Windows and Linux Penetration Testing from Scratch: Harness the power of pen testing with Kali Linux for unbeatable hard-hitting results, 2nd Edition

Length: 510 pages
Edition: 2
Language: English
Publisher: Packt Publishing
Publication Date: 2022-08-30
ISBN-10: 1801815127
ISBN-13: 9781801815123
Sales Rank: #1478898 (See Top 100 Books)

Master the art of identifying and exploiting vulnerabilities with Metasploit, Empire, PowerShell, and Python, turning Kali Linux into your fighter cockpit

Key Features

Map your client’s attack surface with Kali Linux
Discover the craft of shellcode injection and managing multiple compromises in the environment
Understand both the attacker and the defender mindset

Book Description

Let’s be honest―security testing can get repetitive. If you’re ready to break out of the routine and embrace the art of penetration testing, this book will help you to distinguish yourself to your clients.

This pen testing book is your guide to learning advanced techniques to attack Windows and Linux environments from the indispensable platform, Kali Linux. You’ll work through core network hacking concepts and advanced exploitation techniques that leverage both technical and human factors to maximize success. You’ll also explore how to leverage public resources to learn more about your target, discover potential targets, analyze them, and gain a foothold using a variety of exploitation techniques while dodging defenses like antivirus and firewalls. The book focuses on leveraging target resources, such as PowerShell, to execute powerful and difficult-to-detect attacks. Along the way, you’ll enjoy reading about how these methods work so that you walk away with the necessary knowledge to explain your findings to clients from all backgrounds. Wrapping up with post-exploitation strategies, you’ll be able to go deeper and keep your access.

By the end of this book, you’ll be well-versed in identifying vulnerabilities within your clients’ environments and providing the necessary insight for proper remediation.

What you will learn

Get to know advanced pen testing techniques with Kali Linux
Gain an understanding of Kali Linux tools and methods from behind the scenes
Get to grips with the exploitation of Windows and Linux clients and servers
Understand advanced Windows concepts and protection and bypass them with Kali and living-off-the-land methods
Get the hang of sophisticated attack frameworks such as Metasploit and Empire
Become adept in generating and analyzing shellcode
Build and tweak attack scripts and modules

Who this book is for

This book is for penetration testers, information technology professionals, cybersecurity professionals and students, and individuals breaking into a pentesting role after demonstrating advanced skills in boot camps. Prior experience with Windows, Linux, and networking is necessary.

