1st Edition

Ethical Hacking and Penetration Testing Guide

By Rafay Baloch Copyright 2015
532 Pages 835 B/W Illustrations
by Auerbach Publications

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools,...

Introduction to Hacking
Important Terminologies
     Asset
     Vulnerability
     Threat
     Exploit
     Risk
     What Is a Penetration Test?
     Vulnerability Assessments versus Penetration Test
     Pre-Engagement
     Rules of Engagement
     Milestones
     Penetration Testing Methodologies
     OSSTMM
     NIST
     OWASP
Categories of Penetration Test
     Black Box
     White Box
     Gray Box
     Types of Penetration Tests
          Network Penetration Test
          Web Application Penetration Test
          Mobile Application Penetration Test
          Social Engineering Penetration Test
          Physical Penetration Test
     Report Writing
     Understanding the Audience
          Executive Class
          Management Class
          Technical Class
Writing Reports
Structure of a Penetration Testing Report
     Cover Page
     Table of Contents
     Executive Summary
     Remediation Report
Vulnerability Assessment Summary
     Tabular Summary
Risk Assessment
     Risk Assessment Matrix
Methodology
     Detailed Findings
          Description
          Explanation
          Risk
          Recommendation
     Reports
Conclusion

Linux Basics
Major Linux Operating Systems
File Structure inside of Linux
Permissions in Linux
Special Permissions
Users inside of Linux
     Linux Services
     Linux Password Storage
     Linux Logging
Common Applications of Linux
What Is BackTrack?
     How to Get BackTrack 5 Running?
     Installing BackTrack on Virtual Box
     Installing BackTrack on a Portable USB
     Installing BackTrack on Your Hard Drive
     BackTrack Basics
Changing the Default Screen Resolution
     Some Unforgettable Basics
          Changing the Password
          Clearing the Screen
          Listing the Contents of a Directory
          Displaying Contents of a Specific Directory
          Displaying the Contents of a File
          Creating a Directory
          Changing the Directories
          Windows
          Linux
          Creating a Text File
          Copying a File
          Current Working Directory
          Renaming a File
          Moving a File
          Removing a File
     Locating Certain Files inside BackTrack
Text Editors inside BackTrack
Getting to Know Your Network
     Dhclient
Services
     MySQL
     SSHD
     Postgresql
Other Online Resources

Information Gathering Techniques
Active Information Gathering
Passive Information Gathering
Sources of Information Gathering
Copying Websites Locally
     Information Gathering with Whois
     Finding Other Websites Hosted on the Same Server
YouGetSignal.com
     Tracing the Location
     Traceroute
     ICMP Traceroute
     TCP Traceroute
          Usage
     UDP Traceroute
          Usage
NeoTrace
Cheops-ng
     Enumerating and Fingerprinting the Webservers
Intercepting a Response
     Acunetix Vulnerability Scanner
WhatWeb
Netcraft
     Google Hacking
Some Basic Parameters
     Site
Example
TIP regarding Filetype
     Google Hacking Database
Hackersforcharity.org/ghdb
Xcode Exploit Scanner
     File Analysis
     Foca
     Harvesting E-Mail Lists
     Gathering Wordlist from a Target Website
     Scanning for Subdomains
     TheHarvester
     Fierce in BackTrack
     Scanning for SSL Version
     DNS Enumeration
Interacting with DNS Servers
Nslookup
DIG
     Forward DNS Lookup
Forward DNS Lookup with Fierce
     Reverse DNS
     Reverse DNS Lookup with Dig
Reverse DNS Lookup with Fierce
     Zone Transfers
Zone Transfer with Host Command
Automating Zone Transfers
     DNS Cache Snooping
What Is DNS Cache Snooping?
     Nonrecursive Method
     Recursive Method
What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?
Attack Scenario
Automating DNS Cache Snooping Attacks
     Enumerating SNMP
Problem with SNMP
Sniffing SNMP Passwords
OneSixtyOne
Snmpenum
SolarWinds Toolset
SNMP Sweep
SNMP Brute Force and Dictionary
SNMP Brute Force Tool
SNMP Dictionary Attack Tool
SMTP Enumeration
     Detecting Load Balancers
     Load Balancer Detector
     Determining Real IP behind Load Balancers
     Bypassing CloudFlare Protection
          Method 1: Resolvers
          Method 2: Subdomain Trick
          Method 3: Mail Servers
Intelligence Gathering Using Shodan
Further Reading
Conclusion

