Windows and Linux Penetration Testing from Scratch: Harness the power of pen testing with Kali Linux for unbeatable hard-hitting results

Master the art of identifying and exploiting vulnerabilities with Metasploit, Empire, PowerShell, and Python, turning Kali Linux into your fighter cockpit

Key Features

  • Map your client's attack surface with Kali Linux
  • Discover the craft of shellcode injection and managing multiple compromises in the environment
  • Understand both the attacker and the defender mindset

Book Description

Let's be honest: security testing can get repetitive. If you're ready to break out of the routine and embrace the art of penetration testing, this book will help you distinguish yourself in the eyes of your clients.

This pen testing book is your guide to learning advanced techniques to attack Windows and Linux environments from the indispensable platform, Kali Linux. You'll work through core network hacking concepts and advanced exploitation techniques that leverage both technical and human factors to maximize success. You'll also explore how to leverage public resources to learn more about your target, discover potential targets, analyze them, and gain a foothold using a variety of exploitation techniques while dodging defenses like antivirus and firewalls. The book focuses on leveraging target resources, such as PowerShell, to execute powerful and difficult-to-detect attacks. Along the way, you'll enjoy reading about how these methods work so that you walk away with the necessary knowledge to explain your findings to clients from all backgrounds. Wrapping up with post-exploitation strategies, you'll be able to go deeper and keep your access.

By the end of this book, you'll be well-versed in identifying vulnerabilities within your clients' environments and providing the necessary insight for proper remediation.

What you will learn

  • Get to know advanced pen testing techniques with Kali Linux
  • Gain an understanding of Kali Linux tools and methods from behind the scenes
  • Get to grips with the exploitation of Windows and Linux clients and servers
  • Understand advanced Windows concepts and protection and bypass them with Kali and living-off-the-land methods
  • Get the hang of sophisticated attack frameworks such as Metasploit and Empire
  • Become adept in generating and analyzing shellcode
  • Build and tweak attack scripts and modules

Who this book is for

This book is for penetration testers, information technology professionals, cybersecurity professionals and students, and individuals breaking into a pentesting role after demonstrating advanced skills in boot camps. Prior experience with Windows, Linux, and networking is necessary.

Table of Contents

  1. Open Source Intelligence
  2. Bypassing Network Access Control
  3. Sniffing and Spoofing
  4. Windows Passwords on the Network
  5. Assessing Network Security
  6. Cryptography and the Penetration Tester
  7. Advanced Exploitation with Metasploit
  8. Python Fundamentals
  9. PowerShell Fundamentals
  10. Shellcoding – The Stack
  11. Shellcoding – Bypassing Protections
  12. Shellcoding – Evading Antivirus
  13. Windows Kernel Security
  14. Fuzzing Techniques
  15. Going Beyond the Foothold
  16. Escalating Privileges
  17. Maintaining Access
  18. Answers

Author(s): Phil Bramwell
Edition: 2
Publisher: Packt Publishing
Year: 2022

Language: English
Commentary: Publisher PDF
Pages: 510
City: Birmingham, UK
Tags: Windows; Linux; Penetration Tester; Metasploit; Shellcoding; Sniffing; Spoofing; Network Security; Cryptography

