book

Hacking and Security

Name: Hacking and Security
ISBN: 9781836647355

by Rheinwerk Publishing, Inc, Michael Kofler, Klaus Gebeshuber, Peter Kloep, Frank Neugebauer, André Zingsheim, Thomas Hackner, Markus Widl, Roland Aigner, Stefan Kania, Tobias Scheible, Matthias Wübbeling

September 2024

Intermediate to advanced

1144 pages

42h 42m

English

Packt Publishing

Read now

Unlock full access

Dear Reader
Notes on Usage
Table of Contents
Preface
What Hacking Has to Do with Security About this Book What’s New in the Third Edition Target Group Let’s Go! Foreword by Klaus Gebeshuber Foreword by Stefan Kania Greeting
1 Introduction
1.1 Hacking1.1.1 Hacking Contests, Capture the Flag1.1.2 Penetration Test versus Hacking1.1.3 Hacking Procedure1.1.4 Hacking Targets1.1.5 Hacking Tools
1.2 Security
1.2.1 Why Are IT Systems So Insecure?1.2.2 Attack Vectors1.2.3 Who Is Your Enemy?1.2.4 Intrusion Detection1.2.5 Forensics1.2.6 Ten Steps to Greater Safety1.2.7 Security Is Not Visible1.2.8 Security Is Inconvenient1.2.9 The Limits of This Book
1.3 Exploits
1.3.1 Zero-Day Exploits1.3.2 The Value of Exploits1.3.3 Exploit Types1.3.4 Finding Vulnerabilities and Exploits1.3.5 Common Vulnerabilities and Exposures1.3.6 Common Vulnerability Scoring System1.3.7 Vulnerability and Exploit Databases1.3.8 Vulnerability Scanner1.3.9 Exploit Collections
1.4 Authentication and Passwords
1.4.1 Password Rules1.4.2 Phishing1.4.3 Storage of Passwords (Hash Codes)1.4.4 Alternatives to Passwords1.4.5 Fast Identity Online
1.5 Security Risk IPv6
1.5.1 Security Complications
1.6 Legal Framework
1.6.1 Unauthorized Hacking Is Punishable by Law1.6.2 Negligent Handling of IT Security Is Also a Criminal Offense1.6.3 European General Data Protection Regulation1.6.4 Critical Infrastructure, Banks1.6.5 Security Guidelines and Standards

