A
Active information gathering, 53
Active sniffing, 140
Acunetix vulnerability scanner, 62
Address resolution protocol (ARP)
basics, 142
poisoning attack, 309
spoofing attack
denial of service attack, 144–145
Dsniff, 145
to perform MITM attacks, 145–147
poisoning, 144
schematic illustration, 144
working of, 142
Adobe PDF Embedded Exe, 210–211
Aircrack-ng
tools, 293
WEP with, 298
WPA/WPA2 using, 302
Airodump-ng, 295
attacking target, 299
speeding up cracking process, 300
Alpha card, 294
Apache server, hacking
bypassing open_basedir using CGI shell, 476–477
bypassing open_basedir using mod_perl, mod_python, 477
open_basedir misconfiguration, 472–474
open_basedir PHP 5.2.9 bypass, 475–476
testing for disabled functions, 470–472
using CURL to bypass open_basedir restrictions, 474–475
Armitage, 189
feature, 190
fingerprinting target, 191–192
interface for, 190
Metasploit interfaces, 179
ARP, see Address resolution protocol (ARP)
Asset, hacking terminologies, 2
Attack phase, of NIST, 6
Authentication
browser cache to store passwords, 314
invalid password, 314
username enumeration, 314
vulnerabilities against, 313
Burp Suite, 315
bypass with insecure cookie handling, 336–338
guessing weak session ID, 339–341
requirements, 342
session attacks, 339
session fixation attacks, 341–342
SQL injection (see SQL injection)
works, 342
exploiting password reset feature, 319
testing for SQL injection, 330–333
using response tampering, 334
using XPATH injection, 333–334
Autopwn
Armitage (see Armitage)
Avoid sequential scans, 128–129
B
Backdoor
disabling firewall, 242
installation, 241
types, 247
BackTrack, 30
basics, 43
CEWL, 71
default list path, 169
default screen size
Google hacking database, 66
load balancer detector, 89
MySQL service, 48
onesixtyone, 85
snmpenum, 85
snmp-user-enum, 87
TCP traceroute, 58
WhatWeb tool, 62
Whois database, 55
Bad guy, see Black hat hacker
Black box penetration test, 7
Black hat hacker, 1
Blind SQL injection, 343
Boolean-based SQL injection attack, 355
Browser AutoPWN, 220
types, 221
Brute force attack, 253–254, 315
authentication bypass
attacks, 330
testing for SQL injection, 331–333
using response tampering, 334
using XPATH injection, 333–334
CAPTCHA
bypass, manipulating user-agents to, 329–330
reset flaw, 328
HTTP basic authentication, 323–326
hybrid, 167
log-in protection mechanisms, 326
on SA account, 177
traditional, 166
Burp Suite
attack type, 321
automation with, 336
definition, 315
C
Client side exploitation
compromising client side update, 198
DNSAnswerIP configuration, 225
DNS spoofing attacks, 227
Metasploit, 226
Windows binary with msfpayload, 224
e-mails leading to malicious attachments, 197
Adobe PDF Embedded Exe, 210–211
PDF (see PDF)
e-mails leading to malicious links, 197, 213
attack scenario over Internet, 217–220
browser exploitation, 217
credential harvester attack, 214–215
other attack vectors, 216
SET, 217
using Windows box as router, 220
VPS/dedicated server, 223
malware loaded on USB sticks, 198, 227–229
methods, 197
server side vs., 163
success, 197
CloudFlare protection
subdomain trick, 92
Command shell, 194
Cracker, see Black hat hacker
Credential harvester attack, 214–215
Cron, 25
permission, 26
Cross browser DOM XSS detection, 395–397
Cross-site request forgery (CSRF)
not validated upon server, 416–417
predicting/brute forcing weak, 416
attacking work, 413
blocking malicious extensions, 425–426
bypassing
blacklist-based protections, 425
client side restrictions, 423
case-sensitive bypass, 426
dangerous extensions block, 426–428
double extensions vulnerabilities, 429
file upload vulnerabilities, 421–423
GET-based, 414
null byte trick, 429
overwriting critical files, 430–431
protection techniques, 415
referrer-based checking, 415
using trailing dots, 429
Cross-site scripting (XSS)
with BeEF, 405
replace HREFs, 409
