Index

Numbers

1G technology, 410

802.11, 424425

A

Absinthe, 417

access control, to the cloud, 552

access points, war driving, 130

ACK scans, 119, 122

AckCmd, 238

ACLs (access control lists), 476477

active fingerprinting, 131133

active machines, identifying, 115

active sniffing, 276277

active vulnerability assessments, 253254

activity blockers, 248

activity profiling, 312

Acunetix Web Vulnerability Scanner, 360

AD (Active Directory), 154

ad hoc mode, 423

ADMutate, 474

advantages, of cloud computing, 550

AES (Advanced Encryption Standard), 511512, 514

aireplay-ng tool, 432433

airmon-ng tool, 430

airodump-ng tool, 431

AirSnare, 447

ALE (annual loss expectancy), calculating, 12

algorithms, 508509

Amitis, 226

analyzing malware, 249

dynamic analysis, 251253

static analysis, 250251

Android devices, 414415

Device Administration API, 414415

malware, 412, 416

rooting, 416

UID, 415

vulnerabilities, 414415

AndroRAT, 416

anomaly-based analysis, 464465

anonymizers, 137

antivirus software, 246248

APIs, unprotected, 353356

AppDetectivePro, 383

appenders, 215

Application layer, 55

application layer (TCP/IP)

DHCP, 61

DNS, 6263

FTP, 61

ports, 6061

blocking, 61

session hijacking, 295

client-side attacks, 297298

man-in-the-browser attacks, 299

man-in-the-middle attacks, 296

predictable session token ID, 296

session fixation attacks, 299

session replay attacks, 299

session sniffing, 295296

SMTP, 62

SNMP, 62

Telnet, 62

tunneling, 237238, 485

application-level attacks, 307308

application-level gateways, 478

applications

testing, 22

vulnerabilities in, 10

approval process for penetration testing, 2728

APs (access points), site surveys, 445

ARO (annual rate of occurrence), calculating, 12

ARP (Address Resolution Protocol), 76, 278279

and TCP/IP, 278279

ARP poisoning, 279281

assessments, defining scope of, 24

assets, 8

EF, 12

asymmetric encryption algorithms, 506, 508510, 515

Diffie-Hellman, 516

ECC, 516517

ElGamal, 516

hashing, 517518

RSA, 516

attack evasion techniques, 472473

flooding, 470

insertion and evasion, 470

shellcode attacks, 471472

attribute command, 185

audits, 15, 53, 360

Auernheimer, Andrew, 17

authentication, 506507

basic, 374

certificate-based, 375

forms-based, 375

Kerberos, 175

Linux, 178180

MD5, 375

passwords, 508

Windows, 173175

wireless, 446

authentication system testing, 22

automated exploit tools

BeEF, 357

Canvas, 358

Core Impact, 358

Metasploit, 357

automated mapping, 136138

automated password guessing, 167

availability, 7

Avatar, 183

Azazel, 183

B

back-ups, performing to reduce risk, 1011

backdoors, 52

in-band SQL injection, 389

bandwidth, limiting, 313

BangleDoS, 311

banner grabbing, 134136, 483

Base64, 535

basic authentication, 374

bastion hosts, 479

BeEF (Browser Exploitation Framework), 357

BetterCAP, 281

Bing Maps, 93

BinText, 250

biometrics, characteristics of, 166167

BIOS infections, 214

BitLocker, 531

black box testing, 1314

black hat hackers, motivations, 16

black hole filtering, 313

black holes, 493

Blackberry, 418

BlackHole Rat, 225

BLE (Bluetooth Low Energy), 558

blind SQL injection, 389

block ciphers, 512

BlueBug, 421

Bluejacking, 420421

BlueScanner, 421

Bluesnarfing, 421

Bluesniff, 421

Bluetooth

classifications of, 419

technologies, 419420

vulnerabilities, 420421

Bluetooth Smart, 558

bogons, 476

bogus flag probes, 131

Booleans, using in SQL injection attacks, 394

botnets, 560561

countermeasures, 563566

crimeware kits, 562

fast-flux, 561

installation, 563

well-known, 562

Brain virus, 216217

broadcast MAC addresses, 75

Brown, Justin, Google Hacking for Penetration Testers, 101

browsers, 330332

cookies, 377

viewing, 377378

brute-force attacks, 176, 376

Brutus, 376, 536

Bryant, Darla, 487

BTCrack, 419

buffer overflows, 373374

exploiting, 171173

bump attacks, 413

Burger, Ralf, 216217

Burneye, 228

Burp Suite, 301, 376377

BYOD (bring your own device), 406, 414

bypassing

firewalls, 484488

switches

with ARP poisoning, 279281

with MAC flooding, 281283

C

C language, vulnerabilities to buffer overflow, 172, 373374

CA (Certificate authority), 526

Caesar’s cipher, 507508

Caffrey, Aaron, 225

Cain and Abel, 281

calculating, SLE, 12

Canvas, 358

CartoReso, 137

CBC (Cipher Block Chaining mode), 512

cell phones. See also mobile devices

cloning, 410

regulatory laws, 410411

technologies, 411

vulnerabilities, 410

cell tower “spoofing”, 413414

Cellebrite, 413414

CER (crossover error rate), 166

certificate-based authentication, 375

certifications, 26

of ethical hackers, 2021

CFAA (Computer Fraud and Abuse Act), 17

CFB (Cipher Feedback mode), 513

change point detection, 312

China, social credit system, 93

chosen cipher-text attacks, 532

chosen plain-text attacks, 532

Chrootkit, 184

CIA (confidentiality, integrity, and availability), 7

availability, 7

confidentiality, 7, 506

integrity, 7, 507

CIPA (Children’s Internet Protection Act), 33

cipher text, 508

cipher-text only attacks, 532

circuit-level gateways, 478

Citadel, 562

clickjacking, 372

client-side attacks, 296

cloning, 410

cloud computing, 550. See also IoT (Internet of Things)

