Gray Hat Hacking: The Ethical Hacker's Handbook, 5th Edition, by Allen Harper


Praise for Gray Hat Hacking: The Ethical Hacker’s Handbook, Fifth Edition

“The Gray Hat Hacking book series continues to provide an up-to-date and
detailed view on a large variety of offensive IT security disciplines. In this
fifth edition, a group of respected infosec professionals spared no effort to
share their experience and expertise on novel techniques to bypass security
mechanisms.
The exploit development chapters, written by Stephen Sims, reveal in great
detail what it takes to write an exploit for modern applications. In Chapter 14,
Stephen uses a recent vulnerability in a major web browser to demystify the
complexity of writing modern exploits for heap-related memory corruptions,
bypassing memory protections along the road.
This book is a must-read for anyone who wants to step up and broaden their
skills in infosec.”
—Peter Van Eeckhoutte
Corelan Team (@corelanc0d3r)

“One of the few book series where I ALWAYS buy the updated version.
Learn updated exploit-dev techniques from the best instructors in the
business. The volume of new information available to the average
information security practitioner is staggering. The authors, who are some of
the best in their respective fields, help us stay up to date with current trends
and techniques. GHH’s updates on Red Team Ops, Bug Bounties,
PowerShell Techniques, and IoT & Embedded Devices are exactly what
infosec practitioners need to add to their tool kits.”
—Chris Gates
Sr. Security Engineer (Uber)

“Never before has there been so much technology to attack nor such high
levels of controls and prevention mechanisms. For example, the
advancements in modern operating systems and applications to protect
against exploitation are very impressive, yet time and time again with the
right conditions they are bypassed. Amongst a litany of modern and up-to-date
techniques, Gray Hat Hacking provides detailed and informative
walkthroughs of vulnerabilities and how controls like ASLR and DEP are
bypassed. Filled with real examples you can follow if you are seeking to
upgrade your understanding of the latest hacking techniques—this is the book
for you.”
—James Lyne
Global Research Advisor (Sophos) and Head of R&D (SANS Institute)
Copyright © 2018 by McGraw-Hill Education. All rights reserved. Except as
permitted under the United States Copyright Act of 1976, no part of this
publication may be reproduced or distributed in any form or by any means, or
stored in a database or retrieval system, without the prior written permission
of the publisher, with the exception that the program listings may be entered,
stored, and executed in a computer system, but they may not be reproduced
for publication.

ISBN: 978-1-26-010842-2
MHID: 1-26-010842-2

The material in this eBook also appears in the print version of this title:
ISBN: 978-1-26-010841-5,
MHID: 1-26-010841-4.

eBook conversion by codeMantra


Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a
trademark symbol after every occurrence of a trademarked name, we use
names in an editorial fashion only, and to the benefit of the trademark owner,
with no intention of infringement of the trademark. Where such designations
appear in this book, they have been printed with initial caps.

McGraw-Hill Education ebooks are available at special quantity discounts to
use as premiums and sales promotions or for use in corporate training
programs. To contact a representative, please visit the Contact Us page at
www.mhprofessional.com.

All trademarks or copyrights mentioned herein are the possession of their
respective owners and McGraw-Hill Education makes no claim of ownership
by the mention of products that contain these marks.

Information has been obtained by McGraw-Hill Education from sources
believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill Education, or others,
McGraw-Hill Education does not guarantee the accuracy, adequacy, or
completeness of any information and is not responsible for any errors or
omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors
reserve all rights in and to the work. Use of this work is subject to these
terms. Except as permitted under the Copyright Act of 1976 and the right to
store and retrieve one copy of the work, you may not decompile, disassemble,
reverse engineer, reproduce, modify, create derivative works based upon,
transmit, distribute, disseminate, sell, publish or sublicense the work or any
part of it without McGraw-Hill Education’s prior consent. You may use the
work for your own noncommercial and personal use; any other use of the
work is strictly prohibited. Your right to use the work may be terminated if
you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION
AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES
AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR
RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING
ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE
WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY
DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
McGraw-Hill Education and its licensors do not warrant or guarantee that the
functions contained in the work will meet your requirements or that its
operation will be uninterrupted or error free. Neither McGraw-Hill Education
nor its licensors shall be liable to you or anyone else for any inaccuracy, error
or omission, regardless of cause, in the work or for any damages resulting
therefrom. McGraw-Hill Education has no responsibility for the content of
any information accessed through the work. Under no circumstances shall
McGraw-Hill Education and/or its licensors be liable for any indirect,
incidental, special, punitive, consequential or similar damages that result
from the use of or inability to use the work, even if any of them has been
advised of the possibility of such damages. This limitation of liability shall
apply to any claim or cause whatsoever whether such claim or cause arises in
contract, tort or otherwise.
In Memory of Shon Harris
In the previous edition, I spoke in memory of Shon Harris, my friend, mentor,
and a person I credit with jump-starting my career after my time in the
Marine Corps. Simply put, neither this book nor most of my professional
accomplishments would have happened without her. I continue to miss her
and I know I speak on behalf of the other authors that we wish she were still
with us. If you did not know Shon or have never heard of her, you owe it to
yourself to learn about her inspiring story in the last edition and elsewhere.
For those of us who knew her and have our own “Shon” stories, join me in
keeping her memory alive and share her story with anyone who will listen.
She was an amazing person and is loved and missed dearly. We dedicate this
book to her memory.
—Allen Harper
Lead author and friend of Shon Harris

To my brothers and sisters in Christ, keep running the race. Let your light
shine for Him, that others may be drawn to Him through you.
—Allen Harper

Dedicated to you, Mom, Adelina Arias Cruz: when I ask myself where my
fighting spirit of never letting anyone walk over me, or the tireless sacrifice
to reach my goals, comes from, I only have to turn and look at you. For you
nothing is impossible. I adore you!
—Daniel Regalado

To Mom, who read to me when I was little, so I could achieve the level of
literacy I needed to become an author one day.
—Ryan Linn

To my lovely wife LeAnne and my daughter Audrey, thank you for your
ongoing support!
—Stephen Sims

To my lovely daughter Elysia, thank you for your unconditional love and
support. You inspire me in so many ways. I am, and will always be, your
biggest fan.
—Linda Martinez

To my family and friends for their unconditional support and making this life
funny and interesting.
—Branko Spasojevic

To my daughter Tiernan, thank you for your support and continuous
reminders to enjoy life and learning each and every day. I look forward to
seeing the wonderful woman you will become.
—Michael Baucom

To my son Aaron, thanks for all your love while I spend too much time at the
keyboard, and thanks for sharing your joy on all the projects we work on
together.
—Chris Eagle
ABOUT THE AUTHORS

Dr. Allen Harper, CISSP. In 2007, Allen Harper retired from the military as
a Marine Corps Officer after a tour in Iraq. He has more than 30 years of
IT/security experience. He holds a PhD in IT with a focus in Information
Assurance and Security from Capella, an MS in Computer Science from the
Naval Postgraduate School, and a BS in Computer Engineering from North
Carolina State University. Allen led the development of the GEN III
honeywall CD-ROM, called roo, for the Honeynet Project. He has worked as
a security consultant for many Fortune 500 and government entities. His
interests include the Internet of Things, reverse engineering, vulnerability
discovery, and all forms of ethical hacking. Allen was the founder of
N2NetSecurity, Inc., served as the EVP and chief hacker at Tangible
Security, and now serves the Lord at Liberty University in Lynchburg,
Virginia.
Daniel Regalado, aka Danux, is a Mexican security researcher with more
than 16 years in the security field, dissecting or pen-testing malware, 0-day
exploits, ATMs, IoT devices, IV pumps, and car infotainment systems. He is
a former employee of widely respected companies like FireEye and Symantec
and is currently a principal security researcher at Zingbox. Daniel is probably
best known for his multiple discoveries and dissection of ATM malware
attacking banks worldwide, with the most notorious findings being Ploutus,
Padpin, and Ripper.
Ryan Linn has over 20 years in the security industry, ranging from
systems programmer to corporate security, to leading a global cybersecurity
consultancy. Ryan has contributed to a number of open source projects,
including Metasploit and the Browser Exploitation Framework (BeEF). Ryan
participates in Twitter as @sussurro, and he has presented his research at
numerous security conferences, including Black Hat and DEF CON, and has
provided training in attack techniques and forensics worldwide.
Stephen Sims is an industry expert with over 15 years of experience in
information technology and security. He currently works out of San
Francisco as a consultant performing reverse engineering, exploit
development, threat modeling, and penetration testing. Stephen has an MS in
information assurance from Norwich University and is a course author,
fellow, and curriculum lead for the SANS Institute, authoring courses on
advanced exploit development and penetration testing. He has spoken at
numerous conferences, including RSA, BSides, OWASP AppSec,
ThaiCERT, AISA, and many others. He may be reached on Twitter at
@Steph3nSims.
Branko Spasojevic is a security engineer on Google’s Detection and
Response team. Before that he worked as a reverse engineer for Symantec
and analyzed various threats and APT groups.
Linda Martinez is the Chief Information Security Officer (CISO) and Vice
President of Commercial Service Delivery at Tangible Security. Linda is a
proven information security executive and industry expert with over 18 years
of experience leading technical teams, developing technical business lines,
and providing high-quality consulting services to clients. She is responsible
for Tangible Security’s Commercial Division, where she leads the following
business lines: penetration testing, including red and purple team operations;
hardware hacking; product and supply chain security; governance, risk
management, and compliance; incident response and digital forensics. Linda
also leads a team of virtual Chief Information Security Officers (CISOs) in
providing expert guidance to many organizations. Prior to her current
position, Linda was the Vice President of Operations for N2 Net Security.
Before that, she co-founded and served as Chief Operating Officer (COO) for
Executive Instruments, an information security research and consulting firm.
Michael Baucom currently works for Tangible Security as the VP of
Tangible Labs. While at Tangible he has worked on a wide variety of
projects, including software security assessments, SDLC consulting, tool
development, and penetration tests. Prior to working at Tangible Security, he
served in the Marine Corps as a ground radio repairman. Additionally, he
worked for IBM, Motorola, and Broadcom in several capacities, including
test engineering, device driver development, and system software
development for embedded systems. In addition to his work activities,
Michael has been a trainer at Black Hat, speaker at several conferences, and
technical editor for Gray Hat Hacking: The Ethical Hacker’s Handbook. His
current interests are in automating pen-test activities, embedded system
security, and mobile phone security.
Chris Eagle is a senior lecturer in the computer science department at the
Naval Postgraduate School in Monterey, California. A computer
engineer/scientist for more than 30 years, he has authored several books,
served as the chief architect for DARPA’s Cyber Grand Challenge,
frequently speaks at security conferences, and has contributed several popular
open source tools to the security community.
The late Shon Harris is greatly missed. She was the president of Logical
Security, a security consultant, a former engineer in the Air Force’s
Information Warfare unit, an instructor, and an author. She authored the best-
selling CISSP Exam Guide (currently in its seventh edition), along with many
other books. Shon consulted for a variety of companies in many different
industries. Shon taught computer and information security to a wide range of
clients, including RSA, Department of Defense, Department of Energy, West
Point, National Security Agency (NSA), Bank of America, Defense
Information Systems Agency (DISA), BMC, and many more. Shon was
recognized as one of the top 25 women in the Information Security field by
Information Security Magazine.

Disclaimer: The views expressed in this book are those of the authors
and not of the U.S. government or any company mentioned herein.

About the Technical Editor

Heather Linn has over 20 years in the security industry and has held roles in
corporate security, penetration testing, and as part of a hunt team. She has
contributed to open source frameworks, including Metasploit, and has
contributed to course materials on forensics, penetration testing, and
information security taught around the globe.
Heather has presented at many security conferences, including multiple
BSides conferences, local ISSA chapter conferences, and student events
aimed at providing realistic expectations for new students entering the
information security field.
CONTENTS AT A GLANCE

Part I Preparation
Chapter 1 Why Gray Hat Hacking? Ethics and Law
Chapter 2 Programming Survival Skills
Chapter 3 Next-Generation Fuzzing
Chapter 4 Next-Generation Reverse Engineering
Chapter 5 Software-Defined Radio

Part II Business of Hacking


Chapter 6 So You Want to Be a Pen Tester?
Chapter 7 Red Teaming Operations
Chapter 8 Purple Teaming
Chapter 9 Bug Bounty Programs

Part III Exploiting Systems


Chapter 10 Getting Shells Without Exploits
Chapter 11 Basic Linux Exploits
Chapter 12 Advanced Linux Exploits
Chapter 13 Windows Exploits
Chapter 14 Advanced Windows Exploitation
Chapter 15 PowerShell Exploitation
Chapter 16 Next-Generation Web Application Exploitation
Chapter 17 Next-Generation Patch Exploitation

Part IV Advanced Malware Analysis


Chapter 18 Dissecting Mobile Malware
Chapter 19 Dissecting Ransomware
Chapter 20 ATM Malware
Chapter 21 Deception: Next-Generation Honeypots

Part V Internet of Things


Chapter 22 Internet of Things to Be Hacked
Chapter 23 Dissecting Embedded Devices
Chapter 24 Exploiting Embedded Devices
Chapter 25 Fighting IoT Malware

Index
CONTENTS

Preface
Acknowledgments
Introduction

Part I Preparation
Chapter 1 Why Gray Hat Hacking? Ethics and Law
Know Your Enemy
The Current Security Landscape
Recognizing an Attack
The Gray Hat Way
Emulating the Attack
Frequency and Focus of Testing
Evolution of Cyberlaw
Understanding Individual Cyberlaws
Summary
References
Chapter 2 Programming Survival Skills
C Programming Language
Basic C Language Constructs
Sample Program
Compiling with gcc
Computer Memory
Random Access Memory
Endian
Segmentation of Memory
Programs in Memory
Buffers
Strings in Memory
Pointers
Putting the Pieces of Memory Together
Intel Processors
Registers
Assembly Language Basics
Machine vs. Assembly vs. C
AT&T vs. NASM
Addressing Modes
Assembly File Structure
Assembling
Debugging with gdb
gdb Basics
Disassembly with gdb
Python Survival Skills
Getting Python
“Hello, World!” in Python
Python Objects
Strings
Numbers
Lists
Dictionaries
Files with Python
Sockets with Python
Summary
For Further Reading
References
Chapter 3 Next-Generation Fuzzing
Introduction to Fuzzing
Types of Fuzzers
Mutation Fuzzers
Generation Fuzzers
Genetic Fuzzing
Mutation Fuzzing with Peach
Lab 3-1: Mutation Fuzzing with Peach
Generation Fuzzing with Peach
Crash Analysis
Lab 3-2: Generation Fuzzing with Peach
Genetic or Evolutionary Fuzzing with AFL
Lab 3-3: Genetic Fuzzing with AFL
Summary
For Further Reading
Chapter 4 Next-Generation Reverse Engineering
Code Annotation
IDB Annotation with IDAscope
C++ Code Analysis
Collaborative Analysis
Leveraging Collaborative Knowledge Using FIRST
Collaboration with BinNavi
Dynamic Analysis
Automated Dynamic Analysis with Cuckoo Sandbox
Bridging the Static-Dynamic Tool Gap with Labeless
Summary
For Further Reading
References
Chapter 5 Software-Defined Radio
Getting Started with SDR
What to Buy
Not So Quick: Know the Rules
Learn by Example
Search
Capture
Replay
Analyze
Preview
Execute
Summary
For Further Reading

Part II Business of Hacking


Chapter 6 So You Want to Be a Pen Tester?
The Journey from Novice to Expert
Pen Tester Ethos
Pen Tester Taxonomy
The Future of Hacking
Know the Tech
Know What Good Looks Like
Pen Tester Training
Practice
Degree Programs
Knowledge Transfer
Pen Tester Tradecraft
Personal Liability
Being the Trusted Advisor
Managing a Pen Test
Summary
For Further Reading
Chapter 7 Red Teaming Operations
Red Team Operations
Strategic, Operational, and Tactical Focus
Assessment Comparisons
Red Teaming Objectives
What Can Go Wrong
Limited Scope
Limited Time
Limited Audience
Overcoming Limitations
Communications
Planning Meetings
Defining Measurable Events
Understanding Threats
Attack Frameworks
Testing Environment
Adaptive Testing
External Assessment
Physical Security Assessment
Social Engineering
Internal Assessment
Lessons Learned
Summary
References
Chapter 8 Purple Teaming
Introduction to Purple Teaming
Blue Team Operations
Know Your Enemy
Know Yourself
Security Program
Incident Response Program
Common Blue Teaming Challenges
Purple Teaming Operations
Decision Frameworks
Disrupting the Kill Chain
Kill Chain Countermeasure Framework
Communication
Purple Team Optimization
Summary
For Further Reading
References
Chapter 9 Bug Bounty Programs
History of Vulnerability Disclosure
Full Vendor Disclosure
Full Public Disclosure
Responsible Disclosure
No More Free Bugs
Bug Bounty Programs
Types of Bug Bounty Programs
Incentives
Controversy Surrounding Bug Bounty Programs
Popular Bug Bounty Program Facilitators
Bugcrowd in Depth
Program Owner Web Interface
Program Owner API Example
Researcher Web Interface
Earning a Living Finding Bugs
Selecting a Target
Registering (If Required)
Understanding the Rules of the Game
Finding Vulnerabilities
Reporting Vulnerabilities
Cashing Out
Incident Response
Communication
Triage
Remediation
Disclosure to Users
Public Relations
Summary
For Further Reading
References

Part III Exploiting Systems


Chapter 10 Getting Shells Without Exploits
Capturing Password Hashes
Understanding LLMNR and NBNS
Understanding Windows NTLMv1 and NTLMv2 Authentication
Using Responder
Lab 10-1: Getting Passwords with Responder
Using Winexe
Lab 10-2: Using Winexe to Access Remote Systems
Lab 10-3: Using Winexe to Gain Elevated Privileges
Using WMI
Lab 10-4: Querying System Information with WMI
Lab 10-5: Executing Commands with WMI
Taking Advantage of WinRM
Lab 10-6: Executing Commands with WinRM
Lab 10-7: Using WinRM to Run PowerShell Remotely
Summary
For Further Reading
Reference
Chapter 11 Basic Linux Exploits
Stack Operations and Function-Calling Procedures
Buffer Overflows
Lab 11-1: Overflowing meet.c
Ramifications of Buffer Overflows
Local Buffer Overflow Exploits
Lab 11-2: Components of the Exploit
Lab 11-3: Exploiting Stack Overflows from the Command Line
Lab 11-4: Exploiting Stack Overflows with Generic Exploit Code
Lab 11-5: Exploiting Small Buffers
Exploit Development Process
Lab 11-6: Building Custom Exploits
Summary
For Further Reading
Chapter 12 Advanced Linux Exploits
Format String Exploits
Format Strings
Lab 12-1: Reading from Arbitrary Memory
Lab 12-2: Writing to Arbitrary Memory
Lab 12-3: Changing Program Execution
Memory Protection Schemes
Compiler Improvements
Lab 12-4: Bypassing Stack Protection
Kernel Patches and Scripts
Lab 12-5: Return to libc Exploits
Lab 12-6: Maintaining Privileges with ret2libc
Bottom Line
Summary
For Further Reading
References
Chapter 13 Windows Exploits
Compiling and Debugging Windows Programs
Lab 13-1: Compiling on Windows
Windows Compiler Options
Debugging on Windows with Immunity Debugger
Lab 13-2: Crashing the Program
Writing Windows Exploits
Exploit Development Process Review
Lab 13-3: Exploiting ProSSHD Server
Understanding Structured Exception Handling (SEH)
Understanding and Bypassing Windows Memory Protections
Safe Structured Exception Handling (SafeSEH)
Bypassing SafeSEH
SEH Overwrite Protection (SEHOP)
Bypassing SEHOP
Stack-Based Buffer Overrun Detection (/GS)
Bypassing /GS
Heap Protections
Summary
For Further Reading
References
Chapter 14 Advanced Windows Exploitation
Data Execution Prevention (DEP)
Address Space Layout Randomization (ASLR)
Enhanced Mitigation Experience Toolkit (EMET) and Windows Defender Exploit Guard
Bypassing ASLR
Bypassing DEP and Avoiding ASLR
VirtualProtect
Return-Oriented Programming
Gadgets
Building the ROP Chain
Defeating ASLR Through a Memory Leak
Triggering the Bug
Tracing the Memory Leak
Weaponizing the Memory Leak
Building the RVA ROP Chain
Summary
For Further Reading
References
Chapter 15 PowerShell Exploitation
Why PowerShell
Living Off the Land
PowerShell Logging
PowerShell Portability
Loading PowerShell Scripts
Lab 15-1: The Failure Condition
Lab 15-2: Passing Commands on the Command Line
Lab 15-3: Encoded Commands
Lab 15-4: Bootstrapping via the Web
Exploitation and Post-Exploitation with PowerSploit
Lab 15-5: Setting Up PowerSploit
Lab 15-6: Running Mimikatz Through PowerShell
Lab 15-7: Creating a Persistent Meterpreter Using PowerSploit
Using PowerShell Empire for C2
Lab 15-8: Setting Up Empire
Lab 15-9: Staging an Empire C2
Lab 15-10: Using Empire to Own the System
Summary
For Further Reading
References
Chapter 16 Next-Generation Web Application Exploitation
The Evolution of Cross-Site Scripting (XSS)
Setting Up the Environment
Lab 16-1: XSS Refresher
Lab 16-2: XSS Evasion from Internet Wisdom
Lab 16-3: Changing Application Logic with XSS
Lab 16-4: Using the DOM for XSS
Framework Vulnerabilities
Setting Up the Environment
Lab 16-5: Exploiting CVE-2017-5638
Lab 16-6: Exploiting CVE-2017-9805
Padding Oracle Attacks
Lab 16-7: Changing Data with the Padding Oracle Attack
Summary
For Further Reading
References
Chapter 17 Next-Generation Patch Exploitation
Introduction to Binary Diffing
Application Diffing
Patch Diffing
Binary Diffing Tools
BinDiff
turbodiff
Lab 17-1: Our First Diff
Patch Management Process
Microsoft Patch Tuesday
Obtaining and Extracting Microsoft Patches
Lab 17-2: Diffing MS17-010
Patch Diffing for Exploitation
DLL Side-Loading Bugs
Lab 17-3: Diffing MS16-009
Summary
For Further Reading
References

Part IV Advanced Malware Analysis


Chapter 18 Dissecting Mobile Malware
The Android Platform
Android Application Package
Application Manifest
Analyzing DEX
Java Decompilation
DEX Decompilation
DEX Disassembling
Example 18-1: Running APK in Emulator
Malware Analysis
The iOS Platform
iOS Security
iOS Applications
Summary
For Further Reading
References
Chapter 19 Dissecting Ransomware
The Beginnings of Ransomware
Options for Paying the Ransom
Dissecting Ransomlock
Example 19-1: Dynamic Analysis
Example 19-2: Static Analysis
Wannacry
Example 19-3: Analyzing Wannacry Ransomware
Summary
For Further Reading
Chapter 20 ATM Malware
ATM Overview
XFS Overview
XFS Architecture
XFS Manager
ATM Malware Analysis
Types of ATM Malware
Techniques for Installing Malware on ATMs
Techniques for Dissecting the Malware
ATM Malware Countermeasures
Summary
For Further Reading
References
Chapter 21 Deception: Next-Generation Honeypots
Brief History of Deception
Honeypots as a Form of Deception
Deployment Considerations
Setting Up a Virtual Machine
Open Source Honeypots
Lab 21-1: Dionaea
Lab 21-2: ConPot
Lab 21-3: Cowrie
Lab 21-4: T-Pot
Commercial Alternative: TrapX
Summary
For Further Reading
References

Part V Internet of Things


Chapter 22 Internet of Things to Be Hacked
Internet of Things (IoT)
Types of Connected Things
Wireless Protocols
Communication Protocols
Security Concerns
Shodan IoT Search Engine
Web Interface
Shodan Command-Line Interface
Lab 22-1: Using the Shodan Command Line
Shodan API
Lab 22-2: Testing the Shodan API
Lab 22-3: Playing with MQTT
Implications of This Unauthenticated Access to MQTT
IoT Worms: It Was a Matter of Time
Lab 22-4: Mirai Lives
Prevention
Summary
For Further Reading
References
Chapter 23 Dissecting Embedded Devices
CPU
Microprocessor
Microcontrollers
System on Chip (SoC)
Common Processor Architectures
Serial Interfaces
UART
SPI
I2C
Debug Interfaces
JTAG
SWD (Serial Wire Debug)
Software
Bootloader
No Operating System
Real-Time Operating System
General Operating System
Summary
For Further Reading
References
Chapter 24 Exploiting Embedded Devices
Static Analysis of Vulnerabilities in Embedded Devices
Lab 24-1: Analyzing the Update Package
Lab 24-2: Performing Vulnerability Analysis
Dynamic Analysis with Hardware
The Test Environment Setup
Ettercap
Dynamic Analysis with Emulation
FIRMADYNE
Lab 24-3: Setting Up FIRMADYNE
Lab 24-4: Emulating Firmware
Lab 24-5: Exploiting Firmware
Summary
Further Reading
References
Chapter 25 Fighting IoT Malware
Physical Access to the Device
RS-232 Overview
RS-232 Pinout
Exercise 25-1: Troubleshooting a Medical Device’s RS-232 Port
Setting Up the Threat Lab
ARM and MIPS Overview
Lab 25-1: Setting Up Systems with QEMU
Dynamic Analysis of IoT Malware
Lab 25-2: IoT Malware Dynamic Analysis
Platform for Architecture-Neutral Dynamic Analysis (PANDA)
BeagleBone Black Board
Reverse Engineering IoT Malware
Crash-Course ARM/MIPS Instruction Set
Lab 25-3: IDA Pro Remote Debugging and Reversing
IoT Malware Reversing Exercise
Summary
For Further Reading

Index
PREFACE

This book has been developed by and for security professionals who are
dedicated to working in an ethical and responsible manner to improve the
overall security posture of individuals, corporations, and nations.
ACKNOWLEDGMENTS

Each of the authors would like to thank the staff at McGraw-Hill Education.
In particular, we would like to thank Wendy Rinaldi and Claire Yee. You
really went above and beyond, keeping us on track and greatly helping us
through the process. Your highest levels of professionalism and tireless
dedication to this project were truly noteworthy and bring great credit to your
publisher. Thanks.
Allen Harper would like to thank his wonderful wife Corann and beautiful
daughters Haley and Madison for their support and understanding as I chased
yet another dream.
It is wonderful to see our family and each of us individually grow stronger
in Christ each year. Madison and Haley, I love you both dearly and am proud
of the young ladies you have become. In addition, I would like to thank the
members of my former and current employer. To the friends at Tangible
Security, I am thankful for your impact on my life—you made me better. To
my brothers and sisters in Christ at Liberty University, I am excited for the
years ahead as we labor together and aim to train Champions for Christ!
Daniel Regalado would like to thank God first for the blessing of being
alive; his wife Diana for putting up with him, for always motivating him, for
celebrating each of his triumphs as if they were her own, and for being so
beautiful and athletic, I love you! His children Fercho and Andrick for being
the light of the house and his engine every day; and, last but not least, the
Regalado Arias family: Fernando, Adelina, Susana, Erwin, and Belem.
Without them, his triumphs would not taste the same, I love you! And to his
father Fernando: until the last day I breathe, I will live with the hope of
hugging you again. Cape, Cone, Rober, brotherhood forever!
Branko Spasojevic would like to thank his family—Sanja, Sandra, Ana
Marija, Magdalena, Ilinka, Jevrem, Olga, Dragisa, Marija, and Branislav—
for all the support and knowledge they passed on.
Another big thanks goes to all my friends and colleagues who make work
and play fun. Some people who deserve special mention are Ante Gulam,
Antonio, Cedric, Clement, Domagoj, Drazen, Goran, Keith, Luka, Leon,
Matko, Santiago, Tory, and everyone in TAG, Zynamics, D&R, and Orca.
Ryan Linn would like to thank Heather for her support, encouragement,
and advice as well as his family and friends for their support and for putting
up with the long hours and infrequent communication while the book was
coming together.
Thanks also go out to Ed Skoudis for pushing me to do awesome things,
and to HD, Egypt, Nate, Shawn, and all the other friends and family who
have offered code assistance, guidance, and support when I’ve needed it the
most.
Stephen Sims would like to thank his wife LeAnne and daughter Audrey
for their ongoing support with the time needed to research, write, work,
teach, and travel.
He would also like to thank his parents, George and Mary, and sister, Lisa,
for their support from afar. Finally, a special thanks to all of the brilliant
security researchers who contribute so much to the community with
publications, lectures, and tools.
Chris Eagle would like to thank his wife Kristen for being the rock that
allows him to do all of the things he does. None of it would be possible
without her continued support.
Linda Martinez would like to thank her mom and dad for being truly
delightful people and always setting a great example to follow. Linda would
also like to thank her daughter Elysia for the years of encouragement that
allowed her to pursue her passions.
A big thanks to my friends and some of the brightest minds in the industry
—Allen, Zack, Rob, Ryan, Bill, and Shon, may she rest in peace.
Michael Baucom would like to thank his wife, Bridget, and daughter,
Tiernan, for their sacrifices and support in allowing him to pursue his
professional goals.
I’d also like to thank my parents for your love, support, and instilling in me
the work ethic that has carried me to this point. Additionally, I’d like to thank
the Marine Corps for giving me the courage and confidence to understand
that all things are possible. Finally, I’d like to thank my brother in Christ,
long-time friend, and colleague, Allen Harper. Nothing can be accomplished
without a great team.
We, the authors, would also like to collectively thank Hex-Rays for the
generous use of their tool, IDA Pro.
INTRODUCTION

History teaches that wars begin when governments believe the price of
aggression is cheap.
—Ronald Reagan

You can’t say civilization don’t advance…in every war they kill you in a
new way.
—Will Rogers

The supreme art of war is to subdue the enemy without fighting.
—Sun Tzu

The purpose of this book is to provide individuals the information once
held only by governments and a few black hat hackers. In this day and age,
individuals stand in the breach of cyberwar, not only against black hat
hackers, but sometimes against governments. If you find yourself in this
position, either alone or as a defender of your organization, we want you to
be equipped with as much knowledge of the attacker as possible. To that end,
we submit to you the mindset of the gray hat hacker, an ethical hacker who
uses offensive techniques for defensive purposes. The ethical hacker always
respects laws and the rights of others, but believes the adversary can be
beaten to the punch by testing oneself first.
The authors of this book want to provide you, the reader, with something
we believe the industry and society in general needs: a holistic review of
ethical hacking that is responsible and truly ethical in its intentions and
material. This is why we keep releasing new editions of this book with a clear
definition of what ethical hacking is and is not—something our society is
very confused about.
We have updated the material from the fourth edition and have attempted to
deliver the most comprehensive and up-to-date assembly of techniques,
procedures, and material with real hands-on labs that can be replicated by the
readers. Thirteen new chapters are presented, and the other chapters have
been updated.
In Part I, we prepare you for the battle with all the necessary tools and
techniques to get the best understanding of the more advanced topics. This
section moves quite quickly but is necessary for those just starting out in the
field and others looking to move to the next level. This section covers the
following:

• White, black, and gray hat definitions and characteristics
• The slippery ethical issues that should be understood before carrying out
any type of ethical hacking activities
• Programming survival skills, a must-have for a gray hat hacker who needs
to create exploits or review source code
• Fuzzing, which is a wonderful skill for finding 0-day vulnerabilities
• Reverse engineering, which is a mandatory skill when dissecting
malware or researching vulnerabilities
• Exploiting with software-defined radios

In Part II, we discuss the business side of hacking. If you are looking to
move beyond hacking as a hobby and start paying the bills, this section is for
you. If you are a seasoned hacking professional, we hope to offer you a few
tips as well. In this section, we cover some of the softer skills required by an
ethical hacker to make a living:

• How to get into the penetration testing business
• How to improve the enterprise security posture through red teaming
• A novel approach to developing a purple team
• Bug bounty programs and how to get paid finding vulnerabilities,
ethically

In Part III, we discuss the skills required to exploit systems. Each of these
topics has been covered before, but the old exploits don’t work anymore;
therefore, we have updated the discussions to work past system protections.
We cover the following topics in this section:

• How to gain shell access without exploits
• Basic and advanced Linux exploits
• Basic and advanced Windows exploits
• Using PowerShell to exploit systems
• Modern web exploits
• Using patches to develop exploits

In Part IV, we cover advanced malware analysis. In many ways, this is the
most advanced topic in the field of cybersecurity. On the front lines of
cyberwar is malware, and we aim to equip you with the tools and techniques
necessary to perform malware analysis. In this section, we cover the
following:

• Mobile malware analysis
• Recent ransomware analysis
• ATM malware analysis
• Using next-generation honeypots to find advanced attackers and
malware in the network

Finally, in Part V, we are proud to discuss the topic of Internet of Things
(IoT) hacking. The Internet of Things is exploding and, unfortunately, so are
the vulnerabilities therein. In this section, we discuss these latest topics:

• Internet of Things to be hacked
• Dissecting embedded devices
• Exploiting embedded devices
• Malware analysis of IoT devices

We do hope you will see the value of the new content that has been
provided and will also enjoy the newly updated chapters. If you are new to
the field or ready to take the next step to advance and deepen your
understanding of ethical hacking, this is the book for you.
NOTE To ensure your system is properly configured to perform the labs,
we have provided the files you will need. The lab materials and errata may be
downloaded from either the GitHub repository at
https://github.com/GrayHatHacking/GHHv5 or the publisher’s site, at
www.mhprofessional.com.
PART I

Preparation

Chapter 1 Why Gray Hat Hacking? Ethics and Law
Chapter 2 Programming Survival Skills
Chapter 3 Next-Generation Fuzzing
Chapter 4 Next-Generation Reverse Engineering
Chapter 5 Software-Defined Radio
CHAPTER 1

Why Gray Hat Hacking? Ethics and Law
The purpose of this book is to support individuals who want to refine their
ethical hacking skills to better defend against malicious attackers. This book
is not written to be used as a tool by those who wish to perform illegal and
unethical activities.
In this chapter, we discuss the following topics:
• Know your enemy: understanding your enemy’s tactics
• The gray hat way and the ethical hacking process
• The evolution of cyberlaw

Know Your Enemy

“We cannot solve our problems with the same level of thinking that created
them.”
—Albert Einstein

The security challenges we face today will pale in comparison to those we’ll
face in the future. We already live in a world so highly integrated with
technology that cybersecurity has an impact on our financial markets, our
elections, our families, and our healthcare. Technology is advancing, and the
threat landscape is expanding with it. On the one hand, vehicles that are capable of
autonomous driving are being mass-produced as smart cities are being
developed. On the other hand, hospitals are being held for ransom, power
grids are being shut down, intellectual property and secrets are being stolen,
and cybercrime is a booming industry. In order to defend and protect our
assets and our people, we must understand the enemy and how they operate.
Understanding how attacks are performed is one of the most challenging and
important aspects of defending the technology on which we rely. After all,
how can we possibly defend ourselves against the unknown?
This book was written to provide relevant security information to those
who are dedicated to stopping cyberthreats. The only way to address today’s
and tomorrow’s cyberthreats is with a knowledgeable security industry.
Learning offensive security allows you to test and refine your defenses.
Malicious actors know how to compromise systems and networks. Knowing
your enemies’ tactics is paramount to preparing offensive and defensive
strategies. Those who have accepted the responsibility of defending our
technology must learn how compromises occur in order to defend against
them.

The Current Security Landscape

Technology can be used for good or evil. The same technology that is used to
make organizations and countries more productive can be used to steal,
surveil, and do harm. This duality means that the technology we create to
help us will sometimes hurt us, that technology used to fight for human rights
can also be used to violate them, and that tools used to protect us can also be
used to attack us. The criminal community has evolved to abuse technology
on a scale that brings in enormous profits, costing the global economy an
estimated $450 billion a year.
Respect your enemy. Malicious actors have a variety of motivations and
tactics, and the scale and complexity of their attacks are increasing. Consider
the following:

• In February 2016, attackers compromised the Bangladesh Bank’s access to
SWIFT, the global interbank messaging system, and issued fraudulent
transfer orders that moved $81 million out of the bank’s account at the
Federal Reserve Bank of New York. Most of the funds were not recovered
after being routed to accounts in the Philippines and laundered through
casinos there.1
• In June 2016, the Democratic National Committee (DNC) disclosed that it
had been compromised, and in July damaging e-mails from officials were
published on WikiLeaks. The intrusion was attributed to two Russian
adversary groups, and the CIA concluded that Russia intervened in the
2016 US election to prevent Hillary Clinton from winning the presidency.2
• In October 2016, tens of thousands of insecure Internet of Things (IoT)
cameras and digital video recorders (DVRs) were used in a distributed
denial-of-service (DDoS) attack against Dyn, a DNS provider. The Mirai
botnet took down the likes of Twitter, Netflix, Etsy, GitHub, SoundCloud,
and Spotify about a month after its source code was released to the
public.3
• In December 2015, a cyberattack on Ukrainian power distribution
companies cut electricity to roughly 225,000 customers; the attackers also
wiped workstations and corrupted firmware on substation equipment,
forcing operators onto manual control and complicating the restoration of
service. A second attack in December 2016 blacked out part of Ukraine’s
capital, Kyiv. The attacks prompted discussions about the vulnerabilities in
industrial control systems (ICSs) and were linked to Russia.4

In recent years, we’ve seen the Federal Bureau of Investigation (FBI),
Department of Homeland Security (DHS), Sony Entertainment, Equifax,
Federal Deposit Insurance Corporation (FDIC), and Internal Revenue Service
(IRS) all suffer major breaches—sometimes multiple large breaches. We’ve
seen hospitals like the infamous Hollywood Presbyterian Medical Center pay
ransoms to be able to continue to operate. While some attacks have a larger
impact than others, on average a data breach costs the affected organization
about $4 million, with some breaches costing hundreds of millions of dollars.
The security industry is also evolving. Autonomous systems that find and
patch software vulnerabilities without human intervention competed in the
first DARPA Cyber Grand Challenge. Anti-malware products based on
machine learning are supplementing, and in some cases replacing,
signature-based detection. Integrated Security Operations Centers (ISOCs)
are helping the security field collaborate. Cybersecurity conferences, degree
programs, and training are increasingly popular. The security industry is
responding to increasing cyberattacks with new tools, ideas, and
collaborations.
Attackers have different motivations. Some are financially motivated and
aim to make the biggest profit possible, some are politically motivated and
aim to undermine governments or steal state secrets, some are motivated by a
social cause and are called hacktivists, and some are angry and just want
revenge.

Recognizing an Attack
When an attack occurs, there are always the same questions. How did the
attacker get in? How long have they been inside the network? What could we
have done to prevent it? Attacks can be difficult to detect, and bad actors can
stay in the environment for a prolonged amount of time. Ethical hacking
helps you learn how to recognize when an attack is underway or about to
begin so you can better defend the assets you are protecting. Some attacks are
obvious. Denial-of-service and ransomware attacks announce themselves.
However, most attacks are stealthy, intended to fly under the radar and
go unnoticed by security personnel and products alike. It is important to
know how different types of attacks take place so they can be properly
recognized and stopped.
Some attacks have precursors—activities that can warn you an attack is
imminent. A ping sweep followed by a port scan of the hosts that answered is
a strong sign that reconnaissance has begun and can serve as an early
warning, particularly on internal networks, where such scanning is rarely
legitimate (on Internet-facing systems, background scanning is constant and
far less informative on its own). Although tools exist to help detect such
activity, it takes a knowledgeable security professional to maintain and
monitor them. Security tools can fail, and many can be easily bypassed.
Relying on tools alone will give you a false sense of security.
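As an added example (not code from the book), here is a small Python detector for the precursor pattern just described: one source pings many hosts, then probes many ports on one of the hosts it found. The log format, the IP addresses, the timestamps and the thresholds are all constructed for illustration; a real deployment would parse the firewall or flow-log format its own sensors emit and tune the thresholds to the network.

```python
"""Added example (not from the book): flag a source that ping-sweeps a
subnet and then port-scans one of the hosts it found.

The log format is a constructed, simplified firewall/flow log:
    <ISO timestamp> <src> <dst> <proto> <dport or -> <action>
Adapt parse_line() to the format your own sensors produce."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    dport: Optional[int]  # None for ICMP


# Constructed sample traffic: 10.0.0.5 pings six hosts, then probes twelve
# ports on 10.0.1.4; 10.0.0.9 is ordinary traffic and must not be flagged.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 10.0.1.1 icmp - allow
2024-03-01T10:00:01 10.0.0.5 10.0.1.2 icmp - allow
2024-03-01T10:00:01 10.0.0.5 10.0.1.3 icmp - allow
2024-03-01T10:00:02 10.0.0.5 10.0.1.4 icmp - allow
2024-03-01T10:00:02 10.0.0.5 10.0.1.5 icmp - allow
2024-03-01T10:00:02 10.0.0.5 10.0.1.6 icmp - allow
2024-03-01T10:02:10 10.0.0.5 10.0.1.4 tcp 21 deny
2024-03-01T10:02:10 10.0.0.5 10.0.1.4 tcp 22 allow
2024-03-01T10:02:10 10.0.0.5 10.0.1.4 tcp 23 deny
2024-03-01T10:02:11 10.0.0.5 10.0.1.4 tcp 25 deny
2024-03-01T10:02:11 10.0.0.5 10.0.1.4 tcp 53 deny
2024-03-01T10:02:11 10.0.0.5 10.0.1.4 tcp 80 allow
2024-03-01T10:02:12 10.0.0.5 10.0.1.4 tcp 110 deny
2024-03-01T10:02:12 10.0.0.5 10.0.1.4 tcp 139 deny
2024-03-01T10:02:12 10.0.0.5 10.0.1.4 tcp 443 allow
2024-03-01T10:02:13 10.0.0.5 10.0.1.4 tcp 445 deny
2024-03-01T10:02:13 10.0.0.5 10.0.1.4 tcp 3389 deny
2024-03-01T10:02:13 10.0.0.5 10.0.1.4 tcp 8080 deny
2024-03-01T10:03:00 10.0.0.9 10.0.1.4 tcp 443 allow
2024-03-01T10:03:05 10.0.0.9 10.0.1.4 icmp - allow
"""


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, _action = parts
    try:
        return Event(datetime.fromisoformat(ts), src, dst, proto.lower(),
                     None if dport == "-" else int(dport))
    except ValueError:
        return None


def detect_recon(lines: Iterable[str], sweep_min_hosts: int = 5,
                 scan_min_ports: int = 10,
                 window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Return one finding per (src, dst) pair where src sent ICMP to at least
    sweep_min_hosts distinct hosts and then, within `window` of its first
    ping, touched at least scan_min_ports distinct TCP/UDP ports on dst."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)          # logs are not always in order
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings: List[dict] = []
    for src, evs in by_src.items():
        pings = [e for e in evs if e.proto == "icmp"]
        pinged_hosts = {e.dst for e in pings}
        if len(pinged_hosts) < sweep_min_hosts:
            continue                          # no sweep, nothing to correlate
        sweep_start = pings[0].ts             # evs is sorted: earliest ping
        ports_by_dst: Dict[str, Set[int]] = defaultdict(set)
        for e in evs:
            if (e.proto in ("tcp", "udp") and e.dport is not None
                    and sweep_start <= e.ts <= sweep_start + window):
                ports_by_dst[e.dst].add(e.dport)
        for dst, ports in ports_by_dst.items():
            if len(ports) >= scan_min_ports:
                findings.append({"src": src, "dst": dst,
                                 "hosts_pinged": len(pinged_hosts),
                                 "ports_probed": len(ports),
                                 "sweep_start": sweep_start})
    return findings


if __name__ == "__main__":
    for f in detect_recon(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} pinged {f['hosts_pinged']} hosts from "
              f"{f['sweep_start']}, then probed {f['ports_probed']} ports "
              f"on {f['dst']}: likely reconnaissance")
```

The rule keys on the sequence the chapter names, so a scanner that skips host discovery (for example, `nmap -Pn`) will not trip it, and a very slow scan spread beyond the window will not either. Treat it as one signal that a knowledgeable analyst correlates with others, not as a complete detector.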
Hacking tools are just IT tools that are good when used for sanctioned
purposes and bad when used for malicious purposes. The tools are the same,
just applied toward different ends. Ethical hackers understand how these tools
are used and how attacks are performed, and that’s what allows them to
defend against these attacks. Many tools will be mentioned throughout this
book. Tools that will help you recognize an attack are covered specifically in
Chapters 7 and 8 as well as dispersed throughout the book.

The Gray Hat Way

To get to the “ground truth” of their security posture and understand its risks,
many organizations choose to hire an ethical hacker, or penetration tester, to
perform attack simulations. A penetration tester will use the same tools and
tactics as a malicious attacker, but in a controlled and secure way. This
allows an organization to understand how a bad actor might get into the
environment, how they might move around inside of the environment, and
how they might exfiltrate data. This also enables the organization to
determine the impact of attacks and identify weaknesses. Emulating attacks
allows an organization to test the effectiveness of security defenses and
monitoring tools. Defense strategies can then be refined based on lessons
learned.
A penetration test is more than a vulnerability scan. During a vulnerability
scan, an automated scanning product is used to probe the ports and services
on a range of IP addresses. Most of these tools gather information about the
system and software and correlate the information with known
vulnerabilities. This results in a list of vulnerabilities, but it does not provide
an idea of the impact those vulnerabilities could have on the environment.
During a penetration test, attack emulations are performed to demonstrate the
potential business impact of an attack. Testers go beyond creating a list of
code and configuration vulnerabilities and use the perspective of a malicious
attacker to perform controlled attacks. A penetration tester will chain together
a series of attacks to demonstrate how a malicious attacker might enter the
environment, move throughout the environment, take control of systems and
data, and exfiltrate data out of the environment. They will use weaknesses in
code, users, processes, system configurations, or physical security to
understand how an attacker might cause harm. This includes creating proof-
of-concept attacks, using social engineering techniques, and picking locks
and cloning physical access badges.
In many instances, penetration tests demonstrate that an organization could
potentially lose control of its systems and, sometimes more importantly, its
data. This is especially significant in highly regulated environments or those
with industry compliance requirements where penetration testing is often
required. Penetration tests often justify the implementation of security
controls and can help prioritize security tasks.
Tests will vary, depending on the information you have about the
environment. Black box testing is when you begin with no prior knowledge
of the environment. White box testing is when you are provided detailed
information about the environment, such as the IP address scheme, URLs,
credentials, and sometimes source code. Gray box testing falls between the
two: the tester works with partial knowledge. In one common arrangement,
you start with no information, and after demonstrating that you can
penetrate the environment you are given information to make the rest of
your effort more efficient.
Also, the nature and duration of tests will vary widely. Assessments can be
focused on a location, business division, compliance requirement, or product.
The methodologies used for exploiting embedded devices are different from
those used during red team assessments (both are described in later chapters).
Another random document with
no related content on Scribd:
TRANSCRIBER NOTES

Misspelled words and printer errors have been corrected. Where


multiple spellings occur, majority use has been employed.
Punctuation has been maintained except where obvious printer
errors occur.
*** END OF THE PROJECT GUTENBERG EBOOK TOM SWIFT
AND HIS GREAT OIL GUSHER ***

Updated editions will replace the previous one—the old editions will
be renamed.

Creating the works from print editions not protected by U.S.


copyright law means that no one owns a United States copyright in
these works, so the Foundation (and you!) can copy and distribute it
in the United States without permission and without paying copyright
royalties. Special rules, set forth in the General Terms of Use part of
this license, apply to copying and distributing Project Gutenberg™
electronic works to protect the PROJECT GUTENBERG™ concept
and trademark. Project Gutenberg is a registered trademark, and
may not be used if you charge for an eBook, except by following the
terms of the trademark license, including paying royalties for use of
the Project Gutenberg trademark. If you do not charge anything for
copies of this eBook, complying with the trademark license is very
easy. You may use this eBook for nearly any purpose such as
creation of derivative works, reports, performances and research.
Project Gutenberg eBooks may be modified and printed and given
away—you may do practically ANYTHING in the United States with
eBooks not protected by U.S. copyright law. Redistribution is subject
to the trademark license, especially commercial redistribution.

START: FULL LICENSE


THE FULL PROJECT GUTENBERG LICENSE
PLEASE READ THIS BEFORE YOU DISTRIBUTE OR USE THIS WORK

To protect the Project Gutenberg™ mission of promoting the free


distribution of electronic works, by using or distributing this work (or
any other work associated in any way with the phrase “Project
Gutenberg”), you agree to comply with all the terms of the Full
Project Gutenberg™ License available with this file or online at
www.gutenberg.org/license.

Section 1. General Terms of Use and


Redistributing Project Gutenberg™
electronic works
1.A. By reading or using any part of this Project Gutenberg™
electronic work, you indicate that you have read, understand, agree
to and accept all the terms of this license and intellectual property
(trademark/copyright) agreement. If you do not agree to abide by all
the terms of this agreement, you must cease using and return or
destroy all copies of Project Gutenberg™ electronic works in your
possession. If you paid a fee for obtaining a copy of or access to a
Project Gutenberg™ electronic work and you do not agree to be
bound by the terms of this agreement, you may obtain a refund from
the person or entity to whom you paid the fee as set forth in
paragraph 1.E.8.

1.B. “Project Gutenberg” is a registered trademark. It may only be


used on or associated in any way with an electronic work by people
who agree to be bound by the terms of this agreement. There are a
few things that you can do with most Project Gutenberg™ electronic
works even without complying with the full terms of this agreement.
See paragraph 1.C below. There are a lot of things you can do with
Project Gutenberg™ electronic works if you follow the terms of this
agreement and help preserve free future access to Project
Gutenberg™ electronic works. See paragraph 1.E below.
1.C. The Project Gutenberg Literary Archive Foundation (“the
Foundation” or PGLAF), owns a compilation copyright in the
collection of Project Gutenberg™ electronic works. Nearly all the
individual works in the collection are in the public domain in the
United States. If an individual work is unprotected by copyright law in
the United States and you are located in the United States, we do
not claim a right to prevent you from copying, distributing,
performing, displaying or creating derivative works based on the
work as long as all references to Project Gutenberg are removed. Of
course, we hope that you will support the Project Gutenberg™
mission of promoting free access to electronic works by freely
sharing Project Gutenberg™ works in compliance with the terms of
this agreement for keeping the Project Gutenberg™ name
associated with the work. You can easily comply with the terms of
this agreement by keeping this work in the same format with its
attached full Project Gutenberg™ License when you share it without
charge with others.

1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside the
United States, check the laws of your country in addition to the terms
of this agreement before downloading, copying, displaying,
performing, distributing or creating derivative works based on this
work or any other Project Gutenberg™ work. The Foundation makes
no representations concerning the copyright status of any work in
any country other than the United States.

1.E. Unless you have removed all references to Project Gutenberg:

1.E.1. The following sentence, with active links to, or other


immediate access to, the full Project Gutenberg™ License must
appear prominently whenever any copy of a Project Gutenberg™
work (any work on which the phrase “Project Gutenberg” appears, or
with which the phrase “Project Gutenberg” is associated) is
accessed, displayed, performed, viewed, copied or distributed:
This eBook is for the use of anyone anywhere in the United
States and most other parts of the world at no cost and with
almost no restrictions whatsoever. You may copy it, give it away
or re-use it under the terms of the Project Gutenberg License
included with this eBook or online at www.gutenberg.org. If you
are not located in the United States, you will have to check the
laws of the country where you are located before using this
eBook.

1.E.2. If an individual Project Gutenberg™ electronic work is derived


from texts not protected by U.S. copyright law (does not contain a
notice indicating that it is posted with permission of the copyright
holder), the work can be copied and distributed to anyone in the
United States without paying any fees or charges. If you are
redistributing or providing access to a work with the phrase “Project
Gutenberg” associated with or appearing on the work, you must
comply either with the requirements of paragraphs 1.E.1 through
1.E.7 or obtain permission for the use of the work and the Project
Gutenberg™ trademark as set forth in paragraphs 1.E.8 or 1.E.9.

1.E.3. If an individual Project Gutenberg™ electronic work is posted


with the permission of the copyright holder, your use and distribution
must comply with both paragraphs 1.E.1 through 1.E.7 and any
additional terms imposed by the copyright holder. Additional terms
will be linked to the Project Gutenberg™ License for all works posted
with the permission of the copyright holder found at the beginning of
this work.

1.E.4. Do not unlink or detach or remove the full Project


Gutenberg™ License terms from this work, or any files containing a
part of this work or any other work associated with Project
Gutenberg™.

1.E.5. Do not copy, display, perform, distribute or redistribute this


electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1 with
active links or immediate access to the full terms of the Project
Gutenberg™ License.
1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if you
provide access to or distribute copies of a Project Gutenberg™ work
in a format other than “Plain Vanilla ASCII” or other format used in
the official version posted on the official Project Gutenberg™ website
(www.gutenberg.org), you must, at no additional cost, fee or expense
to the user, provide a copy, a means of exporting a copy, or a means
of obtaining a copy upon request, of the work in its original “Plain
Vanilla ASCII” or other form. Any alternate format must include the
full Project Gutenberg™ License as specified in paragraph 1.E.1.

1.E.7. Do not charge a fee for access to, viewing, displaying,


performing, copying or distributing any Project Gutenberg™ works
unless you comply with paragraph 1.E.8 or 1.E.9.

1.E.8. You may charge a reasonable fee for copies of or providing


access to or distributing Project Gutenberg™ electronic works
provided that:

• You pay a royalty fee of 20% of the gross profits you derive from
the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”

• You provide a full refund of any money paid by a user who


notifies you in writing (or by e-mail) within 30 days of receipt that
s/he does not agree to the terms of the full Project Gutenberg™
License. You must require such a user to return or destroy all
copies of the works possessed in a physical medium and
discontinue all use of and all access to other copies of Project
Gutenberg™ works.

• You provide, in accordance with paragraph 1.F.3, a full refund of


any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.

• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.

1.E.9. If you wish to charge a fee or distribute a Project Gutenberg™


electronic work or group of works on different terms than are set
forth in this agreement, you must obtain permission in writing from
the Project Gutenberg Literary Archive Foundation, the manager of
the Project Gutenberg™ trademark. Contact the Foundation as set
forth in Section 3 below.

1.F.

1.F.1. Project Gutenberg volunteers and employees expend


considerable effort to identify, do copyright research on, transcribe
and proofread works not protected by U.S. copyright law in creating
the Project Gutenberg™ collection. Despite these efforts, Project
Gutenberg™ electronic works, and the medium on which they may
be stored, may contain “Defects,” such as, but not limited to,
incomplete, inaccurate or corrupt data, transcription errors, a
copyright or other intellectual property infringement, a defective or
damaged disk or other medium, a computer virus, or computer
codes that damage or cannot be read by your equipment.

1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES - Except


for the “Right of Replacement or Refund” described in paragraph
1.F.3, the Project Gutenberg Literary Archive Foundation, the owner
of the Project Gutenberg™ trademark, and any other party
distributing a Project Gutenberg™ electronic work under this
agreement, disclaim all liability to you for damages, costs and
expenses, including legal fees. YOU AGREE THAT YOU HAVE NO
REMEDIES FOR NEGLIGENCE, STRICT LIABILITY, BREACH OF
WARRANTY OR BREACH OF CONTRACT EXCEPT THOSE
PROVIDED IN PARAGRAPH 1.F.3. YOU AGREE THAT THE
FOUNDATION, THE TRADEMARK OWNER, AND ANY
DISTRIBUTOR UNDER THIS AGREEMENT WILL NOT BE LIABLE
TO YOU FOR ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE OR INCIDENTAL DAMAGES EVEN IF YOU GIVE
NOTICE OF THE POSSIBILITY OF SUCH DAMAGE.

1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If you


discover a defect in this electronic work within 90 days of receiving it,
you can receive a refund of the money (if any) you paid for it by
sending a written explanation to the person you received the work
from. If you received the work on a physical medium, you must
return the medium with your written explanation. The person or entity
that provided you with the defective work may elect to provide a
replacement copy in lieu of a refund. If you received the work
electronically, the person or entity providing it to you may choose to
give you a second opportunity to receive the work electronically in
lieu of a refund. If the second copy is also defective, you may
demand a refund in writing without further opportunities to fix the
problem.

1.F.4. Except for the limited right of replacement or refund set forth in
paragraph 1.F.3, this work is provided to you ‘AS-IS’, WITH NO
OTHER WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.

1.F.5. Some states do not allow disclaimers of certain implied


warranties or the exclusion or limitation of certain types of damages.
If any disclaimer or limitation set forth in this agreement violates the
law of the state applicable to this agreement, the agreement shall be
interpreted to make the maximum disclaimer or limitation permitted
by the applicable state law. The invalidity or unenforceability of any
provision of this agreement shall not void the remaining provisions.
1.F.6. INDEMNITY - You agree to indemnify and hold the
Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and distribution
of Project Gutenberg™ electronic works, harmless from all liability,
costs and expenses, including legal fees, that arise directly or
indirectly from any of the following which you do or cause to occur:
(a) distribution of this or any Project Gutenberg™ work, (b)
alteration, modification, or additions or deletions to any Project
Gutenberg™ work, and (c) any Defect you cause.

Section 2. Information about the Mission of


Project Gutenberg™
Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new computers.
It exists because of the efforts of hundreds of volunteers and
donations from people in all walks of life.

Volunteers and financial support to provide volunteers with the
assistance they need are critical to reaching Project Gutenberg™’s
goals and ensuring that the Project Gutenberg™ collection will
remain freely available for generations to come. In 2001, the Project
Gutenberg Literary Archive Foundation was created to provide a
secure and permanent future for Project Gutenberg™ and future
generations. To learn more about the Project Gutenberg Literary
Archive Foundation and how your efforts and donations can help,
see Sections 3 and 4 and the Foundation information page at
www.gutenberg.org.

Section 3. Information about the Project Gutenberg Literary Archive Foundation

The Project Gutenberg Literary Archive Foundation is a non-profit
501(c)(3) educational corporation organized under the laws of the
state of Mississippi and granted tax exempt status by the Internal
Revenue Service. The Foundation’s EIN or federal tax identification
number is 64-6221541. Contributions to the Project Gutenberg
Literary Archive Foundation are tax deductible to the full extent
permitted by U.S. federal laws and your state’s laws.

The Foundation’s business office is located at 809 North 1500 West,
Salt Lake City, UT 84116, (801) 596-1887. Email contact links and up
to date contact information can be found at the Foundation’s website
and official page at www.gutenberg.org/contact

Section 4. Information about Donations to the Project Gutenberg Literary Archive Foundation

Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission of
increasing the number of public domain and licensed works that can
be freely distributed in machine-readable form accessible by the
widest array of equipment including outdated equipment. Many small
donations ($1 to $5,000) are particularly important to maintaining tax
exempt status with the IRS.

The Foundation is committed to complying with the laws regulating
charities and charitable donations in all 50 states of the United
States. Compliance requirements are not uniform and it takes a
considerable effort, much paperwork and many fees to meet and
keep up with these requirements. We do not solicit donations in
locations where we have not received written confirmation of
compliance. To SEND DONATIONS or determine the status of
compliance for any particular state visit www.gutenberg.org/donate.

While we cannot and do not solicit contributions from states where
we have not met the solicitation requirements, we know of no
prohibition against accepting unsolicited donations from donors in
such states who approach us with offers to donate.

International donations are gratefully accepted, but we cannot make
any statements concerning tax treatment of donations received from
outside the United States. U.S. laws alone swamp our small staff.

Please check the Project Gutenberg web pages for current donation
methods and addresses. Donations are accepted in a number of
other ways including checks, online payments and credit card
donations. To donate, please visit: www.gutenberg.org/donate.

Section 5. General Information About Project Gutenberg™ electronic works

Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could be
freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose network of
volunteer support.

Project Gutenberg™ eBooks are often created from several printed
editions, all of which are confirmed as not protected by copyright in
the U.S. unless a copyright notice is included. Thus, we do not
necessarily keep eBooks in compliance with any particular paper
edition.

Most people start at our website which has the main PG search
facility: www.gutenberg.org.

This website includes information about Project Gutenberg™,
including how to make donations to the Project Gutenberg Literary
Archive Foundation, how to help produce our new eBooks, and how
to subscribe to our email newsletter to hear about new eBooks.