book

Penetration Testing: A Survival Guide

Name: Penetration Testing: A Survival Guide
ISBN: 9781787287839

by Wolf Halton, Bo Weaver, Juned Ahmed Ansari, Srinivasa Rao Kotipalli, Mohammed A. Imran

January 2017

Beginner to intermediate

1045 pages

22h 24m

English

Packt Publishing

Read now

Unlock full access

Penetration Testing: A Survival Guide
Table of Contents
Penetration Testing: A Survival Guide
Penetration Testing: A Survival Guide
Credits
Preface
What this learning path covers
What you need for this learning path
Who this learning path is for
Reader feedback
Customer support

Downloading the example code
Errata
Piracy
Questions
I. Module 1
1. Sharpening the Saw
Installing Kali Linux to an encrypted USB drivePrerequisites for installationBooting UpInstalling configurationSetting up the driveBooting your new installation of Kali
Running Kali from the live CD
Installing and configuring applications
Gedit – the Gnome text editorTerminator – the terminal emulator for multitaskingEtherApe – the graphical protocol analysis tool
Setting up and configuring OpenVAS
Reporting the tests
KeepNote – the standalone document organizerDradis – the web-based document organizer
Running services on Kali Linux
Exploring the Kali Linux Top 10 and more
Summary
2. Information Gathering and Vulnerability Assessment
Footprinting the networkExploring the network with NmapZenmapThe difference verbosity makesScanning a network range
Where can you find instructions on this thing?
A return to OpenVAS
Using Maltego
Using Unicorn-Scan
Monitoring resource use with Htop
Monkeying around the network
Summary
3. Exploitation Tools (Pwnage)
Choosing the appropriate time and tool
Choosing the right version of Metasploit
Starting Metasploit
Creating workspaces to organize your attack
Using the hosts and services commands
Using advanced footprinting
Interpreting the scan and building on the resultExploiting poor patch managementFinding out whether anyone is home
Using the pivot
Mapping the network to pivot
Creating the attack path
Grabbing system on the targetSetting Up the routeExploring the inner networkAbusing the Windows NET USE commandAdding a Windows user from the command line
Summary
4. Web Application Exploitation
Surveying the webscapeConcept of Robots.txtConcept of .htaccessQuick solutions to cross-site scriptingReducing buffer overflowsAvoiding SQL injection
Arm yourself with Armitage
Working with a single known hostDiscovering new machines with NMap
Zinging Windows servers with OWASP ZAP
Using ZAP as an attack proxyReading the ZAP interface
Search and destroy with Burp Suite
Targeting the test subjectUsing Burp Suite as a ProxyInstalling the Burp Suite security certificateSpidering a site with Burp Spider
Summary
5. Sniffing and Spoofing
Sniffing and spoofing network traffic
Sniffing network traffic
Basic sniffing with tcpdumpMore basic sniffing with WinDump (Windows tcpdump)Packet hunting with WiresharkDissecting the packetSwimming with Wireshark
Spoofing network traffic
EttercapUsing Ettercap on the command line
Summary
6. Password Attacks
Password attack planningCracking the NTLM code (Revisited)Password listsCleaning a password list
My friend Johnny
John the Ripper (command line)
xHydra
Adding a tool to the main menu in Kali 2.x
Summary
7. Windows Privilege Escalation
Gaining access with Metasploit
Replacing the executable
Local privilege escalation with a standalone tool
Escalating privileges with physical access
Robbing the Hives with samdump2Owning the registry with chntpw
Weaseling in with Weevely
Preparing to use WeevelyCreating an agentTesting Weevely locallyTesting Weevely on a Windows serverGetting help in WeevelyGetting the system infoUsing filesystem commands in WeevelyWriting into files
Summary
8. Maintaining Remote Access
Maintaining accessCovering our tracks
Maintaining access with Ncat
Phoning Home with Metasploit
The Dropbox
Cracking the NAC (Network Access Controller)
Creating a Spear-Phishing Attack with the Social Engineering Toolkit
Using Backdoor-Factory to Evade Antivirus
Summary
9. Reverse Engineering and Stress Testing
Setting up a test environmentCreating your victim machine(s)Testing your testing environment
Reverse engineering theory