1.7 Security Organizations and Government Institutions
2 Kali Linux
2.1 Kali Alternatives
2.2 Trying Out Kali Linux without Installation
2.2.1 Verifying the Download2.2.2 Verifying the Signature of the Checksum File2.2.3 Trying Kali Linux in VirtualBox2.2.4 Saving Data Permanently2.2.5 Forensic Mode
2.3 Installing Kali Linux in VirtualBox
2.3.1 Option 1: Using a Prebuilt VirtualBox Image2.3.2 Option 2: Installing Kali Linux Yourself2.3.3 Installation2.3.4 Login and sudo2.3.5 Time Zone and Time Display2.3.6 Network Connection2.3.7 Using Kali Linux via SSH2.3.8 Clipboard for Kali Linux and the Host Computer
2.4 Kali Linux and Hyper-V
2.5 Kali Linux in the Windows Subsystem for Linux
2.5.1 Kali Linux in Graphic Mode2.5.2 WSL1 versus WSL22.5.3 Practical Experience
2.6 Kali Linux on Raspberry Pi
2.7 Running Kali Linux on Apple PCs with ARM CPUs
2.8 Simple Application Examples
2.8.1 Address Scan on the Local Network2.8.2 Port Scan of a Server2.8.3 Hacking Metasploitable
2.9 Internal Details of Kali
2.9.1 Basic Coverage2.9.2 Package Sources2.9.3 Rolling Release2.9.4 Performing Updates2.9.5 Installing Software2.9.6 Python 22.9.7 Network Services and Firewall2.9.8 kali-tweaks2.9.9 Undercover Mode2.9.10 PowerShell
3 Setting Up the Learning Environment: Metasploitable, Juice Shop
3.1 Honeypots
3.2 Metasploitable 2
3.2.1 Installation in VirtualBox3.2.2 Network Settings3.2.3 Host-Only Network3.2.4 Using Metasploitable 23.2.5 Hacking Metasploitable 23.2.6 rlogin Exploit
3.3 Metasploitable 3 (Ubuntu Variant)
3.3.1 Why No Ready-Made Images?3.3.2 Requirements3.3.3 Installation3.3.4 Starting and Stopping Metasploitable 33.3.5 Administrating Metasploitable 33.3.6 Network Configuration3.3.7 Hacking Metasploitable 3
3.4 Metasploitable 3 (Windows Variant)
3.4.1 Administrating Metasploitable 33.4.2 SSH login3.4.3 Internal Details and Installation Variants3.4.4 Overview of Services in Metasploitable 3 (Windows Variant)3.4.5 Hacking Metasploitable 3
3.5 Juice Shop
3.5.1 Installation with Vagrant3.5.2 Installation with Docker3.5.3 Docker in Kali Linux3.5.4 Hacking Juice Shop
4 Hacking Tools
4.1 nmap4.1.1 Syntax4.1.2 Examples4.1.3 Variants and Alternatives
4.2 hydra
4.2.1 Syntax4.2.2 Password Lists4.2.3 Examples4.2.4 Attacks on Web Forms and Login Pages4.2.5 Alternatives
4.3 sslyze, sslscan, and testssl
4.3.1 sslscan and sslyze4.3.2 testssl4.3.3 Online Tests
4.4 whois, host, and dig
4.4.1 whois4.4.2 host4.4.3 dig4.4.4 dnsrecon
4.5 Wireshark
4.5.1 Installation4.5.2 Basic Functions4.5.3 Working Techniques4.5.4 Alternatives
4.6 tcpdump
4.6.1 Syntax4.6.2 Examples4.6.3 ngrep
4.7 Netcat (nc)
4.7.1 Syntax4.7.2 Examples4.7.3 socat
4.8 OpenVAS
4.8.1 Installation4.8.2 Starting and Updating OpenVAS4.8.3 Operation4.8.4 Alive Test4.8.5 Setting Up Tasks Yourself4.8.6 High Resource Requirements4.8.7 Alternatives
4.9 Metasploit Framework
4.9.1 Operation in Kali Linux4.9.2 Installation on Linux4.9.3 Installation on macOS4.9.4 Installation on Windows4.9.5 Updates4.9.6 The Metasploit Console (“msfconsole”)4.9.7 A Typical “msfconsole” Session4.9.8 Searching Modules4.9.9 Applying Modules4.9.10 Meterpreter
4.10 Empire Framework
4.10.1 Installation4.10.2 Getting to Know and Setting Up Listeners4.10.3 Selecting and Creating Stagers4.10.4 Creating and Managing Agents4.10.5 Finding the Right Module4.10.6 Obtaining Local Administrator Rights with the Empire Framework4.10.7 The Empire Framework as a Multiuser System4.10.8 Alternatives
4.11 The Koadic Postexploitation Framework
4.11.1 Installing the Server4.11.2 Using Helper Tools in the Program4.11.3 Creating Connections from a Client to the Server4.11.4 Creating a First Connection: Zombie 04.11.5 The Modules of Koadic4.11.6 Extending Rights and Reading Password Hashes4.11.7 Conclusion and Countermeasures
4.12 Social Engineer Toolkit
4.12.1 Syntax4.12.2 Example4.12.3 The dnstwist Command4.12.4 Other SET Modules4.12.5 Alternatives
4.13 Burp Suite
4.13.1 Installation and Setup4.13.2 Modules4.13.3 Burp Proxy4.13.4 Burp Scanner4.13.5 Burp Intruder4.13.6 Burp Repeater4.13.7 Burp Extensions4.13.8 Alternatives
4.14 Sliver
4.14.1 Installation4.14.2 Implants and Listeners4.14.3 Other C2 Frameworks
5 Offline Hacking
5.1 BIOS/EFI: Basic Principles5.1.1 The Boot Process5.1.2 EFI Settings and Password Protection5.1.3 UEFI Secure Boot5.1.4 When the EFI Is Insurmountable: Remove the Hard Drive
5.2 Accessing External Systems
5.2.1 Booting the Notebook with Kali Linux5.2.2 Reading the Windows File System5.2.3 Vault Files5.2.4 Write Access to the Windows File System5.2.5 Linux5.2.6 macOS5.2.7 Does That Mean That Login Passwords Are Useless?
5.3 Accessing External Hard Drives or SSDs
