Showing posts with label Penetration Testing. Show all posts

Red Team Edition

Peter Kim


e-books shop

Purchase Now !
Just with Paypal



Book Details
 Price
 4.00
 Pages
 337 p
 File Size 
 8,923 KB
 File Type
 PDF format
 ISBN-13
 978-1980901754
 Copyright©   
 2018 by Secure Planet LLC 

About the Author
Peter Kim has been in the information security industry for more than 14 years
and has been running Penetration Testing/Red Teams for more than 12 years.
He has worked for multiple utility companies, Fortune 1000 entertainment
companies, government agencies, and large financial organizations. Although
he is most well-known for The Hacker Playbook series, his passions are building
a safe security community, mentoring students, and training others. He founded
and maintains one of Southern California's largest technical security clubs called
LETHAL (www.meetup.com/LETHAL), performs private training at his
warehouse LETHAL Security (lethalsecurity.com), and runs a boutique
penetration testing firm called Secure Planet (www.SecurePla.net).

Peter's main goal with The Hacker Playbook series is to instill passion into his
readers and get them to think outside the box. With the ever-changing
environment of security, he wants to help build the next generation of security professionals.
Feel free to contact Peter Kim for any of the following:
Questions about the book: book@thehackerplaybook.com
Inquiries on private training or Penetration Tests: secure@securepla.net
Twitter: @hackerplaybook

preface
This is the third iteration of The Hacker Playbook (THP) series. Below is an
overview of all the new vulnerabilities and attacks that will be discussed. In
addition to the new content, some attacks and techniques from the prior books
(which are still relevant today) are included to eliminate the need to refer back to
the prior books. So, what's new? Some of the updated topics from the past
couple of years include:
Abusing Active Directory
Abusing Kerberos
Advanced Web Attacks
Better Ways to Move Laterally
Cloud Vulnerabilities
Faster/Smarter Password Cracking
Living Off the Land
Lateral Movement Attacks
Multiple Custom Labs
Newer Web Language Vulnerabilities
Physical Attacks
Privilege Escalation
PowerShell Attacks
Ransomware Attacks
Red Team vs Penetration Testing
Setting Up Your Red Team Infrastructure
Usable Red Team Metrics
Writing Malware and Evading AV
And so much more
Additionally, I have attempted to incorporate all of the comments and
recommendations received from readers of the first and second books. I do want
to reiterate that I am not a professional author. I just love security and love
teaching security and this is one of my passion projects. I hope you enjoy it.

This book will also provide a more in-depth look into how to set up a lab
environment in which to test your attacks, along with the newest tips and tricks
of penetration testing. Lastly, I tried to make this version easier to follow since
many schools have incorporated my book into their curricula. Whenever
possible, I have added lab sections that help provide a way to test a vulnerability or exploit.

As with the other two books, I try to keep things as realistic, or “real world”, as
possible. I also try to stay away from theoretical attacks and focus on what I
have seen from personal experience and what actually worked. I think there has
been a major shift in the industry from penetration testers to Red Teamers, and I
want to show you rather than tell you why this is so. As I stated before, my
passion is to teach and challenge others. So, my goals for you through this book
are two-fold: first, I want you to get into the mindset of an attacker and
understand “the how” of the attacks; second, I want you to take the tools and
techniques you learn and expand upon them. Reading and repeating the labs is
only one part – the main lesson I teach to my students is to let your work speak
for your talents. Instead of working on your resume (of course, you should have
a resume), I really feel that having a strong public Github repo/technical blog
speaks volumes in security over a good resume. Whether you live in the blue
defensive or red offensive world, getting involved and sharing with our security
community is imperative.

For those who did not read either of my two prior books, you might be
wondering what my experience entails. My background includes more than 12
years of penetration testing/red teaming for major financial institutions, large
utility companies, Fortune 500 entertainment companies, and government
organizations. I have also spent years teaching offensive network security at
colleges, spoken at multiple security conferences, been referenced in many
security publications, taught courses all over the country, ran multiple public
CTF competitions, and started my own security school. One of my big passion
project was building a free and open security community in Southern California
called LETHAL (meetup.com/lethal). Now, with over 800+ members, monthly
meetings, CTF competitions, and more, it has become an amazing environment
for people to share, learn, and grow.

One important note is that I am using both commercial and open source tools.
For every commercial tool discussed, I try to provide an open source
counterpart. I occasionally run into some pentesters who claim they only use
open source tools. As a penetration tester, I find this statement hard to accept. If
you are supposed to emulate a “real world” attack, the “bad guys” do not have
these restrictions; therefore, you need to use any tool (commercial or open
source) that will get the job done.

A question I get often is, who is this book intended for? It is really hard to state
for whom this book is specifically intended as I truly believe anyone in security
can learn. Parts of this book might be too advanced for novice readers, some
parts might be too easy for advanced hackers, and other parts might not even be
in your field of security.

For those who are just getting into security, one of the most common things I
hear from readers is that they tend to gain the most benefit from the books after
reading them for the second or third time (making sure to leave adequate time
between reads). There is a lot of material thrown at you throughout this book
and sometimes it takes time to absorb it all. So, I would say relax, take a good
read, go through the labs/examples, build your lab, push your scripts/code to a
public Github repository, and start up a blog.

Lastly, being a Red Team member is half about technical ability and half about
having confidence. Many of the social engineering exercises require you to
overcome your nervousness and go outside your comfort zone. David Letterman
said it best, "Pretending to not be afraid is as good as actually not being afraid."
Although this should be taken with a grain of salt, sometimes you just have to
have confidence, do it, and don't look back.