Target Enumeration and Port Scanning Techniques
Host Discovery
Scanning for Open Ports and Services
Types of Port Scanning
Understanding the TCP Three-Way Handshake
TCP Flags
Port Status Types
TCP SYN Scan
TCP Connect Scan
NULL, FIN, and XMAS Scans
NULL Scan
FIN Scan
XMAS Scan
TCP ACK Scan
Responses
UDP Port Scan
Anonymous Scan Types
IDLE Scan
Scanning for a Vulnerable Host
Performing an IDLE Scan with NMAP
TCP FTP Bounce Scan
Service Version Detection
OS Fingerprinting
POF
Output
     Normal Format
     Grepable Format
     XML Format
Advanced Firewall/IDS Evading Techniques
Timing Technique
Wireshark Output
Fragmented Packets
Wireshark Output
Source Port Scan
Specifying an MTU
Sending Bad Checksums
Decoys
ZENMAP
Further Reading

Vulnerability Assessment
What Are Vulnerability Scanners and How Do They Work?
Pros and Cons of a Vulnerability Scanner
Vulnerability Assessment with Nmap
Updating the Database
Scanning MS08_067_netapi
Testing SCADA Environments with Nmap
     Installation
     Usage
Nessus Vulnerability Scanner
     Home Feed
     Professional Feed
Installing Nessus on BackTrack
Adding a User
     Nessus Control Panel
          Reports
          Mobile
          Policies
          Users
          Configuration
     Default Policies
Creating a New Policy
Safe Checks
Silent Dependencies
     Avoid Sequential Scans
Port Range
     Credentials
     Plug-Ins
Preferences
     Scanning the Target
Nessus Integration with Metasploit
Importing Nessus to Metasploit
     Scanning the Target
     Reporting
     OpenVas
Resource
     Vulnerability Data Resources
     Exploit Databases
Using Exploit-db with BackTrack
Searching for Exploits inside BackTrack
Conclusion

Network Sniffing
Introduction
Types of Sniffing
     Active Sniffing
     Passive Sniffing
Hubs versus Switches
Promiscuous versus Nonpromiscuous Mode
MITM Attacks
ARP Protocol Basics
How ARP Works?
ARP Attacks
     MAC Flooding
          Macof
     ARP Poisoning
Scenario—How It Works?
Denial of Service Attacks
Tools in the Trade
     Dsniff
Using ARP Spoof to Perform MITM Attacks
     Usage
Sniffing the Traffic with Dsniff
Sniffing Pictures with Driftnet
Urlsnarf and Webspy
Sniffing with Wireshark
Ettercap
ARP Poisoning with Ettercap
Hijacking Session with MITM Attack
Attack Scenario
ARP Poisoning with Cain and Abel
Sniffing Session Cookies with Wireshark
Hijacking the Session
SSL Strip: Stripping HTTPS Traffic
Requirements
     Usage
Automating Man in the Middle Attacks
     Usage
DNS Spoofing
     ARP Spoofing Attack
     Manipulating the DNS Records
     Using Ettercap to Launch DNS Spoofing Attack
DHCP Spoofing
Conclusion

