Ethical Hacking and Penetration Testing Guide. CRC Press

RAFAY BALOCH


e-books shop
e-books shop
Purchase Now !
Just with Paypal



Book Details
 Price
 3.50 USD
 Pages
 523 p
 File Size
 22,976 KB
 File Type
 PDF format
 ISBN
 978-1-4822-3162-5 (eBook - PDF) 
 Copyright   
 2015 by Taylor & Francis Group, LLC 

About the Author
Rafay Baloch is the founder/CEO of RHA InfoSec. He runs one of the top security blogs in
Pakistan with more than 25,000 subscribers (http://rafayhackingarticles.net). He has participated
in various bug bounty programs and has helped several major Internet corporations such
as Google, Facebook, Twitter, Yahoo!, eBay, etc., to improve their Internet security. Rafay was
successful in finding a remote code execution vulnerability along with several other high-risk
vulnerabilities inside PayPal, for which he was awarded a huge sum of money as well as an offer
to work for PayPal. His major areas of research interest are in network security, bypassing modern
security defenses such as WAFs, DOM-based XSS, and other HTML 5–based attack vectors.
Rafay holds CPTE, CPTC, CSWAE, CVA, CSS, OSCP, CCNA R & S, CCNP Route, and
eWAPT certifications.

Acknowledgments
I am eternally indebted to the editor, Rich O’Hanley, for his encouragement and continuous support
and my dear friend Prakhar Prasad for his help at various stages of this book.
I also thank Mohammed Ramadan for his help and support and Soroush Dallili for his ideas
with file upload tricks. Many thanks to my friends Alex Infuhr and Giuseppe Trotta for their
help with various sections of the “Web Hacking” chapter, Shahmeer Amir for his help with the
“Wireless Hacking” chapter, and Tehseen Javed for his help with the “Linux Basics” chapter.
I also thank my mentors Prof. Asim Rizvi, David Vieira-Kurz, Ziaullah Mirza and last but not
least, I thank the following keypersons: Mario Heiderich, Deepankar Arora, Nir Goldshlager, Britto
Fleming Joe, Nishant Das Patnaik, Pepe Vila, Ray friedman, Armando Romeo, Tyler Borland,
Zeeshan Haider, Nehal hussain, Rafael Souza, and Fatima Hanif.
I also thank my family members and relatives for always being supportive.

Table of Contents
Preface.............................................................................................................................. xxiii
Acknowledgments..............................................................................................................xxv
Author..............................................................................................................................xxvii
1 Introduction to Hacking
Important Terminologies.................................................................................................... 2
Asset.......................................................................................................................... 2
Vulnerability.............................................................................................................. 3
Threat........................................................................................................................ 3
Exploit....................................................................................................................... 3
Risk........................................................................................................................... 3
What Is a Penetration Test?....................................................................................... 3
Vulnerability Assessments versus Penetration Test..................................................... 3
Preengagement.......................................................................................................... 3
Rules of Engagement................................................................................................. 4
Milestones................................................................................................................. 4
Penetration Testing Methodologies............................................................................ 5
OSSTMM................................................................................................................. 5
NIST......................................................................................................................... 6
OWASP..................................................................................................................... 7
Categories of Penetration Test............................................................................................. 7
Black Box.................................................................................................................. 7
White Box................................................................................................................. 7
Gray Box................................................................................................................... 7
Types of Penetration Tests......................................................................................... 7
Network Penetration Test................................................................................. 8
Web Application Penetration Test.................................................................... 8
Mobile Application Penetration Test................................................................ 8
Social Engineering Penetration Test................................................................. 8
Physical Penetration Test.................................................................................. 8
Report Writing.......................................................................................................... 8
Understanding the Audience..................................................................................... 9
Executive Class................................................................................................. 9
Management Class........................................................................................... 9
Technical Class................................................................................................. 9
Writing Reports.................................................................................................................10
Structure of a Penetration Testing Report..........................................................................10
Cover Page................................................................................................................10
Table of Contents.....................................................................................................10
Executive Summary..................................................................................................11
Remediation Report................................................................................................ 12
Vulnerability Assessment Summary.................................................................................. 12
Tabular Summary.....................................................................................................13
Risk Assessment.................................................................................................................14
Risk Assessment Matrix............................................................................................14
Methodology.....................................................................................................................14
Detailed Findings.....................................................................................................15
Description......................................................................................................15
Explanation.....................................................................................................16
Risk.................................................................................................................16
Recommendation............................................................................................16
Reports.....................................................................................................................17
Conclusion.........................................................................................................................17
2 Linux Basics
Major Linux Operating Systems........................................................................................19
File Structure inside of Linux............................................................................................ 20
File Permission in Linux.......................................................................................... 22
Group Permission........................................................................................... 22
Linux Advance/Special Permission................................................................. 22
Link Permission.............................................................................................. 23
Suid & Guid Permission................................................................................. 23
Stickybit Permission....................................................................................... 23
Chatter Permission......................................................................................... 24
Most Common and Important Commands............................................................. 24
Linux Scheduler (Cron Job)...............................................................................................25
Cron Permission...................................................................................................... 26
Cron Permission............................................................................................. 26
Cron Files....................................................................................................... 26
Users inside of Linux........................................................................................................ 28
Linux Services......................................................................................................... 29
Linux Password Storage........................................................................................... 29
Linux Logging......................................................................................................... 30
Common Applications of Linux....................................................................................... 30
What Is BackTrack?.......................................................................................................... 30
How to Get BackTrack 5 Running...........................................................................31
Installing BackTrack on Virtual Box........................................................................31
Installing BackTrack on a Portable USB...................................................................35
Installing BackTrack on Your Hard Drive............................................................... 39
BackTrack Basics..................................................................................................... 43
Changing the Default Screen Resolution.......................................................................... 43
Some Unforgettable Basics....................................................................................... 44
Changing the Password.................................................................................. 44
Clearing the Screen........................................................................................ 44
Listing the Contents of a Directory................................................................ 44
Displaying Contents of a Specific Directory................................................... 44
Displaying the Contents of a File.....................................................................45
Creating a Directory........................................................................................45
Changing the Directories................................................................................45
Windows.........................................................................................................45
