Imperial Library
Penetration Testing: A Hands-On Introduction to Hacking
Dedication
About the Author
Foreword
Acknowledgments
Introduction
A Note of Thanks
About This Book
Part I: The Basics
Part II: Assessments
Part III: Attacks
Part IV: Exploit Development
Part V: Mobile Hacking
Penetration Testing Primer
The Stages of the Penetration Test
Pre-engagement
Information Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
Executive Summary
Technical Report
Summary
I. The Basics
1. Setting Up Your Virtual Lab
Installing VMware
Setting Up Kali Linux
Configuring the Network for Your Virtual Machine
VMware Player on Microsoft Windows
VMware Fusion on Mac OS
Connecting the Virtual Machine to the Network
Testing Your Internet Access
Installing Nessus
Installing Additional Software
The Ming C Compiler
Hyperion
Veil-Evasion
Ettercap
Setting Up Android Emulators
Smartphone Pentest Framework
Target Virtual Machines
Creating the Windows XP Target
VMware Player on Microsoft Windows
VMware Fusion on Mac OS
Installing and Activating Windows
Installing VMware Tools
VMware Player on Microsoft Windows
VMware Fusion on Mac OS
Turning Off Windows Firewall
Setting User Passwords
Setting a Static IP Address
Making XP Act Like It’s a Member of a Windows Domain
Installing Vulnerable Software
Zervit 0.4
SLMail 5.5
3Com TFTP 2.0.1
XAMPP 1.7.2
Adobe Acrobat Reader
War-FTP
WinSCP
Installing Immunity Debugger and Mona
Setting Up the Ubuntu 8.10 Target
Creating the Windows 7 Target
Creating a User Account
Opting Out of Automatic Updates
Setting a Static IP Address
Adding a Second Network Interface
Installing Additional Software
Summary
2. Using Kali Linux
Linux Command Line
The Linux Filesystem
Changing Directories
Learning About Commands: The Man Pages
User Privileges
Adding a User
Adding a User to the sudoers File
Switching Users and Using sudo
Creating a New File or Directory
Copying, Moving, and Removing Files
Adding Text to a File
Appending Text to a File
File Permissions
Editing Files
Searching for Text
Editing a File with vi
Data Manipulation
Using grep
Using sed
Pattern Matching with awk
Managing Installed Packages
Processes and Services
Managing Networking
Setting a Static IP Address
Viewing Network Connections
Netcat: The Swiss Army Knife of TCP/IP Connections
Check to See If a Port Is Listening
Opening a Command Shell Listener
Pushing a Command Shell Back to a Listener
Automating Tasks with cron Jobs
Summary
3. Programming
Bash Scripting
Ping
A Simple Bash Script
Running Our Script
Adding Functionality with if Statements
A for Loop
Streamlining the Results
Python Scripting
Connecting to a Port
if Statements in Python
Writing and Compiling C Programs
Summary
4. Using the Metasploit Framework
Starting Metasploit
Finding Metasploit Modules
The Module Database
Built-In Search
Setting Module Options
RHOST
RPORT
SMBPIPE
Exploit Target
Payloads (or Shellcode)
Finding Compatible Payloads
A Test Run
Types of Shells
Bind Shells
Reverse Shells
Setting a Payload Manually
Msfcli
Getting Help
Showing Options
Payloads
Creating Standalone Payloads with Msfvenom
Choosing a Payload
Setting Options
Choosing an Output Format
Serving Payloads
Using the Multi/Handler Module
Using an Auxiliary Module
Summary
II. Assessments
5. Information Gathering
Open Source Intelligence Gathering
Netcraft
Whois Lookups
DNS Reconnaissance
Nslookup
Host
Zone Transfers
Searching for Email Addresses
Maltego
Port Scanning
Manual Port Scanning
Port Scanning with Nmap
A SYN Scan
A Version Scan
UDP Scans
Scanning a Specific Port
Summary
6. Finding Vulnerabilities
From Nmap Version Scan to Potential Vulnerability
Nessus
Nessus Policies
Scanning with Nessus
A Note About Nessus Rankings
Why Use Vulnerability Scanners?
Exporting Nessus Results
Researching Vulnerabilities
The Nmap Scripting Engine
Running a Single NSE Script
Metasploit Scanner Modules
Metasploit Exploit Check Functions
Web Application Scanning
Nikto
Attacking XAMPP
Default Credentials
Manual Analysis
Exploring a Strange Port
Finding Valid Usernames
Summary
7. Capturing Traffic
Networking for Capturing Traffic
Using Wireshark
Capturing Traffic
Filtering Traffic
Following a TCP Stream
Dissecting Packets
ARP Cache Poisoning
ARP Basics
IP Forwarding
ARP Cache Poisoning with Arpspoof
Using ARP Cache Poisoning to Impersonate the Default Gateway
DNS Cache Poisoning
Getting Started
Using Dnsspoof
SSL Attacks
SSL Basics
Using Ettercap for SSL Man-in-the-Middle Attacks
SSL Stripping
Using SSLstrip
Summary
III. Attacks
8. Exploitation
Revisiting MS08-067
Metasploit Payloads
Staged Payloads
Inline Payloads
Meterpreter
Exploiting WebDAV Default Credentials
Running a Script on the Target Web Server
Uploading a Msfvenom Payload
Exploiting Open phpMyAdmin
Downloading a File with TFTP
Downloading Sensitive Files
Downloading a Configuration File
Downloading the Windows SAM
Exploiting a Buffer Overflow in Third-Party Software
Exploiting Third-Party Web Applications
Exploiting a Compromised Service
Exploiting Open NFS Shares
Summary
9. Password Attacks
Password Management
Online Password Attacks
Wordlists
User Lists
Password Lists
Guessing Usernames and Passwords with Hydra
Offline Password Attacks
Recovering Password Hashes from a Windows SAM File
Dumping Password Hashes with Physical Access
LM vs. NTLM Hashing Algorithms
The Trouble with LM Password Hashes
John the Ripper
Cracking Linux Passwords
Cracking Configuration File Passwords
Rainbow Tables
Online Password-Cracking Services
Dumping Plaintext Passwords from Memory with Windows Credential Editor
Summary
10. Client-Side Exploitation
Bypassing Filters with Metasploit Payloads
All Ports
HTTP and HTTPS Payloads
Client-Side Attacks
Browser Exploitation
Running Scripts in a Meterpreter Session
Advanced Parameters
PDF Exploits
Exploiting a PDF Vulnerability
PDF Embedded Executable
Java Exploits
Java Vulnerability
Signed Java Applet
browser_autopwn
Winamp
Summary
11. Social Engineering
The Social-Engineer Toolkit
Spear-Phishing Attacks
Choosing a Payload
Setting Options
Naming Your File
Single or Mass Email
Creating the Template
Setting the Target
Setting Up a Listener
Web Attacks
Mass Email Attacks
Multipronged Attacks
Summary
12. Bypassing Antivirus Applications
Trojans
Msfvenom
How Antivirus Applications Work
Microsoft Security Essentials
VirusTotal
Getting Past an Antivirus Program
Encoding
Custom Cross Compiling
Encrypting Executables with Hyperion
Evading Antivirus with Veil-Evasion
Python Shellcode Injection with Windows APIs
Creating Encrypted Python-Generated Executables with Veil-Evasion
Hiding in Plain Sight
Summary
13. Post Exploitation
Meterpreter
Using the upload Command
getuid
Other Meterpreter Commands
Meterpreter Scripts
Metasploit Post-Exploitation Modules
Railgun
Local Privilege Escalation
getsystem on Windows
Local Escalation Module for Windows
Bypassing UAC on Windows
Udev Privilege Escalation on Linux
Finding a Vulnerability
Finding an Exploit
Copying and Compiling the Exploit on the Target
Adding Code to the /tmp/run File
Local Information Gathering
Searching for Files
Keylogging
Gathering Credentials
net Commands
Another Way In
Checking Bash History
Lateral Movement
PSExec
Pass the Hash
SSHExec
Token Impersonation
Incognito
SMB Capture
Pivoting
Adding a Route in Metasploit
Metasploit Port Scanners
Running an Exploit through a Pivot
