Coding For Penetration Testers : Building Better Tools

Transcription

Coding for Penetration Testers: Building Better Tools
Jason Andress
Ryan Linn

Syngress is an imprint of Elsevier
Amsterdam • Boston • Heidelberg • London • New York • Oxford • Paris • San Diego • San Francisco • Singapore • Sydney • Tokyo

Contents

Foreword
About the Authors
About the Technical Editor
Acknowledgments
Chapter 0: Introduction

CHAPTER 1 Introduction to command shell scripting
  On shell scripting
    What is a shell?
    What is a script?
    Shell scripts
    Where shell scripting is useful
  UNIX, Linux, and OS X shell scripting
    Shell availability and choices
    Working with shells
  Bash basics
    Hello World
    Variables
    Arguments
    Control statements
  Putting it all together with bash
    Adding /dev/tcp/ support to bash
    Building a port scanner with bash
    Improving the script
  Windows scripting
    Shell availability and choices
    Command.com and CMD.exe
    PowerShell
    Cygwin
    Other shells
  PowerShell basics
    Hello World
    Variables
    Arguments
    Control statements
    Conditionals
    Looping
  Putting it all together with PowerShell
    Building a port scanner with PowerShell

CHAPTER 2 Introduction to Python
  What is Python?
  Where do we get Python?
  Where is Python useful?
    Multiplatform scripting
    Network scripting
    Extensive modules
    Reusable code that is easy to create
  Python basics
    Getting …
    … manipulation
    Exception handling
  Network communications
    Client communications
    Server communications
  Scapy
  Summary
  Endnotes

CHAPTER 3 Introduction to Perl
  Where Perl is useful
    Handling text
    Gluing applications together
  Working with Perl
    Editing tools
    Extending Perl scripts
    GUIs in Perl
  Perl basics
    Hello World
    Variables
    Shell commands
    Arguments
    Control statements
    Regular expressions
    File input and output
  Putting it all together
    Building an SNMP scanner with Perl
    Improving the script
  Summary
  Endnotes

CHAPTER 4 Introduction to Ruby
  Where Ruby is useful
  Ruby basics
    Variables
    Arrays and hashes
    Control statements
    Functions
    Classes
    Accessing class data
    File manipulation
  Database basics
    Using DBI
    Using Active Record
  Network operations
    Client communications
    Server communications
  Putting it all together
  Summary
  Endnotes

CHAPTER 5 Introduction to Web scripting with PHP
  Where Web scripting is useful
  Getting started with PHP
    Scope
  PHP basics
    Functions
    Handling forms with PHP
  File handling and command execution
    File handling
    Command execution
  Putting it all together
  Summary

CHAPTER 6 Manipulating Windows with PowerShell
  Dealing with execution policies in PowerShell
    Execution policies
    Bypassing the policies
    Getting in
  Penetration testing uses for PowerShell
    Controlling processes and services
    Interfacing with the event logs
    Getting and sending files over the network
    Interfacing with the Registry
  PowerShell and Metasploit
    PowerShell-oriented Metasploit modules
    PowerDump
    Windows gather PowerShell environment setting enumeration
    Making use of the … modules
  Summary
  Endnotes

CHAPTER 7 Scanner scripting
  Working with scanners
  Netcat
    Implementations of Netcat
    Simple Netcat usage
    Building a Web server with Netcat
    Transferring files with Netcat
  Nmap
    Working with service probes in Nmap
    The Nmap scripting engine
    Building Nmap NSE files
  Nessus/OpenVAS
    NASL in Nessus and OpenVAS
    Nessus attack scripting language (NASL)
  Summary
  Endnotes

CHAPTER 8 Information gathering
  Information gathering for penetration testing
    Sources of information
    Patterns in information
    Metadata
    What can we do with the information?
  Talking to Google
    Google hacking
    Advanced operators
    Automating Google discovery
  Web automation with Perl
    Pulling information from Web sites
  Working with metadata
    Finding metadata
    Document metadata
    Metadata in media files
  Putting it all together
  Summary
  Endnotes

CHAPTER 9 Exploitation scripting
  Building exploits with Python
    Getting software
    Setting up debugging
    Causing our first crash
    Using pattern offset
    Controlling EIP
    Adding shellcode
    Getting our shell
  Creating Metasploit Exploits
    Starting a template
    Porting the exploit code
    Executing the exploit
  Exploiting PHP scripts
    Remote File Inclusion
    Command execution vulnerabilities
  Cross-Site Scripting
    What is XSS?
    Exploiting XSS
  Summary

CHAPTER 10 Post-exploitation scripting
  Why post-exploitation is important
  Windows shell commands
    User management
  Gathering network information
    Windows network information gathering
    Linux network information gathering
  Scripting Metasploit Meterpreter
    Getting a shell
    Building a basic script
    Executing the script
  Database post-exploitation
    What is SQL injection?
    MySQL
    SQL injection on Microsoft SQL Server

Index