Atjaunināt sīkdatņu piekrišanu

E-grāmata: Ethical Hacking and Penetration Testing Guide

4.07/5 (147 ratings by Goodreads)
  • Formāts: 532 pages
  • Izdošanas datums: 29-Sep-2017
  • Izdevniecība: Apple Academic Press Inc.
  • Valoda: eng
  • ISBN-13: 9781351381345
Citas grāmatas par šo tēmu:
  • Formāts - EPUB+DRM
  • Cena: 64,23 €*
  • * ši ir gala cena, t.i., netiek piemērotas nekādas papildus atlaides
  • Ielikt grozā
  • Pievienot vēlmju sarakstam
  • Šī e-grāmata paredzēta tikai personīgai lietošanai. E-grāmatas nav iespējams atgriezt un nauda par iegādātajām e-grāmatām netiek atmaksāta.
Ethical Hacking and Penetration Testing GuidePalielināt
  • Formāts: 532 pages
  • Izdošanas datums: 29-Sep-2017
  • Izdevniecība: Apple Academic Press Inc.
  • Valoda: eng
  • ISBN-13: 9781351381345
Citas grāmatas par šo tēmu:

DRM restrictions

  • Kopēšana (kopēt/ievietot):

    nav atļauts

  • Drukāšana:

    nav atļauts

  • Lietošana:

    Digitālo tiesību pārvaldība (Digital Rights Management (DRM))
    Izdevējs ir piegādājis šo grāmatu šifrētā veidā, kas nozīmē, ka jums ir jāinstalē bezmaksas programmatūra, lai to atbloķētu un lasītu. Lai lasītu šo e-grāmatu, jums ir jāizveido Adobe ID. Vairāk informācijas šeit. E-grāmatu var lasīt un lejupielādēt līdz 6 ierīcēm (vienam lietotājam ar vienu un to pašu Adobe ID).

    Nepieciešamā programmatūra
    Lai lasītu šo e-grāmatu mobilajā ierīcē (tālrunī vai planšetdatorā), jums būs jāinstalē šī bezmaksas lietotne: PocketBook Reader (iOS / Android)

    Lai lejupielādētu un lasītu šo e-grāmatu datorā vai Mac datorā, jums ir nepieciešamid Adobe Digital Editions (šī ir bezmaksas lietotne, kas īpaši izstrādāta e-grāmatām. Tā nav tas pats, kas Adobe Reader, kas, iespējams, jau ir jūsu datorā.)

    Jūs nevarat lasīt šo e-grāmatu, izmantojot Amazon Kindle.

Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools, including Backtrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn, Netcat, and Hacker Defender rootkit. Supplying a simple and clean explanation of how to effectively utilize these tools, it details a four-step methodology for conducting an effective penetration test or hack.Providing an accessible introduction to penetration testing and hacking, the book supplies you with a fundamental understanding of offensive security. After completing the book you will be prepared to take on in-depth and advanced topics in hacking and penetration testing. The book walks you through each of the steps and tools in a structured, orderly manner allowing you to understand how the output from each tool can be fully utilized in the subsequent phases of the penetration test. This process will allow you to clearly see how the various tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but dont know where to start, this book will help take your hacking skills to the next level. The topics described in this book comply with international standards and with what is being taught in international certifications.
Preface xxiii
Acknowledgments xxv
Author xxvii
1 Introduction to Hacking 1(18)
Important Terminologies
2(5)
Asset
2(1)
Vulnerability
3(1)
Threat
3(1)
Exploit
3(1)
Risk
3(1)
What Is a Penetration Test?
3(1)
Vulnerability Assessments versus Penetration Test
3(1)
Preengagement
3(1)
Rules of Engagement
4(1)
Milestones
4(1)
Penetration Testing Methodologies
5(1)
OSSTMM
5(1)
NIST
6(1)
OWASP
7(1)
Categories of Penetration Test
7(3)
Black Box
7(1)
White Box
7(1)
Gray Box
7(1)
Types of Penetration Tests
7(1)
Network Penetration Test
8(1)
Web Application Penetration Test
8(1)
Mobile Application Penetration Test
8(1)
Social Engineering Penetration Test
8(1)
Physical Penetration Test
8(1)
Report Writing
8(1)
Understanding the Audience
9(1)
Executive Class
9(1)
Management Class
9(1)
Technical Class
9(1)
Writing Reports
10(1)
Structure of a Penetration Testing Report
10(2)
Cover Page
10(1)
Table of Contents
10(1)
Executive Summary
11(1)
Remediation Report
12(1)
Vulnerability Assessment Summary
12(2)
Tabular Summary
13(1)
Risk Assessment
14(1)
Risk Assessment Matrix
14(1)
Methodology
14(3)
Detailed Findings
15(2)
Description
15(1)
Explanation
16(1)
Risk
16(1)
Recommendation
16(1)
Reports
17(1)
Conclusion
17(2)
2 Linux Basics 19(34)
Major Linux Operating Systems
19(1)
File Structure inside of Linux
20(5)
File Permission in Linux
22(2)
Group Permission
22(1)
Linux Advance/Special Permission
22(1)
Link Permission
23(1)
Suid & Guid Permission
23(1)
Stickybit Permission
23(1)
Chatter Permission
24(1)
Most Common and Important Commands
24(1)
Linux Scheduler (Cron Job)
25(3)
Cron Permission
26(2)
Cron Permission
26(1)
Cron Files
26(2)
Users inside of Linux
28(2)
Linux Services
29(1)
Linux Password Storage
29(1)
Linux Logging
30(1)
Common Applications of Linux
30(1)
What Is BackTrack?
30(13)
How to Get BackTrack 5 Running
31(1)
Installing BackTrack on Virtual Box
31(4)
Installing BackTrack on a Portable USB
35(4)
Installing BackTrack on Your Hard Drive
39(4)
BackTrack Basics
43(1)
Changing the Default Screen Resolution
43(3)
Some Unforgettable Basics
44(2)
Changing the Password
44(1)
Clearing the Screen
44(1)
Listing the Contents of a Directory
44(1)
Displaying Contents of a Specific Directory
44(1)
Displaying the Contents of a File
45(1)
Creating a Directory
45(1)
Changing the Directories
45(1)
Windows
45(1)
Linux
45(1)
Creating a Text File
45(1)
Copying a File
45(1)
Current Working Directory
45(1)
Renaming a File
45(1)
Moving a File
46(1)
Removing a File
46(1)
Locating Certain Files inside BackTrack
46(1)
Text Editors inside BackTrack
46(1)
Getting to Know Your Network
47(1)
Dhclient
47(1)
Services
48(3)
MyS QL
48(1)
SSHD
48(2)
Postgresql
50(1)
Other Online Resources
51(2)
3 Information Gathering Techniques 53(44)
Active Information Gathering
53(1)
Passive Information Gathering
53(1)
Sources of Information Gathering
54(1)
Copying Websites Locally
54(2)
Information Gathering with Whois
55(1)
Finding Other Websites Hosted on the Same Server
56(1)
Yougetsignal.com
56(3)
Tracing the Location
57(1)
Traceroute
57(1)
ICMP Traceroute
58(1)
TCP Traceroute
58(1)
Usage
58(1)
UDP Traceroute
58(1)
Usage
58(1)
NeoTrace
59(1)
