Advanced Infrastructure Penetration Testing

Book Description

A highly detailed guide to executing powerful attack vectors in many hands-on scenarios and defending against significant security flaws in your company's infrastructure

About This Book

  • Advanced exploitation techniques to breach modern operating systems and complex network devices
  • Learn about Docker breakouts, Active Directory delegation, and CRON jobs
  • Practical use cases for building an intelligent, endpoint-protected system

Who This Book Is For

If you are a system administrator, SOC analyst, penetration tester, or a network engineer and want to take your penetration testing skills and security knowledge to the next level, then this book is for you. Some prior experience with penetration testing tools and knowledge of Linux and Windows command-line syntax is beneficial.

What You Will Learn

  • Exposure to advanced infrastructure penetration testing techniques and methodologies
  • Gain hands-on experience of penetration testing against Linux system vulnerabilities and memory exploitation
  • Understand what it takes to break into enterprise networks
  • Learn to secure the configuration management environment and continuous delivery pipeline
  • Gain an understanding of how to exploit networks and IoT devices
  • Discover real-world, post-exploitation techniques and countermeasures

In Detail

It has always been difficult to gain hands-on experience and a comprehensive understanding of advanced penetration testing techniques and of vulnerability assessment and management. This book will be your one-stop solution to compromising complex network devices and modern operating systems. It provides you with advanced penetration testing techniques that will help you exploit databases, web and application servers, switches and routers, Docker, VLANs, VoIP, and VPNs.

With this book, you will explore exploitation techniques such as offensive PowerShell tools, CI servers, database exploitation, Active Directory delegation, kernel exploits, cron jobs, VLAN hopping, and Docker breakouts. Moving on, this book will not only walk you through managing vulnerabilities, but will also teach you how to ensure endpoint protection.

Toward the end of this book, you will also discover post-exploitation tips, tools, and methodologies to help your organization build an intelligent security system.

By the end of this book, you will have mastered the skills and methodologies needed to breach infrastructures and provide complete endpoint protection for your system.

