Mastering Kali Linux For Advanced Penetration Testing

COVID-19 has changed the way we live and work. Remote working has given hackers plenty of opportunities, as more confidential information is shared over the internet than ever before. In this new edition of Mastering Kali Linux for Advanced Penetration Testing, you will learn an offensive approach to enhancing your penetration testing skills by becoming aware of the tactics employed by real attackers. You will be introduced to integrating your lab with cloud services so that you learn another dimension of exploitation that is typically forgotten during a penetration test. Gathering all possible information on a target is pivotal for a penetration tester. This book covers the principles of passive and active reconnaissance, from obtaining user information to large-scale port scanning. Building on reconnaissance, different vulnerability assessments are explored, including threat modeling. You will also learn about COVID-19 pandemic-specific cyber failures and understand the cyber risks involved with working from home. By the end of this Kali Linux book, you will have explored approaches for performing advanced pentesting in tightly secured infrastructure, cloud environments, and applications, as well as hacking techniques employed against IoT, embedded peripheral devices, and radio frequencies.

Author(s): Vijay Kumar Velu
Edition: 4
Publisher: Packt Publishing
Year: 2022

Language: English
Commentary: TruePDF
Pages: 573
Tags: Kali Linux: Advanced Penetration Testing

Cover
Copyright
Contributors
Table of Contents
Preface
Chapter 1: Goal-Based Penetration Testing
Different types of threat actors
Conceptual overview of security testing
Common pitfalls of vulnerability assessments, penetration testing, and red team exercises
Objective-based penetration testing
The testing methodology
Introduction to Kali Linux features
The role of Kali in red team tactics
Installing and updating Kali Linux
Using as a portable device
Installing Kali on a Raspberry Pi 4
Installing Kali on a VM
VMware Workstation Player
VirtualBox
Installing to a Docker appliance
Kali on AWS Cloud
Kali on Google Cloud Platform (GCP)
Kali on Android (non-rooted phones)
Organizing Kali Linux
Configuring and customizing Kali Linux
Resetting the default password
Configuring network services and secure communications
Adjusting network proxy settings
Accessing the secure shell remotely
Speeding up Kali operations
Sharing folders with the host operating system
Using Bash scripts to customize Kali
Building a verification lab
Installing defined targets
Lab Network
Active Directory and Domain Controller
Installing Microsoft Exchange Server 2016
Metasploitable3
Mutillidae
CloudGoat
Managing collaborative penetration testing using Faraday
Summary
Chapter 2: Open-Source Intelligence and Passive Reconnaissance
Basic principles of reconnaissance
OSINT
Offensive OSINT
Gather domain information
Maltego
OSRFramework
Web archives
PassiveTotal
Scraping
Gathering usernames and email addresses
Obtaining user information
TinEye
Online search portals
SpiderFoot
Other commercial tools
Google Hacking Database
Using dork scripts to query Google
Data dump sites
Defensive OSINT
Dark web
Security breaches
Public records
Threat intelligence
Profiling users for password lists
Creating custom wordlists for cracking passwords
Using CeWL to map a website
Extracting words from Twitter using twofi
Summary
Chapter 3: Active Reconnaissance of External and Internal Networks
Stealth scanning techniques
Adjusting source IP stack and tool identification settings
Modifying packet parameters
Using proxies with anonymity networks
DNS reconnaissance and route mapping
The whois command (post GDPR)
Employing comprehensive reconnaissance applications
The recon-ng framework
IPv4
IPv6
Using IPv6-specific tools
Mapping the route to the target
Identifying the external network infrastructure
Mapping beyond the firewall
IDS/IPS identification
Enumerating hosts
Live host discovery
Port, operating system, and service discovery
Port scanning
Writing your own port scanner using netcat
Fingerprinting the operating system
Determining active services
Large-scale scanning
DHCP information
Identification and enumeration of internal network hosts
Native MS Windows commands
ARP broadcasting
Ping sweep
Using scripts to combine masscan and nmap scans
Taking advantage of SNMP
Windows account information via SMB sessions
Locating network shares
Reconnaissance of Active Directory domain servers
Enumerating the Microsoft Azure environment
Using comprehensive tools (Legion)
Using machine learning for reconnaissance
Summary
Chapter 4: Vulnerability Assessment
Vulnerability nomenclature
Local and online vulnerability databases
Vulnerability scanning with Nmap
Introduction to Lua scripting
Customizing NSE scripts
Web application vulnerability scanners
Nikto
Customizing Nikto
OWASP ZAP
Vulnerability scanners for mobile applications
The OpenVAS network vulnerability scanner
Customizing OpenVAS
Commercial vulnerability scanners
Nessus
Qualys
Specialized scanners
Threat modeling
Summary
Chapter 5: Advanced Social Engineering and Physical Security
Command methodology and TTPs
Technology
Computer-based
Mobile-based
People-based
Physical attacks
Voice-based
Physical attacks at the console
samdump2 and chntpw
Sticky Keys
Creating a rogue physical device
Microcomputer or USB-based attack agents
The Raspberry Pi
MalDuino: the BadUSB
The Social Engineering Toolkit (SET)
Social-engineering attacks
Credential harvester web attack method
Multi-attack web attack method
HTA web attack method
Using the PowerShell alphanumeric shellcode injection attack
Hiding executables and obfuscating the attacker’s URL
Escalating an attack using DNS redirection
Spear phishing attack
Email phishing using Gophish
Launching a phishing attack using Gophish
Using bulk transfer as phishing to deliver payloads
Summary
Chapter 6: Wireless and Bluetooth Attacks
Introduction to wireless and Bluetooth technologies
Configuring Kali for wireless attacks
Wireless reconnaissance
Bypassing a hidden SSID
Bypassing MAC address authentication and open authentication
Attacking WPA and WPA2
Brute-force attacks
Attacking wireless routers with Reaver
Denial of Service (DoS) attacks against wireless communications
Compromising enterprise implementations of WPA2
Working with bettercap
Evil Twin attack using Wifiphisher
WPA3
Bluetooth attacks
Summary
Chapter 7: Exploiting Web-Based Applications
Web application hacking methodology
The hacker’s mind map
Reconnaissance of web apps
Detection of web application firewall and load balancers
Fingerprinting a web application and CMS
Mirroring a website from the command line
Client-side proxies
Burp Proxy
Web crawling and directory brute-force attacks
Web service-specific vulnerability scanners
Application-specific attacks
Brute-forcing access credentials
OS command injection using commix
sqlmap
XML injection
Bit-flipping attack
Maintaining access with web shells
The Browser Exploitation Framework (BeEF)
Installing and configuring BeEF
Understanding the BeEF browser
Using BeEF as a tunneling proxy
Summary
Chapter 8: Cloud Security Exploitation
Introduction to cloud services
Vulnerability scanning and application exploitation in an EC2 instance
Testing for S3 bucket misconfiguration
Exploiting security permission flaws
Obfuscating CloudTrail logs
Summary
Chapter 9: Bypassing Security Controls
Bypassing Network Access Control (NAC)
Pre-admission NAC
Adding new elements
Identifying the rules
Disabling endpoint security
Post-admission NAC
Bypassing isolation
Detecting a honeypot
Bypassing application-level controls
Tunneling past client-side firewalls using SSH
Inbound to outbound
Bypassing URL filtering mechanisms
Outbound to inbound
Bypassing the antivirus with files
Using the Veil framework
Using Shellter
Going fileless and evading antivirus
Bypassing Windows operating system controls
User Account Control (UAC)
Using fodhelper to bypass UAC in Windows 10
Using Disk Cleanup to bypass UAC in Windows 10
Obfuscating the PowerShell and using fileless techniques
Other Windows-specific operating system controls
Access and authorization
Encryption
System security
Communications security
Auditing and logging
Summary
Chapter 10: Exploitation
The Metasploit Framework
Libraries
REX
Framework core
Framework base
Interfaces
Modules
Database setup and configuration
Exploiting targets using MSF
Single targets using a simple reverse shell
Exploiting multiple targets using MSF resource files
Using public exploits
Locating and verifying publicly available exploits
Compiling and using exploits
Compiling C files and executing exploits
Adding the exploits that are written using the MSF as a base
Developing a Windows exploit
Identify the vulnerability through fuzzing
Debug and replicate the crash
Control the application execution
Identify the right bad characters and generate shellcode
Obtain the shell
PowerShell Empire framework
Summary
Chapter 11: Action on the Objective and Lateral Movement
Activities on the compromised local system
Conducting rapid reconnaissance of a compromised system
Finding and taking sensitive data – pillaging the target
Creating additional accounts
Post-exploitation tools
The Metasploit Framework – Meterpreter
The PowerShell Empire project
CrackMapExec
Horizontal escalation and lateral movement
Compromising domain trusts and shares
PsExec, WMIC, and other tools
WMIC
Windows Credentials Editor
Lateral movement using services
Pivoting and port forwarding
Using ProxyChains
Summary
Chapter 12: Privilege Escalations
Overview of the common escalation methodology
Escalating from domain user to system administrator
Local system escalation
Escalating from administrator to system
DLL injection
Credential harvesting and escalation attacks
Password sniffers
Responder
Performing a MiTM attack on LDAP over TLS
Escalating access rights in Active Directory
Compromising Kerberos – a golden-ticket attack
Summary
Chapter 13: Command and Control
Persistence
Using persistent agents
Employing Netcat as a persistent agent
Using schtasks to configure a persistent task
Maintaining persistence with the Metasploit framework
Using the post exploit persistence module
Creating a standalone persistent agent with Metasploit
Persistence using online file storage cloud services
Dropbox
Microsoft OneDrive
Covenant
PoshC2
Domain fronting
Using Amazon CloudFront for C2
Exfiltration of data
Using existing system services (Telnet, RDP, and VNC)
Using the ICMP protocol
Hiding evidence of an attack
Summary
Chapter 14: Embedded Devices and RFID Hacking
Embedded systems and hardware architecture
Embedded system basic architecture
Understanding firmware
Different types of firmware
Understanding bootloaders
Common tools
Firmware unpacking and updating
Introduction to RouterSploit Framework
UART
Cloning RFID using ChameleonMini
Other tools
Summary
Packt Page
Other Books You May Enjoy
Index