numbers and symbols - no starch press · numbers and symbols 3com tftp 2.0.1 ... goals for pentest,...
TRANSCRIPT
i n D e x
Numbers and Symbols3Com TFTP 2.0.1
downloading and installing, 42–43public exploit for transport mode
vulnerability, 427–4293CTftpSvc process, attaching, 424–4253CTftpSvc.exe, 2957-Zip programs, 10& (ampersand), for running commands
in browser, 328\\ (double backslashes), for escape, 186> symbol, for redirecting input, 61>> operator, 61, 81#include command (C), 84| (pipe), 65/ (slash), as delimiter character in
sed, 65
aabsolute path, 56Address Resolution Protocol (ARP)
basics, 161–163address space layout randomization
(ASLR), 364, 440adduser command, 58–59, 309administrative privileges
gaining to control domain, 296for Windows 7 applications, 285
Administrator password, for Windows, 33
Adobe Acrobat Reader, 225–226installing, 46
Advanced Execution Standard (AES), 269
Advanced Packaging Tool (apt), 66
Aircrack-ngcracking WEP keys with, 347–350cracking WPA/WPA2 keys with,
353–356Aireplay-ng
to force client reconnection, 354rebroadcasting ARP packets
with, 348airmon-ng check kill command, 342Airmon-ng script, 341–342airodump-ng command, 342–343, 347all users, permissions for, 62ampersand (&), for running commands
in browser, 328Android, 456
emulators, 449setting up, 22–27starting, 26–27
relationship with security updates, 457
scripting languages vs. C code, 468SDK manager, 23software
building, 449–450deploying, 450–451installing, 24
Virtual Device Manager, 24–25Android Master Key vulnerability, 459,
462–463anonymous user, on Windows XP
target, 157antivirus application avoidance,
257–275hiding in plain sight, 274Microsoft Security Essentials,
261–262
478 Index
antivirus application avoidance (continued)
payload hiding, 263–274Railgun, 283trojans, 258–259with Veil-Evasion, 270–274VirusTotal, 262–263
antivirus applicationshow they work, 260–261signatures for, 438
antivirus definitions, 260Apache server
default “It Works” page, 169–170installing, 44
APK file, 461–464APKTool, installing, 462appending text to file, 61apt (Advanced Packaging Tool), 66argument string, Perl for creating, 376ARP (Address Resolution Protocol)
basics, 161–163ARP cache poisoning, 160–166
with Arpspoof, 164–165as bottleneck, 166impersonating default gateway
with, 165–166ARP request
generating, 349relay attack, generating IVs with,
348–349Arpspoof, ARP cache poisoning with,
164–165ASLR (address space layout
randomization), 364, 440assembly instructions, converting to
shellcode, 398–399Atftpd TFTP server, 187attack string, finding in memory,
408–411Aurora exploit, 220–222authentication, fake, 347–348authorization, for penetration test, 3automatic security updates
opting out, in Windows 7, 50turning off, 34
AutoRunScript parameter, for Metasploit, 224–225
auxiliary/server/capture/smb module, 302
awk command (sed), 66
Bbackdoored code, 458–461
testing from, 193–194background command (Meterpreter), 311background job, killing in
Metasploit, 222BackTrack Linux, 55bar codes, QR (quick response)
codes, 447Bash command processor, 56Bash scripts, 75–81
else statement in, 78for loop in, 78–79if statement in, 77–78pinging hosts on network with, 76running, 77streamlining results, 79–81then statement in, 78
.bash_history file, 295–296BeEF (Browser Exploitation
Framework), 331–335bind payload, 307bind shell payload, 102–103bind shells, 71, 98, 180bitwise XOR operation, 344Bkhive, 205Blackboard, Java for, 241BookApp custom web application
attacking, 313–337installing, 53–54
bootingKali Linux, 11virtual machine delay in, 207
bootkey, 189, 205breakpoints in program, 368
running program to next, 370setting, 393
bridged network, for VMware connection, 13, 14, 16, 31, 48
Browser Exploitation Framework (BeEF), 331–335
browser_autopwn module, 235–237browsers
& for running commands in, 328attack for opening link in
mobile, 455autopwning, 237exploitation, 219–225
brute forcing, 198LM-hashed passwords, 208MD5 hashes, 212
Index 479
NTLM-hashed passwords, 210–211use in Hyperion, 269WPS pin, 356–357
buffer overflowin Linux, 364–378preventing exploits, 439–440in third-party software, exploiting,
190–191War-FTP crash due to, 384in Windows, 379–400
bugs, finding with code review, 422Bully, cracking WPS with, 357Burp Proxy, web application testing
with, 314–319Burp Repeater, 314Burp Spider, 314
CC programs, 84–85
for Android devices, 468causing crash, 366–367memory use, 363–364vulnerability to stack-based buffer
overflow, 365–366CA (certificate authority), 171Cadaver, 150–151, 182Cain and Abel for Windows, 304Cain password tool, 303calling conventions, 390canaries, 440capturing traffic, 155–175. See also
WiresharkARP cache poisoning, 160–166DNS cache poisoning, 167–169networking for, 156on wireless network, 342–343
cat command, 61cat /etc/shadow command, 194CCMP (Counter Mode with Cipher
Block Chaining Message Authentication Code Protocol), 351
cd command, 56CERTCN option, 234certificate, for Java applet, 234certificate authority (CA), 171ceWL custom wordlist generator,
200–201check function, in Metasploit
exploits, 147–148chmod command, 62
making script executable, 76
clientsAireplay-ng to force
reconnection, 354contact information for, 3exploiting vulnerability in, 88goals for pentest, 3
client-side attacksexploitation with, 218–239mobile hacking, 454–457
clipboard (Windows), stealing data from, 334
closinghandler, 228shell, 100
code review, finding bugs with, 422command line arguments, in C, 84command shell
opening listener, 70–71pushing back to listener, 71–72
commands. See also specific commandsexecuting, 327–329learning about, 57–58
Common Vulnerabilities and Exposures (CVE) system, 142
Common Vulnerability Scoring System (CVSS), 140
compromised service, exploitation of, 193–194
computer name, for Windows, 33Conficker worm, 90configuration file
cracking passwords, 212–213downloading, 188–189
connect function (Python), 83connect_ex function (Python), 83connect_udp function, 435contact information, for client, 3continue command (GDB), 370copying file, 60Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol (CCMP), 351
cp command, 60CPUs, registers in Intel-based,
362–363crashes, 151
attempting with fuzzing, 424–426causing, 382–384in GDB, 372–373in War-FTP, 397–398, 403
480 Index
CRC-32 (Cyclic Redundancy Check 32), 346
CreateThread API, 271Credential Harvester Attack Method,
251–252credentials, 174
brute force to find, 198for FTP server, 160gathering, 292–294in Nessus, 137stealing stored, 294
cron jobsautomating tasks with, 72–73creating, 311
crontab files, 72cross-site request forgery (CSRF), 335cross-site scripting (XSS), 329–335
checking for reflective vulnerability, 330
leveraging with BeEF, 331–335Crunch tool, 201CSRF (cross-site request forgery), 335Ctypes library (Python), 271custom cross compiling, 266–269cut command, 65, 80CVE (Common Vulnerabilities and
Exposures) system, 142CVE-2008-2992, 225–228CVSS (Common Vulnerability Scoring
System), 140Cyclic Redundancy Check 32
(CRC-32), 346cyclical pattern, generating to
determine offset, 385–388
Ddata execution prevention (DEP),
364, 441data manipulation, in Kali Linux,
64–66database
dumping with SQLMap, 322exploiting access to, 188finding name of first, 321for SPF, 448–449
debugger, installing, 46debugging information, for GDB, 366default gateway, 68
ARP cache poisoning for impersonating, 165–166
finding, 38default payload, for Metasploit, 97
default port, for Simple Mail Transfer Protocol (SMTP), 124
delegation token, 300–301deleting
files, 60final character from each line, sed
command for, 81demilitarized zone, 304denial-of-service (DoS) condition, 163DEP (data execution prevention),
364, 441deploying Android application, 450–451Destination Host Unreachable message, 39/dev/urandom file (Linux), 267DHCP (dynamic host configuration
protocol), 68dictionary attack, against WPA/
WPA2, 356dictionary words, in passwords, 198directories
changing, 56–57creating, 60displaying current, 56
disass command (GDB), 370–371DNS. See Domain Name System (DNS)DNS cache poisoning, 167–169Dnsspoof, 169documentation, 57. See also man pagesdomain
adding administrator account, 309getting administrative access to, 296setup for simulating, 39–40users, password hashes for, 302
Domain Name System (DNS)reconnaissance, 116–118zone transfers, 117–118
domain names, resolution, 167domain registrars, 115DoS (denial-of-service) condition, 163double backslashes (\\), for escape, 186downloading
3Com TFTP 2.0.1, 42–43Kali Linux, 10payload by users, 105sensitive files, 188–189SLMail 5.5, 41–42Smartphone Pentest Framework
(SPF), 27–28with TFTP, 187–188War-FTP, 46Windows SAM, 189WinSCP, 46
Index 481
dpkg command, 18dual-homed systems, 304dynamic analysis, 261dynamic host configuration protocol
(DHCP), 68
EEAX register, 362, 403EBP register, 362, 363, 369, 390EBX register, 362echo command, 61, 76ECX register, 363EDI register, 362, 390editing files, 62–64EDX register, 363EIP register, 362, 363
controlling, 373–375locating, 384–388verifying offset, 388–389, 390
else statement, in Bash scripts, 78email
searching for addresses, 118–119social-engineering attacks
with, 244emulator, Android, 449
setting up, 22–27starting, 26–27
encoders, 263–266encryption key, for Syskey utility, 189end, in Ruby, 434endianness, 376–378, 394enterprise connection process, in
WPA/WPA2, 351escape, double backslashes (\\)
for, 186ESI register, 362ESP register, 362, 363, 390–391
following on stack, 408–409/etc/crontab file, 72–73, 311/etc/john/john.conf file, 212/etc/network/interfaces file, 68–69/etc/proxychains.conf configuration
file, 307Ettercap
installing, 22for man-in-the-middle attacks, 171
exceptions. See structured exception handler
executablesembedded in PDF, 228–229Hyperion for encrypting, 269–270using return address from, 394
execute (x) permissions, 62execution
hijacking as goal, 373hijacking in Linux, 375–376hijacking in Windows, 390–395
executive summary of report, 5exploit code, repositories of, 88exploit command (Metasploit), 97Exploit Database, 88, 427exploit target, for Metasploit, 95exploit/multi/browser/java_signed_applet
module, 233–234exploitation, 179–196
of buffer overflow in third-party software, 190–191
with client-side attacks, 218–239of compromised service, 193–194with Java, 230–235mitigation techniques, 439–442of MS08-067 vulnerability,
180–182of open NFS shares, 194–196phase of penetration testing, 2, 4of phpMyAdmin, 186–188running through pivot, 306–307of third-party web applications,
191–193of WebDav default credentials,
182–183Exploit::Remote::UDP mixin, 435exploits
porting public, 427–432replacing shellcode, 430running, 100running through SPF agent, 468with SEH overwrites, 403–407writing, 361
exploit/windows/fileformat/adobe_pdf_embedded_exe module, 228
exploit/windows/fileformat/adobe_utilprintf module, 226
exploit/windows/fileformat/winamp_maki_bof module, 238
exploit/windows/local/ms11_080_afdjoinleaf module, 284
exploit/windows/smb/psexec module, 296exploit/windows/tftp/tftpd32_long_
filename.rb module, 435external penetration test, 2Ez7z program, 10
482 Index
FFacebook, 172factory restore, 456fake authentication, 347–348file permissions, 61–62filename for exploit, random
characters for, 438files
adding text, 61copying, moving, and removing, 60creating, 60editing, 62–64searching for text in, 65sending script results to, 81viewing list of, 18
FileZilla server.xml configuration file, 188–189
FileZilla services, installing, 44filters, bypassing with Metasploit
payloads, 216–218finding
attack string in memory, 408–411compatible payloads, 96–97return address, 429–430valid usernames, 153
firewalls, intrusion-detection and prevention systems on, 125
folders, sharing via FTP, 45for loop, in Bash scripts, 78–79formats, for Nmap log, 125four-way handshake, 351, 352–353
capturing, 354Wireshark for viewing, 355
Framework Android App, 451FSTENV instruction, 398FTP account, default password for, 213FTP server
access to file on, 146–147exploiting stack-based buffer
overflow in, 379–380logging in to, 157, 165
FTP user, adding, 45futuresoft_transfermode.rb module,
432–434fuzzing, 421–426
attempting crash, 424–426finding bugs with code review, 422for trivial FTP server, 422–423
GGCC (GNU Compiler Collection), 84,
289, 366gcc command, 289GDB (GNU debugger), 366
crashing program in, 372–373running, 367–372viewing source code, 368
getsystem command (Meterpreter), 283–286
getuid command (Meterpreter), 185, 279, 281
GNU Compiler Collection (GCC), 84, 289, 366
GNU debugger. See GDB (GNU debugger)
Google Play apps, signature for, 462Google search, on vulnerability, 142GoToMeeting, Java for, 241grep command, 65
filtering script output, 80greppable Nmap, 125group, permissions for, 62group transient key (GTK), 352
Hhandler, closing, 228Hardware dialog, 31hashdump command (Meterpreter), 204,
205, 298hashes
converting to plaintext, 203for domain users, 302dumping with physical access,
206–208example, 211LM vs. NTLM algorithms, 208rainbow table for precompleted, 213recovering from Windows SAM
files, 204–206reversing, 203, 298
heap in memory, 362“Hello World” C program, 84help
for Meterpreter commands, 278for Msfcli, 101for Msfconsole, 89–90
help upload command (Meterpreter), 279hidden directories, ls command to
show, 57–58
Index 483
hook.js script (BeEF), 332–333host utility for DNS queries, 117host-only network, 13, 117HTML, for attack email, 254HTTP GET request, capture by Burp
Proxy, 316HTTP payload, 217–218
exploiting Java vulnerability with, 231–232
HTTPS, 174payloads, 217–218
hub, and traffic capture, 156Hydra, guessing usernames and
passwords with, 202–203Hyperion
encrypting executables with, 269–270
installing, 21, 270
IIceweasel browser, proxy configuration,
315–316ICMP (Internet Control Message
Protocol) message, 76if statement
Bash, 77–78C, 84Python, 83
ifconfig command, 16, 67, 304–305IIS (Internet Information Services),
user privileges, 329Immunity Debugger, 381–382
installing, 46–47#include command (C), 84Incognito tool, 301–302incoming connection, listening on port
for, 70info command (Metasploit), 92–93information-gathering phase of
penetration testing, 2, 4, 113–132
local, 291–296on mobile device, 464–465open source intelligence (OSINT),
114–123initialization vector (IV), 344
generating with ARP request relay attack, 348–349
inline payloads, 181input, > symbol for redirecting, 61input function (Python), 82insert mode for vi, 64
installed packages, managing, 66installing
3Com TFTP 2.0.1, 42–43Adobe Acrobat Reader, 46Android emulators, 22–27Apache, 44APKTool, 462debugger, 46Ettercap, 22FileZilla services, 44Hyperion, 21, 270Immunity Debugger, 46–47Java 7 Update 6, 52Microsoft Security Essentials, 52Ming C Compiler, 20Mona, 47Mozilla Firefox, 52MySQL, 44Nessus, 17–20Python, 46SLMail 5.5, 41–42Smartphone Pentest Framework
(SPF), 27–28Veil-Evasion, 21VMware, 9–10vulnerable software, 40–47War-FTP, 46Winamp version 5.55, 52WinSCP, 46XAMPP 1.7.2, 43–45
Intel-based CPU registers, 362–363internal penetration test, 2Internet access, testing for Kali
Linux, 17Internet Control Message Protocol
(ICMP) message, 76Internet Explorer, vulnerability,
220–222Internet Information Services (IIS),
user privileges, 329Internet Protocol (TCP/IP) Properties
dialog, 39iOS, approach to preventing malicious
code, 441IP address, 67–68
DNS mapping to, 167–168mapping to MAC address, 161setting static, 38–39verifying, 16
IP forwarding, 163–164ipconfig command, 38
output from, 328
484 Index
iPhonedefault SSH login, 453–454jailbreaking, 219, 441running application on, 441
IV (initialization vector), 344generating with ARP request relay
attack, 348–349iwconfig command, 340–341iwlist wlan0 scan command, 341
JJava, signed Applet, 233–235Java 7 Update 6, installing, 52Java Applet Attack Method, 250Java Runtime Environment (JRE), 230java/meterpreter/reverse_http payload, 231JMP ESP instruction, 392
finding in USER32.dll, 429reliance on location, 440
John the Ripper tool, 210–211, 303wordlists, 200, 212
JRE (Java Runtime Environment), 230
KKali Linux, 55–73
booting, 11command line, 56data manipulation in, 64–66GUI, 13opening virtual machine, 11repository of exploit code, 288running Android emulators, 27setup, 10–28starting Burp Suite in, 314testing Internet access for, 17user privileges, 58–61
kaliinstall script, 28keyscan_dump command
(Meterpreter), 292keyscan_start command
(Meterpreter), 292key-scheduling algorithm, in WEP, 345keyspace brute-forcing, 201kill command (Metasploit), 222Kismet, 356
LLAN manager (LM) password
hashes, 208insecurity of, 209
lateral movement, 296–304
Incognito tool, 301–302PSExec technique, 296–297SMB capture, 302–304SSH Exec, 299–300token impersonation, 300–301
LHOST, 99–100setting, 184setting in Msfvenom, 104
license key, for Windows, 32Linksys WRT54G2, web interface, 340Linux. See also Kali Linux, Ubuntu 8.10
target machineadding code to /tmp/run file,
290–291copying and compiling exploit,
289–290cracking passwords, 212filesystem, 56–57finding an exploit, 288–289finding a vulnerability, 287–288learning kernel version, 287stack-based buffer overflow in,
361–378udev privilege escalation, 287–291VMware Player for, 9–10
listenerpushing command shell back to,
71–72setup on Kali Linux, 290
list_tokens command (Meterpreter), 301
little-endian architecture, 377LM (LAN manager) password
hashes, 208insecurity of, 209
load command (Meterpreter), 301local file inclusion, 324–327local information gathering, 291–296local privilege escalation, 283–291
for Windows, 284–285Local Security Authority Subsystem
Service (LSASS) process, 214
local users, listing all, 294login screen
for Kali Linux, 12of web application, SQL injection
issues in, 319–320LPORT option, 216ls command, 18, 56
man page for, 57
Index 485
LSASS (Local Security Authority Subsystem Service), 214
lsb_release command, 287
MMAC (Media Access Control) address,
mapping IP address to, 161MAC filtering, by access points, 350Mac OS, and VMware Fusion, 10, 16,
31–32, 36mail servers
for delivering attack email, 248–249valid usernames for, 153
main function, 84malicious code, asking users to
allow, 233Maltego, 119–123malware, techniques to avoid detection,
257–275man-in-the-middle attacks, 160–161
Ettercap for, 22, 171man ls command, 57man pages, 57–58mandatory code signing, 219, 441–442manual port scanning, 124mapping IP address, to MAC
address, 161mass email attacks, 253–255MD5 collision attack, 260MD5 hash
brute forcing, 212checking for trojans with, 260
md5sum program, 260MDM (Mobile Device
Management), 466Media Access Control (MAC) address,
mapping IP address to, 161memory
content display options, 369finding attack string in memory,
408–411theory of, 362–364
memory address, byte order in, 376message integrity code (MIC), 353Metasm utility, 398–399Metasploit
adding route in, 305–306auxiliary module and exploit
database, 91exploit check functions, 147–148killing background job in, 222
modules, 89, 281–283. See also specific modules
advanced parameters, 223–225auxiliary, 107–108database, 90–91finding, 90–94MS08-067, 90post-exploitation, 281–283scanner, 146–147setting options, 94–96verifying format
specifications, 438writing, 432–439
Msfconsole for, 89payloads, 96–98
bypassing filters with, 216–218port scanners in, 306search function, 91–94starting, 88–90support for encoders, 263test run, 97–98updating, 108
Metasploit Browser Exploit Method, 250Meterpreter, 181–182
help for commands, 278keylogger, 292for post-exploitation, 278–280scripts, 280–281searching for files with, 291–292session, 98
maintaining, 222placing in background, 311running scripts in, 223
shell command for dropping out of, 287
upload command, 279MIC (message integrity code), 353Michael, MAC algorithm, 350Microsoft Security Essentials, 261–262
installing, 52non-detection of malware, 270
Microsoft Windows. See WindowsMing C Compiler, installing, 20Mingw32 cross compiler, 268Mitnick, Kevin, 243mkdir command, 60, 207mobile browser, attack for opening link
in, 455Mobile Device Management
(MDM), 466
486 Index
mobile hacking, 445–472client-side attacks, 454–457malicious apps, 458–463near field communication (NFC),
446–447pivoting through devices, 466–470port scanning with Nmap, 467–468privilege escalation, 471remote attacks, 453–454remote control, 465–466with text messages, 446
Mobile Safari, 219Mode field in TFTP, 423modules. See Metasploit: modulesMona
finding pattern offsets in, 387–388generating cyclical pattern in,
385–388, 405installing, 47running SEH command in, 413
!mona findmsp command (Immunity Debugger), output, 390
mona pattern_create command (Immunity Debugger), 404–405
mona.py file, downloading, 46moving files, 60Mozilla Firefox, installing, 52MS08-067 vulnerability, 180–182Msfcli (command line interface), 89,
101–103showing options, 101–102SPF to interface with, 453
Msfconsole, 89handler for catching payload, 185help command for, 89–90setting up handler, 469
Msftidy tool, 438msfupdate command, 108, 225, 438Msfvenom, 258–259
creating standalone payloads with, 103–107
encoders, 264generating shellcode, 273–274,
396, 428multiencoding with, 265output format for, 104–105prebuilt templates for detection
signatures, 266serving payloads, 105, 183–185
multi/handler module, 105–107, 227, 469multi/ssh/sshexec module, 299multipronged attacks, 255
mv command, 60MySQL
database, for SPF, 447installing, 44server, privileges, 186
Nnano (file editor), 62–63NAT (network address translation), 13National Institute of Standards and
Technology (NIST), 141near field communication (NFC),
446–447negative feedback, 173–174Nessus (Tenable Security), 134–142
credentials in, 137detailed information on
vulnerability, 140exporting results, 141–142installing, 17–20login screen, 20–22, 135Policies tab, 134–138rankings, 140–141scanning with, 138–140starting, 18
net command (Windows), 294–295net localgroup command (Windows),
295, 309net use command (Windows), 303net user command (Windows), 309net users command (Windows),
294–295Netcat tool
to check for listening port, 70connecting to port with, 152for file transfer, 72for SMTP port connection, 124for TCP/IP connections, 69–72
Netcraft, 114–115netstat command, 69network
for capturing traffic, 156connecting virtual machine to,
16–17managing, 67–69viewing connections, 69
network adapterchanging settings, 15configuring for Windows XP, 31
network address translation (NAT), 13Network File System (NFS), 144–145
exploitation of open shares, 194–196
Index 487
network interface, 67adding second, 52
network mask, 68NFC (near field communication),
446–447NFS (Network File System), 144–145
exploitation of open shares, 194–196Nikto, 149NIST (National Institute of Standards
and Technology), 141Nmap port scanning, 125–131
for mobile devices, 467–468running through ProxyChains, 308scanning a specific port, 130–131SYN scan, 125–127UDP scan, 128–130version scan, 127–128
Nmap Scripting Engine (NSE), 142–144
default scripts output, 143–144running single script, 144–146
nondisclosure agreement, 4NOP sled, 428–429NSE. See Nmap Scripting Engine (NSE)nslookup, 116–117, 167NT LAN Manager (NTLM) hash, for
password hash, 208cracking with John the Ripper,
210–211
Ooffset
generating cyclical pattern to determine, 385–388
verifying, 388–389, 390Opcode field, in TFTP, 423open relay, 249open source intelligence (OSINT), 4
DNS reconnaissance, 116–118Maltego, 119–123Netcraft, 114–115port scanning, 123–131searching for email addresses,
118–119whois lookups, 115–116
Open Sourced Vulnerability Database (OSVDB), 149
Open Web Application Security Project (OWASP), 335
open wireless network, 343OSINT. See open source intelligence
OSVDB (Open Sourced Vulnerability Database), 149
output format, for Msfvenom, 104–105overflowtest.c file, functions in, 375OWASP (Open Web Application
Security Project), 335owner, permissions for, 62
Ppack method (Ruby), 435packages, managing installed, 66Packet Storm Security, 88pairwise master key (PMK), in WPA/
WPA2, 352pairwise transient key (PTK), 352pass the hash technique, 298–299passphrase, for WPA or WPA2, 353password attacks, 197–214
offline, 203–213online, 198–203
password hashesconverting to plaintext, 203for domain users, 302dumping with physical access,
206–208example, 211LM vs. NTLM algorithms, 208recovering from Windows SAM file,
204–206reversing, 203, 298
passwordscracking with John the Ripper, 210cracking Linux, 212default root for SSH, 453dumping plaintext with WCE,
213–214guessing with Hydra, 202–203lists of, 199–201managing, 197–198for Nessus, 20online services for cracking, 213recovering MD5 hashes, 188saving, 293setting in Windows 7 target
machine, 49setting in Windows XP, 37strong, 198system hashes, 194use of same on multiple systems, 296
PATH environmental variable, 77pattern matching, with awk, 66
488 Index
paused process, Immunity Debugger and, 381–382
payloads, 180–181avoiding special characters, 396creating standalone with Msfvenom,
103–107handler for, 227listing in Msfvenom, 104in Msfcli, 102–103serving, 105setting manually, 99–101for structured exception handler
overwrite, 418–419payment terms, 3PBKDF2 hashing algorithm, 352PDF (Portable Document Format)
software, exploitation with, 225–235
penetration testingbasics, 1–2data, tracking, 125–126stages, 2–6
Penetration Testing Execution Standard (PTES), 2
Perl scripting languagefor creating argument string, 376string generation by, 372
persistence, 309–311persistence script (Meterpreter), 310–311personal connection process, in WPA/
WPA2, 351phishing attack, 244
via email, automating, 253phpMyAdmin, 149–150
exploitation, 186–188ping command, 17, 38
limiting number of times, 78stopping, 39
ping sweep, script for, 76pipe (|), 65pivoting, 304–308
through mobile devices, 466–470Socks4a and ProxyChains, 307–308
plaintextconverting hashes to, 203for credentials, 174dumping passwords with Windows
Credential Editor, 213–214PMK (pairwise master key) in WPA/
WPA2, 352POP instruction, 363, 411–412
reliance on location, 440
port 4444, 98port scanning, 123–131
manual, 124in Metasploit, 306with Nmap, 125–131, 467–468with Python script, 82
Portable Document Format (PDF) software, exploitation with, 225–235
porting public exploits, 427–432ports, 69, 95
default, for Simple Mail Transfer Protocol (SMTP), 124
exploring, 151–152Netcat for connecting to, 152Nmap port scanning for specific,
130–131post-exploitation phase of penetration
testing, 2, 4–5, 277–311gathering credentials, 292–294keylogging, 292lateral movement, 296–304local information gathering, 291–296local privilege escalation, 283–291Metasploit modules, 281–283Meterpreter for, 278–280mobile, 463–471modules, 281–283persistence in, 309–311pivoting, 304–308
PostgreSQL database, 88post/windows/gather/enum_logged_on_users
module, 282post/windows/gather/hashdump
module, 298Powershell, in Windows 7, 329pre-engagement phase of penetration
testing, 2–4print command
Perl, 372Python, 83
