Index
A
- access token theft
- used, for escalating agent to SYSTEM / Escalating your agent to SYSTEM via access token theft
- active network analysis
- with advanced Wireshark / Active network analysis with Wireshark
- Address Resolution Protocol (ARP) / Layer-2 attacks against the network
- address space layout randomization (ASLR)
- about / Stack smack – introducing buffer overflows, Understanding ASLR
- demonstrating, on Kali Linux with C program / Demonstrating ASLR on Kali Linux with C
- advanced Ettercap
- about / Advanced Ettercap – the man-in-the-middle Swiss Army Knife
- bridged sniffing / Bridged sniffing and the malicious access point
- malicious access point / Bridged sniffing and the malicious access point
- advanced Wireshark
- about / Advanced Wireshark – going beyond simple captures
- passive wireless analysis / Passive wireless analysis
- WLANs, targeting with Aircrack-ng suite / Targeting WLANs with the Aircrack-ng suite
- used, for WLAN analysis / WLAN analysis with Wireshark
- used, for active network analysis / Active network analysis with Wireshark
- Aircrack-ng suite
- used, for targeting WLANs / Targeting WLANs with the Aircrack-ng suite
- antimalware evasion / Antimalware evasion in Python
- antimalware evasion, Python
- Windows executables, creating for script / Creating Windows executables of your Python scripts
- raw payload, preparing / Preparing your raw payload
- payload retrieval, writing / Writing your payload retrieval and delivery in Python
- payload delivery / Writing your payload retrieval and delivery in Python
- Armitage
- advantages / Efficiency and attack organization with Armitage
- environment, working with / Getting familiar with your Armitage environment
- used, for enumeration / Enumeration with Armitage
- used, for ease of exploitation / Exploitation made ridiculously simple with Armitage
- about / A word about Armitage and the pen tester mentality
- working with / Climb the ladder with Armitage
- named pipes / Named pipes and security contexts
- security contexts / Named pipes and security contexts
- pipe client, security context impersonating / Impersonating the security context of a pipe client
- superfluous pipes / Superfluous pipes and pipe creation race conditions
- pipe creation race conditions / Superfluous pipes and pipe creation race conditions
- leveraging / Moving past the foothold with Armitage
- pivoting / Armitage pivoting
- ARP enumeration
- with meterpreter / ARP enumeration with meterpreter
- about / ARP enumeration with meterpreter
- ARP poisoning
- revisiting, with Python / Revisiting ARP poisoning with Python and Scapy
- revisiting, with Scapy / Revisiting ARP poisoning with Python and Scapy
- assembly
- pointers, dereferencing / Dereferencing pointers in C and assembly
- assembly language basics / Assembly language basics
- attack lab
- building / Building your attack lab
- Windows machines, finding / Finding Windows machines for your lab
- authentication capture / Authentication capture
- authentication mechanisms
- exploiting / Design weaknesses – exploiting weak authentication mechanisms
- captive portal authentication conversations, capturing / Capturing captive portal authentication conversations in the clear
- Layer-2 attack, against network / Layer-2 attacks against the network
- autoroute
- used, for launching Metasploit into hidden network / Launching Metasploit into the hidden network with autoroute
B
- Backdoor Factory (BDF)
- used, for shellcode injection / Injection with Backdoor Factory
- about / Injection with Backdoor Factory
- used, for Trojan engineering / Trojan engineering with BDF and IDA
- bare-bones FTP fuzzer service
- writing, in Python / Writing a bare-bones FTP fuzzer service in Python
- BetterCAP
- used, for spoofing / Getting better – spoofing with BetterCAP
- used, for ICMP redirection / ICMP redirection with BetterCAP
- BetterCAP ARP spoofing
- used, for HTTP downgrade attacks / HTTP downgrade attacks with BetterCAP ARP/DNS spoofing
- BetterCAP DNS spoofing
- used, for HTTP downgrade attacks / HTTP downgrade attacks with BetterCAP ARP/DNS spoofing
- BetterCAP proxy modules
- used, for binary injection / Binary injection with BetterCAP proxy modules
- binary injection
- with BetterCAP proxy modules / Binary injection with BetterCAP proxy modules
- bit flipping
- about / Flipping the bit – integrity attacks against CBC algorithms
- block ciphers / Block ciphers and modes of operation
- modes of operation / Block ciphers and modes of operation
- block chaining / Introducing block chaining
