Index

A

Active information gathering, 53

Active sniffing, 140

Acunetix vulnerability scanner, 62

Address resolution protocol (ARP)

attack vectors, 143–144

basics, 142

poisoning attack, 309

with Cain and Abel, 153–155

with ettercap, 150–152

spoofing attack

denial of service attack, 144–145

Dsniff, 145

to perform MITM attacks, 145–147

poisoning, 144

schematic illustration, 144

working of, 142

Adobe PDF Embedded Exe, 210–211

Aircrack-ng

tools, 293

WEP with, 298

WPA/WPA2 using, 302

Airodump-ng, 295

ARP packets, 300–301

attacking target, 299

speeding up cracking process, 300

target determination, 299–302

WEP, 301–302

Alpha card, 294

Apache server, hacking

bypassing open_basedir using CGI shell, 476–477

bypassing open_basedir using mod_perl, mod_python, 477

open_basedir misconfiguration, 472–474

open_basedir PHP 5.2.9 bypass, 475–476

testing for disabled functions, 470–472

using CURL to bypass open_basedir restrictions, 474–475

Armitage, 189

enumerating target, 191–192

feature, 190

fingerprinting target, 191–192

interface for, 190

launching, 190–191

Metasploit interfaces, 179

ARP, see Address resolution protocol (ARP)

Asset, hacking terminologies, 2

Attack phase, of NIST, 6

Authentication

attacking, 313, 330

browser cache to store passwords, 314

invalid password, 314

username enumeration, 314

vulnerabilities against, 313

base64-encoded form, 315–316

Burp Suite, 315

bypass with insecure cookie handling, 336–338

guessing weak session ID, 339–341

requirements, 342

session attacks, 339

session fixation attacks, 341–342

SQL injection (see SQL injection)

works, 342

exploiting password reset feature, 319

FORM-based, 317–318

HTTP basic, 315–316

HTTP-Digest, 316–317

testing for SQL injection, 330–333

using response tampering, 334

using XPATH injection, 333–334

Autopwn

Armitage (see Armitage)

Metasploit, 188–189

Nessus and, 189–190

Avoid sequential scans, 128–129

B

Backdoor

disabling firewall, 242

installation, 241

killing antivirus, 242–243

with msfencode, 245–246

with msfpayload, 244–245

netcat, 243–244

types, 247

BackTrack, 30

basics, 43

CEWL, 71

default list path, 169

default screen size

steps, 43–44

unforgettable basics, 44–46

Dhclient command, 47–48

fierce in, 72–74

Google hacking database, 66

on hard drive, 39–42

load balancer detector, 89

MySQL service, 48

onesixtyone, 85

Origami framework on, 207–208

on portable USB, 35–38

postgresql, 50–51

snmpenum, 85

snmp-user-enum, 87

solar winds toolset, 85–86

SSHD service, 48–50

TCP traceroute, 58

text editors, 46–47

version, 182, 190

on virtual box, 31–35

WhatWeb tool, 62

Whois database, 55

Bad guy, see Black hat hacker

Binary protocols, 164–165

Black box penetration test, 7

Black hat hacker, 1

Blind SQL injection, 343

Boolean-based SQL injection attack, 355

Browser AutoPWN, 220

problem with, 221–222

types, 221

Brute force attack, 253–254, 315

authentication bypass

attacks, 330

testing for SQL injection, 331–333

using response tampering, 334

using SQL injection, 330–331

using XPATH injection, 333–334

CAPTCHA

bypass, manipulating user-agents to, 329–330

reset flaw, 328

validation flaw, 326–327

dictionary, 166–167

HTTP basic authentication, 323–326

hybrid, 167

log-in protection mechanisms, 326

payload type to, 322–323

on SA account, 177

traditional, 166

Buffer overflow, 271–273

Burp Suite

attack type, 321

automation with, 336

definition, 315

intercepting response, 60–61

C

Cheops-ng, 59–60

Client side exploitation

compromising client side update, 198

attack vectors, 223–224

DNSAnswerIP configuration, 225

DNS spoofing attacks, 227

Evilgrade, 223–225

Metasploit, 226

module configuration, 225–226

Windows binary with msfpayload, 224

e-mails leading to malicious attachments, 197

Adobe PDF Embedded Exe, 210–211

PDF (see PDF)

