Table of Contents for Advanced Penetration Testing
by Wil Allsopp
Cover
Title Page
Introduction
Coming Full Circle
Advanced Persistent Threat (APT)
Next Generation Technology
“Hackers”
Forget Everything You Think You Know About Penetration Testing
How This Book Is Organized
Chapter 1: Medical Records (In)security
An Introduction to Simulating Advanced Persistent Threat
Background and Mission Briefing
Payload Delivery Part 1: Learning How to Use the VBA Macro
Command and Control Part 1: Basics and Essentials
The Attack
Summary
Exercises
Chapter 2: Stealing Research
Background and Mission Briefing
Payload Delivery Part 2: Using the Java Applet for Payload Delivery
Notes on Payload Persistence
Command and Control Part 2: Advanced Attack Management
The Attack
Summary
Exercises
Chapter 3: Twenty-First Century Heist
What Might Work?
Nothing Is Secure
Organizational Politics
APT Modeling versus Traditional Penetration Testing
Background and Mission Briefing
Command and Control Part III: Advanced Channels and Data Exfiltration
Payload Delivery Part III: Physical Media
The Attack
Summary
Exercises
Chapter 4: Pharma Karma
Background and Mission Briefing
Payload Delivery Part IV: Client-Side Exploits 1
Command and Control Part IV: Metasploit Integration
The Attack
Summary
Exercises
Chapter 5: Guns and Ammo
Background and Mission Briefing
Payload Delivery Part V: Simulating a Ransomware Attack
Command and Control Part V: Creating a Covert C2 Solution
New Strategies in Stealth and Deployment
The Attack
Summary
Exercises
Chapter 6: Criminal Intelligence
Payload Delivery Part VI: Deploying with HTA
Privilege Escalation in Microsoft Windows
Command and Control Part VI: The Creeper Box
The Attack
Summary
Exercises
Chapter 7: War Games
Background and Mission Briefing
Payload Delivery Part VII: USB Shotgun Attack
Command and Control Part VII: Advanced Autonomous Data Exfiltration
The Attack
Summary
Exercises
Chapter 8: Hack Journalists
Briefing
Advanced Concepts in Social Engineering
C2 Part VIII: Experimental Concepts in Command and Control
Payload Delivery Part VIII: Miscellaneous Rich Web Content
The Attack
Summary
Exercises
Chapter 9: Northern Exposure
Overview
Operating Systems
North Korean Public IP Space
The North Korean Telephone System
Approved Mobile Devices
The “Walled Garden”: The Kwangmyong Intranet
Audio and Video Eavesdropping
Summary
Exercises
End User License Agreement
List of Illustrations
Chapter 1: Medical Records (In)security
Figure 1.1 Pharmattix network flow
Figure 1.2 User roles
Figure 1.3 VBA exploit code imported into MS Word.
Figure 1.4 Saving for initial antivirus proving.
Figure 1.5 This demonstrates an unacceptably high AV hit rate.
Figure 1.6 Additional information.
Figure 1.7 A stealthy payload indeed.
Figure 1.8 No, Qihoo-360 is not the Holy Grail of AV.
Figure 1.9 Blank document carrying macro payload.
Figure 1.10 A little more convincing.
Figure 1.11 Initial basic Command and Control infrastructure.
Figure 1.12 The completed attack with complete access to the medical records.
Chapter 2: Stealing Research
Figure 2.1 Permit all local Java code to run in the browser.
Figure 2.2 Java applet running in the browser.
Figure 2.3 The upgraded framework handles multiple hosts and operating systems.
Chapter 3: Twenty-First Century Heist
Figure 3.1 The beauty of this setup is that if your C2 is disrupted by security operations, you can point your DNS at another server.
Figure 3.2 A basic intrusion monitoring setup.
Figure 3.3 Mmmmmm. Stealthy.
Chapter 4: Pharma Karma
Figure 4.1 This image from cvedetails shows 56 code execution vulnerabilities in Flash in 2016 alone.
Figure 4.2 The number one issue on this AlienVault SOC alarm screen is vulnerable software, with that software being Flash.
Figure 4.3 This is clearly a large network that lacks a cohesive overall vulnerability management strategy.
Figure 4.4 Script output shows plugin data.
Figure 4.5 A LinkedIn invite comes as an HTML email message.
Figure 4.6 This is a remote command execution bug with reliable exploit code in the wild.
Figure 4.7 Metasploit does an excellent job at obfuscating the CVE-2015-5012 attack.
Figure 4.8 A simple XOR function can easily defeat antivirus technology.
Figure 4.9 The Meterpreter session is tunneled over SSH and looks innocent to network IDS.
