Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity


Uncover security vulnerabilities and harden your system against attacks! With this guide you’ll learn to set up a virtual learning environment where you can test out hacking tools, from Kali Linux to hydra and Wireshark. Then expand your understanding of offline hacking, external safety checks, penetration testing in networks, and other essential security techniques, with step-by-step instructions. With information on mobile, cloud, and IoT security you can fortify your system against any threat!

Author(s): Kofler, Michael; Gebeshuber, Klaus; Kloep, Peter; Neugebauer, Frank; Zingsheim, André; Hackner, Thomas; Widl, Markus; Aigner, Roland; Kania, Stefan; Scheible, Tobias
Publisher: Rheinwerk Publishing Inc.
Year: 2023

Language: English
Pages: 1141

Dear Reader
Notes on Usage
Table of Contents
Preface
What Hacking Has to Do with Security
About this Book
What’s New in the Third Edition
Target Group
Let’s Go!
Foreword by Klaus Gebeshuber
Foreword by Stefan Kania
Greeting
1 Introduction
1.1 Hacking
1.1.1 Hacking Contests, Capture the Flag
1.1.2 Penetration Test versus Hacking
1.1.3 Hacking Procedure
1.1.4 Hacking Targets
1.1.5 Hacking Tools
1.2 Security
1.2.1 Why Are IT Systems So Insecure?
1.2.2 Attack Vectors
1.2.3 Who Is Your Enemy?
1.2.4 Intrusion Detection
1.2.5 Forensics
1.2.6 Ten Steps to Greater Safety
1.2.7 Security Is Not Visible
1.2.8 Security Is Inconvenient
1.2.9 The Limits of This Book
1.3 Exploits
1.3.1 Zero-Day Exploits
1.3.2 The Value of Exploits
1.3.3 Exploit Types
1.3.4 Finding Vulnerabilities and Exploits
1.3.5 Common Vulnerabilities and Exposures
1.3.6 Common Vulnerability Scoring System
1.3.7 Vulnerability and Exploit Databases
1.3.8 Vulnerability Scanner
1.3.9 Exploit Collections
1.4 Authentication and Passwords
1.4.1 Password Rules
1.4.2 Phishing
1.4.3 Storage of Passwords (Hash Codes)
1.4.4 Alternatives to Passwords
1.4.5 Fast Identity Online
1.5 Security Risk IPv6
1.5.1 Security Complications
1.6 Legal Framework
1.6.1 Unauthorized Hacking Is Punishable by Law
1.6.2 Negligent Handling of IT Security Is Also a Criminal Offense
1.6.3 European General Data Protection Regulation
1.6.4 Critical Infrastructure, Banks
1.6.5 Security Guidelines and Standards
1.7 Security Organizations and Government Institutions
2 Kali Linux
2.1 Kali Alternatives
2.2 Trying Out Kali Linux without Installation
2.2.1 Verifying the Download
2.2.2 Verifying the Signature of the Checksum File
2.2.3 Trying Kali Linux in VirtualBox
2.2.4 Saving Data Permanently
2.2.5 Forensic Mode
2.3 Installing Kali Linux in VirtualBox
2.3.1 Option 1: Using a Prebuilt VirtualBox Image
2.3.2 Option 2: Installing Kali Linux Yourself
2.3.3 Installation
2.3.4 Login and sudo
2.3.5 Time Zone and Time Display
2.3.6 Network Connection
2.3.7 Using Kali Linux via SSH
2.3.8 Clipboard for Kali Linux and the Host Computer
2.4 Kali Linux and Hyper-V
2.5 Kali Linux in the Windows Subsystem for Linux
2.5.1 Kali Linux in Graphic Mode
2.5.2 WSL1 versus WSL2
2.5.3 Practical Experience
2.6 Kali Linux on Raspberry Pi
2.7 Running Kali Linux on Apple PCs with ARM CPUs
2.8 Simple Application Examples
2.8.1 Address Scan on the Local Network
2.8.2 Port Scan of a Server
2.8.3 Hacking Metasploitable
2.9 Internal Details of Kali
2.9.1 Basic Coverage
2.9.2 Package Sources
2.9.3 Rolling Release
2.9.4 Performing Updates
2.9.5 Installing Software
2.9.6 Python 2
2.9.7 Network Services and Firewall
2.9.8 kali-tweaks
2.9.9 Undercover Mode
2.9.10 PowerShell
3 Setting Up the Learning Environment: Metasploitable, Juice Shop
3.1 Honeypots
3.2 Metasploitable 2
3.2.1 Installation in VirtualBox
3.2.2 Network Settings
3.2.3 Host-Only Network
3.2.4 Using Metasploitable 2
3.2.5 Hacking Metasploitable 2
3.2.6 rlogin Exploit
3.3 Metasploitable 3 (Ubuntu Variant)
3.3.1 Why No Ready-Made Images?
3.3.2 Requirements
3.3.3 Installation
3.3.4 Starting and Stopping Metasploitable 3
3.3.5 Administrating Metasploitable 3
3.3.6 Network Configuration
3.3.7 Hacking Metasploitable 3
3.4 Metasploitable 3 (Windows Variant)
3.4.1 Administrating Metasploitable 3
3.4.2 SSH login
3.4.3 Internal Details and Installation Variants
3.4.4 Overview of Services in Metasploitable 3 (Windows Variant)
3.4.5 Hacking Metasploitable 3
3.5 Juice Shop
3.5.1 Installation with Vagrant
3.5.2 Installation with Docker
3.5.3 Docker in Kali Linux
3.5.4 Hacking Juice Shop
4 Hacking Tools
4.1 nmap
4.1.1 Syntax
4.1.2 Examples
4.1.3 Variants and Alternatives
4.2 hydra
4.2.1 Syntax
4.2.2 Password Lists
4.2.3 Examples
4.2.4 Attacks on Web Forms and Login Pages
4.2.5 Alternatives
4.3 sslyze, sslscan, and testssl
4.3.1 sslscan and sslyze
4.3.2 testssl
4.3.3 Online Tests
4.4 whois, host, and dig
4.4.1 whois
4.4.2 host
4.4.3 dig
4.4.4 dnsrecon
4.5 Wireshark
4.5.1 Installation
4.5.2 Basic Functions
4.5.3 Working Techniques
4.5.4 Alternatives
4.6 tcpdump
4.6.1 Syntax
4.6.2 Examples
4.6.3 ngrep
4.7 Netcat (nc)
4.7.1 Syntax
4.7.2 Examples
4.7.3 socat
4.8 OpenVAS
4.8.1 Installation
4.8.2 Starting and Updating OpenVAS
4.8.3 Operation
4.8.4 Alive Test
4.8.5 Setting Up Tasks Yourself
4.8.6 High Resource Requirements
4.8.7 Alternatives
4.9 Metasploit Framework
4.9.1 Operation in Kali Linux
4.9.2 Installation on Linux
4.9.3 Installation on macOS
4.9.4 Installation on Windows
4.9.5 Updates
4.9.6 The Metasploit Console (“msfconsole”)
4.9.7 A Typical “msfconsole” Session
4.9.8 Searching Modules
4.9.9 Applying Modules
4.9.10 Meterpreter
4.10 Empire Framework
4.10.1 Installation
4.10.2 Getting to Know and Setting Up Listeners
4.10.3 Selecting and Creating Stagers
4.10.4 Creating and Managing Agents
4.10.5 Finding the Right Module
4.10.6 Obtaining Local Administrator Rights with the Empire Framework
4.10.7 The Empire Framework as a Multiuser System
4.10.8 Alternatives
4.11 The Koadic Postexploitation Framework
4.11.1 Installing the Server
4.11.2 Using Helper Tools in the Program
4.11.3 Creating Connections from a Client to the Server
4.11.4 Creating a First Connection: Zombie 0
4.11.5 The Modules of Koadic
4.11.6 Extending Rights and Reading Password Hashes
4.11.7 Conclusion and Countermeasures
4.12 Social Engineer Toolkit
4.12.1 Syntax
4.12.2 Example
4.12.3 The dnstwist Command
4.12.4 Other SET Modules
4.12.5 Alternatives
4.13 Burp Suite
4.13.1 Installation and Setup
4.13.2 Modules
4.13.3 Burp Proxy
4.13.4 Burp Scanner
4.13.5 Burp Intruder
4.13.6 Burp Repeater
4.13.7 Burp Extensions
4.13.8 Alternatives
4.14 Sliver
4.14.1 Installation
4.14.2 Implants and Listeners
4.14.3 Other C2 Frameworks
5 Offline Hacking
5.1 BIOS/EFI: Basic Principles
5.1.1 The Boot Process
5.1.2 EFI Settings and Password Protection
5.1.3 UEFI Secure Boot
5.1.4 When the EFI Is Insurmountable: Remove the Hard Drive
5.2 Accessing External Systems
5.2.1 Booting the Notebook with Kali Linux
5.2.2 Reading the Windows File System
5.2.3 Vault Files
5.2.4 Write Access to the Windows File System
5.2.5 Linux
5.2.6 macOS
5.2.7 Does That Mean That Login Passwords Are Useless?
5.3 Accessing External Hard Drives or SSDs
5.3.1 Hard Drives and SSDs Removed from Notebooks
5.4 Resetting the Windows Password
5.4.1 Tools
5.4.2 Undesirable Side Effects
5.4.3 Resetting the Local Windows Password Using chntpw
5.4.4 Activating a Windows Administrator User via chntpw
5.5 Resetting Linux and macOS Passwords
5.5.1 Resetting a Linux Password
5.5.2 Resetting a macOS Password
5.6 Encrypting Hard Drives
5.6.1 BitLocker
5.6.2 Access to BitLocker File Systems on Linux (dislocker)
5.6.3 BitLocker Security
5.6.4 BitLocker Alternatives
5.6.5 macOS: FileVault
5.6.6 Linux: Linux Unified Key Setup
5.6.7 Security Concerns Regarding LUKS
5.6.8 File System Encryption on the Server
6 Passwords
6.1 Hash Procedures
6.1.1 Hash Collisions
6.1.2 SHA-2 and SHA-3 Hash Codes
6.1.3 Checksums or Hash Codes for Downloads
6.2 Brute-Force Password Cracking
6.2.1 Estimating the Time Required for Password Cracking
6.3 Rainbow Tables
6.3.1 Password Salting
6.4 Dictionary Attacks
6.5 Password Tools
6.5.1 John the Ripper: Offline CPU Cracker
6.5.2 hashcat: Offline GPU Cracker
6.5.3 Crunch: Password List Generator
6.5.4 hydra: Online Cracker
6.5.5 makepasswd: Password Generator
6.5.6 One-Time Secret: Send Passwords by Email
6.6 Default Passwords
6.7 Data Breaches
6.8 Multifactor Authentication
6.9 Implementing Secure Password Handling
6.9.1 Implementation Tips
7 IT Forensics
7.1 Methodical Analysis of Incidents
7.1.1 Digital Traces
7.1.2 Forensic Investigation
7.1.3 Areas of IT Forensics
7.1.4 Analysis of Security Incidents
7.2 Postmortem Investigation
7.2.1 Forensic Backup of Memory
7.2.2 Recovering Deleted Files by File Carving
7.2.3 Metadata and File Analysis
7.2.4 System Analyses with Autopsy
7.2.5 Basic System Information
7.2.6 Reading the Last Activities
7.2.7 Analyzing Web Activities
7.2.8 Tracing Data Exchanges
7.3 Live Analysis
7.3.1 Finding User Data
7.3.2 Called Domains and URLs
7.3.3 Active Network Connections
7.3.4 Extracting the TrueCrypt Password
7.4 Forensic Readiness
7.4.1 Strategic Preparations
7.4.2 Operational Preparations
7.4.3 Effective Logging
7.4.4 Protection against Tampering
7.4.5 Integrity Verification
7.4.6 Digital Signatures
7.5 Summary
8 Wi-Fi, Bluetooth, and SDR
8.1 802.11x Systems: Wi-Fi
8.1.1 Preparation and Infrastructure
8.1.2 Wireless Equivalent Privacy
8.1.3 WPA/WPA-2: Wireless Protected Access
8.1.4 Wireless Protected Setup
8.1.5 Wi-Fi Default Passwords
8.1.6 WPA-2-KRACK Attack
8.1.7 WPA-2 Enterprise
8.1.8 Wi-Fi Client: Man-in-the-Middle
8.1.9 WPA-3
8.2 Collecting WPA-2 Handshakes with Pwnagotchi
8.3 Bluetooth
8.3.1 Bluetooth Technology
8.3.2 Identifying Bluetooth Classic Devices
8.3.3 Hiding (and Still Finding) Bluetooth Devices
8.3.4 Bluetooth Low Energy (BTLE)
8.3.5 Listening In on Bluetooth Low Energy Communication
8.3.6 Identifying Apple Devices via Bluetooth
8.3.7 Bluetooth Attacks
8.3.8 Modern Bluetooth Attacks
8.4 Software-Defined Radios
8.4.1 SDR Devices
8.4.2 Decoding a Wireless Remote Control
9 Attack Vector USB Interface
9.1 USB Rubber Ducky
9.1.1 Structure and Functionality
9.1.2 DuckyScript
9.1.3 Installing a Backdoor on Windows 11
9.1.4 Use With Duck Encoder to Create the Finished Payload
9.2 Digispark: A Wolf in Sheep’s Clothing
9.2.1 Downloading and Setting Up the Arduino Development Environment
9.2.2 The Script Language of the Digispark
9.2.3 Setting Up a Linux Backdoor with Digispark
9.3 Bash Bunny
9.3.1 Structure and Functionality
9.3.2 Configuring the Bash Bunny
9.3.3 Status LED
9.3.4 Software Installation
9.3.5 Connecting to the Bash Bunny
9.3.6 Connecting the Bash Bunny to the Internet: Linux Host
9.3.7 Connecting the Bash Bunny to the Internet: Windows Host
9.3.8 Bunny Script: The Scripting Language of the Bash Bunny
9.3.9 Using Custom Extensions and Functions
9.3.10 Setting Up a macOS Backdoor with Bash Bunny
9.3.11 The payload.txt Files for Switch1 and Switch2
9.3.12 Updating the Bash Bunny
9.3.13 Key Takeaways
9.4 P4wnP1: The Universal Talent
9.4.1 Structure and Functionality
9.4.2 Installation and Connectivity
9.4.3 HID Scripts
9.4.4 CLI Client
9.4.5 An Attack Scenario with the P4wnP1
9.4.6 Creating a Dictionary
9.4.7 Launching a Brute-Force Attack
9.4.8 Setting Up a Trigger Action
9.4.9 Deploying the P4wnP1 on the Target System
9.4.10 Key Takeaways
9.5 MalDuino W
9.5.1 The Web Interface of the MalDuino W
9.5.2 The Scripting Language and the CLI
9.5.3 An Attack Scenario with the MalDuino W
9.5.4 How Does the Attack Work?
9.5.5 Key Takeaways
9.6 Countermeasures
9.6.1 Hardware Measures
9.6.2 Software Measures
10 External Security Checks
10.1 Reasons for Professional Checks
10.2 Types of Security Checks
10.2.1 Open-Source Intelligence
10.2.2 Vulnerability Scan
10.2.3 Vulnerability Assessment
10.2.4 Penetration Test
10.2.5 Red Teaming
10.2.6 Purple Teaming
10.2.7 Bug Bounty Programs
10.2.8 Type of Performance
10.2.9 Depth of Inspection: Attacker Type
10.2.10 Prior to the Order
10.3 Legal Protection
10.4 Objectives and Scope
10.4.1 Sample Objective
10.4.2 Sample Worst-Case Scenarios
10.4.3 Sample Scope
10.5 Implementation Methods
10.6 Reporting
10.7 Selecting the Right Provider
11 Penetration Testing
11.1 Gathering Information
11.1.1 Searching for Information about a Company
11.1.2 Using Metadata of Published Files
11.1.3 Identifying the Structure of Email Addresses
11.1.4 Database and Password Leaks
11.1.5 Partial Automation with Maltego
11.1.6 Automating Maltego Transforms
11.1.7 Defense
11.2 Initial Access with Code Execution
11.2.1 Checking External IP Addresses of the PTA
11.3 Scanning Targets of Interest
11.3.1 Gathering Information via DNS
11.3.2 Detecting Active Hosts
11.3.3 Detecting Active Services with nmap
11.3.4 Using nmap in Combination with Metasploit
11.4 Searching for Known Vulnerabilities Using nmap
11.5 Exploiting Known Vulnerabilities Using Metasploit
11.5.1 Example: GetSimple CMS
11.6 Attacking Using Known or Weak Passwords
11.7 Email Phishing Campaigns for Companies
11.7.1 Organizational Preparatory Measures
11.7.2 Preparing a Phishing Campaign with Gophish
11.8 Phishing Attacks with Office Macros
11.9 Phishing Attacks with ISO and ZIP Files
11.9.1 Creating an Executable File with Metasploit
11.9.2 Creating a File with ScareCrow to Bypass Virus Scanners
11.9.3 Disguising and Deceiving: From EXE to PDF File
11.9.4 Defense
11.10 Attack Vector USB Phishing
11.11 Network Access Control and 802.1X in Local Networks
11.11.1 Getting to Know the Network by Listening
11.11.2 Network Access Control and 802.1X
11.12 Extending Rights on the System
11.12.1 Local Privilege Escalation
11.12.2 Bypassing Windows User Account Control Using the Default Setting
11.12.3 Bypassing UAC Using the Highest Setting
11.13 Collecting Credentials and Tokens
11.13.1 Reading Passwords from Local and Domain Accounts
11.13.2 Bypassing Windows 10 Protection against mimikatz
11.13.3 Stealing Windows Tokens to Impersonate a User
11.13.4 Matching Users with DCSync
11.13.5 Golden Ticket
11.13.6 Reading Local Password Hashes
11.13.7 Broadcasting within the Network by Means of Pass-the-Hash
11.13.8 Man-in-the-Middle Attacks in Local Area Networks
11.13.9 Basic Principles
11.13.10 LLMNR/NBT-NS and SMB Relaying
11.14 SMB Relaying Attack on Ordinary Domain Users
11.14.1 Command-and-Control
12 Securing Windows Servers
12.1 Local Users, Groups, and Rights
12.1.1 User and Password Properties
12.1.2 Local Admin Password Solution
12.2 Manipulating the File System
12.2.1 Attacks on Virtualized Machines
12.2.2 Protection
12.2.3 Attacking through the Registry
12.3 Server Hardening
12.3.1 Ensure a Secure Foundation
12.3.2 Harden New Installations
12.3.3 Protect Privileged Users
12.3.4 Threat Detection
12.3.5 Secure Virtual Machines as Well
12.3.6 Security Compliance Toolkit
12.4 Microsoft Defender
12.4.1 Defender Configuration
12.4.2 Defender Administration via PowerShell
12.5 Windows Firewall
12.5.1 Basic Configuration
12.5.2 Advanced Configuration
12.5.3 IP Security
12.6 Windows Event Viewer
12.6.1 Classification of Events
12.6.2 Log Types
12.6.3 Linking Actions to Event Logs
12.6.4 Windows Event Forwarding
12.6.5 Event Viewer Tools
13 Active Directory
13.1 What Is Active Directory?
13.1.1 Domains
13.1.2 Partitions
13.1.3 Access Control Lists
13.1.4 Security Descriptor Propagator
13.1.5 Standard Permissions
13.1.6 The Confidentiality Attribute
13.2 Manipulating the Active Directory Database or its Data
13.2.1 ntdsutil Command
13.2.2 dsamain Command
13.2.3 Accessing the AD Database via Backups
13.3 Manipulating Group Policies
13.3.1 Configuration Files for Group Policies
13.3.2 Example: Changing a Password
13.4 Domain Authentication: Kerberos
13.4.1 Kerberos: Basic Principles
13.4.2 Kerberos in a Theme Park
13.4.3 Kerberos on Windows
13.4.4 Kerberos Tickets
13.4.5 krbtgt Account
13.4.6 TGS Request and Reply
13.4.7 Older Authentication Protocols
13.5 Attacks against Authentication Protocols and LDAP
13.6 Pass-the-Hash Attacks: mimikatz
13.6.1 Setting up a Defender Exception
13.6.2 Windows Credentials Editor
13.6.3 mimikatz
13.6.4 The mimikatz “sekurlsa” Module
13.6.5 mimikatz and Kerberos
13.6.6 PowerSploit
13.7 Golden Ticket and Silver Ticket
13.7.1 Creating a Golden Ticket Using mimikatz
13.7.2 Silver Ticket and Trust Ticket
13.7.3 BloodHound
13.7.4 Deathstar
13.8 Reading Sensitive Data from the Active Directory Database
13.9 Basic Coverage
13.9.1 Core Server
13.9.2 Roles in the Core Server
13.9.3 Nano Server
13.9.4 Updates
13.9.5 Hardening the Domain Controller
13.10 More Security through Tiers
13.10.1 Group Policies for the Tier Model
13.10.2 Authentication Policies and Silos
13.11 Protective Measures against Pass-the-Hash and Pass-the-Ticket Attacks
13.11.1 Kerberos Reset
13.11.2 Kerberos Policies
13.11.3 Kerberos Claims and Armoring
13.11.4 Monitoring and Detection
13.11.5 Microsoft Advanced Threat Analytics: Legacy
13.11.6 Other Areas of Improvement in Active Directory
14 Securing Linux
14.1 Other Linux Chapters
14.2 Installation
14.2.1 Server Distributions
14.2.2 Partitioning the Data Medium
14.2.3 IPv6
14.3 Software Updates
14.3.1 Is a Restart Necessary?
14.3.2 Automating Updates
14.3.3 Configuring Automatic Updates on RHEL
14.3.4 Configuring Automatic Updates on Ubuntu
14.3.5 The Limits of Linux Update Systems
14.4 Kernel Updates: Live Patches
14.4.1 Kernel Live Patches
14.4.2 Kernel Live Patches for RHEL
14.4.3 Kernel Live Patches on Ubuntu
14.5 Securing SSH
14.5.1 sshd_config
14.5.2 Blocking the Root Login
14.5.3 Authentication with Keys
14.5.4 Authenticating with Keys in the Cloud
14.5.5 Blocking IPv6
14.6 2FA with Google Authenticator
14.6.1 Setting Up Google Authenticator
14.6.2 2FA with Password and One-Time Code
14.6.3 What Happens if the Smartphone Is Lost?
14.6.4 Authy as an Alternative to the Google Authenticator App
14.7 2FA with YubiKey
14.7.1 PAM Configuration
14.7.2 Mapping File
14.7.3 SSH Configuration
14.8 Fail2ban
14.8.1 Installation
14.8.2 Configuration
14.8.3 Basic Parameters
14.8.4 Securing SSH
14.8.5 Securing Other Services
14.8.6 Securing Custom Web Applications
14.8.7 Fail2ban Client
14.9 Firewall
14.9.1 From Netfilter to nftables
14.9.2 Basic Principles
14.9.3 Determining the Firewall Status
14.9.4 Defining Rules
14.9.5 Syntax for Firewall Rules
14.9.6 Example: Simple Protection of a Web Server
14.9.7 FirewallD: RHEL
14.9.8 firewall-cmd Command
14.9.9 ufw: Ubuntu
14.9.10 Firewall Protection in the Cloud
14.10 SELinux
14.10.1 Concept
14.10.2 The Right Security Context
14.10.3 Process Context: Domain
14.10.4 Policies
14.10.5 SELinux Parameters: Booleans
14.10.6 Status
14.10.7 Fixing SELinux Issues
14.11 AppArmor
14.11.1 AppArmor on Ubuntu
14.11.2 Rules: Profiles
14.11.3 Structure of Rule Files
14.11.4 Rule Parameters: Tunables
14.11.5 Logging and Maintenance
14.12 Kernel Hardening
14.12.1 Changing Kernel Options Using sysctl
14.12.2 Setting Kernel Boot Options in the GRUB Configuration
14.13 Apache
14.13.1 Certificates
14.13.2 Certificate Files
14.13.3 Apache Configuration
14.13.4 HTTPS Is Not HTTPS
14.14 MySQL and MariaDB
14.14.1 MySQL versus MariaDB
14.14.2 Login System
14.14.3 MySQL and MariaDB on Debian/Ubuntu
14.14.4 Securing MySQL on RHEL
14.14.5 Securing MariaDB on RHEL
14.14.6 Hash Codes in the “mysql.user” Table: Old MySQL and MariaDB Versions
14.14.7 Privileges
14.14.8 Server Configuration
14.15 Postfix
14.15.1 Postfix: Basic Settings
14.15.2 Sending and Receiving Emails in Encrypted Form
14.15.3 Spam and Virus Defense
14.16 Dovecot
14.16.1 Using Custom Certificates for IMAP and POP
14.16.2 SMTP Authentication for Postfix
14.17 Rootkit Detection and Intrusion Detection
14.17.1 chkrootkit
14.17.2 rkhunter
14.17.3 Lynis
14.17.4 ISPProtect
14.17.5 Snort
14.17.6 Verifying Files from Packages
14.17.7 Scanning for Suspicious Ports and Processes
15 Security of Samba File Servers
15.1 Preliminary Considerations
15.1.1 Compiling Samba, SerNet Packages
15.2 Basic CentOS Installation
15.2.1 Partitions
15.2.2 Disabling IPv6
15.2.3 Installing Samba Packages on CentOS
15.3 Basic Debian Installation
15.3.1 The Partitions
15.3.2 Disabling IPv6
15.3.3 Installing Samba Packages on Debian
15.4 Configuring the Samba Server
15.4.1 Configuring the Kerberos Client
15.5 Samba Server in Active Directory
15.5.1 Joining the Samba Server
15.5.2 Testing the Server
15.6 Shares on the Samba Server
15.6.1 File System Rights on Linux
15.6.2 File System Rights on Windows
15.6.3 Special Shares on a Windows Server
15.6.4 The Admin Share on Samba
15.6.5 Creating the Admin Share
15.6.6 Creating the User Shares
15.7 Changes to the Registry
15.7.1 Accessing the Registry from Windows
15.8 Samba Audit Functions
15.9 Firewall
15.9.1 Testing the Firewall Script
15.9.2 Starting Firewall Script Automatically
15.10 Attack Scenarios on Samba File Servers
15.10.1 Known Vulnerabilities in Recent Years
15.11 Checking Samba File Servers
15.11.1 Tests with nmap
15.11.2 Testing the Samba Protocols
15.11.3 Testing the Open Ports
15.11.4 smb-os-discovery
15.11.5 smb2-capabilities
15.11.6 ssh-brute
16 Intrusion Detection Systems
16.1 Intrusion Detection Methods
16.1.1 Pattern Recognition: Static
16.1.2 Anomaly Detection (Dynamic)
16.2 Host-Based versus Network-Based Intrusion Detection
16.2.1 Host-Based IDS
16.2.2 Network-Based IDS
16.2.3 NIDS Metadata
16.2.4 NIDS Connection Contents
16.3 Responses
16.3.1 Automatic Intrusion Prevention
16.3.2 Walled Garden
16.3.3 Swapping Computers
16.4 Bypassing and Manipulating Intrusion Detection
16.4.1 Insertions
16.4.2 Evasions
16.4.3 Resource Consumption
16.5 Snort
16.5.1 Installation and Launch
16.5.2 Getting Started
16.5.3 IDS or IPS
16.5.4 Configuration
16.5.5 Modules
16.5.6 Snort Event Logging
16.6 Snort Rules
16.6.1 Syntax of Snort Rules
16.6.2 Service Rules
16.6.3 General Rule Options
16.6.4 Matching Options
16.6.5 Hyperscan
16.6.6 Inspector-Specific Options
16.6.7 Managing Rule Sets with PulledPork
17 Security of Web Applications
17.1 Architecture of Web Applications
17.1.1 Components of Web Applications
17.1.2 Authentication and Authorization
17.1.3 Session Management
17.2 Attacks against Web Applications
17.2.1 Attacks against Authentication
17.2.2 Session Hijacking
17.2.3 HTML Injection
17.2.4 Cross-Site Scripting
17.2.5 Session Fixation
17.2.6 Cross-Site Request Forgery
17.2.7 Directory Traversal
17.2.8 Local File Inclusion
17.2.9 Remote File Inclusion
17.2.10 File Upload
17.2.11 SQL Injection
17.2.12 sqlmap
17.2.13 Advanced SQL Injection: Blind SQL Injection (Boolean)
17.2.14 Advanced SQL Injection: Blind SQL Injection (Time)
17.2.15 Advanced SQL Injection: Out-of-Band Data Exfiltration
17.2.16 Advanced SQL Injection: Error-Based SQL Injection
17.2.17 Command Injection
17.2.18 Clickjacking
17.2.19 XML Attacks
17.2.20 Server Side Request Forgery
17.2.21 Angular Template Injection
17.2.22 Attacks on Object Serialization
17.2.23 Vulnerabilities in Content Management Systems
17.3 Practical Analysis of a Web Application
17.3.1 Information Gathering
17.3.2 Testing SQL Injection
17.3.3 Directory Traversal
17.3.4 Port Knocking
17.3.5 SSH Login
17.3.6 Privilege Escalation
17.3.7 Automatic Analysis via Burp
17.4 Protection Mechanisms and Defense against Web Attacks
17.4.1 Minimizing the Server Signature
17.4.2 Turning Off the Directory Listing
17.4.3 Restricted Operating System Account for the Web Server
17.4.4 Running the Web Server in a “chroot” Environment
17.4.5 Disabling Unneeded Modules
17.4.6 Restricting HTTP Methods
17.4.7 Restricting the Inclusion of External Content
17.4.8 Protecting Cookies from Access
17.4.9 Server Timeout
17.4.10 Secure Socket Layer
17.4.11 HTTP Strict Transport Security
17.4.12 Input and Output Validation
17.4.13 Web Application Firewall
17.5 Security Analysis of Web Applications
17.5.1 Code Analysis
17.5.2 Analysis of Binary Files
17.5.3 Fuzzing
18 Software Exploitation
18.1 Software Vulnerabilities
18.1.1 Race Conditions
18.1.2 Logic Error
18.1.3 Format String Attacks
18.1.4 Buffer Overflows
18.1.5 Memory Leaks
18.2 Detecting Security Gaps
18.3 Executing Programs on x86 Systems
18.3.1 Memory Areas
18.3.2 Stack Operations
18.3.3 Calling Functions
18.4 Exploiting Buffer Overflows
18.4.1 Analysis of the Program Functionality
18.4.2 Creating a Program Crash
18.4.3 Reproducing the Program Crash
18.4.4 Analysis of the Crash
18.4.5 Offset Calculation
18.4.6 Creating the Exploit Structure
18.4.7 Generating Code
18.4.8 Dealing with Prohibited Characters
18.5 Structured Exception Handling
18.6 Heap Spraying
18.7 Protective Mechanisms against Buffer Overflows
18.7.1 Address Space Layout Randomization
18.7.2 Stack Canaries or Stack Cookies
18.7.3 Data Execution Prevention
18.7.4 SafeSEH and Structured Exception Handling Overwrite Protection
18.7.5 Protection Mechanisms against Heap Spraying
18.8 Bypassing Protective Measures against Buffer Overflows
18.8.1 Bypassing Address Space Layout Randomization
18.8.2 Bypassing Stack Cookies
18.8.3 Bypassing SafeSEH and SEHOP
18.8.4 Return-Oriented Programming
18.8.5 DEP Bypass
18.9 Preventing Buffer Overflows as a Developer
18.10 Spectre and Meltdown
18.10.1 Meltdown
18.10.2 Defense Measures
18.10.3 Proof of Concept (Meltdown)
18.10.4 Spectre
18.10.5 Proof of Concept (Spectre)
18.10.6 The Successors to Spectre and Meltdown
19 Bug Bounty Programs
19.1 The Idea Behind Bug Bounties
19.1.1 Providers
19.1.2 Variants
19.1.3 Earning Opportunities
19.2 Reporting Vulnerabilities
19.2.1 Testing Activities
19.3 Tips and Tricks for Analysts
19.3.1 Scope
19.3.2 Exploring the Response Quality of the Target Company
19.3.3 Take Your Time
19.3.4 Finding Errors in Systems or Systems with Errors
19.3.5 Spend Money
19.3.6 Get Tips, Learn from the Pros
19.3.7 Companies Buy Companies
19.3.8 Creating a Test Plan
19.3.9 Automating Standard Processes
19.4 Tips for Companies
20 Security in the Cloud
20.1 Overview
20.1.1 Arguments for the Cloud
20.1.2 Cloud Risks and Attack Vectors
20.1.3 Recommendations
20.2 Amazon Simple Storage Service
20.2.1 Basic Security and User Management
20.2.2 The aws Command
20.2.3 Encrypting Files
20.2.4 Public Access to Amazon S3 Files
20.2.5 Amazon S3 Hacking Tools
20.3 Nextcloud and ownCloud
20.3.1 Installing Nextcloud
20.3.2 Blocking Access to the “data” Folder
20.3.3 Performing Updates
20.3.4 File Encryption
20.3.5 Security Testing for ownCloud and Nextcloud Installations
20.3.6 Brute-Force Attacks and Protection
21 Securing Microsoft 365
21.1 Identities and Access Management
21.1.1 Azure Active Directory and Microsoft 365
21.1.2 User Management in AAD
21.1.3 Application Integration
21.2 Security Assessment
21.3 Multifactor Authentication
21.3.1 Preliminary Considerations
21.3.2 Enabling Multifactor Authentication for a User Account
21.3.3 User Configuration of Multifactor Authentication
21.3.4 App Passwords for Incompatible Applications and Apps
21.4 Conditional Access
21.4.1 Creating Policies
21.4.2 Conditions for Policies
21.4.3 Access Controls
21.5 Identity Protection
21.5.1 Responding to Vulnerabilities
21.6 Privileged Identities
21.6.1 Enabling Privileged Identities
21.6.2 Configuring a User as a Privileged Identity
21.6.3 Requesting Administrator Permissions
21.7 Detecting Malicious Code
21.7.1 Protection for File Attachments
21.7.2 Protection for Files in SharePoint Online and OneDrive for Business
21.7.3 Protection for Links
21.7.4 Protection for Links in Office Applications
21.8 Security in Data Centers
21.8.1 Encryption of Your Data
21.8.2 Access Governance
21.8.3 Audits and Privacy
22 Mobile Security
22.1 Android and iOS Security: Basic Principles
22.1.1 Sandboxing
22.1.2 Authorization Concept
22.1.3 Protection against Brute-Force Attacks when the Screen Is Locked
22.1.4 Device Encryption
22.1.5 Patch Days
22.2 Threats to Mobile Devices
22.2.1 Theft or Loss of a Mobile Device
22.2.2 Unsecured and Open Networks
22.2.3 Insecure App Behavior at Runtime
22.2.4 Abuse of Authorizations
22.2.5 Insecure Network Communication
22.2.6 Attacks on Data Backups
22.2.7 Third-Party Stores
22.3 Malware and Exploits
22.3.1 Stagefright (Android)
22.3.2 Pegasus (iOS)
22.3.3 Spy Apps
22.4 Technical Analysis of Apps
22.4.1 Reverse Engineering of Apps
22.4.2 Automated Vulnerability Analysis of Mobile Applications
22.5 Protective Measures for Android and iOS
22.5.1 Avoid Rooting or Jailbreaking
22.5.2 Update Operating Systems and Apps
22.5.3 Device Encryption
22.5.4 Antitheft Protection and Activation Lock
22.5.5 Lock Screen
22.5.6 Antivirus Apps
22.5.7 Two-Factor Authentication
22.5.8 Critical Review of Permissions
22.5.9 Installing Apps from Alternative App Stores
22.5.10 Using VPN Connections
22.5.11 Related Topic: WebAuthn and FIDO2
22.5.12 Using Android and iOS in the Enterprise
22.6 Apple Supervised Mode and Apple Configurator
22.6.1 Conclusion
22.7 Enterprise Mobility Management
22.7.1 Role and Authorization Management
22.7.2 Device Management
22.7.3 App Management
22.7.4 System Settings
22.7.5 Container Solutions Based on the Example of Android Enterprise
22.7.6 Tracking Managed Devices
22.7.7 Reporting
22.7.8 Conclusion
23 Internet of Things Security
23.1 What Is the Internet of Things?
23.2 Finding IoT Vulnerabilities
23.2.1 Shodan Search Engine for Publicly Accessible IoT Devices
23.2.2 Using Shodan
23.2.3 For Professionals: Filtering Using Search Commands
23.2.4 Printer Exploitation Toolkit
23.2.5 RouterSploit
23.2.6 AutoSploit
23.2.7 Consumer Devices as a Gateway
23.2.8 Attacks from the Inside via a Port Scanner
23.2.9 Sample Port Scan of an Entertainment Device
23.2.10 Local Network versus Internet
23.2.11 Incident Scenarios with Cheap IoT Devices
23.2.12 Danger from Network Operator Interfaces
23.3 Securing IoT Devices in Networks
23.4 IoT Protocols and Services
23.4.1 MQ Telemetry Transport
23.4.2 Installing an MQTT Broker
23.4.3 MQTT Example
23.4.4 $SYS Topic Tree
23.4.5 Securing the Mosquitto MQTT Broker
23.5 Wireless IoT Technologies
23.5.1 6LoWPAN
23.5.2 Zigbee
23.5.3 LoRaWAN
23.5.4 NFC and RFID
23.5.5 NFC Hacking
23.6 IoT from the Developer’s Perspective
23.6.1 Servers for IoT Operation
23.6.2 Embedded Linux, Android, or Windows IoT Devices
23.6.3 Embedded Devices and Controllers without Classic Operating Systems
23.7 Programming Languages for Embedded Controllers
23.7.1 C
23.7.2 C++
23.7.3 Lua
23.8 Rules for Secure IoT Programming
23.8.1 Processes as Simple as Possible
23.8.2 Short, Testable Functions
23.8.3 Transfer Values Must Be Checked in Their Entirety
23.8.4 Returning Error Codes
23.8.5 Fixed Boundaries in Loops
23.8.6 No Dynamic Memory Allocation (or as Little as Possible)
23.8.7 Make Dimensioning Buffers or Arrays Sufficiently Large
23.8.8 Always Pass Buffer and Array Sizes
23.8.9 Use Caution with Function Pointers
23.8.10 Enabling Compiler Warnings
23.8.11 String Copy for Few Resources
23.8.12 Using Libraries
A The Authors
Index
Service Pages
Legal Notes