Windows and Linux Penetration Testing from Scratch: Harness the power of pen testing with Kali Linux for unbeatable hard-hitting results, 2nd Edition
- Length: 510 pages
- Edition: 2
- Language: English
- Publisher: Packt Publishing
- Publication Date: 2022-08-30
- ISBN-10: 1801815127
- ISBN-13: 9781801815123
- Sales Rank: #1478898
Master the art of identifying and exploiting vulnerabilities with Metasploit, Empire, PowerShell, and Python, turning Kali Linux into your fighter cockpit
Key Features
- Map your client’s attack surface with Kali Linux
- Discover the craft of shellcode injection and managing multiple compromises in the environment
- Understand both the attacker and the defender mindset
Book Description
Let’s be honest―security testing can get repetitive. If you’re ready to break out of the routine and embrace the art of penetration testing, this book will help you to distinguish yourself to your clients.
This pen testing book is your guide to learning advanced techniques to attack Windows and Linux environments from the indispensable platform, Kali Linux. You’ll work through core network hacking concepts and advanced exploitation techniques that leverage both technical and human factors to maximize success. You’ll also explore how to leverage public resources to learn more about your target, discover potential targets, analyze them, and gain a foothold using a variety of exploitation techniques while dodging defenses like antivirus and firewalls. The book focuses on leveraging target resources, such as PowerShell, to execute powerful and difficult-to-detect attacks. Along the way, you’ll enjoy reading about how these methods work so that you walk away with the necessary knowledge to explain your findings to clients from all backgrounds. Wrapping up with post-exploitation strategies, you’ll be able to go deeper and keep your access.
By the end of this book, you’ll be well-versed in identifying vulnerabilities within your clients’ environments and providing the necessary insight for proper remediation.
What you will learn
- Get to know advanced pen testing techniques with Kali Linux
- Gain an understanding of Kali Linux tools and methods from behind the scenes
- Get to grips with the exploitation of Windows and Linux clients and servers
- Understand advanced Windows concepts and protection and bypass them with Kali and living-off-the-land methods
- Get the hang of sophisticated attack frameworks such as Metasploit and Empire
- Become adept in generating and analyzing shellcode
- Build and tweak attack scripts and modules
Who this book is for
This book is for penetration testers, information technology professionals, cybersecurity professionals and students, and individuals breaking into a pentesting role after demonstrating advanced skills in boot camps. Prior experience with Windows, Linux, and networking is necessary.
Table of Contents
Windows and Linux Penetration Testing from Scratch, Second Edition
Contributors
- About the author
- About the reviewer
Preface
- Who this book is for
- What this book covers
- To get the most out of this book
- Download the color images
- Conventions used
- Get in touch
- Share Your Thoughts
Part 1: Recon and Exploitation
Chapter 1: Open Source Intelligence
- Technical requirements
- Hiding in plain sight – OSINT and passive recon
- Walking right in – what the target intends to show the world
- Just browsing, thanks – stepping into the target’s environment
- I know a guy – services doing the probing for you
- The world of Shodan
- Shodan search filters
- Google’s dark side
- Google’s advanced operators
- The Advanced Search page
- Thinking like a dark Googler
- Diving into OSINT with Kali
- The OSINT analysis tools folder
- Transforming your perspective – Maltego
- Entities and transforms and graphs, oh my
- OSINT with Spiderfoot
- Summary
- Questions
Chapter 2: Bypassing Network Access Control
- Technical requirements
- Bypassing media access control filtering – considerations for the physical assessor
- Configuring a Kali wireless access point to bypass MAC filtering
- Design weaknesses – exploiting weak authentication mechanisms
- Capturing captive portal authentication conversations in the clear
- Layer-2 attacks against the network
- Bypassing validation checks
- Confirming the organizationally unique identifier
- Passive operating system fingerprinter
- Spoofing the HTTP user agent
- Breaking out of jail – masquerading the stack
- Following the rules spoils the fun – suppressing normal TCP replies
- Fabricating the handshake with Scapy and Python
- Summary
- Questions
- Further reading
Chapter 3: Sniffing and Spoofing
- Technical requirements
- Advanced Wireshark – going beyond simple captures
- Passive wireless analysis
- Targeting WLANs with the Aircrack-ng suite
- WLAN analysis with Wireshark
- Active network analysis with Wireshark
- Advanced Ettercap – the man-in-the-middle Swiss Army Knife
- Bridged sniffing and the malicious access point