Linux...............................................................................................................45
Creating a Text File.........................................................................................45
Copying a File.................................................................................................45
Current Working Directory.............................................................................45
Renaming a File..............................................................................................45
Moving a File................................................................................................. 46
Removing a File.............................................................................................. 46
Locating Certain Files inside BackTrack.................................................................. 46
Text Editors inside BackTrack........................................................................................... 46
Getting to Know Your Network........................................................................................47
Dhclient....................................................................................................................47
Services............................................................................................................................. 48
MySQL.................................................................................................................... 48
SSHD...................................................................................................................... 48
Postgresql................................................................................................................. 50
Other Online Resources....................................................................................................51
3 Information Gathering Techniques
Active Information Gathering............................................................................................53
Passive Information Gathering...........................................................................................53
Sources of Information Gathering.................................................................................... 54
Copying Websites Locally................................................................................................. 54
Information Gathering with Whois..........................................................................55
Finding Other Websites Hosted on the Same Server............................................... 56
Yougetsignal.com.............................................................................................................. 56
Tracing the Location................................................................................................57
Traceroute.................................................................................................................57
ICMP Traceroute..................................................................................................... 58
TCP Traceroute....................................................................................................... 58
Usage.............................................................................................................. 58
UDP Traceroute...................................................................................................... 58
Usage.............................................................................................................. 58
NeoTrace...........................................................................................................................59
Cheops-ng.........................................................................................................................59
Enumerating and Fingerprinting the Webservers..................................................... 60
Intercepting a Response.................................................................................................... 60
Acunetix Vulnerability Scanner............................................................................... 62
WhatWeb......................................................................................................................... 62
Netcraft............................................................................................................................ 63
Google Hacking...................................................................................................... 63
Some Basic Parameters...................................................................................................... 64
Site........................................................................................................................... 64
Example............................................................................................................................ 64
TIP regarding Filetype......................................................................................................65
Google Hacking Database....................................................................................... 66
Hackersforcharity.org/ghdb...............................................................................................67
Xcode Exploit Scanner.......................................................................................................67
File Analysis............................................................................................................. 68
Foca......................................................................................................................... 68
Harvesting E-Mail Lists.......................................................................................... 69
Gathering Wordlist from a Target Website.............................................................. 71
Scanning for Subdomains........................................................................................ 71
TheHarvester........................................................................................................... 72
Fierce in BackTrack................................................................................................. 72
Scanning for SSL Version.........................................................................................74
DNS Enumeration................................................................................................... 75
Interacting with DNS Servers........................................................................................... 75
Nslookup...........................................................................................................................76
DIG...................................................................................................................................76
Forward DNS Lookup............................................................................................. 77
Forward DNS Lookup with Fierce.................................................................................... 77
Reverse DNS........................................................................................................... 78
Reverse DNS Lookup with Dig............................................................................... 78
Reverse DNS Lookup with Fierce..................................................................................... 78
Zone Transfers......................................................................................................... 79
Zone Transfer with Host Command................................................................................ 79
Automating Zone Transfers.............................................................................................. 80
DNS Cache Snooping.............................................................................................. 80
What Is DNS Cache Snooping?.........................................................................................81
Nonrecursive Method...............................................................................................81
Recursive Method.................................................................................................... 82
What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?........ 83
Attack Scenario................................................................................................................. 84
Automating DNS Cache Snooping Attacks...................................................................... 84
Sniffing SNMP Passwords................................................................................................ 84
OneSixtyOne.....................................................................................................................85
Snmpenum........................................................................................................................85
SolarWinds Toolset............................................................................................................85
SNMP Sweep.................................................................................................................... 86
SNMP Brute Force and Dictionary.................................................................................. 86
SNMP Brute Force Tool................................................................................................... 86
SNMP Dictionary Attack Tool......................................................................................... 87
SMTP Enumeration......................................................................................................... 87
Detecting Load Balancers........................................................................................ 88
Load Balancer Detector........................................................................................... 89
Determining Real IP behind Load Balancers.......................................................... 89
Bypassing CloudFlare Protection............................................................................. 90
Method 1: Resolvers....................................................................................... 90
Method 2: Subdomain Trick.......................................................................... 92
Method 3: Mail Servers.................................................................................. 92
Intelligence Gathering Using Shodan............................................................................... 93
Further Reading............................................................................................................... 95
Conclusion........................................................................................................................ 95
4 Target Enumeration and Port Scanning Techniques
Host Discovery................................................................................................................. 97
Scanning for Open Ports and Services............................................................................ 100
Types of Port Scanning................................................................................................... 100
Understanding the TCP Three-Way Handshake..............................................................101
TCP Flags........................................................................................................................101
Port Status Types.............................................................................................................102
TCP SYN Scan................................................................................................................102
TCP Connect Scan..........................................................................................................103
NULL, FIN, and XMAS Scans.......................................................................................104
NULL Scan.....................................................................................................................104
FIN Scan.........................................................................................................................105
