Gray Hat Hacking: The Ethical Hacker’s Handbook (3rd Edition, 2011)
Gray Hat Hacking, Third Edition: Reviews

“Bigger, better, and more thorough, the Gray Hat Hacking series is one that I’ve enjoyed from the start. Always right on time information, always written by experts. The Third Edition is a must-have update for new and continuing security experts.”
—Jared D. DeMott, Principal Security Researcher, Crucial Security, Inc.

“This book is a great reference for penetration testers and researchers who want to step up and broaden their skills in a wide range of IT security disciplines.”
—Peter Van Eeckhoutte (corelanc0d3r), Founder, Corelan Team

“I am often asked by people how to get started in the InfoSec world, and I point people to this book. In fact, if someone is an expert in one arena and needs a leg up in another, I still point them to this book. This is one book that should be in every security professional’s library—the coverage is that good.”
—Simple Nomad, Hacker

“The Third Edition of Gray Hat Hacking builds upon a well-established foundation to bring even deeper insight into the tools and techniques in an ethical hacker’s arsenal. From software exploitation to SCADA attacks, this book covers it all. Gray Hat Hacking is without doubt the definitive guide to the art of computer security published in this decade.”
—Alexander Sotirov, Security Rockstar and Founder of the Pwnie Awards

“Gray Hat Hacking is an excellent ‘Hack-by-example’ book. It should be read by anyone who wants to master security topics, from physical intrusions to Windows memory protections.”
—Dr. Martin Vuagnoux, Cryptographer/Computer security expert

“Gray Hat Hacking is a must-read if you’re serious about INFOSEC. It provides a much-needed map of the hacker’s digital landscape. If you’re curious about hacking or are pursuing a career in INFOSEC, this is the place to start.”
—Johnny Long, Professional Hacker, Founder of Hackers for Charity.org
Gray Hat Hacking
The Ethical Hacker’s Handbook
Third Edition

Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams

New York • Chicago • San Francisco • Lisbon • London • Madrid • Mexico City • Milan • New Delhi • San Juan • Seoul • Singapore • Sydney • Toronto
Copyright © 2011 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-174256-6
MHID: 0-07-174256-5

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174255-9, MHID: 0-07-174255-7.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
N2NetSecurity: Swimming with the Sharks? Get Peace of Mind.

Are your information assets secure? Are you sure? N2NetSecurity’s Information Security and Compliance Services give you the peace of mind of knowing that you have the best of the best in information security on your side. Our deep technical knowledge ensures that our solutions are innovative and efficient, and our extensive experience will help you avoid common and costly mistakes.

N2NetSecurity provides information security services to government and private industry. We are a certified Payment Card Industry Qualified Security Assessor (PCI QSA). Our talented team includes Black Hat Instructors, received a 2010 Department of Defense CIO Award, and has coauthored seven leading IT books including Gray Hat Hacking: The Ethical Hacker’s Handbook and Security Information Event Management Implementation.

Contact us for a Free Gap Assessment and see how we can help you get peace of mind. Get Back to Normal, Back to Business!

N2NetSecurity, Inc.
www.n2netsec.com
info@n2netsec.com
800.456.0058
Stop Hackers in Their Tracks

Hacking Exposed, 6th Edition
Hacking Exposed Malware & Rootkits
Hacking Exposed Computer Forensics, 2nd Edition
24 Deadly Sins of Software Security
Hacking Exposed Wireless, 2nd Edition
Hacking Exposed: Web Applications, 3rd Edition
Hacking Exposed Windows, 3rd Edition
Hacking Exposed Linux, 3rd Edition
Hacking Exposed Web 2.0
IT Auditing, 2nd Edition
IT Security Metrics
Gray Hat Hacking, 3rd Edition

Available in print and ebook formats. Follow us on Twitter @MHComputing
Boost Your Security Skills (and Salary) with Expert Training for CISSP® Certification

The Shon Harris CISSP® Solution is the perfect self-study training package not only for the CISSP® candidate or those renewing certification, but for any security pro who wants to increase their security knowledge and earning potential. Take advantage of this comprehensive multimedia package that lets you learn at your own pace and in your own home or office. This definitive set includes:

