Free Ethical Hacking and Penetration Testing Guide
October 03, 2019

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide is a complete introduction to the steps of a penetration test, or ethical hack, from beginning to end. You will learn how to use modern hacking tools properly and how to interpret their results, which is what completing a penetration test requires. The book covers a wide range of tools, including BackTrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast-Track Autopwn, Netcat, and the Hacker Defender rootkit. It gives a simple, clear explanation of how to use these tools effectively and details a four-step methodology for conducting a penetration test.

The book is an accessible introduction to penetration testing and gives you a fundamental understanding of offensive security. After completing it you will be ready for in-depth and advanced topics in hacking and penetration testing. It walks through each step and tool in a structured, orderly manner, showing how the output of each tool feeds the subsequent phases of the test, so you can see clearly how the tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but don't know where to start, it will help take your skills to the next level. The topics comply with international standards and with what is taught in international certifications. Everything you need is in the book, whether you are a beginner or not.

Contents

Preface
Acknowledgments
Author

Chapter 1: Introduction to Hacking
  Important Terminologies
    Asset
    Vulnerability
    Threat
    Exploit
    Risk
    What Is a Penetration Test?
    Vulnerability Assessments versus Penetration Test
    Preengagement
    Rules of Engagement
    Milestones
    Penetration Testing Methodologies
    OSSTMM
    NIST
    OWASP
  Categories of Penetration Test
    Black Box
    White Box
    Gray Box
    Types of Penetration Tests
      Network Penetration Test
      Web Application Penetration Test
      Mobile Application Penetration Test
      Social Engineering Penetration Test
      Physical Penetration Test
    Report Writing
    Understanding the Audience
      Executive Class
      Management Class
      Technical Class
  Writing Reports
  Structure of a Penetration Testing Report
    Cover Page
    Table of Contents
    Executive Summary
    Remediation Report
  Vulnerability Assessment Summary
    Tabular Summary
  Risk Assessment
    Risk Assessment Matrix
  Methodology
    Detailed Findings
      Description
      Explanation
      Risk
      Recommendation
    Reports
  Conclusion

Chapter 2: Linux Basics
  Major Linux Operating Systems
  File Structure inside of Linux
    File Permission in Linux
      Group Permission
      Linux Advance/Special Permission
      Link Permission
      Suid & Guid Permission
      Stickybit Permission
      Chatter Permission
    Most Common and Important Commands
  Linux Scheduler (Cron Job)
    Cron Permission
      Cron Permission
      Cron Files
  Users inside of Linux
    Linux Services
    Linux Password Storage
    Linux Logging
  Common Applications of Linux
  What Is BackTrack?
    How to Get BackTrack 5 Running
    Installing BackTrack on Virtual Box
    Installing BackTrack on a Portable USB
    Installing BackTrack on Your Hard Drive
    BackTrack Basics
  Changing the Default Screen Resolution
    Some Unforgettable Basics
      Changing the Password
      Clearing the Screen
      Listing the Contents of a Directory
      Displaying Contents of a Specific Directory
      Displaying the Contents of a File
      Creating a Directory
      Changing the Directories
        Windows
        Linux
      Creating a Text File
      Copying a File
      Current Working Directory
      Renaming a File
      Moving a File
      Removing a File
    Locating Certain Files inside BackTrack
  Text Editors inside BackTrack
  Getting to Know Your Network
    Dhclient
  Services
    MySQL
    SSHD
    Postgresql
  Other Online Resources

Chapter 3: Information Gathering Techniques
  Active Information Gathering
  Passive Information Gathering
  Sources of Information Gathering
  Copying Websites Locally
    Information Gathering with Whois
    Finding Other Websites Hosted on the Same Server
  Yougetsignal.com
    Tracing the Location
    Traceroute
    ICMP Traceroute
    TCP Traceroute
      Usage
    UDP Traceroute
      Usage
  NeoTrace
  Cheops-ng
    Enumerating and Fingerprinting the Webservers
  Intercepting a Response
    Acunetix Vulnerability Scanner
  WhatWeb
  Netcraft
    Google Hacking
  Some Basic Parameters
    Site
  Example
  TIP regarding Filetype
    Google Hacking Database
  Hackersforcharity.org/ghdb
  Xcode Exploit Scanner
    File Analysis
    Foca
    Harvesting E-Mail Lists
    Gathering Wordlist from a Target Website
    Scanning for Subdomains
    TheHarvester
    Fierce in BackTrack
    Scanning for SSL Version
    DNS Enumeration
  Interacting with DNS Servers
  Nslookup
  DIG
    Forward DNS Lookup
  Forward DNS Lookup with Fierce
    Reverse DNS
    Reverse DNS Lookup with Dig
  Reverse DNS Lookup with Fierce
    Zone Transfers
  Zone Transfer with Host Command
  Automating Zone Transfers
    DNS Cache Snooping
  What Is DNS Cache Snooping?
