Ethical Hacking and Penetration Testing Guide

Book Description

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools, including Backtrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn, Netcat, and Hacker Defender rootkit. Supplying a simple and clean explanation of how to effectively utilize these tools, it details a four-step methodology for conducting an effective penetration test or hack.

Providing an accessible introduction to penetration testing and hacking, the book supplies you with a fundamental understanding of offensive security. After completing the book you will be prepared to take on in-depth and advanced topics in hacking and penetration testing. The book walks you through each of the steps and tools in a structured, orderly manner allowing you to understand how the output from each tool can be fully utilized in the subsequent phases of the penetration test. This process will allow you to clearly see how the various tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but don't know where to start, this book will help take your hacking skills to the next level. The topics described in this book comply with international standards and with what is being taught in international certifications.

Table of Contents

  1. Cover
  2. Half Title
  3. Title
  4. Copyright
  5. Contents
  6. Preface
  7. Acknowledgments
  8. Author
  9. 1 Introduction to Hacking
    1. Important Terminologies
      1. Asset
      2. Vulnerability
      3. Threat
      4. Exploit
      5. Risk
      6. What Is a Penetration Test?
      7. Vulnerability Assessments versus Penetration Test
      8. Preengagement
      9. Rules of Engagement
      10. Milestones
      11. Penetration Testing Methodologies
      12. OSSTMM
      13. NIST
      14. OWASP
    2. Categories of Penetration Test
      1. Black Box
      2. White Box
      3. Gray Box
      4. Types of Penetration Tests
        1. Network Penetration Test
        2. Web Application Penetration Test
        3. Mobile Application Penetration Test
        4. Social Engineering Penetration Test
        5. Physical Penetration Test
      5. Report Writing
      6. Understanding the Audience
        1. Executive Class
        2. Management Class
        3. Technical Class
    3. Writing Reports
    4. Structure of a Penetration Testing Report
      1. Cover Page
      2. Table of Contents
      3. Executive Summary
      4. Remediation Report
    5. Vulnerability Assessment Summary
      1. Tabular Summary
    6. Risk Assessment
      1. Risk Assessment Matrix
    7. Methodology
      1. Detailed Findings
        1. Description
        2. Explanation
        3. Risk
        4. Recommendation
      2. Reports
    8. Conclusion
  10. 2 Linux Basics
    1. Major Linux Operating Systems
    2. File Structure inside of Linux
      1. File Permission in Linux
        1. Group Permission
        2. Linux Advance/Special Permission
        3. Link Permission
        4. Suid & Guid Permission
        5. Stickybit Permission
        6. Chatter Permission
    3. Most Common and Important Commands
    4. Linux Scheduler (Cron Job)
      1. Cron Permission
        1. Cron Permission
        2. Cron Files
    5. Users inside of Linux
      1. Linux Services
      2. Linux Password Storage
      3. Linux Logging
    6. Common Applications of Linux
    7. What Is BackTrack?
      1. How to Get BackTrack 5 Running
      2. Installing BackTrack on Virtual Box
      3. Installing BackTrack on a Portable USB
      4. Installing BackTrack on Your Hard Drive
      5. BackTrack Basics
    8. Changing the Default Screen Resolution
      1. Some Unforgettable Basics
        1. Changing the Password
        2. Clearing the Screen
        3. Listing the Contents of a Directory
        4. Displaying Contents of a Specific Directory
