Mastering Kali Linux for Advanced Penetration Testing - Third Edition

Book description

A practical guide to testing your infrastructure security with Kali Linux, the preferred choice of pentesters and hackers

Key Features

  • Employ advanced pentesting techniques with Kali Linux to build highly secured systems
  • Discover various stealth techniques to remain undetected and defeat modern infrastructures
  • Explore red teaming techniques to exploit secured environments

Book Description

This book takes you, as a tester or security practitioner, through the reconnaissance, vulnerability assessment, exploitation, privilege escalation, and post-exploitation activities used by pentesters.

To start with, you'll use a laboratory environment to validate tools and techniques, along with an application that supports a collaborative approach for pentesting. You'll then progress to passive reconnaissance with open source intelligence and active reconnaissance of the external and internal infrastructure. You'll also focus on how to select, use, customize, and interpret the results from different vulnerability scanners, followed by examining specific routes to the target, which include bypassing physical security and the exfiltration of data using a variety of techniques. You'll discover concepts such as social engineering, attacking wireless networks, web services, and embedded devices.

Once you are confident with these topics, you'll learn the practical aspects of attacking user client systems by backdooring with fileless techniques, followed by focusing on the most vulnerable part of the network – directly attacking the end user. By the end of this book, you'll have explored approaches for carrying out advanced pentesting in tightly secured environments, and understood the pentesting and hacking techniques employed on embedded peripheral devices.

What you will learn

  • Configure the most effective Kali Linux tools to test infrastructure security
  • Employ stealth to avoid detection in the infrastructure being tested
  • Recognize when stealth attacks are being used against your infrastructure
  • Exploit networks and data systems using wired and wireless networks as well as web services
  • Identify and download valuable data from target systems
  • Maintain access to compromised systems
  • Use social engineering to compromise the weakest part of the network - the end users

Who this book is for

This third edition of Mastering Kali Linux for Advanced Penetration Testing is for you if you are a security analyst, pentester, ethical hacker, IT professional, or security consultant wanting to maximize the success of your infrastructure testing using some of the advanced features of Kali Linux. Prior exposure to penetration testing and ethical hacking basics will be helpful in making the most of this book.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Mastering Kali Linux for Advanced Penetration Testing Third Edition
  3. Dedication
  4. About Packt
    1. Why subscribe?
    2. Packt.com
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
    5. Disclaimer
  7. Goal-Based Penetration Testing
    1. Conceptual overview of security testing
    2. Misconceptions of vulnerability scanning, penetration testing, and red team exercises
    3. Objective-based penetration testing
    4. The testing methodology
    5. Introduction to Kali Linux – features
      1. Role of Kali in red team tactics
    6. Installing and updating Kali Linux
      1. Using as a portable device
      2. Installing Kali to Raspberry Pi 3
      3. Installing Kali onto a VM
        1. VMware Workstation Player
        2. VirtualBox
      4. Installing to a Docker Appliance
      5. Kali on AWS Cloud
    7. Organizing Kali Linux
      1. Configuring and customizing Kali Linux
      2. Resetting the root password
      3. Adding a non-root user
      4. Configuring network services and secure communications
      5. Adjusting network proxy settings
      6. Accessing the secure shell
      7. Speeding up Kali operations
      8. Sharing folders with the host operating system
      9. Using Bash scripts to customize Kali
    8. Building a verification lab
      1. Installing defined targets
        1. Metasploitable3
        2. Mutillidae
      2. Setting up an Active Directory and Domain Controller
        1. Adding users to the Active Directory
        2. Adding Metasploitable3 Windows to the new domain
    9. Managing collaborative penetration testing using Faraday
    10. Summary
  8. Open Source Intelligence and Passive Reconnaissance
    1. Basic principles of reconnaissance
      1. Open source intelligence
      2. Offensive OSINT
      3. Domain gathering using Sublist3r
      4. Maltego
      5. OSRFramework
      6. Web archives
      7. Scraping
      8. Gathering usernames and email addresses
      9. Obtaining user information
      10. Shodan and censys.io
    2. Google Hacking Database
      1. Using dork scripts to query Google
      2. Data dump sites
      3. Using scripts to automatically gather OSINT data
      4. Defensive OSINT
        1. Dark web
        2. Security breaches
        3. Threat intelligence
      5. Profiling users for password lists
    3. Creating custom wordlists for cracking passwords
      1. Using CeWL to map a website
      2. Extracting words from Twitter using twofi
    4. Summary
  9. Active Reconnaissance of External and Internal Networks
    1. Stealth scanning strategies
      1. Adjusting source IP stack and tool identification settings
      2. Modifying packet parameters
      3. Using proxies with anonymity networks
    2. DNS reconnaissance and route mapping
      1. The whois command (Post GDPR)
    3. Employing comprehensive reconnaissance applications
      1. The recon-ng framework
        1. IPv4
        2. IPv6
      2. Using IPv6-specific tools
      3. Mapping the route to the target
    4. Identifying the external network infrastructure
    5. Mapping beyond the firewall
    6. IDS/IPS identification
    7. Enumerating hosts
      1. Live host discovery
    8. Port, operating system, and service discovery
      1. Port scanning
    9. Writing your own port scanner using netcat
      1. Fingerprinting the operating system
      2. Determining active services
    10. Large-scale scanning
      1. DHCP information
      2. Identification and enumeration of internal network hosts
      3. Native MS Windows commands
      4. ARP broadcasting
      5. Ping sweep
      6. Using scripts to combine masscan and nmap scans
      7. Taking advantage of SNMP
      8. Windows account information via SMB (Server Message Block) sessions
      9. Locating network shares
      10. Reconnaissance of active directory domain servers
      11. Using comprehensive tools (SPARTA)
      12. An example to configure SPARTA
    11. Summary
  10. Vulnerability Assessment
    1. Vulnerability nomenclature
    2. Local and online vulnerability databases
    3. Vulnerability scanning with Nmap
      1. Introduction to Lua scripting
      2. Customizing NSE scripts
    4. Web application vulnerability scanners
      1. Introduction to Nikto and Vega
      2. Customizing Nikto and Vega
    5. Vulnerability scanners for mobile applications
    6. The OpenVAS network vulnerability scanner
      1. Customizing OpenVAS
    7. Commercial vulnerability scanners
      1. Nessus
      2. Nexpose
    8. Specialized scanners
    9. Threat modeling
    10. Summary
  11. Advanced Social Engineering and Physical Security
    1. Methodology and attack methods
      1. Technology
        1. Computer-based
        2. Mobile-based
      2. People-based
        1. Physical attacks
        2. Voice-based
    2. Physical attacks at the console
      1. samdump2 and chntpw
      2. Sticky keys
    3. Creating a rogue physical device
      1. Microcomputer or USB-based attack agents
        1. The Raspberry Pi
        2. The MalDuino – the BadUSB
    4. The Social Engineering Toolkit (SET)
      1. Using a website attack vector – the credential harvester attack method
      2. Using a website attack vector – the tabnabbing attack method
      3. HTA attack
      4. Using the PowerShell alphanumeric shellcode injection attack
    5. Hiding executables and obfuscating the attacker's URL
    6. Escalating an attack using DNS redirection
      1. Spear phishing attack
      2. Setting up a phishing campaign with Gophish
    7. Launching a phishing attack
    8. Using bulk transfer as a mode of phishing
    9. Summary
  12. Wireless Attacks
    1. Configuring Kali for wireless attacks
    2. Wireless reconnaissance
      1. Kismet
    3. Bypassing a hidden SSID
    4. Bypassing the MAC address authentication and open authentication
    5. Attacking WPA and WPA2
      1. Brute-force attacks
      2. Attacking wireless routers with Reaver
    6. Denial-of-service (DoS) attacks against wireless communications
    7. Compromising enterprise implementations of WPA/WPA2
    8. Working with Ghost Phisher
    9. Summary
  13. Exploiting Web-Based Applications
    1. Web application hacking methodology
    2. The hacker's mind map
    3. Reconnaissance of web apps
      1. Detection of web application firewall and load balancers
      2. Fingerprinting a web application and CMS
      3. Mirroring a website from the command line
    4. Client-side proxies
      1. Burp Proxy
      2. Web crawling and directory brute-force attacks
      3. Web service-specific vulnerability scanners
    5. Application-specific attacks
      1. Brute-forcing access credentials
      2. Injection
        1. OS command injection using commix
        2. SQL injection
        3. XML injection
        4. Bit-flipping attack
        5. Maintaining access with web shells
    6. Summary
  14. Client-Side Exploitation
    1. Backdooring executable files
    2. Attacking a system using hostile scripts
      1. Conducting attacks using VBScript
      2. Attacking systems using Windows PowerShell
    3. The Cross-Site Scripting framework
    4. The Browser Exploitation Framework (BeEF)
      1. Configuring the BeEF
    5. Understanding BeEF Browser
      1. Integrating BeEF and Metasploit attacks
      2. Using BeEF as a tunneling proxy
    6. Summary
  15. Bypassing Security Controls
    1. Bypassing Network Access Control (NAC)
      1. Pre-admission NAC
        1. Adding new elements
        2. Identifying the rules
          1. Exceptions
          2. Quarantine rules
        3. Disabling endpoint security
          1. Preventing remediation
          2. Adding exceptions
      2. Post-admission NAC
        1. Bypassing isolation
        2. Detecting honeypot
    2. Bypassing the antivirus with files
      1. Using the Veil framework
      2. Using Shellter
    3. Going fileless and evading antivirus
    4. Bypassing application-level controls
      1. Tunneling past client-side firewalls using SSH
        1. Inbound to outbound
        2. Bypassing URL filtering mechanisms
        3. Outbound to inbound
    5. Bypassing Windows operating system controls
      1. User Account Control (UAC)
      2. Using fileless techniques
        1. Using fodhelper to bypass UAC in Windows 10
        2. Using Disk Cleanup to bypass UAC in Windows 10
      3. Other Windows-specific operating system controls
        1. Access and authorization
        2. Encryption
        3. System security
        4. Communications security
        5. Auditing and logging
    6. Summary
  16. Exploitation
    1. The Metasploit Framework
      1. Libraries
        1. REX
        2. Framework core
        3. Framework base
      2. Interfaces
      3. Modules
      4. Database setup and configuration
    2. Exploiting targets using MSF
      1. Single targets using a simple reverse shell
      2. Single targets using a reverse shell with a PowerShell attack vector
    3. Exploiting multiple targets using MSF resource files
    4. Exploiting multiple targets with Armitage
    5. Using public exploits
      1. Locating and verifying publicly available exploits
      2. Compiling and using exploits
        1. Compiling C files
        2. Adding the exploits that are written using the MSF as a base
    6. Developing a Windows exploit
      1. Identifying a vulnerability using fuzzing
      2. Creating a Windows-specific exploit
    7. Summary
  17. Action on the Objective and Lateral Movement
    1. Activities on the compromised local system
      1. Conducting rapid reconnaissance of a compromised system
      2. Finding and taking sensitive data – pillaging the target
        1. Creating additional accounts
      3. Post-exploitation tools
        1. The Metasploit Framework
        2. The Empire project
        3. CrackMapExec
    2. Horizontal escalation and lateral movement
      1. Veil-Pillage
      2. Compromising domain trusts and shares
      3. PsExec, WMIC, and other tools
        1. WMIC
        2. Windows Credential Editor
      4. Lateral movement using services
      5. Pivoting and port forwarding
        1. Using Proxychains
    3. Summary
  18. Privilege Escalation
    1. Overview of the common escalation methodology
    2. Escalating from domain user to system administrator
    3. Local system escalation
    4. Escalating from administrator to system
      1. DLL injection
    5. Credential harvesting and escalation attacks
      1. Password sniffers
      2. Responder
      3. SMB relay attacks
    6. Escalating access rights in Active Directory
    7. Compromising Kerberos – the golden-ticket attack
    8. Summary
  19. Command and Control
    1. Persistence
    2. Using persistent agents
      1. Employing Netcat as a persistent agent
      2. Using schtasks to configure a persistent task
      3. Maintaining persistence with the Metasploit framework
      4. Using the persistence script
      5. Creating a standalone persistent agent with Metasploit
      6. Persistence using online file storage cloud services
        1. Dropbox
        2. Microsoft OneDrive
    3. Domain fronting
      1. Using Amazon CloudFront for C2
      2. Using Microsoft Azure for C2
    4. Exfiltration of data
      1. Using existing system services (Telnet, RDP, and VNC)
      2. Using the DNS protocol
      3. Using the ICMP protocol
      4. Using the Data Exfiltration Toolkit (DET)
      5. Using PowerShell
    5. Hiding evidence of an attack
    6. Summary
  20. Embedded Devices and RFID Hacking
    1. Embedded systems and hardware architecture
      1. Embedded system basic architecture
        1. Understanding firmware
        2. Different types of firmware
        3. Understanding bootloaders
        4. Common tools
    2. Firmware unpacking and updating
    3. Introduction to RouterSploit Framework
    4. UART
    5. Cloning RFID using Chameleon Mini
      1. Other tools
    6. Summary
  21. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Mastering Kali Linux for Advanced Penetration Testing - Third Edition
  • Author(s): Vijay Kumar Velu, Robert Beggs
  • Release date: January 2019
  • Publisher(s): Packt Publishing
  • ISBN: 9781789340563