Sorna File

A reference site for downloading files, research papers, projects, theses, and phone flash files

Download the book Practical Hacking Techniques and Countermeasures

Exclusive from Sorna File: download the book Practical Hacking Techniques and Countermeasures via a direct, high-speed link.

Contents

1 Preparation
Installing VMware Workstation
Configuring Virtual Machines
Installing a Virtual Windows 2000 Workstation
Installing VMware Tools for Windows 2000 Virtual Machines
Installing a Red Hat Version 8 Virtual Machine
Installing VMware Tools for Red Hat Virtual Machines
What Is on the CD?
Restrict Anonymous
To Restrict Anonymous
In Windows NT
For Windows XP, 2003
For Windows 2000
What Is the Difference?
2 Banner Identification
Lab 1: Banner Identification
Lab 2: Banner Identification
Lab 3: Banner Identification
Lab 4: Operating System Identification
Detect Operating System of Target: Xprobe2
Lab 5: Banner Identification
Lab 6: Banner Identification
Lab 7: Personal Social Engineering
Social Engineering Techniques: Dumpster Diving/Personnel
AU7057_C000.fm Page vii Monday, September 25, 2006 12:16 PM
3 Target Enumeration
Lab 8: Establish a NULL Session
Establish a NULL Session: NULL Session
Lab 9: Enumerate Target MAC Address
Enumerate MAC Address and Total NICs: GETMAC
Lab 10: Enumerate SID from User ID
Enumerate the SID from the Username: USER2SID
Lab 11: Enumerate User ID from SID
Enumerate the Username from the Known SID: SID2USER
Lab 12: Enumerate User Information
Enumerate User Information from Target: USERDUMP
Lab 13: Enumerate User Information
Exploit Data from Target Computer: USERINFO
Lab 14: Enumerate User Information
Exploit User Information from Target: DUMPSEC
Lab 15: Host/Domain Enumeration
Enumerate Hosts and Domains of LAN: Net Commands
Lab 16: Target Connectivity/Route
Detect Target Connectivity: PingG
Lab 17: Target Connectivity/Route
Connectivity/Routing Test: Pathping
Lab 18: Operating System Identification
Identify Target Operating System: Nmap/nmapFE
Lab 19: Operating System Identification
Identify Target Operating System: NmapNT
Lab 20: IP/Hostname Enumeration
Enumerate IP or Hostname: Nslookup
Lab 21: IP/Hostname Enumeration
Enumerate IP or Hostname: Nmblookup
Lab 22: RPC Reporting
Report the RPC of Target: Rpcinfo
Lab 23: Location/Registrant Identification
Gather Registration Info/Trace Visual Route: Visual Route
Lab 24: Registrant Identification
Gather IP or Hostname: Sam Spade
Lab 25: Operating System Identification
Gather OS Runtime and Registered IPs: Netcraft
Lab 26: Operating System Identification
Scan Open Ports of Target: Sprint
Lab 27: Default Shares
Disable Default Shares: Windows Operating System
Lab 28: Host Enumeration
Scan Open Ports of Target: WinFingerprint
4 Scanning
Lab 29: Target Scan/Share Enumeration
Scan Open Ports of Target: Angry IP
Lab 30: Target Scan/Penetration
Scan Open Ports/Penetration Testing: LANguard
Lab 31: Target Scan through Firewall
Scan Open Ports of Target: Fscan
Lab 32: Passive Network Discovery
Passively Identify Target Information on the LAN: Passifist
Lab 33: Network Discovery
Identify Target Information: LanSpy
Lab 34: Open Ports/Services
Scan Open Ports/Services of Target: Netcat
Lab 35: Port Scan/Service Identification
Scan Open Ports of Target: SuperScan
Lab 36: Port Scanner
Identify Ports Open: Strobe
Lab 37: Anonymous FTP Locator
Locate Anonymous FTP Servers: FTPScanner
Lab 38: CGI Vulnerability Scanner
Identify CGI Vulnerabilities: TCS CGI Scanner
Lab 39: Shared Resources Locator
Identify Open Shared Resources: Hydra
Lab 40: Locate Wingate Proxy Servers
Locate Wingate Proxy Servers: WGateScan/ADM Gates
5 Sniffing Traffic
Lab 41: Packet Capture — Sniffer
Exploit Data from Network Traffic: Ethereal
To Install Ethereal on a Red Hat Linux Computer
To Install Ethereal on Microsoft Windows
Lab 42: Packet Capture — Sniffer
Exploit Data from Network Traffic: Ngrep
For Linux
For Windows
Lab 43: Packet Capture — Sniffer
Exploit Data from Network Traffic: TcpDump
Lab 44: Packet Capture — Sniffer
Exploit Data from Network Traffic: WinDump
Lab 45: Packet Capture — Sniffer
Monitor IP Network Traffic Flow: IPDump2
For Linux
For Windows
Lab 46: Password Capture — Sniffer
Exploit Passwords and Sniff the Network: ZxSniffer
Lab 47: Exploit Data from Target Computer — Sniffit
6 Spoofing
Lab 48: Spoofing IP Addresses
Send Packets via False IP Address: RafaleX
Lab 49: Spoofing MAC Addresses
Send Packets via a False MAC Address: SMAC
Lab 50: Spoofing MAC Addresses
Send Packets via a False MAC Address: Linux
Lab 51: Packet Injection/Capture/Trace
Send Packets via a False IP/MAC Address: Packit
Lab 52: Spoof MAC Address
Altering the MAC Address: VMware Workstation
7 Brute Force
Lab 53: Brute-Force FTP Server
Crack an FTP Password: NETWOX/NETWAG
Lab 54: Retrieve Password Hashes
Extract Password Hashes: FGDump
Lab 55: Crack Password Hashes
Crack and Capture Password Hashes: LC5
Lab 56: Overwrite Administrator Password
Change the Administrator Password: CHNTPW
Lab 57: Brute-Force Passwords
Brute-Force Passwords for a Hashed File: John the Ripper
Lab 58: Brute-Force FTP Password
Brute-Force an FTP Password Connection: BruteFTP
Lab 59: Brute-Force Terminal Server
Brute-Force Terminal Server Passwords: TSGrinder II
8 Vulnerability Scanning
Lab 60: Vulnerability Scanner
Perform Vulnerability Assessment: SAINT
Lab 61: SNMP Walk
Exploit Data via SNMP Walk: NETWOX/NETWAG
Lab 62: Brute-Force Community Strings
Exploit the SNMP Community Strings: Solar Winds
Lab 63: Target Assessment
Assessment of Target Security: Retina
Lab 64: Target Assessment
Assessment of Target Security: X-Scan
Lab 65: Vulnerability Scanner
Perform Vulnerability Assessment: SARA
Lab 66: Web Server Target Assessment
Assessment of Web Server Security: N-Stealth
Lab 67: Vulnerability Scanner
Exploit Data from Target Computer: Pluto
Lab 68: Vulnerability Assessment
Perform Vulnerability Assessment: Metasploit
On Windows
On Linux
Lab 69: Web Server Target Assessment
Assessment of Web Server Security: Nikto
Lab 70: Vulnerability Scanner
Assessment of Target Security: Shadow Scanner
Lab 71: Internet Vulnerability Scanner
Assessment of Target Security: Cerberus
Lab 72: WHAX — Auto Exploit Reverse Shell
Automatically Exploit the Target: AutoScan
Lab 73: Unique Fake Lock Screen XP
Grab the Administrator Password: Fake Lock Screen XP
Lab 74: Bypassing Microsoft Serial Numbers
Bypassing Serial Number Protection: RockXP/Custom Script
Lab 75: Vulnerability Exploit
Assessment of Target Security: Web Hack Control Center
9 Wireless
Lab 76: Locate Unsecured Wireless
Locate Unsecured Wireless: NetStumbler/Mini-Stumbler
Lab 77: Trojan
Unauthorized Access and Control: Back Orifice
On the Target Computer
On the Attacker’s Computer
Lab 78: Trojan
Unauthorized Access and Control: NetBus
On the Target (Server)
On the Attacker’s Computer
Lab 79: ICMP Tunnel Backdoor
Bidirectional Spoofed ICMP Tunnel: Sneaky-Sneaky
On the Target (Server)
On the Attacker’s Machine
Lab 80: Hiding Tools on the Target
Hiding Files on the Target: CP
Scenario: Hiding Netcat inside the Calculator Application
To Verify
Lab 81: Capturing Switched Network Traffic
Intercept/Exploit Traffic: Ettercap
Lab 82: Password Capture
Capture Passwords Traversing the Network: Dsniff
Lab 83: Data Manipulation
Manipulate the Live Data Stream: Achilles
Lab 84: Covert Reverse Telnet Session
Create a Reverse Telnet Session: Netcat
Lab 85: Covert Channel — Reverse Shell
Exploit Data from Target Computer: Reverse Shell
10 Redirection
Lab 86: PortMapper
Traffic Redirection: PortMapper
Lab 87: Executing Applications — Elitewrap
Executing Hidden Applications: Elitewrap
Lab 88: TCP Relay — Bypass Firewalls
Traffic Redirection: Fpipe
Lab 89: Remote Execution
Remote Execution on Target: PsExec
Lab 90: TCP Relay — Bypass Firewalls
Traffic Redirection: NETWOX/NETWAG
11 Denial-of-Service (DoS)
Lab 91: Denial-of-Service — Land Attack
DoS Land Attack: Land Attack
Lab 92: Denial-of-Service — Smurf Attack
DoS Smurf Attack: Smurf Attack
Lab 93: Denial-of-Service — SYN Attack
DoS Land Attack: SYN Attack
Lab 94: Denial-of-Service — UDP Flood
DoS UDP Flood Attack: UDP Flood Attack
Lab 95: Denial-of-Service — Trash2.c
Create Denial-of-Service Traffic: Trash2.c
Appendix A: References
Appendix B: Tool Syntax
Index

