Hackers Hut

Andries Brouwer, aeb@cwi.nl

1. Preliminary

• 1.1 Damage

2. Introduction

• 2.1 Fun
• 2.2 Profit
• 2.3 Crypto

3. Discovery

• 3.1 Tools
• 3.2 Information leaks
• 3.3 Flaw discovery
• 3.4 Social engineering attack

4. Password Cracking

• 4.1 Common passwords
• 4.2 Unix password algorithms
• 4.3 MySQL passwords
• 4.4 ZIP passwords
• 4.5 PDF passwords
• 4.6 Avoiding brute force
• 4.7 Time-memory tradeoff
• 4.8 Side channels and timing
• 4.9 Captchas - protection by image

5. Active data

• 5.1 Nostalgia
• 5.2 Terminals and terminal emulators
• 5.3 Editors
• 5.4 Formatters
• 5.5 printf - format string exploits

6. Data injection into scripts

• 6.1 SQL injection - first example
• 6.2 SQL injection
• 6.3 Escapes and multibyte characters

7. Options and whitespace

• 7.1 Options
• 7.2 Whitespace

8. Environment variables

• 8.1 Buffer overflow
• 8.2 HOME
• 8.3 LD_LIBRARY_PATH
• 8.4 LD_DEBUG
• 8.5 PATH
• 8.6 NLSPATH
• 8.7 IFS
• 8.8 Misleading trusting programs
• 8.9 system() and popen()
• 8.10 Setuid binaries

9. Race conditions

• 9.1 Time between test and execution
• 9.2 Temporary files

10. Smashing The Stack

• 10.1 Shellcodes
• 10.2 Programming details
• 10.3 Non-executable stack
• 10.4 Returning into libc
• 10.5 Returning into libc - getting root
• 10.6 Address randomization
• 10.7 Returning via linux-gate.so.1
• 10.8 Return-oriented programming
• 10.9 Printable shellcodes
• 10.10 Integer overflow
• 10.11 Stack/heap collision

11. Exploiting the heap

• 11.1 Malloc
• 11.2 Exploit free()
• 11.3 Overwrite a PLT entry
• 11.4 Adapted shellcode
• 11.5 glibc-2.3.3

12. Local root exploits

• 12.1 A Linux example - ptrace
• 12.2 A Linux example - prctl
• 12.3 A Linux example - a race in procfs
• 12.4 A Linux integer overflow - vmsplice
• 12.5 A Linux NULL pointer exploit
• 12.6 An Irix example
• 12.7 The Unix permission system
• 12.8 Modified system environment

13. Stealth

• 13.1 Integrity checking
• 13.2 A login backdoor
• 13.3 A kernel backdoor
• 13.4 A famous backdoor

14. ELF

• 14.1 An ELF virus
• 14.2 Defeating the 'noexec' mount option
• 14.3 ELF auxiliary vectors

15. Networking

• 15.1 Sender spoofing
• 15.2 ARP cache poisoning
• 15.3 TCP sequence numbers
• 15.4 Hijack a TCP session
• 15.5 DNS cache poisoning
• 15.6 NFS - No File Security
• 15.7 Exploiting scanners
• 15.8 Simple Denial of Service attacks

16. Remote root exploits

• 16.1 Windows DCOM RPC

17. Browsers

• 17.1 Unicode
• 17.2 Cross-site scripting
• 17.3 Hijack
• 17.4 Annoyances
• 17.5 The Java virtual machine

18. Viruses and Worms

• 18.1 Aggie
• 18.2 Linux viruses
• 18.3 Mydoom
• 18.4 Stuxnet

19. Wifi and War Driving

• 19.1 Amount of data needed
• 19.2 RC4
• 19.3 Examples

20. References

• 20.1 Literature / Fiction / History
• 20.2 Social engineering
• 20.3 Introductory
• 20.4 Black Hat Info
• 20.5 White Hat Info
• 20.6 Tools
• 20.7 Warning