- DVD set of computer-based training, over 34 hours of instruction on the Common Body of Knowledge, the 10 domains required for certification. In-class instruction at your home.
- CISSP® All-in-One, 5th Edition, the 1193-page best-selling book by Shon Harris.
- 2,200+ page CISSP® Student Workbook developed by Shon Harris.
- Multiple hours of Shon Harris’ lectures explaining the concepts in the CISSP® Student Workbook in MP3 format. Complex concepts fully explained. Everything you need to pass the CISSP® exam.
- Bonus MP3 files with extensive review sessions for each domain.
- Over 1,600 CISSP® review questions to test your knowledge.
- 300+ question final practice exam, and more!

Learn from the best! Leading independent authority and recognized CISSP® training guru, Shon Harris, CISSP®, MCSE, delivers this definitive certification program packaged together and available for the first time. Order today! Complete info at http://logicalsecurity.com/cissp

CISSP is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as (ISC)². No endorsement by, affiliation or association with (ISC)² is implied.
To my brothers and sisters in Christ, keep running the race. Let your light shine for Him, that others may be drawn to Him through you.
—Allen Harper

To my loving and supporting husband, David Harris, who has continual patience with me as I take on all of these crazy projects!
—Shon Harris

To Jessica, the most amazing and beautiful person I know.
—Jonathan Ness

For my train-loving son Aaron, you bring us constant joy!
—Chris Eagle

To Vincent Freeman, although I did not know you long, life has blessed us with a few minutes to talk and laugh together.
—Terron Williams
ABOUT THE AUTHORS

Allen Harper, CISSP, PCI QSA, is the president and owner of N2NetSecurity, Inc. in North Carolina. He retired from the Marine Corps after 20 years and a tour in Iraq. Additionally, he has served as a security analyst for the U.S. Department of the Treasury, Internal Revenue Service, and Computer Security Incident Response Center (IRS CSIRC). He regularly speaks and teaches at conferences such as Black Hat and Techno.

Shon Harris, CISSP, is the president of Logical Security, an author, educator, and security consultant. She is a former engineer of the U.S. Air Force Information Warfare unit and has published several books and articles on different disciplines within information security. Shon was also recognized as one of the top 25 women in information security by Information Security Magazine.

Jonathan Ness, CHFI, is a lead software security engineer in Microsoft’s Security Response Center (MSRC). He and his coworkers ensure that Microsoft’s security updates comprehensively address reported vulnerabilities. He also leads the technical response of Microsoft’s incident response process that is engaged to address publicly disclosed vulnerabilities and exploits targeting Microsoft software. He serves one weekend each month as a security engineer in a reserve military unit.

Chris Eagle is a senior lecturer in the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, California. A computer engineer/scientist for 25 years, his research interests include computer network attack and defense, computer forensics, and reverse/anti-reverse engineering. He can often be found teaching at Black Hat or spending late nights working on capture the flag at Defcon.

Gideon Lenkey, CISSP, is the president and co-founder of Ra Security Systems, Inc., a New Jersey–based managed services company, where he specializes in testing the information security posture of enterprise IT infrastructures. He has provided advanced training to the FBI and served as the president of the FBI’s InfraGard program in New Jersey. He has been recognized on multiple occasions by FBI director Robert Muller for his contributions and is frequently consulted by both foreign and domestic government agencies. Gideon is a regular contributor to the Internet Evolution website and a participant in the EastWest Institute’s Cybersecurity initiative.

Terron Williams, NSA IAM-IEM, CEH, CSSLP, works for Elster Electricity as a Senior Test Engineer, with a primary focus on smart grid security. He formerly worked at Nortel as a Security Test Engineer and VoIP System Integration Engineer. Terron has served on the editorial board for Hakin9 IT Security Magazine and has authored articles for it. His interests are in VoIP, exploit research, SCADA security, and emerging smart grid technologies.