Table of Contents
Contents
Preface
Notes and Disclaimer
Introduction
Penetration Testing Teams vs Red Teams
Summary
1 Pregame - The Setup
Assumed Breach Exercises
Setting Up Your Campaign
Setting Up Your External Servers
Tools of the Trade
Metasploit Framework
Cobalt Strike
PowerShell Empire
dnscat2
p0wnedShell
Pupy Shell
PoshC2
Merlin
Nishang
Conclusion
2 Before the Snap - Red Team Recon
Monitoring an Environment
Regular Nmap Diffing
Web Screenshots
Cloud Scanning
Network/Service Search Engines
Manually Parsing SSL Certificates
Subdomain Discovery
Github
Cloud
Emails
Additional Open Source Resources
Conclusion
3 The Throw - Web Application Exploitation
Bug Bounty Programs:
Web Attacks Introduction - Cyber Space Kittens
The Red Team Web Application Attacks
Chat Support Systems Lab
Cyber Space Kittens: Chat Support Systems
Setting Up Your Web Application Hacking Machine
Analyzing a Web Application
Web Discovery
Cross-Site Scripting XSS
Blind XSS
DOM Based XSS
Advanced XSS in NodeJS
XSS to Compromise
NoSQL Injections
Deserialization Attacks
Template Engine Attacks - Template Injections
JavaScript and Remote Code Execution
Server Side Request Forgery (SSRF)
XML eXternal Entities (XXE)
Advanced XXE - Out Of Band (XXE-OOB)
Conclusion
4 The Drive - Compromising the Network
Finding Credentials from Outside the Network
Advanced Lab
Moving Through the Network
Setting Up the Environment - Lab Network
On the Network with No Credentials
Responder
Better Responder (MultiRelay.py)
PowerShell Responder
User Enumeration Without Credentials
Scanning the Network with CrackMapExec (CME)
After Compromising Your Initial Host
Privilege Escalation
Privilege Escalation Lab
Pulling Clear Text Credentials from Memory
Getting Passwords from the Windows Credential Store and Browsers
Getting Local Creds and Information from OSX
Living Off of the Land in a Windows Domain Environment
Service Principal Names
Querying Active Directory
Bloodhound/Sharphound
Moving Laterally - Migrating Processes
Moving Laterally Off Your Initial Host
Lateral Movement with DCOM
Pass-the-Hash
Gaining Credentials from Service Accounts
Dumping the Domain Controller Hashes
Lateral Movement via RDP over the VPS
Pivoting in Linux
Privilege Escalation
Linux Lateral Movement Lab
Attacking the CSK Secure Network
Conclusion
5 The Screen - Social Engineering
Building Your Social Engineering (SE) Campaigns
Doppelganger Domains
How to Clone Authentication Pages
Credentials with 2FA
Phishing
Microsoft Word/Excel Macro Files
Non-Macro Office Files - DDE
Hidden Encrypted Payloads
Exploiting Internal Jenkins with Social Engineering
Conclusion
6 The Onside Kick - Physical Attacks
Card Reader Cloners
Physical Tools to Bypass Access Points
LAN Turtle (lanturtle.com)
Packet Squirrel
Bash Bunny
Breaking into Cyber Space Kittens
QuickCreds
BunnyTap
WiFi
Conclusion
7 The Quarterback Sneak - Evading AV and Network Detection
Writing Code for Red Team Campaigns
The Basics Building a Keylogger
Setting up your environment
Compiling from Source
Sample Framework
Obfuscation
THP Custom Droppers
Shellcode vs DLLs
Running the Server
Client
Configuring the Client and Server
Adding New Handlers
Further Exercises
Recompiling Metasploit/Meterpreter to Bypass AV and Network Detection
How to Build Metasploit/Meterpreter on Windows:
Creating a Modified Stage 0 Payload:
SharpShooter
Application Whitelisting Bypass
Code Caves
PowerShell Obfuscation
PowerShell Without PowerShell:
HideMyPS
Conclusion
8 Special Teams - Cracking, Exploits, and Tricks
Automation
Automating Metasploit with RC scripts
Automating Empire
Automating Cobalt Strike
The Future of Automation
Password Cracking
Gotta Crack Em All - Quickly Cracking as Many as You Can
Cracking the CyberSpaceKittens NTLM hashes:
Creative Campaigns
Disabling PS Logging
Windows Download File from Internet Command Line
Getting System from Local Admin
Retrieving NTLM Hashes without Touching LSASS
Building Training Labs and Monitor with Defensive Tools
Conclusion
9 Two-Minute Drill - From Zero to Hero
10 Post Game Analysis - Reporting
Continuing Education
About the Author
special thanks

Bookscreen
e-books shop

Introduction
In the last engagement (The Hacker Playbook 2), you were tasked with breaking
into the Cyber Kittens weapons facility. They are now back with their brand
new space division called Cyber Space Kittens (CSK). This new division took
all the lessons learned from the prior security assessment to harden their
systems, set up a local security operations center, and even create security
policies. They have hired you to see if all of their security controls have helped
their overall posture.

From the little details we have picked up, it looks like Cyber Space Kittens has
discovered a secret planet located in the Great Andromeda Nebula or
Andromeda Galaxy. This planet, located on one of the two spiral arms, is
referred to as KITT-3n. KITT-3n, whose size is double that of Earth, resides in
the binary system called OI 31337 with a star that is also twice the size of
Earth’s star. This creates a potentially habitable environment with oceans, lakes,
plants, and maybe even life…

With the hope of new life, water, and another viable planet, the space race is
real. CSK has hired us to perform a Red Team assessment to make sure they are
secure, and capable of detecting and stopping a breach. Their management has
seen and heard of all the major breaches in the last year and want to hire only the
best. This is where you come in...

Your mission, if you choose to accept it, is to find all the external and internal
vulnerabilities, use the latest exploits, use chained vulnerabilities, and see if their
defensive teams can detect or stop you.

What types of tactics, threats, and procedures are you going to have to employ?
In this campaign, you are going to need to do a ton of reconnaissance and
discovery, look for weaknesses in their external infrastructure, social engineer
employees, privilege escalate, gain internal network information, move laterally
throughout the network, and ultimately exfiltrate KITT-3n systems and databases.

RAFAY BALOCH


e-books shop

Purchase Now !
Just with Paypal



Book Details
 Price
 3.50 USD
 Pages
 523 p
 File Size
 22,976 KB
 File Type
 PDF format
 ISBN
 978-1-4822-3162-5 (eBook - PDF) 
 Copyright   
 2015 by Taylor & Francis Group, LLC 

About the Author
Rafay Baloch is the founder/CEO of RHA InfoSec. He runs one of the top security blogs in
Pakistan with more than 25,000 subscribers (http://rafayhackingarticles.net). He has participated
in various bug bounty programs and has helped several major Internet corporations such
as Google, Facebook, Twitter, Yahoo!, eBay, etc., to improve their Internet security. Rafay was
successful in finding a remote code execution vulnerability along with several other high-risk
vulnerabilities inside PayPal, for which he was awarded a huge sum of money as well as an offer
to work for PayPal. His major areas of research interest are in network security, bypassing modern
security defenses such as WAFs, DOM-based XSS, and other HTML 5–based attack vectors.
Rafay holds CPTE, CPTC, CSWAE, CVA, CSS, OSCP, CCNA R & S, CCNP Route, and
eWAPT certifications.

Acknowledgments
I am eternally indebted to the editor, Rich O’Hanley, for his encouragement and continuous support
and my dear friend Prakhar Prasad for his help at various stages of this book.
I also thank Mohammed Ramadan for his help and support and Soroush Dallili for his ideas
with file upload tricks. Many thanks to my friends Alex Infuhr and Giuseppe Trotta for their
help with various sections of the “Web Hacking” chapter, Shahmeer Amir for his help with the
“Wireless Hacking” chapter, and Tehseen Javed for his help with the “Linux Basics” chapter.
I also thank my mentors Prof. Asim Rizvi, David Vieira-Kurz, Ziaullah Mirza and last but not
least, I thank the following keypersons: Mario Heiderich, Deepankar Arora, Nir Goldshlager, Britto
Fleming Joe, Nishant Das Patnaik, Pepe Vila, Ray friedman, Armando Romeo, Tyler Borland,
Zeeshan Haider, Nehal hussain, Rafael Souza, and Fatima Hanif.
I also thank my family members and relatives for always being supportive.

Table of Contents
Preface.............................................................................................................................. xxiii
Acknowledgments..............................................................................................................xxv
Author..............................................................................................................................xxvii
1 Introduction to Hacking
Important Terminologies.................................................................................................... 2
Asset.......................................................................................................................... 2
Vulnerability.............................................................................................................. 3
Threat........................................................................................................................ 3
Exploit....................................................................................................................... 3
Risk........................................................................................................................... 3
What Is a Penetration Test?....................................................................................... 3
Vulnerability Assessments versus Penetration Test..................................................... 3
Preengagement.......................................................................................................... 3
Rules of Engagement................................................................................................. 4
Milestones................................................................................................................. 4
Penetration Testing Methodologies............................................................................ 5
OSSTMM................................................................................................................. 5
NIST......................................................................................................................... 6
OWASP..................................................................................................................... 7
Categories of Penetration Test............................................................................................. 7
Black Box.................................................................................................................. 7
White Box................................................................................................................. 7
Gray Box................................................................................................................... 7
Types of Penetration Tests......................................................................................... 7
Network Penetration Test................................................................................. 8
Web Application Penetration Test.................................................................... 8
Mobile Application Penetration Test................................................................ 8
Social Engineering Penetration Test................................................................. 8
Physical Penetration Test.................................................................................. 8
Report Writing.......................................................................................................... 8
Understanding the Audience..................................................................................... 9
Executive Class................................................................................................. 9
Management Class........................................................................................... 9
Technical Class................................................................................................. 9
Writing Reports.................................................................................................................10
Structure of a Penetration Testing Report..........................................................................10
Cover Page................................................................................................................10
Table of Contents.....................................................................................................10
Executive Summary..................................................................................................11
Remediation Report................................................................................................ 12
Vulnerability Assessment Summary.................................................................................. 12
Tabular Summary.....................................................................................................13
Risk Assessment.................................................................................................................14
Risk Assessment Matrix............................................................................................14
Methodology.....................................................................................................................14
Detailed Findings.....................................................................................................15
Description......................................................................................................15
Explanation.....................................................................................................16
Risk.................................................................................................................16
Recommendation............................................................................................16
Reports.....................................................................................................................17
Conclusion.........................................................................................................................17
2 Linux Basics
Major Linux Operating Systems........................................................................................19
File Structure inside of Linux............................................................................................ 20
File Permission in Linux.......................................................................................... 22
Group Permission........................................................................................... 22
Linux Advance/Special Permission................................................................. 22
Link Permission.............................................................................................. 23
Suid & Guid Permission................................................................................. 23
Stickybit Permission....................................................................................... 23
Chatter Permission......................................................................................... 24
Most Common and Important Commands............................................................. 24
Linux Scheduler (Cron Job)...............................................................................................25
Cron Permission...................................................................................................... 26
Cron Permission............................................................................................. 26
Cron Files....................................................................................................... 26
Users inside of Linux........................................................................................................ 28
Linux Services......................................................................................................... 29
Linux Password Storage........................................................................................... 29
Linux Logging......................................................................................................... 30
Common Applications of Linux....................................................................................... 30
What Is BackTrack?.......................................................................................................... 30
How to Get BackTrack 5 Running...........................................................................31
Installing BackTrack on Virtual Box........................................................................31
Installing BackTrack on a Portable USB...................................................................35
Installing BackTrack on Your Hard Drive............................................................... 39
BackTrack Basics..................................................................................................... 43
Changing the Default Screen Resolution.......................................................................... 43
Some Unforgettable Basics....................................................................................... 44
Changing the Password.................................................................................. 44
Clearing the Screen........................................................................................ 44
Listing the Contents of a Directory................................................................ 44
Displaying Contents of a Specific Directory................................................... 44
Displaying the Contents of a File.....................................................................45
Creating a Directory........................................................................................45
Changing the Directories................................................................................45
Windows.........................................................................................................45
Linux...............................................................................................................45
Creating a Text File.........................................................................................45
Copying a File.................................................................................................45
Current Working Directory.............................................................................45
Renaming a File..............................................................................................45
Moving a File................................................................................................. 46
Removing a File.............................................................................................. 46
Locating Certain Files inside BackTrack.................................................................. 46
Text Editors inside BackTrack........................................................................................... 46
Getting to Know Your Network........................................................................................47
Dhclient....................................................................................................................47
Services............................................................................................................................. 48
MySQL.................................................................................................................... 48
SSHD...................................................................................................................... 48
Postgresql................................................................................................................. 50
Other Online Resources....................................................................................................51
3 Information Gathering Techniques
Active Information Gathering............................................................................................53
Passive Information Gathering...........................................................................................53
Sources of Information Gathering.................................................................................... 54
Copying Websites Locally................................................................................................. 54
Information Gathering with Whois..........................................................................55
Finding Other Websites Hosted on the Same Server............................................... 56
Yougetsignal.com.............................................................................................................. 56
Tracing the Location................................................................................................57
Traceroute.................................................................................................................57
ICMP Traceroute..................................................................................................... 58
TCP Traceroute....................................................................................................... 58
Usage.............................................................................................................. 58
UDP Traceroute...................................................................................................... 58
Usage.............................................................................................................. 58
NeoTrace...........................................................................................................................59
Cheops-ng.........................................................................................................................59
Enumerating and Fingerprinting the Webservers..................................................... 60
Intercepting a Response.................................................................................................... 60
Acunetix Vulnerability Scanner............................................................................... 62
WhatWeb......................................................................................................................... 62
Netcraft............................................................................................................................ 63
Google Hacking...................................................................................................... 63
Some Basic Parameters...................................................................................................... 64
Site........................................................................................................................... 64
Example............................................................................................................................ 64
TIP regarding Filetype......................................................................................................65
Google Hacking Database....................................................................................... 66
Hackersforcharity.org/ghdb...............................................................................................67
Xcode Exploit Scanner.......................................................................................................67
File Analysis............................................................................................................. 68
Foca......................................................................................................................... 68
Harvesting E-Mail Lists.......................................................................................... 69
Gathering Wordlist from a Target Website.............................................................. 71
Scanning for Subdomains........................................................................................ 71
TheHarvester........................................................................................................... 72
Fierce in BackTrack................................................................................................. 72
Scanning for SSL Version.........................................................................................74
DNS Enumeration................................................................................................... 75
Interacting with DNS Servers........................................................................................... 75
Nslookup...........................................................................................................................76
DIG...................................................................................................................................76
Forward DNS Lookup............................................................................................. 77
Forward DNS Lookup with Fierce.................................................................................... 77
Reverse DNS........................................................................................................... 78
Reverse DNS Lookup with Dig............................................................................... 78
Reverse DNS Lookup with Fierce..................................................................................... 78
Zone Transfers......................................................................................................... 79
Zone Transfer with Host Command................................................................................ 79
Automating Zone Transfers.............................................................................................. 80
DNS Cache Snooping.............................................................................................. 80
What Is DNS Cache Snooping?.........................................................................................81
Nonrecursive Method...............................................................................................81
Recursive Method.................................................................................................... 82
What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?........ 83
Attack Scenario................................................................................................................. 84
Automating DNS Cache Snooping Attacks...................................................................... 84
Sniffing SNMP Passwords................................................................................................ 84
OneSixtyOne.....................................................................................................................85
Snmpenum........................................................................................................................85
SolarWinds Toolset............................................................................................................85
SNMP Sweep.................................................................................................................... 86
SNMP Brute Force and Dictionary.................................................................................. 86
SNMP Brute Force Tool................................................................................................... 86
SNMP Dictionary Attack Tool......................................................................................... 87
SMTP Enumeration......................................................................................................... 87
Detecting Load Balancers........................................................................................ 88
Load Balancer Detector........................................................................................... 89
Determining Real IP behind Load Balancers.......................................................... 89
Bypassing CloudFlare Protection............................................................................. 90
Method 1: Resolvers....................................................................................... 90
Method 2: Subdomain Trick.......................................................................... 92
Method 3: Mail Servers.................................................................................. 92
Intelligence Gathering Using Shodan............................................................................... 93
Further Reading............................................................................................................... 95
Conclusion........................................................................................................................ 95
4 Target Enumeration and Port Scanning Techniques
Host Discovery................................................................................................................. 97
Scanning for Open Ports and Services............................................................................ 100
Types of Port Scanning................................................................................................... 100
Understanding the TCP Three-Way Handshake..............................................................101
TCP Flags........................................................................................................................101
Port Status Types.............................................................................................................102
TCP SYN Scan................................................................................................................102
TCP Connect Scan..........................................................................................................103
NULL, FIN, and XMAS Scans.......................................................................................104
NULL Scan.....................................................................................................................104
FIN Scan.........................................................................................................................105
XMAS Scan.....................................................................................................................105
TCP ACK Scan...............................................................................................................105
Responses........................................................................................................................106
UDP Port Scan................................................................................................................106
Anonymous Scan Types...................................................................................................107
IDLE Scan.......................................................................................................................107
Scanning for a Vulnerable Host.......................................................................................107
Performing an IDLE Scan with NMAP..........................................................................109
TCP FTP Bounce Scan...................................................................................................109
Service Version Detection................................................................................................110
OS Fingerprinting........................................................................................................... 111
POF................................................................................................................................. 111
Output.............................................................................................................................112
Normal Format.......................................................................................................112
Grepable Format.....................................................................................................112
XML Format..........................................................................................................113
Advanced Firewall/IDS Evading Techniques...................................................................113
Timing Technique...........................................................................................................114
Wireshark Output...........................................................................................................114
Fragmented Packets......................................................................................................... 115
Wireshark Output........................................................................................................... 115
Source Port Scan.............................................................................................................. 115
Specifying an MTU.........................................................................................................116
Sending Bad Checksums.................................................................................................116
Decoys.............................................................................................................................117
ZENMAP.......................................................................................................................117
Further Reading..............................................................................................................119
5 Vulnerability Assessment
What Are Vulnerability Scanners and How Do They Work?...........................................121
Pros and Cons of a Vulnerability Scanner....................................................................... 122
Vulnerability Assessment with Nmap............................................................................. 122
Updating the Database................................................................................................... 122
Scanning MS08 _ 067 _ netapi................................................................................ 123
Testing SCADA Environments with Nmap.................................................................... 123
Installation............................................................................................................ 124
Usage..................................................................................................................... 124
Nessus Vulnerability Scanner.......................................................................................... 124
Home Feed.............................................................................................................125
Professional Feed....................................................................................................125
Installing Nessus on BackTrack.......................................................................................125
Adding a User..................................................................................................................125
Nessus Control Panel............................................................................................. 126
Reports......................................................................................................... 126
Mobile.......................................................................................................... 126
Scan ............................................................................................................. 127
Policies.......................................................................................................... 127
Users............................................................................................................. 127
Configuration............................................................................................... 127
Default Policies...................................................................................................... 127
Creating a New Policy.................................................................................................... 128
Safe Checks.................................................................................................................... 128
Silent Dependencies........................................................................................................ 128
Avoid Sequential Scans.......................................................................................... 128
Port Range.......................................................................................................................129
Credentials.............................................................................................................129
Plug-Ins..................................................................................................................129
Preferences...................................................................................................................... 130
Scanning the Target............................................................................................... 130
Nessus Integration with Metasploit..................................................................................132
Importing Nessus to Metasploit.......................................................................................132
Scanning the Target................................................................................................133
Reporting...............................................................................................................133
OpenVas.................................................................................................................133
Resource......................................................................................................................... 134
Vulnerability Data Resources................................................................................. 134
Exploit Databases...................................................................................................135
Using Exploit-db with BackTrack................................................................................... 136
Searching for Exploits inside BackTrack..........................................................................137
Conclusion.......................................................................................................................138
6 Network Sniffing
Introduction....................................................................................................................139
Types of Sniffing..............................................................................................................140
Active Sniffing........................................................................................................140
Passive Sniffing.......................................................................................................140
Hubs versus Switches.......................................................................................................140
Promiscuous versus Nonpromiscuous Mode....................................................................141
MITM Attacks................................................................................................................141
ARP Protocol Basics........................................................................................................142
How ARP Works.............................................................................................................142
ARP Attacks....................................................................................................................143
MAC Flooding.......................................................................................................143
Macof............................................................................................................143
ARP Poisoning.......................................................................................................144
Scenario—How It Works................................................................................................144
Denial of Service Attacks.................................................................................................144
Tools of the Trade............................................................................................................145
Dsniff.....................................................................................................................145
Using ARP Spoof to Perform MITM Attacks.................................................................145
Usage......................................................................................................................146
Sniffing the Traffic with Dsniff........................................................................................147
Sniffing Pictures with Drifnet..........................................................................................147
Urlsnarf and Webspy.......................................................................................................148
Sniffing with Wireshark...................................................................................................149
Ettercap...........................................................................................................................150
ARP Poisoning with Ettercap..........................................................................................150
Hijacking Session with MITM Attack.............................................................................152
Attack Scenario................................................................................................................152
ARP Poisoning with Cain and Abel.................................................................................153
Sniffing Session Cookies with Wireshark.........................................................................155
Hijacking the Session.......................................................................................................156
SSL Strip: Stripping HTTPS Traffic................................................................................157
Requirements...................................................................................................................157
Usage......................................................................................................................158
Automating Man in the Middle Attacks..........................................................................158
Usage......................................................................................................................158
DNS Spoofing.................................................................................................................159
ARP Spoofing Attack.............................................................................................159
Manipulating the DNS Records.............................................................................160
Using Ettercap to Launch DNS Spoofing Attack....................................................160
DHCP Spoofing..............................................................................................................160
Conclusion.......................................................................................................................161
7 Remote Exploitation
Understanding Network Protocols...................................................................................163
Transmission Control Protocol...............................................................................164
User Datagram Protocol.........................................................................................164
Internet Control Messaging Protocol......................................................................164
Server Protocols...............................................................................................................164
Text-Based Protocols (Important)...........................................................................164
Binary Protocols.....................................................................................................164
FTP...............................................................................................................165
SMTP............................................................................................................165
HTTP...........................................................................................................165
Further Reading..............................................................................................................165
Resources.........................................................................................................................166
Attacking Network Remote Services................................................................................166
Overview of Brute Force Attacks............................................................................166