printf function, 84private SSH keys, 194privilege escalation, in mobile devices,
470–471privileged commands, running, 59PRNG (pseudorandom number
generator), 267, 345processes, 67
Immunity Debugger and paused, 381–382
Index 489
programming, 75–85. See also Bash scripts; Python
breakpoints in, 368C programs, 84–85Ruby, for Metasploit modules, 432
proprietary data, loss of, 2protocol analyzer. See also WiresharkProxyChains, 307–308ps aux command, 290ps command (Meterpreter), 67, 295PSExec technique, 296–297, 298pseudorandom number generator
(PRNG), 267, 345PTES (Penetration Testing Execution
Standard), 2PTK (pairwise transient key), 352public exploits
porting, 427–432risks of working with, 142
public SSH key, 194publisher, trusted vs. unknown, 235PUSH ESP instruction, 393PUSH instruction, 363, 411pwd command, 56Python, 81
connecting to a port, 83Ctypes library, 271if statements, 83installing, 46porting exploit, 436variables in, 82VirtualAlloc injection, 271
Python-generated executables, creating encrypted with Veil-Evasion, 270–274
QQR (quick response) codes, 447query, Wireshark capture of, 166
RRADIUS (Remote Authentication
Dial-In User Service) server, 351
Radmin Viewer program, trojan and, 259
radmin.exe binary, embedding payload inside, 259
Railgun, 283rainbow tables, 213random variable, 267
randomize_va_space, 364–365rand_text_english function (Metasploit),
435, 438Rapid7, 87raw_input function (Python), 82RC4 (Rivest Cipher 4) stream
cipher, 343Rcrack tool, 213read (r) permissions, 62Ready to Create Virtual Machine
dialog, 30redirecting input, > symbol for, 61reflective DLL injection, 181reflective XSS attacks, 329
checking for vulnerability, 330registers
in Intel-based CPU, 362–363jumping to, 392
relative path, 56remote attacks, 453–454Remote Authentication Dial-In
User Service (RADIUS) server, 351
remote controlof mobile devices, 465–466USSD, 456–457
remote file inclusion, for web application testing, 327
remote systemlogging into, 298pinging, 76
removing files, 60reporting phase of penetration testing,
2, 5–6researching vulnerabilities, 142resource exhaustion attack, 471RET instruction, 411–412
reliance on location, 440return address, 363
finding, 429–430using from executable module, 394
return statement (C), 85return-oriented programming
(ROP), 441rev2self command (Meterpreter), 284reverse shells, 71, 98–99, 180reverse_https_proxy payload
(Meterpreter), 218RHOST option, for Metasploit module,
94–95risk profile, 5risks of public exploit code, 88
490 Index
Rivest Cipher 4 (RC4) stream cipher, 343
rm file command, 60rockyou.txt.gz file, 200root privileges, 56, 194, 287–291root@kali# prompt, 56ROP (return-oriented
programming), 441route command (Metasploit), 68,
305–306router, for wireless traffic, 339RPORT option, for Metasploit module, 95RtlMovememory API, 271Ruby, for Metasploit modules, 432run migrate command (Meterpreter), 280running processes, viewing, 67
SSafeSEH, 412–416SAM (Security Accounts Manager) file
downloading, 189recovering password hashes from,
204–206Samdump2, 205saving
passwords, 293text to file, 61
SCADA systems, 131scanner/portscan/tcp module, 306scanning
legality of, 124with w3af, 335–337web application, 148–151
scope of pentest, 3scripts. See also Bash scripts; Python
running automatically, 72running in Meterpreter, 223running on target web server, 183
search command (Meterpreter), 291–292
searchingMetasploit auxiliary module and
exploit database, 91for text, 63
searchsploit utility, 288Secure Socket Layer (SSL) attacks,
170–172stripping attacks, 173–174
Security Accounts Manager file. See SAM (Security Accounts Manager) file
security updates, turning off automatic, 34
SecurityFocus.com, 88, 380, 427sed command, 65
to delete final character from each line, 81
SEH chain, 401viewing, 402
SEH overwrites. See structured exception handler overwrites
SEH registration record, 401Select Guest Operating system
dialog, 29self-signed SSL certificates, social
engineering tests with, 173sensitive files, downloading, 188–189service command, 67services, 67session, bringing to foreground, 283SET (Social-Engineer Toolkit), 235,
244–245spear-phishing attacks, 245–250
set payload command (Metasploit), 99setoolkit command, 245shell command, for dropping out of
Meterpreter, 287shell scripts, 75shellcode
Msfvenom for generating, 273–274, 428
replacing, 430shellcode variable, in custom C code, 267shells, 395–400
closing, 100types of, 98–99
shikata_ga_nai encoder, 264short jump assembly instruction,
416–417show advanced command
(Metasploit), 223show options command (Metasploit), 94,
96, 99show payloads command (Metasploit),
96–97, 180, 190–191, 216–218
show targets command (Metasploit), 95–96, 234
signaturesfor antivirus applications, 438for apps, 462
signed Java Applet, 233–235
Index 491
Simple Mail Transfer Protocol (SMTP), default port for, 124
skins in Winamp, malicious code in, 239–240
slash (/), as delimiter character in sed, 65
SLMail 5.5, downloading and installing, 41–42
Smartphone Pentest Framework (SPF), 445, 447–452
Android emulators, 449attaching app, 452attaching to deployed agent,
460–461attaching mobile modem, 449backdooring APKs, 461–464building Andoid app, 449–450creating malicious agents, 458–463downloading and installing, 27–28running exploit through agent, 468setting up, 447–449starting, 448
SMB capture, 302–304SMBPIPE option, for Metasploit
