by Penetration Testing

(1)

BackTrack

4:

_{Assuring Security}

by

Penetration

_Testing

Master the

art

of

_{penetration testing}

with BackTrack

Shakeel

Ali Tedi

_Heriyanto

rPAfKTl°Pen

I

I llV.

I\ 1

J

community expe

source

experience distilled

PUBLISHING-!?

BIRMINGHAM-MUMBAI

(2)

Preparation

and

Testing

Procedures

Chapter

1:

_Beginning

with BackTrack 9

History

9

BackTrack purpose 9

Getting BackTrack 11

Using

BackTrack 12

Live DVD 12

Installing

to hard disk 13

Installation in real machine 13

Installationin VirtualBox 14

Portable BackTrack 19

Configuring

network connection 21

Ethernet setup 21

Wireless _setup 22

Starting

the network service 24

Updating

BackTrack 24

Updating

software

_applications

25

Updating the kernel 26

Installing additional weapons 29 Nessus

_{vulnerability}

scanner 30

WebSecurify

31

Customizing

BackTrack 32

Summary 34

Chapter 2: Penetration Testing

Methodology

37

Types

of

_{penetration testing}

Black-box

_testing

White-box_testing

Vulnerability

assessmentversus

penetration testing

38 38 39 39

(3)

Table_ofContents

Security

testing

methodologies

41

Open Source

_{Security Testing Methodology}

Manual

_(OSSTMM)

42

Keyfeaturesandbenefits 43

Information

_{Systems Security}

Assessment Framework

_(ISSAF)

44

Keyfeatures andbenefits 45

Open Web

_{Application Security Project (OWASP) Top}

Ten 46

Keyfeatures and benefits 48

Web

_{Application Security}

Consortium Threat Classification

_(WASC-TC)

49

Keyfeatures and benefits 50

BackTrack

_{testing methodology}

51

Target scoping

52 Information

_gathering

52

Target discovery

53 Enumerating target 53 Vulnerability

mapping

53 Social

_engineering

₅₄

Target exploitation

54

Privilege

escalation 54

Maintaining

access 55

Documentation and

_reporting

55

The ethics 55

Summary

56

PART II: Penetration Testers

_Armory

Chapter

3:Target

Scoping

_6j1

Gathering

client

_requirements

62

Customer_requirementsform 63 Deliverables assessment form ₆₄

Preparing the test

_plan

₆₄ Test _planchecklist 66

Profiling

testboundaries 67

Defining

business_objectives 68

Project

managementand

_scheduling

₆₉

Summary

70

Chapter

4: Information

_Gathering

73

Public resources 74 Document

_gathering

₇₅

Metagoofil

75 DNS information ₇₇ dnswalk ₇₈ dnsenum 79

dnsmap

81 [M]

(4)

dnsmap-bulk 83 dnsrecon 84 fierce ₈₅ Route information ₈₆ Otrace 86

dmitry

88 itrace ₉₀ tcpraceroute 91 tctrace ₉₂

Utilizing

search_engines 93

goorecon 93

theharvester ₉₅

All-in-one

_{intelligence gathering}

₉₆

Maltego

96

Documenting

the information 101

Dradis ₁₀₂

Summary 107

Chapter 5:Target

Discovery

109

Introduction ₁₀₉

Identifying

the_targetmachine 110

ping

110 arping 111

arping2

112

fping

113

genlist

115 hping2 116 hping3 117

lanmap

118 nbtscan ₁₁₉

nping

121 onesixtyone 122 OS

_{fingerprinting}

₁₂₂

pOf

123

xprobe2

124

Summary

126

Chapter

6: Enumerating

Target

₁₂₇

Port

_scanning

127

AutoScan 131

Netifera 134

Nmap 136

Nmap target specification 138

(5)

Table_ofContents

Nmap TCPscanoptions 139

NmapUDPscan options 140

Nmap port specification 141

Nmap output options 142

Nmaptimingoptions 143

Nmap scripting engine 144

Unicornscan 147 Zenmap 148 Service enumeration 152

Amap

152

Httprint

153

Httsquash

155 VPN enumeration 156 ike-scan 157

Summary

159

Chapter7: Vulnerability

Mapping

161

Types

of vulnerabilities 162

Local

_{vulnerability}

162 Remote

_{vulnerability}

163

Vulnerability taxonomy 164

Open Vulnerability

Assessment_{System (OpenVAS)} 165

OpenVAS integrated security

tools 166

Cisco

_analysis

169

Cisco_AuditingTool 169 Cisco Global _Exploiter 170 Cisco PasswdScanner 172

Fuzzy analysis

173 BED 173 Bunny 175 JBroFuzz 177 SMB

_analysis

180

Impacket Samrdump

180 Smb4k 181 SNMP

_analysis

182 ADMSnmp 183

Snmp

Enum 184 SNMP Walk 186

Web

_{application analysis}

188

Database assessment tools 188

DBPwAudit 189

Pblind 190

(6)

SQLiX 194

SQLMap 196

SQLNinja 199

Application assessment tools 202

BurpSuite ₂₀₂ Grendel Scan 204 LBD 206 Nikto2 ₂₀₇ Paros Proxy 209 Ratproxy 210 W3AF 212 WAFWOOF 214 WebScarab 215

Summary

217

Chapter

8: Social

_Engineering

219

Modeling human

_psychology

220 Attack _process ₂₂₀ Attack methods 221

Impersonation

221 Reciprocation 222 Influential

_authority

222

Scarcity

223 Social

_relationship

223 Social _Engineering Toolkit _(SET) 224

Targeted

phishing

attack 225

Gathering

usercredentials 230

Common User Passwords Profiler

_(CUPP)

234

Summary

235

Chapter

9:

_Target

_Exploitation 237

Vulnerability

research 238

Vulnerability

and

_{exploit repositories}

240

Advanced _exploitationtoolkit 241

MSFConsole 242 MSFCLI 244 Ninja 101 drills 246 Scenario #1 246 Scenario #2 248 Scenario #3 252 Scenario#4 261 Scenario#5 263

Writing

exploitmodule 268

(7)

Table_ofContents

Chapter

10: Privilege Escalation 275

Attacking

the

_password

276

Offlineattacktools 277

Rainbowcrack 277 Samdump2 280 John 282 Ophcrack 284 Crunch 285 Wyd 286

Online attack tools 287

BruteSSH 287 Hydra 288 Network sniffers 289 Dsniff 290 Hamster 291

Tcpdump

294

Tcpick

295 Wireshark 296

Network_spoofing tools 298

Arpspoof 298

Ettercap 300

Summary

304

Chapter

11: Maintaining Access 305

Protocol

_tunneling

305 DNS2tcp 306 Ptunnel 307 Stunnel4 308 Proxy 311 3proxy 311 Proxychains 312 End-to-end connection 313

CryptCat

313 Sbd 314 Socat 315 Summary 319

Chapter12: Documentation and Reporting 321 Documentation and results verification 322

Types

of_reports 323

Executive _report 323

Management report 324 Technical

_report

325 Network penetration

testing report

(sample contents) 326

(8)

Table ofContents 326

Presentation 327

Post

_testing

_procedures 328

Summary

329

PART

111: Extra Ammunition

AppendixA:

_{Supplementary}

Tools 333

Vulnerability

scanner 333

NeXpose

community

edition 334 NeXposeinstallation 334

Starting NeXpose community 335

Loginto_{NeXpose community} 336 Using NeXpose community 336

Web _{application fingerprinter} 338

WhatWeb 338

BlindElephant

339

Network Ballista 341

Netcat 341

Openconnection 342

Service bannergrabbing 342

Simple server 343 File transfer 343 Portscanning 344 BackdoorShell 344 Reverseshell 345

Summary

346

Appendix

B:

_Key

Resources 347

Vulnerability Disclosure and _Tracking 347 Paid Incentive

_Programs

349 Reverse

_Engineering

Resources 349

Network _ports 350

Index 357

by Penetration Testing

BackTrack

4:

Assuring Security

by

Penetration

Testing

Master the

art

of

penetration testing

with BackTrack

Shakeel

Heriyanto

rPAfKTl°Pen

I

I\ 1

J

source

PUBLISHING-!?

Table of Contents

Preparation

Testing

Chapter

Beginning

History

Using

Installing

Configuring

Starting

Updating

Updating

applications

vulnerability

WebSecurify

Customizing

Methodology

Types

penetration testing

testing

Vulnerability

penetration testing

Security

methodologies

Security Testing Methodology

(OSSTMM)

Systems Security

(ISSAF)

Application Security Project (OWASP) Top

Application Security

(WASC-TC)

testing methodology

Target scoping

gathering

Target discovery

mapping

engineering

Target exploitation

Privilege

Maintaining

reporting

Summary

Armory

Chapter

Scoping

6j1

Gathering

requirements

plan

Profiling

Defining

Project

scheduling

Summary

Chapter

Gathering

gathering

Metagoofil

dnsmap

dmitry

_{Assuring Security}

_Testing

_{penetration testing}

_Heriyanto

_Beginning

_applications

_{vulnerability}

_{penetration testing}

_testing

_{Security Testing Methodology}

_(OSSTMM)

_{Systems Security}

_(ISSAF)

_{Application Security Project (OWASP) Top}

_{Application Security}

_(WASC-TC)

_{testing methodology}

_gathering

_engineering

_reporting

_Armory

_6j1

_requirements

_plan

_scheduling

_Gathering

_gathering

_{intelligence gathering}

_{fingerprinting}

₁₂₇

_scanning

_{vulnerability}

_{vulnerability}

_analysis

_analysis

_analysis

_{application analysis}

_Engineering

_psychology

_authority

_relationship

_(CUPP)

_Target

_{exploit repositories}

_password

_tunneling

_report

_testing