Mastering Kali Linux for Advanced Penetration Testing - Second Edition电子书

Title Page

Second Edition

Copyright

Mastering Kali Linux for Advanced Penetration Testing

Second Edition

Credits

About the Author

About the Reviewer

www.PacktPub.com

Why subscribe?

Customer Feedback

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Downloading the color images of this book

Errata

Piracy

Questions

Goal-Based Penetration Testing

Conceptual overview of security testing

Failure of classical vulnerability scanning, penetration testing, and Red Team Exercises

The testing methodology

Introduction to Kali Linux – history and purpose

Installing and updating Kali Linux

Using Kali Linux from a portable device

Installing Kali into a virtual machine

VMware Workstation Player

VirtualBox

Installing to a Docker appliance

Installing Kali to the cloud – creating an AWS instance

Organizing Kali Linux

Configuring and customizing Kali Linux

Resetting the root password

Adding a non-root user

Speeding up Kali operations

Sharing folders with the host operating system

Using BASH scripts to customize Kali

Building a verification lab

Setting up a virtual network with Active Directory

Installing defined targets

Metasploitable3

Mutillidae

Managing collaborative penetration testing using Faraday

Summary

Open Source Intelligence and Passive Reconnaissance

Basic principles of reconnaissance

OSINT

Offensive OSINT

Maltego

CaseFile

Google caches

Scraping

Gathering usernames and email addresses

Obtaining user information

Shodan and censys.io

Google Hacking Database

Using dork script to query Google

DataDump sites

Using scripts to automatically gather OSINT data

Defensive OSINT

Dark Web

Security breaches

Threat Intelligence

Profiling users for password lists

Creating custom word lists for cracking passwords

Using CeWL to map a website

Extracting words from Twitter using Twofi

Summary

Active Reconnaissance of External and Internal Networks

Stealth scanning strategies

Adjusting source IP stack and tool identification settings

Modifying packet parameters

Using proxies with anonymity networks

DNS reconnaissance and route mapping

The whois command

Employing comprehensive reconnaissance applications

The recon-ng framework

IPv4

IPv6

Using IPv6 - specific tools

Mapping the route to the target

Identifying the external network infrastructure

Mapping beyond the firewall

IDS/IPS identification

Enumerating hosts

Live host discovery

Port, operating system, and service discovery

Port scanning

Writing your own port scanner using netcat

Fingerprinting the operating system

Determining active services

Large scale scanning

DHCP information

Identification and enumeration of internal network hosts

Native MS Windows commands

ARP broadcasting

Ping sweep

Using scripts to combine Masscan and nmap scans

Taking advantage of SNMP

Windows account information via Server Message Block (SMB) sessions

Locating network shares

Reconnaissance of active directory domain servers

Using comprehensive tools (SPARTA)

An example to configure SPARTA

Summary

Vulnerability Assessment

Vulnerability nomenclature

Local and online vulnerability databases

Vulnerability scanning with nmap

Introduction to LUA scripting

Customizing NSE scripts

Web application vulnerability scanners

Introduction to Nikto and Vega

Customizing Nikto and Vega

Vulnerability scanners for mobile applications

The OpenVAS network vulnerability scanner

Customizing OpenVAS

Specialized scanners

Threat modelling

Summary

Physical Security and Social Engineering

Methodology and attack methods

Computer-based

Voice-based

Physical attacks

Physical attacks at the console

Samdump2 and chntpw

Sticky keys

Attacking system memory with Inception

Creating a rogue physical device

Microcomputer-based attack agents

The Social Engineering Toolkit (SET)

Using a website attack vector - the credential harvester attack method

Using a website attack vector - the tabnabbing attack method

Using the PowerShell alphanumeric shellcode injection attack

HTA attack

Hiding executables and obfuscating the attacker's URL

Escalating an attack using DNS redirection

Spear phishing attack

Setting up a phishing campaign with Phishing Frenzy

Launching a phishing attack

Summary

Wireless Attacks

Configuring Kali for wireless attacks

Wireless reconnaissance

Kismet

Bypassing a hidden service set identifier (SSID)

Bypassing the MAC address authentication and open authentication

Attacking WPA and WPA2

Brute force attacks

Attacking wireless routers with Reaver

Denial-of-service (DoS) attacks against wireless communications

Compromising enterprise implementations of WPA/WPA2

Working with Ghost Phisher

Summary

Reconnaissance and Exploitation of Web-Based Applications

Methodology

Hackers mindmap

Conducting reconnaissance of websites

Detection of web application firewall and load balancers

Fingerprinting a web application and CMS

Mirroring a website from the command line

Client-side proxies

Burp Proxy

Extending the functionality of web browsers

Web crawling and directory brute force attacks

Web-service-specific vulnerability scanners

Application-specific attacks

Brute-forcing access credentials

OS command injection using commix

Injection attacks against databases

Maintaining access with web shells

Summary

Attacking Remote Access

Exploiting vulnerabilities in communication protocols

Compromising Remote Desktop Protocol (RDP)

Compromising secure shell

Compromising remote access protocols (VNC)

Attacking Secure Sockets Layer (SSL)

Weaknesses and vulnerabilities in the SSL protocol

Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

Compression Ratio Info-leak Made Easy (CRIME)

Factoring Attack on RSA-EXPORT Keys (FREAK)

Heartbleed

Insecure TLS renegotiation

Logjam attack

Padding Oracle On Demanded Legacy Encryption (POODLE)

Introduction to Testssl

Reconnaissance of SSL connections

Using sslstrip to conduct a man-in-the-middle attack

Denial-of-service attacks against SSL

Attacking an IPSec virtual private network

Scanning for VPN gateways

Fingerprinting the VPN gateway

Capturing pre-shared keys

Performing offline PSK cracking

Identifying default user accounts

Summary

Client-Side Exploitation

Backdooring executable files

Attacking a system using hostile scripts

Conducting attacks using VBScript

Attacking systems using Windows PowerShell

The Cross-Site Scripting framework

The Browser Exploitation Framework (BeEF)

Configuring the BeEF

Understanding BeEF browser

Integrating BeEF and Metasploit attacks

Using BeEF as a tunneling proxy

Summary

Bypassing Security Controls

Bypassing Network Access Control (NAC)

Pre-admission NAC

Adding new elements

Identifying the rules

Exceptions

Quarantine rules

Disabling endpoint security

Preventing remediation

Adding exceptions

Post-admission NAC

Bypassing isolation

Detecting HoneyPot

Bypassing antivirus using different frameworks

Using the Veil framework

Using Shellter

Bypassing application-level controls

Tunneling past client-side firewalls using SSH

Inbound to outbound

Bypassing URL filtering mechanisms

Outbound to inbound

Defeating application whitelisting

Bypassing Windows-specific operating system controls

Enhanced Migration Experience Toolkit (EMET)

User Account Control (UAC)

Other Windows-specific operating system controls

Access and authorization

Encryption

System security

Communications security

Auditing and logging

Summary

Exploitation

The Metasploit framework

Libraries

REX

Framework - core

Framework - base

Interfaces

Modules

Database setup and configuration

Exploiting targets using MSF

Single targets using a simple reverse shell

Single targets using a reverse shell with a PowerShell attack vector

Exploiting multiple targets using MSF resource files

Exploiting multiple targets with Armitage

Using public exploits

Locating and verifying publicly available exploits

Compiling and using exploits

Compiling C files

Adding the exploits that are written using Metasploit framework as a base

Developing a Windows exploit

Identifying a vulnerability using fuzzing

Crafting a Windows-specific exploit

Summary

Action on the Objective

Activities on the compromised local system

Conducting a rapid reconnaissance of a compromised system

Finding and taking sensitive data - pillaging the target

Creating additional accounts

Post-exploitation tools (MSF, the Veil-Pillage framework, scripts)

Veil-Pillage

Horizontal escalation and lateral movement

Compromising domain trusts and shares

PsExec, WMIC, and other tools

WMIC

Lateral movement using services

Pivoting and port forwarding

Using Proxychains

Summary

Privilege Escalation

Overview of common escalation methodology

Local system escalation

Escalating from administrator to system

DLL injection

PowerShell's Empire tool

Credential harvesting and escalation attacks

Password sniffers

Responder

SMB relay attacks

Escalating access rights in Active Directory

Compromising Kerberos - the golden ticket attack

Summary

Command and Control

Using persistent agents

Employing Netcat as a persistent agent

Using schtasks to configure a persistent task

Maintaining persistence with the Metasploit framework

Using the persistence script

Creating a standalone persistent agent with Metasploit

Persistence using social media and Gmail

Exfiltration of data

Using existing system services (Telnet, RDP, and VNC)

Exfiltration of data using DNS protocol

Exfiltration of data using ICMP

Using the Data Exfiltration Toolkit (DET)

Exfiltration from PowerShell

Hiding evidence of the attack

Summary