Penetration Testing: A Survival Guide. A Survival Guide - Helion
Tytuł oryginału: Penetration Testing: A Survival Guide. A Survival Guide
ISBN: 9781787287839
Format: ebook
Data wydania: 2017-01-18
Księgarnia: Helion
Cena książki: 319,00 zł
The need for penetration testers has grown well over what the IT industry ever anticipated. Running just a vulnerability scanner is no longer an effective method to determine whether a business is truly secure. This learning path will help you develop the most effective penetration testing skills to protect your Windows, web applications, and Android devices.
The first module focuses on the Windows platform, which is one of the most common OSes, and managing its security spawned the discipline of IT security. Kali Linux is the premier platform for testing and maintaining Windows security. Employs the most advanced tools and techniques to reproduce the methods used by sophisticated hackers. In this module first,you’ll be introduced to Kali's top ten tools and other useful reporting tools. Then, you will find your way around your target network and determine known vulnerabilities so you can exploit a system remotely. You’ll not only learn to penetrate in the machine, but will also learn to work with Windows privilege escalations.
The second module will help you get to grips with the tools used in Kali Linux 2.0 that relate to web application hacking. You will get to know about scripting and input validation flaws, AJAX, and security issues related to AJAX. You will also use an automated technique called fuzzing so you can identify flaws in a web application. Finally, you’ll understand the web application vulnerabilities and the ways they can be exploited.
In the last module, you’ll get started with Android security. Android, being the platform with the largest consumer base, is the obvious primary target for attackers. You’ll begin this journey with the absolute basics and will then slowly gear up to the concepts of Android rooting, application security assessments, malware, infecting APK files, and fuzzing. You’ll gain the skills necessary to perform Android application vulnerability assessments and to create an Android pentesting lab.
This Learning Path is a blend of content from the following Packt products:
• Kali Linux 2: Windows Penetration Testing by Wolf Halton and Bo Weaver
• Web Penetration Testing with Kali Linux, Second Edition by Juned Ahmed Ansari
• Hacking Android by Srinivasa Rao Kotipalli and Mohammed A. Imran
Osoby które kupowały "Penetration Testing: A Survival Guide. A Survival Guide", wybierały także:
- Windows Media Center. Domowe centrum rozrywki 66,67 zł, (8,00 zł -88%)
- Ruby on Rails. Ćwiczenia 18,75 zł, (3,00 zł -84%)
- Przywództwo w świecie VUCA. Jak być skutecznym liderem w niepewnym środowisku 58,64 zł, (12,90 zł -78%)
- Scrum. O zwinnym zarządzaniu projektami. Wydanie II rozszerzone 58,64 zł, (12,90 zł -78%)
- Od hierarchii do turkusu, czyli jak zarządzać w XXI wieku 58,64 zł, (12,90 zł -78%)
Spis treści
Penetration Testing: A Survival Guide. A Survival Guide eBook -- spis treści
- Penetration Testing: A Survival Guide
- Table of Contents
- Penetration Testing: A Survival Guide
- Penetration Testing: A Survival Guide
- Credits
- Preface
- What this learning path covers
- What you need for this learning path
- Who this learning path is for
- Reader feedback
- Customer support
- Downloading the example code
- Errata
- Piracy
- Questions
- I. Module 1
- 1. Sharpening the Saw
- Installing Kali Linux to an encrypted USB drive
- Prerequisites for installation
- Booting Up
- Installing configuration
- Setting up the drive
- Booting your new installation of Kali
- Running Kali from the live CD
- Installing and configuring applications
- Gedit the Gnome text editor
- Terminator the terminal emulator for multitasking
- EtherApe the graphical protocol analysis tool
- Setting up and configuring OpenVAS
- Reporting the tests
- KeepNote the standalone document organizer
- Dradis the web-based document organizer
- Running services on Kali Linux
- Exploring the Kali Linux Top 10 and more
- Summary
- Installing Kali Linux to an encrypted USB drive
- 2. Information Gathering and Vulnerability Assessment
- Footprinting the network
- Exploring the network with Nmap
- Zenmap
- The difference verbosity makes
- Scanning a network range
- Where can you find instructions on this thing?
- A return to OpenVAS
- Using Maltego
- Using Unicorn-Scan
- Monitoring resource use with Htop
- Monkeying around the network
- Summary
- Footprinting the network
- 3. Exploitation Tools (Pwnage)
- Choosing the appropriate time and tool
- Choosing the right version of Metasploit
- Starting Metasploit
- Creating workspaces to organize your attack
- Using the hosts and services commands
- Using advanced footprinting
- Interpreting the scan and building on the result
- Exploiting poor patch management
- Finding out whether anyone is home
- Using the pivot
- Mapping the network to pivot
- Creating the attack path
- Grabbing system on the target
- Setting Up the route
- Exploring the inner network
- Abusing the Windows NET USE command
- Adding a Windows user from the command line
- Summary
- 4. Web Application Exploitation
- Surveying the webscape
- Concept of Robots.txt
- Concept of .htaccess
- Quick solutions to cross-site scripting
- Reducing buffer overflows
- Avoiding SQL injection
- Arm yourself with Armitage
- Working with a single known host
- Discovering new machines with NMap
- Zinging Windows servers with OWASP ZAP
- Using ZAP as an attack proxy
- Reading the ZAP interface
- Search and destroy with Burp Suite
- Targeting the test subject
- Using Burp Suite as a Proxy
- Installing the Burp Suite security certificate
- Spidering a site with Burp Spider
- Summary
- Surveying the webscape
- 5. Sniffing and Spoofing
- Sniffing and spoofing network traffic
- Sniffing network traffic
- Basic sniffing with tcpdump
- More basic sniffing with WinDump (Windows tcpdump)
- Packet hunting with Wireshark
- Dissecting the packet
- Swimming with Wireshark
- Spoofing network traffic
- Ettercap
- Using Ettercap on the command line
- Ettercap
- Summary
- 6. Password Attacks
- Password attack planning
- Cracking the NTLM code (Revisited)
- Password lists
- Cleaning a password list
- My friend Johnny
- John the Ripper (command line)
- xHydra
- Adding a tool to the main menu in Kali 2.x
- Summary
- Password attack planning
- 7. Windows Privilege Escalation
- Gaining access with Metasploit
- Replacing the executable
- Local privilege escalation with a standalone tool
- Escalating privileges with physical access
- Robbing the Hives with samdump2
- Owning the registry with chntpw
- Weaseling in with Weevely
- Preparing to use Weevely
- Creating an agent
- Testing Weevely locally
- Testing Weevely on a Windows server
- Getting help in Weevely
- Getting the system info
- Using filesystem commands in Weevely
- Writing into files
- Summary
- 8. Maintaining Remote Access
- Maintaining access
- Covering our tracks
- Maintaining access with Ncat
- Phoning Home with Metasploit
- The Dropbox
- Cracking the NAC (Network Access Controller)
- Creating a Spear-Phishing Attack with the Social Engineering Toolkit
- Using Backdoor-Factory to Evade Antivirus
- Summary
- Maintaining access
- 9. Reverse Engineering and Stress Testing
- Setting up a test environment
- Creating your victim machine(s)
- Testing your testing environment
- Reverse engineering theory
- One general theory of reverse engineering
- Working with Boolean logic
- Reviewing a while loop structure
- Reviewing the for loop structure
- Understanding the decision points
- Practicing reverse engineering
- Demystifying debuggers
- Using the Valgrind Debugger to discover memory leaks
- Translating your app to assembler with the EDB-Debugger
- EDB-Debugger symbol mapper
- Running OllyDbg
- Introduction to disassemblers
- Running JAD
- Create your own disassembling code with Capstone
- Some miscellaneous reverse engineering tools
- Running Radare2
- Additional members of the Radare2 tool suite
- Running rasm2
- Running rahash2
- Running radiff2
- Running rafind2
- Running rax2
- Demystifying debuggers
- Stresstesting Windows
- Dealing with Denial
- Putting the network under Siege
- Configuring your Siege engine
- Summary
- Setting up a test environment
- 10. Forensics
- Getting into Digital Forensics
- Exploring Guymager
- Starting Kali for Forensics
- Acquiring a drive to be legal evidence
- Cloning With Guymager
- Diving into Autopsy
- Mounting image files
- Summary
- 1. Sharpening the Saw
- II. Module 2
- 1. Introduction to Penetration Testing and Web Applications
- Proactive security testing
- Who is a hacker?
- Different testing methodologies
- Ethical hacking
- Penetration testing
- Vulnerability assessment
- Security audits
- Rules of engagement
- Black box testing or Gray box testing
- Client contact details
- Client IT team notifications
- Sensitive data handling
- Status meeting
- The limitations of penetration testing
- The need for testing web applications
- Social engineering attacks
- Training employees to defeat social engineering attacks
- A web application overview for penetration testers
- HTTP protocol
- Request and response header
- The request header
- The response header
- Important HTTP methods for penetration testing
- The GET/POST method
- The HEAD method
- The TRACE method
- The PUT and DELETE methods
- The OPTIONS method
- Session tracking using cookies
- Cookie
- Cookie flow between server and client
- Persistent and non-persistent cookies
- Cookie parameters
- HTML data in HTTP response
- Multi-tier web application
- Summary
- Proactive security testing
- 2. Setting up Your Lab with Kali Linux
- Kali Linux
- Improvements in Kali Linux 2.0
- Installing Kali Linux
- USB mode
- VMware and ARM images of Kali Linux
- Kali Linux on Amazon cloud
- Installing Kali Linux on a hard drive
- Kali Linux-virtualizing versus installing on physical hardware
- Important tools in Kali Linux
- Web application proxies
- Burp proxy
- Customizing client interception
- Modifying requests on the fly
- Burp proxy with SSL-based websites
- WebScarab and Zed Attack Proxy
- ProxyStrike
- Burp proxy
- Web vulnerability scanner
- Nikto
- Skipfish
- Web Crawler Dirbuster
- OpenVAS
- Database exploitation
- CMS identification tools
- Web application fuzzers
- Web application proxies
- Using Tor for penetration testing
- Steps to set up Tor and connect anonymously
- Visualization of a web request through Tor
- Final words for Tor
- Summary
- Kali Linux
- 3. Reconnaissance and Profiling the Web Server
- Reconnaissance
- Passive reconnaissance versus active reconnaissance
- Reconnaissance information gathering
- Domain registration details
- Whois extracting domain information
- Identifying hosts using DNS
- Zone transfer using dig
- Brute force DNS records using Nmap
- The Recon-ng tool a framework for information gathering
- Domain enumeration using recon-ng
- Sub-level and top-level domain enumeration
- Reporting modules
- Domain enumeration using recon-ng
- Domain registration details
- Scanning probing the target
- Port scanning using Nmap
- Different options for port scan
- Evading firewalls and IPS using Nmap
- Spotting a firewall using back checksum option in Nmap
- Identifying the operating system using Nmap
- Profiling the server
- Application version fingerprinting
- The Nmap version scan
- The Amap version scan
- Fingerprinting the web application framework
- The HTTP header
- The Whatweb scanner
- Identifying virtual hosts
- Locating virtual hosts using search engines
- The virtual host lookup module in Recon-ng
- Identifying load balancers
- Cookie-based load balancer
- Other ways of identifying load balancers
- Scanning web servers for vulnerabilities and misconfigurations
- Identifying HTTP methods using Nmap
- Testing web servers using auxiliary modules in Metasploit
- Automating scanning using the WMAP web scanner plugin
- Vulnerability scanning and graphical reports the Skipfish web application scanner
- Spidering web applications
- The Burp spider
- Application login
- Application version fingerprinting
- Port scanning using Nmap
- Summary
- Reconnaissance
- 4. Major Flaws in Web Applications
- Information leakage
- Directory browsing
- Directory browsing using DirBuster
- Comments in HTML code
- Mitigation
- Directory browsing
- Authentication issues
- Authentication protocols and flaws
- Basic authentication
- Digest authentication
- Integrated authentication
- Form-based authentication
- Brute forcing credentials
- Hydra a brute force password cracker
- Authentication protocols and flaws
- Path traversal
- Attacking path traversal using Burp proxy
- Mitigation
- Attacking path traversal using Burp proxy
- Injection-based flaws
- Command injection
- SQL injection
- Cross-site scripting
- Attack potential of cross-site scripting attacks
- Cross-site request forgery
- Session-based flaws
- Different ways to steal tokens
- Brute forcing tokens
- Sniffing tokens and man-in-the-middle attacks
- Stealing session tokens using XSS attack
- Session token sharing between application and browser
- Tools to analyze tokens
- Session fixation attack
- Mitigation for session fixation
- Different ways to steal tokens
- File inclusion vulnerability
- Remote file include
- Local file include
- Mitigation for file inclusion attacks
- HTTP parameter pollution
- Mitigation
- HTTP response splitting
- Mitigation
- Summary
- Information leakage
- 5. Attacking the Server Using Injection-based Flaws
- Command injection
- Identifying parameters to inject data
- Error-based and blind command injection
- Metacharacters for command separator
- Scanning for command injection
- Creating a cookie file for authentication
- Executing Wapiti
- Exploiting command injection using Metasploit
- PHP shell and Metasploit
- Exploiting shellshock
- Overview of shellshock
- Scanning dirb
- Exploitation Metasploit
- SQL injection
- SQL statements
- The UNION operator
- The SQL query example
- Attack potential of the SQL injection flaw
- Blind SQL injection
- SQL injection testing methodology
- Scanning for SQL injection
- Information gathering
- Sqlmap automating exploitation
- BBQSQL the blind SQL injection framework
- Sqlsus MySQL injection
- Sqlninja MS SQL injection
- SQL statements
- Summary
- Command injection
- 6. Exploiting Clients Using XSS and CSRF Flaws
- The origin of cross-site scripting
- Introduction to JavaScript
- An overview of cross-site scripting
- Types of cross-site scripting
- Persistent XSS
- Reflected XSS
- DOM-based XSS
- Defence against DOM-based XSS
- XSS using the POST Method
- XSS and JavaScript a deadly combination
- Cookie stealing
- Key logger
- Website defacing
- Scanning for XSS flaws
- Zed Attack Proxy
- Scoping and selecting modes
- Modes of operation
- Scan policy and attack
- Xsser
- Features
- W3af
- Plugins
- Graphical interface
- Zed Attack Proxy
- Cross-site request forgery
- Attack dependencies
- Attack methodology
- Testing for CSRF flaws
- CSRF mitigation techniques
- Summary
- The origin of cross-site scripting
- 7. Attacking SSL-based Websites
- Secure socket layer
- SSL in web applications
- SSL encryption process
- Asymmetric encryption versus symmetric encryption
- Asymmetric encryption algorithms
- Symmetric encryption algorithm
- Hashing for message integrity
- Identifying weak SSL implementations
- OpenSSL command-line tool
- SSLScan
- SSLyze
- Testing SSL configuration using Nmap
- SSL man-in-the-middle attack
- SSL MITM tools in Kali Linux
- SSLsplit
- SSLstrip
- SSL stripping limitations
- SSL MITM tools in Kali Linux
- Summary
- Secure socket layer
- 8. Exploiting the Client Using Attack Frameworks
- Social engineering attacks
- Social engineering toolkit
- Spear-phishing attack
- Website attack
- Java applet attack
- Credential harvester attack
- Web jacking attack
- Metasploit browser exploit
- Tabnabbing attack
- Browser exploitation framework
- Introducing BeEF
- BeEF hook injection
- Browser reconnaissance
- Exploit modules
- Host information gathering
- Persistence module
- Network recon
- Inter-protocol exploitation and communication
- Exploiting the mutillidae XSS flaw using BeEF
- Injecting the BeEF hook using MITM
- Summary
- 9. AJAX and Web Services Security Issues
- Introduction to AJAX
- Building blocks of AJAX
- The AJAX workflow
- AJAX security issues
- Increase in attack surface
- Exposed programming logic of the application
- Insufficient access control
- Challenges of pentesting AJAX applications
- Crawling AJAX applications
- AJAX crawling tool
- Sprajax
- AJAX spider OWASP ZAP
- Analyzing client-side code Firebug
- The Script panel
- The Console panel
- The Network panel
- Web services
- Introducing SOAP and RESTful web services
- Securing web services
- Insecure direct object reference vulnerability
- Summary
- Introduction to AJAX
- 10. Fuzzing Web Applications
- Fuzzing basics
- Types of fuzzing techniques
- Mutation fuzzing
- Generation fuzzing
- Applications of fuzzing
- Network protocol fuzzing
- File fuzzing
- User interface fuzzing
- Web application fuzzing
- Web browser fuzzing
- Fuzzer frameworks
- Fuzzing steps
- Testing web applications using fuzzing
- Fuzzing input in web applications
- Request URI
- Headers
- Form fields
- Detecting result of fuzzing
- Fuzzing input in web applications
- Web application fuzzers in Kali Linux
- Fuzzing using Burp intruder
- PowerFuzzer tool
- Summary
- 1. Introduction to Penetration Testing and Web Applications
- III. Module 3
- 1. Setting Up the Lab
- Installing the required tools
- Java
- Android Studio
- Setting up an AVD
- Real device
- Apktool
- Dex2jar/JD-GUI
- Burp Suite
- Configuring the AVD
- Drozer
- Prerequisites
- QARK (No support for windows)
- Getting ready
- Advanced REST Client for Chrome
- Droid Explorer
- Cydia Substrate and Introspy
- SQLite browser
- Frida
- Setting up Frida server
- Setting up frida-client
- Testing the setup
- Vulnerable apps
- Kali Linux
- Drozer
- ADB Primer
- Checking for connected devices
- Getting a shell
- Listing the packages
- Pushing files to the device
- Pulling files from the device
- Installing apps using adb
- Troubleshooting adb connections
- Summary
- Installing the required tools
- 2. Android Rooting
- What is rooting?
- Why would we root a device?
- Advantages of rooting
- Unlimited control over the device
- Installing additional apps
- More features and customization
- Disadvantages of rooting
- It compromises the security of your device
- Bricking your device
- Voids warranty
- Locked and unlocked boot loaders
- Determining boot loader unlock status on Sony devices
- Unlocking boot loader on Sony through a vendor specified method
- Rooting unlocked boot loaders on a Samsung device
- Stock recovery and Custom recovery
- Prerequisites
- Rooting Process and Custom ROM installation
- Installing recovery softwares
- Using Odin
- Using Heimdall
- Installing recovery softwares
- Rooting a Samsung Note 2
- Flashing the Custom ROM to the phone
- Summary
- What is rooting?
- 3. Fundamental Building Blocks of Android Apps
- Basics of Android apps
- Android app structure
- How to get an APK file?
- Storage location of APK files
- /data/app/
- /system/app/
- /data/app-private/
- Example of extracting preinstalled apps
- Example of extracting user installed apps
- Android app structure
- Android app components
- Activities
- Services
- Broadcast receivers
- Content providers
- Android app build process
- Building DEX files from the command line
- What happens when an app is run?
- ART the new Android Runtime
- Understanding app sandboxing
- UID per app
- App sandboxing
- Is there a way to break out of this sandbox?
- Summary
- Basics of Android apps
- 4. Overview of Attacking Android Apps
- Introduction to Android apps
- Web Based apps
- Native apps
- Hybrid apps
- Understanding the apps attack surface
- Mobile application architecture
- Threats at the client side
- Threats at the backend
- Guidelines for testing and securing mobile apps
- OWASP Top 10 Mobile Risks (2014)
- M1: Weak Server-Side Controls
- M2: Insecure Data Storage
- M3: Insufficient Transport Layer Protection
- M4: Unintended Data Leakage
- M5: Poor Authorization and Authentication
- M6: Broken Cryptography
- M7: Client-Side Injection
- M8: Security Decisions via Untrusted Inputs
- M9: Improper Session Handling
- M10: Lack of Binary Protections
- Automated tools
- Drozer
- Performing Android security assessments with Drozer
- Installing testapp.apk
- Listing out all the modules
- Retrieving package information
- Identifying the attack surface
- Identifying and exploiting Android app vulnerabilities using Drozer
- Attacks on exported activities
- What is the problem here?
- Attacks on exported activities
- Identifying and exploiting Android app vulnerabilities using Drozer
- QARK (Quick Android Review Kit)
- Running QARK in interactive mode
- Reporting
- Running QARK in seamless mode:
- Running QARK in interactive mode
- Summary
- Introduction to Android apps
- 5. Data Storage and Its Security
- What is data storage?
- Android local data storage techniques
- Shared preferences
- SQLite databases
- Internal storage
- External storage
- Android local data storage techniques
- Shared preferences
- Real world application demo
- SQLite databases
- Internal storage
- External storage
- User dictionary cache
- Insecure data storage NoSQL database
- NoSQL demo application functionality
- Backup techniques
- Backup the app data using adb backup command
- Convert .ab format to tar format using Android backup extractor
- Extracting the TAR file using the pax or star utility
- Analyzing the extracted content for security issues
- Being safe
- Summary
- What is data storage?
