2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The simplified Chinese edition of this book is published by Tsinghua University Press under authorization from Wiley Publishing, Inc. No part of this book may be reproduced or copied in any form without the written permission of the publisher.
The cover of this book carries Wiley's anti-counterfeiting label; copies without the label may not be sold.
All rights reserved; infringement will be prosecuted. Infringement report telephone: 010-62782989 13701121933
Cataloging in Publication (CIP) data
Penetration Testing Essentials / by Sean-Philip Oriyano; translated by Li Bo, Du Jing and Li Haili.
Beijing: Tsinghua University Press, 2018
(Classic Translations in Security Technology series)
Original title: Penetration Testing Essentials
ISBN 978-7-302-48693-0
Ⅰ. ① Penetration... Ⅱ. ① Sean... ② Li... ③ Du... ④ Li... Ⅲ. ① Computer networks - security technology Ⅳ. ① TP393.08
China Archives of Publications CIP data record: (2017) No. 270947
Responsible editor: Wang Jun in Ping
Cover design: Niu Yanmin, Zhou Xiaoliang
Layout design: Kong Xiangfeng
Responsible proofreading: Cao Yang
Responsible printing: Yang Yan
Published by Tsinghua University Press
Website: http://www.tup.com.cn, http://www.wqbook.com
Address: Block A, Xueyan Building, Tsinghua University, Beijing. Postal code: 100084
General office: 010-62770175. Mail order: 010-62786544
Submissions and reader service: 010-62776969, c-service@tup.tsinghua.edu.cn
Quality feedback: 010-62772015, zhiliang@tup.tsinghua.edu.cn
Printer: Beijing Fubo Printing Co., Ltd.
Bound by: Beijing Wenlin Binding Factory, Miyun County, Beijing
Distribution: Xinhua Bookstores nationwide
Format: 185mm x 260mm. Printed sheets: 18. Word count: 404 thousand
Edition: 1st edition, January 2018. Printing: 1st printing, January 2018
Print run: 1-3000
Price: 59.80 yuan
Product number: 074947-01
With the rapid development of computer network technology and its penetration into every aspect of the economy and society, cybercrimes of all kinds, such as identity theft, credit and financial fraud, and even cyber-terrorist attacks, have become more and more serious. This has created an ever stronger demand for security protection, and penetration testing is one of the best ways to find, analyze and demonstrate potential security problems and to help formulate controls that reduce security risk.
Penetration testing, also known as "white hat" hacking, is the process of testing and evaluating the security of a given organization, with authorization and for the purpose of improving security, using the same ideas, techniques, strategies and means as a malicious attacker. Through penetration testing, an organization moves from "knowing the enemy" to "knowing itself", discovering attack paths, attack methods and technical weaknesses that traditional testing methods cannot find, so that security problems can be fixed before attackers exploit them.
Sean-Philip Oriyano, the author of this book, is a senior expert who has focused on security for 25 years; he is also a US Warrant Officer with rich experience commanding a cyber warfare unit specializing in cyber security training, development and strategy formulation. This book is an introduction to penetration testing, suited to readers who already have some foundation in computer technology and hope to study penetration testing in depth and make their mark in the field of network security. It first introduces, from the attacker's perspective, the basic concepts and methodology of penetration testing as well as its various methods: intelligence gathering, vulnerability scanning, password cracking, maintaining access, dealing with countermeasures, wireless network and mobile device attacks, social engineering attacks and so on. It then explains, from the defender's perspective, how to harden hosts and networks, and finally offers guidance on planning career development and building a penetration testing lab to develop penetration testing skills further. The book explains profound topics in simple terms and provides a wealth of hands-on examples and end-of-chapter review questions to help readers practice and improve.
The main contents of this book were translated by Li Bo, Du Jing and Li Haili, with contributions from Cheng Ruosi, Han Zhe, Qin Futong, Pang Xunlong, Kong Deqiang, Huang Yandong, Liu Yu, Yuan Xuejun, Yue Sai and others. In order to translate the book well and achieve "faithfulness, expressiveness and elegance", the translators consulted a large number of Chinese and English materials during the translation. Of course, owing to the limits of our ability and energy, errors and shortcomings in the translation are inevitable, and we very much hope readers will offer feedback so that they can be corrected and improved.
We thank the author of this book; his professionalism and expertise are always a pleasure to feel between the lines. We thank Tsinghua University Press for giving us the opportunity to translate and study this book, and its editors, who devoted great enthusiasm and painstaking effort to the translation and proofreading; without their help and encouragement, this book could not have been published smoothly.
Finally, we hope that by reading this book readers can grasp the technical essence of penetration testing as soon as possible and become "security masters" with the means of a hacker and the style of a white hat!
The Translators
This book is dedicated to my parents, who gave me particularly valuable core values as I was growing up. Although my father has left us, I can still feel his influence all the time; in fact, I sometimes feel proud and happy that I laugh exactly the way he did. My mother is still with us (may she live a long and healthy life), and I want to thank her for her support, for pushing me to delve into science and technology, and for giving me a love of science fiction, bad jokes and the pursuit of doing the right thing. I love you both; this book is dedicated first to you.
