Index
- A
- Active Directory domain controller (AD DC), 459, 466
- active phase, 56–57, 67
- Active Server Pages (ASP), 204
- adapters, virtual network, 44–48
- Address of Host (A/AAAA), 93
- adjacent network, 546
- Advanced Encryption Standard (AES), 36, 528
- Advanced Research Projects Agency Network (ARPANET), 88
- Advanced RISC Machine (ARM processor), 24
- aggressive mode (IKE-scan), 265–267
- AMD-V, 25
- American National Standards Institute (ANSI), 359
- anonymous access, 289
- Anti-Malware Scan Interface (AMSI), 503–504
- antivirus (AV) software, 462–463
- Apache, 202–203
- Apache Tomcat, 238–240
- Apple File System (APFS), 284–285
- application layer protocol, 142
- application-specific integrated circuits (ASICs), 538
- Aptitude Package Manager (
apt), 34 - arbitrary size, 517
- Arch Linux, 28
- ASP.NET, 204, 207
- assessment
- B
- backup domain controllers (BDCs), 298, 460
- Bailiwicked, 130
- balancing the SQL query, 426
- banner grabbing, 152
- Bash, 226–227
- Basic Input Output System (BIOS), 25
- Bcrypt, 531–532
- BENIGNCERTAIN tool, 257
- Berkeley Internet Name Domain (BIND), 94, 120
- Berkeley Software Distribution (BSD), 26–27
- big endian, 337
- binary large objects (blobs), 356
- bind payload, 182
- BIND9, 95–97
- BIND10, 94
- Bing, 56–57
- Bitcoin, 192–193
- BitLocker, 32, 462
- BitTorrent client, 30
- Black Arch Linux, 29, 41
- Black Hat USA, 472, 473
- black team, 9
- blind SQL injection, 425
- blockchains, 192–193, 517–518
- BloodHound, 466
- Blowfish cipher, 531
- blue teams, 5
- board engagement, 11
- boot key, 462
- boot2root challenges, 53
- botnet, 121
- broken access controls, 439–440
- broken authentication, 434–436
- Browser Exploitation Framework (BeEF), 397, 445–450
- browsing, manual, 412–415
- brute-force attacks
- C
-
ccommand, 376 - C programming language, 204
- CaaS (cracking-as-a-service), 539
- cache poisoning, 129–131
- cache snooping, 131
- Cadaver, 207, 220
- Cain & Abel, 466, 519, 537
- Canonical Name (CNAME), 93
- Capital One, 3
- certificate of Authority (CA), 268
- CertUtil, 30
- CeWL, 165, 519, 537
- change mode, 286
-
CHAOSclass, 112 - CHAOSNET, 111–113
- Charoncmd utility, 267
- checksum, 31
- chief executive officer (CEO), 1, 2–3
- chief information security officer (CISO), 1, 2–3
-
chmodcommand, 286 - Chrome, 207
- Chromebooks, 24
- Cisco Type 7 method, 533–534
- Citadel, 136
- Classless Inter-Domain Routing (CIDR) notation, 308
- client name servers, crashing, 128
- cloudbursts, 54
- Cloudflare, 197–198
- code 301/302, 194
- Code of Conduct (Hacker House), 22
- collisions, 533
- colon (:), 63
- command injection attack, 323
- command injection vulnerability, 226, 227
- command-line web tools, 207
- comma-separated values (CSV) file, 356
- Common Desktop Environment (CDE), 351
- Common Gateway Interface (CGI), 225–226
- Common Internet File System (CIFS), 295
- Common UNIX Printing System (CUPS), 341–343
- Common Vulnerabilities Scoring System (CVSS), 545–548
- Common Vulnerability Reporting Framework (CVRF), 476
- Common Weakness Enumeration (CEW) resource, 436
- Complex Instruction Set Computer (CISC) processor, 24
- Computer Fraud & Abuse Act (1984), 14
- Computer Misuse Act (1990), 14, 18
- computers, breaking, 2–3
- confidentiality, 547–548
-
CONNECTmethod, 195 - content discovery tools, 207
- content management systems (CMSs), 220
- contract law, 14
- cookies, 198–200
- COPACOBANA, 528
-
COPYmethod, 211 - cost, of cybercrime, 21
- Costas, Danielle, 264
- Covenant, 466
- cracking
- art of, 538–539
- password hashes, 25
- passwords, 519–523
- crashing client name servers, 128
- crawlers, 206
- Create Virtual Hard Disk dialog box, 42
- crimeware, 20
- criminal hacking, 15
- Cron files, 319, 347–351
- cross-site scripting (XSS)
- "crown jewels." See data
-
crypt()function, 527, 531–532 - crypt-devices, 33
- "A Cryptanalytic Time-Memory Trade-Off" (Hellman), 524
- cryptocurrencies, 517–518
- cURL, 207, 228–231
- curly braces ({}), 166
- Cuthbert, Daniel (security consultant), 16–17, 220
- CVE-1999-0209 vulnerability, 329–330
- CVE-2007-0882 vulnerability, 322
- CVE-2010-4345 vulnerability, 180–185
- CVE-2010-4435 vulnerability, 329