Remote Exploitation
Understanding Network Protocols
     Transmission Control Protocol
     User Datagram Protocol
     Internet Control Messaging Protocol
Server Protocols
     Text-Based Protocols (Important)
     Binary Protocols
          FTP
          SMTP
          HTTP
Further Reading
Resources
Attacking Network Remote Services
     Overview of Brute Force Attacks
          Traditional Brute Force
          Dictionary Attacks
          Hybrid Attacks
Common Target Protocols
Tools of the Trade
     THC Hydra
Basic Syntax for Hydra
     Cracking Services with Hydra
Hydra GUI
     Medusa
Basic Syntax
OpenSSH Username Discovery Bug
Cracking SSH with Medusa
     Ncrack
Basic Syntax
Cracking an RDP with Ncrack
     Case Study of a Morto Worm
Combining Nmap and Ncrack for Optimal Results
     Attacking SMTP
Important Commands
Real-Life Example
Attacking SQL Servers
     MySQL Servers
Fingerprinting MySQL Version
Testing for Weak Authentication
MS SQL Servers
Fingerprinting the Version
Brute Forcing SA Account
Using Null Passwords
Introduction to Metasploit
History of Metasploit
Metasploit Interfaces
MSFconsole
     MSFcli
     MSFGUI
     Armitage
Metasploit Utilities
MSFPayload
MSFencode
MSFVenom
Metasploit Basic Commands
Search Feature in Metasploit
Use Command
Info Command
Show Options
Set/Unset Command
Reconnaissance with Metasploit
Port Scanning with Metasploit
Metasploit Databases
Storing Information from Nmap into Metasploit Database
Useful Scans with Metasploit
     Port Scanners
     Specific Scanners
Compromising a Windows Host with Metasploit
Metasploit Autopwn
db_autopwn in Action
Nessus and Autopwn
     Armitage
Interface
Launching Armitage
Compromising Your First Target from Armitage
Enumerating and Fingerprinting the Target
MSF Scans
Importing Hosts
Vulnerability Assessment
Exploitation
Check Feature
Hail Mary
Conclusion
References

Client Side Exploitation
Client Side Exploitation Methods
     Attack Scenario 1: E-Mails Leading to Malicious Attachments
     Attack Scenario 2: E-Mails Leading to Malicious Links
     Attack Scenario 3: Compromising Client Side Update
     Attack Scenario 4: Malware Loaded on USB Sticks
     E-Mails with Malicious Attachments
          Creating a Custom Executable
          Creating a Backdoor with SET
          PDF Hacking
Introduction
     Header
     Body
     Cross Reference Table
     Trailer
PDF Launch Action
Creating a PDF Document with a Launch Action
     Controlling the Dialog Boxes
     PDF Reconnaissance
Tools in the Trade
     PDFINFO
          PDFINFO "Your PDF Document"
     PDFTK
Origami Framework
Installing Origami Framework on BackTrack
Attacking with PDF
     Fileformat Exploits
     Browser Exploits
Scenario from Real World
Adobe PDF Embedded EXE
Social Engineering Toolkit
     Attack Scenario 2: E-Mails Leading to Malicious Links
Credential Harvester Attack
Tabnabbing Attack
Other Attack Vectors
Browser Exploitation
Attacking over the Internet with SET
Attack Scenario over the Internet
Using Windows Box as Router (Port Forwarding)
     Browser AutoPWN
Why Use Browser AutoPWN?
Problem with Browser AutoPWN
VPS/DEDICATED Server
     Attack Scenario 3: Compromising Client Side Update
How Evilgrade Works?
Prerequisites
     Attack Vectors
     Internal Network Attack Vectors
     External Network Attack Vectors
     Evilgrade Console
     Attack Scenario
     Attack Scenario 4: Malware Loaded on USB Sticks
Teensy USB
Conclusion
Further Reading

