Please note that index links point to page beginnings from the print edition. Locations are approximate in e-readers, and you may need to page down one or more times after clicking a link to get to the indexed material.
3D printing, 164–165
3DES encryption, 343
802.11 standards, 256–257, 279
A
access control, 20, 21, 398–399
access control list (ACL), 159
access points (APs), 279
rogue, 268
wireless, 258
ACK flag probe, 98
ACK segment, 9
active banner grabbing, 114
active biometrics, 193
active footprinting, 45–46, 48
active online attacks, 195–196, 211–212
active OS fingerprinting, 107
active reconnaissance, 26
active wiretapping, 141
ad hoc connection attack, 268
adaptive chosen plain-text attack, 368
Address Resolution Protocol. See ARP
address space layout randomization (ASLR), 238
administrative controls, 14
ADMmutate tool, 162
ADS (alternate data stream), 204, 205, 212
AES (Advanced Encryption Standard), 262, 263, 343
AfriNIC (African Network Information Center), 63
AH (Authentication Header) protocol, 328, 333
AirMagnet WiFi Analyzer, 272
AirPcapReplay application, 265
ALE (annualized loss expectancy), 15, 34
alerting services, 51
algorithms
asymmetric, 345
definition of, 341
hash, 345–350
symmetric, 343
alternate data stream (ADS), 204, 205, 212
American Registry for Internet Numbers (ARIN), 63
anagrams, 7
and (&&) operator, 151
Android platform, 274, 278, 282
Angry IP Scanner, 96
anomaly-based IDS, 153
anonymous footprinting, 45
antimalware programs, 444
anycast addresses, 140
Apache web servers, 223, 224–225, 226, 247
APNIC (Asia-Pacific Network Information Center), 63
Apple Inc., 142–143
Application layer, 7
Application layer protocols, 135
application log, 206
application-level attacks, 24, 321, 332
application-level firewalls, 160
application-level rootkits, 209
applications
malicious, 395
See also web applications
APs. See access points
architecture
cloud computing, 290–291
Linux security, 187–191
web server, 223–229
Windows security, 178–183
ARIN (American Registry for Internet Numbers), 63
Armitage GUI for Metasploit, 202
ARO (annual rate of occurrence), 15, 34
arp -a command, 137
ARP (Address Resolution Protocol), 136–138
spoofing/poisoning, 146–147, 169, 441
Asia-Pacific Network Information Center (APNIC), 63
assets, 14
association, 260
asymmetric encryption, 344–345, 370
attacks
application-level, 24
authentication, 16
cloud computing, 298
collision, 347
denial-of-service, 18, 269, 320–324
distributed-denial-of-service, 320–324
malware, 306–318
misconfiguration, 25
mobile, 277–278
operating system, 24
pass-the-hash, 183
review questions/answers on, 334–337
session hijacking, 324–328
shrink-wrap code, 24–25
summary review of, 328–333
system, 177–216
tools for, 445–446
Trojan, 308–313
virus, 313–315
web application, 234–246
wireless network, 268–272, 441
worm, 316–317
zero-day, 13
See also system attacks
attributes, hidden, 231
audit policy, 207–208
Auditpol tool, 207–208
authentication
association vs., 260
biometric, 193
broken, 219
password, 194–195
token, 194
Windows system, 179–182
authentication attack, 16
Authentication Header (AH) protocol, 328, 333
authentication server, 260
authenticity, 18
authoritative servers, 61
authority support attack, 383
automated testing, 415–417, 423
AutoRuns tool, 312
B
Backstreet Browser, 56
banner grabbing, 114–115, 123, 431
baselines, 22
Basic Encoding Rules (BER), 119, 124
basic NAT, 159
basic service area (BSA), 258, 279
basic service set (BSS), 258, 279
bastion hosts, 160
BBProxy tool, 278
/bin directory, 187
biometric systems, 193, 398–400
birthday attack, 263
bit flipping, 18
black hats, 23
Black Widow tool, 56
Blackberry platform, 274
black-box testing, 30, 36, 413, 423
blackjacking attack, 278
blind SQL injection, 245
block ciphers, 341
Blooover tool, 279
Blowfish cipher, 343
Bluetooth technology, 276–277, 278, 282–283, 442
boot loader level rootkits, 208
bots, 13
Brandon, John, 293
Breach Level Index, 17
bricking a system, 322
broadcast protocol, 146
brute-force attacks, 199, 212, 369, 373
Brutus tool, 232
BSA (basic service area), 258, 279
BSS (basic service set), 258, 279
buffer overflow attacks, 237, 249
business continuity plan (BCP), 15, 34
Business Impact Analysis (BIA), 15, 34
C
Cain and Abel tool, 147, 197, 271
CAM table, 145–146
Campbell, Chris, 198
canary words, 237
cantenna, 259