real-world scenario, 209–210

SET, 198–200

e-mails leading to malicious links, 197, 213

attack scenario over Internet, 217–220

Browser AutoPWN, 220–222

browser exploitation, 217

credential harvester attack, 214–215

other attack vectors, 216

SET, 217

tabnabbing attack, 215–216

using Windows box as router, 220

VPS/dedicated server, 223

malware loaded on USB sticks, 198, 227–229

methods, 197

server side vs., 163

success, 197

CloudFlare protection

mail servers, 92–93

resolvers, 90–91

subdomain trick, 92

Command shell, 194

Cracker, see Black hat hacker

Crash, 273–275, 466–467

Credential harvester attack, 214–215

Cron, 25

files, 26–28

permission, 26

Cross browser DOM XSS detection, 395–397

Cross-site request forgery (CSRF)

anti-CSRF tokens, 415–416

analyzing weak, 417–419

not validated upon server, 416–417

predicting/brute forcing weak, 416

attacking work, 413

blocking malicious extensions, 425–426

bypassing

blacklist-based protections, 425

client side restrictions, 423

image validation, 429–430

MIME-type validation, 423–425

with XSS, 419–421

case-sensitive bypass, 426

dangerous extensions block, 426–428

double extensions vulnerabilities, 429

file upload vulnerabilities, 421–423

GET-based, 414

null byte trick, 429

overwriting critical files, 430–431

POST-based, 414–415

protection techniques, 415

referrer-based checking, 415

using trailing dots, 429

Cross-site scripting (XSS)

with BeEF, 405

in action, 412–413

BeEF modules, 409–412

demo pages, 408–409

getcookie module, 409–410

replace HREFs, 409

setting up, 405–407

tabnabbing, 410–412

blind, 378

compromising victim’s browser with, 404–405

for conducting phishing attacks, 402–403

cookie stealing with, 399–402

DOM-based

chrome, POC for, 394

cross browser, 395–397

detecting, 378–379

document.cookie, 383–384

document.referrer, 382–383

dynamic taint analysis, 390–394

internet explorer, POC for, 394

Jsprime, installing and setting up, 385–390

location.hash, 379–380

location.search, 381–382

pros/cons, 395

reflected, 397

static JS analysis to identify, 384–385

stored, 397–399

tracking/analytics script, 380–381

high security, 373–374

href attribute, 376

htmlspecialchars, bypassing, 374

identification, 371

medium security, 373

payloads, 377

persistent, 377

reflected/nonpersistent, 372–373

stored, 377

SVG craziness, 375–376

types, 371

UTF-32, 375

via file upload, 427–428

D

Data mining, 259

gathering OS information, 260–261

harvesting stored credentials, 261–262

postexploitation process, 259–262

Decoys, 117

Dedicated server, 223

Denial of service attacks, 144–145

on original AP, 311–312

using XXE, 463–464

Dhclient command, 47–48

DHCP spoofing attack, see Dynamic Host Configuration Protocol (DHCP) spoofing attack

