-->
Navigation
The Hacker Playbook 2

The Hacker Playbook 2

Now pay Easier and Secure using Paypal
Price:

Read more

- Practical Guide To Penetration Testing -

Peter Kim

Library of Congress Control Number: 2015908471
CreateSpace Independent Publishing Platform
North Charleston, South Carolina
MHID:
Book design and production by Peter Kim, Secure Planet LLC
Cover design by Dit Vannouvong
Publisher: Secure Planet LLC
Published: 1st July 2015

e-books shop
e-books shop
Purchase Now !
Just with Paypal



Book Details
 Price
 3.00
 Pages
 398 p
 File Size 
 23,766 KB
 File Type
 PDF format
 ISBN-13
 ISBN-10
 978-1512214567
 1512214566
 Copyright©   
 2015 by Secure Planet LLC 

Preface
This is the second iteration of The Hacker Playbook (THP). For those that read the first book, this is
an extension of that book. Below is an overview of all of the new vulnerabilities and attacks that will
be discussed. In addition to the new content, attacks and techniques from the first book, which are still
relevant today, are included to eliminate the need to refer back to the first book. So, what’s new?
Some of the updated attacks from the last year and a half include:
● Heartbleed
● ShellShock
● Kerberos issues (Golden Ticket/Skeleton Key)
● PTH Postgres
● New Spear Phishing
● Better/Cheaper Dropboxes
● Faster/Smarter Password Cracking
● New WIFI attacks
● Tons of PowerShell scripts
● Privilege Escalation Attacks
● Mass network compromises
● Moving laterally smarter
● Burp Modules
● Printer Exploits
● Backdoor Factory
● ZAP Proxy
● Sticky Keys
● NoSQL Injection
● Commercial Tools (Cobalt Strike, Canvas, Core Impact)
● Lab sections
● And so much more
In addition to describing the attacks that have changed in the last couple years, I have attempted to
incorporate all of the comments and recommendations received from readers of the first book into this
second book. A more in-depth look into how to set up a lab environment in which to test your attacks
is also given, along with the newest tips and tricks of penetration testing. Lastly, I tried to make this
version easier to follow since many schools have incorporated my book into their curricula.
Whenever possible, I have added lab sections that help provide a way to test a vulnerability or exploit.

Introduction
You have been hired as a penetration tester for a large industrial company called Secure Universal
Cyber Kittens, Inc. or SUCK, for short. They are developing future weapons to be used by the highest
bidder and you have been given the license to kill…okay, maybe not kill, but the license to hack. This
authorization gives you full approval to use any tactic in your arsenal to try to break into and steal the
company’s trade secrets.

As you pack your laptop, drop boxes, rubber duckies, Proxmarks, and cables, you almost forget the
most important thing…The Hacker Playbook 2 (THP). You know that THP will help get you out of
some of the stickiest situations. Your mind begins hazing back to your last engagement…

After cloning some badges and deploying your drop box on the network, you run out of the office,
barely sneaking past the security guards. Your drop box connects back to your SSH server and now
you are on their network. You want to stay pretty quiet on the network and not trigger any IDS
signatures. What do you look for? You flip to the Before the Snap chapter and remember printers!
You probe around for a multifunction printer and see that it is configured with default passwords.

Great! You re-configure LDAP on the printer, set up your netcat listener, and obtain Active Directory
credentials. Since you don’t know what permissions these credentials have, you try to psexec to a
Windows machine with a custom SMBexec payload. The credentials work and you are now a regular
user. After a couple tricks with PowerTools in the Lateral Pass section, you move to local admin and
pull passwords from memory with Mimikatz. Phew… you sigh… this is too easy. After pulling
passwords for a few accounts, you find where the domain admins (DA) are and connect to their boxes
to pull passwords again. With domain admin creds, it is pretty straightforward to dump the Domain
controller (DC) with psexec_ntdsgrab and then clear your tracks…
Glad you didn’t forget your copy of THP!