Traditional Brute Force.................................................................................166
Dictionary Attacks........................................................................................166
Hybrid Attacks..............................................................................................167
Common Target Protocols...............................................................................................167
Tools of the Trade............................................................................................................167
THC Hydra............................................................................................................167
Basic Syntax for Hydra....................................................................................................168
Cracking Services with Hydra................................................................................168
Hydra GUI......................................................................................................................170
Medusa...................................................................................................................170
Basic Syntax.....................................................................................................................170
OpenSSH Username Discovery Bug................................................................................170
Cracking SSH with Medusa............................................................................................171
Ncrack....................................................................................................................171
Basic Syntax.....................................................................................................................171
Cracking an RDP with Ncrack........................................................................................172
Case Study of a Morto Worm.................................................................................172
Combining Nmap and Ncrack for Optimal Results........................................................172
Attacking SMTP....................................................................................................173
Important Commands.....................................................................................................174
Real-Life Example...........................................................................................................174
Attacking SQL Servers.....................................................................................................175
MySQL Servers.......................................................................................................175
Fingerprinting MySQL Version.......................................................................................175
Testing for Weak Authentication.....................................................................................175
MS SQL Servers..............................................................................................................176
Fingerprinting the Version...............................................................................................177
Brute Forcing SA Account...............................................................................................177
Using Null Passwords......................................................................................................178
Introduction to Metasploit...............................................................................................178
History of Metasploit.......................................................................................................178
Metasploit Interfaces........................................................................................................178
MSFConsole....................................................................................................................178
MSFcli....................................................................................................................179
MSFGUI................................................................................................................179
Armitage.................................................................................................................179
Metasploit Utilities..........................................................................................................179
MSFPayload.....................................................................................................................179
MSFEncode.....................................................................................................................179
MSFVenom.....................................................................................................................179
Metasploit Basic Commands...........................................................................................180
Search Feature in Metasploit............................................................................................180
Use Command.................................................................................................................181
Info Command................................................................................................................181
Show Options..................................................................................................................181
Set/Unset Command.......................................................................................................182
Reconnaissance with Metasploit......................................................................................182
Port Scanning with Metasploit........................................................................................182
Metasploit Databases.......................................................................................................182
Storing Information from Nmap into Metasploit Database.............................................183
Useful Scans with Metasploit...........................................................................................184
Port Scanners..........................................................................................................184
Specific Scanners....................................................................................................184
Compromising a Windows Host with Metasploit............................................................184
Metasploit Autopwn........................................................................................................188
db _ autopwn in Action..............................................................................................188
Nessus and Autopwn.......................................................................................................189
Armitage.................................................................................................................189
Interface...........................................................................................................................190
Launching Armitage........................................................................................................190
Compromising Your First Target from Armitage.............................................................191
Enumerating and Fingerprinting the Target....................................................................191
MSF Scans.......................................................................................................................192
Importing Hosts..............................................................................................................192
Vulnerability Assessment.................................................................................................193
Exploitation.....................................................................................................................193
Check Feature..................................................................................................................195
Hail Mary........................................................................................................................196
Conclusion.......................................................................................................................196
References........................................................................................................................196
8 Client Side Exploitation
Client Side Exploitation Methods....................................................................................197
Attack Scenario 1: E-Mails Leading to Malicious Attachments..............................197
Attack Scenario 2: E-Mails Leading to Malicious Links.........................................197
Attack Scenario 3: Compromising Client Side Update...........................................198
Attack Scenario 4: Malware Loaded on USB Sticks................................................198
E-Mails with Malicious Attachments.....................................................................198
Creating a Custom Executable.......................................................................198
Creating a Backdoor with SET......................................................................198
PDF Hacking................................................................................................201
Introduction....................................................................................................................201
Header................................................................................................................... 202
Body...................................................................................................................... 202
Cross Reference Table............................................................................................ 202
Trailer.................................................................................................................... 202
PDF Launch Action........................................................................................................ 202
Creating a PDF Document with a Launch Action.......................................................... 203
Controlling the Dialog Boxes................................................................................ 205
PDF Reconnaissance............................................................................................. 205
Tools of the Trade........................................................................................................... 205
PDFINFO............................................................................................................. 205
PDFINFO “Your PDF Document”.............................................................. 206
PDFTK................................................................................................................. 206
Origami Framework....................................................................................................... 207
Installing Origami Framework on BackTrack................................................................. 207
Attacking with PDF........................................................................................................ 208
Fileformat Exploits................................................................................................ 208
Browser Exploits.................................................................................................... 208
Scenario from Real World............................................................................................... 209
Adobe PDF Embedded EXE............................................................................................210
Social Engineering Toolkit...............................................................................................211
Attack Scenario 2: E-Mails Leading to Malicious Links.........................................213
Credential Harvester Attack............................................................................................214
Tabnabbing Attack..........................................................................................................215
Other Attack Vectors.......................................................................................................216
Browser Exploitation........................................................................................................217
Attacking over the Internet with SET..............................................................................217
Attack Scenario over the Internet.....................................................................................217
Using Windows Box as Router (Port Forwarding).......................................................... 220
Browser AutoPWN................................................................................................ 220
Why Use Browser AutoPWN?.........................................................................................221
Problem with Browser AutoPWN....................................................................................221
VPS/Dedicated Server.................................................................................................... 223
Attack Scenario 3: Compromising Client Side Update.......................................... 223
How Evilgrade Works..................................................................................................... 223
Prerequisites.................................................................................................................... 223
Attack Vectors....................................................................................................... 223
Internal Network Attack Vectors........................................................................... 223
External Network Attack Vectors.......................................................................... 224
Evilgrade Console.................................................................................................. 224
Attack Scenario..................................................................................................... 224
Attack Scenario 4: Malware Loaded on USB Sticks............................................... 227
Teensy USB.................................................................................................................... 229
Conclusion...................................................................................................................... 229
Further Reading............................................................................................................. 229
9 Postexploitation
Acquiring Situation Awareness........................................................................................231
Enumerating a Windows Machine.........................................................................231
Enumerating Local Groups and Users....................................................................233
Enumerating a Linux Machine...............................................................................233
Enumerating with Meterpreter...............................................................................235
Identifying Processes.....................................................................................235
Interacting with the System...........................................................................235
User Interface Command..............................................................................235
Privilege Escalation......................................................................................................... 236
Maintaining Stability............................................................................................ 236
Escalating Privileges....................................................................................................... 237
Bypassing User Access Control.............................................................................. 238
Impersonating the Token....................................................................................... 239
Escalating Privileges on a Linux Machine...............................................................241
Maintaining Access.........................................................................................................241
Installing a Backdoor.......................................................................................................241
Cracking the Hashes to Gain Access to Other Services...................................................241
Backdoors........................................................................................................................241
Disabling the Firewall............................................................................................ 242
Killing the Antivirus.............................................................................................. 242
Netcat.................................................................................................................... 243
MSFPayload/MSFEncode............................................................................................... 244
Generating a Backdoor with MSFPayload............................................................. 244
MSFEncode............................................................................................................245
MSFVenom.................................................................................................................... 246
Persistence..............................................................................................................247
What Is a Hash?.....................................................................................................249
Hashing Algorithms...............................................................................................249
Windows Hashing Methods...................................................................................250
LAN Manager (LM)..............................................................................................250
NTLM/NTLM2....................................................................................................250
Kerberos.................................................................................................................250
Where Are LM/NTLM Hashes Located?...............................................................250
