diff --git a/README.md b/README.md index a5489c2..06e98b4 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ -Gray Hat C# =============== +Gray Hat C# +=============== 
@@ -17,103 +18,121 @@ Studio. However, every line of code should work across all platforms and this should Just Work(tm) in Visual Studio on Windows. -The Chapters ==== +The Chapters +==== -Chapter 1 - Crash Course -- In chapter one, we learn the basics of C# -object-oriented programming with very simple examples. We briefly cover -object-oriented principles such as inheritance, but also cover more advanced -features of the C# language such as delegates and Platform Invoke (P/Invoke). +Chapter 1 - Crash Course +-- +In chapter one, we learn the basics of C# object-oriented programming with very +simple examples. We briefly cover object-oriented principles such as +inheritance, but also cover more advanced features of the C# language such as +delegates and Platform Invoke (P/Invoke). -Chapter 2 - Fuzzing and Exploiting XSS and SQL Injection -- In chapter two, we -are introduced to the HTTP library used to communicate with web servers in order -to write small HTTP request fuzzers looking for XSS and SQL injection in a -variety of different data types. We also write exploits for two types of SQL -injection techniques; UNION and boolean-based. +Chapter 2 - Fuzzing and Exploiting XSS and SQL Injection +-- +In chapter two, we are introduced to the HTTP library used to communicate with +web servers in order to write small HTTP request fuzzers looking for XSS and SQL +injection in a variety of different data types. We also write exploits for two +types of SQL injection techniques; UNION and boolean-based. -Chapter 3 - Fuzzing SOAP Endpoints -- In chapter three, we take the concept of -the fuzzers in the previous chapter to the next level, and also introduce the -excellent XML libraries available in the standard library. We write a small -fuzzer that retrieves and parses a SOAP WSDL in order to automatically generate -HTTP requests in order to find potential SQL injections. 
+Chapter 3 - Fuzzing SOAP Endpoints +-- +In chapter three, we take the concept of the fuzzers in the previous chapter to +the next level, and also introduce the excellent XML libraries available in the +standard library. We write a small fuzzer that retrieves and parses a SOAP WSDL +in order to automatically generate HTTP requests in order to find potential SQL +injections. -Chapter 4 - Writing Connect-backs, Binds, and Metasploit Payloads -- In chapter -four, we break from the focus on HTTP and move onto payloads that we can create. -We first create a couple of simple payloads, one over TCP and one over UDP. Then -we learn how to generate x86/x86_64 shellcode in Metasploit to create -cross-platform and cross-architecture payloads. +Chapter 4 - Writing Connect-backs, Binds, and Metasploit Payloads +-- +In chapter four, we break from the focus on HTTP and move onto payloads that we +can create. We first create a couple of simple payloads, one over TCP and one +over UDP. Then we learn how to generate x86/x86_64 shellcode in Metasploit to +create cross-platform and cross-architecture payloads. -Chapter 5 - Automating Nessus -- In chapter five, we start back again with HTTP -in order to begin automating the Nessus vulnerability scanner. We go over how to -create, watch, and report on scans on CIDR ranges programmatically. +Chapter 5 - Automating Nessus +-- +In chapter five, we start back again with HTTP in order to begin automating the +Nessus vulnerability scanner. We go over how to create, watch, and report on +scans on CIDR ranges programmatically. -Chapter 6 - Automating Nexpose -- In chapter six, we maintain the focus on tool -automation by moving onto automating the Nexpose vulnerability scanner. -Nexpose, whose API is also HTTP based, can also achieve automated vulnerability -scans and reports and offers a free year license for their Community product, -very useful for home enthusiasts. 
+Chapter 6 - Automating Nexpose +-- +In chapter six, we maintain the focus on tool automation by moving onto +automating the Nexpose vulnerability scanner. Nexpose, whose API is also HTTP +based, can also achieve automated vulnerability scans and reports and offers a +free year license for their Community product, very useful for home enthusiasts. -Chapter 7 - Automating OpenVAS -- In chapter seven, we conclude the focus on -vulnerability scanner automation with OpenVAS, a free and open source -vulnerability scanner. OpenVAS has a fundamentally different kind of API than -both Nessus and Nexpose, and is also very useful for hobbyists or home -enthusiasts. +Chapter 7 - Automating OpenVAS +-- +In chapter seven, we conclude the focus on vulnerability scanner automation with +OpenVAS, a free and open source vulnerability scanner. OpenVAS has a fundamentally +different kind of API than both Nessus and Nexpose, and is also very useful for +hobbyists or home enthusiasts. -Chapter 8 - Automating the Cuckoo Sandbox -- In chapter eight, we move into the -incident response area and focus on automating the Cuckoo Sandbox. Using an easy -to consume RESTful JSON API, we automate submitting potential malware samples, -then reporting on the results. +Chapter 8 - Automating the Cuckoo Sandbox +-- +In chapter eight, we move into the incident response area and focus on automating +the Cuckoo Sandbox. Using an easy to consume RESTful JSON API, we automate +submitting potential malware samples, then reporting on the results. -Chapter 9 - Automating sqlmap -- In chapter nine, we move onto more than just -finding potential SQL injections with fuzzers and begin exploiting SQL -injections to their fullest extent by automating sqlmap. Using an easy to use -JSON API shipped with sqlmap, we first create small tools to submit single URLs. 
-Once done with the introduction, we integrate sqlmap into the SOAP WSDL fuzzer -from chapter three, so any potential SQL injection vulnerabilities can be -automatically exploited and validated. +Chapter 9 - Automating sqlmap +-- +In chapter nine, we move onto more than just finding potential SQL injections with +fuzzers and begin exploiting SQL injections to their fullest extent by automating +sqlmap. Using an easy to use JSON API shipped with sqlmap, we first create small +tools to submit single URLs. Once done with the introduction, we integrate sqlmap +into the SOAP WSDL fuzzer from chapter three, so any potential SQL injection +vulnerabilities can be automatically exploited and validated. -Chapter 10 - Automating ClamAV -- In chapter ten, we focus on interacting with -native, unmanaged libraries. ClamAV, a popular and open source antivirus -project, is not written in a .NET language, but we can still interface with its -core libraries as well as remotely via a TCP daemon. We cover how to automate -ClamAV in both scenarios. +Chapter 10 - Automating ClamAV +-- +In chapter ten, we focus on interacting with native, unmanaged libraries. ClamAV, +a popular and open source antivirus project, is not written in a .NET language, but +we can still interface with its core libraries as well as remotely via a TCP daemon. +We cover how to automate ClamAV in both scenarios. -Chapter 11 - Automating Metasploit -- In chapter eleven, we put the focus back -on Metasploit. We learn how to programmatically drive Metasploit via the MSGPACK -RPC that is shipped with the core framework in order to exploit and report on -shelled hosts. +Chapter 11 - Automating Metasploit +-- +In chapter eleven, we put the focus back on Metasploit. We learn how to +programmatically drive Metasploit via the MSGPACK RPC that is shipped with the core +framework in order to exploit and report on shelled hosts. 
-Chapter 12 - Automating Arachni -- In chapter twelve, we focus on automating the -blackbox web application scanner Arachni, a free and open source project, though -dual-licensed. Using both the simpler RESTful HTTP API and the more powerful -MSGPACK RPC that is the shipped with the project, we create small tools to -automatically scan a URL and report the findings as we scan. +Chapter 12 - Automating Arachni +-- +In chapter twelve, we focus on automating the blackbox web application scanner +Arachni, a free and open source project, though dual-licensed. Using both the +simpler REST HTTP API and the more powerful MSGPACK RPC that is the shipped +with the project, we create small tools to automatically scan a URL and report +the findings as we scan. -Chapter 13 - Decompiling and Reversing Managed Assemblies -- In chapter -thirteen, we move into reverse engineering. There are easy to use .NET +Chapter 13 - Decompiling and Reversing Managed Assemblies +-- +In chapter thirteen, we move into reverse engineering. There are easy to use .NET decompilers for Windows, but not for Mac or Linux, so we write a small one ourselves. We also discuss the useful ```monodis``` tool, which allows granular insight into the inner working of a .NET assembly. 
@@ -122,16 +141,19 @@ insight into the inner working of a .NET assembly. -Chapter 14 - Reading Offline Windows NT Registry Hives -- In chapter fourteen, -we move into the digital forensics area and focus on registry hives. Going over -the binary structure of the Windows registry, we learn how to parse and read -offline registry hives, which allows us to easily retrieve the system's boot -key, used to encrypt password hash information in the SAM registry hive. +Chapter 14 - Reading Offline Windows NT Registry Hives +-- +In chapter fourteen, we move into the digital forensics area and focus on registry +hives. Going over the binary structure of the Windows registry, we learn how to +parse and read offline registry hives, which allows us to easily retrieve the +system's boot key, used to encrypt password hash information in the SAM registry +hive. -Conclusion -- In the end, I want the reader to leave having a broad -understanding of the potential the C# programming language can have at their -home or organization, who may be struggling to enact and follow through with -mature vulnerability management or security-oriented SDLCs due to resource -constraints. +Conclusion +== +In the end, I want the reader to leave having a broad understanding of the +potential the C# programming language can have at their home or organization, who +may be struggling to enact and follow through with mature vulnerability management +or security-oriented SDLCs due to resource constraints.
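Review bot: the first hunk's fix of splitting `Gray Hat C#` from its `===============` underline is correct (a setext underline only counts on its own line), but across the three hunks the H1 underlines now come in three lengths: `===============` here, `====` under `The Chapters`, and `==` under `Conclusion`. Markdown renders them identically, so this is cosmetic, but pick one length, and consider whether `The Chapters` and `Conclusion` really belong at the same heading level as the book title rather than one level below it.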
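Review bot: the Chapter 12 paragraph in the second hunk carries the pre-existing typo `the more powerful MSGPACK RPC that is the shipped` into the rewrapped text (should read `that is shipped with the project`), and the same paragraph silently changes `RESTful HTTP API` to `REST HTTP API`, a wording change that does not belong in a reflow-only commit; either drop it or mention it in the commit message. Since these lines are being rewritten anyway, `two types of SQL injection techniques; UNION and boolean-based` in Chapter 2 wants a colon rather than a semicolon, and `free year license` in Chapter 6 reads better as `free one-year license`.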
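Review bot: the Conclusion sentence in the third hunk, `the potential the C# programming language can have at their home or organization, who may be struggling`, attaches the `who` clause to `organization` instead of to the reader; as the line is being rewrapped, consider rewording along the lines of `what C# can do for a reader or organization that may be struggling to enact and follow through with mature vulnerability management`. Also, `Conclusion` is underlined with `==` (H1) while every chapter uses `--` (H2); if it is meant to sit alongside the chapters rather than alongside the `The Chapters` header, `--` would be the consistent choice.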