book

Advanced Penetration Testing for Highly-Secured Environments - Second Edition

Name: Advanced Penetration Testing for Highly-Secured Environments - Second Edition
ISBN: 9781784395810

by Lee Allen, Kevin Cardwell

March 2016

Intermediate to advanced

428 pages

9h 17m

English

Packt Publishing

Read now

Unlock full access

Advanced Penetration Testing for Highly-Secured Environments Second Edition
Table of Contents
Advanced Penetration Testing for Highly-Secured Environments Second Edition
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and moreWhy subscribe?
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the color images of this bookErrataPiracyQuestions
1. Penetration Testing Essentials
Methodology defined
Example methodologies
Penetration testing frameworkPenetration Testing Execution StandardPre-engagement interactionsIntelligence gatheringThreat modelingVulnerability analysisExploitationPost-exploitationReporting
Abstract methodology
Final thoughts
Summary
2. Preparing a Test Environment
Introducing VMware WorkstationWhy VMware Workstation?
Installing VMware Workstation
Network design
VMnet0VMnet1VMnet8Folders
Understanding the default architecture
Installing Kali Linux
Creating the switches
Putting it all together
Installing Ubuntu LTSInstalling KioptrixCreating pfSense VM
Summary
3. Assessment Planning
Introducing advanced penetration testingVulnerability assessmentsPenetration testingAdvanced penetration testing
Before testing begins
Determining scopeSetting limits – nothing lasts foreverRules of Engagement documentation
Planning for action
Configuring KaliUpdating the applications and operating system
Installing LibreOffice
Effectively managing your test results
Introduction to MagicTreeStarting MagicTreeAdding nodesData collectionReport generation
Introduction to the Dradis framework
Exporting a project templateImporting a project templatePreparing sample data for importImporting your Nmap dataExporting data into HTMLDradis Category fieldChanging the default HTML template
Summary
4. Intelligence Gathering
Introducing reconnaissanceReconnaissance workflow
DNS recon
nslookup – it's there when you need itDefault outputChanging nameserversCreating an automation scriptWhat did we learn?Domain information groperDefault outputZone transfers using DigAdvanced features of DigShortening the outputListing the bind versionReverse DNS lookup using DigMultiple commandsTracing the pathBatching with digDNS brute-forcing with fierceDefault command usageCreating a custom word list
Gathering and validating domain and IP information
Gathering information with WhoisSpecifying which registrar to useWhere in the world is this IP?Defensive measures
Using search engines to do your job for you
ShodanFiltersUnderstanding bannersHTTP bannersFinding specific assetsFinding people (and their documents) on the webGoogle hacking databaseGoogle filtersSearching the Internet for clues
Creating network baselines with scanPBNJ
Metadata collectionExtracting metadata from photos using exiftool
Summary
5. Network Service Attacks
Configuring and testing our lab clientsKali – manual ifconfigUbuntu – manual ifconfigVerifying connectivityMaintaining IP settings after reboot
Angry IP Scanner
Nmap – getting to know you
Commonly seen Nmap scan types and optionsBasic scans – warming upOther Nmap techniquesRemaining stealthyTaking your timeTrying different scan typesSYN scanNull scanACK scanConclusionShifting blame – the zombies did it!IDS rules and how to avoid themUsing decoysAdding custom Nmap scripts to your arsenalDeciding if a script is right for youAdding a new script to the databaseZenmap – for those who want the GUI
SNMP – a goldmine of information just waiting to be discovered
When the SNMP community string is NOT "public"
Network baselines with scanPBNJ
Setting up MySQL for PBNJPreparing the PBNJ databaseFirst scanReviewing the data
Enumeration avoidance techniques
Naming conventionsPort knockingIntrusion detection and avoidance systemsTrigger pointsSNMP lockdown
Reader challenge
Summary
6. Exploitation
Exploitation – why bother?
Manual exploitation
Enumerating servicesQuick scans with unicornscanFull scanning with NmapBanner grabbing with Netcat and NcatBanner grabbing with NetcatBanner grabbing with NcatBanner grabbing with smbclientSearching Exploit-DBExploit-DB at handCompiling the codeCompiling proof-of-concept codeTroubleshooting the codeWhat are all of these ^M characters and why won't they go away?Broken strings – the reunionRunning the exploit
Getting files to and from victim machines
Starting a TFTP server on KaliInstalling and configuring pure-ftpdStarting pure-ftpd
Passwords – something you know…
Cracking the hashBrute-forcing passwords
Metasploit – learn it and love it
Databases and MetasploitPerforming an nmap scan from within MetasploitUsing auxiliary modulesUsing Metasploit to exploit Kioptrix
Reader challenge
Summary
7. Web Application Attacks
Practice makes perfectCreating a KioptrixVM Level 3 cloneInstalling and configuring Mutillidae on the Ubuntu virtual machine
Configuring pfSense
Configuring the pfSense DHCP serverStarting the virtual labpfSense DHCP – Permanent reservationsInstalling HAProxy for load balancingAdding Kioptrix3.com to the host file
