Ethical Hacking and Penetration Testing Guide

by Rafay Baloch

Released September 2017

Publisher(s): Auerbach Publications

ISBN: 9781351381345

Start your free trial

Book description

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end.

Cover
Half Title
Title
Copyright
Contents
Preface
Acknowledgments
Author
1 Introduction to Hacking
1. Important Terminologies
2. Categories of Penetration Test
3. Writing Reports
4. Structure of a Penetration Testing Report
5. Vulnerability Assessment Summary
  1. Tabular Summary
6. Risk Assessment
  1. Risk Assessment Matrix
7. Methodology
  1. Detailed Findings
  2. Reports
8. Conclusion
2 Linux Basics
1. Major Linux Operating Systems
2. File Structure inside of Linux
  1. File Permission in Linux
3. Most Common and Important Commands
4. Linux Scheduler (Cron Job)
  1. Cron Permission
    1. Cron Permission
    2. Cron Files
5. Users inside of Linux
6. Common Applications of Linux
7. What Is BackTrack?
8. Changing the Default Screen Resolution
  1. Some Unforgettable Basics
  2. Locating Certain Files inside BackTrack
9. Text Editors inside BackTrack
10. Getting to Know Your Network
  1. Dhclient
11. Services
  1. MySQL
  2. SSHD
  3. Postgresql
12. Other Online Resources
3 Information Gathering Techniques
1. Active Information Gathering
2. Passive Information Gathering
3. Sources of Information Gathering
4. Copying Websites Locally
  1. Information Gathering with Whois
  2. Finding Other Websites Hosted on the Same Server
5. Yougetsignal.com
  1. Tracing the Location
  2. Traceroute
  3. ICMP Traceroute
  4. TCP Traceroute
    1. Usage
  5. UDP Traceroute
    1. Usage
6. NeoTrace
7. Cheops-ng
  1. Enumerating and Fingerprinting the Webservers
8. Intercepting a Response
  1. Acunetix Vulnerability Scanner
9. WhatWeb
10. Netcraft
  1. Google Hacking
11. Some Basic Parameters
  1. Site
12. Example
13. TIP regarding Filetype
  1. Google Hacking Database
14. Hackersforcharity.org/ghdb
15. Xcode Exploit Scanner
  1. File Analysis
  2. Foca
  3. Harvesting E-Mail Lists
  4. Gathering Wordlist from a Target Website
  5. Scanning for Subdomains
  6. TheHarvester
  7. Fierce in BackTrack
  8. Scanning for SSL Version
  9. DNS Enumeration
16. Interacting with DNS Servers
17. Nslookup
18. DIG
  1. Forward DNS Lookup
19. Forward DNS Lookup with Fierce
  1. Reverse DNS
  2. Reverse DNS Lookup with Dig
20. Reverse DNS Lookup with Fierce
  1. Zone Transfers
21. Zone Transfer with Host Command
22. Automating Zone Transfers
  1. DNS Cache Snooping
23. What Is DNS Cache Snooping?
  1. Nonrecursive Method
  2. Recursive Method
24. What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?
25. Attack Scenario
26. Automating DNS Cache Snooping Attacks
  1. Enumerating SNMP
27. Problem with SNMP
28. Sniffing SNMP Passwords
29. OneSixtyOne
30. Snmpenum
31. SolarWinds Toolset
32. SNMP Sweep
33. SNMP Brute Force and Dictionary
34. SNMP Brute Force Tool
35. SNMP Dictionary Attack Tool
36. SMTP Enumeration
  1. Detecting Load Balancers
  2. Load Balancer Detector
  3. Determining Real IP behind Load Balancers
  4. Bypassing CloudFlare Protection
37. Intelligence Gathering Using Shodan
38. Further Reading
39. Conclusion
4 Target Enumeration and Port Scanning Techniques
1. Host Discovery
2. Scanning for Open Ports and Services
3. Types of Port Scanning
4. Understanding the TCP Three-Way Handshake