        5. Displaying the Contents of a File
        6. Creating a Directory
        7. Changing the Directories
        8. Windows
        9. Linux
        10. Creating a Text File
        11. Copying a File
        12. Current Working Directory
        13. Renaming a File
        14. Moving a File
        15. Removing a File
      2. Locating Certain Files inside BackTrack
    9. Text Editors inside BackTrack
    10. Getting to Know Your Network
      1. Dhclient
    11. Services
      1. MySQL
      2. SSHD
      3. Postgresql
    12. Other Online Resources
  11. 3 Information Gathering Techniques
    1. Active Information Gathering
    2. Passive Information Gathering
    3. Sources of Information Gathering
    4. Copying Websites Locally
      1. Information Gathering with Whois
      2. Finding Other Websites Hosted on the Same Server
    5. Yougetsignal.com
      1. Tracing the Location
      2. Traceroute
      3. ICMP Traceroute
      4. TCP Traceroute
        1. Usage
      5. UDP Traceroute
        1. Usage
    6. NeoTrace
    7. Cheops-ng
      1. Enumerating and Fingerprinting the Webservers
    8. Intercepting a Response
      1. Acunetix Vulnerability Scanner
    9. WhatWeb
    10. Netcraft
      1. Google Hacking
    11. Some Basic Parameters
      1. Site
    12. Example
    13. TIP regarding Filetype
      1. Google Hacking Database
    14. Hackersforcharity.org/ghdb
    15. Xcode Exploit Scanner
      1. File Analysis
      2. Foca
      3. Harvesting E-Mail Lists
      4. Gathering Wordlist from a Target Website
      5. Scanning for Subdomains
      6. TheHarvester
      7. Fierce in BackTrack
      8. Scanning for SSL Version
      9. DNS Enumeration
    16. Interacting with DNS Servers
    17. Nslookup
    18. DIG
      1. Forward DNS Lookup
    19. Forward DNS Lookup with Fierce
      1. Reverse DNS
      2. Reverse DNS Lookup with Dig
    20. Reverse DNS Lookup with Fierce
      1. Zone Transfers
    21. Zone Transfer with Host Command
    22. Automating Zone Transfers
      1. DNS Cache Snooping
    23. What Is DNS Cache Snooping?
      1. Nonrecursive Method
      2. Recursive Method
    24. What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?
    25. Attack Scenario
    26. Automating DNS Cache Snooping Attacks
      1. Enumerating SNMP
    27. Problem with SNMP
    28. Sniffing SNMP Passwords
    29. OneSixtyOne
    30. Snmpenum
    31. SolarWinds Toolset
    32. SNMP Sweep
    33. SNMP Brute Force and Dictionary
    34. SNMP Brute Force Tool
    35. SNMP Dictionary Attack Tool
    36. SMTP Enumeration
      1. Detecting Load Balancers
      2. Load Balancer Detector
      3. Determining Real IP behind Load Balancers
      4. Bypassing CloudFlare Protection
        1. Method 1: Resolvers
        2. Method 2: Subdomain Trick
        3. Method 3: Mail Servers
    37. Intelligence Gathering Using Shodan
    38. Further Reading
    39. Conclusion
  12. 4 Target Enumeration and Port Scanning Techniques
    1. Host Discovery
    2. Scanning for Open Ports and Services
    3. Types of Port Scanning
    4. Understanding the TCP Three-Way Handshake
    5. TCP Flags
    6. Port Status Types
    7. TCP SYN Scan
    8. TCP Connect Scan
    9. NULL, FIN, and XMAS Scans
    10. NULL Scan
    11. FIN Scan
    12. XMAS Scan
    13. TCP ACK Scan
    14. Responses
    15. UDP Port Scan
    16. Anonymous Scan Types
    17. IDLE Scan
    18. Scanning for a Vulnerable Host
    19. Performing an IDLE Scan with NMAP
    20. TCP FTP Bounce Scan
    21. Service Version Detection
    22. OS Fingerprinting
    23. POF
    24. Output
      1. Normal Format
      2. Grepable Format
      3. XML Format
    25. Advanced Firewall/IDS Evading Techniques
    26. Timing Technique
    27. Wireshark Output
    28. Fragmented Packets
    29. Wireshark Output
    30. Source Port Scan
