Security Power Tools
About the Author
Preface
Audience
Assumptions This Book Makes
Contents of This Book
Legal and Ethics
Reconnaissance
Penetration
Control
Defense
Monitoring
Discovery
Conventions Used in This Book
Using Code Examples
We'd Like to Hear from You
Safari® Books Online
Acknowledgments
I. Legal and Ethics
1. Legal and Ethics Issues
Core Issues
Be Able to Identify These Legal Topics
Computer Trespass Laws: No "Hacking" Allowed
What Does It Mean to Access or Use a Computer?
What Is Adequate Authorization to Access a Computer?
Common Law Computer Trespass
Case Study: Active Defense
Law and Ethics: Protecting Yourself from Computer Trespass Claims
Reverse Engineering
Copyright Law and Reverse Engineering
What to do to protect yourself with fair use
Reverse Engineering, Contracts, and Trade Secret Law
What to do to protect yourself
Reverse Engineering and Anti-Circumvention Rules
What to do to protect yourself when working in DMCA
Vulnerability Reporting
What to do to protect yourself when reporting vulnerabilities
What to Do from Now On
II. Reconnaissance
2. Network Scanning
How Scanners Work
TCP Scanning
UDP Scanning
Superuser Privileges
Three Network Scanners to Consider
Host Discovery
Dealing with Blocked Pings
Choosing the Right Ports
Combining Multiple Host Scan Techniques
Port Scanning
Default Port Ranges
Specifying Custom Ports
Nmap
Unicornscan
Scanrand
Specifying Targets to Scan
Different Scan Types
UDP Scan Types
TCP Scan Types
Special TCP Scan Types in Nmap
An Example of Using Multiple Scan Types
Tuning the Scan Speed
Nmap
Unicornscan
Scanrand
Application Fingerprinting
Operating System Detection
Saving Nmap Output
Resuming Nmap Scans
Avoiding Detection
Idle Scans
Decoys
Conclusion
3. Vulnerability Scanning
Nessus
License
Architecture
Tenable Security Center
Windows Configuration
Linux Configuration
Local Vulnerabilities
Network Scan
Scan Results
Policy Configuration
Plug-ins
Plug-in Code Example
Linux Command Line
Windows Command Line
Nikto
Types of Vulnerabilities
Command Line
Evasion Techniques
WebInspect
Purpose
WebInspect Scan
Policy Tuning
Settings Tuning
Report Analysis
False Positives Analysis
WebInspect Tools
Assessment Management Platform (AMP)
4. LAN Reconnaissance
Mapping the LAN
Using ettercap and arpspoof on a Switched Network
Running ettercap
Running arpspoof from the dsniff suite
Dealing with Static ARP Tables
Using macof to Stupefy a Switch
Super-Stealthy Sniffing
Getting Information from the LAN
Logging Packet Data
Filtering Incoming Packets
Fingerprinting LAN Hosts
Sniffing Plain-Text Passwords
Shadow Browsing
Manipulating Packet Data
5. Wireless Reconnaissance
Get the Right Wardriving Gear
802.11 Network Basics
802.11 Frames
How Wireless Discovery Tools Work
Netstumbler
Kismet at a Glance
Using Kismet
Sorting the Kismet Network List
Using Network Groups with Kismet
Using Kismet to Find Networks by Probe Requests
Kismet GPS Support
Using gpsd
Generating Maps
Kismet Location Tracking
Looking Closer at Traffic with Kismet
Capturing Packets and Decrypting Traffic with Kismet
Wireshark at a Glance
Enabling rfmon Mode
Linux
OpenBSD, NetBSD, and FreeBSD
Mac OS X
Windows
Using Wireshark
AirDefense Mobile
AirMagnet Analyzers
Other Wardriving Tools
Airopeek
KisMac
6. Custom Packet Generation
Why Create Custom Packets?
