Book Image

Hands-On Penetration Testing on Windows

By : Phil Bramwell
Book Image

Hands-On Penetration Testing on Windows

By: Phil Bramwell

Overview of this book

Windows has always been the go-to platform for users around the globe to perform administration and ad hoc tasks, in settings that range from small offices to global enterprises, and this massive footprint makes securing Windows a unique challenge. This book will enable you to distinguish yourself to your clients. In this book, you'll learn advanced techniques to attack Windows environments from the indispensable toolkit that is Kali Linux. We'll work through core network hacking concepts and advanced Windows exploitation techniques, such as stack and heap overflows, precision heap spraying, and kernel exploitation, using coding principles that allow you to leverage powerful Python scripts and shellcode. We'll wrap up with post-exploitation strategies that enable you to go deeper and keep your access. Finally, we'll introduce kernel hacking fundamentals and fuzzing testing, so you can discover vulnerabilities and write custom exploits. By the end of this book, you'll be well-versed in identifying vulnerabilities within the Windows OS and developing the desired solutions for them.

Related Content you might be interested in

Current Title:

Small book image
Hands-On Penetration Testing on Windows
Phil Bramwell
Jul, 2018 | 452 pages
Small book image
Kali Linux 2018: Windows Penetration Testing
Michael J Halton | Arthur L Weaver
Oct, 2018 | 404 pages
Small book image
Offensive Shellcode from Scratch.
Rishalin Pillay
Apr, 2022 | 208 pages
Small book image
Learn Penetration Testing
Rishalin Pillay
May, 2019 | 424 pages
Table of Contents (25 chapters)
Title Page
Title Page
Dedication
Dedication
Packt Upsell
Packt Upsell
Contributors
Contributors
Preface
Preface
Free Chapter
1
Bypassing Network Access Control
Bypassing Network Access Control
Technical requirements
Bypassing MAC filtering – considerations for the physical assessor
Design weaknesses – exploiting weak authentication mechanisms
Bypassing validation checks
Breaking out of jail – masquerading the stack
Summary
Questions
Further reading
2
Sniffing and Spoofing
Sniffing and Spoofing
Technical requirements
Advanced Wireshark – going beyond simple captures
Advanced Ettercap – the man-in-the-middle Swiss Army Knife
Ettercap filters – fine-tuning your analysis
Getting better – spoofing with BetterCAP
Summary
Questions
Further reading
3
Windows Passwords on the Network
Windows Passwords on the Network
Technical requirements
Understanding Windows passwords
Capturing Windows passwords on the network
Let it rip – cracking Windows hashes
Summary
Questions
Further reading
4
Advanced Network Attacks
Advanced Network Attacks
Technical requirements
Binary injection with BetterCAP proxy modules
HTTP downgrading attacks with sslstrip
The evil upgrade – attacking software update mechanisms
IPv6 for hackers
Summary
Questions
Further reading
5
Cryptography and the Penetration Tester
Cryptography and the Penetration Tester
Technical requirements
Flipping the bit – integrity attacks against CBC algorithms
Sneaking your data in – hash length extension attacks
Busting the padding oracle with PadBuster
Summary
Questions
Further reading
6
Advanced Exploitation with Metasploit
Advanced Exploitation with Metasploit
Technical requirements
How to get it right the first time – generating payloads
Modules – the bread and butter of Metasploit
Efficiency and attack organization with Armitage
Social engineering attacks with Metasploit payloads
Summary
Questions
Further reading
7
Stack and Heap Memory Management
Stack and Heap Memory Management
Technical requirements
An introduction to debugging
Stack smack – introducing buffer overflows
Introducing shellcoding
Summary
Questions
Further Reading
8
Windows Kernel Security
Windows Kernel Security
Technical requirements
Kernel fundamentals – understanding how kernel attacks work
Pointing out the problem – pointer issues
Practical kernel attacks with Kali
Summary
Questions
Further reading
9
Weaponizing Python
Weaponizing Python
Technical requirements
Incorporating Python into your work
Python network analysis
Antimalware evasion in Python
Python and Scapy – a classy pair
Summary
Questions
Further reading
10
Windows Shellcoding
Windows Shellcoding
Technical requirements
Taking out the guesswork – heap spraying
Understanding Metasploit shellcode delivery
Injection with Backdoor Factory
Summary
Questions
Further reading
11
Bypassing Protections with ROP
Bypassing Protections with ROP
Technical requirements
DEP and ASLR – the intentional and the unavoidable
Introducing return-oriented programming
Getting hands-on with the return-to-PLT attack
Summary
Questions
Further reading
12
Fuzzing Techniques
Fuzzing Techniques
Technical requirements
Network fuzzing – mutation fuzzing with Taof proxying
Hands-on fuzzing with Kali and Python
Fuzzy registers – the low-level perspective
Summary
Questions
Further reading
13
Going Beyond the Foothold
Going Beyond the Foothold
Technical requirements
Gathering goodies – enumeration with post modules
Network pivoting with Metasploit
Escalating your pivot – passing attacks down the line
Summary
Questions
Further reading
14
Taking PowerShell to the Next Level
Taking PowerShell to the Next Level
Technical requirements
Power to the shell – PowerShell fundamentals
Post-exploitation with PowerShell
Offensive PowerShell – introducing the Empire framework
Summary
Questions
Further reading
15
Escalating Privileges
Escalating Privileges
Technical requirements
Climb the ladder with Armitage
When the easy way fails—local exploits
Escalation with WMIC and PS Empire
Dancing in the shadows – looting domain controllers with vssadmin
Summary
Questions
Further reading
16
Maintaining Access
Maintaining Access
Technical requirements
Persistence with Metasploit and PowerShell Empire
Hack tunnels – netcat backdoors on the fly
Maintaining access with PowerSploit
Summary
Questions
Further reading
17
Tips and Tricks
Tips and Tricks
Getting familiar with VMware Workstation
Building your attack lab
Network configuration tricks
Further reading
Assessment
Assessment
Chapter 1: Bypassing Network Access Control
Chapter 2: Sniffing and Spoofing
Chapter 3: Windows Passwords on the Network
Chapter 4: Advanced Network Attacks
Chapter 5: Cryptography and the Penetration Tester
Chapter 6: Advanced Exploitation with Metasploit
Chapter 7: Stack and Heap Memory Management
Chapter 8: Windows Kernel Security
Chapter 9: Weaponizing Python
Chapter 10: Windows Shellcoding
Chapter 11: Bypassing Protections with ROP
Chapter 12: Fuzzing Techniques
Chapter 13: Going Beyond the Foothold
Chapter 14: Taking PowerShell to the Next Level
Chapter 15: Escalating Privileges
Chapter 16: Maintaining Access
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Index
Index

Questions

  1. What does apd in hostapd stand for?
  2. How can you quickly tell if your wireless card doesn't support access point mode?
  3. What does the hostapd configuration parameter ignore_broadcast_ssid do?
  4. 255.255.255.255 is the broadcast address of the ____________.
  5. You're running an ARP poisoning attack. You know the target and gateway IP addresses, so you immediately fire up arpspoof. Suddenly, communication between the target and the gateway is broken. What happened?
  6. What do the first three octets and the last three octets of the MAC address represent, respectively? 
  7. The MSS and the MTU are the same size. (True | False)
  8. What does the -j flag do in iptables?
  9. You have defined the IP and TCP layers of a specially crafted packet as IP and TCP respectively. You want Scapy to send the packet and save the reply as REPLY. What's the command?
Previous Section
End of Section 8
Next Section