Table of Contents
Acknowledgments xvii
Foreword xix
Introduction xxi
Why Read This Book? xxii
Installing Python xxii
What Is in the Book? xxii
Part I Networking Fundamentals xxiii
Part II Cryptography xxiii
Part III Social Engineering xxiv
Part IV Exploitation xxiv
Part V Controlling the Network xxv
Reaching Out xxv
1 Setting Up 1
Virtual Lab 2
Setting Up VirtualBox 3
Setting Up pfSense 3
Setting Up the Internal Network 5
Configuring pfSense 6
Setting Up Metasploitable 8
Setting Up Kali Linux 9
Setting Up the Ubuntu Linux Desktop 10
Your First Hack: Exploiting a Backdoor in Metasploitable 11
Getting the IP Address of the Metasploitable Server 12
Using the Backdoor to Gain Access 13
Part I Network Fundamentals
2 Capturing Traffic with Arp Spoofing 17
How the Internet Transmits Data 17
Packets 18
MAC Addresses 18
IP Addresses 18
ARP Tables 20
ARP Spoofing Attacks 21
Performing an ARP Spoofing Attack 21
Defecting an ARP Spoofing Attack 26
Exercises 27
Inspect ARP Tables 27
Implement an ARP Spoofer in Python 28
MAC Flooding 29
3 Analyzing Captured Traffic 31
Packets and the internet Protocol Stack 31
The Five-Layer Internet Protocol Stack 33
Viewing Packets in Wireshark 37
Analyzing Packets Collected by Your Firewall 42
Capturing Traffic on Port 80 42
Exercises 44
PfSense 44
Exploring Packets in Wireshark 45
4 Crafting TCP Shells and Botnets 47
Sockets and Process Communication 48
TCP Handshakes 48
A TCP Reverse Shell 50
Accessing the Victim Machine 52
Scanning for Open Ports 52
Exploiting a Vulnerable Service 54
Writing a Reverse Shell Client 55
Writing a TCP Server That Listens for Client Connections 56
Loading the Reverse Shell onto the Metasploitable Server 57
Botnets 58
Exercises 61
A Multiclient Bot Server 61
SYN Scans 62
Detecting XMas Scans 63
Part II Cryptography
5 Cryptography and Ransomware 67
Encryption 68
One-Time Pad 68
Pseudorandom Generators 71
Insecure Block Ciphers Modes 72
Secure Block Ciphers Modes 74
Encrypting and Decrypting a File 75
Email Encryption 76
Public-Key Cryptography 76
Rivest-Shamir-Adleman Theory 77
The RSA Math 77
Encrypting a File with RSA 79
Optimal Asymmetric Encryption Padding 81
Writing Ransomware 82
Exercises 85
The Ransomware Server 85
Extending the Ransomware Client 86
Unsolved Codes 86
6 TLS and Diffie-Hellman 89
Transport Layer Security 90
Message Authentication 91
Certificate Authorities and Signatures 92
Certificate Authorities 93
Using Diffie-Hellman to Compute a Shared Key 94
Step 1 Generating the Shared Parameters 95
Step 2 Generating the Public-Private Key Pair 96
Why Can't a Hacker Calculate the Private Key? 97
Step 3 Exchanging Key Shares and Nonces 98
Step 4 Calculating the Shared Secret Key 98
Step 5 Key Derivation 99
Attacking Diffie-Hellman 100
Elliptic-Curve Diffie-Hellman 100
The Math of Elliptic Curves 101
The Double and Add Algorithm 102
Why Can't a Hacker Use Gxy and axy to Calculate the Private Key A? 103
Writing TLS Sockets 104
The Secure Client Socket 104
The Secure Server Socket 106
SSL Stripping and HSTS Bypass 107
Exercise: Add Encryption to your Ransomware Server 107
Part III Social Engineering
7 Phishing and Deepfakes 113
A Sophisticated and Sneaky Social Engineering Attack 114
Faking Emails 114
Performing a DNS Lookup of a Mail Server 115
Communicating with SMTP 115
Writing an Email Spoofer 117
Spoofing SMTPS Emails 119
Faking Websites 121
Creating Deepfake Videos 123
Accessing Google Colab 124
Importing the Machine Learning Models 125
Exercises 127
Voice Cloning 127
Phishing at Scale 128
SMTP Auditing 129
8 Scanning Targets 131
Link Analysis 132
Maltego 133
Leaked Credential Databases 136
SIM Jacking 137
Google Dorking 138
Scanning the Entire Internet 139
Masscan 139
Shodan 143
IPv6 and NAT Limitations 144
Internet Protocol Version 6 [IPv6] 144
NAT 145
Vulnerability Databases 146
Vulnerability Scanners 148
Exercises 151
Nmap Scans 152
Discover 152
Writing Your Own OSINT Tool 154
Part IV Exploitation
9 Fuzzing for Zero-Day Vulnerabilities 159
Case Study: Exploiting the Heartbleed OpenSSL Vulnerability 160
Creating an Exploit 160
Starting the Program 161
Writing the Client Hello Message 162
Reading the Server Response 164
Crafting the Malicious Heartbeat Request 165
Reading the Leaked Memory Contents 166
Writing the Exploit Function 167
Putting It Together 167
Fuzzing 168
A Simplified Example 168
Writing Your Own Fuzzer 169
American Fuzzy Lop 170
Symbolic Execution 174
A Symbolic Execution of the Test Program 175
Limitations of Symbolic Execution 175
Dynamic Symbolic Execution 176
Using DSE to Crack a Passcode 179
Creating an Executable Binary 179
Installing and Running Angr 180
The Angr Program 181
Exercises 182
Capture the Flag Games with Angr 182
Fuzzing Web Protocols 183
Fuzzing an Open Source Project 184
Implement Your Own Concolic Execution Engine 185
10 Building Trojans 187
Case Study: Re-Creating Drovorub by Using Metasploit 188
Building the Attacker's Server 188
Building the Victim Client 190
Uploading the Implant 190
Using the Attacker Agent 191
Why We Need a Victim Kernel Module 192
Hiding an Implant in a Legitimate File 193
Creating a Trojan 193
Hosting the Trojan 197
Downloading the Infected File 197
Controlling the Implant 198
Evading Antivirus by Using Encoders 200
The Base64 Encoder 201
Writing a Metasploit Module 202
Shikata Ga Nai Encoder 204
Creating a Windows Trojan 206
Hiding the Trojan in Minesweeper 206
Hiding the Trojan in a Word Document (or Another Innocent File) 207
Creating an Android Trojan 208
Deconstructing the APK to View the Implant 208
Rebuilding and Signing the APK 211
Testing the Android Trojan 212
Exercises 215
Evil-Droid 216
Writing Your Own Python Implant 217
Obfuscate Your Implant 218
Build a Platform-Specific Executable 219
11 Building and Installing Linux Rootkits 221
Writing a Linux Kernel Module 222
Backing Up Your Kali Linux Virtual Machine 222
Writing the Code 223
Compiling and Running Your Kernel Module 224
Modifying System Calls 226
How System Calls Work 226
Hooking Syscalls 229
Hooking the Shutdown Syscall 230
Hiding Files 234
The linux_dirent struct 234
Writing the Hooking Code 235
Using Armitage to Exploit a Host and Install a Rootkit 237
Scanning the Network 238
Exploiting a Host 239
Installing a Rootkit 240
Exercises 240
The Keylogger 240
Self-Hiding Module 243
12 Stealing and Cracking Passwords 245
SQL injection 246
Stealing Passwords from a Website's Database 247
Enumerating Reachable Files on the Web Server 248
Performing SQL Injection 248
Writing Your Own SQL Injection Tool 250
Understanding HTTP Requests 250
Writing the Injection Program 252
Using SGLMap 254
Hashing Passwords 256
The Anatomy of the MD5 Hash 257
Cracking Hashes 259
Salting Hashes with a Nonce 260
Building a Salted Hash Cracker 260
Popular Hash Cracking and Brute-Forcing Tools 261
John the Ripper 261
Hashcat 262
Hydra 263
Exercises 264
NoSQL Injection 264
Brute-Forcing Web Logins 265
Burp Suite 266
13 Serious Cross-Site Scripting Exploitation 269
Cross-Site Scripting 270
How JavaScript Can Be Malicious 271
Stored XSS Attacks 273
Reflected XSS Attacks 275
Finding Vulnerabilities with OWASP Zed Attack Proxy 276
Using Browser Exploitation Framework Payloads 278
Injecting the BeEF Hook 278
Performing a Social Engineering Attack 279
Moving from Browser to Machine 281
Case Study: Exploiting an Old Version of the Chrome Browser 281
Installing Rootkits via Website Exploitation 282
Exercise: Hunting for Bugs in a Bug Bounty Program 285
Part V Controlling the Network
14 Pivoting and Privilege Escalation 289
Pivoting from a Dual-Homed Device 290
Configuring a Dual-Homed Device 290
Connecting a Machine to Your Private Network 293
Pivoting with Metasploit 294
Writing an Attacker Proxy 297
Extracting Password Hashes on Linux 298
Where Linux Stores Usernames and Passwords 299
Performing a Dirty COW Privilege Escalation Mack 300
Exercises 303
Adding NAT to Your Dual-Homed Device 303
Suggested Reading on Windows Privilege Escalation 304
15 Moving through the Corporate Windows Network 305
Creating a Windows Virtual Lab 306
Extracting Password Hashes with Mimikatz 306
Passing the Hash with NT LAN Manager 309
Exploring the Corporate Windows Network 310
Attacking the DNS Service 311
Attacking Active Directory and LDAP Services 313
Writing an LDAP Query Client 314
Using SharpHound and Bloodhound for LDAP Enumeration 317
Attacking Kerberos 318
The Pass-the-Ticket Attack 320
The Golden Ticket and DC Sync Attacks 321
Exercise: Kerberoasting 322
16 Next Steps 323
Setting Up a Hardened Hacking Environment 324
Remaining Anonymous with Tor and Tails 324
Setting Up a Virtual Private Server 326
Setting Up SSH 326
Installing Your Hacking Tools 328
Hardening the Server 329
Auditing Your Hardened Server 331
Other Topics 332
Software-Defined Radios 332
Attacking Cellular Infrastructure 333
Escaping the Air Gap 333
Reverse Engineering 334
Physical Hacking Tools 334
Forensics 334
Hacking Industrial Systems 335
Quantum Computation 335
Connect with Others 335
Index 337