5.3.1 Hard Drives and SSDs Removed from Notebooks
5.4 Resetting the Windows Password
5.4.1 Tools5.4.2 Undesirable Side Effects5.4.3 Resetting the Local Windows Password Using chntpw5.4.4 Activating a Windows Administrator User via chntpw
5.5 Resetting Linux and macOS Passwords
5.5.1 Resetting a Linux Password5.5.2 Resetting a macOS Password
5.6 Encrypting Hard Drives
5.6.1 BitLocker5.6.2 Access to BitLocker File Systems on Linux (dislocker)5.6.3 BitLocker Security5.6.4 BitLocker Alternatives5.6.5 macOS: FileVault5.6.6 Linux: Linux Unified Key Setup5.6.7 Security Concerns Regarding LUKS5.6.8 File System Encryption on the Server
6 Passwords
6.1 Hash Procedures6.1.1 Hash Collisions6.1.2 SHA-2 and SHA-3 Hash Codes6.1.3 Checksums or Hash Codes for Downloads
6.2 Brute-Force Password Cracking
6.2.1 Estimating the Time Required for Password Cracking
6.3 Rainbow Tables
6.3.1 Password Salting
6.4 Dictionary Attacks
6.5 Password Tools
6.5.1 John the Ripper: Offline CPU Cracker6.5.2 hashcat: Offline GPU Cracker6.5.3 Crunch: Password List Generator6.5.4 hydra: Online Cracker6.5.5 makepasswd: Password Generator6.5.6 One-Time Secret: Send Passwords by Email
6.6 Default Passwords
6.7 Data Breaches
6.8 Multifactor Authentication
6.9 Implementing Secure Password Handling
6.9.1 Implementation Tips
7 IT Forensics
7.1 Methodical Analysis of Incidents7.1.1 Digital Traces7.1.2 Forensic Investigation7.1.3 Areas of IT Forensics7.1.4 Analysis of Security Incidents
7.2 Postmortem Investigation
7.2.1 Forensic Backup of Memory7.2.2 Recovering Deleted Files by File Carving7.2.3 Metadata and File Analysis7.2.4 System Analyses with Autopsy7.2.5 Basic System Information7.2.6 Reading the Last Activities7.2.7 Analyzing Web Activities7.2.8 Tracing Data Exchanges
7.3 Live Analysis
7.3.1 Finding User Data7.3.2 Called Domains and URLs7.3.3 Active Network Connections7.3.4 Extracting the TrueCrypt Password
7.4 Forensic Readiness
7.4.1 Strategic Preparations7.4.2 Operational Preparations7.4.3 Effective Logging7.4.4 Protection against Tampering7.4.5 Integrity Verification7.4.6 Digital Signatures
7.5 Summary
8 Wi-Fi, Bluetooth, and SDR
8.1 802.11x Systems: Wi-Fi8.1.1 Preparation and Infrastructure8.1.2 Wireless Equivalent Privacy8.1.3 WPA/WPA-2: Wireless Protected Access8.1.4 Wireless Protected Setup8.1.5 Wi-Fi Default Passwords8.1.6 WPA-2-KRACK Attack8.1.7 WPA-2 Enterprise8.1.8 Wi-Fi Client: Man-in-the-Middle8.1.9 WPA-3
8.2 Collecting WPA-2 Handshakes with Pwnagotchi
8.3 Bluetooth
8.3.1 Bluetooth Technology8.3.2 Identifying Bluetooth Classic Devices8.3.3 Hiding (and Still Finding) Bluetooth Devices8.3.4 Bluetooth Low Energy (BTLE)8.3.5 Listening In on Bluetooth Low Energy Communication8.3.6 Identifying Apple Devices via Bluetooth8.3.7 Bluetooth Attacks8.3.8 Modern Bluetooth Attacks
8.4 Software-Defined Radios
8.4.1 SDR Devices8.4.2 Decoding a Wireless Remote Control
9 Attack Vector USB Interface
9.1 USB Rubber Ducky9.1.1 Structure and Functionality9.1.2 DuckyScript9.1.3 Installing a Backdoor on Windows 119.1.4 Use With Duck Encoder to Create the Finished Payload
9.2 Digispark: A Wolf in Sheep’s Clothing
9.2.1 Downloading and Setting Up the Arduino Development Environment9.2.2 The Script Language of the Digispark9.2.3 Setting Up a Linux Backdoor with Digispark
9.3 Bash Bunny
9.3.1 Structure and Functionality9.3.2 Configuring the Bash Bunny9.3.3 Status LED9.3.4 Software Installation9.3.5 Connecting to the Bash Bunny9.3.6 Connecting the Bash Bunny to the Internet: Linux Host9.3.7 Connecting the Bash Bunny to the Internet: Windows Host9.3.8 Bunny Script: The Scripting Language of the Bash Bunny9.3.9 Using Custom Extensions and Functions9.3.10 Setting Up a macOS Backdoor with Bash Bunny9.3.11 The payload.txt Files for Switch1 and Switch29.3.12 Updating the Bash Bunny9.3.13 Key Takeaways
9.4 P4wnP1: The Universal Talent
9.4.1 Structure and Functionality9.4.2 Installation and Connectivity9.4.3 HID Scripts9.4.4 CLI Client9.4.5 An Attack Scenario with the P4wnP19.4.6 Creating a Dictionary9.4.7 Launching a Brute-Force Attack9.4.8 Setting Up a Trigger Action9.4.9 Deploying the P4wnP1 on the Target System9.4.10 Key Takeaways
9.5 MalDuino W
9.5.1 The Web Interface of the MalDuino W9.5.2 The Scripting Language and the CLI9.5.3 An Attack Scenario with the MalDuino W9.5.4 How Does the Attack Work?9.5.5 Key Takeaways
9.6 Countermeasures
9.6.1 Hardware Measures9.6.2 Software Measures
10 External Security Checks
10.1 Reasons for Professional Checks
10.2 Types of Security Checks
10.2.1 Open-Source Intelligence10.2.2 Vulnerability Scan10.2.3 Vulnerability Assessment10.2.4 Penetration Test10.2.5 Red Teaming10.2.6 Purple Teaming10.2.7 Bug Bounty Programs10.2.8 Type of Performance10.2.9 Depth of Inspection: Attacker Type10.2.10 Prior to the Order