- initialization vector (IV), manipulating to generate predictable results / Manipulating the IV to generate predictable results
- bit flipping lab
- setting up / Setting up your bit-flipping lab
- block chaining / Introducing block chaining
- block ciphers / Block ciphers and modes of operation
- bridged sniffing / Bridged sniffing and the malicious access point
- buffer overflows / Stack smack – introducing buffer overflows
C
- C
- pointers, dereferencing / Dereferencing pointers in C and assembly
- CBC block
- decrypting, with PadBuster / Decrypting a CBC block with PadBuster
- cifs
- used, for network exfiltration / Exfiltration across the network with cifs
- Cipher Block Chaining (CBC) / Introducing block chaining
- Client/Server Runtime Subsystem (CSRSS) / The Win32k kernel-mode driver
- code injection fundamentals / Code injection fundamentals – fine-tuning with BDF
- collision / A crash course on hash algorithms
- commandlets (cmdlets) / PowerShell's own cmdlets and PowerShell scripting language
- connect-back listener
- creating, with Metasploit / Creating the payload and connect-back listener with Metasploit
D
- Data Execution Prevention (DEP)
- about / DEP and ASLR – the intentional and the unavoidable, Understanding DEP
- protection, testing with WinDbg / Testing DEP protection with WinDbg
- data injection
- with hash length extension attack / Data injection with the hash length extension attack
- Data Protection Manager (DPM) server / Dancing in the shadows – looting domain controllers with vssadmin
- datastore options / Building a simple Metasploit auxiliary module
- debuggers / Disassemblers, debuggers, and decompilers – oh my!
- debugging process / An introduction to debugging
- decompiler / Disassemblers, debuggers, and decompilers – oh my!
- dereferencing / Dereferencing pointers in C and assembly
- desktop virtualization
- Oracle, versus VMware Workstation / VMware versus Oracle for desktop virtualization
- destination index (DI) / Understanding registers
- dictionary / The two philosophies of password cracking
- disassembler / Disassemblers, debuggers, and decompilers – oh my!
- DNS spoofing
- used, for HSTS bypassing / Understanding HSTS bypassing with DNS spoofing
- Document Object Model (DOM) / Spoofing the HTTP User-Agent
- domain controllers
- looting, with vssadmin / Dancing in the shadows – looting domain controllers with vssadmin
- Duplicate Address Discovery (DAD) / Local IPv6 reconnaissance and the Neighbor Discovery Protocol
E
- Edge tester VMs
- downloading, for developers / Downloading Edge tester VMs for developers
- EIP offset
- calculating, with Metasploit toolset / Calculating the EIP offset with the Metasploit toolset
- Electronic Codebook (ECB) / Block ciphers and modes of operation
- Elevation of Privilege (EoP) / The Win32k kernel-mode driver
- encoder techniques / Encoder theory and techniques – what encoding is and isn't
- encoder theory / Encoder theory and techniques – what encoding is and isn't
- endianness / Lilliputian concerns – understanding endianness
- enumeration
- with post modules / Gathering goodies – enumeration with post modules
- error code
- passing, as pointer to xxxSendMessage() / Passing an error code as a pointer to xxxSendMessage()
- escalation
- with WMIC / Escalation with WMIC and PS Empire
- with PowerShell Empire / Escalation with WMIC and PS Empire
- Ettercap filters
- about / Ettercap filters – fine-tuning your analysis
- used, for killing SSH connection / Killing connections with Ettercap filters
- used, for killing SMTP connection / Killing connections with Ettercap filters
- evaluation copy of Windows Server
- downloading / Downloading an evaluation copy of Windows Server
- Execute Disable (XD) / Understanding DEP
- exploit Java
- malicious website, creating / Creating the malicious website to exploit Java
F
- forensic analysis
- with meterpreter / Forensic analysis with meterpreter – stealing deleted files
- fuzzing
- with Kali / Hands-on fuzzing with Kali and Python
- with Python / Hands-on fuzzing with Kali and Python
- fuzzing data
- converting, into exploit / Shellcode algebra – turning the fuzzing data into an exploit
- fuzzy registers / Fuzzy registers – the low-level perspective
G
- gadget information
- .bss address, finding / Finding the .bss address
- pop pop ret structure, finding / Finding a pop pop ret structure
- addresses, finding for system@plt / Finding addresses for system@plt and strcpy@plt functions
- addresses, finding for strcpy@plt functions / Finding addresses for system@plt and strcpy@plt functions