5. TCP Flags
6. Port Status Types
7. TCP SYN Scan
8. TCP Connect Scan
9. NULL, FIN, and XMAS Scans
10. NULL Scan
11. FIN Scan
12. XMAS Scan
13. TCP ACK Scan
14. Responses
15. UDP Port Scan
16. Anonymous Scan Types
17. IDLE Scan
18. Scanning for a Vulnerable Host
19. Performing an IDLE Scan with NMAP
20. TCP FTP Bounce Scan
21. Service Version Detection
22. OS Fingerprinting
23. POF
24. Output
  1. Normal Format
  2. Grepable Format
  3. XML Format
25. Advanced Firewall/IDS Evading Techniques
26. Timing Technique
27. Wireshark Output
28. Fragmented Packets
29. Wireshark Output
30. Source Port Scan
31. Specifying an MTU
32. Sending Bad Checksums
33. Decoys
34. ZENMAP
35. Further Reading
5 Vulnerability Assessment
1. What Are Vulnerability Scanners and How Do They Work?
2. Pros and Cons of a Vulnerability Scanner
3. Vulnerability Assessment with Nmap
4. Updating the Database
5. Scanning MS08 _ 067 _ netapi
6. Testing SCADA Environments with Nmap
  1. Installation
  2. Usage
7. Nessus Vulnerability Scanner
  1. Home Feed
  2. Professional Feed
8. Installing Nessus on BackTrack
9. Adding a User
  1. Nessus Control Panel
    1. Reports
    2. Mobile
    3. Scan
    4. Policies
    5. Users
    6. Configuration
  2. Default Policies
10. Creating a New Policy
11. Safe Checks
12. Silent Dependencies
  1. Avoid Sequential Scans
13. Port Range
  1. Credentials
  2. Plug-Ins
14. Preferences
  1. Scanning the Target
15. Nessus Integration with Metasploit
16. Importing Nessus to Metasploit
  1. Scanning the Target
  2. Reporting
  3. OpenVas
17. Resource
  1. Vulnerability Data Resources
  2. Exploit Databases
18. Using Exploit-db with BackTrack
19. Searching for Exploits inside BackTrack
20. Conclusion
6 Network Sniffing
1. Introduction
2. Types of Sniffing
  1. Active Sniffing
  2. Passive Sniffing
3. Hubs versus Switches
4. Promiscuous versus Nonpromiscuous Mode
5. MITM Attacks
6. ARP Protocol Basics
7. How ARP Works
8. ARP Attacks
  1. MAC Flooding
    1. Macof
  2. ARP Poisoning
9. Scenario—How It Works
10. Denial of Service Attacks
11. Tools of the Trade
  1. Dsniff
12. Using ARP Spoof to Perform MITM Attacks
  1. Usage
13. Sniffing the Traffic with Dsniff
14. Sniffing Pictures with Drifnet
15. Urlsnarf and Webspy
16. Sniffing with Wireshark
17. Ettercap
18. ARP Poisoning with Ettercap
19. Hijacking Session with MITM Attack
20. Attack Scenario
21. ARP Poisoning with Cain and Abel
22. Sniffing Session Cookies with Wireshark
23. Hijacking the Session
24. SSL Strip: Stripping HTTPS Traffic
25. Requirements
  1. Usage
26. Automating Man in the Middle Attacks
  1. Usage
27. DNS Spoofing
  1. ARP Spoofing Attack
  2. Manipulating the DNS Records
  3. Using Ettercap to Launch DNS Spoofing Attack
28. DHCP Spoofing
29. Conclusion
7 Remote Exploitation
1. Understanding Network Protocols
  1. Transmission Control Protocol
  2. User Datagram Protocol
  3. Internet Control Messaging Protocol
2. Server Protocols
  1. Text-Based Protocols (Important)
  2. Binary Protocols
    1. FTP
    2. SMTP
    3. HTTP
3. Further Reading
4. Resources
5. Attacking Network Remote Services
  1. Overview of Brute Force Attacks
6. Common Target Protocols
7. Tools of the Trade
  1. THC Hydra
8. Basic Syntax for Hydra
  1. Cracking Services with Hydra
9. Hydra GUI
  1. Medusa
10. Basic Syntax
11. OpenSSH Username Discovery Bug
