Penetration Testing For Dummies®
Published by: John Wiley & Sons, Inc.,111 River Street, Hoboken, NJ 07030-5774, www.wiley.com
Copyright © 2020 by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions
.
Trademarks:Wiley, For Dummies, the Dummies Man logo, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, please contact our Customer Care Department within the U.S. at 877-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002. For technical support, please visit https://hub.wiley.com/community/support/dummies
.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com
. For more information about Wiley products, visit www.wiley.com
.
Library of Congress Control Number: 2020934346
ISBN 978-1-119-57748-5 (pbk); ISBN 978-1-119-57747-8 (ebk); ISBN 978-1-119-57746-1 (ebk)
Penetration Testing For Dummies®
To view this book's Cheat Sheet, simply go to www.dummies.comand search for “Penetration Testing For Dummies Cheat Sheet” in the Search box.
Table of Contents
1 Cover
2 Introduction Introduction Welcome to Penetration Testing For Dummies ! It is my goal to start you down the path to learning more about pen testing and why it’s such a hot topic for anyone interested in information technology security. This book shows you how to target, test, analyze, and report on security vulnerabilities with pen testing tools. I break down the most complex of topics into easily digestible chunks that familiarize you with the details of conducting a pen test, but also why you need to do it and how the hackers you are trying to access your systems are doing so. Your purpose as a pen tester is to test systems, identify risks, and then mitigate those risks before the hackers do. It takes a person with hacking skills to look for the weaknesses that make an organization susceptible to hacking. The topics in this book aim to equip IT professionals at various levels with the basic knowledge of pen testing.
About This Book About This Book One of my main goals in writing this book is to give you an understanding of the different attacks, vectors, vulnerabilities, patterns, and paths that hackers use to get into your network and systems. Pen testing is intended to follow those same steps, so security pros know about them (and can fix or monitor them) before the hackers do. For this book, I use a Windows workstation and where I must, I use Linux tools run from a virtual machine. I have chosen this because this is where many beginners are likely to start their pen testing journey. For this book, you can use any current supported version of Windows (Windows 7 and above) on a device that has a network connection (wired and wireless). A highly experienced pen tester will likely use a native Linux system like Ubuntu (as an example), but you do not need to use it now. If you are using Linux or Apple, you can follow the same steps throughout the book with a few modifications here and there.
Foolish Assumptions Foolish Assumptions As I was writing this book, I assumed you work in IT and want to transition to security. It is the go-to book for those who have some IT experience but desire more knowledge of how to gather intelligence on a target, learn the steps for mapping out a test, and discover best practices for analyzing, solving, and reporting on vulnerabilities. You might have an entry-level or junior position, or you might be a manager or director, with more experience but coming from a different area of expertise. Either way, you want to know more about how pen testing fits into the big picture. As such, you’ll find that I explain even simple concepts to clarify things in the context of penetration testing and overall security.
Icons Used in This Book Icons Used in This Book Throughout the book, I use various icons to draw your attention to specific information. Here’s a list of those icons and what they mean. This icon highlights pointers where I provide an easier way of doing something or info that can save you time. This icon points to content you definitely don’t want to miss, so be sure to read whatever’s next to it. When you see this icon, you know it’s next to information to keep in mind — or something I’ve discussed elsewhere, and I’m reminding you of it. It’s often advice to help keep you out of trouble. Pay close attention to this icon, which I use to point out pitfalls to avoid or where doing something (or not doing something) could land you in legal trouble (like pen testing something you don’t have permission to test). Sometimes I provide particularly sticky details about an issue, which can get technical and which may not be of interest (or help). You could ignore any text marked with this icon, and you won’t miss it a whit.
What You’re Not to Read What You’re Not to Read This book is written so you aren’t required to read it beginning to end. If you’re familiar with the basics of penetration testing, for example, you can probably skip the first part. You can skip Part 2 if you feel you have a pretty good handle on attack types and various pen testing tools. Technical Stuff icons are truly technical pieces of information that I file under “nice to know” — skip those, as well, if you’re looking for need-to-know content only.
Читать дальше