Disclaimer: The views expressed in this book are those of the authors and not of the U.S. government or the Microsoft Corporation.
About the Technical Editor

Michael Baucom is the Vice President of Research and Development at N2NetSecurity, Inc., in North Carolina. He has been a software engineer for 15 years and has worked on a wide variety of software, from router forwarding code in assembly to Windows applications and services. In addition to writing software, he has worked as a security consultant performing training, source code audits, and penetration tests.
CONTENTS AT A GLANCE

Part I   Introduction to Ethical Disclosure . . . 1
  Chapter 1   Ethics of Ethical Hacking . . . 3
  Chapter 2   Ethical Hacking and the Legal System . . . 23
  Chapter 3   Proper and Ethical Disclosure . . . 47

Part II   Penetration Testing and Tools . . . 75
  Chapter 4   Social Engineering Attacks . . . 77
  Chapter 5   Physical Penetration Attacks . . . 93
  Chapter 6   Insider Attacks . . . 109
  Chapter 7   Using the BackTrack Linux Distribution . . . 125
  Chapter 8   Using Metasploit . . . 141
  Chapter 9   Managing a Penetration Test . . . 157

Part III   Exploiting . . . 171
  Chapter 10   Programming Survival Skills . . . 173
  Chapter 11   Basic Linux Exploits . . . 201
  Chapter 12   Advanced Linux Exploits . . . 225
  Chapter 13   Shellcode Strategies . . . 251
  Chapter 14   Writing Linux Shellcode . . . 267
  Chapter 15   Windows Exploits . . . 297
  Chapter 16   Understanding and Detecting Content-Type Attacks . . . 341
  Chapter 17   Web Application Security Vulnerabilities . . . 361
  Chapter 18   VoIP Attacks . . . 379
  Chapter 19   SCADA Attacks . . . 395

Part IV   Vulnerability Analysis . . . 411
  Chapter 20   Passive Analysis . . . 413
  Chapter 21   Advanced Static Analysis with IDA Pro . . . 445
  Chapter 22   Advanced Reverse Engineering . . . 471
  Chapter 23   Client-Side Browser Exploits . . . 495
  Chapter 24   Exploiting the Windows Access Control Model . . . 525
  Chapter 25   Intelligent Fuzzing with Sulley . . . 579
  Chapter 26   From Vulnerability to Exploit . . . 595
  Chapter 27   Closing the Holes: Mitigation . . . 617

Part V   Malware Analysis . . . 633
  Chapter 28   Collecting Malware and Initial Analysis . . . 635
  Chapter 29   Hacking Malware . . . 657

Index . . . 673
CONTENTS

Preface . . . xxiii
Acknowledgments . . . xxv
Introduction . . . xxvii

Part I   Introduction to Ethical Disclosure

Chapter 1   Ethics of Ethical Hacking
  Why You Need to Understand Your Enemy’s Tactics
  Recognizing the Gray Areas in Security
  How Does This Stuff Relate to an Ethical Hacking Book?
    Vulnerability Assessment
    Penetration Testing
  The Controversy of Hacking Books and Classes
    The Dual Nature of Tools
    Recognizing Trouble When It Happens
    Emulating the Attack
  Where Do Attackers Have Most of Their Fun?
    Security Does Not Like Complexity

Chapter 2   Ethical Hacking and the Legal System
  The Rise of Cyberlaw
  Understanding Individual Cyberlaws
    18 USC Section 1029: The Access Device Statute
    18 USC Section 1030 of the Computer Fraud and Abuse Act
    18 USC Sections 2510, et. Seq., and 2701, et. Seq., of the Electronic Communication Privacy Act
    Digital Millennium Copyright Act (DMCA)
    Cyber Security Enhancement Act of 2002
    Securely Protect Yourself Against Cyber Trespass Act (SPY Act)

Chapter 3   Proper and Ethical Disclosure
  Different Teams and Points of View
    How Did We Get Here?
  CERT’s Current Process
  Full Disclosure Policy—the RainForest Puppy Policy
  Organization for Internet Safety (OIS)
    Discovery
    Notification
    Validation
    Resolution
    Release
  Conflicts Will Still Exist
    “No More Free Bugs”
  Case Studies
    Pros and Cons of Proper Disclosure Processes
    Vendors Paying More Attention
  So What Should We Do from Here on Out?
    iDefense and ZDI