Dictionary attacks, 254, 315

DIG tool, 76–77

Directory in Linux, 21

Direct static code injection, 450–452

Discovery phase, of NIST, 6

DNSAnswerIP configuration, 225

DNS cache snooping, 80–84

DNSenum, 80

DNS spoofing

ARP spoofing attack, 159

attacks, 227

DNS record manipulation, 160

ettercap usage, 160

DOM-based XSS

chrome, POC for, 394

cross browser, 395–397

detecting, 378–379

document.cookie, 383–384

document.referrer, 382–383

dynamic taint analysis, 390–394

internet explorer, POC for, 394

Jsprime, installing and setting up, 385–390

location.hash, 379–380

location.search, 381–382

pros/cons, 395

reflected, 397

static JS analysis to identify, 384–385

stored, 397–399

tracking/analytics script, 380–381

Driftnet, 147–148

Dsniff, 145, 147

Dynamic Host Configuration Protocol (DHCP) spoofing attack, 160–161

E

Eavesdropping, see Network sniffing

Elite hacker, 2

Error-based SQL injection, 343

Ethical hacker, 2

Etsy.com password reset vulnerability, 319–322

Ettercap, 150–152

Evilgrade, 223–225

Evil twin attack, 310

Exploitation

Armitage, 189

enumerating target, 191–192

feature, 190

fingerprinting target, 191–192

interface for, 190

launching, 190–191

Metasploit interfaces, 179

brute force attacks, 166

dictionary, 166–167

hybrid, 167

SA account, 177

traditional, 166

DATA commands, 174

definition of, 3

Hail Mary, 196

HELO commands, 174

hosts importation, 192

Hydra

cracking services with, 168–169

GUI version, 170

syntax, 168–169

THC hydra, 167–168

info command, 181

Internet Control Messaging Protocol, 164

MAIL FROM commands, 174

Metasploit

Autopwn, 188–189

check feature, 195

commands, 180

databases, 182–183

history, 178

interfaces, 178–179

port scanners, 182, 184

reconnaissance with, 182

search feature, 180

specific scanners, 184

utilities, 179–180

Windows host with, 184–187

MSF scans, 192

ms-sql-empty-password, 178

MS SQL servers, 176–177

network protocols, 163–164

OpenSSH, 170–171

potential attack vectors, 193–195

RCPT TO commands, 174

real-life example, 174–175

request for comment, 165–166

server protocols, 164–165

server side vs. client side, 163

set/unset command, 182

show options command, 181, 186

SQL servers, 175

test for weak authentication, 175–176

transmission control protocol, 164

use command, 181

User Datagram Protocol, 164

using null passwords, 178

vulnerability assessment, 193–194

Exploit-db, 138

advantage of, 136

with BackTrack, 136

Offensive Security team, 135, 137

searchsploit, 137

F

File inclusion vulnerabilities, 431

patching file inclusions

exploiting LFI using file uploads, 441–442

exploiting LFI using PHP input, 440–441

finding log files, 440

LFI exploitation using /proc/self/environ, 434–436

Linux, 434

local file disclosure, 443–446

local file inclusion, 433–434

log file injection, 436–439

read source code via LFI, 442–443

remote command execution, 446–448

uploading shells, 448–452

windows, 434

remote file inclusion, 432

File permission in Linux, 22–24

File transfer protocol (FTP), 165

FIN scan, 105

Firewall evading techniques, 113

fragmented packets, 115

maximum transmission unit specification, 116

sending bad/incorrect checksums, 116–117

source port scan, 115–116

timing technique, 114

Forward DNS lookup

brute forcing technique, 77

with fierce, 77–78

Four-way handshake, 302–304

Freefloat FTP server, 273

Fuzzing, 273–275

G

Gnome, 30

Google Chrome, POC for, 394

Google hacking, 63

database, 66–67

Gray box penetration test, 7

Gray hat hacker, 1

H

Hacker, 1; see also specific types

Hackersforcharity.org/ghdb, 67

Hacktivist, 2

Halberd tool, 89–90

Hashes, 249

algorithm, 249

bruteforce, 253–254

dictionary attacks, 254

dumping, 251

bypassing log-in, 253

local access, 251–253

OPHCrack LIVE CD, 253

remote access, 251

to gain access to other services, 241

LAN Manager, 250

NT LAN Manager, 250

password salts, 254

rainbow tables, 254

Windows hashing methods, 250

Hazard risk assessment matrix, 14

Host discovery process, 98–100

httrack tool, 54

Hydra

cracking services with, 168–169

GUI version, 170

syntax, 168–169

THC hydra, 167–168

Hypertext Transfer Protocol (HTTP), 165

basic authentication, 323–326

HTTP-digest authentication, 316–317

I

IDLE scan

hping2, 107–108

launching, prerequisites for, 107

with nmap, 109

IDS evading techniques, 113

fragmented packets, 115

maximum transmission unit specification, 116

sending bad/incorrect checksums, 116–117

source port scan, 115–116

timing technique, 114

Impersonation token, 239–240

Information gathering techniques

active, 53

attack scenarios, 84

Burp Suite, 60–61

Cheops-ng, 59–60

DIG tool, 76–77

DNS cache snooping attack, 80–84

forward DNS lookup

brute forcing technique, 77

with fierce, 77–78

Hackersforcharity.org/ghdb, 67

httrack tool, 54

interacting with DNS servers, 75

intercepting response, 60–62

NeoTrace, 59

Netcraft, 63

Nslookup, 76

passive, 53–54

reverse IP lookup, 56

Shodan

Cisco IOS devices, 94

default password, 94–95

description of, 93–94

site parameter, 64–65

SMTP enumeration, 87

CloudFlare protection, 90–93

load balancers, 88–90

SNMP (see Simple Network Mapping Protocol (SNMP))