access control, 552

advantages of using, 550

attacks, 554555

audits, 552

breaches, 553

characteristics of, 550

data classification used by provider, 553

deployment models, 550551

disaster recovery/business continuity plan of provider, 553

and encryption, 553

and fog computing, 556

IaaS, 551

IoT, 556

long-term viability of the provider, 553

PaaS, 551

regulatory requirements, 552

SaaS, 551

security, 555

separation of data, 553

SLA terms, 553

training of provider employees, 552

cluster viruses, 214

code of ethics, 2930

Code Red virus, 218

code signing, 383384

Cohen, Fred, 216217

commands

attribute, 185

enable secret, 104

enum4linux, 161

finger, 161

Linux, 179

nbstat, 159

net, 156157

netstat, 244

nmap, 125127

decoy switch, 125

switches, 124125

nslookup, 108109

ntpdate, 162

ntpdc, 162

ntpq, 162

ntptrace, 162

passwd encryption, 489

rcpclient, 161

rpinfo, 161

showmount, 161

telnet, 134135

comments in source code, 351

common ports and protocols, 117

communication system testing, 22

community cloud, 550

company directories, 9293

compliance

with ISO/IEC 27002, 2425

with laws, 2425

regulations, 3334

Computer Fraud and Abuse Act, 32

Conficker worm, 218

confidentiality, 7, 23, 506

Cookie Cadger, 301

cookie manipulation attacks, 348349

cookies, 377

viewing, 377378

Core Impact, 358

countermeasures

for botnets, 563566

for malware, 243

for sniffing, 290291

covering tracks, 5152

crackers, 16, 1819

crimeware kits, 562

CRL (Certificate revocation list), 526

Cross-Site Request Forgery attacks, 554

crypters, 229230

cryptographic attacks, 531532

cryptography, 7, 506

algorithms, 509

asymmetric encryption algorithms, 508510, 515

Diffie-Hellman, 516

ECC, 516517

ElGamal, 516

hashing, 517518

RSA, 516

authentication, 506507

cipher text, 508

encryption, 508

history of

Caesar’s cipher, 507508

Navajo code talkers, 509

integrity, 507

plain text, 508

Scytale, 507

substitution cipher, 508

symmetric encryption algorithms, 508511

AES, 514

DES, 511513

Rivest Cipher, 514

CryptoTool, 536

CSMA/CD (carrier sense multiple access with collision detection), 424

CSRF (cross-site request forgery) attacks, 371372

Cuckoo, 250251

CurrPorts, 244

CVSS (Common Vulnerability Scoring System), 255259

Cyber Security Enhancement Act, 32

cyberattacks, 9

cyberterrorists, 19

Cydia, 417

CypherX Crypter, 230

D

DAI (Dynamic ARP Inspection), 290

Dark Reading, website, 29

data exfiltration, 412

data hiding Trojans, 221

data link layer, 5657

sniffing, 276

databases. See also SQL (Structured Query Language)

hacking, 384385

SQL, fingerprinting, 389392

testing, 22

datagrams, fragmentation, 6869

overlapping fragmentation attacks, 70

DDoS (distributed denial of service) attacks, 19, 309310, 343. See also DoS (denial of service) attacks

