book

Penetration Testing

Name: Penetration Testing
Author: Georgia Weidman
ISBN: 9781593275648

by Georgia Weidman

May 2014

Intermediate to advanced

528 pages

13h 27m

English

No Starch Press

Read now

Unlock full access

Dedication
About the Author
Foreword
Acknowledgments
Introduction
A Note of ThanksAbout This BookPart I: The BasicsPart II: AssessmentsPart III: AttacksPart IV: Exploit DevelopmentPart V: Mobile Hacking
Penetration Testing Primer
The Stages of the Penetration TestPre-engagementInformation GatheringThreat ModelingVulnerability AnalysisExploitationPost ExploitationReportingExecutive SummaryTechnical ReportSummary
I. The Basics
1. Setting Up Your Virtual Lab
Installing VMwareSetting Up Kali LinuxConfiguring the Network for Your Virtual MachineVMware Player on Microsoft WindowsVMware Fusion on Mac OSConnecting the Virtual Machine to the NetworkTesting Your Internet AccessInstalling NessusInstalling Additional SoftwareThe Ming C CompilerHyperionVeil-EvasionEttercapSetting Up Android EmulatorsSmartphone Pentest FrameworkTarget Virtual MachinesCreating the Windows XP TargetVMware Player on Microsoft WindowsVMware Fusion on Mac OSInstalling and Activating WindowsInstalling VMware ToolsVMware Player on Microsoft WindowsVMware Fusion on Mac OSTurning Off Windows FirewallSetting User PasswordsSetting a Static IP AddressMaking XP Act Like It’s a Member of a Windows DomainInstalling Vulnerable SoftwareZervit 0.4SLMail 5.53Com TFTP 2.0.1XAMPP 1.7.2Adobe Acrobat ReaderWar-FTPWinSCPInstalling Immunity Debugger and MonaSetting Up the Ubuntu 8.10 TargetCreating the Windows 7 TargetCreating a User AccountOpting Out of Automatic UpdatesSetting a Static IP AddressAdding a Second Network InterfaceInstalling Additional SoftwareSummary
2. Using Kali Linux
Linux Command LineThe Linux FilesystemChanging DirectoriesLearning About Commands: The Man PagesUser PrivilegesAdding a UserAdding a User to the sudoers FileSwitching Users and Using sudoCreating a New File or DirectoryCopying, Moving, and Removing FilesAdding Text to a FileAppending Text to a FileFile PermissionsEditing FilesSearching for TextEditing a File with viData ManipulationUsing grepUsing sedPattern Matching with awkManaging Installed PackagesProcesses and ServicesManaging NetworkingSetting a Static IP AddressViewing Network ConnectionsNetcat: The Swiss Army Knife of TCP/IP ConnectionsCheck to See If a Port Is ListeningOpening a Command Shell ListenerPushing a Command Shell Back to a ListenerAutomating Tasks with cron JobsSummary
3. Programming
Bash ScriptingPingA Simple Bash ScriptRunning Our ScriptAdding Functionality with if StatementsA for LoopStreamlining the ResultsPython ScriptingConnecting to a Portif Statements in PythonWriting and Compiling C ProgramsSummary

4. Using the Metasploit Framework
Starting MetasploitFinding Metasploit ModulesThe Module DatabaseBuilt-In SearchSetting Module OptionsRHOSTRPORTSMBPIPEExploit TargetPayloads (or Shellcode)Finding Compatible PayloadsA Test RunTypes of ShellsBind ShellsReverse ShellsSetting a Payload ManuallyMsfcliGetting HelpShowing OptionsPayloadsCreating Standalone Payloads with MsfvenomChoosing a PayloadSetting OptionsChoosing an Output FormatServing PayloadsUsing the Multi/Handler ModuleUsing an Auxiliary ModuleSummary
II. Assessments
5. Information Gathering
Open Source Intelligence GatheringNetcraftWhois LookupsDNS ReconnaissanceNslookupHostZone TransfersSearching for Email AddressesMaltegoPort ScanningManual Port ScanningPort Scanning with NmapA SYN ScanA Version ScanUDP ScansScanning a Specific PortSummary
6. Finding Vulnerabilities
From Nmap Version Scan to Potential VulnerabilityNessusNessus PoliciesScanning with NessusA Note About Nessus RankingsWhy Use Vulnerability Scanners?Exporting Nessus ResultsResearching VulnerabilitiesThe Nmap Scripting EngineRunning a Single NSE ScriptMetasploit Scanner ModulesMetasploit Exploit Check FunctionsWeb Application ScanningNiktoAttacking XAMPPDefault CredentialsManual AnalysisExploring a Strange PortFinding Valid UsernamesSummary
7. Capturing Traffic
Networking for Capturing TrafficUsing WiresharkCapturing TrafficFiltering TrafficFollowing a TCP StreamDissecting PacketsARP Cache PoisoningARP BasicsIP ForwardingARP Cache Poisoning with ArpspoofUsing ARP Cache Poisoning to Impersonate the Default GatewayDNS Cache PoisoningGetting StartedUsing DnsspoofSSL AttacksSSL BasicsUsing Ettercap for SSL Man-in-the-Middle AttacksSSL StrippingUsing SSLstripSummary
III. Attacks
8. Exploitation
Revisiting MS08-067Metasploit PayloadsStaged PayloadsInline PayloadsMeterpreterExploiting WebDAV Default CredentialsRunning a Script on the Target Web ServerUploading a Msfvenom PayloadExploiting Open phpMyAdminDownloading a File with TFTPDownloading Sensitive FilesDownloading a Configuration FileDownloading the Windows SAMExploiting a Buffer Overflow in Third-Party SoftwareExploiting Third-Party Web ApplicationsExploiting a Compromised ServiceExploiting Open NFS SharesSummary
9. Password Attacks
Password ManagementOnline Password AttacksWordlistsUser ListsPassword ListsGuessing Usernames and Passwords with HydraOffline Password AttacksRecovering Password Hashes from a Windows SAM FileDumping Password Hashes with Physical AccessLM vs. NTLM Hashing AlgorithmsThe Trouble with LM Password HashesJohn the RipperCracking Linux PasswordsCracking Configuration File PasswordsRainbow TablesOnline Password-Cracking ServicesDumping Plaintext Passwords from Memory with Windows Credential EditorSummary
10. Client-Side Exploitation
Bypassing Filters with Metasploit PayloadsAll PortsHTTP and HTTPS PayloadsClient-Side AttacksBrowser ExploitationRunning Scripts in a Meterpreter SessionAdvanced ParametersPDF ExploitsExploiting a PDF VulnerabilityPDF Embedded ExecutableJava ExploitsJava VulnerabilitySigned Java Appletbrowser_autopwnWinampSummary
11. Social Engineering
The Social-Engineer ToolkitSpear-Phishing AttacksChoosing a PayloadSetting OptionsNaming Your FileSingle or Mass EmailCreating the TemplateSetting the TargetSetting Up a ListenerWeb AttacksMass Email AttacksMultipronged AttacksSummary
12. Bypassing Antivirus Applications
TrojansMsfvenomHow Antivirus Applications WorkMicrosoft Security EssentialsVirusTotalGetting Past an Antivirus ProgramEncodingCustom Cross CompilingEncrypting Executables with HyperionEvading Antivirus with Veil-EvasionPython Shellcode Injection with Windows APIsCreating Encrypted Python-Generated Executables with Veil-EvasionHiding in Plain SightSummary
13. Post Exploitation
MeterpreterUsing the upload CommandgetuidOther Meterpreter CommandsMeterpreter ScriptsMetasploit Post-Exploitation ModulesRailgunLocal Privilege Escalationgetsystem on WindowsLocal Escalation Module for WindowsBypassing UAC on WindowsUdev Privilege Escalation on LinuxFinding a VulnerabilityFinding an ExploitCopying and Compiling the Exploit on the TargetAdding Code to the /tmp/run FileLocal Information GatheringSearching for FilesKeyloggingGathering Credentialsnet CommandsAnother Way InChecking Bash HistoryLateral MovementPSExecPass the HashSSHExecToken ImpersonationIncognitoSMB CapturePivotingAdding a Route in MetasploitMetasploit Port ScannersRunning an Exploit through a PivotSocks4a and ProxyChainsPersistenceAdding a UserMetasploit PersistenceCreating a Linux cron JobSummary
14. Web Application Testing
Using Burp ProxySQL InjectionTesting for SQL Injection VulnerabilitiesExploiting SQL Injection VulnerabilitiesUsing SQLMapXPath InjectionLocal File InclusionRemote File InclusionCommand ExecutionCross-Site ScriptingChecking for a Reflected XSS VulnerabilityLeveraging XSS with the Browser Exploitation FrameworkCross-Site Request ForgeryWeb Application Scanning with w3afSummary
15. Wireless Attacks
Setting UpViewing Available Wireless InterfacesScan for Access PointsMonitor ModeCapturing PacketsOpen WirelessWired Equivalent PrivacyWEP WeaknessesCracking WEP Keys with Aircrack-ngInjecting PacketsGenerating IVs with the ARP Request Relay AttackGenerating an ARP RequestCracking the KeyChallenges with WEP CrackingWi-Fi Protected AccessWPA2The Enterprise Connection ProcessThe Personal Connection ProcessThe Four-Way HandshakeCracking WPA/WPA2 KeysUsing Aircrack-ng to Crack WPA/WPA2 KeysWi-Fi Protected SetupProblems with WPSCracking WPS with BullySummary
IV. Exploit Development
16. A Stack-Based Buffer Overflow in Linux
Memory TheoryLinux Buffer OverflowA Vulnerable ProgramCausing a CrashRunning GDBCrashing the Program in GDBControlling EIPHijacking ExecutionEndiannessSummary
17. A Stack-Based Buffer Overflow in Windows
Searching for a Known Vulnerability in War-FTPCausing a CrashLocating EIPGenerating a Cyclical Pattern to Determine OffsetVerifying OffsetsHijacking ExecutionGetting a ShellSummary
18. Structured Exception Handler Overwrites
SEH Overwrite ExploitsPassing Control to SEHFinding the Attack String in MemoryPOP POP RETSafeSEHUsing a Short JumpChoosing a PayloadSummary
19. Fuzzing, Porting Exploits, and Metasploit Modules
Fuzzing ProgramsFinding Bugs with Code ReviewFuzzing a Trivial FTP ServerAttempting a CrashPorting Public Exploits to Meet Your NeedsFinding a Return AddressReplacing ShellcodeEditing the ExploitWriting Metasploit ModulesA Similar Exploit String ModulePorting Our Exploit CodeExploitation Mitigation TechniquesStack CookiesAddress Space Layout RandomizationData Execution PreventionMandatory Code SigningSummary
V. Mobile Hacking
20. Using the Smartphone Pentest Framework
Mobile Attack VectorsText MessagesNear Field CommunicationQR CodesThe Smartphone Pentest FrameworkSetting Up SPFAndroid EmulatorsAttaching a Mobile ModemBuilding the Android AppDeploying the AppAttaching the SPF Server and AppRemote AttacksDefault iPhone SSH LoginClient-Side AttacksClient-Side ShellUSSD Remote ControlMalicious AppsCreating Malicious SPF AgentsBackdooring Source CodeBackdooring APKsMobile Post ExploitationInformation GatheringRemote ControlPivoting Through Mobile DevicesPortscanning with NmapExploiting a System on the Local NetworkPrivilege EscalationSummary
A. Resources
Chapter 0: Penetration Testing PrimerChapter 2: Using Kali LinuxChapter 3: ProgrammingChapter 4: Using the Metasploit FrameworkChapter 5: Information GatheringChapter 6: Finding VulnerabilitiesChapter 7: Capturing TrafficChapter 8: ExploitationChapter 9: Password AttacksChapter 11: Social EngineeringChapter 12: Bypassing Antivirus ApplicationsChapter 13: Post ExploitationChapter 14: Web Application TestingChapter 15: Wireless AttacksChapters 16–19: Exploit DevelopmentChapter 20: Using the Smartphone Pentest FrameworkCourses
Downloading the Software to Build Your Virtual Lab
Index
About the Author
Copyright

Content preview from Penetration Testing

Chapter 18. Structured Exception Handler Overwrites

When something goes wrong and causes a program to crash, it has caused an exception. Accessing an invalid memory location is one type of exception a program can encounter.

Windows systems use a method called structured exception handlers (SEH) to deal with program exceptions as they arise. SEH are similar to try/catch blocks in Java: Code is executed, and if something goes wrong, the function stops executing and passes execution to SEH.

Each function can have its own SEH registration entry. An SEH registration record is eight bytes long, consisting of a pointer to the next SEH record (NSEH) followed by the memory address of the exception handler, as illustrated in Figure 18-1. The list of all the ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781457185342Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Penetration Testing

by Georgia Weidman

Chapter 18. Structured Exception Handler Overwrites

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.