
Red Team Edition

Peter Kim


e-books shop

Book Details
Price: 4.00
Pages: 337 p
File Size: 8,923 KB
File Type: PDF format
ISBN-13: 978-1980901754
Copyright © 2018 by Secure Planet LLC

About the Author
Peter Kim has been in the information security industry for more than 14 years
and has been running Penetration Testing/Red Teams for more than 12 years.
He has worked for multiple utility companies, Fortune 1000 entertainment
companies, government agencies, and large financial organizations. Although
he is most well-known for The Hacker Playbook series, his passions are building
a safe security community, mentoring students, and training others. He founded
and maintains one of Southern California's largest technical security clubs called
LETHAL (www.meetup.com/LETHAL), performs private training at his
warehouse LETHAL Security (lethalsecurity.com), and runs a boutique
penetration testing firm called Secure Planet (www.SecurePla.net).

Peter's main goal with The Hacker Playbook series is to instill passion into his
readers and get them to think outside the box. With the ever-changing
environment of security, he wants to help build the next generation of security professionals.
Feel free to contact Peter Kim for any of the following:
Questions about the book: book@thehackerplaybook.com
Inquiries on private training or Penetration Tests: secure@securepla.net
Twitter: @hackerplaybook

Preface
This is the third iteration of The Hacker Playbook (THP) series. Below is an
overview of all the new vulnerabilities and attacks that will be discussed. In
addition to the new content, some attacks and techniques from the prior books
(which are still relevant today) are included to eliminate the need to refer back to
the prior books. So, what's new? Some of the updated topics from the past
couple of years include:
Abusing Active Directory
Abusing Kerberos
Advanced Web Attacks
Better Ways to Move Laterally
Cloud Vulnerabilities
Faster/Smarter Password Cracking
Living Off the Land
Lateral Movement Attacks
Multiple Custom Labs
Newer Web Language Vulnerabilities
Physical Attacks
Privilege Escalation
PowerShell Attacks
Ransomware Attacks
Red Team vs Penetration Testing
Setting Up Your Red Team Infrastructure
Usable Red Team Metrics
Writing Malware and Evading AV
And so much more
Additionally, I have attempted to incorporate all of the comments and
recommendations received from readers of the first and second books. I do want
to reiterate that I am not a professional author. I just love security and love
teaching security and this is one of my passion projects. I hope you enjoy it.

This book will also provide a more in-depth look into how to set up a lab
environment in which to test your attacks, along with the newest tips and tricks
of penetration testing. Lastly, I tried to make this version easier to follow since
many schools have incorporated my book into their curricula. Whenever
possible, I have added lab sections that help provide a way to test a vulnerability or exploit.

As with the other two books, I try to keep things as realistic, or “real world”, as
possible. I also try to stay away from theoretical attacks and focus on what I
have seen from personal experience and what actually worked. I think there has
been a major shift in the industry from penetration testers to Red Teamers, and I
want to show you rather than tell you why this is so. As I stated before, my
passion is to teach and challenge others. So, my goals for you through this book
are two-fold: first, I want you to get into the mindset of an attacker and
understand “the how” of the attacks; second, I want you to take the tools and
techniques you learn and expand upon them. Reading and repeating the labs is
only one part – the main lesson I teach to my students is to let your work speak
for your talents. Instead of working on your resume (of course, you should have
a resume), I really feel that having a strong public Github repo/technical blog
speaks volumes in security over a good resume. Whether you live in the blue
defensive or red offensive world, getting involved and sharing with our security
community is imperative.

For those who did not read either of my two prior books, you might be
wondering what my experience entails. My background includes more than 12
years of penetration testing/red teaming for major financial institutions, large
utility companies, Fortune 500 entertainment companies, and government
organizations. I have also spent years teaching offensive network security at
colleges, spoken at multiple security conferences, been referenced in many
security publications, taught courses all over the country, run multiple public
CTF competitions, and started my own security school. One of my big passion
projects was building a free and open security community in Southern California
called LETHAL (meetup.com/lethal). Now, with over 800+ members, monthly
meetings, CTF competitions, and more, it has become an amazing environment
for people to share, learn, and grow.

