
The Art of Network Penetration Testing is a guide to simulating an internal security breach. You’ll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network. As you brute-force passwords, exploit unpatched services, and escalate network-level privileges, you’ll learn where the weaknesses are and how to take advantage of them.

Table of Contents

  1. The Art of Network Penetration Testing
  2. Copyright
  3. contents
  4. front matter
    1. preface
    2. acknowledgments
    3. about this book
    4. Who should read this book
    5. How this book is organized: A roadmap
    6. About the code
    7. liveBook discussion forum
    8. about the author
    9. about the cover illustration
  5. 1 Network penetration testing
    1. 1.1 Corporate data breaches
    2. 1.2 How hackers break in
    3. 1.2.1 The defender role
    4. 1.2.2 The attacker role
    5. 1.3 Adversarial attack simulation: Penetration testing
    6. 1.3.1 Typical INPT workflow
    7. 1.4 When a penetration test is least effective
    8. 1.4.1 Low-hanging fruit
    9. 1.4.2 When does a company really need a penetration test?
    10. 1.5 Executing a network penetration test
    11. 1.5.1 Phase 1: Information gathering
    12. 1.5.2 Phase 2: Focused penetration
    13. 1.5.3 Phase 3: Post-exploitation and privilege escalation
    14. 1.5.4 Phase 4: Documentation
    15. 1.6 Setting up your lab environment
    16. 1.6.1 The Capsulecorp Pentest project
    17. 1.7 Building your own virtual pentest platform
    18. 1.7.1 Begin with Linux
    19. 1.7.2 The Ubuntu project
    20. 1.7.3 Why not use a pentest distribution?
    21. Summary
  6. Phase 1. Information gathering
  7. 2 Discovering network hosts
    1. 2.1 Understanding your engagement scope
    2. 2.1.1 Black-box, white-box, and grey-box scoping
    3. 2.1.2 Capsulecorp
    4. 2.1.3 Setting up the Capsulecorp Pentest environment
    5. 2.2 Internet Control Message Protocol
    6. 2.2.1 Using the ping command
    7. 2.2.2 Using bash to pingsweep a network range
    8. 2.2.3 Limitations of using the ping command
    9. 2.3 Discovering hosts with Nmap
    10. 2.3.1 Primary output formats
    11. 2.3.2 Using remote management interface ports
    12. 2.3.3 Increasing Nmap scan performance
    13. 2.4 Additional host-discovery methods
    14. 2.4.1 DNS brute-forcing
    15. 2.4.2 Packet capture and analysis
    16. 2.4.3 Hunting for subnets
    17. Summary
  8. 3 Discovering network services
    1. 3.1 Network services from an attacker’s perspective
    2. 3.1.1 Understanding network service communication
    3. 3.1.2 Identifying listening network services
    4. 3.1.3 Network service banners
    5. 3.2 Port scanning with Nmap
    6. 3.2.1 Commonly used ports
    7. 3.2.2 Scanning all 65,536 TCP ports
    8. 3.2.3 Sorting through NSE script output
    9. 3.3 Parsing XML output with Ruby
    10. 3.3.1 Creating protocol-specific target lists
    11. Summary
  9. 4 Discovering network vulnerabilities
    1. 4.1 Understanding vulnerability discovery
    2. 4.1.1 Following the path of least resistance
    3. 4.2 Discovering patching vulnerabilities
    4. 4.2.1 Scanning for MS17-010 Eternal Blue
    5. 4.3 Discovering authentication vulnerabilities
    6. 4.3.1 Creating a client-specific password list
    7. 4.3.2 Brute-forcing local Windows account passwords
    8. 4.3.3 Brute-forcing MSSQL and MySQL database passwords
    9. 4.3.4 Brute-forcing VNC passwords
    10. 4.4 Discovering configuration vulnerabilities
    11. 4.4.1 Setting up Webshot
    12. 4.4.2 Analyzing output from Webshot
    13. 4.4.3 Manually guessing web server passwords
    14. 4.4.4 Preparing for focused penetration
    15. Summary
  10. Phase 2. Focused penetration
  11. 5 Attacking vulnerable web services
    1. 5.1 Understanding phase 2: Focused penetration
    2. 5.1.1 Deploying backdoor web shells
    3. 5.1.2 Accessing remote management services
    4. 5.1.3 Exploiting missing software patches
    5. 5.2 Gaining an initial foothold
    6. 5.3 Compromising a vulnerable Tomcat server
    7. 5.3.1 Creating a malicious WAR file
    8. 5.3.2 Deploying the WAR file
    9. 5.3.3 Accessing the web shell from a browser
    10. 5.4 Interactive vs. non-interactive shells
    11. 5.5 Upgrading to an interactive shell
    12. 5.5.1 Backing up sethc.exe
    13. 5.5.2 Modifying file ACLs with cacls.exe
    14. 5.5.3 Launching Sticky Keys via RDP
    15. 5.6 Compromising a vulnerable Jenkins server
    16. 5.6.1 Groovy script console execution
