Title Page
Copyright and Credits
Hands-On Penetration Testing on Windows
Dedication
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Bypassing Network Access Control
Technical requirements
Bypassing MAC filtering – considerations for the physical assessor
Configuring a Kali wireless access point to bypass MAC filtering
Design weaknesses – exploiting weak authentication mechanisms
Capturing captive portal authentication conversations in the clear
Layer-2 attacks against the network
Bypassing validation checks
Confirming the Organizationally Unique Identifier
Passive Operating System Fingerprinter
Spoofing the HTTP User-Agent
Breaking out of jail – masquerading the stack
Following the rules spoils the fun – suppressing normal TCP replies
Fabricating the handshake with Scapy and Python
Summary
Questions
Further reading
Sniffing and Spoofing
Technical requirements
Advanced Wireshark – going beyond simple captures
Passive wireless analysis
Targeting WLANs with the Aircrack-ng suite
WLAN analysis with Wireshark
Active network analysis with Wireshark
Advanced Ettercap – the man-in-the-middle Swiss Army Knife
Bridged sniffing and the malicious access point
Ettercap filters – fine-tuning your analysis
Killing connections with Ettercap filters
Getting better – spoofing with BetterCAP
ICMP redirection with BetterCAP
Summary
Questions
Further reading
Windows Passwords on the Network
Technical requirements
Understanding Windows passwords
A crash course on hash algorithms
Password hashing methods in Windows
If it ends with 1404EE, then it's easy for me – understanding LM hash flaws
Authenticating over the network – a different game altogether
Capturing Windows passwords on the network
A real-world pen test scenario – the chatty printer
Configuring our SMB listener
Authentication capture
Hash capture with LLMNR/NetBIOS NS spoofing
Let it rip – cracking Windows hashes
The two philosophies of password cracking
John the Ripper cracking with a wordlist
John the Ripper cracking with masking
Reviewing your progress with the show flag
Summary
Questions
Further reading
Advanced Network Attacks
Technical requirements
Binary injection with BetterCAP proxy modules
The Ruby file injection proxy module – replace_file.rb
Creating the payload and connect-back listener with Metasploit
HTTP downgrading attacks with sslstrip
Removing the need for a certificate – HTTP downgrading
Understanding HSTS bypassing with DNS spoofing
HTTP downgrade attacks with BetterCAP ARP/DNS spoofing
The evil upgrade – attacking software update mechanisms
Exploring ISR Evilgrade
Configuring the payload and upgrade module
Spoofing ARP/DNS and injecting the payload
IPv6 for hackers
IPv6 addressing basics
Local IPv6 reconnaissance and the Neighbor Discovery Protocol
IPv6 man-in-the-middle – attacking your neighbors
Living in an IPv4 world – creating a local 4-to-6 proxy for your tools
Summary
Questions
Further reading
Cryptography and the Penetration Tester
Technical requirements
Flipping the bit – integrity attacks against CBC algorithms
Block ciphers and modes of operation
Introducing block chaining
Setting up your bit-flipping lab
Manipulating the IV to generate predictable results
Flipping to root – privilege escalation via CBC bit-flipping
Sneaking your data in – hash length extension attacks
Setting up your hash attack lab
Understanding SHA-1's running state and compression function
Data injection with the hash length extension attack
Busting the padding oracle with PadBuster
Interrogating the padding oracle
Decrypting a CBC block with PadBuster
Behind the scenes of the oracle padding attack
Summary
Questions
Further reading
Advanced Exploitation with Metasploit
Technical requirements
How to get it right the first time – generating payloads
Installing Wine32 and Shellter
Payload generation goes solo – working with msfvenom
Creating nested payloads
Helter Skelter evading antivirus with Shellter
Modules – the bread and butter of Metasploit
Building a simple Metasploit auxiliary module
Efficiency and attack organization with Armitage
Getting familiar with your Armitage environment
Enumeration with Armitage
Exploitation made ridiculously simple with Armitage
A word about Armitage and the pen tester mentality
Social engineering attacks with Metasploit payloads
Creating a Trojan with Shellter
Preparing a malicious USB drive for Trojan delivery
Summary
Questions
Further reading
Stack and Heap Memory Management
Technical requirements
An introduction to debugging
Understanding the stack
Understanding registers
Assembly language basics
Disassemblers, debuggers, and decompilers – oh my!
Getting cozy with the Linux command-line debugger – GDB
Stack smack – introducing buffer overflows
Examining the stack and registers during execution
Lilliputian concerns – understanding endianness
Introducing shellcoding
Hunting bytes that break shellcode
Generating shellcode with msfvenom
Grab your mittens, we're going a NOP sledding
Summary
Questions
Further reading
Windows Kernel Security
Technical requirements
Kernel fundamentals – understanding how kernel attacks work
Kernel attack vectors
The kernel's role as time cop
It's just a program
Pointing out the problem – pointer issues
Dereferencing pointers in C and assembly
Understanding NULL pointer dereferencing
The Win32k kernel-mode driver
Passing an error code as a pointer to xxxSendMessage()
Metasploit – exploring a Windows kernel exploit module
Practical kernel attacks with Kali
An introduction to privilege escalation
Escalating to SYSTEM on Windows 7 with Metasploit
Summary
Questions
Further reading
Weaponizing Python
Technical requirements
Incorporating Python into your work
Why Python?
Getting cozy with Python in your Kali environment
Introducing Vim with Python syntax awareness
Python network analysis
Python modules for networking
Building a Python client
Building a Python server
Building a Python reverse shell script
Antimalware evasion in Python
Creating Windows executables of your Python scripts
Preparing your raw payload
Writing your payload retrieval and delivery in Python
Python and Scapy – a classy pair
Revisiting ARP poisoning with Python and Scapy
Summary
Questions
Further reading
Windows Shellcoding
Technical requirements
Taking out the guesswork – heap spraying
Memory allocation – stack versus heap
Shellcode whac-a-mole – heap spraying fundamentals
Shellcode generation for the Java vulnerability
Creating the malicious website to exploit Java
Debugging Internet Explorer with WinDbg
Examining memory after spraying the heap
Fine-tuning your attack and getting a shell
Understanding Metasploit shellcode delivery
Encoder theory and techniques – what encoding is and isn't
Windows binary disassembly within Kali
Injection with Backdoor Factory
Code injection fundamentals – fine-tuning with BDF
Trojan engineering with BDF and IDA
Summary
Questions
Further reading
Bypassing Protections with ROP
Technical requirements
DEP and ASLR – the intentional and the unavoidable
Understanding DEP
Understanding ASLR
Testing DEP protection with WinDbg
Demonstrating ASLR on Kali Linux with C
Introducing return-oriented programming
Borrowing chunks and returning to libc – turning the code against itself
The basic unit of ROP – gadgets
Getting cozy with our tools – MSFrop and ROPgadget
Metasploit Framework's ROP tool – MSFrop
Your sophisticated ROP lab – ROPgadget
Creating our vulnerable C program without disabling protections
No PIE for you – compiling your vulnerable executable without ASLR hardening
Generating a ROP chain
Getting hands-on with the return-to-PLT attack
Extracting gadget information for building your payload
Finding the .bss address
Finding a pop pop ret structure
Finding addresses for system@plt and strcpy@plt functions
Finding target characters in memory with ROPgadget and Python
Go, go, gadget ROP chain – bringing it together for the exploit
Finding the offset to return with gdb
Writing the Python exploit
Summary
Questions
Further reading
Fuzzing Techniques
Technical requirements
Network fuzzing – mutation fuzzing with Taof proxying
Configuring the Taof proxy to target the remote service
Fuzzing by proxy – generating legitimate traffic
Hands-on fuzzing with Kali and Python
Picking up where Taof left off with Python – fuzzing the vulnerable FTP server
The other side – fuzzing a vulnerable FTP client
Writing a bare-bones FTP fuzzer service in Python
Crashing the target with the Python fuzzer
Fuzzy registers – the low-level perspective
Calculating the EIP offset with the Metasploit toolset
Shellcode algebra – turning the fuzzing data into an exploit
Summary
Questions
Further reading
Going Beyond the Foothold
Technical requirements
Gathering goodies – enumeration with post modules
ARP enumeration with meterpreter
Forensic analysis with meterpreter – stealing deleted files
Privileges enumeration with meterpreter
Internet Explorer enumeration – discovering internal web resources
Network pivoting with Metasploit
Just a quick review of subnetting
Launching Metasploit into the hidden network with autoroute
Escalating your pivot – passing attacks down the line
Extracting credentials with hashdump
Quit stalling and pass the hash – exploiting password equivalents in Windows
Summary
Questions
Further reading
Taking PowerShell to the Next Level
Technical requirements
Power to the shell – PowerShell fundamentals
What is PowerShell?