blind, 378
compromising victim’s browser with, 404–405
for conducting phishing attacks, 402–403
DOM-based
chrome, POC for, 394
dynamic taint analysis, 390–394
internet explorer, POC for, 394
Jsprime, installing and setting up, 385–390
pros/cons, 395
reflected, 397
static JS analysis to identify, 384–385
tracking/analytics script, 380–381
href attribute, 376
htmlspecialchars, bypassing, 374
identification, 371
medium security, 373
payloads, 377
persistent, 377
reflected/nonpersistent, 372–373
stored, 377
types, 371
UTF-32, 375
D
Data mining, 259
gathering OS information, 260–261
harvesting stored credentials, 261–262
postexploitation process, 259–262
Decoys, 117
Dedicated server, 223
Denial of service attacks, 144–145
DHCP spoofing attack, see Dynamic Host Configuration Protocol (DHCP) spoofing attack
Directory in Linux, 21
Direct static code injection, 450–452
Discovery phase, of NIST, 6
DNSAnswerIP configuration, 225
DNSenum, 80
DNS spoofing
ARP spoofing attack, 159
attacks, 227
DNS record manipulation, 160
ettercap usage, 160
DOM-based XSS
chrome, POC for, 394
dynamic taint analysis, 390–394
internet explorer, POC for, 394
Jsprime, installing and setting up, 385–390
pros/cons, 395
reflected, 397
static JS analysis to identify, 384–385
tracking/analytics script, 380–381
Dynamic Host Configuration Protocol (DHCP) spoofing attack, 160–161
E
Eavesdropping, see Network sniffing
Elite hacker, 2
Error-based SQL injection, 343
Ethical hacker, 2
Etsy.com password reset vulnerability, 319–322
Evil twin attack, 310
Exploitation
Armitage, 189
feature, 190
fingerprinting target, 191–192
interface for, 190
Metasploit interfaces, 179
brute force attacks, 166
hybrid, 167
SA account, 177
traditional, 166
DATA commands, 174
definition of, 3
Hail Mary, 196
HELO commands, 174
hosts importation, 192
Hydra
cracking services with, 168–169
GUI version, 170
info command, 181
Internet Control Messaging Protocol, 164
MAIL FROM commands, 174
Metasploit
check feature, 195
commands, 180
history, 178
reconnaissance with, 182
search feature, 180
specific scanners, 184
MSF scans, 192
ms-sql-empty-password, 178
potential attack vectors, 193–195
RCPT TO commands, 174
server side vs. client side, 163
set/unset command, 182
show options command, 181, 186
SQL servers, 175
test for weak authentication, 175–176
transmission control protocol, 164
use command, 181
User Datagram Protocol, 164
using null passwords, 178
vulnerability assessment, 193–194
Exploit-db, 138
advantage of, 136
with BackTrack, 136
Offensive Security team, 135, 137
searchsploit, 137
F
File inclusion vulnerabilities, 431
patching file inclusions
exploiting LFI using file uploads, 441–442
exploiting LFI using PHP input, 440–441
finding log files, 440
LFI exploitation using /proc/self/environ, 434–436
Linux, 434
local file disclosure, 443–446
read source code via LFI, 442–443
remote command execution, 446–448
windows, 434
remote file inclusion, 432
File permission in Linux, 22–24
File transfer protocol (FTP), 165
FIN scan, 105
Firewall evading techniques, 113
fragmented packets, 115
maximum transmission unit specification, 116
sending bad/incorrect checksums, 116–117
timing technique, 114
Forward DNS lookup
brute forcing technique, 77
Freefloat FTP server, 273
G
Gnome, 30
Google Chrome, POC for, 394
Google hacking, 63
Gray box penetration test, 7
Gray hat hacker, 1
H
Hacker, 1; see also specific types
Hackersforcharity.org/ghdb, 67
Hacktivist, 2
Hashes, 249
algorithm, 249
dictionary attacks, 254
dumping, 251
bypassing log-in, 253
OPHCrack LIVE CD, 253
remote access, 251
to gain access to other services, 241
LAN Manager, 250
NT LAN Manager, 250
password salts, 254
rainbow tables, 254
Windows hashing methods, 250
Hazard risk assessment matrix, 14
Host discovery process, 98–100
httrack tool, 54
Hydra
cracking services with, 168–169