CANVAS tool, 417
Capsa Network Analyzer, 152
CAPTCHAs, 240
Carter, Daniel, 297
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), 262–263
CCSP Certified Cloud Security Professional All-in-One Exam Guide (Carter), 297
CEH version 9 exam
overview of, 3–4
tips for taking, 4–5
Central Security Service (CSS), 346
CER (crossover error rate), 193, 400, 405
certificate authority (CA), 352, 371
Certificate of Cloud Security Knowledge (CCSK), 297
certificate revocation list (CRL), 352
Certified Cloud Security Professional (CCSP), 297
Certified Ethical Hacker exam. See CEH version 9 exam
chmod command, 189–190
chosen cipher attack, 368
chosen plain-text attack, 368
cipher block chaining message authentication code (CBC-MAC), 263
ciphertext-only attack, 368
ciphers, 341
circuit-level gateway firewalls, 160, 171
clearing tracks, 438
clear-text messages, 135
CLOSE_WAIT port state, 86
cloud computing, 287–304
control layers, 295
definition of, 289
deployment models, 289–290
historical development of, 288
potential problems with, 293–294
reference architecture, 290–291
regulatory efforts, 291–292
review questions/answers on, 302–304
summary review of, 299–302
threats and attacks, 295–299
Cloud Security Alliance (CSA), 292, 300
CloudPassage Halo tool, 294–295, 300–301
Codenomicon toolkit, 414–415
collision attacks, 347–348
collision domains, 133–134, 168
Comey, James, 142
command injection, 235, 248–249
command shell Trojans, 309–310, 329
Common Criteria (CC), 19–20
communication
connectionless, 81
connection-oriented, 81–84
encrypted, 362–367
community cloud model, 290, 299
community strings, 118
competitive intelligence, 47, 72, 428
computer contaminants. See malware attacks
Computer Fraud and Abuse Act, 51
computer-based social engineering, 387–392
Conficker worm, 316
CONNECT method, 228
connectionless communication, 81, 120
connection-oriented communication, 81–84, 120
content addressable memory (CAM) table, 145
contractual compliance, 32
Cook, Tim, 142
Core Impact Pro framework, 416
corrective measures, 15
corrupting log files, 207
covering tracks, 27–28, 192, 206–208, 438
Covert Channel Tunneling Trojan (CCTT), 309
covert channels, 307
cracking passwords, 195–200, 211–212
cross-guest VM breach, 298, 302
crossover error rate (CER), 193, 400, 405
Cross-Site Request Forgery (CSRF), 220, 239, 240, 249
cross-site scripting (XSS), 219, 238–239, 249
cryptography, 339–377
attacks on, 368–369
definition of, 340
history of, 339–340
overview of, 340–351
review questions/answers on, 373–377
summary review of, 370–373
tools for, 439–440
See also encryption
CSA (Cloud Security Alliance), 292, 300
CSMA/CD (Carrier Sense Multiple Access/Collision Detection), 133
CSPP (Connection String Parameter Pollution), 231
CSRF (Cross-Site Request Forgery), 220, 239, 240, 249
CurrPorts tool, 86
cyberterrorist, 24
D
daisy chaining, 13
DameWare Remote Support tool, 203
data, 7
exposure of sensitive, 220
data execution prevention (DEP), 238
datagram, 10
DDoS attacks. See distributed-denial-of-service (DDoS) attacks
decimal numerals, 151
defacement attacks, 231–232
default passwords, 195
defense-in-depth measures, 263
DELETE method, 228
Demilitarized Zone (DMZ), 11–12, 34, 160
denial-of-service (DoS) attacks, 18, 269, 320–324, 331–333, 435–436
DES (Data Encryption Standard), 343
detective measures, 15
/dev folder, 187
Diffie-Hellman algorithm, 345
digital certificates, 355–358, 372
Digital Signature Algorithm (DSA), 359
Digital Signature Standard (DSS), 359
digital signatures, 358–359, 372
dipole antennas, 260
direct broadcast addresses, 91
direct object references, 219
directional antennas, 259, 260
Directory System Agent (DSA), 119, 124
directory traversal, 229–230, 248
disaster recovery plan (DRP), 15, 34
discovering wireless networks, 264–267, 441
discovery mode for Bluetooth, 277, 282
discretionary access control (DAC), 20
disgruntled employees, 386–387
distributed reflection denial-of-service (DRDoS) attacks, 320
distributed-denial-of-service (DDoS) attacks, 320–324, 331–333, 435–436
DLL hijacking, 201
DMZ (Demilitarized Zone), 11–12, 34, 160
DNS (Domain Name System), 58–67
IP address management, 63
structure diagram, 59
DNSSEC (Domain Name System Security Extensions), 61
domain access, 182
Domain Name System. See DNS
DoS attacks. See denial-of-service (DoS) attacks
dot-dot-slash attack, 229–230, 248
