Ethical Hacking and Penetration Testing Guide

By: Rafay Baloch (author), Paperback


Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools, including Backtrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn, Netcat, and Hacker Defender rootkit. Supplying a simple and clean explanation of how to effectively utilize these tools, it details a four-step methodology for conducting an effective penetration test or hack.

Providing an accessible introduction to penetration testing and hacking, the book supplies you with a fundamental understanding of offensive security. After completing the book you will be prepared to take on in-depth and advanced topics in hacking and penetration testing. The book walks you through each of the steps and tools in a structured, orderly manner, allowing you to understand how the output from each tool can be fully utilized in the subsequent phases of the penetration test. This process will allow you to clearly see how the various tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but don't know where to start, this book will help take your hacking skills to the next level. The topics described in this book comply with international standards and with what is being taught in international certifications.

About the Author

Rafay Baloch is the founder/CEO of RHA InfoSec. He runs one of the top security blogs in Pakistan with more than 25,000 subscribers. He has participated in various bug bounty programs and has helped several major Internet corporations such as Google, Facebook, Twitter, Yahoo!, eBay, etc., to improve their Internet security. Rafay was successful in finding a remote code execution vulnerability along with several other high-risk vulnerabilities inside PayPal, for which he was awarded a huge sum of money as well as an offer to work for PayPal. His major areas of research interest are network security, bypassing modern security defenses such as WAFs, DOM-based XSS, and other HTML5-based attack vectors. Rafay holds CPTE, CPTC, CSWAE, CVA, CSS, OSCP, CCNA R & S, CCNP Route, and eWAPT certifications.


Contents

Introduction to Hacking
Important Terminologies Asset Vulnerability Threat Exploit Risk What Is a Penetration Test? Vulnerability Assessments versus Penetration Test Pre-Engagement Rules of Engagement Milestones Penetration Testing Methodologies OSSTMM NIST OWASP Categories of Penetration Test Black Box White Box Gray Box Types of Penetration Tests Network Penetration Test Web Application Penetration Test Mobile Application Penetration Test Social Engineering Penetration Test Physical Penetration Test Report Writing Understanding the Audience Executive Class Management Class Technical Class Writing Reports Structure of a Penetration Testing Report Cover Page Table of Contents Executive Summary Remediation Report Vulnerability Assessment Summary Tabular Summary Risk Assessment Risk Assessment Matrix Methodology Detailed Findings Description Explanation Risk Recommendation Reports Conclusion

Linux Basics
Major Linux Operating Systems File Structure inside of Linux Permissions in Linux Special Permissions Users inside of Linux Linux Services Linux Password Storage Linux Logging Common Applications of Linux What Is BackTrack? How to Get BackTrack 5 Running? Installing BackTrack on Virtual Box Installing BackTrack on a Portable USB Installing BackTrack on Your Hard Drive BackTrack Basics Changing the Default Screen Resolution Some Unforgettable Basics Changing the Password Clearing the Screen Listing the Contents of a Directory Displaying Contents of a Specific Directory Displaying the Contents of a File Creating a Directory Changing the Directories Windows Linux Creating a Text File Copying a File Current Working Directory Renaming a File Moving a File Removing a File Locating Certain Files inside BackTrack Text Editors inside BackTrack Getting to Know Your Network Dhclient Services MySQL SSHD Postgresql Other Online Resources

