Title Page
Copyright and Credits
Mastering Kali Linux for Advanced Penetration Testing Third Edition
Dedication
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Goal-Based Penetration Testing
Conceptual overview of security testing
Misconceptions of vulnerability scanning, penetration testing, and red team exercises
Objective-based penetration testing
The testing methodology
Introduction to Kali Linux – features
Role of Kali in red team tactics
Installing and updating Kali Linux
Using as a portable device
Installing Kali to Raspberry Pi 3
Installing Kali onto a VM
VMware Workstation Player
VirtualBox
Installing to a Docker Appliance
Kali on AWS Cloud
Organizing Kali Linux
Configuring and customizing Kali Linux
Resetting the root password
Adding a non-root user
Configuring network services and secure communications
Adjusting network proxy settings
Accessing the secure shell
Speeding up Kali operations
Sharing folders with the host operating system
Using Bash scripts to customize Kali
Building a verification lab
Installing defined targets
Metasploitable3
Mutillidae
Setting up an Active Directory and Domain Controller
Adding users to the Active Directory
Adding Metasploitable3 Windows to the new domain
Managing collaborative penetration testing using Faraday
Summary
Open Source Intelligence and Passive Reconnaissance
Basic principles of reconnaissance
Open source intelligence
Offensive OSINT
Domain gathering using Sublist3r
Maltego
OSRFramework
Web archives
Scraping
Gathering usernames and email addresses
Obtaining user information
Shodan and censys.io
Google Hacking Database
Using dork scripts to query Google
Data dump sites
Using scripts to automatically gather OSINT data
Defensive OSINT
Dark web
Security breaches
Threat intelligence
Profiling users for password lists
Creating custom wordlists for cracking passwords
Using CeWL to map a website
Extracting words from Twitter using twofi
Summary
Active Reconnaissance of External and Internal Networks
Stealth scanning strategies
Adjusting source IP stack and tool identification settings
Modifying packet parameters
Using proxies with anonymity networks
DNS reconnaissance and route mapping
The whois command (Post GDPR)
Employing comprehensive reconnaissance applications
The recon-ng framework
IPv4
IPv6
Using IPv6-specific tools
Mapping the route to the target
Identifying the external network infrastructure
Mapping beyond the firewall
IDS/IPS identification
Enumerating hosts
Live host discovery
Port, operating system, and service discovery
Port scanning
Writing your own port scanner using netcat
Fingerprinting the operating system
Determining active services
Large-scale scanning
DHCP information
Identification and enumeration of internal network hosts
Native MS Windows commands
ARP broadcasting
Ping sweep
Using scripts to combine masscan and nmap scans
Taking advantage of SNMP
Windows account information via SMB (Server Message Block) sessions
Locating network shares
Reconnaissance of Active Directory domain servers
Using comprehensive tools (SPARTA)
An example to configure SPARTA
Summary
Vulnerability Assessment
Vulnerability nomenclature
Local and online vulnerability databases
Vulnerability scanning with Nmap
Introduction to Lua scripting
Customizing NSE scripts
Web application vulnerability scanners
Introduction to Nikto and Vega
Customizing Nikto and Vega
Vulnerability scanners for mobile applications
The OpenVAS network vulnerability scanner
Customizing OpenVAS
Commercial vulnerability scanners
Nessus
Nexpose
Specialized scanners
Threat modeling
Summary
Advanced Social Engineering and Physical Security
Methodology and attack methods
Technology
Computer-based
Mobile-based
People-based
Physical attacks
Voice-based
Physical attacks at the console
samdump2 and chntpw
Sticky keys
Creating a rogue physical device
Microcomputer or USB-based attack agents
The Raspberry Pi
The MalDuino – the BadUSB
The Social Engineering Toolkit (SET)
Using a website attack vector – the credential harvester attack method
Using a website attack vector – the tabnabbing attack method
HTA attack
Using the PowerShell alphanumeric shellcode injection attack
Hiding executables and obfuscating the attacker's URL
Escalating an attack using DNS redirection
Spear phishing attack
Setting up a phishing campaign with Gophish
Launching a phishing attack
Using bulk transfer as a mode of phishing
Summary
Wireless Attacks
Configuring Kali for wireless attacks
Wireless reconnaissance
Kismet
Bypassing a hidden SSID
Bypassing the MAC address authentication and open authentication
Attacking WPA and WPA2
Brute-force attacks
Attacking wireless routers with Reaver
