Table of Contents

Advanced Penetration Testing for Highly-Secured Environments Second Edition

Credits

About the Authors

About the Reviewer

www.PacktPub.com

eBooks, discount offers, and more

Why subscribe?

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the color images of this book

Errata

Piracy

Questions

1. Penetration Testing Essentials

Methodology defined

Example methodologies

Penetration testing framework

Penetration Testing Execution Standard

Pre-engagement interactions

Intelligence gathering

Threat modeling

Vulnerability analysis

Exploitation

Post-exploitation

Reporting

Abstract methodology

Final thoughts

Summary

2. Preparing a Test Environment

Introducing VMware Workstation

Why VMware Workstation?

Installing VMware Workstation

Network design

VMnet0

VMnet1

VMnet8

Folders

Understanding the default architecture

Installing Kali Linux

Creating the switches

Putting it all together

Installing Ubuntu LTS

Installing Kioptrix

Creating pfSense VM

Summary

3. Assessment Planning

Introducing advanced penetration testing

Vulnerability assessments

Penetration testing

Advanced penetration testing

Before testing begins

Determining scope

Setting limits – nothing lasts forever

Rules of Engagement documentation

Planning for action

Configuring Kali

Updating the applications and operating system

Installing LibreOffice

Effectively managing your test results

Introduction to MagicTree

Starting MagicTree

Adding nodes

Data collection

Report generation

Introduction to the Dradis framework

Exporting a project template

Importing a project template

Preparing sample data for import

Importing your Nmap data

Exporting data into HTML

Dradis Category field

Changing the default HTML template

Summary

4. Intelligence Gathering

Introducing reconnaissance

Reconnaissance workflow

DNS recon

nslookup – it's there when you need it

Default output

Changing nameservers

Creating an automation script

What did we learn?

Domain information groper

Default output

Zone transfers using Dig

Advanced features of Dig

Shortening the output

Listing the bind version

Reverse DNS lookup using Dig

Multiple commands

Tracing the path

Batching with dig

DNS brute-forcing with fierce

Default command usage

Creating a custom word list

Gathering and validating domain and IP information

Gathering information with Whois

Specifying which registrar to use

Where in the world is this IP?

Defensive measures

Using search engines to do your job for you

Shodan

Filters

Understanding banners

HTTP banners

Finding specific assets

Finding people (and their documents) on the web

Google hacking database

Google filters

Searching the Internet for clues

Creating network baselines with scanPBNJ

Metadata collection

Extracting metadata from photos using exiftool

Summary

5. Network Service Attacks

Configuring and testing our lab clients

Kali – manual ifconfig

Ubuntu – manual ifconfig

Verifying connectivity

Maintaining IP settings after reboot

Angry IP Scanner

Nmap – getting to know you

Commonly seen Nmap scan types and options

Basic scans – warming up

Other Nmap techniques

Remaining stealthy

Taking your time

Trying different scan types

SYN scan

Null scan

ACK scan

Conclusion

Shifting blame – the zombies did it!

IDS rules and how to avoid them

Using decoys

Adding custom Nmap scripts to your arsenal

Deciding if a script is right for you

Adding a new script to the database

Zenmap – for those who want the GUI

SNMP – a goldmine of information just waiting to be discovered

When the SNMP community string is NOT public

Network baselines with scanPBNJ

Setting up MySQL for PBNJ

Preparing the PBNJ database

First scan

Reviewing the data

Enumeration avoidance techniques

Naming conventions

Port knocking

Intrusion detection and avoidance systems

Trigger points

SNMP lockdown

Reader challenge

Summary

6. Exploitation

Exploitation – why bother?

Manual exploitation

Enumerating services

Quick scans with unicornscan

Full scanning with Nmap

Banner grabbing with Netcat and Ncat

Banner grabbing with Netcat

Banner grabbing with Ncat

Banner grabbing with smbclient

Searching Exploit-DB

Exploit-DB at hand

Compiling the code

Compiling proof-of-concept code

Troubleshooting the code

What are all of these ^M characters and why won't they go away?

