book

The Art of Network Penetration Testing

by Royce Davis

December 2020

Intermediate to advanced

304 pages

8h 57m

English

Manning Publications

Read now

Unlock full access

prefaceacknowledgmentsabout this bookWho should read this bookHow this book is organized: A roadmapAbout the codeliveBook discussion forumabout the authorabout the cover illustration
1.1 Corporate data breaches1.2 How hackers break in1.2.1 The defender role1.2.2 The attacker role1.3 Adversarial attack simulation: Penetration testing1.3.1 Typical INPT workflow1.4 When a penetration test is least effective1.4.1 Low-hanging fruit1.4.2 When does a company really need a penetration test?1.5 Executing a network penetration test1.5.1 Phase 1: Information gathering1.5.2 Phase 2: Focused penetration1.5.3 Phase 3: Post-exploitation and privilege escalation1.5.4 Phase 4: Documentation1.6 Setting up your lab environment1.6.1 The Capsulecorp Pentest project1.7 Building your own virtual pentest platform1.7.1 Begin with Linux1.7.2 The Ubuntu project1.7.3 Why not use a pentest distribution?Summary
2.1 Understanding your engagement scope2.1.1 Black-box, white-box, and grey-box scoping2.1.2 Capsulecorp2.1.3 Setting up the Capsulecorp Pentest environment2.2 Internet Control Message Protocol2.2.1 Using the ping command2.2.2 Using bash to pingsweep a network range2.2.3 Limitations of using the ping command2.3 Discovering hosts with Nmap2.3.1 Primary output formats2.3.2 Using remote management interface ports2.3.3 Increasing Nmap scan performance2.4 Additional host-discovery methods2.4.1 DNS brute-forcing2.4.2 Packet capture and analysis2.4.3 Hunting for subnetsSummary
3.1 Network services from an attacker’s perspective3.1.1 Understanding network service communication3.1.2 Identifying listening network services3.1.3 Network service banners3.2 Port scanning with Nmap3.2.1 Commonly used ports3.2.2 Scanning all 65,536 TCP ports3.2.3 Sorting through NSE script output3.3 Parsing XML output with Ruby3.3.1 Creating protocol-specific target listsSummary
4.1 Understanding vulnerability discovery4.1.1 Following the path of least resistance4.2 Discovering patching vulnerabilities4.2.1 Scanning for MS17-010 Eternal Blue4.3 Discovering authentication vulnerabilities4.3.1 Creating a client-specific password list4.3.2 Brute-forcing local Windows account passwords4.3.3 Brute-forcing MSSQL and MySQL database passwords4.3.4 Brute-forcing VNC passwords4.4 Discovering configuration vulnerabilities4.4.1 Setting up Webshot4.4.2 Analyzing output from Webshot4.4.3 Manually guessing web server passwords4.4.4 Preparing for focused penetrationSummary

5.1 Understanding phase 2: Focused penetration5.1.1 Deploying backdoor web shells5.1.2 Accessing remote management services5.1.3 Exploiting missing software patches5.2 Gaining an initial foothold5.3 Compromising a vulnerable Tomcat server5.3.1 Creating a malicious WAR file5.3.2 Deploying the WAR file5.3.3 Accessing the web shell from a browser5.4 Interactive vs. non-interactive shells5.5 Upgrading to an interactive shell5.5.1 Backing up sethc.exe5.5.2 Modifying file ACLs with cacls.exe5.5.3 Launching Sticky Keys via RDP5.6 Compromising a vulnerable Jenkins server5.6.1 Groovy script console executionSummary
6.1 Compromising Microsoft SQL Server6.1.1 MSSQL stored procedures6.1.2 Enumerating MSSQL servers with Metasploit6.1.3 Enabling xp_cmdshell6.1.4 Running OS commands with xp_cmdshell6.2 Stealing Windows account password hashes6.2.1 Copying registry hives with reg.exe6.2.2 Downloading registry hive copies6.3 Extracting password hashes with creddump6.3.1 Understanding pwdump’s outputSummary
7.1 Understanding software exploits7.2 Understanding the typical exploit life cycle7.3 Compromising MS17-010 with Metasploit7.3.1 Verifying that the patch is missing7.3.2 Using the ms17_010_psexec exploit module7.4 The Meterpreter shell payload7.4.1 Useful Meterpreter commands7.5 Cautions about the public exploit database7.5.1 Generating custom shellcodeSummary
8.1 Fundamental post-exploitation objectives8.1.1 Maintaining reliable re-entry8.1.2 Harvesting credentials8.1.3 Moving laterally8.2 Maintaining reliable re-entry with Meterpreter8.2.1 Installing a Meterpreter autorun backdoor executable8.3 Harvesting credentials with Mimikatz8.3.1 Using the Meterpreter extension8.4 Harvesting domain cached credentials8.4.1 Using the Meterpreter post module8.4.2 Cracking cached credentials with John the Ripper8.4.3 Using a dictionary file with John the Ripper8.5 Harvesting credentials from the filesystem8.5.1 Locating files with findstr and where8.6 Moving laterally with Pass-the-Hash8.6.1 Using the Metasploit smb_login module8.6.2 Passing-the-hash with CrackMapExecSummary
9.1 Maintaining reliable re-entry with cron jobs9.1.1 Creating an SSH key pair9.1.2 Enabling pubkey authentication9.1.3 Tunneling through SSH9.1.4 Automating an SSH tunnel with cron9.2 Harvesting credentials9.2.1 Harvesting credentials from bash history9.2.2 Harvesting password hashes9.3 Escalating privileges with SUID binaries9.3.1 Locating SUID binaries with the find command9.3.2 Inserting a new user into /etc/passwd9.4 Passing around SSH keys9.4.1 Stealing keys from a compromised host9.4.2 Scanning multiple targets with MetasploitSummary
10.1 Identifying domain admin user accounts10.1.1 Using net to query Active Directory groups10.1.2 Locating logged-in domain admin users10.2 Obtaining domain admin privileges10.2.1 Impersonating logged-in users with Incognito10.2.2 Harvesting clear-text credentials with Mimikatz10.3 ntds.dit and the keys to the kingdom10.3.1 Bypassing restrictions with VSC10.3.2 Extracting all the hashes with secretsdump.pySummary
11.1 Killing active shell connections11.2 Deactivating local user accounts11.2.1 Removing entries from /etc/passwd11.3 Removing leftover files from the filesystem11.3.1 Removing Windows registry hive copies11.3.2 Removing SSH key pairs11.3.3 Removing ntds.dit copies11.4 Reversing configuration changes11.4.1 Disabling MSSQL stored procedures11.4.2 Disabling anonymous file shares11.4.3 Removing crontab entries11.5 Closing backdoors11.5.1 Undeploying WAR files from Apache Tomcat11.5.2 Closing the Sticky Keys backdoor11.5.3 Uninstalling persistent Meterpreter callbacksSummary
12.1 Eight components of a solid pentest deliverable12.2 Executive summary12.3 Engagement methodology12.4 Attack narrative12.5 Technical observations12.5.1 Finding recommendations12.6 Appendices12.6.1 Severity definitions12.6.2 Hosts and services12.6.3 Tools list12.6.4 Additional references12.7 Wrapping it up12.8 What now?Summary
A.1 Creating an Ubuntu virtual machineA.2 Additional OS dependenciesA.2.1 Managing Ubuntu packages with aptA.2.2 Installing CrackMapExecA.2.3 Customizing your terminal look and feelA.3 Installing NmapA.3.1 NSE: The Nmap scripting engineA.3.2 Operating system dependenciesA.3.3 Compiling and installing from sourceA.3.4 Exploring the documentationA.4 The Ruby scripting languageA.4.1 Installing Ruby Version ManagerA.4.2 Writing an obligatory Hello World exampleA.5 The Metasploit frameworkA.5.1 Operating system dependenciesA.5.2 Necessary Ruby gemsA.5.3 Setting up PostgreSQL for MetasploitA.5.4 Navigating the msfconsole
B.1 CLI commandsB.1.1 $ catB.1.2 $ cutB.1.3 $ grepB.1.4 $ sort and wcB.2 tmuxB.2.1 Using tmux commandsB.2.2 Saving a tmux session
C.1 Hardware and software requirementsC.2 Creating the primary Windows serversC.2.1 Goku.capsulecorp.localC.2.2 Gohan.capsulecorp.localC.2.3 Vegeta.capsulecorp.localC.2.4 Trunks.capsulecorp.localC.2.5 Nappa.capsulecorp.local and tien.capsulecorp.localC.2.6 Yamcha.capsulecorp.local and Krillin.capsulecorp.localC.3 Creating the Linux servers
Executive summaryEngagement scopeSummary of observationsEngagement methodologyInformation gatheringFocused penetrationPost-exploitation and privilege escalationDocumentation and cleanupAttack narrativeTechnical observationsAppendix 1: Severity definitionsCriticalHighMediumLowAppendix 2: Hosts and servicesAppendix 3: Tools listAppendix 4: Additional references
Exercise 2.1: Identifying your engagement targetsExercise 3.1: Creating protocol-specific target listsExercise 4.1: Identifying missing patchesExercise 4.2: Creating a client-specific password listExercise 4.3: Discovering weak passwordsExercise 5.1: Deploying a malicious WAR fileExercise 6.1 Stealing SYSTEM and SAM registry hivesExercise 7.1: Compromising tien.capsulecorp.localExercise 8.1: Accessing your first level-two hostExercise 10.1: Stealing passwords from ntds.ditExercise 11.1: Performing post-engagement cleanup

Content preview from The Art of Network Penetration Testing

11 Post-engagement cleanup

This chapter covers

Killing active shell connections
Removing unnecessary user accounts
Deleting miscellaneous files
Reversing configuration changes
Closing backdoors

You’ve completed the first three phases of your internal network penetration test (INPT)! Before moving on to the writing your deliverable, I want to cover some post-engagement cleanup etiquette. You’ve spent the last week or two bombarding your client’s network with attacks and compromising countless systems on their domain. This was not a stealthy red team engagement, so you’ve no doubt left lots of traces in your wake—traces such as user accounts, backdoors, binary files, and changes to system configurations. Leaving the network in this state may ...