One important note is that I am using both commercial and open source tools.
For every commercial tool discussed, I try to provide an open source
counterpart. I occasionally run into some pentesters who claim they only use
open source tools. As a penetration tester, I find this statement hard to accept. If
you are supposed to emulate a “real world” attack, the “bad guys” do not have
these restrictions; therefore, you need to use any tool (commercial or open
source) that will get the job done.

A question I get often is, who is this book intended for? It is really hard to state
for whom this book is specifically intended as I truly believe anyone in security
can learn. Parts of this book might be too advanced for novice readers, some
parts might be too easy for advanced hackers, and other parts might not even be
in your field of security.

For those who are just getting into security, one of the most common things I
hear from readers is that they tend to gain the most benefit from the books after
reading them for the second or third time (making sure to leave adequate time
between reads). There is a lot of material thrown at you throughout this book
and sometimes it takes time to absorb it all. So, I would say relax, take a good
read, go through the labs/examples, build your lab, push your scripts/code to a
public Github repository, and start up a blog.

Lastly, being a Red Team member is half about technical ability and half about
having confidence. Many of the social engineering exercises require you to
overcome your nervousness and go outside your comfort zone. David Letterman
said it best, "Pretending to not be afraid is as good as actually not being afraid."
Although this should be taken with a grain of salt, sometimes you just have to
have confidence, do it, and don't look back.


Table of Contents
Contents
Preface
Notes and Disclaimer
Introduction
Penetration Testing Teams vs Red Teams
Summary
1 Pregame - The Setup
Assumed Breach Exercises
Setting Up Your Campaign
Setting Up Your External Servers
Tools of the Trade
Metasploit Framework
Cobalt Strike
PowerShell Empire
dnscat2
p0wnedShell
Pupy Shell
PoshC2
Merlin
Nishang
Conclusion
2 Before the Snap - Red Team Recon
Monitoring an Environment
Regular Nmap Diffing
Web Screenshots
Cloud Scanning
Network/Service Search Engines
Manually Parsing SSL Certificates
Subdomain Discovery
Github
Cloud
Emails
Additional Open Source Resources
Conclusion
3 The Throw - Web Application Exploitation
Bug Bounty Programs:
Web Attacks Introduction - Cyber Space Kittens
The Red Team Web Application Attacks
Chat Support Systems Lab
Cyber Space Kittens: Chat Support Systems
Setting Up Your Web Application Hacking Machine
Analyzing a Web Application
Web Discovery
Cross-Site Scripting XSS
Blind XSS
DOM Based XSS
Advanced XSS in NodeJS
XSS to Compromise
NoSQL Injections
Deserialization Attacks
Template Engine Attacks - Template Injections
JavaScript and Remote Code Execution
Server Side Request Forgery (SSRF)
XML eXternal Entities (XXE)
Advanced XXE - Out Of Band (XXE-OOB)
Conclusion
4 The Drive - Compromising the Network
Finding Credentials from Outside the Network
Advanced Lab
Moving Through the Network
Setting Up the Environment - Lab Network
On the Network with No Credentials
Responder
Better Responder (MultiRelay.py)
PowerShell Responder
User Enumeration Without Credentials
Scanning the Network with CrackMapExec (CME)
After Compromising Your Initial Host
Privilege Escalation
Privilege Escalation Lab
Pulling Clear Text Credentials from Memory
Getting Passwords from the Windows Credential Store and Browsers
Getting Local Creds and Information from OSX
Living Off of the Land in a Windows Domain Environment
Service Principal Names
Querying Active Directory
Bloodhound/Sharphound
Moving Laterally - Migrating Processes
Moving Laterally Off Your Initial Host
Lateral Movement with DCOM
Pass-the-Hash
Gaining Credentials from Service Accounts
Dumping the Domain Controller Hashes
Lateral Movement via RDP over the VPS
Pivoting in Linux
Privilege Escalation
Linux Lateral Movement Lab
Attacking the CSK Secure Network
Conclusion
5 The Screen - Social Engineering
Building Your Social Engineering (SE) Campaigns
Doppelganger Domains
How to Clone Authentication Pages
Credentials with 2FA
Phishing
Microsoft Word/Excel Macro Files
Non-Macro Office Files - DDE
Hidden Encrypted Payloads
Exploiting Internal Jenkins with Social Engineering
Conclusion
6 The Onside Kick - Physical Attacks
Card Reader Cloners
Physical Tools to Bypass Access Points
LAN Turtle (lanturtle.com)
Packet Squirrel
Bash Bunny
Breaking into Cyber Space Kittens
QuickCreds
BunnyTap
WiFi
Conclusion
7 The Quarterback Sneak - Evading AV and Network Detection
Writing Code for Red Team Campaigns
The Basics Building a Keylogger
Setting up your environment
Compiling from Source
Sample Framework
Obfuscation
THP Custom Droppers
Shellcode vs DLLs
Running the Server
Client
Configuring the Client and Server
Adding New Handlers
Further Exercises
Recompiling Metasploit/Meterpreter to Bypass AV and Network Detection
How to Build Metasploit/Meterpreter on Windows:
Creating a Modified Stage 0 Payload:
SharpShooter
Application Whitelisting Bypass
Code Caves
PowerShell Obfuscation
PowerShell Without PowerShell:
HideMyPS
Conclusion
8 Special Teams - Cracking, Exploits, and Tricks
Automation
Automating Metasploit with RC scripts
Automating Empire
Automating Cobalt Strike
The Future of Automation
Password Cracking
Gotta Crack Em All - Quickly Cracking as Many as You Can
Cracking the CyberSpaceKittens NTLM hashes:
Creative Campaigns
Disabling PS Logging
Windows Download File from Internet Command Line
Getting System from Local Admin
Retrieving NTLM Hashes without Touching LSASS
Building Training Labs and Monitor with Defensive Tools
Conclusion
9 Two-Minute Drill - From Zero to Hero
10 Post Game Analysis - Reporting
Continuing Education
About the Author
Special Thanks


