My PTP Notes from eLearnSecurity PDFs with help by Netriders Academy

1* Architecture Fundamentals:-

The CPU is used to execute the machine code of programs.

Machine code is usually shown in hexadecimal. It is translated to assembly language (mnemonics), which is a human-readable representation.

Netwide Assembler (NASM) syntax is an example of an assembly language.

Every CPU has its own ISA (Instruction Set Architecture).

CPU registers with 32-bit width use the x86 ISA.

CPU registers with 64-bit width use the x64 ISA.

The CPU uses registers to store data temporarily and to communicate with memory (RAM). The CPU treats registers like variables.

CPU register names:-

8-bit:- the low 16 bits of each register are divided into two parts (a high and a low byte):-

AH and AL, CH and CL, DH and DL, BH and BL, SPL, BPL, SIL, DIL

16-bit:- AX, CX, DX, BX, SP, BP, SI, DI

32-bit:- EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI

64-bit:- RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI

CPU registers:-

EAX:- is used for arithmetic.

ECX:- is used as the counter in loops.

EDX:- is used for data.

EBX:- is used as a base pointer to data.

ESP:- is used to point to the top of the stack.

EBP:- is used to point to the base of the stack frame.

ESI:- source index.

EDI:- destination index.

EIP:- is used to point to the next instruction.

CPU Architecture

Stack Functions:-

1* Prologue:- used to prepare the stack before the function body runs, by creating a new stack frame.

  1. push ebp → saves the old stack frame's base pointer (the top of the old frame).

To store local variables on the stack:- mov DWORD PTR SS:[ESP + Y], ….

DWORD:- double word; 32 bits on a 32-bit Windows CPU.

PTR:- pointer.

SS:- stack segment.

[ESP + Y]:- the address where the value is stored.

….:- the value.

2* Epilogue:- used to restore the stack to its state before the prologue.

  1. mov esp, ebp → moves ESP back up to the top of the previous stack frame (ESP = EBP).

Endianness:- is the way values are stored in memory (the order of their bytes).

Endianness types:-

big-endian:- the MSB is stored at the lowest address and the LSB at the highest.

little-endian:- the LSB is stored at the lowest address and the MSB at the highest.

MSB:- Most Significant Byte; the byte with the largest value, which on x86 memory dumps usually appears on the right.

LSB:- Least Significant Byte; the byte with the lowest value, which on x86 memory dumps usually appears on the left.
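An added example (not from the course notes or the eLearnSecurity material) that shows the byte layout described above in Python: one 32-bit value packed big-endian and little-endian at a constructed address, a helper that reads a debugger-style dump line back into a value, and the packing a Python script needs for any 32-bit value it writes into memory on x86. The address 0x0012FF7C and the dump line are constructed for the example.

```python
import struct

BASE_ADDR = 0x0012FF7C  # constructed stack address used for the layout below


def byte_layout(value, order):
    """Lay out a 32-bit value in memory starting at BASE_ADDR.

    order is ">" for big-endian (MSB at the lowest address) or "<" for
    little-endian (LSB at the lowest address), which is what x86 uses.
    Returns a list of (address, byte) pairs in increasing address order.
    """
    raw = struct.pack(order + "I", value)
    return [(BASE_ADDR + i, b) for i, b in enumerate(raw)]


def msb_position(order):
    """Index (0 = lowest address, 3 = highest) at which the most significant
    byte of a 32-bit value sits for the given byte order."""
    raw = struct.pack(order + "I", 0xFF000000)
    return raw.index(0xFF)


def dump_line_to_value(line, order="<"):
    """Parse one debugger-style hex dump line such as
    '0012FF7C  EF BE AD DE' and return (address, 32-bit value).
    Bytes are shown left-to-right in increasing address order, so in
    little-endian order the rightmost byte is the most significant one."""
    addr_hex, *byte_hex = line.split()
    raw = bytes(int(h, 16) for h in byte_hex[:4])
    return int(addr_hex, 16), struct.unpack(order + "I", raw)[0]


def value_to_x86_bytes(value):
    """Bytes to place in memory so that an x86 CPU reads `value` back:
    little-endian order, the same packing a Python script must use for
    any 32-bit value it writes."""
    return struct.pack("<I", value)


if __name__ == "__main__":
    for order, name in ((">", "big-endian"), ("<", "little-endian")):
        cells = " ".join(f"{a:08X}:{b:02X}" for a, b in byte_layout(0xDEADBEEF, order))
        print(f"{name:14} {cells}")
    print(dump_line_to_value("0012FF7C  EF BE AD DE"))
```

In the little-endian layout the most significant byte lands at the highest address, which is the rightmost cell when a dump line is read left to right.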

NOP sled:- is a technique that fills the stack with NOPs (the No Operation instruction), which is represented by the hexadecimal byte 0x90.

Security implementations:-

  1. Address Space Layout Randomization (ASLR):- the OS loads the same executable at different locations in memory every time. Not every DLL has ASLR protection.

2* Assemblers, Debuggers and Tools Arsenal:-

Assemblers are used to convert assembly language (a low-level language of opcodes, operation codes) into machine code to be executed, and vice versa.

NASM is an assembler used for Windows programs.

The assembler also assigns memory locations to variables and instructions.

The files that result from the assembling process are called object files; they contain the binary representation of the program.

To create an executable file we need to use a linker.

Commands that we use to run NASM:-

  1. .\setpaths.bat:- checks whether NASM is working or not.

The compiler is used to convert high-level source code into low-level code (machine code), or directly into object files.

We can use the compilers in two ways:-

  1. Use IDE compiler

Every compiler may produce different machine code, so the outputs differ.

The difference between compilers and interpreters is:-

compilers convert all the code at once.

interpreters convert the code line by line.

A decompiler is the reverse process of a compiler. It converts low-level code (machine code) or object files into high-level source code.

We can decompile (strictly, disassemble) using this command:- objdump -d -Mintel HelloStudents.exe > disasm.txt

Debuggers are programs that let us take control of other programs. They allow us to:-

  • Stop the program while it is running.

Immunity Debugger is a debugger.

3*Buffer Overflows:-

Understanding Buffer Overflows:-

Buffer refers to any area in memory where more than one piece of data is stored.

Buffer overflow refers to what happens when we try to put more data into the buffer than it can hold.

strcpy is a function that copies one string to another. It has two arguments: one for the destination and the other for the source, strcpy(dest, src). It is vulnerable to BOF attacks.

strncpy is a function that replaces strcpy and fixes the vulnerability. It has three arguments: two strings, one for the destination and the other for the source, and one integer for the maximum number of characters to copy.

Attackers force the program to execute specific code when performing a BOF attack, allowing them to take control of the program flow.

A BOF attack overwrites other important data in memory, such as the saved EIP and EBP.

In order to perform BOF attack:-

  1. We check if the program is vulnerable to a BOF attack. * Run the program and pass it too many A's as the input value. If the program crashes, then it's vulnerable.

To get the address location of a function we have two ways:-

  1. Analyze it in the debugger. *Immunity Debugger is for 32-bit CPUs. *x64dbg is for 64-bit CPUs.

To pass the address location we cannot use the Command Prompt, so we will use a C++ or Python program.

  • C++
  • Python
  • \x00 is called the null byte. When the strcpy function meets a null byte in the source string, it stops copying.
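An added example that is not from the course: a small Python model of a 32-bit stack frame that ties together the prologue and epilogue, the strcpy/strncpy behaviour, the null byte that ends a C string, and the overwrite of the saved EBP and EIP. Every address, the 16-byte buffer and the payloads are constructed; the model never touches real memory. The hardened bounded_copy is my own illustration of a caveat the notes do not mention: C's strncpy leaves the buffer without a terminating null when the source fills it completely.

```python
import struct

# All values below are constructed for the example; nothing here touches real memory.
MEM_BASE = 0xBFFFF000      # lowest address of the toy stack region
MEM_SIZE = 64
OLD_EBP = 0xBFFFF0F0       # the caller's frame pointer
RETURN_ADDR = 0x08048500   # where the caller expects execution to resume
BUF_SIZE = 16              # the callee's only local: char buf[16]


class ToyStack:
    """Byte-addressable 32-bit stack: dwords are stored little-endian, ESP
    grows downward, and a write outside the region raises instead of
    silently corrupting something else."""

    def __init__(self):
        self.mem = bytearray(MEM_SIZE)
        self.esp = MEM_BASE + MEM_SIZE - 16   # leave room above for the caller
        self.ebp = OLD_EBP
        self.eip = None

    def index(self, addr):
        off = addr - MEM_BASE
        if not 0 <= off < MEM_SIZE:
            raise IndexError(f"address {addr:#x} is outside the toy stack")
        return off

    def write_byte(self, addr, b):
        self.mem[self.index(addr)] = b

    def write_dword(self, addr, value):
        i = self.index(addr)
        self.mem[i:i + 4] = struct.pack("<I", value)      # little-endian like x86

    def read_dword(self, addr):
        i = self.index(addr)
        return struct.unpack("<I", bytes(self.mem[i:i + 4]))[0]

    def push(self, value):
        self.esp -= 4
        self.write_dword(self.esp, value)

    def pop(self):
        value = self.read_dword(self.esp)
        self.esp += 4
        return value


def c_string(src):
    """A C string ends at its first null byte; append one if the payload has none."""
    return src.split(b"\x00", 1)[0] + b"\x00"


def strcpy(st, dest, src):
    """Unbounded copy: writes every byte up to and including the null."""
    for i, b in enumerate(c_string(src)):
        st.write_byte(dest + i, b)


def strncpy(st, dest, src, n):
    """C strncpy semantics: at most n bytes, null-padded, but NO terminator
    when the source has n or more bytes before its null."""
    data = c_string(src)[:-1][:n].ljust(n, b"\x00")
    for i, b in enumerate(data):
        st.write_byte(dest + i, b)


def bounded_copy(st, dest, src, n):
    """Hardened form (my illustration): at most n-1 bytes, always terminated."""
    strncpy(st, dest, src, n - 1)
    st.write_byte(dest + n - 1, 0)


def run_frame(copy, payload, *copy_args):
    """Simulate CALL -> prologue -> copy payload into buf -> epilogue -> RET.
    Returns (EBP after RET, EIP after RET, the 16 bytes of buf)."""
    st = ToyStack()
    st.push(RETURN_ADDR)      # CALL pushes the return address
    st.push(st.ebp)           # prologue: push ebp      (save the caller's frame)
    st.ebp = st.esp           #           mov ebp, esp
    st.esp -= BUF_SIZE        #           sub esp, 16   (room for buf)
    buf = st.esp              # buf occupies [ebp-16] .. [ebp-1]; saved EBP sits at [ebp]
    copy(st, buf, payload, *copy_args)
    st.esp = st.ebp           # epilogue: mov esp, ebp
    st.ebp = st.pop()         #           pop ebp
    st.eip = st.pop()         #           ret           (pops into EIP)
    i = st.index(buf)
    return st.ebp, st.eip, bytes(st.mem[i:i + BUF_SIZE])


if __name__ == "__main__":
    payload = b"A" * 16 + b"B" * 4 + b"C" * 4        # constructed over-long input
    for name, copy, args in (("strcpy", strcpy, ()), ("strncpy", strncpy, (BUF_SIZE,)),
                             ("bounded_copy", bounded_copy, (BUF_SIZE,))):
        ebp, eip, buf = run_frame(copy, payload, *args)
        print(f"{name:13} EBP={ebp:#010x} EIP={eip:#010x} buf={buf!r}")
```

With strcpy the 24-byte payload runs past buf, the four B's become the saved EBP and the four C's become the value RET pops into EIP; strncpy with the buffer size keeps both intact but leaves buf with no null, which is why the bounded form copies one byte less and terminates explicitly.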

Finding and Exploiting Buffer Overflows:-

We can find out if the program is vulnerable to BOF in many ways:-

*If the program uses one of these unsafe functions inappropriately, that is, without validating the inputs or checking the boundaries:- strcpy, strcat, gets (→ not limited to the size of the array) / fgets, scanf / fscanf, vsprintf, printf and memcpy.

BOFs are problems of unsafe languages, which use pointers to locate or access memory addresses.

Interpreted languages are safe from BOFs.

If we have the source code, we can check whether it's vulnerable to BOFs manually or using tools such as splint.

If we don't have the source code, we can check by using tools such as a fuzzer or a tracer, or wait for the program to crash and then analyze the crash.

Not every vulnerable program can be exploited. Sometimes only a DoS (crash) is possible.

Ways to find how many bytes should be entered to crash the program:

  • Try lengths manually following this pattern:- start with 1500; if the program crashes, try half of it (750); if it does not crash, add half of that to itself (750 + 375 = 1125), and keep narrowing down.

  • Use IDA or Immunity Debugger.
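An added example (my own, not the course's) that turns the halving rule above into code, with a constructed stand-in for the vulnerable program that reports a crash once the input spills past its buffer and the two saved 32-bit values behind it (saved EBP and return address). The buffer sizes, the 1500-byte start and the 1,000,000-byte upper bound are assumptions for the example.

```python
def make_mock_target(buffer_size, saved_words=2):
    """Constructed stand-in for the vulnerable program (not a real target):
    it 'crashes' (returns True) once the input is longer than the buffer
    plus the saved_words 32-bit values stored right after it, i.e. the
    saved EBP and the return address."""
    limit = buffer_size + 4 * saved_words

    def crashes(length):
        return length > limit

    return crashes


def find_crash_length(crashes, start=1500):
    """The halving rule from the notes: begin with `start` bytes; if that
    crashes, try half of it; if a length does not crash, add half of the
    remaining gap back, and keep narrowing until the crashing and the
    non-crashing length are one byte apart.
    Returns (smallest crashing length, number of runs it took)."""
    runs = 0

    def probe(length):
        nonlocal runs
        runs += 1
        return crashes(length)

    good, bad = 0, start               # good: no crash, bad: crash (once found)
    while not probe(bad):              # start was too small: double it
        good, bad = bad, bad * 2
        if bad > 1_000_000:            # assumed upper bound for the example
            raise ValueError("no crash up to 1,000,000 bytes")
    while bad - good > 1:
        mid = (good + bad) // 2
        if probe(mid):
            bad = mid
        else:
            good = mid
    return bad, runs


if __name__ == "__main__":
    target = make_mock_target(buffer_size=1024)   # constructed: char buf[1024]
    length, runs = find_crash_length(target)
    print(f"smallest crashing input: {length} bytes, found in {runs} runs")
```

Each run halves the interval, so a 1024-byte buffer is pinned down in eleven runs instead of the thousand or so a byte-by-byte search would take.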

To install mona in Immunity debugger:-

  1. Clone the project with the command:- git clone https://github.com/corelan/mona.git

*The memory space (the distance between two locations) is called the offset.

*Electra soft is an FTP client software and it's vulnerable to BOF.

*I cannot open more than one FTP connection on a machine at the same time.

*EMET is software that helps prevent vulnerabilities from being exploited.

To perform the exploit:-

  1. Fill with junk data.

C++ Course (Bonus):-

  • Compiler → is a translator; it translates the source code to machine code. It is platform dependent. It is fast because it runs all the code at once.

Ways to keep the console window open: 1- system("PAUSE"); 2- cin.ignore();

  • Pointer variables hold memory addresses.

4*Shellcoding:-

Execution of a shellcode:-

The shellcode can be sent in two ways:- 1- through the local machine. 2- through the network.

Attackers can insert the shellcode by overwriting the address of the SEH (Structured Exception Handling) handler.

Types of shellcodes:-

  • Local shellcode or privilege escalation shellcode → requires local (physical) access to the machine and is used to get higher privileges.

Types of RCE shellcode:-

  1. Connect-back (reverse) shellcode:- the victim machine requests the connection to the attacker's machine. It works even in the presence of detection systems or firewalls.
  • Reverse shellcode and bind shellcode are the most common. Socket reuse shellcode is not widely used because of its complexity, and the vulnerability it relied on has already been fixed.

Types of staged shellcode:-

  1. Egg hunter:- divides the shellcode into two stages. The first one holds a small piece of the shellcode and finds and calls the second stage.

Encoding of shellcodes:-

Encoding is converting strings into executable code → machine code → bytes. The shellcode must be in alphanumeric format (letters + numbers, not only numbers) and free of null bytes → the 0 byte → \x00 → null, not the character zero ('0'). Null bytes stop the execution of the shellcode.

Encryption is converting strings into ciphertext (unreadable text). It requires a key for encryption and decryption.

Manually creating shellcodes:-

For example, we want to make the system sleep for 5 seconds:-

  1. The Sleep function is provided by the kernel32.dll file. To get the address of the Sleep function, we open kernel32.dll in Immunity Debugger or use the tool called arwin.
  • If we write the shellcode string as a usual string, it will not be executable. We must write it as binary code.

More advanced shellcodes:-

Shellcodes and payload generators:-

notes:-

  • If we have assembly code and we want its binary code, we generate the object file with (nasm -f win32 file.asm -o file.obj) and then disassemble it with (objdump -d -Mintel file.obj > file.txt).

5* Cryptography and passwords cracking:-

Cryptography provides 4 services:-

  1. Confidentiality:- ensures that only authorized users can access the information.

Cryptography classifications:-

1\ Encryption:- converts clear text (plaintext) into a form humans cannot read (ciphertext). To get the plaintext back from the ciphertext I need to decrypt the ciphertext with the correct key. It provides confidentiality. It is used for data at rest and in transit.

Encryption classifications:-

1* By use of keys:-

1) Symmetric-key (private-key) encryption:- uses only one key for encryption and decryption.

2) Asymmetric-key (public-key) encryption:- uses two keys; encrypt with the receiver's public key and decrypt with the receiver's private key.

2* By handling the data:-

1) Block cipher:- handles the data in blocks, each block of 8 bytes;

  1. ECB (Electronic Codebook):- encrypts each block independently.

2) Stream cipher:- handles the data one byte at a time.
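An added illustration of the ECB property (each block handled on its own) that is not from the course: a toy 8-byte block cipher (XOR with the key, then a one-byte rotation; invertible but in no way secure) run in ECB mode and, for contrast, in CBC mode, which chains each block to the previous ciphertext block. PKCS#7 padding is used so any length works. The key k3y!k3y!, the IV and the message are constructed.

```python
BLOCK = 8   # block size from the notes: 8 bytes per block


def toy_block_encrypt(key, block):
    """Toy 8-byte block 'cipher' for illustration only: XOR with the key,
    then rotate the bytes left by one. It is invertible, nothing more."""
    x = bytes(a ^ b for a, b in zip(block, key))
    return x[1:] + x[:1]


def toy_block_decrypt(key, block):
    x = block[-1:] + block[:-1]            # undo the rotation
    return bytes(a ^ b for a, b in zip(x, key))


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK          # always adds 1..BLOCK bytes
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor_block(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key, plaintext):
    """ECB: every block is encrypted on its own, so equal plaintext blocks
    produce equal ciphertext blocks and the pattern of the data leaks."""
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return pkcs7_unpad(b"".join(toy_block_decrypt(key, b) for b in blocks(ciphertext)))


def cbc_encrypt(key, iv, plaintext):
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first one) before encryption, so repeats are hidden."""
    out, prev = [], iv
    for b in blocks(pkcs7_pad(plaintext)):
        prev = toy_block_encrypt(key, xor_block(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor_block(toy_block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """How many ciphertext blocks are duplicates of an earlier block."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    KEY, IV = b"k3y!k3y!", bytes(range(8))          # constructed key and IV
    msg = b"ABCDEFGH" * 4                           # constructed: 4 identical blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, msg)))
```

The point is independent of the toy cipher: under ECB any block cipher, however strong, maps equal input blocks to equal output blocks, which is what makes repeated structure visible in the ciphertext.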

2\ Hashing:- produces a fixed-length message (digest). It is one-way encryption. The output is called the hash or digest. It provides integrity. It is used in transit. It has the avalanche effect, which means that if one letter or space changes, it produces a completely different output.
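An added example (not from the notes' source) of the hashing properties listed above, using Python's standard hashlib: a fixed digest length regardless of input size, the avalanche effect measured as the number of differing bits between the digests of two nearly identical messages, and an integrity check that compares a recomputed digest with the one the sender published using a constant-time comparison. The messages are constructed.

```python
import hashlib
import hmac


def digest(data, algo="sha256"):
    """Fixed-length digest of any amount of data (32 bytes for SHA-256)."""
    return hashlib.new(algo, data).digest()


def differing_bits(d1, d2):
    """Count the bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(d1, d2))


def avalanche(msg1, msg2, algo="sha256"):
    """Return (differing bits, total bits) for the digests of two messages;
    a good hash flips about half of the bits for a one-character change."""
    d1, d2 = digest(msg1, algo), digest(msg2, algo)
    return differing_bits(d1, d2), len(d1) * 8


def integrity_ok(data, expected_hex, algo="sha256"):
    """Integrity check: recompute the digest of the received data and compare
    it with the digest the sender published, in constant time."""
    return hmac.compare_digest(digest(data, algo).hex(), expected_hex)


if __name__ == "__main__":
    # Constructed messages: the same text with the case of one letter changed.
    a, b = b"The quick brown fox", b"the quick brown fox"
    print("sha256(a) =", digest(a).hex())
    print("sha256(b) =", digest(b).hex())
    print("bits changed: %d of %d" % avalanche(a, b))
    print("1 byte and 1 MB give the same digest length:",
          len(digest(b"x")) == len(digest(b"x" * 1_000_000)))
```

Because the digest length is fixed, the integrity check costs the same whether the data is one byte or a whole file, and because of the avalanche effect a single changed character is as detectable as a rewritten document.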

3\ Public Key Infrastructure (PKI):- is the set of subjects (people, hardware, software, policies and procedures) needed to create, manage, store, distribute and revoke digital certificates.

The Certificate Authority makes sure that the identity of an individual or organization is certified and verified.

X.509 is the standard for public key certificates.

  • A public key algorithm is different from a public key certificate.

Digital signature:- is used to authenticate messages. The hash value of the message is encrypted with the private key and decrypted with the public key.

PGP (Pretty Good Privacy):- is Windows software that provides cryptographic authentication and digital signatures.

Examples of software:- Gpg4win \ Kleopatra

SSH is more secure than Telnet; both are protocols for exchanging data between two network devices and allow remote access to a device.

Cryptographic attack:- exploiting a weakness of the algorithm to get the plaintext of a ciphertext without knowing the key.

Cryptographic attack classifications based on the data type:-

1- Known-only attacks:-

  1. Known plaintext only attack:- the attacker knows the plaintext and its ciphertext.

2- Chosen attacks:-

  1. Chosen plaintext only attack:- the attacker knows the plaintext and ciphertext; the attacker can choose the plaintext.

3- Adaptive chosen attack:- the attacker knows the plaintext and ciphertext; the attacker can choose the plaintext (or the ciphertext) based on previous results.

There are 5 common practical attacks:-

1- Brute-force attack:- attempts every combination of the key. It's used mostly in known-plaintext or ciphertext-only attacks.

*If the CPU speed and memory increase, the process can be done in less time. For that we can use a GPU.

Examples of websites that show how many hours are needed to crack a password with a brute-force attack:- security.org, password.kaspersky.com.

2- Dictionary attack:- attempts the most likely keys.

3- Rainbow table attack:- uses precomputed ciphertexts (hashes) corresponding to plaintexts.

*They are commonly used.

4- Side-channel attack:- uses the plaintext, the ciphertext and the hardware used for encryption/decryption.

5- Birthday attack:- discovering collisions in hashing algorithms.

*The format of a password hash depends on the password length: if the password is less than 15 characters, it uses LM; if it's more, it uses NT.

*Windows password hashes are stored in the SAM file.

*Linux password hashes are stored in the shadow file.

After exploitation, we need to escalate privileges by accessing the hashes.

Created on 23 May 2021

Edited on 15 November 2021