Dumping the Hashes.......................................................................................................251
Scenario 1—Remote Access....................................................................................251
Scenario 2—Local Access.......................................................................................251
Ophcrack................................................................................................................252
References........................................................................................................................253
Scenario 3—Offline System...................................................................................253
Ophcrack LiveCD..................................................................................................253
Bypassing the Log-In..............................................................................................253
References........................................................................................................................253
Cracking the Hashes........................................................................................................253
Bruteforce...............................................................................................................253
Dictionary Attacks................................................................................................ 254
Password Salts........................................................................................................ 254
Rainbow Tables..................................................................................................... 254
John the Ripper...............................................................................................................255
Cracking LM/NTLM Passwords with JTR............................................................255
Cracking Linux Passwords with JTR......................................................................256
Rainbow Crack................................................................................................................256
Sorting the Tables...................................................................................................257
Cracking the Hashes with rcrack............................................................................258
Speeding Up the Cracking Process.........................................................................258
Gaining Access to Remote Services........................................................................258
Enabling the Remote Desktop................................................................................259
Adding Users to the Remote Desktop.....................................................................259
Data Mining....................................................................................................................259
Gathering OS Information.................................................................................... 260
Harvesting Stored Credentials................................................................................261
Identifying and Exploiting Further Targets.................................................................... 262
Mapping the Internal Network.............................................................................. 263
Finding Network Information............................................................................... 264
Identifying Further Targets....................................................................................265
Pivoting................................................................................................................. 266
Scanning Ports and Services and Detecting OS......................................................267
Compromising Other Hosts on the Network Having the Same Password............. 268
psexec............................................................................................................................. 269
Exploiting Targets...................................................................................................270
Conclusion.......................................................................................................................270
10 Windows Exploit Development Basics
Prerequisites.....................................................................................................................271
What Is a Buffer Overflow?.............................................................................................271
Vulnerable Application................................................................................................... 272
How to Find Buffer Overflows........................................................................................ 273
Methodology.................................................................................................................. 273
Getting the Software Up and Running........................................................................... 273
Causing the Application to Crash................................................................................... 273
Skeleton Exploit...............................................................................................................275
Determining the Offset......................................................................................... 278
Identifying Bad Characters.................................................................................... 280
Figuring Out Bad Characters with Mona........................................................................281
Overwriting the Return Address............................................................................ 283
NOP Sledges......................................................................................................... 285
Generating the ShellCode...................................................................................... 286
Generating Metasploit Module....................................................................................... 287
Porting to Metasploit...................................................................................................... 288
Conclusion...................................................................................................................... 290
Further Resources........................................................................................................... 290
11 Wireless Hacking
Introduction....................................................................................................................291
Requirements...................................................................................................................291
Introducing Aircrack-ng...................................................................................................293
Uncovering Hidden SSIDs..............................................................................................293
Turning on the Monitor Mode....................................................................................... 294
Monitoring Beacon Frames on Wireshark...................................................................... 294
Monitoring with Airodump-ng....................................................................................... 295
Speeding Up the Process................................................................................................. 296
Bypassing MAC Filters on Wireless Networks....................................................... 296
Cracking a WEP Wireless Network with Aircrack-ng........................................... 298
Placing Your Wireless Adapter in Monitor Mode............................................................ 298
Determining the Target with Airodump-ng................................................................... 299
Attacking the Target.............................................................................................. 299
Speeding Up the Cracking Process........................................................................ 300
Injecting ARP Packets........................................................................................... 300
Cracking the WEP.................................................................................................301
Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng...................................... 302
Capturing Packets........................................................................................................... 303
Capturing the Four-Way Handshake.............................................................................. 303
Cracking WPA/WAP2................................................................................................... 304
Using Reaver to Crack WPS-Enabled Wireless Networks..................................... 305
Reducing the Delay........................................................................................................ 306
Further Reading............................................................................................................. 306
Setting Up a Fake Access Point with SET to PWN Users...................................... 306
Attack Scenario............................................................................................................... 309
Evil Twin Attack.....................................................................................................310
Scanning the Neighbors...................................................................................................311
Spoofing the MAC..........................................................................................................311
Setting Up a Fake Access Point........................................................................................311
Causing Denial of Service on the Original AP.................................................................311
Conclusion.......................................................................................................................312
12 Web Hacking
Attacking the Authentication...........................................................................................313
Username Enumeration..........................................................................................314
Invalid Username with Invalid Password................................................................314
Valid Username with Invalid Password...................................................................314
Enabling Browser Cache to Store Passwords...........................................................314
Brute Force and Dictionary Attacks................................................................................. 315
Types of Authentication................................................................................................... 315
HTTP Basic Authentication................................................................................... 315
HTTP-Digest Authentication.................................................................................316
Form-Based Authentication....................................................................................317
Exploiting Password Reset Feature.........................................................................319
Etsy.com Password Reset Vulnerability............................................................................319
Attacking Form-Based Authentication................................................................... 320
Brute Force Attack.......................................................................................................... 322
Attacking HTTP Basic Auth................................................................................. 323
Further Reading............................................................................................................. 326
Log-In Protection Mechanisms.............................................................................. 326
CAPTCHA Validation Flaw................................................................................. 326
CAPTCHA Reset Flaw......................................................................................... 328
Manipulating User-Agents to Bypass CAPTCHA and Other Protections..............329
Real-World Example.............................................................................................. 330
Authentication Bypass Attacks............................................................................... 330
Authentication Bypass Using SQL Injection.......................................................... 330
Testing for SQL Injection Auth Bypass...................................................................331
Authentication Bypass Using XPATH Injection.....................................................333
Testing for XPATH Injection........................................................................333
Authentication Bypass Using Response Tampering............................................... 334
Crawling Restricted Links.............................................................................................. 334
Testing for the Vulnerability............................................................................................335
Automating It with Burp Suite.............................................................................. 336
Authentication Bypass with Insecure Cookie Handling.................................................. 336
Session Attacks.......................................................................................................339
Guessing Weak Session ID.....................................................................................339
Session Fixation Attacks........................................................................................ 341
Requirements for This Attack......................................................................................... 342
How the Attack Works................................................................................................... 342
SQL Injection Attacks........................................................................................... 342
What Is an SQL Injection?.................................................................................... 342
Types of SQL Injection.......................................................................................... 342
Union-Based SQL Injection......................................................................... 343
Error-Based SQL Injection........................................................................... 343
Blind SQL Injection..................................................................................... 343
Detecting SQL Injection....................................................................................... 343
Determining the Injection Type............................................................................ 343
Union-Based SQL Injection (MySQL).................................................................. 344
Testing for SQL Injection............................................................................................... 344
Determining the Number of Columns...................................................................345
Determining the Vulnerable Columns................................................................... 346
Fingerprinting the Database.................................................................................. 347
Enumeration Information...................................................................................... 347
Information_schema.............................................................................................. 348
Information_schema Tables................................................................................... 348
Enumerating All Available Databases.................................................................... 348
Enumerating All Available Tables in the Database................................................. 349
Extracting Columns from Tables........................................................................... 349
Extracting Data from Columns..............................................................................350
Using group _ concat......................................................................................350
MySQL Version ≤ 5................................................................................................351
Guessing Table Names.....................................................................................................351
Guessing Columns.................................................................................................352
SQL Injection to Remote Command Execution.....................................................352
Reading Files...................................................................................................................353
Writing Files....................................................................................................................353
Blind SQL Injection...............................................................................................355
Boolean-Based SQLi......................................................................................355
True Statement.......................................................................................................355
False Statement.......................................................................................................356
Enumerating the DB User......................................................................................356
Enumerating the MYSQL Version..........................................................................358
Guessing Tables......................................................................................................358
Guessing Columns in the Table..............................................................................359
Extracting Data from Columns............................................................................. 360
Time-Based SQL Injection.....................................................................................361
Vulnerable Application....................................................................................................361
Testing for Time-Based SQL Injection........................................................................... 362
Enumerating the DB User..................................................................................... 362
