Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools, including Backtrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn, Netcat, and Hacker Defender rootkit. Supplying a simple and clean explanation of how to effectively utilize these tools, it details a four-step methodology for conducting an effective penetration test or hack.Providing an accessible introduction to penetration testing and hacking, the book supplies you with a fundamental understanding of offensive security. After completing the book you will be prepared to take on in-depth and advanced topics in hacking and penetration testing. The book walks you through each of the steps and tools in a structured, orderly manner allowing you to understand how the output from each tool can be fully utilized in the subsequent phases of the penetration test. This process will allow you to clearly see how the various tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but don¿t know where to start, this book will help take your hacking skills to the next level. The topics described in this book comply with international standards and with what is being taught in international certifications.

Introduction to Hacking
Important Terminologies
     Asset
     Vulnerability
     Threat
     Exploit
     Risk
     What Is a Penetration Test?
     Vulnerability Assessments versus Penetration Test
     Pre-Engagement
     Rules of Engagement
     Milestones
     Penetration Testing Methodologies
     OSSTMM
     NIST
     OWASP
Categories of Penetration Test
     Black Box
     White Box
     Gray Box
     Types of Penetration Tests
          Network Penetration Test
          Web Application Penetration Test
          Mobile Application Penetration Test
          Social Engineering Penetration Test
          Physical Penetration Test
     Report Writing
     Understanding the Audience
          Executive Class
          Management Class
          Technical Class
Writing Reports
Structure of a Penetration Testing Report
     Cover Page
     Table of Contents
     Executive Summary
     Remediation Report
Vulnerability Assessment Summary
     Tabular Summary
Risk Assessment
     Risk Assessment Matrix
Methodology
     Detailed Findings
          Description
          Explanation
          Risk
          Recommendation
     Reports
Conclusion

Linux Basics
Major Linux Operating Systems
File Structure inside of Linux
Permissions in Linux
Special Permissions
Users inside of Linux
     Linux Services
     Linux Password Storage
     Linux Logging
Common Applications of Linux
What Is BackTrack?
     How to Get BackTrack 5 Running?
     Installing BackTrack on Virtual Box
     Installing BackTrack on a Portable USB
     Installing BackTrack on Your Hard Drive
     BackTrack Basics
Changing the Default Screen Resolution
     Some Unforgettable Basics
          Changing the Password
          Clearing the Screen
          Listing the Contents of a Directory
          Displaying Contents of a Specific Directory
          Displaying the Contents of a File
          Creating a Directory
          Changing the Directories
          Windows
          Linux
          Creating a Text File
          Copying a File
          Current Working Directory
          Renaming a File
          Moving a File
          Removing a File
     Locating Certain Files inside BackTrack
Text Editors inside BackTrack
Getting to Know Your Network
     Dhclient
Services
     MySQL
     SSHD
     Postgresql
Other Online Resources

Information Gathering Techniques
Active Information Gathering
Passive Information Gathering
Sources of Information Gathering
Copying Websites Locally
     Information Gathering with Whois
     Finding Other Websites Hosted on the Same Server
YouGetSignal.com
     Tracing the Location
     Traceroute
     ICMP Traceroute
     TCP Traceroute
          Usage
     UDP Traceroute
          Usage
NeoTrace
Cheops-ng
     Enumerating and Fingerprinting the Webservers
Intercepting a Response
     Acunetix Vulnerability Scanner
WhatWeb
Netcraft
     Google Hacking
Some Basic Parameters
     Site
Example
TIP regarding Filetype
     Google Hacking Database
Hackersforcharity.org/ghdb
Xcode Exploit Scanner
     File Analysis
     Foca
     Harvesting E-Mail Lists
     Gathering Wordlist from a Target Website
     Scanning for Subdomains
     TheHarvester
     Fierce in BackTrack
     Scanning for SSL Version
     DNS Enumeration
Interacting with DNS Servers
Nslookup
DIG
     Forward DNS Lookup
Forward DNS Lookup with Fierce
     Reverse DNS
     Reverse DNS Lookup with Dig
Reverse DNS Lookup with Fierce
     Zone Transfers
Zone Transfer with Host Command
Automating Zone Transfers
     DNS Cache Snooping
What Is DNS Cache Snooping?
     Nonrecursive Method
     Recursive Method
What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?
Attack Scenario
Automating DNS Cache Snooping Attacks
     Enumerating SNMP
Problem with SNMP
Sniffing SNMP Passwords
OneSixtyOne
Snmpenum
SolarWinds Toolset
SNMP Sweep
SNMP Brute Force and Dictionary
SNMP Brute Force Tool
SNMP Dictionary Attack Tool
SMTP Enumeration
     Detecting Load Balancers
     Load Balancer Detector
     Determining Real IP behind Load Balancers
     Bypassing CloudFlare Protection
          Method 1: Resolvers
          Method 2: Subdomain Trick
          Method 3: Mail Servers
Intelligence Gathering Using Shodan
Further Reading
Conclusion