- target characters, finding in memory with ROPgadget / Finding target characters in memory with ROPgadget and Python
- target characters, finding in memory with Python / Finding target characters in memory with ROPgadget and Python
- gadget ROP chain
- about / Go, go, gadget ROP chain – bringing it together for the exploit
- offset, finding to return with gdb / Finding the offset to return with gdb
- Python exploit, writing / Writing the Python exploit
- gadgets / The basic unit of ROP – gadgets
- Global Offset Table (GOT) / Getting hands-on with the return-to-PLT attack
- GNU Debugger (GDB) / Getting cozy with the Linux command-line debugger – GDB
- graphics device interface (GDI) / The Win32k kernel-mode driver
H
- Hardware Abstraction Layer (HAL) / Kernel fundamentals – understanding how kernel attacks work
- hash / Understanding Windows passwords
- hash algorithms
- crash course / A crash course on hash algorithms
- hash attack lab
- setting up / Setting up your hash attack lab
- hashdump
- used, for extracting credentials in pivot / Extracting credentials with hashdump
- hash length extension attacks
- about / Sneaking your data in – hash length extension attacks
- SHA-1's running state / Understanding SHA-1's running state and compression function
- compression function / Understanding SHA-1's running state and compression function
- used, for data injection / Data injection with the hash length extension attack
- heap
- versus stack / Memory allocation – stack versus heap
- heap spraying
- about / Taking out the guesswork – heap spraying
- fundamentals / Shellcode whac-a-mole – heap spraying fundamentals
- fine-tuning / Fine-tuning your attack and getting a shell
- shell, getting / Fine-tuning your attack and getting a shell
- Helter Skelter evading antivirus
- with Shellter / Helter Skelter evading antivirus with Shellter
- HSTS bypassing
- with DNS spoofing / Understanding HSTS bypassing with DNS spoofing
- HTTP downgrade attacks
- with sslstrip / HTTP downgrading attacks with sslstrip
- about / Removing the need for a certificate – HTTP downgrading
- with BetterCAP ARP spoofing / HTTP downgrade attacks with BetterCAP ARP/DNS spoofing
- with BetterCAP DNS spoofing / HTTP downgrade attacks with BetterCAP ARP/DNS spoofing
- HTTP Strict Transport Security (HSTS) / Removing the need for a certificate – HTTP downgrading
I
- ICMP enumeration, from pivot point
- with PowerShell / ICMP enumeration from a pivot point with PowerShell
- ICMP redirection
- with BetterCAP / ICMP redirection with BetterCAP
- IDA disassembler
- used, for Trojan engineering / Trojan engineering with BDF and IDA
- initialization vector (IV)
- about / Introducing block chaining
- manipulating, to generate predictable results / Manipulating the IV to generate predictable results
- insert mode / Introducing Vim with Python syntax awareness
- integrated development environment (IDE) / Getting cozy with Python in your Kali environment
- Intel Architecture-32 (IA-32) / An introduction to debugging
- Inter-process Communication (IPC) / Named pipes and security contexts
- Internet Explorer
- debugging, with WinDbg / Debugging Internet Explorer with WinDbg
- enumeration / Internet Explorer enumeration – discovering internal web resources
- IPv4
- converting, to IPv6 for socat tool / Living in an IPv4 world – creating a local 4-to-6 proxy for your tools
- IPv6 addressing
- about / IPv6 for hackers
- basics / IPv6 addressing basics
- IPv6 reconnaissance / Local IPv6 reconnaissance and the Neighbor Discovery Protocol
- ISO file
- Windows, installing from / Installing Windows from an OEM disc or downloaded ISO file
- ISR Evilgrade
- exploring / Exploring ISR Evilgrade
J
- Java Network Launch Protocol (JNLP) / Shellcode whac-a-mole – heap spraying fundamentals
- Java vulnerability
- shellcode generation / Shellcode generation for the Java vulnerability
- John the Ripper cracking
- with wordlist / John the Ripper cracking with a wordlist
- with masking / John the Ripper cracking with masking
K
- Kali Linux
- kernel attacks, practical / Practical kernel attacks with Kali
- Python, using / Getting cozy with Python in your Kali environment
- Windows binary disassembly / Windows binary disassembly within Kali
- used, for fuzzing / Hands-on fuzzing with Kali and Python
- kernel attack
- practical, with Kali Linux / Practical kernel attacks with Kali
- Kernel attack vectors
- about / Kernel attack vectors
- APIs / Kernel attack vectors
- paddling upstream, from hardware / Kernel attack vectors
- boot process, undermining / Kernel attack vectors
- rootkits / Kernel attack vectors
