Mastering Kali Linux for Web Penetration Testing

Test and evaluate all aspects of the design and implementation

Michael McPhee





Book Details
Price: 3.00 USD
Pages: 332
File Size: 35,308 KB
File Type: PDF
ISBN: 978-1-78439-507-0
Copyright: 2017 Packt Publishing

About the Author
Michael McPhee is a systems engineer at Cisco in New York, where he has worked for the
last 4 years and has focused on cyber security, switching, and routing. Mike’s current role
sees him consulting on security and network infrastructures, and he frequently runs clinics
and delivers training to help get his customers up to speed. Suffering from a learning
addiction, Mike has obtained the following certifications along the way: CEH, CCIE R&S,
CCIE Security, CCIP, CCDP, ITILv3, and the Cisco Security White Belt. He is currently
working on his VCP6-DV certification, following his kids to soccer games and tournaments,
traveling with his wife and kids to as many places as possible, and scouting out his future
all-grain beer home brewing rig. He also spends considerable time breaking his home
network (for science!), much to the family's dismay.
Prior to joining Cisco, Mike spent 6 years in the U.S. Navy and another 10 working on
communications systems as a systems engineer and architect for defense contractors, where
he helped propose, design, and develop secure command and control networks and
electronic warfare systems for the US DoD and NATO allies.
Prior publication:
Penetration Testing with the Raspberry Pi – Second Edition (with Jason Beltrame), Packt
Publishing, November 2016.
To the Packt folks--thank you again for the support and for getting this book off the
ground! I am blessed with the coolest team at my day job, where I receive a ton of support
in pursuing all these extracurricular activities. The camaraderie from Eric Schickler and
the awesome support of my manager, Mike Kamm, are especially helpful in keeping me on
track and balancing my workload. In addition to my local teammates, any time I can get
with my good friends, Jason Beltrame and Dave Frohnapfel, is the highlight of my week,
and they have been a huge help in getting the gumption to tackle this topic. I’m lucky to
have learned security at the feet of some awesome teachers, especially Mark Cairns, Bob
Perciaccante, and Corey Schultz. For reasons that defy logic, Joey Muniz still sticks his
neck out to support me, and I am forever in his debt--thanks dude! Lastly, I need to thank
my family. Mom, you pretend to know what I am talking about and let me fortify your
home network, thanks for always being so supportive. Liam and Claire--you two give me
hope for the future. Keep asking questions, making jokes, and making us proud! Lastly, my
beautiful wife, Cathy, keeps me healthy and happy despite myself, and the best anyone can
hope for is to find a friend and partner as amazing as she is.

About the Reviewers
Aamir Lakhani is a leading senior security strategist. He is responsible for providing IT
security solutions to major enterprises and government organizations.
Mr. Lakhani creates technical security strategies and leads security implementation projects
for Fortune 500 companies. Industries of focus include healthcare providers, educational
institutions, financial institutions, and government organizations. He has also assisted
organizations in safeguarding IT and physical environments from attacks perpetrated by
underground cybercrime groups. Mr. Lakhani is considered to be an industry leader in
creating detailed security architectures within complex computing environments. His areas
of expertise include cyber defense, mobile application threats, malware management,
Advanced Persistent Threat (APT) research, and investigations relating to the internet's
dark security movement. He is the author of or contributor to several books, and has
appeared on FOX Business News, National Public Radio, and other media outlets as an
expert on cyber security.
It was my pleasure working with the author and reviewing this book! They worked hard in putting
together a quality product I will easily recommend. I also want to thank my dad and mom, Mahmood
and Nasreen Lakhani, for always encouraging me to be my best. Thank you for always believing in me.

Dave Frohnapfel has over 10 years of experience in the engineering field and his diverse
background includes experience with a service provider, global enterprise, and engineering
design for a hardware manufacturer. In his current role at Cisco Systems, he is a leader in
network security. Moreover, he is passionate about helping organizations address the
evolving threat landscape and focusing on game-changing technology solutions. Before
Cisco, he had extensive enterprise experience in building and maintaining large data
centers and service delivery networks, and he managed an international operations staff.

Table of Contents
Preface
Chapter 1: Common Web Applications and Architectures
  Common architectures
  Standalone models
  Three-tier models
  Model-View-Controller design
  Web application hosting
  Physical hosting
  Virtual hosting
  Cloud hosting
  Containers - a new trend
  Application development cycles
  Coordinating with development teams
  Post deployment - continued vigilance
  Common weaknesses - where to start
  Web application defenses
  Standard defensive elements
  Additional layers
  Summary
Chapter 2: Guidelines for Preparation and Testing
  Picking your favorite testing framework
  Frameworks through a product
  Train like you play
  The EC-Council approach
  The GIAC/SANS approach
  The Offensive Security approach
  Open source methodologies and frameworks
  ISECOM's OSSTMM
  ISSAF
  NIST publications
  OWASP's OTG
  Keeping it legal and ethical
  What is legal?
  What is ethical?
  Labbing - practicing what we learn
  Creating a virtualized environment
  Our penetration testing host
  Creating a target-rich environment
  Finding gullible servers
  Unwitting clients
  Summary
Chapter 3: Stalking Prey Through Target Recon
  The imitation game
  Making (then smashing) a mirror with HTTrack
  Making a stealthy initial archive
  Tuning stealthier archives
  Is the mirror complete and up-to-date?
  Touring the target environment
  Open source awesomeness
  Open source Intel with Google and the Google hacking database
  Tuning your Google search skills
  Work smarter with the Google hacking DB and Netcraft
  Mastering your own domain
  Digging up the dirt
  Digging record types
  Getting fierce
  Next steps with Nikto
  Employing Maltego to organize
  Being social with your target
  Summary
Chapter 4: Scanning for Vulnerabilities with Arachni
  Walking into spider webs
  Optimal Arachni deployment tips
  An encore for stacks and frameworks
  The Arachni test scenario
  Profiles for efficiency
  Creating a new profile
  Scoping and auditing options
  Converting social engineering into user input and mobile platform emulation
  Fingerprinting and determining platforms
  Checks (please)
  Plugging into Arachni extensions and third-party add-ons
  Browser clusters
  Kicking off our custom scan
  Reviewing the results
  Summary
Chapter 5: Proxy Operations with OWASP ZAP and Burp Suite
  Pulling back the curtain with ZAP
  Quick refresher on launching ZAP scans
  Going active with ZAP
  Passive ZAP scanning
  Getting fuzzy with ZAP
  Taking it to a new level with Burp Suite
  Recon with Burp Suite
  Stay on target!
  Getting particular with proxy
  Going active with Spider
  Activating Burp Suite
  Scanning for life (or vulnerabilities)
  Passive scans are a no brainer
  Active scanning - Use with care!
  The flight of the intruder
  Stop, enumerate, and listen!
  Select, attack, highlight, and repeat!
  Summary
Chapter 6: Infiltrating Sessions via Cross-Site Scripting
  The low-down on XSS types
  Should XSS stay or should it go?
  Location, location, and location!
  XSS targeting and the delivery
  Seeing is believing
  Don't run with XSSer(s)!
  Stored XSS with BeEF
  Here, phishy phishy!
  Let's go Metasploiting
  Building your own payload
  Every good payload needs a handler
  Seal the deal - Delivering shell access
  Metasploit's web-focused cousin - Websploit
  Summary
Chapter 7: Injection and Overflow Testing
  Injecting some fun into your testing
  Is SQL any good?
  A crash course in DBs gone bad
  Types of SQLI
  In-band or classic SQLI
  Blind SQLI
  Stacked or compound SQLI
  SQLI tool school
  Old-school SQLI via browsers
  Stepping it up with SQLMap
  Cooking up some menu-driven SQLI with BBQSQL
  SQLI goes high-class with Oracle
  The X-factor - XML and XPath injections
  XML injection
  XPath injection
  Credential Jedi mind tricks
  Going beyond persuasion - Injecting for execution
  Code injections
  Overflowing fun
  Commix - Not-so-funny command injections
  Down with HTTP?
  Summary
Chapter 8: Exploiting Trust Through Cryptography Testing
  How secret is your secret?
  Assessing encryption like a pro
  SSLyze - it slices, it scans...
  SSLscan can do it!
  Nmap has SSL skills too
  Exploiting the flaws
  POODLE - all bark, no bite (usually)
  Heartbleed-ing out
  DROWNing HTTPS
  Revisiting the classics
  Hanging out as the Man-in-the-Middle
  Scraping creds with SSLstrip
  Looking legit with SSLsniff and SSLsplit
  SSLsniff
  SSLsplit
  Alternate MITM motives
  Summary
Chapter 9: Stress Testing Authentication and Session Management
  Knock knock, who's there?
  Does authentication have to be hard?
  Authentication 2.0 - grabbing a golden ticket
  The basic authentication
  Form-based authentication
  Digest-based authentication
  Trust but verify
  This is the session you are looking for
  Munching on some cookies?
  Don't eat fuzzy cookies
  Jedi session tricks
  Functional access level control
  Refining a brute's vocabulary
  Summary
Chapter 10: Launching Client-Side Attacks
  Why are clients so weak?
  DOM, Duh-DOM DOM DOM!!
  Malicious misdirection
  Catch me if you can!
  Picking on the little guys
  Sea-surfing on someone else's board
  Simple account takeovers
  Don't you know who I am? Account creation
  Trust me, I know the way!
  I don't need your validation
  Trendy hacks come and go
  Clickjacking (bWAPP)
  Punycode
  Forged or hijacked certificates
  Summary
Chapter 11: Breaking the Application Logic
  Speed-dating your target
  Cashing in with e-commerce
  Financial applications - Show me the money
  Hacking human resources
  Easter eggs of evil
  So many apps to choose from...
  Functional Feng Shui
  Basic validation checks
  Sometimes, less is more?
  Forgery shenanigans
  What does this button do?
  Timing is everything
  Reaching your functional limits
  Do we dare to accept files?
  Summary
Chapter 12: Educating the Customer and Finishing Up
  Finishing up
  Avoiding surprises with constant contact
  Establishing periodic updates
  When to hit the big red button
  Weaving optimism with your action plan
  The executive summary
  Introduction
  Highlights, scoring, and risk recap
  More on risk
  Guidance - earning your keep
  Detailed findings
  The Dradis framework
  MagicTree
  Other documentation and organization tools
  Graphics for your reports
  Bringing best practices
  Baking in security
  Honing the SDLC
  Role-play - enabling the team
  Picking a winner
  Plans and programs
  More on change management
  Automate and adapt
  Assessing the competition
  Backbox Linux
  Samurai web testing framework
  Fedora Security Spin
  Other Linux pen test distros
  What About Windows and macOS?
  Summary
Index


Preface
Web applications are where customers and businesses meet. On the internet, a very large
proportion of traffic now flows between servers and clients, and the power and trust placed
in each application, combined with its exposure to the outside world, make web applications a
popular target for adversaries seeking to steal data, eavesdrop, or cripple businesses and
institutions. As penetration testers, we need to think like the attacker to better understand,
test, and make recommendations for the improvement of those web apps. There are many tools
to fit any budget, but Kali Linux is a fantastic, industry-leading open source distribution
that provides many of these functions for free. The tools Kali provides, along with standard
browsers and appropriate plugins, enable us to tackle most web penetration testing
scenarios. Several organizations provide wonderful training environments that can be
paired with a Kali pen testing box so that testers can train and hone their web pen testing
skills safely. These environments allow low-risk experimentation with powerful tools and
features in Kali Linux that go beyond a typical script-kiddie approach, and they help ethical
hackers responsibly expose, identify, and disclose weaknesses and flaws in web
applications at all stages of development. One can safely test using these powerful tools,
learn to better identify vulnerabilities, position and deploy exploits, compromise
authentication and authorization, and test the resilience and exposure of applications.
In the end, customers will be better served with actionable intelligence and guidance
that will help them secure their applications and better protect their users, information, and
intellectual property.

What you need for this book
Hardware list:
The exercises performed in this book and the tools used can be deployed on any modern
Windows, Linux, or Mac OS machine capable of running a suitable virtualization platform
and a more recent version of the OS. Suggested minimum requirements should allow for at
least the following resources to be available to your virtual platforms:
4 virtual CPUs
4-8 GB of RAM
802.3 Gigabit Ethernet, shared with host machine
802.11a/g/n/ac WiFi link, shared with host machine
Software list:
Desktop/Laptop Core OS and Hypervisor:
Virtualization should be provided by one of Kali Linux's supported hypervisors, namely
one of the following options. The operating system and hardware will need to support the
minimum requirements, with an eye toward dedicating the previous hardware
recommendations to the guest virtual machines:
For Windows:
VMware Workstation Pro 12 or newer (Player does not support multiple VMs at a time): http://www.vmware.com/products/workstation.html
VirtualBox 5.1 or newer: https://www.virtualbox.org/wiki/Downloads
For Mac OS:
VMware Fusion 7.X or newer: http://www.vmware.com/products/fusion.html
Parallels 12 for Mac: http://www.parallels.com/products/desktop/
VirtualBox 5.1 or newer: https://www.virtualbox.org/wiki/Downloads
For Linux:
VMware Workstation 12 or newer (Player does not support multiple VMs at a time): http://www.vmware.com/products/workstation-for-linux.html
VirtualBox 5.1 or newer: https://www.virtualbox.org/wiki/Downloads
For Barebones Hypervisors:
VMware ESXi/vSphere 5.5 or newer
Microsoft Hyper-V 2016
Redhat KVM/sVirt 5 or newer
Applications and virtual machines:
Essential:
Kali Linux VM (choose the 64-bit VMware, VirtualBox, or Hyper-V image): https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/
Alternatives:
Kali Linux ISO (64-bit, for VirtualBox or Parallels): https://www.kali.org/downloads/
Target VMs:
OWASP Broken Web Application: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Metasploitable 2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Metasploitable 3: https://community.rapid7.com/community/metasploit/blog/2016/11/15/test-your-might-with-the-shiny-new-metasploitable3
Bee Box: http://www.itsecgames.com
Damn Vulnerable Web Application (DVWA): http://www.dvwa.co.uk
OWASP Mutillidae 2: https://sourceforge.net/projects/mutillidae/files/
Windows Eval Mode OS + Browser: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Who this book is for
This book is focused on IT pentesters, security consultants, and ethical hackers who want to
expand their knowledge and gain expertise on advanced web penetration techniques. Prior
knowledge of penetration testing will be beneficial.