Windows and Linux Penetration Testing from Scratch
Second Edition
Contributors
About the author
About the reviewer
Preface
    Who this book is for
    What this book covers
    To get the most out of this book
    Download the color images
    Conventions used
    Get in touch
    Share Your Thoughts
Part 1: Recon and Exploitation
Chapter 1: Open Source Intelligence
    Technical requirements
    Hiding in plain sight – OSINT and passive recon
        Walking right in – what the target intends to show the world
        Just browsing, thanks – stepping into the target’s environment
        I know a guy – services doing the probing for you
    The world of Shodan
        Shodan search filters
    Google’s dark side
        Google’s advanced operators
        The Advanced Search page
        Thinking like a dark Googler
    Diving into OSINT with Kali
        The OSINT analysis tools folder
        Transforming your perspective – Maltego
        Entities and transforms and graphs, oh my
        OSINT with Spiderfoot
    Summary
    Questions
Chapter 2: Bypassing Network Access Control
    Technical requirements
    Bypassing media access control filtering – considerations for the physical assessor
        Configuring a Kali wireless access point to bypass MAC filtering
    Design weaknesses – exploiting weak authentication mechanisms
        Capturing captive portal authentication conversations in the clear
        Layer-2 attacks against the network
    Bypassing validation checks
        Confirming the organizationally unique identifier
        Passive operating system fingerprinter
        Spoofing the HTTP user agent
    Breaking out of jail – masquerading the stack
        Following the rules spoils the fun – suppressing normal TCP replies
        Fabricating the handshake with Scapy and Python
    Summary
    Questions
    Further reading
Chapter 3: Sniffing and Spoofing
    Technical requirements
    Advanced Wireshark – going beyond simple captures
        Passive wireless analysis
        Targeting WLANs with the Aircrack-ng suite
        WLAN analysis with Wireshark
        Active network analysis with Wireshark
    Advanced Ettercap – the man-in-the-middle Swiss Army Knife
        Bridged sniffing and the malicious access point
        Ettercap filters – fine-tuning your analysis
    Getting better – scanning, sniffing, and spoofing with BetterCAP
    Summary
    Questions
    Further reading
Chapter 4: Windows Passwords on the Network
    Technical requirements
    Understanding Windows passwords
        A crash course on hash algorithms
        Password hashing methods in Windows
        If it ends with 1404EE, then it’s easy for me – understanding LM hash flaws
        Authenticating over the network – a different game altogether
    Capturing Windows passwords on the network
        A real-world pen test scenario – the chatty printer
        Configuring our SMB listener
        Authentication capture
        Hash capture with LLMNR/NetBIOS NS spoofing
    Let it rip – cracking Windows hashes
        The two philosophies of password cracking
        John the Ripper cracking with a wordlist
        John the Ripper cracking with masking
        Reviewing your progress with the show flag
        Here, kitty kitty – getting started with Hashcat
    Summary
    Questions
    Further reading
Chapter 5: Assessing Network Security
    Technical requirements
    Network probing with Nmap
        Host discovery
        Port scanning – scan types
        Port scanning – port states
        Firewall/IDS evasion, spoofing, and performance
        Service and OS detection
        Hands-on with Nmap
        Integrating Nmap with Metasploit Console
    Exploring binary injection with BetterCAP 
        The magic of download hijacking
    Smuggling data – dodging firewalls with HTTPTunnel
    IPv6 for hackers
        IPv6 addressing basics
        Watch me neigh neigh – local IPv6 recon and the Neighbor Discovery Protocol
        IPv6 man-in-the-middle – attacking your neighbors
        Living in an IPv4 world – creating a local 4-to-6 proxy for your tools
    Summary
    Questions
    Further reading
Chapter 6: Cryptography and the Penetration Tester
    Technical requirements
    Flipping the bit – integrity attacks against CBC algorithms
        Block ciphers and modes of operation
        Introducing block chaining
        Setting up your bit-flipping lab
        Manipulating the IV to generate predictable results
        Flipping to root – privilege escalation via CBC bit-flipping
    Sneaking your data in – hash length extension attacks
        Setting up your hash attack lab
        Understanding SHA-1’s running state and compression function
        Data injection with the hash length extension attack
    Busting the padding oracle with PadBuster
        Interrogating the padding oracle
        Decrypting a CBC block with PadBuster
        Behind the scenes of the oracle padding attack
    Summary
    Questions