- CVE-2014-0160: The Heartbleed bug, 172–180
- CVE-2014-3660 vulnerability, 437–439
- CVE-2017-0147 vulnerability, 477
- CVE-2017-3623 vulnerability, 330–331
- CVE-2017-5618 vulnerability, 278–281
- CVE-2017-7494 (SambaCry), 303–306, 476, 496
- CVE-2017-7692 vulnerability, 185–187
- CVE-2017-8495 vulnerability, 473
- CVE-2019-0734 vulnerability, 473
- Cyclic Redundancy Check (CRC) algorithm, 532
- Cyrus, 158, 160
-
- D
-
dcommand, 376 - daemon, 151
- DANDERSPRITZ tool, 467
- data, 4
-
DATAcommand, 155 - Data Encryption Standard (DES), 527, 528
- Data Protection Act (1998), 14
- Data Protection Act (2018), 14
- database management system (DBMS), 355
- database schema, 357
- databases
- about, 355
- common exploitations for, 360–361
- hacker toolbox for, 360
- MongoDB, 381
- MySQL, 362–374
- Oracle, 378–381
- port scanning servers, 361–362
- PostgreSQl, 374–376
- privilege escalation via, 384–392
- Redis, 381–384
- software for, 377–378
- Structured Query Language (SQL), 358–359
- types, 356–358
- user-defined functions (UDF), 359–360
- Datagram Transport Layer Security (DTLS), 255
- Debian, 28, 95, 540
- Debugging EBBSHAVE, 335–337
-
delcommand, 221 -
DELETEmethod, 195, 211 - delivering reports, 558
- delivery status notifications (DSNs), 138–141
- Dengguo Feng, 533
- denial-of-service (DoS) attacks, 124–128, 259, 548
- denial-of-service condition, 16
- derivation function, 532
-
describecommand, 368 - deserialization, insecure, 452
-
dhclientcommand, 48 - dial-up, 256
- diceware, 35
- Diffie, Whitefield, 254
- Diffie-Hellman group, 254
-
digcommand, 143 - Dig (domain information groper) tool
- Digital Millennium Copyright Act (1998), 14
- Dirb, 207, 218
- directories, 285
- directory traversal attacks, 219–220, 440–441
- DirtyCOW, privilege escalation using, 246–249
- disclosure, responsible, 19–20
- disk encryption, 31–33
- Distributed Computing Environment (DCE), 466
- distributed denial-of-service (DDoS) attacks, 88, 124–125
- distributed reflected-denial-of-service (DRDoS) attacks, 125
- distribution (distro), 27
- DJBDNS, 94
- DNS Security Extensions (DNSSEC), 131–132
- DNSenum tool, 98, 116–117
- DNSmasq tool, 94
- DNSrecon tool, 98, 116
- DNSspoof, 98, 128
-
doascommand, 34 - Docker, 226
- document metadata, 76–80
- dollar sign ($), 526
- domain controller, 459
- Domain Keys Identified Mail (DKIM), 144–145
- Domain Name System (DNS)
- about, 87
- basic query, 89–91
- cache poisoning, 129–131
- cache snooping, 131
- CHAOSNET, 111–113
- denial-of-service (DoS) attacks, 125–126, 126–128
- Dig, 106–111
- DNS Security Extensions (DNSSEC), 131–132
- exploits, 104
- finding hosts, 98
- finding Start of Authority (SOA) with Dig, 102–103
- fuzzing, 132–134
- hacking toolkit, 98
- hacking virtual name servers, 103–104
- hierarchy of, 88–89
- history of, 88
- implications of hacking, 87–88
- information-gathering tools, 114–117
- Metasploit, 121–125
- Microsoft, 469–470
- port scanning with Nmap, 104–106
- resource records, 92–94
- round-robin, 142
- searching for vulnerabilities/exploits, 118–120
- server, 53
- spoofing, 128–129
- traffic amplification attack, 120–121
- WHOIS, 98–101
- zone transfer requests, 113–114
- zones of authority, 92
- domain tree, 458
- Domain-based Message Authentication, Reporting, and Conformance (DMARC), 144–145
- domains, 298, 457, 458–461
- double greater-than symbols (>>), 350
- DOUBLEPULSAR tool, 467
- Dovecot, 136
-
dradiscommand, 554 - Dradis Community Edition (Dradis CE), 553–557
- Drake, Joshua, 184, 374
-
dropshellfunction, 280 - Drupageddon, 433
- Drupal, 65
- Dsniff, 98
- DuckDuckGo, 56–57, 206, 518
- Dug Song, 128, 322
- Dynamic Host Configuration Protocol (DHCP), 38
- dynamic library, 174
-
- E
- easy mode, 53
- EBBSHAVE tool, 319, 331–337
- Effective User ID (EUID), 309
- Electronic Communications Privacy Act (1986), 14
- Electronic Frontier Foundation (EFF), 21
- electronic mail. See email
- email
- about, 135
- brute-forcing Post Office Protocol (POP), 167–169
- CVE-2014-0160: The Heartbleed bug, 172–180
- delivery status notifications (DSNs), 138–141
- email chain, 135–136
- exploiting CVE-2010-4345, 180–185
- exploiting CVE-2017-7692, 185–187