Post-Exploitation
Acquiring Situation Awareness
     Enumerating a Windows Machine
     Enumerating Local Groups and Users
     Enumerating a Linux Machine
     Enumerating with Meterpreter
          Identifying Processes
          Interacting with the System
          User Interface Command
Privilege Escalation
     Maintaining Stability
Escalating Privileges
     Bypassing User Access Control
     Impersonating the Token
     Escalating Privileges on a Linux Machine
Maintaining Access
Installing a Backdoor
Cracking the Hashes to Gain Access to Other Services
Backdoors
     Disabling the Firewall
     Killing the Antivirus
     Netcat
Msfpayload/Msfencode
     Generating a Backdoor with MSFPayload
     Msfencode
Msfvenom
     Persistence
     What Is a Hash?
     Hashing Algorithms
     Windows Hashing Methods
     LAN Manager (LM)
     NTLM/NTLM2
     Kerberos
     Where Are LM/NTLM Hashes Located?
Dumping the Hashes
     Scenario 1—REMOTE ACCESS
     Scenario 2—LOCAL ACCESS
     OPH Crack
References
     Scenario 3—OFFLINE SYSTEM
     OPHCrack LIVE CD
     Bypassing the Log-In
References
Cracking the Hashes
     Brute Force/Dictionary Attacks
     Password Salts
     Rainbow Tables
John the Ripper
     Cracking LM/NTLM Passwords with JTR
     Cracking Linux Passwords with JTR
Rainbow Crack
     Sorting the Tables
     Cracking the Hashes with rcrack
     Speeding Up the Cracking Process
     Gaining Access to Remote Services
     Enabling the Remote Desktop
     Adding Users to the Remote Desktop
Data Mining
     Gathering OS Information
     Harvesting Stored Credentials
Identifying and Exploiting Further Targets
     Mapping the Internal Network
     Finding Network Information
     Identifying Further Targets
     Pivoting
     Scanning Ports and Services and Detecting OS
     Compromising Other Hosts on the Network Having the Same Password
psexec
     Exploiting Targets
Conclusion

Windows Exploit Development Basics
Prerequisites
What Is a Buffer Overflow?
Vulnerable Application
How to Find Buffer Overflows?
Methodology
Getting the Software Up and Running
Causing the Application to Crash
Skeleton Exploit
     Determining the Offset
     Identifying Bad Characters
Figuring Out Bad Characters with Mona
     Overwriting the Return Address
     NOP Sledges
     Generating the ShellCode
Generating Metasploit Module
Porting to Metasploit
Conclusion
Further Resources

Wireless Hacking
Introduction
Requirements
Introducing Aircrack-ng
Uncovering Hidden SSIDs
Turning on the Monitor Mode
Monitoring Beacon Frames on Wireshark
Monitoring with Airodump-ng
Speeding Up the Process
     Bypassing MAC Filters on Wireless Networks
     Cracking a WEP Wireless Network with Aircrack-ng
Placing Your Wireless Adapter in Monitor Mode
Determining the Target with Airodump-ng
     Attacking the Target
     Speeding Up the Cracking Process
     Injecting ARP Packets
     Cracking the WEP
Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng
Capturing Packets
Capturing the Four-Way Handshake
Cracking WPA/WPA2
     Using Reaver to Crack WPS-Enabled Wireless Networks
Reducing the Delay
Further Reading
     Setting Up a Fake Access Point with SET to PWN Users
Attack Scenario
     Evil Twin Attack
Scanning the Neighbors
Spoofing the MAC
Setting Up a Fake Access Point
Causing Denial of Service on the Original AP
Conclusion