Broken strings – the reunion

Running the exploit

Getting files to and from victim machines

Starting a TFTP server on Kali

Installing and configuring pure-ftpd

Starting pure-ftpd

Passwords – something you know…

Cracking the hash

Brute-forcing passwords

Metasploit – learn it and love it

Databases and Metasploit

Performing an nmap scan from within Metasploit

Using auxiliary modules

Using Metasploit to exploit Kioptrix

Reader challenge

Summary

7. Web Application Attacks

Practice makes perfect

Creating a KioptrixVM Level 3 clone

Installing and configuring Mutillidae on the Ubuntu virtual machine

Configuring pfSense

Configuring the pfSense DHCP server

Starting the virtual lab

pfSense DHCP – Permanent reservations

Installing HAProxy for load balancing

Adding Kioptrix3.com to the host file

Detecting load balancers

Quick reality check – Load Balance Detector

So, what are we looking for anyhow?

Detecting web application firewalls (WAF)

Taking on Level 3 – Kioptrix

Web Application Attack and Audit framework (w3af)

Using w3af GUI to save configuration time

Using a second tool for comparisons

Scanning using the w3af console

Using WebScarab as an HTTP proxy

Introduction to browser plugin HackBar

Reader challenge

Summary

8. Exploitation Concepts

Buffer overflows – a refresher

Memory basics

Cing is believing – Create a vulnerable program

Turning ASLR on and off in Kali

Understanding the basics of buffer overflows

64-bit exploitation

Introducing vulnserver

Fuzzing tools included in Kali

Bruteforce Exploit Detector (BED)

sfuzz – Simple fuzzer

Social Engineering Toolkit

Fast-Track

Reader challenge

Summary

9. Post-Exploitation

Rules of Engagement

What is permitted?

Can you modify anything and everything?

Are you allowed to add persistence?

How is the data that is collected and stored handled by you and your team?

Employee data and personal information

Data gathering, network analysis, and pillaging

Linux

Important directories and files

Important commands

Putting this information to use

Enumeration

Exploitation

We are connected, now what?

Which tools are available on the remote system?

Finding network information

Determine connections

Checking installed packages

Package repositories

Programs and services that run at startup

Searching for information

History files and logs

Configurations, settings, and other files

Users and credentials

Moving the files

Microsoft Windows™ post-exploitation

Important directories and files

Using Armitage for post-exploitation

Enumeration

Exploitation

We are connected, now what?

Networking details

Finding installed software and tools

Pivoting

Reader challenge

Summary

10. Stealth Techniques

Lab preparation

Kali guest machine

Ubuntu guest machine

The pfSense guest machine configuration

The pfSense network setup

WAN IP configuration

LAN IP configuration

Firewall configuration

Stealth scanning through the firewall

Finding the ports

Traceroute to find out if there is a firewall

Finding out if the firewall is blocking certain ports

Hping3

Nmap firewalk script

Now you see me, now you don't – avoiding IDS

Canonicalization

Timing is everything

Blending in

PfSense SSH logs

Looking at traffic patterns

Cleaning up compromised hosts

Using a checklist

When to clean up

Local log files

Miscellaneous evasion techniques

Divide and conquer

Hiding out (on controlled units)

File Integrity Monitoring (FIM)

Using common network management tools to do the deed

Reader challenge

Summary

11. Data Gathering and Reporting

Record now – sort later

Old school – the text editor method

Nano

VIM –the power user's text editor of choice

Gedit – Gnome text editor

Dradis framework for collaboration

Binding to an available interface other than 127.0.0.1

The report

Reader challenge

Summary

12. Penetration Testing Challenge

Firewall lab setup

Installing additional packages in pfSense

The scenario

The virtual lab setup

AspenMLC Research Labs' virtual network

Additional system modifications

Ubuntu 8.10 server modifications

The challenge

The walkthrough

Defining the scope

Determining the why

So what is the why of this particular test?

Developing the Rules of Engagement document

Initial plan of attack

Enumeration and exploitation

Reporting

Summary

Index

Advanced Penetration Testing for Highly-Secured Environments Second Edition

Advanced Penetration Testing for Highly-Secured Environments Second Edition

Copyright © 2016 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: May 2012

Second edition: March 2016

Production reference: 1210316

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-78439-581-0

www.packtpub.com

Credits

Authors

Lee Allen

Kevin Cardwell

Reviewer

S Boominathan

Commissioning Editor

Kartikey Pandey

Acquisition Editor

Subho Gupta

Content Development Editor

Mayur Pawanikar

Technical Editor

Murtaza Tinwala

Copy Editor

Charlotte Carneiro

Project Coordinator

Nidhi Joshi

Proofreader

Safis Editing

Indexer

Rekha Nair

Graphics

Jason Monteiro

Production Coordinator

Aparna Bhagat

Cover Work

Aparna Bhagat

About the Authors

Lee Allen is currently the vulnerability management program lead for one of the Fortune 500. Among many other responsibilities, he performs security assessments and penetration testing.