- grabbing addresses from Google, 59–61
- hack boxes and, 36
- message headers, 137–138
- Nmap Scripting Engine, 169–172
- scanning mail servers, 145–148
- Sender Policy Framework (SPF), 143–145
- Simple Mail Transfer Protocol (SMTP), 141–143
- software, 158–162
- user enumeration via Finger, 162–167
- end characters, 297
- Enigma machine, 539
- Enigmail, 36
- Enterprise Administrator account, 461
- entry points, identifying, 418
- Enum4linux, 288, 299–303, 466, 479–489
- enumerating
- enum.exe, 466
- environment variables, 228
- environmental scores, 545
- Equation Group, 477
- error pages, 442
-
/etc/shadow, 526–529 - ETERNALBLUE exploit, 476–479
- ethical hacking
- about, 13–14
- authorization, 18–19
- bug bounty programs, 20–21
- compared with red teams, 6
- criminal hacking, 15
- defined, 3
- gray area, 16–17
- Hacker House Code of Conduct, 22
- legal advice/support, 21–22
- legalities, 14
- methodologies of, 17–18
- as part of company's immune system, 9–11
- as pursuit of knowledge, 10
- responsible disclosure, 19–20
- virtual name servers, 103–104
- Windows vs. Linux, 458–464
- written permission for, 15–16
- F
- F root name server, 91
- fbin, 322
- Federal Communications Commission, 66
- Fgdump, 466
- field-programmable gate arrays (FPGAs), 538
- Fierce tool, 98, 115
- file mode bits, 285–286
- file mode creation mask, 386
- file servers, port scanning, 288
- File Transfer Protocol (FTP), 220, 289–291
- files and file sharing
- about, 283–284
- Cron, 319, 347–351
- File Transfer Protocol (FTP), 220, 289–291
- local files, 347–351
- NAS hacking toolkit, 287–288
- Network File System (NFS), 308–309
- network-attached storage (NAS), 283, 284
- NFS privilege escalation, 309–311
- permissions, 284–287
- port scanning file servers, 288
- remote procedure calls (RPCs), 292–294
- RPCinfo, 294–295
- Rsync, 306–308
- searching for useful files, 311–312
- Server Message Block (SMB), 295–306
- Trivial File Transfer Protocol (TFTP), 291–292
- uploading files, 220–223
- FileVault, 32
- findsock payload, 182
- Finger, 319
- Fingerprinting Organizations with Collected Archives (FOCA), 77, 162–167
- Firefox, 207
- firewall, 34–35
- fixed size, 517
- flat-file databases, 356
- folders, 285
- forests, 458–461
- forward slash (/), 88, 206, 246, 527
- Fox, Brian, 226
- fragments, 200
- froot, 322, 323
- FTP over SSH protocol (SFTP), 289
- FTP Secure (FTPS), 289
- full virtualization, 25
- functions, user-defined (UDF), 359–360
- FUZZBUNCH tool, 467
- fuzzing, 132–134
- G
- GECOS field, 62
- General Data Protection Regulation (GRPD), 5
- general-purpose tools, 207
- Gentoo Linux, 27–28, 306
-
GETmethod, 195–196, 200–201, 210–211, 224, 230, 387, 438 -
getsystemcommand, 505 - GitHub, 77
- glue record, 107
- Gmail, 161
- GNU Compiler Collection (GCC), 247
- goal, of open source intelligence (OSINT), 57–58
- Gobuster, 218
- golden tickets, 472–473
- Gonzalex, Albert (hacker), 15
- Google, 56–57, 59–61
- Google dorking, 62
- Google hacking, 62
- Google Hacking Database (GHDB), 65–66
- graphical identification and authentication (GINA), 498
- Graphical User Interface (GUI), 33
- gray area, in ethical hacking, 16–17
- greater-than symbol (>), 271
- Grep, 67
- Group Policy, 494–496
- groups, Windows, 461
- guest additions, 51–52
- H
- hack boxes
- about, 23
- Berkeley Software Distribution (BSD), 26–27
- creating vulnerable servers, 53–54
- disk encryption, 31–33
- guest additions, 51–52
- hardware, 24–26
- host operating systems, 27–29
- Linux, 26–27
- setting up VirtualBox, 36–51
- software, 33–36
- testing virtual environment, 52–53
- verifying downloads, 29–31
- hacker, 13
- Hacker House, 14, 22, 125, 170
- HackerGiraffe, 343
- hacking. See ethical hacking
- handshakes, 232
- Happy Hacking Keyboard (HHK), 26
- Hard-Disk Drive (HDD), 25, 285
- hardware, for hacking, 24–26
- hardware security model (HSM), 540
- hash dumping, 505–506
- hash symbol (#), 200, 244
- hash tables, 519, 523–524
- Hashcat, 519, 520, 522
-
hashdumpcommand, 505–506 - hashes, 530–533, 535–537
- HashID tool, 519, 530
- hashing, 517–519
- Have I Been Pwned (HIBP), 66, 519
-
HEADmethod, 195, 211 - heap, 173
- heartbeat, 172
- Heartbleed bug, 157, 172–180, 233
