
Index

active wireless network attacks, 425 Numbers ad hoc attacks, on Wi-Fi, 427 007Shell, covert channel exploits, 248 administrator accounts, Windows OS, 60–61, 3DES (Triple DES) encryption, 78–79, 88 163–164 hot spots, 412 administrators hot spots, 412 application, 361 802.11. See Wi-Fi server and network, 360 802.11i, 418 ADS (Alternate Data Streams), covering tracks, 802.3 (Ethernet), 45 216–217 adware, 227, 237 AES (Advanced Encryption Standard), 79 AES-256 encryption, Apple iOS, 446 A AH (Authentication Header), IPSec, 90 aircrack-ng access control breaking WEP, 420–421 Android OS, 444–446 brute-force attacks, 425 Apple iOS, 446 wireless tool for lab testing, 572 cloud computing, 495 aireplay-ng, 420 mobile device, 442–443 AirMagnet, 430 physical. See physical security AirMon, 453 access control lists (ACLs), 381, 470 AirPcap access points breaking WEP, 421–422 broadcasting SSID, 413 hardware tool for lab testing, 573 client misassociation attacks on, 428 sniffing wireless networks, 260 honeyspot attacks on, 428–429 algorithms misconfiguration problem with, 428 asymmetric, 80–86 rogue access point attacks, 426–427 cryptography and, 77 wireless antennas and, 414–415 symmetric, 77–79 wireless network, 411–412 types of hashing, 87 account hijacking, cloud security threat, 490 ALog reader, pentesting Android, 453 ACK flag, 134–135, 136–137 alteration, breaking CIA triad, 16 ACK scanning, 143–144 Alternate Data Streams (ADS), covering tracks, ACK sequence numbers, TCP/IP session hijacking, 216–217 344 alternate sites, business continuity/disaster ACK tunneling, defying detection by firewall, 479 recovery, 27–28 AckCmd, 248, 479 Amitis, Trojan-creation tool, 243 ACLs (access control lists), 381, 470 analysis and tracking phase, incident response, 24 active fingerprinting, of OS, 146–147 AnDOSid, pentesting Android, 451 active information gathering, footprinting, 106 Android OS active online attacks, 198–199, 202–203 with 83 percent of market share, 
441 active session hijacking attacks, 335–336 common problems, 447–448 active sniffing, 256 countermeasures, 454–455

bindex.indd 04/0½ 016 Page 575 576 (ART) – authentication

customized versions of, 445–446 man-in-the-middle attacks, 338 design of, 444–446 predicting session tokens, 338 overview of, 443–444 session fixation attacks, 341 pentesting, 450–454 session sniffing, 337 storage encryption on, 442 web apps, 336–337 vulnerabilities, 62 applications Android runtime (ART), 445 executing, 213–217 Android Updates, 445 mobile device countermeasures, 455 Angry IP Scanner, 570 security testing of, 554 Anna Kournikova computer worm, 5, 291 session hijacking and web, 336–337 anomaly-based IDS, 464–465 sources of Android OS, 445 anonymity, pentesting Android, 454 tools for building lab, 570–571 Anonymous hacking group, 6, 8 web. See web servers/applications Anonymous logon group, Windows, 165 AppThwack, testing security in cloud, 496 antennas, wireless, 414–416 architecture, cloud security controls, 494–495 antimalware applications archived copies of website, footprinting, 110 DoS/DDoS protection, 323 Archive.org, 110 installing for lab testing, 569 archiving, 63–64 mobile device countermeasures, 455 ARP (Address Resolution Protocol) requests, and antivirus applications MAC addresses, 55 installing for lab testing, 569 ARP poisoning Phatbot terminating, 243 overview of, 343 polymorphic/metamorphic viruses pentesting mobile devices with, 450 unidentifiable to, 230 preventing, 273 virus detection and elimination, 229 sniffing switched networks, 271–272 web browser integration with, 295 ART (Android runtime), 445 AOKP (Android Open Kang Project), 445 AS (authentication server), Kerberos, 211–212 Apache Server, 361–362, 367 Assange, Julian, 307 App Scanner, pentesting Android, 452 association, defined, 414 Apple iOS asymmetric (public key) cryptography with 14 percent of market share, 441 authenticating certificate, 83 common problems, 447–448 building PKI structure, 85–86 countermeasures, 454–455 how it works, 81–82 overview of, 446–447 how you know who owns key, 82–83 Apple iOS vs. 
Android, application provenance, overview of, 80–81 446 PKI system, 83–85 application administrators, 361 attacks application content, web applications, 369 defined, 13 application developers, web applications, 361 threats. See threats Application layer, OSI model attributes, protecting cookie, 379–380 overview of, 46 auditing, disabling to cover tracks, 215–216 session hijacking at, 334 auditpol command, disabling auditing, 216 SNMP functioning at, 178 authentication application proxy firewalls, 56, 58–59 biometric, 515–516 application services, Android OS, 445 certificate, 83 application-level attacks, 310–314 cryptography for, 75–76 application-level firewalls, 469 as defense against session hijacking, 352 application-level hijacking on Microsoft platforms, 209–213 cross-site scripting, 338–341 multifactor, 198 man-in-the-browser attacks, 338 with SNMPv3, 178

technologies, 418 binary conversion, vs. hexadecimal, 49–50 web application, 368 biometrics, 515–516 wireless modes of, 416–417 black box pen tests, 14–15 Authentication Header (AH), IPSec, 90 black hole filtering, 324 authentication server (AS), Kerberos, 211–212 Blackberry. See also mobile device security, 441 authorization, before pen testing, 556–557 black-box testing, 551 automated penetration testing, vs. manual, black-hat hackers, 9, 11 561–562 blacklists, 392, 404 availability BlazeMeter, 496 balancing security with, 308 blind hijacking, 341, 345 breaking CIA triad, 16 blind SQL injection, 401–402, 403 cloud security controls, 495 blind testing, 552 preserving CIA triad, 15–16 blocked scans, 144 awareness, as line of defense, 519 Blowfish, 79 bluejacking attack, 433 Bluepot, 433 Bluesnarfer tool, 572 B bluesnarfing attack, 433 B0CK, exploiting covert channels, 248 Bluetooth, creating test setup, 568 Back Orifice 2000 (BO2K), 243–246 Bluetooth, hacking. See also Wi-Fi, hacking backdoors current developments in, 4 attacker access via, 246–247 overview of, 431–432 executing applications via, 213–214 threats, 432–433 planting, 214–215, 561 as vulnerability in Mac OS X, 62 system administrators using, 287 BO2K (Back Orifice 2000), 243–246 back-end resources, DoS attacks on, 308 bollards, protecting facilities, 517, 518 backups boot-sector (or system) viruses, 229, 230 business continuity/disaster recovery via, 28 Botbyl, Adam, hacker, 5 overview of, 63–64 botnets securing, 519 DDoS attacks and, 318 bandwidth defensive strategies, 323–324 defined, 414 rental of, 307 protecting from DoS/DDoS attacks, 323 tools for creating, 318–319 wireless networks and, 411 bots, 318 banner grabbing bricked systems, caused by phlashing, 310 countermeasures to, 151 bring your own device (BYOD), problems with, identifying services running on ports, 470 440–441, 448–449 overview of, 149–151 broad network access, cloud computing, 487 as web server/application vulnerability, 373 
broadcast domains, 55 basic service set identification (BSSID), 414, 423 browser defects, spyware delivery via, 236 bastion host, firewall configuration, 468 Browser Exploitation Framework (BeEF), 200–201 bat2com, creating viruses, 233 browser-based web applications, 363–364 batch execution, in SQL injection attacks, 392 brute-force attacks batch group, Windows, 165 on cryptographic systems, 88 BCP (business continuity plan), 26–29 on directory services, 162 Beast, Trojan-creation tool, 243 in exploitation phase, 560 BeEF (Browser Exploitation Framework), in password cracking, 198 200–201 on session ID in session hijacking, 333 best evidence, defined, 30 in syllable attacks, 198 best practices, reporting security incident, 32 on WPA/WPA2 keys, 425

Brutus, password cracking with, 377–378, 571 chain of custody, evidence, 30–31 BSSID (basic service set identification), 414, 423 Check Point FireWall-1, 470 buffer overflow attacks choke points as DoS attacks, 314 firewall services at, 467 heap and stack, 314–315 gates as physical, 511 NOP sled, 317 chosen plaintext/cipher-text attacks, on smashing stack, 315–316 cryptographic systems, 89 on web servers/applications, 370–371 CIA (confidentiality, integrity, and availability) building a lab. See lab, building triad, 15–17 Burp Suite cipher locks, physical access control, 513 man-in-the middle attacks, 200–201 cipher text pentesting Android, 453 in asymmetric algorithms, 80 testing web applications, 383 how cryptography works, 77 bus topology, 40–41 PKI system, 83–85 business closure, from social engineering, 286 in symmetric algorithms, 77 business continuity plan (BCP), 26–29 ciphers, weaknesses in web applications, 380 BusinessWire, competitive analysis data, 117 cipher-text-only attacks, on cryptographic BYOD (bring your own device), problems with, systems, 89 440–441, 448–449 circuit-level gateway firewall, 469 circumstantial evidence, 30 Cisco IOS devices, mitigating MAC flooding, 274 CLI (command-line interface), Wireshark tools using, 264 C functions, buffer overflow vulnerability, 314 client misassociation attack, on Wi-Fi, 428 C2DM (cloud-to device messaging), Android OS, client-based web applications, 364 445 clients, DoS attacks against specific, 308 cabling client-server relationship, 360–361, 364–365 at Physical layer of OSI model, 45 client-side technologies, 365, 394 protecting server rooms, 518 climate control, server rooms, 518 Cain & Abel cloud technologies breaking WEP, 420 Android OS, 445 sniffer tool for lab testing, 572 cloud computing attacks, 490–494 CAM , and MAC flooding, 270–271, controls, 494–495 274–275 forms of cloud services, 488–489 cameras, physical security, 517, 518 overview of, 365–366, 486 CAN-SPAM Act, 227 review, 496–497 
capture button, sniffers, 257 review answers, 546–547 CAs (certificate authorities), 82–85 review questions, 498–500 case locks, 519 testing, 495–496 Catch Me If You Can movie, social engineering threats, 489–490 in, 285 types of cloud solutions, 487–488 categories, malware, 227–228 understanding, 486–487 cavity (file-writing) viruses, 231 understanding cloud computing, 485–487 CCTV Scanner, pentesting Android, 452 cloud-to device messaging (C2DM), Android OS, CEH credential, Code of Conduct and Ethics, 445 11–12 cluster viruses, 231 ceiling, securing physical area, 516–517 CNBC, competitive analysis data via, 117 CER (crossover error rate), biometric accuracy, code injection, session fixation attack, 341 515 Code of Ethics, 11–12, 33 certificate authorities (CAs), 82–85 cold sites, 27

collision domains, 55 corroborative evidence, 30 columns, , 395 counterfeit devices, as Android OS command injection, in session hijacking, 334 vulnerability, 62 command-line interface (CLI), Wireshark tools countermeasures using, 264 banner grabbing, 151 communication channels, disaster and identity theft, 297–298 recovery, 29 mobile device security, 454–455 community cloud, 488 social networking, 291–293 CommView, wireless traffic analysis, 430 covering your tracks companion (camouflage) viruses, 231 Alternate Data Streams, 216–217 competitive analysis, in footprinting, 118–119 data hiding, 216 complex passwords, risk mitigation for WEP/ disabling auditing, 215–216 WPA, 425 in hacking process, 18 compliance, cloud security controls, 495 overview of, 215 components covert channels Android OS, 444–446 defined, 239 web application, 367–368 tools to exploit, 247–248 computer crime Trojans as biggest users of, 247 collecting evidence. See evidence collection crackers, executing applications via, 214 incident response for. See incident response CRC32 (Cyclic Redundancy Check), WEP con artists, social engineers as, 283 vulnerability, 419 concatenating strings of texts, evading detection Creator group, Windows, 165 via, 404 Creator owner group, Windows, 165 conclusive evidence, 30 credentials, threats to cloud security, 490 confidentiality credit card information, hacking of, 5, 296 CIA triad and, 15–16 Creeper project, virus, 228 Code of Ethics for, 11 crossover error rate (CER), biometric accuracy, ethical hacker responsibility for, 10, 13 515 as primary goal of encryption, 75 cross-site request forgery (CSRF), against cloud, construction kits, Trojan, 246 491–492 contactless cards, securing physical area, 515 cross-site scripting. 
See XSS (cross-site scripting) contacts, social networking countermeasures, crying wolf, defying detection by IDS, 476 292 cryptanalysis containment phase, incident response, 24 attacks against cloud, 494 contracts defined, 73 contents of, 555–556 Cryptcat, tool for lab testing, 571 ethical hacker responsibility for, 9–10 cryptography getting help of lawyer, 10 applications of, 89–94 before starting testing activities, 13 applied, 76 controls asymmetric. See asymmetric (public key) cloud security, 494–495 cryptography defense in depth, 520 encryption and, 73 physical security, 503–505 evolution of, 75–76 convenience vs. security analysis, 14 hashing, 86–88 cookies history of, 73–75 protecting, 379 how it works, 77 safely using, 367–368 issues with, 88–89 session hijacking and, 337 overview of, 72–73 web server/application session management review, 94 issues, 379 review answers, 528–529

review questions, 95–97 DDoS (distributed denial-of-service) attacks symmetric, 77–79 against cloud, 490, 494 cryptoviruses, 232 as cybercrime, 7 CSRF (cross-site request forgery), against cloud, overview of, 317–319 491–492 tools, 320–322 customized Android versions, 445 web servers/applications vulnerable to, 371 CyanogenMod, Android, 446 deauthentication attack, on WPA/WPA2, 424– cybercrime 425 current developments in, 4–5 debriefing and feedback phase, incident response, DoS attacks, 307 24 famous hacks over time, 5–6 decimal, hex/binary vs., 50 generic examples of, 6–7 decision-making, reporting security incident, 32 decoys, honeypots as, 473–474 defacement, website, 374–375 default passwords avoiding, 405 D obtaining, 207 daisy chaining, 13 obtaining information through, 162 virtual machine, Android, 444–445 default scripts, causing attacks, 378 DameWare, planting backdoors, 214–215 defense in depth Dark Dante (Kevin Lee Poulsen), hacker, 5 physical security and, 519 data session hijacking protection, 352 altering with SQL injection attack, 399–401 defensive strategies, DoS, 323–324 breach attacks on cloud, 489–490 degaussing, hard drives/magnetic media, 508–509 covering tracks by hiding, 216 deliverables, in contract content, 556 executing blind SQL injection, 401–402 demilitarized zone (DMZ) loss, as threat to cloud security, 490 firewall configuration, 468–469 loss, on mobile devices, 442 honeypots as decoys in, 473–474 storage security, 506–507 Department of Energy (DoE), SQL injection theft on mobile devices, 442 attack on, 391 web application access, 369 DES (Data Encryption Standard), 78, 88 Data Definition Language (DDL), Beast descynchronizing connections, 343 using, 243 design Data Encryption Standard (DES), 78, 88 Android OS, 444–446 Data layer, web applications, 366 cloud security controls, 494–495 Data Link layer, OSI model, 45, 54–55 flawed web server/application, 369–370 data sending Trojans, 240 viruses, 228 data store, web applications, 369 
vulnerabilities of web servers/applications, 369–370 altering data with SQL injection attack, destructive Trojans, 240 399–401 detection information gathering in SQL injection attack, difficulty of social engineering, 283 402–403 viruses and, 229 locating on network, 396 Dev@Cloud, 496 overview of, 394–395 developers, Android OS security and, 443 protecting with IDS, 403 device drivers, authentication of, 76 server password cracking, 396 devices, network, 53–55 data-diddling, as cybercrime, 7 dial-up, as backup to existing technologies, 131 DDL (Data Definition Language), Beast dictionary attacks, 198 using, 243 differential backups, 63

dig command, 175–176 DoS (denial-of-service) attacks. See also DDoS digital certificates, 83, 86 (distributed denial-of-service) attacks digital rights management (DRM), 446–447 in active session hijacking, 335 digital signatures against cloud, 490, 494 in asymmetric cryptography, 81–83 as cybercrime, 7 creating with digital certificates, 86 defensive strategies, 323–324 creating/verifying with hash function, 81–82 defying detection by IDS, 475 mobile device security via, 442 jamming attacks on WLANs, 428 digital trespassing, as cybercrime, 6 overview of, 306, 371 direct evidence, 30 pentesting Android, 451–452 directional (Yagi) antenna, 415 pen-testing considerations, 324 directory services review, 324–325 brute-force attacks on, 162 review answers, 537–538 and LDAP enumeration, 182–183 review questions, 326–329 directory traversal attacks, web servers, targets, 308 381–383 tools for, 319–320 DirecTV dish, 416 understanding, 306–308 disaster recovery plan (DRP), 26–29 WEP vulnerability to, 419 disclosure DoS (denial-of-service) attacks, types of breaking CIA triad, 16 application-level, 310 Code of Ethics for, 11 buffer overflow, 314–317 discoverable mode, Bluetooth, 431 fraggle, 310 Dish Network dish, 416 ICMP flood, 309 disruption (loss), breaking CIA triad, 16 land, 310 distributed computing, SETI programs, 206 permanent DoS, 310 distributed databases, 395 ping of death, 309–310 distributed denial-of-service attacks. 
See DDoS service request floods, 308 (distributed denial-of-service) attacks smurf, 310 Distributed Network Attack (DNA), password SYN attack/floods, 309, 311–314 cracking, 205–206 teardrop, 310 DMZ (demilitarized zone) DoSHTTP, DoS tool, 319 firewall configuration, 468–469 double-blind testing, 552 honeypots as decoys in, 473–474 drivers, installing for lab testing, 569 DNA (Distributed Network Attack), password drives cracking, 205–206 disabling for protection, 519 DNS (Domain Name System) encrypting, 506–507 attacks against cloud, 494 wiping, 508 overview of, 53 DRM (digital rights management), 446–447 querying with nslookup, 119–120 DroidSheep, pentesting Android, 451 TCP 53 port for, 169 DroidSQLi, pentesting Android, 453 UDP 53 port for, 169 Dropbox, as cloud computing, 487 working with zone transfers, 162 dropboxes, breaching wireless networks with, 427 DNS spoofing, 343, 351–352 DRP (disaster recovery plan), 26–29 documentation, planning disaster and recovery, Dsniff, sniffer, 259 29 dSploit Scripts, pentesting Android suites, 454 DoE (Department of Energy), SQL injection due diligence, cloud security and, 491 attack on, 391 DumpSec, enumeration tool for lab testing, 571 Domain attribute, cookies, 380 dumpster diving Domain Name System. See DNS (Domain Name as cybercrime, 7 System) preventing, 294

social engineering via, 121 encryption, wireless thwarting for discarded media, 508 methods of, 417 duration, penetration test, 555 mobile device, 442, 505–506 dynamic content, in cross-site scripting, 339–341 mobile device countermeasures, 455 dynamic pages, in directory traversal attacks, 382 protocols, 417 dynamic ports, 51 risk mitigation for WEP/WPA, 425 dynamic SQL, thwarting SQL injection, 404 WEP, 418–422 WPA, 422–425 encryption viruses, 230, 231 entryways, protecting, 517–518 E enum4linux command, 181–182 EAP wireless authentication, 418 enumeration Easy Packet Blaster, pentesting Android, 451 in hacking process, 17–18 eavesdropping, social engineering and, 120, 293 LDAP and directory service, 182–184 ECCouncil (International Council of Electronic , 180–182 Commerce Consultants), 10, 11–12 NTP, 184 Echosec, social engineering via, 115–116, 292 review, 187–188 e-commerce, cryptography in, 75 review answers, 532 economic loss, from social engineering, 285 review questions, 189–191 EDGAR (Electronic Data-Gathering, Analysis, as second phase of ethical hacking, 101–102 and Retrieval) system, 117 SMTP, 184–186 education, as line of defense, 519 SNMP, 178–180 egress filtering, as DoS/DDoS prevention, 323 tools for building lab, 571 Egyptian hieroglyphics, 74–75 understanding, 161–163 EIP (Extended Instruction Pointer) value, 315–317 Unix, 180–182 Electronic Data-Gathering, Analysis, and in vulnerability analysis phase, 559 Retrieval (EDGAR) system, 117 Windows, 163–167 elimination, virus, 229 error EliteWrap, distributing Trojans, 246 acquiring target in SQL injection attacks via, Elk Cloner virus, 229 398 email extracting information from, 403 cloud computing for, 487 suppressing detailed, 374, 402 in footprinting process, 117–118 thwarting SQL injection by disabling, 405 law enforcement agencies and sniffing, 258 in web servers and applications, 374 performing enumeration on, 162 escalation of privilege, in hacking process, 18 SNMP enumeration, 184–186 ESP 
(Encapsulating Security Payload), in social engineering via phishing, 120–121 IPSec, 90 spyware delivery via attachments, 236 EssentialNetTools, TamoSoft, 186 embezzlement, as cybercrime, 7 /etc/passwd file, Linux user account, 168 employee profile, gathering job posting data, 117 EtherApe, sniffer, 260 Encapsulating Security Payload (ESP), IPSec, 90 ethical hacking, introduction to encryption business continuity plans, 26–28 in Apple iOS, 446 chain of custody, 30–31 cryptography and, 73 code of conduct and ethics, 11 as defense against session hijacking, 352 conflicting views about hackers, 3 defying detection by IDS, 477 current developments, 4–5 Egyptian hieroglyphics, 74–75 early days of hacking, 3–4 mandating by law, 507 ethics and the law, 33–34 physically securing drives, 506–508 evidence types, 29–30 weaknesses in web applications, 380 evidence-collection techniques, 29

evolution and growth of, 7–8 exam objectives, 1 F as fun vs. criminal activity, 5–7 Facebook hacking methodologies, 17–21 gathering information using, 288–289 incident response, 21–26 people search utility, 297 overview of, 2–3 social engineering via, 114 penetration testing, 11–17 FaceNiff, pentesting Android, 451 recovering from security incident, 31–32 Fakegina keylogger, 248 recovering systems, 28–29 false ceilings, securing physical area, 516 reporting security incident, 32–33 false rejection rate (FRR), biometric accuracy, 515 responsibilities of, 9–11 false walls, securing physical area, 516 review, 34–35 FAR (false acceptance rate), biometric accuracy, review answers, 526–527 515 review questions, 36–38 fault tolerance, business continuity/disaster role of ethical hacker, 9 recovery, 27 rules of evidence, 31 FDDI (Fiber Distributed Data Interface), ring steps of, 100–102 topology, 42 types of hackers, 9 Federal Information Security Management Act vulnerability research and tools, 21 (FISMA), 2002, 34 evasion fences, securing physical area, 511 firewalls. See firewalls Fiber Distributed Data Interface (FDDI), ring honeypots, 473–474 topology, 42 IDS, 462–466, 475–477 file (multipartite) viruses, 230, 232 overview of, 462 file integrity checker, 463 review, 480–481 File Transfer Protocol. 
See FTP (File Transfer review answers, 544–546 Protocol) review questions, 482–484 file-allocation tables, cluster viruses altering, 231 testing firewalls, 479–480 , signs of host system intrusions, 465–466 testing IDS, 480 file-writing (cavity) viruses, 231 event-viewing tools, lab testing, 572 filters, Wireshark, 263–264 Everyone group, Windows, 165 FIN flag, 137, 139–141 evidence collection, 29–31 FIN scan, 140–141 evolution, of hacking, 4–8 financial fraud, embezzlement as, 7 executive level report, on security incident, 33 financial services executives, as targets of social engineers, 286 current developments in hacking/cybercrime, Expires attribute, cookies, 380 4–5 exploitation in footprinting process, 116 pentesting mobile devices, 450 researching data on companies via, 117 phase of penetration testing, 560 Fing, pentesting Android, 450 post-exploitation phase, 560–561 finger command, Linux/Unix enumeration, 178, exploits, defined, 13 180–181 EXPN command, SMTP enumeration, finger scan systems, biometrics, 516 185–186 fingerprinting. See OS fingerprinting Extended Instruction Pointer (EIP) value, fire suppression, server rooms, 518 315–317 Firekiller 2000, distributing Trojans, 246 Extensible Markup Language (XML), 493, 494 Firesheep, session hijacking, 337 extensions, signs of host system intrusions, 466 Firewalk, determining firewall configuration, exterior, building for physical defense, 520 470–472 external factors, and reports, 562–563 firewalking, determining firewall configuration, extortion, DoS attacks for, 307 470–472

firewalls fraggle attack, as DoS attack, 310 blocking ping requests, 134–135 fragmentation attacks blocking scans, 144 on Android devices, 448 bypassing, 479–481 defying detection by firewalls, 478 configurations, 468–469 defying detection by IDSs, 476 determining configuration with firewalking, web servers/applications vulnerable to, 372 470–472 fragmenting packets, preventing detection, 144 determining configuration with nmap, 472– fragroute command, 144 473 fragtest command, 144 evading with fragmenting, 144 frames, securing door, 512 identifying, 470 fraud, as cybercrime, 7 for mobile devices, 473 freeware, spyware delivery via, 236 overview of, 56–57, 467–468 FRR (false rejection rate), in biometric accuracy, setting up security, 58–59 515 testing, 479–480 FTP (File Transfer Protocol) types of, 469 easy sniffing of, 259 FISMA (Federal Information Security TCP 21 port for, 169 Management Act), 2002, 34 Trojans, 240 flags vulnerable to man-in-the middle attack, 200 defying detection by IDS, 476–477 full backups, 63 TCP, 136–137 full-open scans, 135 flash drives, physical security of, 507–508 flawed web design, web servers/applications, 369–370 floors, securing physical area, 516–517 G folders, signs of host system intrusions, 465–466 gates, securing physical area, 511 footprinting gateway host, firewalking, 470 competitive analysis in, 118–119 gateways, defense against session hijacking, 352 email, 117–118 geography, footprinting data on, 112–113 as first step of ethical hacking, 17, 100–101 Ghost Keylogger, 248 information gathering via, 113–116, 160 GID (group identification number), Linux, 169 as intelligence gathering, 557–558 Global Catalog Service, TCP/UDP 3268 port, 170 job sites and job postings, 116–117 Global System for Mobile Communications location and geography in, 112–113 (GSM), 414 network information gathering in, 119–120 goals, of footprinting process, 103 other phases of ethical hacking, 101–102 goodwill, social engineering impact on, 286 
overview of, 100 Google Android OS. See Android OS pentesting mobile devices via, 449 Google Apps, 487 public and restricted websites, 111–112 , 487 review, 121–122 , 112 review answers, 529–530 Google hack, 108–111, 113 review questions, 123–125 , 113 search engines, 108–111 store, 445, 473 as social engineering phase, 120–121, 285 Google+, 114 terminology, 106–107 governance, cloud security controls, 495 threat modeling via in-depth, 557–558 gray-box testing, 14–15, 551 threats introduced by, 107 gray-hat hackers, 9, 11 understanding, 102–106 group identification number (GID), Linux, 169 forwards, web server/application attacks from grouping error messages, extracting information unvalidated, 376–377 by, 403

groups heap, in buffer overflow attacks, 314–315 capturing user, 162–163 help desk personnel, social engineering, 286 Linux, 169 hex coding, evading detection via, 404 security identifiers for Windows, 166–167 hexadecimal values storing information in SAM, 167 MAC addresses broken down into, 54 Windows, 164–165 reading sniffer output in IP addresses, GSM (Global System for Mobile 269–270 Communications), 414 vs. binary, 49–50 guest account, Windows OS, 163 HFS (Hierarchical File System), Mac OS X, 216 hidden field, session ID embedded in, 336 hiding data, 216–217 HIDS (host-based intrusion detection system), 463 H high-availability architecture, business continuity/ hack value, 13 disaster recovery, 27 hackers high-interaction honeypots, 474 ethical hackers vs., 10 history, of cryptography, 73–75 evolution of, 3–8 hoaxes, 232 methodologies of, 17–21 Home Depot, tarnished through social Hackode, pentesting Android suites, 454 media, 290 hactivism, DoS attacks based on, 307 honeynets, 474 half-open (stealth) scan, 135–136 honeypots hand geometry systems, biometrics, 516 Bluetooth, 433 handler (master computer), DDoS attack setup, purposes of, 473 318–319 honeyspot attacks, on Wi-Fi, 428–429 HAPs (hardware access points), 411 horizontal , 212 hard drives host, firewalking, 470 creating test setup, 568 host system intrusions, signs of, 465–466 physical security of portable, 506–507 host-based intrusion detection system (HIDS), Hard-disk killer, Trojan-creation tool, 243 463 hardening hostname, using Ping via, 133 network against sniffing, 273 hot sites, 28, 29 thwarting SQL injection, 404–405 hot spots, 412, 414 as vulnerability in Windows, 61 Hping2/hping3 hardware checking for live systems, 134–135 Android OS, 444 checking status of ports, 137 gathering job posting data, 117 ICMP flood attacks, 309 planning disaster and recovery, 29 scanner for lab testing, 571 protocol analyzers, 258 web servers/applications vulnerable to, tools for lab testing, 573–574 371–372 
hardware access points (HAPs), 411 HP’s Performance Insight, detecting sniffing hash function, 81–82, 86–88 attacks, 275 hash injection attacks, 202–203 HTTP (HyperText Transport Protocol) hashing easy sniffing of, 258 passwords, 203 header response, 341 process of, 86–88 listener, IIS, 363 rainbow tables attacks using precomputed, and SOAP, 494 203–205 TCP 80 port for, 169 salting to strengthen password, 210 tunneling, defying detection by firewall, 479 HAVAL, hashing algorithm, 87 HTTP Injector tool, pentesting Android, 453 HAVING command, error messages, 403 HTTP Tool, pentesting Android, 453

HttpOnly attribute, cookies, 379 IIS Lockdown, 151 HTTPRecon, fingerprinting website, 374 IKS Keylogger, 248 HTTPrint, identifying sites, 374 illegal material, and cybercrime, 7 HTTPS, 367 IM (Instant Messaging), spyware delivery via, 236 HTTP.sys file, 363 IMAP (Internet Message Access Protocol), 259 hubs, switches vs., 56 incident response human beings business continuity plan, 26–28 art of hacking, 120–121 overview of, 21–22 power of social engineering and nature of, 284 phases of, 22–25 HUMINT (human intelligence), penetration plans, 25–26 testing, 558 policies, 22 hybrid attacks, password cracking via, 198 recovering from security incident, 31–32 hybrid cloud, 488 recovering systems, 28–29 hybrid topologies, 42–43 reporting security incident, 32 team, 25 incident response policies (IRPs) in incident response plans, 25 I overview of, 22 IaaS (Infrastructure as a Service) model, cloud, reporting security incident via, 32 365, 489 Incognito, pentesting Android, 454 ICMP (Internet Control Message Protocol), incorporation, virus, 229 133–134 incremental backups, 63 ICMP Backdoor, 247 industrial, scientific, and medical (ISM) band, 414 ICMP flood attack, 309, 371–372 inference ICMP tunneling, 479 overview of, 288 ICMP_TIME_EXCEEDED message, nmap, 472 using corporate espionage, 119 ID Serve, providing information about web server, information 373 data-diddling of, 7 IDEA (International Data Encryption Algorithm), 79 gathering in SQL injection attack, 402–403 identity theft, 75, 296–298 leakage caused by footprinting, 107 idle scans, 142–143 sharing too much on social media, 289–291, IDS (intrusion detection system) 296 detection methods, 464–465 social networking countermeasures, 292–293 evading, 144, 403–404 unauthorized destruction/alteration of, 7 firewalls as form of, 467 Infrastructure as a Service (IaaS), cloud, 365, 489 inner workings of, 462–463 ingress filtering, countering DoS/DDoS attacks, overview of, 57 323 role of, 462 initial sequence number (ISN), 343 
signs of intrusion, 465–466 initialization vectors (IVs), 419–420 testing, 480 input strings, evading detection via, 404 thwarting session hijacking via, 352 input validation thwarting SQL injection via, 403, 404 SQL injection attack from flawed/absent, 391 types of, 462 thwarting SQL injection using, 392, 404 IEEE 802.11 standard, 411–413 web server/application attacks from flawed/ ignorance, social engineers preying on, 283 absent, 375 IGRP (Interior Gateway Routing Protocol), 45 insertion attack, defying detection by IDS, 475 IIS (Internet Information Server) insider attacks, 555 countering banner grabbing, 151 inSSIDer tool, 426, 572 overview of, 362–363 Instagram, social engineering via, 114 used by web applications, 367 Instant Messaging (IM), spyware delivery via, 236

bindex.indd 04/0½ 016 Page 586 integrity – job site/postings 587

integrity at Network layer of OSI model, 45 breaking CIA triad, 16 routers and, 54 cryptography used for information, 75 smurf attack spoofing, 310 preserving CIA triad, 15–16 using Ping via, 133 Intelius, people search utility, 113, 298 IP fragmentation, web server/application intellectual property, Code of Ethics for, 11 vulnerability, 372 intelligence gathering, in penetration testing, IP ID (identification number), idle scans, 142–143 557–558 IP spoofing Interactive group, Windows, 165 defying detection by firewall, 477 Intercepter-NG, pentesting Android, 451 leading to prison time, 346 interference, Wi-Fi and, 411 overview of, 341–342 interior controls, as third layer of physical IP subnetting, 49 defense, 520 IP Tool, pentesting Android, 450 Interior Gateway Routing Protocol (IGRP), iPlanet Web Server, Oracle, 367 Network layer of OSI, 45 IPS (intrusion prevention system) International Council of Electronic Commerce detecting/preventing network anomalies, 353 Consultants (ECCouncil), 10, 11–12 IDS vs., 465 International Data Encryption Algorithm (IDEA), overview of, 57 79 IPsec (Internet Protocol security) Internet as cryptographic technology, 90 developments in hacking/cybercrime, 4–5 defending against session hijacking, 352 evolution of hacking, 4 hardening network against sniffing, 273 footprinting, 107 working with, 90–92 mobile device security issues, 447 IPv6 (Internet Protocol v6), 273 preventing threats, 294–296 IRC (Internet Relay Chat), spyware delivery, 236 using SSL to exchange data over, 93–94 iris recognition, biometrics, 516 Internet Control Message Protocol. See ICMP IRPs (incident response policies) (Internet Control Message Protocol) in incident response plans, 25 Internet Information Server. See IIS (Internet overview of, 22 Information Server) reporting security incident via, 32 Internet Message Access Protocol (IMAP), 259 ISM (industrial, scientific, and medical) band, Internet Protocol security. 
See IPsec (Internet 414 Protocol security) ISN (initial sequence number), 343 Internet Protocol v6 (IPv6), 273 isolation Internet Relay Chat (IRC), spyware delivery, 236 Apple iOS, 446 intrusion detection system. See IDS (intrusion mobile device security via, 442 detection system) ISPs (Internet Service Providers), 54 intrusion prevention system. See IPS (intrusion IT audits, by ethical hackers, 15 prevention system) IVs (initialization vectors), 419–420 intrusions signs of, 465–466 testing web applications with Burp Suite, 383 investigation phase, incident response, 23 J investments, researching, 117 jailbreaking, 446–447 IP address(es) jamming attacks, on Wi-Fi, 428 defying detection by firewall, 478–479 JavaScript, in XSS, 339–340 DNS and, 53 Jerusalem virus, 230 finding website, 104–105 JiWire, wireless traffic analysis, 429 importance of, 53 job site/postings, footprinting process, looking for live hosts via ping sweeps, 134 116–117
John the Ripper tool, 571 installation process, 569 Jolt2, DoS tool, 319 installing tools, 570 JPS Virus Maker, 233–234 installing virtualized OS, 570 Juniper device, mitigating MAC flooding, 274 logging/event-viewing tools, 572 JXplorer, searching LDAP directory, 183 password-cracking tools, 571 reasons for, 566 scanner tools, 570–571 sniffers, 572 K what you will need, 567–568 wireless tools, 572 Kali Linux Lacroix, Cameron, hacker, 5 breaking WEP with, 420–422 laminated windows, 517 cracking WPA with, 423 Lan Manager (LM) hash, storing information in testing with, 63 SAM, 167, 209–210 using Firewalk script with, 472 LAN Turtle tool, 573 KDC (key distribution center), Kerberos, 211–212 land attack, as DoS attack, 310 Kerberos, 211–212 LanDroid, pentesting Android, 450 key pair, CA generating, 85 LAN-to-LAN wireless networks, 412 keyboard dynamics, biometrics, 516 large-storage-capacity hard drives, securing, KeyGrabber tool, 574 506–507 keyloggers last-in, first-out (LIFO) access, 314 active online attacks via, 202 launch, of virus, 229 executing applications via, 214 law enforcement, reporting security incident malware programs installing, 225 to, 32 planting in post-exploitation phase, 561 lawful interception (LI), or wiretapping, 258 types of keystroke recorders, 248 layers, web application, 366–367 keys LDAP (Lightweight Directory Access Protocol), asymmetric algorithm, 80–86 170, 182–183 cryptosystem, 76 LEAP (Lightweight Extensible Authentication how cryptography works, 77 Protocol), wireless authentication, 418 symmetric algorithm, 78–79 least privilege KisMAC, 426 mobile device security via isolation, 442 Kismet thwarting SQL injection, 404–405 pentesting mobile devices, 449 legal issues tool for lab testing, 572 creating/using malware, 225–226 wardriving with, 426 with data, 507 wireless traffic analysis, 430 getting advice of lawyers on, 17 known plaintext attacks, on cryptographic laws, regulations and directives, 33–34 systems, 89 permission from 
client to perform enumeration, 162 purchasing lock-picking tools, 515 L sniffing, 258 of social engineering, 286 L0phtCrack tool, passwords, 571 legally permissible rule of evidence, 31 lab, building Let Me Rule, Trojan-creation tool, 243 build process, 566–567 LexisNexis, for competitive analysis data, 117 creating test setup, 568–569 LFM (log file monitor) IDS, 463 enumeration tools, 571 LI (lawful interception), or wiretapping, evaluating tools for, 566 258 hardware tools, 573–574 LIFO (last-in, first-out) access, 314
Lightweight Directory Access Protocol (LDAP), logout 170, 182–183 web application, 369 Lightweight Extensible Authentication Protocol web server/application session management, (LEAP), wireless authentication, 418 379 limited discoverable mode, Bluetooth, 432 LOIC (Low Orbit Ion Cannon) Link Extractor, 111 in action, 320–322 LinkedIn, 114, 297 creating botnets, 318 Linux OS DDoS tool, 320 Android based on, 443 pentesting Android, 451 banner grabbing tools, 150–151 Loki, exploiting covert channels, 247 finding MAC address, 55 long-lived sessions, web servers/applications, 379 macof MAC flood attacks, 270 low-interaction honeypots, 474 packet sniffing with tcpdump, 264–266 LulzSec, 8 passive fingerprinting of, 148–149 using Kali Linux, 63 vulnerabilities of, 62–63 wireless penetration tools, 431 M Linux OS enumeration commonly exploited services, MAC (media access control) address, 54–56 170–172 MAC flooding, 270–271, 274–275 DNS zone transfers, 174–176 Mac OS, vulnerabilities of, 61–62 finger command, 178 MAC spoofing, 272, 427 NULL sessions, 173–174 macof MAC flood, Linux, 270 services/ports of interest, 169–170 macro viruses, 230–231 SuperScan, 174 maintenance, thwarting SQL injection, 404 Unix and, 180–182 malicious activity users, 168–169 1980s hackers engage in, 4 live systems, checking for abusing cloud services via, 491 in targeted environment, 130–131 current developments in hacking/cybercrime, using hping3, 134–135 4–5 using ping, 133–134 ethical hackers using same tactics as, 13 using wardialing, 131–132 malicious code, as cybercrime, 7 LM (Lan Manager) hash, storing information in Maltego, 116, 151 SAM, 167, 209–210 malware LNS tool, finding ADS streamed files, 217 adware, 237 LoadStorm, testing security in cloud, 496 categories of, 227–228 local service account, in Windows, 164 executing applications via, 214 location, footprinting data on, 112–113 mobile device countermeasures, 455 lock screens, physical security via, 504 mobile device security issues, 
442–443, 447 locks, securing physical area, 513–515, 519 overt and covert channels used by, 247–249 log file monitor (LFM) IDS, 463 overview of, 224–226 log file readers, pentesting Android, 453 ransomware, 238 logging tools, lab testing, 572 removing in mopping up phase of pen testing, logic bombs, 230, 231 563 logic function, web applications, 369 review, 249–250 Logic layer, web applications, 366 review answers, 533–534 logon review questions, 251–253 physical security via, 503 scareware, 237 web server/application attacks from insecure, social engineering via Trojans, 293 368, 377–378 spyware, 236–237
strict laws against, 226–227 services and ports of interest, 169–170 Trojans. See Trojans storing information in SAM file, 167 viruses. See viruses SuperScan, 174 worms, 234–236 users, 163–164 Management Information Base (MIB), 178–180 Minipwner tool, 573 man-in-the-browser attacks, 338–339 misconfiguration man-in-the-middle attacks. See MitM (man-in- attacks on web servers/applications, 375 the-middle) attacks on Wi-Fi, 428 mantraps, securing physical area, 511–513 MitM (man-in-the-middle) attacks manual penetration testing, 561–562 application-level hijacking via, 341 mapping networks, 152–153 on cryptographic systems, 89 Marshmallow, Android OS, 442, 505 in exploitation phase, 560 master boot record (MBR), boot-sector viruses as passive online attacks, 200–201 infecting, 230 pentesting mobile devices via, 450 master computer (handler), DDoS attacks, performing, 347–351 318–319 as session hijacks, 346 Matchstick Men movie, social engineering in, 285 TCP packet sequence numbers in, 47–48 MBR (master boot record), boot-sector viruses Mitnick, Kevin, 346 infecting, 230 mnemonics, OSI layers, 46 McKinnon, Gary, 5 mobile apps, 363–364 MD2 (Message Digest 2), hashing algorithm, 87 mobile device security MD4 (Message Digest 4), hashing algorithm, 87 Android OS, 443–446 MD5 (Message Digest 5), hashing algorithm, 87 Apple iOS, 446–447 MD6 (Message Digest 6) hashing algorithm, 87 approaches to, 442–443 measured service, cloud computing, 487 countermeasures, 454–455 mechanical locks, physical access control, 513 cryptography in, 75 Medusa, password-cracking tool, 571 firewalls for, 473 Melissa virus, 5, 231 goals of, 441–442 membership registration sites, databases in, 395 OS models and architectures, 440–441 memory, buffer overflow attacks on, 314–317 overview of, 440 mesh topology, 42–43 penetration testing, 449–450 tag, code injection attacks, 341 penetration testing using Android, metadata, 364–365 450–454 metamorphic viruses, 230 physical theft, 505–506 MIB (Management 
Information Base), 178–180 problems, 447–449 MicroSD cards, mobile device encryption, 505 review, 455–456 Microsoft Hyper-V, building lab with, 569 review answers, 544 Microsoft Proxy Server firewall, 470 review questions, 457–460 Microsoft Windows OS use of locks, 519 Apple devices not playing well in, 62 modems, 131–132 common vulnerabilities of, 60–61 modules, Apache web server/IIS, 363 finding MAC address, 55 monitoring, session hijacking process, 334 Microsoft Windows OS enumeration mopping up phase, penetration testing, 563 commonly exploited services, 170–172 moral obligation, social engineers prey on DNS zone transfers, 174–176 victim’s, 283 groups, 164–165 Morris, Robert T., Jr., as first hacker, 4–5 NULL sessions, 173–174 MSN Sniffer, 260 overview of, 163 multifactor authentication, 198 PsTools suite, 177 multihomed firewall configuration, 468 security identifiers, 166–167 multipartite (or file) viruses, 230, 232
multiple access points, wireless networks, 412, routers at, 54 429–430 session hijacking at, 334 multi-tenant environments, threats to cloud network mappers, 152–153 security, 491 Network News Transfer Protocol (NNTP), 258 Myspace, people search utility, 297 network scans, 129 network security, 58–59 network service account, Windows, 164 network session hijacking, 344 network sniffing, against cloud, 494 N Network Time Protocol (NTP), and enumeration, NAT (Network Address Translation), routers 184 using, 54 network topologies nature, securing physical area, 509 bus, 40–41 NBNS (NetBIOS Name Service), 170 hybrid, 42–43 nbstat command, 171–172 mesh, 42–43 NBTScan, for lab testing, 571 overview of, 40 Nessus Vulnerability Scanner, 130, 380 ring, 41 NetBIOS, 171, 174 star, 42 NetBIOS Name Service (NBNS), 170 networking tools, pentesting tools for Android, NetBIOS Session Service (SMB over NetBIOS), 450–451 port for, 170 NetworkMiner, lab testing tool, 572 Netcat networks for Android, 451 administrator interaction with web servers, enumeration tool for lab testing, 571 360 planting backdoors, 215 attacks caused by footprinting, 107 port redirection, 248–249 attacks on mobile devices, 441 providing information about web server, 374 defending against session hijacking, 352 Netcraft DoS attacks against specific, 308 banner grabbing with, 150 firewalls, 56–59 finding information about URLs, 111 information gathering on, 104–105, 119–120, providing information about web server, 374 558 NETGEAR device, mitigating MAC flooding, intrusions, 6, 466 274–275 proxies, 56 NetScan tools, 571 routers and switches, 53–56 NetScanTools Pro, 186 Nexpose, 130, 496 netstat, detecting open ports, 241 NICs (network interface cards), 54 NetStumbler, 426, 572 NIDS (network intrusion detection system) NetWitness NextGen, sniffer, 260 detecting sniffing attacks, 275 Network Address Translation (NAT), routers overview of, 463 using, 54 targeting with DoS attack, 475 network cards, 411 NirSoft 
Suite, 571 Network Discovery tool, pentesting Android, 450 Nmap Network group, Windows, 165 defying detection by firewall, 478 Network Handbook, pentesting Android, 450 defying detection by IDS, 476 network interface cards (NICs), 54 detecting Trojans and viruses, 240–241 network intrusion detection system. See NIDS determining firewall configuration, 472–473 (network intrusion detection system) FIN scan with, 141 Network layer, OSI model fragmenting packets, 144 IP subnetting, 49 how it works, 141 overview of, 45 importance in CEH exam, 133–134
NULL scan with, 141 password cracking via, 199 OS detection with, 146–147 precomputed hashes/rainbow tables, 203–205 pinging with, 133 on WPA/WPA2, 424 port scanning with, 129 OIDs (object identifiers), recognizing MIB providing information about web server, 374 elements, 179 as scanner for lab testing, 570 omnidirectional antennas, 415 stealth or half-open scan with, 139 OmniPeek, sniffer, 259 as vulnerability scanner, 152 on-demand self-service, cloud computing, 486 Xmas tree scan with, 140 OneDrive, cloud computing, 487 NNTP (Network News Transfer Protocol), 258 one-way hash function, 81–82 nondiscoverable mode, Bluetooth, 432 online habits, changing, 295 nonpairing mode, Bluetooth, 432 Open Signal tool, wireless traffic analysis, 429–430 nonrepudiation open source cryptography in, 76 information gathering via footprinting, 106 symmetric cryptography lacking, 78 Linux OS, 63 non-repudiation, supporting CIA triad, 16–17 Open Web Application Security Project (OWASP), nontechnical (or non-electronic) attacks 380, 448 password cracking, 199 open-source intelligence (OSINT), 558 social engineering, 282 OpenSSL, web application encryption, 380 NOP sled, buffer overflow attack, 317 open-system authentication, Wi-Fi, 416 nslookup command, DNS, 119–120, 175–176 operating systems. 
See OSs (operating systems) NT LAN Manager (NTLM), 167, 209–210 OphCrack tool, 571 NTFS volumes, 217 opinion evidence, defined, 30 NTLM (NT LAN Manager), 167, 209–210 OPM (Office of Personal Management), threats to Ntop tool, 572 cloud security, 490 NTP (Network Time Protocol), in enumeration, Oracle VM VirtualBox, building lab, 569 184 Orbot, pentesting Android, 454 NULL scan, 141–142 order by statement, in SQL injection attack, NULL sessions, exploiting, 173–174 398 numbers organization data, in footprinting, 105–106 decoding SID, 166–167 Orweb, pentesting Android, 454 TCP packet sequence, 47–48 OS fingerprinting TCP/IP port, 50–52 active, 146–147 overview of, 145–146 passive, 147–149 OS X, Apple iOS based on, 446 O OSI (Open Systems Interconnection) model attacks caused by footprinting, 107 obfuscated code, evading detection via, 404, 476 overview of, 44–46 object identifiers (OIDs), recognizing MIB session hijacking in, 334 elements, 179 TCP/IP suite mapping to, 47–48 object identifiers, recognizing MIB elements, 179 OSINT (open-source intelligence), 558 objective, pre-engagement interactions, 553–554 OSs (operating systems) object-oriented programming databases, 395 Android, 62, 444 Office 365, cloud computing for, 487 Apple iOS. See Apple iOS Office of Personal Management (OPM), threats to choosing for test setup, 568 cloud security, 490 finding information in footprinting, 105 offline attacks Linux, 62–63 extracting hashes from system, 203 Mac OS, 61–62 overview of, 203 Microsoft Windows, 60–61
output, reading sniffer, 266–270 in distributed network attack, 205–206 outside attacks, pre-engagement interactions, 555 in exploitation phase, 560 overt channels, 239 as offline attack, 203–205 OWASP (Open Web Application Security Project), as passive online attack, 199–202 380, 448 performing, 377–378 risk mitigation for WEP/WPA, 425 techniques, 198–199 understanding, 196–198 password guessing P as active online attack, 202 p0f tool, Linux, 148–150 obtaining password via, 207 P2P (Peer-to-Peer Networks), spyware delivery password-cracking backdoors, 247 via, 236 password-protected screensavers, 504 PaaS (Platform as a Service), cloud, 366, 489 passwords Packet Capture tool, pentesting Android, 450 adding additional security measures to, 504 packet capture, with sniffers. See sniffers avoid saving of, 296 packet crafters, 137 biometric authentication replacing, 515 Packet Generator, pentesting Android, 451 capturing in post-exploitation phase, 561 packet sequencing, implementing TCP hijacking, cybercrime of stealing, 6 344–345 Linux user account, 168 packet sniffing, 199–200 mobile device countermeasures, 454–455 packet-filtering firewalls, 57, 469 mobile device security issues, 447 PacketShark, pentesting Android, 451 in multifactor authentication, 198 Padding Oracle On Downgraded Legacy physical security via, 503 Encryption (POODLE) attack, 381 SNMP, 179 PageXchanger for IIS, 151 social networking and, 289 pairing mode, Bluetooth, 432 social networking countermeasures, 292–293 palm scan systems, biometrics, 516 storing information in SAM, 167 Parabolic Antenna tool, lab testing, 574 as vulnerability in Windows, 61 parabolic grid antennas, 415–416 web server/application issues, 377–378, 379 Paranoid Android, 446 working with, 503 parties involved, pre-engagement interactions, patches 553–554 creating test setup, 568 passive fingerprinting, OSs, 146–147 installing for lab testing, 569 passive information gathering, footprinting, 106 mobile device security issues, 
447 passive online attacks as vulnerability in Windows, 60 man-in-the middle, 200–201 Path attribute, cookies, 380 overview of, 199 Patriot Act, malware and, 226–227 packet sniffing, 199–200 pattern matching, IDS signature detection, 464 password cracking, 198 PBXs (private branch exchanges), wardialing, 132 replay attack, 201–202 PDF printer, for lab testing, 569 passive session hijacking attack, 335–336 PDF viewer, for lab testing, 569 passive sniffing, 256 PDQ Deploy, planting backdoors, 214 passive wireless network attacks, 425 peer CA, 85 passphrases, identity theft protection, 297 penetration (pen) testing passwd file, Linux, 168 alternative methods of testing, 550–552 password cracking Android OS, 450–454 as active online attack, 202–203 automated vs. manual, 561–562 of cloud services, 491 building lab for. See lab, building of database server, 396 contract contents for, 555–556
evaluating necessity of, 19–20 phlashing, permanent DoS, 310 evasion, 479–480 phone taps, firewalls acting as, 467 exploitation, 560 PhoneSweep wardialing program, NIKSUN, 132 footprinting phase, 100–101 physical access, spyware delivery via, 236 frameworks, 549 Physical layer, OSI model, 45 gaining permission, 556 physical security IDS, 480 biometrics, 515–516 intelligence gathering, 557–558 contactless cards, 515 of mobile devices, 449–454 data storage, 506–509 mopping up, 563 defense in depth, 519–520 Penetration Testing Execution Standard, doors and mantraps, 511–513 552–553 education and awareness, 519 permissions/contracts before, 13 entryways, 517–518 post-exploitation, 560–562 fences, 511 pre-engagement interactions, 553–555 gates, 511 reporting, 562–563 locks, 513–515 review, 563–564 mobile device issues, 505–506 security in cloud, 495–496 other items to consider, 519 tests within, 20–21 overview of, 502 threat modeling, 558–559 physical penetration test of, 554 vulnerability analysis, 559–560 review, 520–521 web applications, 383–384 review answers, 547–548 penetration testers review questions, 522–524 ethical hackers as, 2, 12–17 securing physical area, 510 prerequisites for, 10 server rooms and networks, 518 role of, 19–21 simple controls, 503–505 Penetration Testing Execution Standard. See PTES walls, ceilings, and floors, 516–517 (Penetration Testing Execution Standard). 
windows, 517 People Search, 297 picks, lock, 514 people search utilities, 113 PII (personally identifiable information) Performance Insight, detecting sniffing attacks, footprinting causing threats to, 107 275 preventing, 393 perimeter, building physical defense, 520 preventing threats when posting, 296 permanent DoS attack, 310 SQL injection attacks stealing, 391 permissions PIN code problem, WPS, 422–423 black hats functioning without, 11 pin-and-tumbler locks, physical access control, ethical hacker responsibility for, 9–10 513 Linux group, 169 ping of death, as DoS attack, 309–310 mobile device access control via, 443 ping utility before starting testing activity, 13, 556–557 checking for live systems via, 133–134 web applications, 369 checking for live systems via hping, 134–135 white hats functioning with, 11 gaining information about target’s personally identifiable information. See PII network, 119 (personally identifiable information) ping sweeps, 134 personally owned devices, in workplace, 440– pivot points, wardialing, 132 441, 448–449 PKI (public key infrastructure), 83–86 PGP (Pretty Good Privacy), 79, 92–93 plain text/clear text phases, social engineering, 285 in asymmetric algorithms, 80 Phatbot, Trojan-creation tool, 243 how cryptography works, 77 phishing, social engineering, 120–121, 293–294 PKI system, 83–85
in symmetric algorithms, 77 positive pressure, server rooms, 518 understanding hashing, 86–88 post exploitation, pentesting mobile devices, 450 plaintext attacks, WEP vulnerability, 419 Post Office Protocol (POP), sniffing of, 258 plans, incident response, 25–26 Poulsen, Kevin Lee (Dark Dante), hacker, 5 planting backdoors, 18 power outages Platform as a Service (PaaS), cloud, 366, 489 mesh topology and, 42–43 PlugBot, creating botnets, 318 star topology and, 42 points of failure, disaster and recovery plans, 29 preinstalled applications, Android OS, 445 Poison Ivy, creating botnets, 318 Presentation layer, OSI model, 46, 366 poison null byte attacks, scripting errors, 378 preservation rule of evidence, 31 policies Pretty Good Privacy (PGP), 79, 92–93 BYOD, 448 primary (default) groups, Linux, 169 capturing settings in enumeration phase for, printers, physical protection of, 519 163 privacy firewall configuration via security, 467 Code of Ethics for, 11 hardening network against sniffing, 273 ethical hacker responsibility for, 10 incident response. 
See IRPs (incident response footprinting causing loss of, 107 policies) with SNMPv3, 178 lack of social engineering security, 283 social engineering impacting loss of, 285 strong password, 503 social networking countermeasures, 293 PoliteMail tool, 117 private branch exchanges (PBXs), wardialing, 132 polycarbonate acrylic windows, 517 private browsing, preventing threats, 295 polymorphic viruses, debut of, 230 private cloud, 488 POODLE (Padding Oracle On Downgraded private keys, 80–86, 93 Legacy Encryption) attack, 381 privilege escalation, on Microsoft platforms, poorly written/questionable scripts, causing 211–212 attacks, 378 processes, running Windows, 164 POP (Post Office Protocol), sniffing of, 258 process-hiding backdoor, 247 pop action, program stack, 314–315 promiscuous client attacks, Wi-Fi, 428 pop-up blockers, social engineering prevention, promiscuous mode, detecting sniffing 294 attacks, 275 port mirroring, sniffing switched networks, proper identification rule of evidence, 31 272–273 protocol anomaly detection, IDS, 465 Port Scanner, pentesting Android, 450 protocol listeners, IIS, 363 port scanning protocols, subject to sniffing, 258–259 checking status of ports, 135–137 proxies detecting Trojans and viruses, 240–241 overview of, 56 determining type/brand of firewalls, 470 pentesting tools for Android OS, 453 overview of, 129 providing anonymity for scanning party, portables, securing, 519 153–154 portals, as mantraps, 513 setting up web browser to use, 154–155 ports testing web applications with Burp Suite, checking status of, 135–137 383 hardening network by securing, 273 proxy Trojans, 240 knowing for exam, 169–170 proxy-based firewalls, 469 redirecting, 248–249 pseudonymous footprinting, 106–107 TCP/IP, 50–53 PSH flag, 137, 139–140 tracking usage with TCPView, 242–243 Psiphon, pentesting Android, 453 using Firewalk, 471 pspv.exe tool, 208 using netstat to detect open, 241 PsTools suite, planting backdoors, 214
PTES (Penetration Testing Execution Standard). reaper virus, 228 contents of contract, 555–556 Reaver, tool for lab testing, 572 gaining permission, 556–557 receptionists, as targets of social engineers, 286 intelligence gathering, 557–558 reconnaissance, ethical hacking. See footprinting pre-engagement interactions, 553 records (rows), database, 395 seven stages of, 552–553 recovery threat modeling, 558–559 DRP. See disaster recovery plan (DRP) working with, 553 as incident response phase, 24 public cloud, 488 RECUB (Remote Encrypted Callback Unix public information, intelligence gathering for, 558 Backdoor), Trojan-creation tool, 243 public key infrastructure (PKI), 83–86 red team, pentester, 557 public keys redirects, web server/application attacks from in asymmetric cryptography, 80–86 unvalidated, 376–377 CA publication of, 85 redundancy Pretty Good Privacy using, 92–93 disaster and recovery plans for, 28–29 public places, access to sensitive information in, mesh topology providing high, 42–43 295 ring topology providing, 42 public profiles, avoiding on social networks, 293 reflected XSS attacks, 340 public websites, in footprinting process, 111–112 registered ports, 51–52 push action, program stack, 314–315 Registration Authority (RA), CA as, 85 push messaging, Android OS, 445 relational databases, 395 pwdump command, extracting hashes, 203 Relay service, SMTP, 186 Pwn Pad, 430, 573 relevance rule of evidence, 31 Pwn Phone, 430, 573 reliability rule of evidence, 31 Pwnie Express, 430 religious law, ethics and, 33 Remote Access Trojans (RATs), 240 Remote Authentication Dial-In User Service (RADIUS), 417–418 R Remote Encrypted Callback Unix Backdoor RA (Registration Authority), CA as, 85 (RECUB), Trojan-creation tool, 243 rack-mounted servers, server rooms, 518 Remote Procedure Call (RPC), TCP 135 port, 169 radio frequency ID (RFID), physical access remote wiping, 449, 455 control, 515 RemoteExec, planting backdoors, 214 RADIUS (Remote Authentication Dial-In 
User repair phase, incident response, 24 Service), 417–418 replay attack, 201–202 rainbow table attacks, 203–205 replication, 229 RainbowCrack, 571 reporting RAM, creating test setup, 568 in penetration testing, 562–563 range as responsibility of ethical hacker, 14 extending Bluetooth device, 432 security incident, 32 wireless networks and, 411 reputation filtering, protection from botnets, 324 ransomware, 7, 238 researching, viruses, 233–234 rapid elasticity, in cloud computing, 487 resource pooling, cloud computing, 487 Raspberry Pi, 427, 573 response phase, incident response, 23 RATs (Remote Access Trojans), 240 responsibilities, ethical hacker, 9–10 RC2 symmetric algorithm, 79 Restorator, distributing Trojans, 246 RC4 symmetric algorithm, 79 Restricted group, Windows, 165 RC5 symmetric algorithm, 79 restricted websites, footprinting, 111–112 RC6 symmetric algorithm, 79 retina pattern systems, biometrics, 516 RCPT TO command, SMTP enumeration, 186 revenue, footprinting and loss of, 107
reversal testing, 552 firewall, 467 reverse proxy, protecting from DoS/DDoS attacks, for strong passwords, 197–198 323 runtime, Android application, 444–445 reverse SSH tunneling, breaching wireless networks, 427 Reverse World Wide Web (WWW) Tunneling Shell, 248 RFC 3704 filtering, protecting from botnets, 323 S RFID (radio frequency ID), physical access SaaS (Software as a Service), cloud, 366, 488–489 control, 515 SAM (Security Accounts Manager) rights, Linux group, 168 authentication on Microsoft platforms, Rijndael, 79 209–210 ring topologies, 41 how passwords are stored within, 209–210 RIP (Routing Information Protocol), 45 user and group information stored in, 167 RIPE-MD, hashing algorithm, 87 sample scripts, and scripting errors, 378 risk sandboxing, access control via, 444 cloud controls managing, 495 SandroProxy, pentesting Android, 453 contract content stating perceived, 555 sanitation methods, 508, 509 increased wireless network, 410 SAPs (software access points), 411–412 mobile device security, 440–441 Saran Wrap, Trojans, 246 reporting security incident, 32 Sarbanes–Oxley Act (SOX or SarBox), 2002, 34 rlogin keystrokes, Telnet, 258 satellites, footprinting location data, 112 rogue access point attacks, Wi-Fi, 426–427 save capture function, sniffers root CA, 85 overview of, 257–258 root directory, directory traversal attacks, 382 reading captured output, 267–270 device, Android, 444 Wireshark, 262 rootkits, 227 scalar objects, MIB, 179 Rosetta stone, 74 scale, DoS attacks vs. 
DDoS attacks, 317–318 router throttling, protecting from DoS/DDoS, scams, social media, 290–291 323 scanner, testing web applications with Burp Suite, routers 383 evading with fragmenting, 144 scanners, lab testing tools, 570–571 firewalls acting as, 467 scanning firewalls working in conjunction with, 468 ACK scans, 143–144 overview of, 53–54 banner grabbing, 149–151 Routing Information Protocol (RIP), 45 checking for live systems, 130–135 rows (records), database, 395 checking status of ports, 135–137 RPC (Remote Procedure Call), TCP 135 port, 169 ethical hacking and, 101 rpcinfo command, Linux/Unix, 181 FIN scans, 137–138 RST flag full-open scans, 135 ACK scanning and, 143 idle scans, 142–143 defined, 137 network mapping, 152–153 defying detection by IDS with, 477 NULL scans, 141–142 full-open scans, 138 OS fingerprinting, 145–149 idle scans, 142–143 pentesting mobile devices, 449 stealth or half-open scans, 138–139 pentesting tools for Android, 452–453 rule-based attacks, password cracking via, 198 review, 155 rules review answers, 530–531 of engagement, 13–14, 558 review questions, 156–158 of evidence, 31 as second phase of ethical hacking, 17

bindex.indd 04/0½ 016 Page 597 598 scareware – session ID prediction

    stealth or half-open scans, 135–136
    techniques used in, 161
    types of, 129–130
    types of information learned by, 130
    UDP scans, 144–145
    understanding, 128–129
    using proxies, 153–155
    in vulnerability analysis phase, 559
    vulnerability scanners, 129–130, 151–152
    when scan is blocked, 144
    Xmas tree scans, 136–137
scareware, 237, 284
Schneier, Bruce, 79
scope, pre-engagement interactions, 553
screened subnet, firewall configuration, 468
screensavers, physical security, 504
script kiddies, 9
scripting errors, in attacks on web servers/applications, 378
search engines, in footprinting, 108–111
SEC (Securities and Exchange Commission), 117
secondary evidence, 30
secondary groups, Linux, 169
secrecy, in cryptography, 75
sector-specific data, intelligence gathering for, 558
Secure attribute, cookies, 379
Secure Hash Algorithm-0 (SHA-0), 87
Secure Hash Algorithm-1 (SHA-1), 87
Secure Hash Algorithm-2 (SHA-2), 87
Secure Shell (SSH), hardening network, 273
Secure Sockets Layer. See SSL (Secure Sockets Layer)
Securities and Exchange Commission (SEC), 117
security
    cryptography. See cryptography
    early Internet not designed for, 4
    footprinting. See footprinting
    network, 58–59
    in pentesting, 13
    preserving CIA triad when planning, 16
    of private cloud, 488
    vs. convenience analysis, 14
security film windows, 517
security identifiers (SIDs), 166–167
security policies, and social engineering, 283
security software disablers, Trojans as, 240
Self group, Windows, 165
SENA adapter, in test setup, 568
Senna spy, Trojan construction kit, 246
sequencer, Burp Suite, 383
SERP (search engine results page), footprinting, 108
server administrators, and web servers, 360
Server Mask, countering banner grabbing, 151
server rooms and networks, securing, 518
server validation, 425
server-side technologies
    SQL injection and, 394
    understanding web applications, 365
Service group, Windows, 165
service hijacking, against cloud, 490, 494
service packs, Windows vulnerability, 60
service providers
    planning for disaster and recovery, 28
    as threat to cloud security, 491
service request flood, as DoS attack, 308
service set identifier. See SSID (service set identifier)
service-level agreements (SLAs), 27, 29
services
    commonly exploited, 170–171
    and ports of interest, 169–170
    protecting from DoS/DDoS attacks by degrading, 323
    protecting from DoS/DDoS attacks by disabling, 323
session desynchronization, session hijacking, 334
session fixation attack, 341
session hijacking
    active and passive attacks, 335–336
    defensive strategies, 352–353
    DNS spoofing, 351–352
    in exploitation phase, 560
    key concepts, 341–343
    man-in-the-middle attack, 346–351
    network, 344–346
    overview of, 332
    pentesting tools for Android, 451
    review, 353–354
    review answers, 539–540
    review questions, 355–358
    in session fixation attack, 341
    spoofing vs. hijacking, 334
    TCP packet sequence numbers in, 47–48
    types of application-level, 337–341
    UDP, 352
    understanding, 332–334
    web apps and, 336–337
session ID prediction, session hijacking, 334


session IDs
    session hijacking at application level, 336–337
    session management issues, 379
    types of session hijacking, 333
    understanding, 334
Session layer, OSI model, 46
session management, web servers and applications, 378–379
session riding (or CSRF), against cloud, 491–492
session sniffing, 337
session splicing, 476
session tokens, 334, 338
session tracking, web applications, 369
SETI (Search for Extraterrestrial Intelligence) project, 206
SETI@home project, 206
SFind tool, 217
SHA-0 (Secure Hash Algorithm-0), 87
SHA-1 (Secure Hash Algorithm-1), 87
SHA-2 (Secure Hash Algorithm-2), 87
shared key authentication, Wi-Fi, 416–417
SharesFinder, pentesting Android, 451
Shark, creating botnets, 318
Shark for Root, pentesting Android, 451
sheep-dip system, researching viruses, 233–234
shell viruses, 232
Shodan search engine, 297, 374
Short Message Service (SMS), pentesting mobile devices, 450
shoulder surfing, 121, 293
showmount command, Linux/Unix, 181
shredding, physical security via, 508
side channel attacks, on cloud, 492–493
SIDs (security identifiers), 166–167
signature wrapping attacks, on cloud, 493
signature-based IDS, 464
Simple Mail Transfer Protocol. See SMTP (Simple Mail Transfer Protocol)
Simple Network Management Protocol. See SNMP (Simple Network Management Protocol)
Simple Object Access Protocol (SOAP), 493, 494
site survey tools, wireless networks, 426
Skyhook, wireless traffic analysis, 429
Slammer worm, SQL, 234–235
SLAs (service-level agreements), 27, 29
slaves (zombies), DDoS attack setup, 318–319
SlimROM, Android, 445
smart cards, supplementing passwords, 504
smartphones
    Android OS. See Android OS
    Apple iOS. See Apple iOS
    bring your own device issues, 448–449
    hacking with Pwn Phone, 430
smashing stack, buffer overflow attacks, 315–316
SMB over NetBIOS (NetBIOS Session Service), port for, 170
SMB over TCP (or Direct Host), port for, 170
Smith, David L., hacker, 5
SMS (Short Message Service), pentesting mobile devices, 450
SMTP (Simple Mail Transfer Protocol)
    easy sniffing of, 258
    enumeration with, 162, 184–186
    TCP 25 port for, 169
smurf attacks, 310
sniffers
    on the defensive, 273
    detecting attacks, 275
    overview of, 256
    in passive session hijacking attacks, 335
    reading output, 266–270
    review, 275–276
    review answers, 534–536
    review questions, 277–280
    switched network, 270–275
    tcpdump, 264–266
    tools, 259–260, 572
    understanding, 256–258
    using, 259
    Wireshark, 260–264
sniffing, session hijacking process, 334, 352
SNMP (Simple Network Management Protocol)
    enumeration with, 162, 178–179
    MIB used as codebook by, 179–180
    UDP 161 and 162 ports for, 170
SNScan, 180
SOAP (Simple Object Access Protocol), 493, 494
SOASTA CloudTest, 495–496
social engineering
    commonly employed threats, 293–296
    on cryptographic systems, 89
    as cybercrime, 6
    footprinting as, 107, 120–121
    identity theft as, 296–298
    impact of, 285–286
    on mobile devices, 442
    phases of, 285
    power of, 284
    pre-engagement interactions, 554
    review, 298–299


    review answers, 536–537
    review questions, 300–303
    social networking as, 287–291
    social networking countermeasures, 291–293
    targets of, 286–287
    understanding, 282–283
    why it works, 283–284
social networking
    countermeasures for, 291–293
    in footprinting process, 113–116
    gathering information via, 287–291
    strengthening your accounts from, 289–291
software
    adware installed with, 237
    encryption weaknesses in web applications, 380
    gathering job posting data, 117
    malicious. See malware
    mobile device security issues, 447
    spyware installed with, 237
    tools for building lab, 570–571
Software as a Service (SaaS), cloud, 488–489
software piracy, as cybercrime, 7
software updates
    installing for lab testing, 569
    mobile device countermeasures, 455
solar film windows, 517
solid state drives (SSDs), problems with, 509
Corporation, SQL injection attack on, 391
Source IP reputation filtering, protection from botnets, 324
source routing, 342
SPAN (Switched Port Analyzer) port, sniffing switched networks, 272–273
sparse-infector viruses, 231
spear phishing, 121
Spector Pro keylogger, 248
SPI (stateful packet inspection), in ACK scanning, 142–143
Spider tool, testing web applications, 383
Spokeo, people search utility, 113, 297
spoofing
    DNS, 343
    IP, 341–342
    MAC, 427
    pentesting mobile devices, 450
    vs. session hijacking, 334
spyware
    active online attacks via, 202
    defined, 227
    methods of infection, 236–237
    overview of, 236
SQL injection
    altering data with, 399–401
    anatomy of, 396–399
    blind, 401–402
    against cloud, 494
    countermeasures, 404–405
    database vulnerabilities, 394–396
    evading detection mechanisms, 403–404
    information from error messages and, 403
    information gathering and, 402–403
    introduction, 390–392
    lack of input validation allowing, 375
    overview of, 390
    pentesting tool for Android, 453
    prerequisites for, 390
    results of, 392–393
    review, 405
    review answers, 541–542
    review questions, 406–408
    web application anatomy and, 393–394
SQL Slammer worm, 234–235
SQLite Editor, pentesting Android, 453
sqlmapchik, pentesting Android, 453
SQLPing 3.0, 396
SQLRecon, 396
SSDs (solid state drives), problems with, 509
SSH (Secure Shell), hardening network, 273
SSID (service set identifier)
    access points broadcasting, 413
    changing default, 413
    open system authentication for Wi-Fi and, 416
    rogue access point attack on, 427
    wireless traffic analysis, 429–430
SSL (Secure Sockets Layer)
    defending against session hijacking, 352
    hardening network against sniffing, 273
    POODLE attack using, 381
    at Presentation layer of OSI model, 46
    securing information, 93–94
SSL Strip, 200–201, 451
Stacheldraht, DDoS tool, 320
stack
    buffer overflow attacks and, 314–315
    smashing, 315–316
standard windows, 517
star topology, 42
stateful packet inspection (SPI), in ACK scanning, 142–143


stateful firewalls
    multilayer inspection, 469
    packet filtering, 57
    preventing port scans, 143
stateless, defined, 367
stealing session ID, in session hijacking, 333
stealth (half-open) scan, 135–136
Stealth Tool, hiding Trojans, 246
stolen equipment attack, 555
stolen session. See session hijacking
stored XSS attacks, 339–340
strong passwords
    physical security via, 503
    rules for, 197–198
Stunnel, 381
Stuxnet virus, 6, 45
subdomains
    defined, 111
    footprinting restricted websites, 111–112
    revealing with Netcraft tool, 111
subnetting, IP, 49
subordinate CA, 85
suicide hackers, 9
suites, pentesting Android, 454
SuperScan
    enumeration tool for lab testing, 571
    enumeration utilities of, 174
    scanner for lab testing, 570
Svechinskaya, Kristina Vladimirovna, 6
switched networks, sniffing
    ARP poisoning, 271–272
    MAC flooding, 270–271
    MAC spoofing, 272
    mitigating MAC flooding, 274–275
    port mirror or SPAN port, 272–273
Switched Port Analyzer (SPAN) port, sniffing switched networks, 272–273
switches
    broadcast domains/collision domains, 55–56
    nbstat, 171–172
    nmap, 141
    overview of, 54–55
    tcpdump, 266
syllable attacks, password cracking via, 198
symbols, Egyptian hieroglyphic, 74–75
symmetric cryptography, 77–79
SYN attack/flood
    as DoS attack, 309
    performing, 311–314
    web servers/applications vulnerable to, 372
SYN flag
    checking status of ports, 136–137
    passive fingerprinting of OS, 147–149
    performing idle scan, 142–143
SYN packet, TCP/IP suite, 47–48
SYN scan, 138–139
SYN sequence numbers, TCP/IP session hijacking, 344
SYN-ACK response
    passive fingerprinting of OS, 147–149
    performing idle scan, 142–143
    performing stealth or half-open scan, 138–139
    SYN attack/floods exploiting, 309
    TCP three-way handshake and, 47–48
Sysinternals Suite, for lab testing, 571
SYSKEY, improving security of SAM, 209
Syslog, pentesting Android, 453
system (boot-sector) viruses, 229, 230
system account, processes in Windows, 164
system administrators
    as targets of social engineers, 286
    tendency to use backdoor accounts, 287
system fundamentals
    backup/archiving, 63–64
    DNS, 53
    exam objectives, 39
    hexadecimal vs. binary, 49–50
    IP subnetting, 49
    IPS and IDS, 57
    network devices, 53–57
    network security, 58–59
    network topologies, 40–44
    operating systems, 60–63
    OSI model, 44–46
    review, 64–65
    review answers, 527–528
    review questions, 66–69
    TCP/IP ports, 50–53
    TCP/IP suite, 47–48
System group, Windows, 165
system hacking
    active online attacks, 202–203
    authentication on Microsoft platforms, 209–213
    covering tracks, 215–217
    distributed network attacks, 205–206
    executing applications, 213–214
    in hacking process, 18
    offline attacks, 203–205
    options for obtaining passwords, 207–208


    overview of, 194, 196
    passive online attacks, 199–202
    password cracking, 196–199, 208–209
    as phase of ethical hacking, 102
    planting backdoors, 214–215
    previous phases of ethical hacking, 194–196
    review, 217–218
    review answers, 532–533
    review questions, 219–221
system integrity verifier, 463
system knowledge, in contract content, 556
system weaknesses, penetration testing, 558

T
tables, SQL injection attack on, 399
tablets
    bring your own device issues, 448–449
    hacking with Pwn Pad, 430
    using for lab testing, 574
tabular objects, MIB, 179
tailgating, mantraps preventing, 512–513
tandem testing, 552
Targa, DoS tool, 319
Target Corporation, data breach, 225, 489–490
target of evaluation (TOE), 13
targets
    acquiring for SQL injection attack, 397–398
    DoS, 308
    of evaluation in contract, 555
    intelligence gathering to define, 557
    social engineering, 286–287
TCP (Transmission Control Protocol)
    Connect scan, 138
    defying detection by IDS, 476–477
    flags, 137
    port numbers, 169–170
    service request floods exploiting, 309
    session hijacking, 344–345, 346
    at Transport layer of OSI model, 46
TCP three-way handshake
    in blind hijacking, 341
    checking status of ports, 135–136
    desynchronizing connection, 343
    DNS, 351
    full-open scan completing, 138
    overview of, 47–48
    reading captured output of, 267
    SYN attack/floods exploiting, 309
tcpdump, sniffer
    defined, 259
    packet sniffing in Linux, 264–266
    sniffer tool for lab testing, 572
TCP/IP ports, 50–53
TCP/IP suite, 47–48, 333
TCPView, 242–243, 571
teams, incident response, 25
teardrop attack, as DoS attack, 310
technology
    evolution of hacking in response to, 4
    little impact on social engineering, 283
Teflon Oil Patch, distributing Trojans, 246
telephone calls, law enforcement and sniffing, 258
Telnet
    banner grabbing with, 149–151
    easy sniffing of, 258
    enabling in modern Windows, 149
    TCP 23 port for, 169
    vulnerable to man-in-the-middle attack, 200
telnet command, SNMP enumeration, 185
tension wrenches, lock picking, 514
Terminal Server User group, Windows, 165
terminology
    footprinting, 106–107
    wireless, 414
terrorism, and social engineering, 285
testing. See penetration (pen) testing
TFN2K, DDoS tool, 320
TGS (ticket-granting server), Kerberos, 211–212
TGT (ticket-granting ticket), Kerberos, 211–212
The Italian Job movie, social engineering in, 285
The Onion Router (Tor), 154–155
theft of access, as cybercrime, 6
THE-SCAN wardialing program, 132
threats. See also vulnerabilities
    Bluetooth, 432–433
    BYOD, 448–449
    caused by footprinting, 107
    cloud security, 489–490, 491–493
    defined, 13
    mobile device, 441
    modeling in penetration testing, 558–559
    social engineering, 283, 293–294
    web servers/applications. See web servers/applications, common flaws/attack methods
    Wi-Fi. See Wi-Fi, threats
three-way handshake, TCP, 47–48
thumbprint, as one-way hash value, 87


ticket-granting server (TGS), Kerberos, 211–212
ticket-granting ticket (TGT), Kerberos, 211–212
time to live values. See TTL (time to live) values
timeframe
    in contract content, 555–556
    intelligence gathering for, 558
timeline of security incident, reporting, 32
timing, of penetration test, 555
TOE (target of evaluation), 13
tokens, supplementing passwords with, 504
ToneLoc wardialing program, 132
tools
    creating botnets, 318
    creating Trojans, 243–245
    DDoS, 320
    DoS, 319
    enumeration, 571
    evaluating when building lab, 566
    exploiting covert channels, 247–248
    hardware, 573–574
    installing, 570
    lock-picking, 514–515
    logging/event-viewing, 572
    password-cracking, 571
    scanner, 570–571
    sniffer, 259–260, 572
    wireless, 572
topologies, network, 40–44
Tor (The Onion Router), 154–155
Tracert utility
    finding IP address for website, 104–105
    footprinting using, 103
    gaining information about target's network, 120
traffic analysis, targeted Wi-Fi networks, 429–430
traffic filters, firewalls as, 468
traffic sniffing, 560
training
    as line of defense in security, 519
    in preventing social engineering, 292–293
    as social engineering countermeasure, 283–284
Transmission Control Protocol. See TCP (Transmission Control Protocol)
Transport layer, OSI model, 46
triage phase, incident response, 23
Trinoo, DDoS tool, 320
Triple DES (3DES) encryption, 78–79, 88
Tripwire, 217, 463
TRK (Trinity Rescue Kit), 213, 571
Trojan Construction Kit, 246
Trojan Man, 246
Trojans
    active online attacks via, 202
    backdoors, 246–247
    behaviors of, 238–239
    BO2K, 244–245
    construction kits, 246
    defined, 227
    detecting, 240–243
    distributing, 245–247
    social engineering via, 284, 293
    systems of behaviors, 238–239
    tools for creating, 243–245
    types of, 240
    unknowing victims of, 239–240
    using covert and overt channels, 239, 247
trust
    ethics and the law, 33
    social engineers preying on victim's, 114, 283, 284
trusted root CA, 85
TTL (time to live) values
    determining firewall configuration with Firewalk, 470–471
    determining firewall configuration with Nmap, 472–473
    firewalking and, 470
    passive fingerprinting of OS, 147–149
Twitter
    gathering information using, 288–289
    social engineering via, 114
TwoFish symmetric algorithm, 79
type mismatch, and error messages, 403

U
UAC (User Account Control), 60
Ubertooth One, for lab testing, 573
Ubuntu, overflowing CAM tables in, 271
UD100 Bluetooth adapter, extending range, 432
UDP (User Datagram Protocol)
    in fraggle attack, 310
    port numbers, 169–170
    in session hijacking, 352
    SNMP functioning with, 178
    at Transport layer of OSI model, 46
UDP-based scans, 144–145


UDPFlood, DoS tool, 319
UID, Linux user account, 168
uniform resource identifier (URI), and web applications, 367
Universal Resource Locators. See URLs (Universal Resource Locators)
Unix OS enumeration, 180–182
unsafe site warning, heeding, 295
unvalidated redirects and forwards, attacks on web servers/applications, 376–377
updates
    Android Updates, 445
    lab testing, 569
    mobile device, 447, 455
    test setup, 568
    as vulnerability in Windows, 60
upload bombing, from scripting errors, 378
UPnP Scanner, pentesting Android, 451
URG flag
    defined, 137
    marking data as urgent, 477
    performing Xmas tree scan, 139–140
URI (uniform resource identifier), and web applications, 367
URLs (Universal Resource Locators)
    defying detection by firewall using IP address instead of, 478–479
    in directory traversal attacks, 382–383
    footprinting, 110–111
    session IDs embedded in, 336
U.S. Army, SQL injection attack on, 391
U.S. Code of Fair Information Practices, 1973, 33
U.S. Communications Assistance for Law Enforcement Act, 1994, 34
U.S. Computer Fraud and Abuse Act, 34, 226
U.S. Electronic Communications Privacy Act, 1986, 34
U.S. Kennedy-Kassebaum Health Insurance Portability Accountability Act (HIPAA), 1966, 34
U.S. Medical Computer Crime Act, 1984, 34
U.S. military files, 2002 hacking of, 5
U.S. National Information Infrastructure Protection Act, 1996, 34
U.S. Privacy Act, 1974, 34
USA Freedom Act, 227
USB (Universal Serial Bus)
    password theft, 207–208
    physical security of external drives, 506–507
USB Rubber Ducky
    hardware tool for lab testing, 573
    stealing passwords, 208
User Account Control (UAC), 60
User Datagram Protocol. See UDP (User Datagram Protocol)
user-installed applications, Android OS, 445
usernames
    cybercrime of stealing, 6
    Linux, 168
users
    Android OS security for, 443–444
    interaction with web servers, 360
    Linux, 168–169
    removing accounts in mopping up phase, 563
    SQL injection attacks on current, 399
    as targets of social engineers, 286
    vs. administrative account, 60
    Windows, 163–167

V
validation
    of certificates by CAs, 85
    input. See input validation
VBA (Visual Basic for Applications), macro viruses using, 230–231
Vega web application scanner, 384
vehicles, protecting facility against, 517
verbal agreements, never accepting from client, 14
version information, SQL injection attacks, 398
versions, SNMP, 178
vertical privilege escalation, 212
virtual machines. See VMs (virtual machines)
virtual private networks (VPNs), hardening network with, 273
virtualization
    advantages for testing, 566–567
    software options for building lab, 569
viruses
    creating, 232–233
    defined, 227
    detecting, 240–243
    kinds of, 230–232
    overview of, 228
    researching, 233–234
    understanding, 228–230
    as vulnerability in Mac OS X, 61–62
    as vulnerability in Windows, 61


Visual Basic for Applications (VBA), macro viruses using, 230–231
VMs (virtual machines)
    creating test setup, 568
    installing/configuring for lab, 570
    in side channel attacks on cloud, 493
VMware Player, building lab, 569
VMware Workstation, building lab, 569
voice recognition, biometrics, 516
voiding warranty, by jailbreaking, 447
VPNs (virtual private networks), hardening network with, 273
VRFY command, SMTP enumeration, 185
vulnerabilities
    Android OS, 62
    bus topology, 42
    cryptographic, 88–89
    defined, 13
    enterprise, 58–59
    Linux OS, 62–63
    Mac OS, 61–62
    mobile device, 447–448
    web servers/applications, 369–374
    WEP, 419
    Windows OS, 60–61
    WPA, 422–423
    WPA/WPA2, 424–425
vulnerability analysis phase, penetration testing, 559–560
vulnerability research, 21
vulnerability scanning, 129–130, 151–152

W
Wabbit virus, 229
WAITFOR DELAY command, blind SQL injection, 402
walls, securing physical area, 516–517
WAPs (wireless access points), hardening networks, 273
warballooning attacks, 426
warchalking, 426
warded locks, 513
wardialing, 131–132
wardriving attacks, 426, 429
warflying attacks, 426
warm sites, 27
warning banners, physical security via, 504–505
warranty, voiding via jailbreaking, 447
warwalking attacks, 426
WaveStumbler, 426
web applications, pentesting tools for Android, 453
web browsers
    preventing session hijacking, 352
    preventing social engineering, 294
    preventing threats, 294–295
    setting to use proxy, 154–155
    web applications based on, 363–364
web servers/applications
    Apache, 361–362
    client/server and, 364–365
    cloud technologies, 365–366
    cookies, 367–368
    databases linked to web applications, 395
    DoS attacks against, 308
    exploring client-server relationship, 360–361
    IIS, 362–363
    individuals interacting with, 360–361
    layers of web applications, 366–367
    methods of attacking, 375–384
    overview of, 360–361
    review, 384
    review answers, 540–541
    review questions, 385–388
    session hijacking, 336–337
    SQL injection and, 393–394
    testing web applications, 383–384
    vandalizing, 374–375
    variations of, 363–364
    web application components, 368–369
    web servers, 361–363
web servers/applications, common flaws/attack methods
    cross-site scripting, 376
    directory traversal attacks, 381–383
    encryption weaknesses, 380–381
    input validation, 375–376
    insecure logon systems, 377–378
    misconfiguration, 375
    protecting cookies, 379–380
    scripting errors, 378
    session management issues, 378–379
    unvalidated redirects and forwards, 376–377
web servers/applications, vulnerabilities
    banner grabbing, 373
    buffer overflow, 370–371
    DDoS attack, 371–372
    DoS attack, 371


    error messages, 374
    flawed web design, 369–370
    using ID Serve, 373–374
    vandalizing web servers, 374–375
web services, signature wrapping attacks on, 493
web-based attacks, on mobile devices, 441
webcams, footprinting location data, 113
websites
    footprinting public/restricted, 111–112
    spyware delivery via, 236
wefi tool, wireless traffic analysis, 429
well-known ports, 51–52
WEP (Wired Equivalent Privacy) encryption
    breaking, 419–420
    cracking with Kali Linux, 420–422
    defined, 417
    overview of, 418–419
    problems/vulnerabilities, 419
    RC4 algorithm in, 79
    risk mitigation, 425
white box pen tests, 15
white-box testing, 551
white-hat hackers, 9, 11
whitelists, thwarting SQL injection, 392, 404
whitespace, evading detection via liberal use of, 404
Whois tool, 119
WhoReadMe utility, 117
Wi-Fi
    authentication modes, 416–417
    at Data Link layer of OSI model, 45
    overview, 410–411
    as vulnerability in Mac OS X, 62
    wireless standards in use, 412–413
Wi-Fi, hacking
    authentication technologies, 418
    choosing right wireless card, 430–431
    fine print, 411–412
    locating wireless networks, 429–430
    mitigating WEP and WPA cracking, 425
    overview of, 410, 425
    preventing threats to, 295
    review, 433–434
    review answers, 542–543
    review questions, 435–437
    sniffing with Wireshark, 260–264
    SSID, 413
    terminology, 414
    understanding wireless networks, 410
    WEP encryption, 418–422
    wireless antennas, 414–416
    wireless encryption mechanisms, 417
    WPA encryption, 422–425
Wi-Fi, pentesting tools for Android, 453–454
Wi-Fi, threats
    ad hoc, 427
    client misassociation, 428
    honeyspot attacks, 428–429
    jamming attacks, 428
    MAC spoofing, 427
    misconfiguration, 428
    performing traffic analysis, 429–430
    promiscuous client, 428
    rogue access points, 426–427
    wardriving, 426
    ways to locate wireless networks, 429–430
WiFi Pineapple
    hardware tool for lab testing, 573
    as wireless honeyspot, 429
Wi-Fi Protected Access. See WPA (Wi-Fi Protected Access) encryption
WifiKill, pentesting Android, 453
Wifite, 424–425, 453
Wigle Wifi Wardriving, 429, 454
WikiLeaks, 307
windows, securing physical area, 517
Windows OS. See also Microsoft Windows OS
    creating virus in Notepad, 233
    disabling auditing in Security Log, 216
    enumeration, 163–167
    iPhone. See also mobile device security, 441
WinDump, sniffer, 259, 572
Wink, people search utility, 113
WinSSLMiM, 381
wire reinforced windows, 517
Wired Equivalent Privacy. See WEP (Wired Equivalent Privacy) encryption
wireless access points (WAPs), hardening networks, 273
wireless adapters, creating test setup, 568
wireless antennas, 414–416
wireless card
    breaking WEP, 420–421
    choosing right, 430–431
    in promiscuous client attacks, 428
    in wardriving attacks, 426


wireless connections, mobile device security issues, 447
wireless LANs (WLANs), accessing, 413
wireless networks. See Wi-Fi
wireless tools, for building lab, 572
Wireshark
    overview of, 260–264
    reading captured output of, 267–270
    as sniffer, 259, 572
    wireless traffic analysis, 430
Wit, Jan de, hacker, 5
WLANs (wireless LANs), accessing, 413
worms
    defined, 227
    first Internet, 5
    functions of computer, 235–236
    overview of, 234
    SQL Slammer worm, 234–235
    Stuxnet, 45
WPA (Wi-Fi Protected Access) encryption
    attacking, cracking, 424–425
    cracking, 422–424
    defined, 417
    overview of, 422
    risk mitigation, 425
WPA2 encryption
    attacking, cracking, 424–425
    defined, 417
    overview of, 424
    risk mitigation, 425
WPA2 Enterprise, 417, 424
WPA2-Personal, 424
WPScan, pentesting Android, 452–453
wrapper programs, distributing Trojans, 245–246

X
Xamarin Test Cloud, 496
Xmas tree scan, 136–137
XML (Extensible Markup Language), 493, 494
Xprobe, banner grabbing with, 150
XSS (cross-site scripting)
    application-level hijacking via, 339–340
    against cloud, 494
    against web server, 376

Y
Yagi (directional) antenna, 415
Yagi Antenna tool, 573

Z
Zabasearch, people search utility, 113, 297
Zanti (for mobile phones), 454, 570
Zenmap scanner, 571
zero day threat/vulnerability, 13
zeroization, cryptographic processes and, 508
Zimmermann, Philip, 93
Zombam.B, Trojan-creation tool, 243
zombies
    DDoS attack setup, 318–319
    performing idle scan, 142–143
zone transfers, DNS, 174–176