    31. Specifying an MTU
    32. Sending Bad Checksums
    33. Decoys
    34. ZENMAP
    35. Further Reading
  13. 5 Vulnerability Assessment
    1. What Are Vulnerability Scanners and How Do They Work?
    2. Pros and Cons of a Vulnerability Scanner
    3. Vulnerability Assessment with Nmap
    4. Updating the Database
    5. Scanning MS08_067_netapi
    6. Testing SCADA Environments with Nmap
      1. Installation
      2. Usage
    7. Nessus Vulnerability Scanner
      1. Home Feed
      2. Professional Feed
    8. Installing Nessus on BackTrack
    9. Adding a User
      1. Nessus Control Panel
        1. Reports
        2. Mobile
        3. Scan
        4. Policies
        5. Users
        6. Configuration
      2. Default Policies
    10. Creating a New Policy
    11. Safe Checks
    12. Silent Dependencies
      1. Avoid Sequential Scans
    13. Port Range
      1. Credentials
      2. Plug-Ins
    14. Preferences
      1. Scanning the Target
    15. Nessus Integration with Metasploit
    16. Importing Nessus to Metasploit
      1. Scanning the Target
      2. Reporting
      3. OpenVas
    17. Resource
      1. Vulnerability Data Resources
      2. Exploit Databases
    18. Using Exploit-db with BackTrack
    19. Searching for Exploits inside BackTrack
    20. Conclusion
  14. 6 Network Sniffing
    1. Introduction
    2. Types of Sniffing
      1. Active Sniffing
      2. Passive Sniffing
    3. Hubs versus Switches
    4. Promiscuous versus Nonpromiscuous Mode
    5. MITM Attacks
    6. ARP Protocol Basics
    7. How ARP Works
    8. ARP Attacks
      1. MAC Flooding
        1. Macof
      2. ARP Poisoning
    9. Scenario—How It Works
    10. Denial of Service Attacks
    11. Tools of the Trade
      1. Dsniff
    12. Using ARP Spoof to Perform MITM Attacks
      1. Usage
    13. Sniffing the Traffic with Dsniff
    14. Sniffing Pictures with Drifnet
    15. Urlsnarf and Webspy
    16. Sniffing with Wireshark
    17. Ettercap
    18. ARP Poisoning with Ettercap
    19. Hijacking Session with MITM Attack
    20. Attack Scenario
    21. ARP Poisoning with Cain and Abel
    22. Sniffing Session Cookies with Wireshark
    23. Hijacking the Session
    24. SSL Strip: Stripping HTTPS Traffic
    25. Requirements
      1. Usage
    26. Automating Man in the Middle Attacks
      1. Usage
    27. DNS Spoofing
      1. ARP Spoofing Attack
      2. Manipulating the DNS Records
      3. Using Ettercap to Launch DNS Spoofing Attack
    28. DHCP Spoofing
    29. Conclusion
  15. 7 Remote Exploitation
    1. Understanding Network Protocols
      1. Transmission Control Protocol
      2. User Datagram Protocol
      3. Internet Control Messaging Protocol
    2. Server Protocols
      1. Text-Based Protocols (Important)
      2. Binary Protocols
        1. FTP
        2. SMTP
        3. HTTP
    3. Further Reading
    4. Resources
    5. Attacking Network Remote Services
      1. Overview of Brute Force Attacks
        1. Traditional Brute Force
        2. Dictionary Attacks
        3. Hybrid Attacks
    6. Common Target Protocols
    7. Tools of the Trade
      1. THC Hydra
    8. Basic Syntax for Hydra
      1. Cracking Services with Hydra
    9. Hydra GUI
      1. Medusa
    10. Basic Syntax
    11. OpenSSH Username Discovery Bug
    12. Cracking SSH with Medusa
      1. Ncrack
    13. Basic Syntax
    14. Cracking an RDP with Ncrack
      1. Case Study of a Morto Worm
    15. Combining Nmap and Ncrack for Optimal Results
      1. Attacking SMTP
    16. Important Commands
    17. Real-Life Example
    18. Attacking SQL Servers
      1. MySQL Servers
    19. Fingerprinting MySQL Version
    20. Testing for Weak Authentication
    21. MS SQL Servers
    22. Fingerprinting the Version
    23. Brute Forcing SA Account
    24. Using Null Passwords
    25. Introduction to Metasploit