Denial-of-service (DoS) attacks against wireless communications
Compromising enterprise implementations of WPA/WPA2
Working with Ghost Phisher
Summary
Exploiting Web-Based Applications
Web application hacking methodology
The hacker's mind map
Reconnaissance of web apps
Detection of web application firewall and load balancers
Fingerprinting a web application and CMS
Mirroring a website from the command line
Client-side proxies
Burp Proxy
Web crawling and directory brute-force attacks
Web service-specific vulnerability scanners
Application-specific attacks
Brute-forcing access credentials
Injection
OS command injection using commix
SQL injection
XML injection
Bit-flipping attack
Maintaining access with web shells
Summary
Client-Side Exploitation
Backdooring executable files
Attacking a system using hostile scripts
Conducting attacks using VBScript
Attacking systems using Windows PowerShell
The Cross-Site Scripting framework
The Browser Exploitation Framework (BeEF)
Configuring the BeEF
Understanding BeEF Browser
Integrating BeEF and Metasploit attacks
Using BeEF as a tunneling proxy
Summary
Bypassing Security Controls
Bypassing Network Access Control (NAC)
Pre-admission NAC
Adding new elements
Identifying the rules
Exceptions
Quarantine rules
Disabling endpoint security
Preventing remediation
Adding exceptions
Post-admission NAC
Bypassing isolation
Detecting honeypot
Bypassing the antivirus with files
Using the Veil framework
Using Shellter
Going fileless and evading antivirus
Bypassing application-level controls
Tunneling past client-side firewalls using SSH
Inbound to outbound
Bypassing URL filtering mechanisms
Outbound to inbound
Bypassing Windows operating system controls
User Account Control (UAC)
Using fileless techniques
Using fodhelper to bypass UAC in Windows 10
Using Disk Cleanup to bypass UAC in Windows 10
Other Windows-specific operating system controls
Access and authorization
Encryption
System security
Communications security
Auditing and logging
Summary
Exploitation
The Metasploit Framework
Libraries
REX
Framework core
Framework base
Interfaces
Modules
Database setup and configuration
Exploiting targets using MSF
Single targets using a simple reverse shell
Single targets using a reverse shell with a PowerShell attack vector
Exploiting multiple targets using MSF resource files
Exploiting multiple targets with Armitage
Using public exploits
Locating and verifying publicly available exploits
Compiling and using exploits
Compiling C files
Adding the exploits that are written using the MSF as a base
Developing a Windows exploit
Identifying a vulnerability using fuzzing
Creating a Windows-specific exploit
Summary
Action on the Objective and Lateral Movement
Activities on the compromised local system
Conducting rapid reconnaissance of a compromised system
Finding and taking sensitive data – pillaging the target
Creating additional accounts
Post-exploitation tools
The Metasploit Framework
The Empire project
CrackMapExec
Horizontal escalation and lateral movement
Veil-Pillage
Compromising domain trusts and shares
PsExec, WMIC, and other tools
WMIC
Windows Credential Editor
Lateral movement using services
Pivoting and port forwarding
Using Proxychains
Summary
Privilege Escalation
Overview of the common escalation methodology
Escalating from domain user to system administrator
Local system escalation
Escalating from administrator to system
DLL injection
Credential harvesting and escalation attacks
Password sniffers
Responder
SMB relay attacks
Escalating access rights in Active Directory
Compromising Kerberos – the golden-ticket attack
Summary
Command and Control
Persistence
Using persistent agents
Employing Netcat as a persistent agent
Using schtasks to configure a persistent task
Maintaining persistence with the Metasploit framework
Using the persistence script
Creating a standalone persistent agent with Metasploit
Persistence using online file storage cloud services
Dropbox
Microsoft OneDrive
Domain fronting
Using Amazon CloudFront for C2
Using Microsoft Azure for C2
Exfiltration of data
Using existing system services (Telnet, RDP, and VNC)
Using the DNS protocol
Using the ICMP protocol
Using the Data Exfiltration Toolkit (DET)
Using PowerShell
Hiding evidence of an attack
Summary
Embedded Devices and RFID Hacking
Embedded systems and hardware architecture
Embedded system basic architecture
Understanding firmware
Different types of firmware
Understanding bootloaders
Common tools
Firmware unpacking and updating
Introduction to RouterSploit Framework
UART
Cloning RFID using Chameleon Mini
Other tools
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think