10.3 Legal Protection
10.4 Objectives and Scope
10.4.1 Sample Objective10.4.2 Sample Worst-Case Scenarios10.4.3 Sample Scope
10.5 Implementation Methods
10.6 Reporting
10.7 Selecting the Right Provider
11 Penetration Testing
11.1 Gathering Information11.1.1 Searching for Information about a Company11.1.2 Using Metadata of Published Files11.1.3 Identifying the Structure of Email Addresses11.1.4 Database and Password Leaks11.1.5 Partial Automation with Maltego11.1.6 Automating Maltego Transforms11.1.7 Defense
11.2 Initial Access with Code Execution
11.2.1 Checking External IP Addresses of the PTA
11.3 Scanning Targets of Interest
11.3.1 Gathering Information via DNS11.3.2 Detecting Active Hosts11.3.3 Detecting Active Services with nmap11.3.4 Using nmap in Combination with Metasploit
11.4 Searching for Known Vulnerabilities Using nmap
11.5 Exploiting Known Vulnerabilities Using Metasploit
11.5.1 Example: GetSimple CMS
11.6 Attacking Using Known or Weak Passwords
11.7 Email Phishing Campaigns for Companies
11.7.1 Organizational Preparatory Measures11.7.2 Preparing a Phishing Campaign with Gophish
11.8 Phishing Attacks with Office Macros
11.9 Phishing Attacks with ISO and ZIP Files
11.9.1 Creating an Executable File with Metasploit11.9.2 Creating a File with ScareCrow to Bypass Virus Scanners11.9.3 Disguising and Deceiving: From EXE to PDF File11.9.4 Defense
11.10 Attack Vector USB Phishing
11.11 Network Access Control and 802.1X in Local Networks
11.11.1 Getting to Know the Network by Listening11.11.2 Network Access Control and 802.1X
11.12 Extending Rights on the System
11.12.1 Local Privilege Escalation11.12.2 Bypassing Windows User Account Control Using the Default Setting11.12.3 Bypassing UAC Using the Highest Setting
11.13 Collecting Credentials and Tokens
11.13.1 Reading Passwords from Local and Domain Accounts11.13.2 Bypassing Windows 10 Protection against mimikatz11.13.3 Stealing Windows Tokens to Impersonate a User11.13.4 Matching Users with DCSync11.13.5 Golden Ticket11.13.6 Reading Local Password Hashes11.13.7 Broadcasting within the Network by Means of Pass-the-Hash11.13.8 Man-in-the-Middle Attacks in Local Area Networks11.13.9 Basic Principles11.13.10 LLMNR/NBT-NS and SMB Relaying
11.14 SMB Relaying Attack on Ordinary Domain Users
11.14.1 Command-and-Control
12 Securing Windows Servers
12.1 Local Users, Groups, and Rights12.1.1 User and Password Properties12.1.2 Local Admin Password Solution
12.2 Manipulating the File System
12.2.1 Attacks on Virtualized Machines12.2.2 Protection12.2.3 Attacking through the Registry
12.3 Server Hardening
12.3.1 Ensure a Secure Foundation12.3.2 Harden New Installations12.3.3 Protect Privileged Users12.3.4 Threat Detection12.3.5 Secure Virtual Machines as Well12.3.6 Security Compliance Toolkit
12.4 Microsoft Defender
12.4.1 Defender Configuration12.4.2 Defender Administration via PowerShell
12.5 Windows Firewall
12.5.1 Basic Configuration12.5.2 Advanced Configuration12.5.3 IP Security
12.6 Windows Event Viewer
12.6.1 Classification of Events12.6.2 Log Types12.6.3 Linking Actions to Event Logs12.6.4 Windows Event Forwarding12.6.5 Event Viewer Tools
13 Active Directory
13.1 What Is Active Directory?13.1.1 Domains13.1.2 Partitions13.1.3 Access Control Lists13.1.4 Security Descriptor Propagator13.1.5 Standard Permissions13.1.6 The Confidentiality Attribute
13.2 Manipulating the Active Directory Database or its Data
13.2.1 ntdsutil Command13.2.2 dsamain Command13.2.3 Accessing the AD Database via Backups
13.3 Manipulating Group Policies
13.3.1 Configuration Files for Group Policies13.3.2 Example: Changing a Password
13.4 Domain Authentication: Kerberos
13.4.1 Kerberos: Basic Principles13.4.2 Kerberos in a Theme Park13.4.3 Kerberos on Windows13.4.4 Kerberos Tickets13.4.5 krbtgt Account13.4.6 TGS Request and Reply13.4.7 Older Authentication Protocols
13.5 Attacks against Authentication Protocols and LDAP
13.6 Pass-the-Hash Attacks: mimikatz
13.6.1 Setting up a Defender Exception13.6.2 Windows Credentials Editor13.6.3 mimikatz13.6.4 The mimikatz “sekurlsa” Module13.6.5 mimikatz and Kerberos13.6.6 PowerSploit
13.7 Golden Ticket and Silver Ticket
13.7.1 Creating a Golden Ticket Using mimikatz13.7.2 Silver Ticket and Trust Ticket13.7.3 BloodHound13.7.4 Deathstar
13.8 Reading Sensitive Data from the Active Directory Database
13.9 Basic Coverage
13.9.1 Core Server13.9.2 Roles in the Core Server13.9.3 Nano Server13.9.4 Updates13.9.5 Hardening the Domain Controller
13.10 More Security through Tiers