12. Cracking SSH with Medusa
  1. Ncrack
13. Basic Syntax
14. Cracking an RDP with Ncrack
  1. Case Study of a Morto Worm
15. Combining Nmap and Ncrack for Optimal Results
  1. Attacking SMTP
16. Important Commands
17. Real-Life Example
18. Attacking SQL Servers
  1. MySQL Servers
19. Fingerprinting MySQL Version
20. Testing for Weak Authentication
21. MS SQL Servers
22. Fingerprinting the Version
23. Brute Forcing SA Account
24. Using Null Passwords
25. Introduction to Metasploit
26. History of Metasploit
27. Metasploit Interfaces
28. MSFConsole
  1. MSFcli
  2. MSFGUI
  3. Armitage
29. Metasploit Utilities
30. MSFPayload
31. MSFEncode
32. MSFVenom
33. Metasploit Basic Commands
34. Search Feature in Metasploit
35. Use Command
36. Info Command
37. Show Options
38. Set/Unset Command
39. Reconnaissance with Metasploit
40. Port Scanning with Metasploit
41. Metasploit Databases
42. Storing Information from Nmap into Metasploit Database
43. Useful Scans with Metasploit
  1. Port Scanners
  2. Specific Scanners
44. Compromising a Windows Host with Metasploit
45. Metasploit Autopwn
46. db _ autopwn in Action
47. Nessus and Autopwn
  1. Armitage
48. Interface
49. Launching Armitage
50. Compromising Your First Target from Armitage
51. Enumerating and Fingerprinting the Target
52. MSF Scans
53. Importing Hosts
54. Vulnerability Assessment
55. Exploitation
56. Check Feature
57. Hail Mary
58. Conclusion
59. References
8 Client Side Exploitation
1. Client Side Exploitation Methods
  1. Attack Scenario 1: E-Mails Leading to Malicious Attachments
  2. Attack Scenario 2: E-Mails Leading to Malicious Links
  3. Attack Scenario 3: Compromising Client Side Update
  4. Attack Scenario 4: Malware Loaded on USB Sticks
  5. E-Mails with Malicious Attachments
2. Introduction
  1. Header
  2. Body
  3. Cross Reference Table
  4. Trailer
3. PDF Launch Action
4. Creating a PDF Document with a Launch Action
  1. Controlling the Dialog Boxes
  2. PDF Reconnaissance
5. Tools of the Trade
  1. PDFINFO
    1. PDFINFO “Your PDF Document”
  2. PDFTK
6. Origami Framework
7. Installing Origami Framework on BackTrack
8. Attacking with PDF
  1. Fileformat Exploits
  2. Browser Exploits
9. Scenario from Real World
10. Adobe PDF Embedded EXE
11. Social Engineering Toolkit
  1. Attack Scenario 2: E-Mails Leading to Malicious Links
12. Credential Harvester Attack
13. Tabnabbing Attack
14. Other Attack Vectors
15. Browser Exploitation
16. Attacking over the Internet with SET
17. Attack Scenario over the Internet
18. Using Windows Box as Router (Port Forwarding)
  1. Browser AutoPWN
19. Why Use Browser AutoPWN?
20. Problem with Browser AutoPWN
21. VPS/Dedicated Server
  1. Attack Scenario 3: Compromising Client Side Update
22. How Evilgrade Works
23. Prerequisites
  1. Attack Vectors
  2. Internal Network Attack Vectors
  3. External Network Attack Vectors
  4. Evilgrade Console
  5. Attack Scenario
  6. Attack Scenario 4: Malware Loaded on USB Sticks
24. Teensy USB
25. Conclusion
26. Further Reading
9 Postexploitation
1. Acquiring Situation Awareness
2. Privilege Escalation
  1. Maintaining Stability
3. Escalating Privileges
4. Maintaining Access
5. Installing a Backdoor
6. Cracking the Hashes to Gain Access to Other Services
7. Backdoors
8. MSFPayload/MSFEncode
  1. Generating a Backdoor with MSFPayload
  2. MSFEncode
9. MSFVenom
10. Dumping the Hashes