- Hellman, Martin, 254, 524
-
:helpcommand, 223 -
HELPcommand, 154 - hexadecimal characters, 297
- hidden web content, guessing, 216–220
- Hierarchical File System Plus (HFS+), 284–285
- hierarchy, of DNS, 88–89
- Homebrew, 30
- honey-trapping, 81
- hook, 446
- Host, 98, 101
- host key, 50
- Host Network Manager dialog box, 38
- host operating systems, 27–29
- host-only networking, 38–40
- hosts, 98, 100
- Hping3, 98, 259–261
- Human Rights Act (1998), 14
- Hunt, Troy, 66
- Hydra, 168, 326, 537
- HyperText Markup Language (HTML), 192–193
- Hypertext Transfer Protocol (HTTP)
- hack boxes
- I
- IACME, 464
-
idcommand, 184, 246, 391, 473, 500 -
ifconfigcommand, 182 - IKEMulti tool, 264–265
- IKE-scan, 257, 262–267
- impacket, 466
- incentives, lack of, 7
- industrial control system, 84
- information security (infosec), 2
- Information Systems Security Assessment Framework, 17
- information-gathering tools, 114–117
- injection
- insecure deserialization, 452
-
INSERTcommand, 389 - insufficient logging and monitoring, 453–454
- Integrated Drive Electronics (IDE), 44
- Integrated Services Digital Network (ISDN), 17
- integrity, 547–548
- Intel VT-x, 25
- intercepting proxies, 398–412
- International Standard for Organization (ISO), 40–41, 359
- Internet access, 25
- Internet Control Message Protocol (ICMP), 52, 260
- Internet Corporation for Assigned Names and Numbers (ICANN), 57
- Internet Information Services (IIS), 470–471
- Internet Key Exchange (IKE), 253–254
- Internet Message Access Protocol (IMAP), 136, 157–158
- Internet of Things (IoT), 4–5, 83
- Internet Protocol Security (IPsec), 253
- Internet Security Association and Key Management Protocol (ISAKMP), 253
- Internet Systems Consortium (ISC), 118, 120
-
ip addresscommand, 48, 182 - IP addresses, checking, 182
- issues, compared with vulnerabilities, 544
- L
- L0phtcrack, 519
- labs, 48–51
- LAMP stack, 202
- LAN Manager (LANMAN), 506, 524, 535
- The Last Stage of Delirium, 504
- lateral movement, 461, 493
- LCP, 519
- LDAP injection, 276
-
lddcommand, 174 - leased line, 251
- legal advice/support, 21–22
- legalities, 14
- length limitations, for passwords, 528–529
- libc library, 377
- Lightweight Directory Access Protocol (LDAP), 256, 275–277, 474
- LinkedIn, 67, 81–83
- Linux, 26–27, 458–464
- Linux, Apache, MySQL, and PHP (LAMP), 201–205
- Litchfield, David, 380–381
- local files, 347–351
- local privilege escalation (LPE), 185, 246
-
LOCKmethod, 211 - lockstep, 291
- Lodge, David, 212
- logging, insufficient, 453–454
- lookups, 90
- Love, Lauri (hacker), 15
- M
- Mach, 30
- MacPorts, 30
- Mail Exchange (MX), 94
- Mail() function, 186, 187
- mail server lab (website), 49
- mail servers, scanning, 145–148
- mail transfer agent (MTA), 135
- mail user agents (MUAs), 135
- Maildrop, 136
- mainstream OS, running, 29
- malformed packets, 133
- malicious hacker, 55
- Maltego, 80–81
- malware, 54
- managed service providers (MSPs), 135
- man-in-the-middle (MitM) attacks, 289
- man-in-the-middle proxy (Mitmproxy), 185, 397, 398
- manual browsing/mapping, 412–415
- manual HTTP requests, 210–212
- mapping, manual, 412–415
- MaraDNS, 94
- MariaDB, 203, 255, 362
- MD5 hash, 30, 522, 530
- message delivery agent (MDA), 135–136
- message headers, 137–138
- metadata, 76–80, 137
- Metagoofil, 77
- Metasploit, 121–128, 172, 177, 179, 182, 207, 227–228
- Meterpreter, 466, 504–505
- methodology
- Microsoft DNS, 469–470
- Microsoft Exchange, 136
- Microsoft hashes, 535–537
- Microsoft IIS, 203, 205
- Microsoft RPC protocols, 293, 466, 489–497
- Microsoft Security Bulletin, 475, 476
- Microsoft SQL Server, 203
- Microsoft Windows
- about, 457
- alternative payload delivery methods, 509–512
- bypassing Windows Defender, 512–514
- Domain Name System (DNS), 469–470
- enumerating users, 479–489
- ETERNALBLUE, 476–479
- golden tickets, 472–473
- hacking toolkit, 466
- hacking Windows vs. Linux, 458–464
- hash dumping, 505–506
- Internet Information Services, 470–471
- Kerberos, 471–472
- Lightweight Directory Access Protocol (LDAP), 474
- Meterpreter, 504–505
- Microsoft RPC, 489–497
- National Security Agency (NSA) and, 467
- NetBIOS, 473–474
- password hashes, 506–507