13.10.1 Group Policies for the Tier Model13.10.2 Authentication Policies and Silos
13.11 Protective Measures against Pass-the-Hash and Pass-the-Ticket Attacks
13.11.1 Kerberos Reset13.11.2 Kerberos Policies13.11.3 Kerberos Claims and Armoring13.11.4 Monitoring and Detection13.11.5 Microsoft Advanced Threat Analytics: Legacy13.11.6 Other Areas of Improvement in Active Directory
14 Securing Linux
14.1 Other Linux Chapters
14.2 Installation
14.2.1 Server Distributions14.2.2 Partitioning the Data Medium14.2.3 IPv6
14.3 Software Updates
14.3.1 Is a Restart Necessary?14.3.2 Automating Updates14.3.3 Configuring Automatic Updates on RHEL14.3.4 Configuring Automatic Updates on Ubuntu14.3.5 The Limits of Linux Update Systems
14.4 Kernel Updates: Live Patches
14.4.1 Kernel Live Patches14.4.2 Kernel Live Patches for RHEL14.4.3 Kernel Live Patches on Ubuntu
14.5 Securing SSH
14.5.1 sshd_config14.5.2 Blocking the Root Login14.5.3 Authentication with Keys14.5.4 Authenticating with Keys in the Cloud14.5.5 Blocking IPv6
14.6 2FA with Google Authenticator
14.6.1 Setting Up Google Authenticator14.6.2 2FA with Password and One-Time Code14.6.3 What Happens if the Smartphone Is Lost?14.6.4 Authy as an Alternative to the Google Authenticator App
14.7 2FA with YubiKey
14.7.1 PAM Configuration14.7.2 Mapping File14.7.3 SSH Configuration
14.8 Fail2ban
14.8.1 Installation14.8.2 Configuration14.8.3 Basic Parameters14.8.4 Securing SSH14.8.5 Securing Other Services14.8.6 Securing Custom Web Applications14.8.7 Fail2ban Client
14.9 Firewall
14.9.1 From Netfilter to ntftables14.9.2 Basic Principles14.9.3 Determining the Firewall Status14.9.4 Defining Rules14.9.5 Syntax for Firewall Rules14.9.6 Example: Simple Protection of a Web Server14.9.7 FirewallD: RHEL14.9.8 firewall-cmd Command14.9.9 ufw: Ubuntu14.9.10 Firewall Protection in the Cloud
14.10 SELinux
14.10.1 Concept14.10.2 The Right Security Context14.10.3 Process Context: Domain14.10.4 Policies14.10.5 SELinux Parameters: Booleans14.10.6 Status14.10.7 Fixing SELinux Issues
14.11 AppArmor
14.11.1 AppArmor on Ubuntu14.11.2 Rules: Profiles14.11.3 Structure of Rule Files14.11.4 Rule Parameters: Tunables14.11.5 Logging and Maintenance
14.12 Kernel Hardening
14.12.1 Changing Kernel Options Using sysctl14.12.2 Setting Kernel Boot Options in the GRUB Configuration
14.13 Apache
14.13.1 Certificates14.13.2 Certificate Files14.13.3 Apache Configuration14.13.4 HTTPS Is Not HTTPS
14.14 MySQL and MariaDB
14.14.1 MySQL versus MariaDB14.14.2 Login System14.14.3 MySQL and MariaDB on Debian/Ubuntu14.14.4 Securing MySQL on RHEL14.14.5 Securing MariaDB on RHEL14.14.6 Hash Codes in the “mysql.user” Table: Old MySQL and MariaDB Versions14.14.7 Privileges14.14.8 Server Configuration
14.15 Postfix
14.15.1 Postfix: Basic Settings14.15.2 Sending and Receiving Emails in Encrypted Form14.15.3 Spam and Virus Defense
14.16 Dovecot
14.16.1 Using Custom Certificates for IMAP and POP14.16.2 SMTP Authentication for Postfix
14.17 Rootkit Detection and Intrusion Detection
14.17.1 chkrootkit14.17.2 rkhunter14.17.3 Lynis14.17.4 ISPProtect14.17.5 Snort14.17.6 Verifying Files from Packages14.17.7 Scanning for Suspicious Ports and Processes
15 Security of Samba File Servers
15.1 Preliminary Considerations15.1.1 Compiling Samba, SerNet Packages
15.2 Basic CentOS Installation
15.2.1 Partitions15.2.2 Disabling IPv615.2.3 Installing Samba Packages on CentOS
15.3 Basic Debian Installation
15.3.1 The Partitions15.3.2 Disabling IPv615.3.3 Installing Samba Packages on Debian
15.4 Configuring the Samba Server
15.4.1 Configuring the Kerberos Client
15.5 Samba Server in Active Directory
15.5.1 Joining the Samba Server15.5.2 Testing the Server
15.6 Shares on the Samba Server
15.6.1 File System Rights on Linux15.6.2 File System Rights on Windows15.6.3 Special Shares on a Windows Server15.6.4 The Admin Share on Samba15.6.5 Creating the Admin Share15.6.6 Creating the User Shares
15.7 Changes to the Registry
15.7.1 Accessing the Registry from Windows
15.8 Samba Audit Functions
15.9 Firewall
15.9.1 Testing the Firewall Script15.9.2 Starting Firewall Script Automatically
15.10 Attack Scenarios on Samba File Servers
15.10.1 Known Vulnerabilities in Recent Years
15.11 Checking Samba File Servers
15.11.1 Tests with nmap15.11.2 Testing the Samba Protocols15.11.3 Testing the Open Ports15.11.4 smb-os-discovery15.11.5 smb2-capabilities15.11.6 ssh-brute
16 Intrusion Detection Systems
16.1 Intrusion Detection Methods16.1.1 Pattern Recognition: Static16.1.2 Anomaly Detection (Dynamic)
16.2 Host-Based versus Network-Based Intrusion Detection
16.2.1 Host-Based IDS16.2.2 Network-Based IDS16.2.3 NIDS Metadata16.2.4 NIDS Connection Contents
