Post on 12-Jun-2018
bindex.indd 04/01/2016 Page 575

Numbers
007Shell, covert channel exploits, 248
3DES (Triple DES) encryption, 78–79, 88
3G hot spots, 412
4G hot spots, 412
802.11. See Wi-Fi
802.11i, 418
802.3 (Ethernet), 45

A
access control
    Android OS, 444–446
    Apple iOS, 446
    cloud computing, 495
    mobile device, 442–443
    physical. See physical security
access control lists (ACLs), 381, 470
access points
    broadcasting SSID, 413
    client misassociation attacks on, 428
    honeyspot attacks on, 428–429
    misconfiguration problem with, 428
    rogue access point attacks, 426–427
    wireless antennas and, 414–415
    wireless network, 411–412
account hijacking, cloud security threat, 490
ACK flag, 134–135, 136–137
ACK scanning, 143–144
ACK sequence numbers, TCP/IP session hijacking, 344
ACK tunneling, defying detection by firewall, 479
AckCmd, 248, 479
ACLs (access control lists), 381, 470
active fingerprinting, of OS, 146–147
active information gathering, footprinting, 106
active online attacks, 198–199, 202–203
active session hijacking attacks, 335–336
active sniffing, 256
active wireless network attacks, 425
ad hoc attacks, on Wi-Fi, 427
administrator accounts, Windows OS, 60–61, 163–164
administrators
    application, 361
    server and network, 360
ADS (Alternate Data Streams), covering tracks, 216–217
adware, 227, 237
AES (Advanced Encryption Standard), 79
AES-256 encryption, Apple iOS, 446
AH (Authentication Header), IPSec, 90
aircrack-ng
    breaking WEP, 420–421
    brute-force attacks, 425
    wireless tool for lab testing, 572
aireplay-ng, 420
AirMagnet, 430
AirMon, 453
AirPcap
    breaking WEP, 421–422
    hardware tool for lab testing, 573
    sniffing wireless networks, 260
algorithms
    asymmetric, 80–86
    cryptography and, 77
    symmetric, 77–79
    types of hashing, 87
ALog reader, pentesting Android, 453
alteration, breaking CIA triad, 16
Alternate Data Streams (ADS), covering tracks, 216–217
alternate sites, business continuity/disaster recovery, 27–28
Amitis, Trojan-creation tool, 243
analysis and tracking phase, incident response, 24
AnDOSid, pentesting Android, 451
Android OS
    with 83 percent of market share, 441
    common problems, 447–448
    countermeasures, 454–455
Index
    customized versions of, 445–446
    design of, 444–446
    overview of, 443–444
    pentesting, 450–454
    storage encryption on, 442
    vulnerabilities, 62
Android runtime (ART), 445
Android Updates, 445
Angry IP Scanner, 570
Anna Kournikova computer worm, 5, 291
anomaly-based IDS, 464–465
anonymity, pentesting Android, 454
Anonymous hacking group, 6, 8
Anonymous logon group, Windows, 165
antennas, wireless, 414–416
antimalware applications
    DoS/DDoS protection, 323
    installing for lab testing, 569
    mobile device countermeasures, 455
antivirus applications
    installing for lab testing, 569
    Phatbot terminating, 243
    polymorphic/metamorphic viruses unidentifiable to, 230
    virus detection and elimination, 229
    web browser integration with, 295
AOKP (Android Open Kang Project), 445
Apache Server, 361–362, 367
App Scanner, pentesting Android, 452
Apple iOS
    with 14 percent of market share, 441
    common problems, 447–448
    countermeasures, 454–455
    overview of, 446–447
Apple iOS vs. Android, application provenance, 446
application administrators, 361
application content, web applications, 369
application developers, web applications, 361
Application layer, OSI model
    overview of, 46
    session hijacking at, 334
    SNMP functioning at, 178
application proxy firewalls, 56, 58–59
application services, Android OS, 445
application-level attacks, 310–314
application-level firewalls, 469
application-level hijacking
    cross-site scripting, 338–341
    man-in-the-browser attacks, 338
    man-in-the-middle attacks, 338
    predicting session tokens, 338
    session fixation attacks, 341
    session sniffing, 337
    web apps, 336–337
applications
    executing, 213–217
    mobile device countermeasures, 455
    security testing of, 554
    session hijacking and web, 336–337
    sources of Android OS, 445
    tools for building lab, 570–571
    web. See web servers/applications
AppThwack, testing security in cloud, 496
architecture, cloud security controls, 494–495
archived copies of website, footprinting, 110
Archive.org, 110
archiving, 63–64
ARP (Address Resolution Protocol) requests, and MAC addresses, 55
ARP poisoning
    overview of, 343
    pentesting mobile devices with, 450
    preventing, 273
    sniffing switched networks, 271–272
ART (Android runtime), 445
AS (authentication server), Kerberos, 211–212
Assange, Julian, 307
association, defined, 414
asymmetric (public key) cryptography
    authenticating certificate, 83
    building PKI structure, 85–86
    how it works, 81–82
    how you know who owns key, 82–83
    overview of, 80–81
    PKI system, 83–85
attacks
    defined, 13
    threats. See threats
attributes, protecting cookie, 379–380
auditing, disabling to cover tracks, 215–216
auditpol command, disabling auditing, 216
authentication
    biometric, 515–516
    certificate, 83
    cryptography for, 75–76
    as defense against session hijacking, 352
    on Microsoft platforms, 209–213
    multifactor, 198
    with SNMPv3, 178
    technologies, 418
    web application, 368
    wireless modes of, 416–417
Authentication Header (AH), IPSec, 90
authentication server (AS), Kerberos, 211–212
authorization, before pen testing, 556–557
automated penetration testing, vs. manual, 561–562
availability
    balancing security with, 308
    breaking CIA triad, 16
    cloud security controls, 495
    preserving CIA triad, 15–16
awareness, as line of defense, 519

B
B0CK, exploiting covert channels, 248
Back Orifice 2000 (BO2K), 243–246
backdoors
    attacker access via, 246–247
    executing applications via, 213–214
    planting, 214–215, 561
    system administrators using, 287
back-end resources, DoS attacks on, 308
backups
    business continuity/disaster recovery via, 28
    overview of, 63–64
    securing, 519
bandwidth
    defined, 414
    protecting from DoS/DDoS attacks, 323
    wireless networks and, 411
banner grabbing
    countermeasures to, 151
    identifying services running on ports, 470
    overview of, 149–151
    as web server/application vulnerability, 373
basic service set identification (BSSID), 414, 423
bastion host, firewall configuration, 468
bat2com, creating viruses, 233
batch execution, in SQL injection attacks, 392
batch group, Windows, 165
BCP (business continuity plan), 26–29
Beast, Trojan-creation tool, 243
BeEF (Browser Exploitation Framework), 200–201
best evidence, defined, 30
best practices, reporting security incident, 32
binary conversion, vs. hexadecimal, 49–50
biometrics, 515–516
black box pen tests, 14–15
black hole filtering, 324
Blackberry. See also mobile device security, 441
black-box testing, 551
black-hat hackers, 9, 11
blacklists, 392, 404
BlazeMeter, 496
blind hijacking, 341, 345
blind SQL injection, 401–402, 403
blind testing, 552
blocked scans, 144
Blowfish, 79
bluejacking attack, 433
Bluepot, 433
Bluesnarfer tool, 572
bluesnarfing attack, 433
Bluetooth, creating test setup, 568
Bluetooth, hacking. See also Wi-Fi, hacking
    current developments in, 4
    overview of, 431–432
    threats, 432–433
    as vulnerability in Mac OS X, 62
BO2K (Back Orifice 2000), 243–246
bollards, protecting facilities, 517, 518
boot-sector (or system) viruses, 229, 230
Botbyl, Adam, hacker, 5
botnets
    DDoS attacks and, 318
    defensive strategies, 323–324
    rental of, 307
    tools for creating, 318–319
bots, 318
bricked systems, caused by phlashing, 310
bring your own device (BYOD), problems with, 440–441, 448–449
broad network access, cloud computing, 487
broadcast domains, 55
browser defects, spyware delivery via, 236
Browser Exploitation Framework (BeEF), 200–201
browser-based web applications, 363–364
brute-force attacks
    on cryptographic systems, 88
    on directory services, 162
    in exploitation phase, 560
    in password cracking, 198
    on session ID in session hijacking, 333
    in syllable attacks, 198
    on WPA/WPA2 keys, 425
Brutus, password cracking with, 377–378, 571
BSSID (basic service set identification), 414, 423
buffer overflow attacks
    as DoS attacks, 314
    heap and stack, 314–315
    NOP sled, 317
    smashing stack, 315–316
    on web servers/applications, 370–371
building a lab. See lab, building
Burp Suite
    man-in-the-middle attacks, 200–201
    pentesting Android, 453
    testing web applications, 383
bus topology, 40–41
business closure, from social engineering, 286
business continuity plan (BCP), 26–29
BusinessWire, competitive analysis data, 117
BYOD (bring your own device), problems with, 440–441, 448–449

C
C functions, buffer overflow vulnerability, 314
C2DM (cloud-to device messaging), Android OS, 445
cabling
    at Physical layer of OSI model, 45
    protecting server rooms, 518
Cain & Abel
    breaking WEP, 420
    sniffer tool for lab testing, 572
CAM tables, and MAC flooding, 270–271, 274–275
cameras, physical security, 517, 518
CAN-SPAM Act, 227
capture button, sniffers, 257
CAs (certificate authorities), 82–85
case locks, 519
Catch Me If You Can movie, social engineering in, 285
categories, malware, 227–228
cavity (file-writing) viruses, 231
CCTV Scanner, pentesting Android, 452
CEH credential, Code of Conduct and Ethics, 11–12
ceiling, securing physical area, 516–517
CER (crossover error rate), biometric accuracy, 515
certificate authorities (CAs), 82–85
chain of custody, evidence, 30–31
Check Point FireWall-1, 470
choke points
    firewall services at, 467
    gates as physical, 511
chosen plaintext/cipher-text attacks, on cryptographic systems, 89
CIA (confidentiality, integrity, and availability) triad, 15–17
cipher locks, physical access control, 513
cipher text
    in asymmetric algorithms, 80
    how cryptography works, 77
    PKI system, 83–85
    in symmetric algorithms, 77
ciphers, weaknesses in web applications, 380
cipher-text-only attacks, on cryptographic systems, 89
circuit-level gateway firewall, 469
circumstantial evidence, 30
Cisco IOS devices, mitigating MAC flooding, 274
CLI (command-line interface), Wireshark tools using, 264
client misassociation attack, on Wi-Fi, 428
client-based web applications, 364
clients, DoS attacks against specific, 308
client-server relationship, 360–361, 364–365
client-side technologies, 365, 394
climate control, server rooms, 518
cloud technologies
    Android OS, 445
    cloud computing attacks, 490–494
    controls, 494–495
    forms of cloud services, 488–489
    overview of, 365–366, 486
    review, 496–497
    review answers, 546–547
    review questions, 498–500
    testing, 495–496
    threats, 489–490
    types of cloud solutions, 487–488
    understanding, 486–487
    understanding cloud computing, 485–487
cloud-to device messaging (C2DM), Android OS, 445
cluster viruses, 231
CNBC, competitive analysis data via, 117
code injection, session fixation attack, 341
Code of Ethics, 11–12, 33
cold sites, 27
collision domains, 55
columns, database, 395
command injection, in session hijacking, 334
command-line interface (CLI), Wireshark tools using, 264
communication channels, disaster and recovery, 29
community cloud, 488
CommView, wireless traffic analysis, 430
companion (camouflage) viruses, 231
competitive analysis, in footprinting, 118–119
complex passwords, risk mitigation for WEP/WPA, 425
compliance, cloud security controls, 495
components
    Android OS, 444–446
    web application, 367–368
computer crime
    collecting evidence. See evidence collection
    incident response for. See incident response
con artists, social engineers as, 283
concatenating strings of texts, evading detection via, 404
conclusive evidence, 30
confidentiality
    CIA triad and, 15–16
    Code of Ethics for, 11
    ethical hacker responsibility for, 10, 13
    as primary goal of encryption, 75
construction kits, Trojan, 246
contactless cards, securing physical area, 515
contacts, social networking countermeasures, 292
containment phase, incident response, 24
contracts
    contents of, 555–556
    ethical hacker responsibility for, 9–10
    getting help of lawyer, 10
    before starting testing activities, 13
controls
    cloud security, 494–495
    defense in depth, 520
    physical security, 503–505
convenience vs. security analysis, 14
cookies
    protecting, 379
    safely using, 367–368
    session hijacking and, 337
    web server/application session management issues, 379
corroborative evidence, 30
counterfeit devices, as Android OS vulnerability, 62
countermeasures
    banner grabbing, 151
    identity theft, 297–298
    mobile device security, 454–455
    social networking, 291–293
covering your tracks
    Alternate Data Streams, 216–217
    data hiding, 216
    disabling auditing, 215–216
    in hacking process, 18
    overview of, 215
covert channels
    defined, 239
    tools to exploit, 247–248
    Trojans as biggest users of, 247
crackers, executing applications via, 214
CRC32 (Cyclic Redundancy Check), WEP vulnerability, 419
Creator group, Windows, 165
Creator owner group, Windows, 165
credentials, threats to cloud security, 490
credit card information, hacking of, 5, 296
Creeper project, virus, 228
crossover error rate (CER), biometric accuracy, 515
cross-site request forgery (CSRF), against cloud, 491–492
cross-site scripting. See XSS (cross-site scripting)
crying wolf, defying detection by IDS, 476
cryptanalysis
    attacks against cloud, 494
    defined, 73
Cryptcat, tool for lab testing, 571
cryptography
    applications of, 89–94
    applied, 76
    asymmetric. See asymmetric (public key) cryptography
    encryption and, 73
    evolution of, 75–76
    hashing, 86–88
    history of, 73–75
    how it works, 77
    issues with, 88–89
    overview of, 72–73
    review, 94
    review answers, 528–529
    review questions, 95–97
    symmetric, 77–79
cryptoviruses, 232
CSRF (cross-site request forgery), against cloud, 491–492
customized Android versions, 445
CyanogenMod, Android, 446
cybercrime
    current developments in, 4–5
    DoS attacks, 307
    famous hacks over time, 5–6
    generic examples of, 6–7

D
daisy chaining, 13
Dalvik virtual machine, Android, 444–445
DameWare, planting backdoors, 214–215
Dark Dante (Kevin Lee Poulsen), hacker, 5
data
    altering with SQL injection attack, 399–401
    breach attacks on cloud, 489–490
    covering tracks by hiding, 216
    executing blind SQL injection, 401–402
    loss, as threat to cloud security, 490
    loss, on mobile devices, 442
    storage security, 506–507
    theft on mobile devices, 442
    web application access, 369
Data Definition Language (DDL), Beast using, 243
Data Encryption Standard (DES), 78, 88
Data layer, web applications, 366
Data Link layer, OSI model, 45, 54–55
data sending Trojans, 240
data store, web applications, 369
databases
    altering data with SQL injection attack, 399–401
    information gathering in SQL injection attack, 402–403
    locating on network, 396
    overview of, 394–395
    protecting with IDS, 403
    server password cracking, 396
data-diddling, as cybercrime, 7
DDL (Data Definition Language), Beast using, 243
DDoS (distributed denial-of-service) attacks
    against cloud, 490, 494
    as cybercrime, 7
    overview of, 317–319
    tools, 320–322
    web servers/applications vulnerable to, 371
deauthentication attack, on WPA/WPA2, 424–425
debriefing and feedback phase, incident response, 24
decimal, hex/binary vs., 50
decision-making, reporting security incident, 32
decoys, honeypots as, 473–474
defacement, website, 374–375
default passwords
    avoiding, 405
    obtaining, 207
    obtaining information through, 162
default scripts, causing attacks, 378
defense in depth
    physical security and, 519
    session hijacking protection, 352
defensive strategies, DoS, 323–324
degaussing, hard drives/magnetic media, 508–509
deliverables, in contract content, 556
demilitarized zone (DMZ)
    firewall configuration, 468–469
    honeypots as decoys in, 473–474
Department of Energy (DoE), SQL injection attack on, 391
DES (Data Encryption Standard), 78, 88
desynchronizing connections, 343
design
    Android OS, 444–446
    cloud security controls, 494–495
    flawed web server/application, 369–370
    viruses, 228
    vulnerabilities of web servers/applications, 369–370
destructive Trojans, 240
detection
    difficulty of social engineering, 283
    viruses and, 229
Dev@Cloud, 496
developers, Android OS security and, 443
device drivers, authentication of, 76
devices, network, 53–55
dial-up, as backup to existing technologies, 131
dictionary attacks, 198
differential backups, 63
dig command, 175–176
digital certificates, 83, 86
digital rights management (DRM), 446–447
digital signatures
    in asymmetric cryptography, 81–83
    creating with digital certificates, 86
    creating/verifying with hash function, 81–82
    mobile device security via, 442
digital trespassing, as cybercrime, 6
direct evidence, 30
directional (Yagi) antenna, 415
directory services
    brute-force attacks on, 162
    and LDAP enumeration, 182–183
directory traversal attacks, web servers, 381–383
DirecTV dish, 416
disaster recovery plan (DRP), 26–29
disclosure
    breaking CIA triad, 16
    Code of Ethics for, 11
discoverable mode, Bluetooth, 431
Dish Network dish, 416
disruption (loss), breaking CIA triad, 16
distributed computing, SETI programs, 206
distributed databases, 395
distributed denial-of-service attacks. See DDoS (distributed denial-of-service) attacks
Distributed Network Attack (DNA), password cracking, 205–206
DMZ (demilitarized zone)
    firewall configuration, 468–469
    honeypots as decoys in, 473–474
DNA (Distributed Network Attack), password cracking, 205–206
DNS (Domain Name System)
    attacks against cloud, 494
    overview of, 53
    querying with nslookup, 119–120
    TCP 53 port for, 169
    UDP 53 port for, 169
    working with zone transfers, 162
DNS spoofing, 343, 351–352
documentation, planning disaster and recovery, 29
DoE (Department of Energy), SQL injection attack on, 391
Domain attribute, cookies, 380
Domain Name System. See DNS (Domain Name System)
DoS (denial-of-service) attacks. See also DDoS (distributed denial-of-service) attacks
    in active session hijacking, 335
    against cloud, 490, 494
    as cybercrime, 7
    defensive strategies, 323–324
    defying detection by IDS, 475
    jamming attacks on WLANs, 428
    overview of, 306, 371
    pentesting Android, 451–452
    pen-testing considerations, 324
    review, 324–325
    review answers, 537–538
    review questions, 326–329
    targets, 308
    tools for, 319–320
    understanding, 306–308
    WEP vulnerability to, 419
DoS (denial-of-service) attacks, types of
    application-level, 310
    buffer overflow, 314–317
    fraggle, 310
    ICMP flood, 309
    land, 310
    permanent DoS, 310
    ping of death, 309–310
    service request floods, 308
    smurf, 310
    SYN attack/floods, 309, 311–314
    teardrop, 310
DoSHTTP, DoS tool, 319
double-blind testing, 552
drivers, installing for lab testing, 569
drives
    disabling for protection, 519
    encrypting, 506–507
    wiping, 508
DRM (digital rights management), 446–447
DroidSheep, pentesting Android, 451
DroidSQLi, pentesting Android, 453
Dropbox, as cloud computing, 487
dropboxes, breaching wireless networks with, 427
DRP (disaster recovery plan), 26–29
Dsniff, sniffer, 259
dSploit Scripts, pentesting Android suites, 454
due diligence, cloud security and, 491
DumpSec, enumeration tool for lab testing, 571
dumpster diving
    as cybercrime, 7
    preventing, 294
    social engineering via, 121
    thwarting for discarded media, 508
duration, penetration test, 555
dynamic content, in cross-site scripting, 339–341
dynamic pages, in directory traversal attacks, 382
dynamic ports, 51
dynamic SQL, thwarting SQL injection, 404

E
EAP wireless authentication, 418
Easy Packet Blaster, pentesting Android, 451
eavesdropping, social engineering and, 120, 293
ECCouncil (International Council of Electronic Commerce Consultants), 10, 11–12
Echosec, social engineering via, 115–116, 292
e-commerce, cryptography in, 75
economic loss, from social engineering, 285
EDGAR (Electronic Data-Gathering, Analysis, and Retrieval) system, 117
education, as line of defense, 519
egress filtering, as DoS/DDoS prevention, 323
Egyptian hieroglyphics, 74–75
EIP (Extended Instruction Pointer) value, 315–317
Electronic Data-Gathering, Analysis, and Retrieval (EDGAR) system, 117
elimination, virus, 229
EliteWrap, distributing Trojans, 246
Elk Cloner virus, 229
email
    cloud computing for, 487
    in footprinting process, 117–118
    law enforcement agencies and sniffing, 258
    performing enumeration on, 162
    SNMP enumeration, 184–186
    in social engineering via phishing, 120–121
    spyware delivery via attachments, 236
embezzlement, as cybercrime, 7
employee profile, gathering job posting data, 117
Encapsulating Security Payload (ESP), IPSec, 90
encryption
    in Apple iOS, 446
    cryptography and, 73
    as defense against session hijacking, 352
    defying detection by IDS, 477
    Egyptian hieroglyphics, 74–75
    mandating by law, 507
    physically securing drives, 506–508
    weaknesses in web applications, 380
encryption, wireless
    methods of, 417
    mobile device, 442, 505–506
    mobile device countermeasures, 455
    protocols, 417
    risk mitigation for WEP/WPA, 425
    WEP, 418–422
    WPA, 422–425
encryption viruses, 230, 231
entryways, protecting, 517–518
enum4linux command, 181–182
enumeration
    in hacking process, 17–18
    LDAP and directory service, 182–184
    Linux, 180–182
    NTP, 184
    review, 187–188
    review answers, 532
    review questions, 189–191
    as second phase of ethical hacking, 101–102
    SMTP, 184–186
    SNMP, 178–180
    tools for building lab, 571
    understanding, 161–163
    Unix, 180–182
    in vulnerability analysis phase, 559
    Windows, 163–167
error messages
    acquiring target in SQL injection attacks via, 398
    extracting information from, 403
    suppressing detailed, 374, 402
    thwarting SQL injection by disabling, 405
    in web servers and applications, 374
escalation of privilege, in hacking process, 18
ESP (Encapsulating Security Payload), IPSec, 90
EssentialNetTools, TamoSoft, 186
/etc/passwd file, Linux user account, 168
EtherApe, sniffer, 260
ethical hacking, introduction to
    business continuity plans, 26–28
    chain of custody, 30–31
    code of conduct and ethics, 11
    conflicting views about hackers, 3
    current developments, 4–5
    early days of hacking, 3–4
    ethics and the law, 33–34
    evidence types, 29–30
    evidence-collection techniques, 29
    evolution and growth of, 7–8
    exam objectives, 1
    as fun vs. criminal activity, 5–7
    hacking methodologies, 17–21
    incident response, 21–26
    overview of, 2–3
    penetration testing, 11–17
    recovering from security incident, 31–32
    recovering systems, 28–29
    reporting security incident, 32–33
    responsibilities of, 9–11
    review, 34–35
    review answers, 526–527
    review questions, 36–38
    role of ethical hacker, 9
    rules of evidence, 31
    steps of, 100–102
    types of hackers, 9
    vulnerability research and tools, 21
evasion
    firewalls. See firewalls
    honeypots, 473–474
    IDS, 462–466, 475–477
    overview of, 462
    review, 480–481
    review answers, 544–546
    review questions, 482–484
    testing firewalls, 479–480
    testing IDS, 480
event-viewing tools, lab testing, 572
Everyone group, Windows, 165
evidence collection, 29–31
evolution, of hacking, 4–8
executive level report, on security incident, 33
executives, as targets of social engineers, 286
Expires attribute, cookies, 380
exploitation
    pentesting mobile devices, 450
    phase of penetration testing, 560
    post-exploitation phase, 560–561
exploits, defined, 13
EXPN command, SMTP enumeration, 185–186
Extended Instruction Pointer (EIP) value, 315–317
Extensible Markup Language (XML), 493, 494
extensions, signs of host system intrusions, 466
exterior, building for physical defense, 520
external factors, and reports, 562–563
extortion, DoS attacks for, 307

F
Facebook
    gathering information using, 288–289
    people search utility, 297
    social engineering via, 114
FaceNiff, pentesting Android, 451
Fakegina keylogger, 248
false ceilings, securing physical area, 516
false rejection rate (FRR), biometric accuracy, 515
false walls, securing physical area, 516
FAR (false acceptance rate), biometric accuracy, 515
fault tolerance, business continuity/disaster recovery, 27
FDDI (Fiber Distributed Data Interface), ring topology, 42
Federal Information Security Management Act (FISMA), 2002, 34
fences, securing physical area, 511
Fiber Distributed Data Interface (FDDI), ring topology, 42
file (multipartite) viruses, 230, 232
file integrity checker, 463
File Transfer Protocol. See FTP (File Transfer Protocol)
file-allocation tables, cluster viruses altering, 231
files, signs of host system intrusions, 465–466
file-writing (cavity) viruses, 231
filters, Wireshark, 263–264
FIN flag, 137, 139–141
FIN scan, 140–141
financial fraud, embezzlement as, 7
financial services
    current developments in hacking/cybercrime, 4–5
    in footprinting process, 116
    researching data on companies via, 117
Fing, pentesting Android, 450
finger command, Linux/Unix enumeration, 178, 180–181
finger scan systems, biometrics, 516
fingerprinting. See OS fingerprinting
fire suppression, server rooms, 518
Firekiller 2000, distributing Trojans, 246
Firesheep, session hijacking, 337
Firewalk, determining firewall configuration, 470–472
firewalking, determining firewall configuration, 470–472
firewalls
    blocking ping requests, 134–135
    blocking scans, 144
    bypassing, 479–481
    configurations, 468–469
    determining configuration with firewalking, 470–472
    determining configuration with nmap, 472–473
    evading with fragmenting, 144
    identifying, 470
    for mobile devices, 473
    overview of, 56–57, 467–468
    setting up security, 58–59
    testing, 479–480
    types of, 469
FISMA (Federal Information Security Management Act), 2002, 34
flags
    defying detection by IDS, 476–477
    TCP, 136–137
flash drives, physical security of, 507–508
flawed web design, web servers/applications, 369–370
floors, securing physical area, 516–517
folders, signs of host system intrusions, 465–466
footprinting
    competitive analysis in, 118–119
    email, 117–118
    as first step of ethical hacking, 17, 100–101
    information gathering via, 113–116, 160
    as intelligence gathering, 557–558
    job sites and job postings, 116–117
    location and geography in, 112–113
    network information gathering in, 119–120
    other phases of ethical hacking, 101–102
    overview of, 100
    pentesting mobile devices via, 449
    public and restricted websites, 111–112
    review, 121–122
    review answers, 529–530
    review questions, 123–125
    search engines, 108–111
    as social engineering phase, 120–121, 285
    terminology, 106–107
    threat modeling via in-depth, 557–558
    threats introduced by, 107
    understanding, 102–106
forwards, web server/application attacks from unvalidated, 376–377
fraggle attack, as DoS attack, 310
fragmentation attacks
    on Android devices, 448
    defying detection by firewalls, 478
    defying detection by IDSs, 476
    web servers/applications vulnerable to, 372
fragmenting packets, preventing detection, 144
fragroute command, 144
fragtest command, 144
frames, securing door, 512
fraud, as cybercrime, 7
freeware, spyware delivery via, 236
FRR (false rejection rate), in biometric accuracy, 515
FTP (File Transfer Protocol)
    easy sniffing of, 259
    TCP 21 port for, 169
    Trojans, 240
    vulnerable to man-in-the-middle attack, 200
full backups, 63
full-open scans, 135

G
gates, securing physical area, 511
gateway host, firewalking, 470
gateways, defense against session hijacking, 352
geography, footprinting data on, 112–113
Ghost Keylogger, 248
GID (group identification number), Linux, 169
Global Catalog Service, TCP/UDP 3268 port, 170
Global System for Mobile Communications (GSM), 414
goals, of footprinting process, 103
goodwill, social engineering impact on, 286
Google Android OS. See Android OS
Google Apps, 487
Google Docs, 487
Google Earth, 112
Google hack, 108–111, 113
Google Maps, 113
Google Play store, 445, 473
Google+, 114
governance, cloud security controls, 495
gray-box testing, 14–15, 551
gray-hat hackers, 9, 11
group identification number (GID), Linux, 169
grouping error messages, extracting information by, 403
groups
    capturing user, 162–163
    Linux, 169
    security identifiers for Windows, 166–167
    storing information in SAM, 167
    Windows, 164–165
GSM (Global System for Mobile Communications), 414
guest account, Windows OS, 163

H
hack value, 13
hackers
    ethical hackers vs., 10
    evolution of, 3–8
    methodologies of, 17–21
Hackode, pentesting Android suites, 454
hacktivism, DoS attacks based on, 307
half-open (stealth) scan, 135–136
hand geometry systems, biometrics, 516
handler (master computer), DDoS attack setup, 318–319
HAPs (hardware access points), 411
hard drives
    creating test setup, 568
    physical security of portable, 506–507
Hard-disk killer, Trojan-creation tool, 243
hardening
    network against sniffing, 273
    thwarting SQL injection, 404–405
    as vulnerability in Windows, 61
hardware
    Android OS, 444
    gathering job posting data, 117
    planning disaster and recovery, 29
    protocol analyzers, 258
    tools for lab testing, 573–574
hardware access points (HAPs), 411
hash function, 81–82, 86–88
hash injection attacks, 202–203
hashing
    passwords, 203
    process of, 86–88
    rainbow tables attacks using precomputed, 203–205
    salting to strengthen password, 210
HAVAL, hashing algorithm, 87
HAVING command, error messages, 403
heap, in buffer overflow attacks, 314–315
help desk personnel, social engineering, 286
hex coding, evading detection via, 404
hexadecimal values
    MAC addresses broken down into, 54
    reading sniffer output in IP addresses, 269–270
    vs. binary, 49–50
HFS (Hierarchical File System), Mac OS X, 216
hidden field, session ID embedded in, 336
hiding data, 216–217
HIDS (host-based intrusion detection system), 463
high-availability architecture, business continuity/disaster recovery, 27
high-interaction honeypots, 474
history, of cryptography, 73–75
hoaxes, 232
Home Depot, tarnished through social media, 290
honeynets, 474
honeypots
    Bluetooth, 433
    purposes of, 473
honeyspot attacks, on Wi-Fi, 428–429
horizontal privilege escalation, 212
host, firewalking, 470
host system intrusions, signs of, 465–466
host-based intrusion detection system (HIDS), 463
hostname, using Ping via, 133
hot sites, 28, 29
hot spots, 412, 414
Hping2/hping3
    checking for live systems, 134–135
    checking status of ports, 137
    ICMP flood attacks, 309
    scanner for lab testing, 571
    web servers/applications vulnerable to, 371–372
HP's Performance Insight, detecting sniffing attacks, 275
HTTP (HyperText Transport Protocol)
    easy sniffing of, 258
    header response, 341
    listener, IIS, 363
    and SOAP, 494
    TCP 80 port for, 169
    tunneling, defying detection by firewall, 479
HTTP Injector tool, pentesting Android, 453
HTTP Tool, pentesting Android, 453
HttpOnly attribute, cookies, 379
HTTPRecon, fingerprinting website, 374
HTTPrint, identifying sites, 374
HTTPS, 367
HTTP.sys file, 363
hubs, switches vs., 56
human beings
    art of hacking, 120–121
    power of social engineering and nature of, 284
HUMINT (human intelligence), penetration testing, 558
hybrid attacks, password cracking via, 198
hybrid cloud, 488
hybrid topologies, 42–43

I
IaaS (Infrastructure as a Service) model, cloud, 365, 489
ICMP (Internet Control Message Protocol), 133–134
ICMP Backdoor, 247
ICMP flood attack, 309, 371–372
ICMP tunneling, 479
ICMP_TIME_EXCEEDED message, nmap, 472
ID Serve, providing information about web server, 373
IDEA (International Data Encryption Algorithm), 79
identity theft, 75, 296–298
idle scans, 142–143
IDS (intrusion detection system)
    detection methods, 464–465
    evading, 144, 403–404
    firewalls as form of, 467
    inner workings of, 462–463
    overview of, 57
    role of, 462
    signs of intrusion, 465–466
    testing, 480
    thwarting session hijacking via, 352
    thwarting SQL injection via, 403, 404
    types of, 462
IEEE 802.11 standard, 411–413
ignorance, social engineers preying on, 283
IGRP (Interior Gateway Routing Protocol), 45
IIS (Internet Information Server)
    countering banner grabbing, 151
    overview of, 362–363
    used by web applications, 367
IIS Lockdown, 151
IKS Software Keylogger, 248
illegal material, and cybercrime, 7
IM (Instant Messaging), spyware delivery via, 236
IMAP (Internet Message Access Protocol), 259
incident response
    business continuity plan, 26–28
    overview of, 21–22
    phases of, 22–25
    plans, 25–26
    policies, 22
    recovering from security incident, 31–32
    recovering systems, 28–29
    reporting security incident, 32
    team, 25
incident response policies (IRPs)
    in incident response plans, 25
    overview of, 22
    reporting security incident via, 32
Incognito, pentesting Android, 454
incorporation, virus, 229
incremental backups, 63
industrial, scientific, and medical (ISM) band, 414
inference
    overview of, 288
    using corporate espionage, 119
information
    data-diddling of, 7
    gathering in SQL injection attack, 402–403
    leakage caused by footprinting, 107
    sharing too much on social media, 289–291, 296
    social networking countermeasures, 292–293
    unauthorized destruction/alteration of, 7
Infrastructure as a Service (IaaS), cloud, 365, 489
ingress filtering, countering DoS/DDoS attacks, 323
initial sequence number (ISN), 343
initialization vectors (IVs), 419–420
input strings, evading detection via, 404
input validation
    SQL injection attack from flawed/absent, 391
    thwarting SQL injection using, 392, 404
    web server/application attacks from flawed/absent, 375
insertion attack, defying detection by IDS, 475
insider attacks, 555
inSSIDer tool, 426, 572
Instagram, social engineering via, 114
Instant Messaging (IM), spyware delivery via, 236
integrity – job site/postings 587
integrity
  breaking CIA triad, 16
  cryptography used for information, 75
  preserving CIA triad, 15–16
Intelius, people search utility, 113, 298
intellectual property, Code of Ethics for, 11
intelligence gathering, in penetration testing, 557–558
Interactive group, Windows, 165
Intercepter-NG, pentesting Android, 451
interference, Wi-Fi and, 411
interior controls, as third layer of physical defense, 520
Interior Gateway Routing Protocol (IGRP), Network layer of OSI, 45
International Council of Electronic Commerce Consultants (EC-Council), 10, 11–12
International Data Encryption Algorithm (IDEA), 79
Internet
  developments in hacking/cybercrime, 4–5
  evolution of hacking, 4
  footprinting, 107
  mobile device security issues, 447
  preventing threats, 294–296
  using SSL to exchange data over, 93–94
Internet Control Message Protocol. See ICMP (Internet Control Message Protocol)
Internet Information Server. See IIS (Internet Information Server)
Internet Message Access Protocol (IMAP), 259
Internet Protocol security. See IPsec (Internet Protocol security)
Internet Protocol v6 (IPv6), 273
Internet Relay Chat (IRC), spyware delivery, 236
intrusion detection system. See IDS (intrusion detection system)
intrusion prevention system. See IPS (intrusion prevention system)
intrusions
  signs of, 465–466
  testing web applications with Burp Suite, 383
investigation phase, incident response, 23
investments, researching, 117
IP address(es)
  defying detection by firewall, 478–479
  DNS and, 53
  finding website, 104–105
  importance of, 53
  looking for live hosts via ping sweeps, 134
  at Network layer of OSI model, 45
  routers and, 54
  smurf attack spoofing, 310
  using Ping via, 133
IP fragmentation, web server/application vulnerability, 372
IP ID (identification number), idle scans, 142–143
IP spoofing
  defying detection by firewall, 477
  leading to prison time, 346
  overview of, 341–342
IP subnetting, 49
IP Tool, pentesting Android, 450
iPlanet Web Server, Oracle, 367
IPS (intrusion prevention system)
  detecting/preventing network anomalies, 353
  IDS vs., 465
  overview of, 57
IPsec (Internet Protocol security)
  as cryptographic technology, 90
  defending against session hijacking, 352
  hardening network against sniffing, 273
  working with, 90–92
IPv6 (Internet Protocol v6), 273
IRC (Internet Relay Chat), spyware delivery, 236
iris recognition, biometrics, 516
IRPs (incident response policies)
  in incident response plans, 25
  overview of, 22
  reporting security incident via, 32
ISM (industrial, scientific, and medical) band, 414
ISN (initial sequence number), 343
isolation
  Apple iOS, 446
  mobile device security via, 442
ISPs (Internet Service Providers), 54
IT audits, by ethical hackers, 15
IVs (initialization vectors), 419–420

J
jailbreaking, 446–447
jamming attacks, on Wi-Fi, 428
JavaScript, in XSS, 339–340
Jerusalem virus, 230
JiWire, wireless traffic analysis, 429
job site/postings, footprinting process, 116–117
John the Ripper tool, 571
Jolt2, DoS tool, 319
JPS Virus Maker, 233–234
Juniper device, mitigating MAC flooding, 274
JXplorer, searching LDAP directory, 183

K
Kali Linux
  breaking WEP with, 420–422
  cracking WPA with, 423
  testing with, 63
  using Firewalk script with, 472
KDC (key distribution center), Kerberos, 211–212
Kerberos, 211–212
key pair, CA generating, 85
keyboard dynamics, biometrics, 516
KeyGrabber tool, 574
keyloggers
  active online attacks via, 202
  executing applications via, 214
  malware programs installing, 225
  planting in post-exploitation phase, 561
  types of keystroke recorders, 248
keys
  asymmetric algorithm, 80–86
  cryptosystem, 76
  how cryptography works, 77
  symmetric algorithm, 78–79
KisMAC, 426
Kismet
  pentesting mobile devices, 449
  tool for lab testing, 572
  wardriving with, 426
  wireless traffic analysis, 430
known plaintext attacks, on cryptographic systems, 89

L
L0phtCrack tool, passwords, 571
lab, building
  build process, 566–567
  creating test setup, 568–569
  enumeration tools, 571
  evaluating tools for, 566
  hardware tools, 573–574
  installation process, 569
  installing tools, 570
  installing virtualized OS, 570
  logging/event-viewing tools, 572
  password-cracking tools, 571
  reasons for, 566
  scanner tools, 570–571
  sniffers, 572
  what you will need, 567–568
  wireless tools, 572
Lacroix, Cameron, hacker, 5
laminated windows, 517
Lan Manager (LM) hash, storing information in SAM, 167, 209–210
LAN Turtle tool, 573
land attack, as DoS attack, 310
LanDroid, pentesting Android, 450
LAN-to-LAN wireless networks, 412
large-storage-capacity hard drives, securing, 506–507
last-in, first-out (LIFO) access, 314
launch, of virus, 229
law enforcement, reporting security incident to, 32
lawful interception (LI), or wiretapping, 258
layers, web application, 366–367
LDAP (Lightweight Directory Access Protocol), 170, 182–183
LEAP (Lightweight Extensible Authentication Protocol), wireless authentication, 418
least privilege
  mobile device security via isolation, 442
  thwarting SQL injection, 404–405
legal issues
  creating/using malware, 225–226
  with data, 507
  getting advice of lawyers on, 17
  laws, regulations and directives, 33–34
  permission from client to perform enumeration, 162
  purchasing lock-picking tools, 515
  sniffing, 258
  of social engineering, 286
legally permissible rule of evidence, 31
Let Me Rule, Trojan-creation tool, 243
LexisNexis, for competitive analysis data, 117
LFM (log file monitor) IDS, 463
LI (lawful interception), or wiretapping, 258
LIFO (last-in, first-out) access, 314
Lightweight Directory Access Protocol (LDAP), 170, 182–183
Lightweight Extensible Authentication Protocol (LEAP), wireless authentication, 418
limited discoverable mode, Bluetooth, 432
Link Extractor, 111
LinkedIn, 114, 297
Linux OS
  Android based on, 443
  banner grabbing tools, 150–151
  finding MAC address, 55
  macof MAC flood attacks, 270
  packet sniffing with tcpdump, 264–266
  passive fingerprinting of, 148–149
  using Kali Linux, 63
  vulnerabilities of, 62–63
  wireless penetration tools, 431
Linux OS enumeration
  commonly exploited services, 170–172
  DNS zone transfers, 174–176
  finger command, 178
  NULL sessions, 173–174
  services/ports of interest, 169–170
  SuperScan, 174
  Unix and, 180–182
  users, 168–169
live systems, checking for
  in targeted environment, 130–131
  using hping3, 134–135
  using ping, 133–134
  using wardialing, 131–132
LM (Lan Manager) hash, storing information in SAM, 167, 209–210
LNS tool, finding ADS streamed files, 217
LoadStorm, testing security in cloud, 496
local service account, in Windows, 164
location, footprinting data on, 112–113
lock screens, physical security via, 504
locks, securing physical area, 513–515, 519
log file monitor (LFM) IDS, 463
log file readers, pentesting Android, 453
logging tools, lab testing, 572
logic bombs, 230, 231
logic function, web applications, 369
Logic layer, web applications, 366
logon
  physical security via, 503
  web server/application attacks from insecure, 368, 377–378
logout
  web application, 369
  web server/application session management, 379
LOIC (Low Orbit Ion Cannon)
  in action, 320–322
  creating botnets, 318
  DDoS tool, 320
  pentesting Android, 451
Loki, exploiting covert channels, 247
long-lived sessions, web servers/applications, 379
low-interaction honeypots, 474
LulzSec, 8

M
MAC (media access control) address, 54–56
MAC flooding, 270–271, 274–275
Mac OS, vulnerabilities of, 61–62
MAC spoofing, 272, 427
macof MAC flood, Linux, 270
macro viruses, 230–231
maintenance, thwarting SQL injection, 404
malicious activity
  1980s hackers engage in, 4
  abusing cloud services via, 491
  current developments in hacking/cybercrime, 4–5
  ethical hackers using same tactics as, 13
malicious code, as cybercrime, 7
Maltego, 116, 151
malware
  adware, 237
  categories of, 227–228
  executing applications via, 214
  mobile device countermeasures, 455
  mobile device security issues, 442–443, 447
  overt and covert channels used by, 247–249
  overview of, 224–226
  ransomware, 238
  removing in mopping up phase of pen testing, 563
  review, 249–250
  review answers, 533–534
  review questions, 251–253
  scareware, 237
  social engineering via Trojans, 293
  spyware, 236–237
  strict laws against, 226–227
  Trojans. See Trojans
  viruses. See viruses
  worms, 234–236
Management Information Base (MIB), 178–180
man-in-the-browser attacks, 338–339
man-in-the-middle attacks. See MitM (man-in-the-middle) attacks
mantraps, securing physical area, 511–513
manual penetration testing, 561–562
mapping networks, 152–153
Marshmallow, Android OS, 442, 505
master boot record (MBR), boot-sector viruses infecting, 230
master computer (handler), DDoS attacks, 318–319
Matchstick Men movie, social engineering in, 285
MBR (master boot record), boot-sector viruses infecting, 230
McKinnon, Gary, 5
MD2 (Message Digest 2), hashing algorithm, 87
MD4 (Message Digest 4), hashing algorithm, 87
MD5 (Message Digest 5), hashing algorithm, 87
MD6 (Message Digest 6), hashing algorithm, 87
measured service, cloud computing, 487
mechanical locks, physical access control, 513
Medusa, password-cracking tool, 571
Melissa virus, 5, 231
membership registration sites, databases in, 395
memory, buffer overflow attacks on, 314–317
mesh topology, 42–43
<META> tag, code injection attacks, 341
metadata, 364–365
metamorphic viruses, 230
MIB (Management Information Base), 178–180
MicroSD cards, mobile device encryption, 505
Microsoft Hyper-V, building lab with, 569
Microsoft Proxy Server firewall, 470
Microsoft Windows OS
  Apple devices not playing well in, 62
  common vulnerabilities of, 60–61
  finding MAC address, 55
Microsoft Windows OS enumeration
  commonly exploited services, 170–172
  DNS zone transfers, 174–176
  groups, 164–165
  NULL sessions, 173–174
  overview of, 163
  PsTools suite, 177
  security identifiers, 166–167
  services and ports of interest, 169–170
  storing information in SAM file, 167
  SuperScan, 174
  users, 163–164
Minipwner tool, 573
misconfiguration
  attacks on web servers/applications, 375
  on Wi-Fi, 428
MitM (man-in-the-middle) attacks
  application-level hijacking via, 341
  on cryptographic systems, 89
  in exploitation phase, 560
  as passive online attacks, 200–201
  pentesting mobile devices via, 450
  performing, 347–351
  as session hijacks, 346
  TCP packet sequence numbers in, 47–48
Mitnick, Kevin, 346
mnemonics, OSI layers, 46
mobile apps, 363–364
mobile device security
  Android OS, 443–446
  Apple iOS, 446–447
  approaches to, 442–443
  countermeasures, 454–455
  cryptography in, 75
  firewalls for, 473
  goals of, 441–442
  OS models and architectures, 440–441
  overview of, 440
  penetration testing, 449–450
  penetration testing using Android, 450–454
  physical theft, 505–506
  problems, 447–449
  review, 455–456
  review answers, 544
  review questions, 457–460
  use of locks, 519
modems, 131–132
modules, Apache web server/IIS, 363
monitoring, session hijacking process, 334
mopping up phase, penetration testing, 563
moral obligation, social engineers prey on victim’s, 283
Morris, Robert T., Jr., as first hacker, 4–5
MSN Sniffer, 260
multifactor authentication, 198
multihomed firewall configuration, 468
multipartite (or file) viruses, 230, 232
multiple access points, wireless networks, 412, 429–430
multi-tenant environments, threats to cloud security, 491
Myspace, people search utility, 297

N
NAT (Network Address Translation), routers using, 54
nature, securing physical area, 509
NBNS (NetBIOS Name Service), 170
nbstat command, 171–172
NBTScan, for lab testing, 571
Nessus Vulnerability Scanner, 130, 380
NetBIOS, 171, 174
NetBIOS Name Service (NBNS), 170
NetBIOS Session Service (SMB over NetBIOS), port for, 170
Netcat
  for Android, 451
  enumeration tool for lab testing, 571
  planting backdoors, 215
  port redirection, 248–249
  providing information about web server, 374
Netcraft
  banner grabbing with, 150
  finding information about URLs, 111
  providing information about web server, 374
NETGEAR device, mitigating MAC flooding, 274–275
NetScan tools, 571
NetScanTools Pro, 186
netstat, detecting open ports, 241
NetStumbler, 426, 572
NetWitness NextGen, sniffer, 260
Network Address Translation (NAT), routers using, 54
network cards, 411
Network Discovery tool, pentesting Android, 450
Network group, Windows, 165
Network Handbook, pentesting Android, 450
network interface cards (NICs), 54
network intrusion detection system. See NIDS (network intrusion detection system)
Network layer, OSI model
  IP subnetting, 49
  overview of, 45
  routers at, 54
  session hijacking at, 334
network mappers, 152–153
Network News Transfer Protocol (NNTP), 258
network scans, 129
network security, 58–59
network service account, Windows, 164
network session hijacking, 344
network sniffing, against cloud, 494
Network Time Protocol (NTP), and enumeration, 184
network topologies
  bus, 40–41
  hybrid, 42–43
  mesh, 42–43
  overview of, 40
  ring, 41
  star, 42
networking tools, pentesting tools for Android, 450–451
NetworkMiner, lab testing tool, 572
networks
  administrator interaction with web servers, 360
  attacks caused by footprinting, 107
  attacks on mobile devices, 441
  defending against session hijacking, 352
  DoS attacks against specific, 308
  firewalls, 56–59
  information gathering on, 104–105, 119–120, 558
  intrusions, 6, 466
  proxies, 56
  routers and switches, 53–56
Nexpose, 130, 496
NICs (network interface cards), 54
NIDS (network intrusion detection system)
  detecting sniffing attacks, 275
  overview of, 463
  targeting with DoS attack, 475
NirSoft Suite, 571
Nmap
  defying detection by firewall, 478
  defying detection by IDS, 476
  detecting Trojans and viruses, 240–241
  determining firewall configuration, 472–473
  FIN scan with, 141
  fragmenting packets, 144
  how it works, 141
  importance in CEH exam, 133–134
  NULL scan with, 141
  OS detection with, 146–147
  pinging with, 133
  port scanning with, 129
  providing information about web server, 374
  as scanner for lab testing, 570
  stealth or half-open scan with, 139
  as vulnerability scanner, 152
  Xmas tree scan with, 140
NNTP (Network News Transfer Protocol), 258
nondiscoverable mode, Bluetooth, 432
nonpairing mode, Bluetooth, 432
nonrepudiation
  cryptography in, 76
  symmetric cryptography lacking, 78
non-repudiation, supporting CIA triad, 16–17
nontechnical (or non-electronic) attacks
  password cracking, 199
  social engineering, 282
NOP sled, buffer overflow attack, 317
nslookup command, DNS, 119–120, 175–176
NT LAN Manager (NTLM), 167, 209–210
NTFS volumes, 217
NTLM (NT LAN Manager), 167, 209–210
Ntop tool, 572
NTP (Network Time Protocol), in enumeration, 184
NULL scan, 141–142
NULL sessions, exploiting, 173–174
numbers
  decoding SID, 166–167
  TCP packet sequence, 47–48
  TCP/IP port, 50–52

O
obfuscated code, evading detection via, 404, 476
object identifiers (OIDs), recognizing MIB elements, 179
object identifiers, recognizing MIB elements, 179
objective, pre-engagement interactions, 553–554
object-oriented programming databases, 395
Office 365, cloud computing for, 487
Office of Personal Management (OPM), threats to cloud security, 490
offline attacks
  extracting hashes from system, 203
  overview of, 203
  password cracking via, 199
  precomputed hashes/rainbow tables, 203–205
  on WPA/WPA2, 424
OIDs (object identifiers), recognizing MIB elements, 179
omnidirectional antennas, 415
OmniPeek, sniffer, 259
on-demand self-service, cloud computing, 486
OneDrive, cloud computing, 487
one-way hash function, 81–82
online habits, changing, 295
Open Signal tool, wireless traffic analysis, 429–430
open source
  information gathering via footprinting, 106
  Linux OS, 63
Open Web Application Security Project (OWASP), 380, 448
open-source intelligence (OSINT), 558
OpenSSL, web application encryption, 380
open-system authentication, Wi-Fi, 416
operating systems. See OSs (operating systems)
OphCrack tool, 571
opinion evidence, defined, 30
OPM (Office of Personal Management), threats to cloud security, 490
Oracle VM VirtualBox, building lab, 569
Orbot, pentesting Android, 454
order by statement, in SQL injection attack, 398
organization data, in footprinting, 105–106
Orweb, pentesting Android, 454
OS fingerprinting
  active, 146–147
  overview of, 145–146
  passive, 147–149
OS X, Apple iOS based on, 446
OSI (Open Systems Interconnection) model
  attacks caused by footprinting, 107
  overview of, 44–46
  session hijacking in, 334
  TCP/IP suite mapping to, 47–48
OSINT (open-source intelligence), 558
OSs (operating systems)
  Android, 62, 444
  Apple iOS. See Apple iOS
  choosing for test setup, 568
  finding information in footprinting, 105
  Linux, 62–63
  Mac OS, 61–62
  Microsoft Windows, 60–61
output, reading sniffer, 266–270
outside attacks, pre-engagement interactions, 555
overt channels, 239
OWASP (Open Web Application Security Project), 380, 448

P
p0f tool, Linux, 148–150
P2P (Peer-to-Peer Networks), spyware delivery via, 236
PaaS (Platform as a Service), cloud, 366, 489
Packet Capture tool, pentesting Android, 450
packet capture, with sniffers. See sniffers
packet crafters, 137
Packet Generator, pentesting Android, 451
packet sequencing, implementing TCP hijacking, 344–345
packet sniffing, 199–200
packet-filtering firewalls, 57, 469
PacketShark, pentesting Android, 451
Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, 381
PageXchanger for IIS, 151
pairing mode, Bluetooth, 432
palm scan systems, biometrics, 516
Parabolic Antenna tool, lab testing, 574
parabolic grid antennas, 415–416
Paranoid Android, 446
parties involved, pre-engagement interactions, 553–554
passive fingerprinting, OSs, 146–147
passive information gathering, footprinting, 106
passive online attacks
  man-in-the-middle, 200–201
  overview of, 199
  packet sniffing, 199–200
  password cracking, 198
  replay attack, 201–202
passive session hijacking attack, 335–336
passive sniffing, 256
passive wireless network attacks, 425
passphrases, identity theft protection, 297
passwd file, Linux, 168
password cracking
  as active online attack, 202–203
  of cloud services, 491
  of database server, 396
  in distributed network attack, 205–206
  in exploitation phase, 560
  as offline attack, 203–205
  as passive online attack, 199–202
  performing, 377–378
  risk mitigation for WEP/WPA, 425
  techniques, 198–199
  understanding, 196–198
password guessing
  as active online attack, 202
  obtaining password via, 207
password-cracking backdoors, 247
password-protected screensavers, 504
passwords
  adding additional security measures to, 504
  avoid saving of, 296
  biometric authentication replacing, 515
  capturing in post-exploitation phase, 561
  cybercrime of stealing, 6
  Linux user account, 168
  mobile device countermeasures, 454–455
  mobile device security issues, 447
  in multifactor authentication, 198
  physical security via, 503
  SNMP, 179
  social networking and, 289
  social networking countermeasures, 292–293
  storing information in SAM, 167
  as vulnerability in Windows, 61
  web server/application issues, 377–378, 379
  working with, 503
patches
  creating test setup, 568
  installing for lab testing, 569
  mobile device security issues, 447
  as vulnerability in Windows, 60
Path attribute, cookies, 380
Patriot Act, malware and, 226–227
pattern matching, IDS signature detection, 464
PBXs (private branch exchanges), wardialing, 132
PDF printer, for lab testing, 569
PDF viewer, for lab testing, 569
PDQ Deploy, planting backdoors, 214
peer CA, 85
penetration (pen) testing
  alternative methods of testing, 550–552
  Android OS, 450–454
  automated vs. manual, 561–562
  building lab for. See lab, building
  contract contents for, 555–556
  evaluating necessity of, 19–20
  evasion, 479–480
  exploitation, 560
  footprinting phase, 100–101
  frameworks, 549
  gaining permission, 556
  IDS, 480
  intelligence gathering, 557–558
  of mobile devices, 449–454
  mopping up, 563
  Penetration Testing Execution Standard, 552–553
  permissions/contracts before, 13
  post-exploitation, 560–562
  pre-engagement interactions, 553–555
  reporting, 562–563
  review, 563–564
  security in cloud, 495–496
  tests within, 20–21
  threat modeling, 558–559
  vulnerability analysis, 559–560
  web applications, 383–384
penetration testers
  ethical hackers as, 2, 12–17
  prerequisites for, 10
  role of, 19–21
Penetration Testing Execution Standard. See PTES (Penetration Testing Execution Standard)
People Search, 297
people search utilities, 113
Performance Insight, detecting sniffing attacks, 275
perimeter, building physical defense, 520
permanent DoS attack, 310
permissions
  black hats functioning without, 11
  ethical hacker responsibility for, 9–10
  Linux group, 169
  mobile device access control via, 443
  before starting testing activity, 13, 556–557
  web applications, 369
  white hats functioning with, 11
personally identifiable information. See PII (personally identifiable information)
personally owned devices, in workplace, 440–441, 448–449
PGP (Pretty Good Privacy), 79, 92–93
phases, social engineering, 285
Phatbot, Trojan-creation tool, 243
phishing, social engineering, 120–121, 293–294
phlashing, permanent DoS, 310
phone taps, firewalls acting as, 467
PhoneSweep wardialing program, NIKSUN, 132
physical access, spyware delivery via, 236
Physical layer, OSI model, 45
physical security
  biometrics, 515–516
  contactless cards, 515
  data storage, 506–509
  defense in depth, 519–520
  doors and mantraps, 511–513
  education and awareness, 519
  entryways, 517–518
  fences, 511
  gates, 511
  locks, 513–515
  mobile device issues, 505–506
  other items to consider, 519
  overview of, 502
  physical penetration test of, 554
  review, 520–521
  review answers, 547–548
  review questions, 522–524
  securing physical area, 510
  server rooms and networks, 518
  simple controls, 503–505
  walls, ceilings, and floors, 516–517
  windows, 517
picks, lock, 514
PII (personally identifiable information)
  footprinting causing threats to, 107
  preventing, 393
  preventing threats when posting, 296
  SQL injection attacks stealing, 391
PIN code problem, WPS, 422–423
pin-and-tumbler locks, physical access control, 513
ping of death, as DoS attack, 309–310
ping utility
  checking for live systems via, 133–134
  checking for live systems via hping, 134–135
  gaining information about target’s network, 119
  ping sweeps, 134
pivot points, wardialing, 132
PKI (public key infrastructure), 83–86
plain text/clear text
  in asymmetric algorithms, 80
  how cryptography works, 77
  PKI system, 83–85
  in symmetric algorithms, 77
  understanding hashing, 86–88
plaintext attacks, WEP vulnerability, 419
plans, incident response, 25–26
planting backdoors, 18
Platform as a Service (PaaS), cloud, 366, 489
PlugBot, creating botnets, 318
points of failure, disaster and recovery plans, 29
Poison Ivy, creating botnets, 318
poison null byte attacks, scripting errors, 378
policies
  BYOD, 448
  capturing settings in enumeration phase for, 163
  firewall configuration via security, 467
  hardening network against sniffing, 273
  incident response. See IRPs (incident response policies)
  lack of social engineering security, 283
  strong password, 503
PoliteMail tool, 117
polycarbonate acrylic windows, 517
polymorphic viruses, debut of, 230
POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, 381
poorly written/questionable scripts, causing attacks, 378
POP (Post Office Protocol), sniffing of, 258
pop action, program stack, 314–315
pop-up blockers, social engineering prevention, 294
port mirroring, sniffing switched networks, 272–273
Port Scanner, pentesting Android, 450
port scanning
  checking status of ports, 135–137
  detecting Trojans and viruses, 240–241
  determining type/brand of firewalls, 470
  overview of, 129
portables, securing, 519
portals, as mantraps, 513
ports
  checking status of, 135–137
  hardening network by securing, 273
  knowing for exam, 169–170
  redirecting, 248–249
  TCP/IP, 50–53
  tracking usage with TCPView, 242–243
  using Firewalk, 471
  using netstat to detect open, 241
positive pressure, server rooms, 518
post exploitation, pentesting mobile devices, 450
Post Office Protocol (POP), sniffing of, 258
Poulsen, Kevin Lee (Dark Dante), hacker, 5
power outages
  mesh topology and, 42–43
  star topology and, 42
preinstalled applications, Android OS, 445
Presentation layer, OSI model, 46, 366
preservation rule of evidence, 31
Pretty Good Privacy (PGP), 79, 92–93
primary (default) groups, Linux, 169
printers, physical protection of, 519
privacy
  Code of Ethics for, 11
  ethical hacker responsibility for, 10
  footprinting causing loss of, 107
  with SNMPv3, 178
  social engineering impacting loss of, 285
  social networking countermeasures, 293
private branch exchanges (PBXs), wardialing, 132
private browsing, preventing threats, 295
private cloud, 488
private keys, 80–86, 93
privilege escalation, on Microsoft platforms, 211–212
processes, running Windows, 164
process-hiding backdoor, 247
promiscuous client attacks, Wi-Fi, 428
promiscuous mode, detecting sniffing attacks, 275
proper identification rule of evidence, 31
protocol anomaly detection, IDS, 465
protocol listeners, IIS, 363
protocols, subject to sniffing, 258–259
proxies
  overview of, 56
  pentesting tools for Android OS, 453
  providing anonymity for scanning party, 153–154
  setting up web browser to use, 154–155
  testing web applications with Burp Suite, 383
proxy Trojans, 240
proxy-based firewalls, 469
pseudonymous footprinting, 106–107
PSH flag, 137, 139–140
Psiphon, pentesting Android, 453
pspv.exe tool, 208
PsTools suite, planting backdoors, 214
PTES (Penetration Testing Execution Standard)
  contents of contract, 555–556
  gaining permission, 556–557
  intelligence gathering, 557–558
  pre-engagement interactions, 553
  seven stages of, 552–553
  threat modeling, 558–559
  working with, 553
public cloud, 488
public information, intelligence gathering for, 558
public key infrastructure (PKI), 83–86
public keys
  in asymmetric cryptography, 80–86
  CA publication of, 85
  Pretty Good Privacy using, 92–93
public places, access to sensitive information in, 295
public profiles, avoiding on social networks, 293
public websites, in footprinting process, 111–112
push action, program stack, 314–315
push messaging, Android OS, 445
pwdump command, extracting hashes, 203
Pwn Pad, 430, 573
Pwn Phone, 430, 573
Pwnie Express, 430

R
RA (Registration Authority), CA as, 85
rack-mounted servers, server rooms, 518
radio frequency ID (RFID), physical access control, 515
RADIUS (Remote Authentication Dial-In User Service), 417–418
rainbow table attacks, 203–205
RainbowCrack, 571
RAM, creating test setup, 568
range
  extending Bluetooth device, 432
  wireless networks and, 411
ransomware, 7, 238
rapid elasticity, in cloud computing, 487
Raspberry Pi, 427, 573
RATs (Remote Access Trojans), 240
RC2 symmetric algorithm, 79
RC4 symmetric algorithm, 79
RC5 symmetric algorithm, 79
RC6 symmetric algorithm, 79
RCPT TO command, SMTP enumeration, 186
reaper virus, 228
Reaver, tool for lab testing, 572
receptionists, as targets of social engineers, 286
reconnaissance, ethical hacking. See footprinting
records (rows), database, 395
recovery
  DRP. See disaster recovery plan (DRP)
  as incident response phase, 24
RECUB (Remote Encrypted Callback Unix Backdoor), Trojan-creation tool, 243
red team, pentester, 557
redirects, web server/application attacks from unvalidated, 376–377
redundancy
  disaster and recovery plans for, 28–29
  mesh topology providing high, 42–43
  ring topology providing, 42
reflected XSS attacks, 340
registered ports, 51–52
Registration Authority (RA), CA as, 85
relational databases, 395
Relay service, SMTP, 186
relevance rule of evidence, 31
reliability rule of evidence, 31
religious law, ethics and, 33
Remote Access Trojans (RATs), 240
Remote Authentication Dial-In User Service (RADIUS), 417–418
Remote Encrypted Callback Unix Backdoor (RECUB), Trojan-creation tool, 243
Remote Procedure Call (RPC), TCP 135 port, 169
remote wiping, 449, 455
RemoteExec, planting backdoors, 214
repair phase, incident response, 24
replay attack, 201–202
replication, 229
reporting
  in penetration testing, 562–563
  as responsibility of ethical hacker, 14
  security incident, 32
reputation filtering, protection from botnets, 324
researching, viruses, 233–234
resource pooling, cloud computing, 487
response phase, incident response, 23
responsibilities, ethical hacker, 9–10
Restorator, distributing Trojans, 246
Restricted group, Windows, 165
restricted websites, footprinting, 111–112
retina pattern systems, biometrics, 516
revenue, footprinting and loss of, 107
reversal testing, 552
reverse proxy, protecting from DoS/DDoS attacks, 323
reverse SSH tunneling, breaching wireless networks, 427
Reverse World Wide Web (WWW) Tunneling Shell, 248
RFC 3704 filtering, protecting from botnets, 323
RFID (radio frequency ID), physical access control, 515
rights, Linux group, 168
Rijndael, 79
ring topologies, 41
RIP (Routing Information Protocol), 45
RIPE-MD, hashing algorithm, 87
risk
  cloud controls managing, 495
  contract content stating perceived, 555
  increased wireless network, 410
  mobile device security, 440–441
  reporting security incident, 32
rlogin keystrokes, Telnet, 258
rogue access point attacks, Wi-Fi, 426–427
root CA, 85
root directory, directory traversal attacks, 382
rooting device, Android, 444
rootkits, 227
Rosetta stone, 74
router throttling, protecting from DoS/DDoS, 323
routers
  evading with fragmenting, 144
  firewalls acting as, 467
  firewalls working in conjunction with, 468
  overview of, 53–54
Routing Information Protocol (RIP), 45
rows (records), database, 395
RPC (Remote Procedure Call), TCP 135 port, 169
rpcinfo command, Linux/Unix, 181
RST flag
  ACK scanning and, 143
  defined, 137
  defying detection by IDS with, 477
  full-open scans, 138
  idle scans, 142–143
  stealth or half-open scans, 138–139
rule-based attacks, password cracking via, 198
rules
  of engagement, 13–14, 558
  of evidence, 31
  firewall, 467
  for strong passwords, 197–198
runtime, Android application, 444–445

S
SaaS (Software as a Service), cloud, 366, 488–489
SAM (Security Accounts Manager)
  authentication on Microsoft platforms, 209–210
  how passwords are stored within, 209–210
  user and group information stored in, 167
sample scripts, and scripting errors, 378
sandboxing, access control via, 444
SandroProxy, pentesting Android, 453
sanitation methods, 508, 509
SAPs (software access points), 411–412
Saran Wrap, Trojans, 246
Sarbanes–Oxley Act (SOX or SarBox), 2002, 34
satellites, footprinting location data, 112
save capture function, sniffers
  overview of, 257–258
  reading captured output, 267–270
  Wireshark, 262
scalar objects, MIB, 179
scale, DoS attacks vs. DDoS attacks, 317–318
scams, social media, 290–291
scanner, testing web applications with Burp Suite, 383
scanners, lab testing tools, 570–571
scanning
  ACK scans, 143–144
  banner grabbing, 149–151
  checking for live systems, 130–135
  checking status of ports, 135–137
  ethical hacking and, 101
  FIN scans, 137–138
  full-open scans, 135
  idle scans, 142–143
  network mapping, 152–153
  NULL scans, 141–142
  OS fingerprinting, 145–149
  pentesting mobile devices, 449
  pentesting tools for Android, 452–453
  review, 155
  review answers, 530–531
  review questions, 156–158
  as second phase of ethical hacking, 17
  stealth or half-open scans, 135–136
  techniques used in, 161
  types of, 129–130
  types of information learned by, 130
  UDP scans, 144–145
  understanding, 128–129
  using proxies, 153–155
  in vulnerability analysis phase, 559
  vulnerability scanners, 129–130, 151–152
  when scan is blocked, 144
  Xmas tree scans, 136–137
scareware, 237, 284
Schneier, Bruce, 79
scope, pre-engagement interactions, 553
screened subnet, firewall configuration, 468
screensavers, physical security, 504
script kiddies, 9
scripting errors, in attacks on web servers/applications, 378
search engines, in footprinting, 108–111
SEC (Securities and Exchange Commission), 117
secondary evidence, 30
secondary groups, Linux, 169
secrecy, in cryptography, 75
sector-specific data, intelligence gathering for, 558
Secure attribute, cookies, 379
Secure Hash Algorithm-0 (SHA-0), 87
Secure Hash Algorithm-1 (SHA-1), 87
Secure Hash Algorithm-2 (SHA-2), 87
Secure Shell (SSH), hardening network, 273
Secure Sockets Layer. See SSL (Secure Sockets Layer)
Securities and Exchange Commission (SEC), 117
security
  cryptography. See cryptography
  early Internet not designed for, 4
  footprinting. See footprinting
  network, 58–59
  in pentesting, 13
  preserving CIA triad when planning, 16
  of private cloud, 488
  vs. convenience analysis, 14
security film windows, 517
security identifiers (SIDs), 166–167
security policies, and social engineering, 283
security software disablers, Trojans as, 240
Self group, Windows, 165
SENA adapter, in test setup, 568
Senna spy, Trojan construction kit, 246
sequencer, Burp Suite, 383
SERP (search engine results page), footprinting, 108
server administrators, and web servers, 360
Server Mask, countering banner grabbing, 151
server rooms and networks, securing, 518
server validation, 425
server-side technologies
  SQL injection and, 394
  understanding web applications, 365
Service group, Windows, 165
service hijacking, against cloud, 490, 494
service packs, Windows vulnerability, 60
service providers
  planning for disaster and recovery, 28
  as threat to cloud security, 491
service request flood, as DoS attack, 308
service set identifier. See SSID (service set identifier)
service-level agreements (SLAs), 27, 29
services
  commonly exploited, 170–171
  and ports of interest, 169–170
  protecting from DoS/DDoS attacks by degrading, 323
  protecting from DoS/DDoS attacks by disabling, 323
session desynchronization, session hijacking, 334
session fixation attack, 341
session hijacking
  active and passive attacks, 335–336
  defensive strategies, 352–353
  DNS spoofing, 351–352
  in exploitation phase, 560
  key concepts, 341–343
  man-in-the-middle attack, 346–351
  network, 344–346
  overview of, 332
  pentesting tools for Android, 451
  review, 353–354
  review answers, 539–540
  review questions, 355–358
  in session fixation attack, 341
  spoofing vs. hijacking, 334
  TCP packet sequence numbers in, 47–48
  types of application-level, 337–341
  UDP, 352
  understanding, 332–334
  web apps and, 336–337
session ID prediction, session hijacking, 334
session IDs
    session hijacking at application level, 336–337
    session management issues, 379
    types of session hijacking, 333
    understanding, 334
Session layer, OSI model, 46
session management, web servers and applications, 378–379
session riding (or CSRF), against cloud, 491–492
session sniffing, 337
session splicing, 476
session tokens, 334, 338
session tracking, web applications, 369
SETI (Search for Extraterrestrial Intelligence) project, 206
SETI@home project, 206
SFind tool, 217
SHA-0 (Secure Hash Algorithm-0), 87
SHA-1 (Secure Hash Algorithm-1), 87
SHA-2 (Secure Hash Algorithm-2), 87
shared key authentication, Wi-Fi, 416–417
SharesFinder, pentesting Android, 451
Shark, creating botnets, 318
Shark for Root, pentesting Android, 451
sheep-dip system, researching viruses, 233–234
shell viruses, 232
Shodan search engine, 297, 374
Short Message Service (SMS), pentesting mobile devices, 450
shoulder surfing, 121, 293
showmount command, Linux/Unix, 181
shredding, physical security via, 508
side channel attacks, on cloud, 492–493
SIDs (security identifiers), 166–167
signature wrapping attacks, on cloud, 493
signature-based IDS, 464
Simple Mail Transfer Protocol. See SMTP (Simple Mail Transfer Protocol)
Simple Network Management Protocol. See SNMP (Simple Network Management Protocol)
Simple Object Access Protocol (SOAP), 493, 494
site survey tools, wireless networks, 426
Skyhook, wireless traffic analysis, 429
Slammer worm, SQL, 234–235
SLAs (service-level agreements), 27, 29
slaves (zombies), DDoS attack setup, 318–319
SlimROM, Android, 445
smart cards, supplementing passwords, 504
smartphones
    Android OS. See Android OS
    Apple iOS. See Apple iOS
    bring your own device issues, 448–449
    hacking with Pwn Phone, 430
smashing stack, buffer overflow attacks, 315–316
SMB over NetBIOS (NetBIOS Session Service), port for, 170
SMB over TCP (or Direct Host), port for, 170
Smith, David L., hacker, 5
SMS (Short Message Service), pentesting mobile devices, 450
SMTP (Simple Mail Transfer Protocol)
    easy sniffing of, 258
    enumeration with, 162, 184–186
    TCP 25 port for, 169
smurf attacks, 310
sniffers
    on the defensive, 273
    detecting attacks, 275
    overview of, 256
    in passive session hijacking attacks, 335
    reading output, 266–270
    review, 275–276
    review answers, 534–536
    review questions, 277–280
    switched network, 270–275
    tcpdump, 264–266
    tools, 259–260, 572
    understanding, 256–258
    using, 259
    Wireshark, 260–264
sniffing, session hijacking process, 334, 352
SNMP (Simple Network Management Protocol)
    enumeration with, 162, 178–179
    MIB used as codebook by, 179–180
    UDP 161 and 162 ports for, 170
SNScan, 180
SOAP (Simple Object Access Protocol), 493, 494
SOASTA CloudTest, 495–496
social engineering
    commonly employed threats, 293–296
    on cryptographic systems, 89
    as cybercrime, 6
    footprinting as, 107, 120–121
    identity theft as, 296–298
    impact of, 285–286
    on mobile devices, 442
    phases of, 285
    power of, 284
    pre-engagement interactions, 554
    review, 298–299
    review answers, 536–537
    review questions, 300–303
    social networking as, 287–291
    social networking countermeasures, 291–293
    targets of, 286–287
    understanding, 282–283
    why it works, 283–284
social networking
    countermeasures for, 291–293
    in footprinting process, 113–116
    gathering information via, 287–291
    strengthening your accounts from, 289–291
software
    adware installed with, 237
    encryption weaknesses in web applications, 380
    gathering job posting data, 117
    malicious. See malware
    mobile device security issues, 447
    spyware installed with, 237
    tools for building lab, 570–571
Software as a Service (SaaS), cloud, 488–489
software piracy, as cybercrime, 7
software updates
    installing for lab testing, 569
    mobile device countermeasures, 455
solar film windows, 517
solid state drives (SSDs), problems with, 509
Sony Corporation, SQL injection attack on, 391
Source IP reputation filtering, protection from botnets, 324
source routing, 342
SPAN (Switched Port Analyzer) port, sniffing switched networks, 272–273
sparse-infector viruses, 231
spear phishing, 121
Spector Pro keylogger, 248
SPI (stateful packet inspection), in ACK scanning, 142–143
Spider tool, testing web applications, 383
Spokeo, people search utility, 113, 297
spoofing
    DNS, 343
    IP, 341–342
    MAC, 427
    pentesting mobile devices, 450
    vs. session hijacking, 334
spyware
    active online attacks via, 202
    defined, 227
    methods of infection, 236–237
    overview of, 236
SQL injection
    altering data with, 399–401
    anatomy of, 396–399
    blind, 401–402
    against cloud, 494
    countermeasures, 404–405
    database vulnerabilities, 394–396
    evading detection mechanisms, 403–404
    information from error messages and, 403
    information gathering and, 402–403
    introduction, 390–392
    lack of input validation allowing, 375
    overview of, 390
    pentesting tool for Android, 453
    prerequisites for, 390
    results of, 392–393
    review, 405
    review answers, 541–542
    review questions, 406–408
    web application anatomy and, 393–394
SQL Slammer worm, 234–235
SQLite Editor, pentesting Android, 453
sqlmapchik, pentesting Android, 453
SQLPing 3.0, 396
SQLRecon, 396
SSDs (solid state drives), problems with, 509
SSH (Secure Shell), hardening network, 273
SSID (service set identifier)
    access points broadcasting, 413
    changing default, 413
    open system authentication for Wi-Fi and, 416
    rogue access point attack on, 427
    wireless traffic analysis, 429–430
SSL (Secure Sockets Layer)
    defending against session hijacking, 352
    hardening network against sniffing, 273
    POODLE attack using, 381
    at Presentation layer of OSI model, 46
    securing information, 93–94
SSL Strip, 200–201, 451
Stacheldraht, DDoS tool, 320
stack
    buffer overflow attacks and, 314–315
    smashing, 315–316
standard windows, 517
star topology, 42
stateful packet inspection (SPI), in ACK scanning, 142–143
stateful firewalls
    multilayer inspection, 469
    packet filtering, 57
    preventing port scans, 143
stateless, defined, 367
stealing session ID, in session hijacking, 333
stealth (half-open) scan, 135–136
Stealth Tool, hiding Trojans, 246
stolen equipment attack, 555
stolen session. See session hijacking
stored XSS attacks, 339–340
strong passwords
    physical security via, 503
    rules for, 197–198
Stunnel, 381
Stuxnet virus, 6, 45
subdomains
    defined, 111
    footprinting restricted websites, 111–112
    revealing with Netcraft tool, 111
subnetting, IP, 49
subordinate CA, 85
suicide hackers, 9
suites, pentesting Android, 454
SuperScan
    enumeration tool for lab testing, 571
    enumeration utilities of, 174
    scanner for lab testing, 570
Svechinskaya, Kristina Vladimirovna, 6
switched networks, sniffing
    ARP poisoning, 271–272
    MAC flooding, 270–271
    MAC spoofing, 272
    mitigating MAC flooding, 274–275
    port mirror or SPAN port, 272–273
Switched Port Analyzer (SPAN) port, sniffing switched networks, 272–273
switches
    broadcast domains/collision domains, 55–56
    nbstat, 171–172
    nmap, 141
    overview of, 54–55
    tcpdump, 266
syllable attacks, password cracking via, 198
symbols, Egyptian hieroglyphic, 74–75
symmetric cryptography, 77–79
SYN attack/flood
    as DoS attack, 309
    performing, 311–314
    web servers/applications vulnerable to, 372
SYN flag
    checking status of ports, 136–137
    passive fingerprinting of OS, 147–149
    performing idle scan, 142–143
SYN packet, TCP/IP suite, 47–48
SYN scan, 138–139
SYN sequence numbers, TCP/IP session hijacking, 344
SYN-ACK response
    passive fingerprinting of OS, 147–149
    performing idle scan, 142–143
    performing stealth or half-open scan, 138–139
    SYN attack/floods exploiting, 309
    TCP three-way handshake and, 47–48
Sysinternals Suite, for lab testing, 571
SYSKEY, improving security of SAM, 209
Syslog, pentesting Android, 453
system (boot-sector) viruses, 229, 230
system account, processes in Windows, 164
system administrators
    as targets of social engineers, 286
    tendency to use backdoor accounts, 287
system fundamentals
    backup/archiving, 63–64
    DNS, 53
    exam objectives, 39
    hexadecimal vs. binary, 49–50
    IP subnetting, 49
    IPS and IDS, 57
    network devices, 53–57
    network security, 58–59
    network topologies, 40–44
    operating systems, 60–63
    OSI model, 44–46
    review, 64–65
    review answers, 527–528
    review questions, 66–69
    TCP/IP ports, 50–53
    TCP/IP suite, 47–48
System group, Windows, 165
system hacking
    active online attacks, 202–203
    authentication on Microsoft platforms, 209–213
    covering tracks, 215–217
    distributed network attacks, 205–206
    executing applications, 213–214
    in hacking process, 18
    offline attacks, 203–205
    options for obtaining passwords, 207–208
    overview of, 194, 196
    passive online attacks, 199–202
    password cracking, 196–199, 208–209
    as phase of ethical hacking, 102
    planting backdoors, 214–215
    previous phases of ethical hacking, 194–196
    review, 217–218
    review answers, 532–533
    review questions, 219–221
system integrity verifier, 463
system knowledge, in contract content, 556
system weaknesses, penetration testing, 558

T

tables, SQL injection attack on, 399
tablets
    bring your own device issues, 448–449
    hacking with Pwn Pad, 430
    using for lab testing, 574
tabular objects, MIB, 179
tailgating, mantraps preventing, 512–513
tandem testing, 552
Targa, DoS tool, 319
Target Corporation, data breach, 225, 489–490
target of evaluation (TOE), 13
targets
    acquiring for SQL injection attack, 397–398
    DoS, 308
    of evaluation in contract, 555
    intelligence gathering to define, 557
    social engineering, 286–287
TCP (Transmission Control Protocol)
    Connect scan, 138
    defying detection by IDS, 476–477
    flags, 137
    port numbers, 169–170
    service request floods exploiting, 309
    session hijacking, 344–345, 346
    at Transport layer of OSI model, 46
TCP three-way handshake
    in blind hijacking, 341
    checking status of ports, 135–136
    desynchronizing connection, 343
    DNS, 351
    full-open scan completing, 138
    overview of, 47–48
    reading captured output of, 267
    SYN attack/floods exploiting, 309
tcpdump, sniffer
    defined, 259
    packet sniffing in Linux, 264–266
    sniffer tool for lab testing, 572
TCP/IP ports, 50–53
TCP/IP suite, 47–48, 333
TCPView, 242–243, 571
teams, incident response, 25
teardrop attack, as DoS attack, 310
technology
    evolution of hacking in response to, 4
    little impact on social engineering, 283
Teflon Oil Patch, distributing Trojans, 246
telephone calls, law enforcement and sniffing, 258
Telnet
    banner grabbing with, 149–151
    easy sniffing of, 258
    enabling in modern Windows, 149
    TCP 23 port for, 169
    vulnerable to man-in-the-middle attack, 200
telnet command, SNMP enumeration, 185
tension wrenches, lock picking, 514
Terminal Server User group, Windows, 165
terminology
    footprinting, 106–107
    wireless, 414
terrorism, and social engineering, 285
testing. See penetration (pen) testing
TFN2K, DDoS tool, 320
TGS (ticket-granting server), Kerberos, 211–212
TGT (ticket-granting ticket), Kerberos, 211–212
The Italian Job movie, social engineering in, 285
Onion Router (Tor), 154–155
theft of access, as cybercrime, 6
THE-SCAN wardialing program, 132
threats. See also vulnerabilities
    Bluetooth, 432–433
    BYOD, 448–449
    caused by footprinting, 107
    cloud security, 489–490, 491–493
    defined, 13
    mobile device, 441
    modeling in penetration testing, 558–559
    social engineering, 283, 293–294
    web servers/applications. See web servers/applications, common flaws/attack methods
    Wi-Fi. See Wi-Fi, threats
three-way handshake, TCP, 47–48
thumbprint, as one-way hash value, 87
ticket-granting server (TGS), Kerberos, 211–212
ticket-granting ticket (TGT), Kerberos, 211–212
time to live values. See TTL (time to live) values
timeframe
    in contract content, 555–556
    intelligence gathering for, 558
timeline of security incident, reporting, 32
timing, of penetration test, 555
TOE (target of evaluation), 13
tokens, supplementing passwords with, 504
ToneLoc wardialing program, 132
tools
    creating botnets, 318
    creating Trojans, 243–245
    DDoS, 320
    DoS, 319
    enumeration, 571
    evaluating when building lab, 566
    exploiting covert channels, 247–248
    hardware, 573–574
    installing, 570
    lock-picking, 514–515
    logging/event-viewing, 572
    password-cracking, 571
    scanner, 570–571
    sniffer, 259–260, 572
    wireless, 572
topologies, network, 40–44
Tor (The Onion Router), 154–155
Tracert utility
    finding IP address for website, 104–105
    footprinting using, 103
    gaining information about target's network, 120
traffic analysis, targeted Wi-Fi networks, 429–430
traffic filters, firewalls as, 468
traffic sniffing, 560
training
    as line of defense in security, 519
    in preventing social engineering, 292–293
    as social engineering countermeasure, 283–284
Transmission Control Protocol. See TCP (Transmission Control Protocol)
Transport layer, OSI model, 46
triage phase, incident response, 23
Trinoo, DDoS tool, 320
Triple DES (3DES) encryption, 78–79, 88
Tripwire, 217, 463
TRK (Trinity Rescue Kit), 213, 571
Trojan Construction Kit, 246
Trojan Man, 246
Trojans
    active online attacks via, 202
    backdoors, 246–247
    behaviors of, 238–239
    BO2K, 244–245
    construction kits, 246
    defined, 227
    detecting, 240–243
    distributing, 245–247
    social engineering via, 284, 293
    systems of behaviors, 238–239
    tools for creating, 243–245
    types of, 240
    unknowing victims of, 239–240
    using covert and overt channels, 239, 247
trust
    ethics and the law, 33
    social engineers preying on victim's, 114, 283, 284
trusted root CA, 85
TTL (time to live) values
    determining firewall configuration with Firewalk, 470–471
    determining firewall configuration with Nmap, 472–473
    firewalking and, 470
    passive fingerprinting of OS, 147–149
Twitter
    gathering information using, 288–289
    social engineering via, 114
TwoFish symmetric algorithm, 79
type mismatch, and error messages, 403

U

UAC (User Account Control), 60
Ubertooth One, for lab testing, 573
Ubuntu, overflowing CAM tables in, 271
UD100 Bluetooth adapter, extending range, 432
UDP (User Datagram Protocol)
    in fraggle attack, 310
    port numbers, 169–170
    in session hijacking, 352
    SNMP functioning with, 178
    at Transport layer of OSI model, 46
    UDP-based scans, 144–145
UDPFlood, DoS tool, 319
UID, Linux user account, 168
uniform resource identifier (URI), and web applications, 367
Universal Resource Locators. See URLs (Universal Resource Locators)
Unix OS enumeration, 180–182
unsafe site warning, heeding, 295
unvalidated redirects and forwards, attacks on web servers/applications, 376–377
updates
    Android Updates, 445
    lab testing, 569
    mobile device, 447, 455
    test setup, 568
    as vulnerability in Windows, 60
upload bombing, from scripting errors, 378
UPnP Scanner, pentesting Android, 451
URG flag
    defined, 137
    marking data as urgent, 477
    performing Xmas tree scan, 139–140
URI (uniform resource identifier), and web applications, 367
URLs (Universal Resource Locators)
    defying detection by firewall using IP address instead of, 478–479
    in directory traversal attacks, 382–383
    footprinting, 110–111
    session IDs embedded in, 336
U.S. Army, SQL injection attack on, 391
U.S. Code of Fair Information Practices, 1973, 33
U.S. Communications Assistance for Law Enforcement Act, 1994, 34
U.S. Computer Fraud and Abuse Act, 34, 226
U.S. Electronic Communications Privacy Act, 1986, 34
U.S. Kennedy-Kassebaum Health Insurance and Portability Accountability Act (HIPAA), 1966, 34
U.S. Medical Computer Crime Act, 1984, 34
U.S. military files, 2002 hacking of, 5
U.S. National Information Infrastructure Protection Act, 1996, 34
U.S. Privacy Act, 1974, 34
USA Freedom Act, 227
USB (Universal Serial Bus)
    password theft, 207–208
    physical security of external drives, 506–507
USB Rubber Ducky
    hardware tool for lab testing, 573
    stealing passwords, 208
User Account Control (UAC), 60
User Datagram Protocol. See UDP (User Datagram Protocol)
user-installed applications, Android OS, 445
usernames
    cybercrime of stealing, 6
    Linux, 168
users
    Android OS security for, 443–444
    interaction with web servers, 360
    Linux, 168–169
    removing accounts in mopping up phase, 563
    SQL injection attacks on current, 399
    as targets of social engineers, 286
    vs. administrative account, 60
    Windows, 163–167

V

validation
    of certificates by CAs, 85
    input. See input validation
VBA (Visual Basic for Applications), macro viruses using, 230–231
Vega web application scanner, 384
vehicles, protecting facility against, 517
verbal agreements, never accepting from client, 14
version information, SQL injection attacks, 398
versions, SNMP, 178
vertical privilege escalation, 212
virtual machines. See VMs (virtual machines)
virtual private networks (VPNs), hardening network with, 273
virtualization
    advantages for testing, 566–567
    software options for building lab, 569
viruses
    creating, 232–233
    defined, 227
    detecting, 240–243
    kinds of, 230–232
    overview of, 228
    researching, 233–234
    understanding, 228–230
    as vulnerability in Mac OS X, 61–62
    as vulnerability in Windows, 61
Visual Basic for Applications (VBA), macro viruses using, 230–231
VMs (virtual machines)
    creating test setup, 568
    installing/configuring for lab, 570
    in side channel attacks on cloud, 493
VMware Player, building lab, 569
VMware Workstation, building lab, 569
voice recognition, biometrics, 516
voiding warranty, by jailbreaking, 447
VPNs (virtual private networks), hardening network with, 273
VRFY command, SMTP enumeration, 185
vulnerabilities
    Android OS, 62
    bus topology, 42
    cryptographic, 88–89
    defined, 13
    enterprise, 58–59
    Linux OS, 62–63
    Mac OS, 61–62
    mobile device, 447–448
    web servers/applications, 369–374
    WEP, 419
    Windows OS, 60–61
    WPA, 422–423
    WPA/WPA2, 424–425
vulnerability analysis phase, penetration testing, 559–560
vulnerability research, 21
vulnerability scanning, 129–130, 151–152

W

Wabbit virus, 229
WAITFOR DELAY command, blind SQL injection, 402
walls, securing physical area, 516–517
WAPs (wireless access points), hardening networks, 273
warballooning attacks, 426
warchalking, 426
warded locks, 513
wardialing, 131–132
wardriving attacks, 426, 429
warflying attacks, 426
warm sites, 27
warning banners, physical security via, 504–505
warranty, voiding via jailbreaking, 447
warwalking attacks, 426
WaveStumbler, 426
web applications, pentesting tools for Android, 453
web browsers
    preventing session hijacking, 352
    preventing social engineering, 294
    preventing threats, 294–295
    setting to use proxy, 154–155
    web applications based on, 363–364
web servers/applications
    Apache, 361–362
    client/server and, 364–365
    cloud technologies, 365–366
    cookies, 367–368
    databases linked to web applications, 395
    DoS attacks against, 308
    exploring client-server relationship, 360–361
    IIS, 362–363
    individuals interacting with, 360–361
    layers of web applications, 366–367
    methods of attacking, 375–384
    overview of, 360–361
    review, 384
    review answers, 540–541
    review questions, 385–388
    session hijacking, 336–337
    SQL injection and, 393–394
    testing web applications, 383–384
    vandalizing, 374–375
    variations of, 363–364
    web application components, 368–369
    web servers, 361–363
web servers/applications, common flaws/attack methods
    cross-site scripting, 376
    directory traversal attacks, 381–383
    encryption weaknesses, 380–381
    input validation, 375–376
    insecure logon systems, 377–378
    misconfiguration, 375
    protecting cookies, 379–380
    scripting errors, 378
    session management issues, 378–379
    unvalidated redirects and forwards, 376–377
web servers/applications, vulnerabilities
    banner grabbing, 373
    buffer overflow, 370–371
    DDoS attack, 371–372
    DoS attack, 371
    error messages, 374
    flawed web design, 369–370
    using ID Serve, 373–374
    vandalizing web servers, 374–375
web services, signature wrapping attacks on, 493
web-based attacks, on mobile devices, 441
webcams, footprinting location data, 113
websites
    footprinting public/restricted, 111–112
    spyware delivery via, 236
wefi tool, wireless traffic analysis, 429
well-known ports, 51–52
WEP (Wired Equivalent Privacy) encryption
    breaking, 419–420
    cracking with Kali Linux, 420–422
    defined, 417
    overview of, 418–419
    problems/vulnerabilities, 419
    RC4 algorithm in, 79
    risk mitigation, 425
white box pen tests, 15
white-box testing, 551
white-hat hackers, 9, 11
whitelists, thwarting SQL injection, 392, 404
whitespace, evading detection via liberal use of, 404
Whois tool, 119
WhoReadMe utility, 117
Wi-Fi
    authentication modes, 416–417
    at Data Link layer of OSI model, 45
    overview, 410–411
    as vulnerability in Mac OS X, 62
    wireless standards in use, 412–413
Wi-Fi, hacking
    authentication technologies, 418
    choosing right wireless card, 430–431
    fine print, 411–412
    locating wireless networks, 429–430
    mitigating WEP and WPA cracking, 425
    overview of, 410, 425
    preventing threats to, 295
    review, 433–434
    review answers, 542–543
    review questions, 435–437
    sniffing with Wireshark, 260–264
    SSID, 413
    terminology, 414
    understanding wireless networks, 410
    WEP encryption, 418–422
    wireless antennas, 414–416
    wireless encryption mechanisms, 417
    WPA encryption, 422–425
Wi-Fi, pentesting tools for Android, 453–454
Wi-Fi, threats
    ad hoc, 427
    client misassociation, 428
    honeyspot attacks, 428–429
    jamming attacks, 428
    MAC spoofing, 427
    misconfiguration, 428
    performing traffic analysis, 429–430
    promiscuous client, 428
    rogue access points, 426–427
    wardriving, 426
    ways to locate wireless networks, 429–430
WiFi Pineapple
    hardware tool for lab testing, 573
    as wireless honeyspot, 429
Wi-Fi Protected Access. See WPA (Wi-Fi Protected Access) encryption
WifiKill, pentesting Android, 453
Wifite, 424–425, 453
Wigle Wifi Wardriving, 429, 454
WikiLeaks, 307
windows, securing physical area, 517
Windows OS. See also Microsoft Windows OS
    creating virus in Notepad, 233
    disabling auditing in Security Log, 216
    enumeration, 163–167
    iPhone. See also mobile device security, 441
WinDump, sniffer, 259, 572
Wink, people search utility, 113
WinSSLMiM, 381
wire reinforced windows, 517
Wired Equivalent Privacy. See WEP (Wired Equivalent Privacy) encryption
wireless access points (WAPs), hardening networks, 273
wireless adapters, creating test setup, 568
wireless antennas, 414–416
wireless card
    breaking WEP, 420–421
    choosing right, 430–431
    in promiscuous client attacks, 428
    in wardriving attacks, 426
wireless connections, mobile device security issues, 447
wireless LANs (WLANs), accessing, 413
wireless networks. See Wi-Fi
wireless tools, for building lab, 572
Wireshark
    overview of, 260–264
    reading captured output of, 267–270
    as sniffer, 259, 572
    wireless traffic analysis, 430
Wit, Jan de, hacker, 5
WLANs (wireless LANs), accessing, 413
worms
    defined, 227
    first Internet, 5
    functions of computer, 235–236
    overview of, 234
    SQL Slammer worm, 234–235
    Stuxnet, 45
WPA (Wi-Fi Protected Access) encryption
    attacking, cracking, 424–425
    cracking, 422–424
    defined, 417
    overview of, 422
    risk mitigation, 425
WPA2 encryption
    attacking, cracking, 424–425
    defined, 417
    overview of, 424
    risk mitigation, 425
WPA2 Enterprise, 417, 424
WPA2-Personal, 424
WPScan, pentesting Android, 452–453
wrapper programs, distributing Trojans, 245–246

X

Xamarin Test Cloud, 496
Xmas tree scan, 136–137
XML (Extensible Markup Language), 493, 494
Xprobe, banner grabbing with, 150
XSS (cross-site scripting)
    application-level hijacking via, 339–340
    against cloud, 494
    against web server, 376

Y

Yagi (directional) antenna, 415
Yagi Antenna tool, 573

Z

Zabasearch, people search utility, 113, 297
Zanti (for mobile phones), 454, 570
Zenmap scanner, 571
zero day threat/vulnerability, 13
zeroization, cryptographic processes and, 508
Zimmermann, Philip, 93
Zombam.B, Trojan-creation tool, 243
zombies
    DDoS attack setup, 318–319
    performing idle scan, 142–143
zone transfers, DNS, 174–176