Ethical Hacking and Penetration Testing Guide. CRC Press

RAFAY BALOCH

Purchase Now !
Just with Paypal

Book Details

Price	3.50 USD
Pages	523 p
File Size	22,976 KB
File Type	PDF format
ISBN	978-1-4822-3162-5 (eBook - PDF)
Copyright	2015 by Taylor & Francis Group, LLC

About the Author

Rafay Baloch is the founder/CEO of RHA InfoSec. He runs one of the top security blogs in

Pakistan with more than 25,000 subscribers (http://rafayhackingarticles.net). He has participated

in various bug bounty programs and has helped several major Internet corporations such

as Google, Facebook, Twitter, Yahoo!, eBay, etc., to improve their Internet security. Rafay was

successful in finding a remote code execution vulnerability along with several other high-risk

vulnerabilities inside PayPal, for which he was awarded a huge sum of money as well as an offer

to work for PayPal. His major areas of research interest are in network security, bypassing modern

security defenses such as WAFs, DOM-based XSS, and other HTML 5–based attack vectors.

Rafay holds CPTE, CPTC, CSWAE, CVA, CSS, OSCP, CCNA R & S, CCNP Route, and

eWAPT certifications.

Acknowledgments

I am eternally indebted to the editor, Rich O’Hanley, for his encouragement and continuous support

and my dear friend Prakhar Prasad for his help at various stages of this book.

I also thank Mohammed Ramadan for his help and support and Soroush Dallili for his ideas

with file upload tricks. Many thanks to my friends Alex Infuhr and Giuseppe Trotta for their

help with various sections of the “Web Hacking” chapter, Shahmeer Amir for his help with the

“Wireless Hacking” chapter, and Tehseen Javed for his help with the “Linux Basics” chapter.

I also thank my mentors Prof. Asim Rizvi, David Vieira-Kurz, Ziaullah Mirza and last but not

least, I thank the following keypersons: Mario Heiderich, Deepankar Arora, Nir Goldshlager, Britto

Fleming Joe, Nishant Das Patnaik, Pepe Vila, Ray friedman, Armando Romeo, Tyler Borland,

Zeeshan Haider, Nehal hussain, Rafael Souza, and Fatima Hanif.

I also thank my family members and relatives for always being supportive.

Table of Contents

Preface.............................................................................................................................. xxiii

Acknowledgments..............................................................................................................xxv

Author..............................................................................................................................xxvii

1 Introduction to Hacking

Important Terminologies.................................................................................................... 2

Asset.......................................................................................................................... 2

Vulnerability.............................................................................................................. 3

Threat........................................................................................................................ 3

Exploit....................................................................................................................... 3

Risk........................................................................................................................... 3

What Is a Penetration Test?....................................................................................... 3

Vulnerability Assessments versus Penetration Test..................................................... 3

Preengagement.......................................................................................................... 3

Rules of Engagement................................................................................................. 4

Milestones................................................................................................................. 4

Penetration Testing Methodologies............................................................................ 5

OSSTMM................................................................................................................. 5

NIST......................................................................................................................... 6

OWASP..................................................................................................................... 7

Categories of Penetration Test............................................................................................. 7

Black Box.................................................................................................................. 7

White Box................................................................................................................. 7

Gray Box................................................................................................................... 7

Types of Penetration Tests......................................................................................... 7

Network Penetration Test................................................................................. 8

Web Application Penetration Test.................................................................... 8

Mobile Application Penetration Test................................................................ 8

Social Engineering Penetration Test................................................................. 8

Physical Penetration Test.................................................................................. 8

Report Writing.......................................................................................................... 8

Understanding the Audience..................................................................................... 9

Executive Class................................................................................................. 9

Management Class........................................................................................... 9

Technical Class................................................................................................. 9

Writing Reports.................................................................................................................10

Structure of a Penetration Testing Report..........................................................................10

Cover Page................................................................................................................10

Table of Contents.....................................................................................................10

Executive Summary..................................................................................................11

Remediation Report................................................................................................ 12

Vulnerability Assessment Summary.................................................................................. 12

Tabular Summary.....................................................................................................13

Risk Assessment.................................................................................................................14

Risk Assessment Matrix............................................................................................14

Methodology.....................................................................................................................14

Detailed Findings.....................................................................................................15

Description......................................................................................................15

Explanation.....................................................................................................16

Risk.................................................................................................................16

Recommendation............................................................................................16

Reports.....................................................................................................................17

Conclusion.........................................................................................................................17

2 Linux Basics

Major Linux Operating Systems........................................................................................19

File Structure inside of Linux............................................................................................ 20

File Permission in Linux.......................................................................................... 22

Group Permission........................................................................................... 22

Linux Advance/Special Permission................................................................. 22

Link Permission.............................................................................................. 23

Suid & Guid Permission................................................................................. 23

Stickybit Permission....................................................................................... 23

Chatter Permission......................................................................................... 24

Most Common and Important Commands............................................................. 24

Linux Scheduler (Cron Job)...............................................................................................25

Cron Permission...................................................................................................... 26

Cron Permission............................................................................................. 26

Cron Files....................................................................................................... 26

Users inside of Linux........................................................................................................ 28

Linux Services......................................................................................................... 29

Linux Password Storage........................................................................................... 29

Linux Logging......................................................................................................... 30