- Ettercap filters – fine-tuning your analysis
- Getting better – scanning, sniffing, and spoofing with BetterCAP
- Summary
- Questions
- Further reading
Chapter 4: Windows Passwords on the Network
- Technical requirements
- Understanding Windows passwords
- A crash course on hash algorithms
- Password hashing methods in Windows
- If it ends with 1404EE, then it’s easy for me – understanding LM hash flaws
- Authenticating over the network – a different game altogether
- Capturing Windows passwords on the network
- A real-world pen test scenario – the chatty printer
- Configuring our SMB listener
- Authentication capture
- Hash capture with LLMNR/NetBIOS NS spoofing
- Let it rip – cracking Windows hashes
- The two philosophies of password cracking
- John the Ripper cracking with a wordlist
- John the Ripper cracking with masking
- Reviewing your progress with the show flag
- Here, kitty kitty – getting started with Hashcat
- Summary
- Questions
- Further reading
Chapter 5: Assessing Network Security
- Technical requirements
- Network probing with Nmap
- Host discovery
- Port scanning – scan types
- Port scanning – port states
- Firewall/IDS evasion, spoofing, and performance
- Service and OS detection
- Hands-on with Nmap
- Integrating Nmap with Metasploit Console
- Exploring binary injection with BetterCAP
- The magic of download hijacking
- Smuggling data – dodging firewalls with HTTPTunnel
- IPv6 for hackers
- IPv6 addressing basics
- Watch me neigh neigh – local IPv6 recon and the Neighbor Discovery Protocol
- IPv6 man-in-the-middle – attacking your neighbors
- Living in an IPv4 world – creating a local 4-to-6 proxy for your tools
- Summary
- Questions
- Further reading
Chapter 6: Cryptography and the Penetration Tester
- Technical requirements
- Flipping the bit – integrity attacks against CBC algorithms
- Block ciphers and modes of operation
- Introducing block chaining
- Setting up your bit-flipping lab
- Manipulating the IV to generate predictable results
- Flipping to root – privilege escalation via CBC bit-flipping
- Sneaking your data in – hash length extension attacks
- Setting up your hash attack lab
- Understanding SHA-1’s running state and compression function
- Data injection with the hash length extension attack
- Busting the padding oracle with PadBuster
- Interrogating the padding oracle
- Decrypting a CBC block with PadBuster
- Behind the scenes of the oracle padding attack
- Summary
- Questions
Chapter 7: Advanced Exploitation with Metasploit
- Technical requirements
- How to get it right the first time – generating payloads
- Installing Wine32 and Shellter
- Payload generation goes solo – working with msfvenom
- Creating nested payloads
- Helter skelter – evading antivirus with Shellter
- Modules – the bread and butter of Metasploit
- Building a simple Metasploit auxiliary module
- Efficiency and attack organization with Armitage
- Getting familiar with your Armitage environment
- Enumeration with Armitage
- Exploitation made ridiculously simple with Armitage
- A word about Armitage and the pen tester mentality
- Social engineering attacks with Metasploit payloads
- Creating a Trojan with Shellter
- Preparing a malicious USB drive for Trojan delivery
- Summary
- Questions
- Further reading
Part 2: Vulnerability Fundamentals
Chapter 8: Python Fundamentals
- Technical requirements
- Incorporating Python into your work
- Why Python?
- Getting cozy with Python in your Kali environment
- Introducing Vim with Python syntax awareness
- Network analysis with Python modules
- Python modules for networking
- Building a Python client
- Building a Python server
- Building a Python reverse-shell script
- Antimalware evasion in Python
- Creating Windows executables of your Python scripts
- Preparing your raw payload
- Writing your payload retrieval and delivery in Python
- Python and Scapy – a classy pair
- Revisiting ARP poisoning with Python and Scapy
- Summary
- Questions
- Further reading
Chapter 9: PowerShell Fundamentals
- Technical requirements
- Power to the shell – PowerShell fundamentals
- What is PowerShell?
- PowerShell’s cmdlets and the PowerShell scripting language
- Working with the Windows Registry
- Pipelines and loops in PowerShell
- It gets better – PowerShell’s ISE
- Post-exploitation with PowerShell
- ICMP enumeration from a pivot point with PowerShell
- PowerShell as a TCP-connect port scanner
- Delivering a Trojan to your target via PowerShell
- Encoding and decoding binaries in PowerShell
- Offensive PowerShell – introducing the Empire framework
- Installing and introducing PowerShell Empire
- Configuring listeners
- Configuring stagers
- Your inside guy – working with agents
- Configuring a module for agent tasking
- Summary
- Questions
- Further reading
Chapter 10: Shellcoding – The Stack
- Technical requirements
- An introduction to debugging
- Understanding the stack
- Understanding registers
- Assembly language basics
- Disassemblers, debuggers, and decompilers – oh my!
- Getting cozy with the Linux command-line debugger – GDB
- Stack smack – introducing buffer overflows
- Examining the stack and registers during execution
- Lilliputian concerns – understanding endianness
- Introducing shellcoding
- Hunting bytes that break shellcode
- Generating shellcode with msfvenom
- Grab your mittens, we’re going NOP sledding
- Summary
- Questions
- Further reading
Chapter 11: Shellcoding – Bypassing Protections
- Technical requirements
- DEP and ASLR – the intentional and the unavoidable
- Understanding DEP
- Understanding ASLR
- Demonstrating ASLR on Kali Linux with C
- Introducing ROP
- Borrowing chunks and returning to libc – turning the code against itself
- The basic unit of ROP – gadgets
- Getting cozy with our tools – MSFrop and ROPgadget
- Creating our vulnerable C program without disabling the protections
- No PIE for you – compiling your vulnerable executable without ASLR hardening
- Generating an ROP chain
- Getting hands-on with the return-to-PLT attack
- Extracting gadget information for building your payload
- Go, go, gadget ROP chain – bringing it together for the exploit
- Summary
- Questions
- Further reading
Chapter 12: Shellcoding – Evading Antivirus
- Technical requirements
- Living off the land with PowerShell
- Injecting Shellcode into interpreter memory
- Getting sassy – on-the-fly LSASS memory dumping with PowerShell
- Staying flexible – tweaking the scripts
- Understanding Metasploit shellcode delivery
- Encoder theory and techniques – what encoding is and isn’t
- Windows binary disassembly within Kali
- Injection with Backdoor Factory
- Time travel with your Python installation – using PyEnv
- Installing BDF
- Code injection fundamentals – fine-tuning with BDF
- Trojan engineering with BDF and IDA
- Summary
- Questions
Chapter 13: Windows Kernel Security
- Technical requirements
- Kernel fundamentals – understanding how kernel attacks work
- Kernel attack vectors
- The kernel’s role as a time cop
- It’s just a program
- Pointing out the problem – pointer issues
- Dereferencing pointers in C and assembly
- Understanding NULL pointer dereferencing
- The Win32k kernel-mode driver
- Passing an error code as a pointer to xxxSendMessage()
- Metasploit – exploring a Windows kernel exploit module
- Practical kernel attacks with Kali
- An introduction to privilege escalation
- Escalating to SYSTEM on Windows 7 with Metasploit
- Summary
- Questions
- Further reading
Chapter 14: Fuzzing Techniques
- Technical requirements
- Network fuzzing – mutation fuzzing with Taof proxying
- Configuring the Taof proxy to target the remote service
- Fuzzing by proxy – generating legitimate traffic
- Hands-on fuzzing with Kali and Python
- Picking up where Taof left off with Python – fuzzing the vulnerable FTP server
- Exploring with boofuzz
- Impress your teachers – using boofuzz grammar
- The other side – fuzzing a vulnerable FTP client
- Writing a bare-bones FTP fuzzer service in Python
- Crashing the target with the Python fuzzer
- Fuzzy registers – the low-level perspective
- Calculating the EIP offset with the Metasploit toolset
- Shellcode algebra – turning the fuzzing data into an exploit
- Summary
- Questions
- Further reading
Part 3: Post-Exploitation
Chapter 15: Going Beyond the Foothold
- Technical requirements
- Gathering goodies – enumeration with post modules
- ARP enumeration with Meterpreter
- Forensic analysis with Meterpreter – stealing deleted files
- Internet Explorer enumeration – discovering internal web resources
- Network pivoting with Metasploit
- Just a quick review of subnetting
- Launching Metasploit into the hidden network with autoroute
- Escalating your pivot – passing attacks down the line
- Using your captured goodies
- Quit stalling and Pass-the-Hash – exploiting password equivalents in Windows
- Summary
- Questions
- Further reading
Chapter 16: Escalating Privileges
- Technical requirements
- Climbing the ladder with Armitage
- Named pipes and security contexts
- Impersonating the security context of a pipe client
- Superfluous pipes and pipe creation race conditions
- Moving past the foothold with Armitage
- Armitage pivoting
- When the easy way fails – local exploits
- Kernel pool overflow and the danger of data types
- Let’s get lazy – Schlamperei privilege escalation on Windows 7
- Escalation with WMIC and PS Empire
- Quietly spawning processes with WMIC
- Creating a PowerShell Empire agent with remote WMIC
- Escalating your agent to SYSTEM via access token theft
- Dancing in the shadows – looting domain controllers with vssadmin
- Extracting the NTDS database and SYSTEM hive from a shadow copy
- Exfiltration across the network with cifs
- Password hash extraction with libesedb and ntdsxtract
- Summary
- Questions
- Further reading
Chapter 17: Maintaining Access
- Technical requirements
- Persistence with Metasploit and PowerShell Empire
- Creating a payload for the Metasploit persister
- Configuring the Metasploit persistence module and firing away
- Verifying your persistent Meterpreter backdoor
- Not to be outdone – persistence in PowerShell Empire
- Elevating the security context of our Empire agent
- Creating a WMI subscription for stealthy persistence of your agent
- Verifying agent persistence
- Hack tunnels – netcat backdoors on the fly
- Uploading and configuring persistent netcat with Meterpreter
- Remotely tweaking Windows Firewall to allow inbound netcat connections
- Verifying persistence is established
- Maintaining access with PowerSploit
- Installing the persistence module in PowerShell
- Configuring and executing Meterpreter persistence
- Lying in wait – verifying persistence
- Summary
- Questions
- Further reading
Answers
- Chapters 1 to 17
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
How to download the source code
1. Go to: https://github.com/PacktPublishing
2. In the "Find a repository…" box, search for the book title: Windows and Linux Penetration Testing from Scratch: Harness the power of pen testing with Kali Linux for unbeatable hard-hitting results, 2nd Edition. If the full title returns no results, search for the main title only.
3. Click the book title in the search results.
4. Click Code to download.