March 02, 2008

A brief glossary from Hacking: The Art of Exploitation

In his introduction to spelunking for system hacks, Hacking: The Art of Exploitation, author Jon Erikson outlines a number of techniques for the readers. While his treatment is thorough and essential reading to understand how the hack works, I've outlined the majority of techniques listed in his book in glossary form.


Buffer Overflows
Inject a piece of code in a program buffer, causing it to overflow and transfer control to the injected code. When the corrupted piece of memory is a variable on the stack, this is called a Stack-based Overflow. Buffers allocated on the heap can also be subjected to the same corruption. So can the BSS segment by overflowing function pointers.

Format String Vulnerability
This particular exploit is related to using a function like printf in an unprescribed way such as printf(text) instead of printf ("%s", text). When text contains a format parameter, printf will add to the frame pointer to reference memory in the preceding stack frame. Thus, %s can be used to read from arbitrary memory addresses and %n can be used to write to the same. Code injection is now possible.

In addition two techniques: Direct Parameter Access using the $d feature of printfs and Short Writes using the %h feature can be used to simplify reading and writing memory addresses with this exploit.

Overwriting .dtors
This technique involves overwriting memory reserved for destructor functions (the .dtors section which is writeable) to spawn a root shell.

Overwriting the Global Offset Table
The GOT contains a jump entry for the exit() function. Overwriting this function in memory can be used to spawn a shell.


Network Sniffing

A network device can be set in promiscious mode to sniff packets sent to other computers on an unswitched network. Useful information (say a username and password from someone logging on) can be obtained in this way.

Raw Socket Sniffing
A programmatic technique to sniff packets at layers below 5 (session) in the OSI model. Somewhat unreliable in terms of capturing packets and requires logging in as root, but useful if session layer sniffing is not possible.

libpcap Sniffing
Using the cross-platform libpcap make life easier when sniffing raw sockets.

Active Sniffing
This technique - used on switched networks where packets are only sent to specific MAC addresses - involves inserting a proxy system between two MAC addresses and intercepting packets that go between them. The proxy system sends spoofed ARP replies to each MAC address (ARP cache poisoning).

Denial of Service
This form exploits put the system under attack in a state where it is unable to respond to requests from legitimate users. This can be done in two ways: by crashing a service via program exploits or by flooding a service with so many requests that it runs out of resource to handle them all.

Denial of Service - SYN Flooding
This technique exhausts the "reliable" connection states maintained by TCP/IP by flooding the system with SYN packets from a spoofed nonexistent source address.

Denial of Service - The Ping of Death
An ICMP echo message is sent with a payload that exceeds the permitted 65k of data. Although this is an old vulnerability that has been fixed it tends to show up in newer protocol implementations such as Bluetooth.

Denial of Service - Teardrop
This attack sends fragmented IP packets with no overlap, which is expected by all systems. However some systems do not check for this error condition and can crash.

Denial of Service - Ping Flooding
A deluge of pings is sent to a system, thus making it too busy to respond to any other requests.

Denial of Service - Amplification Attacks
Ping Flooding can take a lot of resources to maintain. Instead using spoofing and broadcast addressing a single stream of packets can be sent to a number of hosts with a spoofed address of the system under attack.

Denial of Service - Distributed DoS Flooding
A basic ping flood but launched from a large number of compromised systems in order to increase the deluge to the system under attack.

TCP/IP Hijacking
Carried out from the same network as the system under attack, the TCP packet sequence number from the header is spoofed (after discovery via sniffing by the attacker) and sent to gain trust with the system under attack.

TCP/IP Hijacking - RST Hijacking
This form of hijacking involves injecting a Reset packet in the header.

TCP/IP Hijacking - Continued Hijacking
The attacker sends a spoofed data packet to the host with a bogus sequence number. This causes the entire sequence incrementing and acknowledgment to get out of sync, causing a hung connection at the system under attack.

Port Scanning
This technique involves figuring out which ports are open, listening and accepting connections on the system under attack. This is usually a non-destructive way of getting information about where system vulnerabilities can be exploited by determining which network services are available on the system under attack.

Port Scanning - Stealth SYN (or Half Open) Scans
A SYN packet is sent by the attacker and the response (a SYN/ACK packet) from the system under attack is examined for validity. When validated it indicates a port that is open for business. A RST packet is sent to the port for a graceful shutdown of the sequence - thus leaving the system under attack none the wiser.

