Penetration Tester's Open Source Toolkit

Penetration testing a network requires a delicate balance of art and science. A penetration tester must be creative enough to think outside the box to determine the best attack vector into the network under test, and must also be expert in the hundreds of tools required to execute the plan. This book provides both the art and the science.

The authors of the book are expert penetration testers who have developed many of the leading pen testing tools, such as the Metasploit Framework. The authors allow the reader "inside their heads" to unravel the mysteries of things like identifying targets, enumerating hosts, application fingerprinting, cracking passwords, and attacking exposed vulnerabilities. Along the way, the authors provide an invaluable reference to the hundreds of tools included on the bootable Linux CD for penetration testing.

* Covers both the methodology of penetration testing and all of the tools used by malicious hackers and penetration testers

* The book is authored by many of the tool developers themselves

* This is the only book that comes packaged with the "Auditor Security Collection", a bootable Linux CD with over 300 of the most popular open source penetration testing tools

Contents

WHOIS ... 37
RWHOIS ... 38
Web Site Copiers ... 40
SMTP ... 44
Verification ... 46
IP Subnetting ... 47
Open Source Tools ... 50
Web Resources ... 51
*nix Command-Line Tools ... 55
Open Source Windows Tools ... 65
WinBiLE (www.sensepost.com/research) ... 66
Footprinting Tools ... 67
Web Resources ... 68
*nix Console Tools ... 69
Open Source Windows Tools ... 72
Verification Tools ... 73
Web Resources ... 74
*nix Console Tools ... 77
Case Studies: The Tools in Action ... 81
Footprinting ... 88
Verification ... 90
Enumeration and Scanning ... 95
Objectives ... 96
Approach ... 97
Enumeration ... 98
Core Technology ... 100
Port Scanning ... 101
Going Behind the Scenes with Enumeration ... 105
RPC Enumeration ... 106
Timing ... 107
Unusual Packet Formation ... 108
Ping Sweep ... 115
Port Scan ... 116
Port Scan ... 117
Enumeration ... 119
smb-getserverinfo / smbdumpusers ... 125
Case Studies: The Tools in Action ... 131
Internal ... 136
Stealthy ... 140
Noisy (IDS) Testing ... 143
Further Information ... 146
Introduction to Testing Databases ... 149
Objectives ... 150
Introduction ... 151
Context of Database Assessment ... 152
Core Technologies ... 153
Database Installation ... 155
Default Users and New Users ... 156
Roles and Privileges ... 158
Technical Details ... 161
Open Source Tools ... 163
Footprinting, Scanning, and Enumeration Tools ... 164
Enumeration Tools ... 166
Vulnerability Assessment and Exploit Tools ... 174
OScanner and OAT ... 176
SQLAT ... 177
WHAX Tools ... 178
Case Studies: The Tools in Action ... 179
MS SQL Assessment ... 180
Oracle Assessment ... 183
Further Information ... 188
Web Server and Web Application Testing ... 189
Objectives ... 190
Web Applications: The New Challenge ... 191
Chapter Scope ... 192
Web Server Testing ... 193
CGI and Default Pages Testing ... 195
Web Application Testing ... 196
CGI and Default Page Exploitation ... 202
Web Application Assessment ... 204
Information Gathering Attacks ... 205
Database Query Injection Attacks ... 206
Cross-Site Scripting ... 207
Open Source Tools ... 208
Scanning Tools ... 217
Assessment Tools ... 229
Authentication ... 231
Proxy ... 242
Exploitation Tools ... 245
Case Studies: The Tools in Action ... 249
CGI and Default Page Exploitation ... 254
Web Application Assessment ... 263
Wireless Penetration Testing Using Auditor ... 277
Objectives ... 278
Approach ... 279
Evolution of WLAN Vulnerabilities ... 280
Core Technologies ... 281
WLAN Discovery ... 282
Choosing the Right Antenna ... 283
WLAN Encryption ... 284
Wi-Fi Protected Access (WPA/WPA2) ... 285
Virtual Private Network (VPN) ... 286
Attacks Against WPA ... 288
Attacks Against LEAP ... 289
Open Source Tools ... 290
Intelligence Gathering Tools ... 291
USENET Newsgroups ... 292
Scanning Tools ... 293
Kismet ... 295
Enumeration Tools ... 298
Vulnerability Assessment Tools ... 299
Exploitation Tools ... 301
Deauthentication with Void11 ... 302
Cracking WEP with the Aircrack Suite ... 303
Cracking WPA with CoWPAtty ... 306
Case Studies ... 307
Case Study: Cracking WPA-PSK ... 311
Further Information ... 314
Network Devices ... 317
Objectives ... 318
Core Technologies ... 319
Open Source Tools ... 320
DNS ... 321
Nmap ... 322
ICMP ... 323
ike-scan ... 324
Scanning Tools ... 326
ASS ... 329
Cisco Torch ... 331
snmpfuzz.pl ... 332
Finger ... 334
Exploitation Tools ... 335
Hydra ... 336
TFTP Bruteforce ... 338
Cisco Global Exploiter ... 339
Internet Routing Protocol Attack Suite (IRPAS) ... 340
Ettercap ... 343
Case Studies: The Tools in Action ... 344
Further Information ... 353
Common and Default Vendor Passwords ... 355
Modification of cge.pl ... 356
Software ... 357
Writing Open Source Security Tools ... 359
Introduction ... 360
Solve the Right Problem by Asking the Right Questions ... 361
Breaking the Problem into Smaller, Manageable Problems ... 362
Write Pseudocode ... 364
Implement the Actual Code ... 365
Programming Languages ... 366
BASIC ... 367
C/C++ ... 368
C# ... 369
Python ... 370
Web Application Languages ... 371
Eclipse ... 372
KDevelop ... 382
Microsoft Visual Studio .NET ... 388
MonoDevelop ... 392
Quick Start Mini Guides ... 395
Basic File I/O and Subroutines ... 398
Writing to a Socket and Using MySQL ... 401
Consuming a Web Service and Writing a CGI ... 406
C# Mini Guide ... 412
Basic File I/O and Databases ... 415
Writing to Sockets ... 419
Conclusion ... 423
PERL Code Snippets ... 427
Links to Resources in this Chapter / Further Reading ... 428
Nessus ... 429
Introduction ... 430
Basic Components ... 431
The Plugins ... 434
The Knowledge Base ... 435
Running Nessus from Auditor ... 436
Analyzing Auditor's start-nessus Script ... 440
Nessus Without a Startup Script ... 442
Running Nessus on Windows ... 446
Maintaining Nessus ... 448
Method 1 ... 449
Method 2 ... 452
Updating the Nessus Program ... 456
Using Nessus ... 457
Plugins ... 458
Prefs: The Preferences Tab ... 459
Scan Options ... 464
Target Selection ... 466
Summary ... 467
Links to Sites ... 469
Coding for Nessus ... 471
Introduction ... 472
Goals of NASL ... 473
Safety ... 474
Variables ... 475
Operators ... 478
Control Structures ... 483
Writing NASL Scripts ... 487
Writing Personal-Use Tools in NASL ... 488
String Manipulation Functions ... 489
Programming in the Nessus Framework ... 491
The Canonical NASL Script ... 494
Porting to and from NASL ... 497
Logic Analysis ... 498
Pseudo Code ... 499
Porting to NASL ... 500
Porting to NASL from C/C++ ... 501
Porting from NASL ... 507
Case Studies of Scripts ... 508
IIS .HTR ISAPI Filter Applied (CVE-2002-0071) ... 509
Microsoft IIS/Site Server codebrws.asp Arbitrary File Access ... 513
codebrws.asp Source Disclosure Vulnerability (CVE-1999-0739) ... 514
Microsoft SQL Server Bruteforcing ... 516
Microsoft's SQL Server Bruteforce ... 517
ActivePerl perlIIS.dll Buffer Overflow Vulnerability ... 526
ActivePerl perlIIS.dll Buffer Overflow ... 527
Microsoft FrontPage/IIS Cross-Site Scripting shtml.dll Vulnerability ... 531
Summary ... 536
Solutions Fast Track ... 537
Links to Sites ... 539
Frequently Asked Questions ... 540
NASL Extensions and Custom Tests ... 543
Introduction ... 544
Extending the Capabilities of Tests Using Process Launching and Results Analysis ... 550
Extending the Capabilities of Tests ... 552
What Can We Do with TRUSTED Functions? ... 553
Creating a TRUSTED Test ... 554
Summary ... 562
Understanding the Extended Capabilities of the Nessus Environment ... 563
Introduction ... 564
Windows Testing Functionality Provided by the smb_hotfixes.inc Include File ... 569
UNIX Testing Functionality Provided by the Local Testing Include Files ... 573
Summary ... 580
Extending Metasploit I ... 581
Introduction ... 582
The msfweb Interface ... 583
The msfconsole Interface ... 597
General msfconsole Commands ... 598
The MSF Environment ... 599
Exploiting with msfconsole ... 604
The msfcli Interface ... 613
Updating the MSF ... 619
Summary ... 621
Frequently Asked Questions ... 622
Extending Metasploit II ... 625
Introduction ... 626
Determining the Attack Vector ... 627
Finding the Offset ... 628
Selecting a Control Vector ... 634
Finding a Return Address ... 641
Using the Return Address ... 647
Determining Bad Characters ... 648
Determining Space Limitations ... 650
Nop Sleds ... 652
Choosing a Payload and Encoder ... 654
Integrating Exploits into the Framework ... 665
Understanding the Framework ... 666
Analyzing an Existing Exploit Module ... 667
Overwriting Methods ... 673
Summary ... 675
Links to Sites ... 676
Frequently Asked Questions ... 677
Index ... 687

About the author (2006)

Jeremy Faircloth (CISSP, Security+, CCNA, MCSE, MCP+I, A+) is an IT practitioner with a background in a wide variety of technologies as well as experience managing technical teams at multiple Fortune 50 companies. He is a member of the Society for Technical Communication and frequently acts as a technical resource for other IT professionals through teaching and writing, using his expertise to help others expand their knowledge. Described as a "Renaissance man of IT" with over 20 years of real-world IT experience, he has become an expert in many areas including Web development, database administration, enterprise security, network design, large enterprise applications, and project management. Jeremy is also an author who has contributed to over a dozen technical books covering a variety of topics, and he teaches courses on many of those topics.