countermeasures, 312314

options, 303304

tools, 310312

deauthentication attacks, 429430, 432433

decoy switch, 125

default ports and services, 134

Dendroid, 416

deny all concept, 50

DES (Data Encryption Standard), 511513

modes of, 512513

detecting

honeypots, 493

malware, 249

sniffers, 291

determining the network range, 112113

malware, 243246

traceroute, 114115

Device Administration API, 414415

DHCP (Dynamic Host Configuration Protocol), 61

DHCP snooping, 283284

dictionary attacks, 176, 375

differential backups, 11

Diffie-Hellman, 516

Dig, 111112

digital certificates, 524525

PKI, 525526

digital signatures, 518

lack of code signing, 383384

S/MIME, 529

steganography, 519524

digital watermark, 524

directory traversal, 345347

disabling

SMI, 488489

unneeded services, 359

disclosure of confidential information, 9

disgruntled employees, 18

distributed intelligence, 556

fog computing, 556

distributing malware

crypters, 229230

droppers, 229

packers, 229

wrappers, 228

DMZ (demilitarized zone), 479

DNS (Domain Name System), 6263, 278

amplification attacks, 344

cache poisoning, 285

enumeration, 163

hijacking, 343344

record types, 109

spoofing attacks, 285

structure of, 108

zone transfers, 110111

DNSSEC (DNS Security Extensions), 290

DNSSEC (Domain Name System Security Extensions), 63

domain names, registrar query, 104107

domain proxies, 107

DOM-based XSS attacks, 367368

DoS (denial of service) attacks, 7, 9, 19, 343

application-level, 307308

countermeasures, 312314

DDoS, 309310

ICMP, 306307

options, 303304

peer-to-peer, 307

permanent, 309

smurf, 307

SYN flood, 306

testing, 21

volumetric, 305306

DroidSheep, 416

droppers, 229

Dsniff, 289290

DSSS (Direct-sequence spread spectrum), 425

due diligence, as reason for penetration testing, 25

DumpSec, 157158

dumpster diving, 164

dynamic analysis, 251253

dynamic ports, 60

E

eavesdropping, 410

e-banking Trojans, 221

ECB (Electronic Code Book mode), 512

ECC (Elliptic Curve Cryptography), 516517

Economic Espionage Act, 33

EDGAR database, 9899

EF (exposure factor), 12

EFS (Encrypted File System), 531

egress filtering, 315, 564

Electronic Communication Privacy Act, 32

ElGamal, 516

elicitation, 210211

email servers, gathering information about, 93

employee and people searches, 9598

websites, 95

enable secret command, 104

encoded binary IP addresses, 486487

encrypted passwords, 104

encryption, 506, 508. See also cryptography

asymmetric encryption algorithms

Diffie-Hellman, 516

ECC, 516517

ElGamal, 516

hashing, 517518

RSA, 516

basic, 374375

in the cloud, 553

cracking tools, 536

digital certificates, 524525

digital signatures, 518

steganography, 519524

digital watermark, 524

tools, 521524

successful cracks, 533

symmetric encryption algorithms

AES, 514

DES, 511513

Rivest Cipher, 514

weak

Base64, 535

Uuencode, 535

XOR, 534535

enum4linux command, 161

enumeration, 4950, 152

DNS, 163

firewalls, 480484

IPsec, 162163

LDAP, 156157

Linux/UNIX, 161

NetBIOS, 155

DumpSec, 157158

Hyena, 158

NTP, 162

SMTP, 162

SNMP, 160

VoIP, 162163

web servers, 337341

Windows, 152

error checking, 171

error handling, improper, 352

escalation of privilege, 51

establishing, security testing goals, 2627

ethical hacking, 16, 1920

Andrew Auernheimer, 17

final reports, 2829

modes of, 2123

process, 52

required skills, 2021

rules for, 2223

scope of assessment, defining, 24

securing an organization, 5253

test plans, 2425

testing

approval process, 2728

reasons for, 2425

ethics, 2930

Ettercap, 281, 300

plug-ins, 300301

Evan’s Debugger, 250

evasion tools, 473474

evil twin attacks, 429

Exploit Database, website, 29, 4950

exploits, 11, 169170

of buffer overflows, 171173

of C language, 172

of Java, 172

StickyKeys, 171

external penetration testing, 21

external vulnerability assessments, 254

F

Facebook, 98

FaceNiff, 416

FakeToken, 416

Fall, Kevin, TCP/IP Illustrated, Volume 1: The Protocols, Second Edition, 69

false negatives, 462

false positives, 461, 472

FAR (false acceptance rate), 166

fast-flux botnets, 561

Federal Information Security Management Act, 32

federal laws, 3033

18 USC 1029, 411

compliance with, 2425

Electronic Communication Privacy Act, 32

relating to hacking, 3133

Federal Sentencing Guidelines, 33

FHSS (Frequency-hopping spread spectrum), 425

file hiding, 185186

file infections, 214

filters, Wireshark, 288289

FIN scans, 119, 131

final preparation

hands-on activities, 573574

suggested review and study plans, 574575

final reports, 2829

financial information, gathering, 9899

finding open ports and access points

Hping, 129

nmap, 124127

NSE, 125

port knocking, 129

SuperScan, 128

THC-Amap, 128129

war driving, 130

finger command, 161

fingerprinting services, default ports and services, 134

Firesheep, 301

firewalking, 481483

firewalls, 474475

application-level gateways, 478

bypassing, 484488

circuit-level gateways, 478

identifying, 480484

NAT, 475476

packet filters, 476478

stateful inspection, 479480

using Netcat to tunnel out through, 489490

vulnerabilities, 479480, 485486

FISMA (Federal Information Security Management Act), 32

flag probes, 131

flags, TCP, 65

Flawfinder, 382

flooding, 470

FOCA, 102

fog computing, 556

footprinting and scanning, 4849, 86, 90

determining the network range, 112113

traceroute, 114115

finding open ports and access points

Hping, 129

