The Hacker Playbook 3: Practical Guide To Penetration Testing

The Hacker Playbook 3: Practical Guide To Penetration Testing

Now pay Easier and Secure using Paypal

Read more

Red Team Edition

Peter Kim

e-books shop
e-books shop
Purchase Now !
Just with Paypal

Book Details
 337 p
 File Size 
 8,923 KB
 File Type
 PDF format
 2018 by Secure Planet LLC 

About the Author
Peter Kim has been in the information security industry for more than 14 years
and has been running Penetration Testing/Red Teams for more than 12 years.
He has worked for multiple utility companies, Fortune 1000 entertainment
companies, government agencies, and large financial organizations. Although
he is most well-known for The Hacker Playbook series, his passions are building
a safe security community, mentoring students, and training others. He founded
and maintains one of Southern California's largest technical security clubs called
LETHAL (www.meetup.com/LETHAL), performs private training at his
warehouse LETHAL Security (lethalsecurity.com), and runs a boutique
penetration testing firm called Secure Planet (www.SecurePla.net).

Peter's main goal with The Hacker Playbook series is to instill passion into his
readers and get them to think outside the box. With the ever-changing
environment of security, he wants to help build the next generation of security professionals.
Feel free to contact Peter Kim for any of the following:
Questions about the book: book@thehackerplaybook.com
Inquiries on private training or Penetration Tests: secure@securepla.net
Twitter: @hackerplaybook

This is the third iteration of The Hacker Playbook (THP) series. Below is an
overview of all the new vulnerabilities and attacks that will be discussed. In
addition to the new content, some attacks and techniques from the prior books
(which are still relevant today) are included to eliminate the need to refer back to
the prior books. So, what's new? Some of the updated topics from the past
couple of years include:
Abusing Active Directory
Abusing Kerberos
Advanced Web Attacks
Better Ways to Move Laterally
Cloud Vulnerabilities
Faster/Smarter Password Cracking
Living Off the Land
Lateral Movement Attacks
Multiple Custom Labs
Newer Web Language Vulnerabilities
Physical Attacks
Privilege Escalation
PowerShell Attacks
Ransomware Attacks
Red Team vs Penetration Testing
Setting Up Your Red Team Infrastructure
Usable Red Team Metrics
Writing Malware and Evading AV
And so much more
Additionally, I have attempted to incorporate all of the comments and
recommendations received from readers of the first and second books. I do want
to reiterate that I am not a professional author. I just love security and love
teaching security and this is one of my passion projects. I hope you enjoy it.

This book will also provide a more in-depth look into how to set up a lab
environment in which to test your attacks, along with the newest tips and tricks
of penetration testing. Lastly, I tried to make this version easier to follow since
many schools have incorporated my book into their curricula. Whenever
possible, I have added lab sections that help provide a way to test a vulnerability or exploit.

As with the other two books, I try to keep things as realistic, or “real world”, as
possible. I also try to stay away from theoretical attacks and focus on what I
have seen from personal experience and what actually worked. I think there has
been a major shift in the industry from penetration testers to Red Teamers, and I
want to show you rather than tell you why this is so. As I stated before, my
passion is to teach and challenge others. So, my goals for you through this book
are two-fold: first, I want you to get into the mindset of an attacker and
understand “the how” of the attacks; second, I want you to take the tools and
techniques you learn and expand upon them. Reading and repeating the labs is
only one part – the main lesson I teach to my students is to let your work speak
for your talents. Instead of working on your resume (of course, you should have
a resume), I really feel that having a strong public Github repo/technical blog
speaks volumes in security over a good resume. Whether you live in the blue
defensive or red offensive world, getting involved and sharing with our security
community is imperative.

For those who did not read either of my two prior books, you might be
wondering what my experience entails. My background includes more than 12
years of penetration testing/red teaming for major financial institutions, large
utility companies, Fortune 500 entertainment companies, and government
organizations. I have also spent years teaching offensive network security at
colleges, spoken at multiple security conferences, been referenced in many
security publications, taught courses all over the country, ran multiple public
CTF competitions, and started my own security school. One of my big passion
project was building a free and open security community in Southern California
called LETHAL (meetup.com/lethal). Now, with over 800+ members, monthly
meetings, CTF competitions, and more, it has become an amazing environment
for people to share, learn, and grow.

One important note is that I am using both commercial and open source tools.
For every commercial tool discussed, I try to provide an open source
counterpart. I occasionally run into some pentesters who claim they only use
open source tools. As a penetration tester, I find this statement hard to accept. If
you are supposed to emulate a “real world” attack, the “bad guys” do not have
these restrictions; therefore, you need to use any tool (commercial or open
source) that will get the job done.

A question I get often is, who is this book intended for? It is really hard to state
for whom this book is specifically intended as I truly believe anyone in security
can learn. Parts of this book might be too advanced for novice readers, some
parts might be too easy for advanced hackers, and other parts might not even be
in your field of security.

For those who are just getting into security, one of the most common things I
hear from readers is that they tend to gain the most benefit from the books after
reading them for the second or third time (making sure to leave adequate time
between reads). There is a lot of material thrown at you throughout this book
and sometimes it takes time to absorb it all. So, I would say relax, take a good
read, go through the labs/examples, build your lab, push your scripts/code to a
public Github repository, and start up a blog.

Lastly, being a Red Team member is half about technical ability and half about
having confidence. Many of the social engineering exercises require you to
overcome your nervousness and go outside your comfort zone. David Letterman
said it best, "Pretending to not be afraid is as good as actually not being afraid."
Although this should be taken with a grain of salt, sometimes you just have to
have confidence, do it, and don't look back.

Table of Contents
Notes and Disclaimer
Penetration Testing Teams vs Red Teams
1 Pregame - The Setup
Assumed Breach Exercises
Setting Up Your Campaign
Setting Up Your External Servers
Tools of the Trade
Metasploit Framework
Cobalt Strike
PowerShell Empire
Pupy Shell
2 Before the Snap - Red Team Recon
Monitoring an Environment
Regular Nmap Diffing
Web Screenshots
Cloud Scanning
Network/Service Search Engines
Manually Parsing SSL Certificates
Subdomain Discovery
Additional Open Source Resources
3 The Throw - Web Application Exploitation
Bug Bounty Programs:
Web Attacks Introduction - Cyber Space Kittens
The Red Team Web Application Attacks
Chat Support Systems Lab
Cyber Space Kittens: Chat Support Systems
Setting Up Your Web Application Hacking Machine
Analyzing a Web Application
Web Discovery
Cross-Site Scripting XSS
Blind XSS
Advanced XSS in NodeJS
XSS to Compromise
NoSQL Injections
Deserialization Attacks
Template Engine Attacks - Template Injections
JavaScript and Remote Code Execution
Server Side Request Forgery (SSRF)
XML eXternal Entities (XXE)
Advanced XXE - Out Of Band (XXE-OOB)
4 The Drive - Compromising the Network
Finding Credentials from Outside the Network
Advanced Lab
Moving Through the Network
Setting Up the Environment - Lab Network
On the Network with No Credentials
Better Responder (MultiRelay.py)
PowerShell Responder
User Enumeration Without Credentials
Scanning the Network with CrackMapExec (CME)
After Compromising Your Initial Host
Privilege Escalation
Privilege Escalation Lab
Pulling Clear Text Credentials from Memory
Getting Passwords from the Windows Credential Store and Browsers
Getting Local Creds and Information from OSX
Living Off of the Land in a Windows Domain Environment
Service Principal Names
Querying Active Directory
Moving Laterally - Migrating Processes
Moving Laterally Off Your Initial Host
Lateral Movement with DCOM
Gaining Credentials from Service Accounts
Dumping the Domain Controller Hashes
Lateral Movement via RDP over the VPS
Pivoting in Linux
Privilege Escalation
Linux Lateral Movement Lab
Attacking the CSK Secure Network
5 The Screen - Social Engineering
Building Your Social Engineering (SE) Campaigns
Doppelganger Domains
How to Clone Authentication Pages
Credentials with 2FA
Microsoft Word/Excel Macro Files
Non-Macro Office Files - DDE
Hidden Encrypted Payloads
Exploiting Internal Jenkins with Social Engineering
6 The Onside Kick - Physical Attacks
Card Reader Cloners
Physical Tools to Bypass Access Points
LAN Turtle (lanturtle.com)
Packet Squirrel
Bash Bunny
Breaking into Cyber Space Kittens
7 The Quarterback Sneak - Evading AV and Network Detection
Writing Code for Red Team Campaigns
The Basics Building a Keylogger
Setting up your environment
Compiling from Source
Sample Framework
THP Custom Droppers
Shellcode vs DLLs
Running the Server
Configuring the Client and Server
Adding New Handlers
Further Exercises
Recompiling Metasploit/Meterpreter to Bypass AV and Network Detection
How to Build Metasploit/Meterpreter on Windows:
Creating a Modified Stage 0 Payload:
Application Whitelisting Bypass
Code Caves
PowerShell Obfuscation
PowerShell Without PowerShell:
8 Special Teams - Cracking, Exploits, and Tricks
Automating Metasploit with RC scripts
Automating Empire
Automating Cobalt Strike
The Future of Automation
Password Cracking
Gotta Crack Em All - Quickly Cracking as Many as You Can
Cracking the CyberSpaceKittens NTLM hashes:
Creative Campaigns
Disabling PS Logging
Windows Download File from Internet Command Line
Getting System from Local Admin
Retrieving NTLM Hashes without Touching LSASS
Building Training Labs and Monitor with Defensive Tools
9 Two-Minute Drill - From Zero to Hero
10 Post Game Analysis - Reporting
Continuing Education
About the Author
special thanks

e-books shop

In the last engagement (The Hacker Playbook 2), you were tasked with breaking
into the Cyber Kittens weapons facility. They are now back with their brand
new space division called Cyber Space Kittens (CSK). This new division took
all the lessons learned from the prior security assessment to harden their
systems, set up a local security operations center, and even create security
policies. They have hired you to see if all of their security controls have helped
their overall posture.

From the little details we have picked up, it looks like Cyber Space Kittens has
discovered a secret planet located in the Great Andromeda Nebula or
Andromeda Galaxy. This planet, located on one of the two spiral arms, is
referred to as KITT-3n. KITT-3n, whose size is double that of Earth, resides in
the binary system called OI 31337 with a star that is also twice the size of
Earth’s star. This creates a potentially habitable environment with oceans, lakes,
plants, and maybe even life…

With the hope of new life, water, and another viable planet, the space race is
real. CSK has hired us to perform a Red Team assessment to make sure they are
secure, and capable of detecting and stopping a breach. Their management has
seen and heard of all the major breaches in the last year and want to hire only the
best. This is where you come in...

Your mission, if you choose to accept it, is to find all the external and internal
vulnerabilities, use the latest exploits, use chained vulnerabilities, and see if their
defensive teams can detect or stop you.

What types of tactics, threats, and procedures are you going to have to employ?
In this campaign, you are going to need to do a ton of reconnaissance and
discovery, look for weaknesses in their external infrastructure, social engineer
employees, privilege escalate, gain internal network information, move laterally
throughout the network, and ultimately exfiltrate KITT-3n systems and databases.