
Ethical Hacking and Penetration Testing Guide

1st Edition

By Rafay Baloch

Auerbach Publications

531 pages | 835 B/W Illus.

Formats
Paperback: 9781482231618
pub: 2014-07-28
Hardback: 9781138436824
pub: 2017-07-12
eBook (VitalSource) : 9781315145891
pub: 2017-09-29

Description

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly use and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools, including BackTrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn, Netcat, and the Hacker Defender rootkit. Supplying a simple and clean explanation of how to use these tools effectively, it details a four-step methodology for conducting an effective penetration test or hack.

Providing an accessible introduction to penetration testing and hacking, the book supplies you with a fundamental understanding of offensive security. After completing the book you will be prepared to take on in-depth and advanced topics in hacking and penetration testing. The book walks you through each of the steps and tools in a structured, orderly manner, allowing you to understand how the output from each tool can be fully used in the subsequent phases of the penetration test. This process will allow you to clearly see how the various tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but don't know where to start, this book will help take your hacking skills to the next level. The topics described in this book comply with international standards and with what is being taught in international certifications.

Table of Contents

Introduction to Hacking

Important Terminologies

Asset

Vulnerability

Threat

Exploit

Risk

What Is a Penetration Test?

Vulnerability Assessments versus Penetration Test

Pre-Engagement

Rules of Engagement

Milestones

Penetration Testing Methodologies

OSSTMM

NIST

OWASP

Categories of Penetration Test

Black Box

White Box

Gray Box

Types of Penetration Tests

Network Penetration Test

Web Application Penetration Test

Mobile Application Penetration Test

Social Engineering Penetration Test

Physical Penetration Test

Report Writing

Understanding the Audience

Executive Class

Management Class

Technical Class

Writing Reports

Structure of a Penetration Testing Report

Cover Page

Table of Contents

Executive Summary

Remediation Report

Vulnerability Assessment Summary

Tabular Summary

Risk Assessment

Risk Assessment Matrix

Methodology

Detailed Findings

Description

Explanation

Risk

Recommendation

Reports

Conclusion

Linux Basics

Major Linux Operating Systems

File Structure inside of Linux

Permissions in Linux

Special Permissions

Users inside of Linux

Linux Services

Linux Password Storage

Linux Logging

Common Applications of Linux

What Is BackTrack?

How to Get BackTrack 5 Running?

Installing BackTrack on Virtual Box

Installing BackTrack on a Portable USB

Installing BackTrack on Your Hard Drive

BackTrack Basics

Changing the Default Screen Resolution

Some Unforgettable Basics

Changing the Password

Clearing the Screen

Listing the Contents of a Directory

Displaying Contents of a Specific Directory

Displaying the Contents of a File

Creating a Directory

Changing the Directories

Windows

Linux

Creating a Text File

Copying a File

Current Working Directory

Renaming a File

Moving a File

Removing a File

Locating Certain Files inside BackTrack

Text Editors inside BackTrack

Getting to Know Your Network

Dhclient

Services

MySQL

SSHD

Postgresql

Other Online Resources

Information Gathering Techniques

Active Information Gathering

Passive Information Gathering

Sources of Information Gathering

Copying Websites Locally

Information Gathering with Whois

Finding Other Websites Hosted on the Same Server

YouGetSignal.com

Tracing the Location

Traceroute

ICMP Traceroute

TCP Traceroute

Usage

UDP Traceroute

Usage

NeoTrace

Cheops-ng

Enumerating and Fingerprinting the Webservers

Intercepting a Response

Acunetix Vulnerability Scanner

WhatWeb

Netcraft

Google Hacking

Some Basic Parameters

Site

Example

TIP regarding Filetype

Google Hacking Database

Hackersforcharity.org/ghdb

Xcode Exploit Scanner

File Analysis

Foca

Harvesting E-Mail Lists

Gathering Wordlist from a Target Website

Scanning for Subdomains

TheHarvester

Fierce in BackTrack

Scanning for SSL Version

DNS Enumeration

Interacting with DNS Servers

Nslookup

DIG

Forward DNS Lookup

Forward DNS Lookup with Fierce

Reverse DNS

Reverse DNS Lookup with Dig

Reverse DNS Lookup with Fierce

Zone Transfers

Zone Transfer with Host Command

Automating Zone Transfers

DNS Cache Snooping

What Is DNS Cache Snooping?