16.3 Responses
16.3.1 Automatic Intrusion Prevention16.3.2 Walled Garden16.3.3 Swapping Computers
16.4 Bypassing and Manipulating Intrusion Detection
16.4.1 Insertions16.4.2 Evasions16.4.3 Resource Consumption
16.5 Snort
16.5.1 Installation and Launch16.5.2 Getting Started16.5.3 IDS or IPS16.5.4 Configuration16.5.5 Modules16.5.6 Snort Event Logging
16.6 Snort Rules
16.6.1 Syntax of Snort Rules16.6.2 Service Rules16.6.3 General Rule Options16.6.4 Matching Options16.6.5 Hyperscan16.6.6 Inspector-Specific Options16.6.7 Managing Rule Sets with PulledPork
17 Security of Web Applications
17.1 Architecture of Web Applications17.1.1 Components of Web Applications17.1.2 Authentication and Authorization17.1.3 Session Management
17.2 Attacks against Web Applications
17.2.1 Attacks against Authentication17.2.2 Session Hijacking17.2.3 HTML Injection17.2.4 Cross-Site Scripting17.2.5 Session Fixation17.2.6 Cross-Site Request Forgery17.2.7 Directory Traversal17.2.8 Local File Inclusion17.2.9 Remote File Inclusion17.2.10 File Upload17.2.11 SQL Injection17.2.12 sqlmap17.2.13 Advanced SQL Injection: Blind SQL Injection (Boolean)17.2.14 Advanced SQL Injection: Blind SQL Injection (Time)17.2.15 Advanced SQL Injection: Out-of-Band Data Exfiltration17.2.16 Advanced SQL Injection: Error-Based SQL Injection17.2.17 Command Injection17.2.18 Clickjacking17.2.19 XML Attacks17.2.20 Server Side Request Forgery17.2.21 Angular Template Injection17.2.22 Attacks on Object Serialization17.2.23 Vulnerabilities in Content Management Systems
17.3 Practical Analysis of a Web Application
17.3.1 Information Gathering17.3.2 Testing SQL Injection17.3.3 Directory Traversal17.3.4 Port Knocking17.3.5 SSH Login17.3.6 Privilege Escalation17.3.7 Automatic Analysis via Burp
17.4 Protection Mechanisms and Defense against Web Attacks
17.4.1 Minimizing the Server Signature17.4.2 Turning Off the Directory Listing17.4.3 Restricted Operating System Account for the Web Server17.4.4 Running the Web Server in a “chroot” Environment17.4.5 Disabling Unneeded Modules17.4.6 Restricting HTTP Methods17.4.7 Restricting the Inclusion of External Content17.4.8 Protecting Cookies from Access17.4.9 Server Timeout17.4.10 Secure Socket Layer17.4.11 HTTP Strict Transport Security17.4.12 Input and Output Validation17.4.13 Web Application Firewall
17.5 Security Analysis of Web Applications
17.5.1 Code Analysis17.5.2 Analysis of Binary Files17.5.3 Fuzzing
18 Software Exploitation
18.1 Software Vulnerabilities18.1.1 Race Conditions18.1.2 Logic Error18.1.3 Format String Attacks18.1.4 Buffer Overflows18.1.5 Memory Leaks
18.2 Detecting Security Gaps
18.3 Executing Programs on x86 Systems
18.3.1 Memory Areas18.3.2 Stack Operations18.3.3 Calling Functions
18.4 Exploiting Buffer Overflows
18.4.1 Analysis of the Program Functionality18.4.2 Creating a Program Crash18.4.3 Reproducing the Program Crash18.4.4 Analysis of the Crash18.4.5 Offset Calculation18.4.6 Creating the Exploit Structure18.4.7 Generating Code18.4.8 Dealing with Prohibited Characters
18.5 Structured Exception Handling
18.6 Heap Spraying
18.7 Protective Mechanisms against Buffer Overflows
18.7.1 Address Space Layout Randomization18.7.2 Stack Canaries or Stack Cookies18.7.3 Data Execution Prevention18.7.4 SafeSEH and Structured Exception Handling Overwrite Protection18.7.5 Protection Mechanisms against Heap Spraying
18.8 Bypassing Protective Measures against Buffer Overflows
18.8.1 Bypassing Address Space Layout Randomization18.8.2 Bypassing Stack Cookies18.8.3 Bypassing SafeSEH and SEHOP18.8.4 Return-Oriented Programming18.8.5 DEP Bypass
18.9 Preventing Buffer Overflows as a Developer
18.10 Spectre and Meltdown
18.10.1 Meltdown18.10.2 Defense Measures18.10.3 Proof of Concept (Meltdown)18.10.4 Spectre18.10.5 Proof of Concept (Spectre)18.10.6 The Successors to Spectre and Meltdown
19 Bug Bounty Programs
19.1 The Idea Behind Bug Bounties19.1.1 Providers19.1.2 Variants19.1.3 Earning Opportunities
19.2 Reporting Vulnerabilities
19.2.1 Testing Activities
19.3 Tips and Tricks for Analysts
19.3.1 Scope19.3.2 Exploring the Response Quality of the Target Company19.3.3 Take Your Time19.3.4 Finding Errors in Systems or Systems with Errors19.3.5 Spend Money19.3.6 Get Tips, Learn from the Pros19.3.7 Companies Buy Companies19.3.8 Creating a Test Plan19.3.9 Automating Standard Processes
19.4 Tips for Companies
20 Security in the Cloud
20.1 Overview20.1.1 Arguments for the Cloud20.1.2 Cloud Risks and Attack Vectors20.1.3 Recommendations
20.2 Amazon Simple Storage Service
20.2.1 Basic Security and User Management20.2.2 The aws Command20.2.3 Encrypting Files20.2.4 Public Access to Amazon S3 Files20.2.5 Amazon S3 Hacking Tools
