Kevin Beaver - Hacking For Dummies
11 Part 7: The Part of Tens
- Chapter 20: Ten Tips for Getting Security Buy-In
  - Cultivate an Ally and a Sponsor
  - Don’t Be a FUDdy-Duddy
  - Demonstrate That the Organization Can’t Afford to Be Hacked
  - Outline the General Benefits of Security Testing
  - Show How Security Testing Specifically Helps the Organization
  - Get Involved in the Business
  - Establish Your Credibility
  - Speak on Management’s Level
  - Show Value in Your Efforts
  - Be Flexible and Adaptable
- Chapter 21: Ten Reasons Hacking Is the Only Effective Way to Test
  - The Bad Guys Think Bad Thoughts, Use Good Tools, and Develop New Methods
  - IT Governance and Compliance Are More Than High-Level Audits
  - Vulnerability and Penetration Testing Complements Audits and Security Evaluations
  - Customers and Partners Will Ask How Secure Your Systems Are
  - The Law of Averages Works Against Businesses
  - Security Assessments Improve Understanding of Business Threats
  - If a Breach Occurs, You Have Something to Fall Back On
  - In-Depth Testing Brings Out the Worst in Your Systems
  - Combined Vulnerability and Penetration Testing Is What You Need
  - Proper Testing Can Uncover Overlooked Weaknesses
- Chapter 22: Ten Deadly Mistakes
  - Not Getting Approval
  - Assuming That You Can Find All Vulnerabilities
  - Assuming That You Can Eliminate All Vulnerabilities
  - Performing Tests Only Once
  - Thinking That You Know It All
  - Running Your Tests Without Looking at Things from a Hacker’s Viewpoint
  - Not Testing the Right Systems
  - Not Using the Right Tools
  - Pounding Production Systems at the Wrong Time
  - Outsourcing Testing and Not Staying Involved
12 Appendix: Tools and Resources
- Bluetooth
- Certifications
- Databases
- Denial of Service (DoS) Protection
- Exploits
- Firewall Rulebase Analyzers
- General Research and OSINT Tools
- Hacker and Security Testing Publications
- Internet of Things
- Keyloggers
- Laws and Regulations
- Linux
- Live Toolkits
- Log Analysis
- Messaging
- Miscellaneous
- Mobile
- Networks
- Password Cracking
- Patch Management
- Security Education and Learning Resources
- Security Frameworks
- Security Reports and Statistics
- Social Engineering and Phishing
- Source Code Analysis
- Storage
- User Awareness and Training
- Voice over Internet Protocol
- Vulnerability Databases
- Websites and Applications
- Windows
- Wireless Networks
13 Index
14 About the Author
15 Advertisement Page
16 Connect with Dummies
17 End User License Agreement
List of Tables
1 Chapter 9
- TABLE 9-1 Commonly Hacked Ports
2 Chapter 17
- TABLE 17-1 Prioritizing Vulnerabilities
List of Illustrations
1 Chapter 4
- FIGURE 4-1: Netcraft’s web server version utility.
2 Chapter 6
- FIGURE 6-1: Using LUCY to start an email phishing campaign.
- FIGURE 6-2: Sample email phishing template options in LUCY.
3 Chapter 8
- FIGURE 8-1: Brute-force password-cracking options in Proactive Password Auditor...
- FIGURE 8-2: Output from pwdump3.
- FIGURE 8-3: Cracked password file hashes with John the Ripper.
- FIGURE 8-4: Using Cain & Abel to capture passwords going across the network.
4 Chapter 9
- FIGURE 9-1: Performing a ping sweep of an entire class C network with Nmap.
- FIGURE 9-2: In-depth port-scanning options in NMapWin.
- FIGURE 9-3: NetScanTools Pro OS Fingerprinting tool.
- FIGURE 9-4: General SNMP information gathered by Getif.
- FIGURE 9-5: Management interface user IDs gleaned via Getif’s SNMP browsing fun...
- FIGURE 9-6: Information gathered about an email server via Telnet.
- FIGURE 9-7: Connecting a network analyzer outside the firewall.
- FIGURE 9-8: Omnipeek can help uncover someone running an illicit system, such a...
- FIGURE 9-9: CommView’s interface for viewing network statistics
- FIGURE 9-10: NetResident can track Internet use and ensure that security polici...
- FIGURE 9-11: Selecting your victim hosts for ARP poisoning in Cain & Abel
- FIGURE 9-12: ARP poisoning results in Cain & Abel
5 Chapter 10
- FIGURE 10-1: Finding the MAC address of an AP by using arp.
- FIGURE 10-2: Searching for your wireless APs by using the WiGLE database.
- FIGURE 10-3: NetStumbler displays detailed data on APs.
- FIGURE 10-4: A LanGuard scan of a live AP.
- FIGURE 10-5: Using airodump to capture WEP initialization vectors.
- FIGURE 10-6: Using aircrack to crack WEP.
- FIGURE 10-7: Using ElcomSoft Wireless Security Auditor to crack WPA PSKs.
- FIGURE 10-8: Using Omnipeek to view encrypted wireless traffic.
- FIGURE 10-9: ElcomSoft Wireless Security Auditor’s numerous password cracking o...
- FIGURE 10-10: The Reaver Pro startup window.
- FIGURE 10-11: Using Reaver Pro to determine that Wi-Fi Protected Setup is enabl...
- FIGURE 10-12: NetStumbler showing potentially unauthorized APs.
- FIGURE 10-13: You can configure Omnipeek to detect APs that don’t broadcast the...
- FIGURE 10-14: CommView for WiFi showing several unauthorized ad-hoc clients.
- FIGURE 10-15: Finding an accessible AP via NetStumbler.
- FIGURE 10-16: Looking for the MAC address of a wireless client on the network b...
- FIGURE 10-17: SMAC showing a spoofed MAC address.
6 Chapter 11
- FIGURE 11-1: ElcomSoft System Recovery is great for cracking and resetting Wind...
- FIGURE 11-2: Loading password hashes from a remote SAM database in ophcrack.
- FIGURE 11-3: Usernames and hashes extracted via ophcrack.
- FIGURE 11-4: Loading the required hash tables in ophcrack.
- FIGURE 11-5: iOS Forensic Toolkit’s main page.
- FIGURE 11-6: Select the appropriate iOS device from the list.
- FIGURE 11-7: iOS Forensic Toolkit Ramdisk loading successfully.
- FIGURE 11-8: Cracking a four-digit PIN on an iPhone.
7 Chapter 12
- FIGURE 12-1: Port-scanning a Windows 11 system with NetScanTools Pro.
- FIGURE 12-2: Gathering SMB versions with NetScanTools SMB Scanner.
- FIGURE 12-3: Using Nmap to determine the Windows version.
- FIGURE 12-4: Using nbtstat to gather information on a Windows 11 system.
- FIGURE 12-5: Using LanGuard to scan your network for Windows shares.
- FIGURE 12-6: Mapping a null session to a vulnerable Windows system.
- FIGURE 12-7: net view displays drive shares on a remote Windows host.
- FIGURE 12-8: Default local security-policy settings in Windows 7 that restrict ...
- FIGURE 12-9: SoftPerfect Network Scanner’s Share Finder profile seeks out Windo...
- FIGURE 12-10: Exploitable vulnerability found by Nexpose.
- FIGURE 12-11: The main Metasploit console.
- FIGURE 12-12: Metasploit options to obtain a remote command prompt on the targe...
- FIGURE 12-13: Remote command prompt on target system obtained by exploiting a m...
- FIGURE 12-14: Metasploit Pro’s graphical interface provides broad security test...
- FIGURE 12-15: Starting the exploit process in Metasploit Pro is as simple as im...
- FIGURE 12-16: Testing login credentials before running an authenticated scan wi...
8 Chapter 13
- FIGURE 13-1: Port scanning a Linux host with NetScanTools Pro.
- FIGURE 13-2: Using Nexpose to discover vulnerabilities in macOS.
- FIGURE 13-3: Using the Test Credentials feature as part of the Nexpose scan con...
- FIGURE 13-4: Using Nmap to determine the OS kernel version of a Linux server.
- FIGURE 13-5: Using NetScanTools Pro to determine that Slackware Linux is likely...
- FIGURE 13-6: Using Nmap to check application versions.
- FIGURE 13-7: Viewing the PIDs for running daemons by using ps -aux.
- FIGURE 13-8: The rexec file showing the disable option.
- FIGURE 13-9: /etc/inittab showing the line that allows a Ctrl+Alt+Delete shutdo...
- FIGURE 13-10: Running the Tiger security-auditing tool.
- FIGURE 13-11: Partial output of the Tiger tool.
9 Chapter 14
- FIGURE 14-1: Limiting the number of resources that handle inbound messages.
- FIGURE 14-2: An SMTP banner showing server-version information.
- FIGURE 14-3: An SMTP banner that disguises the version information.
- FIGURE 14-4: smtpscan gathers version info even when the SMTP banner is disguis...
- FIGURE 14-5: Using VRFY to verify that an email address exists.
- FIGURE 14-6: Using EXPN to verify that a mailing list exists.
- FIGURE 14-7: Using EmailVerify to verify an email address.
- FIGURE 14-8: Using smtp-user-enum to glean email addresses.
- FIGURE 14-9: Using NetScanTools Pro SMTP Server Tests to check for an open emai...
- FIGURE 14-10: Critical information revealed in email headers.
- FIGURE 14-11: Using the EICAR test string to test antimalware software.
- FIGURE 14-12: A WebInspect scan of a VoIP network adapter showing several weakn...
- FIGURE 14-13: Using Cain & Abel to capture, record, and play back VoIP conversa...
- FIGURE 14-14: Connecting to a VoIP phone’s web interface using the default pass...