Book description
Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools, including BackTrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn, Netcat, and Hacker Defender rootkit. Supplying a simple and clean explanation of how to effectively utilize these tools, it details a four-step methodology for conducting an effective penetration test or hack. Providing an accessible introduction to penetration testing and hacking, the book supplies you with a fundamental understanding of offensive security. After completing the book you will be prepared to take on in-depth and advanced topics in hacking and penetration testing. The book walks you through each of the steps and tools in a structured, orderly manner, allowing you to understand how the output from each tool can be fully utilized in the subsequent phases of the penetration test. This process will allow you to clearly see how the various tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but don't know where to start, this book will help take your hacking skills to the next level. The topics described in this book comply with international standards and with what is being taught in international certifications.
Table of contents
- Cover
- Half Title
- Title
- Copyright
- Contents
- Preface
- Acknowledgments
- Author
- 1 Introduction to Hacking
- 2 Linux Basics
- Major Linux Operating Systems
- File Structure inside of Linux
- Most Common and Important Commands
- Linux Scheduler (Cron Job)
- Users inside of Linux
- Common Applications of Linux
- What Is BackTrack?
- Changing the Default Screen Resolution
- Some Unforgettable Basics
- Changing the Password
- Clearing the Screen
- Listing the Contents of a Directory
- Displaying Contents of a Specific Directory
- Displaying the Contents of a File
- Creating a Directory
- Changing the Directories
- Windows
- Linux
- Creating a Text File
- Copying a File
- Current Working Directory
- Renaming a File
- Moving a File
- Removing a File
- Locating Certain Files inside BackTrack
- Some Unforgettable Basics
- Text Editors inside BackTrack
- Getting to Know Your Network
- Services
- Other Online Resources
- 3 Information Gathering Techniques
- Active Information Gathering
- Passive Information Gathering
- Sources of Information Gathering
- Copying Websites Locally
- Yougetsignal.com
- NeoTrace
- Cheops-ng
- Intercepting a Response
- WhatWeb
- Netcraft
- Some Basic Parameters
- Example
- TIP regarding Filetype
- Hackersforcharity.org/ghdb
- Xcode Exploit Scanner
- Interacting with DNS Servers
- Nslookup
- DIG
- Forward DNS Lookup with Fierce
- Reverse DNS Lookup with Fierce
- Zone Transfer with Host Command
- Automating Zone Transfers
- What Is DNS Cache Snooping?
- What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?
- Attack Scenario
- Automating DNS Cache Snooping Attacks
- Problem with SNMP
- Sniffing SNMP Passwords
- OneSixtyOne
- Snmpenum
- SolarWinds Toolset
- SNMP Sweep
- SNMP Brute Force and Dictionary
- SNMP Brute Force Tool
- SNMP Dictionary Attack Tool
- SMTP Enumeration
- Intelligence Gathering Using Shodan
- Further Reading
- Conclusion
- 4 Target Enumeration and Port Scanning Techniques
- Host Discovery
- Scanning for Open Ports and Services
- Types of Port Scanning
- Understanding the TCP Three-Way Handshake
- TCP Flags
- Port Status Types
- TCP SYN Scan
- TCP Connect Scan
- NULL, FIN, and XMAS Scans
- NULL Scan
- FIN Scan
- XMAS Scan
- TCP ACK Scan
- Responses
- UDP Port Scan
- Anonymous Scan Types
- IDLE Scan
- Scanning for a Vulnerable Host
- Performing an IDLE Scan with NMAP
- TCP FTP Bounce Scan
- Service Version Detection
- OS Fingerprinting
- POF
- Output
- Advanced Firewall/IDS Evading Techniques
- Timing Technique
- Wireshark Output
- Fragmented Packets
- Wireshark Output
- Source Port Scan
- Specifying an MTU
- Sending Bad Checksums
- Decoys
- ZENMAP
- Further Reading
- 5 Vulnerability Assessment
- What Are Vulnerability Scanners and How Do They Work?
