INDEX

3D printing, 170–171

3DES encryption, 389

3G standard, 307

4G standard, 286, 307

802.11 standards, 272–273

A

Absinthe, 259

access

covering tracks, 29

gaining, 28, 197–198

government access to keys, 396–397

maintaining, 29

access card attacks, 429

access control lists (ACLs), 118, 165, 166

Access Control Policy, 23

access control systems, 21–22

access controls, 21–22, 230, 445–448

access points (APs)

Cisco, 285

considerations, 274

detecting, 283

multiple, 274

open, 281

rogue, 274, 283, 284–285

wireless, 274, 278, 281, 284–285

ACK (acknowledgment), 9, 10

ACK flag, 86, 87, 102

ACK scans, 102

acknowledgment. See ACK

ACLs (access control lists), 118, 165, 166

Active Directory Explorer, 124

active footprinting, 49, 52

active sniffing, 150–153

ad hoc connection attack, 285

ad hoc networks, 273, 274

adaptive chosen plain-text attack, 415

Address Resolution Protocol. See ARP

address space layout randomization (ASLR), 251

administrative controls, 16

administrators

changing account name, 204

enforcing password restrictions, 187

network monitoring, 160–161, 162

patches/software deployment, 211

privileges, 209–210

zone transfers, 71

ADMmutate tool, 168

ADS (alternate data stream), 212–214

Advanced Encryption Standard (AES), 279, 280, 390

AES (Advanced Encryption Standard), 279, 280, 390

African Network Information Center (AfriNIC), 68

AfriNIC (African Network Information Center), 68

AH (authentication header), 373, 410

air quality, 444

Aircrack, 280, 288

AirMagnet WiFi Analyzer, 289

AirPcap card, 283

AirPcap dongle, 282

ALE (annualized loss expectancy), 17

alexa.com, 51

algorithms, 387

alternate data stream (ADS), 212–214

Amazon, 336, 338

Amazon Web Services. See AWS

“ambering out,” 155

American Registry for Internet Numbers (ARIN), 68, 72, 73

American Standard Code for Information Interchange (ASCII), 6–7

Android phones. See also mobile devices

applications, 300, 303, 305, 306

Device Administration API, 305

rooting, 303, 305

Stagefright bugs, 308

ZitMo malware, 442

Angry IP Scanner, 99–101

annual rate of occurrence (ARO), 17

annualized loss expectancy (ALE), 17

anonymizers, 114–115

anonymous footprinting, 49

Anonymous hackers, 369–370

antennas, wireless, 274–276

antivirus. See AV

anycast, 146, 147

Apache servers, 235, 236–237

APIs (application program interfaces), 305, 341

APNIC (Asia-Pacific Network Information Center), 68

Apple HFS file system, 212

Apple iOS, 303–304, 305. See also mobile devices

Apple TV, 303

application flaws, 13

Application layer, 6–7, 141–142

application level rootkits, 217

application logs, 215

application program interfaces (APIs), 305, 341

application servers, 235

application-level attacks

buffer overflows, 251–253

cookies, 252, 253–254

cross-site scripting, 251–253

described, 26, 366, 367

executable code, 210–211

LDAP injection attacks, 249–250

mobile platform, 441–443

SQL injection, 254–259

web applications, 247–261

application-level rootkits, 217

applications

attacks on. See application-level attacks

executing, 210–211

fake security apps, 442

malicious, 442

mobile devices, 300, 303, 305, 306

repackaging, 442

security, 229–231

APs. See access points

ARIN (American Registry for Internet Numbers), 68, 72, 73

Armitage, 210

ARO (annual rate of occurrence), 17

ARP (Address Resolution Protocol), 10, 142–145, 278

ARP cache, 143–145

ARP entries, 144–145

ARP poisoning, 152–153, 205

ARP requests, 143, 144–145

ARP spoofing, 152–153

ARPspoof tool, 153

AS (authentication service), 187

ASCII (American Standard Code for Information Interchange), 6–7

Asia-Pacific Network Information Center (APNIC), 68

ASLR (address space layout randomization), 251

assets, 16, 443

association, 276

asymmetric encryption, 391–392

AtomSync, 124

attacks. See also specific attacks

access card attacks, 429

on applications. See application-level attacks

authentication, 18

Bluetooth, 308–309

brute-force, 207–208, 416, 417

categories, 26–27

cipher-based, 416

collision, 395

cross-guest VM breach, 342

cross-site scripting, 251–253

cryptography, 415–417

DDoS, 260, 365–368, 370

DNS, 64–66, 70, 71

DoS, 20, 285, 286, 365–369

evil twin, 284–285

fraggle, 367

honeypots and, 171–173

injection, 229, 249–250

interference, 416

IoT devices, 298, 313–316

malware. See malware attacks

man-in-the-browser, 372

man-in-the-middle, 205, 416

misconfiguration, 26

mobile devices, 299, 302, 303–309

mobile platform, 281, 441–443

on operating system, 26

password. See password cracking

phishing. See phishing

plain-text, 415

replay, 416

session hijacking, 369–374

session riding, 342

shrink-wrap code, 26

side-channel, 342, 416

Smurf, 367

social engineering. See social engineering

source-routing, 112

stealth, 211–212, 216

SYN, 367

system. See system attacks

teardrop, 367

Trojan. See Trojans

viruses, 357–361, 363

web applications, 247–261

web servers, 233–235, 241–247

wireless. See wireless hacking

worms, 357–361

wrapping, 342

Attention Meter, 51

Auditpol tool, 216

authentication, 199–208

badges, 200

biometric, 199–200

vs. confidentiality, 18

DES, 185

described, 276

IoT devices, 314

Kerberos, 185, 187–189

LM, 187

mobile computing, 300

NTLM, 185, 187

one-factor, 200

overview, 199–200

pre-boot, 408

three-factor, 200

two-factor, 200

web servers, 229

wireless networks, 276–277

authentication attacks, 18

authentication header (AH), 373, 410

authentication service (AS), 187

authenticity, 20

authoritative servers, 64

authority support social engineering, 429

authorization, 301, 314, 335

AutoRuns, 356–357

AV (antivirus) programs. See also virus entries

fake AV programs, 358, 437, 438–439

importance of, 363–364

malware attacks and, 350–352

AV signatures, 351

availability, 20

AWS (Amazon Web Services), 72, 330, 331, 332

AWS Greengrass, 332

Azure, 331

B

baby monitors, 315–316

backdoors. See also Trojans

leaving open, 29

mobile computing, 301

Trojans and, 352–357

worms and, 362

backtracking, 242

backups, 16, 203

badges, 200

bandwidth, 366

banner grabbing, 96, 120–121, 168

baselines, 23

Bash, 247

Bashdoor, 247

Basic Encoding Rules (BER), 124

basic service area (BSA), 274

basic service set (BSS), 274

basic service set identifier (BSSID), 274

bastion hosts, 166

BBProxy, 309

BCP (business continuity plan), 17

BER (Basic Encoding Rules), 124

beSTORM, 318

Beyond Trust tools, 318

BIA (business impact analysis), 17

“big brother,” 396–397

binText tool, 363

biometric authentication, 199–200

biometric identifiers, 445–447

biometric passports, 200

biometrics, 445–447

BIOS rootkit, 217, 218

bit flipping, 20

bitcoin, 393

BitLocker, 408

bits

encrypted, 387–390

frames, 8

salt, 396

subnetting and, 92–96

black hats, 25

Black Widow tool, 234

Blackberry phones, 303, 309. See also mobile devices

black-box testing, 32

Blackhole Exploit Kit, 352

blackjacking, 309

Bleeding Life, 352

blind/inferential injection, 259

block ciphers, 387, 388, 389–390

blockchain, 393–394

Bloover, 309

Blowfish encryption, 390

Blueborne attack, 316

Bluebugging, 309

Bluejacking, 309

Blueprinting, 309

BlueScanner, 309

Bluesmacking, 309

Bluesnarfing, 309

Bluesniffing, 309

Bluetooth

attacks, 308–309

devices, 307, 308–309

hacking, 308–309

