Advanced Penetration Testing for Highly-Secured Environments Second Edition
Table of Contents

Front matter
  • Advanced Penetration Testing for Highly-Secured Environments Second Edition
  • Credits
  • About the Authors
  • About the Reviewer
  • www.PacktPub.com
  • eBooks, discount offers, and more
  • Why subscribe?

Preface
  • What this book covers
  • What you need for this book
  • Who this book is for
  • Conventions
  • Reader feedback
  • Customer support
  • Downloading the color images of this book
  • Errata
  • Piracy
  • Questions

1. Penetration Testing Essentials
  • Methodology defined
  • Example methodologies
  • Penetration testing framework
  • Penetration Testing Execution Standard
  • Pre-engagement interactions
  • Intelligence gathering
  • Threat modeling
  • Vulnerability analysis
  • Exploitation
  • Post-exploitation
  • Reporting
  • Abstract methodology
  • Final thoughts
  • Summary

2. Preparing a Test Environment
  • Introducing VMware Workstation
  • Why VMware Workstation?
  • Installing VMware Workstation
  • Network design
  • VMnet0
  • VMnet1
  • VMnet8
  • Folders
  • Understanding the default architecture
  • Installing Kali Linux
  • Creating the switches
  • Putting it all together
  • Installing Ubuntu LTS
  • Installing Kioptrix
  • Creating pfSense VM
  • Summary

3. Assessment Planning
  • Introducing advanced penetration testing
  • Vulnerability assessments
  • Penetration testing
  • Advanced penetration testing
  • Before testing begins
  • Determining scope
  • Setting limits – nothing lasts forever
  • Rules of Engagement documentation
  • Planning for action
  • Configuring Kali
  • Updating the applications and operating system
  • Installing LibreOffice
  • Effectively managing your test results
  • Introduction to MagicTree
  • Starting MagicTree
  • Adding nodes
  • Data collection
  • Report generation
  • Introduction to the Dradis framework
  • Exporting a project template
  • Importing a project template
  • Preparing sample data for import
  • Importing your Nmap data
  • Exporting data into HTML
  • Dradis Category field
  • Changing the default HTML template
  • Summary

4. Intelligence Gathering
  • Introducing reconnaissance
  • Reconnaissance workflow
  • DNS recon
  • nslookup – it's there when you need it
  • Default output
  • Changing nameservers
  • Creating an automation script
  • What did we learn?
  • Domain information groper
  • Default output
  • Zone transfers using Dig
  • Advanced features of Dig
  • Shortening the output
  • Listing the bind version
  • Reverse DNS lookup using Dig
  • Multiple commands
  • Tracing the path
  • Batching with dig
  • DNS brute-forcing with fierce
  • Default command usage
  • Creating a custom word list
  • Gathering and validating domain and IP information
  • Gathering information with Whois
  • Specifying which registrar to use
  • Where in the world is this IP?
  • Defensive measures
  • Using search engines to do your job for you
  • Shodan
  • Filters
  • Understanding banners
  • HTTP banners
  • Finding specific assets
  • Finding people (and their documents) on the web
  • Google hacking database
  • Google filters
  • Searching the Internet for clues
  • Creating network baselines with scanPBNJ
  • Metadata collection
  • Extracting metadata from photos using exiftool
  • Summary

5. Network Service Attacks
  • Configuring and testing our lab clients
  • Kali – manual ifconfig
  • Ubuntu – manual ifconfig
  • Verifying connectivity
  • Maintaining IP settings after reboot
  • Angry IP Scanner
  • Nmap – getting to know you
  • Commonly seen Nmap scan types and options
  • Basic scans – warming up
  • Other Nmap techniques
  • Remaining stealthy
  • Taking your time
  • Trying different scan types
  • SYN scan
  • Null scan
  • ACK scan
  • Conclusion
  • Shifting blame – the zombies did it!
  • IDS rules and how to avoid them
  • Using decoys
  • Adding custom Nmap scripts to your arsenal
  • Deciding if a script is right for you
  • Adding a new script to the database
  • Zenmap – for those who want the GUI
  • SNMP – a goldmine of information just waiting to be discovered
  • When the SNMP community string is NOT "public"
  • Network baselines with scanPBNJ
  • Setting up MySQL for PBNJ
  • Preparing the PBNJ database
  • First scan
  • Reviewing the data
  • Enumeration avoidance techniques
  • Naming conventions
  • Port knocking
  • Intrusion detection and avoidance systems
  • Trigger points
  • SNMP lockdown
  • Reader challenge
  • Summary

6. Exploitation
  • Exploitation – why bother?
  • Manual exploitation
  • Enumerating services
  • Quick scans with unicornscan
  • Full scanning with Nmap
  • Banner grabbing with Netcat and Ncat
  • Banner grabbing with Netcat
  • Banner grabbing with Ncat
  • Banner grabbing with smbclient
  • Searching Exploit-DB
  • Exploit-DB at hand
  • Compiling the code
  • Compiling proof-of-concept code
  • Troubleshooting the code
  • What are all of these ^M characters and why won't they go away?
  • Broken strings – the reunion
  • Running the exploit
  • Getting files to and from victim machines
  • Starting a TFTP server on Kali
  • Installing and configuring pure-ftpd
  • Starting pure-ftpd
  • Passwords – something you know…
  • Cracking the hash
  • Brute-forcing passwords
  • Metasploit – learn it and love it
  • Databases and Metasploit
  • Performing an nmap scan from within Metasploit
  • Using auxiliary modules
  • Using Metasploit to exploit Kioptrix
  • Reader challenge
  • Summary

7. Web Application Attacks
  • Practice makes perfect
  • Creating a KioptrixVM Level 3 clone
  • Installing and configuring Mutillidae on the Ubuntu virtual machine
  • Configuring pfSense
  • Configuring the pfSense DHCP server
  • Starting the virtual lab
  • pfSense DHCP – Permanent reservations
  • Installing HAProxy for load balancing
  • Adding Kioptrix3.com to the host file
  • Detecting load balancers
  • Quick reality check – Load Balance Detector
  • So, what are we looking for anyhow?
  • Detecting web application firewalls (WAF)
  • Taking on Level 3 – Kioptrix
  • Web Application Attack and Audit framework (w3af)
  • Using w3af GUI to save configuration time
  • Using a second tool for comparisons
  • Scanning using the w3af console
  • Using WebScarab as an HTTP proxy
  • Introduction to browser plugin HackBar
  • Reader challenge
  • Summary

8. Exploitation Concepts
  • Buffer overflows – a refresher
  • Memory basics
  • "C"ing is believing – Create a vulnerable program
  • Turning ASLR on and off in Kali
  • Understanding the basics of buffer overflows
  • 64-bit exploitation
  • Introducing vulnserver
  • Fuzzing tools included in Kali
  • Bruteforce Exploit Detector (BED)
  • sfuzz – Simple fuzzer
  • Social Engineering Toolkit
  • Fast-Track
  • Reader challenge
  • Summary

9. Post-Exploitation
  • Rules of Engagement
  • What is permitted?
  • Can you modify anything and everything?
  • Are you allowed to add persistence?
  • How is the data that is collected and stored handled by you and your team?
  • Employee data and personal information
  • Data gathering, network analysis, and pillaging
  • Linux
  • Important directories and files
  • Important commands
  • Putting this information to use
  • Enumeration
  • Exploitation
  • We are connected, now what?
  • Which tools are available on the remote system?
  • Finding network information
  • Determine connections
  • Checking installed packages
  • Package repositories
  • Programs and services that run at startup
  • Searching for information
  • History files and logs
  • Configurations, settings, and other files
  • Users and credentials
  • Moving the files
  • Microsoft Windows™ post-exploitation
  • Important directories and files
  • Using Armitage for post-exploitation
  • Enumeration
  • Exploitation
  • We are connected, now what?
  • Networking details
  • Finding installed software and tools
  • Pivoting
  • Reader challenge
  • Summary

10. Stealth Techniques
  • Lab preparation
  • Kali guest machine
  • Ubuntu guest machine
  • The pfSense guest machine configuration
  • The pfSense network setup
  • WAN IP configuration
  • LAN IP configuration
  • Firewall configuration
  • Stealth scanning through the firewall
  • Finding the ports
  • Traceroute to find out if there is a firewall
  • Finding out if the firewall is blocking certain ports
  • Hping3
  • Nmap firewalk script
  • Now you see me, now you don't – avoiding IDS
  • Canonicalization
  • Timing is everything
  • Blending in
  • pfSense SSH logs
  • Looking at traffic patterns
  • Cleaning up compromised hosts
  • Using a checklist
  • When to clean up
  • Local log files
  • Miscellaneous evasion techniques
  • Divide and conquer
  • Hiding out (on controlled units)
  • File Integrity Monitoring (FIM)
  • Using common network management tools to do the deed
  • Reader challenge
  • Summary

11. Data Gathering and Reporting
  • Record now – sort later
  • Old school – the text editor method
  • Nano
  • VIM – the power user's text editor of choice
  • Gedit – Gnome text editor
  • Dradis framework for collaboration
  • Binding to an available interface other than 127.0.0.1
  • The report
  • Reader challenge
  • Summary

12. Penetration Testing Challenge
  • Firewall lab setup
  • Installing additional packages in pfSense
  • The scenario
  • The virtual lab setup
  • AspenMLC Research Labs' virtual network
  • Additional system modifications
  • Ubuntu 8.10 server modifications
  • The challenge
  • The walkthrough
  • Defining the scope
  • Determining the "why"
  • So what is the "why" of this particular test?
  • Developing the Rules of Engagement document
  • Initial plan of attack
  • Enumeration and exploitation
  • Reporting
  • Summary

Index