Nonrecursive Method

Recursive Method

What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?

Attack Scenario

Automating DNS Cache Snooping Attacks

Enumerating SNMP

Problem with SNMP

Sniffing SNMP Passwords

OneSixtyOne

Snmpenum

SolarWinds Toolset

SNMP Sweep

SNMP Brute Force and Dictionary

SNMP Brute Force Tool

SNMP Dictionary Attack Tool

SMTP Enumeration

Detecting Load Balancers

Load Balancer Detector

Determining Real IP behind Load Balancers

Bypassing CloudFlare Protection

Method 1: Resolvers

Method 2: Subdomain Trick

Method 3: Mail Servers

Intelligence Gathering Using Shodan

Further Reading

Conclusion

Target Enumeration and Port Scanning Techniques

Host Discovery

Scanning for Open Ports and Services

Types of Port Scanning

Understanding the TCP Three-Way Handshake

TCP Flags

Port Status Types

TCP SYN Scan

TCP Connect Scan

NULL, FIN, and XMAS Scans

NULL Scan

FIN Scan

XMAS Scan

TCP ACK Scan

Responses

UDP Port Scan

Anonymous Scan Types

IDLE Scan

Scanning for a Vulnerable Host

Performing an IDLE Scan with NMAP

TCP FTP Bounce Scan

Service Version Detection

OS Fingerprinting

p0f

Output

Normal Format

Grepable Format

XML Format

Advanced Firewall/IDS Evading Techniques

Timing Technique

Wireshark Output

Fragmented Packets

Wireshark Output

Source Port Scan

Specifying an MTU

Sending Bad Checksums

Decoys

ZENMAP

Further Reading

Vulnerability Assessment

What Are Vulnerability Scanners and How Do They Work?

Pros and Cons of a Vulnerability Scanner

Vulnerability Assessment with Nmap

Updating the Database

Scanning MS08_067_netapi

Testing SCADA Environments with Nmap

Installation

Usage

Nessus Vulnerability Scanner

Home Feed

Professional Feed

Installing Nessus on BackTrack

Adding a User

Nessus Control Panel

Reports

Mobile

Policies

Users

Configuration

Default Policies

Creating a New Policy

Safe Checks

Silent Dependencies

Avoid Sequential Scans

Port Range

Credentials

Plug-Ins

Preferences

Scanning the Target

Nessus Integration with Metasploit

Importing Nessus to Metasploit

Scanning the Target

Reporting

OpenVAS

Resource

Vulnerability Data Resources

Exploit Databases

Using Exploit-db with BackTrack

Searching for Exploits inside BackTrack

Conclusion

Network Sniffing

Introduction

Types of Sniffing

Active Sniffing

Passive Sniffing

Hubs versus Switches

Promiscuous versus Nonpromiscuous Mode

MITM Attacks

ARP Protocol Basics

How ARP Works?

ARP Attacks

MAC Flooding

Macof

ARP Poisoning

Scenario—How It Works?

