Table of Contents

Penetration Testing: A Survival Guide
Penetration Testing: A Survival Guide
Credits
Preface
What this learning path covers
What you need for this learning path
Who this learning path is for
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
I. Module 1
1. Sharpening the Saw
Installing Kali Linux to an encrypted USB drive
Prerequisites for installation
Booting Up
Installing configuration
Setting up the drive
Booting your new installation of Kali
Running Kali from the live CD
Installing and configuring applications
Gedit – the Gnome text editor
Terminator – the terminal emulator for multitasking
EtherApe – the graphical protocol analysis tool
Setting up and configuring OpenVAS
Reporting the tests
KeepNote – the standalone document organizer
Dradis – the web-based document organizer
Running services on Kali Linux
Exploring the Kali Linux Top 10 and more
Summary
2. Information Gathering and Vulnerability Assessment
Footprinting the network
Exploring the network with Nmap
Zenmap
The difference verbosity makes
Scanning a network range
Where can you find instructions on this thing?
A return to OpenVAS
Using Maltego
Using Unicorn-Scan
Monitoring resource use with Htop
Monkeying around the network
Summary
3. Exploitation Tools (Pwnage)
Choosing the appropriate time and tool
Choosing the right version of Metasploit
Starting Metasploit
Creating workspaces to organize your attack
Using the hosts and services commands
Using advanced footprinting
Interpreting the scan and building on the result
Exploiting poor patch management
Finding out whether anyone is home
Using the pivot
Mapping the network to pivot
Creating the attack path
Grabbing system on the target
Setting Up the route
Exploring the inner network
Abusing the Windows NET USE command
Adding a Windows user from the command line
Summary
4. Web Application Exploitation
Surveying the webscape
Concept of Robots.txt
Concept of .htaccess
Quick solutions to cross-site scripting
Reducing buffer overflows
Avoiding SQL injection
Arm yourself with Armitage
Working with a single known host
Discovering new machines with NMap
Zinging Windows servers with OWASP ZAP
Using ZAP as an attack proxy
Reading the ZAP interface
Search and destroy with Burp Suite
Targeting the test subject
Using Burp Suite as a Proxy
Installing the Burp Suite security certificate
Spidering a site with Burp Spider
Summary
5. Sniffing and Spoofing
Sniffing and spoofing network traffic
Sniffing network traffic
Basic sniffing with tcpdump
More basic sniffing with WinDump (Windows tcpdump)
Packet hunting with Wireshark
Dissecting the packet
Swimming with Wireshark
Spoofing network traffic
Ettercap
Using Ettercap on the command line
Summary
6. Password Attacks
Password attack planning
Cracking the NTLM code (Revisited)
Password lists
Cleaning a password list
My friend Johnny
John the Ripper (command line)
xHydra
Adding a tool to the main menu in Kali 2.x
Summary
7. Windows Privilege Escalation
Gaining access with Metasploit
Replacing the executable
Local privilege escalation with a standalone tool
Escalating privileges with physical access
Robbing the Hives with samdump2
Owning the registry with chntpw
Weaseling in with Weevely
Preparing to use Weevely
Creating an agent
Testing Weevely locally
Testing Weevely on a Windows server
Getting help in Weevely
Getting the system info
Using filesystem commands in Weevely
Writing into files
Summary
8. Maintaining Remote Access
Maintaining access
Covering our tracks
Maintaining access with Ncat
Phoning Home with Metasploit
The Dropbox
Cracking the NAC (Network Access Controller)
Creating a Spear-Phishing Attack with the Social Engineering Toolkit
Using Backdoor-Factory to Evade Antivirus
Summary
9. Reverse Engineering and Stress Testing
Setting up a test environment
Creating your victim machine(s)
Testing your testing environment
Reverse engineering theory
One general theory of reverse engineering
Working with Boolean logic
Reviewing a while loop structure
Reviewing the for loop structure
Understanding the decision points
Practicing reverse engineering
Demystifying debuggers
Using the Valgrind Debugger to discover memory leaks
Translating your app to assembler with the EDB-Debugger
EDB-Debugger symbol mapper
Running OllyDbg
Introduction to disassemblers
Running JAD
Create your own disassembling code with Capstone
Some miscellaneous reverse engineering tools
Running Radare2
Additional members of the Radare2 tool suite
Running rasm2
Running rahash2
Running radiff2
Running rafind2
Running rax2
Stresstesting Windows
Dealing with Denial
Putting the network under Siege
Configuring your Siege engine
Summary
10. Forensics
Getting into Digital Forensics
Exploring Guymager
Starting Kali for Forensics
Acquiring a drive to be legal evidence
Cloning With Guymager
Diving into Autopsy
Mounting image files
Summary
II. Module 2
1. Introduction to Penetration Testing and Web Applications
Proactive security testing
Who is a hacker?
Different testing methodologies
Ethical hacking
Penetration testing
Vulnerability assessment
Security audits
Rules of engagement
Black box testing or Gray box testing
Client contact details
Client IT team notifications
Sensitive data handling
Status meeting
The limitations of penetration testing
The need for testing web applications
Social engineering attacks
Training employees to defeat social engineering attacks
A web application overview for penetration testers
HTTP protocol
Request and response header
The request header
The response header
Important HTTP methods for penetration testing
The GET/POST method
The HEAD method
The TRACE method
The PUT and DELETE methods
The OPTIONS method
Session tracking using cookies
Cookie
Cookie flow between server and client
Persistent and non-persistent cookies
Cookie parameters
HTML data in HTTP response
Multi-tier web application
Summary
2. Setting up Your Lab with Kali Linux
Kali Linux
Improvements in Kali Linux 2.0
Installing Kali Linux
USB mode
VMware and ARM images of Kali Linux
Kali Linux on Amazon cloud
Installing Kali Linux on a hard drive
Kali Linux-virtualizing versus installing on physical hardware
Important tools in Kali Linux
Web application proxies
Burp proxy
Customizing client interception
Modifying requests on the fly
Burp proxy with SSL-based websites
WebScarab and Zed Attack Proxy
ProxyStrike
Web vulnerability scanner
Nikto
Skipfish
Web Crawler – Dirbuster
OpenVAS
Database exploitation
CMS identification tools
Web application fuzzers
Using Tor for penetration testing
Steps to set up Tor and connect anonymously
Visualization of a web request through Tor
Final words for Tor
Summary
3. Reconnaissance and Profiling the Web Server
Reconnaissance
Passive reconnaissance versus active reconnaissance
Reconnaissance – information gathering
Domain registration details
Whois – extracting domain information
Identifying hosts using DNS
Zone transfer using dig
Brute force DNS records using Nmap
The Recon-ng tool – a framework for information gathering
Domain enumeration using recon-ng
Sub-level and top-level domain enumeration
Reporting modules
Scanning – probing the target
Port scanning using Nmap
Different options for port scan
Evading firewalls and IPS using Nmap
Spotting a firewall using back checksum option in Nmap
Identifying the operating system using Nmap
Profiling the server
Application version fingerprinting
The Nmap version scan
The Amap version scan
Fingerprinting the web application framework
The HTTP header
The Whatweb scanner
Identifying virtual hosts
Locating virtual hosts using search engines
The virtual host lookup module in Recon-ng
Identifying load balancers
Cookie-based load balancer
Other ways of identifying load balancers
Scanning web servers for vulnerabilities and misconfigurations
Identifying HTTP methods using Nmap
Testing web servers using auxiliary modules in Metasploit
Automating scanning using the WMAP web scanner plugin
Vulnerability scanning and graphical reports – the Skipfish web application scanner
Spidering web applications
The Burp spider
Application login
Summary
4. Major Flaws in Web Applications
Information leakage
Directory browsing
Directory browsing using DirBuster
Comments in HTML code
Mitigation
Authentication issues
Authentication protocols and flaws
Basic authentication
Digest authentication
Integrated authentication
Form-based authentication
Brute forcing credentials
Hydra – a brute force password cracker
Path traversal
Attacking path traversal using Burp proxy
Mitigation
Injection-based flaws
Command injection
SQL injection
Cross-site scripting
Attack potential of cross-site scripting attacks
Cross-site request forgery
Session-based flaws
Different ways to steal tokens
Brute forcing tokens
Sniffing tokens and man-in-the-middle attacks
Stealing session tokens using XSS attack
Session token sharing between application and browser
Tools to analyze tokens
Session fixation attack
Mitigation for session fixation
File inclusion vulnerability
Remote file include
Local file include
Mitigation for file inclusion attacks
HTTP parameter pollution
Mitigation
HTTP response splitting
Mitigation
Summary
5. Attacking the Server Using Injection-based Flaws
Command injection
Identifying parameters to inject data
Error-based and blind command injection
Metacharacters for command separator
Scanning for command injection
Creating a cookie file for authentication
Executing Wapiti
Exploiting command injection using Metasploit
PHP shell and Metasploit
Exploiting shellshock
Overview of shellshock
Scanning – dirb
Exploitation – Metasploit
SQL injection
SQL statements
The UNION operator
The SQL query example
Attack potential of the SQL injection flaw
Blind SQL injection
SQL injection testing methodology
Scanning for SQL injection
Information gathering
Sqlmap – automating exploitation
BBQSQL – the blind SQL injection framework
Sqlsus – MySQL injection
Sqlninja – MS SQL injection
Summary
6. Exploiting Clients Using XSS and CSRF Flaws
The origin of cross-site scripting
Introduction to JavaScript
An overview of cross-site scripting
Types of cross-site scripting
Persistent XSS
Reflected XSS
DOM-based XSS
Defence against DOM-based XSS
XSS using the POST Method
XSS and JavaScript – a deadly combination
Cookie stealing
Key logger
Website defacing
Scanning for XSS flaws
Zed Attack Proxy
Scoping and selecting modes
Modes of operation
Scan policy and attack
Xsser
Features
W3af
Plugins
Graphical interface
Cross-site request forgery
Attack dependencies
Attack methodology
Testing for CSRF flaws
CSRF mitigation techniques
Summary
7. Attacking SSL-based Websites
Secure socket layer
SSL in web applications
SSL encryption process
Asymmetric encryption versus symmetric encryption
Asymmetric encryption algorithms
Symmetric encryption algorithm
Hashing for message integrity
Identifying weak SSL implementations
OpenSSL command-line tool
SSLScan
SSLyze
Testing SSL configuration using Nmap
SSL man-in-the-middle attack
SSL MITM tools in Kali Linux
SSLsplit
SSLstrip
SSL stripping limitations
Summary
8. Exploiting the Client Using Attack Frameworks
Social engineering attacks
Social engineering toolkit
Spear-phishing attack
Website attack
Java applet attack
Credential harvester attack
Web jacking attack
Metasploit browser exploit
Tabnabbing attack
Browser exploitation framework
Introducing BeEF
BeEF hook injection
Browser reconnaissance
Exploit modules
Host information gathering
Persistence module
Network recon
Inter-protocol exploitation and communication
Exploiting the mutillidae XSS flaw using BeEF
Injecting the BeEF hook using MITM
Summary
9. AJAX and Web Services – Security Issues
Introduction to AJAX
Building blocks of AJAX
The AJAX workflow
AJAX security issues
Increase in attack surface
Exposed programming logic of the application
Insufficient access control
Challenges of pentesting AJAX applications
Crawling AJAX applications
AJAX crawling tool
Sprajax
AJAX spider – OWASP ZAP
Analyzing client-side code – Firebug
The Script panel
The Console panel
The Network panel
Web services
Introducing SOAP and RESTful web services
Securing web services
Insecure direct object reference vulnerability
Summary
10. Fuzzing Web Applications
Fuzzing basics
Types of fuzzing techniques
Mutation fuzzing
Generation fuzzing
Applications of fuzzing
Network protocol fuzzing
File fuzzing
User interface fuzzing
Web application fuzzing
Web browser fuzzing
Fuzzer frameworks
Fuzzing steps
Testing web applications using fuzzing
Fuzzing input in web applications
Request URI
Headers
Form fields
Detecting result of fuzzing
Web application fuzzers in Kali Linux
Fuzzing using Burp intruder
PowerFuzzer tool
Summary
III. Module 3
1. Setting Up the Lab
Installing the required tools
Java
Android Studio
Setting up an AVD
Real device
Apktool
Dex2jar/JD-GUI
Burp Suite
Configuring the AVD
Drozer
Prerequisites
QARK (No support for windows)
Getting ready
Advanced REST Client for Chrome
Droid Explorer
Cydia Substrate and Introspy
SQLite browser
Frida
Setting up Frida server
Setting up frida-client
Testing the setup
Vulnerable apps
Kali Linux
ADB Primer
Checking for connected devices
Getting a shell
Listing the packages
Pushing files to the device
Pulling files from the device
Installing apps using adb
Troubleshooting adb connections
Summary
2. Android Rooting
What is rooting?
Why would we root a device?
Advantages of rooting
Unlimited control over the device
Installing additional apps
More features and customization
Disadvantages of rooting
It compromises the security of your device
Bricking your device
Voids warranty
Locked and unlocked boot loaders
Determining boot loader unlock status on Sony devices
Unlocking boot loader on Sony through a vendor specified method
Rooting unlocked boot loaders on a Samsung device
Stock recovery and Custom recovery
Prerequisites
Rooting Process and Custom ROM installation
Installing recovery softwares
Using Odin
Using Heimdall
Rooting a Samsung Note 2
Flashing the Custom ROM to the phone
Summary
3. Fundamental Building Blocks of Android Apps
Basics of Android apps
Android app structure
How to get an APK file?
Storage location of APK files
/data/app/
/system/app/
/data/app-private/
Example of extracting preinstalled apps
Example of extracting user installed apps
Android app components
Activities
Services
Broadcast receivers
Content providers
Android app build process
Building DEX files from the command line
What happens when an app is run?
ART – the new Android Runtime
Understanding app sandboxing
UID per app
App sandboxing
Is there a way to break out of this sandbox?