Information Gathering Techniques
Active Information Gathering Passive Information Gathering Sources of Information Gathering Copying Websites Locally Information Gathering with Whois Finding Other Websites Hosted on the Same Server Tracing the Location Traceroute ICMP Traceroute TCP Traceroute Usage UDP Traceroute Usage NeoTrace Cheops-ng Enumerating and Fingerprinting the Webservers Intercepting a Response Acunetix Vulnerability Scanner WhatWeb Netcraft Google Hacking Some Basic Parameters Site Example TIP regarding Filetype Google Hacking Database Xcode Exploit Scanner File Analysis Foca Harvesting E-Mail Lists Gathering Wordlist from a Target Website Scanning for Subdomains TheHarvester Fierce in BackTrack Scanning for SSL Version DNS Enumeration Interacting with DNS Servers Nslookup DIG Forward DNS Lookup Forward DNS Lookup with Fierce Reverse DNS Reverse DNS Lookup with Dig Reverse DNS Lookup with Fierce Zone Transfers Zone Transfer with Host Command Automating Zone Transfers DNS Cache Snooping What Is DNS Cache Snooping? Nonrecursive Method Recursive Method What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries? Attack Scenario Automating DNS Cache Snooping Attacks Enumerating SNMP Problem with SNMP Sniffing SNMP Passwords OneSixtyOne Snmpenum SolarWinds Toolset SNMP Sweep SNMP Brute Force and Dictionary SNMP Brute Force Tool SNMP Dictionary Attack Tool SMTP Enumeration Detecting Load Balancers Load Balancer Detector Determining Real IP behind Load Balancers Bypassing CloudFlare Protection Method 1: Resolvers Method 2: Subdomain Trick Method 3: Mail Servers Intelligence Gathering Using Shodan Further Reading Conclusion

Target Enumeration and Port Scanning Techniques
Host Discovery Scanning for Open Ports and Services Types of Port Scanning Understanding the TCP Three-Way Handshake TCP Flags Port Status Types TCP SYN Scan TCP Connect Scan NULL, FIN, and XMAS Scans NULL Scan FIN Scan XMAS Scan TCP ACK Scan Responses UDP Port Scan Anonymous Scan Types IDLE Scan Scanning for a Vulnerable Host Performing an IDLE Scan with NMAP TCP FTP Bounce Scan Service Version Detection OS Fingerprinting POF Output Normal Format Grepable Format XML Format Advanced Firewall/IDS Evading Techniques Timing Technique Wireshark Output Fragmented Packets Wireshark Output Source Port Scan Specifying an MTU Sending Bad Checksums Decoys ZENMAP Further Reading

Vulnerability Assessment
What Are Vulnerability Scanners and How Do They Work? Pros and Cons of a Vulnerability Scanner Vulnerability Assessment with Nmap Updating the Database Scanning MS08-067 netapi Testing SCADA Environments with Nmap Installation Usage Nessus Vulnerability Scanner Home Feed Professional Feed Installing Nessus on BackTrack Adding a User Nessus Control Panel Reports Mobile Policies Users Configuration Default Policies Creating a New Policy Safe Checks Silent Dependencies Avoid Sequential Scans Port Range Credentials Plug-Ins Preferences Scanning the Target Nessus Integration with Metasploit Importing Nessus to Metasploit Scanning the Target Reporting OpenVas Resource Vulnerability Data Resources Exploit Databases Using Exploit-db with BackTrack Searching for Exploits inside BackTrack Conclusion

Network Sniffing
Introduction Types of Sniffing Active Sniffing Passive Sniffing Hubs versus Switches Promiscuous versus Nonpromiscuous Mode MITM Attacks ARP Protocol Basics How ARP Works? ARP Attacks MAC Flooding Macof ARP Poisoning Scenario-How It Works? Denial of Service Attacks Tools in the Trade Dsniff Using ARP Spoof to Perform MITM Attacks Usage Sniffing the Traffic with Dsniff Sniffing Pictures with Driftnet Urlsnarf and Webspy Sniffing with Wireshark Ettercap ARP Poisoning with Ettercap Hijacking Session with MITM Attack Attack Scenario ARP Poisoning with Cain and Abel Sniffing Session Cookies with Wireshark Hijacking the Session SSL Strip: Stripping HTTPS Traffic Requirements Usage Automating Man in the Middle Attacks Usage DNS Spoofing ARP Spoofing Attack Manipulating the DNS Records Using Ettercap to Launch DNS Spoofing Attack DHCP Spoofing Conclusion

Remote Exploitation
Understanding Network Protocols Transmission Control Protocol User Datagram Protocol Internet Control Messaging Protocol Server Protocols Text-Based Protocols (Important) Binary Protocols FTP SMTP HTTP Further Reading Resources Attacking Network Remote Services Overview of Brute Force Attacks Traditional Brute Force Dictionary Attacks Hybrid Attacks Common Target Protocols Tools of the Trade THC Hydra Basic Syntax for Hydra Cracking Services with Hydra Hydra GUI Medusa Basic Syntax OpenSSH Username Discovery Bug Cracking SSH with Medusa Ncrack Basic Syntax Cracking an RDP with Ncrack Case Study of a Morto Worm Combining Nmap and Ncrack for Optimal Results Attacking SMTP Important Commands Real-Life Example Attacking SQL Servers MySQL Servers Fingerprinting MySQL Version Testing for Weak Authentication MS SQL Servers Fingerprinting the Version Brute Forcing SA Account Using Null Passwords Introduction to Metasploit History of Metasploit Metasploit Interfaces MSFconsole MSFcli MSFGUI Armitage Metasploit Utilities MSFPayload MSFencode MSFVenom Metasploit Basic Commands Search Feature in Metasploit Use Command Info Command Show Options Set/Unset Command Reconnaissance with Metasploit Port Scanning with Metasploit Metasploit Databases Storing Information from Nmap into Metasploit Database Useful Scans with Metasploit Port Scanners Specific Scanners Compromising a Windows Host with Metasploit Metasploit Autopwn db_autopwn in Action Nessus and Autopwn Armitage Interface Launching Armitage Compromising Your First Target from Armitage Enumerating and Fingerprinting the Target MSF Scans Importing Hosts Vulnerability Assessment Exploitation Check Feature Hail Mary Conclusion References

Client Side Exploitation
Client Side Exploitation Methods Attack Scenario 1: E-Mails Leading to Malicious Attachments Attack Scenario 2: E-Mails Leading to Malicious Links Attack Scenario 3: Compromising Client Side Update Attack Scenario 4: Malware Loaded on USB Sticks E-Mails with Malicious Attachments Creating a Custom Executable Creating a Backdoor with SET PDF Hacking Introduction Header Body Cross Reference Table Trailer PDF Launch Action Creating a PDF Document with a Launch Action Controlling the Dialog Boxes PDF Reconnaissance Tools in the Trade PDFINFO PDFINFO "Your PDF Document" PDFTK Origami Framework Installing Origami Framework on BackTrack Attacking with PDF Fileformat Exploits Browser Exploits Scenario from Real World Adobe PDF Embedded EXE Social Engineering Toolkit Attack Scenario 2: E-Mails Leading to Malicious Links Credential Harvester Attack Tabnabbing Attack Other Attack Vectors Browser Exploitation Attacking over the Internet with SET Attack Scenario over the Internet Using Windows Box as Router (Port Forwarding) Browser AutoPWN Why Use Browser AutoPWN? Problem with Browser AutoPWN VPS/DEDICATED Server Attack Scenario 3: Compromising Client Side Update How Evilgrade Works? Prerequisites Attack Vectors Internal Network Attack Vectors External Network Attack Vectors Evilgrade Console Attack Scenario Attack Scenario 4: Malware Loaded on USB Sticks Teensy USB Conclusion Further Reading

Post-Exploitation
Acquiring Situation Awareness Enumerating a Windows Machine Enumerating Local Groups and Users Enumerating a Linux Machine Enumerating with Meterpreter Identifying Processes Interacting with the System User Interface Command Privilege Escalation Maintaining Stability Escalating Privileges Bypassing User Access Control Impersonating the Token Escalating Privileges on a Linux Machine Maintaining Access Installing a Backdoor Cracking the Hashes to Gain Access to Other Services Backdoors Disabling the Firewall Killing the Antivirus Netcat Msfpayload/Msfencode Generating a Backdoor with MSFPayload Msfencode Msfvenom Persistence What Is a Hash? Hashing Algorithms Windows Hashing Methods LAN Manager (LM) NTLM/NTLM2 Kerberos Where Are LM/NTLM Hashes Located? Dumping the Hashes Scenario 1-REMOTE ACCESS Scenario 2-LOCAL ACCESS OPH Crack References Scenario 3-OFFLINE SYSTEM OPHCrack LIVE CD Bypassing the Log-In References Cracking the Hashes Bruteforce/Dictionary Attacks Password Salts Rainbow Tables John the Ripper Cracking LM/NTLM Passwords with JTR Cracking Linux Passwords with JTR Rainbow Crack Sorting the Tables Cracking the Hashes with rcrack Speeding Up the Cracking Process Gaining Access to Remote Services Enabling the Remote Desktop Adding Users to the Remote Desktop Data Mining Gathering OS Information Harvesting Stored Credentials Identifying and Exploiting Further Targets Mapping the Internal Network Finding Network Information Identifying Further Targets Pivoting Scanning Ports and Services and Detecting OS Compromising Other Hosts on the Network Having the Same Password psexec Exploiting Targets Conclusion

Windows Exploit Development Basics
Prerequisites What Is a Buffer Overflow? Vulnerable Application How to Find Buffer Overflows? Methodology Getting the Software Up and Running Causing the Application to Crash Skeleton Exploit Determining the Offset Identifying Bad Characters Figuring Out Bad Characters with Mona Overwriting the Return Address NOP Sledges Generating the ShellCode Generating Metasploit Module Porting to Metasploit Conclusion Further Resources

Wireless Hacking
Introduction Requirements Introducing Aircrack-ng Uncovering Hidden SSIDs Turning on the Monitor Mode Monitoring Beacon Frames on Wireshark Monitoring with Airodump-ng Speeding Up the Process Bypassing MAC Filters on Wireless Networks Cracking a WEP Wireless Network with Aircrack-ng Placing Your Wireless Adapter in Monitor Mode Determining the Target with Airodump-ng Attacking the Target Speeding Up the Cracking Process Injecting ARP Packets Cracking the WEP Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng Capturing Packets Capturing the Four-Way Handshake Cracking WPA/WPA2 Using Reaver to Crack WPS-Enabled Wireless Networks Reducing the Delay Further Reading Setting Up a Fake Access Point with SET to PWN Users Attack Scenario Evil Twin Attack Scanning the Neighbors Spoofing the MAC Setting Up a Fake Access Point Causing Denial of Service on the Original AP Conclusion