standard, 272

technology, 307

tools, 309

boot loader level rootkits, 217

boot sector viruses, 360

boot-n-root attack, 408

BootROM exploit, 304

botnets, 15, 260–261, 366, 439

Brandon, John, 336

“bricking,” 367

Bring Your Own Device (BYOD), 299, 302, 305–306

broadcast, 146, 147

broadcast addressing, 94

broadcast messages, 138, 139

brute-force attacks, 207–208, 416, 417

Brutus tool, 245

BSA (basic service area), 274

BSS (basic service set), 274

BSSID (basic service set identifier), 274

BT Browser, 309

btCrawler, 309

buffer overflows, 13, 251–253

Bug Bear worm, 361

bump key, 449

Burp Suite, 234

Buscador, 76

business continuity plan (BCP), 17

business impact analysis (BIA), 17

Business Wire, 51

BYOD (Bring Your Own Device), 299, 302, 305–306

C

CA (certificate authority), 391, 400–402, 405–406

CAC (Common Access Card), 400

cache

ARP, 143–145

DNS, 65, 66, 67, 71

Google Cache, 61

web cache poisoning, 244

Cain and Abel tool

ARP flooding, 153

MAC address spoofing, 153

sniffing passwords, 205, 207, 288

WEP attacks, 288

caller ID, 70

CAM (content addressable memory) table, 152

canaries, 251

canary words, 251

cantennas, 275

CAPTCHAs, 254

Carrier Sense Multiple Access/Collision Detection (CSMA/CD), 139–141

cars. See vehicles

cavity viruses, 361

CBC-MAC (cipher block chaining message authentication code), 279

CC (Common Criteria), 21–22

CCMP (Cipher Block Chaining Message Authentication Code Protocol), 279

CCTT (Covert Channel Tunneling Trojan), 353

CEH (Certified Ethical Hacker) certification, 3, 29

cell phones. See smartphones

Censys tool, 318

Centralized Authentication, 276

CER (crossover error rate), 200, 446–447

certificate authority (CA), 391, 400–402, 405–406

certificate revocation list (CRL), 400

certification tests, 29

certification-level exams, 3–5

Certified Ethical Hacker (CEH) certification, 3, 29

chat channels, 439

chosen-cipher attacks, 415, 416

chosen-plain text attacks, 415

Christmas scan, 102, 105, 106

Chrome browser, 414

CIA (Confidentiality, Integrity, and Availability), 18–20

cipher block chaining message authentication code (CBC-MAC), 279

Cipher Block Chaining Message Authentication Code Protocol (CCMP), 279

cipher text, 386

cipher types, 387–388

ciphers, 388, 389

cipher-text-only attacks, 416

Cisco, 285

clients, 272, 274, 276, 277

Cline, Ernest, 59

cloud auditors, 335

cloud brokers, 334

cloud carriers, 334

cloud computing, 329–348

architecture, 334–335

attacks/threats, 339–342

community clouds, 333

data breach/loss, 339

horror stories, 336–337

hybrid clouds, 333

IoT and, 314

overview, 330–332

public vs. private clouds, 333

regulatory efforts, 335

roles in, 334–335

security, 335–339

tools, 338–339

Cloud Computing Guidelines, 335

cloud consumers, 334

cloud, defined, 329, 330

cloud models, 333–334

cloud providers, 331–332, 334

Cloud Security Alliance (CSA), 335

cloud services, 72, 341

CloudInspect, 338

CloudPassage Halo, 338

Cloudshark, 320

cluster viruses, 360

COBIT (Control Objects for Information and Related Technology), 35, 36

Code Red worm, 361

code/coding, 13, 243, 301

Codenomicon, 413

collision attacks, 395, 397

collision domains, 139–141, 150

collisions, 139–141, 395

command injection, 249

command shell Trojan, 353

Common Access Card (CAC), 400

Common Criteria (CC), 21–22

Common Vulnerability Scoring System (CVSS), 12

Communication Act of 1934, 286

Communications Decency Act, 37–38

community cloud model, 333

community strings, 124

companies

competitive intelligence, 51–52, 76–77

financial information, 52

compliance, 35

computer contaminant, 351

Computer Fraud and Abuse Act, 55

computer-based social engineering, 434–441

Conficker worm, 361

confidentiality, 18, 387, 409

Confidentiality, Integrity, and Availability (CIA), 18–20

CONNECT method, 240

connection string parameter pollution (CSPP), 245

connectionless communication, 85

connection-oriented communication, 84–88

content addressable memory (CAM) table, 152

Control Objects for Information and Related Technology (COBIT), 35, 36

cookies, 60, 115, 205, 252, 253–254

copyrights, 37–38

corrective controls, 16

Covert Channel Tunneling Trojan (CCTT), 353

covert channels, 351

crackers, 25, 30

cracking passwords. See password cracking

Crimepack, 352

criminal activity, 49

CRL (certificate revocation list), 400

cross-certification, 402

cross-guest VM breach, 342

crossover error rate (CER), 200, 446–447

cross-site request forgery (CSRF), 253

cross-site scripting (XSS), 230

cryptanalysis, 386–387

crypters, 352

Cryptobench, 417

cryptographic systems, 387

cryptography, 385–424. See also encryption

algorithms/techniques, 387–399

defined, 386

digital certificates, 402–406

digital signatures, 391, 406–407

encrypted communication, 407–415

history, 385–387

mobile devices, 300

overview, 386–399

PKI system, 399–407

cryptography attacks, 415–417

CrypTool, 388, 417

CSA (Cloud Security Alliance), 335

CSMA/CD (Carrier Sense Multiple Access/Collision Detection), 139–141

CSPP (connection string parameter pollution), 245

CSRF (cross-site request forgery), 253

Currports tool, 90

CVSS (Common Vulnerability Scoring System), 12

cyberterrorists, 26

D

DAC (discretionary access control), 22

daisy-chaining networks, 15

DameWare Remote Support, 211

DAR (data at rest), 408, 409

Dark Reading, 12

Darlloz worm, 362

DAST (Dynamic Application Security Testing), 230

data. See also information

availability, 20

backups, 16, 203

considerations, 6–7

described, 7

disclosure, 18

encrypted. See encryption

handling of, 23

at rest, 408, 409

sensitive, 65, 229

storage, 300, 312

transfer/exchange, 85–87

data at rest (DAR), 408, 409

data breach/loss, 339

Data Encryption Standard. See DES

data execution prevention (DEP), 251

data layers, 7

Data Link layer, 6, 7, 138, 142

database servers, 235

databases, 189, 254–259

datagrams, 10, 85

DDoS attacks, 260, 365–368, 370

Decrypting RSA with Obsolete and Weakened eNcryption (DROWN), 415

decryption, 278, 282, 386, 388–392. See also encryption

decryption keys. See private keys

default vulnerabilities, 13

defense in depth, 280, 448

DELETE method, 240

demilitarized zone (DMZ), 11, 166

denial-of-service attacks (DoS), 20, 285, 286, 365–369

DEP (data execution prevention), 251

Department of Defense (DoD), 21, 22, 160

DES (Data Encryption Standard), 389

DES authentication, 185

deserialization flaws, 230

design flaws, 13

detective controls, 16

DHCP (Dynamic Host Configuration Protocol), 153–154

DHCP starvation, 153–154

dictionary attacks, 206–207

Diffie-Hellman algorithm, 373, 392

dig command, 72

digital certificates, 402–406

Digital Signature Algorithm (DSA), 407

digital signatures, 391, 406–407

digital watermarks, 398

dipole antenna, 275

directional antenna, 275, 276

Directory System Agent (DSA), 124

directory traversal, 241–243

direct-sequence spread spectrum (DSSS), 273

disaster recovery, 17

disaster recovery plan (DRP), 17

disasters, 17, 448

discovery, 281–284

discretionary access control (DAC), 22

disgruntled employees, 55, 432–434

distributed reflection denial-of-service (DRDoS) attack, 366

distributed-denial-of-service attacks. See DDoS attacks

DLL hijacking, 209

DMZ (demilitarized zone), 11, 166

DNS (Domain Naming System)

