Index
Numbers
1G technology, 410
A
Absinthe, 417
access control, to the cloud, 552
access points, war driving, 130
AckCmd, 238
ACLs (access control lists), 476–477
active fingerprinting, 131–133
active machines, identifying, 115
active vulnerability assessments, 253–254
activity blockers, 248
activity profiling, 312
Acunetix Web Vulnerability Scanner, 360
AD (Active Directory), 154
ad hoc mode, 423
ADMutate, 474
advantages, of cloud computing, 550
AES (Advanced Encryption Standard), 511–512, 514
airmon-ng tool, 430
airodump-ng tool, 431
AirSnare, 447
ALE (annual loss expectancy), calculating, 12
Amitis, 226
analyzing malware, 249
Device Administration API, 414–415
rooting, 416
UID, 415
AndroRAT, 416
anomaly-based analysis, 464–465
anonymizers, 137
AppDetectivePro, 383
appenders, 215
Application layer, 55
application layer (TCP/IP)
DHCP, 61
FTP, 61
blocking, 61
session hijacking, 295
man-in-the-browser attacks, 299
man-in-the-middle attacks, 296
predictable session token ID, 296
session fixation attacks, 299
session replay attacks, 299
SMTP, 62
SNMP, 62
Telnet, 62
application-level attacks, 307–308
application-level gateways, 478
applications
testing, 22
vulnerabilities in, 10
approval process for penetration testing, 27–28
APs (access points), site surveys, 445
ARO (annual rate of occurrence), calculating, 12
ARP (Address Resolution Protocol), 76, 278–279
assessments, defining scope of, 24
assets, 8
EF, 12
asymmetric encryption algorithms, 506, 508–510, 515
Diffie-Hellman, 516
ElGamal, 516
RSA, 516
attack evasion techniques, 472–473
flooding, 470
insertion and evasion, 470
attribute command, 185
Auernheimer, Andrew, 17
basic, 374
certificate-based, 375
forms-based, 375
Kerberos, 175
MD5, 375
passwords, 508
wireless, 446
authentication system testing, 22
automated exploit tools
BeEF, 357
Canvas, 358
Core Impact, 358
Metasploit, 357
automated password guessing, 167
availability, 7
Avatar, 183
Azazel, 183
B
back-ups, performing to reduce risk, 10–11
backdoors, 52
in-band SQL injection, 389
bandwidth, limiting, 313
BangleDoS, 311
Base64, 535
basic authentication, 374
bastion hosts, 479
BeEF (Browser Exploitation Framework), 357
BetterCAP, 281
Bing Maps, 93
BinText, 250
biometrics, characteristics of, 166–167
BIOS infections, 214
BitLocker, 531
black hat hackers, motivations, 16
black hole filtering, 313
black holes, 493
Blackberry, 418
BlackHole Rat, 225
BLE (Bluetooth Low Energy), 558
blind SQL injection, 389
block ciphers, 512
BlueBug, 421
BlueScanner, 421
Bluesnarfing, 421
Bluesniff, 421
Bluetooth
classifications of, 419
Bluetooth Smart, 558
bogons, 476
bogus flag probes, 131
Booleans, using in SQL injection attacks, 394
crimeware kits, 562
fast-flux, 561
installation, 563
well-known, 562
broadcast MAC addresses, 75
Brown, Justin, Google Hacking for Penetration Testers, 101
cookies, 377
Bryant, Darla, 487
BTCrack, 419
bump attacks, 413
Burneye, 228
BYOD (bring your own device), 406, 414
bypassing
switches
C
C language, vulnerabilities to buffer overflow, 172, 373–374
CA (Certificate authority), 526
Caffrey, Aaron, 225
Cain and Abel, 281
calculating, SLE, 12
Canvas, 358
CartoReso, 137
CBC (Cipher Block Chaining mode), 512
cell phones. See also mobile devices
cloning, 410
technologies, 411
vulnerabilities, 410
cell tower “spoofing”, 413–414
CER (crossover error rate), 166
certificate-based authentication, 375
certifications, 26
CFAA (Computer Fraud and Abuse Act), 17
CFB (Cipher Feedback mode), 513
change point detection, 312
China, social credit system, 93
chosen cipher-text attacks, 532
chosen plain-text attacks, 532
Chrootkit, 184
CIA (confidentiality, integrity, and availability), 7
availability, 7
CIPA (Children’s Internet Protection Act), 33
cipher text, 508
cipher-text only attacks, 532
circuit-level gateways, 478
Citadel, 562
clickjacking, 372
client-side attacks, 296
cloning, 410
cloud computing, 550. See also IoT (Internet of Things)
access control, 552
advantages of using, 550
audits, 552
breaches, 553
characteristics of, 550
data classification used by provider, 553
disaster recovery/business continuity plan of provider, 553
and encryption, 553
and fog computing, 556
IaaS, 551
IoT, 556
long-term viability of the provider, 553
PaaS, 551
regulatory requirements, 552
SaaS, 551
security, 555
separation of data, 553
SLA terms, 553
training of provider employees, 552
cluster viruses, 214
Code Red virus, 218
commands
attribute, 185
enable secret, 104
enum4linux, 161
finger, 161
Linux, 179
nbstat, 159
netstat, 244
decoy switch, 125
ntpdate, 162
ntpdc, 162
ntpq, 162
ntptrace, 162
passwd encryption, 489
rcpclient, 161
rpinfo, 161
showmount, 161
comments in source code, 351
common ports and protocols, 117
communication system testing, 22
community cloud, 550
compliance
Computer Fraud and Abuse Act, 32
Conficker worm, 218
Cookie Cadger, 301
cookie manipulation attacks, 348–349
cookies, 377
Core Impact, 358
countermeasures
for malware, 243
crimeware kits, 562
CRL (Certificate revocation list), 526
Cross-Site Request Forgery attacks, 554
cryptographic attacks, 531–532
algorithms, 509
asymmetric encryption algorithms, 508–510, 515
Diffie-Hellman, 516
ElGamal, 516
RSA, 516
cipher text, 508
encryption, 508
history of
Navajo code talkers, 509
integrity, 507
plain text, 508
Scytale, 507
substitution cipher, 508
symmetric encryption algorithms, 508–511
AES, 514
Rivest Cipher, 514
CryptoTool, 536
CSMA/CD (carrier sense multiple access with collision detection), 424
CSRF (cross-site request forgery) attacks, 371–372
CurrPorts, 244
CVSS (Common Vulnerability Scoring System), 255–259
Cyber Security Enhancement Act, 32
cyberattacks, 9
cyberterrorists, 19
Cydia, 417
CypherX Crypter, 230
D
DAI (Dynamic ARP Inspection), 290
Dark Reading, website, 29
data exfiltration, 412
data hiding Trojans, 221
sniffing, 276
databases. See also SQL (Structured Query Language)
testing, 22
datagrams, fragmentation, 68–69
overlapping fragmentation attacks, 70
DDoS (distributed denial of service) attacks, 19, 309–310, 343. See also DoS (denial of service) attacks
deauthentication attacks, 429–430, 432–433
decoy switch, 125
default ports and services, 134
Dendroid, 416
deny all concept, 50
DES (Data Encryption Standard), 511–513
detecting
honeypots, 493
malware, 249
sniffers, 291
determining the network range, 112–113
Device Administration API, 414–415
DHCP (Dynamic Host Configuration Protocol), 61
differential backups, 11
Diffie-Hellman, 516
digital signatures, 518
S/MIME, 529
digital watermark, 524
disabling
unneeded services, 359
disclosure of confidential information, 9
disgruntled employees, 18
distributed intelligence, 556
fog computing, 556
distributing malware
droppers, 229
packers, 229
wrappers, 228
DMZ (demilitarized zone), 479
DNS (Domain Name System), 62–63, 278
amplification attacks, 344
cache poisoning, 285
enumeration, 163
record types, 109
spoofing attacks, 285
structure of, 108
DNSSEC (DNS Security Extensions), 290
DNSSEC (Domain Name System Security Extensions), 63
domain names, registrar query, 104–107
domain proxies, 107
DOM-based XSS attacks, 367–368
DoS (denial of service) attacks, 7, 9, 19, 343
peer-to-peer, 307
permanent, 309
smurf, 307
SYN flood, 306
testing, 21
DroidSheep, 416
droppers, 229
DSSS (Direct-sequence spread spectrum), 425
due diligence, as reason for penetration testing, 25
dumpster diving, 164
dynamic ports, 60
E
eavesdropping, 410
e-banking Trojans, 221
ECB (Electronic Code Book mode), 512
ECC (Elliptic Curve Cryptography), 516–517
Economic Espionage Act, 33
EF (exposure factor), 12
EFS (Encrypted File System), 531
Electronic Communication Privacy Act, 32
ElGamal, 516
email servers, gathering information about, 93
employee and people searches, 95–98
websites, 95
enable secret command, 104
encoded binary IP addresses, 486–487
encrypted passwords, 104
encryption, 506, 508. See also cryptography
asymmetric encryption algorithms
Diffie-Hellman, 516
ElGamal, 516
RSA, 516
in the cloud, 553
cracking tools, 536
digital signatures, 518
digital watermark, 524