module, 95SMS, for spam and phishing attacks, 446SMTP (Simple Mail Transfer Protocol),
default port for, 124Social-Engineer Toolkit (SET), 235,
244–245spear-phishing attacks, 245–250
social engineering, 243–255mass email attacks, 253–255multipronged attacks, 255tests, with self-signed SSL
certificates, 173web attacks, 250–252
socket library, 82Socks4a, 307–308software
installing vulnerable, 40–47investigating running, for
vulnerabilities, 295user account for, 58versions in banners, 124
source code, backdooring, 458–461spear-phishing attacks, 245–250
choosing a payload, 246–247listener setup, 249–250naming malicious file, 247setting options, 247setting target, 248–249
single vs. mass email, 247–248template for, 248
special characters, avoiding for payload, 396
Specify Disk Capacity dialog, 30SPF. See Smartphone Pentest
Framework (SPF)SQL commands, executing, 186SQL injection, 319–322SQLMap, 321–322SRVHOST option, 220SSH, default root password, 453.ssh directory, 194
vulnerability from access, 145–146SSH Exec, 299–300SSH key pair, generating, 195ssh-add command, 195ssh-keygen command, 195SSL (Secure Socket Layer) attacks,
170–172stripping attacks, 173–174
SSL certificate, warning of invalid, 19SSLstrip, 173–174stack, 362, 363
following ESP register on, 408–409as last-in, first-out (LIFO)
structure, 411stack-based buffer overflow in Linux,
361–378C program vulnerable to, 365–366causing crash, 366–367, 372–373EIP register control, 373–375hijacking execution, 375–376
stack-based buffer overflow in Windows, 379–400
causing crash, 382–384getting shell, 395–400hijacking execution, 390–395locating EIP register, 384–388searching for known vulnerability
in War-FTP, 380–382stack buffer, 379stack cookies, 439–440staged payloads, 181static analysis, 260static IP address
setting, 38–39, 68–69for Windows 7 target machine, 51
stdio library (C), 84stealing stored credentials, 294stopping keylogger, 292stored XSS attacks, 329
492 Index
strategic road map, 6strcpy function, 366–367, 422string, generating with Perl script, 372strong passwords, 198structured exception handler (SEH)
overwrites, 401–419choosing payload, 418–419exploits, 403–407finding attack string in memory,
408–411replacing with POP POP RET, 414, 415SafeSEH, 412–416short jump assembly instruction,
416–417structured exception handler, passing
control to, 407–408su command, 59–60sudo command, 59sudoers file, 59superuser (root) prompt, 16switches, and traffic capture, 156SYN scan, 125–127Syskey utility, encryption key for,
189, 205system() command (PHP), 186system password hashes, 194system privileges, session running
with, 297
TTabnabbing Attack Method, 251target virtual machines, 28–29. See also
Windows 7 target machine, Windows XP target machine, Ubuntu 8.10 target machine
TCP connectioncreating socket, 82Netcat tool for, 69–72three-way handshake, 125
TCP scan, 127TCP stream, Wireshark for
following, 159technical report, 6Temporal Key Integrity Protocol
(TKIP), 350Tenable Security, Nessus, 17, 134–142testing window, 3text
adding to file, 61searching for, 63, 65
text messages, mobile hacking with, 446text segment of memory, 362
TFTP (Trivial FTP) serverdownloading file with, 187–188fuzzing program, 424–426packet, 435packet format, 423writing to file, 438
Thawte (certificate authority), 171theHarvester (Python tool), 118–119then statement, in Bash scripts, 78third-party software, exploiting buffer
overflow in, 190–191third-party web applications,
exploitation, 191–193threat-modeling phase of penetration
testing, 2, 4TikiWiki CMS software, 191–192TKIP (Temporal Key Integrity
Protocol), 350TLS (Transport Layer Security)
encryption, 181/tmp/run file (Linux), adding code to,
290–291token impersonation, 300–301touch command, 60tr utility (Linux), 267training employees, about social
engineering, 244Transport Layer Security (TLS)
encryption, 181Trivial FTP server. See TFTP (Trivial
FTP) servertrojans, 258–259
MD5 hash to check for, 260TrustedSec, Social-Engineer
Toolkit, 244two-factor authentication, 198
UUAC (user account control), 285–287Ubuntu 8.10 target machine, 28. See
also Linuxsetup, 48
udev (device manager for Linux), 288UDP scans, 128–130, 295UDP socket, setting up, 435uname command, 287unstructured supplementary service
data (USSD), 456–457upload command (Meterpreter), 279uploading, Msfvenom payload,
183–185URIPATH option, 221
Index 493
user account control (UAC), 285–287user accounts
adding, 58–59adding, persistence and, 309adding to sudoers file, 59creating in Windows, 35, 48–49in Linux, 58for logging in to FTP, 165switching, 59–60
user lists, 199user password. See passwordsuser privileges, 58–61USER32.dll, 429–430usernames
finding, 118finding valid, 153guessing with Hydra, 202–203
users. See also social engineeringdownloading payload by, 105enticing to download and install
Android agent, 460listing all local, 294logging keystrokes by, 292sending messages to contacts, 465
/usr/share/exploitdb/platforms/linux/local/8572.c exploit, 288–289
/usr/share/metasploit-framework/modules/post/windows/gather/credentials module, 292
USSD (unstructured supplementary service data), 456–457
Vvariables, in Python, 82Veil-Evasion, 270–274
available payloads, 272installing, 21Python VirtualAlloc in, 273
VeriSign (certificate authority), 171version scan, 127–128Very Secure FTP (Vsftpd) 2.3.4,
133–134, 193–194, 258vi (file editor), 62
