- A
- Active Directory domain controller (AD DC), 459, 466
- active phase, 56–57, 67
- Active Server Pages (ASP), 204
- adapters, virtual network, 44–48
- Address of Host (A/AAAA), 93
- adjacent network, 546
- Advanced Encryption Standard (AES), 36, 528
- Advanced Research Projects Agency Network (ARPANET), 88
- Advanced RISC Machine (ARM processor), 24
- aggressive mode (IKE-scan), 265–267
- AMD-V, 25
- American National Standards Institute (ANSI), 359
- anonymous access, 289
- Anti-Malware Scan Interface (AMSI), 503–504
- antivirus (AV) software, 462–463
- Apache, 202–203
- Apache Tomcat, 238–240
- Apple File System (APFS), 284–285
- application layer protocol, 142
- application-specific integrated circuits (ASICs), 538
- Aptitude Package Manager (apt), 34
- arbitrary size, 517
- Arch Linux, 28
- ASP.NET, 204, 207
- assessment
- defined, 98
- results, in reports, 551–552
- asterisk (*), 276, 308
- asymmetrical encryption, 232
- Asynchronous JavaScript and XML (Ajax), 193
- attack complexity, 546
- attack vector, 545–546
- authentication
- about, 255–256
- broken, 434–436
- HTTP, 223–225
- multifactor (MFA), 85–86
- MySQL database, 373–374
- second-stage, 275
- two-factor authentication (2FA), 85–86, 273
- two-step, 85–86
- authority, zones of, 92
- authorization, 18–19
- automated-tank-gauge, 84
- availability, 547–548
- B
- backup domain controllers (BDCs), 298, 460
- Bailiwicked, 130
- balancing the SQL query, 426
- banner grabbing, 152
- Bash, 226–227
- Basic Input Output System (BIOS), 25
- Bcrypt, 531–532
- BENIGNCERTAIN tool, 257
- Berkeley Internet Name Domain (BIND), 94, 120
- Berkeley Software Distribution (BSD), 26–27
- big endian, 337
- binary large objects (blobs), 356
- bind payload, 182
- BIND9, 95–97
- BIND10, 94
- Bing, 56–57
- Bitcoin, 192–193
- BitLocker, 32, 462
- BitTorrent client, 30
- Black Arch Linux, 29, 41
- Black Hat USA, 472, 473
- black team,
- blind SQL injection, 425
- blockchains, 192–193, 517–518
- BloodHound, 466
- Blowfish cipher, 531
- blue teams,
- board engagement, 11
- boot key, 462
- boot2root challenges, 53
- botnet, 121
- broken access controls, 439–440
- broken authentication, 434–436
- Browser Exploitation Framework (BeEF), 397, 445–450
- browsing, manual, 412–415
- brute-force attacks
- about, 268
- automating in Windows, 489
- Data Encryption Standard (DES), 528
- defined, 99
- hosts with Recon-ng, 100
- on Post Office Protocol (POP), 167
- brute_hosts module, 100
- buffer overflow, 172, 248, 329
- bug bounty programs, 20–21
- Bugtraq, 120
- Burp Suite
- about, 185, 397, 398–412
- identifying entry points, 418
- manual browsing/mapping, 412–415
- Burp Suite Decoder, 441
- Burp Suite Intruder, 451
- Burp Suite Professional, 420
- business case
- about, –2
- blue teams,
- breaking computers, –3
- hacking as part of company's immune system, –11
- purple team, –9
- red teams, –7
- stakes, –5
- C
- c command, 376
- C programming language, 204
- CaaS (cracking-as-a-service), 539
- cache poisoning, 129–131
- cache snooping, 131
- Cadaver, 207, 220
- Cain & Abel, 466, 519, 537
- Canonical Name (CNAME), 93
- Capital One,
- certificate of Authority (CA), 268
- CertUtil, 30
- CeWL, 165, 519, 537
- change mode, 286
- CHAOS class, 112
- CHAOSNET, 111–113
- Charoncmd utility, 267
- checksum, 31
- chief executive officer (CEO), , –3
- chief information security officer (CISO), , –3
- chmod command, 286
- Chrome, 207
- Chromebooks, 24
- Cisco Type method, 533–534
- Citadel, 136
- Classless Inter-Domain Routing (CIDR) notation, 308
- client name servers, crashing, 128
- cloudbursts, 54
- Cloudflare, 197–198
- code 301/302, 194
- Code of Conduct (Hacker House), 22
- collisions, 533
- colon (:), 63
- command injection attack, 323
- command injection vulnerability, 226, 227
- command-line web tools, 207
- comma-separated values (CSV) file, 356
- Common Desktop Environment (CDE), 351
- Common Gateway Interface (CGI), 225–226
- Common Internet File System (CIFS), 295
- Common UNIX Printing System (CUPS), 341–343
- Common Vulnerability Scoring System (CVSS), 545–548
- Common Vulnerability Reporting Framework (CVRF), 476
- Common Weakness Enumeration (CWE) resource, 436
- Complex Instruction Set Computer (CISC) processor, 24
- Computer Fraud & Abuse Act (1984), 14
- Computer Misuse Act (1990), 14, 18
- computers, breaking, –3
- confidentiality, 547–548
- CONNECT method, 195
- content discovery tools, 207
- content management systems (CMSs), 220
- contract law, 14
- cookies, 198–200
- COPACOBANA, 528
- COPY method, 211
- cost, of cybercrime, 21
- Costas, Danielle, 264
- Covenant, 466
- cracking
- art of, 538–539
- password hashes, 25
- passwords, 519–523
- crashing client name servers, 128
- crawlers, 206
- Create Virtual Hard Disk dialog box, 42
- crimeware, 20
- criminal hacking, 15
- Cron files, 319, 347–351
- cross-site scripting (XSS)
- about, 442–445
- Browser Exploitation Framework (BeEF), 445–450
- flaws in, 450
- types, 442
- XSS Filter Evasion, 450–451
- "crown jewels." See data
- crypt() function, 527, 531–532
- crypt-devices, 33
- "A Cryptanalytic Time-Memory Trade-Off" (Hellman), 524
- cryptocurrencies, 517–518
- cURL, 207, 228–231
- curly braces ({}), 166
- Cuthbert, Daniel (security consultant), 16–17, 220
- CVE-1999-0209 vulnerability, 329–330
- CVE-2007-0882 vulnerability, 322
- CVE-2010-4345 vulnerability, 180–185
- CVE-2010-4435 vulnerability, 329
- CVE-2014-0160: The Heartbleed bug, 172–180
- CVE-2014-3660 vulnerability, 437–439
- CVE-2017-0147 vulnerability, 477
- CVE-2017-3623 vulnerability, 330–331
- CVE-2017-5618 vulnerability, 278–281
- CVE-2017-7494 (SambaCry), 303–306, 476, 496
- CVE-2017-7692 vulnerability, 185–187
- CVE-2017-8495 vulnerability, 473
- CVE-2019-0734 vulnerability, 473
- Cyclic Redundancy Check (CRC) algorithm, 532
- Cyrus, 158, 160
- D
- d command, 376
- daemon, 151
- DANDERSPRITZ tool, 467
- data,
- DATA command, 155
- Data Encryption Standard (DES), 527, 528
- Data Protection Act (1998), 14
- Data Protection Act (2018), 14
- database management system (DBMS), 355
- database schema, 357
- databases
- about, 355
- common exploitations for, 360–361
- hacker toolbox for, 360
- MongoDB, 381
- MySQL, 362–374
- Oracle, 378–381
- port scanning servers, 361–362
- PostgreSQL, 374–376
- privilege escalation via, 384–392
- Redis, 381–384
- software for, 377–378
- Structured Query Language (SQL), 358–359
- types, 356–358
- user-defined functions (UDF), 359–360
- Datagram Transport Layer Security (DTLS), 255
- Debian, 28, 95, 540
- Debugging EBBSHAVE, 335–337
- del command, 221
- DELETE method, 195, 211
- delivering reports, 558
- delivery status notifications (DSNs), 138–141
- Dengguo Feng, 533
- denial-of-service (DoS) attacks, 124–128, 259, 548
- denial-of-service condition, 16
- derivation function, 532
- describe command, 368
- deserialization, insecure, 452
- dhclient command, 48
- dial-up, 256
- diceware, 35
- Diffie, Whitfield, 254
- Diffie-Hellman group, 254
- dig command, 143
- Dig (domain information groper) tool
- about, 97, 98
- for cache snooping, 131
- finding Start of Authority (SOA) with, 102–103
- using, 106–111
- Digital Millennium Copyright Act (1998), 14
- Dirb, 207, 218
- directories, 285
- directory traversal attacks, 219–220, 440–441
- DirtyCOW, privilege escalation using, 246–249
- disclosure, responsible, 19–20
- disk encryption, 31–33
- Distributed Computing Environment (DCE), 466
- distributed denial-of-service (DDoS) attacks, 88, 124–125
- distributed reflected-denial-of-service (DRDoS) attacks, 125
- distribution (distro), 27
- DJBDNS, 94
- DNS Security Extensions (DNSSEC), 131–132
- DNSenum tool, 98, 116–117
- DNSmasq tool, 94
- DNSrecon tool, 98, 116
- DNSspoof, 98, 128
- doas command, 34
- Docker, 226
- document metadata, 76–80
- dollar sign ($), 526
- domain controller, 459
- Domain Keys Identified Mail (DKIM), 144–145
- Domain Name System (DNS)
- about, 87
- basic query, 89–91
- cache poisoning, 129–131
- cache snooping, 131
- CHAOSNET, 111–113
- denial-of-service (DoS) attacks, 125–126, 126–128
- Dig, 106–111
- DNS Security Extensions (DNSSEC), 131–132
- exploits, 104
- finding hosts, 98
- finding Start of Authority (SOA) with Dig, 102–103
- fuzzing, 132–134
- hacking toolkit, 98
- hacking virtual name servers, 103–104
- hierarchy of, 88–89
- history of, 88
- implications of hacking, 87–88
- information-gathering tools, 114–117
- Metasploit, 121–125
- Microsoft, 469–470
- port scanning with Nmap, 104–106
- resource records, 92–94
- round-robin, 142
- searching for vulnerabilities/exploits, 118–120
- server, 53
- spoofing, 128–129
- traffic amplification attack, 120–121
- WHOIS, 98–101
- zone transfer requests, 113–114
- zones of authority, 92
- domain tree, 458
- Domain-based Message Authentication, Reporting, and Conformance (DMARC), 144–145
- domains, 298, 457, 458–461
- double greater-than symbols (>>), 350
- DOUBLEPULSAR tool, 467
- Dovecot, 136
- dradis command, 554
- Dradis Community Edition (Dradis CE), 553–557
- Drake, Joshua, 184, 374
- dropshell function, 280
- Drupageddon, 433
- Drupal, 65
- Dsniff, 98
- DuckDuckGo, 56–57, 206, 518
- Dug Song, 128, 322
- Dynamic Host Configuration Protocol (DHCP), 38
- dynamic library, 174
- E
- easy mode, 53
- EBBSHAVE tool, 319, 331–337
- Effective User ID (EUID), 309
- Electronic Communications Privacy Act (1986), 14
- Electronic Frontier Foundation (EFF), 21
- electronic mail. See email
- email
- about, 135
- brute-forcing Post Office Protocol (POP), 167–169
- CVE-2014-0160: The Heartbleed bug, 172–180
- delivery status notifications (DSNs), 138–141
- email chain, 135–136
- exploiting CVE-2010-4345, 180–185
- exploiting CVE-2017-7692, 185–187
- grabbing addresses from Google, 59–61
- hack boxes and, 36
- message headers, 137–138
- Nmap Scripting Engine, 169–172
- scanning mail servers, 145–148
- Sender Policy Framework (SPF), 143–145
- Simple Mail Transfer Protocol (SMTP), 141–143
- software, 158–162
- user enumeration via Finger, 162–167
- email chain, 135–136
- Empire, 466
- encryption
- about, 232
- hashing compared with, 518
- end characters, 297
- Enigma machine, 539
- Enigmail, 36
- Enterprise Administrator account, 461
- entry points, identifying, 418
- Enum4linux, 288, 299–303, 466, 479–489
- enumerating
- defined, 120
- users, 479–489
- via Finger, 162–167
- enum.exe, 466
- environment variables, 228
- environmental scores, 545
- Equation Group, 477
- error pages, 442
- /etc/shadow, 526–529
- ETERNALBLUE exploit, 476–479
- ethical hacking
- about, 13–14
- authorization, 18–19
- bug bounty programs, 20–21
- compared with red teams,
- criminal hacking, 15
- defined,
- gray area, 16–17
- Hacker House Code of Conduct, 22
- legal advice/support, 21–22
- legalities, 14
- methodologies of, 17–18
- as part of company's immune system, –11
- as pursuit of knowledge, 10
- responsible disclosure, 19–20
- virtual name servers, 103–104
- Windows vs. Linux, 458–464
- written permission for, 15–16
- European Digital Rights, 21
- Ewok, 319, 341
- Exchangeable Image File Format (Exif) data, 76
- exclamation mark (!), 311
- executive summary, in reports, 550–551
- Exiftool, 77–80
- Exim, 151, 158, 159, 185
- exiting Vi text editor, 350
- Exploit Database, 118
- exploiting
- CVE-2010-4345, 180–185
- CVE-2017-5618, 278–281
- CVE-2017-7692, 185–187
- for databases, 360–361
- Domain Name System (DNS), 104
- searching for, 118–120
- Shellshock using Metasploit, 227–228
- Shellshock with cURL and Netcat, 228–231
- EXPN command, 154
- extended file system (ext), 284
- Extensible Markup Language (XML), 193, 437–439
- External Data Representation (XDR) format, 316–317
- EXTRABACON tool, 257
- EXTREMEPARR exploit, 351–353
- F
- F root name server, 91
- fbin, 322
- Federal Communications Commission, 66
- Fgdump, 466
- field-programmable gate arrays (FPGAs), 538
- Fierce tool, 98, 115
- file mode bits, 285–286
- file mode creation mask, 386
- file servers, port scanning, 288
- File Transfer Protocol (FTP), 220, 289–291
- files and file sharing
- about, 283–284
- Cron, 319, 347–351
- File Transfer Protocol (FTP), 220, 289–291
- local files, 347–351
- NAS hacking toolkit, 287–288
- Network File System (NFS), 308–309
- network-attached storage (NAS), 283, 284
- NFS privilege escalation, 309–311
- permissions, 284–287
- port scanning file servers, 288
- remote procedure calls (RPCs), 292–294
- RPCinfo, 294–295
- Rsync, 306–308
- searching for useful files, 311–312
- Server Message Block (SMB), 295–306
- Trivial File Transfer Protocol (TFTP), 291–292
- uploading files, 220–223
- FileVault, 32
- findsock payload, 182
- Finger, 319
- Fingerprinting Organizations with Collected Archives (FOCA), 77, 162–167
- Firefox, 207
- firewall, 34–35
- fixed size, 517
- flat-file databases, 356
- folders, 285
- forests, 458–461
- forward slash (/), 88, 206, 246, 527
- Fox, Brian, 226
- fragments, 200
- froot, 322, 323
- FTP over SSH protocol (SFTP), 289
- FTP Secure (FTPS), 289
- full virtualization, 25
- functions, user-defined (UDF), 359–360
- FUZZBUNCH tool, 467
- fuzzing, 132–134
- G
- GECOS field, 62
- General Data Protection Regulation (GDPR),
- general-purpose tools, 207
- Gentoo Linux, 27–28, 306
- GET method, 195–196, 200–201, 210–211, 224, 230, 387, 438
- getsystem command, 505
- GitHub, 77
- glue record, 107
- Gmail, 161
- GNU Compiler Collection (GCC), 247
- goal, of open source intelligence (OSINT), 57–58
- Gobuster, 218
- golden tickets, 472–473
- Gonzalez, Albert (hacker), 15
- Google, 56–57, 59–61
- Google dorking, 62
- Google hacking, 62
- Google Hacking Database (GHDB), 65–66
- graphical identification and authentication (GINA), 498
- Graphical User Interface (GUI), 33
- gray area, in ethical hacking, 16–17
- greater-than symbol (>), 271
- Grep, 67
- Group Policy, 494–496
- groups, Windows, 461
- guest additions, 51–52
- H
- hack boxes
- about, 23
- Berkeley Software Distribution (BSD), 26–27
- creating vulnerable servers, 53–54
- disk encryption, 31–33
- guest additions, 51–52
- hardware, 24–26
- host operating systems, 27–29
- Linux, 26–27
- setting up VirtualBox, 36–51
- software, 33–36
- testing virtual environment, 52–53
- verifying downloads, 29–31
- hacker, 13
- Hacker House, 14, 22, 125, 170
- HackerGiraffe, 343
- hacking. See ethical hacking
- handshakes, 232
- Happy Hacking Keyboard (HHK), 26
- Hard-Disk Drive (HDD), 25, 285
- hardware, for hacking, 24–26
- hardware security model (HSM), 540
- hash dumping, 505–506
- hash symbol (#), 200, 244
- hash tables, 519, 523–524
- Hashcat, 519, 520, 522
- hashdump command, 505–506
- hashes, 530–533, 535–537
- HashID tool, 519, 530
- hashing, 517–519
- Have I Been Pwned (HIBP), 66, 519
- HEAD method, 195, 211
- heap, 173
- heartbeat, 172
- Heartbleed bug, 157, 172–180, 233
- Hellman, Martin, 254, 524
- :help command, 223
- HELP command, 154
- hexadecimal characters, 297
- hidden web content, guessing, 216–220
- Hierarchical File System Plus (HFS+), 284–285
- hierarchy, of DNS, 88–89
- Homebrew, 30
- honey-trapping, 81
- hook, 446
- Host, 98, 101
- host key, 50
- Host Network Manager dialog box, 38
- host operating systems, 27–29
- host-only networking, 38–40
- hosts, 98, 100
- Hping3, 98, 259–261
- Human Rights Act (1998), 14
- Hunt, Troy, 66
- Hydra, 168, 326, 537
- HyperText Markup Language (HTML), 192–193
- Hypertext Transfer Protocol (HTTP)
- about, 136, 192–193, 193–195
- cookies, 198–200
- methods and verbs, 195–196
- parameter tampering, 201
- response codes, 196–198
- stateless, 198
- Hypertext Transfer Protocol Secure (HTTPS), 30, 31, 407–412
- Hyper-V, 37
- hypervisor escapes, 54
- I
- IACME, 464
- id command, 184, 246, 391, 473, 500
- ifconfig command, 182
- IKEMulti tool, 264–265
- IKE-scan, 257, 262–267
- impacket, 466
- incentives, lack of,
- industrial control system, 84
- information security (infosec),
- Information Systems Security Assessment Framework, 17
- information-gathering tools, 114–117
- injection
- about, 421–422
- blind SQL, 425
- Drupageddon, 433
- LDAP, 276
- protecting against SQL, 433–434
- SQL, 359, 422–427
- SQLmap, 427–433
- insecure deserialization, 452
- INSERT command, 389
- insufficient logging and monitoring, 453–454
- Integrated Drive Electronics (IDE), 44
- Integrated Services Digital Network (ISDN), 17
- integrity, 547–548
- Intel VT-x, 25
- intercepting proxies, 398–412
- International Organization for Standardization (ISO), 40–41, 359
- Internet access, 25
- Internet Control Message Protocol (ICMP), 52, 260
- Internet Corporation for Assigned Names and Numbers (ICANN), 57
- Internet Information Services (IIS), 470–471
- Internet Key Exchange (IKE), 253–254
- Internet Message Access Protocol (IMAP), 136, 157–158
- Internet of Things (IoT), –5, 83
- Internet Protocol Security (IPsec), 253
- Internet Security Association and Key Management Protocol (ISAKMP), 253
- Internet Systems Consortium (ISC), 118, 120
- ip address command, 48, 182
- IP addresses, checking, 182
- issues, compared with vulnerabilities, 544
- J
- Java, 238
- Java Runtime Environment, 238
- Java Virtual Machine (JVM), 238
- JavaScript Object Notation (JSON), 193
- JavaServer Pages (JSP), 238
- John the Ripper, 519, 520, 522, 529, 536, 537
- K
- Kali Linux, 29, 40–48
- Kaminsky, Dan, 129
- KeePassX, 35–36
- Kerberoasting, 473
- Kerberos, 471–472
- kernel, 30
- key derivation function, 532
- keyboards, 26
- keyfile, 36
- keyscan_start command, 505
- key-stretching, 532
- knowledge, hacking as pursuit of, 10
- L
- L0phtcrack, 519
- labs, 48–51
- LAMP stack, 202
- LAN Manager (LANMAN), 506, 524, 535
- The Last Stage of Delirium, 504
- lateral movement, 461, 493
- LCP, 519
- LDAP injection, 276
- ldd command, 174
- leased line, 251
- legal advice/support, 21–22
- legalities, 14
- length limitations, for passwords, 528–529
- libc library, 377
- Lightweight Directory Access Protocol (LDAP), 256, 275–277, 474
- LinkedIn, 67, 81–83
- Linux, 26–27, 458–464
- Linux, Apache, MySQL, and PHP (LAMP), 201–205
- Litchfield, David, 380–381
- local files, 347–351
- local privilege escalation (LPE), 185, 246
- LOCK method, 211
- lockstep, 291
- Lodge, David, 212
- logging, insufficient, 453–454
- lookups, 90
- Love, Lauri (hacker), 15
- M
- Mach, 30
- MacPorts, 30
- Mail Exchange (MX), 94
- Mail() function, 186, 187
- mail server lab (website), 49
- mail servers, scanning, 145–148
- mail transfer agent (MTA), 135
- mail user agents (MUAs), 135
- Maildrop, 136
- mainstream OS, running, 29
- malformed packets, 133
- malicious hacker, 55
- Maltego, 80–81
- malware, 54
- managed service providers (MSPs), 135
- man-in-the-middle (MitM) attacks, 289
- man-in-the-middle proxy (Mitmproxy), 185, 397, 398
- manual browsing/mapping, 412–415
- manual HTTP requests, 210–212
- mapping, manual, 412–415
- MaraDNS, 94
- MariaDB, 203, 255, 362
- MD5 hash, 30, 522, 530
- message delivery agent (MDA), 135–136
- message headers, 137–138
- metadata, 76–80, 137
- Metagoofil, 77
- Metasploit, 121–128, 172, 177, 179, 182, 207, 227–228
- Meterpreter, 466, 504–505
- methodology
- of ethical hacking, 17–18
- for hacking VPNs, 257–258
- Hypertext Transfer Protocol (HTTP), 195–196
- Microsoft DNS, 469–470
- Microsoft Exchange, 136
- Microsoft hashes, 535–537
- Microsoft IIS, 203, 205
- Microsoft RPC protocols, 293, 466, 489–497
- Microsoft Security Bulletin, 475, 476
- Microsoft SQL Server, 203
- Microsoft Windows
- about, 457
- alternative payload delivery methods, 509–512
- bypassing Windows Defender, 512–514
- Domain Name System (DNS), 469–470
- enumerating users, 479–489
- ETERNALBLUE, 476–479
- golden tickets, 472–473
- hacking toolkit, 466
- hacking Windows vs. Linux, 458–464
- hash dumping, 505–506
- Internet Information Services, 470–471
- Kerberos, 471–472
- Lightweight Directory Access Protocol (LDAP), 474
- Meterpreter, 504–505
- Microsoft RPC, 489–497
- National Security Agency (NSA) and, 467
- NetBIOS, 473–474
- password hashes, 506–507
- port scanning server, 467–469
- PowerShell, 501–504
- privilege escalation, 507–508
- Remote Desktop Protocol (RDP), 497–498
- Server Message Block (SMB), 474–476
- setting up Virtual Machine (VM), 464–466
- SYSTEM, 508–509
- Task Scheduler, 497
- Windows shell, 498–501
- Mikrotik's Router OS, 323–324
- Mimikatz, 466, 506
- MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), 17
- MongoDB, 381
- monitoring, insufficient, 453–454
- Mount, 288
- mountdaemon (mountd), 293
- MOVE method, 211
- MPack, 20
- MSDNS, 94
- MSFconsole, 98
- multifactor authentication (MFA), 85–86
- multipurpose book lab (website), 49
- MySQL, 203, 255, 385
- MySQL database, 362–374
- N
- Name Server (NS), 94
- namespaces, within DNS, 92
- National Security Agency (NSA), 59, 257, 467
- National Vulnerability Database, 548
- NBTscan, 288, 296
- NetBIOS over TCP/IP (NBT) protocol, 296–298
- Netcat, 152, 163, 186, 187, 207, 212, 228–231, 247–248
- Network Address Translation (NAT), 44, 45
- Network Basic Input/Output System (NetBIOS), 296–298, 469, 473–474
- Network Computing Architecture Connection-Oriented Protocol (NCACN), 304
- Network File System (NFS), 293, 308–311
- network lock manager (nlockmgr), 293
- Network Time Protocol (NTP), 126, 259–260
- network-attached storage (NAS), 283, 284, 287–288
- networking, host-only, 38–40
- New Technology File System (NTFS), 284–285
- New Technology LAN Manager (NTLM), 506–507
- Nginx, 195, 203, 208
- Nikto, 207, 212, 216, 227, 397
- Nmap, 16, 98, 104–106, 149–152, 195, 207–209, 216–218, 261, 393. See also port scanning
- Nmap command, 146–147
- Nmap Scripting Engine (NSE), 147, 169–172
- Node.js, 204
- non-blind SQL injection, 425
- nonrelational databases, 358
- noptrix, 125
- NoSQL, 358
- notes, in reports, 553
- NSlookup, 98, 109, 131
- null device, 311
- NullSecurity, 125
- O
- obfuscation, 534
- Oechslin, Philippe, 524
- Ofcom, 66
- Offensive Security, 118
- Password, 35
- OneSixtyOne, 288, 319, 339
- one-time pad, 32
- Open Network Computing (ONC) RPC protocol, 293
- open relays, 153–155
- open resolver, 120–121, 130
- open source, 55
- open source intelligence (OSINT)
- about, 55–56
- client review, 56–57
- document metadata, 76–80
- goal of, 57–58
- Google dorking, 62
- Google Hacking Database (GHDB), 65–66
- grabbing email addresses from Google, 59–61
- harvesting the web, 75–76
- Have I Been Pwned (HIBP), 66
- locations for, 58
- Maltego, 80–81
- Passwd files, 62–65
- protecting against, 85–86
- Recon-ng, 67–74, 74–75
- shadow files, 62–65
- Shodan, 83–85
- social media networks, 81–83
- tools for, 59
- Open Source Security Testing Methodology Manual (OSSTMM), 17
- Open Systems Interconnection (OSI) model, 110, 142
- Open Web Application Security Project (OWASP), 17, 396–397, 452
- OpenPGP, 19, 36
- OpenSolaris, 317
- OpenSSL, 172, 174, 175, 257
- openssl version command, 174
- OpenVPN
- about, 252
- Access Server, 268
- Shellshock and, 277–278
- VPNs and, 267–275
- openvpn command, 268
- Ophcrack, 519, 524, 537
- OPTIONS command, 195, 205
- Oracle, 203, 378–381
- Oreans Technology, 510
- Orpheus' Lyre vulnerability, 473
- owner, of files, 285
- P
- P0wnedshell, 466
- package, 34
- packet sniffing, with Wireshark, 109–111
- Parallel, 166
- parameterized queries, 433–434
- Passwd files, 62–65
- password hashes, 25, 461–462, 506–507
- password manager, 35–36
- Password-Based Key Derivation Function (Version 2) (PBKDF2), 532
- passwords
- about, 517
- art of cracking, 538–539
- cracking, 519–523
- default, 16
- guessing, 537–538
- hash tables, 523–524
- hash types, 530–533
- hashing, 517–519
- Microsoft hashes, 535–537
- pseudo-hashing, 533–535
- rainbow tables, 523–524
- random number generators, 539–540
- salt, 525–526
- shadow files, 526–529
- toolbox for hacking, 519
- PATCH method, 195
- Paterva, 80
- payload, 181–182, 509–512
- penetration test report. See reports
- penetration testing. See ethical hacking
- Penetration Testing Execution Standard (PTES), 17
- Penetration Testing Guidance, 17
- pentesting (penetration testing). See ethical hacking
- Pentoo Linux, 29
- period (.), 89, 527
- Perl, 204
- permissions
- accessing services without, 16
- file, 284–287
- Windows, 461
- written, 15–16
- persistent XSS, 442–444
- personally identifiable information (PII), 18
- pseudorandom number generator, 525
- phenoelit toolset, 343
- phishing, , 141
- PHP: Hypertext Preprocessor (PHP), 160–161, 203–204
- PHP Mail, 160–161
- phpLDAPadmin, 276
- phpMyAdmin, 241–242
- physical attack vector, 546
- ping command, 52
- ping sweep, 274
- Ping tool, 260
- Pluggable Authentication Modules (PAM), 256
- plus symbol (+), 424
- Pointer (PTR), 94
- Point-to-Point Protocol (PPP), 252
- Police & Justice Act (2006), 14
- port scanning
- database servers, 361–362
- file servers, 288
- with Nmap, 104–106
- Solaris, 319–320
- VPN servers, 258–261
- web application servers, 397–398
- web servers, 207–210
- Windows Server, 467–469
- PortSwigger CA, 410
- POSIX operating system, 228
- POST method, 195, 438
- Post Office Protocol (POP), 136, 155–157, 167–169
- post-exploitation phase, 185
- Postfix, 138
- PostgreSQL, 203, 374–376
- PowerDNS, 94
- power-on self-test (POST) messages, 37
- PowerShell/PowerShell Core
- about, 471, 501–502
- Anti-Malware Scan Interface (AMSI), 503–504
- PowerSploit, 503–504
- privilege escalation with, 502–503
- Windows and, 508
- PowerSploit, 466, 503–504, 508
- PowerTools, 466
- PowerUp, 508
- pre-authentication exploit, 374
- Preboot Execution Environment (PXE), 291
- prepared statements, 433–434
- Pre-Shared Key (PSK), 253
- Pretty Good Privacy (PGP), 19, 558
- primary domain controller (PDC), 298, 460
- primary key, 356–357
- Printer Job Language (PJL), 342
- private branch exchange (PBX), 17
- privilege escalation
- about, 245–246
- Microsoft Windows, 507–508
- network file system (NFS), 309–311
- with PowerShell, 502–503
- using DirtyCOW, 246–249
- via databases, 384–392
- web applications and, 454–455
- privileges required, 546
- probing SMTP service, 152–153
- Procmail, 136
- profile collector, 72
- program control, 337
- proofreading reports, 557–558
- PROPFIND method, 211
- PROPPATCH method, 211
- Protiviti's 2017 Security and Privacy Best Security Practices report, 10
- Proxychains, 207, 243–245
- pseudo-hashing, 533–535
- pseudorandom number generator, 540
- PSK-crack, 257
- Pth-toolkit, 466
- Public Key Infrastructure (PKI), 132, 144–145
- purple team, , –9
- PUT method, 195, 205
- PuTTY, 511
- PwDump5, 462
- PwDump6, 462
- PwDump7, 462
- PwDumpX, 462
- PwDumpX14, 466
- Python, 184, 204
- R
- Racoon, 257
- Rain Forest Puppy's LibWhisker, 212
- rainbow tables, 519, 523–524
- RainbowCrack, 519
- RAM, 24
- random number generators, 539–540
- Raspberry Pi, 24
- "ready-to-be-breached" business mode,
- Recon-ng, 67–74, 74–75, 100
- record class, 97
- record data, 97
- record type, 97
- red teams, –7
- redirect response, 194, 247
- Redis, 381–384
- reduction function, 523–524
- reflected input, 443
- reflective XSS, 442
- relational database management systems (RDBMSs), 357
- relational databases, 356–358
- relative ID (RID) cycling, 300
- Remote Authentication Dial-In User Service (RADIUS), 255
- remote code execution (RCE) exploit, 257
- remote command execution, 185
- Remote Desktop Protocol (RDP), 497–498
- remote procedure call (RPC), 288, 292–294, 326–337
- reports
- about, 543–544
- assessment results, 551–552
- Common Vulnerability Scoring System (CVSS), 545–548
- components of, 549
- delivering, 558
- Dradis Community Edition (Dradis CE), 553–557
- executive summary, 550–551
- notes, 553
- proofreading, 557–558
- supporting information, 552
- technical summary, 551
- writing, as a skill, 549
- requirements, minimum, 24–25
- resolver, 130
- resolver cache, 130–131
- resource records, 92–94, 108
- resources, lack of,
- Responder tool, 474–475
- response codes, HTTP, 196–198
- restricted deletion flag, 287
- reverse payload, 182
- reverse shell, 187
- RIDenum, 466
- risk, 544
- Rivest, Ron, 524
- Rivest-Shamir-Adleman (RSA) certificates, 233–237
- root exploit, 183–184
- root level, 206, 311
- root location, 211
- root name servers, 88, 90
- Rosetta Stone, 316
- Roundcube, 161
- round-robin DNS, 142
- RPCbind, 293
- RPCclient, 288, 301
- RPCinfo, 288, 294–295, 319
- R-services, 338–339
- Rsync, 288, 306–308
- rsync command, 306–307
- Ruby, 204
- S
- SA (Security Association), 253
- salts, 524, 525–526
- SAM Lock Tool, 462
- Samba, 298–299
- SambaCry (CVE-2017-7494), 303–306, 476, 496
- SAMdump2, 466
- sanitize, 443
- Scalable Processor Architecture (SPARC), 316
- scanning. See also port scanning
- mail servers, 145–148
- web vulnerabilities, 212–216
- Scapy, 98
- schema, 357
- Swartz, Aaron (hacker), 15
- scope, 18, 547
- Screen, 278–279
- search command, 227, 228
- Searchsploit, 98, 118–119, 207
- second-stage authentication, 275
- Secure Hash Algorithm Version 1 (SHA1), 253, 530, 531
- Secure Hash Algorithm Version 2 (SHA2), 531
- Secure Shell (SSH), Telnet and, 324–326
- Secure Sockets Layer (SSL), 138, 157, 232–237
- secure tunnel, 253
- Security Account Manager (SAM), 462, 535
- Security Association (SA), 253, 263–265
- security ID (SID), 300
- Security Identifier (SID), 482
- security misconfiguration, 441–442
- Security Technical Implementation Guides (STIGs),
- semicolon (;), 165, 365, 425
- Sender Policy Framework (SPF), 113, 143–145
- Sendmail, 159–160
- sensitive data exposure, 436
- Serial Advanced Technology Attachment (SATA), 44
- serial number, 97
- serialization, 452
- Serious Crime Act (2015), 14
- Server Message Block (SMB), 295–306, 474–476
- server-side scripted backdoor tools, 207
- Session Fixation, 199, 436
- sessions command, 184–185
- Set Group ID (SGID), 287
- Set User ID (SUID), 287
- settings, virtualization, 37
- Settings dialog box, 46
- z tool, 558
- zip, 36
- Shadow Brokers, 205, 257
- shadow files, 62–65, 526–529
- shadowdump, 466
- Sharpsploit, 466
- shebang, 349
- shells
- upgrading, 184
- uploading, 222–223
- Windows, 498–501
- Shellshock, 226–231, 277–278
- Shellter, 463, 510
- Shodan, 16, 83–85, 347
- show command, 122, 368
- show tables command, 371
- ShowMount, 288
- showmount tool, 308
- Simple FTP (SFTP), 289
- Simple Mail Transfer Protocol (SMTP), 85, 135, 141–143, 152–153
- Simple Network Management Protocol (SNMP), 257, 288, 339–341
- Simple Service Discovery Protocol (SSDP), 126
- Single Instruction, Multiple Data (SIMD), 24
- single point of failure, 142
- single-board computers (SBCs), 24
- skill, report writing as a, 549
- Skipfish, 421
- sleep command, 231
- smart devices,
- smartphones, 24
- SNMPcheck, 319, 340
- SNMPwalk, 288
- social engineering, 10–11
- social media networks, 81–83
- software
- antivirus (AV), 462–463
- electronic mail, 158–162
- for ethical hacking, 33–36
- for hacking databases, 377–378
- Solaris, 316–320
- Solid State Drive (SSD), 25, 285, 358
- spawn function, 184
- spear phishing, , 141
- special characters, 227
- spiders, 206, 415–418
- spoofing, 121, 128–129
- SQL (Structured Query Language), 357, 358–359
- SQL database, 255
- SQL injection, 359, 422–427
- SQLite, 357
- SQLmap, 427–433
- Squid, 243
- Squirrel Mail, 161, 185
- SSLscan, 174
- sslscan tool, 232
- stack traces, 442
- standard output, 166
- Standardized Information Gathering (SIG), 545
- Start of Authority (SOA), 92, 94, 102–103
- STARTTLS command, 157
- statd (status daemon), 293
- stateless HTTP, 198
- static binary, 247
- static library, 174
- statically linked binary, 247
- status daemon (statd), 293
- sticky bit, 287
- stop condition, 539
- storage area network (SAN), 284
- stored procedures, 361
- stored XSS, 442–444
- strings command, 178
- strongSwan, 267
- Structured Query Language (SQL), 72, 355, 357, 358–359
- sudo command, 34, 47, 48
- suffixes, 297
- Sullo, Chris, 212
- superuser, 34
- supporting information, in reports, 552
- syskey, 462
- system administration, UNIX, 316
- SYSTEM shell, 508–509
- T
- tablets, 24
- Tao Xie, 533
- tar command, 164
- Task Scheduler, 497
- TCPdump, 208, 232
- technical summary, in reports, 551
- Telnet, 319, 320–326
- temporal scores, 545
- Terminal Access Controller Access-Control System (TACACS), 256
- testing, 52–53, 67
- Text (TXT), 94
- Themida tool, 510–511
- three-tier architecture, 204
- tick ('), 423
- ticket-granting tickets (TGTs), 471–472
- tilde (~), 72
- time, limitations on,
- Time to Live (TTL), 90
- toolkit
- for database hacking, 360
- for hacking web applications, 397
- for password cracking, 519
- for UNIX, 318–319
- for VPN hacking, 257
- for web server hacking, 206–207
- for Windows hacking, 466
- tools
- command-line web, 207
- information-gathering, 114–117
- for open source intelligence (OSINT), 59
- top-level domain (TLD) servers, 92
- `TRACE` method, 195
- Traceroute tool, 147
- trade secrets law, 14
- traffic amplification attack, 120–121
- training, inadequacy of,
- transforms, 80, 263
- Transmission Control Protocol (TCP), 84, 105–106, 198
- transparency, importance of, 18–19
- Transport Layer Security (TLS), 157, 232–237, 254–255
- Travelex,
- trees, 458–461
- Trend Micro,
- Triple Data Encryption Algorithm (TDEA), 254
- Triple DES (3DES), 254
- Trivial File Transfer Protocol (TFTP), 291–292, 535
- Trivial FTP (TFTP), 289
- tunneling utilities, 207, 253
- two-factor authentication (2FA), 85–86, 273
- two-step authentication, 85–86
- U
- Ubuntu, 27, 28–29, 34, 95
- U.K., acts and laws in, 14
- `uname -a` command, 246
- unauthorized access, 13
- Uncomplicated Firewall (`ufw`), 34
- Unified Extensible Firmware Interface (UEFI), 25
- Uniform Resource Identifiers (URIs), 200–201
- Uniform Resource Locator (URL), 200–201
- United States, acts and laws in, 14
- Universal Naming Convention (UNC), 302, 475
- UNIX
- about, 315
- Common Desktop Environment (CDE), 351
- Common UNIX Printing System (CUPS), 341–343
- Cron files, 347–351
- Ewok, 341
- EXTREMEPARR, 351–353
- hacking toolbox, 318–319
- local files, 347–351
- port scanning, 319–320
- RPC, 326–337
- R-services, 338–339
- Secure Shell (SSH), 324–326
- Simple Network Management Protocol (SNMP), 339–341
- Solaris, 316–318, 319–320
- system administration, 316
- Telnet, 320–324
- X Window System (X11/X), 343–347
- Unix-privesc-check, 351
- `UNLOCK` method, 211
- `umask` command, 285, 386
- unsigned integer, 172
- upgrading shells, 184
- uploading files/shells, 220–223
- `use` command, 130, 368
- User Account Control (UAC), bypassing, 463–464
- user databases, 255–256
- User Datagram Protocol (UDP), 105–106, 261
- user enumeration, via Finger, 162–167
- user interaction, 547
- user space. See userland
- user-defined functions (UDF), 359–360
- userland, 311
- userland privilege escalation, 278
- users, 461, 479–489
- V
- value, of data,
- verbosity level, 147, 431
- verbs, Hypertext Transfer Protocol (HTTP), 195–196
- `@@VERSION` function, 372, 426
- Vi text editor, 350
- virtual CDs, inserting, 43–44
- virtual environment, testing, 52–53
- virtual file system (VFS), 284–285
- virtual hard disks, creating, 42–43
- virtual LAN (VLAN), 362
- Virtual Machine (VM), 207, 464–466
- virtual name servers, 103–104
- virtual network adapters, 44–48
- virtual private networks (VPNs)
- about, 251–253
- authentication, 255–256
- exploiting CVE-2017-5618, 278–281
- hacker toolkit for, 257
- hacking methodology, 257–258
- Internet Key Exchange (IKE), 253–254, 262–267
- IPsec, 253
- LDAP, 275–277
- National Security Agency (NSA) and, 257
- OpenVPN, 267–275, 277–278
- port scanning servers, 258–261
- Shellshock, 277–278
- Transport Layer Security (TLS), 254–255
- user databases, 255–256
- VirtualBox, 36–51
- VirtualBox Disk Image (VDI), 42
- virtualization, 25, 37
- Visual Studio Community, 464
- VMware, 24, 37
- Volume Shadow Copy Service (VSS), 462
- `VRFY` command, 155
- vulnerabilities
- command injection, 227
- compared with issues, 544
- directory traversal attacks, 219–220
- finding, 421
- known, 453
- searching for, 118–120
- vulnerable servers, creating, 53–54
- VulnHub, 53
- W
- W3af, 397
- Wada, Eiiti (computer scientist), 26
- WannaCry ransomware, 303–304, 476, 478–479
- WASM tool, 504–505
- web administration interfaces
- about, 238
- Apache Tomcat, 238–240
- phpMyAdmin, 241–242
- Webmin, 240–241
- web application archive (WAR), 238
- web applications
- about, 395–396
- broken access controls, 439–440
- broken authentication, 434–436
- cross-site scripting, 442–451
- directory traversal, 440–441
- error pages, 442
- finding vulnerabilities, 421
- hacking toolkit, 397
- injection, 421–434
- insecure deserialization, 452
- insufficient logging/monitoring, 453–454
- intercepting proxies, 398–412
- known vulnerabilities, 453
- manual browsing and mapping, 412–415
- Open Web Application Security Project (OWASP), 396–397
- port scanning servers, 397–398
- privilege escalation, 454–455
- security misconfiguration, 441–442
- sensitive data exposure, 436
- spidering, 415–418
- stack traces, 442
- vulnerability scanners, 418–421
- XML external entities, 437–439
- web browsers, 207
- Web Distributed Authoring and Versioning (WebDAV), 205, 207, 220–221
- web extension tools, 207
- web proxies, 242–243
- web server vulnerabilities
- about, 191–192
- Common Gateway Interface (CGI), 225–226
- crawlers, 206
- guessing hidden web content, 216–220
- Heartbleed, 232–237
- HTTP authentication, 223–225
- Hypertext Transfer Protocol (HTTP), 193–200
- Linux, Apache, MySQL, and PHP (LAMP), 201–205
- manual HTTP requests, 210–212
- port scanning web servers, 207–210
- privilege escalation, 245–249
- privilege escalation using DirtyCOW, 246–249
- Proxychains, 243–245
- scanning, 212–216
- Secure Sockets Layer (SSL), 232–237
- Shellshock, 226–231
- spiders, 206
- toolkit for, 206–207
- Transport Layer Security (TLS), 232–237
- Uniform Resource Identifiers (URIs), 200–201
- uploading files, 220–223
- Web administration interfaces, 238–242
- web proxies, 242–243
- World Wide Web (WWW), 192–193
- web servers, 206–210
- web service, 202–203
- web vulnerability scanners
- about, 418–419
- Burp Suite Professional, 420
- Skipfish, 421
- Zed Attack Proxy (ZAP), 419–420
- Webmail, 161–162
- Webmin, 240–241
- websites. See also specific websites
- Apache vulnerabilities, 203
- BIND vulnerabilities, 120
- bug bounty programs, 21
- fragments, 200
- harvesting the, 75–76
- phenoelit toolset, 343
- printer hacking, 342
- pseudorandom number generators, 525
- relational database management systems (RDBMSs), 357
- root name servers, 90–91
- traffic amplification attacks, 122
- vulnerabilities, 119
- Weevely, 207, 222–223
- Wget, 207
- whaling,
- Whatsapp, –3
- white-hat defenders,
- `whoami` command, 473, 500
- WHOIS, 98–101
- Window Calculator program, 511
- Windows Defender, 462–463, 512–514
- Windows domains, 298
- Windows Registry, 462
- WinRM, 497
- WinZip, 20, 558
- Wireless Telegraphy Act (2006), 14
- Wireshark, 98, 109–111, 133, 208, 232
- word lists, 519
- World Wide Web (WWW), 192–193
- written permission, for ethical hacking, 15–16
- X
- X Certificate and Key Management (XCA), 270
- X Window System (X11/X), 318, 343–347
- Xdotool, 319, 345–346
- XDR RPC overflow, 330–331
- XML external entity (XXE), 437–439
- Xspy, 319
- XSS Filter Evasion, 450–451
- XSS Polyglot, 451
- Xwd, 319
- `xwd` command, 344
- Xwininfo, 319
- Z
- Zalewski, Michael, 226
- Zed Attack Proxy (ZAP), 397, 415–418, 419–420
- zero-day vulnerability, 19, 120
- ZIP files, 558
- zone file, 96
- zone name, 96
- zone transfer requests, 113–114
- zones of authority, 92