Chapter 7: Advanced Exploitation with Metasploit
    Technical requirements
    How to get it right the first time – generating payloads
        Installing Wine32 and Shellter
        Payload generation goes solo – working with msfvenom
        Creating nested payloads
        Helter skelter – evading antivirus with Shellter
    Modules – the bread and butter of Metasploit
        Building a simple Metasploit auxiliary module
    Efficiency and attack organization with Armitage
        Getting familiar with your Armitage environment
        Enumeration with Armitage
        Exploitation made ridiculously simple with Armitage
        A word about Armitage and the pen tester mentality
    Social engineering attacks with Metasploit payloads
        Creating a Trojan with Shellter
        Preparing a malicious USB drive for Trojan delivery
    Summary
    Questions
    Further reading
Part 2: Vulnerability Fundamentals
Chapter 8: Python Fundamentals
    Technical requirements
    Incorporating Python into your work
        Why Python?
        Getting cozy with Python in your Kali environment
        Introducing Vim with Python syntax awareness
    Network analysis with Python modules
        Python modules for networking
        Building a Python client
        Building a Python server
        Building a Python reverse-shell script
    Antimalware evasion in Python
        Creating Windows executables of your Python scripts
        Preparing your raw payload
        Writing your payload retrieval and delivery in Python
    Python and Scapy – a classy pair
        Revisiting ARP poisoning with Python and Scapy
    Summary
    Questions
    Further reading
Chapter 9: PowerShell Fundamentals
    Technical requirements
    Power to the shell – PowerShell fundamentals
        What is PowerShell?
        PowerShell’s cmdlets and the PowerShell scripting language
        Working with the Windows Registry
        Pipelines and loops in PowerShell
        It gets better – PowerShell’s ISE
    Post-exploitation with PowerShell
        ICMP enumeration from a pivot point with PowerShell
        PowerShell as a TCP-connect port scanner
        Delivering a Trojan to your target via PowerShell
    Encoding and decoding binaries in PowerShell
    Offensive PowerShell – introducing the Empire framework
        Installing and introducing PowerShell Empire
        Configuring listeners
        Configuring stagers
        Your inside guy – working with agents
        Configuring a module for agent tasking
    Summary
    Questions
    Further reading
Chapter 10: Shellcoding - The Stack
    Technical requirements
    An introduction to debugging
        Understanding the stack
        Understanding registers
        Assembly language basics
        Disassemblers, debuggers, and decompilers – oh my!
        Getting cozy with the Linux command-line debugger – GDB
    Stack smack – introducing buffer overflows
        Examining the stack and registers during execution
        Lilliputian concerns – understanding endianness 
    Introducing shellcoding
        Hunting bytes that break shellcode
        Generating shellcode with msfvenom
        Grab your mittens, we’re going NOP sledding
    Summary
    Questions
    Further reading
Chapter 11: Shellcoding – Bypassing Protections
    Technical requirements
    DEP and ASLR – the intentional and the unavoidable
        Understanding DEP
        Understanding ASLR
        Demonstrating ASLR on Kali Linux with C
    Introducing ROP
        Borrowing chunks and returning to libc – turning the code against itself
        The basic unit of ROP – gadgets
        Getting cozy with our tools – MSFrop and ROPgadget
        Creating our vulnerable C program without disabling the protections
        No PIE for you – compiling your vulnerable executable without ASLR hardening
        Generating an ROP chain
    Getting hands-on with the return-to-PLT attack
        Extracting gadget information for building your payload
        Go, go, gadget ROP chain – bringing it together for the exploit
    Summary
    Questions
    Further reading
Chapter 12: Shellcoding – Evading Antivirus
    Technical requirements
    Living off the land with PowerShell
        Injecting Shellcode into interpreter memory
        Getting sassy – on-the-fly LSASS memory dumping with PowerShell
        Staying flexible – tweaking the scripts
    Understanding Metasploit shellcode delivery
        Encoder theory and techniques – what encoding is and isn’t
        Windows binary disassembly within Kali
    Injection with Backdoor Factory
        Time travel with your Python installation – using PyEnv
        Installing BDF
        Code injection fundamentals – fine-tuning with BDF
        Trojan engineering with BDF and IDA
    Summary
    Questions
Chapter 13: Windows Kernel Security
    Technical requirements
    Kernel fundamentals – understanding how kernel attacks work
        Kernel attack vectors
        The kernel’s role as a time cop
        It’s just a program
