Web Hacking Arsenal:
In the digital age, where web applications form the crux of our interconnected existence, Web Hacking Arsenal: A Practical Guide To Modern Web Pentesting emerges as an essential guide to mastering the art and science of web application pentesting. This book, penned by an expert in the field, ventures beyond traditional approaches, offering a unique blend of real-world penetration testing insights and comprehensive research. It's designed to bridge the critical knowledge gaps in cybersecurity, equipping readers with both theoretical understanding and practical skills. What sets this book apart is its focus on real-life challenges encountered in the field, moving beyond simulated scenarios to provide insights into real-world scenarios.
The core of Web Hacking Arsenal is its ability to adapt to the evolving nature of web security threats. It prepares the reader not just for the challenges of today but also for the unforeseen complexities of the future. This proactive approach ensures the book's relevance over time, empowering readers to stay ahead in the ever-changing cybersecurity landscape.
Key Features
- In-depth exploration of web application penetration testing, based on real-world scenarios and extensive field experience.
- Comprehensive coverage of contemporary and emerging web security threats, with strategies adaptable to future challenges.
- A perfect blend of theory and practice, including case studies and practical examples from actual penetration testing.
- Strategic insights for gaining an upper hand in the competitive world of bug bounty programs.
- Detailed analysis of up-to-date vulnerability testing techniques, setting it apart from existing literature in the field.
This book is more than a guide; it's a foundational tool that empowers readers at any stage of their journey. Whether you're just starting or looking to elevate your existing skills, this book lays a solid groundwork. Then it builds upon it, leaving you not only with substantial knowledge but also with a skillset primed for advancement. It's an essential read for anyone looking to make their mark in the ever-evolving world of web application security.
Ethical Hacking:
Requiring no prior hacking experience, Ethical Hacking and Penetration Testing Guide supplies a complete introduction to the steps required to complete a penetration test, or ethical hack, from beginning to end. You will learn how to properly utilize and interpret the results of modern-day hacking tools, which are required to complete a penetration test. The book covers a wide range of tools, including Backtrack Linux, Google reconnaissance, MetaGooFil, dig, Nmap, Nessus, Metasploit, Fast Track Autopwn, Netcat, and Hacker Defender rootkit. Supplying a simple and clean explanation of how to effectively utilize these tools, it details a four-step methodology for conducting an effective penetration test or hack.Providing an accessible introduction to penetration testing and hacking, the book supplies you with a fundamental understanding of offensive security. After completing the book you will be prepared to take on in-depth and advanced topics in hacking and penetration testing. The book walks you through each of the steps and tools in a structured, orderly manner allowing you to understand how the output from each tool can be fully utilized in the subsequent phases of the penetration test. This process will allow you to clearly see how the various tools and phases relate to each other. An ideal resource for those who want to learn about ethical hacking but don‘t know where to start, this book will help take your hacking skills to the next level. The topics described in this book comply with international standards and with what is being taught in international certifications.
Web Hacking Arsenal:
Chapter 1. Introduction to Web and Browser. Chapter 2. Intelligence Gathering and Enumeration. Chapter 3. Introduction to Server Side Injection Attacks. Chapter 4. Client-Side Injection Attacks. Chapter 5. Cross Site Request Forgery Attacks. Chapter 6. Webapp File System Attacks. Chapter 7. Authentication Authorization SSO Attacks. Chapter 8. Business Logic Flaws. Chapter 9. Exploring XXE SSRF and Request Smuggling Techniques. Chapter 10. Attacking Serialization. Chapter 11. Pentesting Web Services CloudServices. Chapter 12. Attacking HTML5. Chapter 13. Evading Web Application Firewalls WAF. Chapter 14. Report Writing.
Ethical Hacking:
Introduction to Hacking
Important Terminologies
Asset
Vulnerability
Threat
Exploit
Risk
What Is a Penetration Test?
Vulnerability Assessments versus Penetration Test
Pre-Engagement
Rules of Engagement
Milestones
Penetration Testing Methodologies
OSSTMM
NIST
OWASP
Categories of Penetration Test
Black Box
White Box
Gray Box
Types of Penetration Tests
Network Penetration Test
Web Application Penetration Test
Mobile Application Penetration Test
Social Engineering Penetration Test
Physical Penetration Test
Report Writing
Understanding the Audience
Executive Class
Management Class
Technical Class
Writing Reports
Structure of a Penetration Testing Report
Cover Page
Table of Contents
Executive Summary
Remediation Report
Vulnerability Assessment Summary
Tabular Summary
Risk Assessment
Risk Assessment Matrix
Methodology
Detailed Findings
Description
Explanation
Risk
Recommendation
Reports
Conclusion
Linux Basics
Major Linux Operating Systems
File Structure inside of Linux
Permissions in Linux
Special Permissions
Users inside of Linux
Linux Services
Linux Password Storage
Linux Logging
Common Applications of Linux
What Is BackTrack?
How to Get BackTrack 5 Running?
Installing BackTrack on Virtual Box
Installing BackTrack on a Portable USB
Installing BackTrack on Your Hard Drive
BackTrack Basics
Changing the Default Screen Resolution
Some Unforgettable Basics
Changing the Password
Clearing the Screen
Listing the Contents of a Directory
Displaying Contents of a Specific Directory
Displaying the Contents of a File
Creating a Directory
Changing the Directories
Windows
Linux
Creating a Text File
Copying a File
Current Working Directory
Renaming a File
Moving a File
Removing a File
Locating Certain Files inside BackTrack
Text Editors inside BackTrack
Getting to Know Your Network
Dhclient
Services
MySQL
SSHD
Postgresql
Other Online Resources
Information Gathering Techniques
Active Information Gathering
Passive Information Gathering
Sources of Information Gathering
Copying Websites Locally
Information Gathering with Whois
Finding Other Websites Hosted on the Same Server
YouGetSignal.com
Tracing the Location
Traceroute
ICMP Traceroute
TCP Traceroute
Usage
UDP Traceroute
Usage
NeoTrace
Cheops-ng
Enumerating and Fingerprinting the Webservers
Intercepting a Response
Acunetix Vulnerability Scanner
WhatWeb
Netcraft
Google Hacking
Some Basic Parameters
Site
Example
TIP regarding Filetype
Google Hacking Database
Hackersforcharity.org/ghdb
Xcode Exploit Scanner
File Analysis
Foca
Harvesting E-Mail Lists
Gathering Wordlist from a Target Website
Scanning for Subdomains
TheHarvester
Fierce in BackTrack
Scanning for SSL Version
DNS Enumeration
Interacting with DNS Servers
Nslookup
DIG
Forward DNS Lookup
Forward DNS Lookup with Fierce
Reverse DNS
Reverse DNS Lookup with Dig
Reverse DNS Lookup with Fierce
Zone Transfers
Zone Transfer with Host Command
Automating Zone Transfers
DNS Cache Snooping
What Is DNS Cache Snooping?
Nonrecursive Method
Recursive Method
What Is the Likelihood of Name Servers Allowing Recursive/Nonrecursive Queries?
Attack Scenario
Automating DNS Cache Snooping Attacks
Enumerating SNMP
Problem with SNMP
Sniffing SNMP Passwords
OneSixtyOne
Snmpenum
SolarWinds Toolset
SNMP Sweep
SNMP Brute Force and Dictionary
SNMP Brute Force Tool
SNMP Dictionary Attack Tool
SMTP Enumeration
Detecting Load Balancers
Load Balancer Detector
Determining Real IP behind Load Balancers
Bypassing CloudFlare Protection
Method 1: Resolvers
Method 2: Subdomain Trick
Method 3: Mail Servers
Intelligence Gathering Using Shodan
Further Reading
Conclusion
Target Enumeration and Port Scanning Techniques
Host Discovery
Scanning for Open Ports and Services
Types of Port Scanning
Understanding the TCP Three-Way Handshake
TCP Flags
Port Status Types
TCP SYN Scan
TCP Connect Scan
NULL, FIN, and XMAS Scans
NULL Scan
FIN Scan
XMAS Scan
TCP ACK Scan
Responses
UDP Port Scan
Anonymous Scan Types
IDLE Scan
Scanning for a Vulnerable Host
Performing an IDLE Scan with NMAP
TCP FTP Bounce Scan
Service Version Detection
OS Fingerprinting
POF
Output
Normal Format
Grepable Format
XML Format
Advanced Firewall/IDS Evading Techniques
Timing Technique
Wireshark Output
Fragmented Packets
Wireshark Output
Source Port Scan
Specifying an MTU
Sending Bad Checksums
Decoys
ZENMAP
Further Reading
Vulnerability Assessment
What Are Vulnerability Scanners and How Do They Work?
Pros and Cons of a Vulnerability Scanner
Vulnerability Assessment with Nmap
Updating the Database
Scanning MS08 _ 067 _ netapi
Testing SCADA Environments with Nmap
Installation
Usage
Nessus Vulnerability Scanner
Home Feed
Professional Feed
Installing Nessus on BackTrack
Adding a User
Nessus Control Panel
Reports
Mobile
Policies
Users
Configuration
Default Policies
Creating a New Policy
Safe Checks
Silent Dependencies
Avoid Sequential Scans
Port Range
Credentials
Plug-Ins
Preferences
Scanning the Target
Nessus Integration with Metasploit
Importing Nessus to Metasploit
Scanning the Target
Reporting
OpenVas
Resource
Vulnerability Data Resources
Exploit Databases
Using Exploit-db with BackTrack
Searching for Exploits inside BackTrack
Conclusion
Network Sniffing
Introduction
Types of Sniffing
Active Sniffing
Passive Sniffing
Hubs versus Switches
Promiscuous versus Nonpromiscuous Mode
MITM Attacks
ARP Protocol Basics
How ARP Works?
ARP Attacks
MAC Flooding
Macof
ARP Poisoning
Scenario—How It Works?
Denial of Service Attacks
Tools in the Trade
Dsniff
Using ARP Spoof to Perform MITM Attacks
Usage
Sniffing the Traffic with Dsniff
Sniffing Pictures with Drifnet
Urlsnarf and Webspy
Sniffing with Wireshark
Ettercap
ARP Poisoning with Ettercap
Hijacking Session with MITM Attack
Attack Scenario
ARP Poisoning with Cain and Abel
Sniffing Session Cookies with Wireshark
Hijacking the Session
SSL Strip: Stripping HTTPS Traffic
Requirements
Usage
Automating Man in the Middle Attacks
Usage
DNS Spoofing
ARP Spoofing Attack
Manipulating the DNS Records
Using Ettercap to Launch DNS Spoofing Attack
DHCP Spoofing
Conclusion
Remote Exploitation
Understanding Network Protocols
Transmission Control Protocol
User Datagram Protocol
Internet Control Messaging Protocol
Server Protocols
Text-Based Protocols (Important)
Binary Protocols
FTP
SMTP
HTTP
Further Reading
Resources
Attacking Network Remote Services
Overview of Brute Force Attacks
Traditional Brute Force
Dictionary Attacks
Hybrid Attacks
Common Target Protocols
Tools of the Trade
THC Hydra
Basic Syntax for Hydra
Cracking Services with Hydra
Hydra GUI
Medusa
Basic Syntax
OpenSSH Username Discovery Bug
Cracking SSH with Medusa
Ncrack
Basic Syntax
Cracking an RDP with Ncrack
Case Study of a Morto Worm
Combining Nmap and Ncrack for Optimal Results
Attacking SMTP
Important Commands
Real-Life Example
Attacking SQL Servers
MySQL Servers
Fingerprinting MySQL Version
Testing for Weak Authentication
MS SQL Servers
Fingerprinting the Version
Brute Forcing SA Account
Using Null Passwords
Introduction to Metasploit
History of Metasploit
Metasploit Interfaces
MSFconsole
MSFcli
MSFGUI
Armitage
Metasploit Utilities
MSFPayload
MSFencode
MSFVenom
Metasploit Basic Commands
Search Feature in Metasploit
Use Command
Info Command
Show Options
Set/Unset Command
Reconnaissance with Metasploit
Port Scanning with Metasploit
Metasploit Databases
Storing Information from Nmap into Metasploit Database
Useful Scans with Metasploit
Port Scanners
Specific Scanners
Compromising a Windows Host with Metasploit
Metasploit Autopwn
db _ autopwn in Action
Nessus and Autopwn
Armitage
Interface
Launching Armitage
Compromising Your First Target from Armitage
Enumerating and Fingerprinting the Target
MSF Scans
Importing Hosts
Vulnerability Assessment
Exploitation
Check Feature
Hail Mary
Conclusion
References
Client Side Exploitation
Client Side Exploitation Methods
Attack Scenario 1: E-Mails Leading to Malicious Attachments
Attack Scenario 2: E-Mails Leading to Malicious Links
Attack Scenario 3: Compromising Client Side Update
Attack Scenario 4: Malware Loaded on USB Sticks
E-Mails with Malicious Attachments
Creating a Custom Executable
Creating a Backdoor with SET
PDF Hacking
Introduction
Header
Body
Cross Reference Table
Trailer
PDF Launch Action
Creating a PDF Document with a Launch Action
Controlling the Dialog Boxes
PDF Reconnaissance
Tools in the Trade
PDFINFO
PDFINFO "Your PDF Document"
PDFTK
Origami Framework
Installing Origami Framework on BackTrack
Attacking with PDF
Fileformat Exploits
Browser Exploits
Scenario from Real World
Adobe PDF Embedded EXE
Social Engineering Toolkit
Attack Scenario 2: E-Mails Leading to Malicious Links
Credential Harvester Attack
Tabnabbing Attack
Other Attack Vectors
Browser Exploitation
Attacking over the Internet with SET
Attack Scenario over the Internet
Using Windows Box as Router (Port Forwarding)
Browser AutoPWN
Why Use Browser AutoPWN?
Problem with Browser AutoPWN
VPS/DEDICATED Server
Attack Scenario 3: Compromising Client Side Update
How Evilgrade Works?
Prerequisites
Attack Vectors
Internal Network Attack Vectors
External Network Attack Vectors
Evilgrade Console
Attack Scenario
Attack Scenario 4: Malware Loaded on USB Sticks
Teensy USB
Conclusion
Further Reading
Post-Exploitation
Acquiring Situation Awareness
Enumerating a Windows Machine
Enumerating Local Groups and Users
Enumerating a Linux Machine
Enumerating with Meterpreter
Identifying Processes
Interacting with the System
User Interface Command
Privilege Escalation
Maintaining Stability
Escalating Privileges
Bypassing User Access Control
Impersonating the Token
Escalating Privileges on a Linux Machine
Maintaining Access
Installing a Backdoor
Cracking the Hashes to Gain Access to Other Services
Backdoors
Disabling the Firewall
Killing the Antivirus
Netcat
Msfpayload/Msfencode
Generating a Backdoor with MSFPayload
Msfencode
Msfvenom
Persistence
What Is a Hash?
Hashing Algorithms
Windows Hashing Methods
LAN Manager (LM)
NTLM/NTLM2
Kerberos
Where Are LM/NTLM Hashes Located?
Dumping the Hashes
Scenario 1—REMOTE ACCESS
Scenario 2—LOCAL ACCESS
OPH Crack
References
Scenario 3—OFFLINE SYSTEM
OPHCrack LIVE CD
Bypassing the Log-In
References
Cracking the Hashes
BruteforceDictionary Attacks
Password Salts
Rainbow Tables
John the Ripper
Cracking LM/NTLM Passwords with JTR
Cracking Linux Passwords with JTR
Rainbow Crack
Sorting the Tables
Cracking the Hashes with rcrack
Speeding Up the Cracking Process
Gaining Access to Remote Services
Enabling the Remote Desktop
Adding Users to the Remote Desktop
Data Mining
Gathering OS Information
Harvesting Stored Credentials
Identifying and Exploiting Further Targets
Mapping the Internal Network
Finding Network Information
Identifying Further Targets
Pivoting
Scanning Ports and Services and Detecting OS
Compromising Other Hosts on the Network Having the Same Password
psexec
Exploiting Targets
Conclusion
Windows Exploit Development Basics
Prerequisites
What Is a Buffer Overflow?
Vulnerable Application
How to Find Buffer Overflows?
Methodology
Getting the Software Up and Running
Causing the Application to Crash
Skeleton Exploit
Determining the Offset
Identifying Bad Characters
Figuring Out Bad Characters with Mona
Overwriting the Return Address
NOP Sledges
Generating the ShellCode
Generating Metasploit Module
Porting to Metasploit
Conclusion
Further Resources
Wireless Hacking
Introduction
Requirements
Introducing Aircrack-ng
Uncovering Hidden SSIDs
Turning on the Monitor Mode
Monitoring Beacon Frames on Wireshark
Monitoring with Airodump-ng
Speeding Up the Process
Bypassing MAC Filters on Wireless Networks
Cracking a WEP Wireless Network with Aircrack-ng
Placing Your Wireless Adapter in Monitor Mode
Determining the Target with Airodump-ng
Attacking the Target
Speeding Up the Cracking Process
Injecting ARP Packets
Cracking the WEP
Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng
Capturing Packets
Capturing the Four-Way Handshake
Cracking WPA/WAP2
Using Reaver to Crack WPS-Enabled Wireless Networks
Reducing the Delay
Further Reading
Setting Up a Fake Access Point with SET to PWN Users
Attack Scenario
Evil Twin Attack
Scanning the Neighbors
Spoofing the MAC
Setting Up a Fake Access Point
Causing Denial of Service on the Original AP
Conclusion
Web Hacking
Attacking the Authentication
Username Enumeration
Invalid Username with Invalid Password
Valid Username with Invalid Password
Enabling Browser Cache to Store Passwords
Brute Force and Dictionary Attacks
Types of Authentication
HTTP Basic Authentication
HTTP-Digest Authentication
FORM-Based Authentication
Exploiting Password Reset Feature
Etsy.com Password Reset Vulnerability
Attacking FORM-Based Authentication
Brute Force Attack
Attacking HTTP BASIC AUTH
Further Reading
Log-In Protection Mechanisms
Captcha Validation Flaw
Captcha RESET Flaw
Manipulating User-Agents to Bypass Captcha and Other Protections
Real-World Example
Authentication Bypass Attacks
Authentication Bypass Using SQL Injection
Testing for SQL Injection Auth Bypass
Authentication Bypass Using XPATH Injection
Testing for XPATH Injection
Authentication Bypass Using Response Tampering
Crawling Restricted Links
Testing for the Vulnerability
Automating It with Burp Suite
Authentication Bypass with Insecure Cookie Handling
Session Attacks
Guessing Weak Session ID
Session Fixation Attacks
Requirements for This Attack
How the Attack Works?
SQL Injection Attacks
What Is an SQL Injection?
Types of SQL Injection
Union-Based SQL Injection
Error-Based SQL Injection
Blind SQL Injection
Detecting SQL Injection
Determining the Injection Type
Union-Based SQL Injection (MySQL)
Testing for SQL Injection
Determining the Number of Columns
Determining the Vulnerable Columns
Fingerprinting the Database
Enumeration Information
Information_schema
Information_schema Tables
Enumerating All Available Databases
Enumerating All Available Tables in the Database
Extracting Columns from Tables
Extracting Data from Columns
Using group _ concat
MySQL Version ≤ 5
Guessing Table Names
Guessing Columns
SQL Injection to Remote Command Execution
Reading Files
Writing Files
Blind SQL Injection
Boolean-Based SQLi
True Statement
False Statement
Enumerating the DB USER
Enumerating the MYSQL Version
Guessing Tables
Guessing Columns in the Table
Extracting Data from Columns
Time-Based SQL Injection
Vulnerable Application
Testing for Time-Based SQL Injection
Enumerating the DB USER
Guessing the Table Names
Guessing the Columns
Extracting Data from Columns
Automating SQL Injections with SQLMAP
Enumerating Databases
Enumerating Tables
Enumerating the Columns
Extracting Data from the Columns
HTTP Header–Based SQL Injection
Operating System Takeover with Sqlmap
OS-CMD
OS-SHELL
OS-PWN
XSS (Cross-Site Scripting)
How to Identify XSS Vulnerability?
Types of Cross-Site Scripting
Reflected/Nonpersistent XSS
Vulnerable Code
Medium Security
Vulnerable Code
High Security
Bypassing htmlspecialchars
UTF-32 XSS Trick: Bypass 1
Svg Craziness: Bypass 2
Bypass 3: href Attribute
Stored XSS/Persistent XSS
Payloads
Blind XSS
DOM-Based XSS
Detecting DOM-Based XSS
Sources (Inputs)
Sinks (Creating/Modifying HTML Elements)
Static JS Analysis to Identify DOM-Based XSS
How Does It Work?
Setting Up JSPRIME
Dominator: Dynamic Taint Analysis
POC for Internet Explorer
POC for Chrome
Pros/Cons
Cross Browser DOM XSS Detection
Types of DOM-Based XSS
Reflected DOM XSS
Stored DOM XSS
Exploiting XSS
Cookie Stealing with XSS
Exploiting XSS for Conducting Phishing Attacks
Compromising Victim’s Browser with XSS
Exploiting XSS with BEEF
Setting Up BEEF on BackTrack
Demo Pages
Beef Modules
Module: Replace HREFs
Module: Getcookie
Module: Tabnabbing
BEEF in Action
Cross-Site Request Forgery (CSRF)
Why Does a CSRF Attack Work?
How to Attack?
GET-Based CSRF
POST-Based CSRF
CSRF Protection Techniques
Referrer-Based Checking
Anti-CSRF Tokens
Predicting/Brute Forcing Weak Anti-CSRF Token Algorithm
Tokens Not Validated upon Server
Analyzing Weak Anti-CSRF Token Strength
Bypassing CSRF with XSS
File Upload Vulnerabilities
Bypassing Client Side Restrictions
Bypassing MIME-Type Validation
Real-World Example
Bypassing Blacklist-Based Protections
Case 1: Blocking Malicious Extensions
Bypass
Case 2: Case-Sensitive Bypass
Bypass
Real-World Example
Vulnerable Code
Case 3: When All Dangerous Extensions Are Blocked
XSS via File Upload
Flash-Based XSS via File Upload
Case 4: Double Extensions Vulnerabilities
Apache Double Extension Issues
IIS 6 Double Extension Issues
Case 5: Using Trailing Dots
Case 6: Null Byte Trick
Case 7: Bypassing Image Validation
Case 8: Overwriting Critical Files
Real-World Example
File Inclusion Vulnerabilities
Remote File Inclusion
Patching File Inclusions on the Server Side
Local File Inclusion
Linux
Windows
LFI Exploitation Using /proc/self/environ
Log File Injection
Finding Log Files: Other Tricks
Exploiting LFI Bby Using PHP Input
Exploiting LFI Using File Uploads
Read Source Code via LFI
Local File Disclosure Vulnerability
Vulnerable Code
Local File Disclosure Tricks
Remote Command Execution
Uploading Shells
Server Side Include Injection
Testing a Website for SSI Injection
Executing System Commands
Spawning a Shell
SSRF Attacks
Impact
Example of a Vulnerable PHP CODE
Remote SSRF
Simple SSRF
Partial SSRF
Denial of Service
Denial of Service Using External Entity Expansion (XEE)
Full SSRF
dict://
gopher://
http://
Causing the Crash
Overwriting Return Address
Generating Shellcode
Server Hacking
Apache Server
Testing for Disabled Functions
Open _ basedir Misconfiguration
Using CURL to Bypass Open _ basedir Restrictions
Open _ basedir PHP 5.2.9 Bypass
Reference
Bypassing open _ basedir Using CGI Shell
Bypassing open _ basedir Using Mod _ Perl, Mod _ Python
Escalating Privileges Using Local Root Exploits
Back Connecting
Finding the Local Root Exploit
Usage
Finding a Writable Directory
Bypassing Symlinks to Read Configuration Files
Who Is Affected?
Basic Syntax
Why This Works?
Symlink Bypass: Example 1
Finding the Username
/etc/passwd File
/etc/valiases File
Path Disclosure
Uploading .htaccess to Follow Symlinks
Symlinking the Configuration Files
Connecting to and Manipulating the Database
Updating the Password
Symlink the Root Directory
Example 3: Compromising WHMCS Server
Finding a WHMCS Server
Symlinking the Configuration File
WHMCS Killer
Disabling Security Mechanisms
Disabling Mod _ Security
Disabling Open _ basedir and Safe _ mode
Using CGI, PERL, or Python Shell to Bypass Symlinks
Conclusion
Index
Height:
Width:
Spine:
Weight:453.00