Common Applications of Linux....................................................................................... 30

What Is BackTrack?.......................................................................................................... 30

How to Get BackTrack 5 Running...........................................................................31

Installing BackTrack on Virtual Box........................................................................31

Installing BackTrack on a Portable USB...................................................................35

Installing BackTrack on Your Hard Drive............................................................... 39

BackTrack Basics..................................................................................................... 43

Changing the Default Screen Resolution.......................................................................... 43

Some Unforgettable Basics....................................................................................... 44

Changing the Password.................................................................................. 44

Clearing the Screen........................................................................................ 44

Listing the Contents of a Directory................................................................ 44

Displaying Contents of a Specific Directory................................................... 44

Displaying the Contents of a File.....................................................................45

Creating a Directory........................................................................................45

Changing the Directories................................................................................45

Windows.........................................................................................................45

Linux...............................................................................................................45

Creating a Text File.........................................................................................45

Copying a File.................................................................................................45

Current Working Directory.............................................................................45

Renaming a File..............................................................................................45

Moving a File................................................................................................. 46

Removing a File.............................................................................................. 46

Locating Certain Files inside BackTrack.................................................................. 46

Text Editors inside BackTrack........................................................................................... 46

Getting to Know Your Network........................................................................................47

Dhclient....................................................................................................................47

Services............................................................................................................................. 48

MySQL.................................................................................................................... 48

SSHD...................................................................................................................... 48

Postgresql................................................................................................................. 50

Other Online Resources....................................................................................................51

3 Information Gathering Techniques

Active Information Gathering............................................................................................53

Passive Information Gathering...........................................................................................53

Sources of Information Gathering.................................................................................... 54

Copying Websites Locally................................................................................................. 54

Information Gathering with Whois..........................................................................55

Finding Other Websites Hosted on the Same Server............................................... 56

Yougetsignal.com.............................................................................................................. 56

Tracing the Location................................................................................................57

Traceroute.................................................................................................................57

ICMP Traceroute..................................................................................................... 58

TCP Traceroute....................................................................................................... 58

Usage.............................................................................................................. 58

UDP Traceroute...................................................................................................... 58

Usage.............................................................................................................. 58

NeoTrace...........................................................................................................................59

Cheops-ng.........................................................................................................................59

Enumerating and Fingerprinting the Webservers..................................................... 60

Intercepting a Response.................................................................................................... 60

Acunetix Vulnerability Scanner............................................................................... 62

WhatWeb......................................................................................................................... 62

Netcraft............................................................................................................................ 63

Google Hacking...................................................................................................... 63

Some Basic Parameters...................................................................................................... 64

Site........................................................................................................................... 64

Example............................................................................................................................ 64

TIP regarding Filetype......................................................................................................65

Google Hacking Database....................................................................................... 66

Hackersforcharity.org/ghdb...............................................................................................67

Xcode Exploit Scanner.......................................................................................................67

File Analysis............................................................................................................. 68

Foca......................................................................................................................... 68

Harvesting E-Mail Lists.......................................................................................... 69

Gathering Wordlist from a Target Website.............................................................. 71

Scanning for Subdomains........................................................................................ 71

TheHarvester........................................................................................................... 72

Fierce in BackTrack................................................................................................. 72

Scanning for SSL Version.........................................................................................74

DNS Enumeration................................................................................................... 75

Interacting with DNS Servers........................................................................................... 75

Nslookup...........................................................................................................................76

DIG...................................................................................................................................76

Forward DNS Lookup............................................................................................. 77

Forward DNS Lookup with Fierce.................................................................................... 77

Reverse DNS........................................................................................................... 78

Reverse DNS Lookup with Dig............................................................................... 78

Reverse DNS Lookup with Fierce..................................................................................... 78

Zone Transfers......................................................................................................... 79

Zone Transfer with Host Command................................................................................ 79

Automating Zone Transfers.............................................................................................. 80

DNS Cache Snooping.............................................................................................. 80

What Is DNS Cache Snooping?.........................................................................................81

Nonrecursive Method...............................................................................................81

Recursive Method.................................................................................................... 82

What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?........ 83

Attack Scenario................................................................................................................. 84

Automating DNS Cache Snooping Attacks...................................................................... 84

Sniffing SNMP Passwords................................................................................................ 84

OneSixtyOne.....................................................................................................................85

Snmpenum........................................................................................................................85

SolarWinds Toolset............................................................................................................85

SNMP Sweep.................................................................................................................... 86

SNMP Brute Force and Dictionary.................................................................................. 86

SNMP Brute Force Tool................................................................................................... 86

SNMP Dictionary Attack Tool......................................................................................... 87

SMTP Enumeration......................................................................................................... 87

Detecting Load Balancers........................................................................................ 88

Load Balancer Detector........................................................................................... 89

Determining Real IP behind Load Balancers.......................................................... 89

Bypassing CloudFlare Protection............................................................................. 90

Method 1: Resolvers....................................................................................... 90

Method 2: Subdomain Trick.......................................................................... 92

Method 3: Mail Servers.................................................................................. 92

Intelligence Gathering Using Shodan............................................................................... 93

Further Reading............................................................................................................... 95

Conclusion........................................................................................................................ 95

4 Target Enumeration and Port Scanning Techniques

Host Discovery................................................................................................................. 97

Scanning for Open Ports and Services............................................................................ 100

Types of Port Scanning................................................................................................... 100

Understanding the TCP Three-Way Handshake..............................................................101

TCP Flags........................................................................................................................101

Port Status Types.............................................................................................................102

TCP SYN Scan................................................................................................................102

TCP Connect Scan..........................................................................................................103

NULL, FIN, and XMAS Scans.......................................................................................104

NULL Scan.....................................................................................................................104

FIN Scan.........................................................................................................................105

XMAS Scan.....................................................................................................................105

TCP ACK Scan...............................................................................................................105

Responses........................................................................................................................106

UDP Port Scan................................................................................................................106

Anonymous Scan Types...................................................................................................107

IDLE Scan.......................................................................................................................107

Scanning for a Vulnerable Host.......................................................................................107

Performing an IDLE Scan with NMAP..........................................................................109

TCP FTP Bounce Scan...................................................................................................109

Service Version Detection................................................................................................110

OS Fingerprinting........................................................................................................... 111

POF................................................................................................................................. 111

Output.............................................................................................................................112

Normal Format.......................................................................................................112

Grepable Format.....................................................................................................112

XML Format..........................................................................................................113

Advanced Firewall/IDS Evading Techniques...................................................................113

Timing Technique...........................................................................................................114

Wireshark Output...........................................................................................................114

Fragmented Packets......................................................................................................... 115

Wireshark Output........................................................................................................... 115

Source Port Scan.............................................................................................................. 115

Specifying an MTU.........................................................................................................116

Sending Bad Checksums.................................................................................................116

Decoys.............................................................................................................................117

ZENMAP.......................................................................................................................117

Further Reading..............................................................................................................119

5 Vulnerability Assessment

What Are Vulnerability Scanners and How Do They Work?...........................................121

Pros and Cons of a Vulnerability Scanner....................................................................... 122

Vulnerability Assessment with Nmap............................................................................. 122

Updating the Database................................................................................................... 122

Scanning MS08 _ 067 _ netapi................................................................................ 123

Testing SCADA Environments with Nmap.................................................................... 123

Installation............................................................................................................ 124

Usage..................................................................................................................... 124

Nessus Vulnerability Scanner.......................................................................................... 124

Home Feed.............................................................................................................125

Professional Feed....................................................................................................125

Installing Nessus on BackTrack.......................................................................................125

Adding a User..................................................................................................................125

Nessus Control Panel............................................................................................. 126

Reports......................................................................................................... 126

Mobile.......................................................................................................... 126

Scan ............................................................................................................. 127

Policies.......................................................................................................... 127

Users............................................................................................................. 127

Configuration............................................................................................... 127

Default Policies...................................................................................................... 127

Creating a New Policy.................................................................................................... 128

Safe Checks.................................................................................................................... 128

Silent Dependencies........................................................................................................ 128

Avoid Sequential Scans.......................................................................................... 128

Port Range.......................................................................................................................129

Credentials.............................................................................................................129

Plug-Ins..................................................................................................................129

Preferences...................................................................................................................... 130

Scanning the Target............................................................................................... 130

Nessus Integration with Metasploit..................................................................................132

Importing Nessus to Metasploit.......................................................................................132

Scanning the Target................................................................................................133

Reporting...............................................................................................................133

OpenVas.................................................................................................................133

Resource......................................................................................................................... 134

Vulnerability Data Resources................................................................................. 134

Exploit Databases...................................................................................................135

Using Exploit-db with BackTrack................................................................................... 136

Searching for Exploits inside BackTrack..........................................................................137

Conclusion.......................................................................................................................138

6 Network Sniffing

Introduction....................................................................................................................139

Types of Sniffing..............................................................................................................140

Active Sniffing........................................................................................................140

Passive Sniffing.......................................................................................................140

Hubs versus Switches.......................................................................................................140

Promiscuous versus Nonpromiscuous Mode....................................................................141

MITM Attacks................................................................................................................141

ARP Protocol Basics........................................................................................................142

How ARP Works.............................................................................................................142

ARP Attacks....................................................................................................................143

MAC Flooding.......................................................................................................143

Macof............................................................................................................143

ARP Poisoning.......................................................................................................144

Scenario—How It Works................................................................................................144

Denial of Service Attacks.................................................................................................144

Tools of the Trade............................................................................................................145

Dsniff.....................................................................................................................145

Using ARP Spoof to Perform MITM Attacks.................................................................145

Usage......................................................................................................................146

Sniffing the Traffic with Dsniff........................................................................................147

Sniffing Pictures with Drifnet..........................................................................................147

Urlsnarf and Webspy.......................................................................................................148

Sniffing with Wireshark...................................................................................................149

Ettercap...........................................................................................................................150

ARP Poisoning with Ettercap..........................................................................................150

Hijacking Session with MITM Attack.............................................................................152

Attack Scenario................................................................................................................152

ARP Poisoning with Cain and Abel.................................................................................153

Sniffing Session Cookies with Wireshark.........................................................................155

Hijacking the Session.......................................................................................................156

SSL Strip: Stripping HTTPS Traffic................................................................................157

Requirements...................................................................................................................157

Usage......................................................................................................................158

Automating Man in the Middle Attacks..........................................................................158

Usage......................................................................................................................158

DNS Spoofing.................................................................................................................159

ARP Spoofing Attack.............................................................................................159

Manipulating the DNS Records.............................................................................160

Using Ettercap to Launch DNS Spoofing Attack....................................................160

DHCP Spoofing..............................................................................................................160

Conclusion.......................................................................................................................161

7 Remote Exploitation

Understanding Network Protocols...................................................................................163

Transmission Control Protocol...............................................................................164

User Datagram Protocol.........................................................................................164

Internet Control Messaging Protocol......................................................................164

Server Protocols...............................................................................................................164

Text-Based Protocols (Important)...........................................................................164

Binary Protocols.....................................................................................................164

FTP...............................................................................................................165

SMTP............................................................................................................165

HTTP...........................................................................................................165

Further Reading..............................................................................................................165

Resources.........................................................................................................................166

Attacking Network Remote Services................................................................................166

Overview of Brute Force Attacks............................................................................166

Traditional Brute Force.................................................................................166

Dictionary Attacks........................................................................................166

Hybrid Attacks..............................................................................................167

Common Target Protocols...............................................................................................167

Tools of the Trade............................................................................................................167

THC Hydra............................................................................................................167

Basic Syntax for Hydra....................................................................................................168

Cracking Services with Hydra................................................................................168

Hydra GUI......................................................................................................................170

Medusa...................................................................................................................170

Basic Syntax.....................................................................................................................170

OpenSSH Username Discovery Bug................................................................................170

Cracking SSH with Medusa............................................................................................171

Ncrack....................................................................................................................171

Basic Syntax.....................................................................................................................171

Cracking an RDP with Ncrack........................................................................................172

Case Study of a Morto Worm.................................................................................172

Combining Nmap and Ncrack for Optimal Results........................................................172

Attacking SMTP....................................................................................................173

Important Commands.....................................................................................................174

Real-Life Example...........................................................................................................174

Attacking SQL Servers.....................................................................................................175

MySQL Servers.......................................................................................................175

Fingerprinting MySQL Version.......................................................................................175

Testing for Weak Authentication.....................................................................................175

MS SQL Servers..............................................................................................................176

Fingerprinting the Version...............................................................................................177

Brute Forcing SA Account...............................................................................................177

Using Null Passwords......................................................................................................178

Introduction to Metasploit...............................................................................................178

History of Metasploit.......................................................................................................178

Metasploit Interfaces........................................................................................................178

MSFConsole....................................................................................................................178

MSFcli....................................................................................................................179

MSFGUI................................................................................................................179

Armitage.................................................................................................................179

Metasploit Utilities..........................................................................................................179

MSFPayload.....................................................................................................................179

MSFEncode.....................................................................................................................179

MSFVenom.....................................................................................................................179

Metasploit Basic Commands...........................................................................................180

Search Feature in Metasploit............................................................................................180

Use Command.................................................................................................................181

Info Command................................................................................................................181

Show Options..................................................................................................................181

Set/Unset Command.......................................................................................................182

Reconnaissance with Metasploit......................................................................................182

Port Scanning with Metasploit........................................................................................182

Metasploit Databases.......................................................................................................182

Storing Information from Nmap into Metasploit Database.............................................183

Useful Scans with Metasploit...........................................................................................184

Port Scanners..........................................................................................................184

Specific Scanners....................................................................................................184

Compromising a Windows Host with Metasploit............................................................184

Metasploit Autopwn........................................................................................................188

db _ autopwn in Action..............................................................................................188

Nessus and Autopwn.......................................................................................................189

Armitage.................................................................................................................189

Interface...........................................................................................................................190

Launching Armitage........................................................................................................190

Compromising Your First Target from Armitage.............................................................191

Enumerating and Fingerprinting the Target....................................................................191

MSF Scans.......................................................................................................................192

Importing Hosts..............................................................................................................192

Vulnerability Assessment.................................................................................................193

Exploitation.....................................................................................................................193

Check Feature..................................................................................................................195

Hail Mary........................................................................................................................196

Conclusion.......................................................................................................................196

References........................................................................................................................196

8 Client Side Exploitation

Client Side Exploitation Methods....................................................................................197

Attack Scenario 1: E-Mails Leading to Malicious Attachments..............................197

Attack Scenario 2: E-Mails Leading to Malicious Links.........................................197

Attack Scenario 3: Compromising Client Side Update...........................................198

Attack Scenario 4: Malware Loaded on USB Sticks................................................198

E-Mails with Malicious Attachments.....................................................................198

Creating a Custom Executable.......................................................................198

Creating a Backdoor with SET......................................................................198

PDF Hacking................................................................................................201

Introduction....................................................................................................................201

Header................................................................................................................... 202

Body...................................................................................................................... 202

Cross Reference Table............................................................................................ 202

Trailer.................................................................................................................... 202

PDF Launch Action........................................................................................................ 202

Creating a PDF Document with a Launch Action.......................................................... 203

Controlling the Dialog Boxes................................................................................ 205

PDF Reconnaissance............................................................................................. 205

Tools of the Trade........................................................................................................... 205

PDFINFO............................................................................................................. 205

PDFINFO “Your PDF Document”.............................................................. 206

PDFTK................................................................................................................. 206

Origami Framework....................................................................................................... 207

Installing Origami Framework on BackTrack................................................................. 207

Attacking with PDF........................................................................................................ 208

Fileformat Exploits................................................................................................ 208

Browser Exploits.................................................................................................... 208

Scenario from Real World............................................................................................... 209

Adobe PDF Embedded EXE............................................................................................210

Social Engineering Toolkit...............................................................................................211

Attack Scenario 2: E-Mails Leading to Malicious Links.........................................213

Credential Harvester Attack............................................................................................214

Tabnabbing Attack..........................................................................................................215

Other Attack Vectors.......................................................................................................216

Browser Exploitation........................................................................................................217

Attacking over the Internet with SET..............................................................................217

Attack Scenario over the Internet.....................................................................................217

Using Windows Box as Router (Port Forwarding).......................................................... 220

Browser AutoPWN................................................................................................ 220

Why Use Browser AutoPWN?.........................................................................................221

Problem with Browser AutoPWN....................................................................................221

VPS/Dedicated Server.................................................................................................... 223

Attack Scenario 3: Compromising Client Side Update.......................................... 223

How Evilgrade Works..................................................................................................... 223

Prerequisites.................................................................................................................... 223

Attack Vectors....................................................................................................... 223

Internal Network Attack Vectors........................................................................... 223

External Network Attack Vectors.......................................................................... 224

Evilgrade Console.................................................................................................. 224

Attack Scenario..................................................................................................... 224

Attack Scenario 4: Malware Loaded on USB Sticks............................................... 227

Teensy USB.................................................................................................................... 229

Conclusion...................................................................................................................... 229

Further Reading............................................................................................................. 229

9 Postexploitation

Acquiring Situation Awareness........................................................................................231

Enumerating a Windows Machine.........................................................................231

Enumerating Local Groups and Users....................................................................233

Enumerating a Linux Machine...............................................................................233

Enumerating with Meterpreter...............................................................................235

Identifying Processes.....................................................................................235

Interacting with the System...........................................................................235

User Interface Command..............................................................................235

Privilege Escalation......................................................................................................... 236

Maintaining Stability............................................................................................ 236

Escalating Privileges....................................................................................................... 237

Bypassing User Access Control.............................................................................. 238

Impersonating the Token....................................................................................... 239

Escalating Privileges on a Linux Machine...............................................................241

Maintaining Access.........................................................................................................241

Installing a Backdoor.......................................................................................................241

Cracking the Hashes to Gain Access to Other Services...................................................241

Backdoors........................................................................................................................241

Disabling the Firewall............................................................................................ 242

Killing the Antivirus.............................................................................................. 242

Netcat.................................................................................................................... 243

MSFPayload/MSFEncode............................................................................................... 244

Generating a Backdoor with MSFPayload............................................................. 244

MSFEncode............................................................................................................245

MSFVenom.................................................................................................................... 246

Persistence..............................................................................................................247

What Is a Hash?.....................................................................................................249

Hashing Algorithms...............................................................................................249

Windows Hashing Methods...................................................................................250

LAN Manager (LM)..............................................................................................250

NTLM/NTLM2....................................................................................................250

Kerberos.................................................................................................................250

Where Are LM/NTLM Hashes Located?...............................................................250

Dumping the Hashes.......................................................................................................251

Scenario 1—Remote Access....................................................................................251

Scenario 2—Local Access.......................................................................................251

Ophcrack................................................................................................................252

References........................................................................................................................253

Scenario 3—Offline System...................................................................................253

Ophcrack LiveCD..................................................................................................253

Bypassing the Log-In..............................................................................................253

References........................................................................................................................253

Cracking the Hashes........................................................................................................253

Bruteforce...............................................................................................................253

Dictionary Attacks................................................................................................ 254

Password Salts........................................................................................................ 254

Rainbow Tables..................................................................................................... 254

John the Ripper...............................................................................................................255

Cracking LM/NTLM Passwords with JTR............................................................255

Cracking Linux Passwords with JTR......................................................................256

Rainbow Crack................................................................................................................256

Sorting the Tables...................................................................................................257

Cracking the Hashes with rcrack............................................................................258

Speeding Up the Cracking Process.........................................................................258

Gaining Access to Remote Services........................................................................258

Enabling the Remote Desktop................................................................................259

Adding Users to the Remote Desktop.....................................................................259

Data Mining....................................................................................................................259

Gathering OS Information.................................................................................... 260

Harvesting Stored Credentials................................................................................261

Identifying and Exploiting Further Targets.................................................................... 262

Mapping the Internal Network.............................................................................. 263

Finding Network Information............................................................................... 264

Identifying Further Targets....................................................................................265

Pivoting................................................................................................................. 266

Scanning Ports and Services and Detecting OS......................................................267

Compromising Other Hosts on the Network Having the Same Password............. 268

psexec............................................................................................................................. 269

Exploiting Targets...................................................................................................270

Conclusion.......................................................................................................................270

10 Windows Exploit Development Basics

Prerequisites.....................................................................................................................271

What Is a Buffer Overflow?.............................................................................................271

Vulnerable Application................................................................................................... 272

How to Find Buffer Overflows........................................................................................ 273

Methodology.................................................................................................................. 273

Getting the Software Up and Running........................................................................... 273

Causing the Application to Crash................................................................................... 273

Skeleton Exploit...............................................................................................................275

Determining the Offset......................................................................................... 278

Identifying Bad Characters.................................................................................... 280

Figuring Out Bad Characters with Mona........................................................................281

Overwriting the Return Address............................................................................ 283

NOP Sledges......................................................................................................... 285

Generating the ShellCode...................................................................................... 286

Generating Metasploit Module....................................................................................... 287

Porting to Metasploit...................................................................................................... 288

Conclusion...................................................................................................................... 290

Further Resources........................................................................................................... 290

11 Wireless Hacking

Introduction....................................................................................................................291

Requirements...................................................................................................................291

Introducing Aircrack-ng...................................................................................................293

Uncovering Hidden SSIDs..............................................................................................293

Turning on the Monitor Mode....................................................................................... 294

Monitoring Beacon Frames on Wireshark...................................................................... 294

Monitoring with Airodump-ng....................................................................................... 295

Speeding Up the Process................................................................................................. 296

Bypassing MAC Filters on Wireless Networks....................................................... 296

Cracking a WEP Wireless Network with Aircrack-ng........................................... 298

Placing Your Wireless Adapter in Monitor Mode............................................................ 298

Determining the Target with Airodump-ng................................................................... 299

Attacking the Target.............................................................................................. 299

Speeding Up the Cracking Process........................................................................ 300

Injecting ARP Packets........................................................................................... 300

Cracking the WEP.................................................................................................301

Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng...................................... 302

Capturing Packets........................................................................................................... 303

Capturing the Four-Way Handshake.............................................................................. 303

Cracking WPA/WAP2................................................................................................... 304

Using Reaver to Crack WPS-Enabled Wireless Networks..................................... 305

Reducing the Delay........................................................................................................ 306

Further Reading............................................................................................................. 306

Setting Up a Fake Access Point with SET to PWN Users...................................... 306

Attack Scenario............................................................................................................... 309

Evil Twin Attack.....................................................................................................310

Scanning the Neighbors...................................................................................................311

Spoofing the MAC..........................................................................................................311

Setting Up a Fake Access Point........................................................................................311

Causing Denial of Service on the Original AP.................................................................311

Conclusion.......................................................................................................................312

12 Web Hacking

Attacking the Authentication...........................................................................................313

Username Enumeration..........................................................................................314

Invalid Username with Invalid Password................................................................314

Valid Username with Invalid Password...................................................................314

Enabling Browser Cache to Store Passwords...........................................................314

Brute Force and Dictionary Attacks................................................................................. 315

Types of Authentication................................................................................................... 315

HTTP Basic Authentication................................................................................... 315

HTTP-Digest Authentication.................................................................................316

Form-Based Authentication....................................................................................317

Exploiting Password Reset Feature.........................................................................319

Etsy.com Password Reset Vulnerability............................................................................319

Attacking Form-Based Authentication................................................................... 320

Brute Force Attack.......................................................................................................... 322

Attacking HTTP Basic Auth................................................................................. 323

Further Reading............................................................................................................. 326

Log-In Protection Mechanisms.............................................................................. 326

CAPTCHA Validation Flaw................................................................................. 326

CAPTCHA Reset Flaw......................................................................................... 328

Manipulating User-Agents to Bypass CAPTCHA and Other Protections..............329

Real-World Example.............................................................................................. 330

Authentication Bypass Attacks............................................................................... 330

Authentication Bypass Using SQL Injection.......................................................... 330

Testing for SQL Injection Auth Bypass...................................................................331

Authentication Bypass Using XPATH Injection.....................................................333

Testing for XPATH Injection........................................................................333

Authentication Bypass Using Response Tampering............................................... 334

Crawling Restricted Links.............................................................................................. 334

Testing for the Vulnerability............................................................................................335

Automating It with Burp Suite.............................................................................. 336

Authentication Bypass with Insecure Cookie Handling.................................................. 336

Session Attacks.......................................................................................................339

Guessing Weak Session ID.....................................................................................339

Session Fixation Attacks........................................................................................ 341

Requirements for This Attack......................................................................................... 342

How the Attack Works................................................................................................... 342

SQL Injection Attacks........................................................................................... 342

What Is an SQL Injection?.................................................................................... 342

Types of SQL Injection.......................................................................................... 342

Union-Based SQL Injection......................................................................... 343

Error-Based SQL Injection........................................................................... 343

Blind SQL Injection..................................................................................... 343

Detecting SQL Injection....................................................................................... 343

Determining the Injection Type............................................................................ 343

Union-Based SQL Injection (MySQL).................................................................. 344

Testing for SQL Injection............................................................................................... 344

Determining the Number of Columns...................................................................345

Determining the Vulnerable Columns................................................................... 346

Fingerprinting the Database.................................................................................. 347

Enumeration Information...................................................................................... 347

Information_schema.............................................................................................. 348

Information_schema Tables................................................................................... 348

Enumerating All Available Databases.................................................................... 348

Enumerating All Available Tables in the Database................................................. 349

Extracting Columns from Tables........................................................................... 349

Extracting Data from Columns..............................................................................350

Using group _ concat......................................................................................350

MySQL Version ≤ 5................................................................................................351

Guessing Table Names.....................................................................................................351

Guessing Columns.................................................................................................352

SQL Injection to Remote Command Execution.....................................................352

Reading Files...................................................................................................................353

Writing Files....................................................................................................................353

Blind SQL Injection...............................................................................................355

Boolean-Based SQLi......................................................................................355

True Statement.......................................................................................................355

False Statement.......................................................................................................356

Enumerating the DB User......................................................................................356

Enumerating the MYSQL Version..........................................................................358

Guessing Tables......................................................................................................358

Guessing Columns in the Table..............................................................................359

Extracting Data from Columns............................................................................. 360

Time-Based SQL Injection.....................................................................................361

Vulnerable Application....................................................................................................361

Testing for Time-Based SQL Injection........................................................................... 362

Enumerating the DB User..................................................................................... 362

Guessing the Table Names..................................................................................... 363

Guessing the Columns........................................................................................... 364

Extracting Data from Columns..............................................................................365

Automating SQL Injections with Sqlmap.............................................................. 366

Enumerating Databases..........................................................................................367

Enumerating Tables................................................................................................367

Enumerating the Columns.....................................................................................367

Extracting Data from the Columns....................................................................... 368

HTTP Header–Based SQL Injection.................................................................... 368

Operating System Takeover with Sqlmap.............................................................. 369

OS-CMD......................................................................................................................... 369

OS-SHELL..................................................................................................................... 369

OS-PWN..........................................................................................................................370

XSS (Cross-Site Scripting)...............................................................................................371

How to Identify XSS Vulnerability..................................................................................371

Types of Cross-Site Scripting...........................................................................................371

Reflected/Nonpersistent XSS...........................................................................................372

Vulnerable Code.....................................................................................................372

Medium Security.............................................................................................................373

Vulnerable Code.....................................................................................................373

High Security..................................................................................................................373

Bypassing htmlspecialchars.....................................................................................374

UTF-32 XSS Trick: Bypass 1...........................................................................................375

Svg Craziness: Bypass 2....................................................................................................375

Bypass 3: href Attribute...................................................................................................376

Stored XSS/Persistent XSS.............................................................................................. 377

Payloads.......................................................................................................................... 377

Blind XSS........................................................................................................................378

DOM-Based XSS............................................................................................................378

Detecting DOM-Based XSS...................................................................................378

Sources (Inputs).............................................................................................378

Sinks (Creating/Modifying HTML Elements)..............................................378

Static JS Analysis to Identify DOM-Based XSS..................................................... 384

How Does It Work?................................................................................................385

Setting Up JSPRIME.............................................................................................385

Dominator: Dynamic Taint Analysis.............................................................................. 390

POC for Internet Explorer.............................................................................................. 394

POC for Chrome............................................................................................................ 394

Pros/Cons........................................................................................................................395

Cross Browser DOM XSS Detection...............................................................................395

Types of DOM-Based XSS............................................................................................. 397

Reflected DOM XSS............................................................................................. 397

Stored DOM XSS.................................................................................................. 397

Exploiting XSS...................................................................................................... 399

Cookie Stealing with XSS...................................................................................... 399

Exploiting XSS for Conducting Phishing Attacks.................................................. 402

Compromising Victim’s Browser with XSS............................................................ 404

Exploiting XSS with BeEF.............................................................................................. 405

Setting Up BeEF on BackTrack...................................................................................... 405

Demo Pages.................................................................................................................... 408

BeEF Modules....................................................................................................... 409

Module: Replace HREFs.............................................................................. 409

Module: Getcookie....................................................................................... 409

Module: Tabnabbing.....................................................................................410

BeEF in Action.......................................................................................................412

Cross-Site Request Forgery (CSRF).................................................................................413

Why Does a CSRF Attack Work?....................................................................................413

How to Attack.................................................................................................................413

GET-Based CSRF............................................................................................................414

POST-Based CSRF..........................................................................................................414

CSRF Protection Techniques...........................................................................................415

Referrer-Based Checking.................................................................................................415

Anti-CSRF Tokens..........................................................................................................415

Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm........................................416

Tokens Not Validated upon Server..................................................................................416

Analyzing Weak Anti-CSRF Token Strength..................................................................417

Bypassing CSRF with XSS..............................................................................................419

File Upload Vulnerabilities.....................................................................................421

Bypassing Client Side Restrictions......................................................................... 423

Bypassing MIME-Type Validation........................................................................ 423

Real-World Example....................................................................................................... 425

Bypassing Blacklist-Based Protections................................................................... 425

Case 1: Blocking Malicious Extensions.................................................................. 425

Bypass.......................................................................................................... 426

Case 2: Case-Sensitive Bypass................................................................................ 426

Bypass.......................................................................................................... 426

Real-World Example....................................................................................................... 426

Vulnerable Code.................................................................................................... 426

Case 3: When All Dangerous Extensions Are Blocked.......................................... 426

XSS via File Upload...................................................................................... 427

Flash-Based XSS via File Upload.................................................................. 428

Case 4: Double Extensions Vulnerabilities............................................................. 429

Apache Double Extension Issues................................................................... 429

IIS 6 Double Extension Issues...................................................................... 429

Case 5: Using Trailing Dots.................................................................................. 429

Case 6: Null Byte Trick......................................................................................... 429

Case 7: Bypassing Image Validation....................................................................... 429

Case 8: Overwriting Critical Files.......................................................................... 430

Real-World Example........................................................................................................431

File Inclusion Vulnerabilities............................................................................................431

Remote File Inclusion..................................................................................................... 432

Patching File Inclusions on the Server Side..................................................................... 433

Local File Inclusion............................................................................................... 433

Linux..................................................................................................................... 434

Windows............................................................................................................... 434

LFI Exploitation Using /proc/self/environ.............................................................. 434

Log File Injection.................................................................................................. 436

Finding Log Files: Other Tricks............................................................................. 440

Exploiting LFI Using PHP Input........................................................................... 440

Exploiting LFI Using File Uploads........................................................................ 441

Read Source Code via LFI..................................................................................... 442

Local File Disclosure Vulnerability........................................................................ 443

Vulnerable Code........................................................................................... 443

Local File Disclosure Tricks................................................................................... 445

Remote Command Execution............................................................................... 446

Uploading Shells.................................................................................................... 448

Server Side Include Injection..................................................................................452

Testing a Website for SSI Injection..................................................................................452

Executing System Commands.........................................................................................453

Spawning a Shell..............................................................................................................453

SSRF Attacks...................................................................................................................454

Impact.............................................................................................................................455

Example of a Vulnerable PHP Code.......................................................................456

Remote SSRF.........................................................................................................457

Simple SSRF..................................................................................................457

Partial SSRF..................................................................................................458

Denial of Service............................................................................................................. 463

Denial of Service Using External Entity Expansion (XEE).................................... 463

Full SSRF.............................................................................................................. 464

dict://............................................................................................................ 464

gopher://........................................................................................................465

http://............................................................................................................465

Causing the Crash................................................................................................. 466

Overwriting Return Address........................................................................................... 467

Generating Shellcode...................................................................................................... 467

Server Hacking............................................................................................................... 469

Apache Server..................................................................................................................470

Testing for Disabled Functions...............................................................................470

Open _ basedir Misconfiguration....................................................................472

Using CURL to Bypass Open _ basedir Restrictions.......................................474

Open _ basedir PHP 5.2.9 Bypass...................................................................475

Reference.........................................................................................................................476

Bypassing open _ basedir Using CGI Shell.....................................................476

Bypassing open _ basedir Using Mod _ Perl, Mod _ Python............... 477

Escalating Privileges Using Local Root Exploits............................................................. 477

Back Connecting............................................................................................................ 477

Finding the Local Root Exploit.......................................................................................478

Usage...............................................................................................................................478

Finding a Writable Directory...........................................................................................479

Bypassing Symlinks to Read Configuration Files............................................................ 480

Who Is Affected?.............................................................................................................481

Basic Syntax.....................................................................................................................481

Why This Works.................................................................................................... 482

Symlink Bypass: Example 1................................................................................... 482

Finding the Username........................................................................................... 482

/etc/passwd File..................................................................................... 483

/etc/valiases File................................................................................. 483

Path Disclosure............................................................................................. 483

Uploading .htaccess to Follow Symlinks................................................................ 484

Symlinking the Configuration Files....................................................................... 484

Connecting to and Manipulating the Database.............................................................. 485

Updating the Password................................................................................................... 486

Symlink the Root Directory.................................................................................. 486

Example 3: Compromising WHMCS Server......................................................... 487

Finding a WHMCS Server............................................................................................. 487

Symlinking the Configuration File................................................................................. 488

WHMCS Killer..................................................................................................... 488

Disabling Security Mechanisms............................................................................. 490

Disabling Mod _ Security............................................................................... 490

Disabling Open _ basedir and Safe _ mode............................................ 490

Using CGI, PERL, or Python Shell to Bypass Symlinks.........................................491

Conclusion.......................................................................................................................491

Bookscreen

Preface

Ethical hacking strikes all of us as a subject that requires a great deal of prerequisite knowledge

about things like heavy duty software, languages that includes hordes of syntaxes, algorithms

that could be generated by maestros only. Well that’s not the case, to some extent. This book

introduces the steps required to complete a penetration test, or ethical hack. Requiring no prior

hacking experience, the book explains how to utilize and interpret the results of modern day

hacking tools that are required to complete a penetration test. Coverage includes Backtrack Linux,

Google Reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn,

Netcat, and Hacker Defender rootkit. Simple explanations of how to use these tools and a fourstep

methodology for conducting a penetration test provide readers with a better understanding

of offensive security.

Being an ethical hacker myself, I know how difficult it is for people who are new into hacking

to excel at this skill without having any prior knowledge and understanding of how things work.

Keeping this exigent thing in mind, I have provided those who are keen to learn ethical hacking

with the best possible explanations in the most easy and understandable manner so that they will

not only gain pleasure while reading, but they will have the urge to put into practice what have

they learned from it.

The sole aim and objective of writing this book is to target the beginners who look for a complete

guide to turn their dream of becoming an ethical hacker into a reality. This book elucidates

the building blocks of ethical hacking that will help readers to develop an insight of the matter in

hand. It will help them fathom what ethical hacking is all about and how one can actually run a

penetration test with great success.

I have put in a lot of hard work to make this book a success. I remember spending hours and

hours in front of my computer typing indefatigably, ignoring all the text messages of my friends

when they asked me to come along and spend some time with them, which left me despondent,

but now, when I see my book finally completed, it gives me immense pleasure that the efforts of a

whole year have finally paid off.

This book came out as a result of my own experiences during my ethical hacking journey.

Experiences that are worth sharing with all the passionate people out there.

It makes me elated to the core when I see my third book on the subject of hacking published,

and I hope and pray that everyone likes it.

Best of luck to everyone out there.

Rafay Baloch