Custom Packet Example: Ping of Death
Hping
Getting Started with Hping2
Hping2's Limitations
Scapy
Decode, Do Not Interpret
Probe Once, Interpret Many Times
Scapy's Limitations
Working with Scapy
Creating and Manipulating Packets with Scapy
Navigating Between Layers
Scapy Tips and Shortcuts
Looking only at the custom data in a packet
Viewing computed data in a packet
Decoding the packet payload differently
Sprintf shortcut for creating custom packets
Operations on packet lists
Producing a simple diagram of packet flow
Sending and interacting with Scapy
Super-sockets
Building Custom Tools with Scapy
Studying a New Protocol
Writing Add-Ons
Examples of creating Scapy add-ons
Test Campaigns
Packet-Crafting Examples with Scapy
ARP Cache Poisoning
Tracerouting: A Step-by-Step Example
Traceroute and NAT
Firewalking
Sliced Network Scan
Fuzzing
Packet Mangling with Netfilter
Transparent Proxying
QUEUE and NFQUEUE
References
III. Penetration
7. Metasploit
Metasploit Interfaces
The Metasploit Console
The Metasploit Command-Line Interface
The Metasploit Web Interface
Updating Metasploit
Choosing an Exploit
Choosing a Payload
Metasploit Payloads
Choosing a Payload Variant
Setting Options
Hidden Options
Running an Exploit
Debugging Exploitation
Managing Sessions and Jobs
Sessions
Jobs
The Meterpreter
Some Useful Meterpreter Commands
Meterpreter Session Example
Security Device Evasion
Sample Evasion Output
Evasion Using NOPs and Encoders
NOP Generators
Payload Encoders
In Conclusion
8. Wireless Penetration
WEP and WPA Encryption
Aircrack
Installing Aircrack-ng
Windows Installation
Linux Installation
Running Aircrack-ng
Airpwn
Basic Airpwn Usage
Command-Line Options
Airpwn Configuration Files
Using Airpwn on WEP-Encrypted Networks
Scripting with Airpwn
Karma
Installing Karma
Scanning for Victims
Basic Configuration
Proxy Network Traffic
Conclusion
9. Exploitation Framework Applications
Task Overview
Other Framework Advantages
Core Impact Overview
Running Core Impact Behind a NAT
Automatic Network Penetration with Core Impact
Network Reconnaissance with Core Impact
Importing Module Information with Core Impact
Core Impact Exploit Search Engine
Running an Exploit
Bypassing Core Impact's Exploit Version Restrictions
Running Macros
The Local Side
Using the Mini-Shell
Bouncing Off an Installed Agent
Enabling an Agent to Survive a Reboot
Mass Scale Exploitation
Writing Modules for Core Impact
The Canvas Exploit Framework
The Covertness Bar
Porting Exploits Within Canvas
Using Canvas from the Command Line
Digging Deeper with Canvas
Advanced Exploitation with MOSDEF
Writing Exploits for Canvas
Exploiting Alternative Tools
10. Custom Exploitation
Understanding Vulnerabilities
Performing a Simple Exploit
Analyzing Shellcode
Disassemblers
The libopcode Disassembling Library
The libdisasm Disassembling Library
Testing Shellcode
Inclusion into a C File
A Shellcode Loader
Debugging Shellcode
Creating Shellcode
nasm
GNU Compiler Collection
Quick glance at the binary-building internals
Building shellcode from assembly language
Building shellcode in C
The SFlib Library
What SFLib looks like
Using SFLib
ShellForge
Getting started
Cross-platform generation
Loaders
Inline shellcoding
InlineEgg
Metasploit Framework's msfpayload
Disguising Shellcode
alpha2
Metasploit Framework's msfencoder
Execution Flow Hijacking
Metasploit Framework's msfelfscan and msfpescan
EEREAP
Code Injection
References
IV. Control
11. Backdoors
Choosing a Backdoor
VNC
Creating and Packaging a VNC Backdoor
Consolidating the Backdoor
Packaging VNC As a Backdoor
Connecting to and Removing the VNC Backdoor
Removing the Backdoor
Back Orifice 2000
Configuring a BO2k Server
Setting Variables
Minimum Configuration
IO plug-in
Encryption plug-in
Authentication plug-in
Control plug-ins
Configuring a BO2k Client