    Pointing out the problem – pointer issues
        Dereferencing pointers in C and assembly
        Understanding NULL pointer dereferencing
        The Win32k kernel-mode driver
        Passing an error code as a pointer to xxxSendMessage()
        Metasploit – exploring a Windows kernel exploit module
    Practical kernel attacks with Kali
        An introduction to privilege escalation
        Escalating to SYSTEM on Windows 7 with Metasploit
    Summary
    Questions
    Further reading
Chapter 14: Fuzzing Techniques
    Technical requirements
    Network fuzzing – mutation fuzzing with Taof proxying
        Configuring the Taof proxy to target the remote service
        Fuzzing by proxy – generating legitimate traffic
    Hands-on fuzzing with Kali and Python
        Picking up where Taof left off with Python – fuzzing the vulnerable FTP server
        Exploring with boofuzz
        Impress your teachers – using boofuzz grammar
        The other side – fuzzing a vulnerable FTP client
        Writing a bare-bones FTP fuzzer service in Python
        Crashing the target with the Python fuzzer
    Fuzzy registers – the low-level perspective
        Calculating the EIP offset with the Metasploit toolset
        Shellcode algebra – turning the fuzzing data into an exploit
    Summary
    Questions
    Further reading
Part 3: Post-Exploitation
Chapter 15: Going Beyond the Foothold
    Technical requirements
    Gathering goodies – enumeration with post modules
        ARP enumeration with Meterpreter
        Forensic analysis with Meterpreter – stealing deleted files
        Internet Explorer enumeration – discovering internal web resources
    Network pivoting with Metasploit
        Just a quick review of subnetting
        Launching Metasploit into the hidden network with autoroute
    Escalating your pivot – passing attacks down the line
        Using your captured goodies
        Quit stalling and Pass-the-Hash – exploiting password equivalents in Windows
    Summary
    Questions
    Further reading
Chapter 16: Escalating Privileges
    Technical requirements
    Climbing the ladder with Armitage
        Named pipes and security contexts
        Impersonating the security context of a pipe client
        Superfluous pipes and pipe creation race conditions
        Moving past the foothold with Armitage
        Armitage pivoting
    When the easy way fails – local exploits
        Kernel pool overflow and the danger of data types
        Let’s get lazy – Schlamperei privilege escalation on Windows 7
    Escalation with WMIC and PS Empire
        Quietly spawning processes with WMIC
        Creating a PowerShell Empire agent with remote WMIC
        Escalating your agent to SYSTEM via access token theft
    Dancing in the shadows – looting domain controllers with vssadmin
        Extracting the NTDS database and SYSTEM hive from a shadow copy
        Exfiltration across the network with cifs
        Password hash extraction with libesedb and ntdsxtract
    Summary
    Questions
    Further reading
Chapter 17: Maintaining Access
    Technical requirements
    Persistence with Metasploit and PowerShell Empire
        Creating a payload for the Metasploit persister
        Configuring the Metasploit persistence module and firing away
        Verifying your persistent Meterpreter backdoor
        Not to be outdone – persistence in PowerShell Empire
        Elevating the security context of our Empire agent
        Creating a WMI subscription for stealthy persistence of your agent
        Verifying agent persistence
    Hack tunnels – netcat backdoors on the fly
        Uploading and configuring persistent netcat with Meterpreter
        Remotely tweaking Windows Firewall to allow inbound netcat connections
        Verifying persistence is established
    Maintaining access with PowerSploit
        Installing the persistence module in PowerShell
        Configuring and executing Meterpreter persistence
        Lying in wait – verifying persistence
    Summary
    Questions
    Further reading
Answers
    Chapter 1
    Chapter 2
    Chapter 3
    Chapter 4 
    Chapter 5
    Chapter 6
    Chapter 7
    Chapter 8
    Chapter 9
    Chapter 10
    Chapter 11
    Chapter 12
    Chapter 13
    Chapter 14
    Chapter 15
    Chapter 16
    Chapter 17
    Why subscribe?
Other Books You May Enjoy
    Packt is searching for authors like you
    Share Your Thoughts

Disaster & Recovery Hacking Linux Network Administration Network Security Networking Networking & System Administration Programming Windows Windows Administration Windows Desktop

Donate to keep this site alive

To access the Link, solve the captcha.

How to download source code?

1. Go to: https://github.com/PacktPublishing

2. In the Find a repository… box, search the book title: Windows and Linux Penetration Testing from Scratch: Harness the power of pen testing with Kali Linux for unbeatable hard-hitting results, 2nd Edition, sometime you may not get the results, please search the main title.