book

Ethical Hacking and Penetration Testing Guide

by Rafay Baloch

September 2017

Beginner

532 pages

13h 31m

English

Auerbach Publications

Read now

Unlock full access

Important TerminologiesAssetVulnerabilityThreatExploitRiskWhat Is a Penetration Test?Vulnerability Assessments versus Penetration TestPreengagementRules of EngagementMilestonesPenetration Testing MethodologiesOSSTMMNISTOWASPCategories of Penetration TestBlack BoxWhite BoxGray BoxTypes of Penetration TestsNetwork Penetration TestWeb Application Penetration TestMobile Application Penetration TestSocial Engineering Penetration TestPhysical Penetration TestReport WritingUnderstanding the AudienceExecutive ClassManagement ClassTechnical ClassWriting ReportsStructure of a Penetration Testing ReportCover PageTable of ContentsExecutive SummaryRemediation ReportVulnerability Assessment SummaryTabular SummaryRisk AssessmentRisk Assessment MatrixMethodologyDetailed FindingsDescriptionExplanationRiskRecommendationReportsConclusion
Major Linux Operating SystemsFile Structure inside of LinuxFile Permission in LinuxGroup PermissionLinux Advance/Special PermissionLink PermissionSuid & Guid PermissionStickybit PermissionChatter PermissionMost Common and Important CommandsLinux Scheduler (Cron Job)Cron PermissionCron PermissionCron FilesUsers inside of LinuxLinux ServicesLinux Password StorageLinux LoggingCommon Applications of LinuxWhat Is BackTrack?How to Get BackTrack 5 RunningInstalling BackTrack on Virtual BoxInstalling BackTrack on a Portable USBInstalling BackTrack on Your Hard DriveBackTrack BasicsChanging the Default Screen ResolutionSome Unforgettable BasicsChanging the PasswordClearing the ScreenListing the Contents of a DirectoryDisplaying Contents of a Specific DirectoryDisplaying the Contents of a FileCreating a DirectoryChanging the DirectoriesWindowsLinuxCreating a Text FileCopying a FileCurrent Working DirectoryRenaming a FileMoving a FileRemoving a FileLocating Certain Files inside BackTrackText Editors inside BackTrackGetting to Know Your NetworkDhclientServicesMySQLSSHDPostgresqlOther Online Resources

