book

The Art of Network Penetration Testing

Name: The Art of Network Penetration Testing
Author: Royce Davis
ISBN: 9781617296826

by Royce Davis

December 2020

Intermediate to advanced

304 pages

8h 57m

English

Manning Publications

Read now

Unlock full access

The Art of Network Penetration Testing
Copyright
contents
front matter
prefaceacknowledgmentsabout this bookWho should read this bookHow this book is organized: A roadmapAbout the codeliveBook discussion forumabout the authorabout the cover illustration
1 Network penetration testing
1.1 Corporate data breaches1.2 How hackers break in1.2.1 The defender role1.2.2 The attacker role1.3 Adversarial attack simulation: Penetration testing1.3.1 Typical INPT workflow1.4 When a penetration test is least effective1.4.1 Low-hanging fruit1.4.2 When does a company really need a penetration test?1.5 Executing a network penetration test1.5.1 Phase 1: Information gathering1.5.2 Phase 2: Focused penetration1.5.3 Phase 3: Post-exploitation and privilege escalation1.5.4 Phase 4: Documentation1.6 Setting up your lab environment1.6.1 The Capsulecorp Pentest project1.7 Building your own virtual pentest platform1.7.1 Begin with Linux1.7.2 The Ubuntu project1.7.3 Why not use a pentest distribution?Summary
Phase 1. Information gathering
2 Discovering network hosts
2.1 Understanding your engagement scope2.1.1 Black-box, white-box, and grey-box scoping2.1.2 Capsulecorp2.1.3 Setting up the Capsulecorp Pentest environment2.2 Internet Control Message Protocol2.2.1 Using the ping command2.2.2 Using bash to pingsweep a network range2.2.3 Limitations of using the ping command2.3 Discovering hosts with Nmap2.3.1 Primary output formats2.3.2 Using remote management interface ports2.3.3 Increasing Nmap scan performance2.4 Additional host-discovery methods2.4.1 DNS brute-forcing2.4.2 Packet capture and analysis2.4.3 Hunting for subnetsSummary
3 Discovering network services
3.1 Network services from an attacker’s perspective3.1.1 Understanding network service communication3.1.2 Identifying listening network services3.1.3 Network service banners3.2 Port scanning with Nmap3.2.1 Commonly used ports3.2.2 Scanning all 65,536 TCP ports3.2.3 Sorting through NSE script output3.3 Parsing XML output with Ruby3.3.1 Creating protocol-specific target listsSummary
4 Discovering network vulnerabilities
4.1 Understanding vulnerability discovery4.1.1 Following the path of least resistance4.2 Discovering patching vulnerabilities4.2.1 Scanning for MS17-010 Eternal Blue4.3 Discovering authentication vulnerabilities4.3.1 Creating a client-specific password list4.3.2 Brute-forcing local Windows account passwords4.3.3 Brute-forcing MSSQL and MySQL database passwords4.3.4 Brute-forcing VNC passwords4.4 Discovering configuration vulnerabilities4.4.1 Setting up Webshot4.4.2 Analyzing output from Webshot4.4.3 Manually guessing web server passwords4.4.4 Preparing for focused penetrationSummary
Phase 3. Focused penetration

5 Attacking vulnerable web services
5.1 Understanding phase 2: Focused penetration5.1.1 Deploying backdoor web shells5.1.2 Accessing remote management services5.1.3 Exploiting missing software patches5.2 Gaining an initial foothold5.3 Compromising a vulnerable Tomcat server5.3.1 Creating a malicious WAR file5.3.2 Deploying the WAR file5.3.3 Accessing the web shell from a browser5.4 Interactive vs. non-interactive shells5.5 Upgrading to an interactive shell5.5.1 Backing up sethc.exe5.5.2 Modifying file ACLs with cacls.exe5.5.3 Launching Sticky Keys via RDP5.6 Compromising a vulnerable Jenkins server5.6.1 Groovy script console executionSummary
6 Attacking vulnerable database services
6.1 Compromising Microsoft SQL Server6.1.1 MSSQL stored procedures6.1.2 Enumerating MSSQL servers with Metasploit6.1.3 Enabling xp_cmdshell6.1.4 Running OS commands with xp_cmdshell6.2 Stealing Windows account password hashes6.2.1 Copying registry hives with reg.exe6.2.2 Downloading registry hive copies6.3 Extracting password hashes with creddump6.3.1 Understanding pwdump’s outputSummary
7 Attacking unpatched services
7.1 Understanding software exploits7.2 Understanding the typical exploit life cycle7.3 Compromising MS17-010 with Metasploit7.3.1 Verifying that the patch is missing7.3.2 Using the ms17_010_psexec exploit module7.4 The Meterpreter shell payload7.4.1 Useful Meterpreter commands7.5 Cautions about the public exploit database7.5.1 Generating custom shellcodeSummary
Phase 3. Post-exploitation and privilege escalation
8 Windows post-exploitation
8.1 Fundamental post-exploitation objectives8.1.1 Maintaining reliable re-entry8.1.2 Harvesting credentials8.1.3 Moving laterally8.2 Maintaining reliable re-entry with Meterpreter8.2.1 Installing a Meterpreter autorun backdoor executable8.3 Harvesting credentials with Mimikatz8.3.1 Using the Meterpreter extension8.4 Harvesting domain cached credentials8.4.1 Using the Meterpreter post module8.4.2 Cracking cached credentials with John the Ripper8.4.3 Using a dictionary file with John the Ripper8.5 Harvesting credentials from the filesystem8.5.1 Locating files with findstr and where8.6 Moving laterally with Pass-the-Hash8.6.1 Using the Metasploit smb_login module8.6.2 Passing-the-hash with CrackMapExecSummary
9 Linux or UNIX post-exploitation
9.1 Maintaining reliable re-entry with cron jobs9.1.1 Creating an SSH key pair9.1.2 Enabling pubkey authentication9.1.3 Tunneling through SSH9.1.4 Automating an SSH tunnel with cron9.2 Harvesting credentials9.2.1 Harvesting credentials from bash history9.2.2 Harvesting password hashes9.3 Escalating privileges with SUID binaries9.3.1 Locating SUID binaries with the find command9.3.2 Inserting a new user into /etc/passwd9.4 Passing around SSH keys9.4.1 Stealing keys from a compromised host9.4.2 Scanning multiple targets with MetasploitSummary
10 Controlling the entire network
10.1 Identifying domain admin user accounts10.1.1 Using net to query Active Directory groups10.1.2 Locating logged-in domain admin users10.2 Obtaining domain admin privileges10.2.1 Impersonating logged-in users with Incognito10.2.2 Harvesting clear-text credentials with Mimikatz10.3 ntds.dit and the keys to the kingdom10.3.1 Bypassing restrictions with VSC10.3.2 Extracting all the hashes with secretsdump.pySummary
Phase 4. Documentation
11 Post-engagement cleanup
11.1 Killing active shell connections11.2 Deactivating local user accounts11.2.1 Removing entries from /etc/passwd11.3 Removing leftover files from the filesystem11.3.1 Removing Windows registry hive copies11.3.2 Removing SSH key pairs11.3.3 Removing ntds.dit copies11.4 Reversing configuration changes11.4.1 Disabling MSSQL stored procedures11.4.2 Disabling anonymous file shares11.4.3 Removing crontab entries11.5 Closing backdoors11.5.1 Undeploying WAR files from Apache Tomcat11.5.2 Closing the Sticky Keys backdoor11.5.3 Uninstalling persistent Meterpreter callbacksSummary
12 Writing a solid pentest deliverable
12.1 Eight components of a solid pentest deliverable12.2 Executive summary12.3 Engagement methodology12.4 Attack narrative12.5 Technical observations12.5.1 Finding recommendations12.6 Appendices12.6.1 Severity definitions12.6.2 Hosts and services12.6.3 Tools list12.6.4 Additional references12.7 Wrapping it up12.8 What now?Summary
appendix A. Building a virtual pentest platform
A.1 Creating an Ubuntu virtual machineA.2 Additional OS dependenciesA.2.1 Managing Ubuntu packages with aptA.2.2 Installing CrackMapExecA.2.3 Customizing your terminal look and feelA.3 Installing NmapA.3.1 NSE: The Nmap scripting engineA.3.2 Operating system dependenciesA.3.3 Compiling and installing from sourceA.3.4 Exploring the documentationA.4 The Ruby scripting languageA.4.1 Installing Ruby Version ManagerA.4.2 Writing an obligatory Hello World exampleA.5 The Metasploit frameworkA.5.1 Operating system dependenciesA.5.2 Necessary Ruby gemsA.5.3 Setting up PostgreSQL for MetasploitA.5.4 Navigating the msfconsole
appendix B. Essential Linux commands
B.1 CLI commandsB.1.1 $ catB.1.2 $ cutB.1.3 $ grepB.1.4 $ sort and wcB.2 tmuxB.2.1 Using tmux commandsB.2.2 Saving a tmux session
appendix C. Creating the Capsulecorp Pentest lab network
C.1 Hardware and software requirementsC.2 Creating the primary Windows serversC.2.1 Goku.capsulecorp.localC.2.2 Gohan.capsulecorp.localC.2.3 Vegeta.capsulecorp.localC.2.4 Trunks.capsulecorp.localC.2.5 Nappa.capsulecorp.local and tien.capsulecorp.localC.2.6 Yamcha.capsulecorp.local and Krillin.capsulecorp.localC.3 Creating the Linux servers
appendix D. Capsulecorp internal network penetration test report
Executive summaryEngagement scopeSummary of observationsEngagement methodologyInformation gatheringFocused penetrationPost-exploitation and privilege escalationDocumentation and cleanupAttack narrativeTechnical observationsAppendix 1: Severity definitionsCriticalHighMediumLowAppendix 2: Hosts and servicesAppendix 3: Tools listAppendix 4: Additional references
appendix E. Exercise answers
Exercise 2.1: Identifying your engagement targetsExercise 3.1: Creating protocol-specific target listsExercise 4.1: Identifying missing patchesExercise 4.2: Creating a client-specific password listExercise 4.3: Discovering weak passwordsExercise 5.1: Deploying a malicious WAR fileExercise 6.1 Stealing SYSTEM and SAM registry hivesExercise 7.1: Compromising tien.capsulecorp.localExercise 8.1: Accessing your first level-two hostExercise 10.1: Stealing passwords from ntds.ditExercise 11.1: Performing post-engagement cleanup
index

Content preview from The Art of Network Penetration Testing

1 Network penetration testing

This chapter covers

Corporate data breaches
Adversarial attack simulations
When organizations don’t need a penetration test
The four phases of an internal network penetration test

Everything today exists digitally within networked computer systems in the cloud. Your tax returns; pictures of your kids that you take with a cellphone; the locations, dates, and times of all the places you’ve navigated to using your GPS—they’re all there, ripe for the picking by an attacker who is dedicated and skilled enough.

The average enterprise corporation has 10 times (at least) as many connected devices running on its network as it does employees who use those devices to conduct normal business operations. This probably doesn’t ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781617296826Publisher Support Publisher Website

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The Art of Network Penetration Testing

by Royce Davis

1 Network penetration testing

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.