XMAS Scan.....................................................................................................................105
TCP ACK Scan...............................................................................................................105
Responses........................................................................................................................106
UDP Port Scan................................................................................................................106
Anonymous Scan Types...................................................................................................107
IDLE Scan.......................................................................................................................107
Scanning for a Vulnerable Host.......................................................................................107
Performing an IDLE Scan with NMAP..........................................................................109
TCP FTP Bounce Scan...................................................................................................109
Service Version Detection................................................................................................110
OS Fingerprinting........................................................................................................... 111
POF................................................................................................................................. 111
Output.............................................................................................................................112
Normal Format.......................................................................................................112
Grepable Format.....................................................................................................112
XML Format..........................................................................................................113
Advanced Firewall/IDS Evading Techniques...................................................................113
Timing Technique...........................................................................................................114
Wireshark Output...........................................................................................................114
Fragmented Packets......................................................................................................... 115
Wireshark Output........................................................................................................... 115
Source Port Scan.............................................................................................................. 115
Specifying an MTU.........................................................................................................116
Sending Bad Checksums.................................................................................................116
Decoys.............................................................................................................................117
ZENMAP.......................................................................................................................117
Further Reading..............................................................................................................119
5 Vulnerability Assessment
What Are Vulnerability Scanners and How Do They Work?...........................................121
Pros and Cons of a Vulnerability Scanner....................................................................... 122
Vulnerability Assessment with Nmap............................................................................. 122
Updating the Database................................................................................................... 122
Scanning MS08 _ 067 _ netapi................................................................................ 123
Testing SCADA Environments with Nmap.................................................................... 123
Installation............................................................................................................ 124
Usage..................................................................................................................... 124
Nessus Vulnerability Scanner.......................................................................................... 124
Home Feed.............................................................................................................125
Professional Feed....................................................................................................125
Installing Nessus on BackTrack.......................................................................................125
Adding a User..................................................................................................................125
Nessus Control Panel............................................................................................. 126
Reports......................................................................................................... 126
Mobile.......................................................................................................... 126
Scan ............................................................................................................. 127
Policies.......................................................................................................... 127
Users............................................................................................................. 127
Configuration............................................................................................... 127
Default Policies...................................................................................................... 127
Creating a New Policy.................................................................................................... 128
Safe Checks.................................................................................................................... 128
Silent Dependencies........................................................................................................ 128
Avoid Sequential Scans.......................................................................................... 128
Port Range.......................................................................................................................129
Credentials.............................................................................................................129
Plug-Ins..................................................................................................................129
Preferences...................................................................................................................... 130
Scanning the Target............................................................................................... 130
Nessus Integration with Metasploit..................................................................................132
Importing Nessus to Metasploit.......................................................................................132
Scanning the Target................................................................................................133
Reporting...............................................................................................................133
OpenVas.................................................................................................................133
Resource......................................................................................................................... 134
Vulnerability Data Resources................................................................................. 134
Exploit Databases...................................................................................................135
Using Exploit-db with BackTrack................................................................................... 136
Searching for Exploits inside BackTrack..........................................................................137
Conclusion.......................................................................................................................138
6 Network Sniffing
Introduction....................................................................................................................139
Types of Sniffing..............................................................................................................140
Active Sniffing........................................................................................................140
Passive Sniffing.......................................................................................................140
Hubs versus Switches.......................................................................................................140
Promiscuous versus Nonpromiscuous Mode....................................................................141
MITM Attacks................................................................................................................141
ARP Protocol Basics........................................................................................................142
How ARP Works.............................................................................................................142
ARP Attacks....................................................................................................................143
MAC Flooding.......................................................................................................143
Macof............................................................................................................143
ARP Poisoning.......................................................................................................144
Scenario—How It Works................................................................................................144
Denial of Service Attacks.................................................................................................144
Tools of the Trade............................................................................................................145
Dsniff.....................................................................................................................145
Using ARP Spoof to Perform MITM Attacks.................................................................145
Usage......................................................................................................................146
Sniffing the Traffic with Dsniff........................................................................................147
Sniffing Pictures with Drifnet..........................................................................................147
Urlsnarf and Webspy.......................................................................................................148
Sniffing with Wireshark...................................................................................................149
Ettercap...........................................................................................................................150
ARP Poisoning with Ettercap..........................................................................................150
Hijacking Session with MITM Attack.............................................................................152
Attack Scenario................................................................................................................152
ARP Poisoning with Cain and Abel.................................................................................153
Sniffing Session Cookies with Wireshark.........................................................................155
Hijacking the Session.......................................................................................................156
SSL Strip: Stripping HTTPS Traffic................................................................................157
Requirements...................................................................................................................157
