Hacking and Security - Inc Publishing - E-Book

Hacking and Security E-Book

Inc Publishing

Description

This book provides a comprehensive guide to cybersecurity, covering hacking techniques, tools, and defenses. It begins by introducing key concepts, distinguishing penetration testing from hacking, and explaining hacking tools and procedures. Early chapters focus on security fundamentals, such as attack vectors, intrusion detection, and forensic methods to secure IT systems.
As the book progresses, readers explore topics like exploits, authentication, and the challenges of IPv6 security. It also examines the legal aspects of hacking, detailing laws on unauthorized access and negligent IT security. Readers are guided through installing and using Kali Linux for penetration testing, with practical examples of network scanning and exploiting vulnerabilities.
Later sections cover a range of essential hacking tools, including Metasploit, OpenVAS, and Wireshark, with step-by-step instructions. The book also explores offline hacking methods, such as bypassing protections and resetting passwords, along with IT forensics techniques for analyzing digital traces and live data. Practical application is emphasized throughout, equipping readers with the skills needed to address real-world cybersecurity threats.

You can read the e-book in Legimi apps or in any app that supports the following format:

EPUB

Number of pages: 1593

Year of publication: 2024




Michael Kofler, Klaus Gebeshuber, Peter Kloep, Frank Neugebauer, André Zingsheim, Thomas Hackner, Markus Widl, Roland Aigner, Stefan Kania, Tobias Scheible, Dr. Matthias Wübbeling

Hacking & Security

The Comprehensive Guide to Penetration Testing and Cybersecurity

Imprint

This e-book is a publication many contributed to, specifically:

Editor   Kyrsten Coleman
Acquisitions Editor   Hareem Shafi
German Edition Editor   Christoph Meister, Anne Scheibe
Copyeditor   Melinda Rankin
Translation   Winema Language Services, Inc.
Cover Design   Graham Geary
Shutterstock.com: 186627704/© Nneirda, 1472495273/© Alexander Supertramp
Production E-Book   Hannah Lane
Typesetting E-Book   Satz-Pro, Germany

We hope that you liked this e-book. Please share your feedback with us and read the Service Pages to find out how to contact us.

The Library of Congress Cataloging-in-Publication Control Number for the printed edition is as follows: 2023019445

ISBN 978-1-4932-2425-8 (print)
ISBN 978-1-4932-2426-5 (e-book)
ISBN 978-1-4932-2427-2 (print and e-book)

© 2023 by Rheinwerk Publishing Inc., Boston (MA)
1st edition 2023
3rd German edition published 2023 by Rheinwerk Verlag, Bonn, Germany

Dear Reader,

These days most websites require you to have a profile to use them fully, and the guidelines for creating a usable password have become more and more complex. It’s a joke within internet spheres that soon you’ll need a DNA sample just to be able to access your social media account successfully. Although comments like these are obviously a joke, the real fear of getting sensitive information stolen is evident in the rise of websites or browser add-ons with the main purpose of either saving or creating unique passwords.

As the age of technology moves forward at breakneck pace and storing sensitive information online becomes even more normalized, it’s more important than ever to stay informed if you’re a cybersecurity professional. Enter Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity, a guide to help beginners and seasoned professionals alike navigate the cyber landscape with confidence. Our expert author team will teach you to use ethical hacking and other cybersecurity techniques to uncover security vulnerabilities and harden your sensitive systems against attacks.

What did you think about our book? Your comments and suggestions are the most useful tools to help us make our books the best they can be. Please feel free to contact me and share any praise or criticism you may have.

Thank you for purchasing a book from SAP PRESS!

Kyrsten Coleman
Editor, SAP PRESS

[email protected] Publishing • Boston, MA

Notes on Usage

This e-book is protected by copyright. By purchasing this e-book, you have agreed to accept and adhere to the copyrights. You are entitled to use this e-book for personal purposes. You may print and copy it, too, but also only for personal use. Sharing an electronic or printed copy with others, however, is not permitted, neither as a whole nor in parts. Of course, making them available on the internet or in a company network is illegal as well.

For detailed and legally binding usage conditions, please refer to the section Legal Notes.

This e-book copy contains a digital watermark, a signature that indicates which person may use this copy:

Notes on the Screen Presentation

You are reading this e-book in a file format (EPUB or Mobi) that makes the book content adaptable to the display options of your reading device and to your personal needs. That’s a great thing; but unfortunately not every device displays the content in the same way and the rendering of features such as pictures and tables or hyphenation can lead to difficulties. This e-book was optimized for the presentation on as many common reading devices as possible.

If you want to zoom in on a figure (especially in iBooks on the iPad), tap the respective figure once. By tapping once again, you return to the previous screen. You can find more recommendations on the customization of the screen layout on the Service Pages.

Table of Contents

Dear Reader

Notes on Usage

Table of Contents

Preface

1   Introduction

1.1   Hacking

1.1.1   Hacking Contests, Capture the Flag

1.1.2   Penetration Test versus Hacking

1.1.3   Hacking Procedure

1.1.4   Hacking Targets

1.1.5   Hacking Tools

1.2   Security

1.2.1   Why Are IT Systems So Insecure?

1.2.2   Attack Vectors

1.2.3   Who Is Your Enemy?

1.2.4   Intrusion Detection

1.2.5   Forensics

1.2.6   Ten Steps to Greater Safety

1.2.7   Security Is Not Visible

1.2.8   Security Is Inconvenient

1.2.9   The Limits of This Book

1.3   Exploits

1.3.1   Zero-Day Exploits

1.3.2   The Value of Exploits

1.3.3   Exploit Types

1.3.4   Finding Vulnerabilities and Exploits

1.3.5   Common Vulnerabilities and Exposures

1.3.6   Common Vulnerability Scoring System

1.3.7   Vulnerability and Exploit Databases

1.3.8   Vulnerability Scanner

1.3.9   Exploit Collections

1.4   Authentication and Passwords

1.4.1   Password Rules

1.4.2   Phishing

1.4.3   Storage of Passwords (Hash Codes)

1.4.4   Alternatives to Passwords

1.4.5   Fast Identity Online

1.5   Security Risk IPv6

1.5.1   Security Complications

1.6   Legal Framework

1.6.1   Unauthorized Hacking Is Punishable by Law

1.6.2   Negligent Handling of IT Security Is Also a Criminal Offense

1.6.3   European General Data Protection Regulation

1.6.4   Critical Infrastructure, Banks

1.6.5   Security Guidelines and Standards

1.7   Security Organizations and Government Institutions

2   Kali Linux

2.1   Kali Alternatives

2.2   Trying Out Kali Linux without Installation

2.2.1   Verifying the Download

2.2.2   Verifying the Signature of the Checksum File

2.2.3   Trying Kali Linux in VirtualBox

2.2.4   Saving Data Permanently

2.2.5   Forensic Mode

2.3   Installing Kali Linux in VirtualBox

2.3.1   Option 1: Using a Prebuilt VirtualBox Image

2.3.2   Option 2: Installing Kali Linux Yourself

2.3.3   Installation

2.3.4   Login and sudo

2.3.5   Time Zone and Time Display

2.3.6   Network Connection

2.3.7   Using Kali Linux via SSH

2.3.8   Clipboard for Kali Linux and the Host Computer

2.4   Kali Linux and Hyper-V

2.5   Kali Linux in the Windows Subsystem for Linux

2.5.1   Kali Linux in Graphic Mode

2.5.2   WSL1 versus WSL2

2.5.3   Practical Experience

2.6   Kali Linux on Raspberry Pi

2.7   Running Kali Linux on Apple PCs with ARM CPUs

2.8   Simple Application Examples

2.8.1   Address Scan on the Local Network

2.8.2   Port Scan of a Server

2.8.3   Hacking Metasploitable

2.9   Internal Details of Kali

2.9.1   Basic Coverage

2.9.2   Package Sources

2.9.3   Rolling Release

2.9.4   Performing Updates

2.9.5   Installing Software

2.9.6   Python 2

2.9.7   Network Services and Firewall

2.9.8   kali-tweaks

2.9.9   Undercover Mode

2.9.10   PowerShell

3   Setting Up the Learning Environment: Metasploitable, Juice Shop

3.1   Honeypots

3.2   Metasploitable 2

3.2.1   Installation in VirtualBox

3.2.2   Network Settings

3.2.3   Host-Only Network

3.2.4   Using Metasploitable 2

3.2.5   Hacking Metasploitable 2

3.2.6   rlogin Exploit

3.3   Metasploitable 3 (Ubuntu Variant)

3.3.1   Why No Ready-Made Images?

3.3.2   Requirements

3.3.3   Installation

3.3.4   Starting and Stopping Metasploitable 3

3.3.5   Administrating Metasploitable 3

3.3.6   Network Configuration

3.3.7   Hacking Metasploitable 3

3.4   Metasploitable 3 (Windows Variant)

3.4.1   Administrating Metasploitable 3

3.4.2   SSH Login

3.4.3   Internal Details and Installation Variants

3.4.4   Overview of Services in Metasploitable 3 (Windows Variant)

3.4.5   Hacking Metasploitable 3

3.5   Juice Shop

3.5.1   Installation with Vagrant

3.5.2   Installation with Docker

3.5.3   Docker in Kali Linux

3.5.4   Hacking Juice Shop

4   Hacking Tools

4.1   nmap

4.1.1   Syntax

4.1.2   Examples

4.1.3   Variants and Alternatives

4.2   hydra

4.2.1   Syntax

4.2.2   Password Lists

4.2.3   Examples

4.2.4   Attacks on Web Forms and Login Pages

4.2.5   Alternatives

4.3   sslyze, sslscan, and testssl

4.3.1   sslscan and sslyze

4.3.2   testssl

4.3.3   Online Tests

4.4   whois, host, and dig

4.4.1   whois

4.4.2   host

4.4.3   dig

4.4.4   dnsrecon

4.5   Wireshark

4.5.1   Installation

4.5.2   Basic Functions

4.5.3   Working Techniques

4.5.4   Alternatives

4.6   tcpdump

4.6.1   Syntax

4.6.2   Examples

4.6.3   ngrep

4.7   Netcat (nc)

4.7.1   Syntax

4.7.2   Examples

4.7.3   socat

4.8   OpenVAS

4.8.1   Installation

4.8.2   Starting and Updating OpenVAS

4.8.3   Operation

4.8.4   Alive Test

4.8.5   Setting Up Tasks Yourself

4.8.6   High Resource Requirements

4.8.7   Alternatives

4.9   Metasploit Framework

4.9.1   Operation in Kali Linux

4.9.2   Installation on Linux

4.9.3   Installation on macOS

4.9.4   Installation on Windows

4.9.5   Updates

4.9.6   The Metasploit Console (“msfconsole”)

4.9.7   A Typical “msfconsole” Session

4.9.8   Searching Modules

4.9.9   Applying Modules

4.9.10   Meterpreter

4.10   Empire Framework

4.10.1   Installation

4.10.2   Getting to Know and Setting Up Listeners

4.10.3   Selecting and Creating Stagers

4.10.4   Creating and Managing Agents

4.10.5   Finding the Right Module

4.10.6   Obtaining Local Administrator Rights with the Empire Framework

4.10.7   The Empire Framework as a Multiuser System

4.10.8   Alternatives

4.11   The Koadic Postexploitation Framework

4.11.1   Installing the Server

4.11.2   Using Helper Tools in the Program

4.11.3   Creating Connections from a Client to the Server

4.11.4   Creating a First Connection: Zombie 0

4.11.5   The Modules of Koadic

4.11.6   Extending Rights and Reading Password Hashes

4.11.7   Conclusion and Countermeasures

4.12   Social Engineer Toolkit

4.12.1   Syntax

4.12.2   Example

4.12.3   The dnstwist Command

4.12.4   Other SET Modules

4.12.5   Alternatives

4.13   Burp Suite

4.13.1   Installation and Setup

4.13.2   Modules

4.13.3   Burp Proxy

4.13.4   Burp Scanner

4.13.5   Burp Intruder

4.13.6   Burp Repeater

4.13.7   Burp Extensions

4.13.8   Alternatives

4.14   Sliver

4.14.1   Installation

4.14.2   Implants and Listeners

4.14.3   Other C2 Frameworks

5   Offline Hacking

5.1   BIOS/EFI: Basic Principles

5.1.1   The Boot Process

5.1.2   EFI Settings and Password Protection

5.1.3   UEFI Secure Boot

5.1.4   When the EFI Is Insurmountable: Remove the Hard Drive

5.2   Accessing External Systems

5.2.1   Booting the Notebook with Kali Linux

5.2.2   Reading the Windows File System

5.2.3   Vault Files

5.2.4   Write Access to the Windows File System

5.2.5   Linux

5.2.6   macOS

5.2.7   Does That Mean That Login Passwords Are Useless?

5.3   Accessing External Hard Drives or SSDs

5.3.1   Hard Drives and SSDs Removed from Notebooks

5.4   Resetting the Windows Password

5.4.1   Tools

5.4.2   Undesirable Side Effects

5.4.3   Resetting the Local Windows Password Using chntpw

5.4.4   Activating a Windows Administrator User via chntpw

5.5   Resetting Linux and macOS Passwords

5.5.1   Resetting a Linux Password

5.5.2   Resetting a macOS Password

5.6   Encrypting Hard Drives

5.6.1   BitLocker

5.6.2   Access to BitLocker File Systems on Linux (dislocker)

5.6.3   BitLocker Security

5.6.4   BitLocker Alternatives

5.6.5   macOS: FileVault

5.6.6   Linux: Linux Unified Key Setup

5.6.7   Security Concerns Regarding LUKS

5.6.8   File System Encryption on the Server

6   Passwords

6.1   Hash Procedures

6.1.1   Hash Collisions

6.1.2   SHA-2 and SHA-3 Hash Codes

6.1.3   Checksums or Hash Codes for Downloads

6.2   Brute-Force Password Cracking

6.2.1   Estimating the Time Required for Password Cracking

6.3   Rainbow Tables

6.3.1   Password Salting

6.4   Dictionary Attacks

6.5   Password Tools

6.5.1   John the Ripper: Offline CPU Cracker

6.5.2   hashcat: Offline GPU Cracker

6.5.3   Crunch: Password List Generator

6.5.4   hydra: Online Cracker

6.5.5   makepasswd: Password Generator

6.5.6   One-Time Secret: Send Passwords by Email

6.6   Default Passwords

6.7   Data Breaches

6.8   Multifactor Authentication

6.9   Implementing Secure Password Handling

6.9.1   Implementation Tips

7   IT Forensics

7.1   Methodical Analysis of Incidents

7.1.1   Digital Traces

7.1.2   Forensic Investigation

7.1.3   Areas of IT Forensics

7.1.4   Analysis of Security Incidents

7.2   Postmortem Investigation

7.2.1   Forensic Backup of Memory

7.2.2   Recovering Deleted Files by File Carving

7.2.3   Metadata and File Analysis

7.2.4   System Analyses with Autopsy

7.2.5   Basic System Information

7.2.6   Reading the Last Activities

7.2.7   Analyzing Web Activities

7.2.8   Tracing Data Exchanges

7.3   Live Analysis

7.3.1   Finding User Data

7.3.2   Called Domains and URLs

7.3.3   Active Network Connections

7.3.4   Extracting the TrueCrypt Password

7.4   Forensic Readiness

7.4.1   Strategic Preparations

7.4.2   Operational Preparations

7.4.3   Effective Logging

7.4.4   Protection against Tampering

7.4.5   Integrity Verification

7.4.6   Digital Signatures

7.5   Summary

8   Wi-Fi, Bluetooth, and SDR

8.1   802.11x Systems: Wi-Fi

8.1.1   Preparation and Infrastructure

8.1.2   Wireless Equivalent Privacy

8.1.3   WPA/WPA-2: Wireless Protected Access

8.1.4   Wireless Protected Setup

8.1.5   Wi-Fi Default Passwords

8.1.6   WPA-2-KRACK Attack

8.1.7   WPA-2 Enterprise

8.1.8   Wi-Fi Client: Man-in-the-Middle

8.1.9   WPA-3

8.2   Collecting WPA-2 Handshakes with Pwnagotchi

8.3   Bluetooth

8.3.1   Bluetooth Technology

8.3.2   Identifying Bluetooth Classic Devices

8.3.3   Hiding (and Still Finding) Bluetooth Devices

8.3.4   Bluetooth Low Energy (BTLE)

8.3.5   Listening In on Bluetooth Low Energy Communication

8.3.6   Identifying Apple Devices via Bluetooth

8.3.7   Bluetooth Attacks

8.3.8   Modern Bluetooth Attacks

8.4   Software-Defined Radios

8.4.1   SDR Devices

8.4.2   Decoding a Wireless Remote Control

9   Attack Vector USB Interface

9.1   USB Rubber Ducky

9.1.1   Structure and Functionality

9.1.2   DuckyScript

9.1.3   Installing a Backdoor on Windows 11

9.1.4   Use With Duck Encoder to Create the Finished Payload

9.2   Digispark: A Wolf in Sheep’s Clothing

9.2.1   Downloading and Setting Up the Arduino Development Environment

9.2.2   The Script Language of the Digispark

9.2.3   Setting Up a Linux Backdoor with Digispark

9.3   Bash Bunny

9.3.1   Structure and Functionality

9.3.2   Configuring the Bash Bunny

9.3.3   Status LED

9.3.4   Software Installation

9.3.5   Connecting to the Bash Bunny

9.3.6   Connecting the Bash Bunny to the Internet: Linux Host

9.3.7   Connecting the Bash Bunny to the Internet: Windows Host

9.3.8   Bunny Script: The Scripting Language of the Bash Bunny

9.3.9   Using Custom Extensions and Functions

9.3.10   Setting Up a macOS Backdoor with Bash Bunny

9.3.11   The payload.txt Files for Switch1 and Switch2

9.3.12   Updating the Bash Bunny

9.3.13   Key Takeaways

9.4   P4wnP1: The Universal Talent

9.4.1   Structure and Functionality

9.4.2   Installation and Connectivity

9.4.3   HID Scripts

9.4.4   CLI Client

9.4.5   An Attack Scenario with the P4wnP1

9.4.6   Creating a Dictionary

9.4.7   Launching a Brute-Force Attack

9.4.8   Setting Up a Trigger Action

9.4.9   Deploying the P4wnP1 on the Target System

9.4.10   Key Takeaways

9.5   MalDuino W

9.5.1   The Web Interface of the MalDuino W

9.5.2   The Scripting Language and the CLI

9.5.3   An Attack Scenario with the MalDuino W

9.5.4   How Does the Attack Work?

9.5.5   Key Takeaways

9.6   Countermeasures

9.6.1   Hardware Measures

9.6.2   Software Measures

10   External Security Checks

10.1   Reasons for Professional Checks

10.2   Types of Security Checks

10.2.1   Open-Source Intelligence

10.2.2   Vulnerability Scan

10.2.3   Vulnerability Assessment

10.2.4   Penetration Test

10.2.5   Red Teaming

10.2.6   Purple Teaming

10.2.7   Bug Bounty Programs

10.2.8   Type of Performance

10.2.9   Depth of Inspection: Attacker Type

10.2.10   Prior to the Order

10.3   Legal Protection

10.4   Objectives and Scope

10.4.1   Sample Objective

10.4.2   Sample Worst-Case Scenarios

10.4.3   Sample Scope

10.5   Implementation Methods

10.6   Reporting

10.7   Selecting the Right Provider

11   Penetration Testing

11.1   Gathering Information

11.1.1   Searching for Information about a Company

11.1.2   Using Metadata of Published Files

11.1.3   Identifying the Structure of Email Addresses

11.1.4   Database and Password Leaks

11.1.5   Partial Automation with Maltego

11.1.6   Automating Maltego Transforms

11.1.7   Defense

11.2   Initial Access with Code Execution

11.2.1   Checking External IP Addresses of the PTA

11.3   Scanning Targets of Interest

11.3.1   Gathering Information via DNS

11.3.2   Detecting Active Hosts

11.3.3   Detecting Active Services with nmap

11.3.4   Using nmap in Combination with Metasploit

11.4   Searching for Known Vulnerabilities Using nmap

11.5   Exploiting Known Vulnerabilities Using Metasploit

11.5.1   Example: GetSimple CMS

11.6   Attacking Using Known or Weak Passwords

11.7   Email Phishing Campaigns for Companies

11.7.1   Organizational Preparatory Measures

11.7.2   Preparing a Phishing Campaign with Gophish

11.8   Phishing Attacks with Office Macros

11.9   Phishing Attacks with ISO and ZIP Files

11.9.1   Creating an Executable File with Metasploit

11.9.2   Creating a File with ScareCrow to Bypass Virus Scanners

11.9.3   Disguising and Deceiving: From EXE to PDF File

11.9.4   Defense

11.10   Attack Vector USB Phishing

11.11   Network Access Control and 802.1X in Local Networks

11.11.1   Getting to Know the Network by Listening

11.11.2   Network Access Control and 802.1X

11.12   Extending Rights on the System

11.12.1   Local Privilege Escalation

11.12.2   Bypassing Windows User Account Control Using the Default Setting

11.12.3   Bypassing UAC Using the Highest Setting

11.13   Collecting Credentials and Tokens

11.13.1   Reading Passwords from Local and Domain Accounts

11.13.2   Bypassing Windows 10 Protection against mimikatz

11.13.3   Stealing Windows Tokens to Impersonate a User

11.13.4   Matching Users with DCSync

11.13.5   Golden Ticket

11.13.6   Reading Local Password Hashes

11.13.7   Broadcasting within the Network by Means of Pass-the-Hash

11.13.8   Man-in-the-Middle Attacks in Local Area Networks

11.13.9   Basic Principles

11.13.10   LLMNR/NBT-NS and SMB Relaying

11.14   SMB Relaying Attack on Ordinary Domain Users

11.14.1   Command-and-Control

12   Securing Windows Servers

12.1   Local Users, Groups, and Rights

12.1.1   User and Password Properties

12.1.2   Local Admin Password Solution

12.2   Manipulating the File System

12.2.1   Attacks on Virtualized Machines

12.2.2   Protection

12.2.3   Attacking through the Registry

12.3   Server Hardening

12.3.1   Ensure a Secure Foundation

12.3.2   Harden New Installations

12.3.3   Protect Privileged Users

12.3.4   Threat Detection

12.3.5   Secure Virtual Machines as Well

12.3.6   Security Compliance Toolkit

12.4   Microsoft Defender

12.4.1   Defender Configuration

12.4.2   Defender Administration via PowerShell

12.5   Windows Firewall

12.5.1   Basic Configuration

12.5.2   Advanced Configuration

12.5.3   IP Security

12.6   Windows Event Viewer

12.6.1   Classification of Events

12.6.2   Log Types

12.6.3   Linking Actions to Event Logs

12.6.4   Windows Event Forwarding

12.6.5   Event Viewer Tools

13   Active Directory

13.1   What Is Active Directory?

13.1.1   Domains

13.1.2   Partitions

13.1.3   Access Control Lists

13.1.4   Security Descriptor Propagator

13.1.5   Standard Permissions

13.1.6   The Confidentiality Attribute

13.2   Manipulating the Active Directory Database or its Data

13.2.1   ntdsutil Command

13.2.2   dsamain Command

13.2.3   Accessing the AD Database via Backups

13.3   Manipulating Group Policies

13.3.1   Configuration Files for Group Policies

13.3.2   Example: Changing a Password

13.4   Domain Authentication: Kerberos

13.4.1   Kerberos: Basic Principles

13.4.2   Kerberos in a Theme Park

13.4.3   Kerberos on Windows

13.4.4   Kerberos Tickets

13.4.5   krbtgt Account

13.4.6   TGS Request and Reply

13.4.7   Older Authentication Protocols

13.5   Attacks against Authentication Protocols and LDAP

13.6   Pass-the-Hash Attacks: mimikatz

13.6.1   Setting up a Defender Exception

13.6.2   Windows Credentials Editor

13.6.3   mimikatz

13.6.4   The mimikatz “sekurlsa” Module

13.6.5   mimikatz and Kerberos

13.6.6   PowerSploit

13.7   Golden Ticket and Silver Ticket

13.7.1   Creating a Golden Ticket Using mimikatz

13.7.2   Silver Ticket and Trust Ticket

13.7.3   BloodHound

13.7.4   Deathstar

13.8   Reading Sensitive Data from the Active Directory Database

13.9   Basic Coverage

13.9.1   Core Server

13.9.2   Roles in the Core Server

13.9.3   Nano Server

13.9.4   Updates

13.9.5   Hardening the Domain Controller

13.10   More Security through Tiers

13.10.1   Group Policies for the Tier Model

13.10.2   Authentication Policies and Silos

13.11   Protective Measures against Pass-the-Hash and Pass-the-Ticket Attacks

13.11.1   Kerberos Reset

13.11.2   Kerberos Policies

13.11.3   Kerberos Claims and Armoring

13.11.4   Monitoring and Detection

13.11.5   Microsoft Advanced Threat Analytics: Legacy

13.11.6   Other Areas of Improvement in Active Directory

14   Securing Linux

14.1   Other Linux Chapters

14.2   Installation

14.2.1   Server Distributions

14.2.2   Partitioning the Data Medium

14.2.3   IPv6

14.3   Software Updates

14.3.1   Is a Restart Necessary?

14.3.2   Automating Updates

14.3.3   Configuring Automatic Updates on RHEL

14.3.4   Configuring Automatic Updates on Ubuntu

14.3.5   The Limits of Linux Update Systems

14.4   Kernel Updates: Live Patches

14.4.1   Kernel Live Patches

14.4.2   Kernel Live Patches for RHEL

14.4.3   Kernel Live Patches on Ubuntu

14.5   Securing SSH

14.5.1   sshd_config

14.5.2   Blocking the Root Login

14.5.3   Authentication with Keys

14.5.4   Authenticating with Keys in the Cloud

14.5.5   Blocking IPv6

14.6   2FA with Google Authenticator

14.6.1   Setting Up Google Authenticator

14.6.2   2FA with Password and One-Time Code

14.6.3   What Happens if the Smartphone Is Lost?

14.6.4   Authy as an Alternative to the Google Authenticator App

14.7   2FA with YubiKey

14.7.1   PAM Configuration

14.7.2   Mapping File

14.7.3   SSH Configuration

14.8   Fail2ban

14.8.1   Installation

14.8.2   Configuration

14.8.3   Basic Parameters

14.8.4   Securing SSH

14.8.5   Securing Other Services

14.8.6   Securing Custom Web Applications

14.8.7   Fail2ban Client

14.9   Firewall

14.9.1   From Netfilter to nftables

14.9.2   Basic Principles

14.9.3   Determining the Firewall Status

14.9.4   Defining Rules

14.9.5   Syntax for Firewall Rules

14.9.6   Example: Simple Protection of a Web Server

14.9.7   FirewallD: RHEL

14.9.8   firewall-cmd Command

14.9.9   ufw: Ubuntu

14.9.10   Firewall Protection in the Cloud

14.10   SELinux

14.10.1   Concept

14.10.2   The Right Security Context

14.10.3   Process Context: Domain

14.10.4   Policies

14.10.5   SELinux Parameters: Booleans

14.10.6   Status

14.10.7   Fixing SELinux Issues

14.11   AppArmor

14.11.1   AppArmor on Ubuntu

14.11.2   Rules: Profiles

14.11.3   Structure of Rule Files

14.11.4   Rule Parameters: Tunables

14.11.5   Logging and Maintenance

14.12   Kernel Hardening

14.12.1   Changing Kernel Options Using sysctl

14.12.2   Setting Kernel Boot Options in the GRUB Configuration

14.13   Apache

14.13.1   Certificates

14.13.2   Certificate Files

14.13.3   Apache Configuration

14.13.4   HTTPS Is Not HTTPS

14.14   MySQL and MariaDB

14.14.1   MySQL versus MariaDB

14.14.2   Login System

14.14.3   MySQL and MariaDB on Debian/Ubuntu

14.14.4   Securing MySQL on RHEL

14.14.5   Securing MariaDB on RHEL

14.14.6   Hash Codes in the “mysql.user” Table: Old MySQL and MariaDB Versions

14.14.7   Privileges

14.14.8   Server Configuration

14.15   Postfix

14.15.1   Postfix: Basic Settings

14.15.2   Sending and Receiving Emails in Encrypted Form

14.15.3   Spam and Virus Defense

14.16   Dovecot

14.16.1   Using Custom Certificates for IMAP and POP

14.16.2   SMTP Authentication for Postfix

14.17   Rootkit Detection and Intrusion Detection

14.17.1   chkrootkit

14.17.2   rkhunter

14.17.3   Lynis

14.17.4   ISPProtect

14.17.5   Snort

14.17.6   Verifying Files from Packages

14.17.7   Scanning for Suspicious Ports and Processes

15   Security of Samba File Servers

15.1   Preliminary Considerations

15.1.1   Compiling Samba, SerNet Packages

15.2   Basic CentOS Installation

15.2.1   Partitions

15.2.2   Disabling IPv6

15.2.3   Installing Samba Packages on CentOS

15.3   Basic Debian Installation

15.3.1   The Partitions

15.3.2   Disabling IPv6

15.3.3   Installing Samba Packages on Debian

15.4   Configuring the Samba Server

15.4.1   Configuring the Kerberos Client

15.5   Samba Server in Active Directory

15.5.1   Joining the Samba Server

15.5.2   Testing the Server

15.6   Shares on the Samba Server

15.6.1   File System Rights on Linux

15.6.2   File System Rights on Windows

15.6.3   Special Shares on a Windows Server

15.6.4   The Admin Share on Samba

15.6.5   Creating the Admin Share

15.6.6   Creating the User Shares

15.7   Changes to the Registry

15.7.1   Accessing the Registry from Windows

15.8   Samba Audit Functions

15.9   Firewall

15.9.1   Testing the Firewall Script

15.9.2   Starting Firewall Script Automatically

15.10   Attack Scenarios on Samba File Servers

15.10.1   Known Vulnerabilities in Recent Years

15.11   Checking Samba File Servers

15.11.1   Tests with nmap

15.11.2   Testing the Samba Protocols

15.11.3   Testing the Open Ports

15.11.4   smb-os-discovery

15.11.5   smb2-capabilities

15.11.6   ssh-brute

16   Intrusion Detection Systems

16.1   Intrusion Detection Methods

16.1.1   Pattern Recognition: Static

16.1.2   Anomaly Detection (Dynamic)

16.2   Host-Based versus Network-Based Intrusion Detection

16.2.1   Host-Based IDS

16.2.2   Network-Based IDS

16.2.3   NIDS Metadata

16.2.4   NIDS Connection Contents

16.3   Responses

16.3.1   Automatic Intrusion Prevention

16.3.2   Walled Garden

16.3.3   Swapping Computers

16.4   Bypassing and Manipulating Intrusion Detection

16.4.1   Insertions

16.4.2   Evasions

16.4.3   Resource Consumption

16.5   Snort

16.5.1   Installation and Launch

16.5.2   Getting Started

16.5.3   IDS or IPS

16.5.4   Configuration

16.5.5   Modules

16.5.6   Snort Event Logging

16.6   Snort Rules

16.6.1   Syntax of Snort Rules

16.6.2   Service Rules

16.6.3   General Rule Options

16.6.4   Matching Options

16.6.5   Hyperscan

16.6.6   Inspector-Specific Options

16.6.7   Managing Rule Sets with PulledPork

17   Security of Web Applications

17.1   Architecture of Web Applications

17.1.1   Components of Web Applications

17.1.2   Authentication and Authorization

17.1.3   Session Management

17.2   Attacks against Web Applications

17.2.1   Attacks against Authentication

17.2.2   Session Hijacking

17.2.3   HTML Injection

17.2.4   Cross-Site Scripting

17.2.5   Session Fixation

17.2.6   Cross-Site Request Forgery

17.2.7   Directory Traversal

17.2.8   Local File Inclusion

17.2.9   Remote File Inclusion

17.2.10   File Upload

17.2.11   SQL Injection

17.2.12   sqlmap

17.2.13   Advanced SQL Injection: Blind SQL Injection (Boolean)

17.2.14   Advanced SQL Injection: Blind SQL Injection (Time)

17.2.15   Advanced SQL Injection: Out-of-Band Data Exfiltration

17.2.16   Advanced SQL Injection: Error-Based SQL Injection

17.2.17   Command Injection

17.2.18   Clickjacking

17.2.19   XML Attacks

17.2.20   Server Side Request Forgery

17.2.21   Angular Template Injection

17.2.22   Attacks on Object Serialization

17.2.23   Vulnerabilities in Content Management Systems

17.3   Practical Analysis of a Web Application

17.3.1   Information Gathering

17.3.2   Testing SQL Injection

17.3.3   Directory Traversal

17.3.4   Port Knocking

17.3.5   SSH Login

17.3.6   Privilege Escalation

17.3.7   Automatic Analysis via Burp

17.4   Protection Mechanisms and Defense against Web Attacks

17.4.1   Minimizing the Server Signature

17.4.2   Turning Off the Directory Listing

17.4.3   Restricted Operating System Account for the Web Server

17.4.4   Running the Web Server in a “chroot” Environment

17.4.5   Disabling Unneeded Modules

17.4.6   Restricting HTTP Methods

17.4.7   Restricting the Inclusion of External Content

17.4.8   Protecting Cookies from Access

17.4.9   Server Timeout

17.4.10   Secure Socket Layer

17.4.11   HTTP Strict Transport Security

17.4.12   Input and Output Validation

17.4.13   Web Application Firewall

17.5   Security Analysis of Web Applications

17.5.1   Code Analysis

17.5.2   Analysis of Binary Files

17.5.3   Fuzzing

18   Software Exploitation

18.1   Software Vulnerabilities

18.1.1   Race Conditions

18.1.2   Logic Error

18.1.3   Format String Attacks

18.1.4   Buffer Overflows

18.1.5   Memory Leaks

18.2   Detecting Security Gaps

18.3   Executing Programs on x86 Systems

18.3.1   Memory Areas

18.3.2   Stack Operations

18.3.3   Calling Functions

18.4   Exploiting Buffer Overflows

18.4.1   Analysis of the Program Functionality

18.4.2   Creating a Program Crash

18.4.3   Reproducing the Program Crash

18.4.4   Analysis of the Crash

18.4.5   Offset Calculation

18.4.6   Creating the Exploit Structure

18.4.7   Generating Code

18.4.8   Dealing with Prohibited Characters

18.5   Structured Exception Handling

18.6   Heap Spraying

18.7   Protective Mechanisms against Buffer Overflows

18.7.1   Address Space Layout Randomization

18.7.2   Stack Canaries or Stack Cookies

18.7.3   Data Execution Prevention

18.7.4   SafeSEH and Structured Exception Handling Overwrite Protection

18.7.5   Protection Mechanisms against Heap Spraying

18.8   Bypassing Protective Measures against Buffer Overflows

18.8.1   Bypassing Address Space Layout Randomization

18.8.2   Bypassing Stack Cookies

18.8.3   Bypassing SafeSEH and SEHOP

18.8.4   Return-Oriented Programming

18.8.5   DEP Bypass

18.9   Preventing Buffer Overflows as a Developer

18.10   Spectre and Meltdown

18.10.1   Meltdown

18.10.2   Defense Measures

18.10.3   Proof of Concept (Meltdown)

18.10.4   Spectre

18.10.5   Proof of Concept (Spectre)

18.10.6   The Successors to Spectre and Meltdown

19   Bug Bounty Programs

19.1   The Idea Behind Bug Bounties

19.1.1   Providers

19.1.2   Variants

19.1.3   Earning Opportunities

19.2   Reporting Vulnerabilities

19.2.1   Testing Activities

19.3   Tips and Tricks for Analysts

19.3.1   Scope

19.3.2   Exploring the Response Quality of the Target Company

19.3.3   Take Your Time

19.3.4   Finding Errors in Systems or Systems with Errors

19.3.5   Spend Money

19.3.6   Get Tips, Learn from the Pros

19.3.7   Companies Buy Companies

19.3.8   Creating a Test Plan

19.3.9   Automating Standard Processes

19.4   Tips for Companies

20   Security in the Cloud

20.1   Overview

20.1.1   Arguments for the Cloud

20.1.2   Cloud Risks and Attack Vectors

20.1.3   Recommendations

20.2   Amazon Simple Storage Service

20.2.1   Basic Security and User Management

20.2.2   The aws Command

20.2.3   Encrypting Files

20.2.4   Public Access to Amazon S3 Files

20.2.5   Amazon S3 Hacking Tools

20.3   Nextcloud and ownCloud

20.3.1   Installing Nextcloud

20.3.2   Blocking Access to the “data Folder”

20.3.3   Performing Updates

20.3.4   File Encryption

20.3.5   Security Testing for ownCloud and Nextcloud Installations

20.3.6   Brute-Force Attacks and Protection

21   Securing Microsoft 365

21.1   Identities and Access Management

21.1.1   Azure Active Directory and Microsoft 365

21.1.2   User Management in AAD

21.1.3   Application Integration

21.2   Security Assessment

21.3   Multifactor Authentication

21.3.1   Preliminary Considerations

21.3.2   Enabling Multifactor Authentication for a User Account

21.3.3   User Configuration of Multifactor Authentication

21.3.4   App Passwords for Incompatible Applications and Apps

21.4   Conditional Access

21.4.1   Creating Policies

21.4.2   Conditions for Policies

21.4.3   Access Controls

21.5   Identity Protection

21.5.1   Responding to Vulnerabilities

21.6   Privileged Identities

21.6.1   Enabling Privileged Identities

21.6.2   Configuring a User as a Privileged Identity

21.6.3   Requesting Administrator Permissions

21.7   Detecting Malicious Code

21.7.1   Protection for File Attachments

21.7.2   Protection for Files in SharePoint Online and OneDrive for Business

21.7.3   Protection for Links

21.7.4   Protection for Links in Office Applications

21.8   Security in Data Centers

21.8.1   Encryption of Your Data

21.8.2   Access Governance

21.8.3   Audits and Privacy

22   Mobile Security

22.1   Android and iOS Security: Basic Principles

22.1.1   Sandboxing

22.1.2   Authorization Concept

22.1.3   Protection against Brute-Force Attacks when the Screen Is Locked

22.1.4   Device Encryption

22.1.5   Patch Days

22.2   Threats to Mobile Devices

22.2.1   Theft or Loss of a Mobile Device

22.2.2   Unsecured and Open Networks

22.2.3   Insecure App Behavior at Runtime

22.2.4   Abuse of Authorizations

22.2.5   Insecure Network Communication

22.2.6   Attacks on Data Backups

22.2.7   Third-Party Stores

22.3   Malware and Exploits

22.3.1   Stagefright (Android)

22.3.2   Pegasus (iOS)

22.3.3   Spy Apps

22.4   Technical Analysis of Apps

22.4.1   Reverse Engineering of Apps

22.4.2   Automated Vulnerability Analysis of Mobile Applications

22.5   Protective Measures for Android and iOS

22.5.1   Avoid Rooting or Jailbreaking

22.5.2   Update Operating Systems and Apps

22.5.3   Device Encryption

22.5.4   Antitheft Protection and Activation Lock

22.5.5   Lock Screen

22.5.6   Antivirus Apps

22.5.7   Two-Factor Authentication

22.5.8   Critical Review of Permissions

22.5.9   Installing Apps from Alternative App Stores

22.5.10   Using VPN Connections

22.5.11   Related Topic: WebAuthn and FIDO2

22.5.12   Using Android and iOS in the Enterprise

22.6   Apple Supervised Mode and Apple Configurator

22.6.1   Conclusion

22.7   Enterprise Mobility Management

22.7.1   Role and Authorization Management

22.7.2   Device Management

22.7.3   App Management

22.7.4   System Settings

22.7.5   Container Solutions Based on the Example of Android Enterprise

22.7.6   Tracking Managed Devices

22.7.7   Reporting

22.7.8   Conclusion

23   Internet of Things Security

23.1   What Is the Internet of Things?

23.2   Finding IoT Vulnerabilities

23.2.1   Shodan Search Engine for Publicly Accessible IoT Devices

23.2.2   Using Shodan

23.2.3   For Professionals: Filtering Using Search Commands

23.2.4   Printer Exploitation Toolkit

23.2.5   RouterSploit

23.2.6   AutoSploit

23.2.7   Consumer Devices as a Gateway

23.2.8   Attacks from the Inside via a Port Scanner

23.2.9   Sample Port Scan of an Entertainment Device

23.2.10   Local Network versus Internet

23.2.11   Incident Scenarios with Cheap IoT Devices

23.2.12   Danger from Network Operator Interfaces

23.3   Securing IoT Devices in Networks

23.4   IoT Protocols and Services

23.4.1   MQ Telemetry Transport

23.4.2   Installing an MQTT Broker

23.4.3   MQTT Example

23.4.4   $SYS Topic Tree

23.4.5   Securing the Mosquitto MQTT Broker

23.5   Wireless IoT Technologies

23.5.1   6LoWPAN

23.5.2   Zigbee

23.5.3   LoRaWAN

23.5.4   NFC and RFID

23.5.5   NFC Hacking

23.6   IoT from the Developer’s Perspective

23.6.1   Servers for IoT Operation

23.6.2   Embedded Linux, Android, or Windows IoT Devices

23.6.3   Embedded Devices and Controllers without Classic Operating Systems

23.7   Programming Languages for Embedded Controllers

23.7.1   C

23.7.2   C++

23.7.3   Lua

23.8   Rules for Secure IoT Programming

23.8.1   Processes as Simple as Possible

23.8.2   Short, Testable Functions

23.8.3   Transfer Values Must Be Checked in Their Entirety

23.8.4   Returning Error Codes

23.8.5   Fixed Boundaries in Loops

23.8.6   No Dynamic Memory Allocation (or as Little as Possible)

23.8.7   Make Dimensioning Buffers or Arrays Sufficiently Large

23.8.8   Always Pass Buffer and Array Sizes

23.8.9   Use Caution with Function Pointers

23.8.10   Enabling Compiler Warnings

23.8.11   String Copy for Few Resources

23.8.12   Using Libraries

A   The Authors

Index

Service Pages

Legal Notes

Preface

News coverage of hacking attacks and security breaches affecting millions, sometimes billions, of devices is ubiquitous. It has brought the topics of hacking and IT security increasingly to the fore in recent years and has also created an awareness among “normal users” that the security of IT infrastructure affects everyone.

Many computer, smartphone, or, more generally, internet users are in danger of resigning themselves to the many risks. It’s clear to most that “proper” passwords should be used and that updates should be applied regularly—but beyond that, users feel largely unprotected against the dangers of increasing digitization.

In fact, it’s primarily the task of administrators, IT managers, and software developers to ensure greater security. Increasingly stringent legal requirements and the loss of image associated with security breaches are forcing companies to take a more intensive look at security. It’s no longer enough for a device to simply work, for software to look “fancy,” or for smartphones to be packaged in stylish, ever-thinner cases. The hardware and software, along with the associated server and cloud infrastructure, must also be secure—at least as secure as is currently technically possible.

What Hacking Has to Do with Security

Hacking is the colloquial term for finding ways to bypass the security measures of a program or system or to exploit known security gaps. The goal is usually to read or manipulate private or secret data.

Hacking often has a negative context, but it’s not always a bad thing: when a company commissions a so-called penetration test to verify the security of its own IT infrastructure by external persons, the penetration testers use the same tools as criminal hackers. The same is true for security researchers trying to find new vulnerabilities. This is often done on behalf of or in collaboration with large IT companies, universities, or government security agencies. Whether a hacker is “good” or “bad” depends on how he or she behaves once a vulnerability has been discovered.

If you’re an administrator or IT manager responsible for the security of a system, you need to know the tools that hackers use. To defend yourself or your company, you need to know how attackers operate. In that respect, this book is very concerned with giving you an overview of the most important hacking tools and techniques. However, we don’t stop at that point. Rather, we’ll focus on how you can defend yourself against attackers, what defensive actions you can take, and where you can improve the configuration of your systems. To put it another way: for this book, hacking is the means, rather than the end. The goal is to achieve a higher level of safety.

About this Book

In this work, we want to provide a broad introduction to the topics of hacking and IT security. With almost 1,200 pages on offer, it may sound like an understatement to speak of an “introduction.” But the reality is that both hacking and security are immeasurably large areas of knowledge.

One could write a separate book on almost every topic we address in this book. In addition, there are all the special topics that we don’t even touch upon in our book. In a nutshell: don’t expect this book to be all-encompassing or that by reading it you will already be a hacking and security expert.

That being said, there has to be a starting point if you want to get into hacking and security. We tried our best to give you a good starting point with this book. Specifically, after an introduction to our range of topics, we’ll address the following subjects:

Kali Linux (distribution with a huge collection of hacking tools)

Metasploitable and Juice Shop (virtual test systems for trying out hacking)

Hacking tools (nmap, hydra, Metasploit, Empire, OpenVAS, SET, Burp, Wireshark, and so on)

Offline hacking; access to other people’s notebooks/hard drives

IT forensics

Password hacking; secure handling of passwords

Wi-Fi, Bluetooth, and radio communication

USB hacking and security

Implementation of external security checks

Penetration testing

Basic coverage of Windows and Linux, Active Directory, and Samba

Intrusion detection systems and Snort

Exploit basics of buffer overflows, fuzzing, heap spraying, microarchitecture vulnerabilities (Meltdown and Spectre)

Cloud security, focusing on Amazon S3, Nextcloud/ownCloud, Microsoft 365

Hacking and security of smartphones and other mobile devices

Attacking and securing web applications

Securing and secure development of IoT devices

Bug bounty programs

The wide range of topics explains why this book has not one author, but 11. A brief introduction to our team can be found at the end of the book.

What’s New in the Third Edition

For this edition, we’ve comprehensively updated the book and added much new content. This includes, in particular, the following:

IT forensics

Intrusion detection systems and Snort

Bug bounty programs

Sliver, Starkiller, and MalDuino

Purple teaming

Linux kernel hardening

Target Group

This book is intended for system administrators, security managers, developers, and IT professionals in general who already have some basic knowledge. To put it bluntly: you should at least know what PowerShell or a terminal is. And you must be willing to think across operating systems: neither hacking nor IT security is limited to Windows or Linux computers today.

Pure IT users, on the other hand, are not in the focus. Of course, training computer users is an indispensable aspect of improving IT security both at home and in businesses. However, a compilation of more or less trivial rules and tips on how to use computers, smartphones, and the internet in general safely and responsibly does not seem to us to serve a purpose in this technically oriented book.

Let’s Go!

Don’t be put off by the size of the subject area! We’ve tried to divide our book into manageable chapters. You can read most of them largely independently to learn the ropes step by step, gain hacking expertise, and develop a better understanding of how to better secure your own systems. You’ll quickly discover that a more in-depth look at hacking and security techniques is incredibly fascinating.

With our book, we hope to contribute to better management of IT security in the future than has been the case so far!

—Michael Kofler, on behalf of the entire team of authors

Foreword by Klaus Gebeshuber

Experience from numerous penetration tests shows that many administrators of computer systems and networks hardly know about the capabilities and audacity of hackers. An attacker needs exactly one vulnerability to penetrate a system; a defender needs to prevent many of the possible attacks. There are no rules; no path is off-limits to a hacker.

I’ve always been fascinated by the extreme creativity of and technical capabilities and variants that have been implemented by hackers. I’ve always wanted to know what the bad guys can do so I can use the knowledge to strengthen the good side. The book The Art of Intrusion by Kevin Mitnick (Wiley 2005) sparked my curiosity about the subject even more.

It is also a great concern of mine to show young people the fascinating technical possibilities on the one hand while also motivating their future work on the good side. The European Cyber Security Challenge, with local qualifications for pupils and students in 24 European countries and a European final, provides a great opportunity to discover and promote young security talents.

Foreword by Stefan Kania

I have often noticed that some aspects of security are ignored when it comes to Samba servers. Frequently, Samba shares are given permissions to prevent unauthorized access, but the security of the operating system is then sometimes neglected. A Linux host with Samba as a file server must always be viewed from two angles. I always address this in my seminars as well. For a long time, I wanted to describe this view of Samba systems in more detail.

That’s when I got the request from Rheinwerk Publishing for this book, which was exactly what I had imagined. It’s not just about configuring a Samba server, but about setting up a Samba server as securely as possible. The framework of the book covering various tools, services, and devices is also just right for the topic. So here’s a book that I myself have always wanted. I’m very pleased that I can now contribute to it with my chapter. I hope you, reader, will enjoy this book as much as I did.

Greeting

IT security is a topic that no one can ignore. The German public is regularly startled by hacking incidents: In 2020, a cyberattack on Duesseldorf University Hospital led to the hospital having to sign off on emergency care and cancel surgeries. In 2021, Bitkom reported that annual damages from hacker attacks had exceeded 220 billion euros. At the same time, the highest number of new malware variants ever measured was recorded. And recently, since the start of the war against Ukraine in February 2022, the full implications of cyberwar are also being felt.

Thus the motto is: IT security must be at the top of the priority list—for companies, organizations, and the public sector. But IT security should also play a more prominent role for private users.

Attacks on IT systems are very attractive for perpetrators. From online payments and business processes to cloud-based services and the Internet of Things (IoT), digital infrastructures offer a large field of attack. The anonymity of the web lowers the inhibition threshold for attempting such attacks.

Anyone who cuts corners when it comes to IT and data security is ill-advised. If, on the other hand, you succeed in teaching your own employees how hackers think and act, you’re already a big step closer to a robustly secured IT infrastructure. Those who understand their attackers are better defenders.

This compendium therefore goes in exactly the right direction with its concern: “For this book, hacking is the means, rather than the end. The goal is to achieve a higher level of safety,” the preface states. I can only support this: as managing director of SySS GmbH, I am responsible for 90 IT security consultants who do nothing else every day but “hack” our customers’ systems on demand.

Such penetration tests quickly and efficiently detect security gaps. IT managers can then fix them—before illegal hackers exploit them. At the same time, such a test and the associated final report also show our customers in detail how we act to detect and exploit weaknesses.

It is precisely such knowledge that is of inestimable importance when it comes to making one’s own systems ever more secure. The book Hacking and Security provides this know-how for practical use. I can only warmly recommend to anyone who is professionally involved in IT security to read it. Stay one step ahead of the “bad” hackers.

—Sebastian Schreiber, Managing Director SySS GmbH

1    Introduction

This chapter provides a first introduction to the huge topic of hacking and security and answers the following basic questions:

What is hacking? Are there good and bad hackers?

What is security?

Why is software so insecure?

What are attack vectors? Which attack vectors exist?

What are (zero-day) exploits?

What is the purpose of penetration testing?

What laws and standards apply to hacking and security?

Because you bought this book, you’re obviously interested in these topics and probably have prior knowledge. Nevertheless, we advise you to take a closer look at this relatively nontechnical chapter. It introduces terms and concepts used throughout the book. Even IT professionals, mostly specialists in a rather narrow field, are rarely familiar with the diverse terminology of the security world. Thus, not only is this chapter an introduction, but it also aims to provide a linguistic basis for a better understanding of all subsequent chapters.

1.1    Hacking

Wikipedia defines a hack as an action to break or bypass the security mechanisms of a system. A hack in this context is therefore an unintended way of breaking into a system, changing, manipulating, or destroying data. (A hack can also be a messy, quickly created solution to a problem or the misuse of a device to perform other tasks. But that’s not the subject of this book).

Accordingly, hacking is the search for hacks and a hacker is the person who deals with them. In the media, the term hacking is usually used in a negative or criminal context, but that’s not correct. Hacking in itself is value-neutral. Just as a knife can be used equally to cut vegetables or kill someone, finding a hack can be used to improve the security of a system or to attack the system and cause damage.

Rules also apply to hackers. On the one hand, laws prohibit any unauthorized data manipulation, sometimes including even the attempt to penetrate a computer system. On the other hand, the hacking community has repeatedly defined its own ethical rules. Admittedly, there’s no international standard for this. Rather, what a hacker may or should do depends heavily on cultural and political contexts. From this point of view, hackers are sometimes divided into three groups, although the boundaries cannot always be drawn exactly:

Responsible hackers abide by both laws and hacker ethics. They use their knowledge to improve the security of computer systems, share discovered security vulnerabilities with affected manufacturers, and so on. The term ethical hacking is used for this type of hacking.

Criminal or malicious hackers use their knowledge for criminal activities and accept that their activities cause damage.

In between there are hackers who don’t play by the rules but pursue higher goals, such as improving society or using technology more responsibly. There’s a large gray area here that makes a clear distinction between good and evil difficult or dependent on one’s social or political position.

Politically Correct?

The hacker types just outlined are often referred to as white hats, black hats, and grey hats. In 2020, security expert David Kleidermacher initiated a discussion about these terms because they could be interpreted in a racist way. Many members of the community, on the other hand, argue that white and black in this context have nothing to do with skin color, but with the dualism between day and night, or with the colors of hats in old Westerns. (In some such films, the villains wear black hats.) For more, see http://s-prs.co/v569600.

The derogatory term script kiddies refers to people who, without in-depth knowledge, carry out hacking attacks with programs or scripts that are easy to find on the internet and sometimes cause great damage. But it’s debatable whether script kiddies also count as hackers. In any case, the term cracker, which was suggested for better differentiation, has not caught on.

1.1.1    Hacking Contests, Capture the Flag

Hacking needs to be learned. Of course, you can read books like this one and try the techniques presented here yourself. Much more entertaining, and especially popular in IT student circles, are hacking competitions. In these competitions, participants are given access to specially prepared computer systems, usually in the form of virtual machines. The objective is often to penetrate the system and find hidden “treasures” (“flags”) in it as quickly as possible. The collective name for such competitions is capture the flag (CTF). Frequently, participants are not only individuals, but entire teams.

There are also variants of the classic CTF competitions in which, for example, each team receives a server. The goal then is to protect your own server against the attacks of the other teams and at the same time to attack and “conquer” the servers of the other teams. Individual subtasks are rewarded with points. The team that scores the most points is the winner.

There are various sites on the internet where virtual machines from former hacking competitions are available for download (search for “hacking ctf images”, for example). With these downloads, you can try the former competition content for yourself and see how far you would get. Often, there are also more or less concrete solution instructions (search for “hacking ctf writeups”).

Metasploitable and Other Virtual Machines for Practice

Beginners often are overwhelmed by the mostly very specific tasks in hacking contests. A better place to start is with purpose-built virtual machines or Docker images that use outdated versions of popular software. Moreover, these machines are prepared with various security vulnerabilities, which almost guarantees a certain sense of achievement.

We’ll introduce the most popular of these test systems in Chapter 3.

1.1.2    Penetration Test versus Hacking

A penetration test (pen test for short) is a comprehensive security test for a computer system (see also Chapter 10 and Chapter 11). Often a person or organization from outside the company is commissioned to do this. The pen testers try to act like hackers—that is, attack the system and find security gaps. This means that the same working techniques are applied. The main difference between hackers and pen testers is therefore not so much in the way they work as in the fact that pen testers have an explicit mandate for their work, and they do not manipulate or destroy data as part of their tests but report the defects they find so that they can then be fixed.

But pen testers have a big advantage over hackers: they don’t need to operate in secret. A hacker usually won’t start his attack with a large scan because its intensive tests will set all alarm bells ringing on a well-secured server. A pen tester acting in agreement with the company, on the other hand, can use such tools without any problem.

1.1.3    Hacking Procedure

When it comes to accessing foreign data, manipulating it, or otherwise causing damage to IT systems, there are many paths that lead to the goal:

Network hacking: In a sense, this is the “classic” type of hacking; it’s done via network connections. For example, it exploits insecure passwords, sloppy configuration, or known bugs to perform the attack. The goal is mostly to gain unrestricted access to the computer either directly or by guessing/listening to a password or password hash (root access). Variants of this are fictitious websites for password entry (phishing) or the exploitation of programming errors in order to execute one’s own code or SQL statements on websites (HTML injections, SQL injections, and so on; see Chapter 17).

Password hacking: Knowing the correct password provides the easiest way into the attacked computer. Accordingly, many techniques are aimed at finding a password. These include systematic cracking, logging of all keystrokes by software or hardware (key logging), reading and reusing password hashes, and so on. However, most of these methods already require access to the computer, either via the network or physically (e.g., to apply a USB key logger or to tap the wireless keyboard).

Backdoors: An attacker can save himself all hacking effort if he knows about a so-called backdoor into a program or even installs it himself. In the simplest case, this is a combination of a login name and password known only to the manufacturer, as is common for many routers, mainboards, and the like. It’s rarely possible to prevent these passwords from being discovered and published on the internet sooner or later. However, the backdoor also can use a much more sophisticated mechanism.

With open-source software, permanent backdoors can almost be ruled out; they would be conspicuous in the publicly accessible code. However, there have been cases in which a hacker has offered a modified version of an open-source program for download. Such manipulations are easy to accomplish and are often noticed only after some time has passed. That’s why it’s recommended to download software only from official websites in general and take the trouble to check the checksums. (In real life, of course, one must assume that at best only a few enthusiasts with an affinity for security will make this effort.)

The situation is quite different for commercial software for which source code isn’t available. There are countless conspiracy theories floating around the web that manufacturers or intelligence agencies routinely build backdoors into operating systems and communications software. After the Snowden revelations, this can’t be ruled out entirely. And as neither the existence nor the nonexistence of a backdoor can be proven due to the lack of source code, this uncertainty will prevail.

Bugdoors: It’s even more difficult to prove the existence of so-called bugdoors. These are errors—bugs—that pose a security problem and make it appear as if they were intentionally built in. Software contains errors; that’s incontrovertible wisdom. It’s impossible to say whether bugs were inserted on purpose without knowing the developers’ intentions. For this reason, it’s very difficult to work with this category. However, a bad taste remains when you look at the quality of the code that led to security vulnerabilities.

Viruses, worms, and other malicious software: A piece of malicious software (malware) is a program that performs unwanted functions on a computer or device. Depending on how such software spreads or is disguised, it can take the form of viruses, worms, Trojan horses, or backdoors.

The technical design adapts over time to the IT infrastructure currently in use. Whereas the first viruses were spread via floppy disks, email has become the most popular means of transfer in the last decade.

Malware is also extremely commonly encountered on smartphones (see Chapter 22). A classic example is a flashlight app in which, behind its intrinsically useful function, other functions for spying on the user are hidden. Today, the disguise is mostly better, but the idea has remained the same.

The objectives of malware also change and are subject to fashion trends. Encryption programs (ransomware) that first encrypt as many files on the hard drive as possible have been particularly popular recently. This has been driven to perfection by the Emotet malware, which has caused hundreds of millions of dollars in damage worldwide in recent years.

The key required to restore one’s own data after a ransomware attack can be purchased (ransomed) from the blackmailers. This business model works so well that criminals can combine predefined components and buy their own encryption Trojan on corresponding websites with just a few clicks (cybercrime as a service).

Denial of Service (DoS): Denial-of-service attacks have a completely different approach. Their sole purpose is to disrupt the operation of a company or access to a disliked website by sending so many requests that regular operation is no longer possible. DoS attacks work particularly well if a software bug can be exploited at the same time to specifically crash the server’s software.

Botnets are often used for DoS attacks. A botnet is a network of computers or devices that have been previously brought under the hacker’s control using other methods. A botnet can be used to coordinate and send hundreds of thousands of requests per second to a particular server until it becomes overwhelmed by the onslaught and stops responding properly. This type of attack is referred to as a distributed denial of service (DDoS).

Individual companies are usually not in a position to defend themselves against a targeted DDoS attack. This requires the help of the companies responsible for the internet infrastructure. These companies can, for example, intervene in large network nodes with filters or firewalls.

Particularly Dangerous in Combination

In practice, many attacks utilize multiple exploits and apply different methods simultaneously. Sophisticated hackers always manage to carry out a successful attack by combining vulnerabilities that are relatively harmless in themselves.

1.1.4    Hacking Targets

The number of hacking targets has increased dramatically in recent years. While “classic” hacking was directed against computers or servers, it’s now also necessary to keep an eye on smartphones and all networked devices. These include network routers, switches, firewalls, printers, TVs, Wi-Fi- or Bluetooth-enabled loudspeakers, automatic vacuum cleaners, web cameras, other electronic devices and gadgets (Internet of Things [IoT] devices), heating, ventilation, and shading systems (home automation), electronic doors and locks, cars, airplanes, medical equipment, industrial facilities, and much more.

The cloud is a topic in itself. By its very nature, the cloud consists of computers or virtual machines that can be attacked as such. At the same time, however, the cloud system as a whole is also a target for attack: countless secret documents have already been downloaded from the Amazon cloud because an administrator overlooked the fact that the directories in question were publicly accessible without any protection. (However, it’s debatable whether taking advantage of such negligence has anything to do with hacking).

Attacks on subcomponents of a device, such as a Wi-Fi chip or a CPU, go in a completely different direction. For example, in the fall of 2017, it emerged that many Intel CPUs produced over a two-year period have a mini operating system with management functions at the lowest level—the management engine. (Strictly speaking, this is an adapted Minix—that is, a tiny Unix variant developed for training purposes).

One might argue about who needs such functions at all, but the matter becomes disastrous when it turns out that the CPU and any software running on it can be attacked via these management functions due to basic and partly trivial errors. It’s no wonder that some critics even suspect a backdoor here.

In early 2018, the next CPU-level security disaster was revealed: A flaw in several CPU architectures, which is particularly severe in Intel models, allows processes to access isolated memory areas of other processes. The error is so elementary that there is a whole range of attack variants. The two most important ones were given the names Meltdown and Spectre (see Chapter 18, Section 18.10).

These bugs affect billions of devices. Updates on the CPU level (via microcode updates) are only partially possible. For this reason, all operating systems (Windows, macOS, Linux, iOS, Android) and web browsers have to be adapted so that their code virtually bypasses the CPU bug—at the price of reduced system performance. Because many devices will never receive the required updates, this bug will probably have an impact for years to come.

Meltdown and Spectre were unfortunately just the beginning. Once on the right track, security researchers found a whole series of related vulnerabilities. Although there are bug fixes for these as well, they are associated with further speed losses.

Similarly problematic to CPU errors are errors in GPUs or in network chips. For example, the Kr00k security gap, which affects Wi-Fi chips made by Broadcom and Cypress, was discovered at the beginning of 2020. These chips are estimated to be installed in more than 1 billion devices (mainly smartphones)! While software updates are available, it’s unclear how many devices will ever receive these updates.

You can see that errors at the hardware or firmware level are becoming more and more frequent, and their scope is enormous—on the one hand, such errors can be exploited regardless of the operating system, and on the other hand, they are particularly difficult to fix through updates. Although firmware updates are possible for most chips, their implementation is complicated in many operating systems, and not provided for at all with others. For employees responsible for the security of a company or organization, this is a nightmare: Do all PCs, smartphones, routers, and so on that do not have a firmware update available now have to be taken out of service? Who will pay or justify the associated costs?

Instead of attacking hardware components, hackers can also exploit flaws in software components, such as programming errors in libraries or design flaws in application programming interfaces (APIs). The best-known example from the recent past is Log4Shell. The hack targets the very popular open-source library Log4j, which many Java programs use to log messages. Unfortunately, in 2021 it emerged that, in many programs using Log4j, the library provides an almost trivially easy way to execute foreign code—a paradise for any hacker.

In this case, it’s even debatable whether the library is or was defective at all: the library has worked exactly as documented since 2013, offering a particularly elegant logging syntax. That this mechanism can also be misused did not become known until eight years later.

The faulty behavior (or rather, the overly general applicability of the feature) was quickly fixed after it became known. Nevertheless, countless vulnerable programs are still in use today. Every program that uses Log4j must be recompiled and then updated on the customer’s side or on each respective computer or device. And this is precisely where the problem lies: there is a lot of software that is no longer maintained or for which the distribution of updates (e.g., in IoT devices) is very costly.

1.1.5    Hacking Tools

To facilitate hacking, countless programs have been developed. The range extends from simple scripts for a network scan to comprehensive analysis tools that systematically scan a server or device for all known security gaps and problems.

In addition, there are programs that were originally designed to analyze network, Wi-Fi, or Bluetooth issues or for similar tasks, but which can of course be perfectly misused for other purposes. Much of this software is available free of charge on the internet, often even in source code (open-source concept).

In addition, there are companies that focus on this segment and sell software for very specific hacking tasks, sometimes in an upscale price segment for elite target groups (police, intelligence agencies, military, international security companies).

In this book, we’ll focus on common tools that are available for free and are correspondingly common in practice (see Chapter 4). Instead of searching for and downloading each hacking tool separately, many hackers and pen testers turn to complete toolboxes that provide a huge collection of tools in the form of a toolkit. The best known toolkit in this context is Kali Linux (see Chapter 2), a Linux distribution that bundles several thousand hacking programs that run on Linux.

Hacking Hardware

Hacking tools are by no means limited to software. An entire market has now established itself for hacking hardware. The range starts with simple “gadgets” that look like a USB stick but behave like a keyboard and quickly open PowerShell on Windows, download malware with a command, and execute it. If the target doesn’t manage to stop this process within two or three seconds, then it’s already too late.

However, there are also much more intelligent devices, which in fact are inconspicuously packaged mini computers. If the hacker manages to place these devices correctly (this usually requires physical access to the target’s computer), he can use them to hack into network, USB, or Bluetooth communications or perform other tasks.

In Chapter 9, we’ll introduce some such hacking gadgets and show you how you can protect yourself against them. A whole range of other hacking devices has been developed over the last few years.

Finally, the Raspberry Pi is recommended as an easy entry into the world of hacking hardware: This minicomputer is not designed for hacking tasks, but it can be configured as a Wi-Fi access point in no time. Hackers can use it, for example, to try to lure their targets into a free, but unfortunately unencrypted, Wi-Fi connection. Subsequently, all sorts of nastiness can be realized, such as manipulating DNS records to redirect the target to phishing websites.