One general theory of reverse engineering
Working with Boolean logic
Reviewing a while loop structureReviewing the for loop structureUnderstanding the decision points
Practicing reverse engineering
Demystifying debuggersUsing the Valgrind Debugger to discover memory leaksTranslating your app to assembler with the EDB-DebuggerEDB-Debugger symbol mapperRunning OllyDbgIntroduction to disassemblersRunning JADCreate your own disassembling code with CapstoneSome miscellaneous reverse engineering toolsRunning Radare2Additional members of the Radare2 tool suiteRunning rasm2Running rahash2Running radiff2Running rafind2Running rax2
Stresstesting Windows
Dealing with DenialPutting the network under SiegeConfiguring your Siege engine
Summary
10. Forensics
Getting into Digital Forensics
Exploring Guymager
Starting Kali for ForensicsAcquiring a drive to be legal evidenceCloning With Guymager
Diving into Autopsy
Mounting image files
Summary
II. Module 2
1. Introduction to Penetration Testing and Web Applications
Proactive security testingWho is a hacker?Different testing methodologiesEthical hackingPenetration testingVulnerability assessmentSecurity audits
Rules of engagement
Black box testing or Gray box testingClient contact detailsClient IT team notificationsSensitive data handlingStatus meeting
The limitations of penetration testing
The need for testing web applications
Social engineering attacks
Training employees to defeat social engineering attacks
A web application overview for penetration testers
HTTP protocolRequest and response headerThe request headerThe response headerImportant HTTP methods for penetration testingThe GET/POST methodThe HEAD methodThe TRACE methodThe PUT and DELETE methodsThe OPTIONS methodSession tracking using cookiesCookieCookie flow between server and clientPersistent and non-persistent cookiesCookie parametersHTML data in HTTP responseMulti-tier web application
Summary
2. Setting up Your Lab with Kali Linux
Kali LinuxImprovements in Kali Linux 2.0Installing Kali LinuxUSB modeVMware and ARM images of Kali LinuxKali Linux on Amazon cloudInstalling Kali Linux on a hard driveKali Linux-virtualizing versus installing on physical hardware
Important tools in Kali Linux
Web application proxiesBurp proxyCustomizing client interceptionModifying requests on the flyBurp proxy with SSL-based websitesWebScarab and Zed Attack ProxyProxyStrikeWeb vulnerability scannerNiktoSkipfishWeb Crawler – DirbusterOpenVASDatabase exploitationCMS identification toolsWeb application fuzzers
Using Tor for penetration testing
Steps to set up Tor and connect anonymouslyVisualization of a web request through TorFinal words for Tor
Summary
3. Reconnaissance and Profiling the Web Server
ReconnaissancePassive reconnaissance versus active reconnaissanceReconnaissance – information gatheringDomain registration detailsWhois – extracting domain informationIdentifying hosts using DNSZone transfer using digBrute force DNS records using NmapThe Recon-ng tool – a framework for information gatheringDomain enumeration using recon-ngSub-level and top-level domain enumerationReporting modules
Scanning – probing the target
Port scanning using NmapDifferent options for port scanEvading firewalls and IPS using NmapSpotting a firewall using back checksum option in NmapIdentifying the operating system using NmapProfiling the serverApplication version fingerprintingThe Nmap version scanThe Amap version scanFingerprinting the web application frameworkThe HTTP headerThe Whatweb scannerIdentifying virtual hostsLocating virtual hosts using search enginesThe virtual host lookup module in Recon-ngIdentifying load balancersCookie-based load balancerOther ways of identifying load balancersScanning web servers for vulnerabilities and misconfigurationsIdentifying HTTP methods using NmapTesting web servers using auxiliary modules in MetasploitAutomating scanning using the WMAP web scanner pluginVulnerability scanning and graphical reports – the Skipfish web application scannerSpidering web applicationsThe Burp spiderApplication login
Summary
4. Major Flaws in Web Applications
Information leakageDirectory browsingDirectory browsing using DirBusterComments in HTML codeMitigation
Authentication issues