- port scanning server, 467–469
- PowerShell, 501–504
- privilege escalation, 507–508
- Remote Desktop Protocol (RDP), 497–498
- Server Message Block (SMB), 474–476
- setting up Virtual Machine (VM), 464–466
-
SYSTEM, 508–509 - Task Scheduler, 497
- Windows shell, 498–501
- Mikrotik's Router OS, 323–324
- Mimikatz, 466, 506
- MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), 17
- MongoDB, 381
- monitoring, insufficient, 453–454
- Mount, 288
- mountdaemon (mountd), 293
-
MOVEmethod, 211 - MPack, 20
- MSDNS, 94
- MSFconsole, 98
- multifactor authentication (MFA), 85–86
- multipurpose book lab (website), 49
- MySQL, 203, 255, 385
- MySQL database, 362–374
- N
- Name Server (NS), 94
- namespaces, within DNS, 92
- National Security Agency (NSA), 59, 257, 467
- National Vulnerability Database, 548
- NBTscan, 288, 296
- NetBIOS over TCP/IP (NBT) protocol, 296–298
- Netcat, 152, 163, 186, 187, 207, 212, 228–231, 247–248
- Network Address Translation (NAT), 44, 45
- Network Basic Input Output (NetBIOS), 296–298, 469, 473–474
- Network Computing Architecture Connection-Oriented Protocol (NCACN), 304
- Network File System (NFS), 293, 308–311
- network lock manager (nlockmgr), 293
- Network Time Protocol (NTP), 126, 259–260
- network-attached storage (NAS), 283, 284, 287–288
- networking, host-only, 38–40
- New Technology File System (NTFS), 284–285
- New Technology LAN Manager (NTLM), 506–507
- Nginx, 195, 203, 208
- Nikto, 207, 212, 216, 227, 397
- Nmap, 16, 98, 104–106, 149–152, 195, 207–209, 216–218, 261, 393. See also port scanning
- Nmap command, 146–147
- Nmap Scripting Engine (NSE), 147, 169–172
- Node.js, 204
- non-blind SQL injection, 425
- nonrelational databases, 358
- noptrix, 125
- NoSQL, 358
- notes, in reports, 553
- NSlookup, 98, 109, 131
- null device, 311
- NullSecurity, 125
- O
- obfuscation, 534
- Oechslin, Philippe, 524
- Ofcom, 66
- Offensive Security, 118
- 1Password, 35
- OneSixtyOne, 288, 319, 339
- one-time pad, 32
- Open Network Computing (ONC) RPC protocol, 293
- open relays, 153–155
- open resolver, 120–121, 130
- open source, 55
- open source intelligence (OSINT)
- about, 55–56
- client review, 56–57
- document metadata, 76–80
- goal of, 57–58
- Google dorking, 62
- Google Hacking Database (GHDB), 65–66
- grabbing email addresses from Google, 59–61
- harvesting the web, 75–76
- Have I Been Pwned (HIBP), 66
- locations for, 58
- Maltego, 80–81
- Passwd files, 62–65
- protecting against, 85–86
- Recon-ng, 67–74, 74–75
- shadow files, 62–65
- Shodan, 83–85
- social media networks, 81–83
- tools for, 59
- P
- P0wnedshell, 466
- package, 34
- packet sniffing, with Wireshark, 109–111
- Parallel, 166
- parameterized queries, 433–434
- Passwd files, 62–65
- password hashes, 25, 461–462, 506–507
- password manager, 35–36
- Password-Based Key Derivation Function (Version) 2 (PBKDF2), 532
- passwords
- about, 517
- art of cracking, 538–539
- cracking, 519–523
- default, 16
- guessing, 537–538
- hash tables, 523–524
- hash types, 530–533
- hashing, 517–519
- Microsoft hashes, 535–537
- pseudo-hashing, 533–535
- rainbow tables, 523–524
- random number generators, 539–540
- salt, 525–526
- shadow files, 526–529
- toolbox for hacking, 519
-
PATCHmethod, 195 - Paterva, 80
- payload, 181–182, 509–512
- penetration test report. See reports
- penetration testing. See ethical hacking
- Penetration Testing Execution Standard (PTES), 17
- Penetration Testing Guidance, 17
- pentesting (penetration testing). See ethical hacking
- Pentoo Linux, 29
- period (.), 89, 527
- Perl, 204
- permissions
- persistent XSS, 442–444
- personally identifiable information (PII), 18
- pesudorandom number generator, 525
- phenoelit toolset, 343
- phishing, 8, 141
- PHP: Hypertext Preprocessor (PHP), 160–161, 203–204
- PHP Mail, 160–161
- phpLDAPadmin, 276
- phpMyAdmin, 241–242
- physical attack vector, 546
-
pingcommand, 52 - ping sweep, 274
- Ping tool, 260
- Pluggable Authentication Modules (PAM), 256
- plus symbol (+), 424
- Pointer (PTR), 94
- Point-to-Point Protocol (PPP), 252
- Police & Justice Act (2006), 14
- port scanning
- PortSwigger CA, 410
- POSIX operating system, 228
-
POSTmethod, 195, 438 - Post Office Protocol (POP), 136, 155–157, 167–169
- post-exploitation phase, 185
- Postfix, 138
- PostgreSQL, 203, 374–376
- PowerDNS, 94
- power-on self-test (POST) messages, 37
- PowerShell/PowerShell Core
- PowerSploit, 466, 503–504, 508
- PowerTools, 466
- PowerUp, 508
- pre-authentication exploit, 374
- Preboot Execution Environment (PXE), 291
- prepared statements, 433–434
- Pre-Shared Key (PSK), 253
- Pretty Good Privacy (PGP), 19, 558
- primary domain controller (PDC), 298, 460
- primary key, 356–357
- Printer Job Language (PJL), 342
- private branch exchange (PBX), 17
- privilege escalation
- privileges required, 546
- probing SMTP service, 152–153
- Procmail, 136
- profile collector, 72
- program control, 337
- proofreading reports, 557–558
-
PROPFINDmethod, 211 -
PROPPATCHmethod, 211 - Protiviti's 2017 Security and Privacy Best Security Practices report, 10
- Proxychains, 207, 243–245
- pseudo-hashing, 533–535
- pseudorandom number generator, 540
- PSK-crack, 257
- Pth-toolkit, 466
- Public Key Infrastructure (PKI), 132, 144–145
- purple team, 3, 7–9
-
PUTmethod, 195, 205 - PuTTY, 511
- PwDump5, 462
- PwDump6, 462
- PwDump7, 462
- PwDumpX, 462
- PwDumpX14, 466
- Python, 184, 204
- Q
- query, DNS, 89–91
- R
- Racoon, 257
- Rain Forest Puppy's LibWhisker, 212
- rainbow tables, 519, 523–524
- RainbowCrack, 519
- RAM, 24
- random number generators, 539–540
- Raspberry Pi, 24
- "ready-to-be-breached" business mode, 8
- Recon-ng, 67–74, 74–75, 100
- record class, 97
- record data, 97
- record type, 97
- red teams, 5–7
- redirect response, 194, 247
- Redis, 381–384
- reduction function, 523–524
- reflected input, 443
- reflective XSS, 442
- relational database management systems (RDBMSs), 357
- relational databases, 356–358
- resource ID (RID) cycling, 300
- Remote Authentication Dial-In User Service (RADIUS), 255
- remote code execution (RCE) exploit, 257
- remote command execution, 185
- Remote Desktop Protocol (RDP), 497–498
- remote procedure call (RPC), 288, 292–294, 326–337
- reports
- about, 543–544
- assessment results, 551–552
- Common Vulnerabilities Scoring System (CVSS), 545–548
- components of, 549
- delivering, 558
- Dradis Community Edition (Dradis CE), 553–557
- executive summary, 550–551
- notes, 553
- proofreading, 557–558
- supporting information, 552
- technical summary, 551
- writing, as a skill, 549
- requirements, minimum, 24–25
- resolver, 130
- resolver cache, 130–131
- resource records, 92–94, 108
- resources, lack of, 7
- Responder tool, 474–475
- response codes, HTTP, 196–198
- restricted deletion flag, 287
- reverse payload, 182
- reverse sehll, 187
- RIDenum, 466
- risk, 544
- Rivest, Ron, 524
- Rivest-Shamir-Adelman (RSA) certificates, 233–237
- root exploit, 183–184
- root level, 206, 311
- root location, 211
- root name servers, 88, 90
- Rosetta Stone, 316
- Roundcube, 161
- round-robin DNS, 142
- RPCbind, 293
- RPCclient, 288, 301
- RPCinfo, 288, 294–295, 319
- R-services, 338–339
- Rsync, 288, 306–308
-
rsynccommand, 306–307 - Ruby, 204
- S
- SA (Security Association), 253
- salts, 524, 525–526
- SAM Lock Tool, 462
- Samba, 298–299
- SambaCry (CVE-2017-7494), 303–306, 476, 496
- SAMdump2, 466
- sanitize, 443
- Scalable Processor Architecture (SPARC), 316
- scanning. See also port scanning
- Scapy, 98
- schema, 357
- Schwartz, Aaron (hacker), 15
- scope, 18, 547
- Screen, 278–279
-
searchcommand, 227, 228 - Searchsploit, 98, 118–119, 207
- second-stage authentication, 275
- Secure Hash Algorithm Version 1 (SHA1), 253, 530, 531
- Secure Hash Algorithm Version 2 (SHA2), 531
- Secure Shell (SSH), Telnet and, 324–326
- Secure Sockets Layer (SSL), 138, 157, 232–237
- secure tunnel, 253
- Security Account Manager (SAM), 462, 535
- Security Association (SA), 253, 263–265
- security ID (SID), 300
- Security Identifier (SID), 482
- security misconfiguration, 441–442
- Security Technical Implementation Guides (STIGs), 8
- semicolon (;), 165, 365, 425
- Sender Policy Framework (SPF), 113, 143–145
- Sendmail, 159–160
- sensitive data exposure, 436
- Serial Advanced Technology Attachment (SATA), 44
- serial number, 97
- serialization, 452
- Serious Crime Act (2015), 14
- Server Message Block (SMB), 295–306, 474–476
- server-side scripted backdoor tools, 207
- Session Fixation, 199, 436
-
sessionscommand, 184–185 - Set Group ID (SGID), 287
- Set User ID (SUID), 287
- settings, virtualization, 37
- Settings dialog box, 46
- 7z tool, 558
- 7zip, 36
- Shadow Brokers, 205, 257
- shadow files, 62–65, 526–529
- shadowdump, 466
- Sharpsploit, 466
- shebang, 349
- shells
- Shellshock, 226–231, 277–278
- Shellter, 463, 510
- Shodan, 16, 83–85, 347
-
showcommand, 122, 368 -
show tablescommand, 371 - ShowMount, 288
-
showmounttool, 308 - Simple FTP (SFTP), 289
- Simple Mail Transfer Protocol (SMTP), 85, 135, 141–143, 152–153
- Simple Network Management Protocol (SNMP), 257, 288, 339–341
- Simple Service Discovery Protocol (SSDP), 126
- Single Instruction, Multiple Data (SIMD), 24
- single point of failure, 142
- single-board computers (SBCs), 24
- skill, report writing as a, 549
- Skipfish, 421
-
sleepcommand, 231 - smart devices, 4
- smartphones, 24
- SNMPcheck, 319, 340
- SNMPwalk, 288
- social engineering, 10–11
- social media networks, 81–83
- software
- Solaris, 316–320
- Solid State Drive (SSD), 25, 285, 358
-
spawnfunction, 184 - spear phishing, 8, 141
- special characters, 227
- spiders, 206, 415–418
- spoofing, 121, 128–129
- SQL (Structured Query Language), 357, 358–359
- SQL database, 255
- SQL injection, 359, 422–427
- SQLite, 357
- SQLmap, 427–433
- Squid, 243
- Squirrel Mail, 161, 185
- SSLscan, 174
-
sslscantool, 232 - stack traces, 442
- standard output, 166
- Standardized Information Gathering (SIG), 545
- Start of Authority (SOA), 92, 94, 102–103
-
STARTTLScommand, 157 - statd (status daemon), 293
- stateless HTTP, 198
- static binary, 247
- static library, 174
- statically linked binary, 247
- status daemon (statd), 293
- sticky bit, 287
- stop condition, 539
- storage area network (SAN), 284
- stored procedures, 361
- stored XSS, 442–444
-
stringscommand, 178 - strongSwan, 267
- Structured Query Language (SQL), 72, 355, 357, 358–359
-
sudocommand, 34, 47, 48 - suffixes, 297
- Sullo, Chris, 212
- superuser, 34
- supporting information, in reports, 552
- syskey, 462
- system administration, UNIX, 316
-
SYSTEMshell, 508–509
- T
- tablets, 24
- Tao Xie, 533
-
tarcommand, 164 - Task Scheduler, 497
- TCPdump, 208, 232
- technical summary, in reports, 551
- Telnet, 319, 320–326
- temporal scores, 545
- Terminal Access Controller Access-Control System (TACACS), 256
- testing, 52–53, 67
- Text (TXT), 94
- Themida tool, 510–511
- three-tier architecture, 204
- tick ('), 423
- ticket-granting tickets (TGTs), 471–472
- tilde (), 72
- time, limitations on, 7
- Time to Live (TTL), 90
- toolkit
- top-level domain (TLD) servers, 92
-
TRACEmethod, 195 - Traceroute tool, 147
- trade secrets law, 14
- traffic amplification attack, 120–121
- training, inadequacy of, 6
- transforms, 80, 263
- Transmission Control Protocol (TCP), 84, 105–106, 198
- transparency, importance of, 18–19
- Transport Layer Security (TLS), 157, 232–237, 254–255
- Travelex, 3
- trees, 458–461
- Trend Micro, 3
- Triple Data Encryption Algorithm (TDEA), 254
- Triple DES (3DES), 254
- Trivial File Transfer Protocol (TFTP), 291–292, 535
- Trivial FTP (TFTP), 289
- tunneling utilities, 207, 253
- two-factor authentication (2FA), 85–86, 273
- two-step authentication, 85–86
- U
- Ubuntu, 27, 28–29, 34, 95
- U.K., acts and laws in, 14
-
uname -acommand, 246 - unauthorized access, 13
- Un-complicated Firewall (
ufw), 34 - Unified Extensible Firmware Interface (UEFI), 25
- Uniform Resource Identifiers (URIs), 200–201
- Uniform Resource Locator (URL), 200–201
- United States, acts and laws in, 14
- Universal Naming Convention (UNC), 302, 475
- UNIX
- about, 315
- Common Desktop Environment (CDE), 351
- Common UNIC Printing System (CUPS), 341–343
- Cron files, 347–351
- Ewok, 341
- EXTREMEPARR, 351–353
- hacking toolbox, 318–319
- local files, 347–351
- port scanning, 319–320
- RPC, 326–337
- R-services, 338–339
- Secure Shell (SSH), 324–326
- Simple Network Management Protocol (SNMP), 339–341
- Solaris, 316–318, 319–320
- system administration, 316
- Telnet, 320–324
- X Window System (X11/X), 343–347
- Unix-privesc-check, 351
-
UNLOCKmethod, 211 -
unmaskcommand, 285, 386 - unsigned integer, 172
- upgrading shells, 184
- uploading files/shells, 220–223
-
usecommand, 130, 368 - User Account Control (UAC), bypassing, 463–464
- user databases, 255–256
- User Datagram Protocol (UDP), 105–106, 261
- user enumeration, via Finger, 162–167
- user interaction, 547
- user space. See userland
- user-defined functions (UDF), 359–360
- userland, 311
- userland privilege escalation, 278
- users, 461, 479–489
- V
- value, of data, 4
- verbosity level, 147, 431
- verbs, Hypertext Transfer Protocol (HTTP), 195–196
-
@@VERSIONfunction, 372, 426 - Vi text editor, 350
- virtual CDs, inserting, 43–44
- virtual environment, testing, 52–53
- virtual file system (VFS), 284–285
- virtual hard disks, creating, 42–43
- virtual LAN (VLAN), 362
- Virtual Machine (VM), 207, 464–466
- virtual name servers, 103–104
- virtual network adapters, 44–48
- virtual private networks (VPNs)
- about, 251–253
- authentication, 255–256
- exploiting CVE-2017-5618, 278–281
- hacker toolkit for, 257
- hacking methodology, 257–258
- Internet Key Exchange (IKE), 253–254, 262–267
- IPsec, 253
- LDAP, 275–277
- National Security Agency (NSA) and, 257
- OpenVPN, 267–275, 277–278
- post scanning servers, 258–261
- Shellshock, 277–278
- Transport Layer Security (TLS), 254–255
- user databases, 255–256
- W
- W3af, 397
- Wada, Eiiti (computer scientist), 26
- WannaCry ransomware, 303–304, 476, 478–479
- WASM tool, 504–505
- web administration interfaces
- web application archive (WAR), 238
- web applications
- about, 395–396
- broken access controls, 439–440
- broken authentication, 434–436
- cross-site scripting, 442–451
- directory traversal, 440–441
- error pages, 442
- finding vulnerabilities, 421
- hacking toolkit, 397
- injection, 421–434
- insecure deserialization, 452
- insufficient logging/monitoring, 453–454
- intercepting proxies, 398–412
- known vulnerabilities, 453
- manual browsing and mapping, 412–415
- Open Web Application Security Project (OWASP), 396–397
- port scanning servers, 397–398
- privilege escalation, 454–455
- security misconfiguration, 441–442
- sensitive data exposure, 436
- spidering, 415–418
- stack traces, 442
- vulnerability scanners, 418–421
- XML external entities, 437–439
- web browsers, 207
- Web Distributed Authoring and Versioning (WebDAV), 205, 207, 220–221
- web extension tools, 207
- web proxies, 242–243
- web server vulnerabilities
- about, 191–192
- Common Gateway Interface (CGI), 225–226
- crawlers, 206
- guessing hidden web content, 216–220
- Heartbleed, 232–237
- HTTP authentication, 223–225
- Hypertext Transfer Protocol (HTTP), 193–200
- Linux, Apache, MySQL, and PHP (LAMP), 201–205
- manual HTTP requests, 210–212
- port scanning web servers, 207–210
- privilege escalation, 245–249
- privilege escalation using DirtyCOW, 246–249
- Proxychains, 243–245
- scanning, 212–216
- Secure Sockets Layer (SSL), 232–237
- Shellshock, 226–231
- spiders, 206
- toolkit for, 206–207
- Transport Layer Security (TLS), 232–237
- Uniform Resource Identifiers (URIs), 200–201
- uploading files, 220–223
- Web administration interfaces, 238–242
- web proxies, 242–243
- World Wide Web (WWW), 192–193
- Webmail, 161–162
- Webmin, 240–241
- websites. See also specific websites
- Apache vulnerabilities, 203
- BIND vulnerabilities, 120
- bug bounty programs, 21
- fragments, 200
- harvesting the, 75–76
- phenoelit toolset, 343
- printer hacking, 342
- pseudorandom number generators, 525
- relational database management systems (RDBMSs), 357
- root name servers, 90–91
- traffic amplification attacks, 122
- vulnerabilities, 119
- Weevely, 207, 222–223
- Wget, 207
- whaling, 8
- Whatsapp, 2–3
- white-hat defenders, 5
-
whoamicommand, 473, 500 - WHOIS, 98–101
- Window Calculator program, 511
- Windows Defender, 462–463, 512–514
- Windows domains, 298
- Windows Registry, 462
- WinRM, 497
- WinZip, 20, 558
- Wireless Telegraphy Act (2006), 14
- Wireshark, 98, 109–111, 133, 208, 232
- word lists, 519
- World Wide Web (WWW), 192–193
- written permission, for ethical hacking, 15–16
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.