Penetration Tester's Open Source Toolkit, Third Edition, discusses the open source tools available to penetration testers, the ways to use them, and the situations in which they apply. The book consists of 10 chapters, each focused on a specific area of penetration testing: tools of the trade; reconnaissance; scanning and enumeration; client-side attacks and human weaknesses; hacking database services; Web server and Web application testing; network devices; enterprise application testing; wireless penetration testing; and building penetration test labs. Each chapter is organized to discuss the objectives associated with the focus area, an approach to penetration testing of that area, the core technologies involved, and the open source tools that can be used to perform the testing. The chapters also include case studies in which the tools discussed are applied. This book is for people who are interested in penetration testing and for professionals engaged in it. Those working in database, network, system, or application administration, as well as architects, can gain insight into how penetration testers perform testing in their specific areas of expertise and learn what to expect from a penetration test. The book can also serve as a reference for security or audit professionals.

* Details current open source penetration testing tools
* Presents core technologies for each type of testing and the best tools for the job
* New to this edition: enterprise application testing, client-side attacks, and updates on Metasploit and BackTrack
Acknowledgments xiii
Introduction xv
About the Author xxi
About the Technical Editor xxi
Chapter 1 Tools of the Trade 1 (28)
1.1 Objectives 1 (1)
1.2 Approach 2 (2)
1.3 Core technologies 4 (5)
1.3.1 LiveCDs 4 (2)
1.3.2 ISO images 6 (1)
1.3.3 Bootable USB drives 6 (2)
1.3.4 Creating a persistent LiveCD 8 (1)
1.4 Open source tools 9 (14)
1.4.1 Tools for building LiveCDs 9 (3)
1.4.2 Penetration testing toolkits 12 (8)
1.4.3 Penetration testing targets 20 (3)
1.5 Case study: the tools in action 23 (4)
1.6 Hands-on challenge 27 (2)
Summary 27 (1)
Endnote 28 (1)
Chapter 2 Reconnaissance 29 (66)
2.1 Objective 30 (2)
2.2 A methodology for reconnaissance 32 (1)
2.3 Intelligence gathering 33 (16)
2.3.1 Core technologies 34 (2)
2.3.2 Approach 36 (4)
2.3.3 Open source tools 40 (9)
2.3.4 Intelligence gathering summary 49 (1)
2.4 Footprinting 49 (18)
2.4.1 Core technologies 49 (6)
2.4.2 Approach 55 (4)
2.4.3 Open source tools 59 (8)
2.4.4 Footprinting summary 67 (1)
2.5 Human recon 67 (7)
2.5.1 Core technologies 68 (3)
2.5.2 Open source tools 71 (3)
2.5.3 Human recon summary 74 (1)
2.6 Verification 74 (11)
2.6.1 Core technologies 74 (2)
2.6.2 Approach 76 (6)
2.6.3 Open source tools 82 (2)
2.6.4 Verification summary 84 (1)
2.7 Case study: the tools in action 85 (7)
2.7.1 Intelligence gathering, footprinting, and verification of an Internet-connected network 85 (7)
2.7.2 Case study summary 92 (1)
2.8 Hands-on challenge 92 (3)
Summary 93 (1)
Endnotes 93 (2)
Chapter 3 Scanning and Enumeration 95 (46)
3.1 Objectives 95 (2)
3.1.1 Before you start 96 (1)
3.1.2 Why do scanning and enumeration? 96 (1)
3.2 Scanning 97 (13)
3.2.1 Approach 97 (1)
3.2.2 Core technology 98 (3)
3.2.3 Open source tools 101 (9)
3.3 Enumeration 110 (18)
3.3.1 Approach 110 (1)
3.3.2 Core technology 111 (4)
3.3.3 Open source tools 115 (13)
3.4 Case studies: the tools in action 128 (10)
3.4.1 External 129 (2)
3.4.2 Internal 131 (3)
3.4.3 Stealthy 134 (2)
3.4.4 Noisy (IDS) testing 136 (2)
3.5 Hands-on challenge 138 (3)
Summary 138 (3)
Chapter 4 Client-Side Attacks and Human Weaknesses 141 (48)
4.1 Objective 141 (1)
4.2 Phishing 142 (14)
4.2.1 Approaches 142 (4)
4.2.2 Core technologies 146 (4)
4.2.3 Open source tools 150 (6)
4.3 Social network attacks 156 (14)
4.3.1 Approach 156 (5)
4.3.2 Core technologies 161 (3)
4.3.3 Open source tools 164 (6)
4.4 Custom malware 170 (11)
4.4.1 Approach 170 (2)
4.4.2 Core technologies 172 (3)
4.4.3 Open source tools 175 (6)
4.5 Case study: the tools in action 181 (6)
4.6 Hands-on challenge 187 (2)
Summary 187 (1)
Endnote 188 (1)
Chapter 5 Hacking Database Services 189 (30)
5.1 Objective 189 (1)
5.2 Core technologies 190 (4)
5.2.1 Basic terminology 190 (1)
5.2.2 Database installation 191 (2)
5.2.3 Communication 193 (1)
5.2.4 Resources and auditing 193 (1)
5.3 Microsoft SQL Server 194 (8)
5.3.1 Microsoft SQL Server users 194 (1)
5.3.2 SQL Server roles and permissions 195 (1)
5.3.3 SQL Server stored procedures 195 (1)
5.3.4 Open source tools 196 (6)
5.4 Oracle database management system 202 (10)
5.4.1 Oracle users 202 (2)
5.4.2 Oracle roles and privileges 204 (1)
5.4.3 Oracle stored procedures 204 (1)
5.4.4 Open source tools 204 (8)
5.5 Case study: the tools in action 212 (3)
5.6 Hands-on challenge 215 (4)
Summary 216 (3)
Chapter 6 Web Server and Web Application Testing 219 (40)
6.1 Objective 219 (2)
6.1.1 Web server vulnerabilities: a short history 220 (1)
6.1.2 Web applications: the new challenge 221 (1)
6.2 Approach 221 (3)
6.2.1 Web server testing 222 (1)
6.2.2 CGI and default pages testing 223 (1)
6.2.3 Web application testing 224 (1)
6.3 Core technologies 224 (9)
6.3.1 Web server exploit basics 225 (5)
6.3.2 CGI and default page exploitation 230 (1)
6.3.3 Web application assessment 231 (2)
6.4 Open source tools 233 (14)
6.4.1 WAFWOOF 234 (2)
6.4.2 Nikto 236 (2)
6.4.3 Grendel-Scan 238 (3)
6.4.4 fimap 241 (2)
6.4.5 SQLiX 243 (2)
6.4.6 sqlmap 245 (1)
6.4.7 DirBuster 245 (2)
6.5 Case study: the tools in action 247 (8)
6.6 Hands-on challenge 255 (4)
Summary 256 (1)
Endnote 257 (2)
Chapter 7 Network Devices 259 (32)
7.1 Objectives 259 (1)
7.2 Approach 260 (1)
7.3 Core technologies 260 (7)
7.3.1 Switches 261 (3)
7.3.2 Routers 264 (1)
7.3.3 Firewalls 265 (1)
7.3.4 IPv6 266 (1)
7.4 Open source tools 267 (17)
7.4.1 Footprinting tools 267 (4)
7.4.2 Scanning tools 271 (5)
7.4.3 Enumeration tools 276 (1)
7.4.4 Exploitation tools 276 (8)
7.5 Case study: the tools in action 284 (5)
7.6 Hands-on challenge 289 (2)
Summary 290 (1)
Chapter 8 Enterprise Application Testing 291 (28)
8.1 Objective 291 (1)
8.2 Core technologies 292 (4)
8.2.1 What is an enterprise application? 292 (1)
8.2.2 Multi-tier architecture 293 (2)
8.2.3 Integrations 295 (1)
8.3 Approach 296 (4)
8.4 Open source tools 300 (13)
8.4.1 Nmap 300 (1)
8.4.2 Netstat 301 (2)
8.4.3 sapyto 303 (3)
8.4.4 soapUI 306 (7)
8.4.5 Metasploit 313 (1)
8.5 Case study: the tools in action 313 (4)
8.6 Hands-on challenge 317 (2)
Summary 318 (1)
Chapter 9 Wireless Penetration Testing 319 (52)
9.1 Objective 319 (1)
9.2 Approach 320 (1)
9.3 Core technologies 321 (11)
9.3.1 Understanding WLAN vulnerabilities 321 (1)
9.3.2 Evolution of WLAN vulnerabilities 322 (2)
9.3.3 Wireless penetration testing tools 324 (8)
9.4 Open source tools 332 (35)
9.4.1 Information-gathering tools 332 (6)
9.4.2 Footprinting tools 338 (4)
9.4.3 Enumeration tool 342 (1)
9.4.4 Vulnerability assessment tool 342 (1)
9.4.5 Exploitation tools 343 (19)
9.4.6 Bluetooth vulnerabilities 362 (5)
9.5 Case study: the tools in action 367 (2)
9.6 Hands-on challenge 369 (2)
Summary 370 (1)
Chapter 10 Building Penetration Test Labs 371 (32)
10.1 Objectives 372 (1)
10.2 Approach 372 (18)
10.2.1 Designing your lab 372 (13)
10.2.2 Building your lab 385 (3)
10.2.3 Running your lab 388 (2)
10.3 Core technologies 390 (4)
10.3.1 Defining virtualization 391 (1)
10.3.2 Virtualization and penetration testing 391 (1)
10.3.3 Virtualization architecture 392 (2)
10.4 Open source tools 394 (3)
10.4.1 Xen 394 (1)
10.4.2 VirtualBox 395 (1)
10.4.3 GNS3/Dynagen/Dynamips 395 (1)
10.4.4 Other tools 396 (1)
10.5 Case study: the tools in action 397 (3)
10.6 Hands-on challenge 400 (3)
Summary 401 (2)
Index 403