I would also like to dedicate this book to my comrades-in-arms in the army, who generously gave me the chance to attend Officer Candidate School (OCS), even though I was immature and self-centered. Although the ordeal I went through there was unbearable at the time, it helped me get my life back on track and realize my abilities. It also helped me realize that what matters is not yourself but those whose lives you influence. I hope all the readers of this book will think about these questions. Colonel K, Lieutenant A, Captain M, Captain D, Captain J and Captain A, I am forever grateful for your patient, sincere, direct and frank evaluations. I hope I have become a Warrant Officer you can be proud of. This book is also for you.
Finally, I would like to dedicate this book to my team, who have demonstrated the ability to turn decay into magic. Over the past year you have surprised me all the time. You make me look good, but I cannot take credit for it: you shoulder the heavy work that I did not bear, and you provide the ability and creativity to improvise that I lack. Staff Sergeant E, Staff Sergeant L, Staff Sergeant S and Warrant Officer N, please continue to stand out and earn honor. I would also like to thank my commander, Colonel L, who trusted my ability and gave me the support to accomplish all this.
Again, there are too many people to thank, and I really hope I have not missed anyone.
First of all, I would like to thank Jim Minatel for giving me the opportunity to create this book; I look forward to other opportunities in the future.
Next, I want to thank Kim Wimpsett. You are without doubt the main reason I do not look stupid because of words and passages that make no sense. I do not know how to express your value to the team, and I hope you are part of every project I have in the future.
Then I want to thank everyone in the United States military, whoever you are. Although not all of you will make it home safely (of course, I sincerely hope you do), none of you will ever be forgotten. And when I put on my uniform, it is not only to work but also to honor your sacrifice.
Sean-Philip Oriyano is a senior security professional and entrepreneur. Over the past 25 years he has devoted his time to security research, consulting and training in the field of IT and network security. He is also a best-selling author with many years of experience in publishing and print media. Over the past decade Sean has published several books and further extended his influence by appearing on television and radio programs; so far he has taken part in more than a dozen TV and radio programs discussing different network security topics and technologies. On camera, Sean is known for his approachable manner and is widely praised for his ability to explain complex topics in simple terms.
In addition to his own business activities, he is a Warrant Officer commanding a unit specializing in network security training, development and strategy. As a Warrant Officer he is recognized as a subject matter expert in his field and is frequently called upon when professional knowledge, training and guidance are needed.
When not working, Sean is an avid obstacle-course runner who has completed a number of events, including four world championships, four Spartan races and three Grand Slams. He also enjoys traveling, fitness, MMA fighting and playing Metroid and The Legend of Zelda.
Security is one of the most important topics in the world today. As people rely more and more on different forms of technology, digital products and many other types of systems and devices, attention to the actual security of these devices and systems grows by the day. With the rise of cybercrimes such as identity theft, information theft, service disruption, hacking campaigns and even terrorism, many public and private organizations face the challenge of testing, evaluating and fixing potential security issues before they become victims of cybercrime and end up in litigation. To deal with such situations, past, present and future, many organizations are hastily implementing or seeking various security solutions.
As a result, penetration testers have emerged as the times require; they represent one of the best and most effective means of finding, analyzing, presenting and recommending strategies to reduce the potential risks of security incidents. Penetration testers are people who, at the request of a client, use their skills and deep understanding of vulnerabilities and strengths to locate and evaluate security issues before those with malicious intent toward the organization can.
The target audience of this book includes people who already have a certain technical background and want to enter the field of penetration testing. Unlike many other books on the subject of penetration testing, this book tries to introduce the subject in a simple and easy-to-understand way. Its aim is to help readers better understand the process of penetration testing and to gain experience and knowledge from a variety of basic theories and practical exercises.
After completing this book, you should have a better understanding of what it means to be a penetration tester and of the skills, tools and general knowledge involved. After completing this book and practicing what you have learned, you will have the tools required to seek out more advanced techniques, testing methods and skills.
Some equipment is needed to make full use of this book. Before you start, you should have a computer with at least 8GB of RAM that can run the latest version of Microsoft Windows or Kali Linux. You should also be able to use virtualization software such as Oracle's VirtualBox or VMware products; which one you choose depends on personal preference and budget.
As you read this book, you will be introduced to hardware- and software-based tools for completing tasks. In the chapters and exercises, download links for the chosen tools, or other ways to obtain them, are given. This book covers a wide range of topics for getting started with penetration testing. A brief introduction to each chapter and its focus is listed below.
Chapter 1, "Introduction to Penetration Testing": this chapter focuses on the general principles of penetration testing and the skills and knowledge needed to succeed.
Chapter 2, "Introduction to Operating Systems and Networks": a solid understanding of how operating systems are structured and of the networks they connect to is essential for a penetration tester. This chapter discusses the fundamentals of both to lay the foundation for what follows.
Chapter 3, "Introduction to Cryptography": without encryption, many of the means used to prevent inadvertent disclosure of information would not work. Moreover, it is very difficult to meet the requirements of various laws and regulations without understanding cryptography. This chapter introduces the basics of cryptographic functions and mechanisms and how they are applied.
Chapter 4, "Overview of Penetration Testing Methodology": to obtain the most complete and effective results reliably, penetration testing follows a set of procedures and methods. This chapter introduces the most popular methodologies for performing penetration tests.
Chapter 5, "Intelligence Gathering": the first step in the penetration testing process is to collect information about the target. In this chapter you will explore the various means of collecting information and how they fit into the overall penetration process.
Chapter 6, "Scanning and Enumerating": once you have gathered enough information about the target, you can begin to probe it and find out what further information can be extracted. This chapter covers how to obtain information about user names, groups, security policies and more.
Chapter 7, "Performing Vulnerability Scanning": want a different way to understand the target? Then you can use manual or automated vulnerability scanning to locate weaknesses in the environment for later exploitation.
Chapter 8, "Cracking Passwords": because passwords are the first line of defense in many environments and applications, you must invest some time in obtaining this valuable information. User names were obtained during enumeration, so you can now focus on collecting the passwords for those user names.
Chapter 9, "Using Backdoors and Malware to Maintain Access": through investigation, probing and breaking in, you have now entered the system. But after gaining access and establishing this beachhead, how can it be preserved? That is what this chapter discusses.
Chapter 10, "Reporting": remember that you are working for the client under a contract, and the goal is to find problems and report your findings. This chapter introduces the general format and layout of the report.
Chapter 11, "Dealing with Security and Detection Systems": of course, not all systems are wide open, waiting to be penetrated. In fact, many systems have several different forms of defense ready and waiting. Here, intrusion detection and prevention systems are the mortal enemies of the penetration tester, and in this chapter you will learn how to deal with them.
Chapter 12, "Hiding Tracks and Evading Detection": leaving clues at the scene is an easy way to get caught and thwarted. In this chapter you will learn how to clean up afterwards so that no one but the most determined investigator can find you.
Chapter 13, "Detecting and Attacking Wireless Networks": wireless networks are everywhere, so you will need to deal with them in almost any environment you explore. If those environments include mobile devices, you are bound to encounter such networks, and you can then set them as targets.
Chapter 14, "Mobile Device Security": whatever you think of mobile devices, they will not stop evolving; they keep taking on new forms, functions and shapes and have become part of our daily lives. Because they have been integrated into business environments, and the line between business and personal use has blurred, you have to learn how to deal with mobile devices.
Chapter 15, "Conducting Social Engineering Attacks": every system has a weakest link, and in many cases that weakest link is a human being. As a penetration tester, you can use your eloquence, psychology and ingenuity to steer conversations toward topics that yield useful information.
Chapter 16, "Hardening the Host System": a variety of countermeasures can be used to delay or prevent attacks. One of the outermost lines of defense is to routinely lock down, or harden, systems to reduce their chances of being compromised.
Chapter 17, "Hardening Your Network": like hardening hosts, hardening the network offers various countermeasures. Removing unnecessary protocols and applying firewalls and other mechanisms can delay and frustrate attackers.
Chapter 18, "Planning the Path to Career Success": this chapter treats you as a graduate, now looking at future development in the field of penetration testing, and provides guidance on how to continue developing your skills.
Chapter 19, "Building a Penetration Testing Lab": a good penetration tester needs equipment on which to practice what he or she has learned. In this chapter we explore how to set up a basic lab that can be used for practice and experiments.
Chapter 1 Introduction to Penetration Testing
1.1 Defining penetration testing
1.1.1 The work of the penetration tester
1.1.2 Identifying adversaries
1.2 Protecting confidentiality, integrity and availability
1.3 A look at the evolution of hackers
1.3.1 The role of the Internet
1.3.2 The hacker hall of fame (or shame)
1.3.3 How the law classifies hacking
1.4 Chapter summary
1.5 Exercises
Chapter 2 Introduction to Operating Systems and Networks
2.1 Comparing common operating systems
2.1.1 Microsoft Windows
2.1.2 Mac OS
2.1.3 Linux
2.1.4 Unix
2.2 A first look at networking concepts
2.2.1 The OSI model
2.2.2 The TCP/IP protocol suite
2.2.3 IP addresses
2.2.4 Format of IP addresses
2.2.5 Network devices
2.3 Chapter summary
2.4 Exercises
Chapter 3 Introduction to Cryptography
3.1 Understanding the four goals of cryptography
3.2 History of encryption
3.3 Common terms in cryptography
3.4 Comparing symmetric and asymmetric encryption
3.4.1 Symmetric encryption
3.4.2 Asymmetric (public key) encryption
3.5 Transforming data with hashing algorithms
3.6 A hybrid system: using digital signatures
3.7 Using PKI
3.7.1 Certificates
3.7.2 Building a public key infrastructure (PKI) architecture
3.8 Chapter summary
3.9 Exercises
Chapter 4 Overview of Penetration Testing Methodology
4.1 Defining the objectives and scope of work
4.2 Choosing the type of test to perform
4.3 Obtaining permission via a signed contract
4.3.1 Gathering intelligence
4.3.2 Scanning and enumerating
4.3.3 Penetrating the target
4.3.4 Maintaining access
4.3.5 Covering tracks
4.3.6 Recording test results
4.3.7 Understanding the EC-Council process
4.4 Testing within the law
4.5 Chapter summary
4.6 Exercises
Chapter 5 Intelligence Gathering
5.1 Introduction to intelligence gathering
5.1.1 Classifying information
5.1.2 Classifying collection methods
5.2 Examining the company's website
5.2.1 Viewing the website offline
5.2.2 Finding subdomains
5.3 Finding websites that no longer exist
5.4 Gathering information with search engines
5.4.1 Using Google for hacking
5.4.2 Getting search engine alerts
5.5 Using people-search websites to locate employees
