book

The Ultimate Kali Linux Book - Second Edition

by Glen D. Singh

February 2022

Intermediate to advanced

742 pages

15h 41m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorAbout the reviewer
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedDisclaimerShare Your Thoughts
Identifying threat actors and their intentUnderstanding what matters to threat actorsTimeResourcesFinancial factorsHack valueDiscovering cybersecurity terminologiesExploring the need for penetration testing and its phasesCreating a penetration testing battle planUnderstanding penetration testing approachesTypes of penetration testing Exploring hacking phases Reconnaissance or information gathering Scanning and enumerationGaining access Maintaining access Covering your tracks Understanding the Cyber Kill Chain frameworkReconnaissance WeaponizationDeliveryExploitationInstallationCommand and Control (C2)Actions on objectivesSummaryFurther reading
Technical requirementsUnderstanding the lab overview and its technologiesSetting up a hypervisor and virtually isolated networksPart 1 – deploying the hypervisorPart 2 – creating virtually isolated networksSetting up and working with Kali LinuxPart 1 – setting up Kali Linux as a virtual machinePart 2 – customizing the Kali Linux virtual machine and network adaptersPart 3 – getting started with Kali LinuxPart 4 – updating sources and packagesDeploying Metasploitable 2 as a target systemPart 1 – deploying Metasploitable 2Part 2 – configuring networking settingsImplementing Metasploitable 3 using VagrantPart 1 – setting up the Windows versionPart 2 – setting up the Linux versionSetting up vulnerability web application systemsPart 1 – deploying OWASP Juice ShopPart 2 – setting up OWASP Broken Web ApplicationsSummaryFurther reading
Technical requirementsBuilding an AD red team labPart 1 – installing Windows Server 2019 Part 2 – installing Windows 10 EnterprisePart 2 – setting up AD servicesPart 3 – promoting to a DCPart 4 – creating domain users and administrator accountsPart 5 – disabling antimalware protection and the domain firewallPart 6 – setting up for file sharing and service authentication attacks Part 7 – joining clients to the AD domainPart 8 – setting up for local account takeover and SMB attacks Setting up a wireless penetration testing labImplementing a RADIUS server SummaryFurther reading
Technical requirementsUnderstanding the importance of reconnaissance FootprintingUnderstanding passive information gatheringExploring open source intelligenceUsing OSINT strategies to gather intelligenceImportance of a sock puppetAnonymizing your traffic Profiling a target organization's IT infrastructureGathering employees' dataSocial media reconnaissance Gathering a company's infrastructure dataSummaryFurther reading
Technical requirementsUnderstanding active reconnaissanceExploring Google hacking strategies Exploring DNS reconnaissancePerforming DNS enumerationChecking for DNS zone transfer misconfigurationAutomating OSINTEnumerating subdomainsWorking with DNSmapExploring Sublist3rProfiling websites using EyeWitnessExploring active scanning techniquesSpoofing MAC addressesDiscovering live systems on a networkProbing open service ports, services, and operating systemsWorking with evasion techniquesEnumerating common network servicesScanning using MetasploitEnumerating SMBEnumerating SSHPerforming user enumeration through noisy authentication controlsFinding data leaks in the cloudSummaryFurther reading
Technical requirementsNessus and its policiesSetting up NessusScanning with NessusAnalyzing Nessus resultsExporting Nessus resultsVulnerability discovery using NmapWorking with Greenbone Vulnerability ManagerUsing web application scannersWhatWebNmap MetasploitNiktoWPScanSummaryFurther reading

Technical requirementsIntroduction to network penetration testingWorking with bind and reverse shellsRemote shells using NetcatCreating a bind shellCreating a reverse shellAntimalware evasion techniquesUsing MSFvenon to encode payloadsCreating payloads using ShellterWorking with wireless adaptersConnecting a wireless adapter to Kali LinuxConnecting a wireless adapter with an RTL8812AU chipsetManaging and monitoring wireless modesConfiguring monitor mode manuallyUsing Aircrack-ng to enable monitor modeSummaryFurther reading
Technical requirementsDiscovering live systemsProfiling a target systemExploring password-based attacksExploiting Windows Remote Desktop ProtocolCreating wordlists using keywordsCrunching those wordlistsIdentifying and exploiting vulnerable servicesExploiting a vulnerable service on a Linux systemExploiting SMB in Microsoft WindowsPassing the hashGaining access by exploiting SSHExploiting Windows Remote ManagementExploiting ElasticSearchExploiting Simple Network Management ProtocolUnderstanding watering hole attacksFurther reading
Technical requirementsPost-exploitation using MeterpreterCore operationsUser interface operationsFile transfersPrivilege escalationToken stealing and impersonationImplementing persistenceLateral movement and pivotingClearing tracksData encoding and exfiltrationEncoding executables using exe2hexData exfiltration using PacketWhisperUnderstanding MITM and packet sniffing attacksPerforming MITM attacks using EttercapSummaryFurther reading
Technical requirementsUnderstanding Active DirectoryEnumerating Active Directory Working with PowerViewExploring BloodhoundLeveraging network-based trustExploiting LLMNR and NetBIOS-NSExploiting trust between SMB and NTLMv2 within Active DirectorySummaryFurther reading
Technical requirementsUnderstanding KerberosAbusing trust on IPv6 with Active DirectoryPart 1: Setting up for the attackPart 2: Launching the attackPart 3: Taking over the domainAttacking Active DirectoryLateral movement with CrackMapExecVertical movement with KerberosLateral movement with MimikatzDomain dominance and persistenceGolden ticketSilver ticketSkeleton keySummaryFurther reading
Technical requirementsUnderstanding C2Setting up C2 operationsPart 1 – setting up EmpirePart 2 – managing usersPost-exploitation using EmpirePart 1 – creating a listenerPart 2 – creating a stagerPart 3 – working with agentsPart 4 – creating a new agentPart 5 – improving threat emulationPart 6 – setting up persistenceWorking with StarkillerPart 1 – starting StarkillerPart 2 – user managementPart 3 – working with modulesPart 4 – creating listenersPart 5 – creating stagersPart 6 – interacting with agentsPart 7 – credentials and reportingSummaryFurther reading
Technical requirementsIntroduction to wireless networkingSISO and MIMOWireless security standardsPerforming wireless reconnaissanceDetermining the associated clients for a specific networkCompromising WPA and WPA2 networksPerforming AP-less attacksExploiting enterprise wireless networksPart 1 – setting up for the attackPart 2 – choosing the targetPart 3 – starting the attackPart 4 – retrieving user credentialsCreating a Wi-Fi honeypotDiscovering WPA3 attacksPerforming a downgrade and dictionary attackSecuring your wireless networkSSID managementMAC filteringPower levels for antennasStrong passwordsSecuring enterprise wireless networksSummaryFurther reading
Technical requirementsFundamentals of social engineeringElements of social engineeringTypes of social engineeringHuman-basedComputer-basedMobile-basedSocial networkingDefending against social engineeringPlanning for each type of social engineering attackExploring social engineering tools and techniquesCreating a phishing websiteCreating infectious media SummaryFurther reading
Technical requirementsUnderstanding web applicationsFundamentals of HTTPExploring the OWASP Top 10: 2021Getting started with FoxyProxy and Burp Suite Part one – setting up FoxyProxyPart two – setting up Burp SuitePart three – getting familiar with Burp SuiteUnderstanding injection-based attacksPerforming a SQL injection attackExploring broken access control attacksExploring broken access controlDiscovering cryptographic failuresExploiting cryptographic failuresUnderstanding insecure designExploring security misconfigurationExploiting security misconfigurationsSummaryFurther reading
Technical requirementsIdentifying vulnerable and outdated componentsDiscovering vulnerable componentsExploiting identification and authentication failuresDiscovering authentication failuresUnderstanding software and data integrity failuresUnderstanding security logging and monitoring failuresPerforming server-side request forgeryAutomating SQL injection attacksPart 1 – discovering databasesPart 2 – retrieving sensitive informationUnderstanding cross-site scriptingPart 1 – discovering reflected XSSPart 2 – discovering stored XSSPerforming client-side attacksSummaryFurther reading
Technical requirementsGuidelines for penetration testersGaining written permissionBeing ethicalPenetration testing contractRules of engagementPenetration testing checklistInformation gatheringNetwork scanningEnumerationGaining accessCovering tracksReport writingCreating a hacker's tool bagSetting up remote accessNext steps aheadSummaryFurther reading
Other Books You May EnjoyPackt is searching for authors like youShare Your Thoughts

Content preview from The Ultimate Kali Linux Book - Second Edition

Chapter 5: Exploring Active Information Gathering

The more information that's known about a target, the more penetration testers are prepared to simulate real-world cyberattacks with a higher rate of success of compromising the organization's assets. While passive information gathering techniques are very cool and awesome, we need to dig even deeper to gather specific information about the target, though this is not always made publicly available.

Active information gathering can be used to provide very useful results during the reconnaissance phase of a penetration test. With this active approach, the penetration tester makes direct contact with the actual target to gather specific details that Open Source Intelligence (OSINT) is unable to ...