doxing, 13
Dreeke, Robin, 385
DroidSheep tool, 278
DROWN attack, 367
dsniff tools, 147
DSSS (direct-sequence spread spectrum), 257
Duckwall, Skip, 198
dumpster diving, 26, 48, 195, 382, 403
dynamic ports, 85
E
EAL (Evaluation Assurance Level), 19
Easter eggs, 54
See also sniffing
EFS (Encrypted File Systems), 362, 372
EISA (Enterprise Information Security Architecture), 14
El Gamal algorithm, 345
elevated pure insiders, 421
Elliptic Curve Cryptosystem (ECC), 345
e-mail
footprinting, 57
phishing attacks, 196, 388–391
policy related to, 21
SMTP for carrying, 135
Encapsulating Security Payload (ESP) protocol, 328, 333
Encrypted File Systems (EFS), 362, 372
encryption, 339–377
algorithms for, 341–350
asymmetric, 344–345
attacks on, 368–369
communication, 362–367
data at rest, 360–362
hash algorithms and, 345–350
IDS and, 155
overview of, 340–351
PKI system, 351–359
review questions/answers on, 373–377
steganography and, 350–351
summary review of, 370–373
symmetric, 342–344
techniques for, 341–342
tools for, 439–440
wireless network, 261–264
enumeration, 111–120
banner grabbing as, 114–115
explanation of, 111
LDAP, 118–119
Linux systems and, 114
NetBIOS, 116–117
NTP and SMTP, 119
SNMP, 117–118
summary review of, 123–125
techniques of, 114–119
tools for, 114–117, 118, 119, 433–434
Windows systems and, 112–114
e-passports, 193
equal to (==) operator, 151
error-based SQL injection, 245
ESP (Encapsulating Security Payload) protocol, 328, 333
established port, 86
/etc folder, 188
Ethernet frames, 9–11
EtherPeek sniffer, 152
Ettercap sniffer, 152, 197, 327
evasion, 153–167
firewalls and, 159–161, 163–164
honeypots and, 165–167
intrusion detection systems and, 153–159, 161–162
review questions/answers on, 172–175
scanning and, 106–109
summary review of, 170–171
techniques for, 161–162
executing applications, 202–203, 212, 437
extended service set (ESS), 258
external assessments, 413, 422
F
fake antivirus programs, 314, 392
false acceptance rate (FAR), 193, 400, 405
false negatives, 153–154
false rejection rate (FRR), 193, 400, 405
Farook, Syed, 142
FBI phone cracking case, 142–143
file extension virus, 315, 331
files
integrity checkers for, 434–435
filters, Wireshark, 150–151, 170
FIN (Finish) flag, 82
finding wireless networks, 264–267
Firewalk tool, 164
firewalking, 164
Firewall Informer tool, 163
firewalls, 159–161
evasion of, 163–164
how they work, 159
HTTP tunneling and, 161
NAT implemented on, 159–160
placement of, 160
types of, 160
firmware rootkits, 208
folder integrity checkers, 434–435
footprinting, 44–77
anonymous, 45
e-mail, 57
explanation of, 44–46
focuses and benefits of, 45
Google hacking and, 51–55
network, 67–70
passive, 45–47
pseudonymous, 45
reconnaissance vs., 44
review questions/answers on, 74–77
scanning compared to, 80
search engines used for, 49, 51
social engineering and, 48
summary review of, 71–73
tools for, 49, 53, 56, 70–71, 428–430
website, 55–56
Fport tool, 312
fragmentation, 99, 161–162, 171
fragmentation attacks, 321, 331
fragmenting packets, 106–107
FREAK attack, 365
full disk encryption (FDE), 360, 372
G
gaining access phase, 27, 192, 193
GAK (government access to keys), 349
geek humor, 54
get-out-of-jail free card, 29
GFI LanGuard tool, 111
global scope, 140
GNU Wget tool, 56
Google Analytics, 273
Google Apps, 288
Google hacking, 51–55, 73, 430
gray hats, 23
gray-box testing, 31, 36, 413, 423
group IDs (GIDs), 113, 123, 190
guidelines, 22
Gzapper tool, 109
H
hackers
classifications for, 23–24, 35
common view of, 22
Hackerstorm Vulnerability Database Tool, 71
hacking
attack types, 24–25
ethical, 28–29
physical security, 402–403
registry, 184
systems, 177–216
terminology of, 22
web-based, 217–254
wireless network, 264–272
Hadnagy, Chris, 385
half-open scan, 98
halo effect, 384
Hamster.txt file, 197
hardware protocol analyzers, 135
hardware rootkits, 208
Harvey, Paul, 142
hash algorithms, 345–350, 370–371
hash function, 18
hash injection attacks, 195
hash tools, 439
HBSS (Host Based Security System), 154
HEAD method, 227
Heartbleed exploit, 364–365, 367, 373
hidden attribute, 231
Hidden Attribute check box, 206
hiding files, 203–206, 212–213
HIDS (host-based IDS), 96
hierarchical trust system, 354–355, 371
hijacking, session, 324–328
HIPAA (Health Insurance Portability and Accountability Act), 31, 36
HKEY_CLASSES_ROOT (HKCR) registry key, 184
HKEY_CURRENT_CONFIG (HKCC) registry key, 184
HKEY_CURRENT_USER (HKCU) registry key, 184
HKEY_LOCAL_MACHINE (HKLM) registry key, 184, 185, 312
HKEY_USERS (HKU) registry key, 184
/home folder, 188
Honeynet Project, 166
horizontal privilege escalation, 200, 212
host-based IDS (HIDS), 154
hosts file, 62
HTML (Hypertext Markup Language), 226–227
HTTP (Hypertext Transfer Protocol), 226, 227–228
HTTP requests, 9, 227–228, 247
HTTP response messages, 228–229
HTTP response splitting, 245, 250
httpd.conf file, 226
HTTrack tool, 56
hubs, 143
human-based social engineering, 381–387
Hunt tool, 327
Hyena tool, 117
hypertext, 226
hypervisor, 289
hypervisor level rootkits, 208
I
IaaS (Infrastructure as a Service), 289, 290, 299
IANA (Internet Assigned Numbers Authority), 63, 84
ICANN (Internet Corporation for Assigned Names and Numbers), 63
ICMP Echo scanning, 95
ICMP (Internet Control Message Protocol), 94–95, 96
IDEA (International Data Encryption Algorithm), 343
identity (ID) theft, 393–394
IDSInformer tool, 162
IDSs (intrusion detection systems), 153–159
anomaly-based, 153
evasion techniques, 161–162
host-based, 154
network-based, 154
ping sweeps and, 96
signature-based, 153
summary review of, 170–171
IETF (Internet Engineering Task Force), 218, 246
IKE (Internet Key Exchange) protocol, 328, 333
implicit deny principle, 159, 171
incident management process, 13
Incident Response Team (IRT), 13, 34
inference attack, 369
information audit policy, 21
information gathering. See footprinting
information protection policy, 21
information security policy, 21
Information Systems Audit and Control Association (ISACA), 32–33, 37
infowar, 25
infrastructure mode, 258
initialization vector (IV), 261
injection attacks, 235–237, 248–249
See also SQL injection
injection flaws, 219
insider associate, 421
insider attacks, 386–387
insider threats, 421
Institute for Security and Open Methodologies (ISECOM), 420
integrity check value (ICV), 261
internal assessments, 413, 422
International Telecommunications Union (ITU), 264
Internet Control Message Protocol (ICMP), 94–95, 96
Internet Engineering Task Force (IETF), 218, 246
Internet Everywhere, 88
Internet Information Services (IIS) servers, 223, 225, 247
Internet Key Exchange (IKE) protocol, 328, 333
Internet of Things, 88
Internet Relay Chat (IRC), 392
Internet Security Association and Key Management Protocol (ISAKMP), 328, 333
intrusion detection systems. See IDSs
Inundator tool, 162
inverse TCP flag scan, 98, 101
IP addresses
bits comprising, 89–92
management of, 63
IP packet header, 136
IPID (IP identifier), 99
IPSec protocol, 327–328, 333, 363, 373
IPv4
address depletion, 139
loopback address, 132
IPv6, 138–141
addresses and scopes, 139–141, 168
packet header, 140
ISACA (Information Systems Audit and Control Association), 32–33, 37
ISECOM (Institute for Security and Open Methodologies), 420
ISO/IEC 27001:2013 standard, 32, 33
IT Governance Institute (ITGI), 33, 37
J
jailbreaking, 274–275, 282, 443
jammers, 269–270
John the Ripper tool, 190, 200, 369
K
Kaminsky, Dan, 61
KerbCrack tool, 198
kernel level rootkits, 209
key escrow, 349
keyboard walks, 194
keys
registry, 183
KisMAC tool, 271
Kismet tool, 266–267, 272, 281
known plain-text attack, 368
Kundera, Milan, 45
L
LAND attacks, 322
Latin America and Caribbean Network Information Center (LACNIC), 63
law enforcement, 141–142
layered defense, 400–401
LC5 tool, 200
LDAP enumeration, 118–119, 124–125
LDAP injection attacks, 235–236, 249
legislative compliance, 32
library level rootkits, 209
libwhisker library, 153
Licklider, J.C.R., 288
limited broadcast addresses, 91
Lincoln, Abraham, 388
Linux systems
commands, 189
distributions, 447
enumeration on, 114
file structure, 188
important folders, 187–188
security architecture, 187–191
user and group IDs, 113
Windows systems vs., 185
listening port, 86
log files, 27–28, 106–107, 213
Long, Johnny, 51
loopback address
IPv4, 132
Low Orbit Ion Cannon (LOIC), 322–323
M
MAC addresses
ARP for discovering, 136–138
broadcast messages and, 132
filtering, 270
sections comprising, 137
spoofing, 148–149, 170, 270, 441
MAC filter, 270
madwifi project, 266
maintaining access phase, 27, 192
malicious apps, 395
malicious hackers, 29
Maltego tool, 70
malware attacks, 306–318
overview of, 306–308
protecting against, 318
review questions/answers on, 334–337