Adding New Servers to the BO2k Workspace
Using the BO2k Backdoor
BO2k Powertools
Server Setup
Client Setup
The BO Tools Connect To window
Using the File Browser
Using the Registry Editor
A Sneak Peek at the Backdoor's Desktop with BO Peep
BO Peep installation and configuration
The VidStream listener
The VidStream client
The Hijack listener
The Hijack client
Encryption for BO2k Communications
Concealing the BO2k Protocol
Removing BO2k
A Few Unix Backdoors
A Simple Unix Backdoor
Netcat
A Simple Netcat Backdoor
Crontab and Netcat
Lots of Options
12. Rootkits
Windows Rootkit: Hacker Defender
Configuring hxdef
Making hxdef harder to detect
Connecting to Hacker Defender's Backdoor
Install/uninstall/reconfigure hxdef
Uninstalling a process you cannot see
Linux Rootkit: Adore-ng
Installing Adore
Using Adore
Detecting Rootkits
Techniques
Signature Scanner
Inspecting Dangerous Calls
Differentiating Call Results
Looking for Hooks
System Integrity
Windows Rootkit Detectors
Rootkit Revealer
IceSword
Functionalities of IceSword
Finding a rootkit and killing it
Removing the rootkit with IceSword
Linux Rootkit Detectors
Kstat
Interface lookup
Listing processes
Investigating individual processes
Examining the syscall table
Zeppoo
Chkrootkit
Detecting new rootkits
Using safe binaries
In the cron
Cleaning an Infected System
The Future of Rootkits
V. Defense
13. Proactive Defense: Firewalls
Firewall Basics
Router/Network Address Translation Router
Endpoint/Host
Transparent/Bridge Firewall
The Tools
Securing Concepts
Allowing limited inbound connections
Tightening inbound connections by host
Further Investigation
Network Address Translation
Setting Up a Basic NAT Gateway
NAT with Inbound Service Mapping
Securing BSD Systems with ipfw/natd
Initial Setup
Inbound Connection Blocking with BSD ipfw/natd
Allowing Inbound Connections with BSD ipfw2/natd
Filtering Connections with BSD ipfw2/natd
BSD ipfw2/natd NAT Gateway
Inbound Service Mapping with BSD ipfw2/natd
Securing GNU/Linux Systems with netfilter/iptables
Initial Setup
Inbound Connection Blocking with Netfilter
Filtering Connections with Netfilter
Allowing Inbound Connections with Netfilter
Netfilter NAT Gateway
Inbound Service Mapping with Netfilter
Internet-in-a-Box: All Traffic to One Destination Using Netfilter
Securing Windows Systems with Windows Firewall/Internet Connection Sharing
Initial Setup
Inbound Connection Blocking with Windows FW/ICS
Allowing Inbound Connections with Windows FW/ICS
Filtering Connections with Windows FW/ICS
A Windows FW/ICS NAT Gateway
Inbound Service Mapping with Windows FW/ICS
Verifying Your Coverage
14. Host Hardening
Controlling Services
Turning Off What You Do Not Need
Limiting Access
sudo
sudowin
Issues with sudowin
Limiting Damage
Mounting Volumes As noexec
Controlling the Linux Kernel Through /proc/sys
/proc/sys/kernel/cap-bound
/proc/sys/net
/proc/sys/kernel/modprobe
Bastille Linux
SELinux
Enabling SELinux
Transparent Usage of SELinux
Tweaking SELinux's Policy
Local SELinux Policy Generation
Underlying SELinux Principle of Operations
Password Cracking
John the Ripper
Rainbow Cracking
Chrooting
Sandboxing with OS Virtualization
Cooperative Linux
KVM
OpenVZ: OS-Level Virtualization
Parallels
QEMU
UserMode Linux: Paravirtualization
VMWare
Xen: Paravirtualization
Virtualization Summary
15. Securing Communications
The SSH-2 Protocol
The Transport Layer
The User Authentication Layer
The Connection Layer
SSH Configuration
Server Configuration
User Access Restriction
SSH Client Connection
Tune the Client's Configuration
SSH Authentication
SSH Shortcomings
SSH Man-in-the-Middle Attacks
Host Public Key Distribution with DNSSEC
User's Public Key Distribution
User's Key Operation Restrictions
SSH Troubleshooting
The Client Is Logged Out Just After Logging In