nmap, 124127

port knocking, 129

SuperScan, 128

THC-Amap, 128129

war driving, 130

identifying active machines, 115

information gathering

DNS enumeration, 107112

documentation, 91

EDGAR database, 9899

employee and people searches, 9598

Google hacking, 99103

job boards, 9394

location information, 93

organization’s website information, 9193

registrar query, 104107

Usenet, 103104

mapping the network attack surface

automated mapping, 136138

manual mapping, 136

OS fingerprinting, 130

active fingerprinting, 131133

passive fingerprinting, 130131

port scanning, 116117

common ports and protocols, 117

TCP, 118120

form grabber, 562

forms-based authentication, 375

FPipe, 240

FQDNs (fully qualified domain names), 62

fragmentation, 6869

overlapping fragmentation attacks, 70

fraud

federal laws relating to, 3133

sections of the U.S. Code relating to, 3031

freeware, 224

FRR (false rejection rate), 166

FTP (File Transfer Protocol), 6061

Trojans, 221

FTP bounce scans, 123

full backups, 11

Full Connect scans, 119

full-knowledge testing, 14

fuzzing, 383

G

gaining access, 5051

Gardner, Bill, Google Hacking for Penetration Testers, 101

GDPR (General Data Protection Regulation), 2425, 33

geolocation, 412413

GFI LanGuard, 361

GHDB (Google Hacking Database), 101102

Ghost Rat Trojan, 226

Gilmore, John, 533

GLBA (Gramm-Leach-Bliley Act), 2425, 33

global threat correlation capabilities, 465

goals

of security, 7

of Trojans, 222223

Google Earth, 93

Google hacking

search terms, 99

social security numbers, 100103

GPS mapping, 443

gray box testing, 14

gray hat hackers, motivations, 17

GrayFish, 183

Green, Julian, 225

H

hacker attacks, 9

HackerStorm, website, 29

HackerWatch, website, 29

hacking, 16

black hat, motivations, 16

covering tracks, 5152

cyberterrorists, 19

disgruntled employees, 18

escalation of privilege, 51

ethical, 1920

required skills, 2021

ethical hackers, process, 52

footprinting, 4849

gaining access, 5051

gray hat, motivations, 17

maintaining access, 51

methodology of, 17

motivations, 1617

phreakers, 18

planting backdoors, 5152

reconnaissance, 4849

scanning and enumeration, 4950

script kiddies, 18

social engineering, 49

suicide, motivations, 17

system, 19

and usability, 6

white hat, motivations, 16

Hacking Web Applications (The Art of Hacking Series) LiveLessons, 573574

hacktivists, 30, 305

Hamster, 301

hands-on activities, 573574

hard-coded credentials, 352

hardening web servers, 358

hardware, in DDoS attacks, 310

hardware keyloggers, 241

Hashcat, 536

hashing, 517518

Heartbleed, 530

heuristic scanning, 247

heuristic-based analysis, 463

hiding files and covering tracks, 185186

hierarchical database management system, 384

hierarchical trust, 527528

high-interaction honeypots, 492

hijacking

application layer, 295

client-side attacks, 296

man-in-the-browser attacks, 299

man-in-the-middle attacks, 296

predictable session token ID, 296

session fixation attacks, 299

session replay attacks, 299

session sniffing, 295296

DNS, 343344

preventing, 302303

tools, 299301

transport layer, 292295

Hikit, 226

HIPAA (Health Insurance Portability and Accountability Act), 2425, 33

history

of cryptography

Caesar’s cipher, 507508

Navajo code talkers, 509

of viruses, 216217

HOIC, 311

honeypots, 490491

detecting, 493

placement, 491492

types of, 492493

Horse Pill, 183

hping, 74, 129, 480481

HTML (HyperText Markup Language), analyzing, 341

HTTP (HyperText Transfer Protocol), 60, 328330

browsers, 330332

clients, 328

cookies, 377

viewing, 377378

proxies, 335

response splitting, 348

status code messages, 332

tunneling, 485

URLs, 332333

Hunt, 301

hybrid attacks, 176, 376

hybrid cloud, 550

Hyena, 158

I

IaaS (Infrastructure as a Service), 551

IANA (Internet Assigned Numbers Authority), 104105

IBM AppScan, 361

ICANN (Internet Corporation for Assigned Names and Numbers), 104105

IceSword, 244

ICMP (Internet Control Message Protocol), 57, 66

embedded payloads, 234

header, 233234

source routing, 72

traceroute, 7274

example of in Windows, 7374

tunneling, 233235

Type 3 codes, 71

types and codes, 70

ICMPSend, 238

IDA Pro, 250

identifying

active machines, 115

firewalls, 480484

IDP (intrusion detection prevention), 474

IDS (intrusion detection systems), 4950, 312, 458

anomaly-based analysis, 464465

attack evasion techniques, 472473

flooding, 470

insertion and evasion, 470

shellcode attacks, 471472

components, 458

evasion tools, 473474

false negatives, 462

false positives, 461, 472

heuristic-based analysis, 463

NIDS, 463

pattern matching, 461464

protocol analysis, 463

protocol decoding, 462

signatures, 461, 463464

Snort, 465466

alerts, 468470

keywords, 467

rules, 466468

stateful pattern-matching recognition, 461

true/false matrix, 459

ImageHide, 521

impersonation, 210211

improper error handling, 352

incident response plans, 1516

incremental backups, 11

inference attacks, 531532

inference-based vulnerability assessments, 255

information gathering, 21

DNS enumeration, 107112

record types, 109

zone transfers, 110111

documentation, 91

EDGAR database, 9899

employee and people searches, 9598

social networks, 9798

websites, 95

Google hacking

GHDB, 101

search terms, 101

job boards, 9394

organization’s website information, 9193

registrar query, 104107

Usenet, 103104

infrastructure mode, 423424

injection flaws, 362363