Guessing the Table Names..................................................................................... 363
Guessing the Columns........................................................................................... 364
Extracting Data from Columns..............................................................................365
Automating SQL Injections with Sqlmap.............................................................. 366
Enumerating Databases..........................................................................................367
Enumerating Tables................................................................................................367
Enumerating the Columns.....................................................................................367
Extracting Data from the Columns....................................................................... 368
HTTP Header–Based SQL Injection.................................................................... 368
Operating System Takeover with Sqlmap.............................................................. 369
OS-CMD......................................................................................................................... 369
OS-SHELL..................................................................................................................... 369
OS-PWN..........................................................................................................................370
XSS (Cross-Site Scripting)...............................................................................................371
How to Identify XSS Vulnerability..................................................................................371
Types of Cross-Site Scripting...........................................................................................371
Reflected/Nonpersistent XSS...........................................................................................372
Vulnerable Code.....................................................................................................372
Medium Security.............................................................................................................373
Vulnerable Code.....................................................................................................373
High Security..................................................................................................................373
Bypassing htmlspecialchars.....................................................................................374
UTF-32 XSS Trick: Bypass 1...........................................................................................375
Svg Craziness: Bypass 2....................................................................................................375
Bypass 3: href Attribute...................................................................................................376
Stored XSS/Persistent XSS.............................................................................................. 377
Payloads.......................................................................................................................... 377
Blind XSS........................................................................................................................378
DOM-Based XSS............................................................................................................378
Detecting DOM-Based XSS...................................................................................378
Sources (Inputs).............................................................................................378
Sinks (Creating/Modifying HTML Elements)..............................................378
Static JS Analysis to Identify DOM-Based XSS..................................................... 384
How Does It Work?................................................................................................385
Setting Up JSPRIME.............................................................................................385
Dominator: Dynamic Taint Analysis.............................................................................. 390
POC for Internet Explorer.............................................................................................. 394
POC for Chrome............................................................................................................ 394
Pros/Cons........................................................................................................................395
Cross Browser DOM XSS Detection...............................................................................395
Types of DOM-Based XSS............................................................................................. 397
Reflected DOM XSS............................................................................................. 397
Stored DOM XSS.................................................................................................. 397
Exploiting XSS...................................................................................................... 399
Cookie Stealing with XSS...................................................................................... 399
Exploiting XSS for Conducting Phishing Attacks.................................................. 402
Compromising Victim’s Browser with XSS............................................................ 404
Exploiting XSS with BeEF.............................................................................................. 405
Setting Up BeEF on BackTrack...................................................................................... 405
Demo Pages.................................................................................................................... 408
BeEF Modules....................................................................................................... 409
Module: Replace HREFs.............................................................................. 409
Module: Getcookie....................................................................................... 409
Module: Tabnabbing.....................................................................................410
BeEF in Action.......................................................................................................412
Cross-Site Request Forgery (CSRF).................................................................................413
Why Does a CSRF Attack Work?....................................................................................413
How to Attack.................................................................................................................413
GET-Based CSRF............................................................................................................414
POST-Based CSRF..........................................................................................................414
CSRF Protection Techniques...........................................................................................415
Referrer-Based Checking.................................................................................................415
Anti-CSRF Tokens..........................................................................................................415
Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm........................................416
Tokens Not Validated upon Server..................................................................................416
Analyzing Weak Anti-CSRF Token Strength..................................................................417
Bypassing CSRF with XSS..............................................................................................419
File Upload Vulnerabilities.....................................................................................421
Bypassing Client Side Restrictions......................................................................... 423
Bypassing MIME-Type Validation........................................................................ 423
Real-World Example....................................................................................................... 425
Bypassing Blacklist-Based Protections................................................................... 425
Case 1: Blocking Malicious Extensions.................................................................. 425
Bypass.......................................................................................................... 426
Case 2: Case-Sensitive Bypass................................................................................ 426
Bypass.......................................................................................................... 426
Real-World Example....................................................................................................... 426
Vulnerable Code.................................................................................................... 426
Case 3: When All Dangerous Extensions Are Blocked.......................................... 426
XSS via File Upload...................................................................................... 427
Flash-Based XSS via File Upload.................................................................. 428
Case 4: Double Extensions Vulnerabilities............................................................. 429
Apache Double Extension Issues................................................................... 429
IIS 6 Double Extension Issues...................................................................... 429
Case 5: Using Trailing Dots.................................................................................. 429
Case 6: Null Byte Trick......................................................................................... 429
Case 7: Bypassing Image Validation....................................................................... 429
Case 8: Overwriting Critical Files.......................................................................... 430
Real-World Example........................................................................................................431
File Inclusion Vulnerabilities............................................................................................431
Remote File Inclusion..................................................................................................... 432
Patching File Inclusions on the Server Side..................................................................... 433
Local File Inclusion............................................................................................... 433
Linux..................................................................................................................... 434
Windows............................................................................................................... 434
LFI Exploitation Using /proc/self/environ.............................................................. 434
Log File Injection.................................................................................................. 436
Finding Log Files: Other Tricks............................................................................. 440
Exploiting LFI Using PHP Input........................................................................... 440
Exploiting LFI Using File Uploads........................................................................ 441
Read Source Code via LFI..................................................................................... 442
Local File Disclosure Vulnerability........................................................................ 443
Vulnerable Code........................................................................................... 443
Local File Disclosure Tricks................................................................................... 445
Remote Command Execution............................................................................... 446
Uploading Shells.................................................................................................... 448
Server Side Include Injection..................................................................................452
Testing a Website for SSI Injection..................................................................................452
Executing System Commands.........................................................................................453
Spawning a Shell..............................................................................................................453
SSRF Attacks...................................................................................................................454
Impact.............................................................................................................................455
Example of a Vulnerable PHP Code.......................................................................456
Remote SSRF.........................................................................................................457
Simple SSRF..................................................................................................457
Partial SSRF..................................................................................................458
Denial of Service............................................................................................................. 463
Denial of Service Using External Entity Expansion (XEE).................................... 463
Full SSRF.............................................................................................................. 464
dict://............................................................................................................ 464
gopher://........................................................................................................465
http://............................................................................................................465
Causing the Crash................................................................................................. 466
Overwriting Return Address........................................................................................... 467
Generating Shellcode...................................................................................................... 467
Server Hacking............................................................................................................... 469
Apache Server..................................................................................................................470
Testing for Disabled Functions...............................................................................470
Open _ basedir Misconfiguration....................................................................472
Using CURL to Bypass Open _ basedir Restrictions.......................................474
Open _ basedir PHP 5.2.9 Bypass...................................................................475
Reference.........................................................................................................................476
Bypassing open _ basedir Using CGI Shell.....................................................476
Bypassing open _ basedir Using Mod _ Perl, Mod _ Python............... 477
Escalating Privileges Using Local Root Exploits............................................................. 477
Back Connecting............................................................................................................ 477
Finding the Local Root Exploit.......................................................................................478
Usage...............................................................................................................................478
Finding a Writable Directory...........................................................................................479
Bypassing Symlinks to Read Configuration Files............................................................ 480
Who Is Affected?.............................................................................................................481
Basic Syntax.....................................................................................................................481
Why This Works.................................................................................................... 482
Symlink Bypass: Example 1................................................................................... 482
Finding the Username........................................................................................... 482
/etc/passwd File..................................................................................... 483
/etc/valiases File................................................................................. 483
Path Disclosure............................................................................................. 483
Uploading .htaccess to Follow Symlinks................................................................ 484
Symlinking the Configuration Files....................................................................... 484
Connecting to and Manipulating the Database.............................................................. 485
Updating the Password................................................................................................... 486
Symlink the Root Directory.................................................................................. 486
Example 3: Compromising WHMCS Server......................................................... 487
Finding a WHMCS Server............................................................................................. 487
Symlinking the Configuration File................................................................................. 488
WHMCS Killer..................................................................................................... 488
Disabling Security Mechanisms............................................................................. 490
Disabling Mod _ Security............................................................................... 490
Disabling Open _ basedir and Safe _ mode............................................ 490
Using CGI, PERL, or Python Shell to Bypass Symlinks.........................................491
Conclusion.......................................................................................................................491