basics, 63–72

cache, 63–66, 69, 71

considerations, 9, 10

for footprinting, 62–72

tools for, 62–72

DNS amplification, 241

DNS attacks, 64–66, 70, 71

DNS lookups, 64–65, 66

DNS namespace, 63–66, 69, 71

DNS poisoning, 65, 66, 71, 155

DNS records, 50, 62, 63, 65

DNS servers, 62–72, 284

DNS zone transfers, 63, 71

DNSSEC (Domain Name System Security Extensions), 66, 69

dnsstuff.com, 78

DoD (Department of Defense), 21, 22, 160

domain controller, 187

Domain Name System Security Extensions (DNSSEC), 66, 69

domain names, 68

Domain Naming System. See DNS

DoS (denial-of-service attacks), 20, 285, 286, 365–369

dot-dot-slash attack, 241–243

doxing, 15

DRDoS (distributed reflection denial-of-service) attack, 366

drivers, 282

DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), 415

DRP (disaster recovery plan), 17

DSA (Digital Signature Algorithm), 407

DSA (Directory System Agent), 124

dsniff tool, 153

DSSS (direct-sequence spread spectrum), 273

DUHK attack, 395

dumpster diving, 50, 51, 52, 201, 428

dust, 444

DYLIB hijacking, 209

Dyn, 260

Dyn attack, 315–316

Dynamic Application Security Testing (DAST), 230

Dynamic Host Configuration Protocol. See DHCP

dynamic web pages, 248

E

EAL (Evaluation Assurance Level), 21

EAP (Extensible Authentication Protocol), 278

Easter eggs, 59

eavesdropping, 137, 138. See also sniffing

ECC (Elliptic Curve Cryptosystem), 392

EC-Council (ECC), 4, 22, 23, 48, 231, 236

EDGAR Database, 51

edge computing networks, 331

EF (exposure factor), 17

Effland, Charlie, 340

EFS (Encrypted File Systems), 410

EISA (Enterprise Information Security Architecture), 15

El Gamal algorithm, 392

EliteWrap, 351

Elliptic Curve Cryptosystem (ECC), 392

e-mail

contact, 66

executable code in, 210

footprinting, 60, 61–62

phishing, 202, 435–438, 439

S/MIME and, 411

tracking tools, 61

e-mail headers, 61, 62

e-mail policy, 23

e-mail servers, 71

employees

disgruntled, 55, 432–434

privilege escalation and, 33

security policies, 23

social engineering and, 427–434

Encapsulating Security Payload (ESP), 373, 410

encrypted communication, 407–417

Encrypted File Systems (EFS), 410

encryption. See also cryptography

3DES, 389

AES, 390

algorithms, 387–398

asymmetric, 391–392

Blowfish, 390

cipher types, 387–388

data at rest, 408, 409

data while communicating, 407–417

decryption, 278, 282, 386, 388–392

DES, 389

digital certificates, 402–406

digital signatures, 406–407

Endpoint Encryption, 408

hash algorithms, 392–398

IDEA, 390

IoT devices, 314

key, 387–392

laptops, 408

mobile devices, 408

overview, 386–399

PKI system, 402

RC, 390

shared key, 389–390

single key, 389, 391

steganography, 398–399

symmetric, 389–390

techniques, 387–399

tools for, 396

Twofish, 390

wireless networks, 277–280, 287–289

encryption keys. See public keys

encryption viruses, 360

Endpoint Encryption, 408

Enterprise Information Security Architecture (EISA), 15

enumeration, 117–125

banner grabbing, 120–121

considerations, 117–125

described, 117

examples of, 28

Linux systems, 119

NetBIOS, 121–123

other options, 124–125

SNMP, 123–124

techniques, 120–125

Windows systems, 117–119

e-passports, 200

escalation of privileges, 29, 33, 208–210

ESP (Encapsulating Security Payload), 373, 410

ESS (extended service set), 274

Ethernet frames, 8–11

ethical hackers, 18, 25, 30–38

ethical hacking, 24–38. See also hacking

attack types, 26–27

classifications, 24–26

considerations, 108

hacking phases, 27–30

laws/standards, 33–38

overview, 24

terminology, 15, 24–30

white hats, 25

Ettercap sniffer, 159, 205–206, 372

Euromonitor, 51

Evaluation Assurance Level (EAL), 21

evasion, 159–173

firewalls, 165–167

intrusion detection systems. See IDS

overview, 159

via fragmentation, 168

event logs, 215, 216

evil twin attack, 284–285

exam, 3–5

exam tips, 4–5

exclusive-or. See XOR

Experian, 51

Exploit Database, 12

exploit kits, 352

exploits, 15

exposure factor (EF), 17

extended service set (ESS), 274

Extensible Authentication Protocol (EAP), 278

Extensible Markup Language (XML), 108, 239

EternalBlue exploit, 358, 360

F

FAA (Federal Aviation Administration), 286

Facebook, 52, 55, 434

Factoring Attack on RSA-EXPORT Keys (FREAK), 413

false acceptance rate (FAR), 200, 446

false negatives, 160

false positives, 160

false rejection rate (FRR), 200, 446

FAR (false acceptance rate), 200, 446

FCC (Federal Communications Commission), 279, 286, 287

FCC ID, 287

FDE (full disk encryption), 408

Federal Aviation Administration (FAA), 286

Federal Communications Commission (FCC), 279, 286, 287

Federal Risk and Authorization Management Program (FedRAMP), 335

FedRAMP (Federal Risk and Authorization Management Program), 335

file extension viruses, 361

file injection, 249

file streaming, 212–213, 214

file system, 193, 212–213, 410

File Transfer Protocol (FTP), 141, 410

files

activity, 211–216

hiding, 211–214

hosts, 67

HTML, 239

log. See log files

SAM, 184–187, 188

shadow, 194, 195–196

signature, 363–364

steganographic, 398–399

verifying integrity of, 356–357

filters, 157–158

FIN flag, 86

FIN scans, 102

finger tool, 119

fingerprinting, 96, 107

Firewalk tool, 170

firewalking, 168–170

Firewall Informer, 168

firewalls

application-level, 167

banner grabbing and, 168

bastion hosts, 166

circuit-level, 167

evasion, 168–169

hacking tools, 168–170

implicit deny principle, 165

multi-homed, 166

overview, 165–167

packet-filtering, 166–167

rules, 165

Firmalyzer, 320

firmware, 217, 218, 315

firmware rootkits, 217

flow control, 6

footprinting, 48–77

active, 49, 52

anonymous, 49

benefits of, 49

considerations, 48, 50, 54–55

DNS, 62–72

dumpster diving, 428

e-mail, 60, 61–62

methods/tools, 53–77

network, 72–75

overview, 48–50

passive, 49, 50–52

pseudonymous, 49

vs. reconnaissance, 48

vs. scanning, 84

search engines, 53–60

social engineering and, 51, 52

web mirroring, 60

web servers, 233–234

web spiders, 54, 76

website, 60–61

Fport tool, 356

fraggle attacks, 367

fragmentation, 103, 111, 168

fragmentation attacks, 366

fragmented packets, 111–112, 366

frames, 6, 10, 84

FREAK (Factoring Attack on RSA-EXPORT Keys), 413

FreeScan, 116–117

FRR (false rejection rate), 200, 446

FTP (File Transfer Protocol), 141, 410

fud (fully undetectable), 352

full connect scan, 101, 105

full disk encryption (FDE), 408

full open scan, 101

functionality, 14

fuzz testing, 257

G

GAK (government access to keys), 397

GET method, 240

GFI Languard, 14

Ghost Eye Worm, 361

GIDs (group IDs), 119

Gigabit Wi-Fi, 279

Gilisoft Full Disk Encryption, 408

Gizmodo, 319

Google

Chrome browser, 414

cookies, 115

growth of, 331

Heartbleed exploit, 412, 413

IoT hacking and, 317

OpenSSL and, 412

Google Cache, 61

Google CAPTCHA, 58

Google hacking, 55–60

Google search queries, 59–60

Google servers, 414

government access to keys (GAK), 397

GPS devices, 283, 284

gray hats, 25

gray-box testing, 33

Grayfish rootkit, 217

the Great Firewall, 114

group IDs (GIDs), 119

Guardster, 115

guidelines, 23

Gzapper, 115

H

hack value, 14

hackers. See also pen testers

Anonymous, 369–370

black hats, 25

classifications, 24–26

considerations, 29, 30

crackers, 25, 30

described, 24

ethical. See ethical hackers

favorite tools, 77

good vs. bad, 30

gray hats, 25

honeypots, 171–173

IDS evasion, 161

interview with, 161–162

malicious, 30

vs. pen testers, 29

script kiddies, 24, 26

state-sponsored, 26

suicide hackers, 25

tips on, 161–162

white hats, 25

Hackerstorm, 12

hacking, 199–218. See also pen testing

Bluetooth, 308–309

Computer Fraud and Abuse Act, 55

considerations, 24, 25

covering tracks, 29

covering/clearing tracks, 198, 199, 215–216

ethical. See ethical hacking

gaining access, 28, 197–198

good vs. bad, 24, 25

Google hacking, 55–60

IoT devices, 317–320

learning about, 232–233

Linux. See Linux systems

maintaining access, 29, 197, 198, 199

mobile devices, 299, 302, 307–309

vs. pen testing, 53

phases of, 27–30, 197–199

privilege escalation, 29, 33, 208–210

reconnaissance. See reconnaissance

system. See system attacks

terminology, 15, 24–30

web-based. See web-based hacking

Windows. See Windows systems

wireless. See wireless hacking

HackRF. See vehicles

hacktivists/hacktivism, 25, 370

half-open scan, 102

halo effect, 430

hardware protocol analyzers, 141

hardware rootkits, 217

hash algorithms, 392–398

hash functions, 20

hash injection attacks, 202

hash values, 20, 185, 186, 187

hashes, 20, 447

hashing passwords, 185–189

Havij scanner, 259

HBSS (Host Based Security System), 160

HEAD method, 240

headers, 60

Health Insurance Portability and Accountability Act (HIPAA), 35

heap overflow, 251

Heartbleed exploit, 411, 412–413, 414

HFS file system, 212

hidden field, 243–244

HIDS (host-based IDS), 98–99, 160

hierarchical trust system, 402

hijacking, 369

hijacking sessions, 369–374

HIPAA (Health Insurance Portability and Accountability Act), 35

Hoare, Greg, 341

Honeynet, 260

honeypots, 171–173, 232, 260

honeyspot attacks, 285

Hoovers, 51

Horsepill rootkit, 217

Host Based Security System (HBSS), 160

host ID, 92, 93

host-based IDS (HIDS), 98–99, 160

hosts file, 67

hotspots, 285

Hping, 109, 110

HTML code, 60, 235, 239, 243

HTML entities, 239, 252

HTML files, 239

HTTP (Hypertext Transfer Protocol), 142, 238–241

HTTP attacks, 259

HTTP beacons, 167

HTTP requests, 9, 238–240, 242, 244

HTTP response messages, 241

HTTP response splitting, 259

HTTP shell, 167

HTTP tunneling, 167

HTTPRecon, 233

HTTPrint, 233

HTTPS servers, 415

hubs, 141, 150, 151, 278

human-based social engineering, 427–434

humidity, 444

Hunt tool, 372

Hutchins, Marcus, 359

HVAC attacks, 316

hybrid cloud model, 333

Hyena, 123

hyperlinks, 238

hypertext, 238

Hypertext Transfer Protocol. See HTTP

hypervisor level rootkits, 217

hypervisors, 332, 337

I

IaaS (Infrastructure as a Service), 332

IANA (Internet Assigned Number Authority), 68, 89

iBoot exploit, 304

ICANN (Internet Corporation for Assigned Names and Numbers), 68

ICMP (Internet Control Message Protocol), 97–98, 99

ICMP Echo scanning, 98

ICMP floods, 367

ICMP message types, 97–98

ICMP packets, 98, 99, 100, 367

ICMP requests, 74, 75

ICQ (Internet Chat Query), 366

ICV (integrity check value), 278

ID badges, 429

ID Serve, 233

IDA Pro, 363

IDEA (International Data Encryption Algorithm), 390

identity theft, 429–430, 440–441

IDLE scan, 102, 103–104

IDSInformer tool, 168

IDSs (intrusion detection systems), 159–168

anomaly-based, 160

behavior-based, 17, 160

considerations, 160–161

evasion issues, 96, 161

evasion techniques, 167–173

host-based, 98–99, 160

network-based, 98–99, 160–161, 162

overview, 159–161

signature-based, 160

Snort, 161–165

Unicode characters and, 168

IETF (Internet Engineering Task Force), 228

IIS (Internet Information Services) servers, 235–236, 237, 238

IKE (Internet Key Exchange), 373

IMAP, 142

impersonation, 428–429

implicit deny principle, 165

in-band SQL injection, 258

incident management, 15

incident response team (IRT), 15

Infinity, 352

information. See data

Information Audit Policy, 23

information gathering

company websites, 51–52

competitive intelligence, 51–52, 76–77

dumpster diving, 428

job boards, 54

shredded documents, 428

social networking sites, 52, 55

web-based hacking, 233–234

Information Protection Policy, 23

Information Security Policy, 23

Information Systems Audit and Control Association (ISACA), 36

information technology. See IT

infowar, 27

Infrastructure as a Service (IaaS), 332

infrastructure mode, 274

initial sequence number (ISN), 371

initialization vector (IV), 278

injection attacks, 229, 245, 249–250

insider threats, 432–434

installation vulnerabilities, 13

integrity, 20, 314

integrity check value (ICV), 278

interference attacks, 416

International Data Encryption Algorithm (IDEA), 390

International Telecommunications Union (ITU), 280, 313

Internet Assigned Number Authority (IANA), 68, 89

Internet Chat Query (ICQ), 366

Internet Control Message Protocol. See ICMP

Internet Corporation for Assigned Names and Numbers (ICANN), 68

Internet DMZ zone, 11

Internet Engineering Task Force (IETF), 228

Internet Information Services (IIS) servers, 235–236, 237, 238

Internet Key Exchange (IKE), 373

Internet of Things. See IoT

The Internet of Useless Things, 319

Internet Protocol. See IP

Internet Protocol Security (IPSec), 410

Internet Relay Chat. See IRC

Internet Security Association Key Management Protocol, 373

Internet service providers (ISPs), 37, 369

Internet zone, 10

intranet zone, 12

intrusion detection systems. See IDSs

inverse TCP flag, 102

iOS, 303–304, 305. See also mobile devices

IoT (Internet of Things), 309–320

architecture, 310–313

authorization/authentication, 314

communication models, 312

considerations, 310, 311, 313, 319

data storage, 312

encryption, 314

hacking methodology, 317–320

HVAC attacks, 316

insecure communication, 314

overview, 297–298, 309–310

privacy issues, 314

security issues, 313–316

software/firmware issues, 315

vehicles, 312, 316

vulnerabilities/attacks, 298, 313–316

vulnerability scanning, 318–320

IoT devices, 316–320

attacks on, 298, 313–316

baby monitors, 315–316

hacking, 317–320

overview, 309–310

requirements for, 311–312

thermostats, 311

vulnerabilities, 298, 313–316

IoT gateway, 312

IoT networks, 310, 314, 316

IP (Internet Protocol), 142

IP Address Decoy, 112

IP addresses

broadcast, 92

described, 92

directed broadcast, 94

DNS and, 9, 10, 68

fragmented, 103

limited broadcast, 94

multicast, 92

network range, 72–73

rules, 93

spoofing, 103, 112

unicast, 92

IP communication, 373

IP identifier (IPID), 103

IP packet header, 142

IP packets, 9–10, 103

IP version 4. See IPv4

IP version 6 (IPv6), 145–147

iPhones. See also mobile devices

applications, 300, 303, 305, 306

iOS, 303–304, 305. See also mobile devices

jailbreaking, 303–304, 305

IPID (IP identifier), 103

iPods, 303

IPSec (Internet Protocol Security), 373, 410

IPSec shell, 373

IPv4 (IP version 4), 145–147

IPv4 address depletion, 145

IPv4 addresses, 92

IPv4 loopback address, 138

IPv6 (IP version 6), 143–145

Iran nuclear worm, 362–363

IRC (Internet Relay Chat), 362, 366, 439

IRC channel, 351

IRDP spoofing, 155

IRT (incident response team), 15

ISACA (Information Systems Audit and Control Association), 36

ISN (initial sequence number), 371

ISO/IEC, 35

ISPs (Internet service providers), 37, 369

IT Governance Institute (ITGI), 36

ITGI (IT Governance Institute), 36

ITU (International Telecommunications Union), 280, 313

IV (initialization vector), 278

J

jailbreaking, 303–304, 305

jamming devices, 285–287

Java, 438–439

JavaScript, 252

job boards, 54

John the Ripper, 197, 208

JTAGulator, 320

JXplorer, 124

K

Kaminsky, Dan, 66

KDC (key distribution center), 187

KerbCrack, 206

Kerberos authentication, 185, 187–189

kernel-level rootkits, 217

key distribution, 389, 390, 392

network, 276–280

key distribution center (KDC), 187

key encryption, 387–392

key escrow, 397

key generation, 399

key pairs, 389, 391, 400

Key Reinstallation Attack (KRACK), 288–289

key sets, 399

keyboard walks, 201

keyloggers, 202

keylogging, 202

keys

government access to, 396–397

length, 389, 390, 392, 413

private. See private keys

public. See public keys

registry, 189–190

shared, 276–277

symmetric encryption, 389–390

temporal, 288

WEP, 277, 278

WPA2, 288–289

keystream, 278

KillerBee, 320

KisMAC, 280, 288

Kismet, 283, 289

KRACK (Key Reinstallation Attack), 288–289

L

L0phtcrack tool, 208

LACNIC (Latin America and Caribbean Network Information Center), 68

LAND attack, 367

laptop computers, 408

Latin America and Caribbean Network Information Center (LACNIC), 68

lawful interception, 148

laws/standards, 33–38

LC5 tool, 208

LDAP (Lightweight Directory Access Protocol), 124

LDAP Admin Tool, 124

LDAP injection attacks, 249–250

Legion tool, 204

LexisNexis, 51

libpcap, 139

library-level rootkits, 217

libwhisker, 160

Licklider, J.C.R., 330

Lightweight Directory Access Protocol. See LDAP

LinkedIn, 53, 55, 434

Linux root, 193

Linux servers, 193

Linux systems

basic commands, 195

enumeration, 119

file structure, 193–194

file system, 193

hacking, 195–197

navigating, 195

passwords, 194, 195, 196–197

security, 193–197

users/groups, 119

vs. Windows systems, 191–192

list scans, 98

“live” systems, 96

LLMNR attacks, 203, 204

Lloyd, Kris, 341

LM authentication, 187

LM hashing, 186

locks, 443, 445, 447, 449

Locky, 360

log files

application logs, 215

considerations, 29, 215

corrupting, 29, 215

covering/clearing tracks, 198, 199, 215–216

deleting, 29

event logs, 215, 216

location of, 215–216

monitoring, 215

security logs, 215

SIGVERIF, 357

system logs, 215

logging/log files

web-based hacking, 231

LOIC (Low Orbit Ion Cannon), 367–368

Long, Johnny, 55–57

loop antenna, 276

lovebugs, 53

Low Orbit Ion Cannon (LOIC), 367–368

“low-hanging fruit,” 417

LTE networks, 286

M

MAC (mandatory access control), 22

MAC (Media Access Control), 138

MAC addresses

ARP and, 142–143, 143–144

broadcast messages, 138, 139

considerations, 10

filtering, 287

flooding, 151–152

multicast messages, 139

spoofing, 152, 154–155, 287

WPA and, 278

MAC duplication, 155

MAC filtering, 287

macro viruses, 360

madwifi project, 282

malicious applications, 442

malicious hackers, 30

Maltego tool, 76

malvertising, 351

malware, 350, 363

malware attacks, 350–364

overview, 350–351

Trojans, 352–357

viruses, 357–361

worms, 357–361

malware authors, 232–233

Malwarebytes, 356

Management Information Base. See MIB

management network zone, 12

mandatory access control (MAC), 22

man-in-the-browser (MIB) attacks, 372

man-in-the-middle (MITM) attacks, 205, 416

mantraps, 447–448

Market Watch, 51

masking, 398

The Matrix, 297

maximum tolerable downtime (MTD), 17

MBSA (Microsoft Baseline Security Analyzer), 115, 261

MD4 algorithm, 185

MD5 algorithm, 185, 394

MDM (Mobile Device Management), 306

Media Access Control. See MAC

Melissa virus, 360

Meltdown attacks, 373–374

memorization, 441

message integrity codes (MICs), 279

messenger channels, 439

Metagoofil, 58

metamorphic viruses, 360

Metasploit, 203, 209–210, 246–247

methodologies, 96

MIB (Management Information Base), 123

MIB (man-in-the-browser) attacks, 372

MIB entries, 123

Microsoft Baseline Security Analyzer (MBSA), 115, 261

Microsoft Management Consoles (MMCs), 192–193

Microsoft Vulnerability Research, 12

Microsoft Windows. See Windows systems

MICs (message integrity codes), 279

Mirai botnet, 260, 315–316

mirroring websites, 234, 248

mis-association attack, 285

misconfiguration attacks, 26, 245

misconfiguration vulnerabilities, 13

MITM (man-in-the-middle) attacks, 205, 416

MMCs (Microsoft Management Consoles), 192–193

mobile computing, 298–309

attacks, 299, 302, 303–309

authentication, 300

authorization, 301

backdoors, 301

code-level issues, 301

considerations, 272, 298

data storage, 300

insecure communication, 300, 314

overview, 298

OWASP top 10 risks, 299–302

platform issues/problems, 300

platforms, 303–307

rooting/jailbreaking, 303–304, 305

software bugs, 308

Mobile Device Management (MDM), 306

mobile devices

applications, 300, 303, 305, 306

as attack platform, 308

attacks on, 299, 302, 303–309

Bluetooth, 307, 308–309

BYOD, 299, 302, 305–306

cryptography, 300

data storage, 300

encryption, 408

operating systems, 303–307

phishing, 307–308

smartphones. See smartphones

Trojans, 308

vulnerabilities/risks, 299–305

Wi-Fi connections, 307, 308

mobile platform

application-based attacks, 442

smartphones. See smartphones

social engineering attacks, 441–443

mobile platform attacks, 441–443

modulation, 273

msconfig tool, 356, 357

MTD (maximum tolerable downtime), 17

Mudge, Raphael, 372

multicast, 146

multicast messages, 139

multipartite viruses, 360

multitier architecture, 237

N

name lookups, 66

name resolvers, 64

name servers, 63–66, 68, 72

namespace, 63–66, 69, 71

NAT (NetBIOS Auditing tool), 204

NAT (network address translation), 166, 373

National Computer Security Center (NCSC), 21

National Institute of Standards and Technology. See NIST

National Vulnerability Database (NVD), 12–13

NBNSpoof, 203

NBT-NS, 203

nbtstat command, 122–123

NCSC (National Computer Security Center), 21

NDA (nondisclosure agreement), 31

NeoTrace tool, 74

Nessus, 13, 115–116, 234, 320

Nest thermostat, 311

net commands, 204

NetBIOS Auditing tool (NAT), 204

NetBIOS enumeration, 121–123

NetBIOS traffic, 203

netcat tool, 121, 350, 353–354

Netcraft, 53–54, 233

Netcraft Toolbar, 438

NetCut, 308

netizens, 364

Netscan, 86

NetScanTools Pro, 108

netstat tool, 91, 355–356

NetStumbler, 281, 283

NetSurveyor, 283–284, 289

network address translation (NAT), 166, 373

Network Basic Input/Output System. See NetBIOS

network diagrams, 96

network ID, 92, 93, 95, 96, 98

network interface cards (NICs), 138–139, 141, 274

network intrusion detection systems. See NIDSs

Network layer, 7, 142

network tap, 162

Network Time Protocol, 124

networks

ad hoc, 273, 274, 285

basics, 2, 5–14

daisy-chaining, 15

edge computing, 331

footprinting, 72–75

IoT, 310, 314, 316

LTE, 286

monitoring, 160–161, 162

range, 72–73

security zones, 10–12

switched, 84

TCP/IP, 5, 7–12, 84–88

VANET, 312

wireless. See wireless networks

Neverquest Trojan, 353

New Technology File System. See NTFS

New York Times, 370

NgineX servers, 236

NICs (network interface cards), 138–139, 141, 274

NIDSbench tool, 168

NIDSs (network intrusion detection systems), 98–99, 160–162, 368

Nikto scanner, 234

Nimda worm, 361

Nirvanix, 336

NIST (National Institute of Standards and Technology), 334, 409

NIST reference architecture, 334–335

nmap command, 234, 412

Nmap switches, 105–106, 107, 124

Nmap tool, 98, 99, 101, 104–109, 318

nonce, 289

nondisclosure agreement (NDA), 31

non-electronic password attacks, 201

nonrepudiation, 387, 391, 399

noodling, 183–184

NOP sled, 251

NSAuditor, 123

nslookup command, 70–72

NT LAN Manager. See NTLM

NTFS (New Technology File System), 212–213

NTFS file streaming, 212–213

n-tier architecture, 237

NTLM authentication, 185, 187

NTLM hash, 186

NTP server, 124

NTPv3, 124

nuclear worm, 362–363

NULL scan, 102

NVD (National Vulnerability Database), 12–13

O

Oakley protocol, 373

object identifiers (OIDs), 123

OCSP (Online Certificate Status Protocol), 400

OFDM (orthogonal frequency-division multiplexing), 273

OIDs (object identifiers), 123

omnidirectional antenna, 274

OmniPeek sniffer, 289

one-factor authentication, 200

Online Certificate Status Protocol (OCSP), 400

open services, 13

Open Source Intelligence (OSINT), 75

Open Source Security Testing Methodology Manual (OSSTMM), 35

Open System Authentication, 276

Open System Interconnection (OSI) Reference Model, 5–7

Open Web Application Security Project. See OWASP

OpenPGP standard, 411

OpenSignalMaps, 281

OpenSSL, 412, 413

OpenVAS, 14, 117

OpUtils 5, 124

Orange Book, 21

organizational unique identifier, 138, 143

orthogonal frequency-division multiplexing (OFDM), 273

Orwell, George, 149, 397

OS (operating system)

attacks, 26

baseline, 13

default installation, 13

design flaws, 13

fingerprinting, 96

misconfiguration, 13

OSI (Open System Interconnection) Reference Model, 5–7

OSINT (Open Source Intelligence), 75

OSRFramework, 75–76

OSSTMM (Open Source Security Testing Methodology Manual), 35

Ostinato tool, 86

out-of-band SQL injection, 259

overt channels, 351

OWASP (Open Web Application Security Project), 229, 299–302, 313–315

P

PaaS (Platform as a Service), 332

packers, 352

Packet, 331

packet capture, 156–158

packet generating tools, 168

Packet Generator, 168, 169, 170

packet header, 84

Packet Internet Groper. See ping

PacketBuilder, 86–87

packet-filtering firewalls, 166–167

PackETH, 86, 168, 169, 170

packets

considerations, 9

fragmented, 111–112, 366

ICMP, 98, 99, 100, 367

identifying targets, 97–100

IP, 9–10, 103

PING, 98

routing, 112

SYN, 367

SYN/ACK, 367

TCP, 371

Padding Oracle On Downgraded Legacy Encryption (POODLE), 411, 413–414

pair master key (PMK), 280

parabolic grid antenna, 275

parameter tampering, 242

paranoid policy, 23

pareidolia, 340

partial knowledge testing, 33

passive footprinting, 49, 50–52

passive sniffing, 150, 151, 159

pass-the-hash attack, 189

password cracking, 201–208

active online attacks, 202–204

brute-force attacks, 207–208, 417

Cain and Abel tool, 153, 205, 207, 288

cracking WEP, 287–289

cracking WPA, 287–289

dictionary attacks, 206–207

Ettercap, 205–206

hybrid attacks, 207

John the Ripper, 197, 208

keylogging, 202

non-electronic attacks, 201

offline attacks, 206–207

passive online attacks, 205–206

rainbow tables, 207, 396

resources, 208

rule-based attacks, 202

shoulder surfing, 201, 429

web servers, 245

Windows systems, 184–189, 203, 207

password guessing, 202

Password Policy, 23

passwords, 199–204

attacks. See password cracking

changing, 447

community string, 124

complexity, 188, 201

considerations, 141–142, 200, 448–449

cracking. See password cracking

death of, 446

default, 13, 26, 201, 208

forgotten, 257–258

hash values, 185–187

hashed, 185–189, 395–396

keyboard walks, 201

length, 188, 201

Linux systems, 194, 195, 196–197

obtaining by asking for, 427

sniffing, 141–142, 201–208

stored in cookies, 254

strength, 200

tips for, 186

Windows systems, 184–189, 204, 207

patches, 13, 211, 261

payload, 15

Payment Card Industry Data Security Standard (PCI-DSS), 35, 335

PayPal, 369

PCI-DSS (Payment Card Industry Data Security Standard), 35, 335

PDQ Deploy, 211

PDU (protocol data unit), 7, 84

peer-to-peer attacks, 367

pen testers, 28, 29, 30, 31, 32, 161. See also hackers

pen testing. See also hacking

assessment, 32

black-box testing, 32

conclusion, 32

considerations, 30, 31–32

gray-box testing, 33

vs. hacking, 53

“no harm” clause, 29

overview, 31–33

pen test phases, 32

physical security and, 443

preparation phase, 32

reconnaissance, 28

target of evaluation, 32

types of, 32–33

vulnerabilities, 13–14

white-box testing, 33

penetration testing. See pen testing

permanent attacks, 367

permissive policy, 23

personal identification numbers (PINs), 447

personally identifiable information (PII), 15, 76

Petya, 360

PGPcrack, 417

pharming, 438

Phish Tank Toolbar, 438

phishing

e-mail, 202, 435–438, 439

mobile devices, 307–308

obtaining passwords via, 202

phlashing, 367

PhoneSnoop, 309

phreakers, 24

physical controls, 16

Physical layer, 6, 7

physical security, 443–449

access controls, 445–448

basics, 443–449

biometric identifiers, 445–447

bump key, 449

considerations, 16, 28, 443

described, 443

hacks, 449

IoT devices, 315

locks, 443, 445, 447, 449

mantraps, 447–448

operational measures, 444

pen testing and, 443

physical measures, 444

technical measures, 444

piggybacking, 259, 429

PII (personally identifiable information), 15, 76

ping, 98, 99, 367

ping of death, 367

PING packets, 98

ping sweeps, 98–99, 100, 101

PINs (personal identification numbers), 447

PKI (public key infrastructure), 392, 399–407

PKI system, 399–407

plain text, 386, 387

plain-text attacks, 415

Planning Tool for Resource Integration, Synchronization, and Management (PRISM), 148

Platform as a Service (PaaS), 332

PMK (pair master key), 280

PNZ (production network zone), 11

POC (point of contact), 70–73

point of contact (POC), 70–73

policies, security, 22–23

Polybius, 385

polymorphic viruses, 360

POODLE (Padding Oracle On Downgraded Legacy Encryption), 411, 413–414

POP3 (Post Office Protocol 3), 142

pop-up windows, 437, 438–439

port address translation, 166

port numbers, 63, 88–91, 354–355

port sweeping, 107

Portable Penetrator, 288

ports

closed, 104

dynamic, 89

important port numbers, 89

listening for, 90

mirroring, 150

open, 96

registered, 89

scanning, 101–111

security, 151, 155

span, 150

states, 90–91

TCP/IP, 356

UDP, 356

well-known, 89, 90

POST method, 240

Post Office Protocol 3 (POP3), 142

power issues, 444

Presentation layer, 6, 7

Pretty Good Privacy (PGP), 411

Pretty Park worm, 361

preventive controls, 16

PRISM (Planning Tool for Resource Integration, Synchronization, and Management), 148

privacy issues

health information, 35

IoT, 314

laws/standards, 33

Samsung smart TV, 212–213

U.S. government, 396–397

private cloud model, 333

private keys

asymmetric encryption, 391–392

considerations, 399, 412, 413

described, 399

digital signatures and, 406–407

PKI and, 399–401, 407

private zone, 166

privileges

administrator, 209–210

escalation of, 29, 33, 208–210

root, 209–210

procedures, 23

Process Explorer, 356

processors, 230, 374

production network zone (PNZ), 11

promiscuous mode, 139

promiscuous policy, 23

protection rings, 217

protocol data unit (PDU), 7, 84

proxies, 96, 113

proxy chains, 113

prudent policy, 23

pseudonymous footprinting, 49

pseudorandom number, 86

PSH flag, 86

Psiphon, 115

public cloud model, 333

public key infrastructure. See PKI

public keys

asymmetric algorithms, 392

asymmetric encryption, 391–392

considerations, 399–400, 402

described, 399

digital signatures and, 406–407

PKI and, 399–402, 407

public zone, 166

PUT method, 240

“pwning,” 245

Q

QoS (quality of service), 142

quality of service (QoS), 142

Qualys, 14

R

RADIUS servers, 276, 279

rainbow tables, 207, 396

ransomware, 358–360

RAs (registration authorities), 400, 402

RC (Rivest Cipher), 390

RC4, 414

RC4 algorithm, 278

Ready Player One, 59

reconnaissance, 47–82

described, 28

vs. footprinting, 48

passive footprinting, 50–52

search engines, 53–60

regedit.exe, 192

regedt32.exe, 192

regional Internet registries (RIRs), 68

registration authorities (RAs), 400, 402

registry, 189–192, 214

registry hacking, 190–192

registry information, 72

regulatory efforts, 335

Remote Exec, 211

replay attacks, 205, 416

Requests For Comments (RFCs), 228

Réseaux IP Européens (RIPE) NCC, 68

resource identifiers (RIDs), 118, 119

Responder, 203

Retina CS, 14, 115

reverse engineering, 301

reverse social engineering, 430

RFCs (Requests For Comments), 228

RFID features, 447

RFID identity theft, 429–430

RFID skimming, 429–430

RIDs (resource identifiers), 118, 119

RIoT Vulnerability Scanner, 318

RIPE (Réseaux IP Européens) NCC, 68

RIPEMD-160 hash, 395

RIRs (regional Internet registries), 68

risk. See also vulnerabilities

assessment, 13

considerations, 25, 28, 31

management, 15–16

quantifying dangers of, 12–13

risk analysis matrix, 15–16

Ritz, David, 62

Rivest Cipher (RC), 390

Rivest, Ronald, 394

roaming, 274

robots.txt file, 233, 234

rogue access points, 274, 283, 284–285

Rogue Security, 437

rolling code attack, 316

root CAs, 402, 406

root privileges, 209–210

rooting, 303, 305

rootkits, 216–218

Rosenworcel, Jessica, 279

routers, 1–2, 10

rpcclient tool, 119

rpcinfo tool, 119

RSA algorithm, 392, 410

RST flag, 86

R-U-Dead-Yet (RUDY), 368

RUDY (R-U-Dead-Yet), 368

rule-based attacks, 202

S

SaaS (Software as a Service), 333

Salesforce, 330

salt, 186, 396

SAM database, 119

SAM (Security Accounts Manager) file, 184–187, 188

Sarbanes-Oxley (SOX) Act, 35

scalar objects, 123

scanning, 84–117

considerations, 99–101

described, 84

evasion, 111–115

examples of, 28

vs. footprinting, 84

fundamentals, 96–117

identifying targets, 97–101

naming conventions, 102

other tools, 109–111

port, 101–111

stealth attacks, 211–212, 216

tools for, 101–111, 309

ZenMap, 98

scanning methodology, 96–117

SCAP (Security Content Automation Protocol), 13

Scientology website attacks, 367

ScoopLM, 205, 206

screened subnet, 166

script kiddies, 24, 26

search engines, 53–60

footprinting and, 53–60

Google hacking, 55–60

listed, 53

mapping/location tools, 53

overview, 53

Shodan, 77, 317–318

SEC Info, 51

Secure Shell (SSH), 410

Secure Sockets Layer. See SSL

Secure/Multipurpose Internet Mail Extensions (S/MIME), 411

security

applications, 229–231

auditing, 23

basics, 14–23

cloud, 335–339

considerations, 415

fundamentals, 2–23

laws/standards, 33–38

Linux systems, 193–197

mobile. See mobile computing

patches, 13, 211, 261

physical. See physical security

port, 151, 155

Windows systems, 184–193

wireless networks, 276–280

Security Accounts Manager. See SAM

security analysts, 25

Security Center, 115–116

Security Content Automation Protocol (SCAP), 13

security context, 118

security controls, 13, 16, 31–32

Security Focus, 12

Security, Functionality, and Usability triangle, 14, 26

security identifiers (SIDs), 118, 119

security incident and event management (SIEM), 29

security logs, 215

Security Magazine, 12

Security Operation Center (SOC), 29

security policies, 22–23

security zones, 10–12

SEF (Social Engineering Framework), 76

segments, 6, 84

semagrams, 214

sequence attacks, 370–371

sequence numbers (SNs), 370–371

serial number, zone file, 66

servers

Apache, 235, 236–237

application, 235

authoritative, 64

DNS, 62–72, 284

e-mail, 71

Google, 414

HTTPS, 415

IIS, 235–236, 237, 238

Linux, 193

name, 63–66, 68, 72

name resolvers, 64

NgineX, 236

NTP, 124

RADIUS, 276, 279

sinkhole, 359

SOA, 71

unpatched, 13

web. See web servers

Service Oriented Architecture. See SOA

service set identifier (SSID), 276

session fixation attack, 253

session hijacking, 369–374

session IDs, 253

Session layer, 6, 7

session management, 229

session riding, 342

session splicing, 168

SHA-1 algorithm, 394, 395

SHA-2 algorithm, 394, 395

SHA-3 algorithm, 395

shadow files, 194, 195–196

shadow IT, 339

Shadowsocks, 114

Shared Key Authentication, 276

sheepdip system, 364

shell injection, 249

shell viruses, 360

ShellShock, 247

Shodan, 77, 317–318

shoulder surfing, 201, 429

shredders, 428

shrink-wrap code attacks, 26

side-channel attacks, 342, 416

SIDs (security identifiers), 118, 119

SIEM (security incident and event management), 29

signature files, 363–364

signature list, 159

sign-in seal, 438

SIGVERIF log file, 357

SIGVERIF tool, 356, 357

Simple Mail Transfer Protocol (SMTP), 124, 125, 141

Simple Network Management Protocol. See SNMP

Simple Object Access Protocol (SOAP), 250

single authority system, 402

single loss expectancy (SLE), 17

sinkhole server, 359

Sirefef rootkit, 217

Sisyphean activities, 245–246

Sisyphus, King, 245–246

SiteDigger tool, 57

Skyhook tool, 284

Slammer worm, 361

SLE (single loss expectancy), 17

Slowloris tool, 368

SMAC tool, 287

smart watches, 310, 312

smartcards, 447

smartphones. See also mobile devices

Android. See Android phones

attack methodologies, 299

Blackberry phones, 303, 309

considerations, 298

iPhone. See iPhones

vulnerabilities/risks, 299, 307

wireless hacking and, 272, 281

“smashing the stack,” 251–253

SMB exploit, 358–359, 360

SMB vulnerability, 359

S/MIME (Secure/Multipurpose Internet Mail Extensions), 411

Smith, Zachary, 331

SMS messages, 442

SMS phishing, 307–308

SMTP (Simple Mail Transfer Protocol), 124, 125, 141

SMTP commands, 125

Smurf attacks, 367

sniffers

Cain and Abel tool, 153, 205, 288

Ettercap, 159, 205–206, 372

IoT traffic, 320

promiscuous mode, 139

tcpdump tool, 158–159

Wireshark, 156–159

sniffing, 138–159

active, 150–153

ARP poisoning, 152–153

basics, 138–151

collision domains, 139–141, 150

described, 138

firewalls, 165–167

IPv6 and, 143–145

MAC flooding, 151–152

network devices and, 138–141

network interface cards and, 138–139

passive, 150, 151, 159

passwords, 141–142, 201–208

protocols, 141–147

techniques, 151–155

tools, 156–159

viewing ARP entries, 144–145

wireless, 289–290

wiretapping, 148–149

SNMP (Simple Network Management Protocol), 123–124, 141–142

SNMP enumeration, 123–124

SNMPScanner, 124

Snort IDS, 161–165

Snowden, Edward, 397

SNs (sequence numbers), 370–371

SNScan, 124

SOA (Service Oriented Architecture), 341

SOA records, 66

SOA server, 71

SOAP (Simple Object Access Protocol), 250

SOAP injection, 250

SOC (Security Operation Center), 29

social engineering, 426–443

authority support, 429

computer-based attacks, 434–441

defined, 426

described, 52

disgruntled employees, 55, 432–434

dumpster diving, 201, 428

as footprinting tool, 51, 52

“halo effect,” 430

human-based attacks, 427–434

identity theft, 429–430, 440–441

impersonation, 428–429

insider threats, 432–434

mobile devices, 307–308

mobile-based attacks, 441–443

obtaining passwords, 201, 426–427

overview, 426–427

phases of, 427

phishing e-mail/attacks, 435–438, 439

piggybacking, 429

preventing, 439–441

real world, 431–432

reverse, 430

shoulder surfing, 201, 429

social networking and, 434

tailgating, 429

technical support, 428–429, 430

training users on, 439

whaling, 438

why it works, 427

Social Engineering Framework (SEF), 76

social networking, 434

social networking sites, 52, 55

social skills, 58–59

SOCKS5 protocol, 114

Softerra, 124

Software as a Service (SaaS), 333

Sony PlayStation network attacks, 368

source host, 66

source routing, 112

SOX (Sarbanes-Oxley) Act, 35

span ports, 150

sparse infector viruses, 361

spear phishing, 438

Spectre attacks, 373–374

spectrum analyzer, 274

spiders, 54, 76

spimming, 438

spoof attacks, 366

Spoofcard, 70

spoofing

considerations, 70

IP addresses, 112

IRDP, 155

MAC addresses, 152, 154–155, 287

overview, 154

spyware, 202

SQL (Structured Query Language), 255–256

SQL injection, 254–259

SQL Slammer worm, 361

SQLBrute, 259

sqlmap scanner, 259

sqlninja scanner, 259

“squirreling,” 331–332

SSH (Secure Shell), 410

SSID (service set identifier), 276

SSID cloaking, 276

SSL (Secure Sockets Layer), 205–206, 410, 411, 414, 415

SSL sites, 205–206

sslsniff tool, 206

SSLv2, 414–415

stack, 251

StackGuard, 251

Stagefright bugs, 308

standards, 21, 23, 33–36

Start of Authority record. See SOA

state-sponsored hackers, 26

Static Application Security Testing (SAST), 230

static electricity, 444

stealth attacks, 211–212, 216

stealth scan, 102, 105

stealth viruses, 361

steganography, 214, 386, 398–399

Steinberg, Joseph, 412

stream ciphers, 386, 388

Structured Query Language. See SQL