Port Scanning - FIN, X-mas and Null Scans
Three ways to find out if a port is open for business. A nonsensical packet is sent to every port on the system under attack. If the port is listening, the packet will be ignored and lost. If the port is not listening, the attacker will get back a RST packet.

Port Scanning - Spoofing Decoys
This is a actually a countermeasure to avoid detection. The attacker simply hides attempts at port detection between connections from decoy IP addresses, thus making it harder to pin point the attacking IP.

Port Scanning - Idle Scanning
This involved port scanning technique is also a countermeasure that makes the attacker's IP undetectable. In this technique the attacker uses an idle host machine to perform proxy port scanning on the system under attack.

Port Scanning - Proactive Defense (shroud)
The author presents a number of defensive techniques to prevent accurate port scanning by an attacker.


Shell-Spawning Shellcode
Various techniques to transfer execution to shellcode in a program that spawns a shell.

Port-Binding Shellcode
Once spawned, the shell needs to bind itself to a port and listen for incoming connections.

Connect-back Shellcode
Port-binding shellcode is easily foiled by firewalls. In that case, shellcode that initiates the outbound connection (not filtered by firewalls) and spawns a shell can succeed.


In order to avoid detection after an exploit, a number of different things need to be considered. For example, your IP address can be logged in a file and traces of this must be erased or obfuscated. In addition, the loss of service itself might alert the system administrator of an intrusion - in which case the author shows an example of how to perform an exploit and keep the service running so no one is wiser.


Man-in-the-middle Attacks
The attacker sits between two systems both of whom believe they are communicating with the other. The attacker maintains two separate encrypted communication channels with two encyrption keys with each system under attack. This form an attack starts by redirecting traffic with a known technique like ARP cache poisoning.

Password Cracking
User passwords are hashed one-way, it is mathematically impossible to reverse the hash. When a user enters their passwords, the value is hashed again and compared to the pre-hashed stored value for authentication.

Password Cracking: Dictionary Attacks
In this technique, every word in the dictionary (potentially) is run through a one-way hash and compared with the user's password. User passwords are stored somewhere and must be available to the user in encrypted form first. If a match is found, the word hashed from the dictionary is the user's password. Custom dictionaries can be made using different languages, standard word modifications and appending numbers to words.

Password Cracking: Exhaustive Brute-Force Attacks
This is an academic technique in which every possible combination of words in a dictionary are used to compare with a hashed password in order to find a match. The sheer number of possible permutations makes this technique an unrealistic one in terms of yielding a result in a reasonable amount of time.

Password Cracking: Hash Lookup Table
A variation of the exhaustive brute force attack but all the hash values for words in a dictionary are precomputed and stored in a lookup table. This technique requires gobs of storage and only works for one salt value.

Password Cracking: Password Probability Matrix
In an effort to balance storage space required beforehand and computational power required at the time of the hack, a lossy form of compression can be used to create an inexact hash table. In this technique, each password hash will map to several thousand precomputed values which are then converged in real-time.

Wired Equivalent Privacy (WEP) Attacks

WEP Attacks: Offline Brute-Force Attacks
First a few packets are captured over wireless and then an attempt is made to decrypt them using every possible key. A practical cracking method has been devised that reduces a 40-bit keyspace down to 21 bits.

WEP Attacks: Keystream Reuse
A keystream is an encrypted seed that is used to produce encrypted packets. It consists of a WEP key and an Initialization Vector (IV). The encrypted packet is produced by XORing the plain text message with the keystream. If two packets have been encrypted with the same keystream, then XORing these two packets will yield the two plaintexts XORed with each other. If one plaintext is known, the other can be recovered.

WEP Attacks: IV-based Decryption Dictionary Tables
Once the keystream is known (using the technique above) it can be used to decrypt other packets with the same IV (IVs are 24bit). A table of keystreams can be saved for each IV and all subsequent packets can be easily decrypted.

WEP Attacks: IP Redirection
In this technique, an attacker will receive an encrypted packet from the access point and send it right back after modifying it to ensure the checksum remains the same. The attacker must know the destination IP address (which can be determined via keystream reuse due to IV collisions). The access point will decrypt this packet and send it back to the attacker's IP.

WEP Attacks: Fluhrer, Mantin, and Shamir (FMS) Attack
This commony used attack against WEP takes advantage of weak IV values that leak information about the secret key in the first byte of the keystream. Erikson's book contains a detailed explanation of how this attack works.