Introduction
In the last engagement (The Hacker Playbook 2), you were tasked with breaking
into the Cyber Kittens weapons facility. They are now back with their brand
new space division called Cyber Space Kittens (CSK). This new division took
all the lessons learned from the prior security assessment to harden their
systems, set up a local security operations center, and even create security
policies. They have hired you to see if all of their security controls have helped
their overall posture.

From the little details we have picked up, it looks like Cyber Space Kittens has
discovered a secret planet located in the Great Andromeda Nebula or
Andromeda Galaxy. This planet, located on one of the two spiral arms, is
referred to as KITT-3n. KITT-3n, whose size is double that of Earth, resides in
the binary system called OI 31337 with a star that is also twice the size of
Earth’s star. This creates a potentially habitable environment with oceans, lakes,
plants, and maybe even life…

With the hope of new life, water, and another viable planet, the space race is
real. CSK has hired us to perform a Red Team assessment to make sure they are
secure, and capable of detecting and stopping a breach. Their management has
seen and heard of all the major breaches in the last year and want to hire only the
best. This is where you come in...

Your mission, if you choose to accept it, is to find all the external and internal
vulnerabilities, use the latest exploits, use chained vulnerabilities, and see if their
defensive teams can detect or stop you.

What types of tactics, threats, and procedures are you going to have to employ?
In this campaign, you are going to need to do a ton of reconnaissance and
discovery, look for weaknesses in their external infrastructure, social engineer
employees, privilege escalate, gain internal network information, move laterally
throughout the network, and ultimately exfiltrate KITT-3n systems and databases.

- Practical Guide To Penetration Testing -

Peter Kim

Library of Congress Control Number: 2015908471
CreateSpace Independent Publishing Platform
North Charleston, South Carolina
MHID:
Book design and production by Peter Kim, Secure Planet LLC
Cover design by Dit Vannouvong
Publisher: Secure Planet LLC
Published: 1st July 2015

Book Details
Price: 3.00
Pages: 398 p
File Size: 23,766 KB
File Type: PDF format
ISBN-13: 978-1512214567
ISBN-10: 1512214566
Copyright © 2015 by Secure Planet LLC