insertion and evasion, 470

inSSIDer, 443

installing

botnets, 563

rogue access points, 428429

INSTEON, 559

integrity, 7, 507

integrity checking, 247

intercepting web traffic, 380381

internal penetration testing, 21

internal vulnerability assessments, 254

Internet layer

bypassing firewalls, 484

ICMP

embedded payloads, 234

header, 233234

source routing, 72

traceroute, 7274

tunneling via, 233235

Type 3 codes, 71

types and codes, 70

IP, 6770

interrogation, 210211

iOS, 417

jailbreaking applications, 417

IoT (Internet of Things), 556

distributed intelligence, 556

hacking tools, 560

protocols, 558559

security challenges, 556557

IP (Internet Protocol), 66

IP forwarding, 280

iPhone, 417. See also iOS

IPID closed port, 122

IPID open port, 121

IPS (intrustion prevention systems), 458

anomaly-based analysis, 465

global threat correlation capabilities, 465

IPsec, 531

enumeration, 162163

IPv4 addressing, 6768

ISECOM (Institute for Security and Open Methodologies), OSSTMM, 2324

ISN sampling, 131

ISO/IEC 27001:2013, 33

ISO/IEC 27002, compliance with, 2425

J

Jacobson, Van, 72

JAD (Java Application Descriptor) files, 418

jailbreaking, 413, 417

jamming wireless signals, 433

Java, exploits, 172

job boards, gathering information from, 9394

Joe Sandbox, 250251

John the Ripper, 177, 180181, 536

Jumper, 226

K

Kali Linux, 573

Kalman, Steve, Web Security Field Guide, 315

KARMA attacks, 441

KerbCrack, 168

Kerberos, 168, 175

KeyGhost Ltd, 169

keylogging, 168169

keystroke loggers, 240241

hardware, 241

software, 241

Kimset, 447

known plain-text attacks, 532

Kocher, Paul, 533

KoreK, 427

KRACK attacks, 440441

L

LaBrea Tarpit, 493

LAN Turtle, 529

launching wireless attacks, 444

laws, 3033

compliance with, 2425

and ethics, 2930

federal, 3133

regulatory, 3334

PCI-DSS, 34

sections of the U.S. Code relating to fraud, 3031

LDAP enumeration, 156157

legality of port scanning, 123

Let Me Rule, 226

Linux

/etc/passwd file, 178180

authentication, 178180

commands, 179

enumeration, 161

hiding files and covering tracks, 181182

nmap, 124

password cracking, 180181

ping, 115

rootkits, 182184

traceroute, 72

Whois, 105

LLC (logical link control) layer, 5657

LLMNR (Link-Local Multicast Name Resolution) protocol, 163

LM authentication, 174175

load balancing, 312

location information, gathering, 93

location-based services, 412413

logging, 379

LOIC, 311

Loki, 237

Long, Johnny, Google Hacking for Penetration Testers, 101

LoRaWAN (Long Range Wide Area Network), 559

LoriotPro, 114

LoWPAN (IPv6 over Low Power Wireless Personal Area Networks), 559

LRWPAN (Low Rate Wireless Personal Area Networks), 559

LSASS (Local Security Authority Server Service), 155

M

MAC (media access control) addresses, 75

MAC (media access control) layer, 5657

MAC flooding, 281283

macro infections, 214

maintaining access, 51

malvertising, 201202

malware, 9

analyzing, 249

dynamic analysis, 251253

static analysis, 250251

countermeasures, 243

detecting, 243246, 249

distributing

crypters, 229230

droppers, 229

packers, 229

wrappers, 228

keystroke loggers, 240241

on mobile devices, 412

Android, 416

ransomware, 230231

WannaCry, 231

spyware, 242

Trojans, 220

covert communication, 232

distributing, 227228

effects of, 224225

goals of, 222223

infection mechanism, 223224

ports and communication methods, 221222

RATs, 225227

tools, 225227

viruses, 213

creation tools, 219220

history of, 216217

infection routine, 215

payloads, 215216

search routine, 215

transmission methods, 213215

well-known, 217219

worms, 213

transmission methods, 213215

well-known, 217219

man-in-the-browser attacks, 299

man-in-the-middle attacks, 280, 296, 347, 532

interceptions, 302

KARMA attacks, 441

Stingray device, 413414

mapping networks

attack surface

automated mapping, 136138

manual mapping, 136

subnetting, 113

master boot record infections, 214

McAfee Rootkit Device, 184

MD5, 375, 517518

Melissa virus, 217218

Mendax, 474

Merdinger, Shawn, 103

Metamorfo Banking Trojan, 562

Metasploit, 357

methodology

of hackers, 17

OSSTMM, 2324

Michael, 427

Microsoft /GS, 382

mirroring, 276. See also spanning

misconfiguration, vulnerabilities in, 10

misconfiguration attacks, 347348

mitigating, DDoS and DoS attacks, 312314

Mitnick, Kevin, 9293

mobile devices. See also wireless communication

Android, malware, 416

Blackberry, 418

bump attacks, 413

BYOD, 414

cell tower “spoofing”, 413414

Cellebrite, 413414

controls, 418419

data exfiltration, 412

eavesdropping, 410

geolocation and location-based services, 412413

iOS, 417

jailbreaking applications, 417

jailbreaking, 413

malware, 412

platforms, 413414

Android, 414415

security, 410, 412413

Stingray device, 413414

Windows Mobile Operating System, 417418

modes of ethical hackers, 2123

Mognet, 443

Morphine, 229

MoSucker, 227

motivations, of hackers, 1617

MTU (maximum transmission unit), datagram fragmentation, 6869

multicast MAC addresses, 75

multipartite viruses, 214

MyDoom virus, 218

N

NAT (Network Address Translation), 67, 475476

National Vulnerability Database, website, 29

natural disasters, as security threat, 9

Navajo code talkers, 509

NBS (National Bureau of Standards), 511512

nbstat command, 159

NDP (Network Discovery Protocol), 67

NeBIOS, enumeration, 155

Necurs, 183

Nessus, 260, 360, 474

NetBIOS, enumeration

DumpSec, 157158

Hyena, 158

NetBus, 226

Netcat, 74