sources of, 54

TIP regarding filetype, 65–67

Website Ripper Copier, 55

WhatWeb, 62–63

Whois database, 55–56

Xcode exploit scanner, 67

DNS enumeration, 75

fierce in BackTrack, 72–74

file analysis, 68

Foca tool, 68

harvesting e-mail lists, 69–71

scanning subdomains, 71–72

for SSL version, 74–75

TheHarvester, 72

Yougetsignal.com

exact location, tracing of, 57

ritx tool, 56

traceroute, 57–58

zone transfer

automating, 80

with host command, 79–80

reverse DNS lookup with fierce, 78–79

Inj3ctor exploit database, 135

Internet

attack scenario over, 217–220

POC for, 394

with SET, 217

Internet Control Messaging Protocol (ICMP), 58, 164

Inurl, 65

J

John the Ripper (JTR), 255

Linux passwords with, 256

LM/NTLM hashes with, 255–256

K

Kerberos, 250

Knock.py, 74

L

LAN Manager (LM) hashes, 250, 255–256

Linux

advance/special permission, 22–23

applications, 30

BackTrack, 30

basics, 43

default screen size, 43–46

Dhclient command, 47–48

on hard drive, 39–42

MySQL service, 48

on portable USB, 35–38

postgresql, 50–51

SSHD service, 48–50

text editors, 46–47

on virtual box, 31–35

chatter permission, 24

commands, 24–25

cron (see Cron)

directory, 21

enumeration, 233–234

exceptions, 20

file permission in, 22–24

file structure, 20

group permission, 22

link permission, 23

logging, 30

passwords

with JTR, 256

storage, 29

privilege escalation, 241

services, 29

setgid, 23

setuid, 23

stickybit permission, 23

types, 19

users inside, 28–30

Load balancers

classification of, 88

load balancer detector, 89

real IP detection, 89–90

Local root exploits

back connecting, 477–478

escalating privileges using, 477

usage, 478–479

writable directory, 479–480

M

MAC filtering, on wireless networks, 296–298

MAC flooding, 143

Macof, 143

MAC spoofing, 311

Man in the middle attacks (MITM), 141–142

ARP spoof usage, 145–147

automation of, 158–159

hijacking session with, 152

Medusa

basic syntax, 170

cracking SSH with, 171

Metasploit

Autopwn, 188–189

check feature, 195

client side exploitation, 226

commands, 180

databases, 182–183

history, 178

info command, 181

interfaces

Armitage, 179

MSFcli, 179

MSFConsole, 178

MSFGUI, 179

module generation, 287–288

Nessus vulnerability scanner, 132–133

persistence, 247–249

porting to, 288–290

port scanners, 182, 184

reconnaissance with, 182

search feature, 180

set/unset command, 182

show options command, 181, 186

specific scanners, 184

utilities, 179–180

Windows host with, 184–187

Meterpreter

enumeration

identifying processes, 235

interacting with system, 235

user interface command, 235–236

shell, 194

MITM, see Man in the middle attacks (MITM)

Mobile application penetration test, 8

Mona

bad characters with, 281–282

NOP sledges, 285

overwriting return address, 283–285

shellcode generation, 286–287

Monitor mode

network card to, 294

wireless adapter in, 298

MSFConsole, 178–179

Msfencode, 179, 245–246

MSFGUI, 179

Msfpayload, 244–245

MSF scans, 192

MSFVenom, 179–180

MySQL servers, 175

N

Ncrack

basic syntax, 171

nmap and, 172–174

remote desktop protocol with, 172

NeoTrace, 59

Nessus

and Autopwn, 189–190

vulnerability scanner

adding user, 125–126

approach, 124

avoid sequential scans, 128–129

control panel, 126–127

default policies, 127

home feed, 125

installation on BackTrack, 125

Metasploit, 132–133

new custom policy, 128

port range, 129–130

preferences, 130

professional feed, 125

Safe Check, 128

silent dependencies, 128–129

target scanning, 130–132

Netcraft, 63

Network orientation, traceroute for, 57

Network penetration test, 8

Network protocols, 163–164

Network sniffing

ARP (see Address resolution protocol (ARP))