20.3 Nextcloud and ownCloud
20.3.1 Installing Nextcloud20.3.2 Blocking Access to the “data Folder”20.3.3 Performing Updates20.3.4 File Encryption20.3.5 Security Testing for ownCloud and Nextcloud Installations20.3.6 Brute-Force Attacks and Protection
21 Securing Microsoft 365
21.1 Identities and Access Management21.1.1 Azure Active Directory and Microsoft 36521.1.2 User Management in AAD21.1.3 Application Integration
21.2 Security Assessment
21.3 Multifactor Authentication
21.3.1 Preliminary Considerations21.3.2 Enabling Multifactor Authentication for a User Account21.3.3 User Configuration of Multifactor Authentication21.3.4 App Passwords for Incompatible Applications and Apps
21.4 Conditional Access
21.4.1 Creating Policies21.4.2 Conditions for Policies21.4.3 Access Controls
21.5 Identity Protection
21.5.1 Responding to Vulnerabilities
21.6 Privileged Identities
21.6.1 Enabling Privileged Identities21.6.2 Configuring a User as a Privileged Identity21.6.3 Requesting Administrator Permissions
21.7 Detecting Malicious Code
21.7.1 Protection for File Attachments21.7.2 Protection for Files in SharePoint Online and OneDrive for Business21.7.3 Protection for Links21.7.4 Protection for Links in Office Applications
21.8 Security in Data Centers
21.8.1 Encryption of Your Data21.8.2 Access Governance21.8.3 Audits and Privacy
22 Mobile Security
22.1 Android and iOS Security: Basic Principles22.1.1 Sandboxing22.1.2 Authorization Concept22.1.3 Protection against Brute-Force Attacks when the Screen Is Locked22.1.4 Device Encryption22.1.5 Patch Days
22.2 Threats to Mobile Devices
22.2.1 Theft or Loss of a Mobile Device22.2.2 Unsecured and Open Networks22.2.3 Insecure App Behavior at Runtime22.2.4 Abuse of Authorizations22.2.5 Insecure Network Communication22.2.6 Attacks on Data Backups22.2.7 Third-Party Stores
22.3 Malware and Exploits
22.3.1 Stagefright (Android)22.3.2 Pegasus (iOS)22.3.3 Spy Apps
22.4 Technical Analysis of Apps
22.4.1 Reverse Engineering of Apps22.4.2 Automated Vulnerability Analysis of Mobile Applications
22.5 Protective Measures for Android and iOS
22.5.1 Avoid Rooting or Jailbreaking22.5.2 Update Operating Systems and Apps22.5.3 Device Encryption22.5.4 Antitheft Protection and Activation Lock22.5.5 Lock Screen22.5.6 Antivirus Apps22.5.7 Two-Factor Authentication22.5.8 Critical Review of Permissions22.5.9 Installing Apps from Alternative App Stores22.5.10 Using VPN Connections22.5.11 Related Topic: WebAuthn and FIDO222.5.12 Using Android and iOS in the Enterprise
22.6 Apple Supervised Mode and Apple Configurator
22.6.1 Conclusion
22.7 Enterprise Mobility Management
22.7.1 Role and Authorization Management22.7.2 Device Management22.7.3 App Management22.7.4 System Settings22.7.5 Container Solutions Based on the Example of Android Enterprise22.7.6 Tracking Managed Devices22.7.7 Reporting22.7.8 Conclusion
23 Internet of Things Security
23.1 What Is the Internet of Things?
23.2 Finding IoT Vulnerabilities
23.2.1 Shodan Search Engine for Publicly Accessible IoT Devices23.2.2 Using Shodan23.2.3 For Professionals: Filtering Using Search Commands23.2.4 Printer Exploitation Toolkit23.2.5 RouterSploit23.2.6 AutoSploit23.2.7 Consumer Devices as a Gateway23.2.8 Attacks from the Inside via a Port Scanner23.2.9 Sample Port Scan of an Entertainment Device23.2.10 Local Network versus Internet23.2.11 Incident Scenarios with Cheap IoT Devices23.2.12 Danger from Network Operator Interfaces
23.3 Securing IoT Devices in Networks
23.4 IoT Protocols and Services
23.4.1 MQ Telemetry Transport23.4.2 Installing an MQTT Broker23.4.3 MQTT Example23.4.4 $SYS Topic Tree23.4.5 Securing the Mosquitto MQTT Broker
23.5 Wireless IoT Technologies
23.5.1 6LoWPAN23.5.2 Zigbee23.5.3 LoRaWAN23.5.4 NFC and RFID23.5.5 NFC Hacking
23.6 IoT from the Developer’s Perspective
23.6.1 Servers for IoT Operation23.6.2 Embedded Linux, Android, or Windows IoT Devices23.6.3 Embedded Devices and Controllers without Classic Operating Systems
23.7 Programming Languages for Embedded Controllers
23.7.1 C23.7.2 C++23.7.3 Lua
23.8 Rules for Secure IoT Programming
23.8.1 Processes as Simple as Possible23.8.2 Short, Testable Functions23.8.3 Transfer Values Must Be Checked in Their Entirety23.8.4 Returning Error Codes23.8.5 Fixed Boundaries in Loops23.8.6 No Dynamic Memory Allocation (or as Little as Possible)23.8.7 Make Dimensioning Buffers or Arrays Sufficiently Large23.8.8 Always Pass Buffer and Array Sizes23.8.9 Use Caution with Function Pointers23.8.10 Enabling Compiler Warnings23.8.11 String Copy for Few Resources23.8.12 Using Libraries
A The Authors
Index
Service Pages
Legal Notes