11. References
12. References
13. Cracking the Hashes
14. John the Ripper
  1. Cracking LM/NTLM Passwords with JTR
  2. Cracking Linux Passwords with JTR
15. Rainbow Crack
16. Data Mining
  1. Gathering OS Information
  2. Harvesting Stored Credentials
17. Identifying and Exploiting Further Targets
18. psexec
  1. Exploiting Targets
19. Conclusion
10 Windows Exploit Development Basics
1. Prerequisites
2. What Is a Buffer Overflow?
3. Vulnerable Application
4. How to Find Buffer Overflows
5. Methodology
6. Getting the Software Up and Running
7. Causing the Application to Crash
8. Skeleton Exploit
  1. Determining the Offset
  2. Identifying Bad Characters
9. Figuring Out Bad Characters with Mona
10. Generating Metasploit Module
11. Porting to Metasploit
12. Conclusion
13. Further Resources
11 Wireless Hacking
1. Introduction
2. Requirements
3. Introducing Aircrack-ng
4. Uncovering Hidden SSIDs
5. Turning on the Monitor Mode
6. Monitoring Beacon Frames on Wireshark
7. Monitoring with Airodump-ng
8. Speeding Up the Process
  1. Bypassing MAC Filters on Wireless Networks
  2. Cracking a WEP Wireless Network with Aircrack-ng
9. Placing Your Wireless Adapter in Monitor Mode
10. Determining the Target with Airodump-ng
  1. Attacking the Target
  2. Speeding Up the Cracking Process
  3. Injecting ARP Packets
  4. Cracking the WEP
11. Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng
12. Capturing Packets
13. Capturing the Four-Way Handshake
14. Cracking WPA/WAP2
  1. Using Reaver to Crack WPS-Enabled Wireless Networks
15. Reducing the Delay
16. Further Reading
  1. Setting Up a Fake Access Point with SET to PWN Users
17. Attack Scenario
  1. Evil Twin Attack
18. Scanning the Neighbors
19. Spoofing the MAC
20. Setting Up a Fake Access Point
21. Causing Denial of Service on the Original AP
22. Conclusion
12 Web Hacking
1. Attacking the Authentication
  1. Username Enumeration
  2. Invalid Username with Invalid Password
  3. Valid Username with Invalid Password
  4. Enabling Browser Cache to Store Passwords
2. Brute Force and Dictionary Attacks
3. Types of Authentication
  1. HTTP Basic Authentication
  2. HTTP-Digest Authentication
  3. Form-Based Authentication
  4. Exploiting Password Reset Feature
4. Etsy.com Password Reset Vulnerability
  1. Attacking Form-Based Authentication
5. Brute Force Attack
  1. Attacking HTTP Basic Auth
6. Further Reading
  1. Log-In Protection Mechanisms
  2. CAPTCHA Validation Flaw
  3. CAPTCHA Reset Flaw
  4. Manipulating User-Agents to Bypass CAPTCHA and Other Protections
  5. Real-World Example
  6. Authentication Bypass Attacks
  7. Authentication Bypass Using SQL Injection
  8. Testing for SQL Injection Auth Bypass
  9. Authentication Bypass Using XPATH Injection
    1. Testing for XPATH Injection
  10. Authentication Bypass Using Response Tampering
7. Crawling Restricted Links
8. Testing for the Vulnerability
  1. Automating It with Burp Suite
9. Authentication Bypass with Insecure Cookie Handling
  1. Session Attacks
  2. Guessing Weak Session ID
  3. Session Fixation Attacks
10. Requirements for This Attack
11. How the Attack Works
  1. SQL Injection Attacks
  2. What Is an SQL Injection?
  3. Types of SQL Injection
  4. Detecting SQL Injection
  5. Determining the Injection Type
  6. Union-Based SQL Injection (MySQL)
12. Testing for SQL Injection