editing file, 63virtual lab setup, 9–54
installing VMware, 9–10installing vulnerable software,
40–47Kali Linux setup, 10–28target virtual machines, 28–29Ubuntu 8.10 target machine, 48
Windows 7 target machine, 48–54Windows XP target machine,
29–40Virtual Machine Settings dialog, 15virtual machines
configuring network for, 13–17connecting to network, 16–17to delay booting, 207target, 28–29
virtual networks, and traffic capture, 156
VirtualAlloc injection method, 271VirusTotal, 262–263
results for encoded binary, 265VMware, installing, 9–10VMware Fusion (Mac OS), 10, 16, 31–32
installing VMware Tools for, 36VMware Player (Windows), 9–10,
14–15, 35–36installing Windows XP on, 29–31
VMware Toolsinstalling on Windows XP target
machine, 35–36installing on Windows 7 target
machine, 48, 50VMware Workstation, 10.vmx configuration file, 207VRFY SMTP command, 153Vsftpd (Very Secure FTP) 2.3.4,
133–134, 193–194, 258vulnerabilities, 133–153
in Java, 230–233manual analysis, 151–153researching, 142searching for known, in War-FTP,
380–382web application scanning, 148–151
vulnerability analysis phase of penetration testing, 2, 4
vulnerability repository, 149vulnerability scanners
Nessus Home, 17reasons to use, 141
vulnerable software, installing, 40–47
Ww3af (Web Application Attack and
Audit Framework), 335–337War-FTP
crashing, 397–398, 403downloading and installing, 46Python exploit to crash, 383
494 Index
War-FTP (continued)searching for known vulnerability
in, 380–382USER buffer overflow, 439
warning, for PDF embedded executable, 229
Warning: system() [function.system]: Cannot execute a blank command in... message, 187
WCE (Windows Credential Editor), 213–214
Web Application Attack and Audit Framework (w3af), 335–337
web application testing, 313–337with Burp Proxy, 314–319command execution, 327–329cross-site request forgery, 335cross-site scripting (XSS), 329–335local file inclusion, 324–327remote file inclusion, 327scanning with w3af, 335–337signing up for account, 317–318SQL injection, 319–322XPath injection, 323–324
web applicationsaccess to server-side source
code, 326third-party, exploitation, 191–193vulnerability scanning, 148–151
web browsers. See browsersweb server
copying app to, 451running script on target, 183
web server software, system privileges and, 185
WebDAV (Web Distributed Authoring and Versioning) software, 150
exploiting default credentials, 182–183
WebEx, Java for, 241WebKit package, attacking, 454–456websites, for wordlists, 200WEP. See wired equivalent
privacy (WEP)wget command, 289whoami command, 71, 291whois lookups, 115–116Wi-Fi protected access (WPA), 350Wi-Fi Protected Setup (WPS), 356–357Wifite tool, 350, 356
Winampinstalling, 52replacing configuration file for,
237–239Windows
APIs, Railgun for accessing, 283clipboard, stealing data from, 334firewall
and response to ping, 51turning off, 37
Security Accounts Manager (SAM) file
downloading, 189recovering password hashes
from, 204–206Service Control Manager, remote
procedure call (RPC), 296Syskey utility, 189VMware Player, 9–10, 14–15
Windows 7 target machine, 48–54adding second network interface, 52bypassing UAC on, 285–287creating user account, 48–49dumping hashes with physical
attack, 206–207installing additional software,
52–54opting out of automatic updates, 50Powershell in, 329turning off real-time protection, 53
Windows 2000, LM hashes storage, 211Windows Credential Editor (WCE),
213–214Windows XP target machine, 28
activating, 34creating, 29–40installing, 32–35LM hashes storage, 211local privilege escalation, 284–285Nessus detection of
vulnerabilities, 139setup to behave as member of
Windows domain, 39–40windows/local/bypassuac exploit, 286windows/meterpreter/bind_tcp payload, 307windows/meterpreter/reverse_tcp payload,
247, 265, 273–274windows/smb/ms08_067_netapi
module, 306WinSCP, 292–294
downloading and installing, 46
Index 495
wired equivalent privacy (WEP), 343–350
challenges, 350cracking keys with Aircrack-ng,
347–350weaknesses, 346
wireless attacks, 339–357capturing packets, 342–343scanning for access points, 341setup, 339–341viewing available interfaces,
340–341Wi-Fi protected access, 350Wi-Fi Protected Setup (WPS),
356–357wired equivalent privacy (WEP),
343–350WPA2, 351–356
wireless networkmonitor mode, 341–342open, 343
Wireshark, 156–160capturing traffic, 156–158dissecting packets, 160filtering traffic, 158–159following TCP stream, 159for viewing WPA2 handshake, 355
wordlists for passwords, 199–201Workgroup settings, for Windows XP, 33WPA (Wi-Fi protected access), 350WPA2, 351–356
cracking keys, 353–356dictionary attack against, 356enterprise connection process, 351four-way handshake, 352–353personal connection process, 351
WPS (Wi-Fi Protected Setup), 356–357write (w) permissions, 62
Xx/16xw $esp command (GDB), 369XAMPP
Apache, default install location, 186attacking, 149–150default credentials, 150–151default login credentials for
WebDav, 182installing, 43–45starting control panel, 43
XMLattacks on, 323–324usernames and passwords in, 326
Xpath, 320injection, 323–324
xp_cmdshell() function, 188xp_cmdshell stored procedure, 322xphashes.txt file, 210XSS (cross-site scripting), 329–335
checking for reflective vulnerability, 330
leveraging with BeEF, 331–335
Zzero-day vulnerability, 220, 240Zervit server, 40–41
crashes from Nmap scan, 130, 131zone transfers, DNS, 117–118