54.90 €
Up-to-date strategies for thwarting the latest, most insidious network attacks
This fully updated, industry-standard security resource shows, step by step, how to fortify computer networks by learning and applying effective ethical hacking techniques. Based on curricula developed by the authors at major security conferences and colleges, the book features actionable planning and analysis methods as well as practical steps for identifying and combating both targeted and opportunistic attacks.
Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition clearly explains the enemy's devious weapons, skills, and tactics and offers field-tested remedies, case studies, and testing labs. You will get complete coverage of Internet of Things, mobile, and Cloud security along with penetration testing, malware analysis, and reverse engineering techniques. State-of-the-art malware, ransomware, and system exploits are thoroughly explained.
- Fully revised content includes 7 new chapters covering the latest threats
- Includes proof-of-concept code stored on the GitHub repository
- Authors train attendees at major security conferences, including RSA, Black Hat, Defcon, and B-Sides
Daniel Fernandez is a security researcher with more than 15 years of experience in the field. In recent years his focus has been hypervisor exploitation; before that he worked mostly on Windows and Linux kernel exploitation. Moses Frost is an author and instructor at the SANS Institute. His technology interests include web applications, Linux systems administration and design, and designing hacking challenges. He currently works at McAfee.
Preface
Acknowledgments
Introduction
Part I. Preparation
Chapter 1. Gray Hat Hacking
Gray Hat Hacking Overview
History of Hacking
Ethics and Hacking
Definition of Gray Hat Hacking
History of Ethical Hacking
History of Vulnerability Disclosure
Bug Bounty Programs
Know the Enemy: Black Hat Hacking
Advanced Persistent Threats
Lockheed Martin Cyber Kill Chain
Courses of Action for the Cyber Kill Chain
MITRE ATT&CK Framework
Summary
For Further Reading
References
Chapter 2. Programming Survival Skills
C Programming Language
Basic C Language Constructs
Lab 2-1: Format Strings
Lab 2-2: Loops
Lab 2-3: if/else
Sample Programs
Lab 2-4: hello.c
Lab 2-5: meet.c
Compiling with gcc
Lab 2-6: Compiling meet.c
Computer Memory
Random Access Memory
Endian
Segmentation of Memory
Programs in Memory
Buffers
Strings in Memory
Pointers
Putting the Pieces of Memory Together
Lab 2-7: memory.c
Intel Processors
Registers
Assembly Language Basics
Machine vs. Assembly vs. C
AT&T vs. NASM
Addressing Modes
Assembly File Structure
Lab 2-8: Simple Assembly Program
Debugging with gdb
gdb Basics
Lab 2-9: Debugging
Lab 2-10: Disassembly with gdb
Python Survival Skills
Getting Python
Lab 2-11: Launching Python
Lab 2-12: "Hello, World!" in Python
Python Objects
Lab 2-13: Strings
Lab 2-14: Numbers
Lab 2-15: Lists
Lab 2-16: Dictionaries
Lab 2-17: Files with Python
Lab 2-18: Sockets with Python
Summary
For Further Reading
References
Chapter 3. Linux Exploit Development Tools
Binary, Dynamic Information-Gathering Tools
Lab 3-1: Hello.c
Lab 3-2: ldd
Lab 3-3: objdump
Lab 3-4: strace
Lab 3-5: ltrace
Lab 3-6: checksec
Lab 3-7: libc-database
Lab 3-8: patchelf
Lab 3-9: one_gadget
Lab 3-10: Ropper
Extending gdb with Python
Pwntools CTF Framework and Exploit Development Library
Summary of Features
Lab 3-11: leak-bof.c
HeapME (Heap Made Easy) Heap Analysis and Collaboration Tool
Installing HeapME
Lab 3-12: heapme_demo.c
Summary
For Further Reading
References
Chapter 4. Introduction to Ghidra
Creating Our First Project
Installation and QuickStart
Setting the Project Workspace
Functionality Overview
Lab 4-1: Improving Readability with Annotations
Lab 4-2: Binary Diffing and Patch Analysis
Summary
For Further Reading
References
Chapter 5. IDA Pro
Introduction to IDA Pro for Reverse Engineering
What Is Disassembly?