  1. Determining the Number of Columns
  2. Determining the Vulnerable Columns
  3. Fingerprinting the Database
  4. Enumeration Information
  5. Information_schema
  6. Information_schema Tables
  7. Enumerating All Available Databases
  8. Enumerating All Available Tables in the Database
  9. Extracting Columns from Tables
  10. Extracting Data from Columns
  11. Using group _ concat
  12. MySQL Version ≤ 5
13. Guessing Table Names
  1. Guessing Columns
  2. SQL Injection to Remote Command Execution
14. Reading Files
15. Writing Files
  1. Blind SQL Injection
    1. Boolean-Based SQLi
  2. True Statement
  3. False Statement
  4. Enumerating the DB User
  5. Enumerating the MYSQL Version
  6. Guessing Tables
  7. Guessing Columns in the Table
  8. Extracting Data from Columns
  9. Time-Based SQL Injection
16. Vulnerable Application
17. Testing for Time-Based SQL Injection
  1. Enumerating the DB User
  2. Guessing the Table Names
  3. Guessing the Columns
  4. Extracting Data from Columns
  5. Automating SQL Injections with Sqlmap
  6. Enumerating Databases
  7. Enumerating Tables
  8. Enumerating the Columns
  9. Extracting Data from the Columns
  10. HTTP Header–Based SQL Injection
  11. Operating System Takeover with Sqlmap
18. OS-CMD
19. OS-SHELL
20. OS-PWN
21. XSS (Cross-Site Scripting)
22. How to Identify XSS Vulnerability
23. Types of Cross-Site Scripting
24. Reflected/Nonpersistent XSS
  1. Vulnerable Code
25. Medium Security
  1. Vulnerable Code
26. High Security
  1. Bypassing htmlspecialchars
27. UTF-32 XSS Trick: Bypass 1
28. Svg Craziness: Bypass 2
29. Bypass 3: href Attribute
30. Stored XSS/Persistent XSS
31. Payloads
32. Blind XSS
33. DOM-Based XSS
  1. Detecting DOM-Based XSS
    1. Sources (Inputs)
    2. Sinks (Creating/Modifying HTML Elements)
  2. Static JS Analysis to Identify DOM-Based XSS
  3. How Does It Work?
  4. Setting Up JSPRIME
34. Dominator: Dynamic Taint Analysis
35. POC for Internet Explorer
36. POC for Chrome
37. Pros/Cons
38. Cross Browser DOM XSS Detection
39. Types of DOM-Based XSS
  1. Reflected DOM XSS
  2. Stored DOM XSS
  3. Exploiting XSS
  4. Cookie Stealing with XSS
  5. Exploiting XSS for Conducting Phishing Attacks
  6. Compromising Victim’s Browser with XSS
40. Exploiting XSS with BeEF
41. Setting Up BeEF on BackTrack
42. Demo Pages
  1. BeEF Modules
  2. BeEF in Action
43. Cross-Site Request Forgery (CSRF)
44. Why Does a CSRF Attack Work?
45. How to Attack
46. GET-Based CSRF
47. POST-Based CSRF
48. CSRF Protection Techniques
49. Referrer-Based Checking
50. Anti-CSRF Tokens
51. Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm
52. Tokens Not Validated upon Server
53. Analyzing Weak Anti-CSRF Token Strength
54. Bypassing CSRF with XSS
  1. File Upload Vulnerabilities
  2. Bypassing Client Side Restrictions
  3. Bypassing MIME-Type Validation
55. Real-World Example
  1. Bypassing Blacklist-Based Protections
  2. Case 1: Blocking Malicious Extensions
    1. Bypass
  3. Case 2: Case-Sensitive Bypass
    1. Bypass
56. Real-World Example
  1. Vulnerable Code
  2. Case 3: When All Dangerous Extensions Are Blocked
    1. XSS via File Upload
    2. Flash-Based XSS via File Upload
  3. Case 4: Double Extensions Vulnerabilities
    1. Apache Double Extension Issues
    2. IIS 6 Double Extension Issues
  4. Case 5: Using Trailing Dots
  5. Case 6: Null Byte Trick
