Hands-On Penetration Testing on Windows

By: Phil Bramwell

Overview of this book

Windows has always been the go-to platform for users around the globe to perform administration and ad hoc tasks, in settings that range from small offices to global enterprises, and this massive footprint makes securing Windows a unique challenge. This book will enable you to distinguish yourself to your clients. In this book, you'll learn advanced techniques to attack Windows environments from the indispensable toolkit that is Kali Linux. We'll work through core network hacking concepts and advanced Windows exploitation techniques, such as stack and heap overflows, precision heap spraying, and kernel exploitation, using coding principles that allow you to leverage powerful Python scripts and shellcode. We'll wrap up with post-exploitation strategies that enable you to go deeper and keep your access. Finally, we'll introduce kernel hacking fundamentals and fuzzing testing, so you can discover vulnerabilities and write custom exploits. By the end of this book, you'll be well-versed in identifying vulnerabilities within the Windows OS and developing the desired solutions for them.

Table of Contents (25 chapters)

  • Title Page
  • Dedication
  • Packt Upsell
  • Contributors
  • Preface
  • Index

Preface

This book takes a hands-on approach to teaching and understanding penetration testing concepts at an intermediate to advanced level. It's designed to lay the foundation for advanced roles in the field with an engaging and easy-to-follow style. There are a lot of books on the subject of penetration testing, but what makes this book special is the emphasis on the underlying logic and mechanisms of the concept at hand. Recognizing that there aren't enough pages to give each subject what it deserves, this book takes a springboard approach to the topics by providing enough key information and theory to inform further research outside of these pages. The reader can thus spend less time searching and more time learning.

Who this book is for

This book is for penetration testers who want to break out of old routines, security professionals who want to break into penetration testing, security managers who want to understand penetration testing, and young security students and professionals who excel in ethical-hacking boot camps.

What this book covers

Chapter 1, Bypassing Network Access Control, focuses on getting a foothold in the network. Network Access Control systems, or NACs, rely on certain detection technology – this chapter will review them and how they work at a low level.

Chapter 2, Sniffing and Spoofing, will discuss advanced Wireshark techniques to give the reader practical experience in low-level traffic analysis. The reader will then learn applied network-spoofing attacks, focusing on layer-2 poisoning attacks and DNS spoofing.

Chapter 3, Windows Passwords on the Network, demonstrates advanced Windows password attacks. The chapter reviews how Windows passwords are carried over the network and then provides practical demonstrations of capturing, understanding, and cracking Windows passwords to gain access. 

Chapter 4, Advanced Network Attacks, ties together the network-hacking portion with coverage of advanced concepts. We cover software-update hijacking, SSL stripping, and routers. A discussion of IPv6 is included along with practical demonstrations of using Kali to attack IPv6 implementations.

Chapter 5, Cryptography and the Penetration Tester, discusses cryptographic system implementations and practical attacks against them. Attacking message integrity via bit-flipping is demonstrated against the AES implementation of cipher block chaining. We also look at length-extension attacks and run through a demonstration of how they work. Another demonstration of an attack against confidentiality will be given with a padding-oracle attack using Kali.

Chapter 6, Advanced Exploitation with Metasploit, will take the reader to the next level with the standard attack framework in every pen tester's toolkit: Metasploit. The finer points of exploits in Metasploit are discussed, including working with the payload generator, metamodules, and building custom modules. Attacks will be demonstrated while organizing them with Metasploit's task automation features.

Chapter 7, Stack and Heap – Memory Management, guides the reader through understanding memory management for practical application to pen testing. An introduction to stack overflow attacks is demonstrated step by step. The reader will use a debugger to turn discovered software bugs into exploitation opportunities.

Chapter 8, Windows Kernel Security, guides the reader through understanding and attacking the other side of the Windows virtual address space: the kernel. The reader will understand the fundamentals of kernel exploitation, including context switching and the use of the scheduler to inform race condition attacks, and vulnerabilities that the hacker seeks to exploit, including pointer issues, such as NULL pointer dereferencing and corrupted pointers.