- Kernel fundamentals
- about / Kernel fundamentals – understanding how kernel attacks work, It's just a program
- context switching / The kernel's role as time cop
L
- LAN Manager (LM) / Password hashing methods in Windows
- Last In, First Out (LIFO) / Understanding the stack, Memory allocation – stack versus heap
- libesedb
- used, for password hash extraction / Password hash extraction with libesedb and ntdsxtract
- LLMNR spoofing
- used, for capturing hash / Hash capture with LLMNR/NetBIOS NS spoofing
- LM hash flaws / If it ends with 1404EE, then it's easy for me – understanding LM hash flaws
- local exploits
- about / When the easy way fails—local exploits
- kernel pool overflow / Kernel pool overflow and the danger of data types
- data types, problems / Kernel pool overflow and the danger of data types
- Schlamperei privilege escalation, on Windows 7 / Let's get lazy – Schlamperei privilege escalation on Windows 7
M
- MAC filtering
- bypassing / Bypassing MAC filtering – considerations for the physical assessor
- Kali wireless access point, configuring / Configuring a Kali wireless access point to bypass MAC filtering
- malicious access point / Bridged sniffing and the malicious access point
- malicious website
- creating, to exploit Java / Creating the malicious website to exploit Java
- man-in-the-middle attack / IPv6 man-in-the-middle – attacking your neighbors
- masks
- used, for John the Ripper cracking / John the Ripper cracking with masking
- Maximum Segment Size (MSS) / Passive Operating system Fingerprinter
- memory
- examining, after heap spraying / Examining memory after spraying the heap
- Metasploit
- used, for creating payload / Creating the payload and connect-back listener with Metasploit
- used, for creating connect-back listener / Creating the payload and connect-back listener with Metasploit
- modules, exploring / Modules – the bread and butter of Metasploit
- kernel attack, escalating to SYSTEM on Windows 7 / Escalating to SYSTEM on Windows 7 with Metasploit
- used, for network pivoting / Network pivoting with Metasploit
- launching, into hidden network with autoroute / Launching Metasploit into the hidden network with autoroute
- Metasploit auxiliary module
- building / Building a simple Metasploit auxiliary module
- Metasploit payloads
- using, with social engineering attacks / Social engineering attacks with Metasploit payloads
- Metasploit persistence
- about / Persistence with Metasploit and PowerShell Empire
- payload, creating / Creating a payload for Metasploit persister
- module, configuring / Configuring the Metasploit persistence module and firing away
- persistent Meterpreter backdoor, verifying / Verifying your persistent Meterpreter backdoor
- Metasploit shellcode delivery
- about / Understanding Metasploit shellcode delivery
- encoder theory / Encoder theory and techniques – what encoding is and isn't
- encoder techniques / Encoder theory and techniques – what encoding is and isn't
- Metasploit toolset
- used, for calculating EIP offset / Calculating the EIP offset with the Metasploit toolset
- meterpreter
- used, for ARP enumeration / ARP enumeration with meterpreter
- used, for forensic analysis / Forensic analysis with meterpreter – stealing deleted files
- used, for privileges enumeration / Privileges enumeration with meterpreter
- used, for uploading persistent netcat / Uploading and configuring persistent netcat with meterpreter
- used, for configuring persistent netcat / Uploading and configuring persistent netcat with meterpreter
- mixins / Building a simple Metasploit auxiliary module
- modes of operation / Block ciphers and modes of operation
- MSFrop / Getting cozy with our tools – MSFrop and ROPgadget, Metasploit Framework's ROP tool – MSFrop
- msfvenom command
- used, for generating shellcode / Generating shellcode with msfvenom
- mutation fuzzing
- with Taof proxying / Network fuzzing – mutation fuzzing with Taof proxying
N
- neighbor advertisement (NA) / IPv6 man-in-the-middle – attacking your neighbors
- Neighbor Discovery Protocol (NDP) / Local IPv6 reconnaissance and the Neighbor Discovery Protocol, IPv6 man-in-the-middle – attacking your neighbors
- neighbor solicitation (NS) / IPv6 man-in-the-middle – attacking your neighbors
- NetBIOS NS spoofing
- used, for capturing hash / Hash capture with LLMNR/NetBIOS NS spoofing
- netcat backdoors
- working with / Hack tunnels – netcat backdoors on the fly
- persistence, verifying / Verifying persistence is established
- netcat connections
- Windows Firewall, tweaking / Remotely tweaking Windows Firewall to allow inbound netcat connections