    26. History of Metasploit
    27. Metasploit Interfaces
    28. MSFConsole
      1. MSFcli
      2. MSFGUI
      3. Armitage
    29. Metasploit Utilities
    30. MSFPayload
    31. MSFEncode
    32. MSFVenom
    33. Metasploit Basic Commands
    34. Search Feature in Metasploit
    35. Use Command
    36. Info Command
    37. Show Options
    38. Set/Unset Command
    39. Reconnaissance with Metasploit
    40. Port Scanning with Metasploit
    41. Metasploit Databases
    42. Storing Information from Nmap into Metasploit Database
    43. Useful Scans with Metasploit
      1. Port Scanners
      2. Specific Scanners
    44. Compromising a Windows Host with Metasploit
    45. Metasploit Autopwn
    46. db_autopwn in Action
    47. Nessus and Autopwn
      1. Armitage
    48. Interface
    49. Launching Armitage
    50. Compromising Your First Target from Armitage
    51. Enumerating and Fingerprinting the Target
    52. MSF Scans
    53. Importing Hosts
    54. Vulnerability Assessment
    55. Exploitation
    56. Check Feature
    57. Hail Mary
    58. Conclusion
    59. References
  16. 8 Client Side Exploitation
    1. Client Side Exploitation Methods
      1. Attack Scenario 1: E-Mails Leading to Malicious Attachments
      2. Attack Scenario 2: E-Mails Leading to Malicious Links
      3. Attack Scenario 3: Compromising Client Side Update
      4. Attack Scenario 4: Malware Loaded on USB Sticks
      5. E-Mails with Malicious Attachments
        1. Creating a Custom Executable
        2. Creating a Backdoor with SET
        3. PDF Hacking
    2. Introduction
      1. Header
      2. Body
      3. Cross Reference Table
      4. Trailer
    3. PDF Launch Action
    4. Creating a PDF Document with a Launch Action
      1. Controlling the Dialog Boxes
      2. PDF Reconnaissance
    5. Tools of the Trade
      1. PDFINFO
        1. PDFINFO “Your PDF Document”
      2. PDFTK
    6. Origami Framework
    7. Installing Origami Framework on BackTrack
    8. Attacking with PDF
      1. Fileformat Exploits
      2. Browser Exploits
    9. Scenario from Real World
    10. Adobe PDF Embedded EXE
    11. Social Engineering Toolkit
      1. Attack Scenario 2: E-Mails Leading to Malicious Links
    12. Credential Harvester Attack
    13. Tabnabbing Attack
    14. Other Attack Vectors
    15. Browser Exploitation
    16. Attacking over the Internet with SET
    17. Attack Scenario over the Internet
    18. Using Windows Box as Router (Port Forwarding)
      1. Browser AutoPWN
    19. Why Use Browser AutoPWN?
    20. Problem with Browser AutoPWN
    21. VPS/Dedicated Server
      1. Attack Scenario 3: Compromising Client Side Update
    22. How Evilgrade Works
    23. Prerequisites
      1. Attack Vectors
      2. Internal Network Attack Vectors
      3. External Network Attack Vectors
      4. Evilgrade Console
      5. Attack Scenario
      6. Attack Scenario 4: Malware Loaded on USB Sticks
    24. Teensy USB
    25. Conclusion
    26. Further Reading
  17. 9 Postexploitation
    1. Acquiring Situation Awareness
      1. Enumerating a Windows Machine
      2. Enumerating Local Groups and Users
      3. Enumerating a Linux Machine
      4. Enumerating with Meterpreter
        1. Identifying Processes
        2. Interacting with the System
        3. User Interface Command
    2. Privilege Escalation
      1. Maintaining Stability
    3. Escalating Privileges
      1. Bypassing User Access Control
      2. Impersonating the Token
      3. Escalating Privileges on a Linux Machine
    4. Maintaining Access
    5. Installing a Backdoor
    6. Cracking the Hashes to Gain Access to Other Services
    7. Backdoors
      1. Disabling the Firewall
      2. Killing the Antivirus
      3. Netcat
    8. MSFPayload/MSFEncode
      1. Generating a Backdoor with MSFPayload
      2. MSFEncode