banner grabbing, 135136

for port redirection, 238240

using to tunnel out through a firewall, 489490

Netcraft, 337338

Netsparker, 361

netstat command, 244

NetStumbler, 443

network access layer, 7475

MAC addresses, 75

network evaluations, 15

network gear testing, 21

Network layer, 56

Network Performance Monitor, 160

Nexpose, 260

NIDS (network-based intrusion detection systems), 463

NIDSbench, 474

Night Dragon Operation, 9

Nikto, 383

Nimda worm, 218

NIST (National Institute of Standards and Technology), 511512

Special Publication 800–115, 53

Special Publication (SP) 800–145, “The NIST Definition of Cloud Computing”, 550

NLog, 137

nmap, 133

decoy switch, 125

switches, 124125

no-knowledge testing, 1314

nonrepudiation, 507

nontechnical password attacks, 164165

NRO (National Reconnaissance Office), 98

NSE (Nmap Scripting Engine), 125, 339340

nslookup command, 108109

N-Stalker, 382

NTLM authentication, 175

NTP (Network Time Protocol), enumeration, 162

ntpdate command, 162

ntpdc command, 162

ntpq command, 162

ntptrace command, 162

NULL scans, 119

O

Obad, 416

obfuscated attacks, 378379, 463464, 472

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), 5354

OFB (Output Feedback mode), 513

OFDM (Orthogonal frequency-division multiplexing), 425

OllyDBG, 250

OmniPeek, 289, 443

online pwned databases, 164

open authentication, 434440

open port idle scans, 120121

open services, finding, 134136

OpenPuff, 522

OpenVAS, 260

operating systems, vulnerabilities in, 10

OphCrack, 177178

OS fingerprinting

active fingerprinting, 131133

finding open services, 134136

fingerprinting services, default ports and services, 134

passive fingerprinting, 130131

Winfingerprint, 133

Osborn, Mark, 461

OSI (Open Systems Interconnection) model, 5557

OSSTMM (Open Source Security Testing Methodology Manual), 2324, 54

out-of-band SQL injection, 389, 394395

overlapping fragmentation attacks, 70

owning the box, 173

P

PaaS (Platform as a Service), 551

packers, 229

packet filters, 476478

packets

TCP, 65

UDP, 66

Pandora, 311

parameter/form tampering, 362

partial-knowledge testing, 14

passing the hash, 168

passive fingerprinting, 130131

passive sniffing, 276277

passive vulnerability assessments, 253254

passwd encryption command, 489

password cracking

John the Ripper, 177

Linux, 178181

RainbowCrack technique, 177178

types of attacks, 176

web server, 349

web-based, 375377

Windows, 175176

password guessing, 165167

password sniffing, 167168

patch management, 359

pattern matching, 461464

stateful pattern-matching recognition, 461

PCI-DSS (Payment Card Industry Data Security Standard), 3334

peer-to-peer attacks, 307

penetration testing, 15, 19

approval process, 2728

due diligence as reason for, 25

external, 21

final reports, 2829

internal, 21

test phases, establishing goals, 2627

permanent DoS attacks, 309

PewDiePie printer hack, 11

PGMP (Pretty Good Malware Protection), 230

PGP (Pretty Good Privacy), 529

pharming, 200201

Phatbot, 226

phishing attacks, 18, 200

phreakers, 18

physical layer, 57

physical security testing, 22

PII (personally identifiable information), 7

Ping of Death, 307

ping sweeps, 115116

PKI (Public Key Infrastructure), 525526

placement of honeypots, 491492

plain text, 508

planting backdoors, 5152

poison apple attacks, 222

policies, developing, 52

Poodlebleed, 533

port knocking, 129

port redirection

FPipe, 240

Netcat, 238240

port scanning

ACK scans, 122

common ports and protocols, 117

FTP bounce scans, 123

Hping, 129

legality of, 123

nmap, 124127

RPC scans, 123

SuperScan, 128

TCP, 118120

shutdown, 118119

three-way handshake, 118

window scans, 123

port security, 283

ports, 6061. See also scanning

blocking, 61

spanning, 276

Trojans, 221222

well-known, 117

Windows, 155

PPTP (Point-to-Point Tunneling Protocol), 531

predictable session token ID, 296

preferred network lists, attacking, 433

PremiumSMS, 416

prependers, 215

Presentation layer, 56

pretexting, 211

preventing, session hijacking, 302303

principle of least privilege, 61

private cloud, 550

privilege escalation, 51, 169

Process Explorer, 252

Process Monitor, 244

Process Viewer, 244

protocol analysis, 302, 463

protocol-decoding IDS, 462

protocols

EFS, 531

IoT, 558559

IPsec, 531

PGP, 529

PPTP, 531

S/MIME, 529

SSH, 530

SSL, 530

proxies, 137, 335

proxy trojans, 221

public cloud, 550

PwnageTool, 417

Q

qualitative risk assessment, 12

Qualys, 260

quantitative risk assessment, 12

Queso, 132

R

RA (Registration authority), 526

race conditions, 352353

RainbowCrack, 177178

ransomware, 219, 230231

WannaCry, 231

Rapid7, 260

RATs (remote-access Trojans), 225227

RATS (Rough Auditing Tool for Security), 382

rcpclient command, 161

Recon Dog, 102

reconnaissance, 4849

records, DNS, 63, 109

RedSn0w, 417

redundant array of inexpensive disks (RAID, 7

reflected XSS, 364366

registered ports, 60

registrar query, 104107

Regshot, 244

regulatory laws, 3334

for cell phones, 410411

for cloud computing, 552

compliance with, 2425

PCI-DSS, 34

remote-access Trojans, 220221

replay attacks, 532

required skills for ethical hackers, 2021

researching, vulnerabilities, 29

RESTful APIs, 557558

Restorator, 230

Retina CS, 361

Reverse WWW Tunneling Shell, 238

RFID (radio-frequency identification) attacks, 422

RIDs (relative identifiers), 153154

RIRs (Regional Internet Registries), 104105