Summary
4. Overview of Attacking Android Apps
Introduction to Android apps
Web Based apps
Native apps
Hybrid apps
Understanding the app's attack surface
Mobile application architecture
Threats at the client side
Threats at the backend
Guidelines for testing and securing mobile apps
OWASP Top 10 Mobile Risks (2014)
M1: Weak Server-Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client-Side Injection
M8: Security Decisions via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Automated tools
Drozer
Performing Android security assessments with Drozer
Installing testapp.apk
Listing out all the modules
Retrieving package information
Identifying the attack surface
Identifying and exploiting Android app vulnerabilities using Drozer
Attacks on exported activities
What is the problem here?
QARK (Quick Android Review Kit)
Running QARK in interactive mode
Reporting
Running QARK in seamless mode:
Summary
5. Data Storage and Its Security
What is data storage?
Android local data storage techniques
Shared preferences
SQLite databases
Internal storage
External storage
Shared preferences
Real world application demo
SQLite databases
Internal storage
External storage
User dictionary cache
Insecure data storage – NoSQL database
NoSQL demo application functionality
Backup techniques
Backup the app data using adb backup command
Convert .ab format to tar format using Android backup extractor
Extracting the TAR file using the pax or star utility
Analyzing the extracted content for security issues
Being safe
Summary
6. Server-Side Attacks
Different types of mobile apps and their threat model
Mobile applications server-side attack surface
Mobile application architecture
Strategies for testing mobile backend
Setting up Burp Suite Proxy for testing
Proxy setting via APN
Proxy setting via Wi-Fi
Bypass certificate warnings and HSTS
HSTS – HTTP Strict Transport Security
Bypassing certificate pinning
Bypass SSL pinning using AndroidSSLTrustKiller
Setting up a demo application
Installing OWASP GoatDroid
Threats at the backend
Relating OWASP top 10 mobile risks and web attacks
Authentication/authorization issues
Authentication vulnerabilities
Authorization vulnerabilities
Session management
Insufficient Transport Layer Security
Input validation related issues
Improper error handling
Insecure data storage
Attacks on the database
Summary
7. Client-Side Attacks – Static Analysis Techniques
Attacking application components
Attacks on activities
What does exported behavior mean to an activity?
Intent filters
Attacks on services
Extending the Binder class:
Using a Messenger
Using AIDL
Attacking AIDL services
Attacks on broadcast receivers
Attacks on content providers
Querying content providers:
Exploiting SQL Injection in content providers using adb
Querying the content provider
Writing a where condition:
Testing for Injection:
Finding the column numbers for further extraction
Running database functions
Finding out SQLite version:
Finding out table names
Static analysis using QARK:
Summary
8. Client-Side Attacks – Dynamic Analysis Techniques
Automated Android app assessments using Drozer
Listing out all the modules
Retrieving package information
Finding out the package name of your target application
Getting information about a package
Dumping the AndroidManifes.xml file
Finding out the attack surface:
Attacks on activities
Attacks on services
Broadcast receivers
Content provider leakage and SQL Injection using Drozer
Attacking SQL Injection using Drozer
Path traversal attacks in content providers
Reading /etc/hosts
Reading kernel version
Exploiting debuggable apps
Introduction to Cydia Substrate
Runtime monitoring and analysis using Introspy
Hooking using Xposed framework
Dynamic instrumentation using Frida
What is Frida?
Prerequisites
Steps to perform dynamic hooking with Frida
Logging based vulnerabilities
WebView attacks
Accessing sensitive local resources through file scheme
Other WebView issues
Summary
9. Android Malware
What do Android malwares do?
Writing Android malwares
Writing a simple reverse shell Trojan using socket programming
Registering permissions
Writing a simple SMS stealer
The user interface
Code for MainActivity.java
Code for reading SMS
Code for the uploadData() method
Complete code for MainActivity.java
Registering permissions
Code on the server
A note on infecting legitimate apps
Malware analysis
Static analysis
Disassembling Android apps using Apktool
Exploring the AndroidManifest.xml file
Exploring smali files
Decompiling Android apps using dex2jar and JD-GUI
Dynamic analysis
Analyzing HTTP/HTTPS traffic using Burp
Analysing network traffic using tcpdump and Wireshark
Tools for automated analysis
How to be safe from Android malwares?
Summary
10. Attacks on Android Devices
MitM attacks
Dangers with apps that provide network level access
Using existing exploits
Malware
Bypassing screen locks
Bypassing pattern lock using adb
Removing the gesture.key file
Cracking SHA1 hashes from the gesture.key file
Bypassing password/PIN using adb
Bypassing screen locks using CVE-2013-6271
Pulling data from the sdcard
Summary
A. Bibliography
Index