


Ethical Hacking and Penetration Testing Guide




Availability: not available or out of stock at the publisher


Price: 67,50 €



This product qualifies for FREE SHIPPING
when the Express Courier option is selected at checkout.


Can also be paid for with the Carta della cultura giovani e del merito, the Carta della Cultura and the Carta del Docente.





Details

Type: Book
Language: English
Published: 07/2014
Edition: 1st edition





Publisher's Note

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools, including Backtrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn, Netcat, and Hacker Defender rootkit. Supplying a simple and clean explanation of how to effectively utilize these tools, it details a four-step methodology for conducting an effective penetration test or hack. Providing an accessible introduction to penetration testing and hacking, the book supplies you with a fundamental understanding of offensive security. After completing the book you will be prepared to take on in-depth and advanced topics in hacking and penetration testing. The book walks you through each of the steps and tools in a structured, orderly manner, allowing you to understand how the output from each tool can be fully utilized in the subsequent phases of the penetration test. This process will allow you to clearly see how the various tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but don't know where to start, this book will help take your hacking skills to the next level. The topics described in this book comply with international standards and with what is being taught in international certifications.




Table of Contents

Introduction to Hacking: Important Terminologies; Asset; Vulnerability; Threat; Exploit; Risk; What Is a Penetration Test?; Vulnerability Assessments versus Penetration Test; Pre-Engagement; Rules of Engagement; Milestones; Penetration Testing Methodologies; OSSTMM; NIST; OWASP; Categories of Penetration Test; Black Box; White Box; Gray Box; Types of Penetration Tests; Network Penetration Test; Web Application Penetration Test; Mobile Application Penetration Test; Social Engineering Penetration Test; Physical Penetration Test; Report Writing; Understanding the Audience; Executive Class; Management Class; Technical Class; Writing Reports; Structure of a Penetration Testing Report; Cover Page; Table of Contents; Executive Summary; Remediation Report; Vulnerability Assessment Summary; Tabular Summary; Risk Assessment; Risk Assessment Matrix; Methodology; Detailed Findings; Description; Explanation; Risk; Recommendation; Reports; Conclusion

Linux Basics: Major Linux Operating Systems; File Structure inside of Linux; Permissions in Linux; Special Permissions; Users inside of Linux; Linux Services; Linux Password Storage; Linux Logging; Common Applications of Linux; What Is BackTrack?; How to Get BackTrack 5 Running?; Installing BackTrack on Virtual Box; Installing BackTrack on a Portable USB; Installing BackTrack on Your Hard Drive; BackTrack Basics; Changing the Default Screen Resolution; Some Unforgettable Basics; Changing the Password; Clearing the Screen; Listing the Contents of a Directory; Displaying Contents of a Specific Directory; Displaying the Contents of a File; Creating a Directory; Changing the Directories; Windows; Linux; Creating a Text File; Copying a File; Current Working Directory; Renaming a File; Moving a File; Removing a File; Locating Certain Files inside BackTrack; Text Editors inside BackTrack; Getting to Know Your Network; Dhclient; Services; MySQL; SSHD; Postgresql; Other Online Resources