  6. Case 7: Bypassing Image Validation
  7. Case 8: Overwriting Critical Files
57. Real-World Example
58. File Inclusion Vulnerabilities
59. Remote File Inclusion
60. Patching File Inclusions on the Server Side
  1. Local File Inclusion
  2. Linux
  3. Windows
  4. LFI Exploitation Using /proc/self/environ
  5. Log File Injection
  6. Finding Log Files: Other Tricks
  7. Exploiting LFI Using PHP Input
  8. Exploiting LFI Using File Uploads
  9. Read Source Code via LFI
  10. Local File Disclosure Vulnerability
    1. Vulnerable Code
  11. Local File Disclosure Tricks
  12. Remote Command Execution
  13. Uploading Shells
  14. Server Side Include Injection
61. Testing a Website for SSI Injection
62. Executing System Commands
63. Spawning a Shell
64. SSRF Attacks
65. Impact
  1. Example of a Vulnerable PHP Code
  2. Remote SSRF
    1. Simple SSRF
    2. Partial SSRF
66. Denial of Service
  1. Denial of Service Using External Entity Expansion (XEE)
  2. Full SSRF
  3. Causing the Crash
67. Overwriting Return Address
68. Generating Shellcode
69. Server Hacking
70. Apache Server
  1. Testing for Disabled Functions
  2. Open _ basedir Misconfiguration
  3. Using CURL to Bypass Open _ basedir Restrictions
  4. Open _ basedir PHP 5.2.9 Bypass
71. Reference
  1. Bypassing open _ basedir Using CGI Shell
  2. Bypassing open _ basedir Using Mod _ Perl, Mod _ Python
72. Escalating Privileges Using Local Root Exploits
73. Back Connecting
74. Finding the Local Root Exploit
75. Usage
76. Finding a Writable Directory
77. Bypassing Symlinks to Read Configuration Files
78. Who Is Affected?
79. Basic Syntax
  1. Why This Works
  2. Symlink Bypass: Example 1
  3. Finding the Username
  4. Uploading .htaccess to Follow Symlinks
  5. Symlinking the Configuration Files
80. Connecting to and Manipulating the Database
81. Updating the Password
  1. Symlink the Root Directory
  2. Example 3: Compromising WHMCS Server
82. Finding a WHMCS Server
83. Symlinking the Configuration File
  1. WHMCS Killer
  2. Disabling Security Mechanisms
  3. Disabling Mod _ Security
  4. Disabling Open _ basedir and Safe _ mode
  5. Using CGI, PERL, or Python Shell to Bypass Symlinks
84. Conclusion
Index

Product information

Title: Ethical Hacking and Penetration Testing Guide
Author(s): Rafay Baloch
Release date: September 2017
Publisher(s): Auerbach Publications
ISBN: 9781351381345

book

CEH v11 Certified Ethical Hacker Study Guide

by Ric Messier

As protecting information continues to be a growing concern for today’s businesses, certifications in IT security …

book

Ethical Hacking

by Daniel G. Graham

A crash course in modern hacking techniques, Ethical Hacking is already being used to prepare the …

book

Cyber Security and Network Security

by Sabyasachi Pramanik, Debabrata Samanta, M. Vinay, Abhijit Guha

CYBER SECUTIRY AND NETWORK SECURITY Written and edited by a team of experts in the field, …

book

Penetration Testing

by Georgia Weidman

In Penetration Testing, security researcher and trainer Georgia Weidman provides you with a survey of important …

Ethical Hacking and Penetration Testing Guide

Book description

Table of contents

Product information

You might also like

CEH v11 Certified Ethical Hacker Study Guide

Ethical Hacking

Cyber Security and Network Security

Penetration Testing

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly