Hands on Hacking - Matthew Hickey - E-Book

Description

A fast, hands-on introduction to offensive hacking techniques

Hands-On Hacking teaches readers to see through the eyes of their adversary and apply hacking techniques to better understand real-world risks to computer networks and data. Readers will benefit from the author's years of experience in the field hacking into computer networks and ultimately training others in the art of cyber-attacks. This book pulls no punches and explains the tools, tactics and procedures used by ethical hackers and criminal crackers alike. We will take you on a journey through a hacker's perspective when focused on the computer infrastructure of a target company, exploring how to access the servers and data. Once the information gathering stage is complete, you'll look for flaws and their known exploits, including tools developed by real-world government-financed state actors.

* An introduction to the same hacking techniques that malicious hackers will use against an organization
* Written by infosec experts with a proven history of publishing vulnerabilities and highlighting security flaws
* Based on the tried and tested material used to train hackers all over the world in the art of breaching networks
* Covers the fundamental basics of how computer networks are inherently vulnerable to attack, teaching the student how to apply hacking skills to uncover vulnerabilities

We cover topics of breaching a company from the external network perimeter, hacking internal enterprise systems and web application vulnerabilities. Delving into the basics of exploitation with real-world practical examples, you won't find any hypothetical, academic-only attacks here. From start to finish this book will take the student through the steps necessary to breach an organization to improve its security. Written by world-renowned cybersecurity experts and educators, Hands-On Hacking teaches entry-level professionals seeking to learn ethical hacking techniques.
If you are looking to understand penetration testing and ethical hacking, this book takes you from basic methods to advanced techniques in a structured learning format.

Page count: 1053

Year of publication: 2020

Table of Contents

Cover

Foreword

Introduction

Who Should Read This Book

What You Will Learn

How This Book Is Organized

Hardware and Software Requirements

How to Use This Book

How to Contact the Authors

Chapter 1: Hacking a Business Case

All Computers Are Broken

The Stakes

Blue, Red, and Purple Teams

Hacking is Part of Your Company's Immune System

Summary

Chapter 2: Hacking Ethically and Legally

Laws That Affect Your Work

Criminal Hacking

Hacking Neighborly

Legally Gray

Penetration Testing Methodologies

Authorization

Responsible Disclosure

Bug Bounty Programs

Legal Advice and Support

Hacker House Code of Conduct

Summary

Chapter 3: Building Your Hack Box

Hardware for Hacking

Linux or BSD?

Host Operating Systems

Verifying Downloads

Disk Encryption

Essential Software

Setting Up VirtualBox

Guest Additions

Testing Your Virtual Environment

Creating Vulnerable Servers

Summary

Chapter 4: Open Source Intelligence Gathering

Does Your Client Need an OSINT Review?

What Are You Looking For?

Where Do You Find It?

OSINT Tools

Grabbing Email Addresses from Google

Google Dorking the Shadows

A Brief Introduction to Passwd and Shadow Files

The Google Hacking Database

Have You Been “Pwned” Yet?

OSINT Framework Recon-ng

Recon-ng Under the Hood

Harvesting the Web

Document Metadata

Maltego

Social Media Networks

Shodan

Protecting Against OSINT

Summary

Chapter 5: The Domain Name System

The Implications of Hacking DNS

A Brief History of DNS

The DNS Hierarchy

A Basic DNS Query

Authority and Zones

DNS Resource Records

BIND9

DNS Hacking Toolkit

Finding Hosts

Finding the SOA with Dig

Hacking a Virtual Name Server

Port Scanning with Nmap

Digging for Information

Information Leak CHAOS

Zone Transfer Requests

Information-Gathering Tools

Searching for Vulnerabilities and Exploits

DNS Traffic Amplification

Metasploit

Carrying Out a Denial-of-Service Attack

DoS Attacks with Metasploit

DNS Spoofing

DNS Cache Poisoning

DNS Cache Snooping

DNSSEC

Fuzzing

Summary

Chapter 6: Electronic Mail

The Email Chain

Message Headers

Delivery Status Notifications

The Simple Mail Transfer Protocol

Sender Policy Framework

Scanning a Mail Server

Mail Software

User Enumeration via Finger

Brute-Forcing the Post Office

The Nmap Scripting Engine

CVE-2014-0160: The Heartbleed Bug

Exploiting CVE-2010-4345

Exploiting CVE-2017-7692

Summary

Chapter 7: The World Wide Web of Vulnerabilities

The World Wide Web

The Hypertext Transfer Protocol

Uniform Resource Identifiers

LAMP: Linux, Apache, MySQL, and PHP

Creepy Crawlers and Spiders

The Web Server Hacker's Toolkit

Port Scanning a Web Server

Manual HTTP Requests

Web Vulnerability Scanning

Guessing Hidden Web Content

Uploading Files

HTTP Authentication

Common Gateway Interface

Shellshock

SSL, TLS, and Heartbleed

Web Administration Interfaces

Web Proxies

Privilege Escalation

Summary

Chapter 8: Virtual Private Networks

What Is a VPN?

Internet Protocol Security

Internet Key Exchange

Transport Layer Security and VPNs

User Databases and Authentication

The NSA and VPNs

The VPN Hacker's Toolkit

VPN Hacking Methodology

Port Scanning a VPN Server

IKE-scan

OpenVPN

LDAP

OpenVPN and Shellshock

Exploiting CVE-2017-5618

Summary

Chapter 9: Files and File Sharing

What Is Network-Attached Storage?

File Permissions

NAS Hacking Toolkit

Port Scanning a File Server

The File Transfer Protocol

The Trivial File Transfer Protocol

Remote Procedure Calls

Server Message Block

Rsync

Network File System

NFS Privilege Escalation

Searching for Useful Files

Summary

Chapter 10: UNIX

UNIX System Administration

Solaris

UNIX Hacking Toolbox

Port Scanning Solaris

Telnet

Secure Shell

RPC

R-services

The Simple Network Management Protocol

The Common UNIX Printing System

The X Window System

Cron and Local Files

The Common Desktop Environment

Summary

Chapter 11: Databases

Types of Databases

Structured Query Language

User-Defined Functions

The Database Hacker's Toolbox

Common Database Exploitation

Port Scanning a Database Server

MySQL

PostgreSQL

Escaping Database Software

Oracle Database

MongoDB

Redis

Privilege Escalation via Databases

Summary

Chapter 12: Web Applications

The OWASP Top 10

The Web Application Hacker's Toolkit

Port Scanning a Web Application Server

Using an Intercepting Proxy

Manual Browsing and Mapping

Spidering

Identifying Entry Points

Web Vulnerability Scanners

Finding Vulnerabilities

Injection

Broken Authentication

Sensitive Data Exposure

XML External Entities

Broken Access Controls

Security Misconfiguration

Cross-Site Scripting

Insecure Deserialization

Known Vulnerabilities

Insufficient Logging and Monitoring

Privilege Escalation

Summary

Chapter 13: Microsoft Windows

Hacking Windows vs. Linux

Setting Up a Windows VM

A Windows Hacking Toolkit

Windows and the NSA

Port Scanning Windows Server

Microsoft DNS

Internet Information Services

Kerberos

Golden Tickets

NetBIOS

LDAP

Server Message Block

ETERNALBLUE

Enumerating Users

Microsoft RPC

Task Scheduler

Remote Desktop

The Windows Shell

PowerShell

Meterpreter

Hash Dumping

Passing the Hash

Privilege Escalation

Getting SYSTEM

Alternative Payload Delivery Methods

Bypassing Windows Defender

Summary

Chapter 14: Passwords

Hashing

The Password Cracker's Toolbox

Cracking

Hash Tables and Rainbow Tables

Adding Salt

Into the /etc/shadow

Different Hash Types

Pseudo-hashing

Microsoft Hashes

Guessing Passwords

The Art of Cracking

Random Number Generators

Summary

Chapter 15: Writing Reports

What Is a Penetration Test Report?

Common Vulnerabilities Scoring System

Report Writing as a Skill

What Should a Report Include?

Executive Summary

Technical Summary

Assessment Results

Supporting Information

Taking Notes

Proofreading

Delivery

Summary

Index

End User License Agreement

List of Tables

Chapter 5

Table 5.1 A Well-Presented DNS Zone File

Chapter 6

Table 6.1 DSN Information

Chapter 11

Table 11.1 Default Oracle Database usernames and passwords

List of Illustrations

Chapter 3

Figure 3.1 VirtualBox's Host Network Manager

Figure 3.2 The Host Network Manager showing a network named vboxnet0

Figure 3.3 Enabling DHCP

Figure 3.4 Adapter settings

Figure 3.5 Creating a Kali Linux virtual machine

Figure 3.6 Creating a virtual hard disk

Figure 3.7 Virtual storage devices

Figure 3.8 Configuring virtual adapter 1

Figure 3.9 Configuring virtual adapter 2

Figure 3.10 Kali boot menu

Figure 3.11 Setting up a lab

Figure 3.12 The Hands-on Hacking live CD boot menu

Figure 3.13 The Hands-on Hacking mail server login prompt

Chapter 4

Figure 4.1 Google dorking the Higher Education Commission of Pakistan

Figure 4.2 Recon-ng OSINT HUMINT profile collector results

Figure 4.3 SQLite browser

Figure 4.4 Maltego email search

Chapter 5

Figure 5.1 The DNS hierarchy

Figure 5.2 DNS zones

Figure 5.3 A DNS query captured with Wireshark

Figure 5.4 A DNS response captured with Wireshark

Figure 5.5 A malformed DNS packet viewed with Wireshark

Chapter 6

Figure 6.1 The email chain

Figure 6.2 The Sendmail Wizard

Figure 6.3 Wizard source

Figure 6.4 Mail server web login

Figure 6.5 NSE script discoverer

Figure 6.6 The heartbleed bug

Chapter 7

Figure 7.1 A basic representation of the LAMP stack

Figure 7.2 Nmap scan results viewed in a web browser

Figure 7.3 Running the id command via PHP

Figure 7.4 HTTP authentication dialog

Figure 7.5 Webmin administrator panel

Figure 7.6 Webmin command injection viewed with Wireshark

Figure 7.7 phpMyAdmin administrator panel

Figure 7.8 A Squid error page

Chapter 8

Figure 8.1: A typical OpenVPN web login form

Figure 8.2: Our virtual VPN server's home page

Figure 8.3: A portal accessible after authenticating to the VPN

Figure 8.4: phpLDAPadmin

Chapter 9

Figure 9.1: Unix file permissions

Chapter 10

Figure 10.1: A typical Solaris desktop

Figure 10.2: A CUPS web interface

Figure 10.3: Editing a printer configuration file

Figure 10.4: Locked Solaris 10 desktop

Figure 10.5: The id command run via Xdotool

Chapter 12

Figure 12.1: Burp Suite initial screen

Figure 12.2: Burp Suite configuration

Figure 12.3: Burp Suite's default view

Figure 12.4: Burp Suite's dashboard

Figure 12.5: Burp Suite's Proxy tab

Figure 12.6: Burp Suite proxy options

Figure 12.7: Firefox ESR preferences

Figure 12.8: Firefox connection settings

Figure 12.9: An intercepted HTTP request

Figure 12.10: An HTTP response viewed in Burp Suite

Figure 12.11: Burp Suite's Site Map tool

Figure 12.12: Burp Suite CA Certificate

Figure 12.13: Saving Burp Suite's CA Certificate

Figure 12.14: Firefox's Privacy & Security preferences

Figure 12.15: Firefox's Certificate Manager

Figure 12.16: Trusting PortSwigger CA

Figure 12.17: Potential security risk warning

Figure 12.18: Accept The Risk And Continue Button

Figure 12.19: The book lab's web application (1)

Figure 12.20: The book lab's web application (2)

Figure 12.21: ZAP's main screen

Figure 12.22: ZAP Spider dialog box

Figure 12.23: ZAP's Spider sending HTTP requests

Figure 12.24: ZAP's Alerts tab

Figure 12.25: Derpy Pony Picture Viewer

Figure 12.26: BeEF control panel

Figure 12.27: Hooked browsers in BeEF

Figure 12.28: Current browser commands

Chapter 13

Figure 13.1 Windows domain showing various hosts and services

Figure 13.2 A Windows domain tree

Figure 13.3 A Windows forest

Figure 13.4 Windows Server 2019

Figure 13.5 The default web page of Microsoft IIS

Figure 13.6 Wana Decrypt0r 2.0

Figure 13.7 Using Remmina to connect via RDP to a Windows Server host

Figure 13.8 Windows Services

Figure 13.9 Themida - a VM packing tool.

Chapter 14

Figure 14.1: GPU cracking with John the Ripper

Figure 14.2: FPGA used for cracking hashes

Figure 14.3: A German Enigma machine

Chapter 15

Figure 15.1: NIST NVD CVSS v3.1 calculator results

Figure 15.2: Dradis Community Edition

Figure 15.3: Logging in to Dradis CE

Figure 15.4: Dradis CE Project Summary view

Figure 15.5: Methodologies in Dradis CE

Figure 15.6: Exporting results from Dradis CE

Hands on Hacking

Matthew Hickey

with

Jennifer Arcuri

Foreword

This foreword was written by Rey Bango, who is a security advocate at Microsoft focused on helping the community build secure systems and being a voice for the security practitioners within Microsoft. Rey transitioned to cybersecurity after nearly 30 years as a software developer.

I never envisioned becoming a cybersecurity professional. I had been a software developer for so long that the thought of shifting careers hadn't really crossed my mind. I think that I was similar to other developers in that security was an IT problem—not a software problem—so why should I worry about it? Boy, was I ever wrong.

The reality is that the efforts of bad actors continue to evolve as they attempt to bypass the defenses that companies put up. As companies push toward cloud-native managed solutions, focusing on infrastructure attacks has become more costly and time-consuming. In the world of cybercrime, time is money. So, finding easier entry points is a much wiser investment for many cybercriminals.

This is where web services come in. Developers are bound to make mistakes (we're human, after all) as they build systems, whether it's poorly sanitized input or accidentally leaving an API key exposed in a public git repo. These mistakes can be costly, and it's what got me to look into the security field.

I always envisioned bad actors who focused on the infrastructure side, poking holes in operating systems and system services to gain network access or using misconfigurations to glean valuable information. More and more, though, articles started appearing about how these same bad actors were leveraging poorly designed applications and software frameworks to compromise systems—even gaining full network access! This both scared me and piqued my interest. I wanted to learn more.

The Internet holds a wealth of information on how to “hack something,” but trying to piece together all of this information into something digestible for someone new to security can be a daunting task. The glut of information can easily overwhelm beginners and make them question whether cybersecurity is the right choice for them. This happened to me. I was quickly overwhelmed by the volume of security blog posts, videos, and tools that were great in and of themselves but that didn't offer a cohesive layout as to where they fit into the security picture. I wanted a structured way of learning the techniques used by security professionals to test their systems. That's where Hacker House came in.

Hacker House provided a curriculum that allowed me to develop the foundational skills necessary to understand how bad actors work. They answered not only “how” certain attacks are launched but also “why” specific techniques and tools are used in different scenarios.

The first time I popped a shell in class, I got that “aha!” moment that I sorely needed to grok how someone could remotely control another system. It allowed me to see how easily a network could be taken over by not properly sanitizing an upload and allowing a webshell to be installed. This was the reality check that I needed as a developer to understand that security touches everything.

I've since moved into a cybersecurity role at Microsoft, and one of the things that I've learned is that the cybersecurity field is a never-ending learning opportunity with many disciplines to dive into. You'll always be challenged because bad actors will continue to push the boundaries. However, breaking into it will be the biggest challenge you face. I urge you to take the time to find a course that will set you up for success and a mentor who will take an interest in your career. I was fortunate to have Hacker House to guide me down my path.

—Rey Bango

Introduction

Welcome to our book on hacking. We believe there aren't too many books quite like this one. Yes, there are countless books out there about hacking (and information security, penetration testing, and so forth), but how many of those books give you everything that you need to start hacking your first computer systems, in a safe way, right from the get-go? Three labs are provided with this book—hacking sandboxes if you will—that you can run on your existing laptop or desktop computer. By using these labs, you will be able to try out various tools and techniques—the same ones as those used by malicious hackers today—without risk either to yourself or to the outside world. We will show you exactly how to hack these systems using open source tools that can be downloaded for free. You do not need to purchase anything else to try all of the practical exercises that we have included.

This book comes to you from the people behind Hacker House, a company specializing in online cybersecurity training and penetration testing services. Since its humble beginnings in east London in 2014, one of the recurring themes of Hacker House gatherings (we used to do a lot of meetups and events) has been how to properly identify talent and endorse cyber skills. We wanted to understand how we could capture the rebellious spirit of hacking—the one that causes hackers to question authority and the ways in which systems work. It was Jennifer Arcuri who first set about creating a company that could harness the potential of computer hacking and make it a usable asset for companies looking to bolster security, later joined by co-founder Matthew Hickey, who created content and technical resources to facilitate the Hacker House mission.

It's a rare day where there isn't some big “hack” that costs a company millions of dollars in losses or where identities are stolen or some other data theft takes place. One of the biggest reasons why companies are failing at security is because they don't have the right cyber skills on their IT teams. Even if they hire an outside consultant, there is still no guarantee that the missing patches and security flaws that have been pointed out have now been resolved and that the company's data is indeed secure and protected from further attack.

We wrote this book with a vision toward a better way of developing cyber skills. Training consultants to become well versed in theory hasn't actually helped the landscape of attacks—we are still thousands of jobs short for what is an industry that is growing faster than we can keep up with it.

The content of this book started life as a training course, comprising 12 modules taught over 4 days in a classroom environment. That course can now be accessed online by anyone with an Internet connection from anywhere in the world. This book takes the hacking techniques and tools covered in that course and presents them as a written guide, with an emphasis on practical skills—that is, actually trying things out. We have taken the numerous labs used in our course and given you everything that you need in three labs. The same tools used by students in the course are also available to you. Unlike the training course, however, this book assumes less prior knowledge and gives you a deeper insight into the background theory of each technology that we hack. Instead of 12 modules, there are 15 chapters that closely follow the format of our tried-and-tested training course, but with additional content, including a chapter dedicated to report writing, a chapter for executives, and a chapter explaining how to configure your own computer system for the purpose of hacking.

The concepts taught in this book explain the mindset used by adversaries, the tools used, and the steps taken when attempting to breach a company and steal data. This knowledge could be seen as dual use: it equips defenders with the skills needed to stop adversaries, yet it also teaches the skills used by malicious adversaries. We won't teach you how not to get caught, but everything in this book has been designed to showcase how attackers target networks and access information. Many of the attacks demonstrated are based on real systems that our team has breached and encompass a broad spectrum of information security problems.

Our hope is that after learning about a different way of approaching computer security, you will contribute to the next generation of solutions within industry. We seek not only to teach and train you to be ready for employment but also to instill techniques that will shape the way that new tools and exploits are used to protect companies' digital assets.

Information security is an industry with many fun and exciting opportunities, and we encourage all those who want to try something that is relevant to our society to explore this book. Whatever your job in technology, isn't it time you learned how to protect yourself against modern cyber threats?

Who Should Read This Book

The book is aimed not only at those seeking an introduction to the world of ethical hacking and penetration testing, but also at every network or system administrator and Chief Information Security Officer (CISO) out there who is ready to take security seriously. We believe that to comprehend fully how a company will be targeted and breached, one must think and act like the assailant. Some readers will be happy reading through this book and gaining unique insight into the mind of an adversary. For those who want to take it further, there are practical exercises throughout. Those who fully master the content will have learned the skills required to conduct penetration tests, either within the company for which they work or for external clients, and find critical security flaws.

Hands on Hacking is essential reading for anyone who has recently taken on information security responsibilities in their workplace. Readers may not yet have started their career in IT, but this book will give them a thorough understanding of issues that affect any computer user. Readers will need a healthy interest in computing to get the most from the content, but little practical experience is actually required. We will delve into the various technologies—the protocols that make up the Internet, the World Wide Web, and internal networks—before looking at how to hack them.

We focus on Linux in this book, but even if you have little knowledge or experience with this operating system, we'll hold your hand throughout, and soon you'll become competent with the Linux command-line interface. We will even show you how to install Linux on your current computer without affecting your existing operating system—whether that be Windows or macOS.

What You Will Learn

You will learn how to approach a target organization from the point of view of a penetration tester or ethical hacker using the same skills and techniques that a malicious hacker would use. Your journey will begin in the realm of open source intelligence gathering, moving on to the external network infrastructure of a typical organization. We'll look for flaws and weaknesses and eventually break into the company's internal network through a Virtual Private Network (VPN) server, explaining everything as we go. Those who don't necessarily want to carry out the attacks themselves will witness exactly how information is gathered about their company and how attackers probe for holes and weaknesses before hacking in.

Once we've exposed the internal infrastructure, we'll find machines running Linux, UNIX, and Windows—each with their own flaws.

Using a range of tools, we'll exploit various vulnerabilities. We will also look at how those tools work and what they're doing under the hood so that readers can understand how to exploit vulnerabilities manually.

We'll gain access to a number of different computer systems and ultimately obtain Administrator permissions, allowing us to take over compromised systems completely. Along the way, we'll be collecting loot from the servers we visit. Among these will be a number of hashed passwords, which you'll learn how to crack towards the last chapter!

Finally, we'll show readers how they can formalize the entire process covered by writing reports of their findings that are suitable for company executives, clients, or colleagues—regardless of their technical understanding—and how an engagement with an external client is structured.

Readers will be able to practice many of the skills they come across using labs—sandbox environments designed for safe, legal hacking. These labs are made freely available to those purchasing the book. For those who want to understand what an attacker can do to their company, exploits are described in a way that makes sense and will help you realize the damage a missing patch can cause.

How This Book Is Organized

The book begins with a chapter that addresses the needs and concerns of company executives, followed by an important look at the legal and ethical aspects of computer hacking. Chapter 3, “Building Your Hack Box,” is the first practical chapter. In it, we show you how to set your computer up for carrying out the activities in the rest of the book. Chapter 4, “Open Source Intelligence Gathering,” details the passive, intelligence-gathering process undertaken before actively hacking into an organization's network. Chapters 5–13 address specific areas of a typical organization's infrastructure and introduce new tools and techniques as they are required. Chapter 14, “Passwords,” focuses solely on the storage of passwords and how to retrieve them, with Chapter 15, “Writing Reports,” the final chapter, looking at how to write up the results of your hacking so that problems can be fixed.

Chapter 1: Hacking a Business Case

Translating computer security problems to businesses and understanding their mission objectives is a crucial element of how to use hacking effectively. This chapter is all about board rooms, risk, and understanding how to communicate information from the trenches of the computer networks back to those responsible for business decisions.

Chapter 2: Hacking Ethically and Legally

We provide a brief introduction to the legal and ethical aspects of hacking. Not every hacker is a criminal—quite the contrary. We'll provide some pointers on staying on the right side of the law and how to conduct your hacking professionally.

Chapter 3: Building Your Hack Box

It's time to get practical. In this chapter, you will learn how to set up your own computer system step-by-step so that it is ready to start hacking, without hindering you from using it for your everyday work and leisure activities. We'll also show you how to set up your first lab in a virtual machine (VM) so that you have a target that can safely be explored and exploited.

Chapter 4: Open Source Intelligence Gathering

Before you start hacking computer systems, you will learn how to gather information passively about your target. We use real-world examples in this chapter, as we are searching for and using publicly available information, but perhaps differently than what you've witnessed before.

Chapter 5: The Domain Name System

The Domain Name System (DNS) is something on which we all rely, and yet many of us have little insight into how it works. In this chapter, you'll learn exactly what DNS is and how organizations, as well as individuals, rely on it. Then you'll learn some practical techniques for gathering information and searching for vulnerabilities before eventually exploiting them. We'll introduce some important tools in this chapter, including Nmap and Metasploit; this material is crucial reading for understanding the rest of the book.

Chapter 6: Electronic Mail

Through this chapter, you'll understand how email servers work and how to hack them. This chapter covers email protocol basics, mail relays, mailboxes, webmail, and all the tricks of the trade that can be used to compromise email systems. We walk you through the process of hacking into email servers.

Chapter 7: The World Wide Web of Vulnerabilities

It could be argued that the World Wide Web, invented by Tim Berners-Lee in 1990, is now fundamental to our existence. You will learn how it is based on aging protocols and how to hack the infrastructure that supports your favorite websites and web applications.

Chapter 8: Virtual Private Networks

VPNs are an increasingly popular solution for both personal and corporate use, with countless employees logging into their company's internal network remotely using this technology. We'll pick apart some of the ways in which common VPNs work and, of course, how to approach them like a hacker.

Chapter 9: Files and File Sharing

Up to this point, you will have looked at a typical organization from an external perspective. Now it's time to step inside the internal perimeter and see what resides on the internal network, starting with file servers. In this chapter, we'll cover the theory necessary to get a better handle on the Linux file system and how to use files and file sharing technology to get a foothold in systems.

Chapter 10: UNIX

Switching from Linux, which up to this point has been our focus, in this chapter we take a look at a UNIX operating system. We'll show you some of the quirks of these operating systems, including vulnerabilities for you to explore and exploit.

Chapter 11: Databases

In this chapter, we start by showing you how to perform basic database administration, using the Structured Query Language (SQL), before demonstrating attacks that utilize this and other features of databases. This chapter serves as a crucial basis for understanding how high-profile data leaks actually work and how to exploit them, which we will continue to explain in the subsequent chapter.

Chapter 12: Web Applications

Web applications are a huge part of everyday business for almost every organization—and they're also a huge target. We cover the essentials of web applications in this chapter, focusing on the most dangerous types of attacks that continue to plague small and huge companies across the globe. You'll find that everything you've learned so far really comes together in this introduction to web application hacking.

Chapter 13: Microsoft Windows

Thus far, you've seen the myriad of flaws in the Linux and UNIX operating systems. Now it's time to shine the spotlight on Microsoft's Windows operating system. The focus is Windows Server, which is the technology powering countless organizations' IT infrastructure. Like Linux, Windows Server can host DNS, email, web, and file sharing services. We'll help you transfer your Linux and UNIX hacking skills over to Windows in this part of the book.

Chapter 14: Passwords

Throughout the book, we have referenced passwords and their hashes. In this chapter, you have the chance to understand how passwords are hashed and the inherent problems in many algorithms that people rely on every day for securing their data. We'll give you guidelines on cracking password hashes—that is, recovering plaintext passwords from the data you've accessed in the labs you've been hacking thus far.

Chapter 15: Writing Reports

You won't get far as an ethical hacker or penetration tester if you are unable to convey your findings to your client, colleagues, or superiors. Writing a penetration test report utilizes a whole new skill set, and we'll show you what you need to do to communicate effectively using a sample report as a guideline.

Hardware and Software Requirements

To follow along with the exercises in this book, you will need either a laptop or a desktop computer running Windows, macOS, or a mainstream Linux distribution with enough hard drive or solid-state drive space for the software and tools demonstrated within the chapters. You'll also need enough main memory (RAM) to run VMs and an Internet connection for downloading everything you will need. We cover hardware and software requirements in Chapter 3, “Building Your Hack Box,” and walk you through all of the steps required to get hacking. Here are the minimum requirements:

A modern Intel or AMD CPU (with Streaming SIMD Extensions 2 [SSE2], which almost all processors have)

4 GB of RAM

50–100 GB of hard disk drive (HDD) or solid-state drive (SSD) capacity

Internet access for downloading software and running certain demonstrations

How to Use This Book

This book was designed to be read through from start to finish, with practical activities in almost every chapter that you can work through as you go. The book can be read without carrying out any of the activities, and it will still make sense. Or perhaps you are the type of reader who likes to read content once first and then go back to try the practical elements? Either way, to get the most out of Hands on Hacking, you will want to attempt the practical hacking exercises, and we'll show you exactly how to do this.

Even though most chapters address a particular area of an organization's network infrastructure, skipping to the chapter in which you are most interested may give you a headache. This is because we introduce many concepts early on in the book that you will need to use later and that apply across different areas of hacking. In later chapters, you will find only small reminders to previously introduced tools and techniques, with ways in which you can apply them in a new setting.

To carry out the practical activities, which start in Chapter 3, “Building Your Hack Box,” you will need to ensure that you have access to the downloadable content found at www.hackerhousebook.com. You will need to use the username “student” and password “student” to access the /files content. (The only purpose of this authentication is to stop search engines from flagging our website as malicious. There's a lot of potentially malicious code in the files that you'll learn how to use responsibly.) This link will allow you to download a single files.tgz compressed archive containing a large number of tools. The website also hosts three labs: the mail server and UNIX lab from Hacker House, along with a purpose-built lab created exclusively for this book that contains numerous labs in a single download. The content is mirrored on Wiley's website, at www.wiley.com/go/handsonhacking. The details of setting up your own computer to carry out the practical activities are covered in Chapter 3, “Building Your Hack Box,” but you should read through Chapter 1 and Chapter 2 first.

The other software and tools that we reference are generally open source, are freely available, and can be downloaded from the relevant developer's website.

How to Contact the Authors

You can contact the book authors via [email protected]. If you spot any errors or omissions or you have any feedback in general, we'd love to hear from you. If you're interested in our online training, which complements the contents of this book, head to hacker.house/training. Any updates and labs accompanying this book will be posted at www.hackerhousebook.com. You can learn more about Hacker House and our services on our home page hacker.house.

Chapter 1: Hacking a Business Case

If you're communicating with a business owner, chief executive officer (CEO), chief information security officer (CISO), or just someone who needs to make a case to upper management on why hacking is beneficial to companies, then this chapter is for you. The chapter is not packed with practical hacking exercises like the remaining chapters are; rather, it focuses on the reasons why companies need hackers. We explain why we believe that the best route to improving an organization's cybersecurity is for you, your team, and your employer to adopt a purple team mentality and begin thinking like malicious hackers. The purple team way of thinking is the amalgamation of traditional blue and red teams—the defenders and the attackers.

If you know the enemy and know yourself, you need not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

Sun Tzu, The Art of War

To be a CISO is to lead an army. To be effective, that army needs to know itself and know its enemy. In other words, you need a team trained to think like hackers. You need a team that proactively works to identify all the ways that the enemy could attack and then build stronger infrastructures—from patching software vulnerabilities to creating security policies and cultures. Businesses need hackers, and that is the subject and focus of this chapter.

All Computers Are Broken

At Hacker House, we have a saying: “All computers are broken.” A hacker does not “break” a computer, network, or software; rather, the computer was already broken to begin with, and the hacker shows you just how broken it is. Modern-day computing is built on a foundation of trust and naivety that predates modern commerce. Security simply wasn't there by design in the beginning, and (almost) everything since then had to be built on this unstable base.

Being accountable for the security of information within any organization today is a bold task. That job typically resides with an organization's CISO. The CISO is responsible for ensuring that an organization's IT infrastructure and data (including digital and nondigital data, such as paper records) are adequately protected from disaster, whether it be a system failure, natural phenomena, or malicious cyberattack. In smaller organizations, the official job title of CISO may not exist, in which case the business owner or CEO will probably take on this role. It is a huge responsibility to keep company assets safe from the relentless, invisible, and ubiquitous attacks that constitute cybercrime. If something goes wrong (which sadly it so often does), it can go badly wrong. A data breach can result in grave financial and reputational losses for businesses, and CISOs can lose their career or business—all from the click of a mouse and a few keystrokes of a tech-savvy attacker.

CISOs practice information security, often shortened to infosec, a term that is used to describe an entire industry sector. Infosec means protecting data and preventing access to computer systems from unauthorized entities. Infosec involves balancing the usability of computer systems and their software with security. A completely secure system, if such a thing could exist, would likely be totally unusable for most businesses and users. For example, imagine a computer unplugged from the Internet, locked in a vault, and buried beneath the surface of the earth in a faraday cage to prevent external interaction.

Since organizations must open themselves up and allow the public (and employees) to connect to their services, a completely secure system isn't a possibility except for extreme edge cases. Let's look at a few of the challenges that a CISO may face.

In 2019, there were many high-profile cases of large organizations getting hacked.

WhatsApp, an instant messaging application, was found to be vulnerable to an attack that would allow the attacker to take control of a victim's smartphone and negate the effects of WhatsApp's end-to-end encryption. This encryption allowed users to send private messages to one another (WhatsApp's greatest selling point).

Security company Trend Micro had customer records stolen by its own employee. Those records were used to make scam calls to customers to defraud them. This case highlights the importance of internal security controls and not just the protection of public-facing services.

Credit card provider Capital One had the personal details of more than 100 million customers stolen by a malicious hacker who supposedly exploited a misconfigured web application firewall—a technology designed to protect websites from attack! The stolen records consisted of names, physical addresses, Social Security numbers, and bank details. After the news hit in July 2019, Capital One projected attack-related costs of up to $150 million.

In December 2019, UK company Travelex hit the headlines when it was affected by a ransomware attack. In a ransomware attack, attackers effectively steal data and demand a ransom for its return. The ransom in this case was $6 million, although it appears that Travelex was able to recover its data without paying the criminals. This cannot be said of all organizations and individuals that have been affected by ransomware.

These are just a tiny fraction of the breaches that take place all the time. If you think the frequency and impact of these hacks is scary, then consider that this situation is only projected to become worse. The number of potential vulnerabilities within companies and the volume of data, as well as our legal and moral responsibilities to that data, are increasing at exponential rates.

Moreover, these threats are increasing much faster than traditional infosec's ability to handle them, with its reliance on expensive external penetration testers—that is, those with specialized skills designed to find and report an organization's computer security vulnerabilities. Consequently, CISOs find themselves in an almost impossible position—trying to protect more with diminishing resources. Something has to change.

Thankfully, it has. You're about to discover how purple teaming—the act of developing highly skilled internal security teams and strong corporate security cultures—is not only possible but also practical, simple, and cost-effective.

Purple teaming is the modern and efficient approach to corporate cybersecurity, and it is desperately needed in every business, whether small corporate outfits or multinational conglomerates. To put it another way, purple teams are essential for every company as they provide you with insight to how attackers operate and guidance on how to prevent attacks from succeeding.

The Stakes

Before we dive in to find out what purple teaming is and how it works, let's take a closer look at the hazardous context in which most CISOs and businesses currently operate.

What's Stolen and Why It's Valuable

Data is valuable. Data can be used to manipulate perceptions, transfer exorbitant amounts of money, win elections, take down competitors, get executives hired or fired, hold people and assets hostage, perhaps even start wars … the list goes on and on. To put it briefly, data is the new wealth generation for businesses. It's a big business.

Unfortunately, many companies (except the CIOs and CISOs in them, of course) do not realize the value of their data. “Why would anyone want to steal our photos or the login details used by receptionists?” Does this sound familiar? A better question to ask today is, “Why wouldn't they want to steal this data?” It really is best not to presume which data is or isn't valuable—it all is to an attacker. Malicious hackers value data because it can easily be traded on the black market for a quick buck if need be. Often, that's the only motivation an individual or group needs to steal data.

Data is defined as information in raw format that can be manipulated into usable information. Data is everywhere: payroll, sales figures, bank and credit card details, personal identification, emails, analytics, passwords, surveillance, statistics, government files, medical records, scientific reports, legal documents, subscription information, competitor websites, financial records … the list goes on, and on, and on. Of course, the “smarter” we get (smartphones, smartwatches, virtual assistants, smart plugs, smart thermostats, smart refrigerators, video doorbells, electric cars, smart door locks … again, it's a long list), the more data there is, or rather, the more unsecured data there is.

The Internet of Vulnerable Things

Unfortunately, as smart as devices have become, when it comes to security, the majority are not smart at all. Whether it's because manufacturers are unaware of or overwhelmed by the risks, or simply because they choose to ignore them (security investment impacts profit margins after all), millions of smart devices are being churned out every year absent of effective built-in security. These devices—billions of them—are used in homes and businesses every single day, and most of them put our valuable data at risk.

The reality, which CISOs know all too well, is that we do not have an Internet of Things (IoT)—we have an “Internet of Vulnerable Things.” CISOs now have to think twice before agreeing to the installation of smart thermostats throughout the company's property portfolio or whether board members should be wearing smartwatches (and that's if anyone even thinks to run those decisions by them first).

To top it off, companies are becoming increasingly accountable in a legal sense for the data that they hold and process (and rightfully so). For example, the European Union's General Data Protection Regulation (GDPR) legislation means that companies need to implement the same level of protection for data, such as an individual's IP address or cookie data, as they do for names and addresses. Some of the key privacy and data protection requirements of GDPR include obtaining consent from subjects for data processing, anonymizing collected data to protect privacy, providing data breach notifications, safely handling the transfer of data across borders, and requiring certain companies to appoint a data protection officer to oversee GDPR compliance.

Blue, Red, and Purple Teams

Traditional infosec is based on the premise of blue teaming and red teaming (although not all companies have, or necessarily require, either in their strictest form). For the sake of clarity, let's quickly summarize what that looks like.

Blue Teams

Blue teams are the “white-hat” defenders—those who work on a systems-oriented approach, performing analyses of information systems to ensure security, identify security flaws, verify the effectiveness of security measures, and make sure that all security measures continue to be effective after implementation. Blue team members typically comprise IT help-desk staff, system patchers, backup and restore staff, basic security tool managers, and so on. Data centers of larger companies may hire network administrators to watch over their network and to respond after intrusions. Ideally, a blue team will be able to see whether an attack is taking place and take steps to mitigate the attack before any real damage is done.

Red Teams

When it comes to more in-depth security, most CISOs have had little choice but to bring in red teams, which are independent groups of professionals who challenge an organization to improve its effectiveness by assuming the role of adversary (attacker). Red teams use the same tools and techniques that real, malicious hackers use. Attack campaigns can last several weeks to months. There will usually be a specific objective of the operation, such as the “theft” of valuable data from the company. At the end of the engagement, the red team should work with their client's blue team to address the issues found and suggest remedial action.

Red teams should not be confused with penetration testers. A penetration tester performs a security assessment of an organization's computer network and is the subject of this book. This security assessment will typically last several days. At the end, a report is issued that points out security flaws and vulnerabilities. A penetration tester will often work alone and is not expected to perform the same in-depth attack as a red team would. That being said, penetration testers should adopt the same kinds of methods used by a traditional red team and use the same techniques that malicious hackers would use.

NOTE Not every company is able to hire active threat hunters to watch over the network (blue team), nor does every company require tactical, targeted red teaming. The latter is essential for companies that process numerous financial transactions per second, are constantly under attack, and where even an information disclosure from a log file can expose the movement of money, such as banks and gambling companies. Some companies have their own internal red team and/or penetration testers as well, and these companies frequently do not need to outsource these roles except for compliance purposes.

Large private businesses (especially those heavily invested as government/defense contractors, such as IBM and SAIC) and U.S. government agencies (such as the CIA) have long used red teams. Smaller organizations will use a penetration tester, often on an annual basis, to give them an indication of their security posture.

Once the engagement is over, it's up to the organization's blue team or other skilled external consultants to take action on the suggestions of the red team or those specified in the penetration tester's report. At this point, some problems may arise. Once upon a time, this disjointed approach to infosec may have been OK, getting the job done to a functioning degree. Now, however, it rarely succeeds.

One of the biggest problems involves taking action on the red team's recommendations or a penetration tester's reports. This step often isn't completed (or even started) due to the reasons described next, and thus the reports may then become little more than a box-checking exercise to appease shareholders. The reasons why this may be the case include the following:

Inadequate training:

Blue teams often don't know how to act upon the reports due to a lack of skills outside of common tasks such as reconfiguring firewalls, updating software, and changing passwords.

Lack of resources:

Many corporations say that their cybersecurity teams are understaffed, and since a huge amount of the budget is spent on penetration testing, there is often little scope for bringing in more resources.

Limited time:

It is difficult for companies to redirect staff resources to go through long technical reports and patch vulnerabilities, especially when blue teams are often fighting fires on several fronts.

Lack of incentives:

It can be challenging for CISOs to motivate staff to go through a lengthy penetration test report, created by someone else (who was likely paid significantly more money), and patch vulnerabilities.

Sometimes, when red teams or penetration testers (whether internal or external) point out flaws, blue team members get defensive; finger-pointing, animosity, and internal chaos ensue. Subsequently, CISOs may find themselves dealing with HR issues as much as they do technology.

Fundamentally, the gap between traditional blue and red teams, attackers and defenders, is too wide. CISOs need people on board who understand the tactics, techniques, and procedures used by cyber-enabled attackers and how to build better defenses against them. CISOs need an internal team that is able to dig out potential problems and patch them proactively, whether that's a case of updating the operating system on workstations or catching wind of an idea to install Internet-connected thermostats throughout the company's buildings and be able to assess whether that would, or wouldn't, be a good idea.

Purple Teams

When considering the security of their data and computer systems, a small business owner may be thinking something along these lines:

“I need effective and inexpensive cybersecurity to protect my company's data so that I can relax and put my efforts into growing my business.”

Both of these scenarios are possible by adopting the purple team mentality.

Purple teaming is the simple and obvious solution to the explosive growth in breaches and data loss. In purple teaming, a team of experts takes on the role of both the red team and the blue team with the intention of anticipating attacks and addressing vulnerabilities and weaknesses before they can be exploited by malicious third parties. Purple teams are responsible for a company's overall security posture. They are proactively engaged with understanding and evaluating risk through technical simulations. They know what a company's digital assets (the true value of every organization) are, where they are stored, and how to protect them by building better networks and systems.

This approach enables traditional blue team IT staff to understand how underlying vulnerabilities are exploited by hackers (and/or red teams). Purple teams are better trained to “turn on the human firewall” by being better educated in the common methods of social engineering used by cybercriminals and malicious insiders, such as phishing, a technique whereby emails are sent to employees to have them click a malicious link. There are many variations of this type of attack, but all social engineering attacks rely on first exploiting the human factor rather than the computer system itself.

NOTE Phishing is the process of luring a victim into providing sensitive information, such as their username and password or credit card details, usually through a fake website designed to look like a legitimate site. Email and instant messaging are commonly used by malicious hackers as a means to provide the victim with a link to a fraudulent site that they control. There are variations on phishing, such as spear phishing, which tends to target an individual whose behaviors are researched in advance, and whaling, which targets CEOs and other executives with a view to having them use their privileged position to quickly process a financial transaction that appears legitimate but is in fact fraudulent.

The best way to close the skills gap for any red or blue team is to merge them into a single purple team where all members gain the necessary skills and understanding in information technology (IT), software development lifecycles, social engineering, penetration testing, vulnerability management, patching, system configuration, and hardening to standards such as the Security Technical Implementation Guides (STIGs) from www.nist.gov. A purple team is always in “ready-to-be-breached” business mode.

This is absolutely necessary. If we are to implement truly effective security practices, companies must empower their own people to understand cybersecurity risks. It's as simple as that. This shift toward making security an operational core of the business means that CISOs are no longer looking—and spending—outside of the company.

With a purple team in place, there is no longer any need to pay external consultants to run a prolonged penetration exercise against a company's infrastructure, which could cost tens to hundreds of thousands of dollars. Companies can get the same results from their purple team, while not having to ask the chief financial officer (CFO) for funding. There will no longer be delays waiting for reports that may or may not be understood and implemented anyway. There will no longer be clocks ticking on the careers of CISOs. Instead, time, money, and energy are focused on innovation and growth.

For a purple team to work, everyone needs to have an understanding—a practical understanding—of what malicious hackers can do to a network. Everyone also needs to have an understanding of how internal systems—the hardware, operating systems, off-the-shelf software, and bespoke software—work and how they can be fixed and patched to mitigate risks. We are not saying that the whole team must be experts in all of these areas, but they must know enough about each other team member's areas of expertise to be able to work together effectively and to empathize with one another.

NOTE