Chapter 9, Weaponizing Python, is a crash course in Python to bring the reader to a level of understanding that will facilitate pen testing tasks with Python modules. Some of the techniques covered that can be transformed into pen testing tools include network analysis with Python and Scapy.

Chapter 10, Windows Shellcoding, will step through stack-protection mechanisms of the Windows OS and demonstrate practical bypass methods. We demonstrate heap spraying with step-by-step explanations, as well as exploit creation.

Chapter 11, Bypassing Protections with ROP, will guide the reader through understanding Windows memory protection mechanisms and bypassing them with Return-Oriented Programming (ROP). The mechanisms discussed are Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). The reader will understand the core assembly mechanisms that allow ROP to work, building on knowledge of memory management from other chapters.

Chapter 12, Fuzzing Techniques, guides the reader through practical fuzzing techniques. The reader will understand the core principle and will be able to understand what's happening at a low memory-management level. The reader will have hands-on experience with trial-and-error fuzzing applications. From there, we will move on to more advanced fuzzing techniques, such as protocol fuzzing.

Chapter 13, Going Beyond the Foothold, explores the post-exploitation modules of Metasploit. The Windows post modules are introduced and practically demonstrated so the reader will know how to capture keystrokes from a compromised Windows host, scan the network for new targets, and learn and exploit trust relationships to complete the pivot. We then cover enumeration on the compromised Windows host to inform post-exploitation efforts.

Chapter 14, Taking PowerShell to the Next Level, guides the reader through PowerShell fundamentals with hands-on examples, and then moves on to offensive PowerShell techniques. Post-exploitation with the PowerShell Empire framework on Kali is explained and demonstrated in practical hands-on examples.

Chapter 15, Escalating Privileges, steps through Metasploit and PS Empire techniques while analyzing the core mechanisms, including duplication of tokens and named pipe impersonation. The reader will review local exploit options, a method for attacking Active Directory credentials on a domain controller, and a technique that leverages the Windows Management Instrumentation Command line (WMIC).

Chapter 16, Maintaining Access, guides the reader through a series of hands-on demonstrations of access maintenance via backdoors using tools such as Netcat. Metasploit, PS Empire, and PowerSploit persistence abilities are also discussed and demonstrated.

Chapter 17, Tips and Tricks, provides a brief discussion of virtualization on Windows to assist the reader in setting up a hacking lab, with some hints on advanced virtual network configuration.

To get the most out of this book

This book makes a few assumptions about the reader. You should have a solid understanding of networking essentials and layered interconnection concepts, such as the OSI model, and you should be self-sufficient with OS basics and troubleshooting. We won't cover getting your OS installed, and though basic installation instructions are provided for some tools, you need to be self-sufficient in troubleshooting any dependency problems you may run into in your unique environment.

This book tries to be as useful as possible even without a lab. It's a hands-on book first and foremost, but with the provided examples and coverage of concepts, you should be able to benefit from the information without your computer.

Download the example code files

You can download the example code files for this book from your account at www.packtpub.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at www.packtpub.com.
  2. Select the SUPPORT tab.
  3. Click on Code Downloads & Errata.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Hands-On-Penetration-Testing-on-Windows. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/HandsOnPenetrationTestingonWindows_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The default output is filter.ef but you can name it whatever you want."

A block of code is set as follows:

if (ip.proto == TCP) {
    if (tcp.src == 80 || tcp.dst == 80) {
        msg("HTTP traffic detected.\n");
    }
}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

if (ip.proto == TCP) {
    if (tcp.src == 80 || tcp.dst == 80) {
        msg("HTTP traffic detected.\n");
    }
}

Any command-line input or output is written as follows:

use server/capture/smb

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Right-click on a target and click Apply as Filter | Selected."

Note

Warnings or important notes appear like this.

Note

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.