· ... Preface ... 33
· ... What Hacking Has to Do with Security ... 33
· ... About this Book ... 34
· ... What's New in the Third Edition ... 35
· ... Target Group ... 35
· ... Let's Go! ... 35
· ... Foreword by Klaus Gebeshuber ... 36
· ... Foreword by Stefan Kania ... 36
· ... Greeting ... 36
· 1 ... Introduction ... 39
· 1.1 ... Hacking ... 39
· 1.2 ... Security ... 47
· 1.3 ... Exploits ... 58
· 1.4 ... Authentication and Passwords ... 65
· 1.5 ... Security Risk IPv6 ... 70
· 1.6 ... Legal Framework ... 72
· 1.7 ... Security Organizations and Government Institutions ... 75
· 2 ... Kali Linux ... 77
· 2.1 ... Kali Alternatives ... 77
· 2.2 ... Trying Out Kali Linux without Installation ... 78
· 2.3 ... Installing Kali Linux in VirtualBox ... 84
· 2.4 ... Kali Linux and Hyper-V ... 91
· 2.5 ... Kali Linux in the Windows Subsystem for Linux ... 93
· 2.6 ... Kali Linux on Raspberry Pi ... 96
· 2.7 ... Running Kali Linux on Apple PCs with ARM CPUs ... 97
· 2.8 ... Simple Application Examples ... 99
· 2.9 ... Internal Details of Kali ... 103
· 3 ... Setting Up the Learning Environment: Metasploitable, Juice Shop ... 109
· 3.1 ... Honeypots ... 110
· 3.2 ... Metasploitable 2 ... 110
· 3.3 ... Metasploitable 3 (Ubuntu Variant) ... 116
· 3.4 ... Metasploitable 3 (Windows Variant) ... 123
· 3.5 ... Juice Shop ... 133
· 4 ... Hacking Tools ... 137
· 4.1 ... nmap ... 138
· 4.2 ... hydra ... 142
· 4.3 ... sslyze, sslscan, and testssl ... 148
· 4.4 ... whois, host, and dig ... 151
· 4.5 ... Wireshark ... 154
· 4.6 ... tcpdump ... 159
· 4.7 ... Netcat (nc) ... 163
· 4.8 ... OpenVAS ... 166
· 4.9 ... Metasploit Framework ... 176
· 4.10 ... Empire Framework ... 187
· 4.11 ... The Koadic Postexploitation Framework ... 197
· 4.12 ... Social Engineer Toolkit ... 205
· 4.13 ... Burp Suite ... 212
· 4.14 ... Sliver ... 219
· 5 ... Offline Hacking ... 227
· 5.1 ... BIOS/EFI: Basic Principles ... 228
· 5.2 ... Accessing External Systems ... 230
· 5.3 ... Accessing External Hard Drives or SSDs ... 236
· 5.4 ... Resetting the Windows Password ... 237
· 5.5 ... Resetting Linux and macOS Passwords ... 244
· 5.6 ... Encrypting Hard Drives ... 246
· 6 ... Passwords ... 255
· 6.1 ... Hash Procedures ... 256
· 6.2 ... Brute-Force Password Cracking ... 259
· 6.3 ... Rainbow Tables ... 260
· 6.4 ... Dictionary Attacks ... 262
· 6.5 ... Password Tools ... 263
· 6.6 ... Default Passwords ... 271
· 6.7 ... Data Breaches ... 272
· 6.8 ... Multifactor Authentication ... 275
· 6.9 ... Implementing Secure Password Handling ... 276
· 7 ... IT Forensics ... 279
· 7.1 ... Methodical Analysis of Incidents ... 281
· 7.2 ... Postmortem Investigation ... 284
· 7.3 ... Live Analysis ... 300
· 7.4 ... Forensic Readiness ... 303
· 7.5 ... Summary ... 305
· 8 ... Wi-Fi, Bluetooth, and SDR ... 307
· 8.1 ... 802.11x Systems: Wi-Fi ... 307
· 8.2 ... Collecting WPA-2 Handshakes with Pwnagotchi ... 325
· 8.3 ... Bluetooth ... 332
· 8.4 ... Software-Defined Radios ... 349
· 9 ... Attack Vector USB Interface ... 359
· 9.1 ... USB Rubber Ducky ... 360
· 9.2 ... Digispark: A Wolf in Sheep's Clothing ... 367
· 9.3 ... Bash Bunny ... 375
· 9.4 ... P4wnP1: The Universal Talent ... 396
· 9.5 ... MalDuino W ... 406
· 9.6 ... Countermeasures ... 412
· 10 ... External Security Checks ... 419
· 10.1 ... Reasons for Professional Checks ... 419
· 10.2 ... Types of Security Checks ... 420
· 10.3 ... Legal Protection ... 430
· 10.4 ... Objectives and Scope ... 432
· 10.5 ... Implementation Methods ... 433
· 10.6 ... Reporting ... 434
· 10.7 ... Selecting the Right Provider ... 437
· 11 ... Penetration Testing ... 441
· 11.1 ... Gathering Information ... 442
· 11.2 ... Initial Access with Code Execution ... 459
· 11.3 ... Scanning Targets of Interest ... 463
· 11.4 ... Searching for Known Vulnerabilities Using nmap ... 470
· 11.5 ... Exploiting Known Vulnerabilities Using Metasploit ... 472
· 11.6 ... Attacking Using Known or Weak Passwords ... 478
· 11.7 ... Email Phishing Campaigns for Companies ... 481
· 11.8 ... Phishing Attacks with Office Macros ... 490
· 11.9 ... Phishing Attacks with ISO and ZIP Files ... 494
· 11.10 ... Attack Vector USB Phishing ... 504
· 11.11 ... Network Access Control and 802.1X in Local Networks ... 506
· 11.12 ... Extending Rights on the System ... 509
· 11.13 ... Collecting Credentials and Tokens ... 517
· 11.14 ... SMB Relaying Attack on Ordinary Domain Users ... 540
· 12 ... Securing Windows Servers ... 543
· 12.1 ... Local Users, Groups, and Rights ... 544
· 12.2 ... Manipulating the File System ... 553
· 12.3 ... Server Hardening ... 558
· 12.4 ... Microsoft Defender ... 561
· 12.5 ... Windows Firewall ... 564
· 12.6 ... Windows Event Viewer ... 568
· 13 ... Active Directory ... 579
· 13.1 ... What Is Active Directory? ... 579
· 13.2 ... Manipulating the Active Directory Database or its Data ... 592
· 13.3 ... Manipulating Group Policies ... 596
· 13.4 ... Domain Authentication: Kerberos ... 603
· 13.5 ... Attacks against Authentication Protocols and LDAP ... 611
· 13.6 ... Pass-the-Hash Attacks: mimikatz ... 612
· 13.7 ... Golden Ticket and Silver Ticket ... 624
· 13.8 ... Reading Sensitive Data from the Active Directory Database ... 628
· 13.9 ... Basic Coverage ... 631
· 13.10 ... More Security through Tiers ... 635
· 13.11 ... Protective Measures against Pass-the-Hash and Pass-the-Ticket Attacks ... 639
· 14 ... Securing Linux ... 649
· 14.1 ... Other Linux Chapters ... 649
· 14.2 ... Installation ... 650
· 14.3 ... Software Updates ... 654
· 14.4 ... Kernel Updates: Live Patches ... 658
· 14.5 ... Securing SSH ... 661
· 14.6 ... 2FA with Google Authenticator ... 665
· 14.7 ... 2FA with YubiKey ... 670
· 14.8 ... Fail2ban ... 673
· 14.9 ... Firewall ... 679
· 14.10 ... SELinux ... 693
· 14.11 ... AppArmor ... 699
· 14.12 ... Kernel Hardening ... 704
· 14.13 ... Apache ... 706
· 14.14 ... MySQL and MariaDB ... 712
· 14.15 ... Postfix ... 719
· 14.16 ... Dovecot ... 724
· 14.17 ... Rootkit Detection and Intrusion Detection ... 726
· 15 ... Security of Samba File Servers ... 735
· 15.1 ... Preliminary Considerations ... 735
· 15.2 ... Basic CentOS Installation ... 737
· 15.3 ... Basic Debian Installation ... 741
· 15.4 ... Configuring the Samba Server ... 743
· 15.5 ... Samba Server in Active Directory ... 746
· 15.6 ... Shares on the Samba Server ... 750
· 15.7 ... Changes to the Registry ... 755
· 15.8 ... Samba Audit Functions ... 758
· 15.9 ... Firewall ... 760
· 15.10 ... Attack Scenarios on Samba File Servers ... 765
· 15.11 ... Checking Samba File Servers ... 768
· 16 ... Intrusion Detection Systems ... 775
· 16.1 ... Intrusion Detection Methods ... 775
· 16.2 ... Host-Based versus Network-Based Intrusion Detection ... 778
· 16.3 ... Responses ... 783
· 16.4 ... Bypassing and Manipulating Intrusion Detection ... 785
· 16.5 ... Snort ... 787
· 16.6 ... Snort Rules ... 793
· 17 ... Security of Web Applications ... 803
· 17.1 ... Architecture of Web Applications ... 803
· 17.2 ... Attacks against Web Applications ... 806
· 17.3 ... Practical Analysis of a Web Application ... 837
· 17.4 ... Protection Mechanisms and Defense against Web Attacks ... 859
· 17.5 ... Security Analysis of Web Applications ... 867
· 18 ... Software Exploitation ... 871
· 18.1 ... Software Vulnerabilities ... 871
· 18.2 ... Detecting Security Gaps ... 874
· 18.3 ... Executing Programs on x86 Systems ... 874
· 18.4 ... Exploiting Buffer Overflows ... 884
· 18.5 ... Structured Exception Handling ... 899
· 18.6 ... Heap Spraying ... 901
· 18.7 ... Protective Mechanisms against Buffer Overflows ... 903
· 18.8 ... Bypassing Protective Measures against Buffer Overflows ... 907
· 18.9 ... Preventing Buffer Overflows as a Developer ... 914
· 18.10 ... Spectre and Meltdown ... 915
· 19 ... Bug Bounty Programs ... 923
· 19.1 ... The Idea Behind Bug Bounties ... 923
· 19.2 ... Reporting Vulnerabilities ... 926
· 19.3 ... Tips and Tricks for Analysts ... 927
· 19.4 ... Tips for Companies ... 930
· 20 ... Security in the Cloud ... 931
· 20.1 ... Overview ... 931
· 20.2 ... Amazon Simple Storage Service ... 935
· 20.3 ... Nextcloud and ownCloud ... 943
· 21 ... Securing Microsoft 365 ... 953
· 21.1 ... Identities and Access Management ... 954
· 21.2 ... Security Assessment ... 960
· 21.3 ... Multifactor Authentication ... 961
· 21.4 ... Conditional Access ... 969
· 21.5 ... Identity Protection ... 975
· 21.6 ... Privileged Identities ... 976
· 21.7 ... Detecting Malicious Code ... 982
· 21.8 ... Security in Data Centers ... 992
· 22 ... Mobile Security ... 997
· 22.1 ... Android and iOS Security: Basic Principles ... 997
· 22.2 ... Threats to Mobile Devices ... 1003
· 22.3 ... Malware and Exploits ... 1014
· 22.4 ... Technical Analysis of Apps ... 1025
· 22.5 ... Protective Measures for Android and iOS ... 1036
· 22.6 ... Apple Supervised Mode and Apple Configurator ... 1048
· 22.7 ... Enterprise Mobility Management ... 1055
· 23 ... Internet of Things Security ... 1065
· 23.1 ... What Is the Internet of Things? ... 1065
· 23.2 ... Finding IoT Vulnerabilities ... 1067
· 23.3 ... Securing IoT Devices in Networks ... 1085
· 23.4 ... IoT Protocols and Services ... 1086
· 23.5 ... Wireless IoT Technologies ... 1097
· 23.6 ... IoT from the Developer's Perspective ... 1102
· 23.7 ... Programming Languages for Embedded Controllers ... 1107
· 23.8 ... Rules for Secure IoT Programming ... 1109
· ... The Authors ... 1121
· ... Index ... 1123