Mastering Kali Linux for Advanced Penetration Testing - Third Edition

By: Vijay Kumar Velu, Robert Beggs

Overview of this book

This book takes you, as a tester or security practitioner, through the reconnaissance, vulnerability assessment, exploitation, privilege escalation, and post-exploitation activities used by pentesters. To start with, you'll use a laboratory environment to validate tools and techniques, along with an application that supports a collaborative approach for pentesting. You'll then progress to passive reconnaissance with open source intelligence and active reconnaissance of the external and internal infrastructure. You'll also focus on how to select, use, customize, and interpret the results from different vulnerability scanners, followed by examining specific routes to the target, which include bypassing physical security and the exfiltration of data using a variety of techniques. You'll discover concepts such as social engineering, attacking wireless networks, web services, and embedded devices. Once you are confident with these topics, you'll learn the practical aspects of attacking user client systems by backdooring with fileless techniques, followed by focusing on the most vulnerable part of the network – directly attacking the end user. By the end of this book, you'll have explored approaches for carrying out advanced pentesting in tightly secured environments, and understood the pentesting and hacking techniques employed on embedded peripheral devices.

Building a verification lab


As a penetration tester, you should set up your own verification lab to test any kind of vulnerability and to have a working proof of concept before emulating the same on a live environment.

Installing defined targets

To practice the art of exploitation, it is always recommended to make use of well-known vulnerable software. In this section, we will install Metasploitable3, which is a Windows platform, and Mutillidae, which is a PHP framework web application.

Metasploitable3

Metasploitable3 is an indubitably vulnerable VM that's intended to be tested for multiple exploits using Metasploit. It is under a BSD-style license. Two VMs can be built for practice, which can be downloaded from: https://github.com/rapid7/metasploitable3. You can download the ZIP file and unzip it in your favorite Windows location (typically, we segregate in the D:\HackTools\ folder) or you can run git clone https://github.com/rapid7/metasploitable3 from a Bash shell. Install all of the relevant supporting software such as Packer (https://www.packer.io/downloads.html), Vagrant (https://www.vagrantup.com/downloads.html), VirtualBox, and the Vagrant reload plugin. The following commands should install all of the relevant vulnerable services and software:

  • On Windows 10 as the host operating system, you can run the following commands:
      ./build.ps1 windows2008
      ./build.ps1 ubuntu1404
  • On Linux or macOS, you can run the following commands:
      ./build.sh windows2008
      ./build.sh ubuntu1404
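
Before running the build scripts above, it helps to confirm that the supporting software is actually present. The following Python sketch is an added example, not part of the book or the Metasploitable3 repository; it assumes the tools are on PATH under the names packer, vagrant and VBoxManage and that the plugin is named vagrant-reload, and the function names are illustrative.

```python
import shutil
import subprocess

# Tools this section tells you to install before building Metasploitable3.
# Assumption: each one is reachable on PATH under this name.
REQUIRED_TOOLS = ("packer", "vagrant", "VBoxManage")
REQUIRED_PLUGIN = "vagrant-reload"


def installed_plugins(plugin_list_output):
    """Parse `vagrant plugin list` output, e.g. 'vagrant-reload (0.0.1, global)'."""
    names = set()
    for line in plugin_list_output.splitlines():
        # Plugin lines start at column 0; indented lines carry version details.
        if line and not line[0].isspace() and " (" in line:
            names.add(line.split(" (", 1)[0].strip())
    return names


def missing_prerequisites(find=shutil.which, plugin_list_output=None):
    """Return the names of missing tools or plugins; an empty list means ready."""
    missing = [tool for tool in REQUIRED_TOOLS if find(tool) is None]
    if "vagrant" not in missing:
        if plugin_list_output is None:
            # Ask Vagrant itself which plugins are installed.
            plugin_list_output = subprocess.run(
                ["vagrant", "plugin", "list"],
                capture_output=True, text=True, check=False,
            ).stdout
        if REQUIRED_PLUGIN not in installed_plugins(plugin_list_output):
            missing.append(REQUIRED_PLUGIN + " (vagrant plugin)")
    return missing


if __name__ == "__main__":
    gaps = missing_prerequisites()
    print("ready to build" if not gaps else "missing: " + ", ".join(gaps))
```

On Windows hosts VBoxManage is often not on PATH after a default VirtualBox install, so a reported gap there may only mean the install directory needs adding to PATH.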

After the VirtualBox file download, you'll just have to run vagrant up win2k8 and vagrant up ub1404 in the same PowerShell. This should bring up your new VM in your VirtualBox without any problem as shown in the following screenshot:

Mutillidae

Mutillidae is an open source insecure web application, which is designed for penetration testers to practice all of the web-app specific vulnerability exploitation. XAMPP is another free and open source cross-platform web server solution stack package developed by Apache Friends. XAMPP can be downloaded from: https://www.apachefriends.org/download.html.

We will now install Mutillidae on our newly installed Microsoft Windows 2008 R2 server, which will host it:

  1. Once XAMPP is downloaded, let's go ahead and install the executable by following the wizard. Once the installation is complete and XAMPP is launched, you should be able to see the following screen. We will be using XAMPP version 5.6.36 / PHP 5.6.36:
  2. Mutillidae can be downloaded from: https://sourceforge.net/projects/mutillidae/files/latest/download.
  3. Unzip the file and copy the folder to C:\yourxampplocation\htdocs\<mutillidae>.
  4. You have to ensure XAMPP is running Apache and MySQL/MariaDB, and finally open the .htaccess file inside the mutillidae folder and ensure that 127.0.0.1 and the IP range are allowed. We should be able to see the web application installed successfully as shown in the following screenshot and it can be accessed by visiting http://localhost/mutillidae/:

Note

In case of error messages saying that the database is offline or something similar, you may have to reset or set up the DB for Mutillidae.
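
The .htaccess check in the last installation step can be done mechanically. The Python sketch below is an added example, not code from the book or from the Mutillidae project: it reads the allow rules and reports which lab clients are covered and whether any rule opens the deliberately vulnerable application beyond loopback and private ranges. It assumes an Order Deny,Allow / Deny from all baseline; the sample file, the function names and the 192.168.56.0/24 lab range are constructed for illustration.

```python
import ipaddress
import re

# Ranges that stay inside a lab: loopback plus the RFC 1918 private blocks.
LAB_ONLY = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
DIRECTIVE = re.compile(r"^\s*(allow\s+from|require\s+ip|require\s+all)\s+(.+)$", re.I | re.M)
OPEN_RULES = {("allow from", "all"), ("require all", "granted")}

SAMPLE = """# Constructed sample for illustration, not the file shipped with Mutillidae
Order Deny,Allow
Deny from all
Allow from 127. localhost
Allow from 192.168.56.0/24
"""

def to_network(spec):
    """Convert a full IP, CIDR, net/mask or partial IP ("127.") to a network."""
    if "/" in spec or ":" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = [o for o in spec.split(".") if o]
    if not octets:
        raise ValueError(spec)
    if len(octets) < 4:  # partial form: pad with zeros, 8 prefix bits per octet given
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(spec, strict=False)

def allowed_networks(htaccess_text):
    """Return (networks, open_to_all) from Allow from / Require ip / Require all lines."""
    nets, open_to_all = [], False
    for match in DIRECTIVE.finditer(htaccess_text):  # '#' comment lines never match
        directive = " ".join(match.group(1).lower().split())
        for token in match.group(2).split():
            if (directive, token.lower()) in OPEN_RULES:
                open_to_all = True
            try:
                nets.append(to_network(token))
            except ValueError:
                pass  # host names, env= specs and all/granted/denied are not networks
    return nets, open_to_all

def review(htaccess_text, lab_clients):
    """Report which lab clients are allowed and which rules reach beyond the lab."""
    nets, open_to_all = allowed_networks(htaccess_text)
    reachable = {ip: open_to_all or any(ipaddress.ip_address(ip) in n for n in nets)
                 for ip in lab_clients}
    too_wide = [str(n) for n in nets
                if not any(n.version == p.version and n.subnet_of(p) for p in LAB_ONLY)]
    return {"clients": reachable, "open_to_all": open_to_all, "too_wide": too_wide}
```

Run review() against the real file's contents with the addresses of your Kali and host machines; any entry in too_wide or open_to_all set to True means the application is reachable from outside the lab ranges.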

Setting up an Active Directory and Domain Controller

In the previous edition of Mastering Kali Linux for Advanced Penetration Testing, we learned how to set up an Active Directory in Windows 2008 R2. In this section, we will install Active Directory on Windows 2008 R2. Once you've downloaded the ISO from Microsoft and installed the operating system on VMware workstation player or VirtualBox, you should be able to do the following steps:

  1. Open the Server Manager from the taskbar.
  2. From the Server Manager, click on Add roles and features.
  3. Select Role-based or Features-based installation from the Installation Type screen and click Next.
  4. By default, the same server will be selected.
  5. From the Server Roles page place a checkmark in the checkbox next to Active Directory Domain Services. Additional roles, services, or features are also required to install Domain Services: click Add Features.
  6. Select optional features to install during the AD DS installation by placing a check in the box next to any desired features, and then click Next. After the operating system compatibility checks, select Create a new domain in a new forest and click Next.
  7. Enter the FQDN (Fully Qualified Domain Name). In the example, we will create a new FQDN as mastering.kali.thirdedition; that should take us to the forest functional level. We can select Windows 2008 R2 and click Next; that will enable us to install the DNS (Domain Name System). During this installation, it is recommended to set a static IP on this machine so that the domain controller features can be enabled; in our case, we set the static IP of this server to 192.168.x.x. Finally, you'll need to set the Directory Services Restore Mode administrator password; a summary of the configuration will then be presented.
  8. On the Confirm installation selections screen, review the installation and then click Install.
  9. Once everything is complete, you should be able to see the following screenshot:

Adding users to the Active Directory

To demonstrate the privilege escalation in later chapters, we will create a normal user with domain user privilege and a domain administrator user with full privileges.

To create a normal user on domain, run the following command in the command line on our Domain Controller:

net user normaluser Passw0rd12 /add /domain

To create a domain administrator account, the following commands will create a user as admin and add this user to the domain admins group:

net user admin Passw0rd123 /add /domain
net group "domain admins" admin /add /domain

To validate these users are created, you can use the domain controller by simply running net user from the command line and you should be able to see the users, as shown in the following screenshot:

Adding Metasploitable3 Windows to the new domain

Now we will go back to the Metasploitable3 Windows VM that we installed and add it to our newly created domain by following these steps:

  1. Add the IP address of the domain controller to the DNS setting by editing the Ethernet adapter properties. This is to resolve the FQDN; Metasploitable3 will need to query the domain controller for the domain name resolution.
  2. Click the Start button, right-click on My Computer, and select Properties; under Computer name, domain, and workgroup settings, click on Change settings, which should pop up the System Properties window. In that window, click on Change.
  3. Select the radio button to switch from Workgroup to Domain and enter the domain name as shown in the following screenshot; in our case, the domain name is mastering.kali.thirdedition:
  4. That should prompt you to enter the username and password, and we can log in as either the normaluser or the admin account that we created. Once authenticated, the system is connected to the domain and any domain user will be able to log in to Metasploitable3.

This should provide us with a wide range of exposure to multiple vulnerabilities on the network:

  • A vulnerable Windows 2008 R2 (Metasploitable3 server) that is connected to a domain (mastering.kali.thirdedition)
  • A vulnerable web application hosted on a vulnerable Windows 2008 R2 Server (Metasploitable3)
  • A vulnerable services Linux machine (Metasploitable3) running Ubuntu 14.04
  • A domain controller with one domain admin and one normal user