DHCP spoofing, 160–161

DNS spoofing (see DNS spoofing)

driftnet, 147–148

ettercap, 150–152

goal of, 139

hubs vs. switches, 140–141

MITM attack, 141–142, 152

promiscuous vs. nonpromiscuous mode, 141

session cookies with wireshark, 155–157

SSL strip, 157–158

types of, 140

urlsnarf, 148–149

webspy, 148

with Wireshark, 149–150

NIST

phases of, 6

steps of, 15–17

Nmap

basic command line format, 100

grepable format, 112–113

IDLE scan, 109

maximum transmission unit, 116

into Metasploit database, 183

and ncrack, 172–174

normal format, 112

OS fingerprinting database, 111

output formats, 112–113

port scanning, 100–101

port status types, 102

SCADA test, 123–124

service version detection, 110

-sP flag in, 98

TCP connect scan, 104

timing technique, 114

XML format, 113

Nslookup, 76

NT LAN Manager (NTLM) hashes, 255–256

NULL scan, 104

O

Open ports, see Port scanning

Open-source security testing methodology manual (OSSTMM), 5–6

OpenSSH, 170–171

OpenVas, 133–134

OPHCrack program, 252–253

Origami framework, 207–208

OS fingerprinting database, 111

OWASP testing methodology, 7

P

Passive information gathering, 53–54

Passive OS fingerprinting (POF), 111

Passive sniffing, 140

Password salts, 254

Paypal stored XSS, 135

PDF

browser exploits, 208–209

document

with launch action, 203–205

sections, 201–202

fileformat exploits, 208

hacking, 201

launch action, 202–205

Origami framework, 207–208

PDFINFO command, 205–206

PDFTK, 206–207

PDFINFO command, 205–206

PDFTK, 206–207

Penetration test

Basecamp website, 5

black box, 7

definition of, 3

executive class, 9

Gantt chart, 5

gray box, 7

management class, 9

milestones, 4–5

NIST, 6

OSSTMM, 5–6

OWASP testing guide, 7

preengagement, 3

report writing

cover page, 10

executive summary, 11

factors, 8–9

remediation report, 12

table of contents, 10

rules of engagement, 4

technical class, 9

types of, 7–8

vs. vulnerability assessment, 3

white box, 7

Persistence, 247–249

Phishing attacks, 309

credential harvester, 214

DNS spoofing attack, 159

exploiting for conducting, 402–403

social engineering penetration test, 8

Physical penetration test, 8

Ping command, 57

Pivoting process, 262–263, 266–267

Planning phase, of NIST, 6

Port scanning

description of, 100

nmap, 100–101

TCP (see Transmission control protocol (TCP))

UDP scanning, 100

Port status, types of, 102

Postexploitation process

backdoor

disabling firewall, 242

installation, 241

killing antivirus, 242–243

with msfencode, 245–246

with msfpayload, 244–245

netcat, 243–244

data mining, 259

gathering OS information, 260–261

harvesting stored credentials, 261–262

enumeration

Linux machine, 233–234

local groups and users, 233

meterpreter, 235–236

Windows machine, 231–233

hashes

algorithm, 249

bruteforce, 253–254

dictionary attacks, 254

dumping, 251–253

LAN Manager, 250

NT LAN Manager, 250

password salts, 254

rainbow tables, 254

identifying and exploiting targets, 270

ARP scanner, 265–266

finding network information, 264–265

mapping internal network, 263–264

network having same password, 268–269

pivoting process, 262–263, 266–267

John the Ripper, 255–256

maintaining access, 241

msfpayload/msfencode, backdoor with, 244–246

msfvenom, 246–247

network having same password, 268–269

persistence, 247–249

pivoting process, 262–263, 266–267

privilege escalation

impersonation token, 239–240

on Linux machine, 241

maintaining stability, 236–237

primary token, 239

user access control, 238–239

psexec, 269

rainbow crack, 256

gaining access to remote services, 258

hashes with rcrack, 258

remote desktop, 259

sorting tables, 257

speeding up cracking process, 258

Privilege escalation

impersonation token, 239–240

on Linux machine, 241

maintaining stability, 236–237

primary token, 239

user access control, 238–239

R

Rainbow crack, 256

gaining access to remote services, 258

hashes with rcrack, 258

remote desktop

adding users to, 259

enabling, 259

sorting tables, 257

speeding up cracking process, 258

Rainbow tables, 254

Remote desktop protocol (RDP), with ncrack, 172

Remote exploitation, see Exploitation

Reverse IP lookup method, 56

Risk

assessment of, 14

definition of, 3

S

Script kiddie, 2

Secure socket layer (SSL)