    9. MSFVenom
      1. Persistence
      2. What Is a Hash?
      3. Hashing Algorithms
      4. Windows Hashing Methods
      5. LAN Manager (LM)
      6. NTLM/NTLM2
      7. Kerberos
      8. Where Are LM/NTLM Hashes Located?
    10. Dumping the Hashes
      1. Scenario 1—Remote Access
      2. Scenario 2—Local Access
      3. Ophcrack
    11. References
      1. Scenario 3—Offline System
      2. Ophcrack LiveCD
      3. Bypassing the Log-In
    12. References
    13. Cracking the Hashes
      1. Bruteforce
      2. Dictionary Attacks
      3. Password Salts
      4. Rainbow Tables
    14. John the Ripper
      1. Cracking LM/NTLM Passwords with JTR
      2. Cracking Linux Passwords with JTR
    15. Rainbow Crack
      1. Sorting the Tables
      2. Cracking the Hashes with rcrack
      3. Speeding Up the Cracking Process
      4. Gaining Access to Remote Services
      5. Enabling the Remote Desktop
      6. Adding Users to the Remote Desktop
    16. Data Mining
      1. Gathering OS Information
      2. Harvesting Stored Credentials
    17. Identifying and Exploiting Further Targets
      1. Mapping the Internal Network
      2. Finding Network Information
      3. Identifying Further Targets
      4. Pivoting
      5. Scanning Ports and Services and Detecting OS
      6. Compromising Other Hosts on the Network Having the Same Password
    18. psexec
      1. Exploiting Targets
    19. Conclusion
  18. 10 Windows Exploit Development Basics
    1. Prerequisites
    2. What Is a Buffer Overflow?
    3. Vulnerable Application
    4. How to Find Buffer Overflows
    5. Methodology
    6. Getting the Software Up and Running
    7. Causing the Application to Crash
    8. Skeleton Exploit
      1. Determining the Offset
      2. Identifying Bad Characters
    9. Figuring Out Bad Characters with Mona
      1. Overwriting the Return Address
      2. NOP Sledges
      3. Generating the ShellCode
    10. Generating Metasploit Module
    11. Porting to Metasploit
    12. Conclusion
    13. Further Resources
  19. 11 Wireless Hacking
    1. Introduction
    2. Requirements
    3. Introducing Aircrack-ng
    4. Uncovering Hidden SSIDs
    5. Turning on the Monitor Mode
    6. Monitoring Beacon Frames on Wireshark
    7. Monitoring with Airodump-ng
    8. Speeding Up the Process
      1. Bypassing MAC Filters on Wireless Networks
      2. Cracking a WEP Wireless Network with Aircrack-ng
    9. Placing Your Wireless Adapter in Monitor Mode
    10. Determining the Target with Airodump-ng
      1. Attacking the Target
      2. Speeding Up the Cracking Process
      3. Injecting ARP Packets
      4. Cracking the WEP
    11. Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng
    12. Capturing Packets
    13. Capturing the Four-Way Handshake
    14. Cracking WPA/WAP2
      1. Using Reaver to Crack WPS-Enabled Wireless Networks
    15. Reducing the Delay
    16. Further Reading
      1. Setting Up a Fake Access Point with SET to PWN Users
    17. Attack Scenario
      1. Evil Twin Attack
    18. Scanning the Neighbors
    19. Spoofing the MAC
    20. Setting Up a Fake Access Point
    21. Causing Denial of Service on the Original AP
    22. Conclusion
  20. 12 Web Hacking
    1. Attacking the Authentication
      1. Username Enumeration
      2. Invalid Username with Invalid Password
      3. Valid Username with Invalid Password
      4. Enabling Browser Cache to Store Passwords
    2. Brute Force and Dictionary Attacks
    3. Types of Authentication
      1. HTTP Basic Authentication
      2. HTTP-Digest Authentication
      3. Form-Based Authentication
      4. Exploiting Password Reset Feature
    4. Etsy.com Password Reset Vulnerability
      1. Attacking Form-Based Authentication
    5. Brute Force Attack
      1. Attacking HTTP Basic Auth
    6. Further Reading
      1. Log-In Protection Mechanisms
      2. CAPTCHA Validation Flaw
      3. CAPTCHA Reset Flaw
      4. Manipulating User-Agents to Bypass CAPTCHA and Other Protections
      5. Real-World Example
      6. Authentication Bypass Attacks
      7. Authentication Bypass Using SQL Injection
      8. Testing for SQL Injection Auth Bypass
      9. Authentication Bypass Using XPATH Injection
        1. Testing for XPATH Injection
      10. Authentication Bypass Using Response Tampering
    7. Crawling Restricted Links
    8. Testing for the Vulnerability
      1. Automating It with Burp Suite
    9. Authentication Bypass with Insecure Cookie Handling
      1. Session Attacks
      2. Guessing Weak Session ID
      3. Session Fixation Attacks
    10. Requirements for This Attack
    11. How the Attack Works
      1. SQL Injection Attacks
      2. What Is an SQL Injection?
      3. Types of SQL Injection
        1. Union-Based SQL Injection
        2. Error-Based SQL Injection
        3. Blind SQL Injection
      4. Detecting SQL Injection
      5. Determining the Injection Type
      6. Union-Based SQL Injection (MySQL)
    12. Testing for SQL Injection
      1. Determining the Number of Columns
      2. Determining the Vulnerable Columns
      3. Fingerprinting the Database
      4. Enumeration Information
      5. Information_schema
      6. Information_schema Tables
      7. Enumerating All Available Databases
      8. Enumerating All Available Tables in the Database
      9. Extracting Columns from Tables
      10. Extracting Data from Columns
      11. Using group_concat
      12. MySQL Version ≤ 5
    13. Guessing Table Names
      1. Guessing Columns
      2. SQL Injection to Remote Command Execution
    14. Reading Files
    15. Writing Files
      1. Blind SQL Injection
        1. Boolean-Based SQLi
      2. True Statement
      3. False Statement
      4. Enumerating the DB User
      5. Enumerating the MYSQL Version
      6. Guessing Tables
      7. Guessing Columns in the Table
      8. Extracting Data from Columns
      9. Time-Based SQL Injection
    16. Vulnerable Application
    17. Testing for Time-Based SQL Injection
      1. Enumerating the DB User
      2. Guessing the Table Names
      3. Guessing the Columns
      4. Extracting Data from Columns
      5. Automating SQL Injections with Sqlmap
      6. Enumerating Databases
      7. Enumerating Tables
      8. Enumerating the Columns
      9. Extracting Data from the Columns
      10. HTTP Header–Based SQL Injection
      11. Operating System Takeover with Sqlmap
    18. OS-CMD
    19. OS-SHELL
    20. OS-PWN
    21. XSS (Cross-Site Scripting)
    22. How to Identify XSS Vulnerability
    23. Types of Cross-Site Scripting
    24. Reflected/Nonpersistent XSS
      1. Vulnerable Code
    25. Medium Security
      1. Vulnerable Code
    26. High Security
      1. Bypassing htmlspecialchars
    27. UTF-32 XSS Trick: Bypass 1
    28. Svg Craziness: Bypass 2
    29. Bypass 3: href Attribute
    30. Stored XSS/Persistent XSS
    31. Payloads
    32. Blind XSS
    33. DOM-Based XSS
      1. Detecting DOM-Based XSS
        1. Sources (Inputs)
        2. Sinks (Creating/Modifying HTML Elements)
      2. Static JS Analysis to Identify DOM-Based XSS
      3. How Does It Work?
      4. Setting Up JSPRIME
    34. Dominator: Dynamic Taint Analysis
    35. POC for Internet Explorer
    36. POC for Chrome
    37. Pros/Cons
    38. Cross Browser DOM XSS Detection
    39. Types of DOM-Based XSS
      1. Reflected DOM XSS
      2. Stored DOM XSS
      3. Exploiting XSS
      4. Cookie Stealing with XSS
      5. Exploiting XSS for Conducting Phishing Attacks
      6. Compromising Victim’s Browser with XSS
    40. Exploiting XSS with BeEF
    41. Setting Up BeEF on BackTrack
    42. Demo Pages
      1. BeEF Modules
