My PTP Notes from eLearnSecurity PDFs with help by Netriders Academy

1* Architecture Fundamentals:-

CPU is used to execute the machine codes of programs.

Machine code is represented in hexadecimal. It is then translated to assembly language (mnemonics), which is a human-readable language.

Netwide is an example of an assembly language.

Every CPU has its own ISA Instruction Set Architecture.

CPUs with 32-bit wide registers use the x86 ISA.

CPUs with 64-bit wide registers use the x64 ISA.

CPU uses registers to store data temporarily and communicate with memory (RAM). CPU deals with the registers as variables.

CPU registers Names:-

8-bit:- it is divided into two parts:-

AH and AL, CH and CL, DH and DL, BH and BL, SPL, BPL, SIL, DIL

16-bit:- AX, CX, DX, BX, SP, BP, SI, DI

32-bit:- EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI

64-bit:- RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI

CPU registers:-

EAX:- is used for arithmetic.

ECX:- is used for counter in loops…

EDX:- is used for data.

EBX:- is used as base to point to a data.

ESP:- is used to point to the top of the stack.

EBP:- is used to point to the base.

ESI:- Source index

EDI:- Destination index

EIP:- is used to point to the next instruction.

CPU Architecture

Stack Functions:-

1* prologue:-used to prepare the stack for the processes before creating a new stack frame.

To store local variables on the stack:- mov DWORD PTR SS:[ESP + Y], ….

DWORD:- Double WORD; 32bits Windows CPU

PTR:- pointer

SS:- stack segment

[ESP + Y]:- address where to store the value.

….:- the value

2* epilogue:- used to restore the stack to its pre-prologue settings.

Endianness:- is the way values are stored in memory.

Endianness types:-

Big-endian:- the MSB is stored at the lowest address and the LSB at the highest.

Little-endian:- the LSB is stored at the lowest address and the MSB at the highest.

MSB:- Most Significant Bits; the largest value usually in the right.

LSB:- Least Significant Bits; the lowest value usually in the left.
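How the two byte orders lay out one 32-bit value in memory, as an added example in C (not from the course material). The sample value 0x0A0B0C0D and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte found at memory offset `off` (0..3) when the 32-bit value `v`
   is stored little-endian (little = 1) or big-endian (little = 0). */
unsigned char byte_at(uint32_t v, int off, int little) {
    int shift = little ? 8 * off : 8 * (3 - off);
    return (unsigned char)(v >> shift);
}

/* Rebuild a value from four little-endian bytes, independent of the host. */
uint32_t load_le32(const unsigned char *in) {
    return (uint32_t)in[0] | (uint32_t)in[1] << 8 |
           (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
}

/* 1 if this machine stores the LSB at the lowest address (x86 does). */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

int main(void) {
    uint32_t value = 0x0A0B0C0D;      /* constructed sample value */
    unsigned char raw[4];
    memcpy(raw, &value, sizeof raw);  /* bytes as the host really stores them */

    printf("offset  little  big  host(%s)\n",
           host_is_little_endian() ? "little" : "big");
    for (int off = 0; off < 4; off++)
        printf("  +%d      %02X    %02X    %02X\n", off,
               byte_at(value, off, 1), byte_at(value, off, 0), raw[off]);
    return 0;
}
```

On an x86 machine the host column matches the little-endian column, which is why a 32-bit address appears byte-reversed in a debugger's memory dump.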

NOP-sled:- is a technique that fills the stack with NOPs. NOP is the No Operation instruction, and it is represented by hexadecimal 0x90.

Security Implementations:-

2* Assemblers, Debuggers and Tools Arsenal:-

Assemblers are used to convert the assembly language (low level language, opcode, operational code) to machine code to be executed and vice versa.

NASM is an assembler used for Windows programs.

The assembler is also used to assign memory locations, variables and instructions.

The files resulting from the assembling process are called object files, which contain the binary representations of the programs.

To create an executable file we need to use a linker.

Commands that we use to run NASM:-

The compiler is used to convert high level source code to low level (machine code) or directly to object files.

We can use the compilers in two ways:-

Each compiler may produce different machine code, and so different outputs.

The difference between compilers and interpreters is that:-

Compilers convert all the code at one time.

Interpreters convert the code line by line.

A decompiler performs the reverse process of a compiler. It converts low level (machine code) or object files to high level source code.

We can decompile by using this command:- objdump -d -Mintel HelloStudents.exe > disasm.txt

Debuggers are programs that help us take control over other programs. They allow us to:-

  • Stop the program while it is running.
  • Analyze the stack and its data.
  • Inspect registers.
  • Change the program or program variables and more.

Immunity Debugger is a debugger.

3*Buffer Overflows:-

Understanding Buffer Overflows:-

Buffer refers to any area in memory where more than one piece of data is stored.

A buffer overflow occurs when we try to put more data into the buffer than it can handle.

strcpy is a function that copies one string to another. It has two arguments: one for the destination and the other for the source {strcpy(dest,src)}. It is vulnerable to BOF attacks.

strncpy is a function that replaces strcpy, and fixes the vulnerability. It has three arguments: two strings, one for the destination and the other for the source, and one integer for the length of the required string.
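The two copy functions side by side, as an added C example that is not part of the original notes: strncpy bounds the write but leaves the destination without a terminator when the source fills it, so the hardened version terminates explicitly and reports truncation. NAME_LEN and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8   /* assumed destination size for this example */

/* Vulnerable pattern: strcpy copies until the source's NUL byte, so any
   src longer than NAME_LEN - 1 writes past dest. Never called below. */
void copy_unchecked(char *dest, const char *src) {
    strcpy(dest, src);
}

/* strncpy alone: the write is bounded, but dest is left without a NUL
   terminator when strlen(src) >= NAME_LEN. Returns 1 if terminated. */
int copy_strncpy_only(char *dest, const char *src) {
    strncpy(dest, src, NAME_LEN);
    return memchr(dest, '\0', NAME_LEN) != NULL;
}

/* Hardened copy: bounded, always terminated, truncation reported.
   Returns 0 if src fitted, -1 if it was truncated or dest_size is 0. */
int copy_bounded(char *dest, size_t dest_size, const char *src) {
    size_t len = strlen(src);
    if (dest_size == 0)
        return -1;
    size_t n = len < dest_size ? len : dest_size - 1;
    memcpy(dest, src, n);
    dest[n] = '\0';
    return len < dest_size ? 0 : -1;
}

int main(void) {
    const char *input = "AAAAAAAAAAAAAAAA";  /* constructed 16-byte input */
    char a[NAME_LEN], b[NAME_LEN];

    printf("strncpy left dest terminated: %d\n", copy_strncpy_only(a, input));
    int rc = copy_bounded(b, sizeof b, input);
    printf("copy_bounded rc=%d dest=\"%s\"\n", rc, b);
    return 0;
}
```

An unterminated destination is itself a defect: a later strlen or printf on it reads past the buffer, so code review should look for the explicit terminator wherever strncpy is used.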

Attackers force the program to execute specific code when they’re performing BOF attack, allowing them to take control of the program flow.

A BOF attack overwrites other important data in memory, such as EIP and EBP.

In order to perform BOF attack:-

To get the address location of a function we have two ways:-

To pass the address location we cannot use the “Command Prompt”, so we will use the C++ or Python programming language.

C++
Python
  • \x00 is called the null byte. When the strcpy function encounters a null byte in the source, it stops.
  • So the payload that we use must be free of null bytes, otherwise it won’t work.

Finding and Exploiting Buffer Overflows:-

We can find out whether the program is vulnerable to BOF in many ways:-

*If the program uses one of these unsafe methods inappropriately, either not validating the inputs or not checking the boundaries:- strcpy, strcat, gets → used to the size of an array / fgets, scanf / fscanf, vsprintf, printf and memcpy

BOFs are problems of unsafe languages which use pointers to locate or access memory addresses.

The interpreted languages are safe from BOFs.

If we have the source code, we can check if it’s vulnerable to BOFs manually or using tools such as splint.

If we don’t have the source code, we can check by using tools such as a fuzzer or tracer, or wait for the program to crash and then analyze the crash.

Not every vulnerable program can be exploited; we may be able to do DoS attacks instead.

Ways to find how many values should be entered to crash the program:

  • We try to enter values manually following this pattern:-

Try 1500. If the program crashes, divide it by 2 and try again; if it does not, divide it by 2 and add the result to itself.

  • use IDA or Immunity Debugger.
  • use tools such as pattern create → sends random values to the vulnerable programs & pattern offset → defines how many values should be entered and what is the exact location of EIP → these tools only work in Metasploit. (we will see how they work in the Metasploit module)
  • use mona with Immunity debugger.

To install mona in Immunity debugger:-

*The memory space is called offset

*ElectraSoft is FTP client software and it’s vulnerable to BOF.

*I cannot open more than one FTP connection in a machine at the same time.

*EMET is software that prevents vulnerabilities.

To perform the exploit:-

C++ Course (Bonus):-

  • Compiler → is a translator; it translates the source code to machine code. It’s platform dependent. It’s fast because it runs the code at once.
  • Interpreter → is an expression; no machine code. It’s platform independent. The devices must have their own interpreter. It’s slow because it runs line by line.
  • Intermediate → It combines compiler and interpreter. It generates the intermediate language (IL) from the source code and sends the IL to the destination devices, and the destination devices compile the IL to machine code.
  • IDE → is Integrated Development Environment.
  • to disable automatic closing of the console:-

1- system("PAUSE"); 2- cin.ignore();

  • pointer variables hold memory addresses.
  • it stores 1 byte=8 bits.
  • &m → returns the address of the value of variable m.
  • *m → returns the value at the address held in variable m.
  • we declare a pointer: int *m.

4*Shellcoding:-

Execution of a shellcode:-

The shellcode can be sent in two ways:-1- through local machine. 2- through networks.

Attackers can insert the shellcode by overwriting the address locations of the SEH (Structured Exception Handling) messages.

Types of shellcodes:-

  • Local shellcode or Privilege Escalation shellcode → requires physical access to the machine, and enables getting higher privileges.
  • Remote shellcode or Network shellcode or RCE (Remote Code Execution) shellcode → requires being connected to a protocol. It provides remote access to a machine.

Types of RCE shellcode:-

  • Reverse shellcode and bind shellcode are the most common, but socket reuse shellcode is not widely used because of its complexity, and the vulnerability is already fixed.
  • Staged shellcode:- when the size of the shellcode that attackers want to send is bigger than the allowed space.

Types of staged shellcode:-

Encoding of shellcodes:-

Encoding is converting the strings into executable codes → machine code → bytes. The shellcode must be in alphanumeric format (letters + numbers; not only numbers) and free of null bytes → 0 byte → \x00 → null, not (zero; 0). Null bytes cause the shellcode’s execution to stop.

Encryption is converting the strings into ciphertext (not readable text). It requires a key for encryption and decryption.

Manually creating shellcodes:-

For example; we want to make the system sleep for 5 seconds:-

  • If we write the shellcode string as a usual string, it will not be executable. We must write it as binary code.
  • We can get ready-made shellcode from the Exploit DB webpage.

More advanced shellcodes:-

Shellcodes and payload generators:-

notes:-

  • if we have assembly code and we want the binary code of it, we generate the object file with (nasm -f win32 file.asm -o file.obj) and then disassemble it with (objdump -d -Mintel file.obj > file.txt).
  • if we have assembly code and we want the executable, we generate the object file and then use the linker.

5* Cryptography and passwords cracking:-

Cryptography provides 4 services:-

Cryptography classifications:-

1\ Encryption:- It converts the clear text (plaintext) to a human-unreadable form (ciphertext). To get the plaintext from the ciphertext, I need to decrypt the ciphertext with the correct key. It provides confidentiality. It is used when data is at rest and in transfer.

Encryption classifications:-

1* By use of keys:-

1) Symmetric-key (private-key) encryption:-use only one key for encryption and decryption.

2) Asymmetric-key (public-key) encryption:- uses two keys; encrypt with the receiver’s public key and decrypt with the receiver’s private key.

2* By handling the data:-

1) Block cipher:- handles data by blocks, each block with 8 bytes.

2) Stream cipher:- handles all data at once, byte by byte.

2\ Hashing:- it produces fixed-length messages. It’s one-way encryption. The output is called a hash or digest. It provides integrity. It is used in transfer. It has the avalanche effect, which means that if one letter or space changes, it produces a different output.

3\ Public Key Infrastructure (PKI):- is a set of subjects (people, hardware, software, policies and procedures) needed to create, manage, store, distribute and revoke digital certificates.

The Certificate Authority makes sure that the identity of an individual or organization is certified and verified.

X509 is the standard for public Key certificates.

  • Public key algorithm is different from public key certificate.
  • Public key algorithm is asymmetric encryption that uses two keys public & private. It encrypts by public key and decrypts by private key.
  • A public key certificate is PKI that uses a digital certificate which includes the public key. It encrypts by private key and decrypts by public key.

Digital signature:- it is used to authenticate messages. It encrypts the hash value of the message by private key and decrypts by public key.

PGP (Pretty Good Privacy):- is Windows software that provides cryptographic authentication and digital signatures.

Examples of software:- Gpg4win \ Kleopatra

SSH is more secure than Telnet; both are protocols for exchanging data between two network devices. It allows remote access to a device.

Cryptography attack:- is exploiting the weakness of an algorithm to get the plaintext of a ciphertext without knowing the key.

Cryptography attacks classifications based on data type:-

1- Known only attack:-

2- Chosen attack:-

3- Adaptive chosen attack:- the attacker knows the plaintext and ciphertext. The attacker can choose the plaintext or the plaintext based on the result.

There are 5 common practical attacks:-

1- Brute force attack:- attempts every combination of the key. It’s used the most in known plaintext or ciphertext only.

*If the CPU speed & memory increase, the process can be done in less time. For that we can use a GPU.

Examples of websites that show how many hours are needed to crack a password using a brute force attack:- security.org, password.kaspersky.com.

2- Dictionary attack:- attempts the most likely keys.

3- Rainbow table attack:- computes the ciphertext corresponding to a plaintext.

*They are commonly used.

4- Side channel attack:- it uses the plaintext, ciphertext and the hardware used in encryption\decryption.

5- Birthday attack:- discovering collisions in hashing algorithms.

*The format of the password hash depends on the password’s length: if the password is less than 15 characters, it uses LM. If it’s more, it uses NT.

*The Windows password hashes are stored in the SAM file.

*The Linux password hashes are stored in the shadow file.

After exploitation, we need to perform privilege escalation by accessing the hashes.

Created on 23 May 2021

Edited on 15 November 2021