summary review of, 328–331
tools for, 444–445
Trojans as, 308–313
viruses as, 313–315
worms as, 316–317
Management Information Base (MIB), 117–118, 124
Management Network Zone (MNZ), 12, 34
mandatory access control (MAC), 20
man-in-the-browser (MITB) attack, 327
man-in-the-middle (MITM) attack, 197, 369
Matrix films, 87–88
maximum tolerable downtime (MTD), 15, 34
MD5 algorithm, 347
MDM tools, 443
memory management attacks, 238
message integrity codes (MICs), 262–263
MetaGoofil tool, 53
Metasploit tool, 202, 233–234, 248, 416–417
MGT P6 Wifi device, 269
MIB (Management Information Base), 117–118, 124
Microsoft Baseline Security Analyzer (MBSA), 110
Microsoft Management Consoles (MMCs), 187
Microsoft Windows. See Windows systems
mimikatz tool, 183
mis-association attacks, 268, 281
misconfiguration attacks, 25, 231, 248
/mnt folder, 188
Mobile Device Management (MDM), 275, 282
mobile device tracking, 443
mobile platforms, 272–279
growth of, 272–273
jailbreaking, 274–275
review questions/answers on, 284, 285, 286
spyware tools, 437
summary review of, 281–283
vulnerability of, 275–277
wireless discovery tools, 443
See also wireless networks
mobile-based social engineering, 394–396, 404
monitoring tools, 444–445
msconfig command, 312–313
multi-homed firewalls, 160, 171
N
name resolvers, 61
namespaces, 58
NAT overload, 159
National Computer Security Center (NCSC), 19
National Institute of Standards and Technology (NIST), 290, 300, 346
National Security Agency (NSA), 346
National Vulnerability Database (NVD), 71
nbtstat utility, 116–117
Nessus tool, 110, 111, 162, 167
net commands, 196
NetBIOS Auditing tool, 196
NetBIOS enumeration, 116–117, 124
Netcat tool, 115, 123, 309–310
netizens, 319
netstat command, 87, 311–312, 329
NetStumbler tool, 266, 272, 281
network address translation (NAT), 159–160, 328
network interface cards (NICs), 132–133, 168
network intrusion detection systems (NIDS), 96, 154
Network layer, 6
Network layer protocols, 136
network mapping tools, 432
Network Spoofer tool, 278
network tap, 156
Network Time Protocol (NTP), 119, 125
networks
footprinting, 67–70
security zones for, 11–12
sniffing and knowledge of, 132–134
See also wireless networks
Neverquest Trojan, 311
Nginx servers, 223–224
NICs (network interface cards), 132–133, 168
NIDS (network intrusion detection systems), 96, 154
NIDSbench tool, 162
Nmap tool, 95, 96, 97, 100–105, 121, 278
nohup command, 189
nondisclosure agreement (NDA), 29
non-electronic attacks, 195, 211
NSAuditor tool, 117
nslookup command, 65–67, 72–73
NTFS file streaming, 204–205, 212
NTLM hashes, 180
NTP (Network Time Protocol), 119, 125
O
object identifiers (OIDs), 118, 124
OFDM (orthogonal frequency-division multiplexing), 257
Oinkmaster tool, 157
omnidirectional antennas, 258–259
OmniPeek tool, 272
one-factor authentication, 194
Online Certificate Status Protocol (OCSP), 352
Open Web Application Security Project (OWASP), 219–220, 246–247, 420
OpenVAS tool, 111
operating system (OS) attacks, 24
operational measures, 397
or operator, 151
Orenstein, James, 142
organizationally unique identifier (OUI), 137
OSSTMM (Open Source Security Testing Methodology Manual), 32, 420
overt channels, 307
OWASP (Open Web Application Security Project), 219–220, 246–247, 420
P
PaaS (Platform as a Service), 289, 290, 299
Packet Builder tool, 83
packet capture tools, 440
packet crafting/spoofing tools, 438
Packet Generator tool, 162, 164
packet sniffing tools, 442
packet-filtering firewalls, 160, 171
pairing mode for Bluetooth, 277, 282
parabolic grid antennas, 260
paranoid policy, 21
partial knowledge testing, 31
passive banner grabbing, 114
passive biometrics, 193
passive footprinting, 45–47
passive online attacks, 196–198, 212
passive OS fingerprinting, 107
passive reconnaissance, 26
passive wiretapping, 141
passports, biometric, 193
pass-the-hash attacks, 183
passwd file, 190
passwords
default, 195
hacking tools for, 435
problems with, 399
search links for, 435
strength of, 194
patches, 246
payload, 13
Payment Card Industry Data Security Standard (PCI-DSS), 32, 36–37
PCI Data Security Standard (PCI DSS), 292, 300
peer to peer attacks, 322, 332
penetration (pen) tests, 30–31, 35, 409–426
agreements related to, 50, 411–412
announced vs. unannounced, 413
automated tools for, 415–417
black-, white-, and gray-box, 413
defining the project scope for, 412