    Nonrecursive Method
    Recursive Method
    What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?
  Attack Scenario
  Automating DNS Cache Snooping Attacks
    Enumerating SNMP
  Problem with SNMP
  Sniffing SNMP Passwords
  OneSixtyOne
  Snmpenum
  SolarWinds Toolset
  SNMP Sweep
  SNMP Brute Force and Dictionary
  SNMP Brute Force Tool
  SNMP Dictionary Attack Tool
  SMTP Enumeration
    Detecting Load Balancers
    Load Balancer Detector
    Determining Real IP behind Load Balancers
    Bypassing CloudFlare Protection
      Method 1: Resolvers
      Method 2: Subdomain Trick
      Method 3: Mail Servers
  Intelligence Gathering Using Shodan
  Further Reading
  Conclusion

Chapter 4: Target Enumeration and Port Scanning Techniques
  Host Discovery
  Scanning for Open Ports and Services
  Types of Port Scanning
  Understanding the TCP Three-Way Handshake
  TCP Flags
  Port Status Types
  TCP SYN Scan
  TCP Connect Scan
  NULL, FIN, and XMAS Scans
  NULL Scan
  FIN Scan
  XMAS Scan
  TCP ACK Scan
  Responses
  UDP Port Scan
  Anonymous Scan Types
  IDLE Scan
  Scanning for a Vulnerable Host
  Performing an IDLE Scan with NMAP
  TCP FTP Bounce Scan
  Service Version Detection
  OS Fingerprinting
  P0f
  Output
    Normal Format
    Grepable Format
    XML Format
  Advanced Firewall/IDS Evading Techniques
  Timing Technique
  Wireshark Output
  Fragmented Packets
  Wireshark Output
  Source Port Scan
  Specifying an MTU
  Sending Bad Checksums
  Decoys
  ZENMAP
  Further Reading

Chapter 5: Vulnerability Assessment
  What Are Vulnerability Scanners and How Do They Work?
