Dear PenTest Readers,
In this issue of our magazine we want to focus on the topic of binary exploitation, as we’ve heard from some of you that you need it! Our contributors will take you for the journey into this fascinating universe of text, data, and stack regions. If you’ve always wanted to find out more about buffer overflow, reverse engineering, useful tools and techniques, or even using Machine Learning in malware analysis, this issue is a perfect choice!
As usual, our authors also have articles related to various other topics from the realm of cybersecurity and ethical hacking. You can learn how to fetch Alexa’s recordings using Python, how to get a shell through LinkedIn, or about the holistic approach to SSDL in AI systems, for example.
Special thanks to every contributor, reviewer, and proofreader who helped in the creation of this issue.
Without further ado,
Let’s dive in the reading!
PenTest Magazine’s Editorial Team.
Table of Contents
Next-Generation Binary Exploitation
by Alcyon Junior (aka AlcyJones)
In this article, I propose to present a simple way of understanding the binary code to a basic enumeration of the program to start the binary exploitation. This modern technique is used for initial binary exploration, and aids in understanding how it works to perform one of the most commonly used methods in systems and programs known as Buffer Overflow.
Buffer Overflow Tutorial
by Mostafa Mahmoud
This tutorial covers binary exploits, it will cover the basics of memory corruption like buffer overflow, heap overflow, and format string and essential tools to develop exploits and execute shellcode.
Malware Analysis with Machine Learning (aka AI). Part 1. [FULL ARTICLE IN THE PREVIEW]
by Bruno Rodrigues
Machine Learning (ML) is one of the newest computing resource “on the block” and one of multiple security applications that modern Security Analysts use on a day to day basis. Malware analysis is just one of the uses we can put into practice in a very easy and efficient way.
Fetching Alexa's Recordings Using Python
by Michael Haephrati
Filing a formal request to Amazon led to an email "approving" my request, however, none of my recordings were including in the data. After inquiring with customer service, I was told that one can only hear or delete his/her recordings but there is no option to download them. In other words, if you use an Amazon Alexa device, Amazon holds all your recording files but you can't get them. Well, now you can with the Python script we developed that does exactly that.
Pentest: How to get a shell through LinkedIn
by Joas Antonio
Conducting a pentest service is labor-intensive, especially if the service is one Black Box service, where the attacker needs to collect enough information and perform a deep scan to compromise an organization. It is noteworthy that pentest services are within the confines of the law, are the only means we can simulate a real attack. After all, we have a contract signed with the company which hired these services. However, we have to take some precautions not to harm the company during our tests.
Secure Software Development Lifecycle for Artificial Intelligence Systems
by Pamela Gupta
I am proposing a holistic approach to Security, Privacy, Integrity and Transparency for building AI systems, AI SPIT. The way I would approach building such a framework is to leverage and enhance and industry standard used by practitioners - Cross-Industry Standard Process for Data Mining, CRISP-DM.
Why Cloud Networking Is a Must for Flexibility, Scalability, and Visibility
by Qurat-ul-Ain Ghazali
No matter what the size of an organization is, there is a constant pressure to cut down on costs. At the same time, they are required to be more efficient and productive, and networking is only way they can stay competitive in the market. Most companies are struggling to maintain a balance between keeping the expenses down and improving efficiency. A popular approach which most companies are turning to is cloud networking.
Threat Intelligence. How to catch the crabs.
by Victor de Queiroz
I dare say, because as I see it, that the sophistication of the attacks shapes the technologies. It's not new, but criminals flock to the internet for criminal operations, as well as in the world AFK.
Cyber Attack Detection & Prevention on Industrial Control Systems
by Dr Anil Lamba
In detail, a communication architecture among the different zones of ICSs is designed firstly, where the OpenFlow technique is used. And the flow table, which is used to manage the communication link, is defined. Then, a security inspection mechanism based on information entropy is presented for deeply analyzing the packet flow. And the flow table is updated according to the results. Finally, the availability and effectiveness are verified through a series of experiments.
Negative Security Effect of Biometrics Adopted in Cyberspace
by Hitoshi Kokumai
Biometrics has continuously contributed to providing a favorable environment to criminals, not to citizens, for nearly two decades and the public has been misled to believe that biometrics has provided better security for citizens. This false sense of security might well keep causing huge damages on our societal life for many more years unless somebody speaks out articulately.