external vs. internal, 413
guidelines for, 420
methodology and steps for, 410–422
phases in conducting, 417–418
programs for conducting, 447
reporting findings from, 418, 419–420, 423
review questions/answers on, 424–426
security assessments and, 411–419
summary review of, 422–423
terminology related to, 420–422
war game scenarios for, 414
people search tools, 428
permissive policy, 21
personally identifiable information (PII), 13
phishing, 196, 277, 388–391, 404
PhishTank Toolbar, 391
phlashing attacks, 322
PhoneSnoop tool, 279
php.ini file, 226
phreaker, 22
Physical layer, 5
physical measures/controls, 14, 397
physical security, 396–403
access controls for, 398
biometrics for, 398–400
categories of measures for, 397
hacking process for, 402–403
layered defense for, 400–401
review questions/answers on, 405–408
risks of penetrating, 396
summary review of, 405
ping of death attacks, 322, 332
ping sweep, 95–97, 121, 430–431
PKI (public key infrastructure) systems, 345, 351–359, 371
digital certificates in, 355–358
digital signatures in, 358–359
overview of, 352–355
plain text, 340
plain-text attacks, 368
Platform as a Service (PaaS), 289, 290, 299
PNZ (Production Network Zone), 12, 34
policies
audit, 207–208
limitations of, 402
security, 20–21
polymorphic code virus, 315, 330
POODLE exploit, 365–366, 367, 373
port address translation, 159
Portable Penetrator tool, 271
ports
span, 144
post-assessment phase, 30
post-attack phase, 417–418, 423
preparation phase, 30
Presentation layer, 6–7
preventative measures, 15
private cloud model, 289–290, 299
privilege escalation, 27, 200–202, 212, 436
procedures, 22
Process Explorer, 312
Production Network Zone (PNZ), 12, 34
Project Honey Pot, 166
promiscuous policy, 21
protection profile (PP), 19
protection rings, 209
protocol data unit (PDU), 7, 34
protocols
routed vs. routing, 92
susceptible to sniffing, 135–141
See also specific protocols
proxy chains, 108
prudent policy, 21
pseudonymous footprinting, 45
PSH (Push) flag, 82
public key infrastructure. See PKI (public key infrastructure) systems
pure insider, 421
PUT method, 228
Q
Qualys FreeScan tool, 111
R
RC (Rivest Cipher), 343
reconnaissance
See also footprinting
regional Internet registries (RIRs), 63, 64
registered ports, 85
registration authorities (RAs), 352
registry
hiding items in, 206
registry hacking, 184
registry tools, 434
relational databases, 241
reputation tracking tools, 428
relative identifiers (RIDs), 112–114, 123
Retina CS tool, 110
reverse social engineering, 384, 404
review questions/answers
on cloud computing, 302–304
on cryptography, 373–377
on footprinting, 74–77
on malware and other attacks, 334–337
on mobile platforms, 284, 285, 286
on penetration tests, 424–426
on physical security, 405–408
on scanning and enumeration, 125–129
on sniffing and evasion, 172–175
on social engineering, 405–408
on system attacks, 213–216
on web servers and applications, 250–254
on wireless networks, 283–286
RFCs (Request for Comments), 96, 218
RFID identity theft/skimming, 383–384
RIDs (relative identifiers), 112–114, 123
RIPE (Réseaux IP Européens) NCC, 63
risk analysis matrix, 14
Ritz, David, 58
rogue DHCP servers, 148
root account, 190
rooting/jailbreaking tools, 443
Roots of Trust (RoT), 294, 300
routed protocols, 92
routing protocols, 92
RSA algorithm, 345
RST (Reset) flag, 82
R-U-Dead-Yet tool, 322
rules
firewall, 159
S
S/MIME encryption, 363
SaaS (Software as a Service), 289, 290, 299
SAM (Security Accounts Manager) files, 114, 178–179, 210
Sarbanes-Oxley (SOX) Act, 32, 36
/sbin folder, 188
scanning, 93–111
evasion and, 106–109
footprinting vs., 80
identifying targets by, 94–97
Nmap tool for, 100–105
review questions/answers on, 125–129
steps in methodology of, 93
summary review of, 120–122
tools for, 95, 96, 100–106, 430–433
scanning and enumeration phase, 27
ScoopLM tool, 198
screen capture tools, 436
security, 12–22
basics of, 12–17
cloud computing, 292–295
history and terminology, 19–20
Linux architecture for, 187–191
misconfiguration of, 219
patching, 246
physical, 396–403
Windows architecture for, 178–183
Security, Functionality, Usability triangle, 12, 13
Security Accounts Manager (SAM) files, 114, 178–179, 210
security analysts, 23
security assessments, 411–419
deliverables from, 419
security context, 112
security controls, 14
security evaluation phase, 30