    17. Summary
  12. 6 Attacking vulnerable database services
    1. 6.1 Compromising Microsoft SQL Server
    2. 6.1.1 MSSQL stored procedures
    3. 6.1.2 Enumerating MSSQL servers with Metasploit
    4. 6.1.3 Enabling xp_cmdshell
    5. 6.1.4 Running OS commands with xp_cmdshell
    6. 6.2 Stealing Windows account password hashes
    7. 6.2.1 Copying registry hives with reg.exe
    8. 6.2.2 Downloading registry hive copies
    9. 6.3 Extracting password hashes with creddump
    10. 6.3.1 Understanding pwdump’s output
    11. Summary
  13. 7 Attacking unpatched services
    1. 7.1 Understanding software exploits
    2. 7.2 Understanding the typical exploit life cycle
    3. 7.3 Compromising MS17-010 with Metasploit
    4. 7.3.1 Verifying that the patch is missing
    5. 7.3.2 Using the ms17_010_psexec exploit module
    6. 7.4 The Meterpreter shell payload
    7. 7.4.1 Useful Meterpreter commands
    8. 7.5 Cautions about the public exploit database
    9. 7.5.1 Generating custom shellcode
    10. Summary
  14. Phase 3. Post-exploitation and privilege escalation
  15. 8 Windows post-exploitation
    1. 8.1 Fundamental post-exploitation objectives
    2. 8.1.1 Maintaining reliable re-entry
    3. 8.1.2 Harvesting credentials
    4. 8.1.3 Moving laterally
    5. 8.2 Maintaining reliable re-entry with Meterpreter
    6. 8.2.1 Installing a Meterpreter autorun backdoor executable
    7. 8.3 Harvesting credentials with Mimikatz
    8. 8.3.1 Using the Meterpreter extension
    9. 8.4 Harvesting domain cached credentials
    10. 8.4.1 Using the Meterpreter post module
    11. 8.4.2 Cracking cached credentials with John the Ripper
    12. 8.4.3 Using a dictionary file with John the Ripper
    13. 8.5 Harvesting credentials from the filesystem
    14. 8.5.1 Locating files with findstr and where
    15. 8.6 Moving laterally with Pass-the-Hash
    16. 8.6.1 Using the Metasploit smb_login module
    17. 8.6.2 Passing-the-hash with CrackMapExec
    18. Summary
  16. 9 Linux or UNIX post-exploitation
    1. 9.1 Maintaining reliable re-entry with cron jobs
    2. 9.1.1 Creating an SSH key pair
    3. 9.1.2 Enabling pubkey authentication
    4. 9.1.3 Tunneling through SSH
    5. 9.1.4 Automating an SSH tunnel with cron
    6. 9.2 Harvesting credentials
    7. 9.2.1 Harvesting credentials from bash history
    8. 9.2.2 Harvesting password hashes
    9. 9.3 Escalating privileges with SUID binaries
    10. 9.3.1 Locating SUID binaries with the find command
    11. 9.3.2 Inserting a new user into /etc/passwd
    12. 9.4 Passing around SSH keys
    13. 9.4.1 Stealing keys from a compromised host
    14. 9.4.2 Scanning multiple targets with Metasploit
    15. Summary
  17. 10 Controlling the entire network
    1. 10.1 Identifying domain admin user accounts
    2. 10.1.1 Using net to query Active Directory groups
    3. 10.1.2 Locating logged-in domain admin users
    4. 10.2 Obtaining domain admin privileges
    5. 10.2.1 Impersonating logged-in users with Incognito
    6. 10.2.2 Harvesting clear-text credentials with Mimikatz
    7. 10.3 ntds.dit and the keys to the kingdom
    8. 10.3.1 Bypassing restrictions with VSC
    9. 10.3.2 Extracting all the hashes with secretsdump.py
    10. Summary
  18. Phase 4. Documentation
  19. 11 Post-engagement cleanup
    1. 11.1 Killing active shell connections
    2. 11.2 Deactivating local user accounts
    3. 11.2.1 Removing entries from /etc/passwd
    4. 11.3 Removing leftover files from the filesystem
    5. 11.3.1 Removing Windows registry hive copies
    6. 11.3.2 Removing SSH key pairs
    7. 11.3.3 Removing ntds.dit copies
    8. 11.4 Reversing configuration changes
    9. 11.4.1 Disabling MSSQL stored procedures
    10. 11.4.2 Disabling anonymous file shares
    11. 11.4.3 Removing crontab entries
    12. 11.5 Closing backdoors
    13. 11.5.1 Undeploying WAR files from Apache Tomcat
    14. 11.5.2 Closing the Sticky Keys backdoor
    15. 11.5.3 Uninstalling persistent Meterpreter callbacks
    16. Summary
  20. 12 Writing a solid pentest deliverable
    1. 12.1 Eight components of a solid pentest deliverable
    2. 12.2 Executive summary
    3. 12.3 Engagement methodology
    4. 12.4 Attack narrative
    5. 12.5 Technical observations
    6. 12.5.1 Finding recommendations
    7. 12.6 Appendices
    8. 12.6.1 Severity definitions
    9. 12.6.2 Hosts and services
    10. 12.6.3 Tools list
    11. 12.6.4 Additional references
    12. 12.7 Wrapping it up
    13. 12.8 What now?
    14. Summary
  21. appendix A. Building a virtual pentest platform
    1. A.1 Creating an Ubuntu virtual machine
    2. A.2 Additional OS dependencies
    3. A.2.1 Managing Ubuntu packages with apt
    4. A.2.2 Installing CrackMapExec
    5. A.2.3 Customizing your terminal look and feel
    6. A.3 Installing Nmap
    7. A.3.1 NSE: The Nmap scripting engine
    8. A.3.2 Operating system dependencies
    9. A.3.3 Compiling and installing from source
    10. A.3.4 Exploring the documentation
    11. A.4 The Ruby scripting language
    12. A.4.1 Installing Ruby Version Manager
    13. A.4.2 Writing an obligatory Hello World example
    14. A.5 The Metasploit framework
    15. A.5.1 Operating system dependencies
    16. A.5.2 Necessary Ruby gems
    17. A.5.3 Setting up PostgreSQL for Metasploit
    18. A.5.4 Navigating the msfconsole
  22. appendix B. Essential Linux commands
    1. B.1 CLI commands
    2. B.1.1 $ cat
    3. B.1.2 $ cut
    4. B.1.3 $ grep
    5. B.1.4 $ sort and wc
    6. B.2 tmux
    7. B.2.1 Using tmux commands
    8. B.2.2 Saving a tmux session
  23. appendix C. Creating the Capsulecorp Pentest lab network
    1. C.1 Hardware and software requirements
    2. C.2 Creating the primary Windows servers
    3. C.2.1 Goku.capsulecorp.local
    4. C.2.2 Gohan.capsulecorp.local
    5. C.2.3 Vegeta.capsulecorp.local
    6. C.2.4 Trunks.capsulecorp.local
    7. C.2.5 Nappa.capsulecorp.local and tien.capsulecorp.local
    8. C.2.6 Yamcha.capsulecorp.local and Krillin.capsulecorp.local
    9. C.3 Creating the Linux servers
  24. appendix D. Capsulecorp internal network penetration test report
    1. Executive summary
    2. Engagement scope
    3. Summary of observations
    4. Engagement methodology
    5. Information gathering
    6. Focused penetration
    7. Post-exploitation and privilege escalation
    8. Documentation and cleanup
    9. Attack narrative
    10. Technical observations
    11. Appendix 1: Severity definitions
    12. Critical
    13. High
    14. Medium
    15. Low
    16. Appendix 2: Hosts and services
    17. Appendix 3: Tools list
    18. Appendix 4: Additional references
  25. appendix E. Exercise answers
    1. Exercise 2.1: Identifying your engagement targets
    2. Exercise 3.1: Creating protocol-specific target lists
    3. Exercise 4.1: Identifying missing patches
    4. Exercise 4.2: Creating a client-specific password list
    5. Exercise 4.3: Discovering weak passwords
    6. Exercise 5.1: Deploying a malicious WAR file
    7. Exercise 6.1: Stealing SYSTEM and SAM registry hives
    8. Exercise 7.1: Compromising tien.capsulecorp.local
    9. Exercise 8.1: Accessing your first level-two host
    10. Exercise 10.1: Stealing passwords from ntds.dit
    11. Exercise 11.1: Performing post-engagement cleanup
  26. index