risk, 8. See also risk assessment

backing up data to reduce, 1011

risk assessment, 1213

Rivest Cipher, 514

RMF (Risk Management Framework), 8

robust wireless authentication, 446

Roesch, Martin, 465

rogue access points, installing, 428429

rooting, 416

RootKitRevealer, 184

rootkits, 51, 182184

RPC (Remote Procedure Call), 161

RPC scans, 123

rpinfo command, 161

RSA (Rivest, Shamir, Adelman), 516

RSA NetWitness, 289

rules, for ethical hackers, 2223

rusers, 161

rwho, 161

Ryan, Thomas, 98

S

SaaS (Software as a Service), 551

Sage, Robin, 98

SAM (Security Accounts Manager), 154

sandbox, 413

SANS

policy templates, 16, 37

Reading Room, website, 29

Sarbanes-Oxley (SOX), 33

Sasser worm, 218

scanning, 4950, 86

heuristic, 463

web servers, 336

scoring systems, for vulnerability assessments, 255259

script kiddies, 18

Scytale, 507

search terms, Google, 99

security. See also security policies; security testing

assets, 8

challenges for IoT, 556557

CIA triad, 7

availability, 7

confidentiality, 7

integrity, 7

for cloud computing, 555

confidentiality, 7

crackers, 16

exploits, 11

goals of, 7

hackers, 16

cyberterrorists, 19

disgruntled employees, 18

ethical, 1920

methodology of, 17

phreakers, 18

script kiddies, 18

software crackers, 1819

system hackers/crackers, 19

mobile devices, 410, 412413

controls, 418419

risk, 8

backing up data to reduce, 1011

risk assessment, 1213

threats, 89

vulnerabilities, 910

researching, 29

Windows, 154155

world’s biggest data breaches as of December 2018, 7

Security and Exchange Commission, EDGAR database, 9899

security policies, 1516

incident response plans, 1516

security testing, 13

final reports, 2829

full-knowledge testing, 14

high-level assessments, 15

network evaluations, 15

no-knowledge testing, 1314

partial-knowledge testing, 14

penetration testing, 15

external, 21

internal, 21

physical, 22

resources, 53

test phases, 2526

establishing goals, 2627

types of tests, 1416

Security Tracker, website, 29

SecurityFocus, website, 29

security-software disablers, 221

session hijacking, 56

application layer, 295

client-side attacks, 296

man-in-the-browser attacks, 299

man-in-the-middle attacks, 296

predictable session token ID, 296

session fixation attacks, 299

session replay attacks, 299

session sniffing, 295296

preventing, 302303

tools, 299301

transport layer, 292295

Session layer, 56

session replay attacks, 299

session sniffing, 295296

sesson riding, 554

Sesson Thief, 301

SET (Social Engineering Toolkit), 204209

SHA-1, 518

shellcode attacks, 471472

Shellshock, 101

Shodan, 102103

shoulder surfing, 165, 212213

showmount command, 161

shrinkwrap software, vulnerabilities in, 10

side-channel attacks, 532, 554

SIDs (security identifiers), 153

signatures, 461, 463464

heuristic-based, 463

signature-scanning antivirus programs, 247

single-authority trust, 527

site surveys, 445

skills, of ethical hackers, 2021

Slammer virus, 218

SLAs (service-level agreements), for cloud computing, 553

SLE (single loss expectancy), determining, 12

Slowloris, 308

SMAC, 284

SMB (Server Message Block), 155

SMI (Smart Install) protocol, disabling, 488489

S/MIME (Secure/Multipurpose Internet Mail Extensions), 529

SMS phishing, 209

SMTP (Simple Mail Transfer Protocol), 60, 62

enumeration, 162

smurf attacks, 307

Sn0wbreeze, 417

sniffing, 51, 5859, 276

active, 276277

countermeasures, 290291

detecting, 291

FaceNiff, 416

passive, 276277

session hijacking, 291292

Snort, 465466

alerts, 468470

keywords, 467

rules, 466468

tools, 289290

Wireshark, 286289

filters, 288289

SNMP (Simple Network Monitoring Protocol), 62

enumeration, 160

traps, 160

snmpwalk, 160

Snort, 465466

alerts, 468470

keywords, 467

rules, 466468

SNScan, 160

SOA records, 109

social activism, hacktivists, 30

social credit system, 93

social engineering, 22, 49, 165, 199

elicitation, 210211

impersonation, 210211

interrogation, 210211

malvertising, 201202

motivation techniques, 212

pharming, 200201

phishing, 200

shoulder surfing, 212213

SMS phishing, 209

spear phishing, 202203

techniques, 199200

USB key drop, 212213

voice phishing, 210

whaling, 210

social networks

dangers of, 98

gathering information from, 97

social security numbers, gathering, 100103

software

antivirus, 246248

crackers, 1819

in DDoS attacks, 310

vulnerabilities in, 10

source code, comments in, 351

source routing, 72

SOX (Sarbanes-Oxley), 2425

spanning, 276

Special Publication 800–115, 53

spoofing, 56

spoofing attacks, countermeasures, 290291

spread-spectrum technology, 425

spyware, 213, 240242

SQL (Structured Query Language)

databases, fingerprinting, 389392

injection attacks, 387391

mitigations, 396397

out-of-band exploitation, 394395

stored procedure, 396

time-delay technique, 396

use of Booleans, 394

injection hacking tools, 397398

statements, 385387

UNION exploitation attack, 392393

SQL injection, 554

Squert, 468

SRI (Sub-resource Integrity), 384

SSH (Secure Shell), 530

SSID (service set ID), 424

SSL (Secure Sockets Layer), 530

SSLstrip, 301

StackGuard, 382

state laws, compliance with, 2425

stateful inspection, 479480

stateful pattern-matching recognition, 461

static analysis, 250251

status code messages, HTTP, 332

steganography, 519524

digital watermark, 524

tools, 521524

Stevens, Richard, TCP/IP Illustrated, Volume 1: The Protocols, Second Edition, 69

