Hands-On Penetration Testing on Windows

Unleash Kali Linux, PowerShell, and Windows debugging tools for security testing and analysis 

Phil Bramwell


Book Details
Price: 3.00 USD
Pages: 440
File Size: 64,465 KB
File Type: PDF format
Publisher: Packt Publishing, 2018

About the Author
Phil Bramwell acquired the Certified Ethical Hacker and Certified Expert Penetration
Tester certifications at the age of 21. His professional experience includes Common Criteria
design reviews and testing, network security consulting, penetration testing, and PCI-DSS
compliance auditing for banks, universities, and governments. He later acquired the CISSP
and Metasploit Pro Certified Specialist credentials. Today, he is a cybersecurity and
cryptocurrency consultant and works as a cybersecurity analyst specializing in malware
detection and analysis.
A big thank you to everyone at Packt. I initially told Shrilekha "no way," but she
motivated me to believe in myself. Sharon was available day and night to guide me and
keep my eyes on the prize. I also want to thank my friends and mentors from Kalamazoo to
Atascadero to Answers to Plante Moran: thank you for keeping me going.

About the reviewer
Abhijit Mohanta works as a malware researcher for Juniper Threat Labs. He previously worked as a
malware researcher for Cyphort, McAfee, and Symantec. He has expertise in reverse
engineering and experience working with antivirus and sandbox technologies. He is the
author of the book Preventing Ransomware: Understand everything about digital extortion and its
prevention. He has written a number of blogs on malware research and has filed a couple of
patents related to malware detection.