Target Enumeration and Port Scanning Techniques
Host Discovery
Scanning for Open Ports and Services
Types of Port Scanning
Understanding the TCP Three-Way Handshake
TCP Flags
Port Status Types
TCP SYN Scan
TCP Connect Scan
NULL, FIN, and XMAS Scans
NULL Scan
FIN Scan
XMAS Scan
TCP ACK Scan
Responses
UDP Port Scan
Anonymous Scan Types
IDLE Scan
Scanning for a Vulnerable Host
Performing an IDLE Scan with NMAP
TCP FTP Bounce Scan
Service Version Detection
OS Fingerprinting
POF
Output
     Normal Format
     Grepable Format
     XML Format
Advanced Firewall/IDS Evading Techniques
Timing Technique
Wireshark Output
Fragmented Packets
Wireshark Output
Source Port Scan
Specifying an MTU
Sending Bad Checksums
Decoys
ZENMAP
Further Reading

Vulnerability Assessment
What Are Vulnerability Scanners and How Do They Work?
Pros and Cons of a Vulnerability Scanner
Vulnerability Assessment with Nmap
Updating the Database
Scanning MS08 _ 067 _ netapi
Testing SCADA Environments with Nmap
     Installation
     Usage
Nessus Vulnerability Scanner
     Home Feed
     Professional Feed
Installing Nessus on BackTrack
Adding a User
     Nessus Control Panel
          Reports
          Mobile
          Policies
          Users
          Configuration
     Default Policies
Creating a New Policy
Safe Checks
Silent Dependencies
     Avoid Sequential Scans
Port Range
     Credentials
     Plug-Ins
Preferences
     Scanning the Target
Nessus Integration with Metasploit
Importing Nessus to Metasploit
     Scanning the Target
     Reporting
     OpenVas
Resource
     Vulnerability Data Resources
     Exploit Databases
Using Exploit-db with BackTrack
Searching for Exploits inside BackTrack
Conclusion

Network Sniffing
Introduction
Types of Sniffing
     Active Sniffing
     Passive Sniffing
Hubs versus Switches
Promiscuous versus Nonpromiscuous Mode
MITM Attacks
ARP Protocol Basics
How ARP Works?
ARP Attacks
     MAC Flooding
          Macof
     ARP Poisoning
Scenario¿How It Works?
Denial of Service Attacks
Tools in the Trade
     Dsniff
Using ARP Spoof to Perform MITM Attacks
     Usage
Sniffing the Traffic with Dsniff
Sniffing Pictures with Drifnet
Urlsnarf and Webspy
Sniffing with Wireshark
Ettercap
ARP Poisoning with Ettercap
Hijacking Session with MITM Attack
Attack Scenario
ARP Poisoning with Cain and Abel
Sniffing Session Cookies with Wireshark
Hijacking the Session
SSL Strip: Stripping HTTPS Traffic
Requirements
     Usage
Automating Man in the Middle Attacks
     Usage
DNS Spoofing
     ARP Spoofing Attack
     Manipulating the DNS Records
     Using Ettercap to Launch DNS Spoofing Attack
DHCP Spoofing
Conclusion

Remote Exploitation
Understanding Network Protocols
     Transmission Control Protocol
     User Datagram Protocol
     Internet Control Messaging Protocol
Server Protocols
     Text-Based Protocols (Important)
     Binary Protocols
          FTP
          SMTP
          HTTP
Further Reading
Resources
Attacking Network Remote Services
     Overview of Brute Force Attacks
          Traditional Brute Force
          Dictionary Attacks
          Hybrid Attacks
Common Target Protocols
Tools of the Trade
     THC Hydra
Basic Syntax for Hydra
     Cracking Services with Hydra
Hydra GUI
     Medusa
Basic Syntax
OpenSSH Username Discovery Bug
Cracking SSH with Medusa
     Ncrack
Basic Syntax
Cracking an RDP with Ncrack
     Case Study of a Morto Worm
Combining Nmap and Ncrack for Optimal Results
     Attacking SMTP
Important Commands
Real-Life Example
Attacking SQL Servers
     MySQL Servers
Fingerprinting MySQL Version
Testing for Weak Authentication
MS SQL Servers
Fingerprinting the Version
Brute Forcing SA Account
Using Null Passwords
Introduction to Metasploit
History of Metasploit
Metasploit Interfaces
MSFconsole
     MSFcli
     MSFGUI
     Armitage
Metasploit Utilities
MSFPayload
MSFencode
MSFVenom
Metasploit Basic Commands
Search Feature in Metasploit
Use Command
Info Command
Show Options
Set/Unset Command
Reconnaissance with Metasploit
Port Scanning with Metasploit
Metasploit Databases
Storing Information from Nmap into Metasploit Database
Useful Scans with Metasploit
     Port Scanners
     Specific Scanners
Compromising a Windows Host with Metasploit
Metasploit Autopwn
db _ autopwn in Action
Nessus and Autopwn
     Armitage
Interface
Launching Armitage
Compromising Your First Target from Armitage
Enumerating and Fingerprinting the Target
MSF Scans
Importing Hosts
Vulnerability Assessment
Exploitation
Check Feature
Hail Mary
Conclusion
References

Client Side Exploitation
Client Side Exploitation Methods
     Attack Scenario 1: E-Mails Leading to Malicious Attachments
     Attack Scenario 2: E-Mails Leading to Malicious Links
     Attack Scenario 3: Compromising Client Side Update
     Attack Scenario 4: Malware Loaded on USB Sticks
     E-Mails with Malicious Attachments
          Creating a Custom Executable
          Creating a Backdoor with SET
          PDF Hacking
Introduction
     Header
     Body
     Cross Reference Table
     Trailer
PDF Launch Action
Creating a PDF Document with a Launch Action
     Controlling the Dialog Boxes
     PDF Reconnaissance
Tools in the Trade
     PDFINFO
          PDFINFO "Your PDF Document"
     PDFTK
Origami Framework
Installing Origami Framework on BackTrack
Attacking with PDF
     Fileformat Exploits
     Browser Exploits
Scenario from Real World
Adobe PDF Embedded EXE
Social Engineering Toolkit
     Attack Scenario 2: E-Mails Leading to Malicious Links
Credential Harvester Attack
Tabnabbing Attack
Other Attack Vectors
Browser Exploitation
Attacking over the Internet with SET
Attack Scenario over the Internet
Using Windows Box as Router (Port Forwarding)
     Browser AutoPWN
Why Use Browser AutoPWN?
Problem with Browser AutoPWN
VPS/DEDICATED Server
     Attack Scenario 3: Compromising Client Side Update
How Evilgrade Works?
Prerequisites
     Attack Vectors
     Internal Network Attack Vectors
     External Network Attack Vectors
     Evilgrade Console
     Attack Scenario
     Attack Scenario 4: Malware Loaded on USB Sticks
Teensy USB
Conclusion
Further Reading

Post-Exploitation
Acquiring Situation Awareness
     Enumerating a Windows Machine
     Enumerating Local Groups and Users
     Enumerating a Linux Machine
     Enumerating with Meterpreter
          Identifying Processes
          Interacting with the System
          User Interface Command
Privilege Escalation
     Maintaining Stability
Escalating Privileges
     Bypassing User Access Control
     Impersonating the Token
     Escalating Privileges on a Linux Machine
Maintaining Access
Installing a Backdoor
Cracking the Hashes to Gain Access to Other Services
Backdoors
     Disabling the Firewall
     Killing the Antivirus
     Netcat
Msfpayload/Msfencode
     Generating a Backdoor with MSFPayload
     Msfencode
Msfvenom
     Persistence
     What Is a Hash?
     Hashing Algorithms
     Windows Hashing Methods
     LAN Manager (LM)
     NTLM/NTLM2
     Kerberos
     Where Are LM/NTLM Hashes Located?
Dumping the Hashes
     Scenario 1¿REMOTE ACCESS
     Scenario 2¿LOCAL ACCESS
     OPH Crack
References
     Scenario 3¿OFFLINE SYSTEM
     OPHCrack LIVE CD
     Bypassing the Log-In
References
Cracking the Hashes
     BruteforceDictionary Attacks
     Password Salts
     Rainbow Tables
John the Ripper
     Cracking LM/NTLM Passwords with JTR
     Cracking Linux Passwords with JTR
Rainbow Crack
     Sorting the Tables
     Cracking the Hashes with rcrack
     Speeding Up the Cracking Process
     Gaining Access to Remote Services
     Enabling the Remote Desktop
     Adding Users to the Remote Desktop
Data Mining
     Gathering OS Information
     Harvesting Stored Credentials
Identifying and Exploiting Further Targets
     Mapping the Internal Network
     Finding Network Information
     Identifying Further Targets
     Pivoting
     Scanning Ports and Services and Detecting OS
     Compromising Other Hosts on the Network Having the Same Password
psexec
     Exploiting Targets
Conclusion

Windows Exploit Development Basics
Prerequisites
What Is a Buffer Overflow?
Vulnerable Application
How to Find Buffer Overflows?
Methodology
Getting the Software Up and Running
Causing the Application to Crash
Skeleton Exploit
     Determining the Offset
     Identifying Bad Characters
Figuring Out Bad Characters with Mona
     Overwriting the Return Address
     NOP Sledges
     Generating the ShellCode
Generating Metasploit Module
Porting to Metasploit
Conclusion
Further Resources

Wireless Hacking
Introduction
Requirements
Introducing Aircrack-ng
Uncovering Hidden SSIDs
Turning on the Monitor Mode
Monitoring Beacon Frames on Wireshark
Monitoring with Airodump-ng
Speeding Up the Process
     Bypassing MAC Filters on Wireless Networks
     Cracking a WEP Wireless Network with Aircrack-ng
Placing Your Wireless Adapter in Monitor Mode
Determining the Target with Airodump-ng
     Attacking the Target
     Speeding Up the Cracking Process
     Injecting ARP Packets
     Cracking the WEP
Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng
Capturing Packets
Capturing the Four-Way Handshake
Cracking WPA/WAP2
     Using Reaver to Crack WPS-Enabled Wireless Networks
Reducing the Delay
Further Reading
     Setting Up a Fake Access Point with SET to PWN Users
Attack Scenario
     Evil Twin Attack
Scanning the Neighbors
Spoofing the MAC
Setting Up a Fake Access Point
Causing Denial of Service on the Original AP
Conclusion