security identifiers (SIDs), 112–114, 123
security log, 206–207
security target (ST), 19
security zones, 11–12
SecurityFocus website, 71
Securitytracker website, 71
SELECT command, 241–242
self-signed certificates, 358, 372
semagrams, 206
semi-tethered jailbreaking, 275
Send-Safe Honeypot Hunter, 167
sensitive data exposure, 220
sequence numbers (SNs), 83, 325–327
servers
authentication, 260
authoritative, 61
Nginx, 223–224
rogue DHCP, 148
web, 218–234
service-level agreements (SLAs), 412
session fixation attacks, 239, 249
session hijacking, 324–328, 333, 438
Session layer, 6
session splicing, 161–162
SHA-1, SHA-2, and SHA-3 algorithms, 347
shadow file, 190
shadow IT, 296
shared key encryption, 342, 370
sheepdip computers, 318
Shellshock, 412–413
Shodan search engine, 71
shoulder surfing, 195, 383, 404
shrink-wrap code attacks, 24–25
side-channel attacks, 298, 302, 368
SIDs (security identifiers), 112–114, 123
signature-based IDS, 153
signed certificates, 358
sign-in seal, 391
SIGVERIF tool, 313
Simple Mail Transfer Protocol. See SMTP
Simple Network Management Protocol (SNMP), 117–118
Simple Object Access Protocol. See SOAP
single key encryption, 342, 370
single-authority system, 354, 371
Sisyphus story, 232
SiteDigger tool, 53
Skydance tool, 324
Skyhook tool, 267
SLE (single loss expectancy), 15, 34
Slowloris tool, 322
smart TVs, 204–205
smartphones, 264, 273, 275, 276
smishing attacks, 395
SMS social engineering attacks, 395
SMTP (Simple Mail Transfer Protocol), 119, 125, 135, 168
sniffers, 149–152
Ettercap, 152
function of, 132
tcpdump, 152
wireless network, 272
sniffing, 132–152
active, 143–144
collision domains and, 133–134
DHCP starvation and, 147–148
IPv6 and, 138–141
MAC flooding and, 145–146
network knowledge for, 132–134
passive, 143
protocols susceptible to, 135–141
review questions/answers on, 172–175
spoofing and, 148–149
summary review of, 167–170
techniques for, 144–149
tools for, 149–152, 436, 440–441
Sniff-O-Matic tool, 152
SNMP enumeration, 117–118, 124
Snort IDS, 152, 155–159, 170–171
SNs (sequence numbers), 83, 325–327
SOAP (Simple Object Access Protocol), 237, 301–302
social engineering, 380–396
active footprinting as, 48
certifications in, 384–385
cloud computing and, 298
computer-based attacks, 387–392
definition of, 380
films portraying, 386
four phases of successful, 381
human-based attacks, 381–387
mobile-based attacks, 394–396
password cracking by, 195
prevention of, 392
reasons for success of, 381
reverse, 384
review questions/answers on, 405–408
summary review of, 403–404
toolkit for, 447
Social Engineering Framework (SEF), 70
social media
security certification in, 384–385
social engineering using, 387–388
social networking, 51, 387–388
Software as a Service (SaaS), 289, 290, 299
sparse infector virus, 315, 330
spectrum analyzer, 259
Spoofcard tool, 65
spoofing
definition of, 148
MAC addresses, 17, 148–149, 170, 270
spyware tools, 437
SQL injection, 241–245, 250, 446
SQL (Structured Query Language), 241–242, 249–250
SQLBrute tool, 250
SSID (service set identifier), 260, 280
SSL encryption, 197–198, 362, 363, 372
sslsniff tool, 198
Stagefright bugs, 278
stateful inspection firewalls, 160, 171
state-sponsored hacker, 24
steganography, 206, 213, 340, 350–351, 371, 439–440
stream ciphers, 341
Structured Query Language. See SQL
Stuxnet worm, 317
suicide hackers, 24
Super Bluetooth Hack package, 279
SuperOneClick tool, 274
switch port stealing, 146, 169
switches
active sniffing and, 143–144
collision domains and, 134
Hping tool, 106
symmetric encryption, 342–344, 370
SYN segment, 9
SYN/ACK segment, 9
system attacks, 177–216
application execution and, 202–203
authentication and, 193–195
covering tracks for, 206–208
diagram of phases in, 192
hiding files in, 203–206
Linux security architecture and, 187–191
methodology overview for, 191–193
password cracking and, 195–200
privilege escalation and, 200–202
review questions/answers on, 213–216
rootkits and, 208–209
steps in process of, 193–209
summary review of, 210–213
Windows security architecture and, 178–183
system hacking tools, 435–438
system log, 206
system virus, 314
T
target of evaluation (TOE), 19, 30
tautology, 245
TCP connect scan, 97
TCP state-exhaustion attacks, 321, 332
TCP (Transmission Control Protocol), 9
stream following, 150
tcpdump tool, 152
technical measures/controls, 14, 397–398