Stuxnet code, 362–363

subnet mask, 92

subnetting, 92–96

substitution, 387

suicide hackers, 25

Super Bluetooth Hack, 309

SuperScan, 109, 111, 123

switch port stealing, 152

switched networks, 84

switches, 141, 150, 151, 152, 155

Sybil attack, 316

Symantec Drive Encryption, 408

symmetric encryption, 389–390

SYN (Synchronize segment), 9

SYN attacks, 367

SYN flag, 86, 87, 102

SYN floods, 367

SYN packets, 367

SYN scan, 102

SYN segments, 168

SYN, SYN/ACK, ACK handshake, 10

SYN/ACK packets, 367

SYN/ACK segment, 9, 10

Synchronize segment. See SYN

Syrian Electronic Army, 370

system administrators. See administrators

system attacks, 183–225. See also attacks

checking for live systems, 96

considerations, 198

covering/clearing tracks, 29, 198, 199, 215–216

enumeration. See enumeration

executing applications, 210–211

gaining access, 28, 197–198

getting started, 184–199

maintaining access, 29, 197, 198, 199

methodology, 197–199

password cracking, 201–208

phases, 27–30, 197–199

privilege escalation, 29, 33, 208–210

reconnaissance. See reconnaissance

scanning. See scanning

stealth attacks, 211–212, 216

system logs, 215

system viruses, 360

systems

“bricking,” 367

causing permanent damage to, 367

“live,” 96

T

tabular objects, 123

tailgating, 429

Tails OS, 115

target of evaluation (TOE), 32

Task Manager, 356

TCG (Trusted Computing Group), 337

TCP (Transmission Control Protocol), 10, 85, 142

TCP communication, 370–372

TCP connect scan, 101, 105

TCP flags, 86–88, 102

TCP packets, 371

TCP segment structure, 86

TCP session hacking, 370–371

TCP state-exhaustion attacks, 367

TCP streams, 156

tcpdump tool, 158–159

TCP/IP networks, 5, 7–12, 84–88

TCP/IP ports, 356

TCP/IP stack, 7, 8

tcptrace tool, 159

TCSEC (Trusted Computer System Evaluation Criteria), 21–22

teardrop attacks, 367

technical controls, 16

technical support social engineering, 428–429, 430

technorati, 364

Telnet, 120–121, 156–157, 320

temperature, 444

Temporal Key Integrity Protocol (TKIP), 278, 279

terminology, 15, 24–30

TGS (ticket granting service), 187, 188

TGT (ticket granting ticket), 187, 188

THC Hydra, 208, 245

The Onion Routing (TOR), 113

thermostats, 311

Thingful tool, 318

Threat Analyzer, 363

threat modeling, 15

threats, 16

three-factor authentication, 200

three-way handshake, 10, 86, 87, 372

ticket granting service (TGS), 187, 188

ticket granting ticket (TGT), 187, 188

tiger team, 31

time to live (TTL), 66

TKIP (Temporal Key Integrity Protocol), 278, 279

TLS (Transport Layer Security), 410, 413, 415

TMAC tool, 287

TOE (target of evaluation), 32

tokens, 446, 447

Toolset, 124

TOR (The Onion Routing), 113

TRACE method, 240

traceroute tools, 72–75, 168

tracert tool, 72–75

Transmission Control Protocol. See TCP

Transport layer, 6, 7, 142

Transport Layer Security (TLS), 410, 413, 415

transport mode, 373–374

transposition, 387

trash intelligence, 428

Trend Micro, 12

Tribe Flood Network, 368

Trinity tool, 368

Tripwire, 356–357

Trojans, 352–357

vs. backdoors, 352

command shell, 353

considerations, 202, 353–354, 363

countermeasures, 356–357

described, 352

EliteWrap, 351

mobile devices, 308

monitoring services/processes, 356

port numbers, 354–355

tools for, 355–357

types of, 353–355

Windows systems, 356–357

trust model, 402

trust systems, 402

Trusted Computer System Evaluation Criteria (TCSEC), 21–22

trusted computing, 337

Trusted Computing Group (TCG), 337

Truth in Caller ID Act, 70

T-sight tool, 372

TTL (time to live), 66

tunnel mode, 373

tunneling viruses, 361

Twitter, 55, 306, 434

two-factor authentication, 200

Twofish encryption, 390

U

UBA (User Behavior Analytics), 17

Ubiquiti cards, 282

Ubuntu, 100

UDP (User Datagram Protocol), 10, 85, 142

UDP ports, 104, 356

UDP scan, 104

Ufasoft, 153

UIDs (user IDs), 119

unicast, 146, 147, 151

Unicode, 168, 243

unidirectional antenna, 275

Uniform Resource Identifier (URI), 238

Uniform Resource Locator. See URL

UPX tool, 363

URG flag, 86

URI (Uniform Resource Identifier), 238

URL (Uniform Resource Locator), 238, 248, 252

URL tampering, 242

U.S. Government, 362, 394, 396–397, 417

usability, 14, 415

USB, bootable, 408

USB wireless adapter, 282

User Behavior Analytics (UBA), 17

User Datagram Protocol. See UDP

user IDs (UIDs), 119

Userland exploit, 304

V

V2V (vehicle-to-vehicle) data exchange, 312

VA (validation authority), 400, 406

validation authority (VA), 400, 406

VANET (Vehicle Ad Hoc Network), 312

Vehicle Ad Hoc Network (VANET), 312

vehicles, 312, 316, 331

vehicle-to-vehicle (V2V) data exchange, 312

virtual machines (VMs), 330, 332

VirtualBox, 100

virtualization, 330

virus hoax, 358

virus making software, 361

viruses, 357–361, 363. See also AV

VirusTotal, 363

Visual Trace tool, 74

VMs (virtual machines), 330, 332

voice recognition, 212

volumetric attacks, 366

vulnerabilities

categories of, 13

considerations, 13

insider threats, 432–434

IoT, 298, 313–316

mobile devices, 299–305

overview, 12–14

quantifying danger/risk of, 12–13

resources/tools, 12–14

scanning for, 96

web applications, 229–232

web servers, 229–232, 238–241

vulnerability scanning, 115–117

IoT, 318–320

overview, 115

tools for, 115–116, 128

web servers, 233–235

W

W3C (World Wide Web Consortium), 228–229

W3Techs, 235

Walker, Angie, 340

Walker, Hope, 340, 431–432

Wall Street Monitor, 51

WAN Killer, 86

WannaCry attack, 358–359, 360

war chalking, 276

war driving, 281

war walking, 281

watches, smart, 310, 312

waveforms, 273

Wayback Machine, 61

“wearables,” 310

Web 2.0, 248, 330

web applications

architecture, 248

attack surface, 248

attacks on, 247–261

considerations, 248

entry points, 248

injection attacks, 229, 249–250

risks/vulnerabilities, 229–232

server-side issues, 248, 254

SQL injection, 254–259

testing, 259

types of attacks, 249–259

web cache poisoning, 244

web defacement attacks, 245

web front end servers, 235

web mirroring, 60

web of trust, 402

web organizations, 228–233

web servers, 228–247. See also servers

Apache, 235, 236–237

architecture, 235–241

attack methodology, 233–235

attacks on, 233–235, 241–247

directory traversal, 241–243

footprinting, 233–234

parameter tampering, 242

password cracking, 245

protecting, 261

risks/vulnerabilities, 229–232, 238–241

types of attacks, 241–247

types of servers, 235

web spiders, 54, 76, 233

web-based hacking, 227–269

web applications, 247–261

web servers, 233–235, 241–247

webcrawlers, 54

WebGoat project, 231–232

website footprinting, 60–61

Website Watcher, 61

websites

company, 51–52

competitive intelligence on, 51–52, 76–77

cookies, 60, 205, 253–254

defacement attacks, 245

dynamic web pages, 248

fake, 284

increase in attacks, 260

mirroring, 60, 234, 248

scanning targets, 50

traffic statistics, 51

Wayback Machine, 61

WeFi tool, 284

WEP (Wired Equivalent Privacy), 277–278, 280

WEP attacks, 287–289

WEP cracking, 287–289

WEP keys, 277, 278

WEPAttack, 288

WEPCrack, 288

WFETCH tool, 244

whaling, 438

white hats, 25

white-box testing, 33

whois tools, 68–70

Wi-Fi connections, 307, 308

WiFi Explorer, 281

Wi-Fi hotspots, 285, 307

WiFi Pilot, 289

Wi-Fi Protected Access. See WPA

WiFiFoFum, 281

WiFinder, 281

WIGLE service, 281, 283

WikiLeaks, 370

WiMAX standard (802.16), 272

WINARPAttacker, 153

Windows 8, 118, 119

Windows 10, 118

Windows root, 193

Windows Server, 117

Windows Service Manager, 356

Windows systems

alternate data stream, 212–214

enumeration, 117–119

hashing passwords, 185–189

vs. Linux systems, 191–192

MMC, 192–193

NTFS file streaming, 212–213

password cracking, 184–189, 207

password recovery tools, 204

registry, 189–192, 214

route tables, 193

security, 184–193

Trojans, 356–357

verifying integrity of, 357–358

Windows XP, 117

WinDump sniffer, 158

Winfingerprint, 123

WinPcap, 139

Wired Equivalent Privacy. See WEP

wireless access points, 274, 278, 281, 284–285

wireless adapters, 282

wireless antennas, 274–276

wireless cards, 282

wireless hacking, 280–290

discovery, 281–284

encryption attacks, 287–289

IoT, 313

MAC spoofing, 287

overview, 271–272

smartphones, 272, 281

sniffing, 289–290

WEP attacks, 287–289

wireless jammers, 285–287

wireless networks, 271–295

802.11 standards, 272–273

access points, 274, 278, 281, 284–285

ad hoc, 273, 274, 285

antennas, 274–276

architecture, 272–277

authentication, 276–277

basic setup, 273–274

basics, 272–277

Bluetooth, 272

considerations, 272

encryption, 277–280, 287–289

finding/discovery, 281–284

Gigabit Wi-Fi, 279

hacking. See wireless hacking

identifying, 276, 281–284

infrastructure mode, 274

modes, 273–274

security, 276–280

service set identifiers, 276

standards, 272–273

WEP. See WEP

WPA, 278–280, 288–289

WPA2, 278–280, 288–289

wireless NICs, 274

Wireless Security Auditor tool, 288

wireless sniffing, 289–290

wireless standards, 272–273

Wireshark sniffer, 100, 124, 156–159, 289

wiretapping, 138, 148–149

World Wide Web Consortium (W3C), 228–229

worms, 357, 361–363

WPA (Wi-Fi Protected Access), 278–280, 288–289

WPA2 Enterprise, 278–279, 280

WPA2 Personal, 279

WPA2 standard, 278–280, 288–289

wrappers, 351

wrapping attacks, 342

X

X.509 standard, 402

XMAS scan, 102, 105, 106

XML (Extensible Markup Language), 108, 239

XML External Entities (XXE), 230

XML processors, 230

XOR ciphers, 389

XOR comparison, 93

XOR (exclusive-or) operation, 278, 388–389

XSS (cross-site scripting), 230, 251–253

XXE (XML External Entities), 230

Y

Yagi antenna, 275

Yahoo!, 370

YouTube, 53, 246

Yubikey token, 446

Z

Zenmap, 98, 100, 105, 108

zero-day attack vector, 15

ZeuS-in-the-Mobile (ZitMo), 442

Zigbee Framework, 320

Zigbee standard (802.16), 272

ZitMo (ZeuS-in-the-Mobile), 442

zombies, 29, 439

zone file, 66

zone transfers, 63, 66, 71

zones, security, 10–12

Z-Wave, 320
