Table of Contents

Preface ... 33
  What Hacking Has to Do with Security ... 33
  About this Book ... 34
  What’s New in the Third Edition ... 35
  Target Group ... 35
  Let’s Go! ... 35
Foreword by Klaus Gebeshuber ... 36
Foreword by Stefan Kania ... 36
Greeting ... 36

1 Introduction ... 39
  1.1 Hacking ... 39
    1.1.1 Hacking Contests, Capture the Flag ... 40
    1.1.2 Penetration Test versus Hacking ... 41
    1.1.3 Hacking Procedure ... 41
    1.1.4 Hacking Targets ... 44
    1.1.5 Hacking Tools ... 46
  1.2 Security ... 47
    1.2.1 Why Are IT Systems So Insecure? ... 48
    1.2.2 Attack Vectors ... 49
    1.2.3 Who Is Your Enemy? ... 53
    1.2.4 Intrusion Detection ... 55
    1.2.5 Forensics ... 55
    1.2.6 Ten Steps to Greater Security ... 56
    1.2.7 Security Is Not Visible ... 57
    1.2.8 Security Is Inconvenient ... 57
    1.2.9 The Limits of This Book ... 58
  1.3 Exploits ... 58
    1.3.1 Zero-Day Exploits ... 60
    1.3.2 The Value of Exploits ... 61
    1.3.3 Exploit Types ... 61
    1.3.4 Finding Vulnerabilities and Exploits ... 62
    1.3.5 Common Vulnerabilities and Exposures ... 62
    1.3.6 Common Vulnerability Scoring System ... 62
    1.3.7 Vulnerability and Exploit Databases ... 63
    1.3.8 Vulnerability Scanners ... 64
    1.3.9 Exploit Collections ... 65
  1.4 Authentication and Passwords ... 65
    1.4.1 Password Rules ... 66
    1.4.2 Phishing ... 66
    1.4.3 Storage of Passwords (Hash Codes) ... 67
    1.4.4 Alternatives to Passwords ... 68
    1.4.5 Fast Identity Online ... 69
  1.5 Security Risk IPv6 ... 70
    1.5.1 Security Complications ... 71
  1.6 Legal Framework ... 72
    1.6.1 Unauthorized Hacking Is Punishable by Law ... 72
    1.6.2 Negligent Handling of IT Security Is Also a Criminal Offense ... 73
    1.6.3 European General Data Protection Regulation ... 74
    1.6.4 Critical Infrastructure, Banks ... 74
    1.6.5 Security Guidelines and Standards ... 75
  1.7 Security Organizations and Government Institutions ... 75

2 Kali Linux ... 77
  2.1 Kali Alternatives ... 77
  2.2 Trying Out Kali Linux without Installation ... 78
    2.2.1 Verifying the Download ... 78
    2.2.2 Verifying the Signature of the Checksum File ... 79
    2.2.3 Trying Kali Linux in VirtualBox ... 80
    2.2.4 Saving Data Permanently ... 83
    2.2.5 Forensic Mode ... 83
  2.3 Installing Kali Linux in VirtualBox ... 84
    2.3.1 Option 1: Using a Prebuilt VirtualBox Image ... 85
    2.3.2 Option 2: Installing Kali Linux Yourself ... 85
    2.3.3 Installation ... 85
    2.3.4 Login and sudo ... 88
    2.3.5 Time Zone and Time Display ... 88
    2.3.6 Network Connection ... 88
    2.3.7 Using Kali Linux via SSH ... 89
    2.3.8 Clipboard for Kali Linux and the Host Computer ... 91
  2.4 Kali Linux and Hyper-V ... 91
  2.5 Kali Linux in the Windows Subsystem for Linux ... 93
    2.5.1 Kali Linux in Graphic Mode ... 94
    2.5.2 WSL1 versus WSL2 ... 95
    2.5.3 Practical Experience ... 96
  2.6 Kali Linux on Raspberry Pi ... 96
  2.7 Running Kali Linux on Apple PCs with ARM CPUs ... 97
  2.8 Simple Application Examples ... 99
    2.8.1 Address Scan on the Local Network ... 100
    2.8.2 Port Scan of a Server ... 101
    2.8.3 Hacking Metasploitable ... 103
  2.9 Internal Details of Kali ... 103
    2.9.1 Basic Coverage ... 103
    2.9.2 Package Sources ... 104
    2.9.3 Rolling Release ... 104
    2.9.4 Performing Updates ... 104
    2.9.5 Installing Software ... 105
    2.9.6 Python 2 ... 105
    2.9.7 Network Services and Firewall ... 106
    2.9.8 kali-tweaks ... 106
    2.9.9 Undercover Mode ... 107
    2.9.10 PowerShell ... 107

3 Setting Up the Learning Environment: Metasploitable, Juice Shop ... 109
  3.1 Honeypots ... 110
  3.2 Metasploitable 2 ... 110
    3.2.1 Installation in VirtualBox ... 111
    3.2.2 Network Settings ... 111
    3.2.3 Host-Only Network ... 112
    3.2.4 Using Metasploitable 2 ... 113
    3.2.5 Hacking Metasploitable 2 ... 114
    3.2.6 rlogin Exploit ... 115
  3.3 Metasploitable 3 (Ubuntu Variant) ... 116
    3.3.1 Why No Ready-Made Images? ... 117
    3.3.2 Requirements ... 117
    3.3.3 Installation ... 118
    3.3.4 Starting and Stopping Metasploitable 3 ... 120
    3.3.5 Administering Metasploitable 3 ... 120
    3.3.6 Network Configuration ... 121
    3.3.7 Hacking Metasploitable 3 ... 122
  3.4 Metasploitable 3 (Windows Variant) ... 123
    3.4.1 Administering Metasploitable 3 ... 124
    3.4.2 SSH Login ... 126
    3.4.3 Internal Details and Installation Variants ... 126
    3.4.4 Overview of Services in Metasploitable 3 (Windows Variant) ... 127
    3.4.5 Hacking Metasploitable 3 ... 129
  3.5 Juice Shop ... 133
    3.5.1 Installation with Vagrant ... 133
    3.5.2 Installation with Docker ... 134
    3.5.3 Docker in Kali Linux ... 135
    3.5.4 Hacking Juice Shop ... 135

