Book Image

Windows and Linux Penetration Testing from Scratch - Second Edition

By : Phil Bramwell

Book Image

Windows and Linux Penetration Testing from Scratch - Second Edition

By: Phil Bramwell

Overview of this book

Let’s be honest—security testing can get repetitive. If you’re ready to break out of the routine and embrace the art of penetration testing, this book will help you to distinguish yourself to your clients. This pen testing book is your guide to learning advanced techniques to attack Windows and Linux environments from the indispensable platform, Kali Linux. You'll work through core network hacking concepts and advanced exploitation techniques that leverage both technical and human factors to maximize success. You’ll also explore how to leverage public resources to learn more about your target, discover potential targets, analyze them, and gain a foothold using a variety of exploitation techniques while dodging defenses like antivirus and firewalls. The book focuses on leveraging target resources, such as PowerShell, to execute powerful and difficult-to-detect attacks. Along the way, you’ll enjoy reading about how these methods work so that you walk away with the necessary knowledge to explain your findings to clients from all backgrounds. Wrapping up with post-exploitation strategies, you’ll be able to go deeper and keep your access. By the end of this book, you'll be well-versed in identifying vulnerabilities within your clients’ environments and providing the necessary insight for proper remediation.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Share Your Thoughts

Part 1: Recon and Exploitation

Part 1: Recon and Exploitation

Free Chapter

Chapter 1: Open Source Intelligence

Chapter 1: Open Source Intelligence

Technical requirements

Hiding in plain sight – OSINT and passive recon

The world of Shodan

Google’s dark side

Diving into OSINT with Kali

Chapter 2: Bypassing Network Access Control

Chapter 2: Bypassing Network Access Control

Technical requirements

Bypassing media access control filtering – considerations for the physical assessor

Design weaknesses – exploiting weak authentication mechanisms

Bypassing validation checks

Breaking out of jail – masquerading the stack

Further reading

Chapter 3: Sniffing and Spoofing

Chapter 3: Sniffing and Spoofing

Technical requirements

Advanced Wireshark – going beyond simple captures

Advanced Ettercap – the man-in-the-middle Swiss Army Knife

Getting better – scanning, sniffing, and spoofing with BetterCAP

Further reading

Chapter 4: Windows Passwords on the Network

Chapter 4: Windows Passwords on the Network

Technical requirements

Understanding Windows passwords

Capturing Windows passwords on the network

Let it rip – cracking Windows hashes

Further reading

Chapter 5: Assessing Network Security

Chapter 5: Assessing Network Security

Technical requirements

Network probing with Nmap

Exploring binary injection with BetterCAP

Smuggling data – dodging firewalls with HTTPTunnel

IPv6 for hackers

Further reading

Chapter 6: Cryptography and the Penetration Tester

Chapter 6: Cryptography and the Penetration Tester

Technical requirements

Flipping the bit – integrity attacks against CBC algorithms

Sneaking your data in – hash length extension attacks

Busting the padding oracle with PadBuster

Chapter 7: Advanced Exploitation with Metasploit

Chapter 7: Advanced Exploitation with Metasploit

Technical requirements

How to get it right the first time – generating payloads

Modules – the bread and butter of Metasploit

Efficiency and attack organization with Armitage

Social engineering attacks with Metasploit payloads

Further reading

Part 2: Vulnerability Fundamentals

Part 2: Vulnerability Fundamentals

Chapter 8: Python Fundamentals

Chapter 8: Python Fundamentals

Technical requirements

Incorporating Python into your work

Network analysis with Python modules

Antimalware evasion in Python

Python and Scapy – a classy pair

Further reading

Chapter 9: PowerShell Fundamentals

Chapter 9: PowerShell Fundamentals

Technical requirements

Power to the shell – PowerShell fundamentals

Post-exploitation with PowerShell

Encoding and decoding binaries in PowerShell

Offensive PowerShell – introducing the Empire framework

Further reading

Chapter 10: Shellcoding - The Stack

Chapter 10: Shellcoding - The Stack

Technical requirements

An introduction to debugging

Stack smack – introducing buffer overflows

Introducing shellcoding

Further reading

Chapter 11: Shellcoding – Bypassing Protections

Chapter 11: Shellcoding – Bypassing Protections

Technical requirements

DEP and ASLR – the intentional and the unavoidable

Introducing ROP

Getting hands-on with the return-to-PLT attack

Further reading

Chapter 12: Shellcoding – Evading Antivirus

Chapter 12: Shellcoding – Evading Antivirus

Technical requirements

Living off the land with PowerShell

Understanding Metasploit shellcode delivery

Injection with Backdoor Factory

Chapter 13: Windows Kernel Security

Chapter 13: Windows Kernel Security

Technical requirements

Kernel fundamentals – understanding how kernel attacks work

Pointing out the problem – pointer issues

Practical kernel attacks with Kali

Further reading

Chapter 14: Fuzzing Techniques

Chapter 14: Fuzzing Techniques

Technical requirements

Network fuzzing – mutation fuzzing with Taof proxying

Hands-on fuzzing with Kali and Python

Fuzzy registers – the low-level perspective

Further reading

Part 3: Post-Exploitation

Part 3: Post-Exploitation

Chapter 15: Going Beyond the Foothold

Chapter 15: Going Beyond the Foothold

Technical requirements

Gathering goodies – enumeration with post modules

Network pivoting with Metasploit

Escalating your pivot – passing attacks down the line

Further reading

Chapter 16: Escalating Privileges

Chapter 16: Escalating Privileges

Technical requirements

Climbing the ladder with Armitage

When the easy way fails – local exploits

Escalation with WMIC and PS Empire

Dancing in the shadows – looting domain controllers with vssadmin

Further reading

Chapter 17: Maintaining Access

Chapter 17: Maintaining Access

Technical requirements

Persistence with Metasploit and PowerShell Empire

Hack tunnels – netcat backdoors on the fly

Maintaining access with PowerSploit

Further reading

Answers

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Questions

Answer the following questions to test your knowledge of this chapter.

A null input to a hash function produces a null output. True or false?
The ____ effect refers to the cryptographic property where a small change to the input value causes a radical change in the output value.
What two design flaws would cause a 14-character password stored as an LM hash to be significantly easier to crack?
Why do we need to define the server challenge when capturing Net-NTLMv1?
What is the predecessor to LLMNR?
Dictionary rulesets decrease the search space, whereas masks increase the brute-force search space. True or false?
What mask would you use to find a five-character password that starts with two digits, then has a symbol, and the remaining two characters are uppercase or lowercase letters after Q (inclusive) in the alphabet?
Jack the Ripper is the most popular password cracker. True or false?