- network
- authenticating / Authenticating over the network–a different game altogether
- Windows passwords, capturing / Capturing Windows passwords on the network
- Network Address Translation (NAT) / Payload generation goes solo – working with msfvenom, Network address translation and VMnet subnets
- network configuration
- tricks / Network configuration tricks
- network exfiltration
- with cifs / Exfiltration across the network with cifs
- Network Interface Controller-specific (NIC-specific) / Confirming the Organizationally Unique Identifier
- network operating system / Password hashing methods in Windows
- network pivoting
- with Metasploit / Network pivoting with Metasploit
- NOP sledding / Grab your mittens, we're going a NOP sledding
- NTDS database
- extracting, from shadow copy / Extracting the NTDS database and SYSTEM hive from a shadow copy
- ntdsxtract
- used, for password hash extraction / Password hash extraction with libesedb and ntdsxtract
- NT LAN Manager (NTLM) / Password hashing methods in Windows
- NULL pointer dereferencing / Understanding NULL pointer dereferencing
O
- OEM disc
- Windows, installing from / Installing Windows from an OEM disc or downloaded ISO file
- operation code (opcode) / Assembly language basics
- oracle padding attack / Behind the scenes of the oracle padding attack
- Organizationally Unique Identifier (OUI) / Confirming the Organizationally Unique Identifier
P
- PadBuster
- used, for busting padding oracle / Busting the padding oracle with PadBuster
- used, for decrypting CBC block / Decrypting a CBC block with PadBuster
- padding oracle
- busting, with PadBuster / Busting the padding oracle with PadBuster
- interrogating / Interrogating the padding oracle
- Pass-the-Hash (PtH) attack / Quit stalling and pass the hash – exploiting password equivalents in Windows
- Passive Operating system Fingerprinter (p0f) / Passive Operating system Fingerprinter
- password hash extraction
- with libesedb / Password hash extraction with libesedb and ntdsxtract
- with ntdsxtract / Password hash extraction with libesedb and ntdsxtract
- payload
- creating, with Metasploit / Creating the payload and connect-back listener with Metasploit
- payload delivery
- writing, in Python / Writing your payload retrieval and delivery in Python
- payload generation
- about / How to get it right the first time – generating payloads
- Wine32, installing / Installing Wine32 and Shellter
- Shellter, installing / Installing Wine32 and Shellter
- msfvenom, working with / Payload generation goes solo – working with msfvenom
- nested payloads, creating / Creating nested payloads
- payload retrieval
- writing, in Python / Writing your payload retrieval and delivery in Python
- pen testing / A word about Armitage and the pen tester mentality
- persistence module
- installing, in PowerShell / Installing the persistence module in PowerShell
- persistent netcat
- uploading, with meterpreter / Uploading and configuring persistent netcat with meterpreter
- configuring, with meterpreter / Uploading and configuring persistent netcat with meterpreter
- philosophies, Windows password cracking
- dictionary attack / The two philosophies of password cracking
- brute-force attack / The two philosophies of password cracking
- pipe client
- security context, impersonating / Impersonating the security context of a pipe client
- pipe creation race conditions / Superfluous pipes and pipe creation race conditions
- pivot
- escalating / Escalating your pivot – passing attacks down the line
- credentials, extracting with hashdump / Extracting credentials with hashdump
- password equivalents, exploiting in Windows / Quit stalling and pass the hash – exploiting password equivalents in Windows
- Pass-the-Hash (PtH) attack / Quit stalling and pass the hash – exploiting password equivalents in Windows
- pointer issues / Pointing out the problem – pointer issues
- pointers
- dereferencing, in C / Dereferencing pointers in C and assembly
- dereferencing, in assembly / Dereferencing pointers in C and assembly
- Position Independent Executable (PIE) / No PIE for you – compiling your vulnerable executable without ASLR hardening
- post-exploitation
- with PowerShell / Post-exploitation with PowerShell
- post modules
- used, for enumeration / Gathering goodies – enumeration with post modules
- PowerShell
- fundamentals / Power to the shell – PowerShell fundamentals
- about / What is PowerShell?, PowerShell's own cmdlets and PowerShell scripting language
- working / What is PowerShell?