  Pros and Cons of a Vulnerability Scanner
  Vulnerability Assessment with Nmap
  Updating the Database
    Scanning MS08_067_netapi
  Testing SCADA Environments with Nmap
    Installation
    Usage
  Nessus Vulnerability Scanner
    Home Feed
    Professional Feed
  Installing Nessus on BackTrack
  Adding a User
    Nessus Control Panel
      Reports
      Mobile
      Scan
      Policies
      Users
      Configuration
    Default Policies
  Creating a New Policy
  Safe Checks
  Silent Dependencies
    Avoid Sequential Scans
  Port Range
    Credentials
    Plug-Ins
  Preferences
    Scanning the Target
  Nessus Integration with Metasploit
  Importing Nessus to Metasploit
    Scanning the Target
    Reporting
    OpenVAS
  Resource
    Vulnerability Data Resources
    Exploit Databases
  Using Exploit-db with BackTrack
  Searching for Exploits inside BackTrack
  Conclusion

Chapter 6: Network Sniffing
  Introduction
  Types of Sniffing
    Active Sniffing
    Passive Sniffing
  Hubs versus Switches
  Promiscuous versus Nonpromiscuous Mode
  MITM Attacks
  ARP Protocol Basics
  How ARP Works
  ARP Attacks
    MAC Flooding
      Macof
    ARP Poisoning
  Scenario—How It Works
  Denial of Service Attacks
  Tools of the Trade
    Dsniff
  Using ARP Spoof to Perform MITM Attacks
    Usage
  Sniffing the Traffic with Dsniff
  Sniffing Pictures with Driftnet
  Urlsnarf and Webspy
  Sniffing with Wireshark
  Ettercap
  ARP Poisoning with Ettercap
  Hijacking Session with MITM Attack
  Attack Scenario
  ARP Poisoning with Cain and 
Abel................................................................................153 Sniffing Session Cookies with Wireshark........................................................................155 Hijacking the Session......................................................................................................156 SSL Strip: Stripping HTTPS Traffic ...............................................................................157 Requirements..................................................................................................................157 Usage.....................................................................................................................158 Automating Man in the Middle Attacks.........................................................................158 Usage.....................................................................................................................158 DNS Spoofing ................................................................................................................159 ARP Spoofing Attack ............................................................................................159 Manipulating the DNS Records............................................................................160 Using Ettercap to Launch DNS Spoofing Attack...................................................160 DHCP Spoofing .............................................................................................................160 Conclusion......................................................................................................................161 7 Remote Exploitation.................................................................................................163 Understanding Network Protocols..................................................................................163 Transmission Control Protocol 
..............................................................................164 User Datagram Protocol ........................................................................................164 Internet Control Messaging Protocol.....................................................................164 Server Protocols ..............................................................................................................164 Text-Based Protocols (Important)..........................................................................164 Binary Protocols ....................................................................................................164 FTP..............................................................................................................165 SMTP...........................................................................................................165 HTTP ..........................................................................................................165 Further Reading .............................................................................................................165 Resources........................................................................................................................166 Attacking Network Remote Services...............................................................................166 Overview of Brute Force Attacks...........................................................................166 Traditional Brute Force ................................................................................166 Dictionary Attacks .......................................................................................166 Hybrid Attacks.............................................................................................167 Common Target Protocols..............................................................................................167 Tools of the 
Trade...........................................................................................................167 THC Hydra...........................................................................................................167 Basic Syntax for Hydra ...................................................................................................168 Cracking Services with Hydra ...............................................................................168 Hydra GUI.....................................................................................................................170 Medusa ..................................................................................................................170 Basic Syntax....................................................................................................................170 OpenSSH Username Discovery Bug...............................................................................170 Cracking SSH with Medusa ...........................................................................................171 Ncrack...................................................................................................................171 Basic Syntax....................................................................................................................171 Cracking an RDP with Ncrack.......................................................................................172 Case Study of a Morto Worm................................................................................172 Combining Nmap and Ncrack for Optimal Results .......................................................172 Attacking SMTP ...................................................................................................173 Important Commands....................................................................................................174 Real-Life Example 
..........................................................................................................174 Attacking SQL Servers....................................................................................................175 MySQL Servers......................................................................................................175 Fingerprinting MySQL Version ......................................................................................175 Testing for Weak Authentication ....................................................................................175 MS SQL Servers .............................................................................................................176 Fingerprinting the Version..............................................................................................177 Brute Forcing SA Account ..............................................................................................177 Using Null Passwords.....................................................................................................178 Introduction to Metasploit..............................................................................................178 History of Metasploit......................................................................................................178 Metasploit Interfaces.......................................................................................................178 MSFConsole...................................................................................................................178 MSFcli...................................................................................................................179 MSFGUI...............................................................................................................179 Armitage................................................................................................................179 Metasploit Utilities 
