https://DevOpsCloud.io -- Cloud Monk Losang Jinpa

Return to CEH, Ethical Hacking, Ethical Hacker, Pentesting, Pentester, Cybersecurity Topics, Bibliography

A hands-on guide to hacking computer systems from the ground up, from capturing traffic to crafting sneaky, successful trojans.

A crash course in modern hacking techniques, Ethical Hacking is already being used to prepare the next generation of offensive security experts. In its many hands-on labs, you’ll explore crucial skills for any aspiring penetration tester, security researcher, or malware analyst. You’ll begin with the basics: capturing a victim’s network traffic with an ARP spoofing attack and then viewing it in Wireshark. From there, you’ll deploy reverse shells that let you remotely run commands on a victim’s computer, encrypt files by writing your own ransomware in Python, and fake emails like the ones used in phishing attacks. In advanced chapters, you’ll learn how to fuzz for new vulnerabilities, craft trojans and rootkits, exploit websites with SQL injection, and escalate your privileges to extract credentials, which you’ll use to traverse a private network. You’ll work with a wide range of professional penetration testing tools—and learn to write your own tools in Python—as you practice tasks like:

• Deploying the Metasploit framework’s reverse shells and embedding them in innocent-seeming files
• Capturing passwords in a corporate Windows network using Mimikatz
• Scanning (almost) every device on the internet to find potential victims
• Installing Linux rootkits that modify a victim’s operating system
• Performing advanced Cross-Site Scripting (XSS) attacks that execute sophisticated JavaScript payloads

Along the way, you’ll gain a foundation in the relevant computing technologies. Discover how advanced fuzzers work behind the scenes, learn how internet traffic gets encrypted, explore the inner mechanisms of nation-state malware like Drovorub, and much more. Developed with feedback from cybersecurity students, Ethical Hacking addresses contemporary issues in the field not often covered in other books and will prepare you for a career in penetration testing. Most importantly, you’ll be able to think like an ethical hacker⁠: someone who can carefully analyze systems and creatively gain access to them.

About the Author:

Dr. Daniel G. Graham is an assistant professor of computer science at the University of Virginia in Charlottesville. His research interests include secure embedded systems and networks. Before teaching at UVA, Dr. Graham was a program manager at Microsoft. He publishes in IEEE journals relating to sensors and networks.

About the Technical Reviewer:

Dr. Ed Novak is an assistant professor of computer science at Franklin and Marshall College in Lancaster, Pennsylvania. He received a PhD from The College of William and Mary in 2016. His research interests revolve around security and privacy in smart mobile devices.

• Ethical Hacking - A Hands-on Introduction to Breaking In, by Daniel G. Graham, 2021

• ASIN ‏ : ‎B08Y5LH95M
• ISBN-10 ‏ : ‎ 1718501870
• ISBN-13‏ : ‎ 978-1718501874
• Publisher ‏ : ‎ No Starch Press
• Publication date ‏ : ‎ September 21, 2021
• Print length ‏ : ‎ 376 pages

BRIEF CONTENTS

Acknowledgments

Foreword

Introduction

Chapter 1: Setting Up

PART I: NETWORK FUNDAMENTALS

Chapter 2: Capturing Traffic with ARP Spoofing

Chapter 3: Analyzing Captured Traffic

Chapter 4: Crafting TCP Shells and Botnets

PART II: CRYPTOGRAPHY

Chapter 5: Cryptography and Ransomware

Chapter 6: TLS and Diffie-Hellman

PART III: SOCIAL ENGINEERING

Chapter 7: Phishing and Deepfakes

Chapter 8: Scanning Targets

PART IV: EXPLOITATION

Chapter 9: Fuzzing for Zero-Day Vulnerabilities

Chapter 10: Building Trojans

Chapter 11: Building and Installing Linux Rootkits

Chapter 12: Stealing and Cracking Passwords

Chapter 13: Serious Cross-Site Scripting Exploitation

PART V: CONTROLLING THE NETWORK

Chapter 14: Pivoting and Privilege Escalation

Chapter 15: Moving Through the Corporate Windows Network

Chapter 16: Next Steps

Index

CONTENTS IN DETAIL

ACKNOWLEDGMENTS

FOREWORD

INTRODUCTION

Why Read This Book?

Installing Python

What Is in the Book?

Part I: Networking Fundamentals

Part II: Cryptography

Part III: Social Engineering

Part IV: Exploitation

Part V: Controlling the Network

Reaching Out

1

SETTING UP

Virtual Lab

Setting Up VirtualBox

Setting Up pfSense

Setting Up the Internal Network

Configuring pfSense

Setting Up Metasploitable

Setting Up Kali Linux

Setting Up the Ubuntu Linux Desktop

Your First Hack: Exploiting a Backdoor in Metasploitable

Getting the IP Address of the Metasploitable Server

Using the Backdoor to Gain Access

PART I

NETWORK FUNDAMENTALS

2

CAPTURING TRAFFIC WITH ARP SPOOFING

How the Internet Transmits Data

Packets

MAC Addresses

IP Addresses

ARP Tables

ARP Spoofing Attacks

Performing an ARP Spoofing Attack

Detecting an ARP Spoofing Attack

Exercises

Inspect ARP Tables

Implement an ARP Spoofer in Python

MAC Flooding

3

ANALYZING CAPTURED TRAFFIC

Packets and the Internet Protocol Stack

The Five-Layer Internet Protocol Stack

Viewing Packets in Wireshark

Analyzing Packets Collected by Your Firewall

Capturing Traffic on Port 80

Exercises

pfSense

Exploring Packets in Wireshark

4

CRAFTING TCP SHELLS AND BOTNETS

Sockets and Process Communication

TCP Handshakes

A TCP Reverse Shell

Accessing the Victim Machine

Scanning for Open Ports

Exploiting a Vulnerable Service

Writing a Reverse Shell Client

Writing a TCP Server That Listens for Client Connections

Loading the Reverse Shell onto the Metasploitable Server

Botnets

Exercises

A Multiclient Bot Server

SYN Scans

Detecting XMas Scans

PART II

CRYPTOGRAPHY

5

CRYPTOGRAPHY AND RANSOMWARE

Encryption

One-Time Pad

Pseudorandom Generators

Insecure Block Ciphers Modes

Secure Block Ciphers Modes

Encrypting and Decrypting a File

Email Encryption

Public]]-Key Cryptography

Rivest–Shamir–Adleman Theory

The RSA Math

Encrypting a File with RSA

Optimal Asymmetric Encryption Padding

Writing Ransomware

Exercises

The Ransomware Server

Extending the Ransomware Client

Unsolved Codes

6

TLS AND DIFFIE-HELLMAN

Transport Layer Security

Message Authentication

Certificate Authorities and Signatures

Certificate Authorities

Using Diffie-Hellman to Compute a Shared Key

Step 1: Generating the Shared Parameters

Step 2: Generating the Public]]–Private Key Pair

Why Can’t a Hacker Calculate the Private Key?

Step 3: Exchanging Key Shares and Nonces

Step 4: Calculating the Shared Secret Key

Step 5: Key Derivation

Attacking Diffie-Hellman

Elliptic-Curve Diffie-Hellman

The Math of Elliptic Curves

The Double and Add Algorithm

Why Can’t a Hacker Use Gxy and axy to Calculate the Private Key A?

Writing TLS Sockets

The Secure Client Socket

The Secure Server Socket

SSL Stripping and HSTS Bypass

Exercise: Add Encryption to your Ransomware Server

PART III

SOCIAL ENGINEERING

7

PHISHING AND DEEPFAKES

A Sophisticated and Sneaky Social Engineering Attack

Faking Emails

Performing a DNS Lookup of a Mail Server

Communicating with SMTP

Writing an Email Spoofer

Spoofing SMTPS Emails

Faking Websites

Creating Deepfake Videos

Accessing Google Colab

Importing the Machine Learning Models

Exercises

Voice Cloning

Phishing at Scale

SMTP Auditing

8

SCANNING TARGETS

Link Analysis

Maltego

Leaked Credential Databases

SIM Jacking

Google Dorking

Scanning the Entire Internet

Masscan

Shodan

IPv6 and NAT Limitations

Internet Protocol Version 6 (IPv6)

NAT

Vulnerability Databases

Vulnerability Scanners

Exercises

nmap Scans

Discover

Writing Your Own OSINT Tool

PART IV

EXPLOITATION

9

FUZZING FOR ZERO-DAY VULNERABILITIES

Case Study: Exploiting the Heartbleed OpenSSL Vulnerability

Creating an Exploit

Starting the Program

Writing the Client Hello Message

Reading the Server Response

Crafting the Malicious Heartbeat Request

Reading the Leaked Memory Contents

Writing the Exploit Function

Putting It Together

Fuzzing

A Simplified Example

Writing Your Own Fuzzer

American Fuzzy Lop

Symbolic Execution

A Symbolic Execution of the Test Program

Limitations of Symbolic Execution

Dynamic Symbolic Execution

Using DSE to Crack a Passcode

Creating an Executable Binary

Installing and Running Angr

The Angr Program

Exercises

Capture the Flag Games with Angr

Fuzzing Web Protocols

Fuzzing an Open Source Project

Implement Your Own Concolic Execution Engine

10

BUILDING TROJANS

Case Study: Re-Creating Drovorub by Using Metasploit

Building the Attacker’s Server

Building the Victim Client

Uploading the Implant

Using the Attacker Agent

Why We Need a Victim Kernel Module

Hiding an Implant in a Legitimate File

Creating a Trojan

Hosting the Trojan

Downloading the Infected File

Controlling the Implant

Evading Antivirus by Using Encoders

The Base64 Encoder

Writing a Metasploit Module

Shikata Ga Nai Encoder

Creating a Windows Trojan

Hiding the Trojan in Minesweeper

Hiding the Trojan in a Word Document (or Another Innocent File)

Creating an Android Trojan

Deconstructing the APK to View the Implant

Rebuilding and Signing the APK

Testing the Android Trojan

Exercises

Evil-Droid

Writing Your Own Python Implant

Obfuscate Your Implant

Build a Platform-Specific Executable

11

BUILDING AND INSTALLING LINUX ROOTKITS

Writing a Linux Kernel Module

Backing Up Your Kali Linux Virtual Machine

Writing the Code

Compiling and Running Your Kernel Module

Modifying System Calls

How System Calls Work

Hooking Syscalls

Hooking the Shutdown Syscall

Hiding Files

The linux_dirent struct

Writing the Hooking Code

Using Armitage to Exploit a Host and Install a Rootkit

Scanning the Network

Exploiting a Host

Installing a Rootkit

Exercises

The Keylogger

Self-Hiding Module

12

STEALING AND CRACKING PASSWORDS

SQL Injection

Stealing Passwords from a Website’s Database

Enumerating Reachable Files on the Web Server

Performing SQL Injection

Writing Your Own SQL Injection Tool

Understanding HTTP Requests

Writing the Injection Program

Using SQLMap

Hashing Passwords

The Anatomy of the MD5 Hash

Cracking Hashes

Salting Hashes with a Nonce

Building a Salted Hash Cracker

Popular Hash Cracking and Brute-Forcing Tools

John the Ripper

Hashcat

Hydra

Exercises

NoSQL Injection

Brute-Forcing Web Logins

Burp Suite

13

SERIOUS CROSS-SITE SCRIPTING EXPLOITATION

Cross-Site Scripting

How JavaScript Can Be Malicious

Stored XSS Attacks

Reflected XSS Attacks

Finding Vulnerabilities with OWASP Zed Attack Proxy

Using Browser Exploitation Framework Payloads

Injecting the BeEF Hook

Performing a Social Engineering Attack

Moving from Browser to Machine

Case Study: Exploiting an Old Version of the Chrome Browser

Installing Rootkits via Website Exploitation

Exercise: Hunting for Bugs in a Bug Bounty Program

PART V

CONTROLLING THE NETWORK

14

PIVOTING AND PRIVILEGE ESCALATION

Pivoting from a Dual-Homed Device

Configuring a Dual-Homed Device

Connecting a Machine to Your Private Network

Pivoting with Metasploit

Writing an Attacker Proxy

Extracting Password Hashes on Linux

Where Linux Stores Usernames and Passwords

Performing a Dirty COW Privilege Escalation Attack

Exercises

Adding NAT to Your Dual-Homed Device

Suggested Reading on Windows Privilege Escalation

15

MOVING THROUGH THE CORPORATE WINDOWS NETWORK

Creating a Windows Virtual Lab

Extracting Password Hashes with Mimikatz

Passing the Hash with NT LAN Manager

Exploring the Corporate Windows Network

Attacking the DNS Service

Attacking Active Directory and LDAP Services

Writing an LDAP Query Client

Using SharpHound and Bloodhound for LDAP Enumeration

Attacking Kerberos

The Pass-the-Ticket Attack

The Golden Ticket and DC Sync Attacks

Exercise: Kerberoasting

16

NEXT STEPS

Setting Up a Hardened Hacking Environment

Remaining Anonymous with Tor and Tails

Setting Up a Virtual Private Server

Setting Up SSH

Installing Your Hacking Tools

Hardening the Server

Auditing Your Hardened Server

Other Topics

Software-Defined Radios

Attacking Cellular Infrastructure

Escaping the Air Gap

Reverse Engineering

Physical Hacking Tools

Forensics

Hacking Industrial Systems

Quantum Computation

Connect with Others

INDEX