Authentication protocols and flawsBasic authenticationDigest authenticationIntegrated authenticationForm-based authenticationBrute forcing credentialsHydra – a brute force password cracker
Path traversal
Attacking path traversal using Burp proxyMitigation
Injection-based flaws
Command injectionSQL injection
Cross-site scripting
Attack potential of cross-site scripting attacks
Cross-site request forgery
Session-based flaws
Different ways to steal tokensBrute forcing tokensSniffing tokens and man-in-the-middle attacksStealing session tokens using XSS attackSession token sharing between application and browserTools to analyze tokensSession fixation attackMitigation for session fixation
File inclusion vulnerability
Remote file includeLocal file includeMitigation for file inclusion attacks
HTTP parameter pollution
Mitigation
HTTP response splitting
Mitigation
Summary
5. Attacking the Server Using Injection-based Flaws
Command injectionIdentifying parameters to inject dataError-based and blind command injectionMetacharacters for command separatorScanning for command injectionCreating a cookie file for authenticationExecuting WapitiExploiting command injection using MetasploitPHP shell and MetasploitExploiting shellshockOverview of shellshockScanning – dirbExploitation – Metasploit
SQL injection
SQL statementsThe UNION operatorThe SQL query exampleAttack potential of the SQL injection flawBlind SQL injectionSQL injection testing methodologyScanning for SQL injectionInformation gatheringSqlmap – automating exploitationBBQSQL – the blind SQL injection frameworkSqlsus – MySQL injectionSqlninja – MS SQL injection
Summary
6. Exploiting Clients Using XSS and CSRF Flaws
The origin of cross-site scriptingIntroduction to JavaScript
An overview of cross-site scripting
Types of cross-site scripting
Persistent XSSReflected XSSDOM-based XSSDefence against DOM-based XSSXSS using the POST Method
XSS and JavaScript – a deadly combination
Cookie stealingKey loggerWebsite defacing
Scanning for XSS flaws
Zed Attack ProxyScoping and selecting modesModes of operationScan policy and attackXsserFeaturesW3afPluginsGraphical interface
Cross-site request forgery
Attack dependenciesAttack methodologyTesting for CSRF flawsCSRF mitigation techniques
Summary
7. Attacking SSL-based Websites
Secure socket layerSSL in web applicationsSSL encryption processAsymmetric encryption versus symmetric encryptionAsymmetric encryption algorithmsSymmetric encryption algorithmHashing for message integrityIdentifying weak SSL implementationsOpenSSL command-line toolSSLScanSSLyzeTesting SSL configuration using NmapSSL man-in-the-middle attackSSL MITM tools in Kali LinuxSSLsplitSSLstripSSL stripping limitations
Summary
8. Exploiting the Client Using Attack Frameworks
Social engineering attacks
Social engineering toolkit
Spear-phishing attack
Website attack
Java applet attackCredential harvester attackWeb jacking attackMetasploit browser exploitTabnabbing attack
Browser exploitation framework
Introducing BeEFBeEF hook injectionBrowser reconnaissanceExploit modulesHost information gatheringPersistence moduleNetwork reconInter-protocol exploitation and communicationExploiting the mutillidae XSS flaw using BeEFInjecting the BeEF hook using MITM
Summary
9. AJAX and Web Services – Security Issues
Introduction to AJAXBuilding blocks of AJAXThe AJAX workflowAJAX security issuesIncrease in attack surfaceExposed programming logic of the applicationInsufficient access controlChallenges of pentesting AJAX applicationsCrawling AJAX applicationsAJAX crawling toolSprajaxAJAX spider – OWASP ZAPAnalyzing client-side code – FirebugThe Script panelThe Console panelThe Network panel
Web services
Introducing SOAP and RESTful web servicesSecuring web servicesInsecure direct object reference vulnerability
Summary
10. Fuzzing Web Applications
Fuzzing basics
Types of fuzzing techniques
Mutation fuzzingGeneration fuzzingApplications of fuzzingNetwork protocol fuzzingFile fuzzingUser interface fuzzingWeb application fuzzingWeb browser fuzzingFuzzer frameworksFuzzing stepsTesting web applications using fuzzingFuzzing input in web applicationsRequest URIHeadersForm fieldsDetecting result of fuzzingWeb application fuzzers in Kali LinuxFuzzing using Burp intruderPowerFuzzer tool