- 6. Server-Side Attacks
- Different types of mobile apps and their threat model
- Mobile applications server-side attack surface
- Mobile application architecture
- Strategies for testing mobile backend
- Setting up Burp Suite Proxy for testing
- Proxy setting via APN
- Proxy setting via Wi-Fi
- Bypass certificate warnings and HSTS
- HSTS HTTP Strict Transport Security
- Bypassing certificate pinning
- Bypass SSL pinning using AndroidSSLTrustKiller
- Setting up a demo application
- Installing OWASP GoatDroid
- Setting up a demo application
- Threats at the backend
- Relating OWASP top 10 mobile risks and web attacks
- Authentication/authorization issues
- Authentication vulnerabilities
- Authorization vulnerabilities
- Session management
- Insufficient Transport Layer Security
- Input validation related issues
- Improper error handling
- Insecure data storage
- Attacks on the database
- Setting up Burp Suite Proxy for testing
- Summary
- 7. Client-Side Attacks Static Analysis Techniques
- Attacking application components
- Attacks on activities
- What does exported behavior mean to an activity?
- Intent filters
- Attacks on services
- Extending the Binder class:
- Using a Messenger
- Using AIDL
- Attacking AIDL services
- Attacks on broadcast receivers
- Attacks on content providers
- Querying content providers:
- Exploiting SQL Injection in content providers using adb
- Querying the content provider
- Writing a where condition:
- Testing for Injection:
- Finding the column numbers for further extraction
- Running database functions
- Finding out SQLite version:
- Finding out table names
- Attacks on activities
- Static analysis using QARK:
- Summary
- Attacking application components
- 8. Client-Side Attacks Dynamic Analysis Techniques
- Automated Android app assessments using Drozer
- Listing out all the modules
- Retrieving package information
- Finding out the package name of your target application
- Getting information about a package
- Dumping the AndroidManifes.xml file
- Finding out the attack surface:
- Attacks on activities
- Attacks on services
- Broadcast receivers
- Content provider leakage and SQL Injection using Drozer
- Attacking SQL Injection using Drozer
- Path traversal attacks in content providers
- Reading /etc/hosts
- Reading kernel version
- Exploiting debuggable apps
- Introduction to Cydia Substrate
- Runtime monitoring and analysis using Introspy
- Hooking using Xposed framework
- Dynamic instrumentation using Frida
- What is Frida?
- Prerequisites
- Steps to perform dynamic hooking with Frida
- What is Frida?
- Logging based vulnerabilities
- WebView attacks
- Accessing sensitive local resources through file scheme
- Other WebView issues
- Summary
- Automated Android app assessments using Drozer
- 9. Android Malware
- What do Android malwares do?
- Writing Android malwares
- Writing a simple reverse shell Trojan using socket programming
- Registering permissions
- Writing a simple SMS stealer
- The user interface
- Code for MainActivity.java
- Code for reading SMS
- Code for the uploadData() method
- Complete code for MainActivity.java
- Registering permissions
- Code on the server
- A note on infecting legitimate apps
- The user interface
- Writing a simple SMS stealer
- Malware analysis
- Static analysis
- Disassembling Android apps using Apktool
- Exploring the AndroidManifest.xml file
- Exploring smali files
- Decompiling Android apps using dex2jar and JD-GUI
- Disassembling Android apps using Apktool
- Dynamic analysis
- Analyzing HTTP/HTTPS traffic using Burp
- Analysing network traffic using tcpdump and Wireshark
- Static analysis
- Tools for automated analysis
- How to be safe from Android malwares?
- Summary
- 10. Attacks on Android Devices
- MitM attacks
- Dangers with apps that provide network level access
- Using existing exploits
- Malware
- Bypassing screen locks
- Bypassing pattern lock using adb
- Removing the gesture.key file
- Cracking SHA1 hashes from the gesture.key file
- Bypassing password/PIN using adb
- Bypassing screen locks using CVE-2013-6271
- Bypassing pattern lock using adb
- Pulling data from the sdcard
- Summary
- 1. Setting Up the Lab
- A. Bibliography
- Index