.........................................................................................................179 MSFPayload....................................................................................................................179 MSFEncode....................................................................................................................179 MSFVenom ....................................................................................................................179 Metasploit Basic Commands ..........................................................................................180 Search Feature in Metasploit...........................................................................................180 Use Command................................................................................................................181 Info Command...............................................................................................................181 Show Options.................................................................................................................181 Set/Unset Command......................................................................................................182 Reconnaissance with Metasploit .....................................................................................182 Port Scanning with Metasploit .......................................................................................182 Metasploit Databases......................................................................................................182 Storing Information from Nmap into Metasploit Database ............................................183 Useful Scans with Metasploit..........................................................................................184 Port Scanners.........................................................................................................184 Specific Scanners 
...................................................................................................184 Compromising a Windows Host with Metasploit...........................................................184 Metasploit Autopwn .......................................................................................................188 db _ autopwn in Action .............................................................................................188 Nessus and Autopwn ......................................................................................................189 Armitage................................................................................................................189 Interface..........................................................................................................................190 Launching Armitage.......................................................................................................190 Compromising Your First Target from Armitage............................................................191 Enumerating and Fingerprinting the Target ...................................................................191 MSF Scans......................................................................................................................192 Importing Hosts .............................................................................................................192 Vulnerability Assessment ................................................................................................193 Exploitation ....................................................................................................................193 Check Feature.................................................................................................................195 Hail Mary.......................................................................................................................196 
Conclusion......................................................................................................................196 References.......................................................................................................................196 8 Client Side Exploitation ...........................................................................................197 Client Side Exploitation Methods...................................................................................197 Attack Scenario 1: E-Mails Leading to Malicious Attachments.............................197 Attack Scenario 2: E-Mails Leading to Malicious Links........................................197 Attack Scenario 3: Compromising Client Side Update..........................................198 Attack Scenario 4: Malware Loaded on USB Sticks...............................................198 E-Mails with Malicious Attachments ....................................................................198 Creating a Custom Executable......................................................................198 Creating a Backdoor with SET.....................................................................198 PDF Hacking ...............................................................................................201 Introduction ...................................................................................................................201 Header.................................................................................................................. 202 Body ..................................................................................................................... 202 Cross Reference Table........................................................................................... 202 Trailer................................................................................................................... 
202 PDF Launch Action....................................................................................................... 202 Creating a PDF Document with a Launch Action......................................................... 203 Controlling the Dialog Boxes ............................................................................... 205 PDF Reconnaissance ............................................................................................ 205 Tools of the Trade.......................................................................................................... 205 PDFINFO............................................................................................................ 205 PDFINFO “Your PDF Document” ............................................................. 206 PDFTK ................................................................................................................ 206 Origami Framework ...................................................................................................... 207 Installing Origami Framework on BackTrack................................................................ 207 Attacking with PDF....................................................................................................... 208 Fileformat Exploits ............................................................................................... 208 Browser Exploits................................................................................................... 208 Scenario from Real World.............................................................................................. 
209 Adobe PDF Embedded EXE...........................................................................................210 Social Engineering Toolkit..............................................................................................211 Attack Scenario 2: E-Mails Leading to Malicious Links........................................213 Credential Harvester Attack ...........................................................................................214 Tabnabbing Attack .........................................................................................................215 Other Attack Vectors......................................................................................................216 Browser Exploitation.......................................................................................................217 Attacking over the Internet with SET.............................................................................217 Attack Scenario over the Internet....................................................................................217 Using Windows Box as Router (Port Forwarding)......................................................... 220 Browser AutoPWN............................................................................................... 220 Why Use Browser AutoPWN?........................................................................................221 Problem with Browser AutoPWN...................................................................................221 VPS/Dedicated Server ................................................................................................... 223 Attack Scenario 3: Compromising Client Side Update......................................... 223 How Evilgrade Works.................................................................................................... 
223 Prerequisites................................................................................................................... 223 Attack Vectors ...................................................................................................... 223 Internal Network Attack Vectors.......................................................................... 223 External Network Attack Vectors ......................................................................... 224 Evilgrade Console................................................................................................. 224 Attack Scenario..................................................................................................... 224 Attack Scenario 4: Malware Loaded on USB Sticks.............................................. 227 Teensy USB ................................................................................................................... 229 Conclusion..................................................................................................................... 229 Further Reading ............................................................................................................ 