Denial of Service Attacks

Tools in the Trade

Dsniff

Using ARP Spoof to Perform MITM Attacks

Usage

Sniffing the Traffic with Dsniff

Sniffing Pictures with Driftnet

Urlsnarf and Webspy

Sniffing with Wireshark

Ettercap

ARP Poisoning with Ettercap

Hijacking Session with MITM Attack

Attack Scenario

ARP Poisoning with Cain and Abel

Sniffing Session Cookies with Wireshark

Hijacking the Session

SSL Strip: Stripping HTTPS Traffic

Requirements

Usage

Automating Man in the Middle Attacks

Usage

DNS Spoofing

ARP Spoofing Attack

Manipulating the DNS Records

Using Ettercap to Launch DNS Spoofing Attack

DHCP Spoofing

Conclusion

Remote Exploitation

Understanding Network Protocols

Transmission Control Protocol

User Datagram Protocol

Internet Control Messaging Protocol

Server Protocols

Text-Based Protocols (Important)

Binary Protocols

FTP

SMTP

HTTP

Further Reading

Resources

Attacking Network Remote Services

Overview of Brute Force Attacks

Traditional Brute Force

Dictionary Attacks

Hybrid Attacks

Common Target Protocols

Tools of the Trade

THC Hydra

Basic Syntax for Hydra

Cracking Services with Hydra

Hydra GUI

Medusa

Basic Syntax

OpenSSH Username Discovery Bug

Cracking SSH with Medusa

Ncrack

Basic Syntax

Cracking an RDP with Ncrack

Case Study of a Morto Worm

Combining Nmap and Ncrack for Optimal Results

Attacking SMTP

Important Commands

Real-Life Example

Attacking SQL Servers

MySQL Servers

Fingerprinting MySQL Version

Testing for Weak Authentication

MS SQL Servers

Fingerprinting the Version

Brute Forcing SA Account

Using Null Passwords

Introduction to Metasploit

History of Metasploit

Metasploit Interfaces

MSFconsole

MSFcli

MSFGUI

Armitage

Metasploit Utilities

MSFPayload

MSFencode

MSFVenom

Metasploit Basic Commands

Search Feature in Metasploit

Use Command

Info Command

Show Options

Set/Unset Command

Reconnaissance with Metasploit

Port Scanning with Metasploit

Metasploit Databases

Storing Information from Nmap into Metasploit Database

Useful Scans with Metasploit

Port Scanners

Specific Scanners

Compromising a Windows Host with Metasploit

Metasploit Autopwn

db_autopwn in Action

Nessus and Autopwn

Armitage

Interface

Launching Armitage

Compromising Your First Target from Armitage

Enumerating and Fingerprinting the Target

MSF Scans

Importing Hosts

Vulnerability Assessment

Exploitation

Check Feature

Hail Mary

Conclusion

References

Client Side Exploitation

Client Side Exploitation Methods

Attack Scenario 1: E-Mails Leading to Malicious Attachments

Attack Scenario 2: E-Mails Leading to Malicious Links

Attack Scenario 3: Compromising Client Side Update

Attack Scenario 4: Malware Loaded on USB Sticks

E-Mails with Malicious Attachments

Creating a Custom Executable

Creating a Backdoor with SET

PDF Hacking

Introduction

Header

Body

Cross Reference Table

Trailer

PDF Launch Action

Creating a PDF Document with a Launch Action

Controlling the Dialog Boxes

PDF Reconnaissance

Tools in the Trade

PDFINFO

PDFINFO "Your PDF Document"

PDFTK

Origami Framework

Installing Origami Framework on BackTrack

Attacking with PDF

Fileformat Exploits

Browser Exploits

Scenario from Real World

Adobe PDF Embedded EXE

Social Engineering Toolkit

Attack Scenario 2: E-Mails Leading to Malicious Links

Credential Harvester Attack

Tabnabbing Attack

Other Attack Vectors

Browser Exploitation

Attacking over the Internet with SET

Attack Scenario over the Internet

Using Windows Box as Router (Port Forwarding)

Browser AutoPWN

Why Use Browser AutoPWN?

Problem with Browser AutoPWN

VPS/DEDICATED Server

Attack Scenario 3: Compromising Client Side Update

How Evilgrade Works?

