Foreword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1

Transcription

1 Brief Contents Foreword by Katie Moussouris.... xv Acknowledgments... xvii Introduction...xix Chapter 1: The Basics of Networking... 1 Chapter 2: Capturing Application Traffic Chapter 3: Network Protocol Structures Chapter 4: Advanced Application Traffic Capture Chapter 5: Analysis from the Wire Chapter 6: Application Reverse Engineering Chapter 7: Network Protocol Security Chapter 8: Implementing the Network Protocol Chapter 9: The Root Causes of Vulnerabilities Chapter 10: Finding and Exploiting Security Vulnerabilities Appendix: Network Protocol Analysis Toolkit Index...293

2

3 Foreword by Katie Moussouris xv Acknowledgments xvii Introduction Why Read This Book?... xx What s in This Book?... xx How to Use This Book.... xxii Contact Me... xxii xix 1 The Basics of Networking 1 Network Architecture and Protocols... 1 The Internet Protocol Suite... 2 Data Encapsulation... 4 Headers, Footers, and Addresses... 4 Data Transmission... 6 Network Routing... 7 My Model for Network Protocol Analysis... 8 Final Words Capturing Application Traffic 11 Passive Network Traffic Capture Quick Primer for Wireshark Alternative Passive Capture Techniques System Call Tracing The strace Utility on Linux Monitoring Network Connections with DTrace Process Monitor on Windows Advantages and Disadvantages of Passive Capture Active Network Traffic Capture Network Proxies Port-Forwarding Proxy SOCKS Proxy HTTP Proxies Forwarding an HTTP Proxy Reverse HTTP Proxy Final Words... 35

4 3 Network Protocol Structures 37 Binary Protocol Structures Numeric Data Booleans Bit Flags Binary Endian Text and Human-Readable Data Variable Binary Length Data Dates and Times POSIX/Unix Time Windows FILETIME Tag, Length, Value Pattern Multiplexing and Fragmentation Network Address Information Structured Binary Formats Text Protocol Structures Numeric Data Text Booleans Dates and Times Variable-Length Data Structured Text Formats Encoding Binary Data Hex Encoding Base Final Words Advanced Application Traffic Capture 63 Rerouting Traffic Using Traceroute Routing Tables Configuring a Router Enabling Routing on Windows Enabling Routing on *nix Network Address Translation Enabling SNAT Configuring SNAT on Linux Enabling DNAT Forwarding Traffic to a Gateway DHCP Spoofing ARP Poisoning Final Words Analysis from the Wire 79 The Traffic-Producing Application: SuperFunkyChat Starting the Server Starting Clients Communicating Between Clients x

5 A Crash Course in Analysis with Wireshark Generating Network Traffic and Capturing Packets Basic Analysis Reading the Contents of a TCP Session Identifying Packet Structure with Hex Dump Viewing Individual Packets Determining the Protocol Structure Testing Our Assumptions Dissecting the Protocol with Python Developing Wireshark Dissectors in Lua Creating the Dissector The Lua Dissection Parsing a Message Packet Using a Proxy to Actively Analyze Traffic Setting Up the Proxy Protocol Analysis Using a Proxy Adding Basic Protocol Parsing Changing Protocol Behavior Final Words Application Reverse Engineering 111 Compilers, Interpreters, and Assemblers Interpreted Languages Compiled Languages Static vs. Dynamic Linking The x86 Architecture The Instruction Set Architecture CPU Registers Program Flow Operating System Basics Executable File Formats Sections Processes and Threads Operating System Networking Interface Application Binary Interface Static Reverse Engineering A Quick Guide to Using IDA Pro Free Edition Analyzing Stack Variables and Arguments Identifying Key Functionality Dynamic Reverse Engineering Setting Breakpoints Debugger Windows Where to Set Breakpoints? Reverse Engineering Managed Languages NET Applications Using ILSpy Java Applications Dealing with Obfuscation Reverse Engineering Resources Final Words xi

6 7 Network Protocol Security 145 Encryption Algorithms Substitution Ciphers XOR Encryption Random Number Generators Symmetric Key Cryptography Block Ciphers Block Cipher Modes Block Cipher Padding Padding Oracle Attack Stream Ciphers Asymmetric Key Cryptography RSA Algorithm RSA Padding Diffie Hellman Key Exchange Signature Algorithms Cryptographic Hashing Algorithms Asymmetric Signature Algorithms Message Authentication Codes Public Key Infrastructure X.509 Certificates Verifying a Certificate Chain Case Study: Transport Layer Security The TLS Handshake Initial Negotiation Endpoint Authentication Establishing Encryption Meeting Security Requirements Final Words Implementing the Network Protocol 179 Replaying Existing Captured Network Traffic Capturing Traffic with Netcat Using Python to Resend Captured UDP Traffic Repurposing Our Analysis Proxy Repurposing Existing Executable Code Repurposing Code in.net Applications Repurposing Code in Java Applications Unmanaged Executables Encryption and Dealing with TLS Learning About the Encryption In Use Decrypting the TLS Traffic Final Words xii

7 9 The Root Causes of Vulnerabilities 207 Vulnerability Classes Remote Code Execution Denial-of-Service Information Disclosure Authentication Bypass Authorization Bypass Memory Corruption Vulnerabilities Memory-Safe vs. Memory-Unsafe Programming Languages Memory Buffer Overflows Out-of-Bounds Buffer Indexing Data Expansion Attack Dynamic Memory Allocation Failures Default or Hardcoded Credentials User Enumeration Incorrect Resource Access Canonicalization Verbose Errors Memory Exhaustion Attacks Storage Exhaustion Attacks CPU Exhaustion Attacks Algorithmic Complexity Configurable Cryptography Format String Vulnerabilities Command Injection SQL Injection Text-Encoding Character Replacement Final Words Finding and Exploiting Security Vulnerabilities 233 Fuzz Testing The Simplest Fuzz Test Mutation Fuzzer Generating Test Cases Vulnerability Triaging Debugging Applications Improving Your Chances of Finding the Root Cause of a Crash Exploiting Common Vulnerabilities Exploiting Memory Corruption Vulnerabilities Arbitrary Memory Write Vulnerability Writing Shell Code Getting Started Simple Debugging Technique Calling System Calls xiii

8 Executing the Other Programs Generating Shell Code with Metasploit Memory Corruption Exploit Mitigations Data Execution Prevention Return-Oriented Programming Counter-Exploit Address Space Layout Randomization (ASLR) Detecting Stack Overflows with Memory Canaries Final Words Network Protocol Analysis Toolkit 277 Passive Network Protocol Capture and Analysis Tools Microsoft Message Analyzer TCPDump and LibPCAP Wireshark Active Network Capture and Analysis Canape Canape Core Mallory Network Connectivity and Protocol Testing Hping Netcat Nmap Web Application Testing Burp Suite Zed Attack Proxy (ZAP) Mitmproxy Fuzzing, Packet Generation, and Vulnerability Exploitation Frameworks American Fuzzy Lop (AFL) Kali Linux Metasploit Framework Scapy Sulley Network Spoofing and Redirection DNSMasq Ettercap Executable Reverse Engineering Java Decompiler (JD) IDA Pro Hopper ILSpy NET Reflector index 293 xiv