Web Hacking
Attacking the Authentication
     Username Enumeration
     Invalid Username with Invalid Password
     Valid Username with Invalid Password
     Enabling Browser Cache to Store Passwords
Brute Force and Dictionary Attacks
Types of Authentication
     HTTP Basic Authentication
     HTTP-Digest Authentication
     FORM-Based Authentication
     Exploiting Password Reset Feature
Etsy.com Password Reset Vulnerability
     Attacking FORM-Based Authentication
Brute Force Attack
     Attacking HTTP BASIC AUTH
Further Reading
     Log-In Protection Mechanisms
     Captcha Validation Flaw
     Captcha RESET Flaw
     Manipulating User-Agents to Bypass Captcha and Other Protections
     Real-World Example
     Authentication Bypass Attacks
     Authentication Bypass Using SQL Injection
     Testing for SQL Injection Auth Bypass
     Authentication Bypass Using XPATH Injection
          Testing for XPATH Injection
     Authentication Bypass Using Response Tampering
Crawling Restricted Links
Testing for the Vulnerability
     Automating It with Burp Suite
Authentication Bypass with Insecure Cookie Handling
     Session Attacks
     Guessing Weak Session ID
     Session Fixation Attacks
Requirements for This Attack
How the Attack Works?
     SQL Injection Attacks
     What Is an SQL Injection?
     Types of SQL Injection
          Union-Based SQL Injection
          Error-Based SQL Injection
          Blind SQL Injection
     Detecting SQL Injection
     Determining the Injection Type
     Union-Based SQL Injection (MySQL)
Testing for SQL Injection
     Determining the Number of Columns
     Determining the Vulnerable Columns
     Fingerprinting the Database
     Enumeration Information
     Information_schema
     Information_schema Tables
     Enumerating All Available Databases
     Enumerating All Available Tables in the Database
     Extracting Columns from Tables
     Extracting Data from Columns
     Using group _ concat
     MySQL Version ¿ 5
Guessing Table Names
     Guessing Columns
     SQL Injection to Remote Command Execution
Reading Files
Writing Files
     Blind SQL Injection
          Boolean-Based SQLi
     True Statement
     False Statement
     Enumerating the DB USER
     Enumerating the MYSQL Version
     Guessing Tables
     Guessing Columns in the Table
     Extracting Data from Columns
     Time-Based SQL Injection
Vulnerable Application
Testing for Time-Based SQL Injection
     Enumerating the DB USER
     Guessing the Table Names
     Guessing the Columns
     Extracting Data from Columns
     Automating SQL Injections with SQLMAP
     Enumerating Databases
     Enumerating Tables
     Enumerating the Columns
     Extracting Data from the Columns
     HTTP Header¿Based SQL Injection
     Operating System Takeover with Sqlmap
OS-CMD
OS-SHELL
OS-PWN
XSS (Cross-Site Scripting)
How to Identify XSS Vulnerability?
Types of Cross-Site Scripting
Reflected/Nonpersistent XSS
     Vulnerable Code
Medium Security
     Vulnerable Code
High Security
     Bypassing htmlspecialchars
UTF-32 XSS Trick: Bypass 1
Svg Craziness: Bypass 2
Bypass 3: href Attribute
Stored XSS/Persistent XSS
Payloads
Blind XSS
DOM-Based XSS
     Detecting DOM-Based XSS
          Sources (Inputs)
          Sinks (Creating/Modifying HTML Elements)
     Static JS Analysis to Identify DOM-Based XSS
     How Does It Work?
     Setting Up JSPRIME
Dominator: Dynamic Taint Analysis
POC for Internet Explorer
POC for Chrome
Pros/Cons
Cross Browser DOM XSS Detection
Types of DOM-Based XSS
     Reflected DOM XSS
     Stored DOM XSS
     Exploiting XSS
     Cookie Stealing with XSS
     Exploiting XSS for Conducting Phishing Attacks
     Compromising Victim¿s Browser with XSS
Exploiting XSS with BEEF
Setting Up BEEF on BackTrack
Demo Pages
     Beef Modules
          Module: Replace HREFs
          Module: Getcookie
          Module: Tabnabbing
     BEEF in Action
Cross-Site Request Forgery (CSRF)
Why Does a CSRF Attack Work?