- Pros and Cons of a Vulnerability Scanner
- Vulnerability Assessment with Nmap
- Updating the Database
- Scanning MS08_067_netapi
- Testing SCADA Environments with Nmap
- Nessus Vulnerability Scanner
- Installing Nessus on BackTrack
- Adding a User
- Creating a New Policy
- Safe Checks
- Silent Dependencies
- Port Range
- Preferences
- Nessus Integration with Metasploit
- Importing Nessus to Metasploit
- Resource
- Using Exploit-db with BackTrack
- Searching for Exploits inside BackTrack
- Conclusion
- 6 Network Sniffing
- Introduction
- Types of Sniffing
- Hubs versus Switches
- Promiscuous versus Nonpromiscuous Mode
- MITM Attacks
- ARP Protocol Basics
- How ARP Works
- ARP Attacks
- Scenario—How It Works
- Denial of Service Attacks
- Tools of the Trade
- Using ARP Spoof to Perform MITM Attacks
- Sniffing the Traffic with Dsniff
- Sniffing Pictures with Driftnet
- Urlsnarf and Webspy
- Sniffing with Wireshark
- Ettercap
- ARP Poisoning with Ettercap
- Hijacking Session with MITM Attack
- Attack Scenario
- ARP Poisoning with Cain and Abel
- Sniffing Session Cookies with Wireshark
- Hijacking the Session
- SSL Strip: Stripping HTTPS Traffic
- Requirements
- Automating Man in the Middle Attacks
- DNS Spoofing
- DHCP Spoofing
- Conclusion
- 7 Remote Exploitation
- Understanding Network Protocols
- Server Protocols
- Further Reading
- Resources
- Attacking Network Remote Services
- Common Target Protocols
- Tools of the Trade
- Basic Syntax for Hydra
- Hydra GUI
- Basic Syntax
- OpenSSH Username Discovery Bug
- Cracking SSH with Medusa
- Basic Syntax
- Cracking an RDP with Ncrack
- Combining Nmap and Ncrack for Optimal Results
- Important Commands
- Real-Life Example
- Attacking SQL Servers
- Fingerprinting MySQL Version
- Testing for Weak Authentication
- MS SQL Servers
- Fingerprinting the Version
- Brute Forcing SA Account
- Using Null Passwords
- Introduction to Metasploit
- History of Metasploit
- Metasploit Interfaces
- MSFConsole
- Metasploit Utilities
- MSFPayload
- MSFEncode
- MSFVenom
- Metasploit Basic Commands
- Search Feature in Metasploit
- Use Command
- Info Command
- Show Options
- Set/Unset Command
- Reconnaissance with Metasploit
- Port Scanning with Metasploit
- Metasploit Databases
- Storing Information from Nmap into Metasploit Database
- Useful Scans with Metasploit
- Compromising a Windows Host with Metasploit
- Metasploit Autopwn
- db_autopwn in Action
- Nessus and Autopwn
- Interface
- Launching Armitage
- Compromising Your First Target from Armitage
- Enumerating and Fingerprinting the Target
- MSF Scans
- Importing Hosts
- Vulnerability Assessment
- Exploitation
- Check Feature
- Hail Mary
- Conclusion
- References
- 8 Client Side Exploitation
- Client Side Exploitation Methods
- Introduction
- PDF Launch Action
- Creating a PDF Document with a Launch Action
- Tools of the Trade
- Origami Framework
- Installing Origami Framework on BackTrack
- Attacking with PDF
- Scenario from Real World
- Adobe PDF Embedded EXE
- Social Engineering Toolkit
- Credential Harvester Attack
- Tabnabbing Attack
- Other Attack Vectors
- Browser Exploitation
- Attacking over the Internet with SET
- Attack Scenario over the Internet
- Using Windows Box as Router (Port Forwarding)
- Why Use Browser AutoPWN?
- Problem with Browser AutoPWN
- VPS/Dedicated Server
- How Evilgrade Works
- Prerequisites
- Teensy USB
- Conclusion
- Further Reading
- 9 Postexploitation
- Acquiring Situation Awareness
- Privilege Escalation
- Escalating Privileges
- Maintaining Access
- Installing a Backdoor
- Cracking the Hashes to Gain Access to Other Services
- Backdoors
- MSFPayload/MSFEncode
- MSFVenom
- Dumping the Hashes
- References
- References
- Cracking the Hashes
- John the Ripper
- Rainbow Crack
- Data Mining
- Identifying and Exploiting Further Targets
- psexec
- Conclusion
- 10 Windows Exploit Development Basics
- Prerequisites
- What Is a Buffer Overflow?