Prerequisites

Attack Vectors

Internal Network Attack Vectors

External Network Attack Vectors

Evilgrade Console

Attack Scenario

Attack Scenario 4: Malware Loaded on USB Sticks

Teensy USB

Conclusion

Further Reading

Post-Exploitation

Acquiring Situation Awareness

Enumerating a Windows Machine

Enumerating Local Groups and Users

Enumerating a Linux Machine

Enumerating with Meterpreter

Identifying Processes

Interacting with the System

User Interface Command

Privilege Escalation

Maintaining Stability

Escalating Privileges

Bypassing User Access Control

Impersonating the Token

Escalating Privileges on a Linux Machine

Maintaining Access

Installing a Backdoor

Cracking the Hashes to Gain Access to Other Services

Backdoors

Disabling the Firewall

Killing the Antivirus

Netcat

Msfpayload/Msfencode

Generating a Backdoor with MSFPayload

Msfencode

Msfvenom

Persistence

What Is a Hash?

Hashing Algorithms

Windows Hashing Methods

LAN Manager (LM)

NTLM/NTLM2

Kerberos

Where Are LM/NTLM Hashes Located?

Dumping the Hashes

Scenario 1—REMOTE ACCESS

Scenario 2—LOCAL ACCESS

OPH Crack

References

Scenario 3—OFFLINE SYSTEM

OPHCrack LIVE CD

Bypassing the Log-In

References

Cracking the Hashes

Brute Force/Dictionary Attacks

Password Salts

Rainbow Tables

John the Ripper

Cracking LM/NTLM Passwords with JTR

Cracking Linux Passwords with JTR

Rainbow Crack

Sorting the Tables

Cracking the Hashes with rcrack

Speeding Up the Cracking Process

Gaining Access to Remote Services

Enabling the Remote Desktop

Adding Users to the Remote Desktop

Data Mining

Gathering OS Information

Harvesting Stored Credentials

Identifying and Exploiting Further Targets

Mapping the Internal Network

Finding Network Information

Identifying Further Targets

Pivoting

Scanning Ports and Services and Detecting OS

Compromising Other Hosts on the Network Having the Same Password

psexec

Exploiting Targets

Conclusion

Windows Exploit Development Basics

Prerequisites

What Is a Buffer Overflow?

Vulnerable Application

How to Find Buffer Overflows?