GUI version, 170
Hypertext Transfer Protocol (HTTP), 165
HTTP-digest authentication, 316–317
I
IDLE scan
launching, prerequisites for, 107
with nmap, 109
IDS evading techniques, 113
fragmented packets, 115
maximum transmission unit specification, 116
sending bad/incorrect checksums, 116–117
timing technique, 114
Information gathering techniques
active, 53
attack scenarios, 84
DNS cache snooping attack, 80–84
forward DNS lookup
brute forcing technique, 77
Hackersforcharity.org/ghdb, 67
httrack tool, 54
interacting with DNS servers, 75
NeoTrace, 59
Netcraft, 63
Nslookup, 76
reverse IP lookup, 56
Shodan
Cisco IOS devices, 94
SMTP enumeration, 87
SNMP (see Simple Network Mapping Protocol (SNMP))
sources of, 54
Website Ripper Copier, 55
Xcode exploit scanner, 67
DNS enumeration, 75
file analysis, 68
Foca tool, 68
harvesting e-mail lists, 69–71
TheHarvester, 72
Yougetsignal.com
exact location, tracing of, 57
ritx tool, 56
zone transfer
automating, 80
reverse DNS lookup with fierce, 78–79
Inj3ctor exploit database, 135
Internet
POC for, 394
with SET, 217
Internet Control Messaging Protocol (ICMP), 58, 164
Inurl, 65
J
John the Ripper (JTR), 255
Linux passwords with, 256
K
Kerberos, 250
Knock.py, 74
L
LAN Manager (LM) hashes, 250, 255–256
Linux
advance/special permission, 22–23
applications, 30
BackTrack, 30
basics, 43
MySQL service, 48
chatter permission, 24
cron (see Cron)
directory, 21
exceptions, 20
file structure, 20
group permission, 22
link permission, 23
logging, 30
passwords
with JTR, 256
storage, 29
privilege escalation, 241
services, 29
setgid, 23
setuid, 23
stickybit permission, 23
types, 19
Load balancers
classification of, 88
load balancer detector, 89
Local root exploits
escalating privileges using, 477
M
MAC filtering, on wireless networks, 296–298
MAC flooding, 143
Macof, 143
MAC spoofing, 311
Man in the middle attacks (MITM), 141–142
hijacking session with, 152
Medusa
basic syntax, 170
cracking SSH with, 171
Metasploit
check feature, 195
client side exploitation, 226
commands, 180
history, 178
info command, 181
interfaces
Armitage, 179
MSFcli, 179
MSFConsole, 178
MSFGUI, 179
Nessus vulnerability scanner, 132–133
reconnaissance with, 182
search feature, 180
set/unset command, 182
show options command, 181, 186
specific scanners, 184
Meterpreter
enumeration
identifying processes, 235
interacting with system, 235
user interface command, 235–236
shell, 194
MITM, see Man in the middle attacks (MITM)
Mobile application penetration test, 8
Mona
NOP sledges, 285
overwriting return address, 283–285
Monitor mode
network card to, 294
wireless adapter in, 298
MSFGUI, 179
MSF scans, 192
MySQL servers, 175
N
Ncrack
basic syntax, 171
remote desktop protocol with, 172
NeoTrace, 59
Nessus
vulnerability scanner
approach, 124
avoid sequential scans, 128–129
default policies, 127
home feed, 125
installation on BackTrack, 125
new custom policy, 128
preferences, 130
professional feed, 125
Safe Check, 128
Netcraft, 63
Network orientation, traceroute for, 57
Network penetration test, 8
Network sniffing
ARP (see Address resolution protocol (ARP))
DNS spoofing (see DNS spoofing)
goal of, 139
promiscuous vs. nonpromiscuous mode, 141
session cookies with wireshark, 155–157
types of, 140
webspy, 148
NIST
phases of, 6
Nmap
basic command line format, 100
IDLE scan, 109
maximum transmission unit, 116
into Metasploit database, 183
normal format, 112
OS fingerprinting database, 111
port status types, 102
service version detection, 110
-sP flag in, 98
TCP connect scan, 104
timing technique, 114
XML format, 113
Nslookup, 76
NT LAN Manager (NTLM) hashes, 255–256
NULL scan, 104
O
Open ports, see Port scanning
Open-source security testing methodology manual (OSSTMM), 5–6
OS fingerprinting database, 111
OWASP testing methodology, 7
P
Passive information gathering, 53–54
