Practical Guide To Penetration Testing
Peter Kim
Book Details

| Item | Value |
|---|---|
| Price | 2.00 |
| Pages | 214 p |
| File Size | 26,740 KB |
| File Type | PDF format |
| ISBN | 1494932636 |
| ISBN-13 | 9781494932633 |
| Copyright© | 2014 by Secure Planet LLC |
I didn’t start one day to think that I’d write a book about penetration testing,
but I kind of fell into it.
What happened was I started taking notes from penetration tests, conferences, security articles,
research, and life experiences. As my notes grew and grew, I found better and better ways to perform
repetitive tasks and I began to understand what worked and what didn’t.
As I began to teach, speak at conferences, and get involved in the security community, I felt that the
industry could benefit from my lessons learned. This book is a collection of just that. One important
thing I want to point out is that I am not a professional writer, but wrote this book as a hobby. You
may have your own preferred tools, techniques and tactics that you utilize, but that is what makes this
field great. There are often many different answers to the same question and I invite you to explore
them all. I won’t be giving a step-by-step walkthrough of every type of attack; so it’s your job to
continually do research, try different methods, and see what works for you.
This book assumes that you have some knowledge of common security tools, have used a little
Metasploit, and keep up somewhat with the security industry. You don’t have to be a penetration
tester to take full advantage of the book; but it helps if your passion is for security.
My purpose in writing this book is to create a straightforward and practical approach to penetration
testing. There are many security books that discuss every type of tool and every type of vulnerability,
where only small portions of the attacks seem to be relevant to the average penetration tester. My
hope is that this book will help you evolve your security knowledge and better understand how you
need to protect your own environment.
Throughout the book, I’ll be going into techniques and processes that I feel are real world and part of
a typical penetration engagement. You won’t always be able to use these techniques exactly as shown,
but they should help provide a good baseline for where you should start.
I will conclude with some advice that I have found to be helpful. To become a better security
professional, some of the most important things to do are:
1. Learn, study, and understand vulnerabilities and common security weaknesses
2. Practice exploiting and securing vulnerabilities in controlled environments
3. Perform testing in real world environments
4. Teach and present to the security community
These pointers represent a continual lifecycle, which will help you evolve in your technical maturity.
Thanks again for reading this book and I hope you have as much fun reading it as I had writing it.
Introduction
Hunched over your keyboard in your dimly lit room, frustrated, possibly on one too many energy
drinks, you check your phone. As you squint from the glare of the bright LCD screen, you barely make
out the time to be 3:00 a.m. “Great”, you think to yourself. You have 5 more hours before your test is
over and you haven’t found a single exploit or critical vulnerability. Your scans were not fruitful and
no one’s going to accept a report with a bunch of Secure Flag cookie issues.
You need that Hail Mary pass, so you pick up The Hacker Playbook and open to the section called
“The Throw - Manual Web Application Findings”. Scanning through, you see that you’ve missed
testing the cookies for SQL injection attacks. You think, “This is something that a simple web scanner
would miss.” You kick off SQLMap using the cookie switch and run it. A couple of minutes later,
your screen starts to violently scroll and stops at:
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Perfect. You use SQLMap to drop into a command shell, but sadly realize that you do not have
administrative privileges. “What would be the next logical step…? I wish I had some post-exploitation
tricks up my sleeve”, you think to yourself. Then you remember that this book could help
with that. You open to the section “The Lateral Pass - Moving through the Network” and read up and
down. There are so many different options here, but let’s see if this host is connected to the domain
and if they used Group Policy Preferences to set Local Administrators.
Taking advantage of the IEX PowerShell command, you force the server to download PowerSploit’s
GPP script, execute it, and store the results to a file. Looks like it worked without triggering
Anti-Virus! You read the contents of the file that the script exported and, lo and behold, the local
administrative password.
The rest is history… you spawn a Meterpreter shell with the admin privileges, pivot through that host,
and use SMBexec to pull all the user hashes from the Domain Controller.
Of course, this was all a very quick and high-level example, but this is how I tried to lay out the book.
There are 10 different sections to this book, laid out as a football playbook. The 10 sections are:
1. Pregame: This is all about how to set up your attacking machines and the tools we’ll use throughout the book.
2. Before the Snap: Before you can run any plays, you need to scan your environment and understand
what you are up against. We’ll dive into discovery and smart scanning.
3. The Drive: Take the vulnerabilities you identified from the scans and exploit those
systems. This is where we get our hands a little dirty and start exploiting boxes.
4. The Throw: Sometimes you need to get creative and look for the open target. We’ll take a look at
how to find and exploit manual Web Application findings.
5. The Lateral Pass: After you have compromised a system, how to move laterally through the network.
6. The Screen: A play usually used to trick the enemy. This chapter will explain some social engineering tactics.
7. The Onside Kick: A deliberately short kick that requires close distance. Here I will describe
attacks that require physical access.
8. The Quarterback Sneak: When you only need a couple of yards, a quarterback sneak is perfect.
Sometimes you get stuck with antivirus (AV); this chapter describes how to get over those small
hurdles by evading AV.
9. Special Teams: Cracking passwords, exploits, and some tricks.
10. Post-Game Analysis: Reporting your findings.
Before we dig into how to attack different networks, pivot through security controls, and evade AV, I
want to get you into the right mindset. Imagine you have been hired as the penetration tester to test the
overall security of a Fortune 500 company. Where do you start? What are your baseline security
tests? How do you provide consistent testing for all of your clients, and when do you deviate from that
line? This is how I am going to deliver the messages of this book.
Table of Contents
Preface
Introduction
Additional Information about this Book
Disclaimer
Pregame - The Setup
Setting Up a Penetration Testing Box
Hardware:
Basic hardware requirements are:
Optional hardware discussed later within the book:
Commercial Software
Kali Linux (http://www.kali.org/)
High level tools list additional to Kali:
Setting up Kali:
Once Your Kali VM is Up and Running:
Windows VM Host
High level tools list addition to Windows:
Setting up Windows
Summary
Before the Snap - Scanning the Network
External Scanning
Passive Discovery
Discover Scripts (Previously Backtrack Scripts) (Kali Linux)
How to Run Passive Discovery
Using Compromised Lists to Find Email Addresses and Credentials
External/Internal Active Discovery
The Process for Network Scanning:
Network Vulnerability Scanning (Nexpose/Nessus)
Screen Capture - Peeping Tom
Web Application Scanning
The Process for Web Scanning:
Web Application Scanning
Configuring Your Network Proxy and Browser
Spider Application
Discover Content
Running the Active Scanner
Summary
The Drive - Exploiting Scanner Findings
Metasploit (http://www.metasploit.com) (Windows/Kali Linux)
Basic Steps when Configuring Metasploit Remote Attacks:
Searching via Metasploit (using the good ol’ MS08-067 vulnerability):
Scripts
WarFTP Example
Summary
The Throw - Manual Web Application Findings
Web Application Penetration Testing
SQL Injections
SQLmap (http://sqlmap.org/) (Kali Linux)
Sqlninja (http://sqlninja.sourceforge.net/) (Kali Linux)
Executing Sqlninja
Cross-Site Scripting (XSS)
BeEF Exploitation Framework (http://beefproject.com/) (Kali Linux)
Cross-Site Scripting Obfuscation:
Crowd Sourcing
OWASP Cheat Sheet
Cross-Site Request Forgery (CSRF)
Using Burp for CSRF Replay Attacks
Session Tokens
Additional Fuzzing/Input Validation
Functional/Business Logic Testing
Conclusion
The Lateral Pass - Moving Through the Network
On the Network without Credentials:
Responder.py (https://github.com/SpiderLabs/Responder) (Kali Linux)
With any Domain Credentials (Non-Admin):
Group Policy Preferences:
Pulling Clear Text Credentials
WCE - Windows Credential Editor
(http://www.ampliasecurity.com/research/wcefaq.html) (Windows)
Mimikatz (http://blog.gentilkiwi.com/mimikatz)(Windows)
Post Exploitation Tips
Post Exploitation Lists from Room362.com:
With Any Local Administrative or Domain Admin Account:
Owning the Network with Credentials and PSExec:
PSExec and Veil (Kali Linux)
PSExec Commands Across Multiple IPs (Kali Linux)
Attack the Domain Controller:
SMBExec (https://github.com/brav0hax/smbexec) (Kali Linux)
Post Exploitation with PowerSploit (https://github.com/mattifestation/PowerSploit)
(Windows)
Commands:
Post Exploitation with PowerShell (https://code.google.com/p/nishang/) (Windows)
ARP (Address Resolution Protocol) Poisoning
IPv4
Cain and Abel (Windows)
Ettercap (Kali Linux)
IPv6
The tool is able to do different attacks such as:
Steps After ARP Spoofing:
SideJacking:
Hamster/Ferret (Kali Linux)
Firesheep
DNS Redirection:
SSLStrip:
Commands on Kali:
Proxy Between Hosts
Conclusion
The Screen - Social Engineering
Doppelganger Domains
SMTP Attack
SSH Attack
To Extract OpenSSH:
Spear Phishing
Metasploit Pro - Phishing Module
Social Engineering Toolkit (Kali Linux)
Credential Harvester
To generate a fake page, go through the following:
Using SET JAVA Attack
Sending Out Massive Spear Phishing Campaigns
Social Engineering with Microsoft Excel
Conclusion
The Onside Kick - Attacks that Require Physical Access
Exploiting Wireless
Passive - Identification and Reconnaissance
Active Attacks
WEP - Wired Equivalent Privacy
How to Crack WEP in Kali:
WPAv2 WPS (Wi-Fi Protected Setup) Attacks
WPA Enterprise - Fake Radius Attack
Configuring a Radius server
Karmetasploit
Physical Card Cloning:
Pentesting Drop Box
Odroid U2:
Physical Social Engineering
Conclusion
The Quarterback Sneak - Evading AV
Evading AV
Hiding WCE from AV (Windows)
Python
Python Shell
Python Keylogger
Veil Example (Kali Linux)
SMBExec (Kali Linux)
Conclusion
Special Teams - Cracking, Exploits, Tricks
Password Cracking
John the Ripper (JtR):
Cracking MD5 Hashes
oclHashcat:
Cracking WPAv2
Cracking NTLMv2
Cracking Smarter
Vulnerability Searching
Searchsploit (Kali Linux)
BugTraq
Exploit-DB
Querying Metasploit
Tips and Tricks
RC Scripts within Metasploit
Bypass UAC
Web Filtering Bypass for Your Domains
Windows XP - Old school FTP trick
Hiding Your Files (Windows)
Keeping Those Files Hidden (Windows)
Windows 7/8 Uploading Files to the Host
Post Game Analysis - Reporting
Reporting
List of My Best Practices and Concepts for Reporting:
Continuing Education
Major Conferences:
The cons that I highly recommend from my own personal experience:
Training Courses:
Books Technical Reading:
Fun Security Related Reading:
Vulnerable Penetration Testing Frameworks
Capture The Flag (CTF)
Keeping Up-to-Date
RSS Feed/Site List:
Email Lists:
Twitter Lists:
Final Notes
Special Thanks
Additional Information About This Book
has nothing to do with any of my past or current employers or anything that I’m involved with outside
this book. If there are topics or ideas that I have misrepresented or have forgotten to give credit
where appropriate, please let me know and I’ll make updates on the website for the book:
One important recommendation I have when you are learning: take the tools and try to recreate them
in another scripting language. I generally like to use python to recreate common tools and new
exploits. This becomes really important because you will avoid becoming tool dependent, and you
will better understand why the vulnerability is a vulnerability.
Finally, I want to reiterate that practice makes perfect. The rule I’ve always heard is that it takes
10,000 hours to master something. However, I don’t believe that there is ever a time that anyone can
completely master penetration testing, but I’ll say that with enough practice penetration testing can
become second nature.