Title Details

Sean-Philip Oriyano CEH, CEI, CISSP, is cofounder and vice president of Sonwell & Oriyano, LLC, an IT security consulting and training company based in Las Vegas. Oriyano is a 20-year veteran of the IT industry and is currently an instructor who specializes in infrastructure and security topics for various public and private entities. Sean has served as an IT security instructor for the US Air Force, Navy, and Army at locations both in North America and internationally.

Introduction xxi

Assessment Test xxx

Chapter 1 Getting Started with Ethical Hacking 1

Hacking: A Short History 2

The Early Days of Hacking 2

Current Developments 3

Hacking: Fun or Criminal Activity? 4

The Evolution and Growth of Hacking 6

What Is an Ethical Hacker? 7

Ethical Hacking and Penetration Testing 10

Hacking Methodologies 15

Vulnerability Research and Tools 18

Ethics and the Law 18

Summary 20

Exam Essentials 20

Review Questions 21

Chapter 2 System Fundamentals 25

Exploring Network Topologies 26

Working with the Open Systems Interconnection Model 30

Dissecting the TCP/IP Suite 33

IP Subnetting 35

Hexadecimal vs. Binary 35

Exploring TCP/IP Ports 37

Domain Name System 39

Understanding Network Devices 39

Routers and Switches 39

Working with MAC Addresses 41

Proxies and Firewalls 42

Intrusion Prevention and Intrusion Detection Systems 43

Network Security 44

Knowing Operating Systems 46

Windows 46

Mac OS 47

Linux 48

Backups and Archiving 49

Summary 49

Exam Essentials 50

Review Questions 51

Chapter 3 Cryptography 55

Cryptography: Early Applications and Examples 56

History of Cryptography 57

Tracing the Evolution 58

Cryptography in Action 59

So How Does It Work? 60

Symmetric Cryptography 61

Asymmetric, or Public Key, Cryptography 62

Understanding Hashing 68

Issues with Cryptography 69

Applications of Cryptography 71

IPSec 71

Pretty Good Privacy 73

Secure Sockets Layer (SSL) 74

Summary 75

Exam Essentials 75

Review Questions 76

Chapter 4 Footprinting and Reconnaissance 81

Understanding the Steps of

Ethical Hacking 82

Phase 1: Footprinting 82

Phase 2: Scanning 83

Phase 3: Enumeration 83

Phase 4: System Hacking 83

What Is Footprinting? 84

Why Perform Footprinting? 84

Goals of the Footprinting Process 85

Terminology in Footprinting 87

Open Source and Passive Information Gathering 87

Active Information Gathering 87

Pseudonymous Footprinting 88

Internet Footprinting 88

Threats Introduced by Footprinting 88

The Footprinting Process 88

Using Search Engines 89

Location and Geography 91

Social Networking and Information Gathering 91

Financial Services and Information Gathering 92

The Value of Job Sites 92

Working with E-mail 93

Competitive Analysis 94

Google Hacking 95

Gaining Network Information 96

Social Engineering: The Art of Hacking Humans 96

Summary 97

Exam Essentials 97

Review Questions 98

Chapter 5 Scanning Networks 103

What Is Network Scanning? 104

Checking for Live Systems 106

Wardialing 106

Wardriving 108

Pinging 108

Port Scanning 110

Checking for Open Ports 110

Types of Scans 112

Full Open Scan 112

Stealth Scan, or Half-open Scan 112

Xmas Tree Scan 113

FIN Scan 114

NULL Scan 114

ACK Scanning 115

UDP Scanning 115

OS Fingerprinting 116

Banner Grabbing 117

Countermeasures 118

Vulnerability Scanning 119

Drawing Network Diagrams 119

Using Proxies 120

Setting a Web Browser to Use a Proxy 121

Summary 122

Exam Essentials 122

Review Questions 123

Chapter 6 Enumeration of Services 127

A Quick Review 128

Footprinting 128

Scanning 128

What Is Enumeration? 129

Windows Basics 130

Users 130

Groups 131

Security Identifiers 132

Services and Ports of Interest 132

Commonly Exploited Services 133

NULL Sessions 135

SuperScan 136

The PsTools Suite 137

Enumeration with SNMP 137

Management Information Base 138

SNScan 139

Unix and Linux Enumeration 139

finger 140

rpcinfo 140

showmount 140

Enum4linux 141

LDAP and Directory Service Enumeration 141

Enumeration Using NTP 142

SMTP Enumeration 143

Using VRFY 143

Using EXPN 144

Using RCPT TO 144

SMTP Relay 145

Summary 145

Exam Essentials 146

Review Questions 147

Chapter 7 Gaining Access to a System 151

Up to This Point 152

System Hacking 154

Authentication on Microsoft Platforms 165

Executing Applications 169

Covering Your Tracks 170

Summary 172

Exam Essentials 173

Review Questions 174

Chapter 8 Trojans, Viruses, Worms, and Covert Channels 179

Malware 180

Malware and the Law 182

Categories of Malware 183

Viruses 184

Worms 190

Spyware 192

Adware 193

Scareware 193

Trojans 194

Overt and Covert Channels 203

Summary 205

Exam Essentials 205

Review Questions 206

Chapter 9 Sniffers 209

Understanding Sniffers 210

Using a Sniffer 212

Sniffing Tools 213

Wireshark 214

TCPdump 218

Reading Sniffer Output 221

Switched Network Sniffing 224

MAC Flooding 224

ARP Poisoning 225

MAC Spoofing 226

Port Mirror or SPAN Port 227

On the Defensive 227

Mitigating MAC Flooding 228

Detecting Sniffing Attacks 230

Exam Essentials 230

Summary 230

Review Questions 231

Chapter 10 Social Engineering 235

What Is Social Engineering? 236

Why Does Social Engineering Work? 237

Why is Social Engineering Successful? 238

Social-Engineering Phases 239

What Is the Impact of Social Engineering? 239

Common Targets of Social Engineering 240

What Is Social Networking? 241

Mistakes in Social Media and Social Networking 243

Countermeasures for Social Networking 245

Commonly Employed Threats 246

Identity Theft 250

Protective Measures 250

Know What Information Is Available 251

Summary 252

Exam Essentials 252

Review Questions 254

Chapter 11 Denial of Service 259

Understanding DoS 260

DoS Targets 262

Types of Attacks 262

Buffer Overflow 267

Understanding DDoS 271

DDoS Attacks 271

DoS Tools 273

DDoS Tools 273

DoS Defensive Strategies 276

Botnet-Specific Defenses 277

DoS Pen Testing Considerations 277

Summary 277

Exam Essentials 278

Review Questions 279

Chapter 12 Session Hijacking 283

Understanding Session Hijacking 284

Spoofing vs. Hijacking 286

Active and Passive Attacks 287

Session Hijacking and Web Apps 288

Types of Application-Level Session Hijacking 289

A Few Key Concepts 292

Network Session Hijacking 294

Exploring Defensive Strategies 302

Summary 302

Exam Essentials 303

Review Questions 304

Chapter 13 Web Servers and Web Applications 309

Exploring the Client-Server Relationship 310

The Client and the Server 311

Closer Inspection of a Web Application 311

Vulnerabilities of Web Servers and

Applications 313

Common Flaws and Attack Methods 316

Summary 323

Exam Essentials 323

Review Questions 324

Chapter 14 SQL Injection 329

Introducing SQL Injection 330

Results of SQL Injection 332

The Anatomy of a Web Application 333

Databases and Their Vulnerabilities 334

Anatomy of a SQL Injection Attack 336

Altering Data with a SQL

Injection Attack 339

Injecting Blind 341

Information Gathering 342

Evading Detection Mechanisms 342

SQL Injection Countermeasures 343

Summary 344

Exam Essentials 344

Review Questions 345

Chapter 15 Wireless Networking 349

What Is a Wireless Network? 350

Wi-Fi: An Overview 350

The Fine Print 351

Wireless Vocabulary 353

A Close Examination of Threats 360

Ways to Locate Wireless Networks 364

Choosing the Right Wireless Card 365

Hacking Bluetooth 365

Summary 367

Exam Essentials 368

Review Questions 369

Chapter 16 Evading IDSs, Firewalls, and Honeypots 373

Honeypots, IDSs, and Firewalls 374

The Role of Intrusion Detection Systems 374

Firewalls 379

What’s That Firewall Running? 382

Honeypots 383

Run Silent, Run Deep: Evasion Techniques 383

Evading Firewalls 385

Summary 388

Exam Essentials 388

Review Questions 389

Chapter 17 Physical Security 393

Introducing Physical Security 394

Simple Controls 394

Dealing with Mobile Device Issues 397

Securing the Physical Area 401

Defense in Depth 408

Summary 409

Exam Essentials 409

Review Questions 410

Appendix A Answers to Review Questions 415

Appendix B About the Additional Study Tools 437

Index 441