StickyKeys, 171

Stingray device, 413414

stolen equipment attacks, 22

S-Tools, 521

Stored DOM-based attacks, 348349

stored procedure SQL injection, 396

stored XSS attacks, 366367

Storm worm, 218

stream ciphers, 512

subnetting, 113

substitution cipher, 508

suggested review and study plans, 574575

suicide hackers, motivations, 17

Super Bluetooth Hack, 421

switches

bypassing, 277

with ARP poisoning, 279281

with MAC flooding, 281283

nmap, 124125

symmetric encryption algorithms, 506, 508511

AES, 514

DES, 511513

Rivest Cipher, 514

SYN flood attacks, 306, 565

SYN scans, 119

system hacking, 19

cracking Windows passwords, 175176

exploiting vulnerabilities, 169170

applications, 170171

buffer overflows, 171173

file hiding, 185186

nontechnical password attacks, 164165

owning the box, 173

privilege escalation, 169

technical password attacks, 165

password guessing, 165167

T

Talos File Reputation Online Tool, 248249

Tamper IE, 301

TAN grabber, 562

Task Manager, 244

TCP (Transmission Control Protocol), 56, 6466

flags, 65, 118

open port idle scans, 120121

shutdown, 118119

three-way handshake, 118

tunneling, 236237

TCPdump, 290

TCP/IP (Transmission Control Protocol/Internet Protocol), 57

application layer, 5960

DHCP, 61

DNS, 6263

FTP, 61

ports, 6061

SMTP, 62

SNMP, 62

Telnet, 62

and ARP, 278279

Internet layer

ICMP, 7074

IP, 6770

network access layer, 7475

ARP, 76

MAC addresses, 75

port-scanning techniques, 119120

Transport layer

TCP, 6466

UDP, 66

TCPView, 244

TCSEC (Trusted Computer System Evaluation Criteria), 232

Teardrop attacks, 307

technical password attacks

automated password guessing, 167

keylogging, 228230

password guessing, 165167

password sniffing, 167168

Teflon Oil Patch, 230

Telnet, 58, 62, 483

telnet command, 134135

Tenable, 260

testing

penetration testing, due diligence as reason for, 25

reasons for, 2425

TFN (Tribal Flood Network), 311

TFTP (Trivial FTP), bypassing firewalls, 487488

THC-Amap, 129

THC-Hydra, 376, 536

THC-Wardrive, 443

TheHackerGiraffe, 11

ThreatExpert, 250251

threats, 89

three-way handshake, 118

throttling, 313

time-delay SQL injection technique, 396

Tini, 225

TKIP (Temporal Key Integrity Protocol), 427

ToE (target of evaluation), 13

traceback, 565

traceroute, 114115, 480

example of in Windows, 7374

traffic-cleaning, 565

training, 53

of cloud provider employees, 552

Tramp.A, 416

transmission methods, of viruses and worms, 213215

Transport layer, 56

TCP, 6466

tunneling via, 236237

UDP, 66

transport layer

bypassing firewalls, 484485

hijacking, 292295

traps, 160

tree-based vulnerability assessments, 255

Trend Micro RootkitBuster, 184

Trinoo, 311

Trojan Man, 230

Trojans, 220

covert communication, 232

distributing, 227228

effects of, 224225

goals of, 222223

infection mechanism, 223224

Obad, 416

ports and communication methods, 221222

RATs, 225227

tools, 225227

types of, 220221

trust models

hierarchical trust, 527528

single-authority trust, 527

web of trust, 528529

TShark, 289

tumbling, 410

tunneling

ICMP, 233235

TCP, 236237

via application layer, 237238

Type 3 codes, 71

U

UDP (User Datagram Protocol), 56, 57, 66

UEFI (Unified Extensible Firmware Interface), 417

Ufasoft Snif, 281

UI redress attacks, 372

UID (user identifier), 415

unicast MAC addresses, 75

UNIX, enumeration, 161

unprotected APIs, 353356

unvalidated input, 362

UPX, 250

URLs, 332333

obfuscating, 378379

U.S. Code, sections relating to fraud, 3031

USA PATRIOT Act, 32

usability, and security, 6

USB key drop, 212213

Usenet, 103104

user mode, 152153

Uuencode, 535

V

viruses, 9, 213

creation tools, 219220

history of, 216217

infection routine, 215

payloads, 215216

search routine, 215

transmission methods, 213215

well-known, 217219

VisualRoute, 115

voice phishing, 210

VoIP (Voice over IP), enumeration, 162163

volumetric attacks, 305306

VPNs (virtual private networks), 507

vulnerabilities, 910

researching, 29

scanning for, 259260

of web servers, 342, 349351

XSS, 363364

vulnerability assessments

CVSS, 255259

external vs. internal, 254

inference-based, 255

passive vs. active, 253254

scoring systems, 255259

tree-based, 255

vulnerability scanners, 50

W

W3AF, 382

WannaCry, 231

war driving, 130

watering holes, 224

WaveStumbler, 443

Wayback Machine, 92

weak encryption

Base64, 535

Uuencode, 535

XOR, 534535

web application hacking, 361

buffer overflows, 373374

clickjacking, 372

cookies, 377

viewing, 377378

CSRF attacks, 371372

DOM-based XSS attacks, 367368

injection flaws, 362363

intercepting web traffic, 380381

logging, 379

parameter/form tampering, 362

password cracking, 375377

reflected XSS, 364366

securing web applications, 381383

stored XSS, 366367

unvalidated input, 362

URL obfuscation, 378379

XSS evasion techniques, 368369

XSS mitigations, 369370

XSS vulnerabilities, 363364

web of trust, 528529

web server hacking, 328

attacks, 335336, 342343

cookie manipulation, 348349

directory traversal, 345347

DoS/DDoS, 343

HTTP response splitting, 348

man-in-the-middle, 347

misconfiguration, 347348

website defacement, 347

audits, 360

automated exploit tools

BeEF, 357

Canvas, 358

Core Impact, 358

Metasploit, 357

disabling unneeded services, 359

DNS hijacking, 343344

enumeration, 337341

HTML, analyzing, 341

HTTP, 328330

browsers, 330332

clients, 328

proxies, 335

status code messages, 332

URLs, 332333

locking down the file system, 360

password cracking, 349

patch management, 359

scanning web servers, 336

vulnerabilities, 349351

comments in source code, 351

hard-coded credentials, 352

hidden elements, 356

improper error handling, 352

lack of code signing, 356

race conditions, 352353

unprotected APIs, 353356

vulnerability scans, 360361

web server vulnerability identification, 342

WebCracker, 376

WebInspect, 383

websites

codes of ethics, 2930

defacement, 347

for employee and people searches, 95

Exploit Database, 4950

ISECOM, 23

for researching vulnerabilities, 29

well-known ports, 60, 117

well-known viruses and worms, 217219

WEP (Wired Equivalent Privacy), 407, 425427

attacking, 433435

whaling, 210

white box testing, 14

white hat hackers, 16

motivations, 16

Whois, 105107

Wikto, 340

WinARPAttacker, 281

WinDNSSpoof, 285

window scans, 123

Windows

architecture, 153154

authentication types, 173175

cracking passwords, 175176

enumeration, 152

LDAP enumeration, 156157

NeBIOS enumeration, 155

nmap, 124

owning the box, 173

ports, 155

RIDs, 153154

security, 154155

SIDs, 153

SmartWhois, 105106

traceroute, 7274

user mode, 152153

Windows Mobile Operating System, 417418

WinDump, 290

Winfingerprint, 133

wireless communication, 406407

Bluetooth, 419

classifications of, 419

technologies, 419420

vulnerabilities, 420421

cell phone technologies, 411412

GPS mapping, 443

launching wireless attacks, 444

mobile devices, security concerns, 412413

RFID attacks, 422

spread-spectrum technology, 425

SSID, 424

wireless hacking tools, 443

wireless traffic analysis, 443444

WLANs, 422

ad hoc mode, 423

airmon-ng tool, 430

airodump-ng tool, 431

attacking preferred network lists, 433

compromising the Wi-Fi network, 444445

deauthentication attacks, 429430, 432433

evil twin attacks, 429

fragmentation attacks, 441442

infrastructure mode, 423424

installing rogue access points, 428429

jamming wireless signals, 433

KARMA attacks, 441

KRACK attacks, 440441

misuse detection, 447

open authentication, 434440

robust wireless authentication, 446

site surveys, 445

war driving, 433

WEP, 425427

WEP, attacking, 433435

WPA, attacking, 435440

WPS, attacking, 441

wireless networks, testing, 21

Wireshark, 59, 286289, 564

filters, 288289

ping capture, 235

WLANs (wireless LANs), 422

ad hoc mode, 423

airmon-ng tool, 430

airodump-ng tool, 431

attacking preferred network lists, 433

compromising the Wi-Fi network, 444445

deauthentication attacks, 429430, 432433

evil twin attacks, 429

fragmentation attacks, 441442

infrastructure mode, 423424

installing rogue access points, 428429

jamming wireless signals, 433

KARMA attacks, 441

KRACK attacks, 440441

misuse detection, 447

open authentication, 434440

robust wireless authentication, 446

security, WEP, 425427

site surveys, 445

spread-spectrum technology, 425

war driving, 433

WEP, attacking, 433435

wireless hacking tools, 443

WPA, 427

attacking, 435440

WPS, attacking, 441

world’s biggest data breaches as of December 2018, 7

worms, 213

transmission methods, 213215

well-known, 217219

WPA (Wi-Fi Protected Access), 427

attacking, 435440

WPA3, 428

WPS (Wi-Fi Protected Setup), attacking, 441

wrappers, 228

wrapping attacks, 555

WRP (Windows Resource Protection), 7

X

X.507, 525

XMAS scans, 120

XOR, 426, 534535

basic authentication, 374

Xprobe, 133

XSS (cross-site scripting), 554

CSRF attacks, 371372

DOM-based attacks, 367368

evasion techniques, 368369

mitigations, 369370

reflected, 364366

stored, 366367

vulnerabilities, 363364

Y

Yahoo Boys, 18

Yarochkin, Fyodor, 124

Yoda’s Crypter, 229

Z

Zabasearch, 96

Zenmap, 127

Zeroaccess, 183

Zigbee, 558

Zombam.B, 227

zombie computers, 560561

zone files, 63

Z-Wave, 558559

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
35.172.230.21