File Permissions
Restrictions to Users or Groups
Remote File Access with SSH
File Copy
FTP Through SSH
File Synchronization
Remote Filesystem
Source Code Transfer
SSH Advanced Use
Agent Forwarding
X and Port Forwarding
Escape Sequences
Perpetual Tunneling with autossh
Storing Your SSH Private Key on a USB Drive
Using SSH Under Windows
Cygwin
PuTTY
WinSCP
SecureCRT
File and Email Signing and Encryption
GPG
Theory of Operations
How to Obtain Public Keys
Web of Trust
In Practice
Create Your GPG Keys
Adding Subkeys
Different Keys for Different Addresses
Modify Your Web of Trust Model
Import of Public Keys
Revoke a Key
Encryption and Signature with GPG
File Signature
Email Encryption and Signature
PGP Versus GPG Compatibility
Encryption and Signature with S/MIME
X.509 Certificate
S/MIME Certificate Authority
S/MIME Versus GPG/PGP
Stunnel
SSL Versus TLS
Create an X.509 Certificate
Client Encryption
Server Encryption
Client and Server Encryption
Transparent Proxy
Disk Encryption
Windows Filesystem Encryption with PGP Disk
Linux Filesystem Encryption with LUKS
Comparing dm-crypt to cryptoloop and loop-AES
Conclusion
16. Email Security and Anti-Spam
Norton Antivirus
Installation Test Configuration Tuning
Failed tests
Updates
The ClamAV Project
ClamWin
Configuration
Freshclam
How to Run Freshclam
Examples of Commands for Freshclam
Clamscan
clamd and clamdscan
On-Access Scanning
Clamd As a Network Server
Clamd Commands
Test clamscan and clamdscan/clamd
clamscan or clamdscan?
ClamAV Virus Signatures
MD5 Signatures
Hexadecimal Signatures
Advanced Hexadecimal Signatures
HTML Signatures
Procmail
Mail Delivery Chain
Basic Procmail Rules
Examples
Advanced Procmail Rules
Scoring
ClamAV with Procmail
Unsolicited Email
Spam Filtering with Bayesian Filters
Spamprobe
Automate the Learning Phase
Maintenance
SpamProbe with Procmail
Inconvenient
SpamAssassin
Configuration Files
SpamAssassin Variables
Administrator Settings
SpamAssassin Rules
Meta Tests
Score
Whitelist and Blacklist
Language
Bayesian Filter
Plug-ins for SpamAssassin
Collaborative Plug-ins
SpamAssassin Network Tests
SpamAssassin with Procmail
SpamAssassin As a Daemon or Server
ClamAV, SpamProbe, and SpamAssassin with Procmail
Anti-Phishing Tools
Email Filtering
Toolbar for Web Browsers
Conclusion
17. Device Security Testing
Replay Traffic with Tcpreplay
What and How to Test
tcpreplay
Rewrite Packets with Tcpreplay
MAC address
IP address
TCP/UDP port
Tcpreplay with Two Interfaces
flowreplay
Tomahawk
Traffic IQ Pro
Setup
Replay Traffic Files
Attack Files
Standard Traffic Files
Scan
Import Custom Packet Captures
Packet Editing
Conclusion
ISIC Suite
Network Setup
esic
isic, icmpsic, tcpsic, udpsic, and multisic
Automation
Protos
VI. Monitoring
18. Network Capture
tcpdump
Basics
Berkeley Packet Filter (BPF)
Writing Packets to Disk
Advanced BPF Filtering
Advanced Dump Display
Using tcpdump to Extract Packets
Ethereal/Wireshark
Basics
Starting a Capture
Capture Display Options
Name Resolution
Loading a Previously Created Capture
Viewing a Capture
Basic Wireshark Display Filters
Advanced Wireshark Display Filters
Saving Select Packets to Disk
Packet Colorization
Overriding Default Protocol Decoders
TShark Techniques
Wireshark Statistics
Setting Useful Defaults
pcap Utilities: tcpflow and Netdude
tcpflow
Basics
Netdude
Basics
Cleaning up a botched pcap file
Editing packet payloads
Python/Scapy Script Fixes Checksums
Basics
Conclusion
19. Network Monitoring
Snort
Different Snort Modes
Writing Signatures for Snort
Passive Network Mapping
Stealth Ethernet
Disabling a Rule
Changing the Default Port of a Service
Snort Preprocessor
Excluding Authorized Scans
Log Analysis
Updating Rules
Blocking Port Scan
From a NIDS to an ILDS
Protocols that should be monitored
Limitations of Snort as an ILDS
Monitoring Network Usage