229 9 Postexploitation........................................................................................................231 Acquiring Situation Awareness........................................................................................231 Enumerating a Windows Machine ........................................................................231 Enumerating Local Groups and Users ...................................................................233 Enumerating a Linux Machine..............................................................................233 Enumerating with Meterpreter ..............................................................................235 Identifying Processes ....................................................................................235 Interacting with the System..........................................................................235 User Interface Command .............................................................................235 Privilege Escalation........................................................................................................ 236 Maintaining Stability ........................................................................................... 236 Escalating Privileges....................................................................................................... 237 Bypassing User Access Control ............................................................................. 238 Impersonating the Token...................................................................................... 
239 Escalating Privileges on a Linux Machine..............................................................241 Maintaining Access.........................................................................................................241 Installing a Backdoor......................................................................................................241 Cracking the Hashes to Gain Access to Other Services ..................................................241 Backdoors.......................................................................................................................241 Disabling the Firewall........................................................................................... 242 Killing the Antivirus............................................................................................. 242 Netcat................................................................................................................... 243 MSFPayload/MSFEncode.............................................................................................. 244 Generating a Backdoor with MSFPayload ............................................................ 244 MSFEncode...........................................................................................................245 MSFVenom ................................................................................................................... 246 Persistence .............................................................................................................247 What Is a Hash? 
....................................................................................................249 Hashing Algorithms ..............................................................................................249 Windows Hashing Methods..................................................................................250 LAN Manager (LM) .............................................................................................250 NTLM/NTLM2...................................................................................................250 Kerberos ................................................................................................................250 Where Are LM/NTLM Hashes Located?..............................................................250 Dumping the Hashes......................................................................................................251 Scenario 1—Remote Access...................................................................................251 Scenario 2—Local Access......................................................................................251 Ophcrack...............................................................................................................252 References.......................................................................................................................253 Scenario 3—Offline System ..................................................................................253 Ophcrack LiveCD .................................................................................................253 Bypassing the Log-In.............................................................................................253 References.......................................................................................................................253 Cracking the Hashes.......................................................................................................253 
Bruteforce..............................................................................................................253 Dictionary Attacks ............................................................................................... 254 Password Salts....................................................................................................... 254 Rainbow Tables .................................................................................................... 254 John the Ripper ..............................................................................................................255 Cracking LM/NTLM Passwords with JTR...........................................................255 Cracking Linux Passwords with JTR.....................................................................256 Rainbow Crack...............................................................................................................256 Sorting the Tables..................................................................................................257 Cracking the Hashes with rcrack ...........................................................................258 Speeding Up the Cracking Process ........................................................................258 Gaining Access to Remote Services .......................................................................258 Enabling the Remote Desktop...............................................................................259 Adding Users to the Remote Desktop....................................................................259 Data Mining...................................................................................................................259 Gathering OS Information ................................................................................... 
260
  Harvesting Stored Credentials ... 261
  Identifying and Exploiting Further Targets ... 262
  Mapping the Internal Network ... 263
  Finding Network Information ... 264
  Identifying Further Targets ... 265
  Pivoting ... 266
  Scanning Ports and Services and Detecting OS ... 267
  Compromising Other Hosts on the Network Having the Same Password ... 268
  psexec ... 269
  Exploiting Targets ... 270
  Conclusion ... 270

10 Windows Exploit Development Basics ... 271
  Prerequisites ... 271
  What Is a Buffer Overflow? ... 271
  Vulnerable Application ... 272
  How to Find Buffer Overflows ... 273
  Methodology ... 273
  Getting the Software Up and Running ... 273
  Causing the Application to Crash ... 273
  Skeleton Exploit ... 275
  Determining the Offset ... 278
  Identifying Bad Characters ... 280
  Figuring Out Bad Characters with Mona ... 281
  Overwriting the Return Address ... 283
  NOP Sledges ... 285
  Generating the ShellCode ... 286
  Generating Metasploit Module ... 287
  Porting to Metasploit ... 288
  Conclusion ... 290
  Further Resources ... 290

11 Wireless Hacking ... 291
  Introduction ... 291
  Requirements ... 291
  Introducing Aircrack-ng ... 293
  Uncovering Hidden SSIDs ... 293
  Turning on the Monitor Mode ... 294
  Monitoring Beacon Frames on Wireshark ... 294
  Monitoring with Airodump-ng ... 295
  Speeding Up the Process ... 296
  Bypassing MAC Filters on Wireless Networks ... 296
  Cracking a WEP Wireless Network with Aircrack-ng ... 298
  Placing Your Wireless Adapter in Monitor Mode ... 298
  Determining the Target with Airodump-ng ... 299
  Attacking the Target ... 299
  Speeding Up the Cracking Process ... 300
  Injecting ARP Packets ... 300
  Cracking the WEP ... 301
  Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng ... 302
  Capturing Packets ... 303
  Capturing the Four-Way Handshake ... 303
  Cracking WPA/WPA2 ... 304
  Using Reaver to Crack WPS-Enabled Wireless Networks ... 305
  Reducing the Delay ... 306
  Further Reading ... 306
  Setting Up a Fake Access Point with SET to PWN Users ... 306
  Attack Scenario ... 309
  Evil Twin Attack ... 310
  Scanning the Neighbors ... 311
  Spoofing the MAC ... 311
  Setting Up a Fake Access Point ... 311
  Causing Denial of Service on the Original AP ... 311
  Conclusion ... 312

12 Web Hacking ... 313
  Attacking the Authentication ... 313
  Username Enumeration ... 314
  Invalid Username with Invalid Password ... 314
  Valid Username with Invalid Password ... 314
  Enabling Browser Cache to Store Passwords ... 314
  Brute Force and Dictionary Attacks ... 315
  Types of Authentication ... 315
  HTTP Basic Authentication ... 315
  HTTP-Digest Authentication ... 316
  Form-Based Authentication ... 317
  Exploiting Password Reset Feature ... 319
  Etsy.com Password Reset Vulnerability ... 319
  Attacking Form-Based Authentication ... 320
  Brute Force Attack ... 322
  Attacking HTTP Basic Auth ... 323
  Further Reading ... 326
  Log-In Protection Mechanisms ... 326
  CAPTCHA Validation Flaw ... 326
  CAPTCHA Reset Flaw ... 328
  Manipulating User-Agents to Bypass CAPTCHA and Other Protections ... 329
  Real-World Example ... 330
  Authentication Bypass Attacks ... 330
  Authentication Bypass Using SQL Injection ... 330
  Testing for SQL Injection Auth Bypass ... 331
  Authentication Bypass Using XPATH Injection ... 333
  Testing for XPATH Injection ... 333
  Authentication Bypass Using Response Tampering ... 334
  Crawling Restricted Links ... 334
  Testing for the Vulnerability ... 335
  Automating It with Burp Suite ... 336
  Authentication Bypass with Insecure Cookie Handling ... 336