Usage......................................................................................................................158
Automating Man in the Middle Attacks..........................................................................158
Usage......................................................................................................................158
DNS Spoofing.................................................................................................................159
ARP Spoofing Attack.............................................................................................159
Manipulating the DNS Records.............................................................................160
Using Ettercap to Launch DNS Spoofing Attack....................................................160
DHCP Spoofing..............................................................................................................160
Conclusion.......................................................................................................................161
7 Remote Exploitation
Understanding Network Protocols...................................................................................163
Transmission Control Protocol...............................................................................164
User Datagram Protocol.........................................................................................164
Internet Control Messaging Protocol......................................................................164
Server Protocols...............................................................................................................164
Text-Based Protocols (Important)...........................................................................164
Binary Protocols.....................................................................................................164
FTP...............................................................................................................165
SMTP............................................................................................................165
HTTP...........................................................................................................165
Further Reading..............................................................................................................165
Resources.........................................................................................................................166
Attacking Network Remote Services................................................................................166
Overview of Brute Force Attacks............................................................................166
Traditional Brute Force.................................................................................166
Dictionary Attacks........................................................................................166
Hybrid Attacks..............................................................................................167
Common Target Protocols...............................................................................................167
Tools of the Trade............................................................................................................167
THC Hydra............................................................................................................167
Basic Syntax for Hydra....................................................................................................168
Cracking Services with Hydra................................................................................168
Hydra GUI......................................................................................................................170
Medusa...................................................................................................................170
Basic Syntax.....................................................................................................................170
OpenSSH Username Discovery Bug................................................................................170
Cracking SSH with Medusa............................................................................................171
Ncrack....................................................................................................................171
Basic Syntax.....................................................................................................................171
Cracking an RDP with Ncrack........................................................................................172
Case Study of a Morto Worm.................................................................................172
Combining Nmap and Ncrack for Optimal Results........................................................172
Attacking SMTP....................................................................................................173
Important Commands.....................................................................................................174
Real-Life Example...........................................................................................................174
Attacking SQL Servers.....................................................................................................175
MySQL Servers.......................................................................................................175
Fingerprinting MySQL Version.......................................................................................175
Testing for Weak Authentication.....................................................................................175
MS SQL Servers..............................................................................................................176
Fingerprinting the Version...............................................................................................177
Brute Forcing SA Account...............................................................................................177
Using Null Passwords......................................................................................................178
Introduction to Metasploit...............................................................................................178
History of Metasploit.......................................................................................................178
Metasploit Interfaces........................................................................................................178
MSFConsole....................................................................................................................178
MSFcli....................................................................................................................179
MSFGUI................................................................................................................179
Armitage.................................................................................................................179
Metasploit Utilities..........................................................................................................179
MSFPayload.....................................................................................................................179
MSFEncode.....................................................................................................................179
MSFVenom.....................................................................................................................179
Metasploit Basic Commands...........................................................................................180
Search Feature in Metasploit............................................................................................180
Use Command.................................................................................................................181
Info Command................................................................................................................181
Show Options..................................................................................................................181
Set/Unset Command.......................................................................................................182
Reconnaissance with Metasploit......................................................................................182
Port Scanning with Metasploit........................................................................................182
Metasploit Databases.......................................................................................................182
Storing Information from Nmap into Metasploit Database.............................................183
Useful Scans with Metasploit...........................................................................................184
Port Scanners..........................................................................................................184
Specific Scanners....................................................................................................184
Compromising a Windows Host with Metasploit............................................................184
Metasploit Autopwn........................................................................................................188
db _ autopwn in Action..............................................................................................188
Nessus and Autopwn.......................................................................................................189
Armitage.................................................................................................................189
Interface...........................................................................................................................190
Launching Armitage........................................................................................................190
Compromising Your First Target from Armitage.............................................................191
Enumerating and Fingerprinting the Target....................................................................191
MSF Scans.......................................................................................................................192
Importing Hosts..............................................................................................................192
Vulnerability Assessment.................................................................................................193
Exploitation.....................................................................................................................193
Check Feature..................................................................................................................195
Hail Mary........................................................................................................................196
Conclusion.......................................................................................................................196
References........................................................................................................................196
8 Client Side Exploitation
Client Side Exploitation Methods....................................................................................197
Attack Scenario 1: E-Mails Leading to Malicious Attachments..............................197
Attack Scenario 2: E-Mails Leading to Malicious Links.........................................197
Attack Scenario 3: Compromising Client Side Update...........................................198
Attack Scenario 4: Malware Loaded on USB Sticks................................................198
E-Mails with Malicious Attachments.....................................................................198
Creating a Custom Executable.......................................................................198
Creating a Backdoor with SET......................................................................198
PDF Hacking................................................................................................201