Table of Contents
Chapter 1: Bypassing Network Access Control 7
Technical requirements 8
Bypassing MAC filtering – considerations for the physical assessor 8
Configuring a Kali wireless access point to bypass MAC filtering 9
Design weaknesses – exploiting weak authentication mechanisms 14
Capturing captive portal authentication conversations in the clear 15
Layer-2 attacks against the network 18
Bypassing validation checks 22
Confirming the Organizationally Unique Identifier 22
Passive Operating System Fingerprinter 23
Spoofing the HTTP User-Agent 27
Breaking out of jail – masquerading the stack 30
Following the rules spoils the fun – suppressing normal TCP replies 31
Fabricating the handshake with Scapy and Python 33
Summary 39
Questions 40
Further reading 40
Chapter 2: Sniffing and Spoofing 41
Technical requirements 42
Advanced Wireshark – going beyond simple captures 42
Passive wireless analysis 42
Targeting WLANs with the Aircrack-ng suite 45
WLAN analysis with Wireshark 47
Active network analysis with Wireshark 48
Advanced Ettercap – the man-in-the-middle Swiss Army Knife 51
Bridged sniffing and the malicious access point 52
Ettercap filters – fine-tuning your analysis 56
Killing connections with Ettercap filters 57
Getting better – spoofing with BetterCAP 61
ICMP redirection with BetterCAP 63
Summary 66
Questions 66
Further reading 67
Chapter 3: Windows Passwords on the Network 68
Technical requirements 69
Understanding Windows passwords 69
A crash course on hash algorithms 69
Password hashing methods in Windows 70
If it ends with 1404EE, then it's easy for me – understanding LM hash flaws 71
Authenticating over the network – a different game altogether 72
Capturing Windows passwords on the network 73
A real-world pen test scenario – the chatty printer 73
Configuring our SMB listener 74
Authentication capture 77
Hash capture with LLMNR/NetBIOS NS spoofing 78
Let it rip – cracking Windows hashes 81
The two philosophies of password cracking 81
John the Ripper cracking with a wordlist 83
John the Ripper cracking with masking 85
Reviewing your progress with the show flag 86
Summary 87
Questions 88
Further reading 88
Chapter 4: Advanced Network Attacks 89
Technical requirements 90
Binary injection with BetterCAP proxy modules 90
The Ruby file injection proxy module – replace_file.rb 91
Creating the payload and connect-back listener with Metasploit 92
HTTP downgrading attacks with sslstrip 94
Removing the need for a certificate – HTTP downgrading 95
Understanding HSTS bypassing with DNS spoofing 96
HTTP downgrade attacks with BetterCAP ARP/DNS spoofing 98
The evil upgrade – attacking software update mechanisms 100
Exploring ISR Evilgrade 100
Configuring the payload and upgrade module 101
Spoofing ARP/DNS and injecting the payload 104
IPv6 for hackers 107
IPv6 addressing basics 107
Local IPv6 reconnaissance and the Neighbor Discovery Protocol 109
IPv6 man-in-the-middle – attacking your neighbors 111
Living in an IPv4 world – creating a local 4-to-6 proxy for your tools 112
Summary 114
Questions 114
Further reading 114
Chapter 5: Cryptography and the Penetration Tester 116
Technical requirements 117
Flipping the bit – integrity attacks against CBC algorithms 117
Block ciphers and modes of operation 118
Introducing block chaining 119
Setting up your bit-flipping lab 121
Manipulating the IV to generate predictable results 122
Flipping to root – privilege escalation via CBC bit-flipping 125
Sneaking your data in – hash length extension attacks 128
Setting up your hash attack lab 128
Understanding SHA-1's running state and compression function 129
Data injection with the hash length extension attack 133
Busting the padding oracle with PadBuster 138
Interrogating the padding oracle 139
Decrypting a CBC block with PadBuster 140
Behind the scenes of the oracle padding attack 142
Summary 144
Questions 144
Further reading 144
Chapter 6: Advanced Exploitation with Metasploit 146
Technical requirements 147
How to get it right the first time – generating payloads 147
Installing Wine32 and Shellter 147
Payload generation goes solo – working with msfvenom 148
Creating nested payloads 150
Helter Skelter evading antivirus with Shellter 152
Modules – the bread and butter of Metasploit 155
Building a simple Metasploit auxiliary module 155
Efficiency and attack organization with Armitage 159
Getting familiar with your Armitage environment 160
Enumeration with Armitage 161
Exploitation made ridiculously simple with Armitage 162
A word about Armitage and the pen tester mentality 164
Social engineering attacks with Metasploit payloads 165
Creating a Trojan with Shellter 166
Preparing a malicious USB drive for Trojan delivery 168
Summary 169
Questions 169
Further reading 169
Chapter 7: Stack and Heap Memory Management 170
Technical requirements 170
An introduction to debugging 171
Understanding the stack 172
Understanding registers 172
Assembly language basics 174
Disassemblers, debuggers, and decompilers – oh my! 176
Getting cozy with the Linux command-line debugger – GDB 177
Stack smack – introducing buffer overflows 178
Examining the stack and registers during execution 180
Lilliputian concerns – understanding endianness 183
Introducing shellcoding 184
Hunting bytes that break shellcode 184
Generating shellcode with msfvenom 186
Grab your mittens, we're going a NOP sledding 187
Summary 189
Questions 189
Further reading 189
Chapter 8: Windows Kernel Security 190
Technical requirements 191
Kernel fundamentals – understanding how kernel attacks work 191
Kernel attack vectors 193
The kernel's role as time cop 193
It's just a program 195
Pointing out the problem – pointer issues 195
Dereferencing pointers in C and assembly 195
Understanding NULL pointer dereferencing 197
The Win32k kernel-mode driver 198
Passing an error code as a pointer to xxxSendMessage() 200
Metasploit – exploring a Windows kernel exploit module 202
Practical kernel attacks with Kali 206
An introduction to privilege escalation 206
Escalating to SYSTEM on Windows 7 with Metasploit 207
Summary 209
Questions 209
Further reading 210
Chapter 9: Weaponizing Python 211
Technical requirements 212
Incorporating Python into your work 212
Why Python? 213
Getting cozy with Python in your Kali environment 214
Introducing Vim with Python syntax awareness 215
Python network analysis 217
Python modules for networking 218
Building a Python client 219
Building a Python server 221
Building a Python reverse shell script 225
Antimalware evasion in Python 226
Creating Windows executables of your Python scripts 227
Preparing your raw payload 228
Writing your payload retrieval and delivery in Python 229
Python and Scapy – a classy pair 231
Revisiting ARP poisoning with Python and Scapy 232
Summary 236
Questions 236
Further reading 237
Chapter 10: Windows Shellcoding 238
Technical requirements 239
Taking out the guesswork – heap spraying 239
Memory allocation – stack versus heap 239
Shellcode whac-a-mole – heap spraying fundamentals 241
Shellcode generation for the Java vulnerability 242
Creating the malicious website to exploit Java 243
Debugging Internet Explorer with WinDbg 246
Examining memory after spraying the heap 248
Fine-tuning your attack and getting a shell 250
Understanding Metasploit shellcode delivery 252
Encoder theory and techniques – what encoding is and isn't 252
Windows binary disassembly within Kali 253
Injection with Backdoor Factory 256
Code injection fundamentals – fine-tuning with BDF 256
Trojan engineering with BDF and IDA 259
Summary 265
Questions 266
Further reading 266
Chapter 11: Bypassing Protections with ROP 267
Technical requirements 268
DEP and ASLR – the intentional and the unavoidable 268
Understanding DEP 268
Understanding ASLR 269
Testing DEP protection with WinDbg 271
Demonstrating ASLR on Kali Linux with C 274
Introducing return-oriented programming 275
Borrowing chunks and returning to libc – turning the code against itself 275
The basic unit of ROP – gadgets 277
Getting cozy with our tools – MSFrop and ROPgadget 278
Metasploit Framework's ROP tool – MSFrop 278
Your sophisticated ROP lab – ROPgadget 279
Creating our vulnerable C program without disabling protections 281
No PIE for you – compiling your vulnerable executable without ASLR hardening 281
Generating a ROP chain 281
Getting hands-on with the return-to-PLT attack 282
Extracting gadget information for building your payload 283
Finding the .bss address 283
Finding a pop pop ret structure 284
Finding addresses for system@plt and strcpy@plt functions 284
Finding target characters in memory with ROPgadget and Python 285
Go, go, gadget ROP chain – bringing it together for the exploit 286
Finding the offset to return with gdb 286
Writing the Python exploit 287
Summary 289
Questions 290
Further reading 290
Chapter 12: Fuzzing Techniques 291
Technical requirements 292
Network fuzzing – mutation fuzzing with Taof proxying 292
Configuring the Taof proxy to target the remote service 293
Fuzzing by proxy – generating legitimate traffic 295
Hands-on fuzzing with Kali and Python 299
Picking up where Taof left off with Python – fuzzing the vulnerable FTP server 299
The other side – fuzzing a vulnerable FTP client 301
Writing a bare-bones FTP fuzzer service in Python 301
Crashing the target with the Python fuzzer 303
Fuzzy registers – the low-level perspective 305
Calculating the EIP offset with the Metasploit toolset 305
Shellcode algebra – turning the fuzzing data into an exploit 309
Summary 310
Questions 310
Further reading 311
Chapter 13: Going Beyond the Foothold 312
Technical requirements 312
Gathering goodies – enumeration with post modules 313
ARP enumeration with meterpreter 313
Forensic analysis with meterpreter – stealing deleted files 315
Privileges enumeration with meterpreter 317
Internet Explorer enumeration – discovering internal web resources 318
Network pivoting with Metasploit 319
Just a quick review of subnetting 320
Launching Metasploit into the hidden network with autoroute 321
Escalating your pivot – passing attacks down the line 325
Extracting credentials with hashdump 325
Quit stalling and pass the hash – exploiting password equivalents in Windows 326
Summary 330
Questions 331
Further reading 331
Chapter 14: Taking PowerShell to the Next Level 332
Technical requirements 333
Power to the shell – PowerShell fundamentals 333
What is PowerShell? 333
PowerShell's own cmdlets and PowerShell scripting language 335
Working with the registry 336
Pipelines and loops in PowerShell 337
It gets better – PowerShell's ISE 338
Post-exploitation with PowerShell 340
ICMP enumeration from a pivot point with PowerShell 340
PowerShell as a TCP-connect port scanner 341
Delivering a Trojan to your target via PowerShell 341
Offensive PowerShell – introducing the Empire framework 343
Installing and introducing PowerShell Empire 343
Configuring listeners 347
Configuring stagers 349
Your inside guy – working with agents 350
Configuring a module for agent tasking 353
Summary 354
Questions 354
Further reading 354
Chapter 15: Escalating Privileges 355
Technical requirements 355
Climb the ladder with Armitage 356
Named pipes and security contexts 356
Impersonating the security context of a pipe client 357
Superfluous pipes and pipe creation race conditions 358
Moving past the foothold with Armitage 358
Armitage pivoting 360
When the easy way fails – local exploits 363
Kernel pool overflow and the danger of data types 363
Let's get lazy – Schlamperei privilege escalation on Windows 7 364
Escalation with WMIC and PS Empire 365
Quietly spawning processes with WMIC 366
Create a PowerShell Empire agent with remote WMIC 368
Escalating your agent to SYSTEM via access token theft 371
Dancing in the shadows – looting domain controllers with vssadmin 373
Extracting the NTDS database and SYSTEM hive from a shadow copy 374
Exfiltration across the network with cifs 375
Password hash extraction with libesedb and ntdsxtract 376
Summary 379
Questions 380
Further reading 380
Chapter 16: Maintaining Access 381
Technical requirements 382
Persistence with Metasploit and PowerShell Empire 382
Creating a payload for Metasploit persister 382
Configuring the Metasploit persistence module and firing away 383
Verifying your persistent Meterpreter backdoor 384
Not to be outdone – persistence in PS Empire 384
Elevating the security context of our Empire agent 385
Creating a WMI subscription for stealthy persistence of your agent 386
Verifying agent persistence 386
Hack tunnels – netcat backdoors on the fly 387
Uploading and configuring persistent netcat with meterpreter 387
Remotely tweaking Windows Firewall to allow inbound netcat connections 388
Verifying persistence is established 389
Maintaining access with PowerSploit 389
Installing the persistence module in PowerShell 389
Configuring and executing meterpreter persistence 392
Lying in wait – verifying persistence 394
What did the persistence script do? 395
Summary 396
Questions 397
Further reading 397
Chapter 17: Tips and Tricks 398
Getting familiar with VMware Workstation 398
VMware versus Oracle for desktop virtualization 399
Building your attack lab 400
Finding Windows machines for your lab 400
Downloading Edge tester VMs for developers 401
Downloading an evaluation copy of Windows Server 402
Installing Windows from an OEM disc or downloaded ISO file 402
Network configuration tricks 403
Network address translation and VMnet subnets 403
Using the Virtual Network Editor 404
Further reading 405
Appendix A: Assessment 407
Chapter 1: Bypassing Network Access Control 407
Chapter 2: Sniffing and Spoofing 407
Chapter 3: Windows Passwords on the Network 407
Chapter 4: Advanced Network Attacks 408
Chapter 5: Cryptography and the Penetration Tester 408
Chapter 6: Advanced Exploitation with Metasploit 409
Chapter 7: Stack and Heap Memory Management 409
Chapter 8: Windows Kernel Security 410
Chapter 9: Weaponizing Python 410
Chapter 10: Windows Shellcoding 410
Chapter 11: Bypassing Protections with ROP 411
Chapter 12: Fuzzing Techniques 411
Chapter 13: Going Beyond the Foothold 411
Chapter 14: Taking PowerShell to the Next Level 412
Chapter 15: Escalating Privileges 412
Chapter 16: Maintaining Access 413
Other Books You May Enjoy 414
Index 417


This book takes a hands-on approach to teaching and understanding penetration testing
concepts at an intermediate to advanced level. It's designed to lay the foundation for
advanced roles in the field with an engaging and easy-to-follow style. There are a lot of
books on the subject of penetration testing, but what makes this book special is its
emphasis on the underlying logic and mechanisms of the concept at hand. Recognizing that
there aren't enough pages to give each subject what it deserves, this book takes a
springboard approach to the topics by providing enough key information and theory to
inform further research outside of these pages. The reader can thus spend less time
searching and more time learning.

Who this book is for
This book is for penetration testers who want to break out of old routines, security
professionals who want to break into penetration testing, security managers who want to
understand penetration testing, and young security students and professionals who excel in
ethical-hacking boot camps.

What this book covers
Chapter 1, Bypassing Network Access Control, focuses on getting a foothold in the network.
Network Access Control systems, or NACs, rely on certain detection technologies; this
chapter reviews them and how they work at a low level.
Chapter 2, Sniffing and Spoofing, will discuss advanced Wireshark techniques to give the
reader practical experience in low-level traffic analysis. The reader will then learn applied
network-spoofing attacks, focusing on layer-2 poisoning attacks and DNS spoofing.
Chapter 3, Windows Passwords on the Network, demonstrates advanced Windows password
attacks. The chapter reviews how Windows passwords are carried over the network and
then provides practical demonstrations of capturing, understanding, and cracking
Windows passwords to gain access.
Chapter 4, Advanced Network Attacks, ties together the network-hacking portion with
coverage of advanced concepts. We cover software-update hijacking, SSL stripping, and
routers. A discussion of IPv6 is included along with practical demonstrations of using Kali
to attack IPv6 implementations.
Chapter 5, Cryptography and the Penetration Tester, discusses cryptographic system
implementations and practical attacks against them. Attacking message integrity via bit-flipping
is demonstrated against the AES implementation of cipher block chaining. We also
look at length-extension attacks and run through a demonstration of how they work.
Another demonstration of an attack against confidentiality is given with a padding-oracle
attack using Kali.
Chapter 6, Advanced Exploitation with Metasploit, will take the reader to the next level with
the standard attack framework in every pen tester's toolkit: Metasploit. The finer points of
exploits in Metasploit are discussed, including working with the payload generator,
metamodules, and building custom modules. Attacks will be demonstrated while
organizing them with Metasploit's task automation features.
Chapter 7, Stack and Heap – Memory Management, guides the reader through understanding
memory management for practical application to pen testing. An introduction to stack
overflow attacks is demonstrated step by step. The reader will use a debugger to turn
software bugs, once found, into exploitation opportunities.
Chapter 8, Windows Kernel Security, guides the reader through understanding and
attacking the other side of the Windows virtual address space: the kernel. The reader will
understand the fundamentals of kernel exploitation, including context switching and the
use of the scheduler to inform race condition attacks, as well as the vulnerabilities that the
hacker seeks to exploit, including pointer issues such as NULL pointer dereferencing and
corrupted pointers.
Chapter 9, Weaponizing Python, is a crash course in Python to bring the reader to a level of
understanding that will facilitate pen testing tasks with Python modules. Some of the
techniques covered that can be transformed into pen testing tools include network analysis
with Python and Scapy.
Chapter 10, Windows Shellcoding, will step through stack-protection mechanisms of the
Windows OS and demonstrate practical bypass methods. We demonstrate heap spraying
with step-by-step explanations, as well as exploit creation.
Chapter 11, Bypassing Protections with ROP, will guide the reader through understanding
Windows memory protection mechanisms and bypassing them with Return-Oriented
Programming (ROP). The mechanisms discussed are Data Execution Prevention (DEP)
and Address Space Layout Randomization (ASLR). The reader will understand the core
assembly mechanisms that allow ROP to work, building on knowledge of memory
management from other chapters.
Chapter 12, Fuzzing Techniques, guides the reader through practical fuzzing techniques.
The reader will understand the core principle and what is happening at the low
memory-management level. The reader will gain hands-on experience with trial-and-error
fuzzing of applications. From there, we move on to more advanced fuzzing techniques,
such as protocol fuzzing.
Chapter 13, Going Beyond the Foothold, explores the post-exploitation modules of
Metasploit. The Windows post modules are introduced and practically demonstrated so the
reader will know how to capture keystrokes from a compromised Windows host, scan the
network for new targets, and learn and exploit trust relationships to complete the pivot. We
then cover enumeration on the compromised Windows host to inform post-exploitation efforts.
Chapter 14, Taking PowerShell to the Next Level, guides the reader through PowerShell
fundamentals with hands-on examples, and then moves on to offensive PowerShell
techniques. Post-exploitation with the PowerShell Empire framework on Kali is explained
and demonstrated in practical hands-on examples.
Chapter 15, Escalating Privileges, steps through Metasploit and PS Empire techniques while
analyzing the core mechanisms, including duplication of tokens and named pipe
impersonation. The reader will review local exploit options, a method for attacking Active
Directory credentials on a domain controller, and a technique that leverages the Windows
Management Instrumentation Command line (WMIC).
Chapter 16, Maintaining Access, guides the reader through a series of hands-on
demonstrations of access maintenance via backdoors using tools such as Netcat. Metasploit,
PS Empire, and PowerSploit persistence abilities are also discussed and demonstrated.
Chapter 17, Tips and Tricks, provides a brief discussion of virtualization on Windows to
assist the reader in setting up a hacking lab with some hints on advanced virtual network