  Session Attacks ... 339
  Guessing Weak Session ID ... 339
  Session Fixation Attacks ... 341
  Requirements for This Attack ... 342
  How the Attack Works ... 342
  SQL Injection Attacks ... 342
  What Is an SQL Injection? ... 342
  Types of SQL Injection ... 342
  Union-Based SQL Injection ... 343
  Error-Based SQL Injection ... 343
  Blind SQL Injection ... 343
  Detecting SQL Injection ... 343
  Determining the Injection Type ... 343
  Union-Based SQL Injection (MySQL) ... 344
  Testing for SQL Injection ... 344
  Determining the Number of Columns ... 345
  Determining the Vulnerable Columns ... 346
  Fingerprinting the Database ... 347
  Enumeration Information ... 347
  Information_schema ... 348
  Information_schema Tables ... 348
  Enumerating All Available Databases ... 348
  Enumerating All Available Tables in the Database ... 349
  Extracting Columns from Tables ... 349
  Extracting Data from Columns ... 350
  Using group_concat ... 350
  MySQL Version ≤ 5 ... 351
  Guessing Table Names ... 351
  Guessing Columns ... 352
  SQL Injection to Remote Command Execution ... 352
  Reading Files ... 353
  Writing Files ... 353
  Blind SQL Injection ... 355
  Boolean-Based SQLi ... 355
  True Statement ... 355
  False Statement ... 356
  Enumerating the DB User ... 356
  Enumerating the MySQL Version ... 358
  Guessing Tables ... 358
  Guessing Columns in the Table ... 359
  Extracting Data from Columns ... 360
  Time-Based SQL Injection ... 361
  Vulnerable Application ... 361
  Testing for Time-Based SQL Injection ... 362
  Enumerating the DB User ... 362
  Guessing the Table Names ... 363
  Guessing the Columns ... 364
  Extracting Data from Columns ... 365
  Automating SQL Injections with Sqlmap ... 366
  Enumerating Databases ... 367
  Enumerating Tables ... 367
  Enumerating the Columns ... 367
  Extracting Data from the Columns ... 368
  HTTP Header-Based SQL Injection ... 368
  Operating System Takeover with Sqlmap ... 369
  OS-CMD ... 369
  OS-SHELL ... 369
  OS-PWN ... 370
  XSS (Cross-Site Scripting) ... 371
  How to Identify XSS Vulnerability ... 371
  Types of Cross-Site Scripting ... 371
  Reflected/Nonpersistent XSS ... 372
  Vulnerable Code ... 372
  Medium Security ... 373
  Vulnerable Code ... 373
  High Security ... 373
  Bypassing htmlspecialchars ... 374
  UTF-32 XSS Trick: Bypass 1 ... 375
  Svg Craziness: Bypass 2 ... 375
  Bypass 3: href Attribute ... 376
  Stored XSS/Persistent XSS ... 377
  Payloads ... 377
  Blind XSS ... 378
  DOM-Based XSS ... 378
  Detecting DOM-Based XSS ... 378
  Sources (Inputs) ... 378
  Sinks (Creating/Modifying HTML Elements) ... 378
  Static JS Analysis to Identify DOM-Based XSS ... 384
  How Does It Work? ... 385
  Setting Up JSPRIME ... 385
  Dominator: Dynamic Taint Analysis ... 390
  POC for Internet Explorer ... 394
  POC for Chrome ... 394
  Pros/Cons ... 395
  Cross Browser DOM XSS Detection ... 395
  Types of DOM-Based XSS ... 397
  Reflected DOM XSS ... 397
  Stored DOM XSS ... 397
  Exploiting XSS ... 399
  Cookie Stealing with XSS ... 399
  Exploiting XSS for Conducting Phishing Attacks ... 402
  Compromising Victim's Browser with XSS ... 404
  Exploiting XSS with BeEF ... 405
  Setting Up BeEF on BackTrack ... 405
  Demo Pages ... 408
  BeEF Modules ... 409
  Module: Replace HREFs ... 409
  Module: Getcookie ... 409
  Module: Tabnabbing ... 410
  BeEF in Action ... 412
  Cross-Site Request Forgery (CSRF) ... 413
  Why Does a CSRF Attack Work? ... 413
  How to Attack ... 413
  GET-Based CSRF ... 414
  POST-Based CSRF ... 414
  CSRF Protection Techniques ... 415