Introduction....................................................................................................................201
Header................................................................................................................... 202
Body...................................................................................................................... 202
Cross Reference Table............................................................................................ 202
Trailer.................................................................................................................... 202
PDF Launch Action........................................................................................................ 202
Creating a PDF Document with a Launch Action.......................................................... 203
Controlling the Dialog Boxes................................................................................ 205
PDF Reconnaissance............................................................................................. 205
Tools of the Trade........................................................................................................... 205
PDFINFO............................................................................................................. 205
PDFINFO “Your PDF Document”.............................................................. 206
PDFTK................................................................................................................. 206
Origami Framework....................................................................................................... 207
Installing Origami Framework on BackTrack................................................................. 207
Attacking with PDF........................................................................................................ 208
Fileformat Exploits................................................................................................ 208
Browser Exploits.................................................................................................... 208
Scenario from Real World............................................................................................... 209
Adobe PDF Embedded EXE............................................................................................210
Social Engineering Toolkit...............................................................................................211
Attack Scenario 2: E-Mails Leading to Malicious Links.........................................213
Credential Harvester Attack............................................................................................214
Tabnabbing Attack..........................................................................................................215
Other Attack Vectors.......................................................................................................216
Browser Exploitation........................................................................................................217
Attacking over the Internet with SET..............................................................................217
Attack Scenario over the Internet.....................................................................................217
Using Windows Box as Router (Port Forwarding).......................................................... 220
Browser AutoPWN................................................................................................ 220
Why Use Browser AutoPWN?.........................................................................................221
Problem with Browser AutoPWN....................................................................................221
VPS/Dedicated Server.................................................................................................... 223
Attack Scenario 3: Compromising Client Side Update.......................................... 223
How Evilgrade Works..................................................................................................... 223
Prerequisites.................................................................................................................... 223
Attack Vectors....................................................................................................... 223
Internal Network Attack Vectors........................................................................... 223
External Network Attack Vectors.......................................................................... 224
Evilgrade Console.................................................................................................. 224
Attack Scenario..................................................................................................... 224
Attack Scenario 4: Malware Loaded on USB Sticks............................................... 227
Teensy USB.................................................................................................................... 229
Conclusion...................................................................................................................... 229
Further Reading............................................................................................................. 229
9 Postexploitation
Acquiring Situation Awareness........................................................................................231
Enumerating a Windows Machine.........................................................................231
Enumerating Local Groups and Users....................................................................233
Enumerating a Linux Machine...............................................................................233
Enumerating with Meterpreter...............................................................................235
Identifying Processes.....................................................................................235
Interacting with the System...........................................................................235
User Interface Command..............................................................................235
Privilege Escalation......................................................................................................... 236
Maintaining Stability............................................................................................ 236
Escalating Privileges....................................................................................................... 237
Bypassing User Access Control.............................................................................. 238
Impersonating the Token....................................................................................... 239
Escalating Privileges on a Linux Machine...............................................................241
Maintaining Access.........................................................................................................241
Installing a Backdoor.......................................................................................................241
Cracking the Hashes to Gain Access to Other Services...................................................241
Backdoors........................................................................................................................241
Disabling the Firewall............................................................................................ 242
Killing the Antivirus.............................................................................................. 242
Netcat.................................................................................................................... 243
MSFPayload/MSFEncode............................................................................................... 244
Generating a Backdoor with MSFPayload............................................................. 244
MSFEncode............................................................................................................245
MSFVenom.................................................................................................................... 246
Persistence..............................................................................................................247
What Is a Hash?.....................................................................................................249
Hashing Algorithms...............................................................................................249
Windows Hashing Methods...................................................................................250
LAN Manager (LM)..............................................................................................250
NTLM/NTLM2....................................................................................................250
Kerberos.................................................................................................................250
Where Are LM/NTLM Hashes Located?...............................................................250
Dumping the Hashes.......................................................................................................251
Scenario 1—Remote Access....................................................................................251
Scenario 2—Local Access.......................................................................................251
Ophcrack................................................................................................................252
References........................................................................................................................253
Scenario 3—Offline System...................................................................................253
Ophcrack LiveCD..................................................................................................253
Bypassing the Log-In..............................................................................................253
References........................................................................................................................253
Cracking the Hashes........................................................................................................253
Bruteforce...............................................................................................................253
Dictionary Attacks................................................................................................ 254
Password Salts........................................................................................................ 254
Rainbow Tables..................................................................................................... 254
John the Ripper...............................................................................................................255
Cracking LM/NTLM Passwords with JTR............................................................255
Cracking Linux Passwords with JTR......................................................................256
Rainbow Crack................................................................................................................256
Sorting the Tables...................................................................................................257
Cracking the Hashes with rcrack............................................................................258
Speeding Up the Cracking Process.........................................................................258
Gaining Access to Remote Services........................................................................258
Enabling the Remote Desktop................................................................................259
Adding Users to the Remote Desktop.....................................................................259
Data Mining....................................................................................................................259
Gathering OS Information.................................................................................... 260
Harvesting Stored Credentials................................................................................261