Bookscreen
e-books shop

Preface
Ethical hacking strikes all of us as a subject that requires a great deal of prerequisite knowledge
about things like heavy duty software, languages that includes hordes of syntaxes, algorithms
that could be generated by maestros only. Well that’s not the case, to some extent. This book
introduces the steps required to complete a penetration test, or ethical hack. Requiring no prior
hacking experience, the book explains how to utilize and interpret the results of modern day
hacking tools that are required to complete a penetration test. Coverage includes Backtrack Linux,
Google Reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn,
Netcat, and Hacker Defender rootkit. Simple explanations of how to use these tools and a fourstep
methodology for conducting a penetration test provide readers with a better understanding
of offensive security.

Being an ethical hacker myself, I know how difficult it is for people who are new into hacking
to excel at this skill without having any prior knowledge and understanding of how things work.
Keeping this exigent thing in mind, I have provided those who are keen to learn ethical hacking
with the best possible explanations in the most easy and understandable manner so that they will
not only gain pleasure while reading, but they will have the urge to put into practice what have
they learned from it.

The sole aim and objective of writing this book is to target the beginners who look for a complete
guide to turn their dream of becoming an ethical hacker into a reality. This book elucidates
the building blocks of ethical hacking that will help readers to develop an insight of the matter in
hand. It will help them fathom what ethical hacking is all about and how one can actually run a
penetration test with great success.

I have put in a lot of hard work to make this book a success. I remember spending hours and
hours in front of my computer typing indefatigably, ignoring all the text messages of my friends
when they asked me to come along and spend some time with them, which left me despondent,
but now, when I see my book finally completed, it gives me immense pleasure that the efforts of a
whole year have finally paid off.

This book came out as a result of my own experiences during my ethical hacking journey.
Experiences that are worth sharing with all the passionate people out there.
It makes me elated to the core when I see my third book on the subject of hacking published,
and I hope and pray that everyone likes it.
Best of luck to everyone out there.
Rafay Baloch
Loading...
DMCA.com Protection Status