Penetration Tester's Open Source Toolkit, 2nd Edition

Book description

Penetration testing a network requires a delicate balance of art and science. A penetration tester must be creative enough to think outside the box to determine the best attack vector into his own network, and expert enough in the hundreds of tools required to execute the plan. This second volume adds over 300 new pentesting applications included with BackTrack 2 to the pen tester's toolkit. It includes the latest information on Snort, Nessus, Wireshark, Metasploit, Kismet and all of the other major Open Source platforms.

• Perform Network Reconnaissance
Master the objectives, methodology, and tools of the least understood aspect of a penetration test.
• Demystify Enumeration and Scanning
Identify the purpose and type of the target systems, obtain specific information about the versions of the services that are running on the systems, and list the targets and services.
• Hack Database Services
Understand and identify common database service vulnerabilities, discover database services, attack database authentication mechanisms, analyze the contents of the database, and use the database to obtain access to the host operating system.
• Test Web Servers and Applications
Compromise the Web server through vulnerabilities in the server daemon itself, its unhardened configuration, or vulnerabilities within the Web applications.
• Test Wireless Networks and Devices
Understand WLAN vulnerabilities, attack WLAN encryption, master information gathering tools, and deploy exploitation tools.
• Examine Vulnerabilities on Network Routers and Switches
Use Traceroute, Nmap, ike-scan, Cisco Torch, Finger, Nessus, onesixtyone, Hydra, Ettercap, and more to attack your network devices.
• Customize BackTrack 2
Tailor BackTrack 2 to your specialized needs through module management, custom hard drive installations, and USB installations.
• Perform Forensic Discovery and Analysis with BackTrack 2
Use BackTrack in the field for forensic analysis, image acquisition, and file carving.
• Build Your Own PenTesting Lab
Everything you need to build your own fully functional attack lab.

Table of contents

  1. Copyright
  2. Technical Editor and Contributing Author
  3. Contributing Authors
  4. Chapter 1: Reconnaissance
    1. Objectives
    2. Approach
      1. A Methodology for Reconnaissance
        1. Intelligence Gathering
          1. Real-World Intelligence
          2. HTTP Link Analysis
          3. Domain Name Expansion
          4. Vetting the Domains Found
          5. Summary
        2. Footprinting
          1. Attempt a DNS Zone Transfer
          2. Extract Domain Records
          3. Forward DNS Brute Force
          4. SMTP Mail Bounce
          5. Summary
        3. Verification
          1. WHOIS and the Internet Registries
          2. Exploring the Network Boundary
          3. Reverse DNS Verification
          4. Banners and Web Sites
          5. Summary
    3. Core Technologies
      1. Intelligence Gathering
        1. Search Engines
        2. WHOIS
        3. RWHOIS
        4. Domain Name Registries and Registrars
        5. Web Site Copiers
        6. Social Networking Services
      2. Footprinting
        1. DNS
        2. SMTP
      3. Verification
        1. Virtual Hosting
        2. IP Subnetting
        3. The Regional Internet Registries
    4. Open Source Tools
      1. Intelligence Gathering Tools
        1. Web Resources
          1. Google (www.google.com)
          2. Netcraft (www.netcraft.com)
          3. Kartoo (www.kartoo.com)
          4. WHOIS Proxies
        2. Linux/UNIX Command-Line Tools
          1. BiLE Software Suite
          2. BiLE Suite: BiLE.pl (www.sensepost.com/research/)
          3. BiLE Suite: BiLE-weigh.pl
          4. BiLE Suite: vet-IPrange.pl
          5. BiLE Suite: vet-mx.pl
          6. BiLE Suite: exp-tld.pl
          7. nslookup
          8. WHOIS
          9. Gnetutil 1.0 (www.culte.org/projets/developpement/gnetutil/)
          10. HTTrack (www.httrack.com)
          11. Greenwich (jodrell.net/projects/Greenwich)
        3. Open Source Windows Tools
          1. WinHTTrack (www.httrack.com)
          2. WinBiLE (www.sensepost.com/research)
          3. Maltego (www.paterva.com)
      2. Footprinting Tools
        1. Web Resources
          1. DNS Stuff (www.dnsstuff.com)
        2. Linux/UNIX Console Tools
          1. host
          2. jarf-dnsbrute (www.sensepost.com/research/)
          3. dig (Domain Information Groper)
        3. Open Source Windows Tools
          1. SpiderFoot (www.binarypool.com/spiderfoot/)
      3. Verification Tools
        1. Web Resources
          1. Regional Internet Registries
          2. Live.com: Virtual Host Enumeration (www.live.com)
        2. Linux/UNIX Console Tools
          1. IP WHOIS
          2. qtrace (www.sensepost.com/research/)
          3. rdns.pl (www.sensepost.com/research/)
          4. ipcalc.pl
          5. GTWhois (www.geektools.com)
          6. AWexploder (www.edge-security.com)
    5. Case Study: The Tools in Action
      1. Intelligence Gathering, Footprinting, and Verification of an Internet-Connected Network
        1. Footprinting
        2. Verification
  5. Chapter 2: Enumeration and Scanning
    1. Introduction
    2. Objectives
      1. Before You Start
      2. Why Do This?
    3. Approach
      1. Scanning
      2. Enumeration
        1. Notes and Documentation
        2. Active versus Passive
        3. Moving On
    4. Core Technology
      1. How Scanning Works
        1. Port Scanning
      2. Going behind the Scenes with Enumeration
        1. Service Identification
        2. RPC Enumeration
        3. Fingerprinting
      3. Being Loud, Quiet, and All That Lies Between
        1. Timing
        2. Bandwidth Issues
        3. Unusual Packet Formation
    5. Open Source Tools
      1. Scanning
        1. Nmap
          1. Nmap: Ping Sweep
          2. Nmap: ICMP Options
          3. Nmap: Output Options
          4. Nmap: Stealth Scanning
          5. Nmap: OS Fingerprinting
          6. Nmap: Scripting
          7. Nmap: Speed Options
        2. Netenum: Ping Sweep
        3. Unicornscan: Port Scan and Fuzzing
        4. Scanrand: Port Scan
      2. Enumeration
        1. Nmap: Banner Grabbing
        2. Netcat
        3. P0f: Passive OS Fingerprinting
        4. Xprobe2: OS Fingerprinting
        5. Httprint
        6. Ike-scan: VPN Assessment
        7. Amap: Application Version Detection
        8. Windows Enumeration: Smbgetserverinfo/smbdumpusers/smbclient
        9. Nbtscan
        10. Smb-nat: Windows/Samba SMB Session Brute Force
    6. Case Studies: The Tools in Action
      1. External
      2. Internal
      3. Stealthy
      4. Noisy (IDS) Testing
    7. Further Information
  6. Chapter 3: Hacking Database Services
    1. Introduction
    2. Objectives
    3. Approach
    4. Core Technologies
      1. Basic Terminology
      2. Database Installation
        1. Default Users and New Users
          1. Microsoft SQL Server Users
          2. Oracle Users
        2. Roles and Privileges
          1. SQL Server Roles and Permissions
          2. SQL Server Stored Procedures
          3. Oracle Roles and Privileges
          4. Oracle Stored Procedures
        3. Technical Details
          1. Communication
          2. Resources and Auditing
    5. Case Studies: Using Open Source and Closed Source Tools
      1. Microsoft SQL Server
        1. Discovering Microsoft SQL Servers
          1. Domain Name System (DNS) Reverse Resolution
          2. TCP and UDP Port Scanning
          3. NetBIOS and the Server Message Block (SMB) Protocol
        2. Identifying Vulnerable Microsoft SQL Server Services
          1. Metasploit Framework 3
          2. Nessus
        3. Attacking Microsoft SQL Server Authentication
          1. Microsoft SQL Server Authentication Modes
          2. Windows NT Authentication Mode (Default)
          3. Mixed Mode (Most Common)
        4. Microsoft SQL Server Password Creation Guidelines
        5. Microsoft SQL Default Usernames and Passwords
        6. Creating Username and Dictionary Files
        7. SQL Auditing Tools (SQLAT)
        8. Obtaining and Cracking Microsoft SQL Server Password Hashes
          1. Microsoft SQL Server 2000
          2. Microsoft SQL Server 2005
        9. Analyzing the Database
        10. Obtaining Access to the Host Operating System
        11. SQLAT: SQLExec (Sqlquery), TFTP, and fgdump.exe
      2. Oracle Database Management System
        1. Identifying and Enumerating Oracle Database with Nmap
        2. Penetration Testing Oracle Services with BackTrack
          1. Using Sidguess
          2. Using TNScmd
          3. Using Oracle Auditing Tools (OAT)
          4. Using OAT’s OracleTNSCtrl
          5. Using OAT’s OraclePWGuess
          6. Using OAT’s OracleQuery
        3. Cracking Oracle Database Hashes
        4. Privilege Escalation in Oracle from TNS Listener, No Password
      3. SQL Clients
        1. Shell Usage and History
        2. Arguments Viewable by All Users
        3. History and Trace Logs
    6. Further Information
  7. Chapter 4: Web Server and Web Application Testing
    1. Objectives
    2. Introduction
      1. Web Server Vulnerabilities: A Short History
      2. Web Applications: The New Challenge
      3. Chapter Scope
    3. Approach
      1. Web Server Testing
      2. CGI and Default Pages Testing
      3. Web Application Testing
    4. Core Technologies
      1. Web Server Exploit Basics
        1. What Are We Talking About?
          1. Stack-Based Overflows
          2. Heap-based Overflows
      2. CGI and Default Page Exploitation
      3. Web Application Assessment
        1. Information Gathering Attacks
        2. File System and Directory Traversal Attacks
        3. Command Execution Attacks
        4. Database Query Injection Attacks
        5. Cross-site Scripting Attacks
        6. Impersonation Attacks
        7. Parameter Passing Attacks
    5. Open Source Tools
      1. Intelligence Gathering Tools
      2. Scanning Tools
      3. Assessment Tools
        1. Authentication
        2. Proxy
      4. Exploitation Tools
        1. Metasploit
        2. SQL Injection Tools
          1. DNS Channel
          2. Timing Channel
          3. Requirements
          4. Supported Databases
          5. Example Usage
    6. Case Studies: The Tools in Action
      1. Web Server Assessments
      2. CGI and Default Page Exploitation
      3. Web Application Assessment
  8. Chapter 5: Wireless Penetration Testing Using BackTrack 2
    1. Introduction
    2. Approach
      1. Understanding WLAN Vulnerabilities
      2. Evolution of WLAN Vulnerabilities
    3. Core Technologies
      1. WLAN Discovery
        1. Choosing the Right Antenna
      2. WLAN Encryption
        1. No Encryption
        2. Wired Equivalent Privacy (WEP)
        3. Wi-Fi Protected Access (WPA/WPA2)
        4. Extensible Authentication Protocol (EAP)
        5. Virtual Private Network (VPN)
      3. WLAN Attacks
        1. Attacks against WEP
          1. Attacking WEP Using Weak Initialization Vectors (FMS Attacks)
          2. Attacking WEP Using Unique Initialization Vectors (Chopchop Attacks)
          3. Attacking WEP Using the Pychkine/Tews/Weinmann Attack (PTW Attack)
          4. Commonalities and Differences in the Attacks against WEP
        2. Attacks against WPA
        3. Attacks against LEAP
        4. Attacks against VPN
    4. Open Source Tools
      1. Information Gathering Tools
        1. Google (Internet Search Engines)
        2. WiGLE.net (Work Smarter, Not Harder)
        3. Usenet Newsgroups
      2. Scanning Tools
        1. Kismet
      3. Footprinting Tools
      4. Enumeration Tools
      5. Vulnerability Assessment Tools
      6. Exploitation Tools
        1. MAC Address Spoofing
        2. Deauthentication with Aireplay-ng
        3. Cracking WEP with the Aircrack-ng Suite
        4. Cracking WPA with CoWPAtty
      7. Bluetooth Vulnerabilities
        1. Bluetooth Discovery
        2. Exploiting Bluetooth Vulnerabilities
        3. The Future of Bluetooth
    5. Case Studies
      1. Case Study: Cracking WEP
      2. Case Study: Cracking WPA-PSK
      3. Case Study: Exploiting Bluetooth
    6. Summary
  9. Chapter 6: Network Devices
    1. Objectives
    2. Approach
    3. Core Technologies
    4. Open Source Tools
      1. Footprinting Tools
        1. Traceroute
        2. DNS
        3. Nmap
        4. ICMP
        5. ike-scan
      2. Scanning Tools
        1. Nmap
        2. ASS
        3. Cisco Torch
      3. Enumeration Tools
        1. SNMP
        2. Finger
      4. Vulnerability Assessment Tools
        1. Nessus
      5. Exploitation Tools
        1. onesixtyone
        2. Hydra
        3. TFTP Brute Force
        4. Cisco Global Exploiter
        5. Internet Routing Protocol Attack Suite (IRPAS)
        6. Ettercap
    5. Case Study: The Tools in Action
      1. Obtaining a Router Configuration by Brute Force
        1. Where to Go from Here?
    6. Further Information
      1. Common and Default Vendor Passwords
      2. Modification of cge.pl
      3. References
      4. Software
  10. Chapter 7: Customizing BackTrack 2
    1. Introduction
    2. Module Management
      1. Locating Modules
      2. Converting Modules from Different Formats
      3. Creating a Module from Source
      4. Adding Modules to Your BackTrack Live CD or HD Installation
    3. Hard Drive Installation
      1. Basic Hard Drive Installation
      2. Dual Boot Installation (Windows XP and BackTrack)
      3. Other Configurations
    4. USB Installation
      1. USB Thumb Drive Installation
        1. The Easiest Way to Install BackTrack to a USB Thumb Drive Using Windows
        2. Alternative Directions to Install BackTrack on a USB Thumb Drive Using Windows
        3. Installing BackTrack on a USB Thumb Drive Using Linux
      2. Saving a USB Configuration
        1. Directions to Save Your Changes on Your BackTrack USB Thumb Drive
        2. Directions to Save Your New Changes (and Keep Your Old Ones) on Your BackTrack USB Thumb Drive
        3. Directions to Write a Script to Save Your New Changes (and Keep Your Old Ones) on Your BackTrack USB Thumb Drive
      3. External USB Hard Drive Installation
    5. Installing Additional Open Source Tools
      1. Updating Scripts
      2. Installing aircrack-ptw
      3. Installing Nessus
      4. Installing Metasploit Framework 3.0 GUI
      5. Installing VMWare Server
      6. Installing Java for Firefox
    6. Further Information
      1. Quick Reference to Other Customizations
      2. Remote-Exploit Forums and BackTrack Wiki
      3. Credits
  11. Chapter 8: Forensic Discovery and Analysis Using BackTrack
    1. Introduction
    2. Digital Forensics
    3. Acquiring Images
      1. Linux dd
      2. Linux dcfldd
      3. dd_rescue
    4. Forensic Analysis
      1. Autopsy
      2. mboxgrep
      3. memfetch
      4. Memfetch Find
      5. pasco
      6. Rootkit Hunter
      7. The Sleuth Kit
      8. The Sleuth Kit Continued: Allin1 for The Sleuth Kit
      9. Vinetto
    5. File Carving
      1. Foremost
      2. Magicrescue
    6. Case Studies: Digital Forensics with the BackTrack Distribution
    7. Summary
  12. Chapter 9: Building Penetration Test Labs
    1. Introduction
    2. Setting Up a Penetration Test Lab
      1. Safety First
        1. Isolating the Network
        2. Concealing the Network Configuration
        3. Securing Install Disks
        4. Transferring Data
        5. Labeling
        6. Destruction and Sanitization
        7. Reports of Findings
        8. Final Word on Safety
      2. Types of Pen-Test Labs
        1. The Virtual Pen-Test Lab
        2. The Internal Pen-Test Lab
        3. The External Pen-Test Lab
        4. The Project-Specific Pen-Test Lab
        5. The Ad Hoc Lab
      3. Selecting the Right Hardware
        1. Focus on the “Most Common”
        2. Use What Your Clients Use
        3. Dual-Use Equipment
      4. Selecting the Right Software
        1. Open Source Tools
        2. Commercial Tools
    3. Running Your Lab
      1. Managing the Team
        1. Team “Champion”
        2. Project Manager
        3. Training and Cross-Training
        4. Metrics
      2. Selecting a Pen-Test Framework
        1. OSSTMM
        2. NIST SP 800-42
        3. ISSAF
    4. Targets in the Penetration Test Lab
      1. Foundstone
      2. De-ICE.net
        1. What Is a LiveCD?
        2. Advantages of Pen-test LiveCDs
        3. Disadvantages of Pen-test LiveCDs
      3. Building a LiveCD Scenario
        1. Difficulty Levels
        2. Real-World Scenarios
        3. Creating a Background Story
        4. Adding Content
        5. Final Comments on LiveCDs
      4. Using a LiveCD in a Penetration Test Lab
        1. Scenario
        2. Network Setup
        3. Open Source Tools
      5. Other Scenario Ideas
        1. Old Operating System Distributions
        2. Vulnerable Applications
        3. Capture the Flag Events
      6. What’s Next?
        1. Forensics
        2. Training
    5. Summary

Product information

  • Title: Penetration Tester's Open Source Toolkit, 2nd Edition
  • Author(s): Chris Hurley, Jeremy Faircloth
  • Release date: November 2007
  • Publisher(s): Syngress
  • ISBN: 9780080556079