Penetration Testing Essentials - Sean-Philip Oriyano - E-Book

Penetration Testing Essentials E-Book

Sean-Philip Oriyano

Description

Your pen testing career begins here, with a solid foundation in essential skills and concepts. Penetration Testing Essentials provides a starting place for professionals and beginners looking to learn more about penetration testing for cybersecurity. Certification eligibility requires work experience, but before you get that experience, you need a basic understanding of the technical and behavioral ways attackers compromise security, and of the tools and techniques you'll use to discover the weak spots before others do. You'll learn information gathering techniques, scanning and enumeration, how to target wireless networks, and much more as you build your pen tester skill set. You'll learn how to break in, look around, get out, and cover your tracks, all without ever being noticed. Pen testers are tremendously important to data security, so they need to be sharp and well-versed in technique, but they also need to work smarter than the average hacker. This book sets you on the right path, with expert instruction from a veteran IT security expert with multiple security certifications. IT security certifications have stringent requirements and demand a complex body of knowledge. This book lays the groundwork for any IT professional hoping to move into a cybersecurity career by developing a robust pen tester skill set.

* Learn the fundamentals of security and cryptography
* Master breaking, entering, and maintaining access to a system
* Escape and evade detection while covering your tracks
* Build your pen testing lab and the essential toolbox

Start developing the tools and mindset you need to become experienced in pen testing today.


Page count: 557

Year of publication: 2016




PENETRATION TESTING ESSENTIALS

Sean-Philip Oriyano

Development Editor: Kim Wimpsett
Technical Editor: Raymond Blockmon
Production Editor: Christine O’Connor
Copy Editor: Elizabeth Welch
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Book Designer: Maureen Forys, Happenstance Type-O-Rama
Proofreader: Josh Chase, Word One New York
Indexer: Ted Laux
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: shutterstock.com/besfoto77

Copyright © 2017 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-23530-9
ISBN: 978-1-119-32398-3 (ebk.)
ISBN: 978-1-119-23533-0 (ebk.)
Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2016958766

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

This book is for my Mom and Dad, who instilled in me my core values that have been so valuable in my development as an adult. Although my Dad is no longer with us, I can still feel his influence in everything I do and in fact feel myself sometimes laughing boldly and proudly just like he always used to do. My Mom is still around (and we are keeping it that way), and I am thankful for her support in pushing me to get into science and technology as well as instilling in me a love of sci-fi, bad jokes, and the desire to do the right thing. I love you both. And I first dedicate this book to you.

I also want to dedicate this to the military, which graciously blessed me with the opportunity to attend Officer Candidate School (OCS), even though I was immature and self-centered. While the hell and abuse they put me through sucked at the time, it helped get me on track with my life and realize that I was capable of so much more. It also helped me realize that it’s not you that is important; it’s the people whose lives you impact. I hope this is something that those of you reading this reflect on. COL K, LtCol A, CPT M, CPT D, CPT J, and CPT A, I am forever grateful for your patience, heart-to-hearts, and straight-up, blunt assessments of me. I hope I have turned into the CW2 that you are proud of. This book is also dedicated to you.

I finally also want to dedicate this book to my staff, who have shown that you can make chicken salad out of chicken poop. You guys have never ceased to amaze me over the last year. You’ve made me look good, but I refuse to take credit. I didn’t do the heavy lifting; you did. I didn’t do the improvisation and creativity; you did. I didn’t show that what others thought was impossible is indeed possible if you have your act together. I wish I could take credit and say I had something to do with it, but this is all you, and I expect great things from all of you. SSG E, SSG L, SSG S, and CW2 N, keep kicking ass and taking names. I should also take a moment to thank my commander Lt Col L for having faith in my abilities and giving me the support to get things done.

Finally, I want to dedicate this to Lisa. You know who you are and though I have said it many times, I do love you and appreciate you. So deal with it and no flowers or chocolate . . . don’t make it weird.

ACKNOWLEDGMENTS

Once again, there are so many people to thank. I sincerely hope I don’t forget anyone.

First, thanks to Jim Minatel for the opportunity to do this book, and I look to others in the future.

Second, thanks to Kim Wimpsett. You are without a doubt the primary reason I don’t look stupid because of poor language or unclear passages. I really don’t know how to say how much I value you as part of the team, and I want you with me on all my future projects.

Third, I have to acknowledge all of the troops of the US military no matter where you are. Though not all of you will make it home (though I sincerely hope you all do), none of you will ever be forgotten, and when I put on my uniform, it is not only for my job but to commemorate your sacrifice.

ABOUT THE AUTHOR

Sean Oriyano is a longtime security professional and entrepreneur. Over the past 25 years he has divided his time between performing security research, consulting, and delivering training both in the field of general IT and cybersecurity. In addition, he has become a best-selling author with many years’ experience in both digital and print media. Sean has published several books over the last decade and has expanded his reach even further by appearing on shows on both TV and radio. To date, Sean has appeared on more than a dozen TV programs and radio shows discussing different cybersecurity topics and technologies. When in front of the camera, Sean has been noted for his casual demeanor and praised for his ability to explain complex topics in an easy-to-understand manner.

Outside his own business activities, he is a Chief Warrant Officer (CWO) and commands a unit specializing in cybersecurity, training, development, and strategy. Additionally, as a CWO he is recognized as a subject matter expert in his field and is frequently called upon to provide expertise, training, and mentoring wherever and whenever needed.

When not working, Sean is an avid obstacle course racer and has completed numerous races, a world championship race, and four Spartan Trifectas. He also enjoys traveling, bodybuilding, MMA, Metroid, and “The Legend of Zelda.”

INTRODUCTION

Security is a topic that gets a lot of attention in today’s world. Because of our increasing reliance on different forms of technology, gadgets, and many other types of systems and devices, more attention is being turned to how secure and safe these devices and systems actually are. In response to the increase in cybercrimes such as identity theft, information theft, disruption of services, hacktivism, and even the specter of terrorism, many organizations, both public and private, face the challenge of having to test, evaluate, and fix potential security issues before they become the victim of a cybercrime and the lawsuits that may follow. It is in response to these situations, past, present, and future, that many organizations are scrambling to pursue various security solutions.

Enter the penetration tester, who represents one of the best and most effective ways of locating, analyzing, presenting, and recommending strategies to reduce the potential risk resulting from security incidents. Pentesters are people who take their in-depth understanding of technology, its vulnerabilities as well as its strengths, and use it at the request of a client to locate and evaluate security problems before those who don’t have the organization’s best interests at heart can do so.

Who Should Read This Book?

The audience for this book includes those individuals who are already in possession of a technical background and are looking to move into the penetration testing world. Unlike many other books that cover the topic of pen testing, this book strives to introduce you to the topic in a simple and easy-to-understand way. The goal is to help you, as the reader, gain a better understanding of the pen testing process as well as gain experience and knowledge through hands-on exercises and through the exploration of the various theories that form the basis of pen testing.

Upon completion of this book, you should have a better understanding of what it means to be a pentester and the skills, tools, and general knowledge it takes to be successful. Once you finish this book and have practiced what you learned, you will find yourself in possession of the tools needed to pursue more advanced techniques, testing methods, and skills.

What You Need

If you are intending to get the most out of this book, then you should have a few things handy. Before you get started, you should have access to a computer that is capable of running the latest version of Microsoft Windows or Kali Linux that has at least 8 GB of RAM. Additionally, you should have access to virtualization software such as Oracle’s VirtualBox or one of VMware’s offerings; which virtualization software you choose to use is up to your personal preference and your wallet.

As you read through this book, you will be introduced to a diverse set of hardware and software-based tools used to accomplish a wide array of tasks. When you go through the chapters and exercises, you will be presented with links to download or otherwise acquire the tools of your choosing.

What’s Covered in This Book

This book covers a broad range of topics for the beginning pentester. The following is a list of the chapters with a brief description of what each focuses on.

Chapter 1, “Introduction to Penetration Testing”:

Focuses on the general rationale for penetration testing as well as giving an idea of the skills and knowledge required to be successful.

Chapter 2, “Introduction to Operating Systems and Networking”:

A firm understanding of the structure of an operating system and the network it attaches to is required to be a pentester. In this chapter, the fundamentals of both are explored in order to establish a foundation to build upon.

Chapter 3, “Introduction to Cryptography”:

Without cryptography, a lot of the countermeasures used to protect against inadvertent disclosure of information would not work. Additionally, without an understanding of cryptography, meeting various laws and regulations becomes very difficult. In this chapter, a primer on the functioning and mechanics of cryptography is covered, as well as how it is applied.

Chapter 4, “Outlining the Pen Testing Methodology”:

Pen testing has a process and methodology that must be followed in order to get the most complete and effective results reliably. In this chapter we will cover one of the more popular methods for performing a pen test.

Chapter 5, “Gathering Intelligence”:

The first step in the process of pen testing is gathering information about your target. In this chapter the various means for gathering information are explored, along with how they fit into the overall process.

Chapter 6, “Scanning and Enumeration”:

Once you have gathered sufficient intelligence about a target, you can start probing and finding out which information can be extracted. Usernames, groups, security policies, and more are on the table in this chapter.

Chapter 7, “Conducting Vulnerability Scanning”:

Want to take a different approach to finding out about your target? Well, you can use the process of manual or automatic vulnerability scanning to locate weaknesses in an environment for later exploitation.

Chapter 8, “Cracking Passwords”:

Since passwords are the front line of defense in many environments and applications, time must be allocated to the process of obtaining these valuable pieces of information. Enumeration already gave us usernames, so we can focus on those usernames to gather passwords.

Chapter 9, “Retaining Access with Backdoors and Malware”:

Investigate, explore, compromise, and now you are in the system. However, once you have gained access and established that beachhead, how do you keep it? In this chapter we will explore precisely that.

Chapter 10, “Reporting”:

Remember you are working for a client under contract with the goal of finding and reporting on your findings. In this chapter you will see the general format and layout of a report.

Chapter 11, “Working with Defensive and Detection Systems”:

Of course not all systems are open and waiting to be penetrated. In fact, many systems will have several layers of defense in different forms waiting for you to get in. In this case intrusion detection and prevention systems are your nemesis and here you will learn how to deal with them.

Chapter 12, “Covering Your Tracks and Evading Detection”:

Leaving clues at the scene of a crime is a sure way to get caught and thwarted. In this chapter you’ll learn how to clean up after yourself so that, hopefully, all but the most determined will fail to find you.

Chapter 13, “Detecting and Targeting Wireless”:

Wireless is ubiquitous and therefore you will have to deal with it in just about any environment you explore. If those environments include mobile devices, you are guaranteed to encounter these networks, which you can then target.

Chapter 14, “Dealing with Mobile Device Security”:

No matter how you look at it, mobile devices are not only here to stay but they are taking new forms, tasks, form factors, and are part of our everyday lives. Since they have been integrated into the business environment and the lines between business and personal use have been blurred, you must learn how to deal with mobile devices.

Chapter 15, “Performing Social Engineering”:

In every system there is that one element that represents the weakest link, and in many cases this weakest link is a human being. As a pentester you can use your quick talking, psychology, and clever wording to guide a conversation toward those topics that will give you useful information.

Chapter 16, “Hardening a Host System”:

Countermeasures of all types are available to slow down or stop an attack. One of the first lines of defense is frequently locking down or hardening a system to reduce the chances of it being compromised.

Chapter 17, “Hardening Your Network”:

Much like with host hardening, countermeasures are available to slow down or stop an attack on networks. Removing protocols, implementing firewalls, and other mechanisms can slow down and frustrate an attacker.

Chapter 18, “Navigating the Path to Job Success”:

In this chapter, consider yourself a graduate. Now you are looking to a future in penetration testing. This chapter will provide a guide to what to do next to keep developing your skills even further.

Chapter 19, “Building a Test Lab for Penetration Testing”:

A good pentester needs to practice on equipment that they own. In this chapter we will explore how to set up a basic lab that you can use to practice and experiment.

CONTENTS

ACKNOWLEDGMENTS

ABOUT THE AUTHOR

INTRODUCTION

CHAPTER 1 Introduction to Penetration Testing

Defining Penetration Testing

Preserving Confidentiality, Integrity, and Availability

Appreciating the Evolution of Hacking

CHAPTER 2 Introduction to Operating Systems and Networking

Comparing Common Operating Systems

Exploring Networking Concepts

CHAPTER 3 Introduction to Cryptography

Recognizing the Four Goals of Cryptography

The History of Encryption

Speaking Intelligently About Cryptography

Comparing Symmetric and Asymmetric Cryptography

Transforming Data via Hashing

A Hybrid System: Using Digital Signatures

Working with PKI

CHAPTER 4 Outlining the Pen Testing Methodology

Determining the Objective and Scope of the Job

Choosing the Type of Test to Perform

Gaining Permission via a Contract

Following the Law While Testing

CHAPTER 5 Gathering Intelligence

Introduction to Intelligence Gathering

Examining a Company’s Web Presence

Finding Websites That Don’t Exist Anymore

Gathering Information with Search Engines

Targeting Employees with People Searches

Discovering Location

Do Some Social Networking

Looking via Financial Services

Investigating Job Boards

Searching Email

Extracting Technical Information

CHAPTER 6 Scanning and Enumeration

Introduction to Scanning

Checking for Live Systems

Performing Port Scanning

Identifying an Operating System

Scanning for Vulnerabilities

Using Proxies (Or Keeping Your Head Down)

Performing Enumeration

CHAPTER 7 Conducting Vulnerability Scanning

Introduction to Vulnerability Scanning

Recognizing the Limitations of Vulnerability Scanning

Outlining the Vulnerability Scanning Process

Types of Scans That Can Be Performed

CHAPTER 8 Cracking Passwords

Recognizing Strong Passwords

Choosing a Password-Cracking Technique

Executing a Passive Online Attack

Executing an Active Online Attack

Executing an Offline Attack

Using Nontechnical Methods

Escalating Privileges

CHAPTER 9 Retaining Access with Backdoors and Malware

Deciding How to Attack

Installing a Backdoor with PsTools

Opening a Shell with LAN Turtle

Recognizing Types of Malware

Launching Viruses

Launching Worms

Launching Spyware

Inserting Trojans

Installing Rootkits

CHAPTER 10 Reporting

Reporting the Test Parameters

Collecting Information

Highlighting the Important Information

Adding Supporting Documentation

Conducting Quality Assurance

CHAPTER 11 Working with Defensive and Detection Systems

Detecting Intrusions

Recognizing the Signs of an Intrusion

Evading an IDS

Breaching a Firewall

Using Honeypots: The Wolf in Sheep’s Clothing

CHAPTER 12 Covering Your Tracks and Evading Detection

Recognizing the Motivations for Evasion

Getting Rid of Log Files

Hiding Files

Evading Antivirus Software

Evading Defenses by Entering Through a Backdoor

Using Rootkits for Evasion

CHAPTER 13 Detecting and Targeting Wireless

An Introduction to Wireless

Breaking Wireless Encryption Technologies

Conducting a Wardriving Attack

Conducting Other Types of Attack

Choosing Tools to Attack Wireless

Knocking Out Bluetooth

Hacking the Internet of Things (IoT)

CHAPTER 14 Dealing with Mobile Device Security

Recognizing Current-Generation Mobile Devices

Working with Android OS

Working with Apple iOS

Finding Security Holes in Mobile Devices

Encountering Bring Your Own Device (BYOD)

Choosing Tools to Test Mobile Devices

CHAPTER 15 Performing Social Engineering

Introduction to Social Engineering

Exploiting Human Traits

Acting Like a Social Engineer

Targeting Specific Victims

Leveraging Social Networking

Conducting Safer Social Networking

CHAPTER 16 Hardening a Host System

Introduction to Hardening

Three Tenets of Defense

Creating a Security Baseline

Hardening with Group Policy

Hardening Desktop Security

Backing Up a System

CHAPTER 17 Hardening Your Network

Introduction to Network Hardening

Intrusion Detection Systems

Firewalls

Physical Security Controls

CHAPTER 18 Navigating the Path to Job Success

Choosing Your Career Path

Build a Library

Practice Technical Writing

Display Your Skills

CHAPTER 19 Building a Test Lab for Penetration Testing

Deciding to Build a Lab

Considering Virtualization

Getting Started and What You Will Need

Installing Software

APPENDIX Answers to Review Questions

Chapter 1: Introduction to Penetration Testing

Chapter 2: Introduction to Operating Systems and Networking

Chapter 3: Introduction to Cryptography

Chapter 4: Outlining the Pen Testing Methodology

Chapter 5: Gathering Intelligence

Chapter 6: Scanning and Enumeration

Chapter 7: Conducting Vulnerability Scanning

Chapter 8: Cracking Passwords

Chapter 9: Retaining Access with Backdoors and Malware

Chapter 10: Reporting

Chapter 11: Working with Defensive and Detection Systems

Chapter 12: Covering Your Tracks and Evading Detection

Chapter 13: Detecting and Targeting Wireless

Chapter 14: Dealing with Mobile Device Security

Chapter 15: Performing Social Engineering

Chapter 16: Hardening a Host System

Chapter 17: Hardening Your Network

Chapter 18: Navigating the Path to Job Success

Chapter 19: Building a Test Lab for Penetration Testing

EULA

List of Tables

CHAPTER 2

TABLE 2.1

TABLE 2.2

TABLE 2.3

TABLE 2.4

CHAPTER 4

TABLE 4.1

CHAPTER 6

TABLE 6.1

TABLE 6.2

TABLE 6.3

TABLE 6.4

TABLE 6.5

CHAPTER 13

TABLE 13.1

TABLE 13.2

List of Illustrations

CHAPTER 1

FIGURE 1.1

The CIA triad

FIGURE 1.2

The anti-CIA triad

CHAPTER 2

FIGURE 2.1

The Windows Desktop

FIGURE 2.2

The Mac OS desktop

FIGURE 2.3

The Ubuntu Linux desktop

FIGURE 2.4

The Unix desktop

FIGURE 2.5

The IP address of a client

FIGURE 2.6

Results of the ipconfig command

CHAPTER 3

FIGURE 3.1

Example of a symmetric system using a single key

CHAPTER 5

FIGURE 5.1

A typical business website

FIGURE 5.2

BlackWidow

FIGURE 5.3

Google Alerts page

FIGURE 5.4

Google Street View

FIGURE 5.5

Echosec

FIGURE 5.6

Sample search in Echosec

CHAPTER 6

FIGURE 6.1

Results of the ping command

FIGURE 6.2

Angry IP

FIGURE 6.5

Sockets on two systems

FIGURE 6.6

The TCP three-way handshake

FIGURE 6.7

Closed and open port responses

FIGURE 6.8

Half-open against closed and open ports

FIGURE 6.9

Xmas tree scan

FIGURE 6.10

A FIN scan against a closed and an open port, respectively

FIGURE 6.11

A NULL scan against a closed and an open port, respectively

FIGURE 6.12

An ACK scan in progress

FIGURE 6.13

A fragmented packet

FIGURE 6.14

The results of a banner grab

CHAPTER 8

FIGURE 8.1

The Wireshark Packet Sniffer

FIGURE 8.2

A man in the middle attack

FIGURE 8.3

Utility for creating rainbow tables

FIGURE 8.4

A sample rainbow table

FIGURE 8.5

The USB Rubber Ducky with accompanying accessories

CHAPTER 9

FIGURE 9.1

A hardware key logger

FIGURE 9.2

Another hardware key logger

FIGURE 9.3

The LAN Turtle

FIGURE 9.4

A virus creation kit with various options displayed

FIGURE 9.5

A virus creation kit used to create batch viruses

FIGURE 9.6

A browser hijacker changing a home page

FIGURE 9.7

A macro virus dialog

CHAPTER 11

FIGURE 11.1

Placement of an NIDS

CHAPTER 12

FIGURE 12.1

The Windows Security event log

FIGURE 12.2

The WinZapper interface

FIGURE 12.3

Log Parser Lizard

FIGURE 12.4

Original Image

FIGURE 12.5

Image with embedded PDF

FIGURE 12.6

Original Image

FIGURE 12.7

File with hidden Word doc

FIGURE 12.8

Analysis of two images containing hidden data

CHAPTER 13

FIGURE 13.1

One type of wireless access point

FIGURE 13.2

802.11ac access point

FIGURE 13.3

Yagi antenna

FIGURE 13.4

Omnidirectional antenna

FIGURE 13.5

Parabolic antenna

FIGURE 13.6

A panel antenna

FIGURE 13.7

An example of a cantenna

FIGURE 13.8

An example of a 4G hotspot

FIGURE 13.9

An example of a deployment of a wireless access point

FIGURE 13.10

An example of multiple access point deployment

FIGURE 13.11

Some warchalking examples

FIGURE 13.12

The MiniPwner access point

FIGURE 13.13

Industrial Bluetooth adapter

CHAPTER 14

FIGURE 14.1

Android 6.0

FIGURE 14.2

Kali NetHunter

FIGURE 14.3

The iOS interface

CHAPTER 1 Introduction to Penetration Testing

So, you have decided to become a penetration tester (commonly known as a pentester). Not sure where to start? This book helps you learn what it means to be a penetration tester and the responsibilities you will be assuming, both technically and ethically, when you take on this role. You will build the skills necessary to be successful in the world of penetration testing and hands-on security.

Specifically, you will encounter many hacking methods that are currently being used on the front lines. You will also encounter techniques that you can use during your pen test to gain information or establish a foothold from which to launch more advanced attacks.

In addition, understanding the motivations of hackers can aid you in understanding the scope of an attack or perhaps even aid in discovering details of the attack. In fact, you need to empathize with hackers in order to establish why they may be carrying out an attack and then use that experience to test a client’s network.

In this chapter, you’ll learn to:

Define what penetration testing is and what a pentester does

Learn why you want to preserve confidentiality, integrity, and availability

Appreciate the history of hacking and penetration testing

Defining Penetration Testing

The pentester’s role has become more important in today’s world as organizations have had to take a more serious look at their security posture and how to improve it. Several high-profile incidents, such as the ones involving retail giant Target and entertainment juggernaut Sony, have drawn attention to the need for better trained and more skilled security professionals who understand the weaknesses in systems and how to locate them. Through a program that combines technological, administrative, and physical measures, many organizations have learned to reduce their exposure to those weaknesses.

Technology controls such as virtual private networks (VPNs), cryptographic protocols, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), access control lists (ACLs), biometrics, smart cards, and other devices have helped improve security.

Administrative controls such as policies, procedures, and other rules have also been strengthened and implemented over the past decade.

Physical controls include devices such as cable locks, device locks, alarm systems, and other similar devices.

As a pentester, you must be prepared to test environments that include any or all of the technologies listed here as well as an almost endless number of other types. So, what is a penetration tester anyway?

Defining What a Penetration Tester Does

A penetration tester, or pentester, is employed by an organization either as an internal employee or as an external entity such as a contractor hired on a per-job or per-project basis. In either case, pentesters conduct a penetration test, meaning they survey, assess, and test the security of a given organization by using the same techniques, tactics, and tools that a malicious hacker would use. The main differences between a malicious hacker and a pentester are intent and the permission that they get, both legal and otherwise, from the owner of the system that will be evaluated. Additionally, pentesters are never to reveal the results of a test to anyone except those designated by the client. As a safeguard for both parties, a nondisclosure agreement (NDA) is usually signed by both the hiring firm and the pentester. This protects company property and allows the pentester access to internal resources. Finally, the pentester works under contract for a company, and the contract specifies what is off-limits and what the pentester is expected to deliver at the end of the test. All of the contractual details depend on the specific needs of a given organization.

Some other commonly encountered terms for pentester are penetration tester, ethical hacker, and white-hat hacker. All three terms are correct and describe the same type of individual (though some may debate these apparent similarities in some cases). Typically the most commonly used name is pentester. EC-Council uses ethical hacker when referencing its own credential, the Certified Ethical Hacker.

In some situations, what constitutes a hacker is a topic ripe for argument. I have had many interesting conversations over the years addressing the question of whether the term hacker is good or bad. Many hackers are simply bad news all-around and have no useful function, and that’s how hackers are usually portrayed in movies, TV, books, and other media. However, hackers have evolved, and the term can no longer be applied to just those who engage in criminal actions. In fact, many hackers have shown that while they have the skill to commit crimes and wreak havoc, they are more interested in engaging with clients and others to improve security or perform research.

To be safe, a professional who does not want to cause confusion should avoid the term hacker so as to head off any fears clients may have. The term pentester is preferred.

Recognizing Your Opponents

In the real world, you can categorize hackers to differentiate their skills and intent.

Script Kiddies These hackers have limited or no training and know how to use basic tools or techniques. They may not even understand any or all of what they are doing.

White-Hat Hackers These hackers think like the attacking party but work for the good guys. They typically are characterized by having what is commonly considered to be a code of ethics that says they will cause no harm. This group is also known as pentesters.

Gray-Hat Hackers These hackers straddle the line between the good and bad sides; some have decided to reform and join the good side. Once they are reformed, they may not be fully trusted, however. Additionally, in the modern era of security these types of individuals also find and exploit vulnerabilities and provide their results to the vendor either for free or for some form of payment.

Black-Hat Hackers These hackers are the bad guys who operate on the wrong side of the law. They may have an agenda or no agenda at all. In most cases, black-hat hackers and outright criminal activity are not too far removed from one another.

Cyberterrorists Cyberterrorists are a new form of attacker that tries to knock out a target without regard to being stealthy. The attacker essentially is not worried about getting caught or doing prison time to prove a point.

Preserving Confidentiality, Integrity, and Availability

Any organization that is security minded is trying to maintain the CIA triad—or the core principles of confidentiality, integrity, and availability. The following list describes the core concepts. You should keep these concepts in mind when performing the tasks and responsibilities of a pentester.

Confidentiality This refers to the safeguarding of information, keeping it away from those not otherwise authorized to possess it. Examples of controls that preserve confidentiality are permissions and encryption.

Integrity This deals with keeping information in a format that retains its original purposes, meaning that the data the receiver opens is the same the creator intended.

Availability This deals with keeping information and resources available to those who need to use it. Simply put, information or resources, no matter how safe, are not useful unless they are ready and available when called upon.

CIA is one of the most important if not the most important set of goals to preserve when assessing and planning security for a system. An aggressor will attempt to break or disrupt these goals when targeting a system. Figure 1.1 illustrates the “balance” of the CIA triad.

FIGURE 1.1 The CIA triad

Why is the CIA triad so important? Well, consider what could result if an investment firm or defense contractor suffered a disclosure incident at the hands of a malicious party. The results would be catastrophic, not to mention it could put either organization at serious risk of civil and criminal actions. As a pentester, you will be working toward finding holes in the client’s environment that would disrupt the CIA triad and how it functions. Another way of looking at this is through the use of something I call the anti-CIA triad (Figure 1.2).

FIGURE 1.2 The anti-CIA triad

Improper Disclosure This is the inadvertent, accidental, or malicious revealing or accessing of information or resources to an outside party. Simply put, if you are not someone who is supposed to have access to an object, you should never have access to it.

Unauthorized Alteration This is the counter to integrity, as it deals with unauthorized or otherwise improper modification of information. This modification can be corruption, accidental, or malicious in nature.

Disruption (aka Loss) This means that access to information or resources has been lost when it otherwise should not have. Essentially, information is useless if it is not there when it is needed. While information or other resources can never be 100 percent available, some organizations spend the time and money to get 99.999 percent uptime, which averages about six minutes of downtime per year.

Appreciating the Evolution of Hacking

The role of the pentester tends to be one of the more misunderstood positions in the IT security industry. To understand the role of this individual, let’s first look back at the evolution of the hacker from which the pentester evolved.

The term hacker is an old one that can trace its origin back about 50 years to technology enthusiasts of the 1960s. These individuals were not like the hackers of today; they were simply those who were curious and passionate about new technologies and spent time exploring the inner workings and limitations of early systems. In the early days, these hackers would seek out systems and try to push the envelope by making the systems do new things or finding undocumented or unknown things that the technology of the day could do. While the technology has become more advanced, the mind-set of these early hackers has lived on.

Hacker has a double meaning within the technology industry in that it has been known to describe both software programmers and those who break into computers and networks uninvited. The former meaning tends to be the more positive of the two, with the latter being the more negative connotation. The news media adds to the confusion by using the term liberally whenever a computer or other piece of technology is involved. Essentially the news media, movies, and TV consider anyone who alters technology or has a high level of knowledge to be a hacker.

When we take a look back at these early technology enthusiasts, we find that they seem to fit a common profile: a curiosity about new technology and an eagerness to learn new things. The original hackers had their curiosity piqued by the mainframes that were available at the time in locations such as college and university campuses as well as some businesses. As time moved on, the PC drew their attention as it was a new, shiny piece of technology to be explored, dissected, and used. The early PC, in fact, allowed many more individuals to take on the mantle of technology enthusiast and hacker than would have been possible a few short years earlier. When the 1990s rolled around, the Internet offered up an irresistible lure for hackers who could spread their activities far and wide with greater ease than ever before. Now, post-2016, we have many more possibilities than were possible at any point in time previously. The explosion of technologies such as Wi-Fi, Bluetooth, tablets, smartphones, and much more has only added to the confusion and the number of devices that can be hacked and attacked. As technology evolved, so did the hackers, with their attacks the result of increasing skill sets and creativity.

Attacks also have become easier as manufacturers of consumer products are not focused on security as much as they are focused on features. When it comes down to it, often a manufacturer shipping a new product such as a tablet, PC, or other item is focused on its functionality and not on whether the device is secure. Although this attitude may have changed somewhat over the past handful of years, with some vendors securing their products more than they have in the past, don’t be fooled—many are still vulnerable by default.

The Role of the Internet

Hackers became more prolific and more dangerous not too long after the availability of the Internet to the general public. At first many of the attacks that were carried out on the Internet were of the mischievous type such as the defacing of web pages or similar types of activity. Although initially, many of these first types of attacks on the Internet may have been pranks or mischievous in nature, later attacks became much more malicious.

In fact, attacks that have been perpetrated since the year 2000 have become increasingly more sophisticated and aggressive as well as more publicized. One example from August 2014 is the massive data breach against Apple’s iCloud, which was responsible for the public disclosure of hundreds of celebrity pictures in various intimate moments. Unfortunately, Apple’s terms and conditions for customers using iCloud cannot hold Apple accountable for data breaches and other issues. This breach has so far resulted in lawsuits by many of those who had their pictures stolen as well as a lot of negative publicity for Apple. The photos that were stolen as a result of this breach can be found all over the Internet and have spread like wildfire much to the chagrin of those in the photos.

Another example of the harm malicious hackers have caused is the Target data breach in September 2014. This breach was responsible for the disclosure of an estimated 56 million credit card accounts. This single breach took place less than a year after the much publicized Target data breach, which itself was responsible for 40 million customer accounts being compromised.

A final example comes from information provided by the U.S. government in March 2016. It was revealed that the 18-month period ending in March 2015 had a reported 316 cybersecurity incidents of varying levels of seriousness against the Obamacare website. This website is used by millions of Americans to search for and acquire healthcare and is used in all but 12 states and Washington, DC. While the extensive analysis of the incidents did not find that any personal information, such as Social Security numbers or home addresses, had been exposed, it did show that the site is possibly considered a valid target for stealing this information. Somewhat disconcerting is the fact that there are thought to be numerous other serious issues such as unpatched systems and poorly integrated systems.

All of these attacks are examples of the types of malicious attacks that are occurring and how the general public is victimized in such attacks.

Many factors have contributed to the increase in hacking and cybercrime, with the amount of data available on the Internet and the spread of new technology and gadgets two of the leading causes. Since the year 2000, more and more portable devices have appeared on the market with increasing amounts of power and functionality. Devices such as smartphones, tablets, wearable computing, and similar items have become very open and networkable, allowing for the easy sharing of information. Additionally, I could also point to the number of Internet-connected devices such as smartphones, tablets, and other gadgets that individuals carry around in increasing numbers. Each of these examples has attracted the attention of criminals, many of whom have the intention of stealing money, data, and other resources.

Many of the attacks that have taken place over the last decade have been perpetrated not by the curious hackers of the past but rather by other groups. The groups that have entered the picture include those who are politically motivated, activist groups, and criminals. While there are still plenty of cases of cyberattacks being carried out by the curious or by pranksters, the attacks that tend to get reported and have the greatest impact are these more maliciously motivated ones.

The Hacker Hall of Fame (or Shame)

Many hackers and criminals have chosen to stay hidden behind aliases or in many cases they have never gotten caught, but that doesn’t mean there haven’t been some noticeable faces and incidents. Here’s a look at some famous hacks over time:

In 1988, Cornell University student Robert T. Morris, Jr. created what is considered to be the first Internet worm. Because of an oversight in the design of the worm, it replicated extremely quickly and indiscriminately, resulting in widespread slowdowns affecting the whole Internet.

In 1994, Kevin Lee Poulsen, going by the name Dark Dante, took over the telephone lines of the entire Los Angeles–based radio station KIIS-FM to ensure he would be the 102nd caller in order to win a Porsche 944 S2. Poulsen has the notable distinction of being the first to be banned from using the Internet after his release from prison (though the ban was only for a limited time). As a footnote to Poulsen’s story, Poulsen is now an editor at Wired magazine.

In 1999, David L. Smith created the Melissa virus, which was designed to email itself to entries in a user’s address book and later delete files on the infected system.

In 2001, Jan de Wit authored the Anna Kournikova virus, which was designed to read all the entries of a user’s Outlook address book and email itself to each.

In 2002, Gary McKinnon connected to and deleted critical files on U.S. military networks, including information on weapons and other systems.

In 2004, Adam Botbyl, together with two friends, conspired to steal credit card information from the Lowe’s hardware chain.

In 2005, Cameron Lacroix hacked into the phone of celebrity Paris Hilton and also participated in an attack against the site LexisNexis, an online public record aggregator, ultimately exposing thousands of personal records.

In 2009, Kristina Vladimirovna Svechinskaya, a young Russian hacker, got involved in several plots to defraud some of the largest banks in the United States and Great Britain. She used a Trojan horse to attack and open thousands of bank accounts in the Bank of America, through which she was able to skim around $3 billion in total. In an interesting footnote to this story, Ms. Svechinskaya was named World’s Sexiest Hacker at one point due to her good looks. I mention this point to illustrate the fact that the image of a hacker living in a basement, being socially awkward, or being really nerdy looking is gone. In this case, the hacker in question was not only very skilled and dangerous, but she also did not fit the stereotype of what a hacker looks like.

In 2010 through the current day, the hacking group Anonymous has attacked multiple targets, including local government networks, news agencies, and others. The group is still active and has committed several other high-profile attacks up to the current day. Attacks in recent history have included the targeting of individuals such as Donald Trump and his presidential campaign of 2016.

While many attacks and the hackers that perpetrate them make the news in some way, shape, or form, many don’t. In fact, many high-value, complicated, and dangerous attacks occur on a regular basis and are never reported or, even worse, are never detected. Of the attacks that are detected, only a small number of hackers ever even see the inside of a courtroom, much less a prison cell. Caught or not, however, hacking is still a crime and can be prosecuted under an ever-developing body of laws.

Recognizing How Hacking Is Categorized Under the Law

Over the past two decades crimes associated with hacking have evolved tremendously, but these are some broad categories of cybercrime:

Identity Theft This is the stealing of information that would allow someone to assume the identity of another party for illegal purposes. Typically this type of activity is done for financial gains such as opening credit card or bank accounts or in extreme cases to commit other crimes such as obtaining rental properties or other services.

Theft of Service Examples are the use of phone, Internet, or similar services without express or implied permission. Examples of crimes or acts that fall under this category would be acts such as stealing passwords and exploiting vulnerabilities in a system. Interestingly enough, in some situations just the theft of items such as passwords is enough to have committed a crime of this sort. In some states, sharing an account on services such as Netflix with friends and family members can be considered theft of service and can be prosecuted.

Network Intrusions or Unauthorized Access This is one of the oldest and more common types of attacks. It is not unheard of for this type of attack to lead into other attacks such as identity theft, theft of service, or any one of a countless other possibilities. In theory, any access to a network that one has not been granted access to is enough to be considered a network intrusion; this would include using a Wi-Fi network or even logging into a guest account without permission.

Posting and/or Transmitting Illegal Material This has gotten to be a difficult problem to solve and deal with over the last decade. Material that is considered illegal to distribute includes copyrighted materials, pirated software, and child pornography, to name a few. The accessibility of technologies such as encryption, file sharing services, and ways to keep oneself anonymous has made these activities hard to stop.

Fraud This is the deception of another party or parties to elicit information or access, typically for financial gain or to cause damage.

Embezzlement This is one form of financial fraud that involves theft or redirection of funds as a result of violating a position of trust. The task has been made easier through the use of modern technology.

Dumpster Diving This is the oldest and simplest way to get and gather material that has been discarded or left in unsecured or unguarded receptacles. Often, discarded data can be pieced together to reconstruct sensitive information. While going through trash itself is not illegal, going through trash on private property is and could be prosecuted under trespassing laws as well as other portions of the law.

Writing Malicious Code This refers to items such as viruses, worms, spyware, adware, rootkits, and other types of malware. Essentially this crime covers a type of software deliberately written to wreak havoc and destruction or disruption.

Unauthorized Destruction or Alteration of Information This covers the modifying, destroying, or tampering with information without appropriate permission.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks These are both ways to overload a system’s resources so it cannot provide the required services to legitimate users. While the goals are the same, the terms DoS and DDoS actually describe two different forms of the attack. DoS attacks are small scale, one-on-one attacks, whereas DDoS attacks are much larger in scale, with thousands of systems attacking a target.

Cyberstalking This is a relatively new crime on this list. The attacker in this type of crime uses online resources and other means to gather information about an individual and uses this to track the person and, in some cases, try to meet these individuals in real life. While some states, such as California, have put laws in place against stalking, which also cover crimes of the cyber variety, they are far from being universal. In many cases, when the stalker crosses state lines during the commission of their crime, it becomes a question of which state or jurisdiction can prosecute.

Cyberbullying This is much like cyberstalking except in this activity individuals use technologies such as social media and other techniques to harass a victim. While this type of crime may not seem like a big deal, it has been known to cause some individuals to commit suicide as a result of being bullied.

Cyberterrorism This, unfortunately, is a reality in today’s world as hostile parties have realized that conventional warfare does not give them the same power as waging a battle in cyberspace. It is worth noting that a perpetrator conducting terrorism through cyberspace runs the very real risk that they can and will be extradited to the targeted country.
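The DoS versus DDoS distinction above comes down to scale and source count, and that is also how a defender can tell the two apart in a request log. The following is an added example, not code from the book: it buckets requests into fixed windows and labels a flood as one-on-one (DoS) when a single source dominates, or distributed (DDoS) when it comes from many sources. The log format, the thresholds, the window size and the traffic itself are all constructed for the example.

```python
"""Separate a one-on-one flood (DoS) from a distributed flood (DDoS) in
request logs by looking at how many sources a burst comes from."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Thresholds and window size are assumptions chosen for this example.
FLOOD_THRESHOLD = 200          # requests per window before we call it a flood
SINGLE_SOURCE_SHARE = 0.8      # one source sending >= 80% of a flood: DoS-style
DISTRIBUTED_MIN_SOURCES = 50   # a flood from at least this many sources: DDoS-style
WINDOW = timedelta(seconds=10)


def parse_line(line: str) -> Tuple[datetime, str]:
    """Parse the constructed format 'ISO-timestamp source-ip request'."""
    ts, ip, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def bucket_by_window(lines: Iterable[str], window: timedelta = WINDOW) -> Dict[int, List[str]]:
    """Group source IPs into fixed windows; keys are seconds since the first entry."""
    buckets: Dict[int, List[str]] = {}
    start = None
    for line in lines:
        ts, ip = parse_line(line)
        if start is None:
            start = ts
        key = ((ts - start) // window) * int(window.total_seconds())
        buckets.setdefault(key, []).append(ip)
    return buckets


def classify(ips: List[str]) -> str:
    """Label one window: normal, dos (one dominant source), ddos (many sources),
    or flood (high volume that fits neither pattern cleanly)."""
    total = len(ips)
    if total < FLOOD_THRESHOLD:
        return "normal"
    counts = Counter(ips)
    _top_ip, top_count = counts.most_common(1)[0]
    if top_count / total >= SINGLE_SOURCE_SHARE:
        return "dos"
    if len(counts) >= DISTRIBUTED_MIN_SOURCES:
        return "ddos"
    return "flood"


def scan_log(lines: Iterable[str]) -> Dict[int, str]:
    """Classify every window in the log; returns {window_offset_seconds: label}."""
    return {key: classify(ips) for key, ips in bucket_by_window(lines).items()}


def build_sample_log() -> List[str]:
    """Constructed traffic: 30 s of light use, then a 400-request burst from one
    host (seconds 30-40), then 600 requests spread over 300 hosts (seconds 40-50)."""
    t0 = datetime(2016, 1, 1, 12, 0, 0)
    lines = []
    for s in range(30):                      # 5 requests/s from five clients
        for i in range(5):
            ts = t0 + timedelta(seconds=s)
            lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} GET /index.html")
    for n in range(400):                     # single source, 40 requests/s
        ts = t0 + timedelta(seconds=30, milliseconds=25 * n)
        lines.append(f"{ts.isoformat()} 203.0.113.9 GET /index.html")
    for n in range(600):                     # 300 sources, 2 requests each
        h = n % 300
        ts = t0 + timedelta(seconds=40, milliseconds=16 * n)
        lines.append(f"{ts.isoformat()} 10.0.{h // 256}.{h % 256} GET /index.html")
    return lines


if __name__ == "__main__":
    for offset, label in sorted(scan_log(build_sample_log()).items()):
        print(f"window +{offset:>3}s: {label}")
```

The three quiet windows come out as normal, the one-host burst as dos, and the 300-host burst as ddos; real deployments would tune the thresholds to the site's baseline traffic.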

To help understand the nature of cybercrime, it is first important to understand the three core forces that must be present for a crime, any crime, to be committed. These three items are:

Means or the ability to carry out their goals or aims, which in essence means that they have the skills and abilities needed to complete the job

Motive or the reason to be pursuing the given goal

Opportunity, the opening or weakness needed to carry out the threat at a given time

As we will explore in this book, many of these attack types started very simply but rapidly moved to more and more advanced forms. Attackers have quickly upgraded their methods as well as included more advanced strategies, making their attacks much more effective than in the past. While they already knew how to harass and irritate the public, they also caused ever bolder disruptions of today’s world by preying on our “connected” lifestyle.

Attacks mentioned here will only increase as newer technologies such as smartphones and social networking integrate even more into our daily lives. The large volumes of information gathered, tracked, and processed by these devices and technologies are staggering. It is estimated by some sources that information on location, app usage, web browsing, and other data is collected on most individuals every three minutes. With this amount of information being collected, it is easy to envision scenarios where abuse could occur.

What has been behind a lot of the attacks in the past decade or more is greed. Hackers have realized that their skills are now more than curiosity and are something that could be used for monetary gain. One of the common examples is the malware that has appeared over this time period. Not only can malware infect a system, but in many cases it has been used to generate revenue for their creators. For example, malware can redirect a user’s browser to a specific site with the purpose of making the user click or view ads.


NOW YOU KNOW

Now you know that a penetration tester is someone who surveys, assesses, and tests the security of a given organization by using the same techniques a malicious hacker would use. You know your “opponents” are script kiddies, white-hat hackers, gray-hat hackers, black-hat hackers, and cyberterrorists. You also know that you will be testing whether your client’s confidentiality, integrity, and availability can be disrupted.

In addition, you learned to appreciate the evolution of hacking and penetration testing, including the role of the Internet and famous hacks in history.


THE ESSENTIALS AND BEYOND

What are the three types of controls that a company can use to defend against hackers?

What is the main difference between a hacker and a pentester?

What are some other names for a pentester?

What does the CIA triad represent when referring to information security?

Name some of the crimes categorized as cybercrime.

CHAPTER 2 Introduction to Operating Systems and Networking

In this chapter, you’ll gain knowledge of the main operating systems that you’ll encounter in your job as a pentester. These include Microsoft Windows, Mac OS, Linux, and Unix. You’ll also explore networking fundamentals, including computer types and network sizes. You’ll need this knowledge as you explore your clients’ networks. Finally, no network introduction would be complete without a discussion of the OSI model and TCP/IP.

In this chapter, you’ll learn to:

Compare operating systems

Explore networking concepts

Comparing Common Operating Systems

Operating systems (OSs) do a lot of different things, but take away all the jargon and features and you will find that an OS is responsible for being the platform on which other applications are executed. Without an OS, a computer is essentially a collection of circuits and wires waiting to be used. The OS is responsible for everything from running applications and providing network access to managing files and storage devices.

Modern operating systems have even more capabilities, such as the ability to monitor users, manage devices, and present a nice, glossy interface. In addition, an OS is supposed to provide a mechanism that prevents unauthorized access to resources such as files and folders or hardware and network resources.

Each OS offers a multitude of features that makes it different from its peers; however, many things tend to be common, such as the following:

Graphical User Interface (GUI) Most OSs today offer a GUI, which allows quick and easy access to the various features and applications on the system without having to know how to use a command line. Features are represented by icons, and actions are taken through menus and buttons.

Network Support With a few exceptions, modern OSs provide the ability to connect to a network, whether it is hard-wired, wireless, Bluetooth, or 3G/4G in nature. Systems that do not provide such access tend to be either legacy systems or purpose built.

Multitasking The ability to run multiple applications at once is an expected feature of any modern OS. This means an OS can simultaneously execute applications seamlessly and make for a more productive environment.

Application Support An OS is expected to support a range of applications and act as the foundation upon which they are able to run. In fact, the OS is responsible for managing and allocating the resources that an application is going to need and share while operating.

Hardware Interface Any modern OS provides the interface between the applications, the user, and the hardware. The OS obscures the details of the hardware and allows the user to work without having to think about those details. Additionally, the OS interacts with hardware, and allows applications to do so, through the use of specialized software known as drivers.

I’ll talk further about OSs as they pertain to scanning and enumeration, but for now I’ll compare and contrast the different operating systems.

Microsoft Windows

Chances are that the majority of the systems you will encounter will be running Microsoft’s Windows platform in one form or another. Since the OS was introduced in the 1980s, it has made its way onto the majority of desktops and servers in both the workplace and at home as well as onto mobile devices such as tablets and smartphones. Since 2009 Microsoft has held fairly steady, with an installed base of around 90 percent of the computers worldwide. It is because of this domination that you must become familiar (or even more familiar) with this OS. Figure 2.1 shows the Windows OS.

FIGURE 2.1 The Windows Desktop