Preface
This is the second iteration of The Hacker Playbook (THP). For those that read the first book, this is
an extension of that book. Below is an overview of all of the new vulnerabilities and attacks that will
be discussed. In addition to the new content, attacks and techniques from the first book, which are still
relevant today, are included to eliminate the need to refer back to the first book. So, what’s new?
Some of the updated attacks from the last year and a half include:
● Heartbleed
● ShellShock
● Kerberos issues (Golden Ticket/Skeleton Key)
● PTH Postgres
● New Spear Phishing
● Better/Cheaper Dropboxes
● Faster/Smarter Password Cracking
● New WIFI attacks
● Tons of PowerShell scripts
● Privilege Escalation Attacks
● Mass network compromises
● Moving laterally smarter
● Burp Modules
● Printer Exploits
● Backdoor Factory
● ZAP Proxy
● Sticky Keys
● NoSQL Injection
● Commercial Tools (Cobalt Strike, Canvas, Core Impact)
● Lab sections
● And so much more
In addition to describing the attacks that have changed in the last couple years, I have attempted to
incorporate all of the comments and recommendations received from readers of the first book into this
second book. A more in-depth look into how to set up a lab environment in which to test your attacks
is also given, along with the newest tips and tricks of penetration testing. Lastly, I tried to make this
version easier to follow since many schools have incorporated my book into their curricula.
Whenever possible, I have added lab sections that help provide a way to test a vulnerability or exploit.

Introduction
You have been hired as a penetration tester for a large industrial company called Secure Universal
Cyber Kittens, Inc. or SUCK, for short. They are developing future weapons to be used by the highest
bidder and you have been given the license to kill…okay, maybe not kill, but the license to hack. This
authorization gives you full approval to use any tactic in your arsenal to try to break into and steal the
company’s trade secrets.

As you pack your laptop, drop boxes, rubber duckies, Proxmarks, and cables, you almost forget the
most important thing…The Hacker Playbook 2 (THP). You know that THP will help get you out of
some of the stickiest situations. Your mind begins hazing back to your last engagement…

After cloning some badges and deploying your drop box on the network, you run out of the office,
barely sneaking past the security guards. Your drop box connects back to your SSH server and now
you are on their network. You want to stay pretty quiet on the network and not trigger any IDS
signatures. What do you look for? You flip to the Before the Snap chapter and remember printers!
You probe around for a multifunction printer and see that it is configured with default passwords.

Great! You re-configure LDAP on the printer, set up your netcat listener, and obtain Active Directory
credentials. Since you don’t know what permissions these credentials have, you try to psexec to a
Windows machine with a custom SMBexec payload. The credentials work and you are now a regular
user. After a couple tricks with PowerTools in the Lateral Pass section, you move to local admin and
pull passwords from memory with Mimikatz. Phew… you sigh… this is too easy. After pulling
passwords for a few accounts, you find where the domain admins (DA) are and connect to their boxes
to pull passwords again. With domain admin creds, it is pretty straightforward to dump the Domain
controller (DC) with psexec_ntdsgrab and then clear your tracks…
Glad you didn’t forget your copy of THP!