Cheops-ng
59(1)
Enumerating and Fingerprinting the Webservers
60(1)
Intercepting a Response
60(2)
Acunetix Vulnerability Scanner
62(1)
WhatWeb
62(1)
Netcraft
63(1)
Google Hacking
63(1)
Some Basic Parameters
64(1)
Site
64(1)
Example
64(1)
TIP regarding Filetype
65(2)
Google Hacking Database
66(1)
Hackersforcharity.org/ghdb
67(1)
Xcode Exploit Scanner
67(8)
File Analysis
68(1)
Foca
68(1)
Harvesting E-Mail Lists
69(2)
Gathering Wordlist from a Target Website
71(1)
Scanning for Subdomains
71(1)
TheHarvester
72(1)
Fierce in BackTrack
72(2)
Scanning for SSL Version
74(1)
DNS Enumeration
75(1)
Interacting with DNS Servers
75(1)
Nslookup
76(1)
DIG
76(1)
Forward DNS Lookup
77(1)
Forward DNS Lookup with Fierce
77(1)
Reverse DNS
78(1)
Reverse DNS Lookup with Dig
78(1)
Reverse DNS Lookup with Fierce
78(1)
Zone Transfers
79(1)
Zone Transfer with Host Command
79(1)
Automating Zone Transfers
80(1)
DNS Cache Snooping
80(1)
What Is DNS Cache Snooping?
81(2)
Nonrecursive Method
81(1)
Recursive Method
82(1)
What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?
83(1)
Attack Scenario
84(1)
Automating DNS Cache Snooping Attacks
84(1)
Enumerating SNMP
84(1)
Problem with SNMP
84(1)
Sniffing SNMP Passwords
84(1)
OneSixtyOne
85(1)
Snmpenum
85(1)
SolarWinds Toolset
85(1)
SNMP Sweep
86(1)
SNMP Brute Force and Dictionary
86(1)
SNMP Brute Force Tool
86(1)
SNMP Dictionary Attack Tool
87(1)
SMTP Enumeration
87(6)
Detecting Load Balancers
88(1)
Load Balancer Detector
89(1)
Determining Real IP behind Load Balancers
89(1)
Bypassing CloudFlare Protection
90(22)
Method 1: Resolvers
90(2)
Method 2: Subdomain Trick
92(1)
Method 3: Mail Servers
92(1)
Intelligence Gathering Using Shodan
93(2)
Further Reading
95(1)
Conclusion
95(2)
4 Target Enumeration and Port Scanning Techniques 97(24)
Host Discovery
97(3)
Scanning for Open Ports and Services
100(1)
Types of Port Scanning
100(1)
Understanding the TCP Three-Way Handshake
101(1)
TCP Flags
101(1)
Port Status Types
102(1)
TCP SYN Scan
102(1)
TCP Connect Scan
103(1)
NULL, FIN, and XMAS Scans
104(1)
NULL Scan
104(1)
FIN Scan
105(1)
XMAS Scan
105(1)
TCP ACK Scan
105(1)
Responses
106(1)
UDP Port Scan
106(1)
Anonymous Scan Types
107(1)
IDLE Scan
107(1)
Scanting for a Vulnerable Host
107(2)
Performing an IDLE Scan with NMAP
109(1)
TCP FTP Bounce Scan
109(1)
Service Version Detection
110(1)
OS Fingerprinting
111(1)
POF
111(1)
Output
112(1)
Normal Format
112(1)
Grepable Format
112(1)
XML Format
113(1)
Advanced Firewall/IDS Evading Techniques
113(1)
Timing Technique
114(1)
Wireshark Output
114(1)
Fragmented Packets
115(1)
Wireshark Output
115(1)
Source Port Scan
115(1)
Specifying an MTU
116(1)
Sending Bad Checksums
116(1)
Decoys
117(1)
ZENMAP
117(2)
Further Reading
119(2)
5 Vulnerability Assessment 121(18)
What Are Vulnerability Scanners and How Do They Work?
121(1)
Pros and Cons of a Vulnerability Scanner
122(1)
Vulnerability Assessment with Nmap
122(1)
Updating the Database
122(1)
Scanning MS08_067_netapi
123(1)
Testing SCADA Environments with Nmap
123(1)
Installation
124(1)
Usage
124(1)
Nessus Vulnerability Scanner
124(1)
Home Feed
125(1)
Professional Feed
125(1)
Installing Nessus on BackTrack
125(1)
Adding a User
125(3)
Nessus Control Panel
126(1)
Reports
126(1)
Mobile
126(1)
Scan
127(1)
Policies
127(1)
Users
127(1)
Configuration
127(1)
Default Policies
127(1)
Creating a New Policy
128(1)
Safe Checks
128(1)
Silent Dependencies
128(1)
Avoid Sequential Scans
128(1)
Port Range
129(1)
Credentials
129(1)
Plug-Ins
129(1)
Preferences
130(2)
Scanning the Target
130(2)
Nessus Integration with Metasploit
132(1)
Importing Nessus to Metasploit
132(2)
Scanning the Target
133(1)
Reporting
133(1)
OpenVas
133(1)
Resource
134(2)
Vulnerability Data Resources
134(1)
Exploit Databases
135(1)
Using Exploit-db with BackTrack
136(1)
Searching for Exploits inside BackTrack
137(1)
Conclusion
138(1)
6 Network Sniffing 139(24)
Introduction
139(1)
Types of Sniffing
140(1)
Active Sniffing
140(1)
Passive Sniffing
140(1)
Hubs versus Switches
140(1)
Promiscuous versus Nonpromiscuous Mode
141(1)
MITM Attacks
141(1)
ARP Protocol Basics
142(1)
How ARP Works
142(1)
ARP Attacks
143(1)
MAC Flooding
143(1)
Macof
143(1)
ARP Poisoning
144(1)
Scenario-How It Works
144(1)
Denial of Service Attacks
144(1)
Tools of the Trade
145(1)
Dsniff
145(1)
Using ARP Spoof to Perform MITM Attacks
145(2)
Usage
146(1)
Sniffing the Traffic with Dsniff
147(1)
Sniffing Pictures with Drifnet
147(1)
Urlsnarf and Webspy
148(1)
Sniffing with Wireshark
149(1)
Ettercap
150(1)
ARP Poisoning with Ettercap
150(2)
Hijacking Session with MITM Attack
152(1)
Attack Scenario
152(1)
ARP Poisoning with Cain and Abel
153(2)
Sniffing Session Cookies with Wireshark
155(1)
Hijacking the Session
156(1)
SSL Strip: Stripping HTTPS Traffic
157(1)
Requirements
157(1)
Usage
158(1)
Automating Man in the Middle Attacks
158(1)
Usage
158(1)
DNS Spoofing
159(1)
ARP Spoofing Attack
159(1)
Manipulating the DNS Records
160(1)
Using Ettercap to Launch DNS Spoofing Attack
160(1)
DHCP Spoofing
160(1)
Conclusion
161(2)
7 Remote Exploitation 163(34)
Understanding Network Protocols
163(1)
Transmission Control Protocol
164(1)
User Datagram Protocol
164(1)
Internet Control Messaging Protocol
164(1)
Server Protocols
164(1)
Text-Based Protocols (Important)
164(1)
Binary Protocols
164(2)
FTP
165(1)
SMTP
165(1)
HTTP
165(1)
Further Reading
165(1)
Resources
166(1)
Attacking Network Remote Services
166(1)
Overview of Brute Force Attacks
166(1)
Traditional Brute Force
166(1)
Dictionary Attacks
166(1)
Hybrid Attacks
167(1)
Common Target Protocols
167(1)
Tools of the Trade
167(1)
THC Hydra
167(1)
Basic Syntax for Hydra
168(2)
Cracking Services with Hydra
168(2)
Hydra GUI
170(1)
Medusa
170(1)
Basic Syntax
170(1)
OpenSSH Username Discovery Bug
170(1)
Cracking SSH with Medusa
171(1)
Ncrack
171(1)
Basic Syntax
171(1)
Cracking an RDP with Ncrack
172(1)
Case Study of a Morto Worm
172(1)
Combining Nmap and Ncrack for Optimal Results
172(2)
Attacking SMTP
173(1)
Important Commands
174(1)
Real-Life Example
174(1)
Attacking SQL Servers
175(1)
MySQL Servers
175(1)
Fingerprinting MySQL Version
175(1)
Testing for Weak Authentication
175(1)
MS SQL Servers
176(1)
Fingerprinting the Version
177(1)
Brute Forcing SA Account
177(1)
Using Null Passwords
178(1)
Introduction to Metasploit
178(1)
History of Metasploit
178(1)
Metasploit Interfaces
178(1)
MSFConsole
178(1)
MSFcli
179(1)
MSFGUI
179(1)
Armitage
179(1)
Metasploit Utilities
179(1)
MSFPayload
179(1)
MSFEncode
179(1)
MSFVenom
179(1)
Metasploit Basic Commands
180(1)
Search Feature in Metasploit
180(1)
Use Command
181(1)
Info Command
181(1)
Show Options
181(1)
Set/Unset Command
182(1)
Reconnaissance with Metasploit
182(1)
Port Scanning with Metasploit
182(1)
Metasploit Databases
182(1)
Storing Information from Nmap into Metasploit Database
183(1)
Useful Scans with Metasploit
184(1)
Port Scanners
184(1)
Specific Scanners
184(1)
Compromising a Windows Host with Metasploit
184(4)
Metasploit Autopwn
188(1)
db_autopwn in Action
188(1)
Nessus and Autopwn
189(1)
Armitage
189(1)
Interface
190(1)
Launching Armitage
190(1)
Compromising Your First Target from Armitage
191(1)
Enumerating and Fingerprinting the Target
191(1)
MSF Scans
192(1)
Importing Hosts
192(1)
Vulnerability Assessment
193(1)
Exploitation
193(2)
Check Feature
195(1)
Hail Mary
196(1)
Conclusion
196(1)
References
196(1)
8 Client Side Exploitation 197(34)
Client Side Exploitation Methods
197(4)
Attack Scenario 1: E-Mails Leading to Malicious Attachments
197(1)
Attack Scenario 2: E-Mails Leading to Malicious Links
197(1)
Attack Scenario 3: Compromising Client Side Update
198(1)
Attack Scenario 4: Malware Loaded on USB Sticks
198(1)
E-Mails with Malicious Attachments
198(3)
Creating a Custom Executable
198(1)
Creating a Backdoor with SET
198(3)
PDF Hacking
201(1)
Introduction
201(1)
Header
202(1)
Body
202(1)
Cross Reference Table
202(1)
Trailer
202(1)
PDF Launch Action
202(1)
Creating a PDF Document with a Launch Action
203(2)
Controlling the Dialog Boxes
205(1)
PDF Reconnaissance
205(1)
Tools of the Trade
205(2)
PDFINFO
205(1)
PDFINFO "Your PDF Document"
206(1)
PDFTK
206(1)
Origami Framework
207(1)
Installing Origami Framework on BackTrack
207(1)
Attacking with PDF
208(1)
Fileformat Exploits
208(1)
Browser Exploits
208(1)
Scenario from Real World
209(1)
Adobe PDF Embedded EXE
210(1)
Social Engineering Toolkit
211(3)
Attack Scenario 2: E-Mails Leading to Malicious Links
213(1)
Credential Harvester Attack
214(1)
Tabnabbing Attack
215(1)
Other Attack Vectors
216(1)
Browser Exploitation
217(1)
Attacking over the Internet with SET
217(1)
Attack Scenario over the Internet
217(3)
Using Windows Box as Router (Port Forwarding)
220(1)
Browser AutoPWN
220(1)
Why Use Browser AutoPWN?
221(1)
Problem with Browser AutoPWN
221(2)
VPS/Dedicated Server
223(1)
Attack Scenario 3: Compromising Client Side Update
223(1)
How Evilgrade Works
223(1)
Prerequisites
223(6)
Attack Vectors
223(1)
Internal Network Attack Vectors
223(1)
External Network Attack Vectors
224(1)
Evilgrade Console
224(1)
Attack Scenario
224(3)
Attack Scenario 4: Malware Loaded on USB Sticks
227(2)
Teensy USB
229(1)
Conclusion
229(1)
Further Reading
229(2)
9 Postexploitation 231(40)
Acquiring Situation Awareness
231(5)
Enumerating a Windows Machine
231(2)
Enumerating Local Groups and Users
233(1)
Enumerating a Linux Machine
233(2)
Enumerating with Meterpreter
235(1)
Identifying Processes
235(1)
Interacting with the System
235(1)
User Interface Command
235(1)
Privilege Escalation
236(1)
Maintaining Stability
236(1)
Escalating Privileges
237(4)
Bypassing User Access Control
238(1)
Impersonating the Token
239(2)
Escalating Privileges on a Linux Machine
241(1)
Maintaining Access
241(1)
Installing a Backdoor
241(1)
Cracking the Hashes to Gain Access to Other Services
241(1)
Backdoors
241(3)
Disabling the Firewall
242(1)
Killing the Antivirus
242(1)
Netcat
243(1)
MSFPayload/MSFEncode
244(2)
Generating a Backdoor with MSFPayload
244(1)
MSFEncode
245(1)
MSFVenom
246(5)
Persistence
247(2)
What Is a Hash?
249(1)
Hashing Algorithms
249(1)
Windows Hashing Methods
250(1)
LAN Manager (LM)
250(1)
NTLM/NTLM2
250(1)
Kerberos
250(1)
Where Are LM/NTLM Hashes Located?
250(1)
Dumping the Hashes
251(2)
Scenario 1-Remote Access
251(1)
Scenario 2-Local Access
251(1)
Ophcrack
252(1)
References
253(1)
Scenario 3-Offline System
253(1)
Ophcrack LiveCD
253(1)
Bypassing the Log-In
253(1)
References
253(1)
Cracking the Hashes
253(2)
Bruteforce
253(1)
Dictionary Attacks
254(1)
Password Salts
254(1)
Rainbow Tables
254(1)
John the Ripper
255(1)
Cracking LM/NTLM Passwords with JTR
255(1)
Cracking Linux Passwords with JTR
256(1)
Rainbow Crack
256(3)
Sorting the Tables
257(1)
Cracking the Hashes with rcrack
258(1)
Speeding Up the Cracking Process
258(1)
Gaining Access- to-Remote Services
258(1)
Enabling the Remote Desktop
259(1)
Adding Users to the Remote Desktop
259(1)
Data Mining
259(3)
Gathering OS Information
260(1)
Harvesting Stored Credentials
261(1)
Identifying and Exploiting Further Targets
262(7)
Mapping the Internal Network
263(1)
Finding Network Information
264(1)
Identifying Further Targets
265(1)
Pivoting
266(1)
Scanning Ports and Services and Detecting OS
267(1)
Compromising Other Hosts on the Network Having the Same Password
268(1)
psexec
269(1)
Exploiting Targets
270(1)
Conclusion
270(1)
10 Windows Exploit Development Basics 271(20)
Prerequisites
271(1)
What Is a Buffer Overflow?
271(1)
Vulnerable Application
272(1)
How to Find Buffer Overflows
273(1)
Methodology
273(1)
Getting the Software Up and Running
273(1)
Causing the Application to Crash
273(2)
Skeleton Exploit
275(6)
Determining the Offset
278(2)
Identifying Bad Characters
280(1)
Figuring Out Bad Characters with Mona
281(6)
Overwriting the Return Address
283(2)
NOP Sledges
285(1)
Generating the ShellCode
286(1)
Generating Metasploit Module
287(1)
Porting to Metasploit
288(2)
Conclusion
290(1)
Further Resources
290(1)
11 Wireless Hacking 291(22)
Introduction
291(1)
Requirements
291(2)
Introducing Aircrack-ng
293(1)
Uncovering Hidden SSIDs
293(1)
Turning on the Monitor Mode
294(1)
Monitoring Beacon Frames on Wireshark
294(1)
Monitoring with Airodump-ng
295(1)
Speeding Up the Process
296(2)
Bypassing MAC Filters on Wireless Networks
296(2)
Cracking a WEP Wireless Network with Aircrack-ng
298(1)
Placing Your Wireless Adapter in Monitor Mode
298(1)
Determining the Target with Airodump-ng
299(3)
Attacking the Target
299(1)
Speeding Up the Cracking Process
300(1)
Injecting ARP Packets
300(1)
Cracking the WEP
301(1)
Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng
302(1)
Capturing Packets
303(1)
Capturing the Four-Way Handshake
303(1)
Cracking WPA/WAP2
304(2)
Using Reaver to Crack WPS-Enabled Wireless Networks
305(1)
Reducing the Delay
306(1)
Further Reading
306(3)
Setting Up a Fake Access Point with SET to PWN Users
306(3)
Attack Scenario
309(2)
Evil Twin Attack
310(1)
Scanning the Neighbors
311(1)
Spoofing the MAC
311(1)
Setting Up a Fake Access Point
311(1)
Causing Denial of Service on the Original AP
311(1)
Conclusion
312(1)
12 Web Hacking 313(180)
Attacking the Authentication
313(2)
Username Enumeration
314(1)
Invalid Username with Invalid Password
314(1)
Valid Username with Invalid Password
314(1)
Enabling Browser Cache to Store Passwords
314(1)
Brute Force and Dictionary Attacks
315(1)
Types of Authentication
315(4)
HTTP Basic Authentication
315(1)
HTTP-Digest Authentication
316(1)
Form-Based Authentication
317(2)
Exploiting Password Reset Feature
319(1)
Etsy.com Password Reset Vulnerability
319(3)
Attacking Form-Based Authentication
320(2)
Brute Force Attack
322(4)
Attacking HTTP Basic Auth
323(3)
Further Reading
326(8)
Log-In Protection Mechanisms
326(1)
CAPTCHA Validation Flaw
326(2)
CAPTCHA Reset Flaw
328(1)
Manipulating User-Agents to Bypass CAPTCHA and Other Protections
329(1)
Real-World Example
330(1)
Authentication Bypass Attacks
330(1)
Authentication Bypass Using SQL Injection
330(3)
Testing for SQL Injection Auth Bypass
331(2)
Authentication Byp-ass Using XPATH Injection
333(1)
Testing for XPATH Injection
333(1)
Authentication Bypass Using Response Tampering
334(1)
Crawling Restricted Links
334(1)
Testing for the Vulnerability
335(1)
Automating It with Burp Suite
336(1)
Authentication Bypass with Insecure Cookie Handling
336(6)
Session Attacks
339(1)
Guessing Weak Session ID
339(2)
Session Fixation Attacks
341(1)
Requirements for This Attack
342(1)
How the Attack Works
342(2)
SQL Injection Attacks
342(1)
What Is an SQL Injection?
342(1)
Types of SQL Injection
342(1)
Union-Based SQL Injection
343(1)
Error-Based SQL Injection
343(1)
Blind SQL Injection
343(1)
Detecting SQL Injection
343(1)
Determining the Injection Type
343(1)
Union-Based SQL Injection (MySQL)
344(1)
Testing for SQL Injection
344(7)
Determining the Number of Columns
345(1)
Determining the Vulnerable Columns
346(1)
Fingerprinting the Database
347(1)
Enumeration Information
347(1)
Information_schema
348(1)
Information_schema Tables
348(1)
Enumerating All Available Databases
348(1)
Enumerating All Available Tables in the Database
349(1)
Extracting Columns from Tables
349(1)
Extracting Data from Columns
350(1)
Using group_concat
350(1)
MySQL Version < or = to 5
351(1)
Guessing Table Names
351(2)
Guessing Columns
352(1)
SQL Injection to Remote Command Execution
352(1)
Reading Files
353(1)
Writing Files
353(8)
Blind SQL Injection
355(1)
Boolean-Based SQLi
355(1)
True Statement
355(1)
False Statement
356(1)
Enumerating the DB User
356(2)
Enumerating the MYSQL Version
358(1)
Guessing Tables
358(1)
Guessing Columns in the Table
359(1)
Extracting Data from Columns
360(1)
Time-Based SQL Injection
361(1)
Vulnerable Application
361(1)
Testing for Time-Based SQL Injection
362(7)
Enumerating the DB User
362(1)
Guessing the Table Names
363(1)
Guessing the Columns
364(1)
Extracting Data from Columns
365(1)
Automating SQL Injections with Sqlmap
366(1)
Enumerating Databases
367(1)
Enumerating Tables
367(1)
Enumerating the Columns
367(1)
Extracting Data from the Columns
368(1)
HTTP Header-Based SQL Injection
368(1)
Operating System Takeover with Sqlmap
369(1)
OS-CMD
369(1)
OS-SHELL
369(1)
OS-PWN
370(1)
XSS (Cross-Site Scripting)
371(1)
How to Identify XSS Vulnerability
371(1)
Types of Cross-Site Scripting
371(1)
Reflected/Nonpersistent XSS
372(1)
Vulnerable Code
372(1)
Medium Security
373(1)
Vulnerable Code
373(1)
High Security
373(2)
Bypassing htmlspecialchars
374(1)
UTF-32 XSS Trick: Bypass 1
375(1)
Svg Craziness: Bypass 2
375(1)
Bypass 3: href Attribute
376(1)
Stored XSS/Persistent XSS
377(1)
Payloads
377(1)
Blind XSS
378(1)
DOM-Based XSS
378(12)
Detecting DOM-Based XSS
378(6)
Sources (Inputs)
378(1)
Sinks (Creating/Modifying HTML Elements)
378(6)
Static JS Analysis to Identify DOM-Based XSS
384(1)
How Does It Work?
385(1)
Setting Up JSPRIME
385(5)
Dominator: Dynamic Taint Analysis
390(4)
POC for Internet Explorer
394(1)
POC for Chrome
394(1)
Pros/Cons
395(1)
Cross Browser DOM XSS Detection
395(2)
Types of DOM-Based XSS
397(8)
Reflected DOM XSS
397(1)
Stored DOM XSS
397(2)
Exploiting XSS
399(1)
Cookie Stealing with XSS
399(3)
Exploiting XSS for Conducting Phishing Attacks
402(2)
Compromising Victim's Browser with XSS
404(1)
Exploiting XSS with BeEF
405(1)
Setting Up BeEF on BackTrack
405(3)
Demo Pages
408(5)
BeEF Modules
409(3)
Module: Replace HREFs
409(1)
Module: Getcookie
409(1)
Module: Tabnabbing
410(2)
BeEF in Action
412(1)
Cross-Site Request Forgery (CSRF)
413(1)
Why Does a CSRF Attack Work?
413(1)
How to Attack
413(1)
GET-Based CSRF
414(1)
POST-Based CSRF
414(1)
CSRF Protection Techniques
415(1)
Referrer-Based Checking
415(1)
Anti-CSRF Tokens
415(1)
Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm
416(1)
Tokens Not Validated upon Server
416(1)
Analyzing Weak Anti-CSRF Token Strength
417(2)
Bypassing CSRF with XSS
419(6)
File Upload Vulnerabilities
421(2)
Bypassing Client Side Restrictions
423(1)
Bypassing MIME Type Validation
423(2)
Real-World Example
425(1)
Bypassing Blacklist-Based Protections
425(1)
Case 1: Blocking Malicious Extensions
425(1)
Bypass
426(1)
Case 2: Case-Sensitive Bypass
426(1)
Bypass
426(1)
Real-World Example
426(5)
Vulnerable Code
426(1)
Case 3: When All Dangerous Extensions Are Blocked
426(3)
XSS via File Upload
427(1)
Flash-Based XSS via File Upload
428(1)
Case 4: Double Extensions Vulnerabilities
429(1)
Apache Double Extension Issues
429(1)
IIS 6 Double Extension Issues
429(1)
Case 5: Using Trailing Dots
429(1)
Case 6: Null Byte Trick
429(1)
Case 7: Bypassing Image Validation
429(1)
Case 8: Overwriting Critical Files
430(1)
Real-World Example
431(1)
File Inclusion Vulnerabilities
431(1)
Remote File Inclusion
432(1)
Patching File Inclusions on the Server Side
433(19)
Local File Inclusion
433(1)
Linux
434(1)
Windows
434(1)
LFI Exploitation Using /proc/self/environ
434(2)
Log File Injection
436(4)
Finding Log Files: Other Tricks
440(1)
Exploiting LFI Using PHP Input
440(1)
Exploiting LFI Using File Uploads
441(1)
Read Source Code via LFI
442(1)
Local File Disclosure Vulnerability
443(2)
Vulnerable Code
443(2)
Local File Disclosure Tricks
445(1)
Remote Command Execution
446(2)
Uploading Shells
448(4)
Server Side Include Injection
452(1)
Testing a Website for SSI Injection
452(1)
Executing System Commands
453(1)
Spawning a Shell
453(1)
SSRF Attacks
454(1)
Impact
455(8)
Example of a Vulnerable PHP Code
456(1)
Remote SSRF
457(6)
Simple SSRF
457(1)
Partial SSRF
458(5)
Denial of Service
463(4)
Denial of Service Using External Entity Expansion (XEE)
463(1)
Full SSRF
464(2)
dict://
464(1)
gopher://
465(1)
http://
465(1)
Causing the Crash
466(1)
Overwriting Return Address
467(1)
Generating Shellcode
467(2)
Server Hacking
469(1)
Apache Server
470(6)
Testing for Disabled Functions
470(2)
Open_basedir Misconfiguration
472(2)
Using CURL to Bypass Open_basedir Restrictions
474(1)
Open_basedir PHP 5.2.9 Bypass
475(1)
Reference
476(1)
Bypassing open_basedir Using CGI Shell
476(1)
Bypassing open_basedir Using Mod_Peri, Mod_Python
477(1)
Escalating Privileges Using Local Root Exploits
477(1)
Back Connecting
477(1)
Finding the Local Root Exploit
478(1)
Usage
478(1)
Finding a Writable Directory
479(1)
Bypassing Symlinks to Read Configuration Files
480(1)
Who Is Affected?
481(1)
Basic Syntax
481(4)
Why This Works
482(1)
Symlink Bypass: Example 1
482(1)
Finding the Username
482(2)
/etc/passwd File
483(1)
/etc/valiases File
483(1)
Path Disclosure
483(1)
Uploading .htaccess to Follow Symlinks
484(1)
Symlinking the Configuration Files
484(1)
Connecting to and Manipulating the Database
485(1)
Updating the Password
486(1)
Symlink the Root Directory
486(1)
Example 3: Compromising WHMCS Server
487(1)
Finding a WHMCS Server
487(1)
Symlinking the Configuration rile
488(3)
WHMCS Killer
488(2)
Disabling Security Mechanisms
490(1)
Disabling Mod_Security
490(1)
Disabling Open_basedir and Safe_mode
490(1)
Using CGI, PERL, or Python Shell to Bypass Symlinks
491(1)
Conclusion
491(2)
Index 493
Rafay Baloch is a globally renowned cybersecurity expert and white-hat hacker with a proven record of identifying critical zero-day security vulnerabilities in numerous web applications, products, and browsers. His discoveries have been instrumental in safeguarding the privacy and security of millions of users worldwide. Baloch has received various accolades, including being named one of the Top 5 Ethical Hackers of 2014 by Checkmarx, one of the 15 Most Successful Ethical Hackers Worldwide, and one of the Top 25 Threat Seekers by SC Magazine. In addition, Reflectiz listed him among the Top 21 Cybersecurity Experts You Must Follow on Twitter in 2021.

On March 23, 2022, the Inter-Services Public Relations (ISPR) recognized Balochs significant contributions to the field of cybersecurity with the Pride of Pakistan award. Baloch is also the author of Ethical Hacking and Penetration Testing Guide, published by Taylor & Francis in 2014.

Rafay has presented his research at various international cybersecurity conferences, including Black Hat, Hack In Paris, HEXCON, the 10th Information Security Conference in Greece, the CSAW Conference, and many others. He is frequently sought after for his insights and analysis on current cybersecurity topics, appearing in national and international mainstream media outlets such as Forbes, WSJ, Independent UK, BBC, Express Tribune, DAWN, and many others.

Baloch has also served as Senior Consultant for Cyber Security at the Pakistan Telecommunication Authority (PTA), the national telecom regulator. Currently, he runs a cybersecurity company REDSECLABS, offering cybersecurity consulting at the global level.

Rafay Baloch is the founder of REDSECLABS, a company specializing in security consulting, training, and a variety of other Cyber Security-related services. The book features several sample codes and 'extra mile' exercises designed to enhance learning. To apply these concepts practically, we encourage you to visit our website at https://www.redseclabs.com. On the site, you'll find blog posts that explore these exercises and other resources mentioned throughout the books, along with showcases of our research work.

.
Biežāk uzdotie jautājumi par e-grāmatām Biežāk uzdotie jautājumi par e-grāmatām
Permanent link: https://www.kriso.lv/db/97813513813456e.html
Keywords: