Contents

Foreword  xviii
Introduction  xx

Chapter 1  Hacking a Business Case  1
    All Computers are Broken  2
    The Stakes  4
    What's Stolen and Why It's Valuable  4
    The Internet of Vulnerable Things  4
    Blue, Red, and Purple Teams  5
    Blue Teams  5
    Red Teams  5
    Purple Teams  7
    Hacking is Part of Your Company's Immune System  9
    Summary  11
    Notes  12

Chapter 2  Hacking Ethically and Legally  13
    Laws That Affect Your Work  14
    Criminal Hacking  15
    Hacking Neighborly  15
    Legally Gray  16
    Penetration Testing Methodologies  17
    Authorization  18
    Responsible Disclosure  19
    Bug Bounty Programs  20
    Legal Advice and Support  21
    Hacker House Code of Conduct  22
    Summary  22

Chapter 3  Building Your Hack Box  23
    Hardware for Hacking  24
    Linux or BSD?  26
    Host Operating Systems  27
    Gentoo Linux  27
    Arch Linux  28
    Debian  28
    Ubuntu  28
    Kali Linux  29
    Verifying Downloads  29
    Disk Encryption  31
    Essential Software  33
    Firewall  34
    Password Manager  35
    Email  36
    Setting Up VirtualBox  36
    Virtualization Settings  37
    Downloading and Installing VirtualBox  37
    Host-Only Networking  37
    Creating a Kali Linux VM  40
    Creating a Virtual Hard Disk  42
    Inserting a Virtual CD  43
    Virtual Network Adapters  44
    Labs  48
    Guest Additions  51
    Testing Your Virtual Environment  52
    Creating Vulnerable Servers  53
    Summary  54

Chapter 4  Open Source Intelligence Gathering  55
    Does Your Client Need an OSINT Review?  56
    What are You Looking For?  57
    Where Do You Find It?  58
    OSINT Tools  59
    Grabbing Email Addresses from Google  59
    Google Dorking the Shadows  62
    A Brief Introduction to Passwd and Shadow Files  62
    The Google Hacking Database  65
    Have You Been "Pwned" Yet?  66
    OSINT Framework Recon-ng  67
    Recon-ng Under the Hood  74
    Harvesting the Web  75
    Document Metadata  76
    Maltego  80
    Social Media Networks  81
    Shodan  83
    Protecting Against OSINT  85
    Summary  86

Chapter 5  The Domain Name System  87
    The Implications of Hacking DNS  87
    A Brief History of DNS  88
    The DNS Hierarchy  88
    A Basic DNS Query  89
    Authority and Zones  92
    DNS Resource Records  92
    BIND9  95
    DNS Hacking Toolkit  98
    Finding Hosts  98
    WHOIS  98
    Brute-Forcing Hosts with Recon-ng  100
    Host  101
    Finding the SOA with Dig  102
    Hacking a Virtual Name Server  103
    Port Scanning with Nmap  104
    Digging for Information  106
    Specifying Resource Records  108
    Information Leak CHAOS  111
    Zone Transfer Requests  113
    Information-Gathering Tools  114
    Fierce  115
    Dnsrecon  116
    Dnsenum  116
    Searching for Vulnerabilities and Exploits  118
    Searchsploit  118
    Other Sources  119
    DNS Traffic Amplification  120
    Metasploit  121
    Carrying Out a Denial-of-Service Attack  125
    DoS Attacks with Metasploit  126
    DNS Spoofing  128
    DNS Cache Poisoning  129
    DNS Cache Snooping  131
    DNSSEC  131
    Fuzzing  132
    Summary  134

Chapter 6  Electronic Mail  135
    The Email Chain  135
    Message Headers  137
    Delivery Status Notifications  138
    The Simple Mail Transfer Protocol  141
    Sender Policy Framework  143
    Scanning a Mail Server  145
    Complete Nmap Scan Results (TCP)  149
    Probing the SMTP Service  152
    Open Relays  153
    The Post Office Protocol  155
    The Internet Message Access Protocol  157
    Mail Software  158
    Exim  159
    Sendmail  159
    Cyrus  160
    PHP Mail  160
    Webmail  161
    User Enumeration via Finger  162
    Brute-Forcing the Post Office  167
    The Nmap Scripting Engine  169
    CVE-2014-0160: The Heartbleed Bug  172
    Exploiting CVE-2010-4345  180
    Got Root?  183
    Upgrading Your Shell  184
    Exploiting CVE-2017-7692  185
    Summary  188

Chapter 7  The World Wide Web of Vulnerabilities  191
    The World Wide Web  192
    The Hypertext Transfer Protocol  193
    HTTP Methods and Verbs  195
    HTTP Response Codes  196
    Stateless  198
    Cookies  198
    Uniform Resource Identifiers  200
    LAMP: Linux, Apache, MySQL, and PHP  201
    Web Server: Apache  202
    Database: MySQL  203
    Server-Side Scripting: PHP  203
    Nginx  205
    Microsoft IIS  205
    Creepy Crawlers and Spiders  206
    The Web Server Hacker's Toolkit  206
    Port Scanning a Web Server  207
    Manual HTTP Requests  210
    Web Vulnerability Scanning  212
    Guessing Hidden Web Content  216
    Nmap  217
    Directory Busting  218
    Directory Traversal Vulnerabilities  219
    Uploading Files  220
    WebDAV  220
    Web Shell with Weevely  222
    HTTP Authentication  223
    Common Gateway Interface  225
    Shellshock  226
    Exploiting Shellshock Using Metasploit  227
    Exploiting Shellshock with cURL and Netcat  228
    SSL, TLS, and Heartbleed  232
    Web Administration Interfaces  238
    Apache Tomcat  238
    Webmin  240
    phpMyAdmin  241
    Web Proxies  242
    Proxychains  243
    Privilege Escalation  245
    Privilege Escalation Using DirtyCOW  246
    Summary  249

Chapter 8  Virtual Private Networks  251
    What is a VPN?  251
    Internet Protocol Security  253
    Internet Key Exchange  253
    Transport Layer Security and VPNs  254
    User Databases and Authentication  255
    SQL Database  255
    RADIUS  255
    LDAP  256
    PAM  256
    TACACS+  256
    The NSA and VPNs  257
    The VPN Hacker's Toolkit  257
    VPN Hacking Methodology  257
    Port Scanning a VPN Server  258
    Hping3  259
    UDP Scanning with Nmap  261
    IKE-scan  262
    Identifying Security Association Options  263
    Aggressive Mode  265
    OpenVPN  267
    LDAP  275
    OpenVPN and Shellshock  277
    Exploiting CVE-2017-5618  278
    Summary  281

Chapter 9  Files and File Sharing  283
    What is Network-Attached Storage?  284
    File Permissions  284
    NAS Hacking Toolkit  287
    Port Scanning a File Server  288
    The File Transfer Protocol  289
    The Trivial File Transfer Protocol  291
    Remote Procedure Calls  292
    RPCinfo  294
    Server Message Block  295
    NetBIOS and NBT  296
    Samba Setup  298
    Enum4Linux  299
    SambaCry (CVE-2017-7494)  303
    Rsync  306
    Network File System  308
    NFS Privilege Escalation  309
    Searching for Useful Files  311
    Summary  312

Chapter 10  UNIX  315
    UNIX System Administration  316
    Solaris  316
    UNIX Hacking Toolbox  318
    Port Scanning Solaris  319
    Telnet  320
    Secure Shell  324
    RPC  326
    CVE-2010-4435  329
    CVE-1999-0209  329
    CVE-2017-3623  330
    Hacker's Holy Grail EBBSHAVE  331
    EBBSHAVE Version 4  332
    EBBSHAVE Version 5  335
    Debugging EBBSHAVE  335
    R-services  338
    The Simple Network Management Protocol  339
    Ewok  341
    The Common UNIX Printing System  341
    The X Window System  343
    Cron and Local Files  347
    The Common Desktop Environment  351
    EXTREMEPARR  351
    Summary  353

Chapter 11  Databases  355
    Types of Databases  356
    Flat-File Databases  356
    Relational Databases  356
    Nonrelational Databases  358
    Structured Query Language  358
    User-Defined Functions  359
    The Database Hacker's Toolbox  360
    Common Database Exploitation  360
    Port Scanning a Database Server  361
    MySQL  362
    Exploring a MySQL Database  362
    MySQL Authentication  373
    PostgreSQL  374
    Escaping Database Software  377
    Oracle Database  378
    MongoDB  381
    Redis  381
    Privilege Escalation via Databases  384
    Summary  392

Chapter 12  Web Applications  395
    The OWASP Top 10  396
    The Web Application Hacker's Toolkit  397
    Port Scanning a Web Application Server  397
    Using an Intercepting Proxy  398
    Setting Up Burp Suite Community Edition  399
    Using Burp Suite Over HTTPS  407
    Manual Browsing and Mapping  412
    Spidering  415
    Identifying Entry Points  418
    Web Vulnerability Scanners  418
    Zed Attack Proxy  419
    Burp Suite Professional  420
    Skipfish  421
    Finding Vulnerabilities  421
    Injection  421
    SQL Injection  422
    SQLmap  427
    Drupageddon  433
    Protecting Against SQL Injection  433
    Other Injection Flaws  434
    Broken Authentication  434
    Sensitive Data Exposure  436
    XML External Entities  437
    CVE-2014-3660  437
    Broken Access Controls  439
    Directory Traversal  440
    Security Misconfiguration  441
    Error Pages and Stack Traces  442
    Cross-Site Scripting  442
    The Browser Exploitation Framework  445
    More about XSS Flaws  450
    XSS Filter Evasion  450
    Insecure Deserialization  452
    Known Vulnerabilities  453
    Insufficient Logging and Monitoring  453
    Privilege Escalation  454
    Summary  455

Chapter 13  Microsoft Windows  457
    Hacking Windows vs. Linux  458
    Domains, Trees, and Forests  458
    Users, Groups, and Permissions  461
    Password Hashes  461
    Antivirus Software  462
    Bypassing User Account Control  463
    Setting Up a Windows VM  464
    A Windows Hacking Toolkit  466
    Windows and the NSA  467
    Port Scanning Windows Server  467
    Microsoft DNS  469
    Internet Information Services  470
    Kerberos  471
    Golden Tickets  472
    NetBIOS  473
    LDAP  474
    Server Message Block  474
    ETERNALBLUE  476
    Enumerating Users  479
    Microsoft RPC  489
    Task Scheduler  497
    Remote Desktop  497
    The Windows Shell  498
    PowerShell  501
    Privilege Escalation with PowerShell  502
    PowerSploit and AMSI  503
    Meterpreter  504
    Hash Dumping  505
    Passing the Hash  506
    Privilege Escalation  507
    Getting SYSTEM  508
    Alternative Payload Delivery Methods  509
    Bypassing Windows Defender  512
    Summary  514

Chapter 14  Passwords  517
    Hashing  517
    The Password Cracker's Toolbox  519
    Cracking  519
    Hash Tables and Rainbow Tables  523
    Adding Salt  525
    Into the /etc/shadow  526
    Different Hash Types  530
    MD5  530
    SHA-1  531
    SHA-2  531
    SHA256  531
    SHA512  531
    bcrypt  531
    CRC16/CRC32  532
    PBKDF2  532
    Collisions  533
    Pseudo-hashing  533
    Microsoft Hashes  535
    Guessing Passwords  537
    The Art of Cracking  538
    Random Number Generators  539
    Summary  540

Chapter 15  Writing Reports  543
    What is a Penetration Test Report?  544
    Common Vulnerabilities Scoring System  545
    Attack Vector  545
    Attack Complexity  546
    Privileges Required  546
    User Interaction  547
    Scope  547
    Confidentiality, Integrity, and Availability Impact  547
    Report Writing as a Skill  549
    What Should a Report Include?  549
    Executive Summary  550
    Technical Summary  551
    Assessment Results  551
    Supporting Information  552
    Taking Notes  553
    Dradis Community Edition  553
    Proofreading  557
    Delivery  558
    Summary  559

Index  561
About the Authors

MATTHEW HICKEY is an expert in offensive security testing, discovering vulnerabilities used by malicious attackers, as well as a developer of exploits and security testing tools. He is a co-founder of Hacker House.

JENNIFER ARCURI is an entrepreneur, public speaker and Certified Ethical Hacker. She is the CEO and founder of Hacker House.