book

Penetration Testing: A Survival Guide

by Wolf Halton, Bo Weaver, Juned Ahmed Ansari, Srinivasa Rao Kotipalli, Mohammed A. Imran

January 2017

Beginner to intermediate

1045 pages

22h 24m

English

Packt Publishing

Read now

Unlock full access

What this learning path covers

Installing Kali Linux to an encrypted USB drivePrerequisites for installationBooting UpInstalling configurationSetting up the driveBooting your new installation of Kali
Gedit – the Gnome text editorTerminator – the terminal emulator for multitaskingEtherApe – the graphical protocol analysis tool
KeepNote – the standalone document organizerDradis – the web-based document organizer
Footprinting the networkExploring the network with NmapZenmapThe difference verbosity makesScanning a network range
Choosing the appropriate time and tool
Interpreting the scan and building on the resultExploiting poor patch managementFinding out whether anyone is home
Mapping the network to pivot
Grabbing system on the targetSetting Up the routeExploring the inner networkAbusing the Windows NET USE commandAdding a Windows user from the command line
Surveying the webscapeConcept of Robots.txtConcept of .htaccessQuick solutions to cross-site scriptingReducing buffer overflowsAvoiding SQL injection
Working with a single known hostDiscovering new machines with NMap
Using ZAP as an attack proxyReading the ZAP interface
Targeting the test subjectUsing Burp Suite as a ProxyInstalling the Burp Suite security certificateSpidering a site with Burp Spider
Sniffing and spoofing network traffic
Basic sniffing with tcpdumpMore basic sniffing with WinDump (Windows tcpdump)Packet hunting with WiresharkDissecting the packetSwimming with Wireshark
EttercapUsing Ettercap on the command line
Password attack planningCracking the NTLM code (Revisited)Password listsCleaning a password list
Gaining access with Metasploit
Robbing the Hives with samdump2Owning the registry with chntpw
Preparing to use WeevelyCreating an agentTesting Weevely locallyTesting Weevely on a Windows serverGetting help in WeevelyGetting the system infoUsing filesystem commands in WeevelyWriting into files
Maintaining accessCovering our tracks
Phoning Home with Metasploit
Setting up a test environmentCreating your victim machine(s)Testing your testing environment
One general theory of reverse engineering
Reviewing a while loop structureReviewing the for loop structureUnderstanding the decision points
Demystifying debuggersUsing the Valgrind Debugger to discover memory leaksTranslating your app to assembler with the EDB-DebuggerEDB-Debugger symbol mapperRunning OllyDbgIntroduction to disassemblersRunning JADCreate your own disassembling code with CapstoneSome miscellaneous reverse engineering toolsRunning Radare2Additional members of the Radare2 tool suiteRunning rasm2Running rahash2Running radiff2Running rafind2Running rax2
Dealing with DenialPutting the network under SiegeConfiguring your Siege engine
Getting into Digital Forensics
Starting Kali for ForensicsAcquiring a drive to be legal evidenceCloning With Guymager
Proactive security testingWho is a hacker?Different testing methodologiesEthical hackingPenetration testingVulnerability assessmentSecurity audits
Black box testing or Gray box testingClient contact detailsClient IT team notificationsSensitive data handlingStatus meeting
Training employees to defeat social engineering attacks
HTTP protocolRequest and response headerThe request headerThe response headerImportant HTTP methods for penetration testingThe GET/POST methodThe HEAD methodThe TRACE methodThe PUT and DELETE methodsThe OPTIONS methodSession tracking using cookiesCookieCookie flow between server and clientPersistent and non-persistent cookiesCookie parametersHTML data in HTTP responseMulti-tier web application
Kali LinuxImprovements in Kali Linux 2.0Installing Kali LinuxUSB modeVMware and ARM images of Kali LinuxKali Linux on Amazon cloudInstalling Kali Linux on a hard driveKali Linux-virtualizing versus installing on physical hardware
Web application proxiesBurp proxyCustomizing client interceptionModifying requests on the flyBurp proxy with SSL-based websitesWebScarab and Zed Attack ProxyProxyStrikeWeb vulnerability scannerNiktoSkipfishWeb Crawler – DirbusterOpenVASDatabase exploitationCMS identification toolsWeb application fuzzers
Steps to set up Tor and connect anonymouslyVisualization of a web request through TorFinal words for Tor
ReconnaissancePassive reconnaissance versus active reconnaissanceReconnaissance – information gatheringDomain registration detailsWhois – extracting domain informationIdentifying hosts using DNSZone transfer using digBrute force DNS records using NmapThe Recon-ng tool – a framework for information gatheringDomain enumeration using recon-ngSub-level and top-level domain enumerationReporting modules
Port scanning using NmapDifferent options for port scanEvading firewalls and IPS using NmapSpotting a firewall using back checksum option in NmapIdentifying the operating system using NmapProfiling the serverApplication version fingerprintingThe Nmap version scanThe Amap version scanFingerprinting the web application frameworkThe HTTP headerThe Whatweb scannerIdentifying virtual hostsLocating virtual hosts using search enginesThe virtual host lookup module in Recon-ngIdentifying load balancersCookie-based load balancerOther ways of identifying load balancersScanning web servers for vulnerabilities and misconfigurationsIdentifying HTTP methods using NmapTesting web servers using auxiliary modules in MetasploitAutomating scanning using the WMAP web scanner pluginVulnerability scanning and graphical reports – the Skipfish web application scannerSpidering web applicationsThe Burp spiderApplication login
Information leakageDirectory browsingDirectory browsing using DirBusterComments in HTML codeMitigation
Authentication protocols and flawsBasic authenticationDigest authenticationIntegrated authenticationForm-based authenticationBrute forcing credentialsHydra – a brute force password cracker
Attacking path traversal using Burp proxyMitigation
Command injectionSQL injection
Attack potential of cross-site scripting attacks
Different ways to steal tokensBrute forcing tokensSniffing tokens and man-in-the-middle attacksStealing session tokens using XSS attackSession token sharing between application and browserTools to analyze tokensSession fixation attackMitigation for session fixation
Remote file includeLocal file includeMitigation for file inclusion attacks
Mitigation
Mitigation
Command injectionIdentifying parameters to inject dataError-based and blind command injectionMetacharacters for command separatorScanning for command injectionCreating a cookie file for authenticationExecuting WapitiExploiting command injection using MetasploitPHP shell and MetasploitExploiting shellshockOverview of shellshockScanning – dirbExploitation – Metasploit
SQL statementsThe UNION operatorThe SQL query exampleAttack potential of the SQL injection flawBlind SQL injectionSQL injection testing methodologyScanning for SQL injectionInformation gatheringSqlmap – automating exploitationBBQSQL – the blind SQL injection frameworkSqlsus – MySQL injectionSqlninja – MS SQL injection
The origin of cross-site scriptingIntroduction to JavaScript
Persistent XSSReflected XSSDOM-based XSSDefence against DOM-based XSSXSS using the POST Method
Cookie stealingKey loggerWebsite defacing
Zed Attack ProxyScoping and selecting modesModes of operationScan policy and attackXsserFeaturesW3afPluginsGraphical interface
Attack dependenciesAttack methodologyTesting for CSRF flawsCSRF mitigation techniques
Secure socket layerSSL in web applicationsSSL encryption processAsymmetric encryption versus symmetric encryptionAsymmetric encryption algorithmsSymmetric encryption algorithmHashing for message integrityIdentifying weak SSL implementationsOpenSSL command-line toolSSLScanSSLyzeTesting SSL configuration using NmapSSL man-in-the-middle attackSSL MITM tools in Kali LinuxSSLsplitSSLstripSSL stripping limitations
Social engineering attacks
Java applet attackCredential harvester attackWeb jacking attackMetasploit browser exploitTabnabbing attack
Introducing BeEFBeEF hook injectionBrowser reconnaissanceExploit modulesHost information gatheringPersistence moduleNetwork reconInter-protocol exploitation and communicationExploiting the mutillidae XSS flaw using BeEFInjecting the BeEF hook using MITM
Introduction to AJAXBuilding blocks of AJAXThe AJAX workflowAJAX security issuesIncrease in attack surfaceExposed programming logic of the applicationInsufficient access controlChallenges of pentesting AJAX applicationsCrawling AJAX applicationsAJAX crawling toolSprajaxAJAX spider – OWASP ZAPAnalyzing client-side code – FirebugThe Script panelThe Console panelThe Network panel
Introducing SOAP and RESTful web servicesSecuring web servicesInsecure direct object reference vulnerability
Fuzzing basics
Mutation fuzzingGeneration fuzzingApplications of fuzzingNetwork protocol fuzzingFile fuzzingUser interface fuzzingWeb application fuzzingWeb browser fuzzingFuzzer frameworksFuzzing stepsTesting web applications using fuzzingFuzzing input in web applicationsRequest URIHeadersForm fieldsDetecting result of fuzzingWeb application fuzzers in Kali LinuxFuzzing using Burp intruderPowerFuzzer tool
Installing the required toolsJava
Real deviceApktoolDex2jar/JD-GUIBurp Suite
DrozerPrerequisitesQARK (No support for windows)Getting readyAdvanced REST Client for ChromeDroid ExplorerCydia Substrate and IntrospySQLite browserFridaSetting up Frida serverSetting up frida-clientTesting the setupVulnerable appsKali Linux
Checking for connected devicesGetting a shellListing the packagesPushing files to the devicePulling files from the deviceInstalling apps using adbTroubleshooting adb connections
What is rooting?Why would we root a device?Advantages of rootingUnlimited control over the deviceInstalling additional appsMore features and customizationDisadvantages of rootingIt compromises the security of your deviceBricking your deviceVoids warranty
Determining boot loader unlock status on Sony devicesUnlocking boot loader on Sony through a vendor specified methodRooting unlocked boot loaders on a Samsung device
Prerequisites
Installing recovery softwaresUsing OdinUsing Heimdall