Summary
III. Module 3
1. Setting Up the Lab
Installing the required toolsJava
Android Studio
Setting up an AVD
Real deviceApktoolDex2jar/JD-GUIBurp Suite
Configuring the AVD
DrozerPrerequisitesQARK (No support for windows)Getting readyAdvanced REST Client for ChromeDroid ExplorerCydia Substrate and IntrospySQLite browserFridaSetting up Frida serverSetting up frida-clientTesting the setupVulnerable appsKali Linux
ADB Primer
Checking for connected devicesGetting a shellListing the packagesPushing files to the devicePulling files from the deviceInstalling apps using adbTroubleshooting adb connections
Summary
2. Android Rooting
What is rooting?Why would we root a device?Advantages of rootingUnlimited control over the deviceInstalling additional appsMore features and customizationDisadvantages of rootingIt compromises the security of your deviceBricking your deviceVoids warranty
Locked and unlocked boot loaders
Determining boot loader unlock status on Sony devicesUnlocking boot loader on Sony through a vendor specified methodRooting unlocked boot loaders on a Samsung device
Stock recovery and Custom recovery
Prerequisites
Rooting Process and Custom ROM installation
Installing recovery softwaresUsing OdinUsing Heimdall
Rooting a Samsung Note 2
Flashing the Custom ROM to the phone
Summary
3. Fundamental Building Blocks of Android Apps
Basics of Android appsAndroid app structureHow to get an APK file?Storage location of APK files/data/app//system/app//data/app-private/Example of extracting preinstalled appsExample of extracting user installed apps
Android app components
ActivitiesServicesBroadcast receiversContent providersAndroid app build process
Building DEX files from the command line
What happens when an app is run?
ART – the new Android Runtime
Understanding app sandboxing
UID per appApp sandboxingIs there a way to break out of this sandbox?
Summary
4. Overview of Attacking Android Apps
Introduction to Android appsWeb Based appsNative appsHybrid apps
Understanding the app's attack surface
Mobile application architecture
Threats at the client side
Threats at the backend
Guidelines for testing and securing mobile apps
OWASP Top 10 Mobile Risks (2014)M1: Weak Server-Side ControlsM2: Insecure Data StorageM3: Insufficient Transport Layer ProtectionM4: Unintended Data LeakageM5: Poor Authorization and AuthenticationM6: Broken CryptographyM7: Client-Side InjectionM8: Security Decisions via Untrusted InputsM9: Improper Session HandlingM10: Lack of Binary Protections
Automated tools
DrozerPerforming Android security assessments with DrozerInstalling testapp.apkListing out all the modulesRetrieving package information
Identifying the attack surface
Identifying and exploiting Android app vulnerabilities using DrozerAttacks on exported activitiesWhat is the problem here?
QARK (Quick Android Review Kit)
Running QARK in interactive modeReportingRunning QARK in seamless mode:
Summary
5. Data Storage and Its Security
What is data storage?Android local data storage techniquesShared preferencesSQLite databasesInternal storageExternal storage
Shared preferences
Real world application demo
SQLite databases
Internal storage
External storage
User dictionary cache
Insecure data storage – NoSQL database
NoSQL demo application functionality
Backup techniques
Backup the app data using adb backup commandConvert .ab format to tar format using Android backup extractorExtracting the TAR file using the pax or star utilityAnalyzing the extracted content for security issues
Being safe
Summary
6. Server-Side Attacks
Different types of mobile apps and their threat model
Mobile applications server-side attack surface
Mobile application architecture
Strategies for testing mobile backend
Setting up Burp Suite Proxy for testingProxy setting via APNProxy setting via Wi-FiBypass certificate warnings and HSTSHSTS – HTTP Strict Transport SecurityBypassing certificate pinningBypass SSL pinning using AndroidSSLTrustKillerSetting up a demo applicationInstalling OWASP GoatDroidThreats at the backendRelating OWASP top 10 mobile risks and web attacksAuthentication/authorization issuesAuthentication vulnerabilitiesAuthorization vulnerabilitiesSession managementInsufficient Transport Layer SecurityInput validation related issuesImproper error handlingInsecure data storageAttacks on the database
Summary
7. Client-Side Attacks – Static Analysis Techniques
Attacking application componentsAttacks on activitiesWhat does exported behavior mean to an activity?Intent filtersAttacks on servicesExtending the Binder class:Using a MessengerUsing AIDLAttacking AIDL servicesAttacks on broadcast receiversAttacks on content providersQuerying content providers:Exploiting SQL Injection in content providers using adbQuerying the content providerWriting a where condition:Testing for Injection:Finding the column numbers for further extractionRunning database functionsFinding out SQLite version:Finding out table names
Static analysis using QARK:
Summary
8. Client-Side Attacks – Dynamic Analysis Techniques
Automated Android app assessments using DrozerListing out all the modulesRetrieving package informationFinding out the package name of your target applicationGetting information about a packageDumping the AndroidManifes.xml fileFinding out the attack surface:Attacks on activitiesAttacks on servicesBroadcast receiversContent provider leakage and SQL Injection using DrozerAttacking SQL Injection using DrozerPath traversal attacks in content providersReading /etc/hostsReading kernel versionExploiting debuggable apps
Introduction to Cydia Substrate
Runtime monitoring and analysis using Introspy
Hooking using Xposed framework
Dynamic instrumentation using Frida
What is Frida?PrerequisitesSteps to perform dynamic hooking with Frida
Logging based vulnerabilities
WebView attacks
Accessing sensitive local resources through file schemeOther WebView issues
Summary
9. Android Malware
What do Android malwares do?
Writing Android malwares
Writing a simple reverse shell Trojan using socket programming
Registering permissions
Writing a simple SMS stealerThe user interfaceCode for MainActivity.javaCode for reading SMSCode for the uploadData() methodComplete code for MainActivity.javaRegistering permissionsCode on the serverA note on infecting legitimate apps
Malware analysis
Static analysisDisassembling Android apps using ApktoolExploring the AndroidManifest.xml fileExploring smali filesDecompiling Android apps using dex2jar and JD-GUIDynamic analysisAnalyzing HTTP/HTTPS traffic using BurpAnalysing network traffic using tcpdump and Wireshark
Tools for automated analysis
How to be safe from Android malwares?
Summary
10. Attacks on Android Devices
MitM attacks
Dangers with apps that provide network level access
Using existing exploits
Malware
Bypassing screen locks
Bypassing pattern lock using adbRemoving the gesture.key fileCracking SHA1 hashes from the gesture.key fileBypassing password/PIN using adbBypassing screen locks using CVE-2013-6271
Pulling data from the sdcard
Summary
A. Bibliography
Index

Content preview from Penetration Testing: A Survival Guide

Strategies for testing mobile backend

As we have discussed, backend testing is pretty much web application testing, however, there are a few things we need to set up, to be able to see HTTP/HTTPS traffic in our favorite proxy, Burp Suite.

Setting up Burp Suite Proxy for testing

In order to test server-side vulnerabilities present in mobile apps, a proxy is an indispensable tool in a tester's arsenal. There are quite a few ways to configure the proxy based on what network you are using and the availability of an emulator/physical device. In this section, we will explore two such options to configure Burp Suite via Wi-Fi and APNs.

First step in this process is to make our proxy listen on a port, in our case it's 8082:

Go to Proxy | Options from the ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781787287839Purchase Link

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Penetration Testing: A Survival Guide

by Wolf Halton, Bo Weaver, Juned Ahmed Ansari, Srinivasa Rao Kotipalli, Mohammed A. Imran

Strategies for testing mobile backend

Setting up Burp Suite Proxy for testing

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Penetration Testing and Network Defense

Practical Web Penetration Testing

Penetration Testing For Dummies

Advanced Penetration Testing

Publisher Resources