scanning for, 74–75

strip, 157–158

Server hacking, 469–470; see also Apache server, hacking

Server protocols

binary protocols, 164–165

text-based protocols, 164

Server side exploitation, 163

Server side include (SSI) injection

executing system commands, 453

spawning shell, 453–454

testing website for, 452–453

Server side request forgery (SSRF) attacks, 454–455

causing crash, 466–467

denial of service, 463–464

full SSRF

dict://, 464–465

gopher://, 465

http://, 465–466

generating shellcode, 467–469

impact, 455–456

overwriting return address, 467

partial, 458–459

port scanning, 463

reading files, 460–462

reading local files via “php://”, 462–463

remote, 457

simple, 457–458

vulnerable PHP code, 456–457

XXE injection vulnerability, 459–460

SET, see Social engineering toolkit (SET)

Shellcode generation, 286–287, 467–469

Shodan

Cisco IOS devices, 94

default password, 94–95

description of, 93–94

Simple Mail Transfer Protocol (SMTP), 87, 165

attacking, 173–174

CloudFlare protection, 90–93

load balancers, 88–90

Simple Network Mapping Protocol (SNMP)

brute force tool, 86–87

dictionary attack tools, 86–87

password detection, 84

problem with, 84

Snmpenum, 85

solarwinds toolset, 85–86

sweep, 86

Site parameter, 64–65

Skeleton exploit, 275–277

determining offset, 278–280

identifying bad characters, 280–281

Skid, see Script kiddie

SMTP, see Simple Mail Transfer Protocol (SMTP)

SNMP, see Simple Network Mapping Protocol (SNMP)

Social engineering penetration test, 8

Social engineering toolkit (SET)

backdoor creation, 198–200

custom executable with, 198

e-mails leading to malicious links, 217

fake access point setting, 306–309

PDF exploitation, 211–213

SQL injection

attack types, 342–343

authentication bypass using, 330–331

automating with SQLmap (see SQLmap, automating SQL injection)

blind, 343, 355

Boolean-based, 355

DB user enumeration, 356–357

detecting, 343

determining type, 343–344

error-based, 343

extracting data from columns, 360

false statement, 356

guessing table, 351–352, 358–360

MYSQL version, 358

reading files, 353

to remote command execution, 352–353

testing, 344–345

authentication bypass, 330–333

determining number of columns, 345–346

determining vulnerable columns, 346–347

enumerating all available databases, 348–349

enumeration information, 347

extracting columns from tables, 349–350

extracting data from columns, 350

fingerprinting database, 347

information_schema, 348

mysql version ≤ 5, 351

using group_concat, 350–351

time-based (see Time-based SQL injection)

true statement, 355–356

union-based, 343–344

writing files, 353–355

Sqlmap, automating SQL injection, 366

enumerating columns, 367–368

enumerating databases, 367

enumerating tables, 367

extracting data from columns, 368

HTTP header-based SQL injection, 368

operating system, 369

os-cmd, 369

os-pwn, 370–371

os-shell, 369–370

SSI injection, see Server side include (SSI) injection

SSRF attacks, see Server side request forgery (SSRF) attacks

Stack-based overflow exploit, 273

Supervisory Control and Data Acquisition (SCADA), 123–124

Swiss army knife of vulnerability scanners, see Nessus, vulnerability scanner

Symlink bypass

basic syntax, 481–482

configuration files, 484–485

connecting to and manipulating database, 485–486

disabling

mod_security, 490

open_basedir and safe_mode, 490–491

security mechanisms, 490

finding username, 482–483

to read configuration files, 480–481

root directory, 486–487

shared hosting environment, 481

updating password, 486

uploading .htaccess to follow, 484

using CGI, PERL/Python Shell to, 491

WHMCS server

compromising, 487

configuration file, 488

finding, 487

killer, 488–490

works, 482

T

Tabnabbing attack, 215–216, 410–412; see also Phishing attacks

TCP, see Transmission control protocol (TCP)