Information Gathering Techniques: Active Information Gathering; Passive Information Gathering; Sources of Information Gathering; Copying Websites Locally; Information Gathering with Whois; Finding Other Websites Hosted on the Same Server; YouGetSignal.com; Tracing the Location; Traceroute; ICMP Traceroute; TCP Traceroute; Usage; UDP Traceroute; Usage; NeoTrace; Cheops-ng; Enumerating and Fingerprinting the Webservers; Intercepting a Response; Acunetix Vulnerability Scanner; WhatWeb; Netcraft; Google Hacking; Some Basic Parameters; Site; Example; TIP regarding Filetype; Google Hacking Database; Hackersforcharity.org/ghdb; Xcode Exploit Scanner; File Analysis; Foca; Harvesting E-Mail Lists; Gathering Wordlist from a Target Website; Scanning for Subdomains; TheHarvester; Fierce in BackTrack; Scanning for SSL Version; DNS Enumeration; Interacting with DNS Servers; Nslookup; DIG; Forward DNS Lookup; Forward DNS Lookup with Fierce; Reverse DNS; Reverse DNS Lookup with Dig; Reverse DNS Lookup with Fierce; Zone Transfers; Zone Transfer with Host Command; Automating Zone Transfers; DNS Cache Snooping; What Is DNS Cache Snooping?; Nonrecursive Method; Recursive Method; What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?; Attack Scenario; Automating DNS Cache Snooping Attacks; Enumerating SNMP; Problem with SNMP; Sniffing SNMP Passwords; OneSixtyOne; Snmpenum; SolarWinds Toolset; SNMP Sweep; SNMP Brute Force and Dictionary; SNMP Brute Force Tool; SNMP Dictionary Attack Tool; SMTP Enumeration; Detecting Load Balancers; Load Balancer Detector; Determining Real IP behind Load Balancers; Bypassing CloudFlare Protection; Method 1: Resolvers; Method 2: Subdomain Trick; Method 3: Mail Servers; Intelligence Gathering Using Shodan; Further Reading; Conclusion

Target Enumeration and Port Scanning Techniques: Host Discovery; Scanning for Open Ports and Services; Types of Port Scanning; Understanding the TCP Three-Way Handshake; TCP Flags; Port Status Types; TCP SYN Scan; TCP Connect Scan; NULL, FIN, and XMAS Scans; NULL Scan; FIN Scan; XMAS Scan; TCP ACK Scan; Responses; UDP Port Scan; Anonymous Scan Types; IDLE Scan; Scanning for a Vulnerable Host; Performing an IDLE Scan with NMAP; TCP FTP Bounce Scan; Service Version Detection; OS Fingerprinting; POF; Output; Normal Format; Grepable Format; XML Format; Advanced Firewall/IDS Evading Techniques; Timing Technique; Wireshark Output; Fragmented Packets; Wireshark Output; Source Port Scan; Specifying an MTU; Sending Bad Checksums; Decoys; ZENMAP; Further Reading

Vulnerability Assessment: What Are Vulnerability Scanners and How Do They Work?; Pros and Cons of a Vulnerability Scanner; Vulnerability Assessment with Nmap; Updating the Database; Scanning MS08_067_netapi; Testing SCADA Environments with Nmap; Installation; Usage; Nessus Vulnerability Scanner; Home Feed; Professional Feed; Installing Nessus on BackTrack; Adding a User; Nessus Control Panel; Reports; Mobile; Policies; Users; Configuration; Default Policies; Creating a New Policy; Safe Checks; Silent Dependencies; Avoid Sequential Scans; Port Range; Credentials; Plug-Ins; Preferences; Scanning the Target; Nessus Integration with Metasploit; Importing Nessus to Metasploit; Scanning the Target; Reporting; OpenVas; Resource; Vulnerability Data Resources; Exploit Databases; Using Exploit-db with BackTrack; Searching for Exploits inside BackTrack; Conclusion

Network Sniffing: Introduction; Types of Sniffing; Active Sniffing; Passive Sniffing; Hubs versus Switches; Promiscuous versus Nonpromiscuous Mode; MITM Attacks; ARP Protocol Basics; How ARP Works?; ARP Attacks; MAC Flooding; Macof; ARP Poisoning; Scenario: How It Works?; Denial of Service Attacks; Tools in the Trade; Dsniff; Using ARP Spoof to Perform MITM Attacks; Usage; Sniffing the Traffic with Dsniff; Sniffing Pictures with Driftnet; Urlsnarf and Webspy; Sniffing with Wireshark; Ettercap; ARP Poisoning with Ettercap; Hijacking Session with MITM Attack; Attack Scenario; ARP Poisoning with Cain and Abel; Sniffing Session Cookies with Wireshark; Hijacking the Session; SSL Strip: Stripping HTTPS Traffic; Requirements; Usage; Automating Man in the Middle Attacks; Usage; DNS Spoofing; ARP Spoofing Attack; Manipulating the DNS Records; Using Ettercap to Launch DNS Spoofing Attack; DHCP Spoofing; Conclusion

