Mastering Kali Linux for Advanced Penetration Testing will provide you with a number of proven techniques to defeat the latest defences on the networks using Kali Linux. From selecting the most effective tools, to rapidly compromising network security, to highlighting the techniques used to avoid de
Mastering Kali Linux for advanced penetration testing: secure your network with Kali Linux, the ultimate hackers' arsenal
Scribed by Velu, Vijay Kumar
- Publisher: Packt Publishing
- Year: 2017
- Language: English
- Pages: 501
- Edition: Second edition
- Category: Library
Table of Contents
Cover......Page 1
Title Page......Page 2
Copyright......Page 3
Credits......Page 5
About the Author......Page 6
About the Reviewer......Page 7
www.PacktPub.com......Page 8
Customer Feedback......Page 9
Table of Contents......Page 10
Preface......Page 17
Conceptual overview of security testing......Page 23
Classical failures of vulnerability scanning, penetration testing, and red team exercises......Page 24
The testing methodology......Page 25
Introduction to Kali Linux - history and purpose......Page 28
Using Kali from a portable device......Page 29
Installing Kali into a virtual machine......Page 30
VMware Workstation Player......Page 31
VirtualBox......Page 34
Installing to a Docker appliance......Page 42
Installing Kali to the cloud - creating an AWS instance......Page 45
Organizing Kali......Page 48
Adding a non-root user......Page 49
Speeding up Kali operations......Page 50
Sharing folders with the host operating system......Page 52
Setting up a virtual network with Active Directory......Page 55
Installing defined targets......Page 59
Metasploitable3......Page 60
Mutillidae......Page 62
Managing collaborative penetration testing using Faraday......Page 64
Summary......Page 69
Chapter 2: Open Source Intelligence and Passive Reconnaissance......Page 70
Basic principles of reconnaissance......Page 71
OSINT......Page 72
Offensive OSINT......Page 73
Maltego......Page 74
CaseFile......Page 79
Google caches......Page 81
Gathering usernames and email addresses......Page 82
Obtaining user information......Page 83
Shodan and censys.io......Page 84
Using dork script to query Google......Page 85
DataDump sites......Page 87
Using scripts to automatically gather OSINT data......Page 88
Defensive OSINT......Page 89
Security breaches......Page 90
Threat intelligence......Page 91
Profiling users for password lists......Page 92
Extracting words from Twitter using Twofi......Page 94
Summary......Page 95
Chapter 3: Active Reconnaissance of External and Internal Networks......Page 96
Adjusting the source IP stack and tool identification settings......Page 98
Modifying packet parameters......Page 100
Using proxies with anonymity networks......Page 102
DNS reconnaissance and route mapping......Page 106
The whois command......Page 107
Employing comprehensive reconnaissance applications......Page 108
The recon-ng framework......Page 109
IPv4......Page 112
IPv6......Page 113
Using IPv6-specific tools......Page 114
Mapping the route to the target......Page 115
Identifying the external network infrastructure......Page 118
Mapping beyond the firewall......Page 120
IDS/IPS identification......Page 121
Live host discovery......Page 123
Port, operating system, and service discovery......Page 124
Port scanning......Page 125
Writing your own port scanner using netcat......Page 126
Determining active services......Page 127
DHCP information......Page 129
Identification and enumeration of internal network hosts......Page 130
Native MS Windows commands......Page 131
ARP broadcasting......Page 133
Ping sweep......Page 134
Using scripts to combine Masscan and nmap scans......Page 135
Taking advantage of SNMP......Page 137
Windows account information via Server Message Block (SMB) sessions......Page 139
Locating network shares......Page 140
Reconnaissance of Active Directory domain servers......Page 142
An example to configure SPARTA......Page 143
Summary......Page 144
Chapter 4: Vulnerability Assessment......Page 145
Local and online vulnerability databases......Page 146
Vulnerability scanning with nmap......Page 151
Introduction to Lua scripting......Page 152
Customizing NSE scripts......Page 153
Web application vulnerability scanners......Page 154
Introduction to Nikto and Vega......Page 156
Customizing Nikto and Vega......Page 158
Vulnerability scanners for mobile applications......Page 162
The OpenVAS network vulnerability scanner......Page 164
Customizing OpenVAS......Page 167
Specialized scanners......Page 168
Threat modeling......Page 169
Summary......Page 171
Chapter 5: Physical Security and Social Engineering......Page 172
Methodology and attack methods......Page 173
Computer-based attacks......Page 174
Physical attacks......Page 175
Samdump2 and chntpw......Page 176
Sticky Keys......Page 180
Attacking system memory with Inception......Page 181
Creating a rogue physical device......Page 184
Microcomputer-based attack agents......Page 185
The Social Engineering Toolkit (SET)......Page 187
Using a website attack vector - the credential harvester attack method......Page 191
Using a website attack vector - the tabnabbing attack method......Page 194
Using the PowerShell alphanumeric shellcode injection attack......Page 196
HTA attack......Page 198
Hiding executables and obfuscating the attacker's URL......Page 200
Escalating an attack using DNS redirection......Page 203
Spear phishing attack......Page 204
Setting up a phishing campaign with Phishing Frenzy......Page 209
Launching a phishing attack......Page 213
Summary......Page 216
Chapter 6: Wireless Attacks......Page 217
Wireless reconnaissance......Page 218
Kismet......Page 222
Bypassing a hidden SSID......Page 224
Bypassing MAC address authentication and open authentication......Page 227
Brute-force attacks......Page 229
Attacking wireless routers with Reaver......Page 233
DoS attacks against wireless communications......Page 234
Compromising enterprise implementations of WPA/WPA2......Page 236
Working with Ghost Phisher......Page 241
Summary......Page 243
Chapter 7: Reconnaissance and Exploitation of Web-Based Applications......Page 244
Methodology......Page 245
Hacker's mindmap......Page 247
Conducting reconnaissance of websites......Page 248
Detection of web application firewall and load balancers......Page 250
Fingerprinting a web application and CMS......Page 252
Client-side proxies......Page 255
Burp Proxy......Page 256
Extending the functionality of web browsers......Page 262
Web crawling and directory brute-force attacks......Page 263
Web-service-specific vulnerability scanners......Page 264
OS command injection using commix......Page 266
Injection attacks against databases......Page 268
Maintaining access with web shells......Page 270
Summary......Page 273
Chapter 8: Attacking Remote Access......Page 274
Compromising Remote Desktop Protocol (RDP)......Page 275
Compromising secure shell......Page 279
Compromising remote access protocols (VNC)......Page 281
Attacking Secure Sockets Layer (SSL)......Page 283
Compression Ratio Info-leak Made Easy (CRIME)......Page 284
Padding Oracle On Downgraded Legacy Encryption (POODLE)......Page 285
Introduction to Testssl......Page 286
Reconnaissance of SSL connections......Page 287
Using sslstrip to conduct a man-in-the-middle attack......Page 295
Denial-of-service attacks against SSL......Page 297
Attacking an IPSec virtual private network......Page 298
Scanning for VPN gateways......Page 299
Fingerprinting the VPN gateway......Page 301
Performing offline PSK cracking......Page 302
Summary......Page 303
Chapter 9: Client-Side Exploitation......Page 304
Backdooring executable files......Page 305
Conducting attacks using VBScript......Page 308
Attacking systems using Windows PowerShell......Page 312
The Cross-Site Scripting Framework (XSSF)......Page 314
The Browser Exploitation Framework (BeEF)......Page 319
Configuring BeEF......Page 320
Understanding the BeEF browser......Page 324
Integrating BeEF and Metasploit attacks......Page 328
Using BeEF as a tunneling proxy......Page 330
Summary......Page 332
Bypassing Network Access Control (NAC)......Page 333
Pre-admission NAC......Page 334
Identifying the rules......Page 335
Post-admission NAC......Page 336
Bypassing antivirus using different frameworks......Page 337
Using the Veil framework......Page 338
Using Shellter......Page 345
Bypassing application-level controls......Page 350
Bypassing URL filtering mechanisms......Page 351
Outbound to inbound......Page 354
Defeating application whitelisting......Page 356
Enhanced Mitigation Experience Toolkit (EMET)......Page 358
User Account Control (UAC)......Page 360
Access and authorization......Page 365
Auditing and logging......Page 367
Summary......Page 368
The Metasploit framework......Page 369
Libraries......Page 370
Interfaces......Page 371
Modules......Page 372
Database setup and configuration......Page 373
Exploiting targets using Metasploit Framework......Page 379
Single targets using a simple reverse shell......Page 380
Single targets using a reverse shell with a PowerShell attack vector......Page 381
Exploiting multiple targets using Metasploit Framework resource files......Page 383
Exploiting multiple targets with Armitage......Page 384
Using public exploits......Page 386
Locating and verifying publicly available exploits......Page 387
Compiling C files......Page 389
Adding the exploits that are written using Metasploit Framework as a base......Page 390
Developing a Windows exploit......Page 391
Identifying a vulnerability using fuzzing......Page 392
Crafting a Windows-specific exploit......Page 400
Summary......Page 404
Activities on the compromised local system......Page 405
Conducting a rapid reconnaissance of a compromised system......Page 406
Finding and taking sensitive data - pillaging the target......Page 408
Creating additional accounts......Page 411
Post-exploitation tools (MSF, the Veil-Pillage framework, scripts)......Page 412
Veil-Pillage......Page 416
Compromising domain trusts and shares......Page 421
PsExec, WMIC, and other tools......Page 422
WMIC......Page 423
Lateral movement using services......Page 427
Pivoting and port forwarding......Page 428
Using Proxychains......Page 430
Summary......Page 431
Chapter 13: Privilege Escalation......Page 432
Overview of common escalation methodology......Page 433
Local system escalation......Page 434
Escalating from administrator to system......Page 435
DLL injection......Page 436
PowerShell's Empire tool......Page 439
Password sniffers......Page 445
Responder......Page 447
Escalating access rights in Active Directory......Page 450
Compromising Kerberos - the golden ticket attack......Page 459
Summary......Page 461
Chapter 14: Command and Control......Page 462
Using persistent agents......Page 463
Employing Netcat as a persistent agent......Page 464
Using schtasks to configure a persistent task......Page 468
Using the persistence script......Page 470
Creating a standalone persistent agent with Metasploit......Page 472
Persistence using social media and Gmail......Page 474
Using existing system services (Telnet, RDP, and VNC)......Page 479
Exfiltration of data using the DNS protocol......Page 481
Exfiltration of data using ICMP......Page 483
Using the Data Exfiltration Toolkit (DET)......Page 485
Hiding evidence of the attack......Page 487
Summary......Page 490
Index......Page 491