successful cracks, 533
symmetric encryption algorithms
AES, 514
Rivest Cipher, 514
weak
Base64, 535
Uuencode, 535
enum4linux command, 161
DNS, 163
Linux/UNIX, 161
NetBIOS, 155
Hyena, 158
NTP, 162
SMTP, 162
SNMP, 160
Windows, 152
error checking, 171
error handling, improper, 352
escalation of privilege, 51
establishing, security testing goals, 26–27
Andrew Auernheimer, 17
process, 52
scope of assessment, defining, 24
securing an organization, 52–53
testing
Evan’s Debugger, 250
evil twin attacks, 429
Exploit Database, website, 29, 49–50
of C language, 172
of Java, 172
StickyKeys, 171
external penetration testing, 21
external vulnerability assessments, 254
F
Facebook, 98
FaceNiff, 416
FakeToken, 416
Fall, Kevin, TCP/IP Illustrated, Volume 1: The Protocols, Second Edition, 69
false negatives, 462
FAR (false acceptance rate), 166
fast-flux botnets, 561
Federal Information Security Management Act, 32
18 USC 1029, 411
Electronic Communication Privacy Act, 32
Federal Sentencing Guidelines, 33
FHSS (Frequency-hopping spread spectrum), 425
file infections, 214
final preparation
suggested review and study plans, 574–575
financial information, gathering, 98–99
finding open ports and access points
Hping, 129
NSE, 125
port knocking, 129
SuperScan, 128
war driving, 130
finger command, 161
fingerprinting services, default ports and services, 134
Firesheep, 301
application-level gateways, 478
circuit-level gateways, 478
using Netcat to tunnel out through, 489–490
vulnerabilities, 479–480, 485–486
FISMA (Federal Information Security Management Act), 32
flag probes, 131
flags, TCP, 65
Flawfinder, 382
flooding, 470
FOCA, 102
fog computing, 556
footprinting and scanning, 48–49, 86, 90
determining the network range, 112–113
finding open ports and access points
Hping, 129
port knocking, 129
SuperScan, 128
war driving, 130
identifying active machines, 115
information gathering
documentation, 91
employee and people searches, 95–98
location information, 93
organization’s website information, 91–93
mapping the network attack surface
manual mapping, 136
OS fingerprinting, 130
active fingerprinting, 131–133
passive fingerprinting, 130–131
common ports and protocols, 117
form grabber, 562
forms-based authentication, 375
FPipe, 240
FQDNs (fully qualified domain names), 62
overlapping fragmentation attacks, 70
fraud
federal laws relating to, 31–33
sections of the U.S. Code relating to, 30–31
freeware, 224
FRR (false rejection rate), 166
FTP (File Transfer Protocol), 60–61
Trojans, 221
FTP bounce scans, 123
full backups, 11
Full Connect scans, 119
full-knowledge testing, 14
fuzzing, 383
G
Gardner, Bill, Google Hacking for Penetration Testers, 101
GDPR (General Data Protection Regulation), 24–25, 33
GFI LanGuard, 361
GHDB (Google Hacking Database), 101–102
Ghost Rat Trojan, 226
Gilmore, John, 533
GLBA (Gramm-Leach-Bliley Act), 24–25, 33
global threat correlation capabilities, 465
goals
of security, 7
Google Earth, 93
Google hacking
search terms, 99
social security numbers, 100–103
GPS mapping, 443
gray box testing, 14
gray hat hackers, motivations, 17
GrayFish, 183
Green, Julian, 225
H
hacker attacks, 9
HackerStorm, website, 29
HackerWatch, website, 29
hacking, 16
black hat, motivations, 16
cyberterrorists, 19
disgruntled employees, 18
escalation of privilege, 51
ethical hackers, process, 52
gray hat, motivations, 17
maintaining access, 51
methodology of, 17
phreakers, 18
scanning and enumeration, 49–50
script kiddies, 18
social engineering, 49
suicide, motivations, 17
system, 19
and usability, 6
white hat, motivations, 16
Hacking Web Applications (The Art of Hacking Series) LiveLessons, 573–574
Hamster, 301
hard-coded credentials, 352
hardening web servers, 358
hardware, in DDoS attacks, 310
hardware keyloggers, 241
Hashcat, 536
Heartbleed, 530
heuristic scanning, 247
heuristic-based analysis, 463
hiding files and covering tracks, 185–186
hierarchical database management system, 384
high-interaction honeypots, 492
hijacking
application layer, 295
client-side attacks, 296
