Contents in Detail. Foreword by Peter Van Eeckhoutte

Size: px

Start display at page:

Download "Contents in Detail. Foreword by Peter Van Eeckhoutte"

Shanna Virginia Barber
5 years ago
Views:

1 Contents in Detail Foreword by Peter Van Eeckhoutte xix Acknowledgments xxiii Introduction xxv A Note of Thanks.... xxvi About This Book.... xxvi Part I: The Basics.... xxvii Part II: Assessments xxvii Part III: Attacks... xxvii Part IV: Exploit Development.... xxviii Part V: Mobile Hacking... xxviii 0 Penetration Testing Primer 1 The Stages of the Penetration Test... 2 Pre-engagement... 2 Information Gathering... 4 Threat Modeling... 4 Vulnerability Analysis... 4 Exploitation... 4 Post Exploitation... 4 Reporting... 5 Summary... 6 Part I The Basics 1 Setting Up Your Virtual Lab 9 Installing VMware... 9 Setting Up Kali Linux Configuring the Network for Your Virtual Machine Installing Nessus Installing Additional Software Setting Up Android Emulators Smartphone Pentest Framework Target Virtual Machines Creating the Windows XP Target VMware Player on Microsoft Windows VMware Fusion on Mac OS Installing and Activating Windows... 32

2 Installing VMware Tools Turning Off Windows Firewall Setting User Passwords Setting a Static IP Address Making XP Act Like It s a Member of a Windows Domain Installing Vulnerable Software Installing Immunity Debugger and Mona Setting Up the Ubuntu 8.10 Target Creating the Windows 7 Target Creating a User Account Opting Out of Automatic Updates Setting a Static IP Address Adding a Second Network Interface Installing Additional Software Summary Using Kali Linux 55 Linux Command Line The Linux Filesystem Changing Directories Learning About Commands: The Man Pages User Privileges Adding a User Adding a User to the sudoers File Switching Users and Using sudo Creating a New File or Directory Copying, Moving, and Removing Files Adding Text to a File Appending Text to a File File Permissions Editing Files Searching for Text Editing a File with vi Data Manipulation Using grep Using sed Pattern Matching with awk Managing Installed Packages Processes and Services Managing Networking Setting a Static IP Address Viewing Network Connections Netcat: The Swiss Army Knife of TCP/IP Connections Check to See If a Port Is Listening Opening a Command Shell Listener Pushing a Command Shell Back to a Listener Automating Tasks with cron Jobs Summary x Contents in Detail

3 3 Programming 75 Bash Scripting Ping A Simple Bash Script Running Our Script Adding Functionality with if Statements A for Loop Streamlining the Results Python Scripting Connecting to a Port if Statements in Python Writing and Compiling C Programs Summary Using the Metasploit Framework 87 Starting Metasploit Finding Metasploit Modules The Module Database Built-In Search Setting Module Options RHOST RPORT SMBPIPE Exploit Target Payloads (or Shellcode) Finding Compatible Payloads A Test Run Types of Shells Bind Shells Reverse Shells Setting a Payload Manually Msfcli Getting Help Showing Options Payloads Creating Standalone Payloads with Msfvenom Choosing a Payload Setting Options Choosing an Output Format Serving Payloads Using the Multi/Handler Module Using an Auxiliary Module Summary Contents in Detail xi

4 Part II Assessments 5 Information Gathering 113 Open Source Intelligence Gathering Netcraft Whois Lookups DNS Reconnaissance Searching for Addresses Maltego Port Scanning Manual Port Scanning Port Scanning with Nmap Summary Finding Vulnerabilities 133 From Nmap Version Scan to Potential Vulnerability Nessus Nessus Policies Scanning with Nessus A Note About Nessus Rankings Why Use Vulnerability Scanners? Exporting Nessus Results Researching Vulnerabilities The Nmap Scripting Engine Running a Single NSE Script Metasploit Scanner Modules Metasploit Exploit Check Functions Web Application Scanning Nikto Attacking XAMPP Default Credentials Manual Analysis Exploring a Strange Port Finding Valid Usernames Summary Capturing Traffic 155 Networking for Capturing Traffic Using Wireshark Capturing Traffic Filtering Traffic Following a TCP Stream Dissecting Packets xii Contents in Detail

5 ARP Cache Poisoning ARP Basics IP Forwarding ARP Cache Poisoning with Arpspoof Using ARP Cache Poisoning to Impersonate the Default Gateway DNS Cache Poisoning Getting Started Using Dnsspoof SSL Attacks SSL Basics Using Ettercap for SSL Man-in-the-Middle Attacks SSL Stripping Using SSLstrip Summary Part III Attacks 8 Exploitation 179 Revisiting MS Metasploit Payloads Meterpreter Exploiting WebDAV Default Credentials Running a Script on the Target Web Server Uploading a Msfvenom Payload Exploiting Open phpmyadmin Downloading a File with TFTP Downloading Sensitive Files Downloading a Configuration File Downloading the Windows SAM Exploiting a Buffer Overflow in Third-Party Software Exploiting Third-Party Web Applications Exploiting a Compromised Service Exploiting Open NFS Shares Summary Password Attacks 197 Password Management Online Password Attacks Wordlists Guessing Usernames and Passwords with Hydra Offline Password Attacks Recovering Password Hashes from a Windows SAM File Dumping Password Hashes with Physical Access LM vs. NTLM Hashing Algorithms The Trouble with LM Password Hashes Contents in Detail xiii