  Referrer-Based Checking ... 415
  Anti-CSRF Tokens ... 415
  Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm ... 416
  Tokens Not Validated upon Server ... 416
  Analyzing Weak Anti-CSRF Token Strength ... 417
  Bypassing CSRF with XSS ... 419
  File Upload Vulnerabilities ... 421
  Bypassing Client Side Restrictions ... 423
  Bypassing MIME-Type Validation ... 423
  Real-World Example ... 425
  Bypassing Blacklist-Based Protections ... 425
  Case 1: Blocking Malicious Extensions ... 425
  Bypass ... 426
  Case 2: Case-Sensitive Bypass ... 426
  Bypass ... 426
  Real-World Example ... 426
  Vulnerable Code ... 426
  Case 3: When All Dangerous Extensions Are Blocked ... 426
  XSS via File Upload ... 427
  Flash-Based XSS via File Upload ... 428
  Case 4: Double Extensions Vulnerabilities ... 429
  Apache Double Extension Issues ... 429
  IIS 6 Double Extension Issues ... 429
  Case 5: Using Trailing Dots ... 429
  Case 6: Null Byte Trick ... 429
  Case 7: Bypassing Image Validation ... 429
  Case 8: Overwriting Critical Files ... 430
  Real-World Example ... 431
  File Inclusion Vulnerabilities ... 431
  Remote File Inclusion ... 432
  Patching File Inclusions on the Server Side ... 433
  Local File Inclusion ... 433
  Linux ... 434
  Windows ... 434
  LFI Exploitation Using /proc/self/environ ... 434
  Log File Injection ... 436
  Finding Log Files: Other Tricks ... 440
  Exploiting LFI Using PHP Input ... 440
  Exploiting LFI Using File Uploads ... 441
  Read Source Code via LFI ... 442
  Local File Disclosure Vulnerability ... 443
  Vulnerable Code ... 443
  Local File Disclosure Tricks ... 445
  Remote Command Execution ... 446
  Uploading Shells ... 448
  Server Side Include Injection ... 452
  Testing a Website for SSI Injection ... 452
  Executing System Commands ... 453
  Spawning a Shell ... 453
  SSRF Attacks ... 454
  Impact ... 455
  Example of a Vulnerable PHP Code ... 456
  Remote SSRF ... 457
  Simple SSRF ... 457
  Partial SSRF ... 458
  Denial of Service ... 463
  Denial of Service Using External Entity Expansion (XEE) ... 463
  Full SSRF ... 464
  dict:// ... 464
  gopher:// ... 465
  http:// ... 465
  Causing the Crash ... 466
  Overwriting Return Address ... 467
  Generating Shellcode ... 467
  Server Hacking ... 469
  Apache Server ... 470
  Testing for Disabled Functions ... 470
  Open_basedir Misconfiguration ... 472
  Using CURL to Bypass Open_basedir Restrictions ... 474
  Open_basedir PHP 5.2.9 Bypass ... 475
  Reference ... 476
  Bypassing open_basedir Using CGI Shell ... 476
  Bypassing open_basedir Using Mod_Perl, Mod_Python ... 477
  Escalating Privileges Using Local Root Exploits ... 477
  Back Connecting ... 477
  Finding the Local Root Exploit ... 478
  Usage ... 478
  Finding a Writable Directory ... 479
  Bypassing Symlinks to Read Configuration Files ... 480
  Who Is Affected? ... 481
  Basic Syntax ... 481
  Why This Works ... 482
  Symlink Bypass: Example 1 ... 482
  Finding the Username ... 482
  /etc/passwd File ... 483
  /etc/valiases File ... 483
  Path Disclosure ... 483
  Uploading .htaccess to Follow Symlinks ... 484
  Symlinking the Configuration Files ... 484
  Connecting to and Manipulating the Database ... 485
  Updating the Password ... 486
  Symlink the Root Directory ... 486
  Example 3: Compromising WHMCS Server ... 487
  Finding a WHMCS Server ... 487
  Symlinking the Configuration File ... 488
  WHMCS Killer ... 488
  Disabling Security Mechanisms ... 490
  Disabling Mod_Security ... 490
  Disabling Open_basedir and Safe_mode ... 490
  Using CGI, PERL, or Python Shell to Bypass Symlinks ... 491
  Conclusion ... 491