Navigating IDA Pro
IDA Pro Features and Functionality
Cross-References (Xrefs)
Function Calls
Proximity Browser
Opcodes and Addressing
Shortcuts
Comments
Debugging with IDA Pro
Summary
For Further Reading
References
Part II. Ethical Hacking
Chapter 6. Red and Purple Teams
Introduction to Red Teams
Vulnerability Scanning
Validated Vulnerability Scanning
Penetration Testing
Threat Simulation and Emulation
Purple Team
Making Money with Red Teaming
Corporate Red Teaming
Consultant Red Teaming
Purple Team Basics
Purple Team Skills
Purple Team Activities
Summary
For Further Reading
References
Chapter 7. Command and Control (C2)
Command and Control Systems
Metasploit
Lab 7-1: Creating a Shell with Metasploit
PowerShell Empire
Covenant
Lab 7-2: Using Covenant C2
Payload Obfuscation
msfvenom and Obfuscation
Lab 7-3: Obfuscating Payloads with msfvenom
Creating C# Launchers
Lab 7-4: Compiling and Testing C# Launchers
Creating Go Launchers
Lab 7-5: Compiling and Testing Go Launchers
Creating Nim Launchers
Lab 7-6: Compiling and Testing Nim Launchers
Network Evasion
Encryption
Alternate Protocols
C2 Templates
EDR Evasion
Killing EDR Products
Bypassing Hooks
Summary
For Further Reading
Chapter 8. Building a Threat Hunting Lab
Threat Hunting and Labs
Options of Threat Hunting Labs
Method for the Rest of this Chapter
Basic Threat Hunting Lab: DetectionLab
Prerequisites
Lab 8-1: Install the Lab on Your Host
Lab 8-2: Install the Lab in the Cloud
Lab 8-3: Looking Around the Lab
Extending Your Lab
HELK
Lab 8-4: Install HELK
Lab 8-5: Install Winlogbeat
Lab 8-6: Kibana Basics
Lab 8-7: Mordor
Summary
For Further Reading
References
Chapter 9. Introduction to Threat Hunting
Threat Hunting Basics
Types of Threat Hunting
Workflow of a Threat Hunt
Normalizing Data Sources with OSSEM
Data Sources
OSSEM to the Rescue
Data-Driven Hunts Using OSSEM
MITRE ATT&CK Framework Refresher: T1003.002
Lab 9-1: Visualizing Data Sources with OSSEM
Lab 9-2: AtomicRedTeam Attacker Emulation
Exploring Hypothesis-Driven Hunts
Lab 9-3: Hypothesis that Someone Copied a SAM File
Crawl, Walk, Run
Enter Mordor
Lab 9-4: Hypothesis that Someone Other than an Admin Launched PowerShell
Threat Hunter Playbook
Departure from HELK for Now
Spark and Jupyter
Lab 9-5: Automated Playbooks and Sharing of Analytics
Summary
For Further Reading
References
Part III. Hacking Systems
Chapter 10. Basic Linux Exploits
Stack Operations and Function-Calling Procedures
Buffer Overflows
Lab 10-1: Overflowing meet.c
Ramifications of Buffer Overflows
Local Buffer Overflow Exploits
Lab 10-2: Components of the Exploit
Lab 10-3: Exploiting Stack Overflows from the Command Line
Lab 10-4: Writing the Exploit with Pwntools
Lab 10-5: Exploiting Small Buffers
Exploit Development Process
Lab 10-6: Building Custom Exploits
Summary
For Further Reading
Chapter 11. Advanced Linux Exploits
Lab 11-1: Vulnerable Program and Environment Setup
Lab 11-2: Bypassing Non-Executable Stack (NX) with Return-Oriented Programming (ROP)
Lab 11-3: Defeating Stack Canaries
Lab 11-4: ASLR Bypass with an Information Leak
Lab 11-5: PIE Bypass with an Information Leak
Summary
For Further Reading
References
Chapter 12. Linux Kernel Exploits
Lab 12-1: Environment Setup and Vulnerable procfs Module
Lab 12-2: ret2usr
Lab 12-3: Defeating Stack Canaries
Lab 12-4: Bypassing Supervisor Mode Execution Protection (SMEP) and Kernel Page-Table Isolation (KPTI)
Lab 12-5: Bypassing Supervisor Mode Access Prevention (SMAP)
Lab 12-6: Defeating Kernel Address Space Layout Randomization (KASLR)
Summary
For Further Reading
References
Chapter 13. Basic Windows Exploitation
Compiling and Debugging Windows Programs
Lab 13-1: Compiling on Windows
Debugging on Windows with Immunity Debugger
Lab 13-2: Crashing the Program
Writing Windows Exploits
Exploit Development Process Review
Lab 13-3: Exploiting ProSSHD Server
Understanding Structured Exception Handling
Understanding and Bypassing Common Windows Memory Protections
Safe Structured Exception Handling
Bypassing SafeSEH
Data Execution Prevention
Return-Oriented Programming
Gadgets
Building the ROP Chain
Summary
For Further Reading
References
Chapter 14. Windows Kernel Exploitation
The Windows Kernel
Kernel Drivers
Kernel Debugging
Lab 14-1: Setting Up Kernel Debugging
Picking a Target
Lab 14-2: Obtaining the Target Driver
Lab 14-3: Reverse Engineering the Driver
Lab 14-4: Interacting with the Driver
Token Stealing
Lab 14-5: Arbitrary Pointer Read/Write
Lab 14-6: Writing a Kernel Exploit
Summary
For Further Reading
References
Chapter 15. PowerShell Exploitation
Why PowerShell
Living off the Land
PowerShell Logging
PowerShell Portability
Loading PowerShell Scripts
Lab 15-1: The Failure Condition
Lab 15-2: Passing Commands on the Command Line
Lab 15-3: Encoded Commands
Lab 15-4: Bootstrapping via the Web
Exploitation and Post-Exploitation with PowerSploit
...
| Year of publication: | 2022 |
|---|---|
| Subject area: | Data communication, networks & bulletin boards |
| Genre: | Imports, computer science |
| Section: | Natural sciences & technology |
| Medium: | Paperback |
| Content: | Paperback / softcover |
| ISBN-13: | 9781264268948 |
| ISBN-10: | 1264268947 |
| Language: | English |
| Binding: | Paperback / softcover |
| Authors: | Harper, Allen; Fernandez, Daniel; Tejeda, Huascar; Baucom, Michael; Frost, Moses; Linn, Ryan; Sims, Stephen |
| Edition: | 6th edition |
| Publisher: | McGraw-Hill Education |
| Responsible person for the EU: | Libri GmbH, Europaallee 1, D-36244 Bad Hersfeld, gpsr@libri.de |
| Dimensions: | 229 x 188 x 37 mm |
| By: | Allen Harper (et al.) |
| Publication date: | 27 April 2022 |
| Weight: | 1.184 kg |