Table of Contents
Preface
Introduction
Standards
Updates
Pregame - The Setup
Building A Lab
Building Out A Domain
Building Out Additional Servers
Practice
Building Your Penetration Testing Box
Setting Up A Penetration Testing Box
Hardware
Open Source Versus Commercial Software
Setting Up Your Boxes
Setting Up Kali Linux
Windows VM
Setting Up Windows
Power Up With Powershell
Easy-P
Learning
Metasploitable 2
Binary Exploitation
Summary
Passive Discovery - Open Source Intelligence (OSINT)
Recon-NG
Discover Scripts
Spiderfoot
Creating Password Lists:
Wordhound
Brutescrape
Using Compromised Lists To Find Email Addresses And
Credentials
Gitrob - Github Analysis
OSINT Data Collection
External/Internal Active Discovery
Masscan
Sparta
Http Screenshot
Vulnerability Scanning:
Rapid7 Nexpose/Tenable Nessus
Openvas
Web Application Scanning
The Process For Web Scanning
Web Application Scanning
OWASP Zap Proxy
Parsing Nessus, Nmap, Burp
Summary
The Drive - Exploiting Scanner Findings
Metasploit
From A Terminal In Kali - Initialize And Start Metasploit:
Running Metasploit - Common Configuration Commands:
Running Metasploit - Post Exploitation And Other
Using Metasploit For MS08-067:
Scripts
WarFTP Example
Printers
Heartbleed
Shellshock
Shellshock Lab
Dumping Git Repositories (Kali Linux)
NoSQLmap
Starting NoSQLmap:
Elastic Search (Kali Linux)
Elastic Search Lab:
Summary
Web Application Penetration Testing
SLQ Injections
Manual SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Session Tokens
Additional Fuzzing/Input Validation
Other OWASP Top Ten Vulnerabilities
Functional/Business Logic Testing
Conclusion
The Lateral Pass - Moving Through The Network
On The Network Without Credentials:
Responder.py
ARP (address resolution protocol) Poisoning
Cain and Abel
Ettercap
Backdoor Factory Proxy
Steps After Arp Spoofing:
With Any Domain Credentials (Non-Admin):
Initial System Recon
Group Policy Preferences:
Additional Post Exploitation Tips
Privilege Escalation:
Zero To Hero - Linux:
With Any Local Administrative or Domain Admin Account:
Owning The Network With Credentials And Psexec:
Psexec Commands Across Multiple IPS (Kali Linux)
Move Laterally With WMI (windows)
Kerberos - MS14-068:
Pass-The-Ticket
Lateral Movement With Postgres SQL
Pulling Cached Credentials
Attacking The Domain Controller:
SMBExec
PSExec_NTDSgrab
Persistence
Veil And Powershell
Persistence With Schedule Tasks
Golden Ticket
Skeleton Key
Sticky Keys
Conclusion
The Screen - Social Engineering
Doppelganger Domains
SMTP Attack
SSH Attack
Phishing
Manual Phishing Code
Phishing Reporting
The Onside Kick - Attacks That Require Physical Access
Exploiting Wireless
Passive - Identification and Reconnaissance
Active Attacks
Badge Cloning
Get It Working In Kali Nethunter
Kon-Boot
Windows
OS X:
Pentesting Drop Box - Raspberry Pi 2
Rubber Ducky
(http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe)
Conclusion
The Quarterback Sneak - Evading AV
Evading AV
The Backdoor Factory
Hiding WCE From AV (windows)
Veil
SMBExec
PeCloak.py
Python
Other Keyloggers
Keylogger Using Nishang
Keylogger Using Powersploit
Conclusion
Special Teams - Cracking, Exploits, And Tricks
Password Cracking
John The Ripper
OclHashcat
Vulnerability Searching
Searchsploit (Kali Linux)
Bugtraq
Exploit-db
Querying Metasploit
Tips and Tricks
RC Scripts Within Metasploit
Windows Sniffer
Bypass UAC
Kali Linux Nethunter
Building A Custom Reverse Shell
Evading Application Based Firewalls
Powershell
Windows 7/8 Uploading Files To The Host
Pivoting
Commercial Tools:
Cobalt Strike:
Immunity Canvas
Core Impact
Ten-Yard Line:
Twenty-Yard Line:
Thirty-Yard Line:
Fifty-Yard Line:
Seventy-Yard Line:
Eighty-Yard Line:
Goal Line:
Touchdown! Touchdown! Touchdown!
Bug Bounties:
Major Security Conferences:
Training Courses:
Free Training:
Capture The Flag (CTF)
Keeping Up To Date
Mailing Lists
Podcasts
Learning From The Bad Guys
Some Examples:
Final Notes
Special Thanks


Bookscreen
e-books shop

Final Notes
Now, you have fully compromised the SUCK organization, cracked all the passwords, found all of
their weakness, and made it out clean. It is time to take everything you learned and build on top of
that. I have already recommended that you get involved with your local security groups and/or
participate in security conferences. You can also start a blog and start playing with these different
tools. Find out what works and what doesn’t and see how you can attack more efficiently and be
silent on the network. It will take some time outside your normal 9-to-5 job, but it will definitely be worth it.

I hope you have found the content in this book to be something of value and picked up some tips and
tricks. I wrote this second book mainly because security is always changing and it is really important
to stay on top of your game. As I have emphasized throughout this book and the prior one, there isn’t a
point when you can say you have mastered security. However, once you have the basics down pat, the
high-level attacks don’t really change. We see time and time again that old attacks come back and that
you always need to be ready.

If you did find this book to be helpful, please feel free to leave me a comment on the book’s website.
It will help me to continue developing better content and see what topics you would like to hear more
about . If I forgot to mention someone in this book or I misspoke on a topic, I apologize in advance
and will try my best to provide updated/corrected information on the book website.
Subscribe for Book Updates:
Twitter: @HackerPlaybook
*From the last book, I know that many of you downloaded copies of my book through less than legal
means. Although I don’t promote it, I am glad that I was able to share my knowledge and hope this
continues your interest in computer security. If you did happen to stumble on this copy somewhere on
the “internets” and did like my book, feel free to donate to the BTC address below. All proceeds will
go directly to LETHAL (http://www.meetup.com/lethal/) to promote the growth of our security community.
Happy Hacking!

0