Figure 4.10 Notepad cannot write to the C drive. It's a fair bet most desktop software programs have the same restrictions.
Figure 4.11 Armitage displays a list of plugins and their owners.
Figure 4.12 Process migration is a one-click process. Here we have migrated into lsass.exe.
Figure 4.13 In this example test.txt is uploaded from the attacker workstation.
Figure 4.14 Exploiting a vulnerability in the ScriptHost to escalate to the system.
Figure 4.15 Armitage makes a lot of tedious tasks a one-click affair.
Chapter 5: Guns and Ammo
Figure 5.1 Defense Distributed Ghost Gunner, an open source CNC machine designed to manufacture AR-15 lower receivers restricted under federal law.
Figure 5.2 The Soviet AT-4 (right) was a copy of the French MILAN system (left).
Figure 5.3 Encryption process flow.
Figure 5.4 Decryption process flow.
Figure 5.5 Simplified covert C2 topology.
Figure 5.6 Veil-Evasion landing screen.
Figure 5.7 Veil with options set.
Figure 5.8 Veil can now generate a compiled Python executable from the raw shellcode.
Figure 5.9 The compiled executable is ready for use.
Figure 5.10 Once again, it's ready to use.
Figure 5.11 A Save As dialog box shows the file types Solid Edge works with.
Figure 5.12 Solid Edge application directory.
Figure 5.13 The victim will still have to Enable Content but that's a social engineering issue.
Figure 5.14 Lower receiver schematic in Solid Edge 3D.
Chapter 6: Criminal Intelligence
Figure 6.1 Not the most inviting message.
Figure 6.2 A basic HTML application.
Figure 6.3 That's a little bit better, but let's select something that fits the attack.
Figure 6.4 The inevitable VirusTotal example.
Figure 6.5 User Account Control dialog box. This can look however you want.
Figure 6.6 The XLS data contains bulletin names, severity, component KB, and so on.
Figure 6.7 Dependency Walker showing full DLL paths.
Figure 6.8 The Raspberry Pi 3B in all its glory.
Figure 6.9 A Raspberry Pi with a PoE HAT (Hardware Attached on Top).
Figure 6.10 Step one: connect with 3G.
Figure 6.11 Step two: select a USB device.
Figure 6.12 Step three: HUAWEI mobile.
Figure 6.13 Step four: interface #0.
Figure 6.14 Step five: business subscription.
Figure 6.15 Step six: you're good to go.
Figure 6.16 The KeyGrabber is an example of a WiFi-capable keylogger.
Figure 6.17 Caller ID can be easily spoofed.
Figure 6.18 Spoofing SMS messages likewise.
Figure 6.19 Keep these things simple but use whatever templates you have at hand.
Chapter 7: War Games
Figure 7.1 Compartmented U.S. secure communications center.
Figure 7.2 Not even the greenest jarhead is going to fall for this.
Figure 7.3 This creates the pretext.
Chapter 8: Hack Journalists
Figure 8.1 Initial beacon designated as Master node.
Figure 8.2 C2 uses Master for outbound connectivity.
Figure 8.3 A timeout on the Master node signals it is likely no longer functional or the host is switched off.
Figure 8.4 C2 Server nominates new Master node.
Figure 8.5 Agents nominate their own Master.
Figure 8.6 The Master functions as a gateway for other nodes as before.
Figure 8.7 Further elections are held as necessary.
Figure 8.8 The SDKPluginEntrypoint.cpp file.
Figure 8.9 Xcode build menu.
Figure 8.10 C2 agent extension payload.
Figure 8.11 Pre-flight packaging in InDesign.
Chapter 9: Northern Exposure
Figure 9.1 Red Star Desktop.
Figure 9.2 Getting a shell.
Figure 9.3 A shell.
Figure 9.4 Quicker and easier to work in English.
Figure 9.5 Red Star Linux in English.
Figure 9.6 Run rootsetting.
Figure 9.7 Enter the credentials you created for your user.
Figure 9.8 Now we have root access.
Figure 9.9 Disable Discretionary Access Control.
Figure 9.10 Disable monitoring processes.
Figure 9.11 Red Star Linux Install Screen.
Figure 9.12 Choose Desktop Manager.
Figure 9.13 Once again, better to work in English.
Figure 9.14 Insecure Squid Proxy.
Figure 9.15 Webmin Interface.
Figure 9.16 Toneloc output.
Figure 9.17 WarVOX Configuration.
Figure 9.18 Add targets to WarVOX.
Figure 9.19 Old School!
Figure 9.20 Yecon Tablet Device Information.
List of Tables
Chapter 5: Guns and Ammo
Table 5.1 The libgcrypt library contains all the crypto functions you will ever need.