- registry, working with / Working with the registry
- pipelines / Pipelines and loops in PowerShell
- loops / Pipelines and loops in PowerShell
- used, for post-exploitation / Post-exploitation with PowerShell
- used, for ICMP enumeration from pivot point / ICMP enumeration from a pivot point with PowerShell
- used, as TCP-connect port scanner / PowerShell as a TCP-connect port scanner
- used, for delivering Trojan to target / Delivering a Trojan to your target via PowerShell
- persistence module, installing / Installing the persistence module in PowerShell
- PowerShell's ISE / It gets better – PowerShell's ISE
- PowerShell Empire
- framework / Offensive PowerShell – introducing the Empire framework
- installing / Installing and introducing PowerShell Empire
- about / Installing and introducing PowerShell Empire
- listeners, configuring / Configuring listeners
- stagers, configuring / Configuring stagers
- agents, working with / Your inside guy – working with agents
- used, for escalation / Escalation with WMIC and PS Empire
- security context, elevating / Elevating the security context of our Empire agent
- WMI subscription, creating for agent persistence / Creating a WMI subscription for stealthy persistence of your agent
- agent persistence, verifying / Verifying agent persistence
- PowerShell Empire agent
- creating, with WMIC / Create a PowerShell Empire agent with remote WMIC
- PowerShell Empire persistence / Persistence with Metasploit and PowerShell Empire, Not to be outdone – persistence in PS Empire
- PowerShell keylogging module
- configuring / Configuring a module for agent tasking
- PowerSploit
- used, for maintaining access / Maintaining access with PowerSploit
- meterpreter persistence, configuring / Configuring and executing meterpreter persistence
- meterpreter persistence, executing / Configuring and executing meterpreter persistence
- persistence, verifying / Lying in wait – verifying persistence
- persistence script, working / What did the persistence script do?
- privilege escalation / An introduction to privilege escalation
- privileges enumeration
- with meterpreter / Privileges enumeration with meterpreter
- Procedure Linkage Table (PLT) / Getting hands-on with the return-to-PLT attack
- Public Key Cryptography Standards / Behind the scenes of the oracle padding attack
- push / Understanding the stack
- Python
- working with / Incorporating Python into your work
- need for / Why Python?
- network analysis / Python network analysis
- modules, for networking / Python modules for networking
- antimalware evasion / Antimalware evasion in Python
- about / Python and Scapy – a classy pair
- used, for revisiting ARP poisoning / Revisiting ARP poisoning with Python and Scapy
- used, for fuzzing / Hands-on fuzzing with Kali and Python
- bare-bones FTP fuzzer service, writing / Writing a bare-bones FTP fuzzer service in Python
- Python client
- building / Building a Python client
- Python fuzzer
- used, for crashing target / Crashing the target with the Python fuzzer
- Python reverse shell script
- building / Building a Python reverse shell script
- Python scripts
- Windows executables, creating / Creating Windows executables of your Python scripts
- Python server
- building / Building a Python server
R
- race condition / The kernel's role as time cop
- raw payload
- preparing / Preparing your raw payload
- real-world pen test scenario / A real-world pen test scenario – the chatty printer
- registers
- about / Understanding registers
- examination, during execution / Examining the stack and registers during execution
- registry
- working with / Working with the registry
- return-oriented programming
- about / Introducing return-oriented programming
- code, borrowing / Borrowing chunks and returning to libc – turning the code against itself
- ROPgadget / The basic unit of ROP – gadgets, Getting cozy with our tools – MSFrop and ROPgadget
- MSFrop / Getting cozy with our tools – MSFrop and ROPgadget
- C program, creating without disabling protections / Creating our vulnerable C program without disabling protections
- vulnerable executable, compiling without ASLR hardening / No PIE for you – compiling your vulnerable executable without ASLR hardening
- ROP chain, generating / Generating a ROP chain
- return-to-libc attack / Borrowing chunks and returning to libc – turning the code against itself
- return-to-PLT attack
- hands-on / Getting hands-on with the return-to-PLT attack
- gadget information, extracting for building payload / Extracting gadget information for building your payload
- gadget ROP chain / Go, go, gadget ROP chain – bringing it together for the exploit
- root, flipping to via CBC bit-flipping / Flipping to root – privilege escalation via CBC bit-flipping
- ROPgadget / Getting cozy with our tools – MSFrop and ROPgadget, Your sophisticated ROP lab – ROPgadget
- Ruby file injection proxy module / The Ruby file injection proxy module – replace_file.rb
S
- Scapy
- about / Python and Scapy – a classy pair
- used, for revisiting ARP poisoning / Revisiting ARP poisoning with Python and Scapy
- Schlamperei / Let's get lazy – Schlamperei privilege escalation on Windows 7
- Security Account Manager (SAM) / Password hashing methods in Windows
- SHA-1's running state / Understanding SHA-1's running state and compression function
- shadow copy
- about / Dancing in the shadows – looting domain controllers with vssadmin
- SYSTEM hive, extracting / Extracting the NTDS database and SYSTEM hive from a shadow copy
- NTDS database, extracting / Extracting the NTDS database and SYSTEM hive from a shadow copy
- shellcode
- breaking, with bytes / Hunting bytes that break shellcode
- generating, with msfvenom command / Generating shellcode with msfvenom
- shellcode generation
- for Java vulnerability / Shellcode generation for the Java vulnerability
- shellcode injection
- with Backdoor Factory (BDF) / Injection with Backdoor Factory
- shellcoding / Introducing shellcoding
- Shellter
- installing / Installing Wine32 and Shellter
- used, for Helter Skelter evading antivirus / Helter Skelter evading antivirus with Shellter
- used, for creating Trojan / Creating a Trojan with Shellter
- SMB listener
- configuring / Configuring our SMB listener
- SMTP connection
- killing, with Ettercap filters / Killing connections with Ettercap filters
- software update mechanisms
- attacking / The evil upgrade – attacking software update mechanisms
- ISR Evilgrade, exploring / Exploring ISR Evilgrade
- payload, configuring / Configuring the payload and upgrade module
- upgrade module, configuring / Configuring the payload and upgrade module
- ARP spoofing / Spoofing ARP/DNS and injecting the payload
- DNS spoofing / Spoofing ARP/DNS and injecting the payload
- payload, injecting / Spoofing ARP/DNS and injecting the payload
- source index (SI) / Understanding registers
- spoofing
- with BetterCAP / Getting better – spoofing with BetterCAP
- SSH connections
- killing, with Ettercap filters / Killing connections with Ettercap filters
- sslstrip
- used, for HTTP downgrading attacks / HTTP downgrading attacks with sslstrip
- stack (memory)
- about / Understanding the stack
- examination, during execution / Examining the stack and registers during execution
- versus heap / Memory allocation – stack versus heap
- stack (TCP/IP)
- masquerading / Breaking out of jail – masquerading the stack
