Table of Contents

1 Introduction  19
1.1 What Is Ethical Hacking?  19
1.2 Protection Goals of Information Security  21
1.3 Motivations for Hacking Attacks  23
1.4 Types of Hackers  24
1.5 The Cyber Kill Chain  26
1.6 Hacker Ethics  28
1.7 Advanced Persistent Threats  30
1.8 Common Vulnerabilities and Exposures  32
1.9 Common Vulnerability Scoring System  35
1.10 Classification of Attacks  38
1.11 The MITRE ATT&CK Framework  39
1.12 Tactics, Techniques, and Procedures  45
1.13 Indicators of Compromise  46
1.14 Security Models  47
1.14.1 Defense in Depth  47
1.14.2 The Diamond Model  48
1.14.3 Zero-Trust Model  49
1.14.4 The Pyramid of Pain  50
1.15 Information Warfare  52
1.16 Practice Questions  54
2 TryHackMe  73
2.1 TryHackMe Overview  73
2.2 Hacking Lab  76
2.2.1 Setting Up a Hacking Lab  77
2.2.2 Installing VirtualBox and Kali Linux on Windows  78
2.2.3 Installing VirtualBox and Kali Linux on macOS  81
2.2.4 Setting Up Kali Linux  85
2.2.5 Setting Up an OpenVPN Connection  87
2.2.6 AttackBox  89
2.3 Starting and Solving Hacking Challenges  90
2.4 Support from AI: ShellGPT  95
3 Footprinting and Reconnaissance  101
3.1 What Is Footprinting?  101
3.2 Active and Passive Footprinting  102
3.2.1 Footprinting with Search Engines  102
3.2.2 Google Hacking  107
3.2.3 Shodan  109
3.2.4 Reverse Image Search  111
3.2.5 Video Search Engines  112
3.2.6 Meta Search Engines  113
3.2.7 Internet of Things Search Engines  113
3.2.8 Social Networks  114
3.2.9 People Search Engines  115
3.2.10 Job Portals  116
3.2.11 The Wayback Machine (Archive.org)  117
3.2.12 Geographic Search Engines  118
3.2.13 Email Tracking  120
3.2.14 Domain Name System Lookups and Whois  120
3.2.15 Active Footprinting  123
3.3 Well-Known Files  124
3.4 Footprinting on the Dark Web  126
3.5 Tools for Footprinting  127
3.5.1 Finding Subdomains with Sublist3r  131
3.5.2 Collecting Information with theHarvester  133
3.5.3 Finding User Names with Sherlock  133
3.5.4 Creating Word Lists with Custom Word List Generator  134
3.5.5 Reading Metadata with ExifTool  136
3.6 Protection against Footprinting  140
3.7 OhSINT  142
3.7.1 Preparation  142
3.7.2 Finding the User’s Avatar  144
3.7.3 Finding the City Where the Person Is Located  145
3.7.4 Finding the Service Set Identifier of the Wireless Access Point  145
3.7.5 Finding the Email Address of the Target Person  147
3.7.6 Finding the Origin of the Email Address  147
3.7.7 Finding Where the Target Person Went on Vacation  147
3.7.8 Finding the Secret Password  148
3.8 Practice Questions  149
4 Scanning  169
4.1 Ports and Services  169
4.2 The OSI Model  171
4.3 HTTP  173
4.4 ICMP, UDP, and TCP  177
4.5 Hping3  181
4.6 Wireshark  184
4.7 Nmap  188
4.7.1 Scanning Techniques with Nmap  191
4.7.2 Host Discovery with AI  192
4.7.3 Protection against Ping Sweeps  193
4.7.4 Scanning Ports and Services with Nmap  194
4.7.5 Scanning Ports and Services with AI  199
4.7.6 Protection Against Port Scanning  201
4.8 Banner Grabbing  201
4.9 Practice Questions  205
5 Enumeration and Fuzzing  231
5.1 What Is Enumeration?  231
5.1.1 Network Basic Input/Output System Enumeration  231
5.1.2 Simple Network Management Protocol Enumeration  232
5.1.3 Lightweight Directory Access Protocol Enumeration  232
5.1.4 Simple Mail Transfer Protocol Enumeration  233
5.1.5 Domain Name System Enumeration  233
5.1.6 Server Message Block Enumeration  234
5.1.7 Network File System Enumeration  234
5.1.8 Remote Procedure Call Enumeration  235
5.1.9 Active Directory Enumeration  235
5.1.10 Web Enumeration  236
5.2 Gobuster  236
5.3 What Is Fuzzing?  238
5.3.1 Dumb Fuzzing  238
5.3.2 Smart Fuzzing (Generation-Based Fuzzing)  239
5.3.3 Mutation-Based Fuzzing  239
5.3.4 Coverage-Guided Fuzzing  240
5.3.5 Protocol Fuzzing  240
5.3.6 Web Fuzzing  240
5.4 Fuzz Faster U Fool  241
5.4.1 Fuzzing Directories and Files  241
5.4.2 Parameter Fuzzing  242
5.4.3 Subdomain and DNS Fuzzing  242
5.5 WPScan  243
5.6 Practice Questions  244
6 Metasploit  251
6.1 Exploits  251
6.2 Searching for Exploits  252
6.3 The Metasploit Framework  255
6.3.1 Metasploitable 2  259
6.3.2 vsftpd Exploit  264
6.3.3 Enumerating SMTP Users  268
6.3.4 Billing: Access to the Server  271
6.4 Practice Questions  275
7 Cryptography  283
7.1 Introduction to Cryptography  283
7.1.1 Protection Goals of Cryptography  284
7.1.2 Types of Cryptography  284
7.1.3 Government Access to Keys and Key Escrow  285
7.1.4 The Kerckhoffs Principle  286
7.2 Ciphers  286
7.2.1 The Caesar Cipher  288
7.2.2 The Vigenère Cipher  290
7.2.3 The Book Cipher  293
7.3 The XOR Operation  295
7.4 The Feistel Network  296
7.5 Encryption Algorithms  301
7.5.1 The RSA Algorithm  303
7.5.2 The Diffie-Hellman Algorithm  304
7.6 Hash Algorithms  306
7.7 One-Time Pad  308
7.8 Digital Signatures  310
7.9 Quantum Cryptography  311
7.10 Public Key Infrastructure  312
7.11 Email Encryption  315
7.12 Cryptanalysis  315
7.13 Practice Questions  319
8 Covert Communication  337
8.1 Why Is Covert Communication Used?  337
8.2 Classic Techniques and Modern Equivalents  337
8.3 Steganography  339
8.3.1 The Least Significant Bit Method  341
8.3.2 File Overlay  343
8.3.3 Alternate Data Streams  345
8.3.4 Steghide  347
8.4 Communication via Side Channels  350
8.5 The Darknet  353
8.5.1 The Tor Network  353
8.5.2 Hidden Services  355
8.5.3 OnionShare  357
8.6 c4ptur3-th3-fl4g  366
8.6.1 Translation and Shifting  366
8.6.2 Spectrograms  371
8.6.3 Steganography  372
8.6.4 Security Through Obscurity  372
8.7 Practice Questions  373
9 Cracking Passwords  381
9.1 Hash Functions and Password Hashes  381
9.2 Kerberos  384
9.3 Salt and Pepper  386
9.4 hashcat  387
9.4.1 Brute Force  389
9.4.2 Dictionary Attack  390
9.4.3 Mask Attack  391
9.4.4 Rule-Based Attack  392
9.4.5 Combinator Attack  394
9.4.6 HAITI  395
9.5 Attacks on Passwords  396
9.5.1 Analog Password Attacks  396
9.5.2 Online Attacks  396
9.5.3 Offline Attacks  398
9.5.4 Cracking Secure Shell Access  399
9.5.5 Cracking ZIP Files  404
9.6 Protection Against Password Attacks  405
9.7 CrackIT  405
9.7.1 Brute Force  405
9.7.2 Dictionary Attack  407
9.7.3 Mask Attack  408
9.7.4 The HKAHacker’s Secret Password  409
9.7.5 CVE-2023-32784  410
9.7.6 Cracking a ZIP Archive  413
9.8 Practice Questions  413
10 OWASP Top 10  425
10.1 A01:2021 Broken Access Control  425
10.2 A02:2021 Cryptographic Failures  428
10.3 A03:2021 Injection  431
10.4 A04:2021 Insecure Design  435
10.5 A05:2021 Security Misconfiguration  438
10.6 A06:2021 Vulnerable and Outdated Components  441
10.7 A07:2021 Identification and Authentication Failures  443
10.8 A08:2021 Software and Data Integrity Failures  445
10.8.1 Software Integrity Failures  445
10.8.2 Data Integrity Failures  446
10.9 A09:2021 Security Logging and Monitoring Failures  450
10.10 A10:2021 Server-Side Request Forgery  452
10.11 Practice Questions  453
11 The OWASP Juice Shop  461
11.1 What Is the OWASP Juice Shop?  461
11.2 Installing the OWASP Juice Shop  461
11.3 Tasks in the OWASP Juice Shop  464
11.3.1 DOM XSS  464
11.3.2 Burp Suite  465
11.3.3 Zero Stars  472
11.3.4 Login Admin  473
11.3.5 Empty User Registration  478
11.3.6 Login Bender or Login Jim  479
11.3.7 Admin Registration  480
12 Cross-Site Scripting  483
12.1 Types of XSS  483
12.1.1 Stored XSS  484
12.1.2 Reflected XSS  484
12.1.3 Document Object Model–Based XSS  485
12.1.4 Blind XSS  487
12.2 Protection Against XSS  489
12.3 Google XSS Game  490
12.3.1 Level 1: Hello, World with XSS  491
12.3.2 Level 2: Persistence Is Key  492
12.3.3 Level 3: That Sinking Feeling...  494
12.3.4 Level 4: Context Matters  496
12.3.5 Level 5: Breaking Protocol  498
12.3.6 Level 6: Hello, World of XSS  500
12.3.7 Level 7: How Do You Hack the Google XSS Game?  502
12.4 Practice Questions  506
13 SQL Injection  517
13.1 SQL Basics  517
13.2 Types of SQL Injections  520
13.2.1 Inline SQL Injections  521
13.2.2 Boolean-Based Blind SQL Injections  521
13.2.3 Time-Based Blind SQL Injections  523
13.2.4 Error-Based SQL Injections  525
13.2.5 UNION-Based SQL Injections  526
13.2.6 Out-of-Band SQL Injections  526
13.3 Protection Against SQL Injections  527
13.4 SQLMap  527
13.5 Practice Questions  538
14 Social Engineering  545
14.1 What Is Social Engineering?  545
14.2 Psychology of Social Engineering  546
14.3 Phases of a Social Engineering Attack  547
14.4 Social Engineering Techniques  548
14.4.1 Human-Based Social Engineering  548
14.4.2 Computer-Based Social Engineering  550
14.4.3 Phishing  551
14.4.4 Mobile-Based Social Engineering  555
14.5 Insider Threats  556
14.5.1 Motives and Types  556
14.5.2 Detecting Insider Attacks  558
14.6 Identity Impersonation and Identity Theft  558
14.6.1 Types of Identity Theft  560
14.6.2 How Identity Theft Is Carried Out  561
14.6.3 Recognizing Identity Theft  561
14.7 Threats Posed by Deepfakes  562
14.8 Measures Against Social Engineering  564
14.8.1 Protection Against Insider Threats  564
14.8.2 Protection Against Identity Theft  565
14.8.3 Train Employees  566
14.9 The Social Engineering Lab  566
14.9.1 Scenarios  567
14.9.2 Phishing Email  569
14.9.3 Phishing Email with Attachment  571
14.9.4 Phishing Search Image  573
14.9.5 Creating a Phishing Email  574
14.10 Practice Questions  577
15 Reverse Shells  599
15.1 What Is a Bind Shell and How Does It Work?  599
15.2 What Is a Reverse Shell and How Does It Work?  600
15.3 Examples of Reverse Shells  602
15.3.1 PHP  602
15.3.2 Java  604
15.3.3 PowerShell  606
15.3.4 Python  607
15.3.5 TTY Shells  608
15.4 Obfuscation Techniques for Reverse Shells  609
15.5 Measures to Protect Against Reverse Shells  613
15.6 All in One: Reverse Shell  613
15.7 Practice Questions  618
16 Privilege Escalation  625
16.1 What Is Privilege Escalation?  625
16.2 GTFOBins  625
16.3 Techniques for Privilege Escalation  627
16.3.1 DLL Hijacking  627
16.3.2 Dylib Hijacking  628
16.3.3 Named Pipe Impersonation  629
16.3.4 Pivoting and Relaying  630
16.3.5 Manipulation of Boot and Logon Scripts  630
16.3.6 sudo -l  630
16.3.7 SUID Bit  631
16.3.8 Protection Against Privilege Escalation  633
16.4 RootMe  633
16.5 Billing: Privilege Escalation  637
16.6 All in One: Privilege Escalation  640
16.7 Practice Questions  641
17 Malware  649
17.1 What Is Malware?  649
17.1.1 A Brief History of Malware  650
17.1.2 How Does Malware Get onto a System?  655
17.1.3 What Does Malware Consist of?  656
17.2 Types of Malware  657
17.2.1 Keylogger  657
17.2.2 Rootkits  658
17.2.3 Trojan  658
17.2.4 Ransomware  663
17.2.5 Viruses and Worms  667
17.2.6 Artificial Intelligence–Based Malware  669
17.3 Malware Analysis  670
17.4 Protection Against Malware  672
17.5 Practice Questions  672
18 Professional Pentesting  683
18.1 Pentest Procedure  683
18.1.1 Defining the Scope  683
18.1.2 Non-Disclosure Agreement  684
18.1.3 Putting Together the Team  684
18.1.4 Conducting the Pentest  684
18.1.5 Report  685
18.1.6 Presentation  685
18.2 Pentesting Standards and Frameworks  685
18.2.1 Penetration Testing Execution Standard  686
18.2.2 Open Web Application Security Project Web Security Testing Guide  687
18.2.3 NIST SP 800-115: Technical Guide to Information Security Testing and Assessment  687
18.2.4 Open Source Security Testing Methodology Manual  688
18.2.5 German Federal Office for Information Security Classification  688
18.3 Structure of Pentest Reports  690
18.3.1 Executive Summary  691
18.3.2 Scope and Objectives  691
18.3.3 Methodology  691
18.3.4 Overview of Vulnerabilities Found  691
18.3.5 Technical Vulnerability Details  691
18.3.6 Recommendations and Measures  692
18.3.7 Appendix  692
18.4 Writing Pentest Reports with Artificial Intelligence Support  692
18.5 Tips for Writing Pentest Reports  696
19 Final Challenge  699
19.1 The Hunt for Agent Dalvikov  699
19.1.1 Challenge 1.1  699
19.1.2 Challenge 1.2  700
19.1.3 Challenge 1.3  702
19.2 The Secret Password Database  702
19.2.1 Challenge 2.1  702
19.2.2 Challenge 2.2  703
19.2.3 Challenge 2.3  704
19.3 Admin Cookie  705
19.3.1 Challenge 3.1  705
19.3.2 Challenge 3.2  707
19.4 The Secret ZIP Folder  708
19.5 Federal Bureau of Investigation–Style Criminal Database  709
19.6 Gaining Access  711
19.7 Privilege Escalation  714
The Author  715
Index  717