4 Hacking Tools ... 137
  4.1 nmap ... 138
    4.1.1 Syntax ... 138
    4.1.2 Examples ... 140
    4.1.3 Variants and Alternatives ... 141
  4.2 hydra ... 142
    4.2.1 Syntax ... 142
    4.2.2 Password Lists ... 144
    4.2.3 Examples ... 144
    4.2.4 Attacks on Web Forms and Login Pages ... 145
    4.2.5 Alternatives ... 146
  4.3 sslyze, sslscan, and testssl ... 148
    4.3.1 sslscan and sslyze ... 148
    4.3.2 testssl ... 149
    4.3.3 Online Tests ... 150
  4.4 whois, host, and dig ... 151
    4.4.1 whois ... 152
    4.4.2 host ... 152
    4.4.3 dig ... 153
    4.4.4 dnsrecon ... 154
  4.5 Wireshark ... 154
    4.5.1 Installation ... 155
    4.5.2 Basic Functions ... 156
    4.5.3 Working Techniques ... 158
    4.5.4 Alternatives ... 159
  4.6 tcpdump ... 159
    4.6.1 Syntax ... 160
    4.6.2 Examples ... 161
    4.6.3 ngrep ... 162
  4.7 Netcat (nc) ... 163
    4.7.1 Syntax ... 163
    4.7.2 Examples ... 163
    4.7.3 socat ... 166
  4.8 OpenVAS ... 166
    4.8.1 Installation ... 167
    4.8.2 Starting and Updating OpenVAS ... 169
    4.8.3 Operation ... 169
    4.8.4 Alive Test ... 172
    4.8.5 Setting Up Tasks Yourself ... 173
    4.8.6 High Resource Requirements ... 175
    4.8.7 Alternatives ... 175
  4.9 Metasploit Framework ... 176
    4.9.1 Operation in Kali Linux ... 177
    4.9.2 Installation on Linux ... 177
    4.9.3 Installation on macOS ... 178
    4.9.4 Installation on Windows ... 179
    4.9.5 Updates ... 180
    4.9.6 The Metasploit Console (“msfconsole”) ... 180
    4.9.7 A Typical “msfconsole” Session ... 181
    4.9.8 Searching Modules ... 182
    4.9.9 Applying Modules ... 183
    4.9.10 Meterpreter ... 185
  4.10 Empire Framework ... 187
    4.10.1 Installation ... 188
    4.10.2 Getting to Know and Setting Up Listeners ... 189
    4.10.3 Selecting and Creating Stagers ... 190
    4.10.4 Creating and Managing Agents ... 192
    4.10.5 Finding the Right Module ... 193
    4.10.6 Obtaining Local Administrator Rights with the Empire Framework ... 195
    4.10.7 The Empire Framework as a Multiuser System ... 197
    4.10.8 Alternatives ... 197
  4.11 The Koadic Post-Exploitation Framework ... 197
    4.11.1 Installing the Server ... 198
    4.11.2 Using Helper Tools in the Program ... 199
    4.11.3 Creating Connections from a Client to the Server ... 199
    4.11.4 Creating a First Connection: Zombie 0 ... 201
    4.11.5 The Modules of Koadic ... 202
    4.11.6 Escalating Privileges and Reading Password Hashes ... 203
    4.11.7 Conclusion and Countermeasures ... 205
  4.12 Social Engineer Toolkit ... 205
    4.12.1 Syntax ... 206
    4.12.2 Example ... 206
    4.12.3 The dnstwist Command ... 210
    4.12.4 Other SET Modules ... 211
    4.12.5 Alternatives ... 212
  4.13 Burp Suite ... 212
    4.13.1 Installation and Setup ... 213
    4.13.2 Modules ... 213
    4.13.3 Burp Proxy ... 214
    4.13.4 Burp Scanner ... 216
    4.13.5 Burp Intruder ... 217
    4.13.6 Burp Repeater ... 218
    4.13.7 Burp Extensions ... 218
    4.13.8 Alternatives ... 219
  4.14 Sliver ... 219
    4.14.1 Installation ... 220
    4.14.2 Implants and Listeners ... 220
    4.14.3 Other C2 Frameworks ... 224

5 Offline Hacking ... 227
  5.1 BIOS/EFI: Basic Principles ... 228
    5.1.1 The Boot Process ... 228
    5.1.2 EFI Settings and Password Protection ... 229
    5.1.3 UEFI Secure Boot ... 229
    5.1.4 When the EFI Is Insurmountable: Remove the Hard Drive ... 230
  5.2 Accessing External Systems ... 230
    5.2.1 Booting the Notebook with Kali Linux ... 230
    5.2.2 Reading the Windows File System ... 231
    5.2.3 Vault Files ... 233
    5.2.4 Write Access to the Windows File System ... 235
    5.2.5 Linux ... 235
    5.2.6 macOS ... 236
    5.2.7 Does That Mean That Login Passwords Are Useless? ... 236
  5.3 Accessing External Hard Drives or SSDs ... 236
    5.3.1 Hard Drives and SSDs Removed from Notebooks ... 237
  5.4 Resetting the Windows Password ... 237
    5.4.1 Tools ... 238
    5.4.2 Undesirable Side Effects ... 239
    5.4.3 Resetting the Local Windows Password Using chntpw ... 240
    5.4.4 Activating a Windows Administrator User via chntpw ... 242
  5.5 Resetting Linux and macOS Passwords ... 244
    5.5.1 Resetting a Linux Password ... 244
    5.5.2 Resetting a macOS Password ... 245
  5.6 Encrypting Hard Drives ... 246
    5.6.1 BitLocker ... 246
    5.6.2 Access to BitLocker File Systems on Linux (dislocker) ... 249
    5.6.3 BitLocker Security ... 250
    5.6.4 BitLocker Alternatives ... 251
    5.6.5 macOS: FileVault ... 252
    5.6.6 Linux: Linux Unified Key Setup ... 253
    5.6.7 Security Concerns Regarding LUKS ... 253
    5.6.8 File System Encryption on the Server ... 254

6 Passwords ... 255
  6.1 Hash Procedures ... 256
    6.1.1 Hash Collisions ... 257
    6.1.2 SHA-2 and SHA-3 Hash Codes ... 258
    6.1.3 Checksums or Hash Codes for Downloads ... 258
  6.2 Brute-Force Password Cracking ... 259
    6.2.1 Estimating the Time Required for Password Cracking ... 259
  6.3 Rainbow Tables ... 260
    6.3.1 Password Salting ... 261
  6.4 Dictionary Attacks ... 262
  6.5 Password Tools ... 263
    6.5.1 John the Ripper: Offline CPU Cracker ... 264
    6.5.2 hashcat: Offline GPU Cracker ... 265
    6.5.3 Crunch: Password List Generator ... 268
    6.5.4 hydra: Online Cracker ... 269
    6.5.5 makepasswd: Password Generator ... 270
    6.5.6 One-Time Secret: Send Passwords by Email ... 270
  6.6 Default Passwords ... 271
  6.7 Data Breaches ... 272
  6.8 Multifactor Authentication ... 275
  6.9 Implementing Secure Password Handling ... 276
    6.9.1 Implementation Tips ... 277

7 IT Forensics ... 279
  7.1 Methodical Analysis of Incidents ... 281
    7.1.1 Digital Traces ... 281
    7.1.2 Forensic Investigation ... 281
    7.1.3 Areas of IT Forensics ... 282
    7.1.4 Analysis of Security Incidents ... 284
  7.2 Postmortem Investigation ... 284
    7.2.1 Forensic Backup of Memory ... 284
    7.2.2 Recovering Deleted Files by File Carving ... 286
    7.2.3 Metadata and File Analysis ... 288
    7.2.4 System Analyses with Autopsy ... 290
    7.2.5 Basic System Information ... 292
    7.2.6 Reading the Last Activities ... 295
    7.2.7 Analyzing Web Activities ... 296
    7.2.8 Tracing Data Exchanges ... 298
  7.3 Live Analysis ... 300
    7.3.1 Finding User Data ... 301
    7.3.2 Called Domains and URLs ... 301
    7.3.3 Active Network Connections ... 302
    7.3.4 Extracting the TrueCrypt Password ... 302
  7.4 Forensic Readiness ... 303
    7.4.1 Strategic Preparations ... 303
    7.4.2 Operational Preparations ... 304
    7.4.3 Effective Logging ... 304
    7.4.4 Protection against Tampering ... 305
    7.4.5 Integrity Verification ... 305
    7.4.6 Digital Signatures ... 305
  7.5 Summary ... 305

8 Wi-Fi, Bluetooth, and SDR ... 307
  8.1 802.11x Systems: Wi-Fi ... 307
    8.1.1 Preparation and Infrastructure ... 308
    8.1.2 Wired Equivalent Privacy (WEP) ... 310
    8.1.3 WPA/WPA-2: Wi-Fi Protected Access ... 315
    8.1.4 Wi-Fi Protected Setup (WPS) ... 317
    8.1.5 Wi-Fi Default Passwords ... 320
    8.1.6 WPA-2 KRACK Attack ... 321
    8.1.7 WPA-2 Enterprise ... 322
    8.1.8 Wi-Fi Client: Man-in-the-Middle ... 323
    8.1.9 WPA-3 ... 325
  8.2 Collecting WPA-2 Handshakes with Pwnagotchi ... 325
  8.3 Bluetooth ... 332
    8.3.1 Bluetooth Technology ... 332
    8.3.2 Identifying Bluetooth Classic Devices ... 334
    8.3.3 Hiding (and Still Finding) Bluetooth Devices ... 339
    8.3.4 Bluetooth Low Energy (BTLE) ... 343
    8.3.5 Listening In on Bluetooth Low Energy Communication ... 344
    8.3.6 Identifying Apple Devices via Bluetooth ... 346
    8.3.7 Bluetooth Attacks ... 347
    8.3.8 Modern Bluetooth Attacks ... 349
  8.4 Software-Defined Radios ... 349
    8.4.1 SDR Devices ... 351
    8.4.2 Decoding a Wireless Remote Control ... 353

9 Attack Vector USB Interface ... 359
  9.1 USB Rubber Ducky ... 360
    9.1.1 Structure and Functionality ... 360
    9.1.2 DuckyScript ... 360
    9.1.3 Installing a Backdoor on Windows 11 ... 363
    9.1.4 Using the Duck Encoder to Create the Finished Payload ... 366
  9.2 Digispark: A Wolf in Sheep’s Clothing ... 367
    9.2.1 Downloading and Setting Up the Arduino Development Environment ... 368
    9.2.2 The Scripting Language of the Digispark ... 370
    9.2.3 Setting Up a Linux Backdoor with Digispark ... 371
  9.3 Bash Bunny ... 375
    9.3.1 Structure and Functionality ... 375
    9.3.2 Configuring the Bash Bunny ... 377
    9.3.3 Status LED ... 378
    9.3.4 Software Installation ... 379
    9.3.5 Connecting to the Bash Bunny ... 379
    9.3.6 Connecting the Bash Bunny to the Internet: Linux Host ... 381
    9.3.7 Connecting the Bash Bunny to the Internet: Windows Host ... 382
    9.3.8 Bunny Script: The Scripting Language of the Bash Bunny ... 384
    9.3.9 Using Custom Extensions and Functions ... 386
    9.3.10 Setting Up a macOS Backdoor with Bash Bunny ... 387
    9.3.11 The payload.txt Files for Switch1 and Switch2 ... 390
    9.3.12 Updating the Bash Bunny ... 394
    9.3.13 Key Takeaways ... 395
  9.4 P4wnP1: The Universal Talent ... 396
    9.4.1 Structure and Functionality ... 396
    9.4.2 Installation and Connectivity ... 397
    9.4.3 HID Scripts ... 398
    9.4.4 CLI Client ... 399
    9.4.5 An Attack Scenario with the P4wnP1 ... 399
    9.4.6 Creating a Dictionary ... 400
    9.4.7 Launching a Brute-Force Attack ... 401
    9.4.8 Setting Up a Trigger Action ... 404
    9.4.9 Deploying the P4wnP1 on the Target System ... 405
    9.4.10 Key Takeaways ... 405
  9.5 MalDuino W ... 406
    9.5.1 The Web Interface of the MalDuino W ... 407
    9.5.2 The Scripting Language and the CLI ... 408
    9.5.3 An Attack Scenario with the MalDuino W ... 408
    9.5.4 How Does the Attack Work? ... 409
    9.5.5 Key Takeaways ... 412
  9.6 Countermeasures ... 412
    9.6.1 Hardware Measures ... 413
    9.6.2 Software Measures ... 413

10 External Security Checks ... 419
  10.1 Reasons for Professional Checks ... 419
  10.2 Types of Security Checks ... 420
    10.2.1 Open-Source Intelligence ... 420
    10.2.2 Vulnerability Scan ... 422
    10.2.3 Vulnerability Assessment ... 424
    10.2.4 Penetration Test ... 425
    10.2.5 Red Teaming ... 425
    10.2.6 Purple Teaming ... 427
    10.2.7 Bug Bounty Programs ... 428
    10.2.8 Type of Performance ... 428
    10.2.9 Depth of Inspection: Attacker Type ... 429
    10.2.10 Prior to the Order ... 430
  10.3 Legal Protection ... 430
  10.4 Objectives and Scope ... 432
    10.4.1 Sample Objective ... 432
    10.4.2 Sample Worst-Case Scenarios ... 433
    10.4.3 Sample Scope ... 433
  10.5 Implementation Methods ... 433
  10.6 Reporting ... 434
  10.7 Selecting the Right Provider ... 437

11 Penetration Testing ... 441
  11.1 Gathering Information ... 442
    11.1.1 Searching for Information about a Company ... 442
    11.1.2 Using Metadata of Published Files ... 445
    11.1.3 Identifying the Structure of Email Addresses ... 447
    11.1.4 Database and Password Leaks ... 449
    11.1.5 Partial Automation with Maltego ... 450
    11.1.6 Automating Maltego Transforms ... 456
    11.1.7 Defense ... 458
  11.2 Initial Access with Code Execution ... 459
    11.2.1 Checking External IP Addresses of the PTA ... 459
  11.3 Scanning Targets of Interest ... 463
    11.3.1 Gathering Information via DNS ... 463
    11.3.2 Detecting Active Hosts ... 465
    11.3.3 Detecting Active Services with nmap ... 467
    11.3.4 Using nmap in Combination with Metasploit ... 469
  11.4 Searching for Known Vulnerabilities Using nmap ... 470
  11.5 Exploiting Known Vulnerabilities Using Metasploit ... 472
    11.5.1 Example: GetSimple CMS ... 474
  11.6 Attacking Using Known or Weak Passwords ... 478
  11.7 Email Phishing Campaigns for Companies ... 481
    11.7.1 Organizational Preparatory Measures ... 481
    11.7.2 Preparing a Phishing Campaign with Gophish ... 483
  11.8 Phishing Attacks with Office Macros ... 490
  11.9 Phishing Attacks with ISO and ZIP Files ... 494
    11.9.1 Creating an Executable File with Metasploit ... 495
    11.9.2 Creating a File with ScareCrow to Bypass Virus Scanners ... 499
    11.9.3 Disguising and Deceiving: From EXE to PDF File ... 502
    11.9.4 Defense ... 503
  11.10 Attack Vector USB Phishing ... 504
  11.11 Network Access Control and 802.1X in Local Networks ... 506
    11.11.1 Getting to Know the Network by Listening ... 506
    11.11.2 Network Access Control and 802.1X ... 507
  11.12 Escalating Privileges on the System ... 509
    11.12.1 Local Privilege Escalation ... 510
    11.12.2 Bypassing Windows User Account Control Using the Default Setting ... 512
    11.12.3 Bypassing UAC Using the Highest Setting ... 515
  11.13 Collecting Credentials and Tokens ... 517
    11.13.1 Reading Passwords from Local and Domain Accounts ... 518
    11.13.2 Bypassing Windows 10 Protection against mimikatz ... 519
    11.13.3 Stealing Windows Tokens to Impersonate a User ... 520
    11.13.4 Matching Users with DCSync ... 521
    11.13.5 Golden Ticket ... 522
    11.13.6 Reading Local Password Hashes ... 523
    11.13.7 Moving Laterally within the Network by Means of Pass-the-Hash ... 524
    11.13.8 Man-in-the-Middle Attacks in Local Area Networks ... 527
    11.13.9 Basic Principles ... 527
    11.13.10 LLMNR/NBT-NS and SMB Relaying ... 534
  11.14 SMB Relaying Attack on Ordinary Domain Users ... 540
    11.14.1 Command-and-Control ... 542

12 Securing Windows Servers ... 543
  12.1 Local Users, Groups, and Rights ... 544
    12.1.1 User and Password Properties ... 545
    12.1.2 Local Administrator Password Solution (LAPS) ... 548
  12.2 Manipulating the File System ... 553
    12.2.1 Attacks on Virtualized Machines ... 556
    12.2.2 Protection ... 557
    12.2.3 Attacking through the Registry ... 557
  12.3 Server Hardening ... 558
    12.3.1 Ensure a Secure Foundation ... 559
    12.3.2 Harden New Installations ... 559
    12.3.3 Protect Privileged Users ... 559
    12.3.4 Threat Detection ... 560
    12.3.5 Secure Virtual Machines as Well ... 560
    12.3.6 Security Compliance Toolkit ... 560
  12.4 Microsoft Defender ... 561
    12.4.1 Defender Configuration ... 562
    12.4.2 Defender Administration via PowerShell ... 563
  12.5 Windows Firewall ... 564
    12.5.1 Basic Configuration ... 565
    12.5.2 Advanced Configuration ... 565
    12.5.3 IP Security ... 567
  12.6 Windows Event Viewer ... 568
    12.6.1 Classification of Events ... 569
    12.6.2 Log Types ... 570
    12.6.3 Linking Actions to Event Logs ... 572
    12.6.4 Windows Event Forwarding ... 573
    12.6.5 Event Viewer Tools ... 575

13 Active Directory ... 579
  13.1 What Is Active Directory? ... 579
    13.1.1 Domains ... 580
    13.1.2 Partitions ... 580
    13.1.3 Access Control Lists ... 583
    13.1.4 Security Descriptor Propagator ... 585
    13.1.5 Standard Permissions ... 588
    13.1.6 The Confidentiality Attribute ... 592
  13.2 Manipulating the Active Directory Database or Its Data ... 592
    13.2.1 ntdsutil Command ... 593
    13.2.2 dsamain Command ... 594
    13.2.3 Accessing the AD Database via Backups ... 595
  13.3 Manipulating Group Policies ... 596
    13.3.1 Configuration Files for Group Policies ... 598
    13.3.2 Example: Changing a Password ... 600
  13.4 Domain Authentication: Kerberos ... 603
    13.4.1 Kerberos: Basic Principles ... 603
    13.4.2 Kerberos in a Theme Park ... 604
    13.4.3 Kerberos on Windows ... 604
    13.4.4 Kerberos Tickets ... 605
    13.4.5 krbtgt Account ... 606
    13.4.6 TGS Request and Reply ... 608
    13.4.7 Older Authentication Protocols ... 610
  13.5 Attacks against Authentication Protocols and LDAP ... 611
  13.6 Pass-the-Hash Attacks: mimikatz ... 612
    13.6.1 Setting Up a Defender Exception ... 613
    13.6.2 Windows Credentials Editor ... 614
    13.6.3 mimikatz ... 617
    13.6.4 The mimikatz “sekurlsa” Module ... 618
    13.6.5 mimikatz and Kerberos ... 621
    13.6.6 PowerSploit ... 623
  13.7 Golden Ticket and Silver Ticket ... 624
    13.7.1 Creating a Golden Ticket Using mimikatz ... 625
    13.7.2 Silver Ticket and Trust Ticket ... 627
    13.7.3 BloodHound ... 628
    13.7.4 Deathstar ... 628
  13.8 Reading Sensitive Data from the Active Directory Database ... 628
  13.9 Basic Coverage ... 631
    13.9.1 Core Server ... 631
    13.9.2 Roles in the Core Server ... 632
    13.9.3 Nano Server ... 633
    13.9.4 Updates ... 633
    13.9.5 Hardening the Domain Controller ... 634
  13.10 More Security through Tiers ... 635
    13.10.1 Group Policies for the Tier Model ... 636
    13.10.2 Authentication Policies and Silos ... 636
  13.11 Protective Measures against Pass-the-Hash and Pass-the-Ticket Attacks ... 639
    13.11.1 Kerberos Reset ... 639
    13.11.2 Kerberos Policies ... 641
    13.11.3 Kerberos Claims and Armoring ... 642
    13.11.4 Monitoring and Detection ... 643
    13.11.5 Microsoft Advanced Threat Analytics: Legacy ... 644
    13.11.6 Other Areas of Improvement in Active Directory ... 647

14 Securing Linux ... 649
  14.1 Other Linux Chapters ... 649
  14.2 Installation ... 650
    14.2.1 Server Distributions ... 650
    14.2.2 Partitioning the Data Medium ... 652
    14.2.3 IPv6 ... 653
  14.3 Software Updates ... 654
    14.3.1 Is a Restart Necessary? ... 655
    14.3.2 Automating Updates ... 655
    14.3.3 Configuring Automatic Updates on RHEL ... 656
    14.3.4 Configuring Automatic Updates on Ubuntu ... 656
    14.3.5 The Limits of Linux Update Systems ... 657
  14.4 Kernel Updates: Live Patches ... 658
    14.4.1 Kernel Live Patches ... 659
    14.4.2 Kernel Live Patches for RHEL ... 660
    14.4.3 Kernel Live Patches on Ubuntu ... 660
  14.5 Securing SSH ... 661
    14.5.1 sshd_config ... 661
    14.5.2 Blocking the Root Login ... 662
    14.5.3 Authentication with Keys ... 663
    14.5.4 Authenticating with Keys in the Cloud ... 664
    14.5.5 Blocking IPv6 ... 665
  14.6 2FA with Google Authenticator ... 665
    14.6.1 Setting Up Google Authenticator ... 666
    14.6.2 2FA with Password and One-Time Code ... 668
    14.6.3 What Happens if the Smartphone Is Lost? ... 669
    14.6.4 Authy as an Alternative to the Google Authenticator App ... 670
  14.7 2FA with YubiKey ... 670
    14.7.1 PAM Configuration ... 671
    14.7.2 Mapping File ... 671
    14.7.3 SSH Configuration ... 672
  14.8 Fail2ban ... 673
    14.8.1 Installation ... 673
    14.8.2 Configuration ... 674
    14.8.3 Basic Parameters ... 676
    14.8.4 Securing SSH ... 676
    14.8.5 Securing Other Services ... 677
    14.8.6 Securing Custom Web Applications ... 678
    14.8.7 Fail2ban Client ... 678
  14.9 Firewall ... 679
    14.9.1 From Netfilter to nftables ... 680
    14.9.2 Basic Principles ... 680
    14.9.3 Determining the Firewall Status ... 682
    14.9.4 Defining Rules ... 683
    14.9.5 Syntax for Firewall Rules ... 685
    14.9.6 Example: Simple Protection of a Web Server ... 687
    14.9.7 FirewallD: RHEL ... 688
    14.9.8 firewall-cmd Command ... 689
    14.9.9 ufw: Ubuntu ... 691
    14.9.10 Firewall Protection in the Cloud ... 693
  14.10 SELinux ... 693
    14.10.1 Concept ... 693
    14.10.2 The Right Security Context ... 694
    14.10.3 Process Context: Domain ... 695
    14.10.4 Policies ... 696
    14.10.5 SELinux Parameters: Booleans ... 696
    14.10.6 Status ... 697
    14.10.7 Fixing SELinux Issues ... 698
  14.11 AppArmor ... 699
    14.11.1 AppArmor on Ubuntu ... 700
    14.11.2 Rules: Profiles ... 701
    14.11.3 Structure of Rule Files ... 701
    14.11.4 Rule Parameters: Tunables ... 703
    14.11.5 Logging and Maintenance ... 703
  14.12 Kernel Hardening ... 704
    14.12.1 Changing Kernel Options Using sysctl ... 704
    14.12.2 Setting Kernel Boot Options in the GRUB Configuration ... 706
  14.13 Apache ... 706
    14.13.1 Certificates ... 707
    14.13.2 Certificate Files ... 708
    14.13.3 Apache Configuration ... 709
    14.13.4 HTTPS Is Not HTTPS ... 710
  14.14 MySQL and MariaDB ... 712
    14.14.1 MySQL versus MariaDB ... 712
    14.14.2 Login System ... 713
    14.14.3 MySQL and MariaDB on Debian/Ubuntu ... 714
    14.14.4 Securing MySQL on RHEL ... 715
    14.14.5 Securing MariaDB on RHEL ... 715
    14.14.6 Hash Codes in the “mysql.user” Table: Old MySQL and MariaDB Versions ... 716
    14.14.7 Privileges ... 717
    14.14.8 Server Configuration ... 718
  14.15 Postfix ... 719
    14.15.1 Postfix: Basic Settings ... 719
    14.15.2 Sending and Receiving Emails in Encrypted Form ... 720
    14.15.3 Spam and Virus Defense ... 722
  14.16 Dovecot ... 724
    14.16.1 Using Custom Certificates for IMAP and POP ... 724
    14.16.2 SMTP Authentication for Postfix ... 725
  14.17 Rootkit Detection and Intrusion Detection ... 726
    14.17.1 chkrootkit ... 727
    14.17.2 rkhunter ... 728
    14.17.3 Lynis ... 729
    14.17.4 ISPProtect ... 730
    14.17.5 Snort ... 731
    14.17.6 Verifying Files from Packages ... 731
    14.17.7 Scanning for Suspicious Ports and Processes ... 732

15 Security of Samba File Servers ... 735
  15.1 Preliminary Considerations ... 735
    15.1.1 Compiling Samba, SerNet Packages ... 736
  15.2 Basic CentOS Installation ... 737
    15.2.1 Partitions ... 737
    15.2.2 Disabling IPv6 ... 738
    15.2.3 Installing Samba Packages on CentOS ... 741
  15.3 Basic Debian Installation ... 741
    15.3.1 The Partitions ... 741
    15.3.2 Disabling IPv6 ... 742
    15.3.3 Installing Samba Packages on Debian ... 743
  15.4 Configuring the Samba Server ... 743
    15.4.1 Configuring the Kerberos Client ... 745
  15.5 Samba Server in Active Directory ... 746
    15.5.1 Joining the Samba Server ... 746
    15.5.2 Testing the Server ... 748
  15.6 Shares on the Samba Server ... 750
    15.6.1 File System Rights on Linux ... 750
    15.6.2 File System Rights on Windows ... 750
    15.6.3 Special Shares on a Windows Server ... 751
    15.6.4 The Admin Share on Samba ... 751
    15.6.5 Creating the Admin Share ... 751
    15.6.6 Creating the User Shares ... 752
  15.7 Changes to the Registry ... 755
    15.7.1 Accessing the Registry from Windows ... 757
  15.8 Samba Audit Functions ... 758
  15.9 Firewall ... 760
    15.9.1 Testing the Firewall Script ... 763
    15.9.2 Starting the Firewall Script Automatically ... 764
  15.10 Attack Scenarios on Samba File Servers ... 765
    15.10.1 Known Vulnerabilities in Recent Years ... 766
  15.11 Checking Samba File Servers ... 768
    15.11.1 Tests with nmap ... 768
    15.11.2 Testing the Samba Protocols ... 769
    15.11.3 Testing the Open Ports ... 769
    15.11.4 smb-os-discovery ... 771
    15.11.5 smb2-capabilities ... 771
    15.11.6 ssh-brute ... 772

16 Intrusion Detection Systems ... 775
  16.1 Intrusion Detection Methods ... 775
    16.1.1 Pattern Recognition (Static) ... 775
    16.1.2 Anomaly Detection (Dynamic) ... 777
  16.2 Host-Based versus Network-Based Intrusion Detection ... 778
    16.2.1 Host-Based IDS ... 778
    16.2.2 Network-Based IDS ... 779
    16.2.3 NIDS Metadata ... 780
    16.2.4 NIDS Connection Contents ... 782
  16.3 Responses ... 783
    16.3.1 Automatic Intrusion Prevention ... 783
    16.3.2 Walled Garden ... 784
    16.3.3 Swapping Computers ... 784
  16.4 Bypassing and Manipulating Intrusion Detection ... 785
    16.4.1 Insertions ... 785
    16.4.2 Evasions ... 786
    16.4.3 Resource Consumption ... 786
  16.5 Snort ... 787
    16.5.1 Installation and Launch ... 787
    16.5.2 Getting Started ... 789
    16.5.3 IDS or IPS ... 790
    16.5.4 Configuration ... 791
    16.5.5 Modules ... 791
    16.5.6 Snort Event Logging ... 792
  16.6 Snort Rules ... 793
    16.6.1 Syntax of Snort Rules ... 793
    16.6.2 Service Rules ... 794
    16.6.3 General Rule Options ... 795
    16.6.4 Matching Options ... 797
    16.6.5 Hyperscan ... 798
    16.6.6 Inspector-Specific Options ... 799
    16.6.7 Managing Rule Sets with PulledPork ... 800

17 Security of Web Applications ... 803
  17.1 Architecture of Web Applications ... 803
    17.1.1 Components of Web Applications ... 804
    17.1.2 Authentication and Authorization ... 805
    17.1.3 Session Management ... 806
  17.2 Attacks against Web Applications ... 806
    17.2.1 Attacks against Authentication ... 806
    17.2.2 Session Hijacking ... 807
    17.2.3 HTML Injection ... 808
    17.2.4 Cross-Site Scripting ... 811
    17.2.5 Session Fixation ... 815
    17.2.6 Cross-Site Request Forgery ... 815
    17.2.7 Directory Traversal ... 816
    17.2.8 Local File Inclusion ... 817
    17.2.9 Remote File Inclusion ... 819
    17.2.10 File Upload ... 820
    17.2.11 SQL Injection ... 821
    17.2.12 sqlmap ... 823
    17.2.13 Advanced SQL Injection: Blind SQL Injection (Boolean) ... 824
    17.2.14 Advanced SQL Injection: Blind SQL Injection (Time) ... 825
    17.2.15 Advanced SQL Injection: Out-of-Band Data Exfiltration ... 827
    17.2.16 Advanced SQL Injection: Error-Based SQL Injection ... 827
    17.2.17 Command Injection ... 828
    17.2.18 Clickjacking ... 830
    17.2.19 XML Attacks ... 832
    17.2.20 Server-Side Request Forgery ... 834
    17.2.21 Angular Template Injection ... 835
    17.2.22 Attacks on Object Serialization ... 835
    17.2.23 Vulnerabilities in Content Management Systems ... 836
  17.3 Practical Analysis of a Web Application ... 837
    17.3.1 Information Gathering ... 838
    17.3.2 Testing SQL Injection ... 840
    17.3.3 Directory Traversal ... 845
    17.3.4 Port Knocking ... 847
    17.3.5 SSH Login ... 849
    17.3.6 Privilege Escalation ... 850
    17.3.7 Automatic Analysis via Burp ... 855
  17.4 Protection Mechanisms and Defense against Web Attacks ... 859
    17.4.1 Minimizing the Server Signature ... 860
    17.4.2 Turning Off the Directory Listing ... 860
    17.4.3 Restricted Operating System Account for the Web Server ... 861
    17.4.4 Running the Web Server in a “chroot” Environment ... 861
    17.4.5 Disabling Unneeded Modules ... 861
    17.4.6 Restricting HTTP Methods ... 862
    17.4.7 Restricting the Inclusion of External Content ... 862
    17.4.8 Protecting Cookies from Access ... 863
    17.4.9 Server Timeout ... 863
    17.4.10 Secure Sockets Layer ... 863
    17.4.11 HTTP Strict Transport Security ... 864
    17.4.12 Input and Output Validation ... 865
    17.4.13 Web Application Firewall ... 866
  17.5 Security Analysis of Web Applications ... 867
    17.5.1 Code Analysis ... 868
    17.5.2 Analysis of Binary Files ... 869
    17.5.3 Fuzzing ... 869

18 Software Exploitation ... 871
  18.1 Software Vulnerabilities ... 871
    18.1.1 Race Conditions ... 871
    18.1.2 Logic Errors ... 872
    18.1.3 Format String Attacks ... 873
    18.1.4 Buffer Overflows ... 873
    18.1.5 Memory Leaks ... 873
  18.2 Detecting Security Gaps ... 874
  18.3 Executing Programs on x86 Systems ... 874
    18.3.1 Memory Areas ... 874
    18.3.2 Stack Operations ... 876
    18.3.3 Calling Functions ... 879
  18.4 Exploiting Buffer Overflows ... 884
    18.4.1 Analysis of the Program Functionality ... 884
    18.4.2 Creating a Program Crash ... 886
    18.4.3 Reproducing the Program Crash ... 888
    18.4.4 Analysis of the Crash ... 889
    18.4.5 Offset Calculation ... 891
    18.4.6 Creating the Exploit Structure ... 893
    18.4.7 Generating Code ... 895
    18.4.8 Dealing with Prohibited Characters ... 896
  18.5 Structured Exception Handling ... 899
  18.6 Heap Spraying ... 901
  18.7 Protective Mechanisms against Buffer Overflows ... 903
    18.7.1 Address Space Layout Randomization ... 903
    18.7.2 Stack Canaries or Stack Cookies ... 904
    18.7.3 Data Execution Prevention ... 905
    18.7.4 SafeSEH and Structured Exception Handling Overwrite Protection ... 906
    18.7.5 Protection Mechanisms against Heap Spraying ... 907
  18.8 Bypassing Protective Measures against Buffer Overflows ... 907
    18.8.1 Bypassing Address Space Layout Randomization ... 907
    18.8.2 Bypassing Stack Cookies ... 908
    18.8.3 Bypassing SafeSEH and SEHOP ... 908
    18.8.4 Return-Oriented Programming ... 908
    18.8.5 DEP Bypass ... 911
  18.9 Preventing Buffer Overflows as a Developer ... 914
  18.10 Spectre and Meltdown ... 915
    18.10.1 Meltdown ... 915
    18.10.2 Defense Measures ... 916
    18.10.3 Proof of Concept (Meltdown) ... 917
    18.10.4 Spectre ... 918
    18.10.5 Proof of Concept (Spectre) ... 919
    18.10.6 The Successors to Spectre and Meltdown ... 921

19 Bug Bounty Programs ... 923
  19.1 The Idea Behind Bug Bounties ... 923
    19.1.1 Providers ... 923
    19.1.2 Variants ... 924
    19.1.3 Earning Opportunities ... 925
  19.2 Reporting Vulnerabilities ... 926
    19.2.1 Testing Activities ... 926
  19.3 Tips and Tricks for Analysts ... 927
    19.3.1 Scope ... 927
    19.3.2 Exploring the Response Quality of the Target Company ... 927
    19.3.3 Take Your Time ... 927
    19.3.4 Finding Errors in Systems or Systems with Errors ... 928
    19.3.5 Spend Money ... 928
    19.3.6 Get Tips, Learn from the Pros ... 928
    19.3.7 Companies Buy Companies ... 928
    19.3.8 Creating a Test Plan ... 929
    19.3.9 Automating Standard Processes ... 929
  19.4 Tips for Companies ... 930

20 Security in the Cloud ... 931
  20.1 Overview ... 931
    20.1.1 Arguments for the Cloud ... 932
    20.1.2 Cloud Risks and Attack Vectors ... 933
    20.1.3 Recommendations ... 934
  20.2 Amazon Simple Storage Service ... 935
    20.2.1 Basic Security and User Management ... 937
    20.2.2 The aws Command ... 938
    20.2.3 Encrypting Files ... 939
    20.2.4 Public Access to Amazon S3 Files ... 941
    20.2.5 Amazon S3 Hacking Tools ... 942
  20.3 Nextcloud and ownCloud ... 943
    20.3.1 Installing Nextcloud ... 944
    20.3.2 Blocking Access to the “data” Folder ... 946
    20.3.3 Performing Updates ... 947
    20.3.4 File Encryption ... 948
    20.3.5 Security Testing for ownCloud and Nextcloud Installations ... 949
    20.3.6 Brute-Force Attacks and Protection ... 950

21 Securing Microsoft 365 ... 953
  21.1 Identity and Access Management ... 954
    21.1.1 Azure Active Directory and Microsoft 365 ... 954
    21.1.2 User Management in AAD ... 957
    21.1.3 Application Integration ... 958
  21.2 Security Assessment ... 960
  21.3 Multifactor Authentication ... 961
    21.3.1 Preliminary Considerations ... 962
    21.3.2 Enabling Multifactor Authentication for a User Account ... 962
    21.3.3 User Configuration of Multifactor Authentication ... 963
    21.3.4 App Passwords for Incompatible Applications and Apps ... 965
  21.4 Conditional Access ... 969
    21.4.1 Creating Policies ... 970
    21.4.2 Conditions for Policies ... 972
    21.4.3 Access Controls ... 973
  21.5 Identity Protection ... 975
    21.5.1 Responding to Vulnerabilities ... 975
  21.6 Privileged Identities ... 976
    21.6.1 Enabling Privileged Identities ... 977
    21.6.2 Configuring a User as a Privileged Identity ... 979
    21.6.3 Requesting Administrator Permissions ... 980
  21.7 Detecting Malicious Code ... 982
    21.7.1 Protection for File Attachments ... 986
    21.7.2 Protection for Files in SharePoint Online and OneDrive for Business ... 988
    21.7.3 Protection for Links ... 989
    21.7.4 Protection for Links in Office Applications ... 991
  21.8 Security in Data Centers ... 992
    21.8.1 Encryption of Your Data ... 992
    21.8.2 Access Governance ... 994
    21.8.3 Audits and Privacy ... 995

22 Mobile Security ... 997
  22.1 Android and iOS Security: Basic Principles ... 997
    22.1.1 Sandboxing ... 998
    22.1.2 Authorization Concept ... 998
    22.1.3 Protection against Brute-Force Attacks when the Screen Is Locked ... 999
    22.1.4 Device Encryption ... 1000
    22.1.5 Patch Days ... 1001
  22.2 Threats to Mobile Devices ... 1003
    22.2.1 Theft or Loss of a Mobile Device ... 1003
    22.2.2 Unsecured and Open Networks ... 1004
    22.2.3 Insecure App Behavior at Runtime ... 1004
    22.2.4 Abuse of Authorizations ... 1006
    22.2.5 Insecure Network Communication ... 1007
    22.2.6 Attacks on Data Backups ... 1009
    22.2.7 Third-Party Stores ... 1013
  22.3 Malware and Exploits ... 1014
    22.3.1 Stagefright (Android) ... 1019
    22.3.2 Pegasus (iOS) ... 1023
    22.3.3 Spy Apps ... 1024
  22.4 Technical Analysis of Apps ... 1025
    22.4.1 Reverse Engineering of Apps ... 1025
    22.4.2 Automated Vulnerability Analysis of Mobile Applications ... 1031
  22.5 Protective Measures for Android and iOS ... 1036
    22.5.1 Avoid Rooting or Jailbreaking ... 1036
    22.5.2 Update Operating Systems and Apps ... 1037
    22.5.3 Device Encryption ... 1038
    22.5.4 Antitheft Protection and Activation Lock ... 1038
    22.5.5 Lock Screen ... 1039
    22.5.6 Antivirus Apps ... 1041
    22.5.7 Two-Factor Authentication ... 1042
    22.5.8 Critical Review of Permissions ... 1044
    22.5.9 Installing Apps from Alternative App Stores ... 1045
    22.5.10 Using VPN Connections ... 1046
    22.5.11 Related Topic: WebAuthn and FIDO2 ... 1046
    22.5.12 Using Android and iOS in the Enterprise ... 1048
  22.6 Apple Supervised Mode and Apple Configurator ... 1048
    22.6.1 Conclusion ... 1055
  22.7 Enterprise Mobility Management ... 1055
    22.7.1 Role and Authorization Management ... 1057
    22.7.2 Device Management ... 1058
    22.7.3 App Management ... 1059
    22.7.4 System Settings ... 1061
    22.7.5 Container Solutions Based on the Example of Android Enterprise ... 1062
    22.7.6 Tracking Managed Devices ... 1062
    22.7.7 Reporting ... 1063
    22.7.8 Conclusion ... 1064

23 Internet of Things Security ... 1065
  23.1 What Is the Internet of Things? ... 1065
  23.2 Finding IoT Vulnerabilities ... 1067
    23.2.1 Shodan Search Engine for Publicly Accessible IoT Devices ... 1067
    23.2.2 Using Shodan ... 1068
    23.2.3 For Professionals: Filtering Using Search Commands ... 1069
    23.2.4 Printer Exploitation Toolkit ... 1071
    23.2.5 RouterSploit ... 1073
    23.2.6 AutoSploit ... 1077
    23.2.7 Consumer Devices as a Gateway ... 1081
    23.2.8 Attacks from the Inside via a Port Scanner ... 1081
    23.2.9 Sample Port Scan of an Entertainment Device ... 1082
    23.2.10 Local Network versus Internet ... 1083
    23.2.11 Incident Scenarios with Cheap IoT Devices ... 1083
    23.2.12 Danger from Network Operator Interfaces ... 1084
  23.3 Securing IoT Devices in Networks ... 1085
  23.4 IoT Protocols and Services ... 1086
    23.4.1 MQ Telemetry Transport ... 1087
    23.4.2 Installing an MQTT Broker ... 1089
    23.4.3 MQTT Example ... 1091
    23.4.4 $SYS Topic Tree ... 1092
    23.4.5 Securing the Mosquitto MQTT Broker ... 1094
  23.5 Wireless IoT Technologies ... 1097
    23.5.1 6LoWPAN ... 1098
    23.5.2 Zigbee ... 1098
    23.5.3 LoRaWAN ... 1099
    23.5.4 NFC and RFID ... 1100
    23.5.5 NFC Hacking ... 1101
  23.6 IoT from the Developer’s Perspective ... 1102
    23.6.1 Servers for IoT Operation ... 1103
    23.6.2 Embedded Linux, Android, or Windows IoT Devices ... 1104
    23.6.3 Embedded Devices and Controllers without Classic Operating Systems ... 1105
  23.7 Programming Languages for Embedded Controllers ... 1107
    23.7.1 C ... 1107
    23.7.2 C++ ... 1108
    23.7.3 Lua ... 1108
  23.8 Rules for Secure IoT Programming ... 1109
    23.8.1 Processes as Simple as Possible ... 1110
    23.8.2 Short, Testable Functions ... 1111
    23.8.3 Function Arguments Must Be Checked in Their Entirety ... 1112
    23.8.4 Returning Error Codes ... 1113
    23.8.5 Fixed Bounds in Loops ... 1115
    23.8.6 No Dynamic Memory Allocation (or as Little as Possible) ... 1115
    23.8.7 Dimension Buffers and Arrays Sufficiently Large ... 1116
    23.8.8 Always Pass Buffer and Array Sizes ... 1116
    23.8.9 Use Caution with Function Pointers ... 1117
    23.8.10 Enabling Compiler Warnings ... 1118
    23.8.11 String Copying with Few Resources ... 1118
    23.8.12 Using Libraries ... 1119

The Authors ... 1121
Index ... 1123