year it has been, filled with exciting work and the wonderful opportunity to collaborate with people from around the globe, Ghana being my favourite place I’ve worked. I joined Perspective Risk as their first employee and have watched the company grow from a 2 man venture into a 5 strong team of excellent testers. My background has mainly been in the field of computer forensics as I graduated with a Masters in the field. Perspective Risk has given me the opportunity and training to specialise in penetration testing and after achieving the CREST Registered Tester certification, I plan on going for the CREST Certified Tester certification next. As you may have seen, our blog posts contain some interesting and helpful information about penetration testing, however I will be going back to my forensic roots with some of my posts by including a mixture of forensics and penetration testing topics. I feel there is no better place to start my blogging venture than with a book I have just finished reading, Gray Hack Hacking by authors Shon Harris, Allen Harper, Chris Eagle and Jonathan Ness.

Gray Hat Hacking Introduction

At first glance the Gray Hat Hacking book appealed to me through its mixed content of penetration testing and computer forensic material, especially with the forensics content being heavily orientated around malware analysis, my current favourite topic of interest. The book starts off with your typical penetration testing material:

Intro and Ethical aspects

Penetration testing and tools

This can be skipped if you have any experience in penetration testing, you tend to see these exact topic at the start of every ethical hacking book. The second half is where the fun begins, however I must mention that this isn’t a typical penetration testing book but more a shellcoding and reverse engineering book, so bear that in mind before you start reading. Before I continue please note that if you are interested in reverse engineering and malware analysis, follow the links provided throughout the blog as they contain interesting articles and studies. The second half starts off with the basics of exploitation and finally builds up to vulnerability and malware analysis. I do find the book only touches on certain topics and does not go into enough depth. However, the book does include multiple references after each topic for you to expand further.

Exploitation

The exploitation section starts off well and eases the reader into the basics of exploitation. It contains the following sections:

Programming skills,

Basic & advanced Linux and Windows exploits,

Writing shell code,

Web application security.

I found the exploitation section to be a great extension from what I have learnt doing buffer overflows and manipulating shellcode in Offensive Security’s OSCP course. This section continues smoothly from the material that is taught in the course. The book also works a lot with assembly language, so I would advise that you brush up on your assembly language basics and experience of working with debuggers. If, like me, you’ve had web application security experience, then I highly advise skipping the web chapter as it only covers the basic. If your web security knowledge is slightly lacking, my advice would be to grab a copy of the “The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto.

Vulnerability and Malware Analysis

The final two sections of the book, vulnerability and malware analysis, go hand in hand very nicely as they both heavily involve reverse engineering. These two final sections of the book are broken down into the following topics:

Passive and static vulnerability analysis,

Advanced reverse engineering,

Malware collection and analysis.

Vulnerability analysis is very similar to malware analysis and, as I’ve mentioned at the start of the blog, my current area of interest revolves around the synergy of pen testing and forensics. I would like to share with you guys some of the material I found particularly interesting relating to malware analysis and reverse engineering. Firstly, I must mention that I find the malware section doesn’t really touch on the fundamental processes involved in malware analysis. Therefore I would like to include a malware process diagram from securosis that I believe is a great “methodology at a glance” for malware analysis. (A detailed PDF containing initial malware analysis processes can also be found on the link):

Once you have a grasp on the initial processes of malware analysis, then the book flows smoothly into static and live malware analysis techniques.

Static analysis:

“The first thing you do with a foreign binary is determine what type of file it is”. This can be done by using many tools, PEiD being one of them. PEiD will analyse the binary to determine if it has been compressed, encrypted, packed or modified in anyway. If the binary has been packed, which in all likelihood it will be, then the associated packer would be required to unpack the binary. The next step would be to perform a “Strings” analysis on the binary to view any ASCII strings. Windows Strings tool can be downloaded from Windows sysinternals suite. An example of the strings command would be:

C:\>strings.exe D:\7e3b35c870d3b23f12a354d12655aaba0f > test.txt

C:\>more test.txt

<cut>

.text

.data

<cut>

InternetGetConnectedState

Wininet.dll

USERPROFILE

%s%s

C:\

Ware\m

<cut>

KERNAL.DLL

GetsystemTime

SetFileAttributesA

GettFileAttributesA

DeleteFileA CopyFileA

CreateMutexA

GetLastError

<cut>

lstrlenA

Sleep

<cut>

ReadFile CreateFileA

<cut>

RegOpenKeyExA

RegCloseKey

RegSetValueExA

Wsprintfa

<cut>

This example makes server windows API calls for directories, files, registries, network calls etc. The highlighted strings in bold represent the following:

Network activity,

File activity (searching, deleting & writing),

Registry activity,

System time check and wait (sleep) for some period,

Set a mutex, ensuring that only one copy of the work runs at a time.

The final step in this static analysis would be to reverse engineer the malware; however, the book does not go into much detail, so follow the link if you want to read more.

Live analysis:

The initial step of a live analysis is to make sure you have a repeatable process. This can be done by:

Setting up a file system (filemon), registry value (regshot), process(process explorer) and network monitoring (tcpview) toolkit to establish a baseline,

Saving the snapshot of the virtual environment,

Executing the malware,

Inspect the tool for system changes from the initial baseline reading,

Interact with the malware to fake DNS, e-mail IRC servers as required,

Revert to the snapshot and repeat the process until the malware is fully understood.

Now you have an understanding of the initial malware analysis techniques, the book talks about obfuscation and de-obfuscation techniques that can be used to analyse more sophisticated malware.

Encryption (anything from XOR to DES),

Hiding techniques in user space,

Rootkit Technology (“Autoruns”, Microsoft tool to enumerate each autostart extensibility point – ASEP),

Packers– sometimes unpacking malware isn’t as simple as using the same packer to unpack. First you need to find the packing tool (PEiD, Strings, objdump). In some cases assisted unpacking is required (LordPE, IDA pro), this involves debugging and sometimes bypassing anti-debugging techniques.

Reverse Engineering

The final section of the book briefly talks about what reverse engineering can be used for however there is no detailed information or techniques about the subject. The book just briefly touches on how reverse engineering can be used to gather such information as:

How malware installs itself,

Files associated with malware activity,

What hosts the malware communicates with,

Capabilities of the malware,

How to communicate with the malware,

Vulnerabilities in the malware.

Gray Hat Hacking Final Thoughts

My final thoughts about the book are that it was a great expansion on some of the learning material on regarding exploit manipulation and writing shellcode that was taught in the OSCP course. This book is a great intro into exploit development and vulnerability research and I would advise starting here if those areas take your interest. The malware analysis section was lacking in detail and covered only the basics that I already knew about, however it does give a great introduction to readers who have no forensics background and would like to know what the hype is all about. So this is definitely the place to start if reverse engineering, exploit development, vulnerability analysis and malware analysis tickles your fancy. This is also a great book if you have no previous knowledge about the above subjects. Finally if you guys want to know where my next stop is on the journey of vulnerability analysis and reverse engineering, then it will continue with “The Shellcoder’s Handbook: Discovering and Exploiting Security Holes” by authors Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan “noir” Eren, Neel Mehta, Riley Hassell. Hope you all enjoyed the brief introduction to myself and what I am currently doing on my quest for knowledge! Cheers, Minh [Certain extracts from this post have been taken from the “Gray hat Hacking, The Ethical Hacker’s Handbook, Third Edition ” book by authors “Shon Harris, Allen Harper, Chris Eagle and Jonathan Ness.” Published” McGraw-Hill Osborne Media; 3 edition (January 6, 2011)”]