Active Information GatheringPassive Information GatheringSources of Information GatheringCopying Websites LocallyInformation Gathering with WhoisFinding Other Websites Hosted on the Same ServerYougetsignal.comTracing the LocationTracerouteICMP TracerouteTCP TracerouteUsageUDP TracerouteUsageNeoTraceCheops-ngEnumerating and Fingerprinting the WebserversIntercepting a ResponseAcunetix Vulnerability ScannerWhatWebNetcraftGoogle HackingSome Basic ParametersSiteExampleTIP regarding FiletypeGoogle Hacking DatabaseHackersforcharity.org/ghdbXcode Exploit ScannerFile AnalysisFocaHarvesting E-Mail ListsGathering Wordlist from a Target WebsiteScanning for SubdomainsTheHarvesterFierce in BackTrackScanning for SSL VersionDNS EnumerationInteracting with DNS ServersNslookupDIGForward DNS LookupForward DNS Lookup with FierceReverse DNSReverse DNS Lookup with DigReverse DNS Lookup with FierceZone TransfersZone Transfer with Host CommandAutomating Zone TransfersDNS Cache SnoopingWhat Is DNS Cache Snooping?Nonrecursive MethodRecursive MethodWhat Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?Attack ScenarioAutomating DNS Cache Snooping AttacksEnumerating SNMPProblem with SNMPSniffing SNMP PasswordsOneSixtyOneSnmpenumSolarWinds ToolsetSNMP SweepSNMP Brute Force and DictionarySNMP Brute Force ToolSNMP Dictionary Attack ToolSMTP EnumerationDetecting Load BalancersLoad Balancer DetectorDetermining Real IP behind Load BalancersBypassing CloudFlare ProtectionMethod 1: ResolversMethod 2: Subdomain TrickMethod 3: Mail ServersIntelligence Gathering Using ShodanFurther ReadingConclusion
Host DiscoveryScanning for Open Ports and ServicesTypes of Port ScanningUnderstanding the TCP Three-Way HandshakeTCP FlagsPort Status TypesTCP SYN ScanTCP Connect ScanNULL, FIN, and XMAS ScansNULL ScanFIN ScanXMAS ScanTCP ACK ScanResponsesUDP Port ScanAnonymous Scan TypesIDLE ScanScanning for a Vulnerable HostPerforming an IDLE Scan with NMAPTCP FTP Bounce ScanService Version DetectionOS FingerprintingPOFOutputNormal FormatGrepable FormatXML FormatAdvanced Firewall/IDS Evading TechniquesTiming TechniqueWireshark OutputFragmented PacketsWireshark OutputSource Port ScanSpecifying an MTUSending Bad ChecksumsDecoysZENMAPFurther Reading
What Are Vulnerability Scanners and How Do They Work?Pros and Cons of a Vulnerability ScannerVulnerability Assessment with NmapUpdating the DatabaseScanning MS08 _ 067 _ netapiTesting SCADA Environments with NmapInstallationUsageNessus Vulnerability ScannerHome FeedProfessional FeedInstalling Nessus on BackTrackAdding a UserNessus Control PanelReportsMobileScanPoliciesUsersConfigurationDefault PoliciesCreating a New PolicySafe ChecksSilent DependenciesAvoid Sequential ScansPort RangeCredentialsPlug-InsPreferencesScanning the TargetNessus Integration with MetasploitImporting Nessus to MetasploitScanning the TargetReportingOpenVasResourceVulnerability Data ResourcesExploit DatabasesUsing Exploit-db with BackTrackSearching for Exploits inside BackTrackConclusion
IntroductionTypes of SniffingActive SniffingPassive SniffingHubs versus SwitchesPromiscuous versus Nonpromiscuous ModeMITM AttacksARP Protocol BasicsHow ARP WorksARP AttacksMAC FloodingMacofARP PoisoningScenario—How It WorksDenial of Service AttacksTools of the TradeDsniffUsing ARP Spoof to Perform MITM AttacksUsageSniffing the Traffic with DsniffSniffing Pictures with DrifnetUrlsnarf and WebspySniffing with WiresharkEttercapARP Poisoning with EttercapHijacking Session with MITM AttackAttack ScenarioARP Poisoning with Cain and AbelSniffing Session Cookies with WiresharkHijacking the SessionSSL Strip: Stripping HTTPS TrafficRequirementsUsageAutomating Man in the Middle AttacksUsageDNS SpoofingARP Spoofing AttackManipulating the DNS RecordsUsing Ettercap to Launch DNS Spoofing AttackDHCP SpoofingConclusion
Understanding Network ProtocolsTransmission Control ProtocolUser Datagram ProtocolInternet Control Messaging ProtocolServer ProtocolsText-Based Protocols (Important)Binary ProtocolsFTPSMTPHTTPFurther ReadingResourcesAttacking Network Remote ServicesOverview of Brute Force AttacksTraditional Brute ForceDictionary AttacksHybrid AttacksCommon Target ProtocolsTools of the TradeTHC HydraBasic Syntax for HydraCracking Services with HydraHydra GUIMedusaBasic SyntaxOpenSSH Username Discovery BugCracking SSH with MedusaNcrackBasic SyntaxCracking an RDP with NcrackCase Study of a Morto WormCombining Nmap and Ncrack for Optimal ResultsAttacking SMTPImportant CommandsReal-Life ExampleAttacking SQL ServersMySQL ServersFingerprinting MySQL VersionTesting for Weak AuthenticationMS SQL ServersFingerprinting the VersionBrute Forcing SA AccountUsing Null PasswordsIntroduction to MetasploitHistory of MetasploitMetasploit InterfacesMSFConsoleMSFcliMSFGUIArmitageMetasploit UtilitiesMSFPayloadMSFEncodeMSFVenomMetasploit Basic CommandsSearch Feature in MetasploitUse CommandInfo CommandShow OptionsSet/Unset CommandReconnaissance with MetasploitPort Scanning with MetasploitMetasploit DatabasesStoring Information from Nmap into Metasploit DatabaseUseful Scans with MetasploitPort ScannersSpecific ScannersCompromising a Windows Host with MetasploitMetasploit Autopwndb _ autopwn in ActionNessus and AutopwnArmitageInterfaceLaunching ArmitageCompromising Your First Target from ArmitageEnumerating and Fingerprinting the TargetMSF ScansImporting HostsVulnerability AssessmentExploitationCheck FeatureHail MaryConclusionReferences
Client Side Exploitation MethodsAttack Scenario 1: E-Mails Leading to Malicious AttachmentsAttack Scenario 2: E-Mails Leading to Malicious LinksAttack Scenario 3: Compromising Client Side UpdateAttack Scenario 4: Malware Loaded on USB SticksE-Mails with Malicious AttachmentsCreating a Custom ExecutableCreating a Backdoor with SETPDF HackingIntroductionHeaderBodyCross Reference TableTrailerPDF Launch ActionCreating a PDF Document with a Launch ActionControlling the Dialog BoxesPDF ReconnaissanceTools of the TradePDFINFOPDFINFO “Your PDF Document”PDFTKOrigami FrameworkInstalling Origami Framework on BackTrackAttacking with PDFFileformat ExploitsBrowser ExploitsScenario from Real WorldAdobe PDF Embedded EXESocial Engineering ToolkitAttack Scenario 2: E-Mails Leading to Malicious LinksCredential Harvester AttackTabnabbing AttackOther Attack VectorsBrowser ExploitationAttacking over the Internet with SETAttack Scenario over the InternetUsing Windows Box as Router (Port Forwarding)Browser AutoPWNWhy Use Browser AutoPWN?Problem with Browser AutoPWNVPS/Dedicated ServerAttack Scenario 3: Compromising Client Side UpdateHow Evilgrade WorksPrerequisitesAttack VectorsInternal Network Attack VectorsExternal Network Attack VectorsEvilgrade ConsoleAttack ScenarioAttack Scenario 4: Malware Loaded on USB SticksTeensy USBConclusionFurther Reading
Acquiring Situation AwarenessEnumerating a Windows MachineEnumerating Local Groups and UsersEnumerating a Linux MachineEnumerating with MeterpreterIdentifying ProcessesInteracting with the SystemUser Interface CommandPrivilege EscalationMaintaining StabilityEscalating PrivilegesBypassing User Access ControlImpersonating the TokenEscalating Privileges on a Linux MachineMaintaining AccessInstalling a BackdoorCracking the Hashes to Gain Access to Other ServicesBackdoorsDisabling the FirewallKilling the AntivirusNetcatMSFPayload/MSFEncodeGenerating a Backdoor with MSFPayloadMSFEncodeMSFVenomPersistenceWhat Is a Hash?Hashing AlgorithmsWindows Hashing MethodsLAN Manager (LM)NTLM/NTLM2KerberosWhere Are LM/NTLM Hashes Located?Dumping the HashesScenario 1—Remote AccessScenario 2—Local AccessOphcrackReferencesScenario 3—Offline SystemOphcrack LiveCDBypassing the Log-InReferencesCracking the HashesBruteforceDictionary AttacksPassword SaltsRainbow TablesJohn the RipperCracking LM/NTLM Passwords with JTRCracking Linux Passwords with JTRRainbow CrackSorting the TablesCracking the Hashes with rcrackSpeeding Up the Cracking ProcessGaining Access to Remote ServicesEnabling the Remote DesktopAdding Users to the Remote DesktopData MiningGathering OS InformationHarvesting Stored CredentialsIdentifying and Exploiting Further TargetsMapping the Internal NetworkFinding Network InformationIdentifying Further TargetsPivotingScanning Ports and Services and Detecting OSCompromising Other Hosts on the Network Having the Same PasswordpsexecExploiting TargetsConclusion
PrerequisitesWhat Is a Buffer Overflow?Vulnerable ApplicationHow to Find Buffer OverflowsMethodologyGetting the Software Up and RunningCausing the Application to CrashSkeleton ExploitDetermining the OffsetIdentifying Bad CharactersFiguring Out Bad Characters with MonaOverwriting the Return AddressNOP SledgesGenerating the ShellCodeGenerating Metasploit ModulePorting to MetasploitConclusionFurther Resources
IntroductionRequirementsIntroducing Aircrack-ngUncovering Hidden SSIDsTurning on the Monitor ModeMonitoring Beacon Frames on WiresharkMonitoring with Airodump-ngSpeeding Up the ProcessBypassing MAC Filters on Wireless NetworksCracking a WEP Wireless Network with Aircrack-ngPlacing Your Wireless Adapter in Monitor ModeDetermining the Target with Airodump-ngAttacking the TargetSpeeding Up the Cracking ProcessInjecting ARP PacketsCracking the WEPCracking a WPA/WPA2 Wireless Network Using Aircrack-ngCapturing PacketsCapturing the Four-Way HandshakeCracking WPA/WAP2Using Reaver to Crack WPS-Enabled Wireless NetworksReducing the DelayFurther ReadingSetting Up a Fake Access Point with SET to PWN UsersAttack ScenarioEvil Twin AttackScanning the NeighborsSpoofing the MACSetting Up a Fake Access PointCausing Denial of Service on the Original APConclusion
Attacking the AuthenticationUsername EnumerationInvalid Username with Invalid PasswordValid Username with Invalid PasswordEnabling Browser Cache to Store PasswordsBrute Force and Dictionary AttacksTypes of AuthenticationHTTP Basic AuthenticationHTTP-Digest AuthenticationForm-Based AuthenticationExploiting Password Reset FeatureEtsy.com Password Reset VulnerabilityAttacking Form-Based AuthenticationBrute Force AttackAttacking HTTP Basic AuthFurther ReadingLog-In Protection MechanismsCAPTCHA Validation FlawCAPTCHA Reset FlawManipulating User-Agents to Bypass CAPTCHA and Other ProtectionsReal-World ExampleAuthentication Bypass AttacksAuthentication Bypass Using SQL InjectionTesting for SQL Injection Auth BypassAuthentication Bypass Using XPATH InjectionTesting for XPATH InjectionAuthentication Bypass Using Response TamperingCrawling Restricted LinksTesting for the VulnerabilityAutomating It with Burp SuiteAuthentication Bypass with Insecure Cookie HandlingSession AttacksGuessing Weak Session IDSession Fixation AttacksRequirements for This AttackHow the Attack WorksSQL Injection AttacksWhat Is an SQL Injection?Types of SQL InjectionUnion-Based SQL InjectionError-Based SQL InjectionBlind SQL InjectionDetecting SQL InjectionDetermining the Injection TypeUnion-Based SQL Injection (MySQL)Testing for SQL InjectionDetermining the Number of ColumnsDetermining the Vulnerable ColumnsFingerprinting the DatabaseEnumeration InformationInformation_schemaInformation_schema TablesEnumerating All Available DatabasesEnumerating All Available Tables in the DatabaseExtracting Columns from TablesExtracting Data from ColumnsUsing group _ concatMySQL Version ≤ 5Guessing Table NamesGuessing ColumnsSQL Injection to Remote Command ExecutionReading FilesWriting FilesBlind SQL InjectionBoolean-Based SQLiTrue StatementFalse StatementEnumerating the DB UserEnumerating the MYSQL VersionGuessing TablesGuessing Columns in the TableExtracting Data from ColumnsTime-Based SQL InjectionVulnerable ApplicationTesting for Time-Based SQL InjectionEnumerating the DB UserGuessing the Table NamesGuessing the ColumnsExtracting Data from ColumnsAutomating SQL Injections with SqlmapEnumerating DatabasesEnumerating TablesEnumerating the ColumnsExtracting Data from the ColumnsHTTP Header–Based SQL InjectionOperating System Takeover with SqlmapOS-CMDOS-SHELLOS-PWNXSS (Cross-Site Scripting)How to Identify XSS VulnerabilityTypes of Cross-Site ScriptingReflected/Nonpersistent XSSVulnerable CodeMedium SecurityVulnerable CodeHigh SecurityBypassing htmlspecialcharsUTF-32 XSS Trick: Bypass 1Svg Craziness: Bypass 2Bypass 3: href AttributeStored XSS/Persistent XSSPayloadsBlind XSSDOM-Based XSSDetecting DOM-Based XSSSources (Inputs)Sinks (Creating/Modifying HTML Elements)Static JS Analysis to Identify DOM-Based XSSHow Does It Work?Setting Up JSPRIMEDominator: Dynamic Taint AnalysisPOC for Internet ExplorerPOC for ChromePros/ConsCross Browser DOM XSS DetectionTypes of DOM-Based XSSReflected DOM XSSStored DOM XSSExploiting XSSCookie Stealing with XSSExploiting XSS for Conducting Phishing AttacksCompromising Victim’s Browser with XSSExploiting XSS with BeEFSetting Up BeEF on BackTrackDemo PagesBeEF ModulesModule: Replace HREFsModule: GetcookieModule: TabnabbingBeEF in ActionCross-Site Request Forgery (CSRF)Why Does a CSRF Attack Work?How to AttackGET-Based CSRFPOST-Based CSRFCSRF Protection TechniquesReferrer-Based CheckingAnti-CSRF TokensPredicting/Brute Forcing Weak Anti-CSRF Token AlgorithmTokens Not Validated upon ServerAnalyzing Weak Anti-CSRF Token StrengthBypassing CSRF with XSSFile Upload VulnerabilitiesBypassing Client Side RestrictionsBypassing MIME-Type ValidationReal-World ExampleBypassing Blacklist-Based ProtectionsCase 1: Blocking Malicious ExtensionsBypassCase 2: Case-Sensitive BypassBypassReal-World ExampleVulnerable CodeCase 3: When All Dangerous Extensions Are BlockedXSS via File UploadFlash-Based XSS via File UploadCase 4: Double Extensions VulnerabilitiesApache Double Extension IssuesIIS 6 Double Extension IssuesCase 5: Using Trailing DotsCase 6: Null Byte TrickCase 7: Bypassing Image ValidationCase 8: Overwriting Critical FilesReal-World ExampleFile Inclusion VulnerabilitiesRemote File InclusionPatching File Inclusions on the Server SideLocal File InclusionLinuxWindowsLFI Exploitation Using /proc/self/environLog File InjectionFinding Log Files: Other TricksExploiting LFI Using PHP InputExploiting LFI Using File UploadsRead Source Code via LFILocal File Disclosure VulnerabilityVulnerable CodeLocal File Disclosure TricksRemote Command ExecutionUploading ShellsServer Side Include InjectionTesting a Website for SSI InjectionExecuting System CommandsSpawning a ShellSSRF AttacksImpactExample of a Vulnerable PHP CodeRemote SSRFSimple SSRFPartial SSRFDenial of ServiceDenial of Service Using External Entity Expansion (XEE)Full SSRFdict://gopher://http://Causing the CrashOverwriting Return AddressGenerating ShellcodeServer HackingApache ServerTesting for Disabled FunctionsOpen _ basedir MisconfigurationUsing CURL to Bypass Open _ basedir RestrictionsOpen _ basedir PHP 5.2.9 BypassReferenceBypassing open _ basedir Using CGI ShellBypassing open _ basedir Using Mod _ Perl, Mod _ PythonEscalating Privileges Using Local Root ExploitsBack ConnectingFinding the Local Root ExploitUsageFinding a Writable DirectoryBypassing Symlinks to Read Configuration FilesWho Is Affected?Basic SyntaxWhy This WorksSymlink Bypass: Example 1Finding the Username/etc/passwd File/etc/valiases FilePath DisclosureUploading .htaccess to Follow SymlinksSymlinking the Configuration FilesConnecting to and Manipulating the DatabaseUpdating the PasswordSymlink the Root DirectoryExample 3: Compromising WHMCS ServerFinding a WHMCS ServerSymlinking the Configuration FileWHMCS KillerDisabling Security MechanismsDisabling Mod _ SecurityDisabling Open _ basedir and Safe _ modeUsing CGI, PERL, or Python Shell to Bypass SymlinksConclusion

Content preview from Ethical Hacking and Penetration Testing Guide

Chapter 7Remote Exploitation

Finally, we’ve come to the exploitation chapter. We can now use the knowledge acquired so far to gain access to the target machine. Exploitation can be both server side and client side. Server side exploitation consists in having a direct contact with the server, and it does not involve any user interaction. Client side exploitation, on the other hand, is where you directly engage with the target in order to exploit it.

Server side exploitation will be the focus of this chapter. We’ll see client side exploitation in the next chapter. The main goal of this chapter is to familiarize the audience with the methodologies that can be used to hack into a target. The following topics will be covered: