The Ethical Hacking Workshop will teach you how to perform ethical hacking and provide you with hands-on experience using relevant tools.
By exploring the thought process involved in ethical hacking and the various techniques you can use to obtain results, you'll gain a deep understanding of how to leverage these skills effectively.
Throughout this book, you'll learn how to conduct a successful ethical hack, how to use the tools correctly, and how to interpret the results to enhance your environment's security. Hands-on exercises at the end of each chapter will ensure that you solidify what you’ve learnt and get experience with the tools.
By the end of the book, you'll be well-versed in ethical hacking and equipped with the skills and knowledge necessary to safeguard your enterprise against cyber-attacks.
You can read the e-book in the Legimi apps or in any app that supports the following format:
Year of publication: 2023
Ethical Hacking Workshop
Explore a practical approach to learning and applying ethical hacking techniques for effective cybersecurity
Rishalin Pillay
Mohammed Abutheraa
BIRMINGHAM—MUMBAI
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Pavan Ramchandani
Publishing Product Manager: Khushboo Samkaria
Senior Editor: Arun Nadar
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Project Coordinator: Ashwin Kharwa
Proofreader: Safis Editing
Indexer: Sejal Dsilva
Production Designer: Shankar Kalbhor
Marketing Coordinators: Marylou De Mello and Shruthi Shetty
First published: October 2023
Production reference: 1051023
Published by
Packt Publishing Ltd.
Grosvenor House
11 St. Paul's Square
Birmingham
B3 1RB, UK.
ISBN 978-1-80461-259-0
www.packtpub.com
I dedicate this book to my wife, Rubleen, and my son, Kai. Without their love and support, all of this would not be possible. I love you dearly.
– Rishalin Pillay
To my parents, Abdullah and Safieh, for their love, support, and inspiration – this would not be possible without your belief and confidence in me.
– Mohammed Abutheraa
Rishalin Pillay is an offensive security engineer working across many disciplines in cybersecurity. He has been working in the industry for over 15 years and holds a number of certifications across the industry. His passion and specialty is offensive security. At present, he works at one of the largest cloud providers within an enterprise security and threat intelligence team. He has authored a number of books and online cybersecurity courses. He has contributed as a technical contributor to a number of books across the industry. He also holds a number of publishing awards for his contributions to the cybersecurity industry.
I want to thank the people who have been close to me and supported me, especially my wife, Rubleen, and my son, Kai. I also want to issue a special thanks to my co-author for embarking on this journey with me!
Mohammed Abutheraa is a cybersecurity specialist who has over 15 years of experience in IT security, risk management, security infrastructure, and technology implementation in both private and public sector environments. He worked as an incident response and remediation advisor and has supported customers in remediating major incidents over the last few years. He has experience in threat intelligence and proactive services such as vulnerability assessments and red/purple teaming exercises.
I want to thank the people who have been close to me and supported me, especially my parents and siblings. I also want to issue a special thanks to my co-author for embarking on this journey with me!
Omar Alayli is currently a customer engineer at Google Cloud, Qatar, focusing on security and networking on the cloud in general and Google Cloud Platform in particular. Born in Beirut, Lebanon, he studied computer and communications engineering at the American University of Beirut before earning an MSc from the University of Surrey in the UK. His work adventures are diverse, with hands-on experience in setting up Cisco networks, FortiGate UTMs, Palo Alto NGFWs, the TippingPoint IPS, Barracuda products, and Microsoft systems, with ethical hacking and penetration testing being the one constant thing throughout his 25-year career.
Omar Salama specializes in application and network penetration testing. He has performed dozens of ethical hacking engagements for clients in a wide variety of industries, including government, finance, retail, and manufacturing. Omar has had unique opportunities to assess the security of new applications and technologies, ranging from web-enabled e-business applications to proprietary applications.
His security career started in 2012, concentrating on network and application security. Omar has excelled in penetration testing, application assessments, social engineering (both physical and virtual), vulnerability assessments, and log analysis.
Redho Maland has six years of experience in the field of information security, with a focus on penetration testing and red teaming. As a team lead in a cybersecurity consulting company, he has demonstrated an exceptional ability to identify and mitigate security risks and vulnerabilities for clients across a wide range of industries.
He has also contributed to open source projects, including the development of the DracOS Linux distribution and of automation tools used to support penetration testing and bug-hunting activities, such as TheFatRat, Sudomy, and Brutal.
To deepen his knowledge in technical security areas, he has obtained various certifications in this field, such as OSCP, OSWP, CPSA, CRT, CRTP, CRTE, CRTS, CRTO, EWPTX v2, and ECPTXv2.
This part will serve as a primer and introduction to the book. It will focus on the lab setup first, and then go into a quick refresher on networking and cryptography. It will also enable you to perform practical analysis of network traffic. It will teach you how to capture traffic, analyze it, and even spoof it if needed. It will also introduce additional hacking tools that are used for this purpose.
This part contains the following chapters:
Chapter 1, Networking Primer
Chapter 2, Capturing and Analyzing Network Traffic
Chapter 3, A Cryptography Primer
Welcome to the first chapter of this book. You are at the start of your journey toward ethical hacking, and by the time you complete this book, you will be well prepared to conduct an ethical hack.
Networking is the fundamental underlying backbone for all communication today. Back at the inception of the internet, networking was involved. When you pick up your mobile phone and dial someone, networking is involved. Watching videos on the internet, surfing the web, playing online games… the list goes on.
When it comes to hacking, networking is a crucial element. So, it is understandable that to get started with ethical hacking, you need to have a good understanding of networking. As you will learn in this chapter, networking is a key underlying feature that exists in all computer environments.
We will cover the following topics:
Why is networking crucial?
Networking concepts on-premises and in the cloud
Networking tools
Networking lab
Putting into practice what you have learned
Best practices
To complete this chapter, you will require the following:
Kali Linux version 2022.1 x64 (a virtual machine is available for both VirtualBox and VMware: https://www.kali.org/get-kali/)
Windows 10 (can be downloaded from the Microsoft Evaluation Center: https://www.microsoft.com/en-us/evalcenter/)
pfSense v2.6.0 (https://www.pfsense.org/download/)
Hypervisor (VirtualBox or VMware)
Basic knowledge of Linux and hypervisors is recommended
At the onset of this book, I mentioned just a few examples of how networking plays a role in our daily lives. I remember many years ago I purchased a cross-over network cable to play multi-player StarCraft with my brother sitting in the next room. This was a time when network switches were not so easy to come by. Back then, networking was relatively simple, but looking at how it has evolved since is amazing. In today’s world of big data, cloud networks, quantum computing, blockchain technology, smart homes, and more, we are surrounded by networks that range from simple to highly complex. If I had to sum up a few reasons why networking is crucial, here they are:
Enables collaboration and information sharing
Overcomes geographic separation
Enables communication across the world
Enables voice telephony over long distances
Enables the sharing of media and enables gaming
Let’s dive into the building blocks of networks. Here, we will cover various components of networks, ranging across software, hardware, and standards. This chapter will not go into detail on networking because networking is such a broad topic, and entire books are devoted to it alone. We will cover the necessities to ensure that you understand networking in the context of ethical hacking.
When you start to communicate on a network, the information that you are sending needs to be translated into something that computers can understand. Yes, ultimately, it’s all 0s and 1s, but let’s focus on the various pieces before that. We will begin by looking at packets.
When information is transmitted across a network or the internet, it needs to be formed into a unit that can be carried across a network. This is called a packet, or a network packet. This network packet contains information that ultimately gets routed to destinations on the internet. Think of a packet as an envelope that you would send using the postal service. You would put something inside that envelope, provide a return and destination address, and the postal service would sort and route it to the destination.
In terms of networking, the packet would contain a similar composition.
The contents inside the packet would be your data, the return address would be your Source MAC address and IP address, and the destination address would be your destination MAC and IP address. Now, there will be some routing involved, all of which is handled by hardware such as routers, which will make modifications to the different MAC and IP addresses.
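The envelope analogy above can be made concrete by building one such packet and reading the addresses back off it. The following is an added example written for this edition, not code from the book or its authors: it wraps a payload in an Ethernet II header (destination and source MAC) and a minimal IPv4 header (source and destination IP), computes the standard RFC 1071 header checksum, and then parses the bytes back. The function names, the identification value, and the sample addresses (the chapter's example MAC as the sender, a second MAC in the same OUI as the receiver, and two RFC 1918 LAN addresses) are constructed for the example. Going one step beyond the text, the parser also verifies the IPv4 header checksum, which is what lets a receiver detect a header that was altered in transit.

```python
import struct

# Constructed sample addresses for the example: the chapter's example MAC as the
# sender, a second MAC in the same OUI as the receiver, and two RFC 1918 LAN IPs.
SRC_MAC = "00:00:5e:00:53:af"
DST_MAC = "00:00:5e:00:53:01"
SRC_IP = "192.168.1.10"
DST_IP = "192.168.1.1"
ETHERTYPE_IPV4 = 0x0800        # Ethernet II type value meaning "an IPv4 packet follows"
IP_HDR_FMT = "!BBHHHBBH4s4s"   # the 20-byte IPv4 header without options, big-endian


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes, ttl: int = 64, protocol: int = 17) -> bytes:
    """Wrap a payload in an IPv4 header and an Ethernet II header (the 'envelope')."""
    ihl = 5                                  # header length in 32-bit words
    total_length = ihl * 4 + len(payload)
    header = struct.pack(
        IP_HDR_FMT,
        (4 << 4) | ihl,      # version 4, IHL 5
        0,                   # DSCP/ECN
        total_length,
        0x1234,              # identification (constructed value)
        0x4000,              # flags: don't fragment; fragment offset 0
        ttl,
        protocol,            # 17 = UDP in the IANA protocol-number registry
        0,                   # checksum placeholder, filled in below
        ip_to_bytes(SRC_IP),
        ip_to_bytes(DST_IP),
    )
    checksum = internet_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    ethernet = (mac_to_bytes(DST_MAC) + mac_to_bytes(SRC_MAC)
                + struct.pack("!H", ETHERTYPE_IPV4))
    return ethernet + header + payload


def parse_frame(frame: bytes) -> dict:
    """Read the addressing fields back off the wire format and verify the IP checksum."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    fields = struct.unpack(IP_HDR_FMT, packet[:20])
    ihl_bytes = (fields[0] & 0x0F) * 4
    total_length = fields[2]
    return {
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "ethertype": ethertype,
        "src_ip": ".".join(str(b) for b in fields[8]),
        "dst_ip": ".".join(str(b) for b in fields[9]),
        "ttl": fields[5],
        "protocol": fields[6],
        # Recomputing over a header that already carries its checksum yields 0 if intact.
        "checksum_ok": internet_checksum(packet[:ihl_bytes]) == 0,
        "payload": packet[ihl_bytes:total_length],
    }


if __name__ == "__main__":
    frame = build_frame(b"hello")
    print(parse_frame(frame))
```

The layering is visible in the byte offsets: the two MAC addresses occupy the first 12 bytes, the IP addresses sit at offsets 26 and 30, and the payload follows the 20-byte IP header. The same header fields are what a capture tool such as Wireshark decodes for you in the next chapter.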
All devices that communicate on a network will have a networking interface card (NIC). This can be either an Ethernet or wireless adapter. Every single NIC has a unique identifier, which is called a media access control (MAC) address. This address aims to uniquely identify your machine on the network. MAC addresses are used by routers or switches (OSI Layer 2) to send packets to a specific destination. MAC addresses consist of 48-bit numbers that are written in hexadecimal format; for example, 00:00:5e:00:53:af. Every MAC address will have an organizationally unique identifier (OUI), which is the first 24 bits of the MAC address. The remaining 24 bits are used to uniquely identify the device. Looking at our example MAC address, if we had to break it down into the OUI and the device identifier, it would look like Figure 1.1:
Figure 1.1 – Breakdown of a MAC address
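The split shown in Figure 1.1 is easy to perform in code. The following function is an added example for this edition, not code from the book or its authors; the function name is hypothetical. It normalizes the common MAC notations, returns the 24-bit OUI and 24-bit device identifier described above, and goes one step beyond the text by also reading the two flag bits carried in the first octet: the I/G bit, which distinguishes unicast from multicast or broadcast addresses, and the U/L bit, which marks a locally administered address that was not issued from a registered OUI (for example, a randomized Wi-Fi address).

```python
def split_mac(mac: str) -> dict:
    """Break a 48-bit MAC address into its OUI and device identifier.

    Accepts the common notations (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff) and reports the two flag bits carried in the first octet.
    """
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    first_octet = int(octets[0], 16)
    return {
        "mac": ":".join(octets),
        "oui": ":".join(octets[:3]),          # first 24 bits: organizationally unique identifier
        "device_id": ":".join(octets[3:]),    # last 24 bits: assigned by the OUI's owner
        # Least-significant bit of the first octet (I/G): 0 = unicast, 1 = group/multicast.
        "multicast": bool(first_octet & 0x01),
        # Next bit (U/L): 0 = universally administered (from a registered OUI),
        # 1 = locally administered, e.g. a randomized or manually set address.
        "locally_administered": bool(first_octet & 0x02),
    }


if __name__ == "__main__":
    # The chapter's example address, a constructed multicast address and the broadcast address.
    for sample in ("00:00:5e:00:53:af", "01:00:5e:00:00:01", "ff:ff:ff:ff:ff:ff"):
        print(split_mac(sample))
```

When reviewing a capture, the two flag bits are a quick sanity check: a source address with the I/G bit set should never appear on a real frame, and a high proportion of locally administered addresses on a network usually reflects client-side address randomization rather than a hardware inventory.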
Internet Protocol (IP) addresses enable data to be transferred across networks (OSI Layer 3). They are crucial to networking because they contain information that enables devices to communicate. Such information may be things such as location information, which enable devices to communicate with each other in dissimilar environments.
Tip
If you are looking for a refresher on the OSI model, please take a look at this link: https://www.networkworld.com/article/3239677/the-osi-model-explained-and-how-to-easily-remember-its-7-layers.html.
An IPv4 address is made up of numbers separated by periods; for example, 192.168.1.1 is an IP address. Within an IPv4 network, each piece of the address can range from 0 to 255, which means that an IP address can range from 0.0.0.0 to 255.255.255.255. Some of the addresses within that range are reserved for various purposes; you can find more information about these reservations in the following note. In an Internet Protocol version 6 (IPv6) network, an address is a 128-bit value written in hexadecimal. The 128 bits are arranged into eight groups of 16 bits, with each group separated by a colon. IPv6 is the successor to IPv4, a previous addressing infrastructure whose limitations IPv6 was created to remedy. In comparison to IPv4, IPv6 has significantly more address space. Consider the following example of an IPv6 address: 684D:1111:222:3333:4444:5555:6:77. Here, you will notice how it differs from IPv4, and its size is what allows the significantly larger address space.
Note
IP addresses are assigned by the Internet Assigned Numbers Authority (IANA).
IP addresses are split into two categories: public and private. Private addresses are ranges that are not routable on the internet. These are generally what you would have on your local network, such as your Wi-Fi network and so forth. Public IP addresses are routable on the internet. Your internet provider would assign a public IP address to your home network for you to access the internet. You can easily check what your public IP address is by searching for what's my IP on Google Search.
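The IPv4/IPv6 structure and the public/private distinction from the last two sections can be checked programmatically with Python's standard ipaddress module. The following is an added example for this edition, not code from the book or its authors, and the function name is hypothetical. It validates the 0 to 255 range of each IPv4 octet (an out-of-range value is rejected rather than guessed at), expands a compressed IPv6 address back into its eight 16-bit groups, and reports whether an address is loopback, private (not routable on the internet), or public. It goes slightly beyond the text by treating IPv6 and loopback addresses the same way. Sample addresses are constructed for the example, apart from the chapter's own 192.168.1.1 and 684D:1111:222:3333:4444:5555:6:77.

```python
import ipaddress


def classify_ip(text: str) -> dict:
    """Parse an IPv4/IPv6 address and report its structure and routability."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        # ipaddress enforces the 0..255 octet range and the IPv6 grammar for us
        return {"input": text, "valid": False}
    info = {"input": text, "valid": True, "version": addr.version}
    if addr.version == 4:
        info["octets"] = [int(part) for part in str(addr).split(".")]
    else:
        # .exploded restores the leading zeros that the compressed notation drops
        info["groups"] = addr.exploded.split(":")
    if addr.is_loopback:
        info["scope"] = "loopback"
    elif addr.is_private:
        info["scope"] = "private"      # not routable on the internet (e.g. RFC 1918 ranges)
    elif addr.is_global:
        info["scope"] = "public"       # routable on the internet
    else:
        info["scope"] = "special"      # anything else, e.g. shared address space 100.64.0.0/10
    return info


if __name__ == "__main__":
    # Constructed samples plus the chapter's two example addresses.
    for sample in ("192.168.1.1", "10.0.0.1", "1.2.3.4", "127.0.0.1",
                   "256.1.1.1", "684D:1111:222:3333:4444:5555:6:77", "::1"):
        print(classify_ip(sample))
```

During an engagement, this is the kind of check that keeps a scope list honest: a target list that mixes private and public addresses usually means the tester is looking at an internal network from the inside and the internet-facing perimeter at the same time, and those are different exercises.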
Now that we have the very basics of networking covered, let’s move on to cloud computing.
Today, the term cloud computing is not unheard of. Many people working in the IT industry know about cloud computing and probably make use of it daily. When you work on email services, social media, online gaming, and so forth, this is all cloud computing in action. Major software companies such as Google, Microsoft, and Amazon offer cloud computing and a range of cloud services.
Note
There are a lot of other providers who offer cloud services, apart from those that I have mentioned. Performing a quick internet search for Cloud Service Providers will give you a comprehensive list.
In terms of cloud computing, various types of cloud setups exist. The most common ones today are the public cloud, private cloud, and hybrid cloud. There are differences between them, as described next.
A public cloud is administered predominantly by a third party. These cloud environments provide easy access to the public (hence the term public cloud) via the internet. Resources that are available here entail storage, compute, applications, and more. The key here is that anyone who wants to use these services can make use of them. Public clouds are cost-effective, relieving you from the expensive costs of having to purchase hardware, manage it, and so forth. With the public cloud, anyone with an internet connection can make use of the services. There are several security concerns with public clouds, especially when it comes to data residency and who has access to the data. However, many public cloud providers provide solutions to address this.
Private clouds offer services either over the internet or via a private internal connection. These are limited to selected users and not the public. You may find the terms corporate cloud or internal cloud used interchangeably with private cloud. This cloud setup aims to provide the benefits of a public cloud with additional controls and, to an extent, additional customization where possible. Private clouds are said to provide a higher level of security concerning data confidentiality, since access by third parties is limited. The drawback of a private cloud is that it requires staff to maintain it.
A hybrid cloud combines both public and private cloud solutions. It enables data to be shared between them. This cloud aims to enable organizations to scale where needed, but also provide limited access to restricted data where possible.
If I had to describe cloud computing in simple terms, it is the delivery of computing services that make use of servers, databases, networking, software, storage, and more. All of this is delivered across the internet, referred to as the public cloud. Cloud computing aims to offer faster innovation, flexibility when it comes to resources, and scalability, enabling you to up or downscale your resources with ease. Cloud computing offers various operating models:
Infrastructure-as-a-Service (IaaS)
Platform-as-a-Service (PaaS)
Software-as-a-Service (SaaS)
Cloud computing providers often have a shared responsibility model that describes the responsibility and security tasks that are handled by the provider and the customer. These responsibilities and tasks change as you use different operating models.
The following figure is a sample of Microsoft’s shared responsibility model. Notice how the responsibilities change between SaaS to on-premises:
Figure 1.2 – Microsoft shared responsibility model (Source: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility)
All cloud providers will provide some type of responsibility matrix – for example, Amazon Web Services has theirs (https://aws.amazon.com/compliance/shared-responsibility-model/), and the same goes for Google Cloud (https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate).
Let’s cover these briefly so that you understand what each model offers. It is important to have a good understanding of these as you prepare for an ethical hack because it gives you insight into who handles the security of the target components such as the operating system and application updates and so forth.
IaaS is a standardized method of obtaining computing resources on demand. These services are delivered through the internet via a cloud provider. These services include storage facilities, networks, computing power, and virtual private servers. These are invoiced on a pay-as-you-go basis, which means you are billed based on different criteria, such as how much storage you use or how much processing power you utilize over a set period. Customers do not need to maintain infrastructure under this service model; instead, the provider is responsible for ensuring the contractual quantity of resources and availability.
Some of the advantages of IaaS include the following:
Very flexible cloud computing model
Ability to easily automate the deployment of services such as storage, processing power, network, and so forth
Highly scalable
Resources can be purchased as needed