Penetration Tester's Open Source Toolkit

This is the first fully integrated Penetration Testing book and bootable Linux CD containing the Auditor Security Collection which includes over 300 of the most effective and commonly used open source attack and penetration testing tools. This powerful tool kit and authoritative reference is written by the security industry's foremost penetration testers including HD Moore, Jay Beale, and SensePost. This unique package provides you with a completely portable and bootable Linux attack distribution and authoritative reference to the toolset included and the required methodology.

Penetration testing a network requires a delicate balance of art and science. A penetration tester must be creative enough to think outside of the box to determine all possible attack vector into his own network, and also be expert in using the literally hundreds of tools required to execute the plan and meticulously document their results. This book provides both the art and the science. The authors of the book are expert penetration testers who have developed many of the leading pen testing tools; such as the Metasploit framework. The authors allow the reader inside their heads to unravel the mysteries of thins like identifying targets, enumerating hosts, application fingerprinting, cracking passwords, and attacking exposed vulnerabilities. Along the way, the authors provide an invaluable reference to the hundreds of hijacking tools; sniffers; scanners; Web application; and vulnerability assessment tools from the bootable-Linux CD including the Metasploit Framework; ettercap, dsniff, Ethereal, Nmap, Paketto, Scanrand, Hydra, Paros, Nessus, and many more.

• Foreword
• Chapter 1: Reconnaissance
• Objectives
• Approach
• A Methodology for Reconnaissance
• Intelligence Gathering
• Footprinting
• Verification
• Core Technologies
• Intelligence Gathering
• Search Engines
• WHOIS
• RWHOIS
• Domain Name Registries and Registrars
• Web Site Copiers
• Footprinting
• DNS
• SMTP
• Verification
• Virtual Hosting
• IP Subnetting
• The Regional Internet Registries
• Open Source Tools
• Intelligence-Gathering Tools
• Web Resources
• *nix Command-Line Tools
• Open Source Windows Tools
• WinBiLE (www.sensepost.com/research)
• Footprinting Tools
• Web Resources
• *nix Console Tools
• Open Source Windows Tools
• Verification Tools
• Web Resources
• *nix Console Tools
• Case Studies—The Tools in Action
• Intelligence Gathering, Footprinting, and Verification of an Internet-Connected Network
• Footprinting
• Verification
• Chapter 2: Enumeration and Scanning
• Objectives
• Approach
• Scanning
• Enumeration
• Core Technology
• How Scanning Works
• Port Scanning
• Going Behind the Scenes with Enumeration
• Service Identification
• RPC Enumeration
• Fingerprinting
• Being Loud, Quiet, and All that Lies Between
• Timing
• Bandwidth Issues
• Unusual Packet Formation
• Open Source Tools
• Scanning
• Fyodor's nmap
• netenum: Ping Sweep
• unicornscan: Port Scan
• scanrand: Port Scan
• Enumeration
• nmap: Banner Grabbing
• Windows Enumeration: smbgetserverinfo/smbdumpusers
• Case Studies—The Tools in Action
• External
• Internal
• Stealthy
• Noisy (IDS Testing)
• Further Information
• Chapter 3: Introduction to Testing Databases
• Objectives
• Intended Audience
• Introduction
• Approach
• Context of Database Assessment
• Process of Penetration Testing a Database
• Core Technologies
• Basic Terminology
• Database Installation
• Default Users and New Users
• Roles and Privileges
• Technical Details
• Open Source Tools
• Intelligence Gathering
• Footprinting, Scanning, and Enumeration Tools
• Locating Database Servers by Port
• Enumeration Tools
• Unauthenticated Enumeration
• Vulnerability Assessment and Exploit Tools
• Nessus Checks
• Interpreting Nessus Database Vulnerabilities
• OScanner and OAT
• SQLAT
• WHAX Tools
• Case Studies—The Tools in Action
• MS SQL Assessment
• Oracle Assessment
• Further Information
• Discovering Databases
• Enumeration Tools
• Chapter 4: Web Server & Web Application Testing
• Objectives
• Introduction
• Web Server Vulnerabilities—A Short History
• Web Applications—The New Challenge
• Chapter Scope
• Approach
• Approach: Web Server Testing
• Approach: CGI and Default Pages Testing
• Approach: Web Application Testing
• Core Technologies
• Web Server Exploit Basics
• What Are We Talking About?
• CGI and Default Page Exploitation
• Web Application Assessment
• Information Gathering Attacks
• File System and Directory Traversal Attacks
• Command Execution Attacks
• Database Query Injection Attacks
• Cross-site Scripting
• Authentication and Authorization
• Parameter Passing Attacks
• Open Source Tools
• Intelligence Gathering Tools
• Scanning Tools
• Assessment Tools
• Authentication
• Proxy
• Exploitation Tools
• Case Studies—The Tools in Action
• Web Server Assessments
• CGI and Default Page Exploitation
• Web Application Assessment
• Chapter 5: Wireless Penetration Testing Using Auditor
• Objectives
• Introduction
• Approach
• Understanding WLAN Vulnerabilities
• Evolution of WLAN Vulnerabilities
• Core Technologies
• WLAN Discovery
• Choosing the Right Antenna
• WLAN Encryption
• Wired Equivalent Privacy (WEP)
• WiFi Protected Access (WPA/WPA2)
• Extensible Authentication Protocol (EAP)
• Virtual Private Network (VPN)
• Attacks
• Attacks Against WEP
• Attacks Against WPA
• Attacks Against LEAP
• Attacks Against VPN
• Open Source Tools
• Footprinting Tools
• Intelligence Gathering Tools
• USENET Newsgroups
• Google (Internet Search Engines)
• Scanning Tools
• Wellenreiter
• Kismet
• Enumeration Tools
• Vulnerability Assessment Tools
• Exploitation Tools
• MAC Address Spoofing
• Deauthentication with Void11
• Cracking WEP with the Aircrack Suite
• Cracking WPA with the CoWPAtty
• Case Studies
• Case Study—Cracking WEP
• Case Study—Cracking WPA-PSK
• Further Information
• Additional GPSMap Map Servers
• Chapter 6: Network Devices
• Objectives
• Approach
• Core Technologies
• Open-Source Tools
• Foot Printing Tools
• Traceroute
• DNS
• Nmap
• ICMP
• Ike-scan
• Scanning Tools
• Nmap
• ASS
• Cisco Torch
• Snmpfuzz.pl
• Enumeration Tools
• SNMP
• Finger
• Vulnerability Assessment Tools
• Nessus
• Exploitation Tools
• ADMsnmp
• Hydra
• TFTP-Bruteforce
• Cisco Global Exploiter
• Internet Routing Protocol Attack Suite (IRPAS)
• Ettercap
• Case Studies—The Tools in Action
• Obtaining a Router Configuration by Brute Force
• Further Information
• Common and Default Vendor Passwords
• Modification of cge.pl
• References
• Software
• Chapter 7: Writing Open Source Security Tools
• Introduction
• Why Would You Want to Learn to Code?
• The Process of Programming
• Step 1: Solve the Right Problem by Asking the Right Questions
• Step 2: Breaking the Problem into Smaller, Manageable Problems
• Step 3: Write Pseudocode
• Step 4: Implement the Actual Code
• Languages
• Programming Languages
• Logo
• Basic
• Delphi
• C/C++
• PERL
• C#
• Python
• Java
• Web Application Languages
• PHP
• ASP/ASP .NET
• Interactive Development Environments
• Eclipse
• KDevelop
• Microsoft Visual Studio .NET
• Monodevelop
• Quick Start Mini Guides
• PERL Mini Guide
• Basic Program Structure, Data Structures, Conditionals, and Loops
• Basic File IO and Subroutines
• Writing to a Socket and Using MySQL
• Consuming a Web Service and Writing a CGI
• C# Mini Guide
• Basic Program Structure, Data Structures, Conditionals, and Loops
• Basic File IO and Databases
• Writing to Sockets
• Conclusion
• Useful functions and code snippets
• C# Snippets
• PERL Code Snippets
• Links to Resources in this Chapter / Further Reading
• Chapter 8: Nessus
• Introduction
• What Is It?
• Basic Components
• Client and Server
• The Plugins
• The Knowledge Base
• Launching Nessus
• Running Nessus from Auditor
• Point and Click: Launching Nessus From Within Auditor
• Behind the Scenes: Analyzing Auditor's start-nessus Script
• From The Ground Up: Nessus Without A Startup Script
• Running Nessus on Windows
• Maintaining Nessus
• Standard Plug-In Update
• Auditor's Plug-In Update: Method #1
• Auditor's Plug-In Update: Method #2
• Updating the Nessus Program
• Using Nessus
• Plugins
• Prefs (The Preferences Tab)
• Scan Options
• Target Selection
• Summary
• Solutions Fast Track
• Links to Sites
• Frequently Asked Questions
• Chapter 9: Coding for Nessus
• Introduction
• History
• Goals of NASL
• Simplicity and Convenience
• Modularity and Efficiency
• Safety
• NASL's Limitations
• NASL Script Syntax
• Comments
• Variables
• Operators
• Control Structures
• Writing NASL Scripts
• Writing Personal-Use Tools in NASL
• Networking Functions
• HTTP Functions
• Packet Manipulation Functions
• String Manipulation Functions
• Cryptographic Functions
• The NASL Command-Line Interpreter
• Programming in the Nessus Framework
• Descriptive Functions
• Case Study: The Canonical NASL Script
• Porting to and from NASL
• Logic Analysis
• Identify Logic
• Pseudo Code
• Porting to NASL
• Porting to NASL from C/C++
• Porting from NASL
• Case Studies of Scripts
• Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability
• Case Study: IIS .HTR ISAPI Filter Applied CVE-2002-0071
• Microsoft IIS/Site Server codebrws.asp Arbitrary File Access
• Case Study: Codebrws.asp Source Disclosure Vulnerability CVE-1999-0739
• Microsoft SQL Server Bruteforcing
• Case Study: Microsoft's SQL Server Bruteforce
• ActivePerl perlIIS.dll Buffer Overflow Vulnerability
• Case Study: ActivePerl perlIS.dll Buffer Overflow
• Microsoft FrontPage/IIS Cross-Site Scripting shtml.dll Vulnerability
• Case Study: Microsoft FrontPage XSS
• Summary
• Solutions FastTrack
• Links to Sites
• Frequently Asked Questions
• Chapter 10: NASL Extensions and Custom Tests
• Introduction
• Extending NASL Using Include Files
• Include Files
• Extending the Capabilities of Tests Using the Nessus Knowledge Base
• Extending the Capabilities of Tests Using Process Launching and Results Analysis
• What Can We Do with Trusted Functions?
• Creating a Trusted Test
• Summary
• Chapter 11: Understanding the Extended Capabilities of the Nessus Environment
• Introduction
• Windows Testing Functionality Provided by the smb_nt.inc Include File
• Windows Testing Functionality Provided by the smb_hotfixes.inc Include File
• UNIX Testing Functionality Provided by the Local Testing Include Files
• Summary
• Chapter 12: Extending Metasploit I
• Introduction
• Using the MSF
• The msfweb Interface
• The msfconsole Interface
• Starting msfconsole
• General msfconsole Commands
• The MSF Environment
• Exploiting with msfconsole
• The msfcli Interface
• Updating the MSF
• Summary
• Solutions Fast Track
• Links to Sites
• Frequently Asked Questions
• Chapter 13: Extending Metasploit II
• Introduction
• Exploit Development with Metasploit
• Determining the Attack Vector
• Finding the Offset
• Selecting a Control Vector
• Finding a Return Address
• Using the Return Address
• Determining Bad Characters
• Determining Space Limitations
• Nop Sleds
• Choosing a Payload and Encoder
• Integrating Exploits into the Framework
• Understanding the Framework
• Analyzing an Existing Exploit Module
• Overwriting Methods
• Summary
• Solutions Fast Track
• Links to Sites
• Frequently Asked Questions

A very good overview of different OSS-tools for penetration testing, even if the quality of the book sometimes is a bit uneven (considering the number of authors, that is no surprise).

Of course, a book like this gets out of date very fast, but it still manages to age very well. Beware, that it is intended to the technical security crowd, so don't expect any relevant risk guidelines etc.

Still, an interesting book, if you're into the subject.