Kali Linux Penetration Testing Bible

Оглавление

Gus Khawaja. Kali Linux Penetration Testing Bible

Table of Contents

List of Tables

List of Illustrations

Guide

Pages

Kali Linux Penetration Testing Bible

Introduction

What Does This Book Cover?

Chapter 1: Mastering the Terminal Window

Chapter 2: Bash Scripting

Chapter 3: Network Hosts Scanning

Chapter 4: Internet Information Gathering

Chapter 5: Social Engineering Attacks

Chapter 6: Advanced Enumeration Phase

Chapter 7: Exploitation Phase

Chapter 8: Web Application Vulnerabilities

Chapter 9: Web Penetration Testing and Secure Software Development Lifecycle

Chapter 10: Linux Privilege Escalation

Chapter 11: Windows Privilege Escalation

Chapter 12: Pivoting and Lateral Movement

Chapter 13: Cryptography and Hash Cracking

Chapter 14: Reporting

Chapter 15: Assembly Language and Reverse Engineering

Chapter 16: Buffer/Stack Overflow

Chapter 17: Programming with Python

Chapter 18: Pentest Automation with Python

Appendix A: Kali Linux Desktop at a Glance

Appendix B: Building a Lab Environment Using Docker

Companion Download Files

How to Contact the Publisher

How to Contact the Author

CHAPTER 1 Mastering the Terminal Window

Kali Linux File System

Terminal Window Basic Commands

Tmux Terminal Window

Starting Tmux

Tmux Key Bindings

Tmux Session Management

Window Rename

Window Creation

Splitting Windows

Navigating Inside Tmux

Tmux Commands Reference

Managing Users and Groups in Kali

Users Commands

Groups Commands

Managing Passwords in Kali

Files and Folders Management in Kali Linux

Displaying Files and Folders

Permissions

TIP

Manipulating Files in Kali

Searching for Files

TIP

TIP

Files Compression

Tar Archive

Gz Archive

Bz2 Archive

Zip Archive

Manipulating Directories in Kali

Mounting a Directory

Managing Text Files in Kali Linux

Vim vs. Nano

Searching and Filtering Text

Remote Connections in Kali

Remote Desktop Protocol

Secure Shell

SSH with Credentials

Passwordless SSH

TIP

Kali Linux System Management

Linux Host Information

Linux OS Information

Linux Hardware Information

Managing Running Services

Package Management

Process Management

Networking in Kali Linux

Network Interface

IPv4 Private Address Ranges

Static IP Addressing

DNS

Established Connections

File Transfers

TIP

Summary

CHAPTER 2 Bash Scripting

Basic Bash Scripting

Printing to the Screen in Bash

Variables

Commands Variable

Script Parameters

TIP

User Input

Functions

Conditions and Loops

Conditions

Loops

File Iteration

Summary

CHAPTER 3 Network Hosts Scanning

Basics of Networking

Networking Protocols

TCP

UDP

Other Networking Protocols

ICMP

ARP

IP Addressing

IPv4

Subnets and CIDR

IPv6

Port Numbers

Network Scanning

Identifying Live Hosts

Ping

ARP

Nmap

Port Scanning and Services Enumeration

TCP Port SYN Scan

UDP

Basics of Using Nmap Scans

Services Enumeration

TIP

Operating System Fingerprinting

Nmap Scripting Engine

NSE Category Scan

NSE Arguments

DNS Enumeration

DNS Brute‐Force

TIP

DNS Zone Transfer

DNS Subdomains Tools

Fierce

Summary

CHAPTER 4 Internet Information Gathering

Passive Footprinting and Reconnaissance

Internet Search Engines

Shodan

Google Queries

Information Gathering Using Kali Linux

Whois Database

TheHarvester

DMitry

Maltego

Transform Hub

Creating a Graph

Summary

CHAPTER 5 Social Engineering Attacks

Spear Phishing Attacks

Sending an E‐mail

The Social Engineer Toolkit

Sending an E‐mail Using Python

Stealing Credentials

Payloads and Listeners

Bind Shell vs. Reverse Shell

Bind Shell

Reverse Shell

Reverse Shell Using SET

Social Engineering with the USB Rubber Ducky

A Practical Reverse Shell Using USB Rubber Ducky and PowerShell

Generating a PowerShell Script

Starting a Listener

Hosting the PowerShell Script

Running PowerShell

Download and Execute the PS Script

Reverse Shell

Replicating the Attack Using the USB Rubber Ducky

Summary

CHAPTER 6 Advanced Enumeration Phase

Transfer Protocols

FTP (Port 21)

Exploitation Scenarios for an FTP Server

Enumeration Workflow

Service Scan

Advanced Scripting Scan with Nmap

More Brute‐Forcing Techniques

SSH (Port 22)

Exploitation Scenarios for an SSH Server

Advanced Scripting Scan with Nmap

Brute‐Forcing SSH with Hydra

Advanced Brute‐Forcing Techniques

Telnet (Port 23)

Exploitation Scenarios for Telnet Server

Enumeration Workflow

Service Scan

Advanced Scripting Scan

Brute‐Forcing with Hydra

E‐mail Protocols

SMTP (Port 25)

Nmap Basic Enumeration

Nmap Advanced Enumeration

Enumerating Users

POP3 (Port 110) and IMAP4 (Port 143)

Brute‐Forcing POP3 E‐mail Accounts

Database Protocols

Microsoft SQL Server (Port 1433)

Oracle Database Server (Port 1521)

MySQL (Port 3306)

CI/CD Protocols

Docker (Port 2375)

Jenkins (Port 8080/50000)

Brute‐Forcing a Web Portal Using Hydra

NOTE

Step 1: Enable a Proxy

Step 2: Intercept the Form Request

Step 3: Extracting Form Data and Brute‐Forcing with Hydra

Web Protocols 80/443

NOTE

Graphical Remoting Protocols

RDP (Port 3389)

RDP Brute‐Force

VNC (Port 5900)

File Sharing Protocols

SMB (Port 445)

Brute‐Forcing SMB

SNMP (Port UDP 161)

SNMP Enumeration

Summary

CHAPTER 7 Exploitation Phase

Vulnerabilities Assessment

Vulnerability Assessment Workflow

Vulnerability Scanning with OpenVAS

Installing OpenVAS

NOTE

Scanning with OpenVAS

Create a Target List

Create a Scanner Task

Reviewing the Report

Exploits Research

SearchSploit

Services Exploitation

Exploiting FTP Service

FTP Login

Remote Code Execution

TIP

Spawning a Shell

Exploiting SSH Service

SSH Login

Telnet Service Exploitation

Telnet Login

Sniffing for Cleartext Information

E‐mail Server Exploitation

Docker Exploitation

Testing the Docker Connection

Creating a New Remote Kali Container

Download Kali Image

Check Whether the Image Has Been Downloaded

Running the Container

Checking Whether the Container Is Running

Getting a Shell into the Kali Container

Docker Host Exploitation

SSH Key Generation

Key Transfer

Exploiting Jenkins

Reverse Shells

Using Shells with Metasploit

MSFvenom options

Exploiting the SMB Protocol

Connecting to SMB Shares

SMB Eternal Blue Exploit

Summary

CHAPTER 8 Web Application Vulnerabilities

Web Application Vulnerabilities

Mutillidae Installation

Apache Web Server Installation

Firewall Setup

Installing PHP

Database Installation and Setup

Mutillidae Installation

Cross‐Site Scripting

Reflected XSS

Stored XSS

NOTE

Exploiting XSS Using the Header

Bypassing JavaScript Validation

SQL Injection

Querying the Database

Bypassing the Login Page

Execute Database Commands Using SQLi

SQL Injection Automation with SQLMap

Testing for SQL Injection

Command Injection

File Inclusion

Local File Inclusion

Remote File Inclusion

TIP

Cross‐Site Request Forgery

The Attacker Scenario

The Victim Scenario

File Upload

Simple File Upload

Bypassing Validation

File Rename

TIP

Content Type

Payload Contents

Encoding

OWASP Top 10

Summary

CHAPTER 9 Web Penetration Testing and Secure Software Development Lifecycle

Web Enumeration and Exploitation

Burp Suite Pro

NOTE

Web Pentest Using Burp Suite

Loading Burp Suite Pro

Burp Proxy

Target Tab

Enumerating the Site Items (Spidering/Contents Discovery)

Automated Vulnerabilities Scan

The Repeater Tab

The Intruder Tab

Burp Extender

Creating a Report in Burp

More Enumeration

Nmap

Crawling

Vulnerability Assessment

Manual Web Penetration Testing Checklist

Common Checklist

Special Pages Checklist

Upload Page

Login Page

User Registration

Reset/Change Password

Secure Software Development Lifecycle

Analysis/Architecture Phase

Application Threat Modeling

Assets

Entry Points

Third Parties

Trust Levels

Data Flow Diagram

Development Phase

Testing Phase

Production Environment (Final Deployment)

Summary

CHAPTER 10 Linux Privilege Escalation

Introduction to Kernel Exploits and Missing Configurations

Kernel Exploits

Kernel Exploit: Dirty Cow

SUID Exploitation

Overriding the Passwd Users File

CRON Jobs Privilege Escalation

CRON Basics

Crontab

Anacrontab

Enumerating and Exploiting CRON

sudoers

sudo Privilege Escalation

Exploiting the Find Command

Editing the sudoers File

Exploiting Running Services

Automated Scripts

Summary

CHAPTER 11 Windows Privilege Escalation

Windows System Enumeration

System Information

Windows Architecture

Listing the Disk Drives

Installed Patches

Who Am I?

List Users and Groups

Networking Information

Showing Weak Permissions

Listing Installed Programs

Listing Tasks and Processes

File Transfers

Windows Host Destination

Linux Host Destination

Windows System Exploitation

Windows Kernel Exploits

Getting the OS Version

Find a Matching Exploit

Executing the Payload and Getting a Root Shell

The Metasploit PrivEsc Magic

Exploiting Windows Applications

Running As in Windows

PSExec Tool

Exploiting Services in Windows

Interacting with Windows Services

Misconfigured Service Permissions

Overriding the Service Executable

Unquoted Service Path

Weak Registry Permissions

Exploiting the Scheduled Tasks

Windows PrivEsc Automated Tools

PowerUp

WinPEAS

Summary

CHAPTER 12 Pivoting and Lateral Movement

Dumping Windows Hashes

TIP

Windows NTLM Hashes

SAM File and Hash Dump

Using the Hash

Mimikatz

Dumping Active Directory Hashes

Reusing Passwords and Hashes

TIP

Pass the Hash

TIP

Pivoting with Port Redirection

Port Forwarding Concepts

SSH Tunneling and Local Port Forwarding

Remote Port Forwarding Using SSH

Dynamic Port Forwarding

Dynamic Port Forwarding Using SSH

Summary

CHAPTER 13 Cryptography and Hash Cracking

Basics of Cryptography

Hashing Basics

One‐Way Hash Function

Hashing Scenarios

Hashing Algorithms

Message Digest 5

Secure Hash Algorithm

Hashing Passwords

Securing Passwords with Hash

Before, without Salting

After, with Salting

Hash‐Based Message Authenticated Code

Encryption Basics

Symmetric Encryption

Advanced Encryption Standard

Asymmetric Encryption

Rivest Shamir Adleman

Cracking Secrets with Hashcat

Benchmark Testing

Cracking Hashes in Action

Attack Modes

Straight Mode

Creating a Large Dictionary File

Dictionary Rules

Combinator

Combinator Rules

Mask and Brute‐Force Attacks

Keyspace

Masks

Built‐in Charset Variables

Static Charsets

Custom Charsets

Hashcat Charset Files

Brute‐Force Attack

Hybrid Attacks

Cracking Workflow

Summary

CHAPTER 14 Reporting

Overview of Reports in Penetration Testing

Scoring Severities

Common Vulnerability Scoring System Version 3.1

Report Presentation

Cover Page

History Logs

Report Summary

Vulnerabilities Section

Summary

CHAPTER 15 Assembly Language and Reverse Engineering

CPU Registers

General CPU Registers

Index Registers

Pointer Registers

Segment Registers

Flag Registers

Assembly Instructions

Little Endian

Data Types

Memory Segments

Addressing Modes

Reverse Engineering Example

Visual Studio Code for C/C++

Immunity Debugger for Reverse Engineering

Summary

CHAPTER 16 Buffer/Stack Overflow

Basics of Stack Overflow

Stack Overview

PUSH Instruction

POP Instruction

C Program Example

Buffer Analysis with Immunity Debugger

Stack Overflow

Stack Overflow Mechanism

Stack Overflow Exploitation

Lab Overview

Vulnerable Application

Phase 1: Testing

Testing the Happy Path

Testing the Crash

Phase 2: Buffer Size

Pattern Creation

Offset Location

Phase 3: Controlling EIP

Adding the JMP Instruction

Phase 4: Injecting the Payload and Getting a Remote Shell

Payload Generation

Bad Characters

Shellcode Python Script

Summary

CHAPTER 17 Programming with Python

Basics of Python

Running Python Scripts

Debugging Python Scripts

Installing VS Code on Kali

Practicing Python

NOTE

Python Basic Syntaxes

Python Shebang

Comments in Python

Line Indentation and Importing Modules

Input and Output

Printing CLI Arguments

Variables

Numbers

Arithmetic Operators

Strings

String Formatting

String Functions

Lists

Reading Values in a List

Updating List Items

Removing a list item

Tuples

Dictionary

More Techniques in Python

Functions

Returning Values

Optional Arguments

Global Variables

Changing Global Variables

Conditions

if/else Statement

Comparison Operators

Loop Iterations

while Loop

for Loop

Managing Files

Exception Handling

Text Escape Characters

Custom Objects in Python

Summary

CHAPTER 18 Pentest Automation with Python

Penetration Test Robot

Application Workflow

NOTE

Python Packages

Application Start

Input Validation

Code Refactoring

Scanning for Live Hosts

Ports and Services Scanning

Attacking Credentials and Saving the Results

Summary

APPENDIX A Kali Linux Desktop at a Glance

Downloading and Running a VM of Kali Linux

REFERENCE

Virtual Machine First Boot

Kali Xfce Desktop

Kali Xfce Menu

Search Bar

Favorites Menu Item

Usual Applications

Other Menu Items

Kali Xfce Settings Manager

Advanced Network Configuration

Appearance

Style

Icons

Fonts

Settings

Desktop

Background

Menus

Icons

Display

General

Advanced

File Manager

Display

Side Pane

Behavior

Advanced

Keyboard

Behavior

Application Shortcuts

Layout

MIME Type Editor

Mouse and Touchpad

Panel

Display

Appearance

Items

Workspaces

Window Manager

Style

Keyboard

Focus

Practical Example of Desktop Customization

Edit the Top Panel

Remove Icons

Adding a New Bottom Panel

Panel Addition

Changing the Desktop Look

Changing Desktop Background

Changing Desktop Icons

Installing Kali Linux from Scratch

Summary

APPENDIX B Building a Lab Environment Using Docker

Docker Technology

Docker Basics

Docker Installation

Images and Registries

Containers

TIP

TIP

Dockerfile

Volumes

Networking

Mutillidae Docker Container

Summary

Index

About the Author

About the Technical Editor

Acknowledgments

WILEY END USER LICENSE AGREEMENT

Отрывок из книги

Gus Khawaja

.....

$less [file name]

To sort a text file, simply use the sort command:

.....