Remote Exploitation: Understanding Network Protocols; Transmission Control Protocol; User Datagram Protocol; Internet Control Messaging Protocol; Server Protocols; Text-Based Protocols (Important); Binary Protocols; FTP; SMTP; HTTP; Further Reading; Resources; Attacking Network Remote Services; Overview of Brute Force Attacks; Traditional Brute Force; Dictionary Attacks; Hybrid Attacks; Common Target Protocols; Tools of the Trade; THC Hydra; Basic Syntax for Hydra; Cracking Services with Hydra; Hydra GUI; Medusa; Basic Syntax; OpenSSH Username Discovery Bug; Cracking SSH with Medusa; Ncrack; Basic Syntax; Cracking an RDP with Ncrack; Case Study of a Morto Worm; Combining Nmap and Ncrack for Optimal Results; Attacking SMTP; Important Commands; Real-Life Example; Attacking SQL Servers; MySQL Servers; Fingerprinting MySQL Version; Testing for Weak Authentication; MS SQL Servers; Fingerprinting the Version; Brute Forcing SA Account; Using Null Passwords; Introduction to Metasploit; History of Metasploit; Metasploit Interfaces; MSFconsole; MSFcli; MSFGUI; Armitage; Metasploit Utilities; MSFPayload; MSFencode; MSFVenom; Metasploit Basic Commands; Search Feature in Metasploit; Use Command; Info Command; Show Options; Set/Unset Command; Reconnaissance with Metasploit; Port Scanning with Metasploit; Metasploit Databases; Storing Information from Nmap into Metasploit Database; Useful Scans with Metasploit; Port Scanners; Specific Scanners; Compromising a Windows Host with Metasploit; Metasploit Autopwn; db_autopwn in Action; Nessus and Autopwn; Armitage; Interface; Launching Armitage; Compromising Your First Target from Armitage; Enumerating and Fingerprinting the Target; MSF Scans; Importing Hosts; Vulnerability Assessment; Exploitation; Check Feature; Hail Mary; Conclusion; References

Client Side Exploitation: Client Side Exploitation Methods; Attack Scenario 1: E-Mails Leading to Malicious Attachments; Attack Scenario 2: E-Mails Leading to Malicious Links; Attack Scenario 3: Compromising Client Side Update; Attack Scenario 4: Malware Loaded on USB Sticks; E-Mails with Malicious Attachments; Creating a Custom Executable; Creating a Backdoor with SET; PDF Hacking; Introduction; Header; Body; Cross Reference Table; Trailer; PDF Launch Action; Creating a PDF Document with a Launch Action; Controlling the Dialog Boxes; PDF Reconnaissance; Tools in the Trade; PDFINFO; PDFINFO "Your PDF Document"; PDFTK; Origami Framework; Installing Origami Framework on BackTrack; Attacking with PDF; Fileformat Exploits; Browser Exploits; Scenario from Real World; Adobe PDF Embedded EXE; Social Engineering Toolkit; Attack Scenario 2: E-Mails Leading to Malicious Links; Credential Harvester Attack; Tabnabbing Attack; Other Attack Vectors; Browser Exploitation; Attacking over the Internet with SET; Attack Scenario over the Internet; Using Windows Box as Router (Port Forwarding); Browser AutoPWN; Why Use Browser AutoPWN?; Problem with Browser AutoPWN; VPS/DEDICATED Server; Attack Scenario 3: Compromising Client Side Update; How Evilgrade Works?; Prerequisites; Attack Vectors; Internal Network Attack Vectors; External Network Attack Vectors; Evilgrade Console; Attack Scenario; Attack Scenario 4: Malware Loaded on USB Sticks; Teensy USB; Conclusion; Further Reading

Post-Exploitation: Acquiring Situation Awareness; Enumerating a Windows Machine; Enumerating Local Groups and Users; Enumerating a Linux Machine; Enumerating with Meterpreter; Identifying Processes; Interacting with the System; User Interface Command; Privilege Escalation; Maintaining Stability; Escalating Privileges; Bypassing User Access Control; Impersonating the Token; Escalating Privileges on a Linux Machine; Maintaining Access; Installing a Backdoor; Cracking the Hashes to Gain Access to Other Services; Backdoors; Disabling the Firewall; Killing the Antivirus; Netcat; Msfpayload/Msfencode; Generating a Backdoor with MSFPayload; Msfencode; Msfvenom; Persistence; What Is a Hash?; Hashing Algorithms; Windows Hashing Methods; LAN Manager (LM); NTLM/NTLM2; Kerberos; Where Are LM/NTLM Hashes Located?; Dumping the Hashes; Scenario 1: REMOTE ACCESS; Scenario 2: LOCAL ACCESS; OPH Crack; References; Scenario 3: OFFLINE SYSTEM; OPHCrack LIVE CD; Bypassing the Log-In; References; Cracking the Hashes; Bruteforce; Dictionary Attacks; Password Salts; Rainbow Tables; John the Ripper; Cracking LM/NTLM Passwords with JTR; Cracking Linux Passwords with JTR; Rainbow Crack; Sorting the Tables; Cracking the Hashes with rcrack; Speeding Up the Cracking Process; Gaining Access to Remote Services; Enabling the Remote Desktop; Adding Users to the Remote Desktop; Data Mining; Gathering OS Information; Harvesting Stored Credentials; Identifying and Exploiting Further Targets; Mapping the Internal Network; Finding Network Information; Identifying Further Targets; Pivoting; Scanning Ports and Services and Detecting OS; Compromising Other Hosts on the Network Having the Same Password; psexec; Exploiting Targets; Conclusion

Windows Exploit Development Basics: Prerequisites; What Is a Buffer Overflow?; Vulnerable Application; How to Find Buffer Overflows?; Methodology; Getting the Software Up and Running; Causing the Application to Crash; Skeleton Exploit; Determining the Offset; Identifying Bad Characters; Figuring Out Bad Characters with Mona; Overwriting the Return Address; NOP Sledges; Generating the ShellCode; Generating Metasploit Module; Porting to Metasploit; Conclusion; Further Resources

Wireless Hacking: Introduction; Requirements; Introducing Aircrack-ng; Uncovering Hidden SSIDs; Turning on the Monitor Mode; Monitoring Beacon Frames on Wireshark; Monitoring with Airodump-ng; Speeding Up the Process; Bypassing MAC Filters on Wireless Networks; Cracking a WEP Wireless Network with Aircrack-ng; Placing Your Wireless Adapter in Monitor Mode; Determining the Target with Airodump-ng; Attacking the Target; Speeding Up the Cracking Process; Injecting ARP Packets; Cracking the WEP; Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng; Capturing Packets; Capturing the Four-Way Handshake; Cracking WPA/WPA2; Using Reaver to Crack WPS-Enabled Wireless Networks; Reducing the Delay; Further Reading; Setting Up a Fake Access Point with SET to PWN Users; Attack Scenario; Evil Twin Attack; Scanning the Neighbors; Spoofing the MAC; Setting Up a Fake Access Point; Causing Denial of Service on the Original AP; Conclusion

Web Hacking: Attacking the Authentication; Username Enumeration; Invalid Username with Invalid Password; Valid Username with Invalid Password; Enabling Browser Cache to Store Passwords; Brute Force and Dictionary Attacks; Types of Authentication; HTTP Basic Authentication; HTTP-Digest Authentication; FORM-Based Authentication; Exploiting Password Reset Feature; Etsy.com Password Reset Vulnerability; Attacking FORM-Based Authentication; Brute Force Attack; Attacking HTTP BASIC AUTH; Further Reading; Log-In Protection Mechanisms; Captcha Validation Flaw; Captcha RESET Flaw; Manipulating User-Agents to Bypass Captcha and Other Protections; Real-World Example; Authentication Bypass Attacks; Authentication Bypass Using SQL Injection; Testing for SQL Injection Auth Bypass; Authentication Bypass Using XPATH Injection; Testing for XPATH Injection; Authentication Bypass Using Response Tampering; Crawling Restricted Links; Testing for the Vulnerability; Automating It with Burp Suite; Authentication Bypass with Insecure Cookie Handling; Session Attacks; Guessing Weak Session ID; Session Fixation Attacks; Requirements for This Attack; How the Attack Works?; SQL Injection Attacks; What Is an SQL Injection?; Types of SQL Injection; Union-Based SQL Injection; Error-Based SQL Injection; Blind SQL Injection; Detecting SQL Injection; Determining the Injection Type; Union-Based SQL Injection (MySQL); Testing for SQL Injection; Determining the Number of Columns; Determining the Vulnerable Columns; Fingerprinting the Database; Enumeration Information; Information_schema; Information_schema Tables; Enumerating All Available Databases; Enumerating All Available Tables in the Database; Extracting Columns from Tables; Extracting Data from Columns; Using group_concat; MySQL Version = 5; Guessing Table Names; Guessing Columns; SQL Injection to Remote Command Execution; Reading Files; Writing Files; Blind SQL Injection; Boolean-Based SQLi; True Statement; False Statement; Enumerating the DB USER; Enumerating the MYSQL Version; Guessing Tables; Guessing Columns in the Table; Extracting Data from Columns; Time-Based SQL Injection; Vulnerable Application; Testing for Time-Based SQL Injection; Enumerating the DB USER; Guessing the Table Names; Guessing the Columns; Extracting Data from Columns; Automating SQL Injections with SQLMAP; Enumerating Databases; Enumerating Tables; Enumerating the Columns; Extracting Data from the Columns; HTTP Header-Based SQL Injection; Operating System Takeover with Sqlmap; OS-CMD; OS-SHELL; OS-PWN; XSS (Cross-Site Scripting); How to Identify XSS Vulnerability?; Types of Cross-Site Scripting; Reflected/Nonpersistent XSS; Vulnerable Code; Medium Security; Vulnerable Code; High Security; Bypassing htmlspecialchars; UTF-32 XSS Trick: Bypass 1; Svg Craziness: Bypass 2; Bypass 3: href Attribute; Stored XSS/Persistent XSS; Payloads; Blind XSS; DOM-Based XSS; Detecting DOM-Based XSS; Sources (Inputs); Sinks (Creating/Modifying HTML Elements); Static JS Analysis to Identify DOM-Based XSS; How Does It Work?; Setting Up JSPRIME; Dominator: Dynamic Taint Analysis; POC for Internet Explorer; POC for Chrome; Pros/Cons; Cross Browser DOM XSS Detection; Types of DOM-Based XSS; Reflected DOM XSS; Stored DOM XSS; Exploiting XSS; Cookie Stealing with XSS; Exploiting XSS for Conducting Phishing Attacks; Compromising Victim's Browser with XSS; Exploiting XSS with BEEF; Setting Up BEEF on BackTrack; Demo Pages; Beef Modules; Module: Replace HREFs; Module: Getcookie; Module: Tabnabbing; BEEF in Action; Cross-Site Request Forgery (CSRF); Why Does a CSRF Attack Work?; How to Attack?; GET-Based CSRF; POST-Based CSRF; CSRF Protection Techniques; Referrer-Based Checking; Anti-CSRF Tokens; Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm; Tokens Not Validated upon Server; Analyzing Weak Anti-CSRF Token Strength; Bypassing CSRF with XSS; File Upload Vulnerabilities; Bypassing Client Side Restrictions; Bypassing MIME-Type Validation; Real-World Example; Bypassing Blacklist-Based Protections; Case 1: Blocking Malicious Extensions; Bypass; Case 2: Case-Sensitive Bypass; Bypass; Real-World Example; Vulnerable Code; Case 3: When All Dangerous Extensions Are Blocked; XSS via File Upload; Flash-Based XSS via File Upload; Case 4: Double Extensions Vulnerabilities; Apache Double Extension Issues; IIS 6 Double Extension Issues; Case 5: Using Trailing Dots; Case 6: Null Byte Trick; Case 7: Bypassing Image Validation; Case 8: Overwriting Critical Files; Real-World Example; File Inclusion Vulnerabilities; Remote File Inclusion; Patching File Inclusions on the Server Side; Local File Inclusion; Linux; Windows; LFI Exploitation Using /proc/self/environ; Log File Injection; Finding Log Files: Other Tricks; Exploiting LFI by Using PHP Input; Exploiting LFI Using File Uploads; Read Source Code via LFI; Local File Disclosure Vulnerability; Vulnerable Code; Local File Disclosure Tricks; Remote Command Execution; Uploading Shells; Server Side Include Injection; Testing a Website for SSI Injection; Executing System Commands; Spawning a Shell; SSRF Attacks; Impact; Example of a Vulnerable PHP CODE; Remote SSRF; Simple SSRF; Partial SSRF; Denial of Service; Denial of Service Using External Entity Expansion (XEE); Full SSRF; dict://; gopher://; http://; Causing the Crash; Overwriting Return Address; Generating Shellcode

Server Hacking: Apache Server; Testing for Disabled Functions; Open_basedir Misconfiguration; Using CURL to Bypass Open_basedir Restrictions; Open_basedir PHP 5.2.9 Bypass; Reference; Bypassing open_basedir Using CGI Shell; Bypassing open_basedir Using Mod_Perl, Mod_Python; Escalating Privileges Using Local Root Exploits; Back Connecting; Finding the Local Root Exploit; Usage; Finding a Writable Directory; Bypassing Symlinks to Read Configuration Files; Who Is Affected?; Basic Syntax; Why This Works?; Symlink Bypass: Example 1; Finding the Username; /etc/passwd File; /etc/valiases File; Path Disclosure; Uploading .htaccess to Follow Symlinks; Symlinking the Configuration Files; Connecting to and Manipulating the Database; Updating the Password; Symlink the Root Directory; Example 3: Compromising WHMCS Server; Finding a WHMCS Server; Symlinking the Configuration File; WHMCS Killer; Disabling Security Mechanisms; Disabling Mod_Security; Disabling Open_basedir and Safe_mode; Using CGI, PERL, or Python Shell to Bypass Symlinks; Conclusion

Index




Author

Rafay Baloch is the founder/CEO of RHA InfoSec. He runs one of the top security blogs in Pakistan with more than 25,000 subscribers (http://rafayhackingarticles.net). He has participated in various bug bounty programs and has helped several major Internet corporations such as Google, Facebook, Twitter, Yahoo!, eBay, etc., to improve their Internet security. Rafay was successful in finding a remote code execution vulnerability along with several other high-risk vulnerabilities inside PayPal, for which he was awarded a huge sum of money as well as an offer to work for PayPal. His major areas of research interest are in network security, bypassing modern security defenses such as WAFs, DOM-based XSS, and other HTML 5–based attack vectors. Rafay holds CPTE, CPTC, CSWAE, CVA, CSS, OSCP, CCNA R & S, CCNP Route, and eWAPT certifications.










Other Information

ISBN: 9781482231618
Condition: New
Dimensions: 10 x 7 in; weight 2.20 lb
Format: Paperback
Illustration notes: 835 b/w images
Pages (Arabic-numbered): 531