Methodology

Getting the Software Up and Running

Causing the Application to Crash

Skeleton Exploit

Determining the Offset

Identifying Bad Characters

Figuring Out Bad Characters with Mona

Overwriting the Return Address

NOP Sledges

Generating the ShellCode

Generating Metasploit Module

Porting to Metasploit

Conclusion

Further Resources

Wireless Hacking

Introduction

Requirements

Introducing Aircrack-ng

Uncovering Hidden SSIDs

Turning on the Monitor Mode

Monitoring Beacon Frames on Wireshark

Monitoring with Airodump-ng

Speeding Up the Process

Bypassing MAC Filters on Wireless Networks

Cracking a WEP Wireless Network with Aircrack-ng

Placing Your Wireless Adapter in Monitor Mode

Determining the Target with Airodump-ng

Attacking the Target

Speeding Up the Cracking Process

Injecting ARP Packets

Cracking the WEP

Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng

Capturing Packets

Capturing the Four-Way Handshake

Cracking WPA/WPA2

Using Reaver to Crack WPS-Enabled Wireless Networks

Reducing the Delay

Further Reading

Setting Up a Fake Access Point with SET to PWN Users

Attack Scenario

Evil Twin Attack

Scanning the Neighbors

Spoofing the MAC

Setting Up a Fake Access Point

Causing Denial of Service on the Original AP

Conclusion

Web Hacking

Attacking the Authentication

Username Enumeration

Invalid Username with Invalid Password

Valid Username with Invalid Password

Enabling Browser Cache to Store Passwords

Brute Force and Dictionary Attacks

Types of Authentication

HTTP Basic Authentication

HTTP-Digest Authentication

FORM-Based Authentication

Exploiting Password Reset Feature

Etsy.com Password Reset Vulnerability

Attacking FORM-Based Authentication

Brute Force Attack

Attacking HTTP BASIC AUTH

Further Reading

Log-In Protection Mechanisms

Captcha Validation Flaw

Captcha RESET Flaw

Manipulating User-Agents to Bypass Captcha and Other Protections

Real-World Example

Authentication Bypass Attacks

Authentication Bypass Using SQL Injection

Testing for SQL Injection Auth Bypass

Authentication Bypass Using XPATH Injection

Testing for XPATH Injection

Authentication Bypass Using Response Tampering

Crawling Restricted Links

Testing for the Vulnerability

Automating It with Burp Suite

Authentication Bypass with Insecure Cookie Handling

Session Attacks

Guessing Weak Session ID

Session Fixation Attacks

Requirements for This Attack

How the Attack Works?

SQL Injection Attacks

What Is an SQL Injection?

Types of SQL Injection

Union-Based SQL Injection

Error-Based SQL Injection

Blind SQL Injection

Detecting SQL Injection

Determining the Injection Type

Union-Based SQL Injection (MySQL)

Testing for SQL Injection

Determining the Number of Columns

Determining the Vulnerable Columns

Fingerprinting the Database

Enumeration Information

Information_schema

Information_schema Tables

Enumerating All Available Databases

Enumerating All Available Tables in the Database

Extracting Columns from Tables

Extracting Data from Columns

Using group_concat

MySQL Version ≤ 5

Guessing Table Names

Guessing Columns

SQL Injection to Remote Command Execution

Reading Files

Writing Files

Blind SQL Injection

Boolean-Based SQLi

True Statement

False Statement

Enumerating the DB USER

Enumerating the MYSQL Version

Guessing Tables

Guessing Columns in the Table

Extracting Data from Columns

Time-Based SQL Injection

Vulnerable Application

Testing for Time-Based SQL Injection

Enumerating the DB USER

Guessing the Table Names

Guessing the Columns

Extracting Data from Columns

Automating SQL Injections with SQLMAP

Enumerating Databases

Enumerating Tables

Enumerating the Columns

Extracting Data from the Columns

HTTP Header–Based SQL Injection

Operating System Takeover with Sqlmap

OS-CMD

OS-SHELL

OS-PWN

XSS (Cross-Site Scripting)

How to Identify XSS Vulnerability?

Types of Cross-Site Scripting

Reflected/Nonpersistent XSS

Vulnerable Code

Medium Security

Vulnerable Code

High Security

Bypassing htmlspecialchars

UTF-32 XSS Trick: Bypass 1

Svg Craziness: Bypass 2

Bypass 3: href Attribute

Stored XSS/Persistent XSS

Payloads

Blind XSS

DOM-Based XSS

Detecting DOM-Based XSS

Sources (Inputs)

Sinks (Creating/Modifying HTML Elements)

Static JS Analysis to Identify DOM-Based XSS

How Does It Work?

Setting Up JSPRIME

Dominator: Dynamic Taint Analysis

POC for Internet Explorer

POC for Chrome

Pros/Cons

Cross Browser DOM XSS Detection

Types of DOM-Based XSS

Reflected DOM XSS

Stored DOM XSS

Exploiting XSS

Cookie Stealing with XSS

Exploiting XSS for Conducting Phishing Attacks

Compromising Victim’s Browser with XSS

Exploiting XSS with BEEF

Setting Up BEEF on BackTrack

Demo Pages

Beef Modules

Module: Replace HREFs

Module: Getcookie

Module: Tabnabbing

BEEF in Action

Cross-Site Request Forgery (CSRF)

Why Does a CSRF Attack Work?

How to Attack?