Detecting load balancers
Quick reality check – Load Balance DetectorSo, what are we looking for anyhow?
Detecting web application firewalls (WAF)
Taking on Level 3 – Kioptrix
Web Application Attack and Audit framework (w3af)
Using w3af GUI to save configuration timeUsing a second tool for comparisonsScanning using the w3af consoleUsing WebScarab as an HTTP proxy
Introduction to browser plugin HackBar
Reader challenge
Summary
8. Exploitation Concepts
Buffer overflows – a refresherMemory basics"C"ing is believing – Create a vulnerable programTurning ASLR on and off in KaliUnderstanding the basics of buffer overflows
64-bit exploitation
Introducing vulnserver
Fuzzing tools included in Kali
Bruteforce Exploit Detector (BED)sfuzz – Simple fuzzer
Social Engineering Toolkit
Fast-Track
Reader challenge
Summary
9. Post-Exploitation
Rules of EngagementWhat is permitted?Can you modify anything and everything?Are you allowed to add persistence?How is the data that is collected and stored handled by you and your team?Employee data and personal information
Data gathering, network analysis, and pillaging
LinuxImportant directories and filesImportant commandsPutting this information to useEnumerationExploitationWe are connected, now what?Which tools are available on the remote system?Finding network informationDetermine connectionsChecking installed packagesPackage repositoriesPrograms and services that run at startupSearching for informationHistory files and logsConfigurations, settings, and other filesUsers and credentialsMoving the filesMicrosoft Windows™ post-exploitationImportant directories and filesUsing Armitage for post-exploitationEnumerationExploitationWe are connected, now what?Networking detailsFinding installed software and tools
Pivoting
Reader challenge
Summary
10. Stealth Techniques
Lab preparationKali guest machineUbuntu guest machineThe pfSense guest machine configurationThe pfSense network setupWAN IP configurationLAN IP configurationFirewall configuration
Stealth scanning through the firewall
Finding the portsTraceroute to find out if there is a firewallFinding out if the firewall is blocking certain portsHping3Nmap firewalk script
Now you see me, now you don't – avoiding IDS
CanonicalizationTiming is everything
Blending in
PfSense SSH logs
Looking at traffic patterns
Cleaning up compromised hosts
Using a checklistWhen to clean upLocal log files
Miscellaneous evasion techniques
Divide and conquerHiding out (on controlled units)File Integrity Monitoring (FIM)Using common network management tools to do the deed
Reader challenge
Summary
11. Data Gathering and Reporting
Record now – sort later
Old school – the text editor method
NanoVIM –the power user's text editor of choiceGedit – Gnome text editor
Dradis framework for collaboration
Binding to an available interface other than 127.0.0.1
The report
Reader challenge
Summary
12. Penetration Testing Challenge
Firewall lab setupInstalling additional packages in pfSense
The scenario
The virtual lab setup
AspenMLC Research Labs' virtual networkAdditional system modificationsUbuntu 8.10 server modifications
The challenge
The walkthrough
Defining the scopeDetermining the "why"So what is the "why" of this particular test?Developing the Rules of Engagement documentInitial plan of attackEnumeration and exploitation
Reporting
Summary
Index

Overview

Dive into the world of penetration testing with this hands-on and technique-rich guide. Explore advanced pentesting methodologies and learn how to effectively breach highly-secured environments. With practical examples and real-world scenarios, this book equips you with essential skills to handle modern secure systems and environments effectively.

What this Book will help me do

Master step-by-step methodologies for advanced penetration testing.
Effectively test security perimeters using cutting-edge tools and techniques.
Understand and exploit vulnerabilities in various systems and applications.
Gain proficiency in stealth and evasion techniques to bypass security measures.
Challenge your skills with real-world scenarios and practical exercises.

Author(s)

The authors, None Allen and None Cardwell, are seasoned penetration testers and security professionals with years of in-depth experience in the field. Their extensive knowledge and practical approach make this book an authoritative guide. Through their work, they aim to share insights and methodologies to help security professionals enhance their skills in penetration testing. They emphasize real-world applications and hands-on learning.

Who is it for?

This book is intended for IT professionals, security analysts, or ethical hackers seeking to refine their penetration testing expertise. It's perfect for practitioners at all skill levels, from beginners eager to learn advanced concepts to experienced testers aiming to stay ahead of emerging threats. If you're involved in securing or testing IT systems, this book aligns with your professional goals.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781784395810

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills