BackTrack 4: Assuring Security by Penetration Testing

Master the art of penetration testing with BackTrack

Shakeel Ali
Tedi Heriyanto

PACKT PUBLISHING (open source community experience distilled)
BIRMINGHAM - MUMBAI

Table of Contents
Preface 1

PART I: Lab Preparation and Testing Procedures

Chapter 1: Beginning with BackTrack 9
  History 9
  BackTrack purpose 9
  Getting BackTrack 11
  Using BackTrack 12
    Live DVD 12
    Installing to hard disk 13
      Installation in real machine 13
      Installation in VirtualBox 14
    Portable BackTrack 19
  Configuring network connection 21
    Ethernet setup 21
    Wireless setup 22
    Starting the network service 24
  Updating BackTrack 24
    Updating software applications 25
    Updating the kernel 26
  Installing additional weapons 29
    Nessus vulnerability scanner 30
    WebSecurify 31
  Customizing BackTrack 32
  Summary 34

Chapter 2: Penetration Testing Methodology 37
  Types of penetration testing 38
    Black-box testing 38
    White-box testing 39
    Vulnerability assessment versus penetration testing 39
  Security testing methodologies 41
    Open Source Security Testing Methodology Manual (OSSTMM) 42
      Key features and benefits 43
    Information Systems Security Assessment Framework (ISSAF) 44
      Key features and benefits 45
    Open Web Application Security Project (OWASP) Top Ten 46
      Key features and benefits 48
    Web Application Security Consortium Threat Classification (WASC-TC) 49
      Key features and benefits 50
  BackTrack testing methodology 51
    Target scoping 52
    Information gathering 52
    Target discovery 53
    Enumerating target 53
    Vulnerability mapping 53
    Social engineering 54
    Target exploitation 54
    Privilege escalation 54
    Maintaining access 55
    Documentation and reporting 55
  The ethics 55
  Summary 56

PART II: Penetration Testers Armory

Chapter 3: Target Scoping 61
  Gathering client requirements 62
    Customer requirements form 63
    Deliverables assessment form 64
  Preparing the test plan 64
    Test plan checklist 66
  Profiling test boundaries 67
  Defining business objectives 68
  Project management and scheduling 69
  Summary 70

Chapter 4: Information Gathering 73
  Public resources 74
  Document gathering 75
    Metagoofil 75
  DNS information 77
    dnswalk 78
    dnsenum 79
    dnsmap 81
    dnsmap-bulk 83
    dnsrecon 84
    fierce 85
  Route information 86
    0trace 86
    dmitry 88
    itrace 90
    tcptraceroute 91
    tctrace 92
  Utilizing search engines 93
    goorecon 93
    theharvester 95
  All-in-one intelligence gathering 96
    Maltego 96
  Documenting the information 101
    Dradis 102
  Summary 107
Chapter 5: Target Discovery 109
  Introduction 109
  Identifying the target machine 110
    ping 110
    arping 111
    arping2 112
    fping 113
    genlist 115
    hping2 116
    hping3 117
    lanmap 118
    nbtscan 119
    nping 121
    onesixtyone 122
  OS fingerprinting 122
    p0f 123
    xprobe2 124
  Summary 126

Chapter 6: Enumerating Target 127
  Port scanning 127
    AutoScan 131
    Netifera 134
    Nmap 136
      Nmap target specification 138
      Nmap TCP scan options 139
      Nmap UDP scan options 140
      Nmap port specification 141
      Nmap output options 142
      Nmap timing options 143
      Nmap scripting engine 144
    Unicornscan 147
    Zenmap 148
  Service enumeration 152
    Amap 152
    Httprint 153
    Httsquash 155
  VPN enumeration 156
    ike-scan 157
  Summary 159

Chapter 7: Vulnerability Mapping 161
  Types of vulnerabilities 162
    Local vulnerability 162
    Remote vulnerability 163
  Vulnerability taxonomy 164
  Open Vulnerability Assessment System (OpenVAS) 165
    OpenVAS integrated security tools 166
  Cisco analysis 169
    Cisco Auditing Tool 169
    Cisco Global Exploiter 170
    Cisco Passwd Scanner 172
  Fuzzy analysis 173
    BED 173
    Bunny 175
    JBroFuzz 177
  SMB analysis 180
    Impacket Samrdump 180
    Smb4k 181
  SNMP analysis 182
    ADMSnmp 183
    Snmp Enum 184
    SNMP Walk 186
  Web application analysis 188
    Database assessment tools 188
      DBPwAudit 189
      Pblind 190
      SQLiX 194
      SQLMap 196
      SQLNinja 199
    Application assessment tools 202
      Burp Suite 202
      Grendel Scan 204
      LBD 206
      Nikto2 207
      Paros Proxy 209
      Ratproxy 210
      W3AF 212
      WAFWOOF 214
      WebScarab 215
  Summary 217

Chapter 8: Social Engineering 219
  Modeling human psychology 220
  Attack process 220
  Attack methods 221
    Impersonation 221
    Reciprocation 222
    Influential authority 222
    Scarcity 223
    Social relationship 223
  Social Engineering Toolkit (SET) 224
    Targeted phishing attack 225
    Gathering user credentials 230
  Common User Passwords Profiler (CUPP) 234
  Summary 235

Chapter 9: Target Exploitation 237
  Vulnerability research 238
  Vulnerability and exploit repositories 240
  Advanced exploitation toolkit 241
    MSFConsole 242
    MSFCLI 244
    Ninja 101 drills 246
      Scenario #1 246
      Scenario #2 248
      Scenario #3 252
      Scenario #4 261
      Scenario #5 263
  Writing exploit module 268

Chapter 10: Privilege Escalation 275
  Attacking the password 276
    Offline attack tools 277
      Rainbowcrack 277
      Samdump2 280
      John 282
      Ophcrack 284
      Crunch 285
      Wyd 286
    Online attack tools 287
      BruteSSH 287
      Hydra 288
  Network sniffers 289
    Dsniff 290
    Hamster 291
    Tcpdump 294
    Tcpick 295
    Wireshark 296
  Network spoofing tools 298
    Arpspoof 298
    Ettercap 300
  Summary 304

Chapter 11: Maintaining Access 305
  Protocol tunneling 305
    DNS2tcp 306
    Ptunnel 307
    Stunnel4 308
  Proxy 311
    3proxy 311
    Proxychains 312
  End-to-end connection 313
    CryptCat 313
    Sbd 314
    Socat 315
  Summary 319

Chapter 12: Documentation and Reporting 321
  Documentation and results verification 322
  Types of reports 323
    Executive report 323
    Management report 324
    Technical report 325
    Network penetration testing report (sample contents) 326
      Table of Contents 326
  Presentation 327
  Post testing procedures 328
  Summary 329

PART III: Extra Ammunition

Appendix A: Supplementary Tools 333
  Vulnerability scanner 333
    NeXpose community edition 334
      NeXpose installation 334
      Starting NeXpose community 335
      Login to NeXpose community 336
      Using NeXpose community 336
  Web application fingerprinter 338
    WhatWeb 338
    BlindElephant 339
  Network Ballista 341
    Netcat 341
      Open connection 342
      Service banner grabbing 342
      Simple server 343
      File transfer 343
      Port scanning 344
      Backdoor Shell 344
      Reverse shell 345
  Summary 346

Appendix B: Key Resources 347
  Vulnerability Disclosure and Tracking 347
  Paid Incentive Programs 349
  Reverse Engineering Resources 349
  Network ports 350

Index 357