Ethical Hacking and Penetration Testing Guide

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools, including Backtrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn, Netcat, and Hacker Defender rootkit. Supplying a simple and clean explanation of how to effectively utilize these tools, it details a four-step methodology for conducting an effective penetration test or hack.Providing an accessible introduction to penetration testing and hacking, the book supplies you with a fundamental understanding of offensive security. After completing the book you will be prepared to take on in-depth and advanced topics in hacking and penetration testing. The book walks you through each of the steps and tools in a structured, orderly manner allowing you to understand how the output from each tool can be fully utilized in the subsequent phases of the penetration test. This process will allow you to clearly see how the various tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but don‘t know where to start, this book will help take your hacking skills to the next level. The topics described in this book comply with international standards and with what is being taught in international certifications.

Introduction to HackingImportant Terminologies Asset Vulnerability Threat Exploit Risk What Is a Penetration Test? Vulnerability Assessments versus Penetration Test Pre-Engagement Rules of Engagement Milestones Penetration Testing Methodologies OSSTMM NIST OWASPCategories of Penetration Test Black Box White Box Gray Box Types of Penetration Tests Network Penetration Test Web Application Penetration Test Mobile Application Penetration Test Social Engineering Penetration Test Physical Penetration Test Report Writing Understanding the Audience Executive Class Management Class Technical ClassWriting ReportsStructure of a Penetration Testing Report Cover Page Table of Contents Executive Summary Remediation ReportVulnerability Assessment Summary Tabular SummaryRisk Assessment Risk Assessment MatrixMethodology Detailed Findings Description Explanation Risk Recommendation ReportsConclusionLinux BasicsMajor Linux Operating SystemsFile Structure inside of LinuxPermissions in LinuxSpecial PermissionsUsers inside of Linux Linux Services Linux Password Storage Linux LoggingCommon Applications of LinuxWhat Is BackTrack? How to Get BackTrack 5 Running? Installing BackTrack on Virtual Box Installing BackTrack on a Portable USB Installing BackTrack on Your Hard Drive BackTrack BasicsChanging the Default Screen Resolution Some Unforgettable Basics Changing the Password Clearing the Screen Listing the Contents of a Directory Displaying Contents of a Specific Directory Displaying the Contents of a File Creating a Directory Changing the Directories Windows Linux Creating a Text File Copying a File Current Working Directory Renaming a File Moving a File Removing a File Locating Certain Files inside BackTrackText Editors inside BackTrackGetting to Know Your Network DhclientServices MySQL SSHD PostgresqlOther Online ResourcesInformation Gathering TechniquesActive Information GatheringPassive Information GatheringSources of Information GatheringCopying Websites Locally Information Gathering with Whois Finding Other Websites Hosted on the Same ServerYouGetSignal.com Tracing the Location Traceroute ICMP Traceroute TCP Traceroute Usage UDP Traceroute UsageNeoTraceCheops-ng Enumerating and Fingerprinting the WebserversIntercepting a Response Acunetix Vulnerability ScannerWhatWebNetcraft Google HackingSome Basic Parameters SiteExampleTIP regarding Filetype Google Hacking DatabaseHackersforcharity.org/ghdbXcode Exploit Scanner File Analysis Foca Harvesting E-Mail Lists Gathering Wordlist from a Target Website Scanning for Subdomains TheHarvester Fierce in BackTrack Scanning for SSL Version DNS EnumerationInteracting with DNS ServersNslookupDIG Forward DNS LookupForward DNS Lookup with Fierce Reverse DNS Reverse DNS Lookup with DigReverse DNS Lookup with Fierce Zone TransfersZone Transfer with Host CommandAutomating Zone Transfers DNS Cache SnoopingWhat Is DNS Cache Snooping? Nonrecursive Method Recursive MethodWhat Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?Attack ScenarioAutomating DNS Cache Snooping Attacks Enumerating SNMPProblem with SNMPSniffing SNMP PasswordsOneSixtyOneSnmpenumSolarWinds ToolsetSNMP SweepSNMP Brute Force and DictionarySNMP Brute Force ToolSNMP Dictionary Attack ToolSMTP Enumeration Detecting Load Balancers Load Balancer Detector Determining Real IP behind Load Balancers Bypassing CloudFlare Protection Method 1: Resolvers Method 2: Subdomain Trick Method 3: Mail ServersIntelligence Gathering Using ShodanFurther ReadingConclusionTarget Enumeration and Port Scanning TechniquesHost DiscoveryScanning for Open Ports and ServicesTypes of Port ScanningUnderstanding the TCP Three-Way HandshakeTCP FlagsPort Status TypesTCP SYN ScanTCP Connect ScanNULL, FIN, and XMAS ScansNULL ScanFIN ScanXMAS ScanTCP ACK ScanResponsesUDP Port ScanAnonymous Scan TypesIDLE ScanScanning for a Vulnerable HostPerforming an IDLE Scan with NMAPTCP FTP Bounce ScanService Version DetectionOS FingerprintingPOFOutput Normal Format Grepable Format XML FormatAdvanced Firewall/IDS Evading TechniquesTiming TechniqueWireshark OutputFragmented PacketsWireshark OutputSource Port ScanSpecifying an MTUSending Bad ChecksumsDecoysZENMAPFurther ReadingVulnerability AssessmentWhat Are Vulnerability Scanners and How Do They Work?Pros and Cons of a Vulnerability ScannerVulnerability Assessment with NmapUpdating the DatabaseScanning MS08 _ 067 _ netapiTesting SCADA Environments with Nmap Installation UsageNessus Vulnerability Scanner Home Feed Professional FeedInstalling Nessus on BackTrackAdding a User Nessus Control Panel Reports Mobile Policies Users Configuration Default PoliciesCreating a New PolicySafe ChecksSilent Dependencies Avoid Sequential ScansPort Range Credentials Plug-InsPreferences Scanning the TargetNessus Integration with MetasploitImporting Nessus to Metasploit Scanning the Target Reporting OpenVasResource Vulnerability Data Resources Exploit DatabasesUsing Exploit-db with BackTrackSearching for Exploits inside BackTrackConclusionNetwork SniffingIntroductionTypes of Sniffing Active Sniffing Passive SniffingHubs versus SwitchesPromiscuous versus Nonpromiscuous ModeMITM AttacksARP Protocol BasicsHow ARP Works?ARP Attacks MAC Flooding Macof ARP PoisoningScenario—How It Works?Denial of Service AttacksTools in the Trade DsniffUsing ARP Spoof to Perform MITM Attacks UsageSniffing the Traffic with DsniffSniffing Pictures with DrifnetUrlsnarf and WebspySniffing with WiresharkEttercapARP Poisoning with EttercapHijacking Session with MITM AttackAttack ScenarioARP Poisoning with Cain and AbelSniffing Session Cookies with WiresharkHijacking the SessionSSL Strip: Stripping HTTPS TrafficRequirements UsageAutomating Man in the Middle Attacks UsageDNS Spoofing ARP Spoofing Attack Manipulating the DNS Records Using Ettercap to Launch DNS Spoofing AttackDHCP SpoofingConclusionRemote ExploitationUnderstanding Network Protocols Transmission Control Protocol User Datagram ProtocolInternet Control Messaging ProtocolServer Protocols Text-Based Protocols (Important) Binary Protocols FTP SMTP HTTPFurther ReadingResourcesAttacking Network Remote Services Overview of Brute Force Attacks Traditional Brute Force Dictionary Attacks Hybrid AttacksCommon Target ProtocolsTools of the Trade THC HydraBasic Syntax for Hydra Cracking Services with HydraHydra GUI MedusaBasic SyntaxOpenSSH Username Discovery BugCracking SSH with Medusa NcrackBasic SyntaxCracking an RDP with Ncrack Case Study of a Morto WormCombining Nmap and Ncrack for Optimal Results Attacking SMTPImportant CommandsReal-Life ExampleAttacking SQL Servers MySQL ServersFingerprinting MySQL VersionTesting for Weak AuthenticationMS SQL ServersFingerprinting the VersionBrute Forcing SA AccountUsing Null PasswordsIntroduction to MetasploitHistory of MetasploitMetasploit InterfacesMSFconsole MSFcli MSFGUI ArmitageMetasploit UtilitiesMSFPayloadMSFencodeMSFVenomMetasploit Basic CommandsSearch Feature in MetasploitUse CommandInfo CommandShow OptionsSet/Unset CommandReconnaissance with MetasploitPort Scanning with MetasploitMetasploit DatabasesStoring Information from Nmap into Metasploit DatabaseUseful Scans with Metasploit Port Scanners Specific ScannersCompromising a Windows Host with MetasploitMetasploit Autopwndb _ autopwn in ActionNessus and Autopwn ArmitageInterfaceLaunching ArmitageCompromising Your First Target from ArmitageEnumerating and Fingerprinting the TargetMSF ScansImporting HostsVulnerability AssessmentExploitationCheck FeatureHail MaryConclusionReferencesClient Side ExploitationClient Side Exploitation Methods Attack Scenario 1: E-Mails Leading to Malicious Attachments Attack Scenario 2: E-Mails Leading to Malicious Links Attack Scenario 3: Compromising Client Side Update Attack Scenario 4: Malware Loaded on USB Sticks E-Mails with Malicious Attachments Creating a Custom Executable Creating a Backdoor with SET PDF HackingIntroduction Header Body Cross Reference Table TrailerPDF Launch ActionCreating a PDF Document with a La

Rafay Baloch is the founder/CEO of RHA InfoSec. He runs one of the top security blogs in Pakistan with more than 25,000 subscribers (http://rafayhackingarticles.net). He has participated in various bug bounty programs and has helped several major Internet corporations such as Google, Facebook, Twitter, Yahoo!, eBay, etc., to improve their Internet security. Rafay was successful in finding a remote code execution vulnerability along with several other high-risk vulnerabilities inside PayPal, for which he was awarded a huge sum of money as well as an offer to work for PayPal. His major areas of research interest are in network security, bypassing modern security defenses such as WAFs, DOM-based XSS, and other HTML 5–based attack vectors. Rafay holds CPTE, CPTC, CSWAE, CVA, CSS, OSCP, CCNA R & S, CCNP Route, and eWAPT certifications.