Part II   Penetration Testing and Tools

Chapter 4   Social Engineering Attacks
  How a Social Engineering Attack Works
  Conducting a Social Engineering Attack
  Common Attacks Used in Penetration Testing
    The Good Samaritan
    The Meeting
    Join the Company
  Preparing Yourself for Face-to-Face Attacks
  Defending Against Social Engineering Attacks

Chapter 5   Physical Penetration Attacks
  Why a Physical Penetration Is Important
  Conducting a Physical Penetration
    Reconnaissance
    Mental Preparation
  Common Ways into a Building
    The Smokers’ Door
    Manned Checkpoints
    Locked Doors
    Physically Defeating Locks
    Once You Are Inside
  Defending Against Physical Penetrations

Chapter 6   Insider Attacks
  Why Simulating an Insider Attack Is Important
  Conducting an Insider Attack
    Tools and Preparation
    Orientation
    Gaining Local Administrator Privileges
    Disabling Antivirus
    Raising Cain
  Defending Against Insider Attacks

Chapter 7   Using the BackTrack Linux Distribution
  BackTrack: The Big Picture
  Installing BackTrack to DVD or USB Thumb Drive
  Using the BackTrack ISO Directly Within a Virtual Machine
    Creating a BackTrack Virtual Machine with VirtualBox
    Booting the BackTrack LiveDVD System
    Exploring the BackTrack X Windows Environment
    Starting Network Services
  Persisting Changes to Your BackTrack Installation
    Installing Full BackTrack to Hard Drive or USB Thumb Drive
    Creating a New ISO with Your One-time Changes
    Using a Custom File that Automatically Saves and Restores Changes
  Exploring the BackTrack Boot Menu
  Updating BackTrack

Chapter 8   Using Metasploit
  Metasploit: The Big Picture
  Getting Metasploit
  Using the Metasploit Console to Launch Exploits
  Exploiting Client-Side Vulnerabilities with Metasploit
  Penetration Testing with Metasploit’s Meterpreter
  Automating and Scripting Metasploit
  Going Further with Metasploit

Chapter 9   Managing a Penetration Test
  Planning a Penetration Test
    Types of Penetration Tests
    Scope of a Penetration Test
    Locations of the Penetration Test
    Organization of the Penetration Testing Team
    Methodologies and Standards
    Phases of the Penetration Test
    Testing Plan for a Penetration Test
  Structuring a Penetration Testing Agreement
    Statement of Work
    Get-Out-of-Jail-Free Letter
  Execution of a Penetration Test
    Kickoff Meeting
    Access During the Penetration Test
    Managing Expectations
    Managing Problems
    Steady Is Fast
    External and Internal Coordination
  Information Sharing During a Penetration Test
    Dradis Server
  Reporting the Results of a Penetration Test
    Format of the Report
    Out Brief of the Report

Part III   Exploiting

Chapter 10   Programming Survival Skills
  C Programming Language
    Basic C Language Constructs
    Sample Program
    Compiling with gcc
  Computer Memory
    Random Access Memory (RAM)
    Endian
    Segmentation of Memory
    Programs in Memory
    Buffers
    Strings in Memory
    Pointers
    Putting the Pieces of Memory Together
  Intel Processors
    Registers
  Assembly Language Basics
    Machine vs. Assembly vs. C
    AT&T vs. NASM
    Addressing Modes
    Assembly File Structure
    Assembling
  Debugging with gdb
    gdb Basics
    Disassembly with gdb
  Python Survival Skills
    Getting Python
    Hello World in Python
    Python Objects
    Strings
    Numbers
    Lists
    Dictionaries
    Files with Python
    Sockets with Python

