Foreword Credits Preface Part I. Legal and Ethics 1. Legal and Ethics Issues 1.1 Core Issues 1.2 Computer Trespass Laws: No "Hacking" Allowed 1.

Transcription

1 Foreword Credits Preface Part I. Legal and Ethics 1. Legal and Ethics Issues 1.1 Core Issues 1.2 Computer Trespass Laws: No "Hacking" Allowed 1.3 Reverse Engineering 1.4 Vulnerability Reporting 1.5 What to Do from Now On Part II. Reconnaissance 2. Network Scanning 2.1 How Scanners Work 2.2 Superuser Privileges 2.3 Three Network Scanners to Consider 2.4 Host Discovery 2.5 Port Scanning 2.6 Specifying Custom Ports 2.7 Specifying Targets to Scan 2.8 Different Scan Types 2.9 Tuning the Scan Speed 2.10 Application Fingerprinting 2.11 Operating System Detection 2.12 Saving Nmap Output 2.13 Resuming Nmap Scans 2.14 Avoiding Detection 2.15 Conclusion 3. Vulnerability Scanning 3.1 Nessus 3.2 Nikto 3.3 WebInspect 4. LAN Reconnaissance 4.1 Mapping the LAN 4.2 Using ettercap and arpspoof on a Switched Network 4.3 Dealing with Static ARP Tables 4.4 Getting Information from the LAN 4.5 Manipulating Packet Data 5. Wireless Reconnaissance 5.1 Get the Right Wardriving Gear Network Basics Frames 5.4 How Wireless Discovery Tools Work 5.5 Netstumbler 5.6 Kismet at a Glance 5.7 Using Kismet 5.8 Sorting the Kismet Network List 5.9 Using Network Groups with Kismet 5.10 Using Kismet to Find Networks by Probe Requests 5.11 Kismet GPS Support Using gpsd 5.12 Looking Closer at Traffic with Kismet 5.13 Capturing Packets and Decrypting Traffic with Kismet

2 5.14 Wireshark at a Glance 5.15 Using Wireshark 5.16 AirDefense Mobile 5.17 AirMagnet Analyzers 5.18 Other Wardriving Tools 6. Custom Packet Generation 6.1 Why Create Custom Packets? 6.2 Hping 6.3 Scapy 6.4 Packet-Crafting Examples with Scapy 6.5 Packet Mangling with Netfilter 6.6 References Part III. Penetration 7. Metasploit 7.1 Metasploit Interfaces 7.2 Updating Metasploit 7.3 Choosing an Exploit 7.4 Choosing a Payload 7.5 Setting Options 7.6 Running an Exploit 7.7 Managing Sessions and Jobs 7.8 The Meterpreter 7.9 Security Device Evasion 7.10 Sample Evasion Output 7.11 Evasion Using NOPs and Encoders 7.12 In Conclusion 8. Wireless Penetration 8.1 WEP and WPA Encryption 8.2 Aircrack 8.3 Installing Aircrack-ng 8.4 Running Aircrack-ng 8.5 Airpwn 8.6 Basic Airpwn Usage 8.7 Airpwn Configuration Files 8.8 Using Airpwn on WEP-Encrypted Networks 8.9 Scripting with Airpwn 8.10 Karma 8.11 Conclusion 9. Exploitation Framework Applications 9.1 Task Overview 9.2 Core Impact Overview 9.3 Network Reconnaissance with Core Impact 9.4 Core Impact Exploit Search Engine 9.5 Running an Exploit 9.6 Running Macros 9.7 Bouncing Off an Installed Agent 9.8 Enabling an Agent to Survive a Reboot 9.9 Mass Scale Exploitation 9.10 Writing Modules for Core Impact 9.11 The Canvas Exploit Framework 9.12 Porting Exploits Within Canvas

3 9.13 Using Canvas from the Command Line 9.14 Digging Deeper with Canvas 9.15 Advanced Exploitation with MOSDEF 9.16 Writing Exploits for Canvas 9.17 Exploiting Alternative Tools 10. Custom Exploitation 10.1 Understanding Vulnerabilities 10.2 Analyzing Shellcode 10.3 Testing Shellcode 10.4 Creating Shellcode 10.5 Disguising Shellcode 10.6 Execution Flow Hijacking 10.7 References Part IV. Control 11. Backdoors 11.1 Choosing a Backdoor 11.2 VNC 11.3 Creating and Packaging a VNC Backdoor 11.4 Connecting to and Removing the VNC Backdoor 11.5 Back Orifice Configuring a BO2k Server 11.7 Configuring a BO2k Client 11.8 Adding New Servers to the BO2k Workspace 11.9 Using the BO2k Backdoor BO2k Powertools Encryption for BO2k Communications Concealing the BO2k Protocol Removing BO2k A Few Unix Backdoors 12. Rootkits 12.1 Windows Rootkit: Hacker Defender 12.2 Linux Rootkit: Adore-ng 12.3 Detecting Rootkits Techniques 12.4 Windows Rootkit Detectors 12.5 Linux Rootkit Detectors 12.6 Cleaning an Infected System 12.7 The Future of Rootkits Part V. Defense 13. Proactive Defense: Firewalls 13.1 Firewall Basics 13.2 Network Address Translation 13.3 Securing BSD Systems with ipfw/natd 13.4 Securing GNU/Linux Systems with netfilter/iptables 13.5 Securing Windows Systems with Windows Firewall/Internet Connection Sharing 13.6 Verifying Your Coverage 14. Host Hardening 14.1 Controlling Services 14.2 Turning Off What You Do Not Need 14.3 Limiting Access 14.4 Limiting Damage 14.5 Bastille Linux

4 14.6 SELinux 14.7 Password Cracking 14.8 Chrooting 14.9 Sandboxing with OS Virtualization 15. Securing Communications 15.1 The SSH-2 Protocol 15.2 SSH Configuration 15.3 SSH Authentication 15.4 SSH Shortcomings 15.5 SSH Troubleshooting 15.6 Remote File Access with SSH 15.7 SSH Advanced Use 15.8 Using SSH Under Windows 15.9 File and Signing and Encryption GPG Create Your GPG Keys Encryption and Signature with GPG PGP Versus GPG Compatibility Encryption and Signature with S/MIME Stunnel Disk Encryption Windows Filesystem Encryption with PGP Disk Linux Filesystem Encryption with LUKS Conclusion 16. Security and Anti-Spam 16.1 Norton Antivirus 16.2 The ClamAV Project 16.3 ClamWin 16.4 Freshclam 16.5 Clamscan 16.6 clamd and clamdscan 16.7 ClamAV Virus Signatures 16.8 Procmail 16.9 Basic Procmail Rules Advanced Procmail Rules ClamAV with Procmail Unsolicited Spam Filtering with Bayesian Filters SpamAssassin SpamAssassin Rules Plug-ins for SpamAssassin SpamAssassin with Procmail Anti-Phishing Tools Conclusion 17. Device Security Testing 17.1 Replay Traffic with Tcpreplay 17.2 Traffic IQ Pro 17.3 ISIC Suite 17.4 Protos Part VI. Monitoring 18. Network Capture

5 18.1 tcpdump 18.2 Ethereal/Wireshark 18.3 pcap Utilities: tcpflow and Netdude 18.4 Python/Scapy Script Fixes Checksums 18.5 Conclusion 19. Network Monitoring 19.1 Snort 19.2 Implementing Snort 19.3 Honeypot Monitoring 19.4 Gluing the Stuff Together 20. Host Monitoring 20.1 Using File Integrity Checkers 20.2 File Integrity Hashing 20.3 The Do-It-Yourself Way with rpmverify 20.4 Comparing File Integrity Checkers 20.5 Prepping the Environment for Samhain and Tripwire 20.6 Database Initialization with Samhain and Tripwire 20.7 Securing the Baseline Storage with Samhain and Tripwire 20.8 Running Filesystem Checks with Samhain and Tripwire 20.9 Managing File Changes and Updating Storage Database with Samhain and Tripwire Recognizing Malicious Activity with Samhain and Tripwire Log Monitoring with Logwatch Improving Logwatch's Filters Host Monitoring in Large Environments with Prelude-IDS Conclusion Part VII. Discovery 21. Forensics 21.1 Netstat 21.2 The Forensic ToolKit 21.3 Sysinternals 22. Application Fuzzing 22.1 Which Fuzzer to Use 22.2 Different Types of Fuzzers for Different Tasks 22.3 Writing a Fuzzer with Spike 22.4 The Spike API 22.5 File-Fuzzing Apps 22.6 Fuzzing Web Applications 22.7 Configuring WebProxy 22.8 Automatic Fuzzing with WebInspect 22.9 Next-Generation Fuzzing Fuzzing or Not Fuzzing 23. Binary Reverse Engineering 23.1 Interactive Disassembler 23.2 Sysinternals 23.3 OllyDbg 23.4 Other Tools Index