Style and approach

Your one-stop guide to mastering the skills and methodologies of breaching infrastructures and providing complete endpoint protection to your system.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Title Page
  2. Copyright and Credits
    1. Advanced Infrastructure Penetration Testing
  3. Packt Upsell
    1. Why subscribe?
    2. PacktPub.com
  4. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
    5. Disclaimer
  6. Introduction to Advanced Infrastructure Penetration Testing
    1. Information security overview
      1. Confidentiality
      2. Integrity
      3. Availability
      4. Least privilege and need to know
      5. Defense in depth
      6. Risk analysis
      7. Information Assurance
      8. Information security management program
    2. Hacking concepts and phases
      1. Types of hackers
      2. Hacking phases
        1. Reconnaissance
          1. Passive reconnaissance
          2. Active reconnaissance
        2. Scanning
          1. Port scanning
          2. Network scanning
          3. Vulnerability scanning
        3. Gaining access
        4. Maintaining access
        5. Clearing tracks
    3. Penetration testing overview
      1. Penetration testing types
        1. White box pentesting
        2. Black box pentesting
        3. Gray box pentesting
      2. The penetration testing teams
        1. Red teaming
        2. Blue teaming
        3. Purple teaming
    4. Pentesting standards and guidance
      1. Policies
      2. Standards
      3. Procedures
      4. Guidance
        1. Open Source Security Testing Methodology Manual
        2. Information Systems Security Assessment Framework
        3. Penetration Testing Execution Standard
        4. Payment Card Industry Data Security Standard
    5. Penetration testing steps
      1. Pre-engagement
        1. The objectives and scope
        2. A get out of jail free card
        3. Emergency contact information
        4. Payment information
        5. Non-disclosure agreement
      2. Intelligence gathering
        1. Public intelligence
        2. Social engineering attacks
        3. Physical analysis
        4. Information system and network analysis
          1. Human intelligence
          2. Signal intelligence
          3. Open source intelligence
          4. Imagery intelligence
          5. Geospatial intelligence
      3. Threat modeling
        1. Business asset analysis
        2. Business process analysis
        3. Threat agents analysis
        4. Threat capability analysis
        5. Motivation modeling
      4. Vulnerability analysis
        1. Vulnerability assessment with Nexpose
          1. Installing Nexpose
          2. Starting Nexpose
          3. Start a scan
      5. Exploitation
      6. Post-exploitation
        1. Infrastructure analysis
        2. Pillaging
        3. High-profile targets
        4. Data exfiltration
        5. Persistence
          1. Further penetration into infrastructure
        6. Cleanup
      7. Reporting
        1. Executive summary
        2. Technical report
    6. Penetration testing limitations and challenges
    7. Pentesting maturity and scoring model
      1. Realism
      2. Methodology
      3. Reporting
    8. Summary
  7. Advanced Linux Exploitation
    1. Linux basics
      1. Linux commands
      2. Streams
      3. Redirection
      4. Linux directory structure
      5. Users and groups
      6. Permissions
        1. The chmod command
        2. The chown command
        3. The chroot command
      7. The power of the find command
      8. Jobs, cron, and crontab
    2. Security models
    3. Security controls
      1. Access control models
    4. Linux attack vectors
      1. Linux enumeration with LinEnum
      2. OS detection with Nmap
      3. Privilege escalation
      4. Linux privilege checker
    5. Linux kernel exploitation
      1. UserLand versus kernel land
      2. System calls
      3. Linux kernel subsystems
        1. Process
        2. Threads
      4. Security-Enhanced Linux
      5. Memory models and the address spaces
      6. Linux kernel vulnerabilities
        1. NULL pointer dereference
        2. Arbitrary kernel read/write
          1. Case study CVE-2016-2443 – Qualcomm MSM debugfs kernel arbitrary write
        3. Memory corruption vulnerabilities
          1. Kernel stack vulnerabilities
          2. Kernel heap vulnerabilities
        4. Race conditions
      7. Logical and hardware-related bugs
        1. Case study CVE-2016-4484 – Cryptsetup Initrd root Shell
      8. Linux Exploit Suggester
    6. Buffer overflow prevention techniques
      1. Address space layout randomization
      2. Stack canaries
      3. Non-executable stack
      4. Linux return oriented programming
    7. Linux hardening
    8. Summary
  8. Corporate Network and Database Exploitation
    1. Networking fundamentals
      1. Network topologies
        1. Bus topology
        2. Star topology
        3. Ring topology
        4. Tree topology
        5. Mesh topology
        6. Hybrid topology
      2. Transmission modes
      3. Communication networks
        1. Local area network
        2. Metropolitan area network
        3. Wide area network
        4. Personal area network
        5. Wireless network
        6. Data center multi-tier model design
    2. Open Systems Interconnection model
    3. In-depth network scanning
      1. TCP communication
      2. ICMP scanning
      3. SSDP scanning
      4. UDP Scanning
      5. Intrusion detection systems
        1. Machine learning for intrusion detection
          1. Supervised learning
          2. Unsupervised learning
          3. Semi-supervised learning
          4. Reinforcement
          5. Machine learning systems' workflow
          6. Machine learning model evaluation metrics
    4. Services enumeration
      1. Insecure SNMP configuration
      2. DNS security
      3. DNS attacks
    5. Sniffing attacks
    6. DDoS attacks
      1. Types of DDoS attacks
      2. Defending against DDoS attacks
      3. DDoS scrubbing centers
    7. Software-Defined Network penetration testing
      1. SDN attacks
      2. SDNs penetration testing
        1. DELTA: SDN security evaluation framework
        2. SDNPWN
    8. Attacks on database servers
    9. Summary
  9. Active Directory Exploitation
    1. Active Directory
    2. Single Sign-On
    3. Kerberos authentication
    4. Lightweight Directory Access Protocol
    5. PowerShell and Active Directory
    6. Active Directory attacks
      1. PowerView
      2. Kerberos attacks
        1. Kerberos TGS service ticket offline cracking (Kerberoast)
        2. SPN scanning
      3. Passwords in SYSVOL and group policy preferences
      4. 14-068 Kerberos vulnerability on a domain controller
      5. Dumping all domain credentials with Mimikatz
      6. Pass the credential
      7. Dumping LSASS memory with Task Manager (get domain admin credentials)
      8. Dumping Active Directory domain credentials from an NTDS.dit file
    7. Summary
  10. Docker Exploitation
    1. Docker fundamentals
      1. Virtualization
      2. Cloud computing
        1. Cloud computing security challenges
      3. Docker containers
    2. Docker exploitation
      1. Kernel exploits
      2. DoS and resource abuse
      3. Docker breakout
      4. Poisoned images
      5. Database passwords and data theft
    3. Docker bench security
    4. Docker vulnerability static analysis with Clair
    5. Building a penetration testing laboratory
    6. Summary
  11. Exploiting Git and Continuous Integration Servers
    1. Software development methodologies
    2. Continuous integration
      1. Types of tests
      2. Continuous integration versus continuous delivery
      3. DevOps
    3. Continuous integration with GitHub and Jenkins
      1. Installing Jenkins
    4. Continuous integration attacks
    5. Continuous integration server penetration testing
      1. Rotten Apple project for testing continuous integration or continuous delivery system security
      2. Continuous security with Zed Attack Proxy
    6. Summary
  12. Metasploit and PowerShell for Post-Exploitation
    1. Dissecting Metasploit Framework
      1. Metasploit architecture
        1. Modules
          1. Exploits
          2. Payloads
          3. Auxiliaries
          4. Encoders
          5. NOPs
          6. Posts
      2. Starting Metasploit
    2. Bypassing antivirus with the Veil-Framework
    3. Writing your own Metasploit module
    4. Metasploit Persistence scripts
    5. Weaponized PowerShell with Metasploit
      1. Interactive PowerShell
      2. PowerSploit
      3. Nishang – PowerShell for penetration testing
    6. Defending against PowerShell attacks
    7. Summary
  13. VLAN Exploitation
    1. Switching in networking
      1. LAN switching
    2. MAC attack
      1. Media Access Control Security
    3. DHCP attacks
      1. DHCP starvation
      2. Rogue DHCP server
    4. ARP attacks
    5. VLAN attacks
      1. Types of VLANs
      2. VLAN configuration
      3. VLAN hopping attacks
        1. Switch spoofing
        2. VLAN double tagging
      4. Private VLAN attacks
    6. Spanning Tree Protocol attacks
      1. Attacking STP
    7. Summary
  14. VoIP Exploitation
    1. VoIP fundamentals
      1. H.323
      2. Skinny Call Control Protocol
      3. RTP/RTCP
      4. Secure Real-time Transport Protocol
      5. H.248 and Media Gateway Control Protocol
      6. Session Initiation Protocol
    2. VoIP exploitation
      1. VoIP attacks
        1. Denial-of-Service
        2. Eavesdropping
      2. SIP attacks
        1. SIP registration hijacking
      3. Spam over Internet Telephony
      4. Embedding malware
      5. Viproy – VoIP penetration testing kit
    3. VoLTE Exploitation
      1. VoLTE attacks
      2. SiGploit – Telecom Signaling Exploitation Framework
    4. Summary
  15. Insecure VPN Exploitation
    1. Cryptography
      1. Cryptosystems
        1. Ciphers
          1. Classical ciphers
          2. Modern ciphers
        2. Kerckhoffs' principle for cryptosystems
        3. Cryptosystem types
          1. Symmetric cryptosystem
          2. Asymmetric cryptosystem
    2. Hash functions and message integrity
      1. Digital signatures
    3. Steganography
    4. Key management
    5. Cryptographic attacks
    6. VPN fundamentals
      1. Tunneling protocols
      2. IPSec
      3. Secure Sockets Layer/Transport Layer Security
        1. SSL attacks
          1. DROWN attack (CVE-2016-0800)
          2. POODLE attack (CVE-2014-3566)
          3. BEAST attack (CVE-2011-3389)
          4. CRIME attack (CVE-2012-4929)
          5. BREACH attack (CVE-2013-3587)
          6. Heartbleed attack 
        2. Qualys SSL Labs
    7. Summary
  16. Routing and Router Vulnerabilities
    1. Routing fundamentals
    2. Exploiting routing protocols
      1. Routing Information Protocol
        1. RIPv1 reflection DDoS
      2. Open Shortest Path First
        1. OSPF attacks
          1. Disguised LSA
          2. MaxAge LSAs
          3. Remote false adjacency
          4. Seq++ attack
          5. Persistent poisoning
        2. Defenses
      3. Interior Gateway Routing Protocol
      4. Enhanced Interior Gateway Routing Protocol
      5. Border Gateway Protocol
      6. BGP attacks
    3. Exploiting routers
      1. Router components
        1. Router bootup process
      2. Router attacks
      3. The router exploitation framework
    4. Summary
  17. Internet of Things Exploitation
    1. The IoT ecosystem
      1. IoT project architecture
      2. IoT protocols
      3. The IoT communication stack
      4. IP Smart Objects protocols suite
      5. Standards organizations
    2. IoT attack surfaces
      1. Devices and appliances
      2. Firmware
      3. Web interfaces
      4. Network services
      5. Cloud interfaces and third-party API
      6. Case study – Mirai Botnet
      7. The OWASP IoT Project
        1. Insecure web interface
        2. Insufficient authentication/authorization
        3. Insecure network services
        4. Lack of transport encryption
        5. Privacy concerns
        6. Insecure cloud interface
        7. Insecure mobile interface
        8. Insufficient security configurability
        9. Insecure software/firmware
        10. Poor physical security
      8. Hacking connected cars
      9. Threats to connected cars
    3. Summary
  18. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think