5.6 Discovering location information
5.7 Leveraging social networks
5.8 Finding information through financial services
5.9 Investigating job boards
5.10 Searching email
5.11 Extracting technical information
5.12 Chapter summary
5.13 Exercises
Chapter 6 Scanning and Enumerating
6.1 Introduction to scanning
6.2 Checking for live systems
6.3 Performing port scans
6.3.1 Full scan (port scan)
6.3.2 Stealth scan (half-open scan)
6.3.3 Xmas tree scan
6.3.4 FIN scan
6.3.5 NULL scan
6.3.6 ACK scan
6.3.7 Fragment scan
6.3.8 UDP scan
6.4 Identifying the operating system
6.5 Vulnerability scanning
6.6 Using a proxy server (keeping a low profile)
6.7 Enumeration
6.7.1 Valuable ports
6.7.2 Using email IDs
6.7.3 SMTP enumeration
6.7.4 Commonly used services
6.7.5 NetBIOS
6.7.6 Null sessions
6.8 Chapter summary
6.9 Exercises
Chapter 7 Performing Vulnerability Scanning
7.1 Introduction to vulnerability scanning
7.2 Recognizing the limitations of vulnerability scanning
7.3 Overview of the vulnerability scanning process
7.3.1 Regularly assessing existing equipment
7.3.2 Evaluating new systems
7.3.3 Understanding the scan target
7.3.4 Risk mitigation
7.4 Types of scans that can be performed
7.5 Chapter summary
7.6 Exercises
Chapter 8 Cracking Passwords
8.1 Recognizing strong passwords
8.2 Choosing a password-cracking technique
8.3 Performing passive online attacks
8.3.1 Network sniffing and packet analysis
8.3.2 Man-in-the-middle attacks
8.4 Performing active online attacks
8.4.1 Password guessing
8.4.2 Malware
8.5 Performing offline attacks
8.6 Using non-technical methods
8.6.1 Default passwords
8.6.2 Guessing
8.6.3 Using flash drives to steal passwords
8.7 Escalating privileges
8.8 Chapter summary
8.9 Exercises
Chapter 9 Using Backdoors and Malware to Maintain Access
9.1 Deciding how to attack
9.2 Installing a backdoor with PsTools
9.3 Opening a shell with LAN Turtle
9.4 Recognizing various types of malware
9.5 Launching viruses
9.5.1 Life cycle of a virus
9.5.2 Types of viruses
9.6 Launching worms
9.7 Launching spyware
9.8 Planting Trojans
9.8.1 Working with netcat
9.8.2 Communicating with netcat
9.8.3 Sending files with netcat
9.9 Installing rootkits
9.10 Chapter summary
9.11 Exercises
Chapter 10 Reporting
10.1 Reporting the test parameters
10.2 Collecting information
10.3 Highlighting important information
10.4 Adding supporting documentation
10.5 Performing quality assurance
10.6 Chapter summary
10.7 Exercises
Chapter 11 Dealing with Security and Detection Systems
11.1 Intrusion detection
11.1.1 Network-based intrusion detection
11.1.2 Classifying network detection engines
11.1.3 Host-based intrusion detection
11.1.4 Intrusion prevention systems
11.2 Recognizing the signs of an intrusion
11.2.1 Host system intrusions
11.2.2 Unified threat management
11.2.3 Indicators of network intrusion
11.2.4 Vague signs of intrusion
11.3 Evading an IDS
11.3.1 Targeting the IDS
11.3.2 Obfuscation
11.3.3 Using covert channels
11.3.4 Crying wolf
11.3.5 Evading through encryption
11.4 Breaching a firewall
11.4.1 Firewall configuration
11.4.2 Types of firewalls
11.4.3 Understanding the target
11.4.4 "Going through the fire" at the firewall
11.5 Honeypots: a wolf in sheep's clothing
11.5.1 Detecting honeypots
11.5.2 Questions about honeypots
11.6 Chapter summary
11.7 Exercises
Chapter 12 Hiding Tracks and Evading Detection
12.1 Recognizing the motivation for evasion
12.2 Clearing log files
12.2.1 Disabling the logging process on Windows
12.2.2 Deleting events from the log file
12.2.3 Clearing the event log on a Linux computer
12.2.4 Erasing command history
12.3 Hiding files
12.3.1 Hiding files with alternate data streams (NTFS)
12.3.2 Hiding files with steganography
12.4 Evading antivirus detection
12.5 Evading defenses through backdoors
12.6 Evading with rootkits
12.7 Chapter summary
12.8 Exercises
Chapter 13 Detecting and Attacking Wireless Networks
13.1 Introduction to wireless networks
13.1.1 Understanding wireless network standards
13.1.2 Comparing 5GHz and 2.4GHz wireless networks
13.1.3 Recognizing the components of a wireless network
13.1.4 Wi-Fi authentication modes
13.2 Breaking wireless encryption
13.2.1 Cracking WEP
13.2.2 Moving from WEP to WPA
13.2.3 Cracking WPA and WPA2
13.2.4 Learning about wireless deployment options
13.2.5 Protecting against WEP and WPA attacks
13.3 Conducting wardriving attacks
13.4 Other types of attacks
13.5 Choosing tools to attack wireless networks
13.5.1 Choosing utilities
13.5.2 Choosing the right wireless network card
13.6 Cracking Bluetooth
13.6.1 Types of Bluetooth attacks
13.6.2 Notes on Bluetooth
13.7 Hacking the Internet of Things
13.8 Chapter summary
13.9 Exercises
Chapter 14 Mobile Device Security
14.1 Recognizing today's mobile devices
14.1.1 Versions and types of mobile operating systems
14.1.2 Threats to mobile devices
14.1.3 Goals of mobile security
14.2 Working with the Android operating system
14.2.1 Rooting an Android system
14.2.2 Operating in a sandbox
14.2.3 Building a customized Android system
14.3 Working with Apple iOS
14.4 Finding security vulnerabilities in mobile devices
14.4.1 Cracking mobile passwords
14.4.2 Finding unprotected networks
14.5 About BYOD
14.6 Choosing tools to test mobile devices
14.7 Chapter summary
14.8 Exercises
Chapter 15 Social Engineering Attacks
15.1 Introduction to social engineering
15.2 Exploiting human nature
15.3 Acting like a social engineering attacker
15.4 Selecting specific victims
15.5 Using social networks
15.6 Achieving more secure social networking
15.7 Chapter summary
15.8 Exercises
Chapter 16 Hardening the Host System
16.1 Introduction to hardening
16.2 Three principles of defense
16.2.1 Adopting defense in depth
16.2.2 Implementing the principle of implicit deny
16.2.3 Implementing the principle of least privilege
16.3 Establishing a security baseline
16.4 Hardening with Group Policy
16.5 Hardening desktop systems
16.5.1 Managing patches
16.5.2 Strengthening passwords
16.5.3 Installing software carefully
16.5.4 Using antivirus packages
16.6 Backing up systems
16.7 Chapter summary
16.8 Exercises
Chapter 17 Hardening Your Network
17.1 Introduction to network hardening
17.2 Intrusion detection systems
17.2.1 Overview of IDS principles
17.2.2 HIDS components
17.2.3 Limitations of IDS
17.2.4 Investigating incidents
17.3 Firewalls
17.3.1 Principles of firewalls
17.3.2 Limitations of firewalls
17.3.3 Implementing firewalls
17.3.4 Developing firewall policies
17.3.5 Network connection policies
17.4 Physical security controls
17.5 Chapter summary
17.6 Exercises
Chapter 18 Planning the Path to Career Success
18.1 Choosing a career development path
18.2 Building a library
18.3 Practicing technical writing
18.4 Showing your skills
18.5 Chapter summary
18.6 Exercises
Chapter 19 Building a Penetration Testing Lab
19.1 Deciding to build a lab
19.2 Considering virtualization
19.2.1 Advantages of virtualization
19.2.2 Disadvantages of virtualization
19.3 Getting started and resource requirements
19.4 Installing software
19.5 Chapter summary
19.6 Exercises
You have decided to become a penetration tester (commonly known as a pentester), but you still do not know how to get started. This book will help you understand what it means to be a penetration tester, along with the skills and ethical responsibilities the role requires. You will acquire the skills needed to succeed in the field of penetration testing and security practice.
Specifically, you will be exposed to a variety of methods in use on the front line of hacker attack and defense; at the same time, you will learn about the various techniques available in penetration testing for obtaining information or establishing a foothold from which to launch more advanced attacks. In addition, understanding an attacker's motivation helps you grasp the scope of an attack and even its details. In fact, you need to stand in the attacker's shoes to understand why they attack, and then use that insight to test the client's network.
In this chapter you will learn:
The definition of penetration testing and the work of penetration testers
Why confidentiality, integrity and availability are protected
A review of the history of hackers and penetration testing
Definition of penetration testing
In today's world, because organizations of all kinds have to examine their security posture and how to improve it more seriously, penetration testers have become more important. Major security incidents such as the attacks suffered by retail giant Target and entertainment giant Sony have created a need for well-trained, skilled security experts who can understand and locate weaknesses in systems. By adopting a set of procedures that combine technical, administrative and physical measures, many organizations have learned to defend against vulnerabilities in their systems.
Technical measures include the use of virtual private networks (VPN), encryption protocols, intrusion detection systems (IDS), intrusion prevention systems (IPS), access control lists (ACL), biometrics, smart cards and other devices that help improve security.
Administrative measures include the application of policies, procedures and other rules that have been applied and strengthened over the past decade.
Physical measures include the use of devices such as cable locks, equipment locks, alarm systems and other similar devices.
As a penetration tester, you must test all kinds of environments that contain one or more of the above technologies, and be prepared for almost anything else as well. So, what role does the penetration tester play? Penetration testers are usually employed formally, either as internal staff of the organization or through an external entity (such as a contractor, by position or by project). Regardless of the form of employment, penetration testers are required to conduct penetration tests: to investigate, evaluate and test the security of a given organization using the same techniques, strategies and means as a malicious attacker. The main differences between a penetration tester and a malicious attacker are the purpose and whether legal permission has been obtained from the owner of the system being evaluated. In addition, the penetration tester must not disclose the test results to anyone other than the persons designated by the client. To protect the rights and interests of both parties, the employer often signs a non-disclosure agreement (NDA) with the penetration tester. Doing so protects the company's property while allowing the penetration tester to access internal resources. Finally, the penetration tester serves the company under a contract that specifies which actions are prohibited and what the penetration tester is required to deliver at the end of the test. All the details depend on the specific needs of the organization.
Other terms are also often used to refer to penetration testers: pentester, ethical hacker and white hat hacker. All of these terms are correct, and they describe the same category of people (although on some occasions a supposed synonym may start an argument). In general, penetration tester is the most commonly used. However, the International Council of E-Commerce Consultants (EC-Council) uses the term "ethical hacker" in its own certification, Certified Ethical Hacker.
On some occasions, "what is a hacker" has always been a hot topic. Over the past few years, the author has taken part in many interesting discussions about the term "hacker". Many people believe that hackers only do bad things, which is often how they are portrayed in movies, television, books and other media. However, hackers have evolved, and the term no longer refers only to those who commit crimes. In fact, many hackers have shown that although they have the ability to commit crime and cause damage, they are more interested in working with customers and others to help them improve security or to conduct research.
In the real world, hackers can be classified to distinguish their skills and intentions.
Script kiddies: these hackers have limited or no training and only know how to use basic tools or techniques. They may not even understand what they are doing.
White hat hackers: these hackers think like an attack team but serve the good guys. They are generally characterized by a "do no harm" principle that is often regarded as a code of ethics. This group is also known as penetration testers.
Grey hat hackers: these hackers wander between black and white. They have decided to change tack and abandon evil for good, but even though they have turned over a new leaf, they still cannot be trusted completely. In addition, in the modern security world, such people also discover and exploit vulnerabilities and then provide the results to the vendor, either for free or in exchange for some form of reward.
To be on the safe side, professionals who do not want to cause trouble should avoid using the word "hacker", so as not to alarm customers. The term "penetration tester" should be the first choice.
Black hat hackers: these are the villains who break the law. Their actions may follow a certain plan, or they may follow no rules at all. In most cases, there is not much difference between black hat hacking and outright crime.
Cyber terrorists: a new form of attacker who tries to destroy targets without bothering to conceal their identity. In essence, they are trying to prove a point and are not worried about being arrested or jailed.
Protect confidentiality, integrity and availability
Any security-conscious organization works hard to maintain the three elements of CIA security, namely the three core principles of confidentiality, integrity and availability. The following list describes these core concepts. They should be kept in mind when performing penetration testing tasks and responsibilities on the job.
Confidentiality: this refers to protecting information from unauthorized access. The control measures that protect confidentiality are permissions and encryption.
Integrity: this means that the information is kept in a form that retains its original intent, that is, the data opened by the recipient is the same as the data its creator intended to create.
Availability: this means ensuring that information and resources are available to those who need them. In short, no matter how secure information or resources are, they are useless if they are not ready and available when needed.
When conducting system security assessment and planning, the CIA principles are among the most important assurance objectives, if not the most important. After targeting a system, an attacker will attempt to undermine or disrupt these objectives. The complementary relationship among the three elements of CIA security is shown in figure 1.1.
Why are the three elements of CIA security so important? Consider the consequences if an investment company or a defense contractor suffered a leak at the hands of a malicious group. The result would be catastrophic, not to mention that it could expose the organization to serious civil and even criminal liability. As a penetration tester, what you need to do is try to find the vulnerabilities in the customer's environment that break the CIA principles and understand how they work. Another way to analyze the problem is to use a tool called the anti-CIA triad (see figure 1.2).
Improper disclosure: this refers to the disclosure of, or access to, information or resources as a result of negligence, accident or malice. Simply put, if you are not a person who is authorized to access the object, you should never access it.
Unauthorized modification: this is the opposite of integrity and refers to unauthorized or other improper modification of information. Such modification can be caused by error, unexpected access or deliberate malice.
Interruption (also known as loss): this refers to the loss of access to information or resources that should have been accessible. In essence, information that is not there when needed is useless. Although information or other resources may not be 100% available, some organizations spend time and money to achieve 99.999% uptime, which is equivalent to an average of only about 6 minutes of downtime per year.
On the Evolutionary History of hackers
The role of penetration tester is often one of the most misunderstood positions in the IT security industry. To understand the role, you first need to review the evolution of the penetration tester's predecessor, the hacker.
The word "hacker" has a long history, and its origin can be traced back to the technology enthusiasts of more than 50 years ago (the 1960s). Unlike today's hackers, these were people who simply had curiosity and enthusiasm for new technology and took the time to explore the inner workings and limits of early systems. In the early days, these hackers would look for a target system and try to discover new functions of the system, or uncover secrets that were not public or not known to the technology of the time, in order to push the limits. Although technology has made great progress, the ideas of these early hackers live on.
The word hacker has a dual meaning in the technology industry: it can describe both a software programmer and a person who breaks into computers and networks without permission. The former has a more positive meaning, while the latter is derogatory. When it comes to computers or other related technology, the news media's insistence on using the word hacker makes its meaning even more confusing. Basically, the news media, movies and TV programs refer to anyone who modifies technology or has a high level of knowledge as a hacker.
Looking back at these early technology enthusiasts, we can find that they have one thing in common: curiosity about new technology and a desire to learn new things. The curiosity of the first hackers was stimulated by the mainframe computers of colleges, universities and enterprises. As time passed, the personal computer (PC) attracted their attention because it was a brand-new and shiny technology that needed to be explored, analyzed and exploited. In fact, the early PC made it easier than before for more people to inherit the mantle of the technology enthusiast and hacker. In the 1990s, the Internet made it easier than ever for hackers to spread their activities widely, which was an irresistible temptation for them. Today, in 2016 and beyond, there are more opportunities than ever before. The explosive growth of Wi-Fi, Bluetooth, tablets and smartphones, as well as many other technologies, has further added to the chaos and to the number of devices that can be broken into and attacked. As technology develops, hackers also make progress, and their growing technical ability and creativity drive the evolution of attacks.
Because consumer products do not pay as much attention to security as to product functionality, attacks become easier. In the end, manufacturers releasing new products (such as tablets, PCs or other products) tend to focus on the product's functionality rather than its security. Although this trend may have changed in recent years, with some vendors producing more secure products than in the past, don't get too excited: many products still ship with vulnerabilities by default.
Shortly after the Internet was opened to the public, hackers became more productive and more dangerous. Many of the attacks originally carried out on the Internet were mischievous, such as defacing web pages or similar behavior. Although the initial attacks on the Internet may essentially have been pranks, the attacks that followed were much worse.
In fact, since 2000, attacks have become more and more sophisticated, more aggressive and more public. One example is the massive data breach of Apple's cloud data service iCloud in August 2014, as a result of which intimate photos of hundreds of celebrities were made public. Unfortunately, Apple's customer terms make it impossible for customers to hold Apple responsible for data leaks and other problems. So far, the attack has led to a number of lawsuits involving photo theft and has also brought a lot of negative publicity to Apple. The photos stolen in the data leak can now be found all over the Internet and have spread like wildfire, causing great distress to the people in them.
Another example of damage caused by malicious hackers is the Target data leak that occurred in September 2014. The incident caused about 56 million credit card accounts to be leaked. This data leak came less than a year after the previous well-known Target data breach, which led to the disclosure of 40 million customer accounts.
The final example comes from information provided by the United States government in March 2016. It was revealed that during the 18-month period ending March 2015, 316 cyber security incidents of varying severity were reported on the Obamacare website. Millions of Americans use the site to search for and obtain health care information, and it is used by every state except 12 states and Washington, D.C. Although a comprehensive analysis of these incidents showed that no personal information, such as social security numbers or home addresses, had been disclosed, it does indicate that the site may be seen as an effective target for stealing such information. What is worrying is that, in fact, there were many other serious security problems, such as unpatched systems and poorly integrated systems (easy for hackers to exploit).
All these attacks are examples of malicious attacks that are taking place and causing harm to the public.
Many factors have contributed to the increase in hacking and cyber crime; the huge amount of data available on the Internet and the proliferation of new technologies and digital products are the two leading reasons. Since 2000, more and more portable devices have appeared on the market, and their functionality and performance have grown steadily. Smartphones, tablets, wearable computing and similar products have become highly open and easy to connect to the Internet, allowing people to share information easily. In addition, note the huge number of Internet-connected devices, such as the smartphones, tablets and other digital products that you carry with you. All of the above have attracted the attention of criminals, many of whom have an incentive to steal money, data and other resources.
Many of the attacks that have occurred in the past decade are no longer carried out by the curious hackers of the past, but by other groups. The groups involved include politically motivated groups, radical groups and criminals. Although many cyber attacks are still launched by the curious or by pranksters, these more maliciously motivated attacks are often more likely to be exposed and have a greater impact.
Many hackers and criminals choose to hide behind pseudonyms, and in many cases they have remained at large, but this does not mean that there are no well-known hacker figures and events. Here are some famous hackers in history:
In 1988, Robert T. Morris, Jr., a student at Cornell University, created what is thought to be the first Internet worm. Due to carelessness in the worm's design, it replicated indiscriminately and very quickly, causing a widespread slowdown that affected the whole Internet.
In 1994, Kevin Lee Poulsen, under the pseudonym "Dark Dante", took over all the phone lines of the Los Angeles radio station KIIS-FM to ensure that he became the 102nd caller and won a Porsche 944 S2 sports car. Poulsen became famous as the first person to be banned from using the Internet after his release from prison (though the ban was only for a fixed term). A tidbit of the incident is that Poulsen is now an editor at Wired magazine in the United States.
In 1999, David L. Smith created the "Melissa" virus, which was designed to spread by e-mail through the user's address book and then delete files on the infected system.
In 2001, Jan de Wit created a virus named after the tennis star Kournikova. The virus was designed to read the user's Outlook address book (Outlook is part of the Microsoft Office suite and is mainly used to send and receive e-mail) and send itself to every mailbox in it.
In 2002, Gary McKinnon accessed US military networks and deleted key files, including information related to shutting down weapons and other systems.
In 2004, Adam Botbyl conspired with two friends to steal credit card information from the hardware chain Lowe's.
In 2005, Cameron Lacroix hacked into the phone of the celebrity Paris Hilton and took part in the attack on the website of LexisNexis, an online public records aggregator, which eventually leaked thousands of personal information records.
In 2009, Kristina Vladimirovna Svechinskaya, a young Russian hacker, took part in several frauds against big banks in the United States and the United Kingdom. She used a Trojan horse to attack Bank of America and opened thousands of bank accounts through which she could defraud a total of $3 billion. An interesting tidbit is that Ms. Svechinskaya was named the world's sexiest hacker because of her looks. The point of mentioning this is that the image of the hacker as a socially awkward nerd living in the basement is gone forever. In this case, the hacker is not only skilled and dangerous but also does not fit the stereotype of what a hacker looks like.
Since 2010, the hacker group Anonymous has attacked a number of targets, including local government networks and news organizations. To this day, the group is still active and has carried out several high-profile attacks. They have targeted Donald Trump and his 2016 presidential campaign.
Although many attacks, and the hackers who carried them out, have made the news in some form, many have not. In fact, many high-value, sophisticated and dangerous attacks occur frequently but are never reported; worse, some are never even discovered. Of the attacks that are discovered, only a few hackers are ever tried, and jail is even rarer. However, whether caught or not, hacking is always a criminal act, and it is prosecuted in a growing number of legal systems.
In the past two decades, great changes have taken place in hacker-related crime. Some broad categories of cyber crime are listed below:
Identity theft
This refers to the theft of identity information so that someone can use another party's identity for illegal purposes. Usually this type of activity is carried out for economic gain, such as opening a credit card or bank account, or, in extreme cases, to commit other crimes, such as obtaining leased assets or other services.
Theft of services
This includes the use of telephone, Internet or other similar services without formal or oral permission. Examples of offences in this category are generally stealing passwords and exploiting system vulnerabilities. Interestingly, in some cases, simply stealing a password is enough to constitute a crime. In some states, sharing a Netflix (the well-known online film and television service) account or other service account with friends and family may be prosecuted as theft of services.
Network intrusion or unauthorized access
This is one of the oldest and most common types of attack. It is not unusual for this type of attack to lead to other attacks (such as identity theft, theft of services and countless other possibilities). In theory, any unauthorized network access is enough to be considered a network intrusion, which includes using a Wi-Fi network without permission or even logging in to a guest account.
Publication and/or dissemination of illegal materials
Over the past decade, this has been a difficult problem to solve and deal with. Materials found to be illegally distributed include copyrighted materials, pirated software and child pornography. The easy availability of related technologies (such as encryption, file sharing services and anonymity) makes these activities hard to stamp out.
Fraud
This is the act of using illegal information or illegal access to deceive another party or parties, often for the purpose of obtaining a benefit or causing damage.
Embezzlement
This is a form of financial fraud that involves the theft or misappropriation of funds and is the result of a breach of the trust placed in an important position. Modern technology has made the task easier.
Dumpster diving
This is the oldest and easiest way to obtain and collect material that has been discarded or left in an unsafe or unprotected container. Discarded data can often be pieced together to reconstruct sensitive information. Although going through garbage is not illegal in itself, going through garbage on private property constitutes a crime and can be prosecuted as trespassing or on other related charges.
Writing malicious code
This refers to viruses, worms, spyware, adware, rootkits or other types of malware. Basically, such crimes involve a class of software deliberately written to cause damage or disruption.
Unauthorized destruction or alteration of information
This includes modifying, destroying or tampering with information without obtaining appropriate permission.
Denial of service (DoS) and distributed denial of service (DDoS) attacks
Both attacks overload system resources so that the required services cannot be provided to legitimate users. Although the goals are the same, the terms DoS and DDoS actually describe two different forms of attack. A DoS attack is a small-scale, one-on-one attack; a DDoS attack is larger, with thousands of systems attacking the same target.
Cyberstalking
This is a relatively new type of crime in this list. Attackers committing such crimes use online resources or other means to collect personal information and use it to track a person; in some cases they also try to contact the target in real life. Although some states, such as California, have laws against cyber harassment, such legislation is far from common. In many cases, because the harasser crossed state lines during the crime, which state or jurisdiction can prosecute becomes a problem.
Cyber bullying
This behavior is very similar to cyberstalking, except that individuals use social media and other technologies to harass the victim. Although this kind of behavior may not seem like a big deal, it is said to have driven some people to suicide.
Cyber terrorism
Unfortunately, a reality of today's world is that adversaries have realized that traditional weapons cannot give them the kind of power that cyberspace warfare can. Compared with being sent to the target country, committing terrorist acts through cyberspace carries negligible real risk.
To help understand the nature of cyber crime, we must first understand the three core elements that a criminal act must have:
Means, or the ability to achieve an end, which essentially means having the skills and abilities necessary to get the job done.
Motive, the reason for pursuing a set goal.
Opportunity, that is, the opening or weakness needed to carry out the threat at a given time.
As will be discussed in this book, many of these types of attack are simple at first but quickly develop into more and more advanced forms. Attackers quickly upgrade their methods and adopt more advanced strategies, making the attacks more effective than before. Because they already know how to harass and infuriate the public, by targeting this modern "connected" way of life they have also brought more damage to the world today.
As new technologies such as smartphones and social networks become more integrated into daily life, the attacks mentioned in this book will only increase. The amount of information collected, tracked and processed through these devices and technologies is staggering. According to some sources, information about location, application usage, web browsing and other data is collected from most people every three minutes. With such a large amount of information being collected, it is easy to imagine how it could be misused.
Over the past decade, a large number of attacks have been driven by greed. Hackers have realized that their skills can not only satisfy curiosity but also be used for economic gain. One common example that appeared during this period is malware. Malware can not only infect a system but in many cases also bring profit to its producers. For example, malware can redirect a user's browser to a specified website in order to make the user click on or view advertisements.
Summary of this chapter
This chapter described how penetration testers investigate, evaluate and test the security of a given organization by using the same techniques as malicious hackers. Their "opponents" are script kiddies, white hat hackers, gray hat hackers, black hat hackers and cyber terrorists. The job of penetration testing is to attempt to break the confidentiality, integrity and availability of the customer's systems.
In addition, it introduced the evolution of hackers and penetration testing, including the role played by the Internet and famous hackers in history.
Exercise
1. What three types of security controls can a company use to defend against hackers?
2. What are the main differences between hackers and penetration testers?
3. What are the nicknames for penetration testers?
4. What do the three elements of CIA represent when discussing information security?
5. List some categories of cyber crime.
Purchase address:
Https://item.jd.com/12286400.html