Socks4a and ProxyChains
Persistence
Adding a User
Metasploit Persistence
Creating a Linux cron Job
Summary
14. Web Application Testing
Using Burp Proxy
SQL Injection
Testing for SQL Injection Vulnerabilities
Exploiting SQL Injection Vulnerabilities
Using SQLMap
XPath Injection
Local File Inclusion
Remote File Inclusion
Command Execution
Cross-Site Scripting
Checking for a Reflected XSS Vulnerability
Leveraging XSS with the Browser Exploitation Framework
Cross-Site Request Forgery
Web Application Scanning with w3af
Summary
15. Wireless Attacks
Setting Up
Viewing Available Wireless Interfaces
Scan for Access Points
Monitor Mode
Capturing Packets
Open Wireless
Wired Equivalent Privacy
WEP Weaknesses
Cracking WEP Keys with Aircrack-ng
Injecting Packets
Generating IVs with the ARP Request Relay Attack
Generating an ARP Request
Cracking the Key
Challenges with WEP Cracking
Wi-Fi Protected Access
WPA2
The Enterprise Connection Process
The Personal Connection Process
The Four-Way Handshake
Cracking WPA/WPA2 Keys
Using Aircrack-ng to Crack WPA/WPA2 Keys
Wi-Fi Protected Setup
Problems with WPS
Cracking WPS with Bully
Summary
IV. Exploit Development
16. A Stack-Based Buffer Overflow in Linux
Memory Theory
Linux Buffer Overflow
A Vulnerable Program
Causing a Crash
Running GDB
Crashing the Program in GDB
Controlling EIP
Hijacking Execution
Endianness
Summary
17. A Stack-Based Buffer Overflow in Windows
Searching for a Known Vulnerability in War-FTP
Causing a Crash
Locating EIP
Generating a Cyclical Pattern to Determine Offset
Verifying Offsets
Hijacking Execution
Getting a Shell
Summary
18. Structured Exception Handler Overwrites
SEH Overwrite Exploits
Passing Control to SEH
Finding the Attack String in Memory
POP POP RET
SafeSEH
Using a Short Jump
Choosing a Payload
Summary
19. Fuzzing, Porting Exploits, and Metasploit Modules
Fuzzing Programs
Finding Bugs with Code Review
Fuzzing a Trivial FTP Server
Attempting a Crash
Porting Public Exploits to Meet Your Needs
Finding a Return Address
Replacing Shellcode
Editing the Exploit
Writing Metasploit Modules
A Similar Exploit String Module
Porting Our Exploit Code
Exploitation Mitigation Techniques
Stack Cookies
Address Space Layout Randomization
Data Execution Prevention
Mandatory Code Signing
Summary
V. Mobile Hacking
20. Using the Smartphone Pentest Framework
Mobile Attack Vectors
Text Messages
Near Field Communication
QR Codes
The Smartphone Pentest Framework
Setting Up SPF
Android Emulators
Attaching a Mobile Modem
Building the Android App
Deploying the App
Attaching the SPF Server and App
Remote Attacks
Default iPhone SSH Login
Client-Side Attacks
Client-Side Shell
USSD Remote Control
Malicious Apps
Creating Malicious SPF Agents
Backdooring Source Code
Backdooring APKs
Mobile Post Exploitation
Information Gathering
Remote Control
Pivoting Through Mobile Devices
Portscanning with Nmap
Exploiting a System on the Local Network
Privilege Escalation
Summary
A. Resources
Chapter 0: Penetration Testing Primer
Chapter 2: Using Kali Linux
Chapter 3: Programming
Chapter 4: Using the Metasploit Framework
Chapter 5: Information Gathering
Chapter 6: Finding Vulnerabilities
Chapter 7: Capturing Traffic
Chapter 8: Exploitation
Chapter 9: Password Attacks
Chapter 11: Social Engineering
Chapter 12: Bypassing Antivirus Applications
Chapter 13: Post Exploitation
Chapter 14: Web Application Testing
Chapter 15: Wireless Attacks
Chapters 16–19: Exploit Development
Chapter 20: Using the Smartphone Pentest Framework
Courses
Downloading the Software to Build Your Virtual Lab
Index
About the Author
Copyright