Chapter 11   Basic Linux Exploits
  Stack Operations
    Function Calling Procedure
  Buffer Overflows
    Overflow of meet.c
    Ramifications of Buffer Overflows
  Local Buffer Overflow Exploits
    Components of the Exploit
    Exploiting Stack Overflows from the Command Line
    Exploiting Stack Overflows with Generic Exploit Code
    Exploiting Small Buffers
  Exploit Development Process
    Control eip
    Determine the Offset(s)
    Determine the Attack Vector
    Build the Exploit Sandwich
    Test the Exploit

Chapter 12   Advanced Linux Exploits
  Format String Exploits
    The Problem
    Reading from Arbitrary Memory
    Writing to Arbitrary Memory
    Taking .dtors to root
  Memory Protection Schemes
    Compiler Improvements
    Kernel Patches and Scripts
    Return to libc Exploits
    Bottom Line

Chapter 13   Shellcode Strategies
  User Space Shellcode
    System Calls
    Basic Shellcode
    Port Binding Shellcode
    Reverse Shellcode
    Find Socket Shellcode
    Command Execution Code
    File Transfer Code
    Multistage Shellcode
    System Call Proxy Shellcode
    Process Injection Shellcode
  Other Shellcode Considerations
    Shellcode Encoding
    Self-Corrupting Shellcode
    Disassembling Shellcode
  Kernel Space Shellcode
    Kernel Space Considerations