Cover
Title Page
Copyright and Credits
Contributors
Table of Contents
Preface
Part 1: Recon and Exploitation
Chapter 1: Open Source Intelligence
Technical requirements
Hiding in plain sight – OSINT and passive recon
Walking right in – what the target intends to show the world
Just browsing, thanks – stepping into the target’s environment
I know a guy – services doing the probing for you
The world of Shodan
Shodan search filters
Google’s dark side
Google’s advanced operators
The Advanced Search page
Thinking like a dark Googler
Diving into OSINT with Kali
The OSINT analysis tools folder
Transforming your perspective – Maltego
Entities and transforms and graphs, oh my
OSINT with Spiderfoot
Summary
Questions
Chapter 2: Bypassing Network Access Control
Technical requirements
Bypassing media access control filtering – considerations for the physical assessor
Configuring a Kali wireless access point to bypass MAC filtering
Design weaknesses – exploiting weak authentication mechanisms
Capturing captive portal authentication conversations in the clear
Layer-2 attacks against the network
Bypassing validation checks
Confirming the organizationally unique identifier
Passive operating system fingerprinter
Spoofing the HTTP user agent
Breaking out of jail – masquerading the stack
Following the rules spoils the fun – suppressing normal TCP replies
Fabricating the handshake with Scapy and Python
Summary
Questions
Further reading
Chapter 3: Sniffing and Spoofing
Technical requirements
Advanced Wireshark – going beyond simple captures
Passive wireless analysis
Targeting WLANs with the Aircrack-ng suite
WLAN analysis with Wireshark
Active network analysis with Wireshark
Advanced Ettercap – the man-in-the-middle Swiss Army Knife
Bridged sniffing and the malicious access point
Ettercap filters – fine-tuning your analysis
Getting better – scanning, sniffing, and spoofing with BetterCAP
Summary
Questions
Further reading
Chapter 4: Windows Passwords on the Network
Technical requirements
Understanding Windows passwords
A crash course on hash algorithms
Password hashing methods in Windows
If it ends with 1404EE, then it’s easy for me – understanding LM hash flaws
Authenticating over the network – a different game altogether
Capturing Windows passwords on the network
A real-world pen test scenario – the chatty printer
Configuring our SMB listener
Authentication capture
Hash capture with LLMNR/NetBIOS NS spoofing
Let it rip – cracking Windows hashes
The two philosophies of password cracking
John the Ripper cracking with a wordlist
John the Ripper cracking with masking
Reviewing your progress with the show flag
Here, kitty kitty – getting started with Hashcat
Summary
Questions
Further reading
Chapter 5: Assessing Network Security
Technical requirements
Network probing with Nmap
Host discovery
Port scanning – scan types
Port scanning – port states
Firewall/IDS evasion, spoofing, and performance
Service and OS detection
Hands-on with Nmap
Integrating Nmap with Metasploit Console
Exploring binary injection with BetterCAP
The magic of download hijacking
Smuggling data – dodging firewalls with HTTPTunnel
IPv6 for hackers
IPv6 addressing basics
Watch me neigh neigh – local IPv6 recon and the Neighbor Discovery Protocol
IPv6 man-in-the-middle – attacking your neighbors
Living in an IPv4 world – creating a local 4-to-6 proxy for your tools
Summary
Questions
Further reading
Chapter 6: Cryptography and the Penetration Tester
Technical requirements
Flipping the bit – integrity attacks against CBC algorithms
Block ciphers and modes of operation
Introducing block chaining
Setting up your bit-flipping lab
Manipulating the IV to generate predictable results
Flipping to root – privilege escalation via CBC bit-flipping
Sneaking your data in – hash length extension attacks
Setting up your hash attack lab
Understanding SHA-1’s running state and compression function
Data injection with the hash length extension attack
Busting the padding oracle with PadBuster
Interrogating the padding oracle
Decrypting a CBC block with PadBuster
Behind the scenes of the oracle padding attack
Summary
Questions
Chapter 7: Advanced Exploitation with Metasploit
Technical requirements
How to get it right the first time – generating payloads
Installing Wine32 and Shellter
Payload generation goes solo – working with msfvenom
Creating nested payloads
Helter skelter – evading antivirus with Shellter
Modules – the bread and butter of Metasploit
Building a simple Metasploit auxiliary module
Efficiency and attack organization with Armitage
Getting familiar with your Armitage environment
Enumeration with Armitage
Exploitation made ridiculously simple with Armitage
A word about Armitage and the pen tester mentality
Social engineering attacks with Metasploit payloads
Creating a Trojan with Shellter
Preparing a malicious USB drive for Trojan delivery
Summary
Questions
Further reading
Part 2: Vulnerability Fundamentals
Chapter 8: Python Fundamentals
Technical requirements
Incorporating Python into your work
Why Python?
Getting cozy with Python in your Kali environment
Introducing Vim with Python syntax awareness
Network analysis with Python modules
Python modules for networking
Building a Python client
Building a Python server
Building a Python reverse-shell script
Antimalware evasion in Python
Creating Windows executables of your Python scripts
Preparing your raw payload
Writing your payload retrieval and delivery in Python
Python and Scapy – a classy pair
Revisiting ARP poisoning with Python and Scapy
Summary
Questions
Further reading
Chapter 9: PowerShell Fundamentals
Technical requirements
Power to the shell – PowerShell fundamentals
What is PowerShell?
PowerShell’s cmdlets and the PowerShell scripting language
Working with the Windows Registry
Pipelines and loops in PowerShell
It gets better – PowerShell’s ISE
Post-exploitation with PowerShell
ICMP enumeration from a pivot point with PowerShell
PowerShell as a TCP-connect port scanner
Delivering a Trojan to your target via PowerShell