Identifying and Exploiting Further Targets.................................................................... 262
Mapping the Internal Network.............................................................................. 263
Finding Network Information............................................................................... 264
Identifying Further Targets....................................................................................265
Pivoting................................................................................................................. 266
Scanning Ports and Services and Detecting OS......................................................267
Compromising Other Hosts on the Network Having the Same Password............. 268
psexec............................................................................................................................. 269
Exploiting Targets...................................................................................................270
Conclusion.......................................................................................................................270
10 Windows Exploit Development Basics
Prerequisites.....................................................................................................................271
What Is a Buffer Overflow?.............................................................................................271
Vulnerable Application................................................................................................... 272
How to Find Buffer Overflows........................................................................................ 273
Methodology.................................................................................................................. 273
Getting the Software Up and Running........................................................................... 273
Causing the Application to Crash................................................................................... 273
Skeleton Exploit...............................................................................................................275
Determining the Offset......................................................................................... 278
Identifying Bad Characters.................................................................................... 280
Figuring Out Bad Characters with Mona........................................................................281
Overwriting the Return Address............................................................................ 283
NOP Sledges......................................................................................................... 285
Generating the ShellCode...................................................................................... 286
Generating Metasploit Module....................................................................................... 287
Porting to Metasploit...................................................................................................... 288
Conclusion...................................................................................................................... 290
Further Resources........................................................................................................... 290
11 Wireless Hacking
Introduction....................................................................................................................291
Requirements...................................................................................................................291
Introducing Aircrack-ng...................................................................................................293
Uncovering Hidden SSIDs..............................................................................................293
Turning on the Monitor Mode....................................................................................... 294
Monitoring Beacon Frames on Wireshark...................................................................... 294
Monitoring with Airodump-ng....................................................................................... 295
Speeding Up the Process................................................................................................. 296
Bypassing MAC Filters on Wireless Networks....................................................... 296
Cracking a WEP Wireless Network with Aircrack-ng........................................... 298
Placing Your Wireless Adapter in Monitor Mode............................................................ 298
Determining the Target with Airodump-ng................................................................... 299
Attacking the Target.............................................................................................. 299
Speeding Up the Cracking Process........................................................................ 300
Injecting ARP Packets........................................................................................... 300
Cracking the WEP.................................................................................................301
Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng...................................... 302
Capturing Packets........................................................................................................... 303
Capturing the Four-Way Handshake.............................................................................. 303
Cracking WPA/WAP2................................................................................................... 304
Using Reaver to Crack WPS-Enabled Wireless Networks..................................... 305
Reducing the Delay........................................................................................................ 306
Further Reading............................................................................................................. 306
Setting Up a Fake Access Point with SET to PWN Users...................................... 306
Attack Scenario............................................................................................................... 309
Evil Twin Attack.....................................................................................................310
Scanning the Neighbors...................................................................................................311
Spoofing the MAC..........................................................................................................311
Setting Up a Fake Access Point........................................................................................311
Causing Denial of Service on the Original AP.................................................................311
Conclusion.......................................................................................................................312
12 Web Hacking
Attacking the Authentication...........................................................................................313
Username Enumeration..........................................................................................314
Invalid Username with Invalid Password................................................................314
Valid Username with Invalid Password...................................................................314
Enabling Browser Cache to Store Passwords...........................................................314
Brute Force and Dictionary Attacks................................................................................. 315
Types of Authentication................................................................................................... 315
HTTP Basic Authentication................................................................................... 315
HTTP-Digest Authentication.................................................................................316
Form-Based Authentication....................................................................................317
Exploiting Password Reset Feature.........................................................................319
Etsy.com Password Reset Vulnerability............................................................................319
Attacking Form-Based Authentication................................................................... 320
Brute Force Attack.......................................................................................................... 322
Attacking HTTP Basic Auth................................................................................. 323
Further Reading............................................................................................................. 326
Log-In Protection Mechanisms.............................................................................. 326
CAPTCHA Validation Flaw................................................................................. 326
CAPTCHA Reset Flaw......................................................................................... 328
Manipulating User-Agents to Bypass CAPTCHA and Other Protections..............329
Real-World Example.............................................................................................. 330
Authentication Bypass Attacks............................................................................... 330
Authentication Bypass Using SQL Injection.......................................................... 330
Testing for SQL Injection Auth Bypass...................................................................331
Authentication Bypass Using XPATH Injection.....................................................333
Testing for XPATH Injection........................................................................333
Authentication Bypass Using Response Tampering............................................... 334
Crawling Restricted Links.............................................................................................. 334
Testing for the Vulnerability............................................................................................335
Automating It with Burp Suite.............................................................................. 336
Authentication Bypass with Insecure Cookie Handling.................................................. 336
Session Attacks.......................................................................................................339
Guessing Weak Session ID.....................................................................................339
Session Fixation Attacks........................................................................................ 341
Requirements for This Attack......................................................................................... 342
How the Attack Works................................................................................................... 342
SQL Injection Attacks........................................................................................... 342
What Is an SQL Injection?.................................................................................... 342
Types of SQL Injection.......................................................................................... 342
Union-Based SQL Injection......................................................................... 343
Error-Based SQL Injection........................................................................... 343
Blind SQL Injection..................................................................................... 343
Detecting SQL Injection....................................................................................... 343
Determining the Injection Type............................................................................ 343
Union-Based SQL Injection (MySQL).................................................................. 344
Testing for SQL Injection............................................................................................... 344
Determining the Number of Columns...................................................................345