Web Hacking
Attacking the Authentication
     Username Enumeration
     Invalid Username with Invalid Password
     Valid Username with Invalid Password
     Enabling Browser Cache to Store Passwords
Brute Force and Dictionary Attacks
Types of Authentication
     HTTP Basic Authentication
     HTTP-Digest Authentication
     FORM-Based Authentication
     Exploiting Password Reset Feature
Etsy.com Password Reset Vulnerability
     Attacking FORM-Based Authentication
Brute Force Attack
     Attacking HTTP BASIC AUTH
Further Reading
     Log-In Protection Mechanisms
     Captcha Validation Flaw
     Captcha RESET Flaw
     Manipulating User-Agents to Bypass Captcha and Other Protections
     Real-World Example
     Authentication Bypass Attacks
     Authentication Bypass Using SQL Injection
     Testing for SQL Injection Auth Bypass
     Authentication Bypass Using XPATH Injection
          Testing for XPATH Injection
     Authentication Bypass Using Response Tampering
Crawling Restricted Links
Testing for the Vulnerability
     Automating It with Burp Suite
Authentication Bypass with Insecure Cookie Handling
     Session Attacks
     Guessing Weak Session ID
     Session Fixation Attacks
Requirements for This Attack
How the Attack Works?
     SQL Injection Attacks
     What Is an SQL Injection?
     Types of SQL Injection
          Union-Based SQL Injection
          Error-Based SQL Injection
          Blind SQL Injection
     Detecting SQL Injection
     Determining the Injection Type
     Union-Based SQL Injection (MySQL)
Testing for SQL Injection
     Determining the Number of Columns
     Determining the Vulnerable Columns
     Fingerprinting the Database
     Enumeration Information
     Information_schema
     Information_schema Tables
     Enumerating All Available Databases
     Enumerating All Available Tables in the Database
     Extracting Columns from Tables
     Extracting Data from Columns
     Using group_concat
     MySQL Version ≤ 5
Guessing Table Names
     Guessing Columns
     SQL Injection to Remote Command Execution
Reading Files
Writing Files
     Blind SQL Injection
          Boolean-Based SQLi
     True Statement
     False Statement
     Enumerating the DB USER
     Enumerating the MYSQL Version
     Guessing Tables
     Guessing Columns in the Table
     Extracting Data from Columns
     Time-Based SQL Injection
Vulnerable Application
Testing for Time-Based SQL Injection
     Enumerating the DB USER
     Guessing the Table Names
     Guessing the Columns
     Extracting Data from Columns
     Automating SQL Injections with SQLMAP
     Enumerating Databases
     Enumerating Tables
     Enumerating the Columns
     Extracting Data from the Columns
     HTTP Header–Based SQL Injection
     Operating System Takeover with Sqlmap
OS-CMD
OS-SHELL
OS-PWN
XSS (Cross-Site Scripting)
How to Identify XSS Vulnerability?
Types of Cross-Site Scripting
Reflected/Nonpersistent XSS
     Vulnerable Code
Medium Security
     Vulnerable Code
High Security
     Bypassing htmlspecialchars
UTF-32 XSS Trick: Bypass 1
Svg Craziness: Bypass 2
Bypass 3: href Attribute
Stored XSS/Persistent XSS
Payloads
Blind XSS
DOM-Based XSS
     Detecting DOM-Based XSS
          Sources (Inputs)
          Sinks (Creating/Modifying HTML Elements)
     Static JS Analysis to Identify DOM-Based XSS
     How Does It Work?
     Setting Up JSPRIME
Dominator: Dynamic Taint Analysis
POC for Internet Explorer
POC for Chrome
Pros/Cons
Cross Browser DOM XSS Detection
Types of DOM-Based XSS
     Reflected DOM XSS
     Stored DOM XSS
     Exploiting XSS
     Cookie Stealing with XSS
     Exploiting XSS for Conducting Phishing Attacks
     Compromising Victim’s Browser with XSS
Exploiting XSS with BEEF
Setting Up BEEF on BackTrack
Demo Pages
     Beef Modules
          Module: Replace HREFs
          Module: Getcookie
          Module: Tabnabbing
     BEEF in Action
Cross-Site Request Forgery (CSRF)
Why Does a CSRF Attack Work?
How to Attack?
GET-Based CSRF
POST-Based CSRF
CSRF Protection Techniques
Referrer-Based Checking
Anti-CSRF Tokens
Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm
Tokens Not Validated upon Server
Analyzing Weak Anti-CSRF Token Strength
Bypassing CSRF with XSS
     File Upload Vulnerabilities
     Bypassing Client Side Restrictions
     Bypassing MIME-Type Validation
Real-World Example
     Bypassing Blacklist-Based Protections
     Case 1: Blocking Malicious Extensions
          Bypass
     Case 2: Case-Sensitive Bypass
          Bypass
Real-World Example
     Vulnerable Code
     Case 3: When All Dangerous Extensions Are Blocked
          XSS via File Upload
          Flash-Based XSS via File Upload
     Case 4: Double Extensions Vulnerabilities
          Apache Double Extension Issues
          IIS 6 Double Extension Issues
     Case 5: Using Trailing Dots
     Case 6: Null Byte Trick
     Case 7: Bypassing Image Validation
     Case 8: Overwriting Critical Files
Real-World Example
File Inclusion Vulnerabilities
Remote File Inclusion
Patching File Inclusions on the Server Side
     Local File Inclusion
     Linux
     Windows
     LFI Exploitation Using /proc/self/environ
     Log File Injection
     Finding Log Files: Other Tricks
     Exploiting LFI by Using PHP Input
     Exploiting LFI Using File Uploads
     Read Source Code via LFI
     Local File Disclosure Vulnerability
          Vulnerable Code
     Local File Disclosure Tricks
     Remote Command Execution
     Uploading Shells
     Server Side Include Injection
Testing a Website for SSI Injection
Executing System Commands
Spawning a Shell
SSRF Attacks
Impact
     Example of a Vulnerable PHP CODE
     Remote SSRF
          Simple SSRF
          Partial SSRF
Denial of Service
     Denial of Service Using External Entity Expansion (XEE)
     Full SSRF
          dict://
          gopher://
          http://
     Causing the Crash
Overwriting Return Address
Generating Shellcode
Server Hacking
Apache Server
     Testing for Disabled Functions
     Open_basedir Misconfiguration
     Using CURL to Bypass Open_basedir Restrictions
     Open_basedir PHP 5.2.9 Bypass
Reference
     Bypassing open_basedir Using CGI Shell
     Bypassing open_basedir Using Mod_Perl, Mod_Python
Escalating Privileges Using Local Root Exploits
Back Connecting
Finding the Local Root Exploit
Usage
Finding a Writable Directory
Bypassing Symlinks to Read Configuration Files
Who Is Affected?
Basic Syntax
     Why This Works?
     Symlink Bypass: Example 1
     Finding the Username
          /etc/passwd File
          /etc/valiases File
          Path Disclosure
     Uploading .htaccess to Follow Symlinks
     Symlinking the Configuration Files
Connecting to and Manipulating the Database
Updating the Password
     Symlink the Root Directory
     Example 3: Compromising WHMCS Server
Finding a WHMCS Server
Symlinking the Configuration File
     WHMCS Killer
     Disabling Security Mechanisms
     Disabling Mod_Security
     Disabling Open_basedir and Safe_mode
     Using CGI, PERL, or Python Shell to Bypass Symlinks
Conclusion