man-in-the-browser attacks, 299
man-in-the-middle attacks, 296
predictable session token ID, 296
session fixation attacks, 299
session replay attacks, 299
Hikit, 226
HIPAA (Health Insurance Portability and Accountability Act), 24–25, 33
history
of cryptography
Navajo code talkers, 509
HOIC, 311
detecting, 493
Horse Pill, 183
HTML (HyperText Markup Language), analyzing, 341
HTTP (HyperText Transfer Protocol), 60, 328–330
clients, 328
cookies, 377
proxies, 335
response splitting, 348
status code messages, 332
tunneling, 485
Hunt, 301
hybrid cloud, 550
Hyena, 158
I
IaaS (Infrastructure as a Service), 551
IANA (Internet Assigned Numbers Authority), 104–105
IBM AppScan, 361
ICANN (Internet Corporation for Assigned Names and Numbers), 104–105
IceSword, 244
ICMP (Internet Control Message Protocol), 57, 66
embedded payloads, 234
source routing, 72
Type 3 codes, 71
types and codes, 70
ICMPSend, 238
IDA Pro, 250
identifying
active machines, 115
IDP (intrusion detection prevention), 474
IDS (intrusion detection systems), 49–50, 312, 458
anomaly-based analysis, 464–465
attack evasion techniques, 472–473
flooding, 470
insertion and evasion, 470
components, 458
false negatives, 462
heuristic-based analysis, 463
NIDS, 463
protocol analysis, 463
protocol decoding, 462
keywords, 467
stateful pattern-matching recognition, 461
true/false matrix, 459
ImageHide, 521
improper error handling, 352
incident response plans, 15–16
incremental backups, 11
inference-based vulnerability assessments, 255
information gathering, 21
record types, 109
documentation, 91
employee and people searches, 95–98
websites, 95
Google hacking
GHDB, 101
search terms, 101
organization’s website information, 91–93
insertion and evasion, 470
inSSIDer, 443
installing
botnets, 563
INSTEON, 559
integrity checking, 247
intercepting web traffic, 380–381
internal penetration testing, 21
internal vulnerability assessments, 254
Internet layer
bypassing firewalls, 484
ICMP
embedded payloads, 234
source routing, 72
Type 3 codes, 71
types and codes, 70
iOS, 417
jailbreaking applications, 417
IoT (Internet of Things), 556
distributed intelligence, 556
hacking tools, 560
IP (Internet Protocol), 66
IP forwarding, 280
IPID closed port, 122
IPID open port, 121
IPS (intrustion prevention systems), 458
anomaly-based analysis, 465
global threat correlation capabilities, 465
IPsec, 531
ISECOM (Institute for Security and Open Methodologies), OSSTMM, 23–24
ISN sampling, 131
ISO/IEC 27001:2013, 33
J
Jacobson, Van, 72
JAD (Java Application Descriptor) files, 418
jamming wireless signals, 433
Java, exploits, 172
job boards, gathering information from, 93–94
John the Ripper, 177, 180–181, 536
Jumper, 226
K
Kali Linux, 573
Kalman, Steve, Web Security Field Guide, 315
KARMA attacks, 441
KerbCrack, 168
KeyGhost Ltd, 169
hardware, 241
software, 241
Kimset, 447
known plain-text attacks, 532
Kocher, Paul, 533
KoreK, 427
L
LaBrea Tarpit, 493
LAN Turtle, 529
launching wireless attacks, 444
PCI-DSS, 34
sections of the U.S. Code relating to fraud, 30–31
legality of port scanning, 123
Let Me Rule, 226
Linux
commands, 179
enumeration, 161
hiding files and covering tracks, 181–182
nmap, 124
ping, 115
traceroute, 72
Whois, 105
LLC (logical link control) layer, 56–57
LLMNR (Link-Local Multicast Name Resolution) protocol, 163
load balancing, 312
location information, gathering, 93
location-based services, 412–413
logging, 379
LOIC, 311
Loki, 237
Long, Johnny, Google Hacking for Penetration Testers, 101
LoRaWAN (Long Range Wide Area Network), 559
LoriotPro, 114
LoWPAN (IPv6 over Low Power Wireless Personal Area Networks), 559
LRWPAN (Low Rate Wireless Personal Area Networks), 559
LSASS (Local Security Authority Server Service), 155
M
MAC (media access control) addresses, 75
MAC (media access control) layer, 56–57
macro infections, 214
maintaining access, 51
malware, 9
analyzing, 249
countermeasures, 243
distributing
droppers, 229
packers, 229
wrappers, 228
on mobile devices, 412
Android, 416
WannaCry, 231
spyware, 242
Trojans, 220
covert communication, 232
ports and communication methods, 221–222
viruses, 213
infection routine, 215
search routine, 215
worms, 213
man-in-the-browser attacks, 299
man-in-the-middle attacks, 280, 296, 347, 532
interceptions, 302
KARMA attacks, 441
mapping networks
attack surface
manual mapping, 136
subnetting, 113
master boot record infections, 214
McAfee Rootkit Device, 184
Mendax, 474
Merdinger, Shawn, 103
Metamorfo Banking Trojan, 562
Metasploit, 357
methodology
of hackers, 17
Michael, 427
Microsoft /GS, 382
mirroring, 276. See also spanning
misconfiguration, vulnerabilities in, 10
misconfiguration attacks, 347–348
mitigating, DDoS and DoS attacks, 312–314
mobile devices. See also wireless communication
Android, malware, 416
Blackberry, 418
bump attacks, 413
BYOD, 414
cell tower “spoofing”, 413–414
data exfiltration, 412
eavesdropping, 410
geolocation and location-based services, 412–413
iOS, 417
jailbreaking applications, 417
jailbreaking, 413
malware, 412
Windows Mobile Operating System, 417–418
modes of ethical hackers, 21–23
Mognet, 443
Morphine, 229
MoSucker, 227
motivations, of hackers, 16–17
MTU (maximum transmission unit), datagram fragmentation, 68–69
multicast MAC addresses, 75
multipartite viruses, 214
MyDoom virus, 218
N
NAT (Network Address Translation), 67, 475–476
National Vulnerability Database, website, 29
natural disasters, as security threat, 9
Navajo code talkers, 509
NBS (National Bureau of Standards), 511–512
nbstat command, 159
NDP (Network Discovery Protocol), 67
NeBIOS, enumeration, 155
Necurs, 183
NetBIOS, enumeration
Hyena, 158
NetBus, 226
Netcat, 74
using to tunnel out through a firewall, 489–490
Netsparker, 361
netstat command, 244
NetStumbler, 443
MAC addresses, 75
network evaluations, 15
network gear testing, 21
Network layer, 56
Network Performance Monitor, 160
Nexpose, 260
NIDS (network-based intrusion detection systems), 463
NIDSbench, 474
Night Dragon Operation, 9
Nikto, 383
Nimda worm, 218
NIST (National Institute of Standards and Technology), 511–512
Special Publication 800–115, 53
Special Publication (SP) 800–145, “The NIST Definition of Cloud Computing”, 550
NLog, 137
nmap, 133
decoy switch, 125
nonrepudiation, 507
nontechnical password attacks, 164–165
NRO (National Reconnaissance Office), 98
NSE (Nmap Scripting Engine), 125, 339–340
N-Stalker, 382
NTLM authentication, 175
NTP (Network Time Protocol), enumeration, 162
ntpdate command, 162
ntpdc command, 162
ntpq command, 162
ntptrace command, 162
NULL scans, 119
O
Obad, 416
obfuscated attacks, 378–379, 463–464, 472
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), 53–54
OFB (Output Feedback mode), 513
OFDM (Orthogonal frequency-division multiplexing), 425
OllyDBG, 250
online pwned databases, 164
open services, finding, 134–136
OpenPuff, 522
OpenVAS, 260
operating systems, vulnerabilities in, 10
OS fingerprinting
active fingerprinting, 131–133
finding open services, 134–136
fingerprinting services, default ports and services, 134
passive fingerprinting, 130–131
Winfingerprint, 133
Osborn, Mark, 461
OSI (Open Systems Interconnection) model, 55–57
OSSTMM (Open Source Security Testing Methodology Manual), 23–24, 54
out-of-band SQL injection, 389, 394–395
overlapping fragmentation attacks, 70
owning the box, 173
P
PaaS (Platform as a Service), 551
packers, 229
packets
TCP, 65
UDP, 66
Pandora, 311
parameter/form tampering, 362
partial-knowledge testing, 14
passing the hash, 168
passive fingerprinting, 130–131
passive vulnerability assessments, 253–254
passwd encryption command, 489
password cracking
John the Ripper, 177
RainbowCrack technique, 177–178
types of attacks, 176
web server, 349
patch management, 359
stateful pattern-matching recognition, 461
PCI-DSS (Payment Card Industry Data Security Standard), 33–34
peer-to-peer attacks, 307
due diligence as reason for, 25
external, 21
internal, 21
test phases, establishing goals, 26–27
permanent DoS attacks, 309
PewDiePie printer hack, 11
PGMP (Pretty Good Malware Protection), 230
PGP (Pretty Good Privacy), 529
Phatbot, 226
phreakers, 18
physical layer, 57
physical security testing, 22
PII (personally identifiable information), 7
Ping of Death, 307
PKI (Public Key Infrastructure), 525–526
placement of honeypots, 491–492
plain text, 508
poison apple attacks, 222
policies, developing, 52
Poodlebleed, 533
port knocking, 129
port redirection
FPipe, 240
port scanning
ACK scans, 122
common ports and protocols, 117
FTP bounce scans, 123
Hping, 129
legality of, 123
RPC scans, 123
SuperScan, 128
three-way handshake, 118
window scans, 123
port security, 283
ports, 60–61. See also scanning
blocking, 61
spanning, 276
well-known, 117
Windows, 155
PPTP (Point-to-Point Tunneling Protocol), 531
predictable session token ID, 296
preferred network lists, attacking, 433
PremiumSMS, 416
prependers, 215
Presentation layer, 56
pretexting, 211
preventing, session hijacking, 302–303
principle of least privilege, 61
private cloud, 550
Process Explorer, 252
Process Monitor, 244
Process Viewer, 244
protocol-decoding IDS, 462
protocols
EFS, 531
IPsec, 531
PGP, 529
PPTP, 531
S/MIME, 529
SSH, 530
SSL, 530
proxy trojans, 221
public cloud, 550
PwnageTool, 417
Q
qualitative risk assessment, 12
Qualys, 260
quantitative risk assessment, 12
Queso, 132
R
RA (Registration authority), 526
WannaCry, 231
Rapid7, 260
RATs (remote-access Trojans), 225–227
RATS (Rough Auditing Tool for Security), 382
rcpclient command, 161
Recon Dog, 102
RedSn0w, 417
redundant array of inexpensive disks (RAID, 7
registered ports, 60
Regshot, 244
for cloud computing, 552
PCI-DSS, 34
remote-access Trojans, 220–221
replay attacks, 532
required skills for ethical hackers, 20–21
researching, vulnerabilities, 29
Restorator, 230
Retina CS, 361
Reverse WWW Tunneling Shell, 238
RFID (radio-frequency identification) attacks, 422
RIDs (relative identifiers), 153–154
RIRs (Regional Internet Registries), 104–105
risk, 8. See also risk assessment
backing up data to reduce, 10–11
Rivest Cipher, 514
RMF (Risk Management Framework), 8
robust wireless authentication, 446
Roesch, Martin, 465
rogue access points, installing, 428–429
rooting, 416
RootKitRevealer, 184
RPC (Remote Procedure Call), 161
RPC scans, 123
rpinfo command, 161
RSA (Rivest, Shamir, Adelman), 516
RSA NetWitness, 289
rules, for ethical hackers, 22–23
rusers, 161
rwho, 161
Ryan, Thomas, 98
S
SaaS (Software as a Service), 551
Sage, Robin, 98
SAM (Security Accounts Manager), 154
sandbox, 413
SANS
Reading Room, website, 29
Sarbanes-Oxley (SOX), 33
Sasser worm, 218
heuristic, 463
web servers, 336
scoring systems, for vulnerability assessments, 255–259
script kiddies, 18
Scytale, 507
search terms, Google, 99
security. See also security policies; security testing
assets, 8
CIA triad, 7
availability, 7
confidentiality, 7
integrity, 7
for cloud computing, 555
confidentiality, 7
crackers, 16
exploits, 11
goals of, 7
hackers, 16
cyberterrorists, 19
disgruntled employees, 18
methodology of, 17
phreakers, 18
script kiddies, 18
system hackers/crackers, 19
risk, 8
backing up data to reduce, 10–11
researching, 29
world’s biggest data breaches as of December 2018, 7
Security and Exchange Commission, EDGAR database, 98–99
incident response plans, 15–16
security testing, 13
full-knowledge testing, 14
high-level assessments, 15
network evaluations, 15
partial-knowledge testing, 14
penetration testing, 15
external, 21
internal, 21
physical, 22
resources, 53
Security Tracker, website, 29
SecurityFocus, website, 29
security-software disablers, 221
session hijacking, 56
application layer, 295
client-side attacks, 296
man-in-the-browser attacks, 299
man-in-the-middle attacks, 296
predictable session token ID, 296
session fixation attacks, 299
session replay attacks, 299
Session layer, 56
session replay attacks, 299
sesson riding, 554
Sesson Thief, 301
SET (Social Engineering Toolkit), 204–209
SHA-1, 518
Shellshock, 101
shoulder surfing, 165, 212–213
showmount command, 161
shrinkwrap software, vulnerabilities in, 10