GET-Based CSRF

POST-Based CSRF

CSRF Protection Techniques

Referrer-Based Checking

Anti-CSRF Tokens

Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm

Tokens Not Validated upon Server

Analyzing Weak Anti-CSRF Token Strength

Bypassing CSRF with XSS

File Upload Vulnerabilities

Bypassing Client Side Restrictions

Bypassing MIME-Type Validation

Real-World Example

Bypassing Blacklist-Based Protections

Case 1: Blocking Malicious Extensions

Bypass

Case 2: Case-Sensitive Bypass

Bypass

Real-World Example

Vulnerable Code

Case 3: When All Dangerous Extensions Are Blocked

XSS via File Upload

Flash-Based XSS via File Upload

Case 4: Double Extensions Vulnerabilities

Apache Double Extension Issues

IIS 6 Double Extension Issues

Case 5: Using Trailing Dots

Case 6: Null Byte Trick

Case 7: Bypassing Image Validation

Case 8: Overwriting Critical Files

Real-World Example

File Inclusion Vulnerabilities

Remote File Inclusion

Patching File Inclusions on the Server Side

Local File Inclusion

Linux

Windows

LFI Exploitation Using /proc/self/environ

Log File Injection

Finding Log Files: Other Tricks

Exploiting LFI by Using php://input

Exploiting LFI Using File Uploads

Read Source Code via LFI

Local File Disclosure Vulnerability

Vulnerable Code

Local File Disclosure Tricks

Remote Command Execution

Uploading Shells

Server Side Include Injection

Testing a Website for SSI Injection

Executing System Commands

Spawning a Shell

SSRF Attacks

Impact

Example of a Vulnerable PHP CODE

Remote SSRF

Simple SSRF

Partial SSRF

Denial of Service

Denial of Service Using External Entity Expansion (XEE)

Full SSRF

dict://

gopher://

http://

Causing the Crash

Overwriting Return Address

Generating Shellcode

Server Hacking

Apache Server

Testing for Disabled Functions

open_basedir Misconfiguration

Using cURL to Bypass open_basedir Restrictions

open_basedir PHP 5.2.9 Bypass

Reference

Bypassing open_basedir Using CGI Shell

Bypassing open_basedir Using mod_perl, mod_python

Escalating Privileges Using Local Root Exploits

Back Connecting

Finding the Local Root Exploit

Usage

Finding a Writable Directory

Bypassing Symlinks to Read Configuration Files

Who Is Affected?

Basic Syntax

Why This Works?

Symlink Bypass: Example 1

Finding the Username

/etc/passwd File

/etc/valiases File

Path Disclosure

Uploading .htaccess to Follow Symlinks

Symlinking the Configuration Files

Connecting to and Manipulating the Database

Updating the Password

Symlink the Root Directory

Example 3: Compromising WHMCS Server

Finding a WHMCS Server

Symlinking the Configuration File

WHMCS Killer

Disabling Security Mechanisms

Disabling mod_security

Disabling open_basedir and safe_mode

Using CGI, PERL, or Python Shell to Bypass Symlinks

Conclusion

Index

About the Author

Rafay Baloch is the founder/CEO of RHA InfoSec. He runs one of the top security blogs in Pakistan with more than 25,000 subscribers (http://rafayhackingarticles.net). He has participated in various bug bounty programs and has helped several major Internet corporations such as Google, Facebook, Twitter, Yahoo!, eBay, etc., to improve their Internet security. Rafay was successful in finding a remote code execution vulnerability along with several other high-risk vulnerabilities inside PayPal, for which he was awarded a huge sum of money as well as an offer to work for PayPal. His major areas of research interest are in network security, bypassing modern security defenses such as WAFs, DOM-based XSS, and other HTML 5–based attack vectors. Rafay holds CPTE, CPTC, CSWAE, CVA, CSS, OSCP, CCNA R & S, CCNP Route, and eWAPT certifications.

Subject Categories

BISAC Subject Codes/Headings:
COM043000
COMPUTERS / Networking / General
COM053000
COMPUTERS / Security / General
LAW041000
LAW / Forensic Science