PowerShell's own cmdlets and PowerShell scripting language
Working with the registry
Pipelines and loops in PowerShell
It gets better – PowerShell's ISE
Post-exploitation with PowerShell
ICMP enumeration from a pivot point with PowerShell
PowerShell as a TCP-connect port scanner
Delivering a Trojan to your target via PowerShell
Offensive PowerShell – introducing the Empire framework
Installing and introducing PowerShell Empire
Configuring listeners
Configuring stagers
Your inside guy – working with agents
Configuring a module for agent tasking
Summary
Questions
Further reading
Escalating Privileges
Technical requirements
Climb the ladder with Armitage
Named pipes and security contexts
Impersonating the security context of a pipe client
Superfluous pipes and pipe creation race conditions
Moving past the foothold with Armitage
Armitage pivoting
When the easy way fails – local exploits
Kernel pool overflow and the danger of data types
Let's get lazy – Schlamperei privilege escalation on Windows 7
Escalation with WMIC and PS Empire
Quietly spawning processes with WMIC
Create a PowerShell Empire agent with remote WMIC
Escalating your agent to SYSTEM via access token theft
Dancing in the shadows – looting domain controllers with vssadmin
Extracting the NTDS database and SYSTEM hive from a shadow copy
Exfiltration across the network with cifs
Password hash extraction with libesedb and ntdsxtract
Summary
Questions
Further reading
Maintaining Access
Technical requirements
Persistence with Metasploit and PowerShell Empire
Creating a payload for Metasploit persister
Configuring the Metasploit persistence module and firing away
Verifying your persistent Meterpreter backdoor
Not to be outdone – persistence in PS Empire
Elevating the security context of our Empire agent
Creating a WMI subscription for stealthy persistence of your agent
Verifying agent persistence
Hack tunnels – netcat backdoors on the fly
Uploading and configuring persistent netcat with meterpreter
Remotely tweaking Windows Firewall to allow inbound netcat connections
Verifying persistence is established
Maintaining access with PowerSploit
Installing the persistence module in PowerShell
Configuring and executing meterpreter persistence
Lying in wait – verifying persistence
What did the persistence script do?
Summary
Questions
Further reading
Tips and Tricks
Getting familiar with VMware Workstation
VMware versus Oracle for desktop virtualization
Building your attack lab
Finding Windows machines for your lab
Downloading Edge tester VMs for developers
Downloading an evaluation copy of Windows Server
Installing Windows from an OEM disc or downloaded ISO file
Network configuration tricks
Network address translation and VMnet subnets
Using the Virtual Network Editor
Further reading
Assessment
Chapter 1: Bypassing Network Access Control
Chapter 2: Sniffing and Spoofing
Chapter 3: Windows Passwords on the Network
Chapter 4: Advanced Network Attacks
Chapter 5: Cryptography and the Penetration Tester
Chapter 6: Advanced Exploitation with Metasploit
Chapter 7: Stack and Heap Memory Management
Chapter 8: Windows Kernel Security
Chapter 9: Weaponizing Python
Chapter 10: Windows Shellcoding
Chapter 11: Bypassing Protections with ROP
Chapter 12: Fuzzing Techniques
Chapter 13: Going Beyond the Foothold
Chapter 14: Taking PowerShell to the Next Level
Chapter 15: Escalating Privileges
Chapter 16: Maintaining Access
Other Books You May Enjoy
Leave a review - let other readers know what you think