Overview

Explore hacking methodologies, tools, and defensive measures with this practical guide that covers topics like penetration testing, IT forensics, and security risks.

Key Features

Extensive hands-on use of Kali Linux and security tools
Practical focus on IT forensics, penetration testing, and exploit detection
Step-by-step setup of secure environments using Metasploitable

Book Description

This book provides a comprehensive guide to cybersecurity, covering hacking techniques, tools, and defenses. It begins by introducing key concepts, distinguishing penetration testing from hacking, and explaining hacking tools and procedures. Early chapters focus on security fundamentals, such as attack vectors, intrusion detection, and forensic methods to secure IT systems.

As the book progresses, readers explore topics like exploits, authentication, and the challenges of IPv6 security. It also examines the legal aspects of hacking, detailing laws on unauthorized access and negligent IT security. Readers are guided through installing and using Kali Linux for penetration testing, with practical examples of network scanning and exploiting vulnerabilities.

Later sections cover a range of essential hacking tools, including Metasploit, OpenVAS, and Wireshark, with step-by-step instructions. The book also explores offline hacking methods, such as bypassing protections and resetting passwords, along with IT forensics techniques for analyzing digital traces and live data. Practical application is emphasized throughout, equipping readers with the skills needed to address real-world cybersecurity threats.

Original Publishing Date: 2023-06-21

What you will learn

Master penetration testing
Understand security vulnerabilities
Apply forensics techniques
Use Kali Linux for ethical hacking
Identify zero-day exploits
Secure IT systems

Who this book is for

This book is ideal for cybersecurity professionals, ethical hackers, IT administrators, and penetration testers. A basic understanding of network protocols, operating systems, and security principles is recommended for readers to benefit from this guide fully.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781836647355

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills