You are previewing Penetration Testing.
O'Reilly logo
Penetration Testing

Book Description

In Penetration Testing, security researcher and trainer Georgia Weidman provides you with a survey of important skills that any aspiring pentester needs.

Table of Contents

  1. Dedication
  2. About the Author
  3. Foreword
  4. Acknowledgments
  5. Introduction
    1. A Note of Thanks
    2. About This Book
      1. Part I: The Basics
      2. Part II: Assessments
      3. Part III: Attacks
      4. Part IV: Exploit Development
      5. Part V: Mobile Hacking
  6. Penetration Testing Primer
    1. The Stages of the Penetration Test
      1. Pre-engagement
      2. Information Gathering
      3. Threat Modeling
      4. Vulnerability Analysis
      5. Exploitation
      6. Post Exploitation
      7. Reporting
        1. Executive Summary
        2. Technical Report
    2. Summary
  7. I. The Basics
    1. 1. Setting Up Your Virtual Lab
      1. Installing VMware
      2. Setting Up Kali Linux
        1. Configuring the Network for Your Virtual Machine
          1. VMware Player on Microsoft Windows
          2. VMware Fusion on Mac OS
          3. Connecting the Virtual Machine to the Network
          4. Testing Your Internet Access
        2. Installing Nessus
        3. Installing Additional Software
          1. The Ming C Compiler
          2. Hyperion
          3. Veil-Evasion
          4. Ettercap
        4. Setting Up Android Emulators
        5. Smartphone Pentest Framework
      3. Target Virtual Machines
      4. Creating the Windows XP Target
        1. VMware Player on Microsoft Windows
        2. VMware Fusion on Mac OS
        3. Installing and Activating Windows
        4. Installing VMware Tools
          1. VMware Player on Microsoft Windows
          2. VMware Fusion on Mac OS
        5. Turning Off Windows Firewall
        6. Setting User Passwords
        7. Setting a Static IP Address
        8. Making XP Act Like It’s a Member of a Windows Domain
        9. Installing Vulnerable Software
          1. Zervit 0.4
          2. SLMail 5.5
          3. 3Com TFTP 2.0.1
          4. XAMPP 1.7.2
          5. Adobe Acrobat Reader
          6. War-FTP
          7. WinSCP
        10. Installing Immunity Debugger and Mona
      5. Setting Up the Ubuntu 8.10 Target
      6. Creating the Windows 7 Target
        1. Creating a User Account
        2. Opting Out of Automatic Updates
        3. Setting a Static IP Address
        4. Adding a Second Network Interface
        5. Installing Additional Software
      7. Summary
    2. 2. Using Kali Linux
      1. Linux Command Line
      2. The Linux Filesystem
        1. Changing Directories
      3. Learning About Commands: The Man Pages
      4. User Privileges
        1. Adding a User
        2. Adding a User to the sudoers File
        3. Switching Users and Using sudo
        4. Creating a New File or Directory
        5. Copying, Moving, and Removing Files
        6. Adding Text to a File
        7. Appending Text to a File
      5. File Permissions
      6. Editing Files
        1. Searching for Text
        2. Editing a File with vi
      7. Data Manipulation
        1. Using grep
        2. Using sed
        3. Pattern Matching with awk
      8. Managing Installed Packages
      9. Processes and Services
      10. Managing Networking
        1. Setting a Static IP Address
        2. Viewing Network Connections
      11. Netcat: The Swiss Army Knife of TCP/IP Connections
        1. Check to See If a Port Is Listening
        2. Opening a Command Shell Listener
        3. Pushing a Command Shell Back to a Listener
      12. Automating Tasks with cron Jobs
      13. Summary
    3. 3. Programming
      1. Bash Scripting
        1. Ping
        2. A Simple Bash Script
        3. Running Our Script
        4. Adding Functionality with if Statements
        5. A for Loop
        6. Streamlining the Results
      2. Python Scripting
        1. Connecting to a Port
        2. if Statements in Python
      3. Writing and Compiling C Programs
      4. Summary
    4. 4. Using the Metasploit Framework
      1. Starting Metasploit
      2. Finding Metasploit Modules
        1. The Module Database
        2. Built-In Search
      3. Setting Module Options
        1. RHOST
        2. RPORT
        3. SMBPIPE
        4. Exploit Target
      4. Payloads (or Shellcode)
        1. Finding Compatible Payloads
        2. A Test Run
      5. Types of Shells
        1. Bind Shells
        2. Reverse Shells
      6. Setting a Payload Manually
      7. Msfcli
        1. Getting Help
        2. Showing Options
        3. Payloads
      8. Creating Standalone Payloads with Msfvenom
        1. Choosing a Payload
        2. Setting Options
        3. Choosing an Output Format
        4. Serving Payloads
        5. Using the Multi/Handler Module
      9. Using an Auxiliary Module
      10. Summary
  8. II. Assessments
    1. 5. Information Gathering
      1. Open Source Intelligence Gathering
        1. Netcraft
        2. Whois Lookups
        3. DNS Reconnaissance
          1. Nslookup
          2. Host
          3. Zone Transfers
        4. Searching for Email Addresses
        5. Maltego
      2. Port Scanning
        1. Manual Port Scanning
        2. Port Scanning with Nmap
          1. A SYN Scan
          2. A Version Scan
          3. UDP Scans
          4. Scanning a Specific Port
      3. Summary
    2. 6. Finding Vulnerabilities
      1. From Nmap Version Scan to Potential Vulnerability
      2. Nessus
        1. Nessus Policies
        2. Scanning with Nessus
        3. A Note About Nessus Rankings
        4. Why Use Vulnerability Scanners?
        5. Exporting Nessus Results
        6. Researching Vulnerabilities
      3. The Nmap Scripting Engine
      4. Running a Single NSE Script
      5. Metasploit Scanner Modules
      6. Metasploit Exploit Check Functions
      7. Web Application Scanning
        1. Nikto
        2. Attacking XAMPP
        3. Default Credentials
      8. Manual Analysis
        1. Exploring a Strange Port
        2. Finding Valid Usernames
      9. Summary
    3. 7. Capturing Traffic
      1. Networking for Capturing Traffic
      2. Using Wireshark
        1. Capturing Traffic
        2. Filtering Traffic
        3. Following a TCP Stream
        4. Dissecting Packets
      3. ARP Cache Poisoning
        1. ARP Basics
        2. IP Forwarding
        3. ARP Cache Poisoning with Arpspoof
        4. Using ARP Cache Poisoning to Impersonate the Default Gateway
      4. DNS Cache Poisoning
        1. Getting Started
        2. Using Dnsspoof
      5. SSL Attacks
        1. SSL Basics
        2. Using Ettercap for SSL Man-in-the-Middle Attacks
      6. SSL Stripping
        1. Using SSLstrip
      7. Summary
  9. III. Attacks
    1. 8. Exploitation
      1. Revisiting MS08-067
        1. Metasploit Payloads
          1. Staged Payloads
          2. Inline Payloads
        2. Meterpreter
      2. Exploiting WebDAV Default Credentials
        1. Running a Script on the Target Web Server
        2. Uploading a Msfvenom Payload
      3. Exploiting Open phpMyAdmin
        1. Downloading a File with TFTP
      4. Downloading Sensitive Files
        1. Downloading a Configuration File
        2. Downloading the Windows SAM
      5. Exploiting a Buffer Overflow in Third-Party Software
      6. Exploiting Third-Party Web Applications
      7. Exploiting a Compromised Service
      8. Exploiting Open NFS Shares
      9. Summary
    2. 9. Password Attacks
      1. Password Management
      2. Online Password Attacks
        1. Wordlists
          1. User Lists
          2. Password Lists
        2. Guessing Usernames and Passwords with Hydra
      3. Offline Password Attacks
        1. Recovering Password Hashes from a Windows SAM File
        2. Dumping Password Hashes with Physical Access
        3. LM vs. NTLM Hashing Algorithms
        4. The Trouble with LM Password Hashes
        5. John the Ripper
        6. Cracking Linux Passwords
        7. Cracking Configuration File Passwords
        8. Rainbow Tables
        9. Online Password-Cracking Services
      4. Dumping Plaintext Passwords from Memory with Windows Credential Editor
      5. Summary
    3. 10. Client-Side Exploitation
      1. Bypassing Filters with Metasploit Payloads
        1. All Ports
        2. HTTP and HTTPS Payloads
      2. Client-Side Attacks
        1. Browser Exploitation
          1. Running Scripts in a Meterpreter Session
          2. Advanced Parameters
        2. PDF Exploits
          1. Exploiting a PDF Vulnerability
          2. PDF Embedded Executable
        3. Java Exploits
          1. Java Vulnerability
          2. Signed Java Applet
        4. browser_autopwn
        5. Winamp
      3. Summary
    4. 11. Social Engineering
      1. The Social-Engineer Toolkit
      2. Spear-Phishing Attacks
        1. Choosing a Payload
        2. Setting Options
        3. Naming Your File
        4. Single or Mass Email
        5. Creating the Template
        6. Setting the Target
        7. Setting Up a Listener
      3. Web Attacks
      4. Mass Email Attacks
      5. Multipronged Attacks
      6. Summary
    5. 12. Bypassing Antivirus Applications
      1. Trojans
        1. Msfvenom
      2. How Antivirus Applications Work
      3. Microsoft Security Essentials
      4. VirusTotal
      5. Getting Past an Antivirus Program
        1. Encoding
        2. Custom Cross Compiling
        3. Encrypting Executables with Hyperion
        4. Evading Antivirus with Veil-Evasion
          1. Python Shellcode Injection with Windows APIs
          2. Creating Encrypted Python-Generated Executables with Veil-Evasion
      6. Hiding in Plain Sight
      7. Summary
    6. 13. Post Exploitation
      1. Meterpreter
        1. Using the upload Command
        2. getuid
        3. Other Meterpreter Commands
      2. Meterpreter Scripts
      3. Metasploit Post-Exploitation Modules
      4. Railgun
      5. Local Privilege Escalation
        1. getsystem on Windows
        2. Local Escalation Module for Windows
        3. Bypassing UAC on Windows
        4. Udev Privilege Escalation on Linux
          1. Finding a Vulnerability
          2. Finding an Exploit
          3. Copying and Compiling the Exploit on the Target
          4. Adding Code to the /tmp/run File
      6. Local Information Gathering
        1. Searching for Files
        2. Keylogging
        3. Gathering Credentials
        4. net Commands
        5. Another Way In
        6. Checking Bash History
      7. Lateral Movement
        1. PSExec
        2. Pass the Hash
        3. SSHExec
        4. Token Impersonation
        5. Incognito
        6. SMB Capture
      8. Pivoting
        1. Adding a Route in Metasploit
        2. Metasploit Port Scanners
        3. Running an Exploit through a Pivot
        4. Socks4a and ProxyChains
      9. Persistence
        1. Adding a User
        2. Metasploit Persistence
        3. Creating a Linux cron Job
      10. Summary
    7. 14. Web Application Testing
      1. Using Burp Proxy
      2. SQL Injection
        1. Testing for SQL Injection Vulnerabilities
        2. Exploiting SQL Injection Vulnerabilities
        3. Using SQLMap
      3. XPath Injection
      4. Local File Inclusion
      5. Remote File Inclusion
      6. Command Execution
      7. Cross-Site Scripting
        1. Checking for a Reflected XSS Vulnerability
        2. Leveraging XSS with the Browser Exploitation Framework
      8. Cross-Site Request Forgery
      9. Web Application Scanning with w3af
      10. Summary
    8. 15. Wireless Attacks
      1. Setting Up
        1. Viewing Available Wireless Interfaces
        2. Scan for Access Points
      2. Monitor Mode
      3. Capturing Packets
      4. Open Wireless
      5. Wired Equivalent Privacy
        1. WEP Weaknesses
        2. Cracking WEP Keys with Aircrack-ng
          1. Injecting Packets
          2. Generating IVs with the ARP Request Relay Attack
          3. Generating an ARP Request
          4. Cracking the Key
          5. Challenges with WEP Cracking
      6. Wi-Fi Protected Access
      7. WPA2
        1. The Enterprise Connection Process
        2. The Personal Connection Process
        3. The Four-Way Handshake
        4. Cracking WPA/WPA2 Keys
          1. Using Aircrack-ng to Crack WPA/WPA2 Keys
      8. Wi-Fi Protected Setup
        1. Problems with WPS
        2. Cracking WPS with Bully
      9. Summary
  10. IV. Exploit Development
    1. 16. A Stack-Based Buffer Overflow in Linux
      1. Memory Theory
      2. Linux Buffer Overflow
        1. A Vulnerable Program
        2. Causing a Crash
        3. Running GDB
        4. Crashing the Program in GDB
        5. Controlling EIP
        6. Hijacking Execution
        7. Endianness
      3. Summary
    2. 17. A Stack-Based Buffer Overflow in Windows
      1. Searching for a Known Vulnerability in War-FTP
      2. Causing a Crash
      3. Locating EIP
        1. Generating a Cyclical Pattern to Determine Offset
        2. Verifying Offsets
      4. Hijacking Execution
      5. Getting a Shell
      6. Summary
    3. 18. Structured Exception Handler Overwrites
      1. SEH Overwrite Exploits
      2. Passing Control to SEH
      3. Finding the Attack String in Memory
      4. POP POP RET
      5. SafeSEH
      6. Using a Short Jump
      7. Choosing a Payload
      8. Summary
    4. 19. Fuzzing, Porting Exploits, and Metasploit Modules
      1. Fuzzing Programs
        1. Finding Bugs with Code Review
        2. Fuzzing a Trivial FTP Server
        3. Attempting a Crash
      2. Porting Public Exploits to Meet Your Needs
        1. Finding a Return Address
        2. Replacing Shellcode
        3. Editing the Exploit
      3. Writing Metasploit Modules
        1. A Similar Exploit String Module
        2. Porting Our Exploit Code
      4. Exploitation Mitigation Techniques
        1. Stack Cookies
        2. Address Space Layout Randomization
        3. Data Execution Prevention
        4. Mandatory Code Signing
      5. Summary
  11. V. Mobile Hacking
    1. 20. Using the Smartphone Pentest Framework
      1. Mobile Attack Vectors
        1. Text Messages
        2. Near Field Communication
        3. QR Codes
      2. The Smartphone Pentest Framework
        1. Setting Up SPF
        2. Android Emulators
        3. Attaching a Mobile Modem
        4. Building the Android App
        5. Deploying the App
        6. Attaching the SPF Server and App
      3. Remote Attacks
        1. Default iPhone SSH Login
      4. Client-Side Attacks
        1. Client-Side Shell
        2. USSD Remote Control
      5. Malicious Apps
        1. Creating Malicious SPF Agents
          1. Backdooring Source Code
          2. Backdooring APKs
      6. Mobile Post Exploitation
        1. Information Gathering
        2. Remote Control
        3. Pivoting Through Mobile Devices
          1. Portscanning with Nmap
          2. Exploiting a System on the Local Network
        4. Privilege Escalation
      7. Summary
  12. A. Resources
    1. Chapter 0: Penetration Testing Primer
    2. Chapter 2: Using Kali Linux
    3. Chapter 3: Programming
    4. Chapter 4: Using the Metasploit Framework
    5. Chapter 5: Information Gathering
    6. Chapter 6: Finding Vulnerabilities
    7. Chapter 7: Capturing Traffic
    8. Chapter 8: Exploitation
    9. Chapter 9: Password Attacks
    10. Chapter 11: Social Engineering
    11. Chapter 12: Bypassing Antivirus Applications
    12. Chapter 13: Post Exploitation
    13. Chapter 14: Web Application Testing
    14. Chapter 15: Wireless Attacks
    15. Chapters 16–19: Exploit Development
    16. Chapter 20: Using the Smartphone Pentest Framework
    17. Courses
  13. Downloading the Software to Build Your Virtual Lab
  14. Index
  15. About the Author
  16. Copyright