technorati, 319
Teleport Pro tool, 56
terminology
hacking, 22
pen test, 420–422
security, 19–20
tethered jailbreaking, 275
text semagrams, 206
threat modeling, 13
threats
cloud computing, 295–298
identifying, 14
three-factor authentication, 194
three-way handshake, 10, 34, 82, 83
tiger team, 29
TIME_WAIT port state, 86
TLS protocol, 362, 365–366, 372
token authentication, 194, 399, 400
tools
encryption, 439–440
enumeration, 114–117, 118, 119
evasion, 162–163
footprinting, 49, 53, 56, 70–71, 428–430
sniffing, 149–152
web server attack, 232–234
Tor (The Onion Router), 109, 122
TRACE method, 228
tracert command, 70
Transport layer, 6
Transport layer protocols, 135–136
trash intelligence, 382
Tribe Flood Network, 322
Trinity tool, 322
Tripwire tool, 313
Trojans, 308–313
command shell, 309–310
mobile device, 277
port numbers for, 310–311, 329
tools related to, 444–445
Trusted Computer System Evaluation Criteria (TCSEC), 19
Trusted Computing Group (TCG), 294, 300
Truth in Caller ID Act, 65
T-sight tool, 327
Twain, Mark, 388
two-factor authentication, 194
Twofish cipher, 343
U
Ubiquiti cards, 266
UDP (User Datagram Protocol), 10, 81
Ufasoft tool, 147
union query, 244–245
untethered jailbreaking, 274
unvalidated input attack, 230
URG (Urgent) flag, 82
URIs (Uniform Resource Identifiers), 226
URLs (Uniform Resource Locators), 226
SQL injection in, 243
/usr folder, 188
V
validation authority (VA), 352, 358
values, registry, 183–184
vertical privilege escalation, 200, 212
virus hoax, 314
vishing (voice phishing), 383
visual semagrams, 206
VPN/FW scanner, 447
vulnerabilities
identifying, 14
vulnerability assessments, 411
W
W3C (World Wide Web Consortium), 219, 246
war chalking, 260
war discovery options, 265
war game scenarios, 414
Wayback Machine, 56
web applications, 234–246
buffer overflow attacks, 237
cookies for attacking, 239–240
countermeasures for securing, 246
cross-site request forgery attacks, 239, 240
cross-site scripting attacks, 238–239
HTTP attacks, 245–246
injection attacks, 235–237
review questions/answers on, 250–254
SQL injection attacks, 241–245
summary review of, 248–250
web defacement attacks, 231–232
web mirroring, 55–56
web of trust system, 354
web organizations, 218–220, 246–247
web resources
cryptography and encryption tools, 439–440
footprinting tools, 428–430
miscellaneous tools, 446–447
scanning and enumeration tools, 430–435
sniffing tools, 440–441
system hacking tools, 435–438
Trojans and malware tools, 444–445
vulnerability research sites, 427–428
web attack tools, 445–446
wireless network tools, 441–443
web servers, 218–234
architecture overview, 223–229
attack vectors, 229–232
countermeasures for securing, 246
methodology for attacking, 222–223
review questions/answers on, 250–254
summary review of, 247–248
tools for attacking, 232–234, 445
web spiders, 70
web updates tools, 429
web-based hacking, 217–254
web applications and, 234–246
web servers and, 218–234
WebRipper tool, 56
Website Watcher, 57
websites
footprinting, 55–56
mirroring tools, 430
research tools, 429
See also web resources
WeFi tool, 267
well-known ports, 85
WEP/WPA cracking tools, 442
WEPAttack tool, 271
WEPCrack tool, 271
whaling, 391
white hats, 23
white-box testing, 31, 36, 413, 423
whois database, 63–64
whois tools, 429
WinArpAttacker tool, 147
Windows mobile platform, 274
Windows service monitoring tools, 434
Windows systems
enumeration on, 112–114
Linux systems vs., 185
MMCs, 187
Nmap scan of, 103
security architecture, 178–183
SIDs and RIDs, 112–114
WinDump tool, 152
Winfingerprint tool, 117
WinSniffer tool, 152
wireless networks, 256–272
802.11 standards, 256–257
antennas, 258–260
encryption options, 261–264
finding/discovering, 264–267
hacking, 264–272
modes for operating, 258
modulation methods, 257
review questions/answers on, 283–286
SSIDs for, 260
summary review of, 279–281
tools for hacking, 441–443
WEP attacks, 270–272
See also mobile platforms
Wireless Security Auditor tool, 271
Wireshark tool, 149–152, 170, 272
wiretapping, 132, 141–142, 168–169
World Wide Web Consortium (W3C), 219, 246
wrapping attack, 298
X
X.509 standard, 355
XArp tool, 146
XML tags, 226
XOR operations, 341–342
XSS (cross-site scripting), 219, 238–239, 249
Y
YubiKey token, 399
Z
Zatko, Peiter C., 327
zero-day attack, 13
zombie machines, 27
zones, network security, 11–12