- normal TCP replies, suppressing / Following the rules spoils the fun – suppressing normal TCP replies
- handshake, fabricating with Scapy / Fabricating the handshake with Scapy and Python
- handshake, fabricating with Python / Fabricating the handshake with Scapy and Python
- subnetting / Just a quick review of subnetting
- superfluous pipes / Superfluous pipes and pipe creation race conditions
- SYSTEM hive
- extracting, from shadow copy / Extracting the NTDS database and SYSTEM hive from a shadow copy
T
- Taof proxy
- used, for mutation fuzzing / Network fuzzing – mutation fuzzing with Taof proxying
- configuring, to target remote service / Configuring the Taof proxy to target the remote service
- legitimate traffic, creating / Fuzzing by proxy – generating legitimate traffic
- time-to-live (TTL) / Passive Operating system Fingerprinter
- Trojan
- creating, with Shellter / Creating a Trojan with Shellter
- malicious USB drive, preparing for delivery / Preparing a malicious USB drive for Trojan delivery
- delivering, to target via PowerShell / Delivering a Trojan to your target via PowerShell
- Trojan engineering
- with Backdoor Factory (BDF) / Trojan engineering with BDF and IDA
- with IDA disassembler / Trojan engineering with BDF and IDA
U
- Universal Coded Character Set (UCS) / Kernel pool overflow and the danger of data types
- User Account Control (UAC) / Not to be outdone – persistence in PS Empire
V
- validation checks
- bypassing / Bypassing validation checks
- Organizationally Unique Identifier (OUI), confirming / Confirming the Organizationally Unique Identifier
- Passive OS fingerprinting / Passive Operating system Fingerprinter
- HTTP User-Agent, spoofing / Spoofing the HTTP User-Agent
- Vim
- with Python syntax awareness / Introducing Vim with Python syntax awareness
- virtual machines (VMs) / Getting familiar with VMware Workstation
- Virtual Network Editor
- using / Using the Virtual Network Editor
- VMnet subnets / Network address translation and VMnet subnets
- VMware Workstation
- working with / Getting familiar with VMware Workstation
- VMware Workstation, versus Oracle
- for desktop virtualization / VMware versus Oracle for desktop virtualization
- vssadmin
- used, for looting domain controllers / Dancing in the shadows – looting domain controllers with vssadmin
- vulnerable FTP client
- vulnerable FTP server
W
- Win32k kernel-mode driver / The Win32k kernel-mode driver
- WinDbg
- Internet Explorer, debugging / Debugging Internet Explorer with WinDbg
- Windows
- installing, from OEM disc / Installing Windows from an OEM disc or downloaded ISO file
- installing, from downloaded ISO file / Installing Windows from an OEM disc or downloaded ISO file
- Windows 7
- kernel attack, escalating to SYSTEM with Metasploit / Escalating to SYSTEM on Windows 7 with Metasploit
- Schlamperei privilege escalation / Let's get lazy – Schlamperei privilege escalation on Windows 7
- Windows binary disassembly
- within Kali Linux / Windows binary disassembly within Kali
- Windows Debugger (WinDbg) / Debugging Internet Explorer with WinDbg
- Windows Firewall
- tweaking, to allow inbound netcat connections / Remotely tweaking Windows Firewall to allow inbound netcat connections
- Windows hashes
- cracking / Let it rip – cracking Windows hashes
- Windows kernel exploit module
- Windows machines
- finding, for attack lab / Finding Windows machines for your lab
- Windows passwords
- about / Understanding Windows passwords
- crash course, on hash algorithms / A crash course on hash algorithms
- hashing methods / Password hashing methods in Windows
- LM hash flaws / If it ends with 1404EE, then it's easy for me – understanding LM hash flaws
- network, authenticating / Authenticating over the network–a different game altogether
- capturing, on network / Capturing Windows passwords on the network
- real-world pen test scenario / A real-world pen test scenario – the chatty printer
- SMB listener, configuring / Configuring our SMB listener
- authentication capture / Authentication capture
- hash, capturing with LLMNR spoofing / Hash capture with LLMNR/NetBIOS NS spoofing
- hash, capturing with NetBIOS NS spoofing / Hash capture with LLMNR/NetBIOS NS spoofing
- cracking, philosophies / The two philosophies of password cracking
- progress, reviewing with show flag / Reviewing your progress with the show flag
- Wine32
- installing / Installing Wine32 and Shellter
- WLAN analysis
- with advanced Wireshark / WLAN analysis with Wireshark
- WMIC
- used, for escalation / Escalation with WMIC and PS Empire
- used, for spawning processes / Quietly spawning processes with WMIC
- used, for creating PowerShell Empire agent / Create a PowerShell Empire agent with remote WMIC
- wordlist
- about / The two philosophies of password cracking
- used, for John the Ripper cracking / John the Ripper cracking with a wordlist
X
- xxxSendMessage()
- error code, passing as pointer / Passing an error code as a pointer to xxxSendMessage()