The art of network penetration testing: how to take over any company in the world

Bibliographic Details
Other Authors: Davis, Royce, author (author)
Format: eBook
Language: English
Published: Shelter Island, New York : Manning [2020]
Subjects:
View at Biblioteca Universitat Ramon Llull: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009631329306719
Table of Contents:
  • Intro
  • The Art of Network Penetration Testing
  • Copyright
  • contents
  • front matter
  • preface
  • acknowledgments
  • about this book
  • Who should read this book
  • How this book is organized: A roadmap
  • About the code
  • liveBook discussion forum
  • about the author
  • about the cover illustration
  • 1 Network penetration testing
  • 1.1 Corporate data breaches
  • 1.2 How hackers break in
  • 1.2.1 The defender role
  • 1.2.2 The attacker role
  • 1.3 Adversarial attack simulation: Penetration testing
  • 1.3.1 Typical INPT workflow
  • 1.4 When a penetration test is least effective
  • 1.4.1 Low-hanging fruit
  • 1.4.2 When does a company really need a penetration test?
  • 1.5 Executing a network penetration test
  • 1.5.1 Phase 1: Information gathering
  • 1.5.2 Phase 2: Focused penetration
  • 1.5.3 Phase 3: Post-exploitation and privilege escalation
  • 1.5.4 Phase 4: Documentation
  • 1.6 Setting up your lab environment
  • 1.6.1 The Capsulecorp Pentest project
  • 1.7 Building your own virtual pentest platform
  • 1.7.1 Begin with Linux
  • 1.7.2 The Ubuntu project
  • 1.7.3 Why not use a pentest distribution?
  • Summary
  • Phase 1. Information gathering
  • 2 Discovering network hosts
  • 2.1 Understanding your engagement scope
  • 2.1.1 Black-box, white-box, and grey-box scoping
  • 2.1.2 Capsulecorp
  • 2.1.3 Setting up the Capsulecorp Pentest environment
  • 2.2 Internet Control Message Protocol
  • 2.2.1 Using the ping command
  • 2.2.2 Using bash to pingsweep a network range
  • 2.2.3 Limitations of using the ping command
  • 2.3 Discovering hosts with Nmap
  • 2.3.1 Primary output formats
  • 2.3.2 Using remote management interface ports
  • 2.3.3 Increasing Nmap scan performance
  • 2.4 Additional host-discovery methods
  • 2.4.1 DNS brute-forcing
  • 2.4.2 Packet capture and analysis
  • 2.4.3 Hunting for subnets
  • Summary
  • 3 Discovering network services
  • 3.1 Network services from an attacker's perspective
  • 3.1.1 Understanding network service communication
  • 3.1.2 Identifying listening network services
  • 3.1.3 Network service banners
  • 3.2 Port scanning with Nmap
  • 3.2.1 Commonly used ports
  • 3.2.2 Scanning all 65,536 TCP ports
  • 3.2.3 Sorting through NSE script output
  • 3.3 Parsing XML output with Ruby
  • 3.3.1 Creating protocol-specific target lists
  • Summary
  • 4 Discovering network vulnerabilities
  • 4.1 Understanding vulnerability discovery
  • 4.1.1 Following the path of least resistance
  • 4.2 Discovering patching vulnerabilities
  • 4.2.1 Scanning for MS17-010 Eternal Blue
  • 4.3 Discovering authentication vulnerabilities
  • 4.3.1 Creating a client-specific password list
  • 4.3.2 Brute-forcing local Windows account passwords
  • 4.3.3 Brute-forcing MSSQL and MySQL database passwords
  • 4.3.4 Brute-forcing VNC passwords
  • 4.4 Discovering configuration vulnerabilities
  • 4.4.1 Setting up Webshot
  • 4.4.2 Analyzing output from Webshot