Determining the Vulnerable Columns................................................................... 346
Fingerprinting the Database.................................................................................. 347
Enumeration Information...................................................................................... 347
Information_schema.............................................................................................. 348
Information_schema Tables................................................................................... 348
Enumerating All Available Databases.................................................................... 348
Enumerating All Available Tables in the Database................................................. 349
Extracting Columns from Tables........................................................................... 349
Extracting Data from Columns..............................................................................350
Using group _ concat......................................................................................350
MySQL Version ≤ 5................................................................................................351
Guessing Table Names.....................................................................................................351
Guessing Columns.................................................................................................352
SQL Injection to Remote Command Execution.....................................................352
Reading Files...................................................................................................................353
Writing Files....................................................................................................................353
Blind SQL Injection...............................................................................................355
Boolean-Based SQLi......................................................................................355
True Statement.......................................................................................................355
False Statement.......................................................................................................356
Enumerating the DB User......................................................................................356
Enumerating the MYSQL Version..........................................................................358
Guessing Tables......................................................................................................358
Guessing Columns in the Table..............................................................................359
Extracting Data from Columns............................................................................. 360
Time-Based SQL Injection.....................................................................................361
Vulnerable Application....................................................................................................361
Testing for Time-Based SQL Injection........................................................................... 362
Enumerating the DB User..................................................................................... 362
Guessing the Table Names..................................................................................... 363
Guessing the Columns........................................................................................... 364
Extracting Data from Columns..............................................................................365
Automating SQL Injections with Sqlmap.............................................................. 366
Enumerating Databases..........................................................................................367
Enumerating Tables................................................................................................367
Enumerating the Columns.....................................................................................367
Extracting Data from the Columns....................................................................... 368
HTTP Header–Based SQL Injection.................................................................... 368
Operating System Takeover with Sqlmap.............................................................. 369
OS-CMD......................................................................................................................... 369
OS-SHELL..................................................................................................................... 369
OS-PWN..........................................................................................................................370
XSS (Cross-Site Scripting)...............................................................................................371
How to Identify XSS Vulnerability..................................................................................371
Types of Cross-Site Scripting...........................................................................................371
Reflected/Nonpersistent XSS...........................................................................................372
Vulnerable Code.....................................................................................................372
Medium Security.............................................................................................................373
Vulnerable Code.....................................................................................................373
High Security..................................................................................................................373
Bypassing htmlspecialchars.....................................................................................374
UTF-32 XSS Trick: Bypass 1...........................................................................................375
Svg Craziness: Bypass 2....................................................................................................375
Bypass 3: href Attribute...................................................................................................376
Stored XSS/Persistent XSS.............................................................................................. 377
Payloads.......................................................................................................................... 377
Blind XSS........................................................................................................................378
DOM-Based XSS............................................................................................................378
Detecting DOM-Based XSS...................................................................................378
Sources (Inputs).............................................................................................378
Sinks (Creating/Modifying HTML Elements)..............................................378
Static JS Analysis to Identify DOM-Based XSS..................................................... 384
How Does It Work?................................................................................................385
Setting Up JSPRIME.............................................................................................385
Dominator: Dynamic Taint Analysis.............................................................................. 390
POC for Internet Explorer.............................................................................................. 394
POC for Chrome............................................................................................................ 394
Pros/Cons........................................................................................................................395
Cross Browser DOM XSS Detection...............................................................................395
Types of DOM-Based XSS............................................................................................. 397
Reflected DOM XSS............................................................................................. 397
Stored DOM XSS.................................................................................................. 397
Exploiting XSS...................................................................................................... 399
Cookie Stealing with XSS...................................................................................... 399
Exploiting XSS for Conducting Phishing Attacks.................................................. 402
Compromising Victim’s Browser with XSS............................................................ 404
Exploiting XSS with BeEF.............................................................................................. 405
Setting Up BeEF on BackTrack...................................................................................... 405
Demo Pages.................................................................................................................... 408
BeEF Modules....................................................................................................... 409
Module: Replace HREFs.............................................................................. 409
Module: Getcookie....................................................................................... 409
Module: Tabnabbing.....................................................................................410
BeEF in Action.......................................................................................................412
Cross-Site Request Forgery (CSRF).................................................................................413
Why Does a CSRF Attack Work?....................................................................................413
How to Attack.................................................................................................................413
GET-Based CSRF............................................................................................................414
POST-Based CSRF..........................................................................................................414
CSRF Protection Techniques...........................................................................................415
Referrer-Based Checking.................................................................................................415
Anti-CSRF Tokens..........................................................................................................415
Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm........................................416
Tokens Not Validated upon Server..................................................................................416
Analyzing Weak Anti-CSRF Token Strength..................................................................417
Bypassing CSRF with XSS..............................................................................................419
File Upload Vulnerabilities.....................................................................................421
Bypassing Client Side Restrictions......................................................................... 423
Bypassing MIME-Type Validation........................................................................ 423
Real-World Example....................................................................................................... 425
Bypassing Blacklist-Based Protections................................................................... 425
Case 1: Blocking Malicious Extensions.................................................................. 425
Bypass.......................................................................................................... 426
Case 2: Case-Sensitive Bypass................................................................................ 426
Bypass.......................................................................................................... 426
Real-World Example....................................................................................................... 426