Implementing Snort
NIDS
User Monitoring
ILDS
Honeypot Monitoring
The Value of a Honeypot
Using Honeyd to Emulate a Server
Using Honeyd to Emulate a Network
Using Honeyd As a Tar Pit
Implementing Honeyd
Writing New Scripts with Honeyd
Jail
HoneyView and Log Management
Gluing the Stuff Together
20. Host Monitoring
Using File Integrity Checkers
File Integrity Hashing
The Do-It-Yourself Way with rpmverify
Comparing File Integrity Checkers
Afick
Aide
Integrit
Remote Filesystem Checker (RFC)
Samhain/Beltane
Open Source Tripwire
Prepping the Environment for Samhain and Tripwire
Samhain
Tripwire
Database Initialization with Samhain and Tripwire
Samhain
Tripwire
Securing the Baseline Storage with Samhain and Tripwire
Samhain
Tripwire
Running Filesystem Checks with Samhain and Tripwire
Samhain
Tripwire
Managing File Changes and Updating Storage Database with Samhain and Tripwire
Samhain
Tripwire
Recognizing Malicious Activity with Samhain and Tripwire
Tripwire
Samhain
Log Monitoring with Logwatch
Improving Logwatch's Filters
Host Monitoring in Large Environments with Prelude-IDS
Log Correlation
Conclusion
VII. Discovery
21. Forensics
Netstat
Finding a Linux Backdoor with Netstat
Finding a Windows Backdoor with Netstat
The Forensic ToolKit
Hfind.exe: Discover Hidden Files
Sfind.exe: Discover Files Hidden in Alternate Data Streams
FileStat.exe: Very Detailed Data on a Specific File
The Security Descriptor
File streams
Timestamps
Working with Alternate Data Streams
Sysinternals
Autoruns: What Runs Without Your Help?
Trimming down the list
RootkitRevealer: Rooting Out Rootkits
RootkitRevealer from the console
Streams: Find and Delete Data Hidden in Streams the Sysinternals Way
TCPView: A Graphical Netstat
Process Explorer: Powerful Process Management
Replacing the Task Manager with Process Explorer
Run as...
Now What?
22. Application Fuzzing
Which Fuzzer to Use
Different Types of Fuzzers for Different Tasks
Block-Based Fuzzers
Riot
Flipper
Inline Fault Injection
Setting Up a Network Fuzzer Test Bed
The client
The fuzzer
The server/target
Gathering Information of the Target's Side
Writing a Fuzzer with Spike
The Spike API
Reversing a Protocol with Spike
File-Fuzzing Apps
PaiMei
FileFuzz
Fuzzing Web Applications
Configuring WebProxy
Automatic Fuzzing with WebInspect
Next-Generation Fuzzing
Fuzzing or Not Fuzzing
23. Binary Reverse Engineering
Interactive Disassembler
Opening the Binary
Special cases
Searching in IDA
Searching for text strings
Searching for immediate values
Defining Data Types
Structures and unions
An example
Enumerations
Annotating the Code
Setting comments
Marking positions
An example
Code Navigation
Tracking the Flow of Execution
Cross-reference
Flow charts
Tracking function calls
Using Subview Windows
Functions window
Strings window
Names window
Imports and exports windows
Debugging with IDA
Initial configuration
Setting breakpoints and watchpoints
Stepping through the program
Examining data
Tracing
Taking a memory snapshot
Remote debugging
Configuring the client
Configuring the remote host
Finding the Bugs
Making Scripts with IDC
IDC Hello World
Functions and variables
Expressions and statements
Interacting with the IDA database
Adding graphical interfaces
Faking global variables with arrays
Making hotkeys
Automating large tasks
Using IDA Plug-ins
Sysinternals
RegMon
FileMon
Setting Filters
OllyDbg
The Basics
Setting breakpoints and watchpoints
Stepping through the program
Animated stepping
Examining data
Navigating Through the Disassembly
Using bookmarks
Editing Data
Copying and pasting binary sections
The patches window
Undoing edits
Saving your changes
Using OllyDbg with the FreeCiv Case Study
Finding the location of interest
Making our changes
Running the hack
Other Tools
SoftICE
HT
Index
About the Authors
Colophon