  • 4.4.3 Manually guessing web server passwords
  • 4.4.4 Preparing for focused penetration
  • Summary
  • Phase 2. Focused penetration
  • 5 Attacking vulnerable web services
  • 5.1 Understanding phase 2: Focused penetration
  • 5.1.1 Deploying backdoor web shells
  • 5.1.2 Accessing remote management services
  • 5.1.3 Exploiting missing software patches
  • 5.2 Gaining an initial foothold
  • 5.3 Compromising a vulnerable Tomcat server
  • 5.3.1 Creating a malicious WAR file
  • 5.3.2 Deploying the WAR file
  • 5.3.3 Accessing the web shell from a browser
  • 5.4 Interactive vs. non-interactive shells
  • 5.5 Upgrading to an interactive shell
  • 5.5.1 Backing up sethc.exe
  • 5.5.2 Modifying file ACLs with cacls.exe
  • 5.5.3 Launching Sticky Keys via RDP
  • 5.6 Compromising a vulnerable Jenkins server
  • 5.6.1 Groovy script console execution
  • Summary
  • 6 Attacking vulnerable database services
  • 6.1 Compromising Microsoft SQL Server
  • 6.1.1 MSSQL stored procedures
  • 6.1.2 Enumerating MSSQL servers with Metasploit
  • 6.1.3 Enabling xp_cmdshell
  • 6.1.4 Running OS commands with xp_cmdshell
  • 6.2 Stealing Windows account password hashes
  • 6.2.1 Copying registry hives with reg.exe
  • 6.2.2 Downloading registry hive copies
  • 6.3 Extracting password hashes with creddump
  • 6.3.1 Understanding pwdump's output
  • Summary
  • 7 Attacking unpatched services
  • 7.1 Understanding software exploits
  • 7.2 Understanding the typical exploit life cycle
  • 7.3 Compromising MS17-010 with Metasploit
  • 7.3.1 Verifying that the patch is missing
  • 7.3.2 Using the ms17_010_psexec exploit module
  • 7.4 The Meterpreter shell payload
  • 7.4.1 Useful Meterpreter commands
  • 7.5 Cautions about the public exploit database
  • 7.5.1 Generating custom shellcode
  • Summary
  • Phase 3. Post-exploitation and privilege escalation
  • 8 Windows post-exploitation
  • 8.1 Fundamental post-exploitation objectives
  • 8.1.1 Maintaining reliable re-entry
  • 8.1.2 Harvesting credentials
  • 8.1.3 Moving laterally
  • 8.2 Maintaining reliable re-entry with Meterpreter
  • 8.2.1 Installing a Meterpreter autorun backdoor executable
  • 8.3 Harvesting credentials with Mimikatz
  • 8.3.1 Using the Meterpreter extension
  • 8.4 Harvesting domain cached credentials
  • 8.4.1 Using the Meterpreter post module
  • 8.4.2 Cracking cached credentials with John the Ripper
  • 8.4.3 Using a dictionary file with John the Ripper
  • 8.5 Harvesting credentials from the filesystem
  • 8.5.1 Locating files with findstr and where
  • 8.6 Moving laterally with Pass-the-Hash
  • 8.6.1 Using the Metasploit smb_login module
  • 8.6.2 Passing-the-hash with CrackMapExec
  • Summary
  • 9 Linux or UNIX post-exploitation
  • 9.1 Maintaining reliable re-entry with cron jobs
  • 9.1.1 Creating an SSH key pair
  • 9.1.2 Enabling pubkey authentication
  • 9.1.3 Tunneling through SSH
  • 9.1.4 Automating an SSH tunnel with cron
  • 9.2 Harvesting credentials
  • 9.2.1 Harvesting credentials from bash history
  • 9.2.2 Harvesting password hashes
  • 9.3 Escalating privileges with SUID binaries
  • 9.3.1 Locating SUID binaries with the find command
  • 9.3.2 Inserting a new user into /etc/passwd
  • 9.4 Passing around SSH keys
  • 9.4.1 Stealing keys from a compromised host
  • 9.4.2 Scanning multiple targets with Metasploit
  • Summary
  • 10 Controlling the entire network
  • 10.1 Identifying domain admin user accounts
  • 10.1.1 Using net to query Active Directory groups
  • 10.1.2 Locating logged-in domain admin users
  • 10.2 Obtaining domain admin privileges
  • 10.2.1 Impersonating logged-in users with Incognito
  • 10.2.2 Harvesting clear-text credentials with Mimikatz
  • 10.3 ntds.dit and the keys to the kingdom
  • 10.3.1 Bypassing restrictions with VSC
  • 10.3.2 Extracting all the hashes with secretsdump.py
  • Summary
  • Phase 4. Documentation
  • 11 Post-engagement cleanup
  • 11.1 Killing active shell connections
  • 11.2 Deactivating local user accounts
  • 11.2.1 Removing entries from /etc/passwd
  • 11.3 Removing leftover files from the filesystem
  • 11.3.1 Removing Windows registry hive copies
  • 11.3.2 Removing SSH key pairs
  • 11.3.3 Removing ntds.dit copies
  • 11.4 Reversing configuration changes
  • 11.4.1 Disabling MSSQL stored procedures
  • 11.4.2 Disabling anonymous file shares
  • 11.4.3 Removing crontab entries
  • 11.5 Closing backdoors
  • 11.5.1 Undeploying WAR files from Apache Tomcat
  • 11.5.2 Closing the Sticky Keys backdoor
  • 11.5.3 Uninstalling persistent Meterpreter callbacks
  • Summary
  • 12 Writing a solid pentest deliverable
  • 12.1 Eight components of a solid pentest deliverable
  • 12.2 Executive summary
  • 12.3 Engagement methodology
  • 12.4 Attack narrative
  • 12.5 Technical observations
  • 12.5.1 Finding recommendations
  • 12.6 Appendices
  • 12.6.1 Severity definitions
  • 12.6.2 Hosts and services
  • 12.6.3 Tools list
  • 12.6.4 Additional references
  • 12.7 Wrapping it up
  • 12.8 What now?
  • Summary
  • appendix A. Building a virtual pentest platform
  • A.1 Creating an Ubuntu virtual machine
  • A.2 Additional OS dependencies
  • A.2.1 Managing Ubuntu packages with apt
  • A.2.2 Installing CrackMapExec
  • A.2.3 Customizing your terminal look and feel
  • A.3 Installing Nmap
  • A.3.1 NSE: The Nmap scripting engine
  • A.3.2 Operating system dependencies
  • A.3.3 Compiling and installing from source
  • A.3.4 Exploring the documentation
  • A.4 The Ruby scripting language
  • A.4.1 Installing Ruby Version Manager
  • A.4.2 Writing an obligatory Hello World example
  • A.5 The Metasploit framework
  • A.5.1 Operating system dependencies
  • A.5.2 Necessary Ruby gems
  • A.5.3 Setting up PostgreSQL for Metasploit
  • A.5.4 Navigating the msfconsole
  • appendix B. Essential Linux commands
  • B.1 CLI commands
  • B.1.1 cat
  • B.1.2 cut
  • B.1.3 grep
  • B.1.4 sort and wc
  • B.2 tmux
  • B.2.1 Using tmux commands
  • B.2.2 Saving a tmux session
  • appendix C. Creating the Capsulecorp Pentest lab network
  • C.1 Hardware and software requirements
  • C.2 Creating the primary Windows servers
  • C.2.1 Goku.capsulecorp.local
  • C.2.2 Gohan.capsulecorp.local
  • C.2.3 Vegeta.capsulecorp.local
  • C.2.4 Trunks.capsulecorp.local
  • C.2.5 Nappa.capsulecorp.local and tien.capsulecorp.local
  • C.2.6 Yamcha.capsulecorp.local and Krillin.capsulecorp.local
  • C.3 Creating the Linux servers
  • appendix D. Capsulecorp internal network penetration test report
  • Executive summary
  • Engagement scope
  • Summary of observations
  • Engagement methodology
  • Information gathering
  • Focused penetration