Vulnerable Code.................................................................................................... 426
Case 3: When All Dangerous Extensions Are Blocked.......................................... 426
XSS via File Upload...................................................................................... 427
Flash-Based XSS via File Upload.................................................................. 428
Case 4: Double Extensions Vulnerabilities............................................................. 429
Apache Double Extension Issues................................................................... 429
IIS 6 Double Extension Issues...................................................................... 429
Case 5: Using Trailing Dots.................................................................................. 429
Case 6: Null Byte Trick......................................................................................... 429
Case 7: Bypassing Image Validation....................................................................... 429
Case 8: Overwriting Critical Files.......................................................................... 430
Real-World Example........................................................................................................431
File Inclusion Vulnerabilities............................................................................................431
Remote File Inclusion..................................................................................................... 432
Patching File Inclusions on the Server Side..................................................................... 433
Local File Inclusion............................................................................................... 433
Linux..................................................................................................................... 434
Windows............................................................................................................... 434
LFI Exploitation Using /proc/self/environ.............................................................. 434
Log File Injection.................................................................................................. 436
Finding Log Files: Other Tricks............................................................................. 440
Exploiting LFI Using PHP Input........................................................................... 440
Exploiting LFI Using File Uploads........................................................................ 441
Read Source Code via LFI..................................................................................... 442
Local File Disclosure Vulnerability........................................................................ 443
Vulnerable Code........................................................................................... 443
Local File Disclosure Tricks................................................................................... 445
Remote Command Execution............................................................................... 446
Uploading Shells.................................................................................................... 448
Server Side Include Injection..................................................................................452
Testing a Website for SSI Injection..................................................................................452
Executing System Commands.........................................................................................453
Spawning a Shell..............................................................................................................453
SSRF Attacks...................................................................................................................454
Impact.............................................................................................................................455
Example of a Vulnerable PHP Code.......................................................................456
Remote SSRF.........................................................................................................457
Simple SSRF..................................................................................................457
Partial SSRF..................................................................................................458
Denial of Service............................................................................................................. 463
Denial of Service Using External Entity Expansion (XEE).................................... 463
Full SSRF.............................................................................................................. 464
dict://............................................................................................................ 464
gopher://........................................................................................................465
http://............................................................................................................465
Causing the Crash................................................................................................. 466
Overwriting Return Address........................................................................................... 467
Generating Shellcode...................................................................................................... 467
Server Hacking............................................................................................................... 469
Apache Server..................................................................................................................470
Testing for Disabled Functions...............................................................................470
Open _ basedir Misconfiguration....................................................................472
Using CURL to Bypass Open _ basedir Restrictions.......................................474
Open _ basedir PHP 5.2.9 Bypass...................................................................475
Reference.........................................................................................................................476
Bypassing open _ basedir Using CGI Shell.....................................................476
Bypassing open _ basedir Using Mod _ Perl, Mod _ Python............... 477
Escalating Privileges Using Local Root Exploits............................................................. 477
Back Connecting............................................................................................................ 477
Finding the Local Root Exploit.......................................................................................478
Usage...............................................................................................................................478
Finding a Writable Directory...........................................................................................479
Bypassing Symlinks to Read Configuration Files............................................................ 480
Who Is Affected?.............................................................................................................481
Basic Syntax.....................................................................................................................481
Why This Works.................................................................................................... 482
Symlink Bypass: Example 1................................................................................... 482
Finding the Username........................................................................................... 482
/etc/passwd File..................................................................................... 483
/etc/valiases File................................................................................. 483
Path Disclosure............................................................................................. 483
Uploading .htaccess to Follow Symlinks................................................................ 484
Symlinking the Configuration Files....................................................................... 484
Connecting to and Manipulating the Database.............................................................. 485
Updating the Password................................................................................................... 486
Symlink the Root Directory.................................................................................. 486
Example 3: Compromising WHMCS Server......................................................... 487
Finding a WHMCS Server............................................................................................. 487
Symlinking the Configuration File................................................................................. 488
WHMCS Killer..................................................................................................... 488
Disabling Security Mechanisms............................................................................. 490
Disabling Mod _ Security............................................................................... 490
Disabling Open _ basedir and Safe _ mode............................................ 490
Using CGI, PERL, or Python Shell to Bypass Symlinks.........................................491
Conclusion.......................................................................................................................491

Bookscreen
e-books shop

Preface
Ethical hacking strikes all of us as a subject that requires a great deal of prerequisite knowledge
about things like heavy duty software, languages that includes hordes of syntaxes, algorithms
that could be generated by maestros only. Well that’s not the case, to some extent. This book
introduces the steps required to complete a penetration test, or ethical hack. Requiring no prior
hacking experience, the book explains how to utilize and interpret the results of modern day
hacking tools that are required to complete a penetration test. Coverage includes Backtrack Linux,
Google Reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn,
Netcat, and Hacker Defender rootkit. Simple explanations of how to use these tools and a fourstep
methodology for conducting a penetration test provide readers with a better understanding
of offensive security.

Being an ethical hacker myself, I know how difficult it is for people who are new into hacking
to excel at this skill without having any prior knowledge and understanding of how things work.
Keeping this exigent thing in mind, I have provided those who are keen to learn ethical hacking
with the best possible explanations in the most easy and understandable manner so that they will
not only gain pleasure while reading, but they will have the urge to put into practice what have
they learned from it.

The sole aim and objective of writing this book is to target the beginners who look for a complete
guide to turn their dream of becoming an ethical hacker into a reality. This book elucidates
the building blocks of ethical hacking that will help readers to develop an insight of the matter in
hand. It will help them fathom what ethical hacking is all about and how one can actually run a
penetration test with great success.

I have put in a lot of hard work to make this book a success. I remember spending hours and
hours in front of my computer typing indefatigably, ignoring all the text messages of my friends
when they asked me to come along and spend some time with them, which left me despondent,
but now, when I see my book finally completed, it gives me immense pleasure that the efforts of a
whole year have finally paid off.

This book came out as a result of my own experiences during my ethical hacking journey.
Experiences that are worth sharing with all the passionate people out there.
It makes me elated to the core when I see my third book on the subject of hacking published,
and I hope and pray that everyone likes it.
Best of luck to everyone out there.
Rafay Baloch
Loading...
DMCA.com Protection Status