Lee is very passionate and driven about the subject of penetration testing and security research. His journey into the exciting world of security began back in the 80s, while visiting BBSs with his trusty Commodore 64 and a room carpeted with 5 ¼-inch floppy disks. Over the years, he has continued his attempts at remaining up to date with the latest and greatest in the security industry and the community. He has several industry certifications, including OSWP, and has been working in the IT industry for over 15 years. His hobbies include validating and reviewing proof-of-concept exploit code, programming, security research, attending security conferences, discussing technology, writing, and skiing.

He lives in Ohio with his wife, Kellie, and their 6 children, Heather, Kristina, Natalie, Mason, Alyssa, and Seth.

Kevin Cardwell currently works as a freelance consultant and provides consulting services for companies throughout the world, and as an advisor to numerous government entities in the USA, Middle East, Africa, Asia and the UK. He is an instructor, technical editor, and author for computer forensics and hacking courses. He is the author of the Center for Advanced Security and Training (CAST) Advanced Network Defense and Advanced Penetration Testing courses. He is a technical editor of the Learning Tree course, Penetration Testing Techniques and Computer Forensics. He has presented at the Black Hat USA, Hacker Halted, ISSA, and TakeDownCon conferences, as well as many others. He has chaired the cybercrime and cyber defense summit in Oman and was the executive chairman of the oil and gas cyber defense summit. He is the author of Building Virtual Pentesting Labs for Advanced Penetration Testing and Backtrack – Testing Wireless Network Security. He holds a BS in computer science from National University in California and an MS in software engineering from the Southern Methodist University (SMU) in Texas. He developed the strategy and training development plan for the first Government CERT in the country of Oman, which was recently rated as the top CERT in the Middle East. He serves as a professional training consultant to the Oman Information Technology Authority and developed the team to man the first Commercial Security Operations Center in Oman. He has worked extensively with banks and financial institutions throughout the Middle East, Europe, and the UK in the planning of a robust and secure architecture and implementing requirements to meet compliance. He currently provides consultancy to commercial companies, governments, federal agencies, major banks, and financial institutions throughout the globe. Some of his recent consulting projects include the Muscat Securities Market (MSM), Petroleum Development Oman, and the Central Bank of Oman. He designed and implemented the custom security baseline for the existing Oman Airport Management Company (OAMC) airports and the two new airports opening in 2016. He created custom security baselines for all of the Microsoft Operating Systems, Cisco devices, and other applications as well.

About the Reviewer

S Boominathan is a highly professional security expert with 4 plus years of experience in the field of information security, malware analysis, vulnerability assessment, and network and wireless pentesting. He is currently working with a bellwether of an Indian-based MNC company and is privileged to be doing so. He possesses certifications and knowledge in N+, CCNA, CCSA, CEHV8, CHFIV4, QCP (QualysGuard certified professional), and wireless pentesting expert.

I would like to thank my parents, Sundaram and Valli, my wife, Uthira, and my brother, Sriram, for helping throughout this book. I would like to thank the author and Packt Publishing for providing me with the opportunity to review this book.

www.PacktPub.com

eBooks, discount offers, and more

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?

Fully searchable across every book published by Packt

Copy and paste, print, and bookmark content

On demand and accessible via a web browser

Preface

Defenses continue to improve and become more and more common, but this book will provide you with a number of proven techniques to defeat the latest defenses on networks. The methods and techniques contained will provide you with a powerful arsenal of best practices to increase your penetration testing success. Many of the chapters end with a challenge to the reader that is designed to enhance and perfect their penetration testing skills.

What this book covers

Chapter 1, Penetration Testing Essentials, discusses why an essential element of penetration testing is planning, and a key component of this is having a methodology that emulates and matches the threat that we are portraying.