Hands-on penetration testing on Windows: unleash Kali Linux, PowerShell, and Windows debugging tools for security testing and analysis
Master the art of identifying vulnerabilities within the Windows OS and develop the desired solutions for it using Kali Linux. Key Features: Identify the vulnerabilities in your system using Kali Linux 2018.02; Discover the art of exploiting Windows kernel drivers; Get to know several bypassing techniq...
| Other authors | |
|---|---|
| Format | E-book |
| Language | English |
| Published | Birmingham: Packt, 2018. |
| Edition | 1st edition |
| Subjects | |
| View in Universitat Ramon Llull Library | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009631587506719 |
Table of Contents:
- Cover
- Title Page
- Copyright and Credits
- Dedication
- Packt Upsell
- Contributors
- Table of Contents
- Preface
- Chapter 1: Bypassing Network Access Control
- Technical requirements
- Bypassing MAC filtering - considerations for the physical assessor
- Configuring a Kali wireless access point to bypass MAC filtering
- Design weaknesses - exploiting weak authentication mechanisms
- Capturing captive portal authentication conversations in the clear
- Layer-2 attacks against the network
- Bypassing validation checks
- Confirming the Organizationally Unique Identifier
- Passive Operating System Fingerprinter
- Spoofing the HTTP User-Agent
- Breaking out of jail - masquerading the stack
- Following the rules spoils the fun - suppressing normal TCP replies
- Fabricating the handshake with Scapy and Python
- Summary
- Questions
- Further reading
- Chapter 2: Sniffing and Spoofing
- Technical requirements
- Advanced Wireshark - going beyond simple captures
- Passive wireless analysis
- Targeting WLANs with the Aircrack-ng suite
- WLAN analysis with Wireshark
- Active network analysis with Wireshark
- Advanced Ettercap - the man-in-the-middle Swiss Army Knife
- Bridged sniffing and the malicious access point
- Ettercap filters - fine-tuning your analysis
- Killing connections with Ettercap filters
- Getting better - spoofing with BetterCAP
- ICMP redirection with BetterCAP
- Summary
- Questions
- Further reading
- Chapter 3: Windows Passwords on the Network
- Technical requirements
- Understanding Windows passwords
- A crash course on hash algorithms
- Password hashing methods in Windows
- If it ends with 1404EE, then it's easy for me - understanding LM hash flaws
- Authenticating over the network-a different game altogether
- Capturing Windows passwords on the network
- A real-world pen test scenario - the chatty printer
- Configuring our SMB listener
- Authentication capture
- Hash capture with LLMNR/NetBIOS NS spoofing
- Let it rip - cracking Windows hashes
- The two philosophies of password cracking
- John the Ripper cracking with a wordlist
- John the Ripper cracking with masking
- Reviewing your progress with the show flag
- Summary
- Questions
- Further reading
- Chapter 4: Advanced Network Attacks
- Technical requirements
- Binary injection with BetterCAP proxy modules
- The Ruby file injection proxy module - replace_file.rb
- Creating the payload and connect-back listener with Metasploit
- HTTP downgrading attacks with sslstrip
- Removing the need for a certificate - HTTP downgrading
- Understanding HSTS bypassing with DNS spoofing
- HTTP downgrade attacks with BetterCAP ARP/DNS spoofing
- The evil upgrade - attacking software update mechanisms
- Exploring ISR Evilgrade
- Configuring the payload and upgrade module
- Spoofing ARP/DNS and injecting the payload
- IPv6 for hackers
- IPv6 addressing basics
- Local IPv6 reconnaissance and the Neighbor Discovery Protocol
- IPv6 man-in-the-middle - attacking your neighbors
- Living in an IPv4 world - creating a local 4-to-6 proxy for your tools
- Summary
- Questions
- Further reading
- Chapter 5: Cryptography and the Penetration Tester
- Technical requirements
- Flipping the bit - integrity attacks against CBC algorithms
- Block ciphers and modes of operation
- Introducing block chaining
- Setting up your bit-flipping lab
- Manipulating the IV to generate predictable results
- Flipping to root - privilege escalation via CBC bit-flipping
- Sneaking your data in - hash length extension attacks
- Setting up your hash attack lab
- Understanding SHA-1's running state and compression function
- Data injection with the hash length extension attack
- Busting the padding oracle with PadBuster
- Interrogating the padding oracle
- Decrypting a CBC block with PadBuster
- Behind the scenes of the oracle padding attack
- Summary
- Questions
- Further reading
- Chapter 6: Advanced Exploitation with Metasploit
- Technical requirements
- How to get it right the first time - generating payloads
- Installing Wine32 and Shellter
- Payload generation goes solo - working with msfvenom
- Creating nested payloads
- Helter Skelter evading antivirus with Shellter
- Modules - the bread and butter of Metasploit
- Building a simple Metasploit auxiliary module
- Efficiency and attack organization with Armitage
- Getting familiar with your Armitage environment
- Enumeration with Armitage
- Exploitation made ridiculously simple with Armitage
- A word about Armitage and the pen tester mentality
- Social engineering attacks with Metasploit payloads
- Creating a Trojan with Shellter
- Preparing a malicious USB drive for Trojan delivery
- Summary
- Questions
- Further reading
- Chapter 7: Stack and Heap Memory Management
- Technical requirements
- An introduction to debugging
- Understanding the stack
- Understanding registers
- Assembly language basics
- Disassemblers, debuggers, and decompilers - oh my!
- Getting cozy with the Linux command-line debugger - GDB
- Stack smack - introducing buffer overflows
- Examining the stack and registers during execution
- Lilliputian concerns - understanding endianness
- Introducing shellcoding
- Hunting bytes that break shellcode
- Generating shellcode with msfvenom
- Grab your mittens, we're going a NOP sledding
- Summary
- Questions
- Further reading
- Chapter 8: Windows Kernel Security
- Technical requirements
- Kernel fundamentals - understanding how kernel attacks work
- Kernel attack vectors
- The kernel's role as time cop
- It's just a program
- Pointing out the problem - pointer issues
- Dereferencing pointers in C and assembly
- Understanding NULL pointer dereferencing
- The Win32k kernel-mode driver
- Passing an error code as a pointer to xxxSendMessage()
- Metasploit - exploring a Windows kernel exploit module
- Practical kernel attacks with Kali
- An introduction to privilege escalation
- Escalating to SYSTEM on Windows 7 with Metasploit
- Summary
- Questions
- Further reading
- Chapter 9: Weaponizing Python
- Technical requirements
- Incorporating Python into your work
- Why Python?
- Getting cozy with Python in your Kali environment
- Introducing Vim with Python syntax awareness
- Python network analysis
- Python modules for networking
- Building a Python client
- Building a Python server
- Building a Python reverse shell script
- Antimalware evasion in Python
- Creating Windows executables of your Python scripts
- Preparing your raw payload
- Writing your payload retrieval and delivery in Python
- Python and Scapy - a classy pair
- Revisiting ARP poisoning with Python and Scapy
- Summary
- Questions
- Further reading
- Chapter 10: Windows Shellcoding
- Technical requirements
- Taking out the guesswork - heap spraying
- Memory allocation - stack versus heap
- Shellcode whac-a-mole - heap spraying fundamentals
- Shellcode generation for the Java vulnerability
- Creating the malicious website to exploit Java
- Debugging Internet Explorer with WinDbg
- Examining memory after spraying the heap
- Fine-tuning your attack and getting a shell
- Understanding Metasploit shellcode delivery
- Encoder theory and techniques - what encoding is and isn't
- Windows binary disassembly within Kali
- Injection with Backdoor Factory
- Code injection fundamentals - fine-tuning with BDF
- Trojan engineering with BDF and IDA
- Summary
- Questions
- Further reading
- Chapter 11: Bypassing Protections with ROP
- Technical requirements
- DEP and ASLR - the intentional and the unavoidable
- Understanding DEP
- Understanding ASLR
- Testing DEP protection with WinDbg
- Demonstrating ASLR on Kali Linux with C
- Introducing return-oriented programming
- Borrowing chunks and returning to libc - turning the code against itself
- The basic unit of ROP - gadgets
- Getting cozy with our tools - MSFrop and ROPgadget
- Metasploit Framework's ROP tool - MSFrop
- Your sophisticated ROP lab - ROPgadget
- Creating our vulnerable C program without disabling protections
- No PIE for you - compiling your vulnerable executable without ASLR hardening
- Generating a ROP chain
- Getting hands-on with the return-to-PLT attack
- Extracting gadget information for building your payload
- Finding the .bss address
- Finding a pop pop ret structure
- Finding addresses for system@plt and strcpy@plt functions
- Finding target characters in memory with ROPgadget and Python
- Go, go, gadget ROP chain - bringing it together for the exploit
- Finding the offset to return with gdb
- Writing the Python exploit
- Summary
- Questions
- Further reading
- Chapter 12: Fuzzing Techniques
- Technical requirements
- Network fuzzing - mutation fuzzing with Taof proxying
- Configuring the Taof proxy to target the remote service
- Fuzzing by proxy - generating legitimate traffic
- Hands-on fuzzing with Kali and Python
- Picking up where Taof left off with Python - fuzzing the vulnerable FTP server
- The other side - fuzzing a vulnerable FTP client
- Writing a bare-bones FTP fuzzer service in Python
- Crashing the target with the Python fuzzer
- Fuzzy registers - the low-level perspective
- Calculating the EIP offset with the Metasploit toolset