6 John the Ripper Cracking Linux Passwords Cracking Configuration File Passwords Rainbow Tables Online Password-Cracking Services Dumping Plaintext Passwords from Memory with Windows Credential Editor Summary Client-Side Exploitation 215 Bypassing Filters with Metasploit Payloads All Ports HTTP and HTTPS Payloads Client-Side Attacks Browser Exploitation PDF Exploits Java Exploits browser_autopwn Winamp Summary Social Engineering 243 The Social-Engineer Toolkit Spear-Phishing Attacks Choosing a Payload Setting Options Naming Your File Single or Mass Creating the Template Setting the Target Setting Up a Listener Web Attacks Mass Attacks Multipronged Attacks Summary Bypassing Antivirus Applications 257 Trojans Msfvenom How Antivirus Applications Work Microsoft Security Essentials VirusTotal Getting Past an Antivirus Program Encoding Custom Cross Compiling Encrypting Executables with Hyperion Evading Antivirus with Veil-Evasion xiv Contents in Detail

7 Hiding in Plain Sight Summary Post Exploitation 277 Meterpreter Using the upload Command getuid Other Meterpreter Commands Meterpreter Scripts Metasploit Post-Exploitation Modules Railgun Local Privilege Escalation getsystem on Windows Local Escalation Module for Windows Bypassing UAC on Windows Udev Privilege Escalation on Linux Local Information Gathering Searching for Files Keylogging Gathering Credentials net Commands Another Way In Checking Bash History Lateral Movement PSExec Pass the Hash SSHExec Token Impersonation Incognito SMB Capture Pivoting Adding a Route in Metasploit Metasploit Port Scanners Running an Exploit through a Pivot Socks4a and ProxyChains Persistence Adding a User Metasploit Persistence Creating a Linux cron Job Summary Web Application Testing 313 Using Burp Proxy SQL Injection Testing for SQL Injection Vulnerabilities Exploiting SQL Injection Vulnerabilities Using SQLMap XPath Injection Contents in Detail xv

8 Local File Inclusion Remote File Inclusion Command Execution Cross-Site Scripting Checking for a Reflected XSS Vulnerability Leveraging XSS with the Browser Exploitation Framework Cross-Site Request Forgery Web Application Scanning with w3af Summary Wireless Attacks 339 Setting Up Viewing Available Wireless Interfaces Scan for Access Points Monitor Mode Capturing Packets Open Wireless Wired Equivalent Privacy WEP Weaknesses Cracking WEP Keys with Aircrack-ng Wi-Fi Protected Access WPA The Enterprise Connection Process The Personal Connection Process The Four-Way Handshake Cracking WPA/WPA2 Keys Wi-Fi Protected Setup Problems with WPS Cracking WPS with Bully Summary Part IV Exploit Development 16 A Stack-Based Buffer Overflow in Linux 361 Memory Theory Linux Buffer Overflow A Vulnerable Program Causing a Crash Running GDB Crashing the Program in GDB xvi Contents in Detail

9 Controlling EIP Hijacking Execution Endianness Summary A Stack-Based Buffer Overflow in Windows 379 Searching for a Known Vulnerability in War-FTP Causing a Crash Locating EIP Generating a Cyclical Pattern to Determine Offset Verifying Offsets Hijacking Execution Getting a Shell Summary Structured Exception Handler Overwrites 401 SEH Overwrite Exploits Passing Control to SEH Finding the Attack String in Memory POP POP RET SafeSEH Using a Short Jump Choosing a Payload Summary Fuzzing, Porting Exploits, and Metasploit Modules 421 Fuzzing Programs Finding Bugs with Code Review Fuzzing a Trivial FTP Server Attempting a Crash Porting Public Exploits to Meet Your Needs Finding a Return Address Replacing Shellcode Editing the Exploit Writing Metasploit Modules A Similar Exploit String Module Porting Our Exploit Code Exploitation Mitigation Techniques Stack Cookies Address Space Layout Randomization Data Execution Prevention Mandatory Code Signing Summary Contents in Detail xvii

10 Part V Mobile Hacking 20 Using the Smartphone Pentest Framework 445 Mobile Attack Vectors Text Messages Near Field Communication QR Codes The Smartphone Pentest Framework Setting Up SPF Android Emulators Attaching a Mobile Modem Building the Android App Deploying the App Attaching the SPF Server and App Remote Attacks Default iphone SSH Login Client-Side Attacks Client-Side Shell USSD Remote Control Malicious Apps Creating Malicious SPF Agents Mobile Post Exploitation Information Gathering Remote Control Pivoting Through Mobile Devices Privilege Escalation Summary REsources 473 Index 477 xviii Contents in Detail

PENETRATION TESTING. A HattdA-Oti Introduction. to Hacking. by Georgia Weidman. <e> no starch. press. San Francisco

PENETRATION TESTING. A HattdA-Oti Introduction. to Hacking. by Georgia Weidman. <e> no starch. press. San Francisco PENETRATION TESTING A HattdA-Oti Introduction to Hacking by Georgia Weidman no starch press San Francisco CONTENTS IN DETAIL FOREWORD by Peter Van Eeckhoutte xix ACKNOWLEDGMENTS xxiii INTRODUCTION