Chapter 14   Writing Linux Shellcode
  Basic Linux Shellcode
    System Calls
    System Calls by C
    System Calls by Assembly
    Exit System Call
    setreuid System Call
    Shell-Spawning Shellcode with execve
  Implementing Port-Binding Shellcode
    Linux Socket Programming
    Assembly Program to Establish a Socket
. . . . Test the Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 268 268 269 269 271 272 276 276 279 281
  • 18. Contents xv Implementing Reverse Connecting Shellcode . . . . . . . . . . . . . . . . . . . . Reverse Connecting C Program . . . . . . . . . . . . . . . . . . . . . . . . . . Reverse Connecting Assembly Program . . . . . . . . . . . . . . . . . . . . Encoding Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Simple XOR Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Structure of Encoded Shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . JMP/CALL XOR Decoder Example . . . . . . . . . . . . . . . . . . . . . . . . FNSTENV XOR Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Putting the Code Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Automating Shellcode Generation with Metasploit . . . . . . . . . . . . . . . Generating Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . . Encoding Shellcode with Metasploit . . . . . . . . . . . . . . . . . . . . . . Chapter 15 ...................................... 297 Compiling and Debugging Windows Programs . . . . . . . . . . . . . . . . . . Compiling on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Debugging on Windows with OllyDbg . . . . . . . . . . . . . . . . . . . . Writing Windows Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Exploit Development Process Review . . . . . . . . . . . . . . . . . . . . . ProSSHD Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Control eip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Determine the Offset(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Determine the Attack Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Build the Exploit Sandwich . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Debug the Exploit if Needed . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . Understanding Structured Exception Handling (SEH) . . . . . . . . . . . . . Implementation of SEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Windows Memory Protections (XP SP3, Vista, 7, and Server 2008) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stack-Based Buffer Overrun Detection (/GS) . . . . . . . . . . . . . . . Safe Structured Exception Handling (SafeSEH) . . . . . . . . . . . . . SEH Overwrite Protection (SEHOP) . . . . . . . . . . . . . . . . . . . . . . Heap Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data Execution Prevention (DEP) . . . . . . . . . . . . . . . . . . . . . . . . Address Space Layout Randomization (ASLR) . . . . . . . . . . . . . . Bypassing Windows Memory Protections . . . . . . . . . . . . . . . . . . . . . . . Bypassing /GS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bypassing SafeSEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bypassing ASLR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bypassing DEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Bypassing SEHOP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Summary of Memory Bypass Methods . . . . . . . . . . . . . . . . . . . . Chapter 16 Windows Exploits 284 284 285 287 287 288 288 289 291 294 294 295 297 297 299 304 305 305 306 308 309 312 314 316 316 318 318 320 320 320 321 321 322 323 323 324 325 331 338 Understanding and Detecting Content-Type Attacks ........... 341 How Do Content-Type Attacks Work? . . . . . . . . . . . . . . . . . . . . . . . . . . Which File Formats Are Being Exploited Today? . . . . . . . . . . . . . . . . . . Intro to the PDF File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 343 345
  • 19. Gray Hat Hacking, The Ethical Hacker’s Handbook, Third Edition xvi Analyzing a Malicious PDF Exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . Implementing Safeguards in Your Analysis Environment . . . . . Tools to Detect Malicious PDF Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . PDFiD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . pdf-parser.py . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tools to Test Your Protections Against Content-type Attacks . . . . . . . . How to Protect Your Environment from Content-type Attacks . . . . . . Apply All Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Disable JavaScript in Adobe Reader . . . . . . . . . . . . . . . . . . . . . . . Enable DEP for Microsoft Office Application and Adobe Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 18 360 Web Application Security Vulnerabilities ..................... 361 Overview of Top Web Application Security Vulnerabilities . . . . . . . . . Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cross-Site Scripting Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . The Rest of the OWASP Top Ten . . . . . . . . . . . . . . . . . . . . . . . . . . SQL Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SQL Databases and Statements . . . . . . . . . . . . . . . . . . . . . . . . . . Testing Web Applications to Find SQL Injection Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cross-Site Scripting Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . Explaining “Scripting” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Explaining Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . 
Chapter 17 361 361 362 362 362 365 367 373 373 374 ........................................... 379 What Is VoIP? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Protocols Used by VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Megaco H.248 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . H.323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TLS and DTLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ZRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enumeration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SIP Password Cracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Eavesdropping/Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . How to Protect Against VoIP Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 19 VoIP Attacks 348 350 351 351 355 358 359 359 359 379 380 381 382 382 383 384 384 384 384 386 386 387 393 SCADA Attacks ........................................ 395 What Is SCADA? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Which Protocols Does SCADA Use? . . . . . . . . . . . . . . . . . . . . . . . . . . . OPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ICCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . Modbus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNP3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 396 396 396 397 398
  • 20. Contents xvii SCADA Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SCADA Fuzzing with Autodafé . . . . . . . . . . . . . . . . . . . . . . . . . . . SCADA Fuzzing with TFTP Daemon Fuzzer . . . . . . . . . . . . . . . . Stuxnet Malware (The New Wave in Cyberterrorism) . . . . . . . . . . . . . . How to Protect Against SCADA Attacks . . . . . . . . . . . . . . . . . . . . . . . . . Part IV Chapter 20 Vulnerability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 ........................................ 413 Ethical Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Why Bother with Reverse Engineering? . . . . . . . . . . . . . . . . . . . . . . . . . Reverse Engineering Considerations . . . . . . . . . . . . . . . . . . . . . . Source Code Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Source Code Auditing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Utility of Source Code Auditing Tools . . . . . . . . . . . . . . . . . Manual Source Code Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . Automated Source Code Analysis . . . . . . . . . . . . . . . . . . . . . . . . Binary Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Manual Auditing of Binary Code . . . . . . . . . . . . . . . . . . . . . . . . . Automated Binary Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 21 Passive Analysis 399 399 405 408 408 413 414 415 416 416 418 420 425 427 427 441 ...................... 445 Static Analysis Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stripped Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Statically Linked Programs and FLAIR . . . . . . . . . . . . . . . . . . . . . Data Structure Analysis . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . Quirks of Compiled C++ Code . . . . . . . . . . . . . . . . . . . . . . . . . . Extending IDA Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Scripting with IDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IDA Pro Plug-In Modules and the IDA Pro SDK . . . . . . . . . . . . . Building IDA Pro Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IDA Pro Loaders and Processor Modules . . . . . . . . . . . . . . . . . . Chapter 22 Advanced Static Analysis with IDA Pro 445 446 448 454 459 461 461 464 466 468 Advanced Reverse Engineering ............................ 471 Why Try to Break Software? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Overview of the Software Development Process . . . . . . . . . . . . . . . . . . Instrumentation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Debuggers . . . . . . . . . . . . . . . . . . . . . . .