The Art and Science of Hacking Any Organization

Tyler Wrightson

Chapter 1 Introduction
Chapter 2 Empirical Data
Chapter 3 APT Hacker Methodology
Chapter 4 An APT Approach to Reconnaissance
Chapter 5 Reconnaissance: Nontechnical Data
Chapter 6 Spear Social Engineering
Chapter 7 Phase III: Remote Targeting
Chapter 8 Spear Phishing with Hardware Trojans
Chapter 9 Physical Infiltration
Chapter 10 APT Software Backdoors
Index

e-books shop




Book Details
Price: 2.00 USD
Pages: 434 p
File Size: 10,835 KB
File Type: PDF format
ISBN: 978-0-07-182837-6
Copyright: 2015 by McGraw-Hill Education

About the Author
Tyler Wrightson is the author of Advanced Persistent Threats as well as Wireless Network
Security: A Beginner’s Guide. Tyler is the founder and president of Leet Systems, which provides
offensive security services such as penetration testing and red teaming to secure organizations against
real-world attackers. Tyler has over 13 years’ experience in the IT security field, with extensive
experience in all forms of offensive security and penetration testing. He holds industry certifications
for CISSP, CCSP, CCNA, CCDA, and MCSE. Tyler has also taught classes for CCNA certification,
wireless security, and network security. He has been a frequent speaker at industry conferences,
including Derbycon, BSides, Rochester Security Summit, NYS Cyber Security Conference, ISACA,
ISSA, and others. Follow his security blog at http://blog.leetsys.com.

About the Technical Editors
Reg Harnish is an entrepreneur, speaker, security specialist, and the chief security strategist for
GreyCastle Security. Reg has nearly 15 years of security experience, specializing in security
solutions for financial services, healthcare, higher education, and other industries. His security
expertise ranges from risk management, incident response, and regulatory compliance to network,
application, and physical security. Reg brings a unique, thought-provoking perspective to his work,
and he strives to promote awareness, establish security fundamentals, and reduce risk for GreyCastle
Security clients.
Reg attended Rensselaer Polytechnic Institute in Troy, New York, and has achieved numerous
security and industry certifications. He is a Certified Information Systems Security Professional
(CISSP), a Certified Information Security Manager (CISM), and a Certified Information Systems
Auditor (CISA). In addition, Reg is certified in Information Technology Infrastructure Library (ITIL)
Service Essentials. He is a member of InfraGard, the Information Systems Audit and Control
Association (ISACA), and the Information Systems Security Association (ISSA). In addition to deep
expertise in information security, Reg has achieved numerous physical security certifications,
including firearms instruction, range safety, and personal protection.
Reg is a frequent speaker and has presented at prominent events, including US Cyber Crime,
Symantec Vision, ISACA, ISSA, InfraGard, and more. His successes have been featured in several
leading industry journals, including Software Magazine, ComputerWorld, and InfoWorld.
Comrade has been in information security since the early 2000s. Comrade holds several industry
certifications, but believes the only one that really means anything in regard to this book is the OSCP
certification by the Offensive Security team. He currently performs penetration testing against all
attack vectors, network, application, physical, social, etc., for clients in all verticals, including many
Fortune 500 companies.


Acknowledgments
There are so many people I want to acknowledge and thank—whether you have helped me directly
with this book or are just a good friend, I’m glad to have you all share this with me. First, I have to
thank Erin. I love you so much, thank you for all of your unending support. I have to thank my mother
for being a great mother, a wonderful person and woman, super supportive and loving, always
understanding, and the best mom ever. I want to thank my stepfather for providing good stories, a
level head, and plenty of cognac to a much-younger Tyler.
I want to thank my father for being a great father, a role-model gentleman, and the best daddio
ever. Thank you to my future stepmother for making my dad very happy and being a genuinely great
person.
Thank you to Raeby for being the best little big sister, (usually) level headed, but always loving
and a little rock in my memory. Thank you to Donby for the endless artistic support, being a great
brother-in-law, and providing us with the best niece in the world.
Jenners, for always being excited and supportive, and the best little sister. Corby, for being a good
and kind person and a great brother. Bren, for being a little punk, but a good person and a great
brother. I love you all.
Thank you to all my friends who I couldn’t hang out with on more than a few occasions.
Thank you, Reg, for all of the help to make this book what I wanted it to be and all the fun and
education working together. I really did learn a lot working with you. Thank you, Stamas, for all the
good times, being a great teammate, and being a really sweet guy no matter how much you try to hide
it. We’ll definitely work together in the future.
Thank you, Steve and Bob, for being a huge help in so many different ways. I really can’t thank you
enough. You’ve gone well beyond what was necessary so many times, and it’s been really awesome
working with you.
I have to thank Stacks Espresso for not only providing a great place to do an absurd amount of the
writing for this book, but also providing the necessary caffeine to do it. Thank you to my new team at
Stacks: Ron, Lacy, Kevin, Jess, Jammella and John for being awesome and making this a really
enjoyable experience.
Thank you, Elo, for all the direct and indirect help. I’m so glad the fear of losing a vital organ
didn’t stop us from becoming friends. It’s been awesome sharing this love for hacking and this
awesome security journey with you. I love you no matter how much of a pain in the ass you are.
Last but absolutely not least, I have to thank everyone at McGraw-Hill Education who helped
make this book. Amy Jollymore, for seeing the vision and concept very early on. Brandi Shailer, for
truly helping me through so many issues and deadlines; many, many phone calls; and an absurd amount
of e-mails. Amanda Russell, for all your help and support. Thank you all so much.

Table of Contents
Acknowledgments
Introduction
Chapter 1 Introduction
Defining the Threat
Threats
Attacker Motives
Threat Capabilities
Threat Class
Threat History
APT Hacker: The New Black
Targeted Organizations
Constructs of Our Demise
The Impact of Our Youth
The Economics of (In)security
Psychology of (In)security
The Big Picture
The Vulnerability of Complexity
All Together Now
The Future of Our World
Don’t Forget
Chapter 2 Empirical Data
The Problem with Our Data Set
Threat Examples
Techno-Criminals Skimmer Evolution
Techno-Criminals: Hacking Power Systems
Unsophisticated Threat: Hollywood Hacker
Unsophisticated Threat: Neighbor from Hell
Smart Persistent Threats: Kevin Mitnick
APT: Nation-States
Stuxnet and Operation Olympic Games
Duqu: The APT Reconnaissance Worm
Flame: APT Cyber-espionage Worm
APT: RSA Compromise
APT Nation-State: Iran Spying on Citizens
Cell Phone Spying: Carrier IQ
Don’t Forget
Chapter 3 APT Hacker Methodology
AHM: Strong Enough for Penetration Testers, Made for a Hacker
AHM Components (Requirements, Skills, Soft Skills)
Elegant, Big-Picture Thinkers
Advanced: Echelons of Skill
Preparation
Patience
Social Omniscience
Always Target the Weakest Link
Efficacious, Not Elite
Exploitless Exploits
The Value of Information
APT Hacker’s Thought Process
Think Outside the Box
A Side Note
A Vaudeville Story
Look for Misdirection
Think Through the Pain
Avoid Tunnel Vision
No Rules
Keep It Simple, Stupid (KISS)
Quote
APT Hacking Core Steps
Reconnaissance
Enumeration
Exploitation
Maintaining Access
Clean Up
Progression
Exfiltration
APT Hacker Attack Phases
APT Hacker Foundational Tools
Anonymous Purchasing
Anonymous Internet Activity
Anonymous Phone Calls
APT Hacker Terms
Don’t Forget
Chapter 4 An APT Approach to Reconnaissance
Reconnaissance Data
Data Categories (Technical and Nontechnical)
Data Sources (Cyber and Physical)
Data Methods (Active and Passive)
Technical Data
Registrant Information
DNS Information and Records
DNS Zones
Border Gateway Protocol: An Overview
System and Service Identification
Web Service Enumeration
Large Data Sets
Geolocation Information
Data from the Phone System
Don’t Forget
Chapter 5 Reconnaissance: Nontechnical Data
Search Engine Terms and Tips
Search Engine Commands
Search Engine Scripting
Search Engine Alerts
HUMINT: Personnel
Personnel Directory Harvesting
Directory Harvesting: HTTP Requests
Directory Harvesting: Stateful HTTP
Analyzing Results
Directory Harvesting HTML Tables
Personnel Directory: Analyzing the Final Results
E-mail Harvesting
Technical E-mail Harvesting
Nontechnical E-mail Harvesting
Geographical Data
Reconnaissance on Individuals
Nontraditional Information Repositories
Automated Individual Reconnaissance
Our Current View
Don’t Forget
Chapter 6 Spear Social Engineering
Social Engineering
Social Engineering Strategies
Assumptions
Do What Works for You
Preparation
Legitimacy Triggers
Keep It Simple, Stupid
Don’t Get Caught
Don’t Lie
Be Congruent
Social Engineering Tactics
Like Likes Like
Personality Types
Events
Tell Me What I Know
Insider Information
Name Dropping
The Right Tactic
Why Don’t You Make Me?
Spear-Phishing Methods
Spear-Phishing Goals
Technical Spear-Phishing Exploitation Tactics
Building the Story
Phishing Website Tactics
Phishing Website: Back-End Functionality
Client-Side Exploits
Custom Trojan Backdoor
Don’t Forget
Chapter 7 Phase III: Remote Targeting
Remote Presence Reconnaissance
Social Spear Phishing
Wireless Phases
APT Wireless Tools
Wireless Reconnaissance
Active Wireless Attacks
Client Hacking: APT Access Point
Getting Clients to Connect
Attacking WPA-Enterprise Clients
Access Point Component Attacks
Access Point Core Attack Config
Access Point Logging Configuration
Access Point Protocol Manipulation
Access Point Fake Servers
Don’t Forget
Chapter 8 Spear Phishing with Hardware Trojans
Phase IV Spear Phishing with Hardware Trojans
Hardware Delivery Methods
Hardware Trojans: The APT Gift
APT Wakizashi Phone
Trojaned Hardware Devices
Hardware Device Trojans with Teensy
Don’t Forget
Chapter 9 Physical Infiltration
Phase V Physical Infiltration
APT Team Super Friends
It’s Official – Size Matters
Facility Reconnaissance Tactics
Example Target Facility Types
Headquarters
Choosing Facility Asset Targets
Physical Security Control Primer
Physical Infiltration Factors
Physical Security Concentric Circles
Physical Social Engineering
Physical Social Engineering Foundations
Physical Congruence
Body Language
Defeating Physical Security Controls
Preventative Physical Controls
Detective Physical Controls
Hacking Home Security
Hacking Hotel Security
Hacking Car Security
Intermediate Asset and Lily Pad Decisions
Plant Device
Steal Asset
Take and Return Asset
Backdoor Asset
Don’t Forget
Chapter 10 APT Software Backdoors
Software Backdoor Goals
APT Backdoor: Target Data
APT Backdoors: Necessary Functions
Rootkit Functionality
Know Thy Enemy
Thy Enemies’ Actions
Responding to Thy Enemy
Network Stealth Configurations
Deployment Scenarios
American Backdoor: An APT Hacker’s Novel
Backdoor Droppers
Backdoor Extensibility
Backdoor Command and Control
Backdoor Installer
Backdoor: Interactive Control
Data Collection
Backdoor Watchdog
Backdooring Legitimate Software
Don’t Forget
Index


Introduction
Writing this book was a far more difficult task than I realized when I first set out.
This book has actually been well over a decade in the making.
What started as a simple thought experiment, to determine how I might be able to hack into any organization, turned over the years into more of an obsession.
Finally, after many years of penetration testing, I felt that not only did I have a solid game plan to
successfully hack even the most secure organizations, but I also had plenty of firsthand experience that
gave me my own unique perspective.

Why This Book?
This book was written with one crystallized purpose: to prove that regardless of the defenses in place,
any organization can have its most valuable assets stolen, due to the complete immersion of
technology in our world. The truly alarming fact is that not only is this possible, but it is probably
far easier than most people realize.

Who Should Read This Book?
This book was originally written for anyone tasked with ensuring the security of their organization,
from the CSO to junior systems administrators. However, much of the book will provide enlightening
information for anyone even remotely interested in security.
The people who will most likely gain the most from this book are the foot soldiers who must make
tactical security decisions every day. People like penetration testers, systems administrators, network
engineers, even physical security personnel will find this book particularly helpful. However, even
security managers and C-level personnel will find much of this information enlightening.

What This Book Covers
This book starts out at a very high level and quickly gets into the nitty-gritty of attacking an
organization and exploiting specific vulnerabilities. These examples are meant to be actionable,
hands-on examples that you can test yourself. However, it’s critical to understand that in no way
should this book be considered to contain every detail that is necessary to hack any organization.
Hopefully, every reader understands that to contain every detail, this book would quickly reach a size
that would not fit on any bookshelf. Instead, in an attempt to find balance, many things that are
believed to have been covered adequately by other books or that are assumed to be known by a
reader with a moderate understanding of hacking have been left out of this book.

In an attempt to give the most real, unabashed, and meaningful perspective, there has been no
tiptoeing around sensitive subjects, and nothing has been held from this book for fear of being too
controversial. This book has been written from the perspective of a criminal, with no other goal than
to take your organization’s most meaningful assets by any means necessary (aside from violence).
It is only with this perspective that we can meet Sun Tzu’s tenet of knowing thy enemy, and only with
that perspective can we begin to adequately defend against these types of threats.

It is also important to understand the difference between the typical use of the word APT and the
meaning in this book. In this book, I attempt to commandeer the term APT to define a new type of
hacker able to infiltrate any organization despite a very small budget and surprisingly with very
accessible skills. As always with everything I do, there may be a small dash of tongue-in-cheek humor.

How Is This Book Organized?
In the first part, we stick to the high-level concepts that make every organization vulnerable. 
In Chapter 2, we discuss a few interesting real-world examples of both unsophisticated and
sophisticated threats.
In Chapter 3, we discuss the methodology you must follow to become capable of hacking any
organization. This methodology includes a few hard-set technical skills that you must obtain;
however, it is primarily dominated by the correct system and mental constructs necessary to hack any
organization.
Chapters 4 and 5 dive into the first tactical steps in the methodology and cover in detail the
technical and nontechnical types of data you should attempt to obtain about your target through active
and passive reconnaissance.
Chapter 6 begins with an in-depth discussion of strategic and tactical components of effective
social engineering. This is followed by tactical examples of spear phishing a target through remote
technical means such as e-mail and building effective phishing websites.
Chapter 7 moves on to targeting remote users at their homes and other locations. This chapter
focuses primarily on exploiting wireless vulnerabilities that can allow us to easily and anonymously
exploit these users. This includes targeting wireless networks and vulnerabilities, as well as creating
the most effective rogue access points and exploiting wireless clients and communications.
Chapter 8 demonstrates how to create and use traditional audio, video, and GPS bugs to monitor
key locations and individuals. This is followed by details on how to create and program next-generation
hardware-based backdoors such as the Teensy device, as well as backdoored hardware
such as laptops and smart phones.
Chapter 9 goes in depth into circumventing many of the most common physical security controls
and physically infiltrating target locations. Copious examples and usable tools and techniques are
covered in detail.
Finally, Chapter 10 closes with a discussion of the types of software backdoors that can be used
throughout all of the previous attack phases to maximize the effectiveness of any attack. This includes
code examples as well as functionality that may seem somewhat low tech but will provide great results.

RAFAY BALOCH





Book Details
Price: 3.50 USD
Pages: 523 p
File Size: 22,976 KB
File Type: PDF format
ISBN: 978-1-4822-3162-5 (eBook - PDF)
Copyright: 2015 by Taylor & Francis Group, LLC

About the Author
Rafay Baloch is the founder/CEO of RHA InfoSec. He runs one of the top security blogs in
Pakistan with more than 25,000 subscribers (http://rafayhackingarticles.net). He has participated
in various bug bounty programs and has helped several major Internet corporations such
as Google, Facebook, Twitter, Yahoo!, eBay, etc., to improve their Internet security. Rafay was
successful in finding a remote code execution vulnerability along with several other high-risk
vulnerabilities inside PayPal, for which he was awarded a huge sum of money as well as an offer
to work for PayPal. His major areas of research interest are in network security, bypassing modern
security defenses such as WAFs, DOM-based XSS, and other HTML 5–based attack vectors.
Rafay holds CPTE, CPTC, CSWAE, CVA, CSS, OSCP, CCNA R & S, CCNP Route, and
eWAPT certifications.

Acknowledgments
I am eternally indebted to the editor, Rich O’Hanley, for his encouragement and continuous support
and my dear friend Prakhar Prasad for his help at various stages of this book.
I also thank Mohammed Ramadan for his help and support and Soroush Dallili for his ideas
with file upload tricks. Many thanks to my friends Alex Infuhr and Giuseppe Trotta for their
help with various sections of the “Web Hacking” chapter, Shahmeer Amir for his help with the
“Wireless Hacking” chapter, and Tehseen Javed for his help with the “Linux Basics” chapter.
I also thank my mentors Prof. Asim Rizvi, David Vieira-Kurz, and Ziaullah Mirza, and last but not
least, I thank the following key persons: Mario Heiderich, Deepankar Arora, Nir Goldshlager, Britto
Fleming Joe, Nishant Das Patnaik, Pepe Vila, Ray Friedman, Armando Romeo, Tyler Borland,
Zeeshan Haider, Nehal Hussain, Rafael Souza, and Fatima Hanif.
I also thank my family members and relatives for always being supportive.

Table of Contents
Preface
Acknowledgments
Author
1 Introduction to Hacking
Important Terminologies
Asset
Vulnerability
Threat
Exploit
Risk
What Is a Penetration Test?
Vulnerability Assessments versus Penetration Test
Preengagement
Rules of Engagement
Milestones
Penetration Testing Methodologies
OSSTMM
NIST
OWASP
Categories of Penetration Test
Black Box
White Box
Gray Box
Types of Penetration Tests
Network Penetration Test
Web Application Penetration Test
Mobile Application Penetration Test
Social Engineering Penetration Test
Physical Penetration Test
Report Writing
Understanding the Audience
Executive Class
Management Class
Technical Class
Writing Reports
Structure of a Penetration Testing Report
Cover Page
Table of Contents
Executive Summary
Remediation Report
Vulnerability Assessment Summary
Tabular Summary
Risk Assessment
Risk Assessment Matrix
Methodology
Detailed Findings
Description
Explanation
Risk
Recommendation
Reports
Conclusion
2 Linux Basics
Major Linux Operating Systems
File Structure inside of Linux
File Permission in Linux
Group Permission
Linux Advance/Special Permission
Link Permission
Suid & Guid Permission
Stickybit Permission
Chatter Permission
Most Common and Important Commands
Linux Scheduler (Cron Job)
Cron Permission
Cron Permission
Cron Files
Users inside of Linux
Linux Services
Linux Password Storage
Linux Logging
Common Applications of Linux
What Is BackTrack?
How to Get BackTrack 5 Running
Installing BackTrack on Virtual Box
Installing BackTrack on a Portable USB
Installing BackTrack on Your Hard Drive
BackTrack Basics
Changing the Default Screen Resolution
Some Unforgettable Basics
Changing the Password
Clearing the Screen
Listing the Contents of a Directory
Displaying Contents of a Specific Directory
Displaying the Contents of a File
Creating a Directory
Changing the Directories
Windows
Linux
Creating a Text File
Copying a File
Current Working Directory
Renaming a File
Moving a File
Removing a File
Locating Certain Files inside BackTrack
Text Editors inside BackTrack
Getting to Know Your Network
Dhclient
Services
MySQL
SSHD
Postgresql
Other Online Resources
3 Information Gathering Techniques
Active Information Gathering
Passive Information Gathering
Sources of Information Gathering
Copying Websites Locally
Information Gathering with Whois
Finding Other Websites Hosted on the Same Server
Yougetsignal.com
Tracing the Location
Traceroute
ICMP Traceroute
TCP Traceroute
Usage
UDP Traceroute
Usage
NeoTrace
Cheops-ng
Enumerating and Fingerprinting the Webservers
Intercepting a Response
Acunetix Vulnerability Scanner
WhatWeb
Netcraft
Google Hacking...................................................................................................... 63
Some Basic Parameters...................................................................................................... 64
Site........................................................................................................................... 64
Example............................................................................................................................ 64
TIP regarding Filetype......................................................................................................65
Google Hacking Database....................................................................................... 66
Hackersforcharity.org/ghdb...............................................................................................67
Xcode Exploit Scanner.......................................................................................................67
File Analysis............................................................................................................. 68
Foca......................................................................................................................... 68
Harvesting E-Mail Lists.......................................................................................... 69
Gathering Wordlist from a Target Website.............................................................. 71
Scanning for Subdomains........................................................................................ 71
TheHarvester........................................................................................................... 72
Fierce in BackTrack................................................................................................. 72
Scanning for SSL Version.........................................................................................74
DNS Enumeration................................................................................................... 75
Interacting with DNS Servers........................................................................................... 75
Nslookup...........................................................................................................................76
DIG...................................................................................................................................76
Forward DNS Lookup............................................................................................. 77
Forward DNS Lookup with Fierce.................................................................................... 77
Reverse DNS........................................................................................................... 78
Reverse DNS Lookup with Dig............................................................................... 78
Reverse DNS Lookup with Fierce..................................................................................... 78
Zone Transfers......................................................................................................... 79
Zone Transfer with Host Command................................................................................ 79
Automating Zone Transfers.............................................................................................. 80
DNS Cache Snooping.............................................................................................. 80
What Is DNS Cache Snooping?.........................................................................................81
Nonrecursive Method...............................................................................................81
Recursive Method.................................................................................................... 82
What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?........ 83
Attack Scenario................................................................................................................. 84
Automating DNS Cache Snooping Attacks...................................................................... 84
Sniffing SNMP Passwords................................................................................................ 84
OneSixtyOne.....................................................................................................................85
Snmpenum........................................................................................................................85
SolarWinds Toolset............................................................................................................85
SNMP Sweep.................................................................................................................... 86
SNMP Brute Force and Dictionary.................................................................................. 86
SNMP Brute Force Tool................................................................................................... 86
SNMP Dictionary Attack Tool......................................................................................... 87
SMTP Enumeration......................................................................................................... 87
Detecting Load Balancers........................................................................................ 88
Load Balancer Detector........................................................................................... 89
Determining Real IP behind Load Balancers.......................................................... 89
Bypassing CloudFlare Protection............................................................................. 90
Method 1: Resolvers....................................................................................... 90
Method 2: Subdomain Trick.......................................................................... 92
Method 3: Mail Servers.................................................................................. 92
Intelligence Gathering Using Shodan............................................................................... 93
Further Reading............................................................................................................... 95
Conclusion........................................................................................................................ 95
4 Target Enumeration and Port Scanning Techniques
Host Discovery................................................................................................................. 97
Scanning for Open Ports and Services............................................................................ 100
Types of Port Scanning................................................................................................... 100
Understanding the TCP Three-Way Handshake..............................................................101
TCP Flags........................................................................................................................101
Port Status Types.............................................................................................................102
TCP SYN Scan................................................................................................................102
TCP Connect Scan..........................................................................................................103
NULL, FIN, and XMAS Scans.......................................................................................104
NULL Scan.....................................................................................................................104
FIN Scan.........................................................................................................................105
XMAS Scan.....................................................................................................................105
TCP ACK Scan...............................................................................................................105
Responses........................................................................................................................106
UDP Port Scan................................................................................................................106
Anonymous Scan Types...................................................................................................107
IDLE Scan.......................................................................................................................107
Scanning for a Vulnerable Host.......................................................................................107
Performing an IDLE Scan with NMAP..........................................................................109
TCP FTP Bounce Scan...................................................................................................109
Service Version Detection................................................................................................110
OS Fingerprinting........................................................................................................... 111
POF................................................................................................................................. 111
Output.............................................................................................................................112
Normal Format.......................................................................................................112
Grepable Format.....................................................................................................112
XML Format..........................................................................................................113
Advanced Firewall/IDS Evading Techniques...................................................................113
Timing Technique...........................................................................................................114
Wireshark Output...........................................................................................................114
Fragmented Packets......................................................................................................... 115
Wireshark Output........................................................................................................... 115
Source Port Scan.............................................................................................................. 115
Specifying an MTU.........................................................................................................116
Sending Bad Checksums.................................................................................................116
Decoys.............................................................................................................................117
ZENMAP.......................................................................................................................117
Further Reading..............................................................................................................119
5 Vulnerability Assessment
What Are Vulnerability Scanners and How Do They Work?...........................................121
Pros and Cons of a Vulnerability Scanner....................................................................... 122
Vulnerability Assessment with Nmap............................................................................. 122
Updating the Database................................................................................................... 122
Scanning MS08_067_netapi................................................................................ 123
Testing SCADA Environments with Nmap.................................................................... 123
Installation............................................................................................................ 124
Usage..................................................................................................................... 124
Nessus Vulnerability Scanner.......................................................................................... 124
Home Feed.............................................................................................................125
Professional Feed....................................................................................................125
Installing Nessus on BackTrack.......................................................................................125
Adding a User..................................................................................................................125
Nessus Control Panel............................................................................................. 126
Reports......................................................................................................... 126
Mobile.......................................................................................................... 126
Scan.............................................................................................. 127
Policies.......................................................................................................... 127
Users............................................................................................................. 127
Configuration............................................................................................... 127
Default Policies...................................................................................................... 127
Creating a New Policy.................................................................................................... 128
Safe Checks.................................................................................................................... 128
Silent Dependencies........................................................................................................ 128
Avoid Sequential Scans.......................................................................................... 128
Port Range.......................................................................................................................129
Credentials.............................................................................................................129
Plug-Ins..................................................................................................................129
Preferences...................................................................................................................... 130
Scanning the Target............................................................................................... 130
Nessus Integration with Metasploit..................................................................................132
Importing Nessus to Metasploit.......................................................................................132
Scanning the Target................................................................................................133
Reporting...............................................................................................................133
OpenVas.................................................................................................................133
Resource......................................................................................................................... 134
Vulnerability Data Resources................................................................................. 134
Exploit Databases...................................................................................................135
Using Exploit-db with BackTrack................................................................................... 136
Searching for Exploits inside BackTrack..........................................................................137
Conclusion.......................................................................................................................138
6 Network Sniffing
Introduction....................................................................................................................139
Types of Sniffing..............................................................................................................140
Active Sniffing........................................................................................................140
Passive Sniffing.......................................................................................................140
Hubs versus Switches.......................................................................................................140
Promiscuous versus Nonpromiscuous Mode....................................................................141
MITM Attacks................................................................................................................141
ARP Protocol Basics........................................................................................................142
How ARP Works.............................................................................................................142
ARP Attacks....................................................................................................................143
MAC Flooding.......................................................................................................143
Macof............................................................................................................143
ARP Poisoning.......................................................................................................144
Scenario—How It Works................................................................................................144
Denial of Service Attacks.................................................................................................144
Tools of the Trade............................................................................................................145
Dsniff.....................................................................................................................145
Using ARP Spoof to Perform MITM Attacks.................................................................145
Usage......................................................................................................................146
Sniffing the Traffic with Dsniff........................................................................................147
Sniffing Pictures with Driftnet.........................................................................147
Urlsnarf and Webspy.......................................................................................................148
Sniffing with Wireshark...................................................................................................149
Ettercap...........................................................................................................................150
ARP Poisoning with Ettercap..........................................................................................150
Hijacking Session with MITM Attack.............................................................................152
Attack Scenario................................................................................................................152
ARP Poisoning with Cain and Abel.................................................................................153
Sniffing Session Cookies with Wireshark.........................................................................155
Hijacking the Session.......................................................................................................156
SSL Strip: Stripping HTTPS Traffic................................................................................157
Requirements...................................................................................................................157
Usage......................................................................................................................158
Automating Man in the Middle Attacks..........................................................................158
Usage......................................................................................................................158
DNS Spoofing.................................................................................................................159
ARP Spoofing Attack.............................................................................................159
Manipulating the DNS Records.............................................................................160
Using Ettercap to Launch DNS Spoofing Attack....................................................160
DHCP Spoofing..............................................................................................................160
Conclusion.......................................................................................................................161
7 Remote Exploitation
Understanding Network Protocols...................................................................................163
Transmission Control Protocol...............................................................................164
User Datagram Protocol.........................................................................................164
Internet Control Messaging Protocol......................................................................164
Server Protocols...............................................................................................................164
Text-Based Protocols (Important)...........................................................................164
Binary Protocols.....................................................................................................164
FTP...............................................................................................................165
SMTP............................................................................................................165
HTTP...........................................................................................................165
Further Reading..............................................................................................................165
Resources.........................................................................................................................166
Attacking Network Remote Services................................................................................166
Overview of Brute Force Attacks............................................................................166
Traditional Brute Force.................................................................................166
Dictionary Attacks........................................................................................166
Hybrid Attacks..............................................................................................167
Common Target Protocols...............................................................................................167
Tools of the Trade............................................................................................................167
THC Hydra............................................................................................................167
Basic Syntax for Hydra....................................................................................................168
Cracking Services with Hydra................................................................................168
Hydra GUI......................................................................................................................170
Medusa...................................................................................................................170
Basic Syntax.....................................................................................................................170
OpenSSH Username Discovery Bug................................................................................170
Cracking SSH with Medusa............................................................................................171
Ncrack....................................................................................................................171
Basic Syntax.....................................................................................................................171
Cracking an RDP with Ncrack........................................................................................172
Case Study of a Morto Worm.................................................................................172
Combining Nmap and Ncrack for Optimal Results........................................................172
Attacking SMTP....................................................................................................173
Important Commands.....................................................................................................174
Real-Life Example...........................................................................................................174
Attacking SQL Servers.....................................................................................................175
MySQL Servers.......................................................................................................175
Fingerprinting MySQL Version.......................................................................................175
Testing for Weak Authentication.....................................................................................175
MS SQL Servers..............................................................................................................176
Fingerprinting the Version...............................................................................................177
Brute Forcing SA Account...............................................................................................177
Using Null Passwords......................................................................................................178
Introduction to Metasploit...............................................................................................178
History of Metasploit.......................................................................................................178
Metasploit Interfaces........................................................................................................178
MSFConsole....................................................................................................................178
MSFcli....................................................................................................................179
MSFGUI................................................................................................................179
Armitage.................................................................................................................179
Metasploit Utilities..........................................................................................................179
MSFPayload.....................................................................................................................179
MSFEncode.....................................................................................................................179
MSFVenom.....................................................................................................................179
Metasploit Basic Commands...........................................................................................180
Search Feature in Metasploit............................................................................................180
Use Command.................................................................................................................181
Info Command................................................................................................................181
Show Options..................................................................................................................181
Set/Unset Command.......................................................................................................182
Reconnaissance with Metasploit......................................................................................182
Port Scanning with Metasploit........................................................................................182
Metasploit Databases.......................................................................................................182
Storing Information from Nmap into Metasploit Database.............................................183
Useful Scans with Metasploit...........................................................................................184
Port Scanners..........................................................................................................184
Specific Scanners....................................................................................................184
Compromising a Windows Host with Metasploit............................................................184
Metasploit Autopwn........................................................................................................188
db_autopwn in Action..............................................................................188
Nessus and Autopwn.......................................................................................................189
Armitage.................................................................................................................189
Interface...........................................................................................................................190
Launching Armitage........................................................................................................190
Compromising Your First Target from Armitage.............................................................191
Enumerating and Fingerprinting the Target....................................................................191
MSF Scans.......................................................................................................................192
Importing Hosts..............................................................................................................192
Vulnerability Assessment.................................................................................................193
Exploitation.....................................................................................................................193
Check Feature..................................................................................................................195
Hail Mary........................................................................................................................196
Conclusion.......................................................................................................................196
References........................................................................................................................196
8 Client Side Exploitation
  Client Side Exploitation Methods
    Attack Scenario 1: E-Mails Leading to Malicious Attachments
    Attack Scenario 2: E-Mails Leading to Malicious Links
    Attack Scenario 3: Compromising Client Side Update
    Attack Scenario 4: Malware Loaded on USB Sticks
    E-Mails with Malicious Attachments
      Creating a Custom Executable
      Creating a Backdoor with SET
      PDF Hacking
  Introduction
    Header
    Body
    Cross Reference Table
    Trailer
  PDF Launch Action
  Creating a PDF Document with a Launch Action
    Controlling the Dialog Boxes
    PDF Reconnaissance
  Tools of the Trade
    PDFINFO
      PDFINFO “Your PDF Document”
    PDFTK
  Origami Framework
  Installing Origami Framework on BackTrack
  Attacking with PDF
    Fileformat Exploits
    Browser Exploits
  Scenario from Real World
  Adobe PDF Embedded EXE
  Social Engineering Toolkit
    Attack Scenario 2: E-Mails Leading to Malicious Links
  Credential Harvester Attack
  Tabnabbing Attack
  Other Attack Vectors
  Browser Exploitation
  Attacking over the Internet with SET
  Attack Scenario over the Internet
  Using Windows Box as Router (Port Forwarding)
    Browser AutoPWN
  Why Use Browser AutoPWN?
  Problem with Browser AutoPWN
  VPS/Dedicated Server
    Attack Scenario 3: Compromising Client Side Update
  How Evilgrade Works
  Prerequisites
    Attack Vectors
    Internal Network Attack Vectors
    External Network Attack Vectors
    Evilgrade Console
    Attack Scenario
    Attack Scenario 4: Malware Loaded on USB Sticks
  Teensy USB
  Conclusion
  Further Reading
9 Postexploitation
  Acquiring Situation Awareness
    Enumerating a Windows Machine
    Enumerating Local Groups and Users
    Enumerating a Linux Machine
    Enumerating with Meterpreter
      Identifying Processes
      Interacting with the System
      User Interface Command
  Privilege Escalation
    Maintaining Stability
  Escalating Privileges
    Bypassing User Access Control
    Impersonating the Token
    Escalating Privileges on a Linux Machine
  Maintaining Access
  Installing a Backdoor
  Cracking the Hashes to Gain Access to Other Services
  Backdoors
    Disabling the Firewall
    Killing the Antivirus
    Netcat
  MSFPayload/MSFEncode
    Generating a Backdoor with MSFPayload
    MSFEncode
  MSFVenom
    Persistence
    What Is a Hash?
    Hashing Algorithms
    Windows Hashing Methods
    LAN Manager (LM)
    NTLM/NTLM2
    Kerberos
    Where Are LM/NTLM Hashes Located?
  Dumping the Hashes
    Scenario 1—Remote Access
    Scenario 2—Local Access
    Ophcrack
  References
    Scenario 3—Offline System
    Ophcrack LiveCD
    Bypassing the Log-In
  References
  Cracking the Hashes
    Bruteforce
    Dictionary Attacks
    Password Salts
    Rainbow Tables
  John the Ripper
    Cracking LM/NTLM Passwords with JTR
    Cracking Linux Passwords with JTR
  Rainbow Crack
    Sorting the Tables
    Cracking the Hashes with rcrack
    Speeding Up the Cracking Process
    Gaining Access to Remote Services
    Enabling the Remote Desktop
    Adding Users to the Remote Desktop
  Data Mining
    Gathering OS Information
    Harvesting Stored Credentials
  Identifying and Exploiting Further Targets
    Mapping the Internal Network
    Finding Network Information
    Identifying Further Targets
    Pivoting
    Scanning Ports and Services and Detecting OS
    Compromising Other Hosts on the Network Having the Same Password
  psexec
    Exploiting Targets
  Conclusion
10 Windows Exploit Development Basics
  Prerequisites
  What Is a Buffer Overflow?
  Vulnerable Application
  How to Find Buffer Overflows
  Methodology
  Getting the Software Up and Running
  Causing the Application to Crash
  Skeleton Exploit
    Determining the Offset
    Identifying Bad Characters
  Figuring Out Bad Characters with Mona
    Overwriting the Return Address
    NOP Sledges
    Generating the ShellCode
  Generating Metasploit Module
  Porting to Metasploit
  Conclusion
  Further Resources
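The chapter 10 outline lists "Determining the Offset" and "Identifying Bad Characters" as steps of the buffer-overflow methodology. The following is an added example, not code from the book and not mona: it reimplements in plain Python what the Metasploit pattern_create/pattern_offset tools and mona's byte-array comparison do. Everything in it is constructed for illustration: a 32-bit target (so EIP is a 4-byte little-endian value read off the debugger) and a stand-in "target" function that mangles input the way a line-based read followed by a C string copy would.

```python
# Added example: offset and bad-character helpers for a 32-bit stack overflow.
# Not the book's code and not mona; the target below is a constructed stand-in.
import string
import struct

PATTERN_MAX = 26 * 26 * 10 * 3  # Aa0 .. Zz9 with no repeated 4-byte window


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern: Aa0Aa1Aa2 ... Ab0 ... Zz9 (upper, lower, digit)."""
    if length > PATTERN_MAX:
        raise ValueError(f"a pattern longer than {PATTERN_MAX} bytes repeats itself")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset at which the four bytes now sitting in EIP were sent.

    x86 is little-endian: EIP=0x41306b41 means the bytes 41 6b 30 41 ('Ak0A')
    were written in that order, so pack the value and search the pattern."""
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value does not come from this pattern")
    return idx


def byte_array(excluded) -> bytes:
    """All bytes 0x01..0xff except those already known to be bad."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def first_mismatch(sent: bytes, dumped: bytes):
    """First byte that did not survive the trip into the buffer, or None.

    A bad character usually truncates or corrupts everything after it, so only
    the first difference is trusted; the rest is re-tested on the next round."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def bad_char_search(send_and_dump, known_bad=(0x00,)) -> list:
    """Send the array, read memory back, drop the first bad byte, repeat."""
    excluded = set(known_bad)  # 0x00 terminates C strings; excluded up front
    while True:
        sent = byte_array(excluded)
        dumped = send_and_dump(sent)
        bad = first_mismatch(sent, dumped)
        if bad is None:
            return sorted(excluded)
        excluded.add(bad)


def simulated_target(data: bytes) -> bytes:
    """Constructed stand-in for the vulnerable program: input is read line by
    line (stops at 0x0a) and copied with a C string routine (stops at 0x00).
    In a real test this is the crash plus the debugger's memory dump."""
    cut = len(data)
    for stop in (b"\x00", b"\x0a"):
        i = data.find(stop)
        if i != -1:
            cut = min(cut, i)
    return data[:cut]


if __name__ == "__main__":
    pat = cyclic_pattern(5000)
    print("offset for EIP 0x41306b41:", pattern_offset(pat, 0x41306b41))
    print("bad characters:", [hex(b) for b in bad_char_search(simulated_target)])
```

In practice the two loops are driven by hand: send the pattern, note EIP in the debugger, send the byte array, compare it against a memory dump; the search stops when the whole array survives, and those excluded bytes are what msfvenom's -b option is given when the shellcode is generated.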
11 Wireless Hacking
  Introduction
  Requirements
  Introducing Aircrack-ng
  Uncovering Hidden SSIDs
  Turning on the Monitor Mode
  Monitoring Beacon Frames on Wireshark
  Monitoring with Airodump-ng
  Speeding Up the Process
    Bypassing MAC Filters on Wireless Networks
    Cracking a WEP Wireless Network with Aircrack-ng
  Placing Your Wireless Adapter in Monitor Mode
  Determining the Target with Airodump-ng
    Attacking the Target
    Speeding Up the Cracking Process
    Injecting ARP Packets
    Cracking the WEP
  Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng
  Capturing Packets
  Capturing the Four-Way Handshake
  Cracking WPA/WPA2
    Using Reaver to Crack WPS-Enabled Wireless Networks
  Reducing the Delay
  Further Reading
    Setting Up a Fake Access Point with SET to PWN Users
  Attack Scenario
    Evil Twin Attack
  Scanning the Neighbors
  Spoofing the MAC
  Setting Up a Fake Access Point
  Causing Denial of Service on the Original AP
  Conclusion
12 Web Hacking
  Attacking the Authentication
    Username Enumeration
    Invalid Username with Invalid Password
    Valid Username with Invalid Password
    Enabling Browser Cache to Store Passwords
  Brute Force and Dictionary Attacks
  Types of Authentication
    HTTP Basic Authentication
    HTTP-Digest Authentication
    Form-Based Authentication
    Exploiting Password Reset Feature
  Etsy.com Password Reset Vulnerability
    Attacking Form-Based Authentication
  Brute Force Attack
    Attacking HTTP Basic Auth
  Further Reading
    Log-In Protection Mechanisms
    CAPTCHA Validation Flaw
    CAPTCHA Reset Flaw
    Manipulating User-Agents to Bypass CAPTCHA and Other Protections
    Real-World Example
    Authentication Bypass Attacks
    Authentication Bypass Using SQL Injection
    Testing for SQL Injection Auth Bypass
    Authentication Bypass Using XPATH Injection
      Testing for XPATH Injection
    Authentication Bypass Using Response Tampering
  Crawling Restricted Links
  Testing for the Vulnerability
    Automating It with Burp Suite
  Authentication Bypass with Insecure Cookie Handling
    Session Attacks
    Guessing Weak Session ID
    Session Fixation Attacks
  Requirements for This Attack
  How the Attack Works
    SQL Injection Attacks
    What Is an SQL Injection?
    Types of SQL Injection
      Union-Based SQL Injection
      Error-Based SQL Injection
      Blind SQL Injection
    Detecting SQL Injection
    Determining the Injection Type
    Union-Based SQL Injection (MySQL)
  Testing for SQL Injection
    Determining the Number of Columns
    Determining the Vulnerable Columns
    Fingerprinting the Database
    Enumeration Information
    Information_schema
    Information_schema Tables
    Enumerating All Available Databases
    Enumerating All Available Tables in the Database
    Extracting Columns from Tables
    Extracting Data from Columns
      Using group_concat
    MySQL Version ≤ 5
  Guessing Table Names
    Guessing Columns
    SQL Injection to Remote Command Execution
  Reading Files
  Writing Files
    Blind SQL Injection
      Boolean-Based SQLi
    True Statement
    False Statement
    Enumerating the DB User
    Enumerating the MYSQL Version
    Guessing Tables
    Guessing Columns in the Table
    Extracting Data from Columns
    Time-Based SQL Injection
  Vulnerable Application
  Testing for Time-Based SQL Injection
    Enumerating the DB User
    Guessing the Table Names
    Guessing the Columns
    Extracting Data from Columns
    Automating SQL Injections with Sqlmap
    Enumerating Databases
    Enumerating Tables
    Enumerating the Columns
    Extracting Data from the Columns
    HTTP Header–Based SQL Injection
    Operating System Takeover with Sqlmap
  OS-CMD
  OS-SHELL
  OS-PWN
XSS (Cross-Site Scripting)...............................................................................................371
How to Identify XSS Vulnerability..................................................................................371
Types of Cross-Site Scripting...........................................................................................371
Reflected/Nonpersistent XSS...........................................................................................372
Vulnerable Code.....................................................................................................372
Medium Security.............................................................................................................373
Vulnerable Code.....................................................................................................373
High Security..................................................................................................................373
Bypassing htmlspecialchars.....................................................................................374
UTF-32 XSS Trick: Bypass 1...........................................................................................375
Svg Craziness: Bypass 2....................................................................................................375
Bypass 3: href Attribute...................................................................................................376
Stored XSS/Persistent XSS.............................................................................................. 377
Payloads.......................................................................................................................... 377
Blind XSS........................................................................................................................378
DOM-Based XSS............................................................................................................378
Detecting DOM-Based XSS...................................................................................378
Sources (Inputs).............................................................................................378
Sinks (Creating/Modifying HTML Elements)..............................................378
Static JS Analysis to Identify DOM-Based XSS..................................................... 384
How Does It Work?................................................................................................385
Setting Up JSPRIME.............................................................................................385
Dominator: Dynamic Taint Analysis.............................................................................. 390
POC for Internet Explorer.............................................................................................. 394
POC for Chrome............................................................................................................ 394
Pros/Cons........................................................................................................................395
Cross Browser DOM XSS Detection...............................................................................395
Types of DOM-Based XSS............................................................................................. 397
Reflected DOM XSS............................................................................................. 397
Stored DOM XSS.................................................................................................. 397
Exploiting XSS...................................................................................................... 399
Cookie Stealing with XSS...................................................................................... 399
Exploiting XSS for Conducting Phishing Attacks.................................................. 402
Compromising Victim’s Browser with XSS............................................................ 404
Exploiting XSS with BeEF.............................................................................................. 405
Setting Up BeEF on BackTrack...................................................................................... 405
Demo Pages.................................................................................................................... 408
BeEF Modules....................................................................................................... 409
Module: Replace HREFs.............................................................................. 409
Module: Getcookie....................................................................................... 409
Module: Tabnabbing.....................................................................................410
BeEF in Action.......................................................................................................412
Cross-Site Request Forgery (CSRF).................................................................................413
Why Does a CSRF Attack Work?....................................................................................413
How to Attack.................................................................................................................413
GET-Based CSRF............................................................................................................414
POST-Based CSRF..........................................................................................................414
CSRF Protection Techniques...........................................................................................415
Referrer-Based Checking.................................................................................................415
Anti-CSRF Tokens..........................................................................................................415
Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm........................................416
Tokens Not Validated upon Server..................................................................................416
Analyzing Weak Anti-CSRF Token Strength..................................................................417
Bypassing CSRF with XSS..............................................................................................419
File Upload Vulnerabilities.....................................................................................421
Bypassing Client Side Restrictions......................................................................... 423
Bypassing MIME-Type Validation........................................................................ 423
Real-World Example....................................................................................................... 425
Bypassing Blacklist-Based Protections................................................................... 425
Case 1: Blocking Malicious Extensions.................................................................. 425
Bypass.......................................................................................................... 426
Case 2: Case-Sensitive Bypass................................................................................ 426
Bypass.......................................................................................................... 426
Real-World Example....................................................................................................... 426
Vulnerable Code.................................................................................................... 426
Case 3: When All Dangerous Extensions Are Blocked.......................................... 426
XSS via File Upload...................................................................................... 427
Flash-Based XSS via File Upload.................................................................. 428
Case 4: Double Extensions Vulnerabilities............................................................. 429
Apache Double Extension Issues................................................................... 429
IIS 6 Double Extension Issues...................................................................... 429
Case 5: Using Trailing Dots.................................................................................. 429
Case 6: Null Byte Trick......................................................................................... 429
Case 7: Bypassing Image Validation....................................................................... 429
Case 8: Overwriting Critical Files.......................................................................... 430
Real-World Example........................................................................................................431
File Inclusion Vulnerabilities............................................................................................431
Remote File Inclusion..................................................................................................... 432
Patching File Inclusions on the Server Side..................................................................... 433
Local File Inclusion............................................................................................... 433
Linux..................................................................................................................... 434
Windows............................................................................................................... 434
LFI Exploitation Using /proc/self/environ.............................................................. 434
Log File Injection.................................................................................................. 436
Finding Log Files: Other Tricks............................................................................. 440
Exploiting LFI Using PHP Input........................................................................... 440
Exploiting LFI Using File Uploads........................................................................ 441
Read Source Code via LFI..................................................................................... 442
Local File Disclosure Vulnerability........................................................................ 443
Vulnerable Code........................................................................................... 443
Local File Disclosure Tricks................................................................................... 445
Remote Command Execution............................................................................... 446
Uploading Shells.................................................................................................... 448
Server Side Include Injection..................................................................................452
Testing a Website for SSI Injection..................................................................................452
Executing System Commands.........................................................................................453
Spawning a Shell..............................................................................................................453
SSRF Attacks...................................................................................................................454
Impact.............................................................................................................................455
Example of a Vulnerable PHP Code.......................................................................456
Remote SSRF.........................................................................................................457
Simple SSRF..................................................................................................457
Partial SSRF..................................................................................................458
Denial of Service............................................................................................................. 463
Denial of Service Using External Entity Expansion (XEE).................................... 463
Full SSRF.............................................................................................................. 464
dict://............................................................................................................ 464
gopher://........................................................................................................465
http://............................................................................................................465
Causing the Crash................................................................................................. 466
Overwriting Return Address........................................................................................... 467
Generating Shellcode...................................................................................................... 467
Server Hacking............................................................................................................... 469
Apache Server..................................................................................................................470
Testing for Disabled Functions...............................................................................470
open_basedir Misconfiguration....................................................................472
Using CURL to Bypass open_basedir Restrictions.......................................474
open_basedir PHP 5.2.9 Bypass...................................................................475
Reference.........................................................................................................................476
Bypassing open_basedir Using CGI Shell.....................................................476
Bypassing open_basedir Using mod_perl, mod_python............... 477
Escalating Privileges Using Local Root Exploits............................................................. 477
Back Connecting............................................................................................................ 477
Finding the Local Root Exploit.......................................................................................478
Usage...............................................................................................................................478
Finding a Writable Directory...........................................................................................479
Bypassing Symlinks to Read Configuration Files............................................................ 480
Who Is Affected?.............................................................................................................481
Basic Syntax.....................................................................................................................481
Why This Works.................................................................................................... 482
Symlink Bypass: Example 1................................................................................... 482
Finding the Username........................................................................................... 482
/etc/passwd File..................................................................................... 483
/etc/valiases File................................................................................. 483
Path Disclosure............................................................................................. 483
Uploading .htaccess to Follow Symlinks................................................................ 484
Symlinking the Configuration Files....................................................................... 484
Connecting to and Manipulating the Database.............................................................. 485
Updating the Password................................................................................................... 486
Symlink the Root Directory.................................................................................. 486
Example 3: Compromising WHMCS Server......................................................... 487
Finding a WHMCS Server............................................................................................. 487
Symlinking the Configuration File................................................................................. 488
WHMCS Killer..................................................................................................... 488
Disabling Security Mechanisms............................................................................. 490
Disabling mod_security............................................................................... 490
Disabling open_basedir and safe_mode............................................ 490
Using CGI, PERL, or Python Shell to Bypass Symlinks.........................................491
Conclusion.......................................................................................................................491


Preface
Ethical hacking strikes all of us as a subject that requires a great deal of prerequisite knowledge
about things like heavy-duty software, languages that include hordes of syntaxes, and algorithms
that could be generated by maestros only. Well, that's not the case, to some extent. This book
introduces the steps required to complete a penetration test, or ethical hack. Requiring no prior
hacking experience, the book explains how to utilize and interpret the results of the modern-day
hacking tools that are required to complete a penetration test. Coverage includes Backtrack Linux,
Google Reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn,
Netcat, and Hacker Defender rootkit. Simple explanations of how to use these tools and a four-step
methodology for conducting a penetration test provide readers with a better understanding
of offensive security.

Being an ethical hacker myself, I know how difficult it is for people who are new to hacking
to excel at this skill without having any prior knowledge and understanding of how things work.
Keeping this exigent thing in mind, I have provided those who are keen to learn ethical hacking
with the best possible explanations in the easiest and most understandable manner, so that they will
not only gain pleasure while reading, but will also have the urge to put into practice what they
have learned from it.

The sole aim and objective of writing this book is to target the beginners who look for a complete
guide to turn their dream of becoming an ethical hacker into a reality. This book elucidates
the building blocks of ethical hacking that will help readers develop an insight into the matter at
hand. It will help them fathom what ethical hacking is all about and how one can actually run a
penetration test with great success.

I have put in a lot of hard work to make this book a success. I remember spending hours and
hours in front of my computer typing indefatigably, ignoring all the text messages of my friends
when they asked me to come along and spend some time with them, which left me despondent,
but now, when I see my book finally completed, it gives me immense pleasure that the efforts of a
whole year have finally paid off.

This book came out as a result of my own experiences during my ethical hacking journey,
experiences that are worth sharing with all the passionate people out there.
It makes me elated to the core when I see my third book on the subject of hacking published,
and I hope and pray that everyone likes it.
Best of luck to everyone out there.
Rafay Baloch