How to Attack?
GET-Based CSRF
POST-Based CSRF
CSRF Protection Techniques
Referrer-Based Checking
Anti-CSRF Tokens
Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm
Tokens Not Validated upon Server
Analyzing Weak Anti-CSRF Token Strength
Bypassing CSRF with XSS
     File Upload Vulnerabilities
     Bypassing Client Side Restrictions
     Bypassing MIME-Type Validation
Real-World Example
     Bypassing Blacklist-Based Protections
     Case 1: Blocking Malicious Extensions
          Bypass
     Case 2: Case-Sensitive Bypass
          Bypass
Real-World Example
     Vulnerable Code
     Case 3: When All Dangerous Extensions Are Blocked
          XSS via File Upload
          Flash-Based XSS via File Upload
     Case 4: Double Extensions Vulnerabilities
          Apache Double Extension Issues
          IIS 6 Double Extension Issues
     Case 5: Using Trailing Dots
     Case 6: Null Byte Trick
     Case 7: Bypassing Image Validation
     Case 8: Overwriting Critical Files
Real-World Example
File Inclusion Vulnerabilities
Remote File Inclusion
Patching File Inclusions on the Server Side
     Local File Inclusion
     Linux
     Windows
     LFI Exploitation Using /proc/self/environ
     Log File Injection
     Finding Log Files: Other Tricks
     Exploiting LFI Bby Using PHP Input
     Exploiting LFI Using File Uploads
     Read Source Code via LFI
     Local File Disclosure Vulnerability
          Vulnerable Code
     Local File Disclosure Tricks
     Remote Command Execution
     Uploading Shells
     Server Side Include Injection
Testing a Website for SSI Injection
Executing System Commands
Spawning a Shell
SSRF Attacks
Impact
     Example of a Vulnerable PHP CODE
     Remote SSRF
          Simple SSRF
          Partial SSRF
Denial of Service
     Denial of Service Using External Entity Expansion (XEE)
     Full SSRF
          dict:// 
          gopher://
          http:// 
     Causing the Crash
Overwriting Return Address
Generating Shellcode
Server Hacking
Apache Server
     Testing for Disabled Functions
     Open _ basedir Misconfiguration
     Using CURL to Bypass Open _ basedir Restrictions
     Open _ basedir PHP 5.2.9 Bypass
Reference
     Bypassing open _ basedir Using CGI Shell
     Bypassing open _ basedir Using Mod _ Perl, Mod _ Python
Escalating Privileges Using Local Root Exploits
Back Connecting
Finding the Local Root Exploit
Usage
Finding a Writable Directory
Bypassing Symlinks to Read Configuration Files
Who Is Affected?
Basic Syntax
     Why This Works?
     Symlink Bypass: Example 1
     Finding the Username
          /etc/passwd File
          /etc/valiases File
          Path Disclosure
     Uploading .htaccess to Follow Symlinks
     Symlinking the Configuration Files
Connecting to and Manipulating the Database
Updating the Password
     Symlink the Root Directory
     Example 3: Compromising WHMCS Server
Finding a WHMCS Server
Symlinking the Configuration File
     WHMCS Killer
     Disabling Security Mechanisms
     Disabling Mod _ Security
     Disabling Open _ basedir and Safe _ mode
     Using CGI, PERL, or Python Shell to Bypass Symlinks
Conclusion

Index

Rafay Baloch is the founder/CEO of RHA InfoSec. He runs one of the top security blogs in Pakistan with more than 25,000 subscribers (http://rafayhackingarticles.net). He has participated in various bug bounty programs and has helped several major Internet corporations such as Google, Facebook, Twitter, Yahoo!, eBay, etc., to improve their Internet security. Rafay was successful in finding a remote code execution vulnerability along with several other high-risk vulnerabilities inside PayPal, for which he was awarded a huge sum of money as well as an offer to work for PayPal. His major areas of research interest are in network security, bypassing modern security defenses such as WAFs, DOM-based XSS, and other HTML 5¿based attack vectors. Rafay holds CPTE, CPTC, CSWAE, CVA, CSS, OSCP, CCNA R & S, CCNP Route, and eWAPT certifications.