Web Hacking
Attacking the Authentication Username Enumeration Invalid Username with Invalid Password Valid Username with Invalid Password Enabling Browser Cache to Store Passwords Brute Force and Dictionary Attacks Types of Authentication HTTP Basic Authentication HTTP-Digest Authentication FORM-Based Authentication Exploiting Password Reset Feature Password Reset Vulnerability Attacking FORM-Based Authentication Brute Force Attack Attacking HTTP BASIC AUTH Further Reading Log-In Protection Mechanisms Captcha Validation Flaw Captcha RESET Flaw Manipulating User-Agents to Bypass Captcha and Other Protections Real-World Example Authentication Bypass Attacks Authentication Bypass Using SQL Injection Testing for SQL Injection Auth Bypass Authentication Bypass Using XPATH Injection Testing for XPATH Injection Authentication Bypass Using Response Tampering Crawling Restricted Links Testing for the Vulnerability Automating It with Burp Suite Authentication Bypass with Insecure Cookie Handling Session Attacks Guessing Weak Session ID Session Fixation Attacks Requirements for This Attack How the Attack Works? SQL Injection Attacks What Is an SQL Injection? Types of SQL Injection Union-Based SQL Injection Error-Based SQL Injection Blind SQL Injection Detecting SQL Injection Determining the Injection Type Union-Based SQL Injection (MySQL) Testing for SQL Injection Determining the Number of Columns Determining the Vulnerable Columns Fingerprinting the Database Enumeration Information information_schema information_schema Tables Enumerating All Available Databases Enumerating All Available Tables in the Database Extracting Columns from Tables Extracting Data from Columns Using group_concat MySQL Version 5 Guessing Table Names Guessing Columns SQL Injection to Remote Command Execution Reading Files Writing Files Blind SQL Injection Boolean-Based SQLi True Statement False Statement Enumerating the DB USER Enumerating the MYSQL Version Guessing Tables Guessing Columns in the Table Extracting Data from Columns Time-Based SQL Injection Vulnerable Application Testing for Time-Based SQL Injection Enumerating the DB USER Guessing the Table Names Guessing the Columns Extracting Data from Columns Automating SQL Injections with SQLMAP Enumerating Databases Enumerating Tables Enumerating the Columns Extracting Data from the Columns HTTP Header-Based SQL Injection Operating System Takeover with Sqlmap OS-CMD OS-SHELL OS-PWN XSS (Cross-Site Scripting) How to Identify XSS Vulnerability? Types of Cross-Site Scripting Reflected/Nonpersistent XSS Vulnerable Code Medium Security Vulnerable Code High Security Bypassing htmlspecialchars UTF-32 XSS Trick: Bypass 1 Svg Craziness: Bypass 2 Bypass 3: href Attribute Stored XSS/Persistent XSS Payloads Blind XSS DOM-Based XSS Detecting DOM-Based XSS Sources (Inputs) Sinks (Creating/Modifying HTML Elements) Static JS Analysis to Identify DOM-Based XSS How Does It Work? Setting Up JSPRIME Dominator: Dynamic Taint Analysis POC for Internet Explorer POC for Chrome Pros/Cons Cross Browser DOM XSS Detection Types of DOM-Based XSS Reflected DOM XSS Stored DOM XSS Exploiting XSS Cookie Stealing with XSS Exploiting XSS for Conducting Phishing Attacks Compromising Victim's Browser with XSS Exploiting XSS with BEEF Setting Up BEEF on BackTrack Demo Pages Beef Modules Module: Replace HREFs Module: Getcookie Module: Tabnabbing BEEF in Action Cross-Site Request Forgery (CSRF) Why Does a CSRF Attack Work? How to Attack? GET-Based CSRF POST-Based CSRF CSRF Protection Techniques Referrer-Based Checking Anti-CSRF Tokens Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm Tokens Not Validated upon Server Analyzing Weak Anti-CSRF Token Strength Bypassing CSRF with XSS File Upload Vulnerabilities Bypassing Client Side Restrictions Bypassing MIME-Type Validation Real-World Example Bypassing Blacklist-Based Protections Case 1: Blocking Malicious Extensions Bypass Case 2: Case-Sensitive Bypass Bypass Real-World Example Vulnerable Code Case 3: When All Dangerous Extensions Are Blocked XSS via File Upload Flash-Based XSS via File Upload Case 4: Double Extensions Vulnerabilities Apache Double Extension Issues IIS 6 Double Extension Issues Case 5: Using Trailing Dots Case 6: Null Byte Trick Case 7: Bypassing Image Validation Case 8: Overwriting Critical Files Real-World Example File Inclusion Vulnerabilities Remote File Inclusion Patching File Inclusions on the Server Side Local File Inclusion Linux Windows LFI Exploitation Using /proc/self/environ Log File Injection Finding Log Files: Other Tricks Exploiting LFI By Using PHP Input Exploiting LFI Using File Uploads Read Source Code via LFI Local File Disclosure Vulnerability Vulnerable Code Local File Disclosure Tricks Remote Command Execution Uploading Shells Server Side Include Injection Testing a Website for SSI Injection Executing System Commands Spawning a Shell SSRF Attacks Impact Example of a Vulnerable PHP CODE Remote SSRF Simple SSRF Partial SSRF Denial of Service Denial of Service Using External Entity Expansion (XEE) Full SSRF dict:// gopher:// http:// Causing the Crash Overwriting Return Address Generating Shellcode Server Hacking Apache Server Testing for Disabled Functions open_basedir Misconfiguration Using CURL to Bypass open_basedir Restrictions open_basedir PHP 5.2.9 Bypass Reference Bypassing open_basedir Using CGI Shell Bypassing open_basedir Using mod_perl, mod_python Escalating Privileges Using Local Root Exploits Back Connecting Finding the Local Root Exploit Usage Finding a Writable Directory Bypassing Symlinks to Read Configuration Files Who Is Affected? Basic Syntax Why This Works? Symlink Bypass: Example 1 Finding the Username /etc/passwd File /etc/valiases File Path Disclosure Uploading .htaccess to Follow Symlinks Symlinking the Configuration Files Connecting to and Manipulating the Database Updating the Password Symlink the Root Directory Example 3: Compromising WHMCS Server Finding a WHMCS Server Symlinking the Configuration File WHMCS Killer Disabling Security Mechanisms Disabling Mod Security Disabling open_basedir and safe_mode Using CGI, PERL, or Python Shell to Bypass Symlinks Conclusion

Index

Product Details

  • ISBN13: 9781482231618
  • ISBN10: 1482231611
  • Format: Paperback
  • Number of Pages: 531
  • Weight: 998