Passive OS fingerprinting (POF), 111
Passive sniffing, 140
Password salts, 254
Paypal stored XSS, 135
PDF
document
fileformat exploits, 208
hacking, 201
Penetration test
Basecamp website, 5
black box, 7
definition of, 3
executive class, 9
GANTT chart, 5
gray box, 7
management class, 9
NIST, 6
OWASP testing guide, 7
preengagement, 3
report writing
cover page, 10
executive summary, 11
remediation report, 12
table of contents, 10
rules of engagement, 4
technical class, 9
vs. vulnerability assessment, 3
white box, 7
Phishing attacks, 309
credential harvester, 214
DNS spoofing attack, 159
exploiting for conducting, 402–403
social engineering penetration test, 8
Physical penetration test, 8
Ping command, 57
Pivoting process, 262–263, 266–267
Planning phase, of NIST, 6
Port scanning
description of, 100
TCP (see Transmission control protocol (TCP))
UDP scanning, 100
Port status, types of, 102
Postexploitation process
backdoor
disabling firewall, 242
installation, 241
data mining, 259
gathering OS information, 260–261
harvesting stored credentials, 261–262
enumeration
local groups and users, 233
hashes
algorithm, 249
dictionary attacks, 254
LAN Manager, 250
NT LAN Manager, 250
password salts, 254
rainbow tables, 254
identifying and exploiting targets, 270
finding network information, 264–265
mapping internal network, 263–264
network having same password, 268–269
pivoting process, 262–263, 266–267
maintaining access, 241
msfpayload/msfencode, backdoor with, 244–246
network having same password, 268–269
pivoting process, 262–263, 266–267
privilege escalation
on Linux machine, 241
maintaining stability, 236–237
primary token, 239
psexec, 269
rainbow crack, 256
gaining access to remote services, 258
hashes with rcrack, 258
remote desktop, 259
sorting tables, 257
speeding up cracking process, 258
Privilege escalation
on Linux machine, 241
maintaining stability, 236–237
primary token, 239
R
Rainbow crack, 256
gaining access to remote services, 258
hashes with rcrack, 258
remote desktop
adding users to, 259
enabling, 259
sorting tables, 257
speeding up cracking process, 258
Rainbow tables, 254
Remote desktop protocol (RDP), with ncrack, 172
Remote exploitation, see Exploitation
Reverse IP lookup method, 56
Risk
assessment of, 14
definition of, 3
S
Script kiddie, 2
Secure socket layer (SSL)
Server hacking, 469–470; see also Apache server, hacking
text-based protocols, 164
Server side exploitation, 163
Server side include (SSI) injection
executing system commands, 453
Server side request forgery (SSRF) attacks, 454–455
full SSRF
gopher://, 465
overwriting return address, 467
port scanning, 463
reading local files via “php://”, 462–463
remote, 457
XXE injection vulnerability, 459–460
SET, see Social engineering toolkit (SET)
Shellcode generation, 286–287, 467–469
Shodan
Cisco IOS devices, 94
Simple Mail Transfer Protocol (SMTP), 87, 165
Simple Network Mapping Protocol (SNMP)
dictionary attack tools, 86–87
password detection, 84
problem with, 84
Snmpenum, 85
sweep, 86
identifying bad characters, 280–281
Skid, see Script kiddie
SMTP, see Simple Mail Transfer Protocol (SMTP)
SNMP, see Simple Network Mapping Protocol (SNMP)
Social engineering penetration test, 8
Social engineering toolkit (SET)
custom executable with, 198
e-mails leading to malicious links, 217
fake access point setting, 306–309
SQL injection
authentication bypass using, 330–331
automating with SQLmap (see SQLmap, automating SQL injection)
Boolean-based, 355
detecting, 343
error-based, 343
extracting data from columns, 360
false statement, 356
guessing table, 351–352, 358–360
MYSQL version, 358
reading files, 353
to remote command execution, 352–353
authentication bypass, 330–333
determining number of columns, 345–346
determining vulnerable columns, 346–347
enumerating all available databases, 348–349
enumeration information, 347
extracting columns from tables, 349–350
extracting data from columns, 350
fingerprinting database, 347
information_schema, 348
time-based (see Time-based SQL injection)
Sqlmap, automating SQL injection, 366
enumerating databases, 367
enumerating tables, 367
extracting data from columns, 368
HTTP header-based SQL injection, 368
operating system, 369
os-cmd, 369
SSI injection, see Server side include (SSI) injection
SSRF attacks, see Server side request forgery (SSRF) attacks
Stack-based overflow exploit, 273
Supervisory Control and Data Acquisition (SCADA), 123–124
Swiss army knife of vulnerability scanners, see Nessus, vulnerability scanners
Symlink bypass
connecting to and manipulating database, 485–486
disabling
mod_security, 490
open_basedir and safe_mode, 490–491
security mechanisms, 490
to read configuration files, 480–481
shared hosting environment, 481
updating password, 486
uploading .htaccess to follow, 484
using CGI, PERL/Python Shell to, 491
WHMCS server
compromising, 487
configuration file, 488
finding, 487
works, 482
T
Tabnabbing attack, 215–216, 410–412; see also Phishing attacks
TCP, see Transmission control protocol (TCP)
Teensy USB, 229
Text-based protocols, 164
Threat, 3
Time-based SQL injection
extracting data from columns, 365–366
testing for, 362
vulnerable application, 361
Token
primary, 239
Transmission Control Protocol (TCP), 164
port scanning, 100
three-way handshake, 101
traceroute, 58
U
UDP, see User Datagram Protocol (UDP)
Union-based SQL injection, 343–344
User access control (UAC), 238–239
User Datagram Protocol (UDP)
advantage and disadvantage, 164
traceroute, 58
V
VPS server, 223
Vulnerability
assessment
security executives, 12
severity and percentage basis, 13
tabular summary, 13
vulnerabilities breakdown chart, 13
definition of, 3
scanners
advantage and disadvantage of, 122
description of, 121
MS08_067_netapi, 123
Nessus (see Nessus, vulnerability scanners)
with nmap, 122
updating the scripting engine, 122–123
W
Web application penetration test, 8
Web hacking
authentication (see Authentication)
brute force attack (see Brute force attack)
crawling restricted links, 334–336
cross-site scripting (see Cross-site scripting (XSS))
CSRF (see Cross-site request forgery (CSRF))
dictionary attacks, 315
file inclusion vulnerabilities (see File inclusion vulnerabilities)
overwriting return address, 467
server hacking (see Server hacking)
shellcode generation, 286–287, 467–469
SQL injection (see SQL injection)
SSI injection, testing for, 452–454
symlink bypass (see Symlink bypass)
time-based SQL injection, 361–366
Website Ripper Copier, 55
Webspy, 148
White box penetration test, 7
White hat hacker, 1
WHMCS server
compromising, 487
configuration file, 488
locating, 487
Windows exploit
freefloat FTP server, 273
Metasploit
methodology, 273
mona (see Mona)
NOP sledges, 285
prerequisites, 271
identifying bad characters, 280–281
vulnerable application, 272
Wired Equivalent Privacy (WEP)
with aircrack-ng, 298
Wireless networks
hacking
aircrack-ng (see Aircrack-ng)
airodump-ng (see Airodump-ng)
capturing packets, 303
denial of service attack, 311–312
evil twin attack, 310
fake access point setting, 306–309, 311
monitoring beacon frames, 294–295
reducing delay, 306
scanning neighbors, 311
spoofing MAC, 311
reaver to crack WPS-enabled, 305–306
WEP with aircrack-ng, 298
Wireshark, 103
monitoring beacon frames on, 294–295
Wolfram Alpha, 74
X
Xcode exploit scanner, 67
DNS enumeration, 75
file analysis, 68
Foca, 68
harvesting e-mail lists, 69–71
TheHarvester, 72
wordlist collection, from target website, 71
XMAS scan, 105
XSS, see Cross-site scripting (XSS)
XXE injection vulnerability, 459–460
Y
Yamas, 158
Yougetsignal.com
exact location, tracing of, 57
ritx tool, 56
Z
Zenmap, 117–118; see also Nmap
Zone transfer
automating, 80