Table of Contents
Preface
Introduction
Standards
Updates
Pregame - The Setup
Building A Lab
Building Out A Domain
Building Out Additional Servers
Practice
Building Your Penetration Testing Box
Setting Up A Penetration Testing Box
Hardware
Open Source Versus Commercial Software
Setting Up Your Boxes
Setting Up Kali Linux
Windows VM
Setting Up Windows
Power Up With Powershell
Easy-P
Learning
Metasploitable 2
Binary Exploitation
Summary
Passive Discovery - Open Source Intelligence (OSINT)
Recon-NG
Discover Scripts
Spiderfoot
Creating Password Lists:
Wordhound
Brutescrape
Using Compromised Lists To Find Email Addresses And Credentials
Gitrob - Github Analysis
OSINT Data Collection
External/Internal Active Discovery
Masscan
Sparta
Http Screenshot
Vulnerability Scanning:
Rapid7 Nexpose/Tenable Nessus
Openvas
Web Application Scanning
The Process For Web Scanning
Web Application Scanning
OWASP Zap Proxy
Parsing Nessus, Nmap, Burp
Summary
The Drive - Exploiting Scanner Findings
Metasploit
From A Terminal In Kali - Initialize And Start Metasploit:
Running Metasploit - Common Configuration Commands:
Running Metasploit - Post Exploitation And Other
Using Metasploit For MS08-067:
Scripts
WarFTP Example
Printers
Heartbleed
Shellshock
Shellshock Lab
Dumping Git Repositories (Kali Linux)
NoSQLmap
Starting NoSQLmap:
Elastic Search (Kali Linux)
Elastic Search Lab:
Summary
Web Application Penetration Testing
SQL Injections
Manual SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Session Tokens
Additional Fuzzing/Input Validation
Other OWASP Top Ten Vulnerabilities
Functional/Business Logic Testing
Conclusion
The Lateral Pass - Moving Through The Network
On The Network Without Credentials:
Responder.py
ARP (address resolution protocol) Poisoning
Cain and Abel
Ettercap
Backdoor Factory Proxy
Steps After Arp Spoofing:
With Any Domain Credentials (Non-Admin):
Initial System Recon
Group Policy Preferences:
Additional Post Exploitation Tips
Privilege Escalation:
Zero To Hero - Linux:
With Any Local Administrative or Domain Admin Account:
Owning The Network With Credentials And Psexec:
Psexec Commands Across Multiple IPS (Kali Linux)
Move Laterally With WMI (windows)
Kerberos - MS14-068:
Pass-The-Ticket
Lateral Movement With Postgres SQL
Pulling Cached Credentials
Attacking The Domain Controller:
SMBExec
PSExec_NTDSgrab
Persistence
Veil And Powershell
Persistence With Schedule Tasks
Golden Ticket
Skeleton Key
Sticky Keys
Conclusion
The Screen - Social Engineering
Doppelganger Domains
SMTP Attack
SSH Attack
Phishing
Manual Phishing Code
Phishing Reporting
The Onside Kick - Attacks That Require Physical Access
Exploiting Wireless
Passive - Identification and Reconnaissance
Active Attacks
Badge Cloning
Get It Working In Kali Nethunter
Kon-Boot
Windows
OS X:
Pentesting Drop Box - Raspberry Pi 2
Rubber Ducky (http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe)
Conclusion
The Quarterback Sneak - Evading AV
Evading AV
The Backdoor Factory
Hiding WCE From AV (windows)
Veil
SMBExec
PeCloak.py
Python
Other Keyloggers
Keylogger Using Nishang
Keylogger Using Powersploit
Conclusion
Special Teams - Cracking, Exploits, And Tricks
Password Cracking
John The Ripper
OclHashcat
Vulnerability Searching
Searchsploit (Kali Linux)
Bugtraq
Exploit-db
Querying Metasploit
Tips and Tricks
RC Scripts Within Metasploit
Windows Sniffer
Bypass UAC
Kali Linux Nethunter
Building A Custom Reverse Shell
Evading Application Based Firewalls
Powershell
Windows 7/8 Uploading Files To The Host
Pivoting
Commercial Tools:
Cobalt Strike:
Immunity Canvas
Core Impact
Ten-Yard Line:
Twenty-Yard Line:
Thirty-Yard Line:
Fifty-Yard Line:
Seventy-Yard Line:
Eighty-Yard Line:
Goal Line:
Touchdown! Touchdown! Touchdown!
Bug Bounties:
Major Security Conferences:
Training Courses:
Free Training:
Capture The Flag (CTF)
Keeping Up To Date
Mailing Lists
Podcasts
Learning From The Bad Guys
Some Examples:
Final Notes
Special Thanks



Final Notes
Now, you have fully compromised the SUCK organization, cracked all the passwords, found all of
their weaknesses, and made it out clean. It is time to take everything you learned and build on top of
that. I have already recommended that you get involved with your local security groups and/or
participate in security conferences. You can also start a blog and start playing with these different
tools. Find out what works and what doesn’t and see how you can attack more efficiently and be
silent on the network. It will take some time outside your normal 9-to-5 job, but it will definitely be worth it.

I hope you have found the content in this book to be something of value and picked up some tips and
tricks. I wrote this second book mainly because security is always changing and it is really important
to stay on top of your game. As I have emphasized throughout this book and the prior one, there isn’t a
point when you can say you have mastered security. However, once you have the basics down pat, the
high-level attacks don’t really change. We see time and time again that old attacks come back and that
you always need to be ready.

If you did find this book to be helpful, please feel free to leave me a comment on the book’s website.
It will help me to continue developing better content and see what topics you would like to hear more
about. If I forgot to mention someone in this book or I misspoke on a topic, I apologize in advance
and will try my best to provide updated/corrected information on the book website.
Subscribe for Book Updates:
Twitter: @HackerPlaybook
*From the last book, I know that many of you downloaded copies of my book through less than legal
means. Although I don’t promote it, I am glad that I was able to share my knowledge and hope this
continues your interest in computer security. If you did happen to stumble on this copy somewhere on
the “internets” and did like my book, feel free to donate to the BTC address below. All proceeds will
go directly to LETHAL (http://www.meetup.com/lethal/) to promote the growth of our security community.
Happy Hacking!

 Practical Guide To Penetration Testing

Peter Kim


Book Details
Price: 2.00
Pages: 214 p
File Size: 26,740 KB
File Type: PDF format
ISBN: 1494932636
ISBN-13: 9781494932633
Copyright © 2014 by Secure Planet LLC

Preface
I didn’t start one day to think that I’d write a book about penetration testing
but I kind of fell into it.
What happened was I started taking notes from penetration tests, conferences, security articles,
research, and life experiences. As my notes grew and grew, I found better and better ways to perform
repetitive tasks and I began to understand what worked and what didn’t.

As I began to teach, speak at conferences, and get involved in the security community, I felt that the
industry could benefit from my lessons learned. This book is a collection of just that. One important
thing I want to point out is that I am not a professional writer, but wrote this book as a hobby. You
may have your own preferred tools, techniques and tactics that you utilize, but that is what makes this
field great. There are often many different answers to the same question and I invite you to explore
them all. I won’t be giving a step-by-step walkthrough of every type of attack; so it’s your job to
continually do research, try different methods, and see what works for you.

This book assumes that you have some knowledge of common security tools, have used a little
Metasploit, and keep up somewhat with the security industry. You don’t have to be a penetration
tester to take full advantage of the book; but it helps if your passion is for security.

My purpose in writing this book is to create a straightforward and practical approach to penetration
testing. There are many security books that discuss every type of tool and every type of vulnerability,
where only small portions of the attacks seem to be relevant to the average penetration tester. My
hope is that this book will help you evolve your security knowledge and better understand how you
need to protect your own environment.

Throughout the book, I’ll be going into techniques and processes that I feel are real world and part of
a typical penetration engagement. You won’t always be able to use these techniques exactly as shown,
but they should help provide a good baseline for where you should start.
I will conclude with some advice that I have found to be helpful. To become a better security
professional, some of the most important things to do are:
1. Learn, study, and understand vulnerabilities and common security weaknesses
2. Practice exploiting and securing vulnerabilities in controlled environments
3. Perform testing in real world environments
4. Teach and present to the security community
These pointers represent a continual lifecycle, which will help you evolve in your technical maturity.
Thanks again for reading this book and I hope you have as much fun reading it as I had writing it.

Introduction
Hunched over your keyboard in your dimly lit room, frustrated, possibly on one too many energy
drinks, you check your phone. As you squint from the glare of the bright LCD screen, you barely make
out the time to be 3:00 a.m. “Great”, you think to yourself. You have 5 more hours before your test is
over and you haven’t found a single exploit or critical vulnerability. Your scans were not fruitful and
no one’s going to accept a report with a bunch of Secure Flag cookie issues.

You need that Hail Mary pass, so you pick up The Hacker Playbook and open to the section called
“The Throw - Manual Web Application Findings”. Scanning through, you see that you’ve missed
testing the cookies for SQL injection attacks. You think, “This is something that a simple web scanner
would miss.” You kick off SQLMap using the cookie switch and run it. A couple of minutes later,
your screen starts to violently scroll and stops at:
Web server operating system: Windows 2008
web application technology: ASP.net, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2008
Perfect. You use SQLMap to drop into a command shell, but sadly realize that you do not have
administrative privileges. “What would be the next logical step…? I wish I had some post-exploitation
tricks up my sleeve”, you think to yourself. Then you remember that this book could help
with that. You open to the section “The Lateral Pass - Moving through the Network” and read up and
down. There are so many different options here, but let’s see if this host is connected to the domain
and if they used Group Policy Preferences to set Local Administrators.

Taking advantage of the IEX PowerShell command, you force the server to download PowerSploit’s
GPP script, execute it, and store the results to a file. Looks like it worked without triggering Anti-Virus!
You read the contents of the file that the script exported and lo and behold, the local
administrative password.

The rest is history… you spawn a Meterpreter shell with the admin privileges, pivot through that host,
and use SMBexec to pull all the user hashes from the Domain Controller.

Of course, this was all a very quick and high-level example, but this is how I tried to lay out the book.
There are 10 different sections to this book, laid out as a football playbook. The 10 sections are:
Pregame: This is all about how to set up your attacking machines and the tools we’ll use throughout the book.
Before the Snap: Before you can run any plays, you need to scan your environment and understand what you are up against. We’ll dive into discovery and smart scanning.
The Drive: Take those vulnerabilities which you identified from the scans, and exploit those systems. This is where we get our hands a little dirty and start exploiting boxes.
The Throw: Sometimes you need to get creative and look for the open target. We’ll take a look at how to find and exploit manual Web Application findings.
The Lateral Pass: After you have compromised a system, how to move laterally through the network.
The Screen: A play usually used to trick the enemy. This chapter will explain some social engineering tactics.
The Onside Kick: A deliberately short kick that requires close distance. Here I will describe attacks that require physical access.
The Quarterback Sneak: When you only need a couple of yards a quarterback sneak is perfect. Sometimes you get stuck with antivirus (AV); this chapter describes how to get over those small hurdles by evading AV.
Special Teams: Cracking passwords, exploits, and some tricks
Post-Game Analysis: Reporting your findings
Before we dig into how to attack different networks, pivot through security controls, and evade AV, I
want to get you into the right mindset. Imagine you have been hired as the penetration tester to test the
overall security of a Fortune 500 company. Where do you start? What are your baseline security
tests? How do you provide consistent testing for all of your clients and when do you deviate from that
line? This is how I am going to deliver the messages of this book.

Table of Contents
Preface
Introduction
Additional Information about this Book
Disclaimer
Pregame - The Setup
Setting Up a Penetration Testing Box
Hardware:
Basic hardware requirements are:
Optional hardware discussed later within the book:
Commercial Software
Kali Linux (http://www.kali.org/)
High level tools list additional to Kali:
Setting up Kali:
Once Your Kali VM is Up and Running:
Windows VM Host
High level tools list addition to Windows:
Setting up Windows
Summary
Before the Snap - Scanning the Network
External Scanning
Passive Discovery
Discover Scripts (Previously Backtrack Scripts) (Kali Linux)
How to Run Passive Discovery
Using Compromised Lists to Find Email Addresses and Credentials
External/Internal Active Discovery
The Process for Network Scanning:
Network Vulnerability Scanning (Nexpose/Nessus)
Screen Capture - Peeping Tom
Web Application Scanning
The Process for Web Scanning:
Web Application Scanning
Configuring Your Network Proxy and Browser
Spider Application
Discover Content
Running the Active Scanner
Summary
The Drive - Exploiting Scanner Findings
Metasploit (http://www.metasploit.com) (Windows/Kali Linux)
Basic Steps when Configuring Metasploit Remote Attacks:
Searching via Metasploit (using the good ol’ MS08-067 vulnerability):
Scripts
WarFTP Example
Summary
The Throw - Manual Web Application Findings
Web Application Penetration Testing
SQL Injections
SQLmap (http://sqlmap.org/) (Kali Linux)
Sqlninja (http://sqlninja.sourceforge.net/) (Kali Linux)
Executing Sqlninja
Cross-Site Scripting (XSS)
BeEF Exploitation Framework (http://beefproject.com/) (Kali Linux)
Cross-Site Scripting Obfuscation:
Crowd Sourcing
OWASP Cheat Sheet
Cross-Site Request Forgery (CSRF)
Using Burp for CSRF Replay Attacks
Session Tokens
Additional Fuzzing/Input Validation
Functional/Business Logic Testing
Conclusion
The Lateral Pass - Moving Through the Network
On the Network without Credentials:
Responder.py (https://github.com/SpiderLabs/Responder) (Kali Linux)
With any Domain Credentials (Non-Admin):
Group Policy Preferences:
Pulling Clear Text Credentials
WCE - Windows Credential Editor (http://www.ampliasecurity.com/research/wcefaq.html) (Windows)
Mimikatz (http://blog.gentilkiwi.com/mimikatz)(Windows)
Post Exploitation Tips
Post Exploitation Lists from Room362.com:
With Any Local Administrative or Domain Admin Account:
Owning the Network with Credentials and PSExec:
PSExec and Veil (Kali Linux)
PSExec Commands Across Multiple IPs (Kali Linux)
Attack the Domain Controller:
SMBExec (https://github.com/brav0hax/smbexec) (Kali Linux)
Post Exploitation with PowerSploit (https://github.com/mattifestation/PowerSploit) (Windows)
Commands:
Post Exploitation with PowerShell (https://code.google.com/p/nishang/) (Windows)
ARP (Address Resolution Protocol) Poisoning
IPv4
Cain and Abel (Windows)
Ettercap (Kali Linux)
IPv6
The tool is able to do different attacks such as:
Steps After ARP Spoofing:
SideJacking:
Hamster/Ferret (Kali Linux)
Firesheep
DNS Redirection:
SSLStrip:
Commands on Kali:
Proxy Between Hosts
Conclusion
The Screen - Social Engineering
Doppelganger Domains
SMTP Attack
SSH Attack
To Extract OpenSSH:
Spear Phishing
Metasploit Pro - Phishing Module
Social Engineering Toolkit (Kali Linux)
Credential Harvester
To generate a fake page, go through the follow:
Using SET JAVA Attack
Sending Out Massive Spear Phishing Campaigns
Social Engineering with Microsoft Excel
Conclusion
The Onside Kick - Attacks that Require Physical Access
Exploiting Wireless
Passive - Identification and Reconnaissance
Active Attacks
WEP - Wired Equivalent Privacy
How to Crack WEP in Kali:
WPAv2 WPS (Wi-Fi Protected Setup) Attacks
WPA Enterprise - Fake Radius Attack
Configuring a Radius server
Karmetasploit
Physical Card Cloning:
Pentesting Drop Box
Odroid U2:
Physical Social Engineering
Conclusion
The Quarterback Sneak - Evading AV
Evading AV
Hiding WCE from AV (Windows)
Python
Python Shell
Python Keylogger
Veil Example (Kali Linux)
SMBExec (Kali Linux)
Conclusion
Special Teams - Cracking, Exploits, Tricks
Password Cracking
John the Ripper (JtR):
Cracking MD5 Hashes
oclHashcat:
Cracking WPAv2
Cracking NTLMv2
Cracking Smarter
Vulnerability Searching
Searchsploit (Kali Linux)
BugTraq
Exploit-DB
Querying Metasploit
Tips and Tricks
RC Scripts within Metasploit
Bypass UAC
Web Filtering Bypass for Your Domains
Windows XP - Old school FTP trick
Hiding Your Files (Windows)
Keeping Those Files Hidden (Windows)
Windows 7/8 Uploading Files to the Host
Post Game Analysis - Reporting
Reporting
List of My Best Practices and Concepts for Reporting:
Continuing Education
Major Conferences:
The cons that I highly recommend from my own personal experience:
Training Courses:
Books Technical Reading:
Fun Security Related Reading:
Vulnerable Penetration Testing Frameworks
Capture The Flag (CTF)
Keeping Up-to-Date
RSS Feed/Site List:
Email Lists:
Twitter Lists:
Final Notes
Special Thanks



Additional Information About This Book
has nothing to do with any of my past or current employers or anything that I’m involved with outside
this book. If there are topics or ideas that I have misrepresented or have forgotten to give credit
where appropriate, please let me know and I’ll make updates on the website for the book:

One important recommendation I have when you are learning: take the tools and try to recreate them
in another scripting language. I generally like to use Python to recreate common tools and new
exploits. This becomes really important because you will avoid becoming tool dependent, and you
will better understand why the vulnerability is a vulnerability.

Finally, I want to reiterate that practice makes perfect. The rule I’ve always heard is that it takes
10,000 hours to master something. However, I don’t believe that there is ever a time that anyone can
completely master penetration testing, but I’ll say that with enough practice penetration testing can
become second nature.