Encoding and decoding binaries in PowerShell
Offensive PowerShell – introducing the Empire framework
Installing and introducing PowerShell Empire
Configuring listeners
Configuring stagers
Your inside guy – working with agents
Configuring a module for agent tasking
Summary
Questions
Further reading
Chapter 10: Shellcoding - The Stack
Technical requirements
An introduction to debugging
Understanding the stack
Understanding registers
Assembly language basics
Disassemblers, debuggers, and decompilers – oh my!
Getting cozy with the Linux command-line debugger – GDB
Stack smack – introducing buffer overflows
Examining the stack and registers during execution
Lilliputian concerns – understanding endianness
Introducing shellcoding
Hunting bytes that break shellcode
Generating shellcode with msfvenom
Grab your mittens, we’re going NOP sledding
Summary
Questions
Further reading
Chapter 11: Shellcoding – Bypassing Protections
Technical requirements
DEP and ASLR – the intentional and the unavoidable
Understanding DEP
Understanding ASLR
Demonstrating ASLR on Kali Linux with C
Introducing ROP
Borrowing chunks and returning to libc – turning the code against itself
The basic unit of ROP – gadgets
Getting cozy with our tools – MSFrop and ROPgadget
Creating our vulnerable C program without disabling the protections
No PIE for you – compiling your vulnerable executable without ASLR hardening
Generating an ROP chain
Getting hands-on with the return-to-PLT attack
Extracting gadget information for building your payload
Go, go, gadget ROP chain – bringing it together for the exploit
Summary
Questions
Further reading
Chapter 12: Shellcoding – Evading Antivirus
Technical requirements
Living off the land with PowerShell
Injecting Shellcode into interpreter memory
Getting sassy – on-the-fly LSASS memory dumping with PowerShell
Staying flexible – tweaking the scripts
Understanding Metasploit shellcode delivery
Encoder theory and techniques – what encoding is and isn’t
Windows binary disassembly within Kali
Injection with Backdoor Factory
Time travel with your Python installation – using PyEnv
Installing BDF
Code injection fundamentals – fine-tuning with BDF
Trojan engineering with BDF and IDA
Summary
Questions
Chapter 13: Windows Kernel Security
Technical requirements
Kernel fundamentals – understanding how kernel attacks work
Kernel attack vectors
The kernel’s role as a time cop
It’s just a program
Pointing out the problem – pointer issues
Dereferencing pointers in C and assembly
Understanding NULL pointer dereferencing
The Win32k kernel-mode driver
Passing an error code as a pointer to xxxSendMessage()
Metasploit – exploring a Windows kernel exploit module
Practical kernel attacks with Kali
An introduction to privilege escalation
Escalating to SYSTEM on Windows 7 with Metasploit
Summary
Questions
Further reading
Chapter 14: Fuzzing Techniques
Technical requirements
Network fuzzing – mutation fuzzing with Taof proxying
Configuring the Taof proxy to target the remote service
Fuzzing by proxy – generating legitimate traffic
Hands-on fuzzing with Kali and Python
Picking up where Taof left off with Python – fuzzing the vulnerable FTP server
Exploring with boofuzz
Impress your teachers – using boofuzz grammar
The other side – fuzzing a vulnerable FTP client
Writing a bare-bones FTP fuzzer service in Python
Crashing the target with the Python fuzzer
Fuzzy registers – the low-level perspective
Calculating the EIP offset with the Metasploit toolset
Shellcode algebra – turning the fuzzing data into an exploit
Summary
Questions
Further reading
Part 3: Post-Exploitation
Chapter 15: Going beyond the Foothold
Technical requirements
Gathering goodies – enumeration with post modules
ARP enumeration with Meterpreter
Forensic analysis with Meterpreter – stealing deleted files
Internet Explorer enumeration – discovering internal web resources
Network pivoting with Metasploit
Just a quick review of subnetting
Launching Metasploit into the hidden network with autoroute
Escalating your pivot – passing attacks down the line
Using your captured goodies
Quit stalling and Pass-the-Hash – exploiting password equivalents in Windows
Summary
Questions
Further reading
Chapter 16: Escalating Privileges
Technical requirements
Climbing the ladder with Armitage
Named pipes and security contexts
Impersonating the security context of a pipe client
Superfluous pipes and pipe creation race conditions
Moving past the foothold with Armitage
Armitage pivoting
When the easy way fails – local exploits
Kernel pool overflow and the danger of data types
Let’s get lazy – Schlamperei privilege escalation on Windows 7
Escalation with WMIC and PS Empire
Quietly spawning processes with WMIC
Creating a PowerShell Empire agent with remote WMIC
Escalating your agent to SYSTEM via access token theft
Dancing in the shadows – looting domain controllers with vssadmin
Extracting the NTDS database and SYSTEM hive from a shadow copy
Exfiltration across the network with cifs
Password hash extraction with libesedb and ntdsxtract
Summary
Questions
Further reading
Chapter 17: Maintaining Access
Technical requirements
Persistence with Metasploit and PowerShell Empire
Creating a payload for the Metasploit persister
Configuring the Metasploit persistence module and firing away
Verifying your persistent Meterpreter backdoor
Not to be outdone – persistence in PowerShell Empire
Elevating the security context of our Empire agent
Creating a WMI subscription for stealthy persistence of your agent
Verifying agent persistence
Hack tunnels – netcat backdoors on the fly
Uploading and configuring persistent netcat with Meterpreter
Remotely tweaking Windows Firewall to allow inbound netcat connections
Verifying persistence is established
Maintaining access with PowerSploit
Installing the persistence module in PowerShell
Configuring and executing Meterpreter persistence
Lying in wait – verifying persistence
Summary
Questions
Further reading
Answers
Index
Other Books You May Enjoy