Penetration Tester's Open Source Toolkit
Third Edition

Jeremy Faircloth
Neil Fryer, Technical Editor

AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO SINGAPORE SYDNEY TOKYO

SYNGRESS
Syngress is an imprint of Elsevier
Contents

Acknowledgments  xiii
Introduction  xv
About the Author  xxi
About the Technical Editor  xxi

CHAPTER 1 Tools of the Trade  1
  1.1 Objectives  1
  1.2 Approach  2
  1.3 Core technologies  4
    1.3.1 LiveCDs  4
    1.3.2 ISO images  6
    1.3.3 Bootable USB drives  6
    1.3.4 Creating a persistent LiveCD  8
  1.4 Open source tools  9
    1.4.1 Tools for building LiveCDs  9
    1.4.2 Penetration testing toolkits  12
    1.4.3 Penetration testing targets  20
  1.5 Case study: the tools in action  23
  1.6 Hands-on challenge  27
  Summary  27
  Endnote  28

CHAPTER 2 Reconnaissance  29
  2.1 Objective  30
  2.2 A methodology for reconnaissance  32
  2.3 Intelligence gathering  33
    2.3.1 Core technologies  34
    2.3.2 Approach  36
    2.3.3 Open source tools  40
    2.3.4 Intelligence gathering summary  49
  2.4 Footprinting  49
    2.4.1 Core technologies  49
    2.4.2 Approach  55
    2.4.3 Open source tools  59
    2.4.4 Footprinting summary  67
  2.5 Human recon  67
    2.5.1 Core technologies  68
    2.5.2 Open source tools  71
    2.5.3 Human recon summary  74
  2.6 Verification  74
    2.6.1 Core technologies  74
    2.6.2 Approach  76
    2.6.3 Open source tools  82
    2.6.4 Verification summary  84
  2.7 Case study: the tools in action  85
    2.7.1 Intelligence gathering, footprinting, and verification of an Internet-connected network  85
    2.7.2 Case study summary  92
  2.8 Hands-on challenge  92
  Summary  93
  Endnotes  93

CHAPTER 3 Scanning and Enumeration  95
  3.1 Objectives  95
    3.1.1 Before you start  96
    3.1.2 Why do scanning and enumeration?  96
  3.2 Scanning  97
    3.2.1 Approach  97
    3.2.2 Core technology  98
    3.2.3 Open source tools  101
  3.3 Enumeration  110
    3.3.1 Approach  110
    3.3.2 Core technology  111
    3.3.3 Open source tools  115
  3.4 Case studies: the tools in action  128
    3.4.1 External  129
    3.4.2 Internal  131
    3.4.3 Stealthy  134
    3.4.4 Noisy (IDS) testing  136
  3.5 Hands-on challenge  138
  Summary  138

CHAPTER 4 Client-Side Attacks and Human Weaknesses  141
  4.1 Objective  141
  4.2 Phishing  142
    4.2.1 Approaches  142
    4.2.2 Core technologies  146
    4.2.3 Open source tools  150
  4.3 Social network attacks  156
    4.3.1 Approach  156
    4.3.2 Core technologies  161
    4.3.3 Open source tools  164
  4.4 Custom malware  170
    4.4.1 Approach  170
    4.4.2 Core technologies  172
    4.4.3 Open source tools  175
  4.5 Case study: the tools in action  181
  4.6 Hands-on challenge  187
  Summary  187
  Endnote  188

CHAPTER 5 Hacking Database Services  189
  5.1 Objective  189
  5.2 Core technologies  190
    5.2.1 Basic terminology  190
    5.2.2 Database installation  191
    5.2.3 Communication  193
    5.2.4 Resources and auditing  193
  5.3 Microsoft SQL Server  194
    5.3.1 Microsoft SQL Server users  194
    5.3.2 SQL Server roles and permissions  195
    5.3.3 SQL Server stored procedures  195
    5.3.4 Open source tools  196
  5.4 Oracle database management system  202
    5.4.1 Oracle users  202
    5.4.2 Oracle roles and privileges  204
    5.4.3 Oracle stored procedures  204
    5.4.4 Open source tools  204
  5.5 Case study: the tools in action  212
  5.6 Hands-on challenge  215
  Summary  216

CHAPTER 6 Web Server and Web Application Testing  219
  6.1 Objective  219
    6.1.1 Web server vulnerabilities: a short history  220
    6.1.2 Web applications: the new challenge  221
  6.2 Approach  221
    6.2.1 Web server testing  222
    6.2.2 CGI and default pages testing  223
    6.2.3 Web application testing  224
  6.3 Core technologies  224
    6.3.1 Web server exploit basics  225
    6.3.2 CGI and default page exploitation  230
    6.3.3 Web application assessment  231
  6.4 Open source tools  233
    6.4.1 WAFW00F  234
    6.4.2 Nikto  236
    6.4.3 Grendel-Scan  238
    6.4.4 fimap  241
    6.4.5 SQLiX  243
    6.4.6 sqlmap  245
    6.4.7 DirBuster  245
  6.5 Case study: the tools in action  247
  6.6 Hands-on challenge  255
  Summary  256
  Endnote  257

CHAPTER 7 Network Devices  259
  7.1 Objectives  259
  7.2 Approach  260
  7.3 Core technologies  260
    7.3.1 Switches  261
    7.3.2 Routers  264
    7.3.3 Firewalls  265
    7.3.4 IPv6  266
  7.4 Open source tools  267
    7.4.1 Footprinting tools  267
    7.4.2 Scanning tools  271
    7.4.3 Enumeration tools  276
    7.4.4 Exploitation tools  276
  7.5 Case study: the tools in action  284
  7.6 Hands-on challenge  289
  Summary  290

CHAPTER 8 Enterprise Application Testing  291
  8.1 Objective  291
  8.2 Core technologies  292
    8.2.1 What is an enterprise application?  292
    8.2.2 Multi-tier architecture  293
    8.2.3 Integrations  295
  8.3 Approach  296
  8.4 Open source tools  300
    8.4.1 Nmap  300
    8.4.2 Netstat  301
    8.4.3 sapyto  303
    8.4.4 soapui  306
    8.4.5 Metasploit  313
  8.5 Case study: the tools in action  313
  8.6 Hands-on challenge  317
  Summary  318

CHAPTER 9 Wireless Penetration Testing  319
  9.1 Objective  319
  9.2 Approach  320
  9.3 Core technologies  321
    9.3.1 Understanding WLAN vulnerabilities  321
    9.3.2 Evolution of WLAN vulnerabilities  322
    9.3.3 Wireless penetration testing tools  324
  9.4 Open source tools  332
    9.4.1 Information-gathering tools  332
    9.4.2 Footprinting tools  338
    9.4.3 Enumeration tool  342
    9.4.4 Vulnerability assessment tool  342
    9.4.5 Exploitation tools  343
    9.4.6 Bluetooth vulnerabilities  362
  9.5 Case study: the tools in action  367
  9.6 Hands-on challenge  369
  Summary  370

CHAPTER 10 Building Penetration Test Labs  371
  10.1 Objectives  372
  10.2 Approach  372
    10.2.1 Designing your lab  372
    10.2.2 Building your lab  385
    10.2.3 Running your lab  388
  10.3 Core technologies  390
    10.3.1 Defining virtualization  391
    10.3.2 Virtualization and penetration testing  391
    10.3.3 Virtualization architecture  392
  10.4 Open source tools  394
    10.4.1 Xen  394
    10.4.2 VirtualBox  395
    10.4.3 GNS3/Dynagen/Dynamips  395
    10.4.4 Other tools  396
  10.5 Case study: the tools in action  397
  10.6 Hands-on challenge  400
  Summary  401

Index  403