My PTP Notes from eLearnSecurity PDFs with help from Netriders Academy
1* Architecture Fundamentals:-
The CPU executes the machine code of programs.
Machine code is usually shown in hexadecimal. It is translated into assembly language (mnemonics), which is human-readable.
NASM (Netwide Assembler) is an example of an assembler for that language.
Every CPU has its own ISA (Instruction Set Architecture).
CPU registers with 32-bit width use the x86 ISA.
CPU registers with 64-bit width use the x64 ISA.
The CPU uses registers to store data temporarily and to communicate with memory (RAM). The CPU treats registers like variables.
CPU register names:-
8-bit:- each 16-bit register is divided into two parts (high and low):-
AH and AL, CH and CL, DH and DL, BH and BL, SPL, BPL, SIL, DIL
16-bit:- AX, CX, DX, BX, SP, BP, SI, DI
32-bit:- EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI
64-bit:- RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI
CPU registers:-
EAX:- used for arithmetic.
ECX:- used as the counter in loops.
EDX:- used for data.
EBX:- used as a base register to point to data.
ESP:- points to the top of the stack.
EBP:- points to the base of the current stack frame.
ESI:- source index.
EDI:- destination index.
EIP:- points to the next instruction to execute.
Stack Functions:-
1* prologue:- prepares the stack for the function before creating a new stack frame.
- push ebp → saves the old stack frame's base (the top of the old stack frame).
- mov ebp, esp → sets the base of the new stack frame.
- sub esp, X → creates X bytes of new stack space for local variables.
To store local variables on the stack:- mov DWORD PTR SS:[ESP + Y], ….
DWORD:- Double WORD; 32 bits (on a 32-bit Windows CPU)
PTR:- pointer
SS:- stack segment
[ESP + Y]:- the address where the value is stored.
….:- the value
2* epilogue:- restores the stack to its state before the prologue.
- mov esp, ebp → moves esp back to the top of the previous stack frame.
- pop ebp → restores ebp (overwrites it with the saved value).
- ret → returns, i.e. jumps to the return address saved on the stack.
Endianness:- is the way values are stored in memory.
Endianness types:-
big-endian:- the MSB is at the lowest address and the LSB at the highest.
little-endian:- the LSB is at the lowest address and the MSB at the highest.
MSB:- Most Significant Byte; the highest-valued position, usually written on the left.
LSB:- Least Significant Byte; the lowest-valued position, usually written on the right.
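Added example (my own C code, not from the eLearnSecurity PDFs): it detects the host byte order and splits a 32-bit value into its little-endian and big-endian byte sequences, which is the order you see when a value such as a saved return address is read from the stack in a debugger. The sample value 0x11223344 is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the host CPU stores the least significant byte at the
   lowest address (little-endian, as x86/x64 do), 0 if big-endian. */
int host_is_little_endian(void) {
    uint32_t probe = 0x01020304;
    unsigned char first;
    memcpy(&first, &probe, 1);      /* read the byte at the lowest address */
    return first == 0x04;
}

/* Write the 32-bit value v into out[0..3] in little-endian order:
   LSB at the lowest address. This is how an x86 CPU lays out a 32-bit
   value (e.g. a saved return address) when it stores it to the stack. */
void to_little_endian(uint32_t v, unsigned char out[4]) {
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Same value in big-endian ("network") order: MSB at the lowest address. */
void to_big_endian(uint32_t v, unsigned char out[4]) {
    out[0] = (unsigned char)((v >> 24) & 0xff);
    out[1] = (unsigned char)((v >> 16) & 0xff);
    out[2] = (unsigned char)((v >> 8) & 0xff);
    out[3] = (unsigned char)(v & 0xff);
}

/* Reverse operation: rebuild the 32-bit value from 4 little-endian bytes. */
uint32_t from_little_endian(const unsigned char in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

int main(void) {
    unsigned char le[4], be[4];
    uint32_t v = 0x11223344;  /* constructed sample value */
    to_little_endian(v, le);
    to_big_endian(v, be);
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("0x%08x little-endian bytes: %02x %02x %02x %02x\n",
           v, le[0], le[1], le[2], le[3]);
    printf("0x%08x big-endian bytes:    %02x %02x %02x %02x\n",
           v, be[0], be[1], be[2], be[3]);
    return 0;
}
```

On an x86 machine the little-endian line prints 44 33 22 11, which is why a memory dump of the value 0x11223344 looks "reversed" compared to how the number is written.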
NOP-sled:- is a technique that fills the stack with NOPs (the No Operation instruction, represented in hexadecimal as 0x90).
Security Implementations:-
- Address Space Layout Randomization (ASLR):- the OS loads the same executable at a different location in memory every time it runs. Not every DLL has ASLR protection.
- Data Execution Prevention (DEP):- a defensive hardware and software measure that prevents the execution of code from pages in memory that are not explicitly marked as executable.
- Stack Cookies (Canary):- places a value next to the return address on the stack in the function prologue and checks that it is still there in the epilogue.
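Added example (my own C code, not from the course material) that models the stack-cookie check in software: a byte array stands in for one x86 stack frame laid out as local buffer, cookie, saved EBP, return address. An over-long copy into the buffer reaches the cookie before it can reach the saved EBP and return address, so the epilogue check detects it. The cookie value 0xDEADC0DE and the frame layout are constructed; a real compiler chooses the cookie at process start.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified picture of one x86 stack frame, lowest address first:
   [ local buffer ][ cookie ][ saved EBP ][ return address ]
   A write that runs past the buffer reaches the cookie before it can
   reach the saved EBP / return address, so a changed cookie is the signal. */
#define BUF_SIZE   16
#define COOKIE_OFF (BUF_SIZE)
#define EBP_OFF    (BUF_SIZE + 4)
#define RET_OFF    (BUF_SIZE + 8)
#define FRAME_SIZE (BUF_SIZE + 12)

/* The value the prologue stores next to the saved EBP. Constructed; a
   real runtime picks an unpredictable per-process value at startup. */
static const uint32_t STACK_COOKIE = 0xDEADC0DE;

/* prologue: lay out an empty frame and plant the cookie. */
void frame_prologue(unsigned char frame[FRAME_SIZE], uint32_t saved_ebp, uint32_t ret) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + COOKIE_OFF, &STACK_COOKIE, 4);
    memcpy(frame + EBP_OFF, &saved_ebp, 4);
    memcpy(frame + RET_OFF, &ret, 4);
}

/* Models an unbounded copy (strcpy-style) of n bytes into the local buffer.
   Bytes beyond BUF_SIZE spill into whatever follows it in the frame.
   The copy is capped at the frame so the simulation itself stays in bounds. */
void unbounded_copy_into_buffer(unsigned char frame[FRAME_SIZE], const unsigned char *src, size_t n) {
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, src, n);
}

/* epilogue check: returns 1 if the cookie is intact (safe to pop EBP and
   return), 0 if it was overwritten (a real runtime aborts the process here). */
int frame_epilogue_check(const unsigned char frame[FRAME_SIZE]) {
    uint32_t cookie;
    memcpy(&cookie, frame + COOKIE_OFF, 4);
    return cookie == STACK_COOKIE;
}

uint32_t frame_return_address(const unsigned char frame[FRAME_SIZE]) {
    uint32_t ret;
    memcpy(&ret, frame + RET_OFF, 4);
    return ret;
}

int main(void) {
    unsigned char frame[FRAME_SIZE];
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof input);   /* constructed oversized input of A's */

    frame_prologue(frame, 0x0012ff80, 0x00401000);
    unbounded_copy_into_buffer(frame, input, 16);
    printf("16 bytes: cookie %s\n", frame_epilogue_check(frame) ? "intact" : "CORRUPTED");

    frame_prologue(frame, 0x0012ff80, 0x00401000);
    unbounded_copy_into_buffer(frame, input, 28);
    printf("28 bytes: cookie %s, return address now 0x%08x\n",
           frame_epilogue_check(frame) ? "intact" : "CORRUPTED",
           frame_return_address(frame));
    return 0;
}
```

The second run shows why the check happens before ret: the return address is already 0x41414141 (AAAA), but because the cookie changed too the function never returns into it.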
2* Assemblers, Debuggers and Tools Arsenal:-
Assemblers convert assembly language (a low-level language of opcodes, i.e. operation codes) into machine code that can be executed; disassemblers do the reverse.
NASM is an assembler used for Windows programs.
The assembler also assigns memory locations to variables and instructions.
The files produced by the assembling process are called object files; they contain the binary representation of the program.
To create an executable file we need to use a linker.
Commands that we use to run NASM:-
- .\setpaths.bat:- to check whether NASM is set up and working.
- nasm -f win32 demo1.asm -o demo1.obj:- runs the assembler and creates the object file.
- GoLink.exe /entry _main demo1.obj kernel32.dll user32.dll:- creates an executable file from the object file.
A compiler converts high-level source code to low-level code (machine code) or directly to object files.
We can use compilers in two ways:-
- Use the IDE's compiler.
- Or from the command line with the gcc compiler:- gcc -m32 HelloStudents.c -o HelloStudents.exe
Different compilers may produce different machine code, so different outputs.
The difference between compilers and interpreters is that:-
compilers convert all of the code at one time.
interpreters convert the code line by line.
A decompiler is the reverse of a compiler: it converts low-level code (machine code) or object files back into high-level source code.
We can disassemble an executable with this command:- objdump -d -Mintel HelloStudents.exe > disasm.txt
Debuggers are programs that help us take control of other programs. They allow us to:-
- Stop the program while it is running.
- Analyze the stack and its data.
- Inspect registers.
- Change the program or program variables, and more.
Immunity Debugger is a debugger.
3* Buffer Overflows:-
Understanding Buffer Overflows:-
A buffer is any area in memory where more than one piece of data is stored.
A buffer overflow happens when we try to put more data into the buffer than it can hold.
strcpy is a function that copies one string to another. It has two arguments: one for the destination and the other for the source {strcpy(dest, src)}. It is vulnerable to BOF attacks.
strncpy is the function that replaces strcpy and fixes the vulnerability. It has three arguments: two strings, one for the destination and the other for the source, and one integer for the length of the required string.
Attackers force the program to execute specific code when performing a BOF attack, allowing them to take control of the program flow.
A BOF attack overwrites other important data in memory, such as EIP and EBP.
In order to perform a BOF attack:-
- Check if the program is vulnerable to BOF. * Run the program and pass it too many A's. If the program crashes, then it's vulnerable.
- Determine how many A's we should pass to reach the EIP address location.
- Pass the address of the desired function.
To get the address of a function we have two ways:-
- Analyze it in the debugger. * Immunity Debugger is for 32-bit CPUs. * x64dbg is for 64-bit CPUs.
- Disassemble the program's executable file with: objdump -d -Mintel goodpwd.exe > deassemble.txt
To pass the address we cannot use the Command Prompt. So we use the C++ or Python programming language.
- \x00 is called the null byte. When strcpy meets a null byte in the source string, it stops copying.
- So the payload we use must be free of null bytes, otherwise it won't work.
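Added example (my own C code, not from the course PDFs) of the strcpy → strncpy replacement described above, with the detail the notes leave out: strncpy does not write a terminator when the source is at least as long as the size you pass, so the safe wrapper adds it itself and reports truncation. The inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Copies src into dst (capacity dst_size bytes), always leaving dst
   NUL-terminated. Returns 1 if src had to be truncated, 0 otherwise.
   strncpy alone is not enough: when src is at least dst_size bytes long
   it writes no terminator, so the terminator is added explicitly here.
   strcpy(dst, src) would instead keep writing past the end of dst until
   it met a null byte in src, which is the overflow. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size;
}

/* Same idea for strcat: append only what still fits, keep the terminator. */
int bounded_concat(char *dst, size_t dst_size, const char *src) {
    size_t used = strlen(dst);
    if (used + 1 >= dst_size) return 1;          /* nothing fits */
    strncat(dst, src, dst_size - used - 1);      /* strncat always terminates */
    return used + strlen(src) >= dst_size;
}

int main(void) {
    char small[8];
    const char *long_input = "AAAAAAAAAAAAAAAAAAAA";   /* constructed: 20 A's */
    int truncated = bounded_copy(small, sizeof small, long_input);
    printf("copied \"%s\" (truncated=%d)\n", small, truncated);
    /* strcpy(small, long_input) here would write 21 bytes into an 8-byte buffer. */

    bounded_copy(small, sizeof small, "abc");
    truncated = bounded_concat(small, sizeof small, "defghijk");
    printf("after concat: \"%s\" (truncated=%d)\n", small, truncated);
    return 0;
}
```

A program that reports truncation instead of silently continuing is also easier to fuzz: the oversized input shows up as a logged event rather than as a crash.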
Finding and Exploiting Buffer Overflows:-
We can find out if a program is vulnerable to BOF in many ways:-
* If the program uses one of these unsafe functions inappropriately (without validating the inputs or checking the boundaries):- strcpy, strcat, gets (does not know the size of the array) / fgets, scanf / fscanf, vsprintf, printf and memcpy.
BOFs are a problem of unsafe languages which use pointers to locate or access memory addresses.
Interpreted languages are safe from BOFs.
If we have the source code, we can check whether it's vulnerable to BOFs manually or using tools such as splint.
If we don't have the source code, we can check by using tools such as a fuzzer or a tracer, or wait for the program to crash and then analyze the crash.
Not every vulnerable program can be exploited. Maybe we can only do DoS attacks.
Ways to find how many values should be entered to crash the program:-
- Enter values manually following this pattern:- start with 1500; if the program crashes, try half (divide by 2); if it doesn't, add half of it to itself (a binary search).
- Use IDA or Immunity Debugger.
- Use tools such as pattern_create → sends a unique pattern of values to the vulnerable program, & pattern_offset → tells how many values should be entered and the exact location of EIP → these tools come with Metasploit (we will see how they work in the Metasploit module).
- Use mona with Immunity Debugger.
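Added example (my own C code, not Metasploit's or mona's) of what pattern_create / !mona pc and pattern_offset / !mona po do under the hood during crash triage: build the cyclic "Aa0Aa1Aa2…" pattern, then look up the 4-byte value a register held at the crash to get the byte offset into the input. The register value 0x41336141 used below is constructed, chosen so it corresponds to the bytes "Aa3A".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generates the cyclic pattern "Aa0Aa1Aa2...Ab0..." of exactly len bytes
   (plus a terminating NUL) into out. Every 4-byte window is unique for the
   first 26*26*10*3 = 20280 bytes, so the value found in a register after
   a crash identifies a single position in the input. */
void pattern_create(char *out, size_t len) {
    size_t pos = 0;
    for (char u = 'A'; u <= 'Z' && pos < len; u++)
        for (char l = 'a'; l <= 'z' && pos < len; l++)
            for (char d = '0'; d <= '9' && pos < len; d++) {
                char triple[3] = { u, l, d };
                for (int k = 0; k < 3 && pos < len; k++)
                    out[pos++] = triple[k];
            }
    out[pos] = '\0';
}

/* Returns the byte offset at which the 4 bytes `needle` occur in the
   pattern, or -1 if they are not present. */
long pattern_offset_bytes(const char *pattern, size_t len, const unsigned char needle[4]) {
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pattern + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* A crashed 32-bit x86 register shows the bytes in little-endian order,
   so a register reading 0x41336141 means the bytes 41 61 33 41 ("Aa3A")
   were written there. Convert back to memory order before searching. */
long pattern_offset_reg(const char *pattern, size_t len, uint32_t reg_value) {
    unsigned char needle[4] = {
        (unsigned char)(reg_value & 0xff),
        (unsigned char)((reg_value >> 8) & 0xff),
        (unsigned char)((reg_value >> 16) & 0xff),
        (unsigned char)((reg_value >> 24) & 0xff)
    };
    return pattern_offset_bytes(pattern, len, needle);
}

int main(void) {
    char pat[101];
    pattern_create(pat, 100);          /* same as: !mona pc 100 */
    printf("%s\n", pat);
    /* constructed register value seen in the debugger after the crash */
    printf("EIP=0x41336141 -> offset %ld\n", pattern_offset_reg(pat, 100, 0x41336141u));
    return 0;
}
```

The offset returned is the number of bytes that land before the overwritten location, which is exactly the "junk data" length the notes refer to.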
To install mona in Immunity Debugger:-
- Clone the project with the command:- git clone https://github.com/corelan/mona.git
- Copy the mona.py file to C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands.
- To configure the mona working folder (where mona saves everything), run this command inside Immunity Debugger:- !mona config -set workingfolder C:\ImmunityLogs\%p
- Open the vulnerable program in Immunity Debugger.
- Create the data pattern with:- !mona pc 100
- Copy the pattern into the script (shellcode) as the payload.
- Run the shellcode.
- Run the vulnerable program in Immunity Debugger.
- Find how many characters are needed to reach the location of EIP with:- !mona po EIP
- To insert our shellcode we have to find the exact location of ESP. There are many ways to find it:- 1- by searching 2- with the findjmp2.py tool 3- with mona: !mona jmp -r esp -m kernel
- Put the result of !mona po EIP as junk data in the payload, then the ESP location, then the shellcode of the malware.
- Create the payload automatically with mona:- !mona suggest
- To check the ASLR status:- !mona noaslr
- To check the status of all modules:- !mona modules
* The distance in memory (number of bytes) to the target location is called the offset.
* ElectraSoft is FTP client software that is vulnerable to BOF.
* I cannot open more than one FTP connection on a machine at the same time.
* EMET (Enhanced Mitigation Experience Toolkit) is Microsoft software that helps prevent the exploitation of vulnerabilities.
To perform the exploit:-
- Fill in the junk data.
- Overwrite EIP.
- Insert the payload (shellcode): {junk data + ESP address + shellcode of a malware or software}.
C++ Course (Bonus):-
- Compiler → is a translator; it translates the source code into machine code. It's platform dependent. It's fast because it translates the whole code at once.
- Interpreter → evaluates expressions directly; no machine code is produced. It's platform independent, but each device must have its own interpreter. It's slow because it runs the code line by line.
- Intermediate → combines compiler and interpreter. It generates an intermediate language (IL) from the source code and sends the IL to the destination devices, and the destination devices compile the IL to machine code.
- IDE → Integrated Development Environment.
- To disable the automatic closing of the console:-
1- system("PAUSE"); 2- cin.ignore();
- Pointer variables hold memory addresses.
- Each memory address holds 1 byte = 8 bits.
- &m → returns the address of the variable m.
- *m → returns the value stored at the address held in m.
- We declare a pointer as: int *m;
4* Shellcoding:-
Execution of a shellcode:-
The shellcode can be sent in two ways:- 1- through the local machine. 2- through the network.
Attackers can insert the shellcode by overwriting the SEH (Structured Exception Handling) handler address.
Types of shellcodes:-
- Local shellcode or Privilege Escalation shellcode → requires physical access to the machine, and is used to gain higher privileges.
- Remote shellcode or Network shellcode or RCE (Remote Code Execution) shellcode → requires a connection over a protocol. It provides remote access to a machine.
Types of RCE shellcode:-
- Connect-back (reverse) shellcode:- the victim machine requests a connection to the attacker machine. It works even when detection systems or firewalls are present.
- Bind (normal) shellcode:- the attacker machine requests a connection to the victim machine. It does not work when detection systems or firewalls are present.
- Socket reuse shellcode:- a socket is IP + port used to establish connections. It sends the shellcode over an already open connection before it closes.
- Reverse shellcode and bind shellcode are the most common, but socket reuse shellcode is not widely used because of its complexity, and the vulnerability is usually already fixed.
- Staged shellcode:- used when the size of the shellcode that attackers want to send is bigger than the allowed space.
Types of staged shellcode:-
- Egg hunter:- divides the shellcode into two stages. The first one holds a small piece of the shellcode and calls the second stage.
- Omelet:- divides the shellcode into multiple stages. Each of them holds a small piece of the shellcode and they are sent separately.
- Download and Execute:- it connects to the internet, downloads the rest of the shellcode, then executes it.
Encoding of shellcodes:-
Encoding is converting the strings into executable code → machine code → bytes. The shellcode must be in alphanumeric format (letters + numbers; not only numbers) and free of null bytes → the 0 byte → \x00 → null, not the character zero ('0'). Null bytes stop the shellcode's execution.
Encryption is converting the strings into ciphertext (unreadable text). It requires a key for encryption and decryption.
Manually creating shellcodes:-
For example, we want to make the system sleep for 5 seconds:-
- The Sleep function is provided by the kernel32.dll file. To get the address of the Sleep function, we have to open kernel32.dll in Immunity Debugger or use the tool called arwin.
- Write the assembly code.
- Assemble it, then disassemble the object file to get the binary code (machine code).
- Then write the binary code in the shellcode string with the prefix \x and with no spaces.
- If we write the shellcode string as a usual string, it will not be executable. We must write it as binary codes.
- We can get ready-made shellcode from the Exploit-DB web page.
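Added example (my own C code, not from the course) for the "disassemble the object file, then write the bytes with the \x prefix" step, and for the null-byte rule in the encoding section: it parses an objdump -d -Mintel style listing, pulls out the instruction bytes, formats them as a \x string and reports the first null byte. The listing is constructed (xor eax,eax / mov eax,0x1388 / ret); it is not the Sleep shellcode and deliberately contains the null bytes that the mov's immediate produces, which is exactly what an analyst checks for.

```c
#include <stdio.h>
#include <string.h>

/* Constructed objdump -d -Mintel style listing (not any real shellcode):
   offset, colon, tab, hex bytes, padding, tab, mnemonic. */
static const char SAMPLE_LISTING[] =
    "   0:\t31 c0                \txor    eax,eax\n"
    "   2:\tb8 88 13 00 00       \tmov    eax,0x1388\n"
    "   7:\tc3                   \tret\n";

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Pulls the instruction bytes out of each listing line, in order.
   Lines without a "NN NN ..." byte column (section headers, symbol
   labels) contribute nothing. Returns how many bytes were written
   to out (at most max). */
size_t extract_listing_bytes(const char *listing, unsigned char *out, size_t max) {
    size_t n = 0;
    const char *line = listing;
    while (*line) {
        const char *nl = strchr(line, '\n');
        const char *lend = nl ? nl : line + strlen(line);
        const char *colon = memchr(line, ':', (size_t)(lend - line));
        if (colon) {
            const char *p = colon + 1;
            while (p < lend && (*p == ' ' || *p == '\t')) p++;   /* skip to first byte */
            while (p < lend) {
                while (p < lend && *p == ' ') p++;               /* spaces between bytes */
                /* a byte is exactly two hex digits followed by space, tab or end of line */
                if (p + 2 > lend || hexval(p[0]) < 0 || hexval(p[1]) < 0) break;
                if (p + 2 < lend && p[2] != ' ' && p[2] != '\t') break;
                if (n < max) out[n++] = (unsigned char)(hexval(p[0]) * 16 + hexval(p[1]));
                p += 2;
            }
        }
        line = nl ? nl + 1 : lend;
    }
    return n;
}

/* Formats bytes as the "\x.." string form used in exploit scripts.
   out must hold 4*n + 1 bytes; returns the string length written (0 if too small). */
size_t format_escaped(const unsigned char *bytes, size_t n, char *out, size_t out_size) {
    if (out_size < 4 * n + 1) { if (out_size) out[0] = '\0'; return 0; }
    for (size_t i = 0; i < n; i++)
        sprintf(out + 4 * i, "\\x%02x", bytes[i]);
    out[4 * n] = '\0';
    return 4 * n;
}

/* Index of the first null byte, or -1 if the sequence is null-free. */
long first_null_byte(const unsigned char *bytes, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (bytes[i] == 0) return (long)i;
    return -1;
}

int main(void) {
    unsigned char bytes[64];
    char escaped[4 * 64 + 1];
    size_t n = extract_listing_bytes(SAMPLE_LISTING, bytes, sizeof bytes);
    format_escaped(bytes, n, escaped, sizeof escaped);
    printf("%zu bytes: \"%s\"\n", n, escaped);
    long nul = first_null_byte(bytes, n);
    if (nul >= 0) printf("null byte at index %ld: strcpy-style copies stop here\n", nul);
    else printf("null-free\n");
    return 0;
}
```

The sample shows the classic source of null bytes: a 32-bit immediate (0x1388) encoded as 88 13 00 00. Spotting that in the listing is the check to make before copying the string into a script.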
More advanced shellcodes:-
Shellcodes and payload generators:-
Notes:-
- If we have assembly code and we want its binary code, we generate the object file with (nasm -f win32 file.asm -o file.obj), then disassemble it with (objdump -d -Mintel file.obj > file.txt).
- If we have assembly code and we want the executable, we generate the object file and then use the linker.
5* Cryptography and password cracking:-
Cryptography provides 4 services:-
- Confidentiality:- ensures that only authorized users can access the information.
- Authentication:- ensures that this is the right subject by comparing its credentials with a trusted system.
- Integrity:- ensures that only authorized users can change or alter the information.
- Non-repudiation:- creates proof so that senders cannot deny having sent their messages.
Cryptography classifications:-
1\ Encryption:- converts clear text (plaintext) into a human-unreadable form (ciphertext). To get the plaintext back from the ciphertext I need to decrypt the ciphertext with the correct key. It provides confidentiality. It is used for data at rest and in transit.
Encryption classifications:-
1* By the use of keys:-
1) Symmetric-key (private-key) encryption:- uses only one key for encryption and decryption.
2) Asymmetric-key (public-key) encryption:- uses two keys; encrypt with the receiver's public key and decrypt with the receiver's private key.
2* By how the data is handled:-
1) Block cipher:- handles data in blocks, each block of 8 bytes;
- ECB (Electronic Codebook):- encrypts each block independently.
- CBC (Cipher Block Chaining):- encrypts each block based on the previous block (dependently).
2) Stream cipher:- handles the data as a continuous stream, byte by byte.
2\ Hashing:- produces a fixed-length message. It's one-way encryption. The output is called a hash or digest. It provides integrity. It is used in transfer. It has the avalanche effect, which means that if one letter or space changes, it produces a completely different output.
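Added example (my own C code, not from the course) that measures the avalanche effect: hash a message, change a single character, and count how many of the digest bits flipped. To keep it dependency-free it uses FNV-1a, a small non-cryptographic hash, as a stand-in; it has a fixed 32-bit output and shows the effect, but it is not collision resistant and is no substitute for SHA-256 in real integrity checks. The messages are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 32-bit: a small NON-cryptographic hash used here only so the
   example runs without a crypto library. Fixed-length output, but not
   collision resistant; use SHA-256 or better for real integrity checks. */
uint32_t fnv1a32(const char *s) {
    uint32_t h = 0x811c9dc5u;                  /* FNV offset basis */
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x01000193u;                      /* FNV prime */
    }
    return h;
}

/* Number of differing bits between two 32-bit digests (Hamming distance). */
int differing_bits(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    int n = 0;
    while (x) { n += (int)(x & 1u); x >>= 1; }
    return n;
}

/* Avalanche check: hash msg and a copy with the character at change_index
   replaced, and report how many of the 32 digest bits flipped.
   Returns -1 if the index is out of range or the message is too long. */
int avalanche_bits(const char *msg, size_t change_index, char replacement) {
    char altered[256];
    size_t len = strlen(msg);
    if (len >= sizeof altered || change_index >= len) return -1;
    memcpy(altered, msg, len + 1);
    altered[change_index] = replacement;
    return differing_bits(fnv1a32(msg), fnv1a32(altered));
}

int main(void) {
    const char *msg = "transfer 100 to account 42";   /* constructed message */
    printf("digest: %08x\n", fnv1a32(msg));
    /* change one digit: '1' -> '9' at index 9 */
    printf("one character changed: %d of 32 digest bits differ\n",
           avalanche_bits(msg, 9, '9'));
    /* change one space to a tab */
    printf("one space changed:     %d of 32 digest bits differ\n",
           avalanche_bits(msg, 8, '\t'));
    return 0;
}
```

For a good cryptographic hash roughly half of the output bits flip on any single-character change; a digest that only changed in a few bits would let an attacker search for a modified message with the same hash, which is what the integrity guarantee rules out.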
3\ Public Key Infrastructure (PKI):- is a set of subjects (people, hardware, software, policies and procedures) needed to create, manage, store, distribute and revoke digital certificates.
The Certificate Authority makes sure that the identity of an individual or organization is certified and verified.
X.509 is the standard for public key certificates.
- A public key algorithm is different from a public key certificate.
- A public key algorithm is asymmetric encryption that uses two keys, public & private. It encrypts with the public key and decrypts with the private key.
- A public key certificate is part of PKI: a digital certificate which includes the public key. Here the private key is used to sign (encrypt) and the public key to verify (decrypt).
Digital signature:- used to authenticate messages. It encrypts the hash value of the message with the private key and decrypts it with the public key.
PGP (Pretty Good Privacy):- is software that provides cryptographic authentication and digital signatures.
Examples of software:- Gpg4win \ Kleopatra
SSH is more secure than Telnet; both are protocols to exchange data between two network devices. They allow remote access to a device.
Cryptographic attack:- exploiting the weakness of an algorithm to get the plaintext of a ciphertext without knowing the key.
Cryptographic attack classifications based on data type:-
1- Known-only attacks:-
- Known plaintext attack:- the attacker knows the plaintext and the ciphertext.
- Known ciphertext only attack:- the attacker only knows the ciphertext.
2- Chosen attacks:-
- Chosen plaintext attack:- the attacker knows the plaintext and the ciphertext, and can choose the plaintext.
- Chosen ciphertext attack:- the attacker knows the ciphertext, can choose it, and tries to find the plaintext.
3- Adaptive chosen attack:- the attacker knows the plaintext and ciphertext, and can choose the plaintext or the ciphertext based on previous results.
There are 5 common practical attacks:-
1- Brute force attack:- attempts every combination of the key. It's used the most in known plaintext or ciphertext only attacks.
* If the CPU speed & memory increase, the process can be done in less time. For that we can use a GPU.
Examples of websites that show how many hours are needed to crack a password with a brute force attack:- security.org, password.kaspersky.com
2- Dictionary attack:- attempts the most likely keys.
3- Rainbow table attack:- uses precomputed ciphertexts (hashes) corresponding to plaintexts.
* They are commonly used.
4- Side channel attack:- uses the plaintext, the ciphertext and the hardware used in encryption/decryption.
5- Birthday attack:- discovering collisions in hashing algorithms.
* The format of the password hash depends on the password length: if the password is less than 15 characters, it uses LM. If it's longer, it uses NT.
* Windows password hashes are stored in the SAM file.
* Linux password hashes are stored in the shadow file.
Created on 23 May 2021
Edited on 15 November 2021