- Vulnerable Application
- How to Find Buffer Overflows
- Methodology
- Getting the Software Up and Running
- Causing the Application to Crash
- Skeleton Exploit
- Figuring Out Bad Characters with Mona
- Generating Metasploit Module
- Porting to Metasploit
- Conclusion
- Further Resources
- 11 Wireless Hacking
- Introduction
- Requirements
- Introducing Aircrack-ng
- Uncovering Hidden SSIDs
- Turning on the Monitor Mode
- Monitoring Beacon Frames on Wireshark
- Monitoring with Airodump-ng
- Speeding Up the Process
- Placing Your Wireless Adapter in Monitor Mode
- Determining the Target with Airodump-ng
- Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng
- Capturing Packets
- Capturing the Four-Way Handshake
- Cracking WPA/WPA2
- Reducing the Delay
- Further Reading
- Attack Scenario
- Scanning the Neighbors
- Spoofing the MAC
- Setting Up a Fake Access Point
- Causing Denial of Service on the Original AP
- Conclusion
- 12 Web Hacking
- Attacking the Authentication
- Brute Force and Dictionary Attacks
- Types of Authentication
- Etsy.com Password Reset Vulnerability
- Brute Force Attack
- Further Reading
- Log-In Protection Mechanisms
- CAPTCHA Validation Flaw
- CAPTCHA Reset Flaw
- Manipulating User-Agents to Bypass CAPTCHA and Other Protections
- Real-World Example
- Authentication Bypass Attacks
- Authentication Bypass Using SQL Injection
- Testing for SQL Injection Auth Bypass
- Authentication Bypass Using XPATH Injection
- Authentication Bypass Using Response Tampering
- Crawling Restricted Links
- Testing for the Vulnerability
- Authentication Bypass with Insecure Cookie Handling
- Requirements for This Attack
- How the Attack Works
- Testing for SQL Injection
- Determining the Number of Columns
- Determining the Vulnerable Columns
- Fingerprinting the Database
- Enumeration Information
- Information_schema
- Information_schema Tables
- Enumerating All Available Databases
- Enumerating All Available Tables in the Database
- Extracting Columns from Tables
- Extracting Data from Columns
- Using group_concat
- MySQL Version ≤ 5
- Guessing Table Names
- Reading Files
- Writing Files
- Vulnerable Application
- Testing for Time-Based SQL Injection
- Enumerating the DB User
- Guessing the Table Names
- Guessing the Columns
- Extracting Data from Columns
- Automating SQL Injections with Sqlmap
- Enumerating Databases
- Enumerating Tables
- Enumerating the Columns
- Extracting Data from the Columns
- HTTP Header–Based SQL Injection
- Operating System Takeover with Sqlmap
- OS-CMD
- OS-SHELL
- OS-PWN
- XSS (Cross-Site Scripting)
- How to Identify XSS Vulnerability
- Types of Cross-Site Scripting
- Reflected/Nonpersistent XSS
- Medium Security
- High Security
- UTF-32 XSS Trick: Bypass 1
- Svg Craziness: Bypass 2
- Bypass 3: href Attribute
- Stored XSS/Persistent XSS
- Payloads
- Blind XSS
- DOM-Based XSS
- Dominator: Dynamic Taint Analysis
- POC for Internet Explorer
- POC for Chrome
- Pros/Cons
- Cross Browser DOM XSS Detection
- Types of DOM-Based XSS
- Exploiting XSS with BeEF
- Setting Up BeEF on BackTrack
- Demo Pages
- Cross-Site Request Forgery (CSRF)
- Why Does a CSRF Attack Work?
- How to Attack
- GET-Based CSRF
- POST-Based CSRF
- CSRF Protection Techniques
- Referrer-Based Checking
- Anti-CSRF Tokens
- Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm
- Tokens Not Validated upon Server
- Analyzing Weak Anti-CSRF Token Strength
- Bypassing CSRF with XSS
- Real-World Example
- Real-World Example
- Real-World Example
- File Inclusion Vulnerabilities
- Remote File Inclusion
- Patching File Inclusions on the Server Side
- Local File Inclusion
- Linux
- Windows
- LFI Exploitation Using /proc/self/environ
- Log File Injection
- Finding Log Files: Other Tricks
- Exploiting LFI Using PHP Input
- Exploiting LFI Using File Uploads
- Read Source Code via LFI
- Local File Disclosure Vulnerability
- Local File Disclosure Tricks
- Remote Command Execution
- Uploading Shells
- Server Side Include Injection
- Testing a Website for SSI Injection
- Executing System Commands
- Spawning a Shell
- SSRF Attacks
- Impact
- Denial of Service
- Overwriting Return Address
- Generating Shellcode
- Server Hacking
- Apache Server
- Reference
- Escalating Privileges Using Local Root Exploits
- Back Connecting
- Finding the Local Root Exploit
- Usage
- Finding a Writable Directory
- Bypassing Symlinks to Read Configuration Files
- Who Is Affected?
- Basic Syntax
- Connecting to and Manipulating the Database
- Updating the Password
- Finding a WHMCS Server
- Symlinking the Configuration File
- Conclusion
- Index
Product information
- Title: Ethical Hacking and Penetration Testing Guide
- Author(s):
- Release date: September 2017
- Publisher(s): Auerbach Publications
- ISBN: 9781351381345