        1. Module: Replace HREFs
        2. Module: Getcookie
        3. Module: Tabnabbing
      2. BeEF in Action
    43. Cross-Site Request Forgery (CSRF)
    44. Why Does a CSRF Attack Work?
    45. How to Attack
    46. GET-Based CSRF
    47. POST-Based CSRF
    48. CSRF Protection Techniques
    49. Referrer-Based Checking
    50. Anti-CSRF Tokens
    51. Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm
    52. Tokens Not Validated upon Server
    53. Analyzing Weak Anti-CSRF Token Strength
    54. Bypassing CSRF with XSS
      1. File Upload Vulnerabilities
      2. Bypassing Client Side Restrictions
      3. Bypassing MIME-Type Validation
    55. Real-World Example
      1. Bypassing Blacklist-Based Protections
      2. Case 1: Blocking Malicious Extensions
        1. Bypass
      3. Case 2: Case-Sensitive Bypass
        1. Bypass
    56. Real-World Example
      1. Vulnerable Code
      2. Case 3: When All Dangerous Extensions Are Blocked
        1. XSS via File Upload
        2. Flash-Based XSS via File Upload
      3. Case 4: Double Extensions Vulnerabilities
        1. Apache Double Extension Issues
        2. IIS 6 Double Extension Issues
      4. Case 5: Using Trailing Dots
      5. Case 6: Null Byte Trick
      6. Case 7: Bypassing Image Validation
      7. Case 8: Overwriting Critical Files
    57. Real-World Example
    58. File Inclusion Vulnerabilities
    59. Remote File Inclusion
    60. Patching File Inclusions on the Server Side
      1. Local File Inclusion
      2. Linux
      3. Windows
      4. LFI Exploitation Using /proc/self/environ
      5. Log File Injection
      6. Finding Log Files: Other Tricks
      7. Exploiting LFI Using PHP Input
      8. Exploiting LFI Using File Uploads
      9. Read Source Code via LFI
      10. Local File Disclosure Vulnerability
        1. Vulnerable Code
      11. Local File Disclosure Tricks
      12. Remote Command Execution
      13. Uploading Shells
      14. Server Side Include Injection
    61. Testing a Website for SSI Injection
    62. Executing System Commands
    63. Spawning a Shell
    64. SSRF Attacks
    65. Impact
      1. Example of a Vulnerable PHP Code
      2. Remote SSRF
        1. Simple SSRF
        2. Partial SSRF
    66. Denial of Service
      1. Denial of Service Using External Entity Expansion (XEE)
      2. Full SSRF
        1. dict://
        2. gopher://
        3. http://
      3. Causing the Crash
    67. Overwriting Return Address
    68. Generating Shellcode
    69. Server Hacking
    70. Apache Server
      1. Testing for Disabled Functions
      2. Open_basedir Misconfiguration
      3. Using CURL to Bypass Open_basedir Restrictions
      4. Open_basedir PHP 5.2.9 Bypass
    71. Reference
      1. Bypassing open_basedir Using CGI Shell
      2. Bypassing open_basedir Using Mod_Perl, Mod_Python
    72. Escalating Privileges Using Local Root Exploits
    73. Back Connecting
    74. Finding the Local Root Exploit
    75. Usage
    76. Finding a Writable Directory
    77. Bypassing Symlinks to Read Configuration Files
    78. Who Is Affected?
    79. Basic Syntax
      1. Why This Works
      2. Symlink Bypass: Example 1
      3. Finding the Username
        1. /etc/passwd File
        2. /etc/valiases File
        3. Path Disclosure
      4. Uploading .htaccess to Follow Symlinks
      5. Symlinking the Configuration Files
    80. Connecting to and Manipulating the Database
    81. Updating the Password
      1. Symlink the Root Directory
      2. Example 3: Compromising WHMCS Server
    82. Finding a WHMCS Server
    83. Symlinking the Configuration File
      1. WHMCS Killer
      2. Disabling Security Mechanisms
      3. Disabling Mod_Security
      4. Disabling Open_basedir and Safe_mode
      5. Using CGI, PERL, or Python Shell to Bypass Symlinks
    84. Conclusion
  21. Index