book

The Ultimate Kali Linux Book - Third Edition

by Glen D. Singh

April 2024

Intermediate to advanced

828 pages

21h 34m

English

Packt Publishing

Read now

Unlock full access

Who this book is forWhat this book coversTo get the most out of this book
Understanding the need for cybersecurityExploring cybersecurity terminologyIdentifying threat actors and their intentUnderstanding what matters to threat actorsTimeResourcesFinancial factorsHack valueExploring the importance of penetration testingPenetration testing methodologiesPre-engagement phaseInformation-gathering phaseThreat modelingVulnerability analysisExploitationPost-exploitationReport writingDiscovering penetration testing approachesTypes of penetration testingWeb application penetration testingMobile application penetration testingSocial engineering penetration testingNetwork penetration testing (external and internal)Cloud penetration testingPhysical penetration testingExploring the phases of penetration testingReconnaissanceScanning and enumerationGaining access (exploitation)Maintaining accessCovering your tracksUnderstanding the Cyber Kill Chain framework ReconnaissanceWeaponizationDeliveryExploitationInstallationCommand and Control (C2)Actions on objectivesSummaryFurther reading
Technical requirementsAn overview of the lab setup and technologies usedSetting up a hypervisor and virtual networksPart 1 – setting up the hypervisorPart 2 – creating virtually isolated networksSetting up and working with Kali LinuxPart 1 – deploying Kali Linux as a virtual machinePart 2 – customizing Kali Linux and its network adaptersPart 3 – getting started with Kali LinuxPart 4 – updating repository sources and packagesSetting up a vulnerable web applicationDeploying Metasploitable 2 as a vulnerable machinePart 1 – deploying Metasploitable 2Part 2 – configuring network settingsBuilding and deploying Metasploitable 3Part 1 – building the Windows server versionPart 2 – building the Linux server versionSummaryFurther reading
Technical requirementsBuilding an Active Directory red team labPart 1 – Setting up Windows ServerPart 2 – Configuring virtual machine additional featuresPart 3 – Setting Active Directory Domain ServicesPart 4 – Creating domain users and administrator accountsPart 5 – Disabling antimalware protection and the domain firewallPart 6 – Setting up for service authentication attacksPart 7 – Installing Windows 10 EnterprisePart 8 – Adding the clients to the domain Part 9 – Setting up for account takeover and file sharing attacksSetting up a wireless penetration testing labBrief overview of wireless network securitySetting up a RADIUS serverPart 1 – Install a Ubuntu serverPart 2 – Setting up FreeRadiusPart 3 – Setting the wireless router with RADIUSSummaryFurther reading
Technical requirementsThe importance of reconnaissanceExploring passive reconnaissanceOpen source intelligenceHow much data should be collected?Creating a sock puppetAnonymizing internet-based trafficVPNProxychainsTORSummaryFurther reading
Technical requirementsGoogle hacking techniquesDomain reconnaissanceCollecting WHOIS dataPerforming DNS enumerationExploiting DNS zone transferAutomation using SpiderFootSub-domain harvestingEnumeration with DNSMapSub-domain discovery with KnockpyIdentifying organizational infrastructureData leakage on job websitesFinding vulnerable systems using ShodanDiscovering exposed systems with CensysMapping external systems using MaltegoIdentifying infrastructure with NetcraftUsing Recon-ng for data harvestingData collection with theHarvesterHarvesting employees’ data using HunterAutomating social media reconnaissance with SherlockSummary Further reading
Technical requirementsUnderstanding active informationProfiling websites using EyeWitnessExploring active scanning techniquesChanging your MAC addressPerforming live host discoveryIdentifying open ports, services, and operating systemsUsing scanning evasion techniquesAvoiding detection with decoysUsing MAC and IP spoofing techniquesStealth scanning techniquesEnumerating network servicesEnumerating SMB servicesEnumerating SMTP servicesEnumerating SNMP servicesDiscovering data leaks in the cloudSummaryFurther reading
Technical requirementsGetting started with NessusPart 1 – installing NessusPart 2 – identifying vulnerabilities Part 3 – vulnerability analysisPart 4 – exporting vulnerability reportsVulnerability identification using NmapWorking with Greenbone Vulnerability ManagerPart 1 – installing GVMPart 2 – vulnerability identificationPart 3 – vulnerability analysis and reportingUsing web application scannersWhatWebNmapNiktoMetasploitWPScanSummaryFurther reading
Technical requirementsIntroduction to network penetration testingWorking with bind and reverse shellsWorking with remote shells using NetcatSetting up a bind shellSetting up reverse shellsAntimalware evasion techniquesEncoding payloads with MSFvenomCreating custom payloads with ShellterWorking with wireless adaptersConnecting wireless adapters to Kali LinuxConnecting a wireless adapter with an RTL8812AU chipsetManaging and Monitoring wireless modesConfiguring Monitoring modeUsing aircrack-ng to enable monitor modeSummaryFurther reading
Technical requirementsExploring password-based attacksCreating a keyword-based wordlistGenerating a custom wordlist using CrunchGaining access by exploiting SSHExploiting Remote Desktop ProtocolPerforming host discoveryProfiling a targeted systemIdentifying and exploiting vulnerable servicesExploiting Linux-based systemsCompromising Windows-based systemsExploiting vulnerable SMB servicesCracking hashes with HashcatExploiting Windows Remote ManagementExploiting ElasticSearch Exploiting Simple Network Management ProtocolSummaryFurther reading

Technical requirementsPass-the-hash techniquesGaining a shell with PTH-WinExeWorking with ImpacketPass-the-hash for remote desktopPost exploitation using MeterpreterCore operationsUser interface optionsFile transfersPrivilege escalationToken stealing and impersonationSetting up persistenceLateral movement and pivotingClearing tracksData encoding and exfiltrationEncoding using exe2hexExfiltration with PacketWhisperPart 1 – setting up the environmentPart 2 – changing the DNS settings on the targeted systemPart 3 – performing data exfiltrationPart 4 – reassembling dataMan-in-the-Middle (MiTM) attacksIntercepting traffic with MiTM attacksSummaryFurther reading
Technical requirementsUnderstanding C2Setting up C2 operationsPart 1 – Empire client-server modelPart 2 – Managing users on EmpirePost-exploitation using EmpirePart 1 – Creating a listenerPart 2 – Creating a stagerPart 3 – Working with agentsPart 4 – Creating a new agentPart 5 – Threat emulationPart 6 – Setting up persistenceWorking with StarkillerPart 1 – StarkillerPart 2 – User managementPart 3 – Working with modulesPart 4 – Creating listenersPart 5 – Creating stagersPart 6 – Interacting with agentsPart 7 – Credentials and reportingSummaryFurther reading
Technical requirementsUnderstanding Active DirectoryEnumerating Active DirectoryWorking with PowerViewExploring BloodHoundPart 1 – setting up BloodHoundPart 2 – remote data collection with BloodHound.pyPart 3 – data analysis using BloodHoundLeveraging network-based trustExploiting LLMNR and NetBIOS-NSExploiting SMB and NTLMv2 within Active DirectoryRetrieving the SAM databaseObtaining a reverse shellSummaryFurther reading
Technical requirementsUnderstanding KerberosAbusing trust on IPv6 with Active DirectoryPart 1: setting up for an attackPart 2: launching the attackPart 3: taking over the domainAttacking Active DirectoryLateral movement with CrackMapExecVertical movement with KerberosLateral movement with MimikatzPart 1: setting up the attackPart 2: grabbing credentialsDomain dominance and persistenceGolden ticketSilver ticketSkeleton keySummaryFurther reading
Technical RequirementsIntroduction to Wireless NetworkingSingle-In Single-Out (SISO) and Multiple-In Multiple-Out (MIMO)Wireless security standardsPerforming Wireless ReconnaissanceIdentifying the associated clients of a targeted networkCompromising WPA/WPA2 NetworksPerforming AP-less AttacksExploiting Enterprise NetworksPart 1 – setting up for the attackPart 2 – choosing the targetPart 3 – starting the attackPart 4 – retrieving user credentialsSetting Up a Wi-Fi HoneypotExploiting WPA3 AttacksPerforming a Downgrade and Dictionary AttackSummaryFurther Reading
Technical requirementsFundamentals of social engineeringElements of social engineeringTypes of social engineeringHuman-based social engineeringComputer-based social engineeringMobile-based social engineeringSocial networkingPlanning for each type of social engineering attackDefending against social engineeringExploring social engineering tools and techniquesCreating infectious mediaCreating a phishing websiteCreating a fake wireless networkSummaryFurther reading
Technical requirementsUnderstanding web applicationsThe fundamentals of HTTPExploring the OWASP Top 10: 2021Getting started with FoxyProxy and Burp SuitePart 1 - setting up FoxyProxyPart 2 - setting up Burp SuitePart 3 - getting familiar with Burp SuiteUnderstanding injection-based attacksPerforming an SQLi attackExploring broken access control attacksDiscovering cryptographic failuresUnderstanding insecure designExploring security misconfigurationSummaryFurther reading
Technical requirementsIdentifying vulnerable and outdated componentsExploiting identification and authentication failuresDiscovering authentication failuresUnderstanding software and data integrity failuresExploring server-side request forgeryUnderstanding security logging and monitoring failuresIdentifying logging security vulnerabilitiesUnderstanding cross-site scriptingPart 1 – Discovering reflected XSSPart 2 – Performing DOM-based XSSPart 3 – Discovering stored XSSAutomating SQL injection attacksPart 1 – Discovering databasesPart 2 – Retrieving sensitive informationPerforming client-side attacksSummaryFurther reading
Technical requirementsGuidelines for penetration testersGaining written permissionBeing ethicalPenetration testing contractRules of engagementPenetration testing checklistPre-engagementReconnaissanceEnumerationVulnerability assessment ExploitationPost-exploitationCovering tracksReport writingCreating a hacker’s toolkitESP8266 microcontrollerWiFi Pineapple NanoBash BunnyPacket SquirrelLAN TurtleMini USB-powered network switchRetractable network cableFlipper ZeroSetting up remote accessNext steps aheadSummaryFurther reading
Setting Up a Penetration Testing Lab on Ubuntu DesktopTechnical requirementsAn overview of the lab setup and technologies usedSetting up a hypervisor and virtual networksSetting up Kali Linux on UbuntuSetting up Metasploitable 3 on UbuntuPart 1 – building the Windows Server versionPart 2 – building the Linux Server versionSummary

Content preview from The Ultimate Kali Linux Book - Third Edition

10 Post-Exploitation Techniques

During the exploitation phase of the Cyber Kill Chain, ethical hackers and penetration testers focus on taking advantage of potential security vulnerabilities that were identified during the reconnaissance phase with the intent to determine whether the security vulnerability exists on the targeted system or not. However, while the exploitation phase may seem like a victory for aspiring ethical hackers, keep in mind that the objective is to discover known and hidden security flaws that may exist on the organization’s assets.

After exploiting a targeted system or network, performing post-exploitation techniques enables penetration testers to gather sensitive information such as users’ log-on credentials and password ...