side-channel attacks, 532, 554
SIDs (security identifiers), 153
heuristic-based, 463
signature-scanning antivirus programs, 247
single-authority trust, 527
site surveys, 445
skills, of ethical hackers, 20–21
Slammer virus, 218
SLAs (service-level agreements), for cloud computing, 553
SLE (single loss expectancy), determining, 12
Slowloris, 308
SMAC, 284
SMB (Server Message Block), 155
SMI (Smart Install) protocol, disabling, 488–489
S/MIME (Secure/Multipurpose Internet Mail Extensions), 529
SMS phishing, 209
SMTP (Simple Mail Transfer Protocol), 60, 62
enumeration, 162
smurf attacks, 307
Sn0wbreeze, 417
detecting, 291
FaceNiff, 416
keywords, 467
SNMP (Simple Network Monitoring Protocol), 62
enumeration, 160
traps, 160
snmpwalk, 160
keywords, 467
SNScan, 160
SOA records, 109
social activism, hacktivists, 30
social credit system, 93
social engineering, 22, 49, 165, 199
motivation techniques, 212
phishing, 200
SMS phishing, 209
voice phishing, 210
whaling, 210
social networks
dangers of, 98
gathering information from, 97
social security numbers, gathering, 100–103
software
in DDoS attacks, 310
vulnerabilities in, 10
source code, comments in, 351
source routing, 72
spanning, 276
Special Publication 800–115, 53
spoofing, 56
spoofing attacks, countermeasures, 290–291
spread-spectrum technology, 425
SQL (Structured Query Language)
databases, fingerprinting, 389–392
out-of-band exploitation, 394–395
stored procedure, 396
time-delay technique, 396
use of Booleans, 394
injection hacking tools, 397–398
UNION exploitation attack, 392–393
SQL injection, 554
Squert, 468
SRI (Sub-resource Integrity), 384
SSH (Secure Shell), 530
SSID (service set ID), 424
SSL (Secure Sockets Layer), 530
SSLstrip, 301
StackGuard, 382
state laws, compliance with, 24–25
stateful pattern-matching recognition, 461
status code messages, HTTP, 332
digital watermark, 524
Stevens, Richard, TCP/IP Illustrated, Volume 1: The Protocols, Second Edition, 69
StickyKeys, 171
stolen equipment attacks, 22
S-Tools, 521
Stored DOM-based attacks, 348–349
stored procedure SQL injection, 396
Storm worm, 218
stream ciphers, 512
subnetting, 113
substitution cipher, 508
suggested review and study plans, 574–575
suicide hackers, motivations, 17
Super Bluetooth Hack, 421
switches
bypassing, 277
symmetric encryption algorithms, 506, 508–511
AES, 514
Rivest Cipher, 514
SYN scans, 119
system hacking, 19
cracking Windows passwords, 175–176
exploiting vulnerabilities, 169–170
nontechnical password attacks, 164–165
owning the box, 173
privilege escalation, 169
technical password attacks, 165
T
Talos File Reputation Online Tool, 248–249
Tamper IE, 301
TAN grabber, 562
Task Manager, 244
TCP (Transmission Control Protocol), 56, 64–66
three-way handshake, 118
TCPdump, 290
TCP/IP (Transmission Control Protocol/Internet Protocol), 57
DHCP, 61
FTP, 61
SMTP, 62
SNMP, 62
Telnet, 62
Internet layer
ARP, 76
MAC addresses, 75
port-scanning techniques, 119–120
Transport layer
UDP, 66
TCPView, 244
TCSEC (Trusted Computer System Evaluation Criteria), 232
Teardrop attacks, 307
technical password attacks
automated password guessing, 167
Teflon Oil Patch, 230
Tenable, 260
testing
penetration testing, due diligence as reason for, 25
TFN (Tribal Flood Network), 311
TFTP (Trivial FTP), bypassing firewalls, 487–488
THC-Amap, 129
THC-Wardrive, 443
TheHackerGiraffe, 11
three-way handshake, 118
throttling, 313
time-delay SQL injection technique, 396
Tini, 225
TKIP (Temporal Key Integrity Protocol), 427
ToE (target of evaluation), 13
traceback, 565
traffic-cleaning, 565
training, 53
of cloud provider employees, 552
Tramp.A, 416
transmission methods, of viruses and worms, 213–215
Transport layer, 56
UDP, 66
transport layer
traps, 160
tree-based vulnerability assessments, 255
Trend Micro RootkitBuster, 184
Trinoo, 311
Trojan Man, 230
Trojans, 220
covert communication, 232
Obad, 416
ports and communication methods, 221–222
trust models
single-authority trust, 527
TShark, 289
tumbling, 410
tunneling
via application layer, 237–238
Type 3 codes, 71
U
UDP (User Datagram Protocol), 56, 57, 66
UEFI (Unified Extensible Firmware Interface), 417
Ufasoft Snif, 281
UI redress attacks, 372
UID (user identifier), 415
unicast MAC addresses, 75
UNIX, enumeration, 161
unvalidated input, 362
UPX, 250
U.S. Code, sections relating to fraud, 30–31
USA PATRIOT Act, 32
usability, and security, 6
Uuencode, 535
V
infection routine, 215
search routine, 215
VisualRoute, 115
voice phishing, 210
VoIP (Voice over IP), enumeration, 162–163
VPNs (virtual private networks), 507
researching, 29
vulnerability assessments
external vs. internal, 254
inference-based, 255
tree-based, 255
vulnerability scanners, 50
W
W3AF, 382
WannaCry, 231
war driving, 130
watering holes, 224
WaveStumbler, 443
Wayback Machine, 92
weak encryption
Base64, 535
Uuencode, 535
web application hacking, 361
clickjacking, 372
cookies, 377
DOM-based XSS attacks, 367–368
intercepting web traffic, 380–381
logging, 379
parameter/form tampering, 362
securing web applications, 381–383
unvalidated input, 362
XSS evasion techniques, 368–369
web server hacking, 328
DoS/DDoS, 343
HTTP response splitting, 348
man-in-the-middle, 347
website defacement, 347
audits, 360
automated exploit tools
BeEF, 357
Canvas, 358
Core Impact, 358
Metasploit, 357
disabling unneeded services, 359
HTML, analyzing, 341
clients, 328
proxies, 335
status code messages, 332
locking down the file system, 360
password cracking, 349
patch management, 359
scanning web servers, 336
comments in source code, 351
hard-coded credentials, 352
hidden elements, 356
improper error handling, 352
lack of code signing, 356
web server vulnerability identification, 342
WebCracker, 376
WebInspect, 383
websites
defacement, 347
for employee and people searches, 95
ISECOM, 23
for researching vulnerabilities, 29
well-known viruses and worms, 217–219
WEP (Wired Equivalent Privacy), 407, 425–427
whaling, 210
white box testing, 14
white hat hackers, 16
motivations, 16
Wikto, 340
WinARPAttacker, 281
WinDNSSpoof, 285
window scans, 123
Windows
enumeration, 152
NeBIOS enumeration, 155
nmap, 124
owning the box, 173
ports, 155
SIDs, 153
Windows Mobile Operating System, 417–418
WinDump, 290
Winfingerprint, 133
wireless communication, 406–407
Bluetooth, 419
classifications of, 419
cell phone technologies, 411–412
GPS mapping, 443
launching wireless attacks, 444
mobile devices, security concerns, 412–413
RFID attacks, 422
spread-spectrum technology, 425
SSID, 424
wireless hacking tools, 443
wireless traffic analysis, 443–444
WLANs, 422
ad hoc mode, 423
airmon-ng tool, 430
airodump-ng tool, 431
attacking preferred network lists, 433
compromising the Wi-Fi network, 444–445
deauthentication attacks, 429–430, 432–433
evil twin attacks, 429
fragmentation attacks, 441–442
installing rogue access points, 428–429
jamming wireless signals, 433
KARMA attacks, 441
misuse detection, 447
robust wireless authentication, 446
site surveys, 445
war driving, 433
WPS, attacking, 441
wireless networks, testing, 21
ping capture, 235
WLANs (wireless LANs), 422
ad hoc mode, 423
airmon-ng tool, 430
airodump-ng tool, 431
attacking preferred network lists, 433
compromising the Wi-Fi network, 444–445
deauthentication attacks, 429–430, 432–433
evil twin attacks, 429
fragmentation attacks, 441–442
installing rogue access points, 428–429
jamming wireless signals, 433
KARMA attacks, 441
misuse detection, 447
robust wireless authentication, 446
site surveys, 445
spread-spectrum technology, 425
war driving, 433
wireless hacking tools, 443
WPA, 427
WPS, attacking, 441
world’s biggest data breaches as of December 2018, 7
worms, 213
WPA (Wi-Fi Protected Access), 427
WPA3, 428
WPS (Wi-Fi Protected Setup), attacking, 441
wrappers, 228
wrapping attacks, 555
WRP (Windows Resource Protection), 7
X
X.507, 525
XMAS scans, 120
basic authentication, 374
Xprobe, 133
XSS (cross-site scripting), 554
Y
Yahoo Boys, 18
Yarochkin, Fyodor, 124
Yoda’s Crypter, 229
Z
Zabasearch, 96
Zenmap, 127
Zeroaccess, 183
Zigbee, 558
Zombam.B, 227
zone files, 63