copyrighted material ios devices, mitigating mac flooding, 274 cli (command-line interface),...

bindex.indd 04/0½ 016 Page 575

Numbers007Shell, covert channel exploits, 2483DES (Triple DES) encryption, 78–79, 883G hot spots, 4124G hot spots, 412802.11. See Wi-Fi802.11i, 418802.3 (Ethernet), 45

Aaccess control

Android OS, 444–446Apple iOS, 446cloud computing, 495mobile device, 442–443physical. See physical security

access control lists (ACLs), 381, 470access points

broadcasting SSID, 413client misassociation attacks on, 428honeyspot attacks on, 428–429misconfiguration problem with, 428rogue access point attacks, 426–427wireless antennas and, 414–415wireless network, 411–412

account hijacking, cloud security threat, 490ACK flag, 134–135, 136–137ACK scanning, 143–144ACK sequence numbers, TCP/IP session hijacking,

344ACK tunneling, defying detection by firewall, 479AckCmd, 248, 479ACLs (access control lists), 381, 470active fingerprinting, of OS, 146–147active information gathering, footprinting, 106active online attacks, 198–199, 202–203active session hijacking attacks, 335–336active sniffing, 256

active wireless network attacks, 425ad hoc attacks, on Wi-Fi, 427administrator accounts, Windows OS, 60–61,

163–164administrators

application, 361server and network, 360

ADS (Alternate Data Streams), covering tracks, 216–217

adware, 227, 237AES (Advanced Encryption Standard), 79AES-256 encryption, Apple iOS, 446AH (Authentication Header), IPSec, 90aircrack-ng

breaking WEP, 420–421brute-force attacks, 425wireless tool for lab testing, 572

aireplay-ng, 420AirMagnet, 430AirMon, 453AirPcap

breaking WEP, 421–422hardware tool for lab testing, 573sniffing wireless networks, 260

algorithmsasymmetric, 80–86cryptography and, 77symmetric, 77–79types of hashing, 87

ALog reader, pentesting Android, 453alteration, breaking CIA triad, 16Alternate Data Streams (ADS), covering tracks,

216–217alternate sites, business continuity/disaster

recovery, 27–28Amitis, Trojan-creation tool, 243analysis and tracking phase, incident response, 24AnDOSid, pentesting Android, 451Android OS

with 83 percent of market share, 441common problems, 447–448countermeasures, 454–455

Index

COPYRIG

HTED M

ATERIAL


576 Android runtime (ART) – authentication

customized versions of, 445–446design of, 444–446overview of, 443–444pentesting, 450–454storage encryption on, 442vulnerabilities, 62

Android runtime (ART), 445Android Updates, 445Angry IP Scanner, 570Anna Kournikova computer worm, 5, 291anomaly-based IDS, 464–465anonymity, pentesting Android, 454Anonymous hacking group, 6, 8Anonymous logon group, Windows, 165antennas, wireless, 414–416antimalware applications

DoS/DDoS protection, 323installing for lab testing, 569mobile device countermeasures, 455

antivirus applicationsinstalling for lab testing, 569Phatbot terminating, 243polymorphic/metamorphic viruses

unidentifiable to, 230virus detection and elimination, 229web browser integration with, 295

AOKP (Android Open Kang Project), 445Apache Server, 361–362, 367App Scanner, pentesting Android, 452Apple iOS

with 14 percent of market share, 441common problems, 447–448countermeasures, 454–455overview of, 446–447

Apple iOS vs. Android, application provenance, 446

application administrators, 361application content, web applications, 369application developers, web applications, 361Application layer, OSI model

overview of, 46session hijacking at, 334SNMP functioning at, 178

application proxy firewalls, 56, 58–59application services, Android OS, 445application-level attacks, 310–314application-level firewalls, 469application-level hijacking

cross-site scripting, 338–341man-in-the-browser attacks, 338

man-in-the-middle attacks, 338predicting session tokens, 338session fixation attacks, 341session sniffing, 337web apps, 336–337

applicationsexecuting, 213–217mobile device countermeasures, 455security testing of, 554session hijacking and web, 336–337sources of Android OS, 445tools for building lab, 570–571web. See web servers/applications

AppThwack, testing security in cloud, 496architecture, cloud security controls, 494–495archived copies of website, footprinting, 110Archive.org, 110archiving, 63–64ARP (Address Resolution Protocol) requests, and

MAC addresses, 55ARP poisoning

overview of, 343pentesting mobile devices with, 450preventing, 273sniffing switched networks, 271–272

ART (Android runtime), 445AS (authentication server), Kerberos, 211–212Assange, Julian, 307association, defined, 414asymmetric (public key) cryptography

authenticating certificate, 83building PKI structure, 85–86how it works, 81–82how you know who owns key, 82–83overview of, 80–81PKI system, 83–85

attacksdefined, 13threats. See threats

attributes, protecting cookie, 379–380auditing, disabling to cover tracks, 215–216auditpol command, disabling auditing, 216authentication

biometric, 515–516certificate, 83cryptography for, 75–76as defense against session hijacking, 352on Microsoft platforms, 209–213multifactor, 198with SNMPv3, 178


Authentication Header (AH) – brute-force attacks 577

technologies, 418web application, 368wireless modes of, 416–417

Authentication Header (AH), IPSec, 90authentication server (AS), Kerberos, 211–212authorization, before pen testing, 556–557automated penetration testing, vs. manual,

561–562availability

balancing security with, 308breaking CIA triad, 16cloud security controls, 495preserving CIA triad, 15–16

awareness, as line of defense, 519

BB0CK, exploiting covert channels, 248Back Orifice 2000 (BO2K), 243–246backdoors

attacker access via, 246–247executing applications via, 213–214planting, 214–215, 561system administrators using, 287

back-end resources, DoS attacks on, 308backups

business continuity/disaster recovery via, 28overview of, 63–64securing, 519

bandwidthdefined, 414protecting from DoS/DDoS attacks, 323wireless networks and, 411

banner grabbingcountermeasures to, 151identifying services running on ports, 470overview of, 149–151as web server/application vulnerability, 373

basic service set identification (BSSID), 414, 423bastion host, firewall configuration, 468bat2com, creating viruses, 233batch execution, in SQL injection attacks, 392batch group, Windows, 165BCP (business continuity plan), 26–29Beast, Trojan-creation tool, 243BeEF (Browser Exploitation Framework),

200–201best evidence, defined, 30best practices, reporting security incident, 32

binary conversion, vs. hexadecimal, 49–50biometrics, 515–516black box pen tests, 14–15black hole filtering, 324Blackberry. See also mobile device security, 441black-box testing, 551black-hat hackers, 9, 11blacklists, 392, 404BlazeMeter, 496blind hijacking, 341, 345blind SQL injection, 401–402, 403blind testing, 552blocked scans, 144Blowfish, 79bluejacking attack, 433Bluepot, 433Bluesnarfer tool, 572bluesnarfing attack, 433Bluetooth, creating test setup, 568Bluetooth, hacking. See also Wi-Fi, hacking

current developments in, 4overview of, 431–432threats, 432–433as vulnerability in Mac OS X, 62

BO2K (Back Orifice 2000), 243–246bollards, protecting facilities, 517, 518boot-sector (or system) viruses, 229, 230Botbyl, Adam, hacker, 5botnets

DDoS attacks and, 318defensive strategies, 323–324rental of, 307tools for creating, 318–319

bots, 318bricked systems, caused by phlashing, 310bring your own device (BYOD), problems with,

440–441, 448–449broad network access, cloud computing, 487broadcast domains, 55browser defects, spyware delivery via, 236Browser Exploitation Framework (BeEF), 200–201browser-based web applications, 363–364brute-force attacks

on cryptographic systems, 88on directory services, 162in exploitation phase, 560in password cracking, 198on session ID in session hijacking, 333in syllable attacks, 198on WPA/WPA2 keys, 425


578 Brutus – cold sites

Brutus, password cracking with, 377–378, 571BSSID (basic service set identification), 414, 423buffer overflow attacks

as DoS attacks, 314heap and stack, 314–315NOP sled, 317smashing stack, 315–316on web servers/applications, 370–371

building a lab. See lab, buildingBurp Suite

man-in-the middle attacks, 200–201pentesting Android, 453testing web applications, 383

bus topology, 40–41business closure, from social engineering, 286business continuity plan (BCP), 26–29BusinessWire, competitive analysis data, 117BYOD (bring your own device), problems with,

440–441, 448–449

CC functions, buffer overflow vulnerability, 314C2DM (cloud-to device messaging), Android OS,

445cabling

at Physical layer of OSI model, 45protecting server rooms, 518

Cain & Abelbreaking WEP, 420sniffer tool for lab testing, 572

CAM tables, and MAC flooding, 270–271, 274–275

cameras, physical security, 517, 518CAN-SPAM Act, 227capture button, sniffers, 257CAs (certificate authorities), 82–85case locks, 519Catch Me If You Can movie, social engineering

in, 285categories, malware, 227–228cavity (file-writing) viruses, 231CCTV Scanner, pentesting Android, 452CEH credential, Code of Conduct and Ethics,

11–12ceiling, securing physical area, 516–517CER (crossover error rate), biometric accuracy,

515certificate authorities (CAs), 82–85

chain of custody, evidence, 30–31Check Point FireWall-1, 470choke points

firewall services at, 467gates as physical, 511

chosen plaintext/cipher-text attacks, oncryptographic systems, 89

CIA (confidentiality, integrity, and availability) triad, 15–17

cipher locks, physical access control, 513cipher text

in asymmetric algorithms, 80how cryptography works, 77PKI system, 83–85in symmetric algorithms, 77

ciphers, weaknesses in web applications, 380cipher-text-only attacks, on cryptographic

systems, 89circuit-level gateway firewall, 469circumstantial evidence, 30Cisco IOS devices, mitigating MAC flooding, 274CLI (command-line interface), Wireshark tools

using, 264client misassociation attack, on Wi-Fi, 428client-based web applications, 364clients, DoS attacks against specific, 308client-server relationship, 360–361, 364–365client-side technologies, 365, 394climate control, server rooms, 518cloud technologies

Android OS, 445cloud computing attacks, 490–494controls, 494–495forms of cloud services, 488–489overview of, 365–366, 486review, 496–497review answers, 546–547review questions, 498–500testing, 495–496threats, 489–490types of cloud solutions, 487–488understanding, 486–487understanding cloud computing, 485–487

cloud-to device messaging (C2DM), Android OS,445

cluster viruses, 231CNBC, competitive analysis data via, 117code injection, session fixation attack, 341Code of Ethics, 11–12, 33cold sites, 27

bindex.indd 04/0½ 016 79

collision domains – cryptography 579

collision domains, 55columns, database, 395command injection, in session hijacking, 334command-line interface (CLI), Wireshark tools

using, 264communication channels, disaster and

recovery, 29community cloud, 488CommView, wireless traffic analysis, 430companion (camouflage) viruses, 231competitive analysis, in footprinting, 118–119complex passwords, risk mitigation for WEP/

WPA, 425compliance, cloud security controls, 495components

Android OS, 444–446web application, 367–368

computer crimecollecting evidence. See evidence collectionincident response for. See incident response

con artists, social engineers as, 283concatenating strings of texts, evading detection

via, 404conclusive evidence, 30confidentiality

CIA triad and, 15–16Code of Ethics for, 11ethical hacker responsibility for, 10, 13as primary goal of encryption, 75

construction kits, Trojan, 246contactless cards, securing physical area, 515contacts, social networking countermeasures,

292containment phase, incident response, 24contracts

contents of, 555–556ethical hacker responsibility for, 9–10getting help of lawyer, 10before starting testing activities, 13

controlscloud security, 494–495defense in depth, 520physical security, 503–505

convenience vs. security analysis, 14cookies

protecting, 379safely using, 367–368session hijacking and, 337web server/application session management

issues, 379

corroborative evidence, 30counterfeit devices, as Android OS

vulnerability, 62countermeasures

banner grabbing, 151identity theft, 297–298mobile device security, 454–455social networking, 291–293

covering your tracksAlternate Data Streams, 216–217data hiding, 216disabling auditing, 215–216in hacking process, 18overview of, 215

covert channelsdefined, 239tools to exploit, 247–248Trojans as biggest users of, 247

crackers, executing applications via, 214CRC32 (Cyclic Redundancy Check), WEP

vulnerability, 419Creator group, Windows, 165Creator owner group, Windows, 165credentials, threats to cloud security, 490credit card information, hacking of, 5, 296Creeper project, virus, 228crossover error rate (CER), biometric accuracy,

515cross-site request forgery (CSRF), against cloud,

491–492cross-site scripting. See XSS (cross-site scripting)crying wolf, defying detection by IDS, 476cryptanalysis

attacks against cloud, 494defined, 73

Cryptcat, tool for lab testing, 571cryptography

applications of, 89–94applied, 76asymmetric. See asymmetric (public key)

cryptographyencryption and, 73evolution of, 75–76hashing, 86–88history of, 73–75how it works, 77issues with, 88–89overview of, 72–73review, 94review answers, 528–529


580 cryptoviruses – differential backups

review questions, 95–97symmetric, 77–79

cryptoviruses, 232CSRF (cross-site request forgery), against cloud,

491–492customized Android versions, 445CyanogenMod, Android, 446cybercrime

current developments in, 4–5DoS attacks, 307famous hacks over time, 5–6generic examples of, 6–7

Ddaisy chaining, 13Dalvik virtual machine, Android, 444–445DameWare, planting backdoors, 214–215Dark Dante (Kevin Lee Poulsen), hacker, 5data

altering with SQL injection attack, 399–401breach attacks on cloud, 489–490covering tracks by hiding, 216executing blind SQL injection, 401–402loss, as threat to cloud security, 490loss, on mobile devices, 442storage security, 506–507theft on mobile devices, 442web application access, 369

Data Definition Language (DDL), Beastusing, 243

Data Encryption Standard (DES), 78, 88Data layer, web applications, 366Data Link layer, OSI model, 45, 54–55data sending Trojans, 240data store, web applications, 369databases

altering data with SQL injection attack,399–401

information gathering in SQL injection attack, 402–403

locating on network, 396overview of, 394–395protecting with IDS, 403server password cracking, 396

data-diddling, as cybercrime, 7DDL (Data Definition Language), Beast

using, 243

DDoS (distributed denial-of-service) attacksagainst cloud, 490, 494as cybercrime, 7overview of, 317–319tools, 320–322web servers/applications vulnerable to, 371

deauthentication attack, on WPA/WPA2, 424–425

debriefing and feedback phase, incident response, 24

decimal, hex/binary vs., 50decision-making, reporting security incident, 32decoys, honeypots as, 473–474defacement, website, 374–375default passwords

avoiding, 405obtaining, 207obtaining information through, 162

default scripts, causing attacks, 378defense in depth

physical security and, 519session hijacking protection, 352

defensive strategies, DoS, 323–324degaussing, hard drives/magnetic media, 508–509deliverables, in contract content, 556demilitarized zone (DMZ)

firewall configuration, 468–469honeypots as decoys in, 473–474

Department of Energy (DoE), SQL injection attack on, 391

DES (Data Encryption Standard), 78, 88descynchronizing connections, 343design

Android OS, 444–446cloud security controls, 494–495flawed web server/application, 369–370viruses, 228vulnerabilities of web servers/applications,

369–370destructive Trojans, 240detection

difficulty of social engineering, 283viruses and, 229

Dev@Cloud, 496developers, Android OS security and, 443device drivers, authentication of, 76devices, network, 53–55dial-up, as backup to existing technologies, 131dictionary attacks, 198differential backups, 63


dig command – dumpster diving 581

dig command, 175–176digital certificates, 83, 86digital rights management (DRM), 446–447digital signatures

in asymmetric cryptography, 81–83creating with digital certificates, 86creating/verifying with hash function, 81–82mobile device security via, 442

digital trespassing, as cybercrime, 6direct evidence, 30directional (Yagi) antenna, 415directory services

brute-force attacks on, 162and LDAP enumeration, 182–183

directory traversal attacks, web servers,381–383

DirecTV dish, 416disaster recovery plan (DRP), 26–29disclosure

breaking CIA triad, 16Code of Ethics for, 11

discoverable mode, Bluetooth, 431Dish Network dish, 416disruption (loss), breaking CIA triad, 16distributed computing, SETI programs, 206distributed databases, 395distributed denial-of-service attacks. See DDoS

(distributed denial-of-service) attacksDistributed Network Attack (DNA), password

cracking, 205–206DMZ (demilitarized zone)

firewall configuration, 468–469honeypots as decoys in, 473–474

DNA (Distributed Network Attack), password cracking, 205–206

DNS (Domain Name System)attacks against cloud, 494overview of, 53querying with nslookup, 119–120TCP 53 port for, 169UDP 53 port for, 169working with zone transfers, 162

DNS spoofing, 343, 351–352documentation, planning disaster and recovery,

29DoE (Department of Energy), SQL injection

attack on, 391Domain attribute, cookies, 380Domain Name System. See DNS (Domain Name

System)

DoS (denial-of-service) attacks. See also DDoS (distributed denial-of-service) attacks

in active session hijacking, 335against cloud, 490, 494as cybercrime, 7defensive strategies, 323–324defying detection by IDS, 475jamming attacks on WLANs, 428overview of, 306, 371pentesting Android, 451–452pen-testing considerations, 324review, 324–325review answers, 537–538review questions, 326–329targets, 308tools for, 319–320understanding, 306–308WEP vulnerability to, 419

DoS (denial-of-service) attacks, types ofapplication-level, 310buffer overflow, 314–317fraggle, 310ICMP flood, 309land, 310permanent DoS, 310ping of death, 309–310service request floods, 308smurf, 310SYN attack/floods, 309, 311–314teardrop, 310

DoSHTTP, DoS tool, 319double-blind testing, 552drivers, installing for lab testing, 569drives

disabling for protection, 519encrypting, 506–507wiping, 508

DRM (digital rights management), 446–447DroidSheep, pentesting Android, 451DroidSQLi, pentesting Android, 453Dropbox, as cloud computing, 487dropboxes, breaching wireless networks with, 427DRP (disaster recovery plan), 26–29Dsniff, sniffer, 259dSploit Scripts, pentesting Android suites, 454due diligence, cloud security and, 491DumpSec, enumeration tool for lab testing, 571dumpster diving

as cybercrime, 7preventing, 294


582 duration – ethical hacking

social engineering via, 121thwarting for discarded media, 508

duration, penetration test, 555dynamic content, in cross-site scripting, 339–341dynamic pages, in directory traversal attacks, 382dynamic ports, 51dynamic SQL, thwarting SQL injection, 404

EEAP wireless authentication, 418Easy Packet Blaster, pentesting Android, 451eavesdropping, social engineering and, 120, 293ECCouncil (International Council of Electronic

Commerce Consultants), 10, 11–12Echosec, social engineering via, 115–116, 292e-commerce, cryptography in, 75economic loss, from social engineering, 285EDGAR (Electronic Data-Gathering, Analysis,

and Retrieval) system, 117education, as line of defense, 519egress filtering, as DoS/DDoS prevention, 323Egyptian hieroglyphics, 74–75EIP (Extended Instruction Pointer) value, 315–317Electronic Data-Gathering, Analysis, and

Retrieval (EDGAR) system, 117elimination, virus, 229EliteWrap, distributing Trojans, 246Elk Cloner virus, 229email

cloud computing for, 487in footprinting process, 117–118law enforcement agencies and sniffing, 258performing enumeration on, 162SNMP enumeration, 184–186in social engineering via phishing, 120–121spyware delivery via attachments, 236

embezzlement, as cybercrime, 7employee profile, gathering job posting data, 117Encapsulating Security Payload (ESP), IPSec, 90encryption

in Apple iOS, 446cryptography and, 73as defense against session hijacking, 352defying detection by IDS, 477Egyptian hieroglyphics, 74–75mandating by law, 507physically securing drives, 506–508weaknesses in web applications, 380

encryption, wirelessmethods of, 417mobile device, 442, 505–506mobile device countermeasures, 455protocols, 417risk mitigation for WEP/WPA, 425WEP, 418–422WPA, 422–425

encryption viruses, 230, 231entryways, protecting, 517–518enum4linux command, 181–182enumeration

in hacking process, 17–18LDAP and directory service, 182–184Linux, 180–182NTP, 184review, 187–188review answers, 532review questions, 189–191as second phase of ethical hacking, 101–102SMTP, 184–186SNMP, 178–180tools for building lab, 571understanding, 161–163Unix, 180–182in vulnerability analysis phase, 559Windows, 163–167

error messagesacquiring target in SQL injection attacks via,

398extracting information from, 403suppressing detailed, 374, 402thwarting SQL injection by disabling, 405in web servers and applications, 374

escalation of privilege, in hacking process, 18ESP (Encapsulating Security Payload),

IPSec, 90EssentialNetTools, TamoSoft, 186/etc/passwd file, Linux user account, 168EtherApe, sniffer, 260ethical hacking, introduction to

business continuity plans, 26–28chain of custody, 30–31code of conduct and ethics, 11conflicting views about hackers, 3current developments, 4–5early days of hacking, 3–4ethics and the law, 33–34evidence types, 29–30evidence-collection techniques, 29


evasion – firewalking 583

evolution and growth of, 7–8exam objectives, 1as fun vs. criminal activity, 5–7hacking methodologies, 17–21incident response, 21–26overview of, 2–3penetration testing, 11–17recovering from security incident, 31–32recovering systems, 28–29reporting security incident, 32–33responsibilities of, 9–11review, 34–35review answers, 526–527review questions, 36–38role of ethical hacker, 9rules of evidence, 31steps of, 100–102types of hackers, 9vulnerability research and tools, 21

evasionfirewalls. See firewallshoneypots, 473–474IDS, 462–466, 475–477overview of, 462review, 480–481review answers, 544–546review questions, 482–484testing firewalls, 479–480testing IDS, 480

event-viewing tools, lab testing, 572Everyone group, Windows, 165evidence collection, 29–31evolution, of hacking, 4–8executive level report, on security incident, 33executives, as targets of social engineers, 286Expires attribute, cookies, 380exploitation

pentesting mobile devices, 450phase of penetration testing, 560post-exploitation phase, 560–561

exploits, defined, 13EXPN command, SMTP enumeration,

185–186Extended Instruction Pointer (EIP) value,

315–317Extensible Markup Language (XML), 493, 494extensions, signs of host system intrusions, 466exterior, building for physical defense, 520external factors, and reports, 562–563extortion, DoS attacks for, 307

FFacebook

gathering information using, 288–289people search utility, 297social engineering via, 114

FaceNiff, pentesting Android, 451Fakegina keylogger, 248false ceilings, securing physical area, 516false rejection rate (FRR), biometric accuracy, 515false walls, securing physical area, 516FAR (false acceptance rate), biometric accuracy,

515fault tolerance, business continuity/disaster

recovery, 27FDDI (Fiber Distributed Data Interface), ring

topology, 42Federal Information Security Management Act

(FISMA), 2002, 34fences, securing physical area, 511Fiber Distributed Data Interface (FDDI), ring

topology, 42file (multipartite) viruses, 230, 232file integrity checker, 463File Transfer Protocol. See FTP (File Transfer

Protocol)file-allocation tables, cluster viruses altering, 231files, signs of host system intrusions, 465–466file-writing (cavity) viruses, 231filters, Wireshark, 263–264FIN flag, 137, 139–141FIN scan, 140–141financial fraud, embezzlement as, 7financial services

current developments in hacking/cybercrime,4–5

in footprinting process, 116researching data on companies via, 117

Fing, pentesting Android, 450finger command, Linux/Unix enumeration, 178,

180–181finger scan systems, biometrics, 516fingerprinting. See OS fingerprintingfire suppression, server rooms, 518Firekiller 2000, distributing Trojans, 246Firesheep, session hijacking, 337Firewalk, determining firewall configuration,

470–472firewalking, determining firewall configuration,

470–472


584 firewalls – grouping error messages

firewallsblocking ping requests, 134–135blocking scans, 144bypassing, 479–481configurations, 468–469determining configuration with firewalking,

470–472determining configuration with nmap, 472–

473evading with fragmenting, 144identifying, 470for mobile devices, 473overview of, 56–57, 467–468setting up security, 58–59testing, 479–480types of, 469

FISMA (Federal Information SecurityManagement Act), 2002, 34

flagsdefying detection by IDS, 476–477TCP, 136–137

flash drives, physical security of, 507–508flawed web design, web servers/applications,

369–370floors, securing physical area, 516–517folders, signs of host system intrusions, 465–466footprinting

competitive analysis in, 118–119email, 117–118as first step of ethical hacking, 17, 100–101information gathering via, 113–116, 160as intelligence gathering, 557–558job sites and job postings, 116–117location and geography in, 112–113network information gathering in, 119–120other phases of ethical hacking, 101–102overview of, 100pentesting mobile devices via, 449public and restricted websites, 111–112review, 121–122review answers, 529–530review questions, 123–125search engines, 108–111as social engineering phase, 120–121, 285terminology, 106–107threat modeling via in-depth, 557–558threats introduced by, 107understanding, 102–106

forwards, web server/application attacks from unvalidated, 376–377

fraggle attack, as DoS attack, 310fragmentation attacks

on Android devices, 448defying detection by firewalls, 478defying detection by IDSs, 476web servers/applications vulnerable to, 372

fragmenting packets, preventing detection, 144fragroute command, 144fragtest command, 144frames, securing door, 512fraud, as cybercrime, 7freeware, spyware delivery via, 236FRR (false rejection rate), in biometric accuracy,

515FTP (File Transfer Protocol)

easy sniffing of, 259TCP 21 port for, 169Trojans, 240vulnerable to man-in-the middle attack, 200

full backups, 63full-open scans, 135

Ggates, securing physical area, 511gateway host, firewalking, 470gateways, defense against session hijacking, 352geography, footprinting data on, 112–113Ghost Keylogger, 248GID (group identification number), Linux, 169Global Catalog Service, TCP/UDP 3268 port, 170Global System for Mobile Communications

(GSM), 414goals, of footprinting process, 103goodwill, social engineering impact on, 286Google Android OS. See Android OSGoogle Apps, 487Google Docs, 487Google Earth, 112Google hack, 108–111, 113Google Maps, 113Google Play store, 445, 473Google+, 114governance, cloud security controls, 495gray-box testing, 14–15, 551gray-hat hackers, 9, 11group identification number (GID), Linux, 169grouping error messages, extracting information

by, 403


groups – HTTP Tool 585

groupscapturing user, 162–163Linux, 169security identifiers for Windows, 166–167storing information in SAM, 167Windows, 164–165

GSM (Global System for Mobile Communications), 414

guest account, Windows OS, 163

Hhack value, 13hackers

ethical hackers vs., 10evolution of, 3–8methodologies of, 17–21

Hackode, pentesting Android suites, 454hactivism, DoS attacks based on, 307half-open (stealth) scan, 135–136hand geometry systems, biometrics, 516handler (master computer), DDoS attack setup,

318–319HAPs (hardware access points), 411hard drives

creating test setup, 568physical security of portable, 506–507

Hard-disk killer, Trojan-creation tool, 243hardening

network against sniffing, 273thwarting SQL injection, 404–405as vulnerability in Windows, 61

hardwareAndroid OS, 444gathering job posting data, 117planning disaster and recovery, 29protocol analyzers, 258tools for lab testing, 573–574

hardware access points (HAPs), 411hash function, 81–82, 86–88hash injection attacks, 202–203hashing

passwords, 203process of, 86–88rainbow tables attacks using precomputed,

203–205salting to strengthen password, 210

HAVAL, hashing algorithm, 87HAVING command, error messages, 403

heap, in buffer overflow attacks, 314–315help desk personnel, social engineering, 286hex coding, evading detection via, 404hexadecimal values

MAC addresses broken down into, 54reading sniffer output in IP addresses,

269–270vs. binary, 49–50

HFS (Hierarchical File System), Mac OS X, 216hidden field, session ID embedded in, 336hiding data, 216–217HIDS (host-based intrusion detection system), 463high-availability architecture, business continuity/

disaster recovery, 27high-interaction honeypots, 474history, of cryptography, 73–75hoaxes, 232Home Depot, tarnished through social

media, 290honeynets, 474honeypots

Bluetooth, 433purposes of, 473

honeyspot attacks, on Wi-Fi, 428–429horizontal privilege escalation, 212host, firewalking, 470host system intrusions, signs of, 465–466host-based intrusion detection system (HIDS),

463hostname, using Ping via, 133hot sites, 28, 29hot spots, 412, 414Hping2/hping3

checking for live systems, 134–135checking status of ports, 137ICMP flood attacks, 309scanner for lab testing, 571web servers/applications vulnerable to,

371–372HP’s Performance Insight, detecting sniffing

attacks, 275HTTP (HyperText Transport Protocol)

easy sniffing of, 258header response, 341listener, IIS, 363and SOAP, 494TCP 80 port for, 169tunneling, defying detection by firewall, 479

HTTP Injector tool, pentesting Android, 453HTTP Tool, pentesting Android, 453


586 HttpOnly attribute – Instant Messaging (IM)

HttpOnly attribute, cookies, 379HTTPRecon, fingerprinting website, 374HTTPrint, identifying sites, 374HTTPS, 367HTTP.sys file, 363hubs, switches vs., 56human beings

art of hacking, 120–121power of social engineering and nature of, 284

HUMINT (human intelligence), penetration testing, 558

hybrid attacks, password cracking via, 198hybrid cloud, 488hybrid topologies, 42–43

IIaaS (Infrastructure as a Service) model, cloud,

365, 489ICMP (Internet Control Message Protocol),

133–134ICMP Backdoor, 247ICMP flood attack, 309, 371–372ICMP tunneling, 479ICMP_TIME_EXCEEDED message, nmap, 472ID Serve, providing information about web server,

373IDEA (International Data Encryption Algorithm), 79identity theft, 75, 296–298idle scans, 142–143IDS (intrusion detection system)

detection methods, 464–465evading, 144, 403–404firewalls as form of, 467inner workings of, 462–463overview of, 57role of, 462signs of intrusion, 465–466testing, 480thwarting session hijacking via, 352thwarting SQL injection via, 403, 404types of, 462

IEEE 802.11 standard, 411–413ignorance, social engineers preying on, 283IGRP (Interior Gateway Routing Protocol), 45IIS (Internet Information Server)

countering banner grabbing, 151overview of, 362–363used by web applications, 367

IIS Lockdown, 151IKS Software Keylogger, 248illegal material, and cybercrime, 7IM (Instant Messaging), spyware delivery via, 236IMAP (Internet Message Access Protocol), 259incident response

business continuity plan, 26–28overview of, 21–22phases of, 22–25plans, 25–26policies, 22recovering from security incident, 31–32recovering systems, 28–29reporting security incident, 32team, 25

incident response policies (IRPs)in incident response plans, 25overview of, 22reporting security incident via, 32

Incognito, pentesting Android, 454incorporation, virus, 229incremental backups, 63industrial, scientific, and medical (ISM) band, 414inference

overview of, 288using corporate espionage, 119

informationdata-diddling of, 7gathering in SQL injection attack, 402–403leakage caused by footprinting, 107sharing too much on social media, 289–291,

296social networking countermeasures, 292–293unauthorized destruction/alteration of, 7

Infrastructure as a Service (IaaS), cloud, 365, 489ingress filtering, countering DoS/DDoS attacks,

323initial sequence number (ISN), 343initialization vectors (IVs), 419–420input strings, evading detection via, 404input validation

SQL injection attack from flawed/absent, 391thwarting SQL injection using, 392, 404web server/application attacks from flawed/

absent, 375insertion attack, defying detection by IDS, 475insider attacks, 555inSSIDer tool, 426, 572Instagram, social engineering via, 114Instant Messaging (IM), spyware delivery via, 236


integrity – job site/postings 587

integritybreaking CIA triad, 16cryptography used for information, 75preserving CIA triad, 15–16

Intelius, people search utility, 113, 298intellectual property, Code of Ethics for, 11intelligence gathering, in penetration testing,

557–558Interactive group, Windows, 165Intercepter-NG, pentesting Android, 451interference, Wi-Fi and, 411interior controls, as third layer of physical

defense, 520Interior Gateway Routing Protocol (IGRP),

Network layer of OSI, 45International Council of Electronic Commerce

Consultants (ECCouncil), 10, 11–12International Data Encryption Algorithm (IDEA),

79Internet

developments in hacking/cybercrime, 4–5evolution of hacking, 4footprinting, 107mobile device security issues, 447preventing threats, 294–296using SSL to exchange data over, 93–94

Internet Control Message Protocol. See ICMP(Internet Control Message Protocol)

Internet Information Server. See IIS (Internet Information Server)

Internet Message Access Protocol (IMAP), 259Internet Protocol security. See IPsec (Internet

Protocol security)Internet Protocol v6 (IPv6), 273Internet Relay Chat (IRC), spyware delivery, 236intrusion detection system. See IDS (intrusion

detection system)intrusion prevention system. See IPS (intrusion

prevention system)intrusions

signs of, 465–466testing web applications with Burp Suite, 383

investigation phase, incident response, 23investments, researching, 117IP address(es)

defying detection by firewall, 478–479DNS and, 53finding website, 104–105importance of, 53looking for live hosts via ping sweeps, 134

at Network layer of OSI model, 45routers and, 54smurf attack spoofing, 310using Ping via, 133

IP fragmentation, web server/applicationvulnerability, 372

IP ID (identification number), idle scans, 142–143IP spoofing

defying detection by firewall, 477leading to prison time, 346overview of, 341–342

IP subnetting, 49IP Tool, pentesting Android, 450iPlanet Web Server, Oracle, 367IPS (intrusion prevention system)

detecting/preventing network anomalies, 353IDS vs., 465overview of, 57

IPsec (Internet Protocol security)as cryptographic technology, 90defending against session hijacking, 352hardening network against sniffing, 273working with, 90–92

IPv6 (Internet Protocol v6), 273IRC (Internet Relay Chat), spyware delivery, 236iris recognition, biometrics, 516IRPs (incident response policies)

in incident response plans, 25overview of, 22reporting security incident via, 32

ISM (industrial, scientific, and medical) band, 414

ISN (initial sequence number), 343isolation

Apple iOS, 446mobile device security via, 442

ISPs (Internet Service Providers), 54IT audits, by ethical hackers, 15IVs (initialization vectors), 419–420

Jjailbreaking, 446–447jamming attacks, on Wi-Fi, 428JavaScript, in XSS, 339–340Jerusalem virus, 230JiWire, wireless traffic analysis, 429job site/postings, footprinting process,

116–117


588 John the Ripper tool – LIFO

John the Ripper tool, 571Jolt2, DoS tool, 319JPS Virus Maker, 233–234Juniper device, mitigating MAC flooding, 274JXplorer, searching LDAP directory, 183

KKali Linux

breaking WEP with, 420–422cracking WPA with, 423testing with, 63using Firewalk script with, 472

KDC (key distribution center), Kerberos, 211–212Kerberos, 211–212key pair, CA generating, 85keyboard dynamics, biometrics, 516KeyGrabber tool, 574keyloggers

active online attacks via, 202executing applications via, 214malware programs installing, 225planting in post-exploitation phase, 561types of keystroke recorders, 248

keysasymmetric algorithm, 80–86cryptosystem, 76how cryptography works, 77symmetric algorithm, 78–79

KisMAC, 426Kismet

pentesting mobile devices, 449tool for lab testing, 572wardriving with, 426wireless traffic analysis, 430

known plaintext attacks, on cryptographicsystems, 89

LL0phtCrack tool, passwords, 571lab, building

build process, 566–567creating test setup, 568–569enumeration tools, 571evaluating tools for, 566hardware tools, 573–574

installation process, 569installing tools, 570installing virtualized OS, 570logging/event-viewing tools, 572password-cracking tools, 571reasons for, 566scanner tools, 570–571sniffers, 572what you will need, 567–568wireless tools, 572

Lacroix, Cameron, hacker, 5laminated windows, 517Lan Manager (LM) hash, storing information in

SAM, 167, 209–210LAN Turtle tool, 573land attack, as DoS attack, 310LanDroid, pentesting Android, 450LAN-to-LAN wireless networks, 412large-storage-capacity hard drives, securing,

506–507last-in, first-out (LIFO) access, 314launch, of virus, 229law enforcement, reporting security incident

to, 32lawful interception (LI), or wiretapping, 258layers, web application, 366–367LDAP (Lightweight Directory Access Protocol),

170, 182–183LEAP (Lightweight Extensible Authentication

Protocol), wireless authentication, 418least privilege

mobile device security via isolation, 442thwarting SQL injection, 404–405

legal issuescreating/using malware, 225–226with data, 507getting advice of lawyers on, 17laws, regulations and directives, 33–34permission from client to perform

enumeration, 162purchasing lock-picking tools, 515sniffing, 258of social engineering, 286

legally permissible rule of evidence, 31Let Me Rule, Trojan-creation tool, 243LexisNexis, for competitive analysis data, 117LFM (log file monitor) IDS, 463LI (lawful interception), or wiretapping,

258LIFO (last-in, first-out) access, 314


Lightweight Directory Access Protocol (LDAP) – malware 589

Lightweight Directory Access Protocol (LDAP),170, 182–183

Lightweight Extensible Authentication Protocol(LEAP), wireless authentication, 418

limited discoverable mode, Bluetooth, 432Link Extractor, 111LinkedIn, 114, 297Linux OS

Android based on, 443banner grabbing tools, 150–151finding MAC address, 55macof MAC flood attacks, 270packet sniffing with tcpdump, 264–266passive fingerprinting of, 148–149using Kali Linux, 63vulnerabilities of, 62–63wireless penetration tools, 431

Linux OS enumerationcommonly exploited services,

170–172DNS zone transfers, 174–176finger command, 178NULL sessions, 173–174services/ports of interest, 169–170SuperScan, 174Unix and, 180–182users, 168–169

live systems, checking forin targeted environment, 130–131using hping3, 134–135using ping, 133–134using wardialing, 131–132

LM (Lan Manager) hash, storing information inSAM, 167, 209–210

LNS tool, finding ADS streamed files, 217LoadStorm, testing security in cloud, 496local service account, in Windows, 164location, footprinting data on, 112–113lock screens, physical security via, 504locks, securing physical area, 513–515, 519log file monitor (LFM) IDS, 463log file readers, pentesting Android, 453logging tools, lab testing, 572logic bombs, 230, 231logic function, web applications, 369Logic layer, web applications, 366logon

physical security via, 503web server/application attacks from insecure,

368, 377–378

logoutweb application, 369web server/application session management,

379LOIC (Low Orbit Ion Cannon)

in action, 320–322creating botnets, 318DDoS tool, 320pentesting Android, 451

Loki, exploiting covert channels, 247long-lived sessions, web servers/applications, 379low-interaction honeypots, 474LulzSec, 8

MMAC (media access control) address, 54–56MAC flooding, 270–271, 274–275Mac OS, vulnerabilities of, 61–62MAC spoofing, 272, 427macof MAC flood, Linux, 270macro viruses, 230–231maintenance, thwarting SQL injection, 404malicious activity

1980s hackers engage in, 4abusing cloud services via, 491current developments in hacking/cybercrime,

4–5ethical hackers using same tactics as, 13

malicious code, as cybercrime, 7Maltego, 116, 151malware

adware, 237categories of, 227–228executing applications via, 214mobile device countermeasures, 455mobile device security issues, 442–443, 447overt and covert channels used by, 247–249overview of, 224–226ransomware, 238removing in mopping up phase of pen testing,

563review, 249–250review answers, 533–534review questions, 251–253scareware, 237social engineering via Trojans, 293spyware, 236–237


590 Management Information Base (MIB) – multipartite (or file) viruses

strict laws against, 226–227Trojans. See Trojansviruses. See virusesworms, 234–236

Management Information Base (MIB), 178–180man-in-the-browser attacks, 338–339man-in-the-middle attacks. See MitM (man-in-

the-middle) attacksmantraps, securing physical area, 511–513manual penetration testing, 561–562mapping networks, 152–153Marshmallow, Android OS, 442, 505master boot record (MBR), boot-sector viruses

infecting, 230master computer (handler), DDoS attacks,

318–319Matchstick Men movie, social engineering in, 285MBR (master boot record), boot-sector viruses

infecting, 230McKinnon, Gary, 5MD2 (Message Digest 2), hashing algorithm, 87MD4 (Message Digest 4), hashing algorithm, 87MD5 (Message Digest 5), hashing algorithm, 87MD6 (Message Digest 6) hashing algorithm, 87measured service, cloud computing, 487mechanical locks, physical access control, 513Medusa, password-cracking tool, 571Melissa virus, 5, 231membership registration sites, databases in, 395memory, buffer overflow attacks on, 314–317mesh topology, 42–43<META> tag, code injection attacks, 341metadata, 364–365metamorphic viruses, 230MIB (Management Information Base), 178–180MicroSD cards, mobile device encryption, 505Microsoft Hyper-V, building lab with, 569Microsoft Proxy Server firewall, 470Microsoft Windows OS

Apple devices not playing well in, 62common vulnerabilities of, 60–61finding MAC address, 55

Microsoft Windows OS enumerationcommonly exploited services, 170–172DNS zone transfers, 174–176groups, 164–165NULL sessions, 173–174overview of, 163PsTools suite, 177security identifiers, 166–167

services and ports of interest, 169–170storing information in SAM file, 167SuperScan, 174users, 163–164

Minipwner tool, 573misconfiguration

attacks on web servers/applications, 375on Wi-Fi, 428

MitM (man-in-the-middle) attacksapplication-level hijacking via, 341on cryptographic systems, 89in exploitation phase, 560as passive online attacks, 200–201pentesting mobile devices via, 450performing, 347–351as session hijacks, 346TCP packet sequence numbers in, 47–48

Mitnick, Kevin, 346mnemonics, OSI layers, 46mobile apps, 363–364mobile device security

Android OS, 443–446Apple iOS, 446–447approaches to, 442–443countermeasures, 454–455cryptography in, 75firewalls for, 473goals of, 441–442OS models and architectures, 440–441overview of, 440penetration testing, 449–450penetration testing using Android,

450–454physical theft, 505–506problems, 447–449review, 455–456review answers, 544review questions, 457–460use of locks, 519

modems, 131–132modules, Apache web server/IIS, 363monitoring, session hijacking process, 334mopping up phase, penetration testing, 563moral obligation, social engineers prey on

victim’s, 283Morris, Robert T., Jr., as first hacker, 4–5MSN Sniffer, 260multifactor authentication, 198multihomed firewall configuration, 468multipartite (or file) viruses, 230, 232


multiple access points – Nmap 591

multiple access points, wireless networks, 412,429–430

multi-tenant environments, threats to cloudsecurity, 491

Myspace, people search utility, 297

NNAT (Network Address Translation), routers

using, 54nature, securing physical area, 509NBNS (NetBIOS Name Service), 170nbstat command, 171–172NBTScan, for lab testing, 571Nessus Vulnerability Scanner, 130, 380NetBIOS, 171, 174NetBIOS Name Service (NBNS), 170NetBIOS Session Service (SMB over NetBIOS),

port for, 170Netcat

for Android, 451enumeration tool for lab testing, 571planting backdoors, 215port redirection, 248–249providing information about web server, 374

Netcraftbanner grabbing with, 150finding information about URLs, 111providing information about web server, 374

NETGEAR device, mitigating MAC flooding,274–275

NetScan tools, 571NetScanTools Pro, 186netstat, detecting open ports, 241NetStumbler, 426, 572NetWitness NextGen, sniffer, 260Network Address Translation (NAT), routers

using, 54network cards, 411Network Discovery tool, pentesting Android, 450Network group, Windows, 165Network Handbook, pentesting Android, 450network interface cards (NICs), 54network intrusion detection system. See NIDS

(network intrusion detection system)Network layer, OSI model

IP subnetting, 49overview of, 45

routers at, 54session hijacking at, 334

network mappers, 152–153Network News Transfer Protocol (NNTP), 258network scans, 129network security, 58–59network service account, Windows, 164network session hijacking, 344network sniffing, against cloud, 494Network Time Protocol (NTP), and enumeration,

184network topologies

bus, 40–41hybrid, 42–43mesh, 42–43overview of, 40ring, 41star, 42

networking tools, pentesting tools for Android,450–451

NetworkMiner, lab testing tool, 572networks

administrator interaction with web servers,360

attacks caused by footprinting, 107attacks on mobile devices, 441defending against session hijacking, 352DoS attacks against specific, 308firewalls, 56–59information gathering on, 104–105, 119–120,

558intrusions, 6, 466proxies, 56routers and switches, 53–56

Nexpose, 130, 496NICs (network interface cards), 54NIDS (network intrusion detection system)

detecting sniffing attacks, 275overview of, 463targeting with DoS attack, 475

NirSoft Suite, 571Nmap

defying detection by firewall, 478defying detection by IDS, 476detecting Trojans and viruses, 240–241determining firewall configuration, 472–473FIN scan with, 141fragmenting packets, 144how it works, 141importance in CEH exam, 133–134


592 NNTP (Network News Transfer Protocol) – OSs (operating systems)

NULL scan with, 141OS detection with, 146–147pinging with, 133port scanning with, 129providing information about web server, 374as scanner for lab testing, 570stealth or half-open scan with, 139as vulnerability scanner, 152Xmas tree scan with, 140

NNTP (Network News Transfer Protocol), 258nondiscoverable mode, Bluetooth, 432nonpairing mode, Bluetooth, 432nonrepudiation

cryptography in, 76symmetric cryptography lacking, 78

non-repudiation, supporting CIA triad, 16–17nontechnical (or non-electronic) attacks

password cracking, 199social engineering, 282

NOP sled, buffer overflow attack, 317nslookup command, DNS, 119–120, 175–176NT LAN Manager (NTLM), 167, 209–210NTFS volumes, 217NTLM (NT LAN Manager), 167, 209–210Ntop tool, 572NTP (Network Time Protocol), in enumeration,

184NULL scan, 141–142NULL sessions, exploiting, 173–174numbers

decoding SID, 166–167TCP packet sequence, 47–48TCP/IP port, 50–52

Oobfuscated code, evading detection via, 404, 476object identifiers (OIDs), recognizing MIB

elements, 179object identifiers, recognizing MIB elements, 179objective, pre-engagement interactions, 553–554object-oriented programming databases, 395Office 365, cloud computing for, 487Office of Personal Management (OPM), threats to

cloud security, 490offline attacks

extracting hashes from system, 203overview of, 203

password cracking via, 199precomputed hashes/rainbow tables, 203–205on WPA/WPA2, 424

OIDs (object identifiers), recognizing MIBelements, 179

omnidirectional antennas, 415OmniPeek, sniffer, 259on-demand self-service, cloud computing, 486OneDrive, cloud computing, 487one-way hash function, 81–82online habits, changing, 295Open Signal tool, wireless traffic analysis, 429–430open source

information gathering via footprinting, 106Linux OS, 63

Open Web Application Security Project (OWASP), 380, 448

open-source intelligence (OSINT), 558OpenSSL, web application encryption, 380open-system authentication, Wi-Fi, 416operating systems. See OSs (operating systems)OphCrack tool, 571opinion evidence, defined, 30OPM (Office of Personal Management), threats to

cloud security, 490Oracle VM VirtualBox, building lab, 569Orbot, pentesting Android, 454order by statement, in SQL injection attack,

398organization data, in footprinting, 105–106Orweb, pentesting Android, 454OS fingerprinting

active, 146–147overview of, 145–146passive, 147–149

OS X, Apple iOS based on, 446OSI (Open Systems Interconnection) model

attacks caused by footprinting, 107overview of, 44–46session hijacking in, 334TCP/IP suite mapping to, 47–48

OSINT (open-source intelligence), 558OSs (operating systems)

Android, 62, 444Apple iOS. See Apple iOSchoosing for test setup, 568finding information in footprinting, 105Linux, 62–63Mac OS, 61–62Microsoft Windows, 60–61


output – penetration (pen) testing 593

output, reading sniffer, 266–270outside attacks, pre-engagement interactions, 555overt channels, 239OWASP (Open Web Application Security Project),

380, 448

Pp0f tool, Linux, 148–150P2P (Peer-to-Peer Networks), spyware delivery

via, 236PaaS (Platform as a Service), cloud, 366, 489Packet Capture tool, pentesting Android, 450packet capture, with sniffers. See snifferspacket crafters, 137Packet Generator, pentesting Android, 451packet sequencing, implementing TCP hijacking,

344–345packet sniffing, 199–200packet-filtering firewalls, 57, 469PacketShark, pentesting Android, 451Padding Oracle On Downgraded Legacy

Encryption (POODLE) attack, 381PageXchanger for IIS, 151pairing mode, Bluetooth, 432palm scan systems, biometrics, 516Parabolic Antenna tool, lab testing, 574parabolic grid antennas, 415–416Paranoid Android, 446parties involved, pre-engagement interactions,

553–554passive fingerprinting, OSs, 146–147passive information gathering, footprinting, 106passive online attacks

man-in-the middle, 200–201overview of, 199packet sniffing, 199–200password cracking, 198replay attack, 201–202

passive session hijacking attack, 335–336passive sniffing, 256passive wireless network attacks, 425passphrases, identity theft protection, 297passwd file, Linux, 168password cracking

as active online attack, 202–203of cloud services, 491of database server, 396

in distributed network attack, 205–206in exploitation phase, 560as offline attack, 203–205as passive online attack, 199–202performing, 377–378risk mitigation for WEP/WPA, 425techniques, 198–199understanding, 196–198

password guessingas active online attack, 202obtaining password via, 207

password-cracking backdoors, 247password-protected screensavers, 504passwords

adding additional security measures to, 504avoid saving of, 296biometric authentication replacing, 515capturing in post-exploitation phase, 561cybercrime of stealing, 6Linux user account, 168mobile device countermeasures, 454–455mobile device security issues, 447in multifactor authentication, 198physical security via, 503SNMP, 179social networking and, 289social networking countermeasures, 292–293storing information in SAM, 167as vulnerability in Windows, 61web server/application issues, 377–378, 379working with, 503

patchescreating test setup, 568installing for lab testing, 569mobile device security issues, 447as vulnerability in Windows, 60

Path attribute, cookies, 380Patriot Act, malware and, 226–227pattern matching, IDS signature detection, 464PBXs (private branch exchanges), wardialing, 132PDF printer, for lab testing, 569PDF viewer, for lab testing, 569PDQ Deploy, planting backdoors, 214peer CA, 85penetration (pen) testing

alternative methods of testing, 550–552Android OS, 450–454automated vs. manual, 561–562building lab for. See lab, buildingcontract contents for, 555–556


594 penetration testers – plain text/clear text

evaluating necessity of, 19–20evasion, 479–480exploitation, 560footprinting phase, 100–101frameworks, 549gaining permission, 556IDS, 480intelligence gathering, 557–558of mobile devices, 449–454mopping up, 563Penetration Testing Execution Standard,

552–553permissions/contracts before, 13post-exploitation, 560–562pre-engagement interactions, 553–555reporting, 562–563review, 563–564security in cloud, 495–496tests within, 20–21threat modeling, 558–559vulnerability analysis, 559–560web applications, 383–384

penetration testersethical hackers as, 2, 12–17prerequisites for, 10role of, 19–21

Penetration Testing Execution Standard. See PTES (Penetration Testing Execution Standard).

People Search, 297people search utilities, 113Performance Insight, detecting sniffing attacks,

275perimeter, building physical defense, 520permanent DoS attack, 310permissions

black hats functioning without, 11ethical hacker responsibility for, 9–10Linux group, 169mobile device access control via, 443before starting testing activity, 13, 556–557web applications, 369white hats functioning with, 11

personally identifiable information. See PII(personally identifiable information)

personally owned devices, in workplace, 440–441, 448–449

PGP (Pretty Good Privacy), 79, 92–93phases, social engineering, 285Phatbot, Trojan-creation tool, 243phishing, social engineering, 120–121, 293–294

phlashing, permanent DoS, 310phone taps, firewalls acting as, 467PhoneSweep wardialing program, NIKSUN, 132physical access, spyware delivery via, 236Physical layer, OSI model, 45physical security

biometrics, 515–516contactless cards, 515data storage, 506–509defense in depth, 519–520doors and mantraps, 511–513education and awareness, 519entryways, 517–518fences, 511gates, 511locks, 513–515mobile device issues, 505–506other items to consider, 519overview of, 502physical penetration test of, 554review, 520–521review answers, 547–548review questions, 522–524securing physical area, 510server rooms and networks, 518simple controls, 503–505walls, ceilings, and floors, 516–517windows, 517

picks, lock, 514PII (personally identifiable information)

footprinting causing threats to, 107preventing, 393preventing threats when posting, 296SQL injection attacks stealing, 391

PIN code problem, WPS, 422–423pin-and-tumbler locks, physical access control,

513ping of death, as DoS attack, 309–310ping utility

checking for live systems via, 133–134checking for live systems via hping, 134–135gaining information about target’s

network, 119ping sweeps, 134

pivot points, wardialing, 132PKI (public key infrastructure), 83–86plain text/clear text

in asymmetric algorithms, 80how cryptography works, 77PKI system, 83–85


plaintext attacks – PsTools suite 595

in symmetric algorithms, 77understanding hashing, 86–88

plaintext attacks, WEP vulnerability, 419plans, incident response, 25–26planting backdoors, 18Platform as a Service (PaaS), cloud, 366, 489PlugBot, creating botnets, 318points of failure, disaster and recovery plans, 29Poison Ivy, creating botnets, 318poison null byte attacks, scripting errors, 378policies

BYOD, 448capturing settings in enumeration phase for,

163firewall configuration via security, 467hardening network against sniffing, 273incident response. See IRPs (incident response

policies)lack of social engineering security, 283strong password, 503

PoliteMail tool, 117polycarbonate acrylic windows, 517polymorphic viruses, debut of, 230POODLE (Padding Oracle On Downgraded

Legacy Encryption) attack, 381poorly written/questionable scripts, causing

attacks, 378POP (Post Office Protocol), sniffing of, 258pop action, program stack, 314–315pop-up blockers, social engineering prevention,

294port mirroring, sniffing switched networks,

272–273Port Scanner, pentesting Android, 450port scanning

checking status of ports, 135–137detecting Trojans and viruses, 240–241determining type/brand of firewalls, 470overview of, 129

portables, securing, 519portals, as mantraps, 513ports

checking status of, 135–137hardening network by securing, 273knowing for exam, 169–170redirecting, 248–249TCP/IP, 50–53tracking usage with TCPView, 242–243using Firewalk, 471using netstat to detect open, 241

positive pressure, server rooms, 518post exploitation, pentesting mobile devices, 450Post Office Protocol (POP), sniffing of, 258Poulsen, Kevin Lee (Dark Dante), hacker, 5power outages

mesh topology and, 42–43star topology and, 42

preinstalled applications, Android OS, 445Presentation layer, OSI model, 46, 366preservation rule of evidence, 31Pretty Good Privacy (PGP), 79, 92–93primary (default) groups, Linux, 169printers, physical protection of, 519privacy

Code of Ethics for, 11ethical hacker responsibility for, 10footprinting causing loss of, 107with SNMPv3, 178social engineering impacting loss of, 285social networking countermeasures, 293

private branch exchanges (PBXs), wardialing, 132private browsing, preventing threats, 295private cloud, 488private keys, 80–86, 93privilege escalation, on Microsoft platforms,

211–212processes, running Windows, 164process-hiding backdoor, 247promiscuous client attacks, Wi-Fi, 428promiscuous mode, detecting sniffing

attacks, 275proper identification rule of evidence, 31protocol anomaly detection, IDS, 465protocol listeners, IIS, 363protocols, subject to sniffing, 258–259proxies

overview of, 56pentesting tools for Android OS, 453providing anonymity for scanning party,

153–154setting up web browser to use, 154–155testing web applications with Burp Suite,

383proxy Trojans, 240proxy-based firewalls, 469pseudonymous footprinting, 106–107PSH flag, 137, 139–140Psiphon, pentesting Android, 453pspv.exe tool, 208PsTools suite, planting backdoors, 214


596 PTES (Penetration Testing Execution Standard) – revenue

PTES (Penetration Testing Execution Standard).contents of contract, 555–556gaining permission, 556–557intelligence gathering, 557–558pre-engagement interactions, 553seven stages of, 552–553threat modeling, 558–559working with, 553

public cloud, 488public information, intelligence gathering for, 558public key infrastructure (PKI), 83–86public keys

in asymmetric cryptography, 80–86CA publication of, 85Pretty Good Privacy using, 92–93

public places, access to sensitive information in,295

public profiles, avoiding on social networks, 293public websites, in footprinting process, 111–112push action, program stack, 314–315push messaging, Android OS, 445pwdump command, extracting hashes, 203Pwn Pad, 430, 573Pwn Phone, 430, 573Pwnie Express, 430

RRA (Registration Authority), CA as, 85rack-mounted servers, server rooms, 518radio frequency ID (RFID), physical access

control, 515RADIUS (Remote Authentication Dial-In User

Service), 417–418rainbow table attacks, 203–205RainbowCrack, 571RAM, creating test setup, 568range

extending Bluetooth device, 432wireless networks and, 411

ransomware, 7, 238rapid elasticity, in cloud computing, 487Raspberry Pi, 427, 573RATs (Remote Access Trojans), 240RC2 symmetric algorithm, 79RC4 symmetric algorithm, 79RC5 symmetric algorithm, 79RC6 symmetric algorithm, 79RCPT TO command, SMTP enumeration, 186

reaper virus, 228Reaver, tool for lab testing, 572receptionists, as targets of social engineers, 286reconnaissance, ethical hacking. See footprintingrecords (rows), database, 395recovery

DRP. See disaster recovery plan (DRP)as incident response phase, 24

RECUB (Remote Encrypted Callback Unix Backdoor), Trojan-creation tool, 243

red team, pentester, 557redirects, web server/application attacks from

unvalidated, 376–377redundancy

disaster and recovery plans for, 28–29mesh topology providing high, 42–43ring topology providing, 42

reflected XSS attacks, 340registered ports, 51–52Registration Authority (RA), CA as, 85relational databases, 395Relay service, SMTP, 186relevance rule of evidence, 31reliability rule of evidence, 31religious law, ethics and, 33Remote Access Trojans (RATs), 240Remote Authentication Dial-In User Service

(RADIUS), 417–418Remote Encrypted Callback Unix Backdoor

(RECUB), Trojan-creation tool, 243Remote Procedure Call (RPC), TCP 135 port, 169remote wiping, 449, 455RemoteExec, planting backdoors, 214repair phase, incident response, 24replay attack, 201–202replication, 229reporting

in penetration testing, 562–563as responsibility of ethical hacker, 14security incident, 32

reputation filtering, protection from botnets, 324researching, viruses, 233–234resource pooling, cloud computing, 487response phase, incident response, 23responsibilities, ethical hacker, 9–10Restorator, distributing Trojans, 246Restricted group, Windows, 165restricted websites, footprinting, 111–112retina pattern systems, biometrics, 516revenue, footprinting and loss of, 107


reversal testing – scanning 597

reversal testing, 552reverse proxy, protecting from DoS/DDoS attacks,

323reverse SSH tunneling, breaching wireless

networks, 427Reverse World Wide Web (WWW) Tunneling

Shell, 248RFC 3704 filtering, protecting from botnets, 323RFID (radio frequency ID), physical access

control, 515rights, Linux group, 168Rijndael, 79ring topologies, 41RIP (Routing Information Protocol), 45RIPE-MD, hashing algorithm, 87risk

cloud controls managing, 495contract content stating perceived, 555increased wireless network, 410mobile device security, 440–441reporting security incident, 32

rlogin keystrokes, Telnet, 258rogue access point attacks, Wi-Fi, 426–427root CA, 85root directory, directory traversal attacks, 382rooting device, Android, 444rootkits, 227Rosetta stone, 74router throttling, protecting from DoS/DDoS,

323routers

evading with fragmenting, 144firewalls acting as, 467firewalls working in conjunction with, 468overview of, 53–54

Routing Information Protocol (RIP), 45rows (records), database, 395RPC (Remote Procedure Call), TCP 135 port, 169rpcinfo command, Linux/Unix, 181RST flag

ACK scanning and, 143defined, 137defying detection by IDS with, 477full-open scans, 138idle scans, 142–143stealth or half-open scans, 138–139

rule-based attacks, password cracking via, 198rules

of engagement, 13–14, 558of evidence, 31

firewall, 467for strong passwords, 197–198

runtime, Android application, 444–445

SSaaS (Software as a Service), cloud, 366, 488–489SAM (Security Accounts Manager)

authentication on Microsoft platforms,209–210

how passwords are stored within, 209–210user and group information stored in, 167

sample scripts, and scripting errors, 378sandboxing, access control via, 444SandroProxy, pentesting Android, 453sanitation methods, 508, 509SAPs (software access points), 411–412Saran Wrap, Trojans, 246Sarbanes–Oxley Act (SOX or SarBox), 2002, 34satellites, footprinting location data, 112save capture function, sniffers

overview of, 257–258reading captured output, 267–270Wireshark, 262

scalar objects, MIB, 179scale, DoS attacks vs. DDoS attacks, 317–318scams, social media, 290–291scanner, testing web applications with Burp Suite,

383scanners, lab testing tools, 570–571scanning

ACK scans, 143–144banner grabbing, 149–151checking for live systems, 130–135checking status of ports, 135–137ethical hacking and, 101FIN scans, 137–138full-open scans, 135idle scans, 142–143network mapping, 152–153NULL scans, 141–142OS fingerprinting, 145–149pentesting mobile devices, 449pentesting tools for Android, 452–453review, 155review answers, 530–531review questions, 156–158as second phase of ethical hacking, 17


598 scareware – session ID prediction

stealth or half-open scans, 135–136techniques used in, 161types of, 129–130types of information learned by, 130UDP scans, 144–145understanding, 128–129using proxies, 153–155in vulnerability analysis phase, 559vulnerability scanners, 129–130, 151–152when scan is blocked, 144Xmas tree scans, 136–137

scareware, 237, 284Schneier, Bruce, 79scope, pre-engagement interactions, 553screened subnet, firewall configuration, 468screensavers, physical security, 504script kiddies, 9scripting errors, in attacks on web servers/

applications, 378search engines, in footprinting, 108–111SEC (Securities and Exchange Commission), 117secondary evidence, 30secondary groups, Linux, 169secrecy, in cryptography, 75sector-specific data, intelligence gathering for, 558Secure attribute, cookies, 379Secure Hash Algorithm-0 (SHA-0), 87Secure Hash Algorithm-1 (SHA-1), 87Secure Hash Algorithm-2 (SHA-2), 87Secure Shell (SSH), hardening network, 273Secure Sockets Layer. See SSL (Secure Sockets

Layer)Securities and Exchange Commission (SEC), 117security

cryptography. See cryptographyearly Internet not designed for, 4footprinting. See footprintingnetwork, 58–59in pentesting, 13preserving CIA triad when planning, 16of private cloud, 488vs. convenience analysis, 14

security film windows, 517security identifiers (SIDs), 166–167security policies, and social engineering, 283security software disablers, Trojans as, 240Self group, Windows, 165SENA adapter, in test setup, 568Senna spy, Trojan construction kit, 246sequencer, Burp Suite, 383

SERP (search engine results page), footprinting, 108

server administrators, and web servers, 360Server Mask, countering banner grabbing, 151server rooms and networks, securing, 518server validation, 425server-side technologies

SQL injection and, 394understanding web applications, 365

Service group, Windows, 165service hijacking, against cloud, 490, 494service packs, Windows vulnerability, 60service providers

planning for disaster and recovery, 28as threat to cloud security, 491

service request flood, as DoS attack, 308service set identifier. See SSID (service set

identifier)service-level agreements (SLAs), 27, 29services

commonly exploited, 170–171and ports of interest, 169–170protecting from DoS/DDoS attacks by

degrading, 323protecting from DoS/DDoS attacks by

disabling, 323session desynchronization, session hijacking,

334session fixation attack, 341session hijacking

active and passive attacks, 335–336defensive strategies, 352–353DNS spoofing, 351–352in exploitation phase, 560key concepts, 341–343man-in-the-middle attack, 346–351network, 344–346overview of, 332pentesting tools for Android, 451review, 353–354review answers, 539–540review questions, 355–358in session fixation attack, 341spoofing vs. hijacking, 334TCP packet sequence numbers in, 47–48types of application-level, 337–341UDP, 352understanding, 332–334web apps and, 336–337

session ID prediction, session hijacking, 334


session IDs – social engineering 599

session IDssession hijacking at application level, 336–337session management issues, 379types of session hijacking, 333understanding, 334

Session layer, OSI model, 46session management, web servers and

applications, 378–379session riding (or CSRF), against cloud, 491–492session sniffing, 337session splicing, 476session tokens, 334, 338session tracking, web applications, 369SETI (Search for Extraterrestrial Intelligence)

project, 206SETI@home project, 206SFind tool, 217SHA-0 (Secure Hash Algorithm-0), 87SHA-1 (Secure Hash Algorithm-1), 87SHA-2 (Secure Hash Algorithm-2), 87shared key authentication, Wi-Fi, 416–417SharesFinder, pentesting Android, 451Shark, creating botnets, 318Shark for Root, pentesting Android, 451sheep-dip system, researching viruses, 233–234shell viruses, 232Shodan search engine, 297, 374Short Message Service (SMS), pentesting mobile

devices, 450shoulder surfing, 121, 293showmount command, Linux/Unix, 181shredding, physical security via, 508side channel attacks, on cloud, 492–493SIDs (security identifiers), 166–167signature wrapping attacks, on cloud, 493signature-based IDS, 464Simple Mail Transfer Protocol. See SMTP (Simple

Mail Transfer Protocol)Simple Network Management Protocol. See SNMP

(Simple Network Management Protocol)Simple Object Access Protocol (SOAP), 493, 494site survey tools, wireless networks, 426Skyhook, wireless traffic analysis, 429Slammer worm, SQL, 234–235SLAs (service-level agreements), 27, 29slaves (zombies), DDoS attack setup, 318–319SlimROM, Android, 445smart cards, supplementing passwords, 504smartphones

Android OS. See Android OS

Apple iOS. See Apple iOSbring your own device issues, 448–449hacking with Pwn Phone, 430

smashing stack, buffer overflow attacks, 315–316SMB over NetBIOS (NetBIOS Session Service),

port for, 170SMB over TCP (or Direct Host), port for, 170Smith, David L., hacker, 5SMS (Short Message Service), pentesting mobile

devices, 450SMTP (Simple Mail Transfer Protocol)

easy sniffing of, 258enumeration with, 162, 184–186TCP 25 port for, 169

smurf attacks, 310sniffers

on the defensive, 273detecting attacks, 275overview of, 256in passive session hijacking attacks, 335reading output, 266–270review, 275–276review answers, 534–536review questions, 277–280switched network, 270–275tcpdump, 264–266tools, 259–260, 572understanding, 256–258using, 259Wireshark, 260–264

sniffing, session hijacking process, 334, 352SNMP (Simple Network Management Protocol)

enumeration with, 162, 178–179MIB used as codebook by, 179–180UDP 161 and 162 ports for, 170

SNScan, 180SOAP (Simple Object Access Protocol), 493, 494SOASTA CloudTest, 495–496social engineering

commonly employed threats, 293–296on cryptographic systems, 89as cybercrime, 6footprinting as, 107, 120–121identity theft as, 296–298impact of, 285–286on mobile devices, 442phases of, 285power of, 284pre-engagement interactions, 554review, 298–299


600 social networking – stateful packet inspection (SPI)

review answers, 536–537review questions, 300–303social networking as, 287–291social networking countermeasures, 291–293targets of, 286–287understanding, 282–283why it works, 283–284

social networkingcountermeasures for, 291–293in footprinting process, 113–116gathering information via, 287–291strengthening your accounts from, 289–291

softwareadware installed with, 237encryption weaknesses in web applications,

380gathering job posting data, 117malicious. See malwaremobile device security issues, 447spyware installed with, 237tools for building lab, 570–571

Software as a Service (SaaS), cloud, 488–489software piracy, as cybercrime, 7software updates

installing for lab testing, 569mobile device countermeasures, 455

solar film windows, 517solid state drives (SSDs), problems with, 509Sony Corporation, SQL injection attack on, 391Source IP reputation filtering, protection from

botnets, 324source routing, 342SPAN (Switched Port Analyzer) port, sniffing

switched networks, 272–273sparse-infector viruses, 231spear phishing, 121Spector Pro keylogger, 248SPI (stateful packet inspection), in ACK scanning,

142–143Spider tool, testing web applications, 383Spokeo, people search utility, 113, 297spoofing

DNS, 343IP, 341–342MAC, 427pentesting mobile devices, 450vs. session hijacking, 334

spywareactive online attacks via, 202defined, 227

methods of infection, 236–237overview of, 236

SQL injectionaltering data with, 399–401anatomy of, 396–399blind, 401–402against cloud, 494countermeasures, 404–405database vulnerabilities, 394–396evading detection mechanisms, 403–404information from error messages and, 403information gathering and, 402–403introduction, 390–392lack of input validation allowing, 375overview of, 390pentesting tool for Android, 453prerequisites for, 390results of, 392–393review, 405review answers, 541–542review questions, 406–408web application anatomy and, 393–394

SQL Slammer worm, 234–235SQLite Editor, pentesting Android, 453sqlmapchik, pentesting Android, 453SQLPing 3.0, 396SQLRecon, 396SSDs (solid state drives), problems with, 509SSH (Secure Shell), hardening network, 273SSID (service set identifier)

access points broadcasting, 413changing default, 413open system authentication for Wi-Fi and, 416rogue access point attack on, 427wireless traffic analysis, 429–430

SSL (Secure Sockets Layer)defending against session hijacking, 352hardening network against sniffing, 273POODLE attack using, 381at Presentation layer of OSI model, 46securing information, 93–94

SSL Strip, 200–201, 451Stacheldraht, DDoS tool, 320stack

buffer overflow attacks and, 314–315smashing, 315–316

standard windows, 517star topology, 42stateful packet inspection (SPI), in ACK scanning,

142–143


statefull firewalls – system hacking 601

statefull firewallsmultilayer inspection, 469packet filtering, 57preventing port scans, 143

stateless, defined, 367stealing session ID, in session hijacking, 333stealth (half-open) scan, 135–136Stealth Tool, hiding Trojans, 246stolen equipment attack, 555stolen session. See session hijackingstored XSS attacks, 339–340strong passwords

physical security via, 503rules for, 197–198

Stunnel, 381Stuxnet virus, 6, 45subdomains

defined, 111footprinting restricted websites, 111–112revealing with Netcraft tool, 111

subnetting, IP, 49subordinate CA, 85suicide hackers, 9suites, pentesting Android, 454SuperScan

enumeration tool for lab testing, 571enumeration utilities of, 174scanner for lab testing, 570

Svechinskaya, Kristina Vladimirovna, 6switched networks, sniffing

ARP poisoning, 271–272MAC flooding, 270–271MAC spoofing, 272mitigating MAC flooding, 274–275port mirror or SPAN port, 272–273

Switched Port Analyzer (SPAN) port, sniffingswitched networks, 272–273

switchesbroadcast domains/collision domains, 55–56nbstat, 171–172nmap, 141overview of, 54–55tcpdump, 266

syllable attacks, password cracking via, 198symbols, Egyptian hieroglyphic, 74–75symmetric cryptography, 77–79SYN attack/flood

as DoS attack, 309performing, 311–314web servers/applications vulnerable to, 372

SYN flagchecking status of ports, 136–137passive fingerprinting of OS, 147–149performing idle scan, 142–143

SYN packet, TCP/IP suite, 47–48SYN scan, 138–139SYN sequence numbers, TCP/IP session hijacking,

344SYN-ACK response

passive fingerprinting of OS, 147–149performing idle scan, 142–143performing stealth or half-open scan, 138–139SYN attack/floods exploiting, 309TCP three-way handshake and, 47–48

Sysinternals Suite, for lab testing, 571SYSKEY, improving security of SAM, 209Syslog, pentesting Android, 453system (boot-sector) viruses, 229, 230system account, processes in Windows, 164system administrators

as targets of social engineers, 286tendency to use backdoor accounts, 287

system fundamentalsbackup/archiving, 63–64DNS, 53exam objectives, 39hexadecimal vs. binary, 49–50IP subnetting, 49IPS and IDS, 57network devices, 53–57network security, 58–59network topologies, 40–44operating systems, 60–63OSI model, 44–46review, 64–65review answers, 527–528review questions, 66–69TCP/IP ports, 50–53TCP/IP suite, 47–48

System group, Windows, 165system hacking

active online attacks, 202–203authentication on Microsoft platforms,

209–213covering tracks, 215–217distributed network attacks, 205–206executing applications, 213–214in hacking process, 18offline attacks, 203–205options for obtaining passwords, 207–208


602 system integrity verifier – thumbprint

overview of, 194, 196passive online attacks, 199–202password cracking, 196–199, 208–209as phase of ethical hacking, 102planting backdoors, 214–215previous phases of ethical hacking, 194–196review, 217–218review answers, 532–533review questions, 219–221

system integrity verifier, 463system knowledge, in contract content, 556system weaknesses, penetration testing, 558

Ttables, SQL injection attack on, 399tablets

bring your own device issues, 448–449hacking with Pwn Pad, 430using for lab testing, 574

tabular objects, MIB, 179tailgating, mantraps preventing, 512–513tandem testing, 552Targa, DoS tool, 319Target Corporation, data breach, 225, 489–490target of evaluation (TOE), 13targets

acquiring for SQL injection attack, 397–398DoS, 308of evaluation in contract, 555intelligence gathering to define, 557social engineering, 286–287

TCP (Transmission Control Protocol)Connect scan, 138defying detection by IDS, 476–477flags, 137port numbers, 169–170service request floods exploiting, 309session hijacking, 344–345, 346at Transport layer of OSI model, 46

TCP three-way handshakein blind hijacking, 341checking status of ports, 135–136descynchronizing connection, 343DNS, 351full-open scan completing, 138overview of, 47–48reading captured output of, 267SYN attack/floods exploiting, 309

tcpdump, snifferdefined, 259packet sniffing in Linux, 264–266sniffer tool for lab testing, 572

TCP/IP ports, 50–53TCP/IP suite, 47–48, 333TCPView, 242–243, 571teams, incident response, 25teardrop attack, as DoS attack, 310technology

evolution of hacking in response to, 4little impact on social engineering, 283

Teflon Oil Patch, distributing Trojans, 246telephone calls, law enforcement and sniffing, 258Telnet

banner grabbing with, 149–151easy sniffing of, 258enabling in modern Windows, 149TCP 23 port for, 169vulnerable to man-in-the middle attack, 200

telnet command, SNMP enumeration, 185tension wrenches, lock picking, 514Terminal Server User group, Windows, 165terminology

footprinting, 106–107wireless, 414

terrorism, and social engineering, 285testing. See penetration (pen) testingTFN2K, DDoS tool, 320TGS (ticket-granting server), Kerberos, 211–212TGT (ticket-granting ticket), Kerberos, 211–212The Italian Job movie, social engineering in, 285Onion Router (Tor), 154–155theft of access, as cybercrime, 6THE-SCAN wardialing program, 132threats. See also vulnerabilities

Bluetooth, 432–433BYOD, 448–449caused by footprinting, 107cloud security, 489–490, 491–493defined, 13mobile device, 441modeling in penetration testing, 558–559social engineering, 283, 293–294web servers/applications. See web servers/

applications, common flaws/attack methods

Wi-Fi. See Wi-Fi, threatsthree-way handshake, TCP, 47–48thumbprint, as one-way hash value, 87


ticket-granting server (TGS) – UDP (User Datagram Protocol) 603

ticket-granting server (TGS), Kerberos, 211–212ticket-granting ticket (TGT), Kerberos, 211–212time to live values. See TTL (time to live) valuestimeframe

in contract content, 555–556intelligence gathering for, 558

timeline of security incident, reporting, 32timing, of penetration test, 555TOE (target of evaluation), 13tokens, supplementing passwords with, 504ToneLoc wardialing program, 132tools

creating botnets, 318creating Trojans, 243–245DDoS, 320DoS, 319enumeration, 571evaluating when building lab, 566exploiting covert channels, 247–248hardware, 573–574installing, 570lock-picking, 514–515logging/event-viewing, 572password-cracking, 571scanner, 570–571sniffer, 259–260, 572wireless, 572

topologies, network, 40–44Tor (The Onion Router), 154–155Tracert utility

finding IP address for website, 104–105footprinting using, 103gaining information about target’s network,

120traffic analysis, targeted Wi-Fi networks, 429–

430traffic filters, firewalls as, 468traffic sniffing, 560training

as line of defense in security, 519in preventing social engineering, 292–293as social engineering countermeasure, 283–

284Transmission Control Protocol. See TCP

(Transmission Control Protocol)Transport layer, OSI model, 46triage phase, incident response, 23Trinoo, DDoS tool, 320Triple DES (3DES) encryption, 78–79, 88Tripwire, 217, 463

TRK (Trinity Rescue Kit), 213, 571Trojan Construction Kit, 246Trojan Man, 246Trojans

active online attacks via, 202backdoors, 246–247behaviors of, 238–239BO2K, 244–245construction kits, 246defined, 227detecting, 240–243distributing, 245–247social engineering via, 284, 293systems of behaviors, 238–239tools for creating, 243–245types of, 240unknowing victims of, 239–240using covert and overt channels, 239, 247

trustethics and the law, 33social engineers preying on victim’s, 114, 283,

284trusted root CA, 85TTL (time to live) values

determining firewall configuration withFirewalk, 470–471

determining firewall configuration withNmap, 472–473

firewalking and, 470passive fingerprinting of OS, 147–149

Twittergathering information using, 288–289social engineering via, 114

TwoFish symmetric algorithm, 79type mismatch, and error messages, 403

UUAC (User Account Control), 60Ubertooth One, for lab testing, 573Ubuntu, overflowing CAM tables in, 271UD100 Bluetooth adapter, extending range, 432UDP (User Datagram Protocol)

in fraggle attack, 310port numbers, 169–170in session hijacking, 352SNMP functioning with, 178at Transport layer of OSI model, 46UDP-based scans, 144–145


604 UDPFlood – viruses

UDPFlood, DoS tool, 319UID, Linux user account, 168uniform resource identifier (URI), and web

applications, 367Universal Resource Locators. See URLs (Universal

Resource Locators)Unix OS enumeration, 180–182unsafe site warning, heeding, 295unvalidated redirects and forwards, attacks on

web servers/applications, 376–377updates

Android Updates, 445lab testing, 569mobile device, 447, 455test setup, 568as vulnerability in Windows, 60

upload bombing, from scripting errors, 378UPnP Scanner, pentesting Android, 451URG flag

defined, 137marking data as urgent, 477performing Xmas tree scan, 139–140

URI (uniform resource identifier), and webapplications, 367

URLs (Universal Resource Locators)defying detection by firewall using IP address

instead of, 478–479in directory traversal attacks, 382–383footprinting, 110–111session IDs embedded in, 336

U.S. Army, SQL injection attack on, 391U.S. Code of Fair Information Practices,

1973, 33U.S. Communications Assistance for Law

Enforcement Act, 1994, 34U.S. Computer Fraud and Abuse Act, 34, 226U.S. Electronic Communications Privacy Act,

1986, 34U.S. Kennedy - Kassebaum Health Insurance and

Portability Accountability Act (HIPAA),1966, 34

U.S. Medical Computer Crime Act, 1984, 34U.S military files, 2002 hacking of, 5U.S. National Information Infrastructure

Protection Act, 1996, 34U.S. Privacy Act, 1974, 34USA Freedom Act, 227USB (Universal Serial Bus)

password theft, 207–208physical security of external drives, 506–507

USB Rubber Duckyhardware tool for lab testing, 573stealing passwords, 208

User Account Control (UAC), 60User Datagram Protocol. See UDP (User

Datagram Protocol)user-installed applications, Android OS, 445usernames

cybercrime of stealing, 6Linux, 168

usersAndroid OS security for, 443–444interaction with web servers, 360Linux, 168–169removing accounts in mopping up phase, 563SQL injection attacks on current, 399as targets of social engineers, 286vs. administrative account, 60Windows, 163–167

Vvalidation

of certificates by CAs, 85input. See input validation

VBA (Visual Basic for Applications), macroviruses using, 230–231

Vega web application scanner, 384vehicles, protecting facility against, 517verbal agreements, never accepting from client, 14version information, SQL injection attacks, 398versions, SNMP, 178vertical privilege escalation, 212virtual machines. See VMs (virtual machines)virtual private networks (VPNs), hardening

network with, 273virtualization

advantages for testing, 566–567software options for building lab, 569

virusescreating, 232–233defined, 227detecting, 240–243kinds of, 230–232overview of, 228researching, 233–234understanding, 228–230as vulnerability in Mac OS X, 61–62as vulnerability in Windows, 61


Visual Basic for Applications (VBA) – web servers/applications 605

Visual Basic for Applications (VBA), macro viruses using, 230–231

VMs (virtual machines)creating test setup, 568installing/configuring for lab, 570in side channel attacks on cloud, 493

VMware Player, building lab, 569VMware Workstation, building lab, 569voice recognition, biometrics, 516voiding warranty, by jailbreaking, 447VPNs (virtual private networks), hardening

network with, 273VRFY command, SMTP enumeration, 185vulnerabilities

Android OS, 62bus topology, 42cryptographic, 88–89defined, 13enterprise, 58–59Linux OS, 62–63Mac OS, 61–62mobile device, 447–448web servers/applications, 369–374WEP, 419Windows OS, 60–61WPA, 422–423WPA/WPA2, 424–425

vulnerability analysis phase, penetration testing,559–560

vulnerability research, 21vulnerability scanning, 129–130, 151–152

WWabbit virus, 229WAITFOR DELAY command, blind SQL injection,

402walls, securing physical area, 516–517WAPs (wireless access points), hardening

networks, 273warballooning attacks, 426warchalking, 426warded locks, 513wardialing, 131–132wardriving attacks, 426, 429warflying attacks, 426warm sites, 27warning banners, physical security via,

504–505

warranty, voiding via jailbreaking, 447warwalking attacks, 426WaveStumbler, 426web applications, pentesting tools for Android, 453web browsers

preventing session hijacking, 352preventing social engineering, 294preventing threats, 294–295setting to use proxy, 154–155web applications based on, 363–364

web servers/applicationsApache, 361–362client/server and, 364–365cloud technologies, 365–366cookies, 367–368databases linked to web applications, 395DoS attacks against, 308exploring client-server relationship, 360–361IIS, 362–363individuals interacting with, 360–361layers of web applications, 366–367methods of attacking, 375–384overview of, 360–361review, 384review answers, 540–541review questions, 385–388session hijacking, 336–337SQL injection and, 393–394testing web applications, 383–384vandalizing, 374–375variations of, 363–364web application components, 368–369web servers, 361–363

web servers/applications, common flaws/attackmethods

cross-site scripting, 376directory traversal attacks, 381–383encryption weaknesses, 380–381input validation, 375–376insecure logon systems, 377–378misconfiguration, 375protecting cookies, 379–380scripting errors, 378session management issues, 378–379unvalidated redirects and forwards, 376–377

web servers/applications, vulnerabilitiesbanner grabbing, 373buffer overflow, 370–371DDoS attack, 371–372DoS attack, 371


606 web services – wireless card

error messages, 374flawed web design, 369–370using ID Serve, 373–374vandalizing web servers, 374–375

web services, signature wrapping attacks on, 493web-based attacks, on mobile devices, 441webcams, footprinting location data, 113websites

footprinting public/restricted, 111–112spyware delivery via, 236

wefi tool, wireless traffic analysis, 429well-known ports, 51–52WEP (Wired Equivalent Privacy) encryption

breaking, 419–420cracking with Kali Linux, 420–422defined, 417overview of, 418–419problems/vulnerabilities, 419RC4 algorithm in, 79risk mitigation, 425

white box pen tests, 15white-box testing, 551white-hat hackers, 9, 11whitelists, thwarting SQL injection, 392, 404whitespace, evading detection via liberal use of,

404Whois tool, 119WhoReadMe utility, 117Wi-Fi

authentication modes, 416–417at Data Link layer of OSI model, 45overview, 410–411as vulnerability in Mac OS X, 62wireless standards in use, 412–413

Wi-Fi, hackingauthentication technologies, 418choosing right wireless card, 430–431fine print, 411–412locating wireless networks, 429–430mitgating WEP and WPA cracking, 425overview of, 410, 425preventing threats to, 295review, 433–434review answers, 542–543review questions, 435–437sniffing with Wireshark, 260–264SSID, 413terminology, 414

understanding wireless networks, 410WEP encryption, 418–422wireless antennas, 414–416wireless encryption mechanisms, 417WPA encryption, 422–425

Wi-Fi, pentesting tools for Android, 453–454Wi-Fi, threats

ad hoc, 427client misassociation, 428honeyspot attacks, 428–429jamming attacks, 428MAC spoofing, 427misconfiguration, 428performing traffic analysis, 429–430promiscuous client, 428rogue access points, 426–427wardriving, 426ways to locate wireless networks, 429–430

WiFi Pineapplehardware tool for lab testing, 573as wireless honeyspot, 429

Wi-Fi Protected Access. See WPA (Wi-Fi Protected Access) encryption

WifiKill, pentesting Android, 453Wifite, 424–425, 453Wigle Wifi Wardriving, 429, 454WikiLeaks, 307windows, securing physical area, 517Windows OS. See also Microsoft Windows OS

creating virus in Notepad, 233disabling auditing in Security Log, 216enumeration, 163–167iPhone. See also mobile device security, 441

WinDump, sniffer, 259, 572Wink, people search utility, 113WinSSLMiM, 381wire reinforced windows, 517Wired Equivalent Privacy. See WEP (Wired

Equivalent Privacy) encryptionwireless access points (WAPs), hardening

networks, 273wireless adapters, creating test setup, 568wireless antennas, 414–416wireless card

breaking WEP, 420–421choosing right, 430–431in promiscuous client attacks, 428in wardriving attacks, 426


wireless connections – zone transfers 607

wireless connections, mobile device securityissues, 447

wireless LANs (WLANs), accessing, 413wireless networks. See Wi-Fiwireless tools, for building lab, 572Wireshark

overview of, 260–264reading captured output of, 267–270as sniffer, 259, 572wireless traffic analysis, 430

Wit, Jan de, hacker, 5WLANs (wireless LANs), accessing, 413worms

defined, 227first Internet, 5functions of computer, 235–236overview of, 234SQL Slammer worm, 234–235Stuxnet, 45

WPA (Wi-Fi Protected Access) encryptionattacking, cracking, 424–425cracking, 422–424defined, 417overview of, 422risk mitigation, 425

WPA2 encryptionattacking, cracking, 424–425defined, 417overview of, 424risk mitigation, 425

WPA2 Enterprise, 417, 424WPA2-Personal, 424WPScan, pentesting Android, 452–453wrapper programs, distributing Trojans, 245–246

XXamarin Test Cloud, 496Xmas tree scan, 136–137XML (Extensible Markup Language),

493, 494Xprobe, banner grabbing with, 150XSS (cross-site scripting)

application-level hijacking via, 339–340against cloud, 494against web server, 376

YYagi (directional) antenna, 415Yagi Antenna tool, 573

ZZabasearch, people search utility, 113, 297Zanti (for mobile phones), 454, 570Zenmap scanner, 571zero day threat/vulnerability, 13zeroization, cryptographic processes

and, 508Zimmermann, Philip, 93Zombam.B, Trojan-creation tool, 243zombies

DDoS attack setup, 318–319performing idle scan, 142–143

zone transfers, DNS, 174–176

copyrighted material ios devices, mitigating mac flooding, 274 cli (command-line interface),...

Documents