Basics of Android appsAndroid app structureHow to get an APK file?Storage location of APK files/data/app//system/app//data/app-private/Example of extracting preinstalled appsExample of extracting user installed apps
ActivitiesServicesBroadcast receiversContent providersAndroid app build process
ART – the new Android Runtime
UID per appApp sandboxingIs there a way to break out of this sandbox?
Introduction to Android appsWeb Based appsNative appsHybrid apps
Mobile application architecture
OWASP Top 10 Mobile Risks (2014)M1: Weak Server-Side ControlsM2: Insecure Data StorageM3: Insufficient Transport Layer ProtectionM4: Unintended Data LeakageM5: Poor Authorization and AuthenticationM6: Broken CryptographyM7: Client-Side InjectionM8: Security Decisions via Untrusted InputsM9: Improper Session HandlingM10: Lack of Binary Protections
DrozerPerforming Android security assessments with DrozerInstalling testapp.apkListing out all the modulesRetrieving package information
Identifying and exploiting Android app vulnerabilities using DrozerAttacks on exported activitiesWhat is the problem here?
Running QARK in interactive modeReportingRunning QARK in seamless mode:
What is data storage?Android local data storage techniquesShared preferencesSQLite databasesInternal storageExternal storage
Real world application demo
NoSQL demo application functionality
Backup the app data using adb backup commandConvert .ab format to tar format using Android backup extractorExtracting the TAR file using the pax or star utilityAnalyzing the extracted content for security issues
Different types of mobile apps and their threat model
Mobile application architecture
Setting up Burp Suite Proxy for testingProxy setting via APNProxy setting via Wi-FiBypass certificate warnings and HSTSHSTS – HTTP Strict Transport SecurityBypassing certificate pinningBypass SSL pinning using AndroidSSLTrustKillerSetting up a demo applicationInstalling OWASP GoatDroidThreats at the backendRelating OWASP top 10 mobile risks and web attacksAuthentication/authorization issuesAuthentication vulnerabilitiesAuthorization vulnerabilitiesSession managementInsufficient Transport Layer SecurityInput validation related issuesImproper error handlingInsecure data storageAttacks on the database
Attacking application componentsAttacks on activitiesWhat does exported behavior mean to an activity?Intent filtersAttacks on servicesExtending the Binder class:Using a MessengerUsing AIDLAttacking AIDL servicesAttacks on broadcast receiversAttacks on content providersQuerying content providers:Exploiting SQL Injection in content providers using adbQuerying the content providerWriting a where condition:Testing for Injection:Finding the column numbers for further extractionRunning database functionsFinding out SQLite version:Finding out table names
Automated Android app assessments using DrozerListing out all the modulesRetrieving package informationFinding out the package name of your target applicationGetting information about a packageDumping the AndroidManifes.xml fileFinding out the attack surface:Attacks on activitiesAttacks on servicesBroadcast receiversContent provider leakage and SQL Injection using DrozerAttacking SQL Injection using DrozerPath traversal attacks in content providersReading /etc/hostsReading kernel versionExploiting debuggable apps
What is Frida?PrerequisitesSteps to perform dynamic hooking with Frida
Accessing sensitive local resources through file schemeOther WebView issues
What do Android malwares do?
Writing a simple reverse shell Trojan using socket programming
Writing a simple SMS stealerThe user interfaceCode for MainActivity.javaCode for reading SMSCode for the uploadData() methodComplete code for MainActivity.javaRegistering permissionsCode on the serverA note on infecting legitimate apps
Static analysisDisassembling Android apps using ApktoolExploring the AndroidManifest.xml fileExploring smali filesDecompiling Android apps using dex2jar and JD-GUIDynamic analysisAnalyzing HTTP/HTTPS traffic using BurpAnalysing network traffic using tcpdump and Wireshark
How to be safe from Android malwares?
MitM attacks
Bypassing pattern lock using adbRemoving the gesture.key fileCracking SHA1 hashes from the gesture.key fileBypassing password/PIN using adbBypassing screen locks using CVE-2013-6271

Content preview from Penetration Testing: A Survival Guide

Malware analysis

This section shows how to analyze Android malwares using both static and dynamic analysis techniques. We are going to use reverse engineering techniques that are commonly used in the real world to analyze malware using static analysis techniques. tcpdump is going to be used for dynamic analysis of the app to see the network calls being made by the app. We can also use tools such as introspy to capture the other sensitive API calls being made by the app. This section shows the analysis of the SMS stealer application that we used earlier.

Static analysis

Let's begin with static analysis using reverse engineering techniques. When an app has to be analyzed for malicious behavior, it is easier if we have access to its source code.