Index

Biography

Rafay Baloch is a globally renowned cybersecurity expert and white-hat hacker with a proven record of identifying critical zero-day security vulnerabilities in numerous web applications, products, and browsers. His discoveries have been instrumental in safeguarding the privacy and security of millions of users worldwide. Baloch has received various accolades, including being named one of the “Top 5 Ethical Hackers of 2014” by Checkmarx, one of the “15 Most Successful Ethical Hackers Worldwide,” and one of the “Top 25 Threat Seekers” by SC Magazine. In addition, Reflectiz listed him among the “Top 21 Cybersecurity Experts You Must Follow on Twitter in 2021.”

On March 23, 2022, the Inter-Services Public Relations (ISPR) recognized Baloch’s significant contributions to the field of cybersecurity with the Pride of Pakistan award. Baloch is also the author of “Ethical Hacking and Penetration Testing Guide,” published by Taylor & Francis in 2014.

Rafay has presented his research at various international cybersecurity conferences, including Black Hat, Hack In Paris, HEXCON, the 10th Information Security Conference in Greece, the CSAW Conference, and many others. He is frequently sought after for his insights and analysis on current cybersecurity topics, appearing in national and international mainstream media outlets such as Forbes, WSJ, Independent UK, BBC, Express Tribune, DAWN, and many others.

Baloch has also served as Senior Consultant for Cyber Security at the Pakistan Telecommunication Authority (PTA), the national telecom regulator. Currently, he runs a cybersecurity company, REDSECLABS, offering cybersecurity consulting at the global level.

Rafay Baloch is the founder of REDSECLABS, a company specializing in security consulting, training, and a variety of other cybersecurity-related services. The book features several sample codes and 'extra mile' exercises designed to enhance learning. To apply these concepts practically, we encourage you to visit our website at https://www.redseclabs.com. On the site, you'll find blog posts that explore these exercises and other resources mentioned throughout the book, along with showcases of our research work.