Teensy USB, 229

Text-based protocols, 164

THC hydra, 167–168

Threat, 3

Time-based SQL injection

enumerating DB user, 362–363

extracting data from columns, 365–366

guessing columns, 364–365

guessing table names, 363–364

testing for, 362

vulnerable application, 361

Token

impersonation, 239–240

primary, 239

Transmission Control Protocol (TCP), 164

port scanning, 100

ACK scan, 105–106

connect scan, 103–104

flags, 101–102

FTP bounce scan, 109–110

SYN scan, 102–103

three-way handshake, 101

traceroute, 58

U

UDP, see User Datagram Protocol (UDP)

Union-based SQL injection, 343–344

Urlsnarf, 148–149

User access control (UAC), 238–239

User Datagram Protocol (UDP)

advantage and disadvantage, 164

port scan, 106–107

traceroute, 58

V

VPS server, 223

Vulnerability

assessment

security executives, 12

severity and percentage basis, 13

tabular summary, 13

vulnerabilities breakdown chart, 13

definition of, 3

scanners

advantage and disadvantage of, 122

data resources, 134–135

description of, 121

exploit databases, 135–138

MS08_067_netapi, 123

Nessus (see Nessus, vulnerability scanner)

with nmap, 122

OpenVas, 133–134

updating scripting engine, 122–123

W

Web application penetration test, 8

Web hacking

authentication (see Authentication)

brute force attack (see Brute force attack)

crawling restricted links, 334–336

cross-site scripting (see Cross-site scripting (XSS))

CSRF (see Cross-site request forgery (CSRF))

dictionary attacks, 315

Etsy.com, 319–322

file inclusion vulnerabilities (see File inclusion vulnerabilities)

local root exploits, 477–480

overwriting return address, 467

server hacking (see Server hacking)

shellcode generation, 286–287, 467–469

SQL injection (see SQL injection)

SSI injection, testing for, 452–454

symlink bypass (see Symlink bypass)

time-based SQL injection, 361–366

XXE, 463–464

Website Ripper Copier, 55

Webspy, 148

WhatWeb, 62–63

White box penetration test, 7

White hat hacker, 1

WHMCS server

compromising, 487

configuration file, 488

killer, 488–490

locating, 487

Whois database, 55–56

Windows exploit

buffer overflow, 271–273

crash, 273–275

freefloat FTP server, 273

fuzzing, 273–275

Metasploit

module generation, 287–288

porting to, 288–290

methodology, 273

mona (see Mona)

NOP sledges, 285

prerequisites, 271

shellcode generation, 286–287

skeleton exploit and, 275–277

determining offset, 278–280

identifying bad characters, 280–281

vulnerable application, 272

Wired Equivalent Privacy (WEP)

with aircrack-ng, 298

with airodump-ng, 301–302

Wireless networks

hacking

aircrack-ng (see Aircrack-ng)

airodump-ng (see Airodump-ng)

attack scenario, 309–310

capturing packets, 303

denial of service attack, 311–312

evil twin attack, 310

fake access point setting, 306–309, 311

four-way handshake, 303–304

monitoring beacon frames, 294–295

reducing delay, 306

requirements, 291–293

scanning neighbors, 311

spoofing MAC, 311

SSIDs, 293–294

WPA/WPA2, 304–306

MAC filtering on, 296–298

reaver to crack WPS-enabled, 305–306

WEP with aircrack-ng, 298

Wireshark, 103

monitoring beacon frames on, 294–295

network sniffing, 149–150

output, 114–115

session cookies with, 155–156

Wolframalpha, 74

WPA/WPA2, 301–302, 304–306

X

Xcode exploit scanner, 67

DNS enumeration, 75

fierce in BackTrack, 72–74

file analysis, 68

Foca, 68

harvesting e-mail lists, 69–71

scanning subdomains, 71–72

for SSL version, 74–75

TheHarvester, 72

wordlist collection, from target website, 71

XMAS scan, 105

XPATH injection, 333–334

XSS, see Cross-site scripting (XSS)

XXE injection vulnerability, 459–460

Y

Yamas, 158

Yougetsignal.com

exact location, tracing of, 57

ritx tool, 56

traceroute, 57–58

Z

Zenmap, 117–118; see also Nmap

Zone transfer

automating, 80

with host command, 79–80

reverse DNS lookup with fierce, 78–79
