The Art of Network Penetration Testing : How to Take Over Any Company in the World
معرفی کتاب «The Art of Network Penetration Testing : How to Take Over Any Company in the World» نوشتهٔ Royce Davis، منتشرشده توسط نشر Manning Publications Company; Manning; Manning Publications در سال 2020. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.
The Art of Network Penetration Testing is a guide to simulating an internal security breach. You'll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network.Summary Penetration testing is about more than just getting through a perimeter firewall. The biggest security threats are inside the network, where attackers can rampage through sensitive data by exploiting weak access controls and poorly patched software. Designed for up-and-coming security professionals, The Art of Network Penetration Testing teaches you how to take over an enterprise network from the inside. It lays out every stage of an internal security assessment step-by-step, showing you how to identify weaknesses before a malicious invader can do real damage. Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications. About the technology Penetration testers uncover security gaps by attacking networks exactly like malicious intruders do. To become a world-class pentester, you need to master offensive security concepts, leverage a proven methodology, and practice, practice, practice. Th is book delivers insights from security expert Royce Davis, along with a virtual testing environment you can use to hone your skills. About the book The Art of Network Penetration Testing is a guide to simulating an internal security breach. You'll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network. As you brute force passwords, exploit unpatched services, and elevate network level privileges, you'll learn where the weaknesses are—and how to take advantage of them. What's inside Set up a virtual pentest lab Exploit Windows and Linux network vulnerabilities Establish persistent re-entry to compromised targets Detail your findings in an engagement report About the reader For tech professionals. No security experience required. About the author Royce Davis has orchestrated hundreds of penetration tests, helping to secure many of the largest companies in the world. Table of Contents 1 Network Penetration Testing PHASE 1 - INFORMATION GATHERING 2 Discovering network hosts 3 Discovering network services 4 Discovering network vulnerabilities PHASE 2 - FOCUSED PENETRATION 5 Attacking vulnerable web services 6 Attacking vulnerable database services 7 Attacking unpatched services PHASE 3 - POST-EXPLOITATION AND PRIVILEGE ESCALATION 8 Windows post-exploitation 9 Linux or UNIX post-exploitation 10 Controlling the entire network PHASE 4 - DOCUMENTATION 11 Post-engagement cleanup 12 Writing a solid pentest deliverable The Art of Network Penetration Testing contents preface acknowledgments about this book Who should read this book How this book is organized: A roadmap About the code liveBook discussion forum about the author about the cover illustration Chapter 1: Network penetration testing 1.1 Corporate data breaches 1.2 How hackers break in 1.2.1 The defender role 1.2.2 The attacker role 1.3 Adversarial attack simulation: Penetration testing 1.3.1 Typical INPT workflow 1.4 When a penetration test is least effective 1.4.1 Low-hanging fruit 1.4.2 When does a company really need a penetration test? 1.5 Executing a network penetration test 1.5.1 Phase 1: Information gathering 1.5.2 Phase 2: Focused penetration 1.5.3 Phase 3: Post-exploitation and privilege escalation 1.5.4 Phase 4: Documentation 1.6 Setting up your lab environment 1.6.1 The Capsulecorp Pentest project 1.7 Building your own virtual pentest platform 1.7.1 Begin with Linux 1.7.2 The Ubuntu project 1.7.3 Why not use a pentest distribution? Summary Phase 1: Information gathering Chapter 2: Discovering network hosts 2.1 Understanding your engagement scope 2.1.1 Black-box, white-box, and grey-box scoping 2.1.2 Capsulecorp 2.1.3 Setting up the Capsulecorp Pentest environment 2.2 Internet Control Message Protocol 2.2.1 Using the ping command 2.2.2 Using bash to pingsweep a network range 2.2.3 Limitations of using the ping command 2.3 Discovering hosts with Nmap 2.3.1 Primary output formats 2.3.2 Using remote management interface ports 2.3.3 Increasing Nmap scan performance 2.4 Additional host-discovery methods 2.4.1 DNS brute-forcing 2.4.2 Packet capture and analysis 2.4.3 Hunting for subnets Summary Chapter 3: Discovering network services 3.1 Network services from an attacker’s perspective 3.1.1 Understanding network service communication 3.1.2 Identifying listening network services 3.1.3 Network service banners 3.2 Port scanning with Nmap 3.2.1 Commonly used ports 3.2.2 Scanning all 65,536 TCP ports 3.2.3 Sorting through NSE script output 3.3 Parsing XML output with Ruby 3.3.1 Creating protocol-specific target lists Summary Chapter 4: Discovering network vulnerabilities 4.1 Understanding vulnerability discovery 4.1.1 Following the path of least resistance 4.2 Discovering patching vulnerabilities 4.2.1 Scanning for MS17-010 Eternal Blue 4.3 Discovering authentication vulnerabilities 4.3.1 Creating a client-specific password list 4.3.2 Brute-forcing local Windows account passwords 4.3.3 Brute-forcing MSSQL and MySQL database passwords 4.3.4 Brute-forcing VNC passwords 4.4 Discovering configuration vulnerabilities 4.4.1 Setting up Webshot 4.4.2 Analyzing output from Webshot 4.4.3 Manually guessing web server passwords 4.4.4 Preparing for focused penetration Summary Phase 2: Focused penetration Chapter 5: Attacking vulnerable web services 5.1 Understanding phase 2: Focused penetration 5.1.1 Deploying backdoor web shells 5.1.2 Accessing remote management services 5.1.3 Exploiting missing software patches 5.2 Gaining an initial foothold 5.3 Compromising a vulnerable Tomcat server 5.3.1 Creating a malicious WAR file 5.3.2 Deploying the WAR file 5.3.3 Accessing the web shell from a browser 5.4 Interactive vs. non-interactive shells 5.5 Upgrading to an interactive shell 5.5.1 Backing up sethc.exe 5.5.2 Modifying file ACLs with cacls.exe 5.5.3 Launching Sticky Keys via RDP 5.6 Compromising a vulnerable Jenkins server 5.6.1 Groovy script console execution Summary Chapter 6: Attacking vulnerable database services 6.1 Compromising Microsoft SQL Server 6.1.1 MSSQL stored procedures 6.1.2 Enumerating MSSQL servers with Metasploit 6.1.3 Enabling xp_cmdshell 6.1.4 Running OS commands with xp_cmdshell 6.2 Stealing Windows account password hashes 6.2.1 Copying registry hives with reg.exe 6.2.2 Downloading registry hive copies 6.3 Extracting password hashes with creddump 6.3.1 Understanding pwdump’s output Summary Chapter 7: Attacking unpatched services 7.1 Understanding software exploits 7.2 Understanding the typical exploit life cycle 7.3 Compromising MS17-010 with Metasploit 7.3.1 Verifying that the patch is missing 7.3.2 Using the ms17_010_psexec exploit module 7.4 The Meterpreter shell payload 7.4.1 Useful Meterpreter commands 7.5 Cautions about the public exploit database 7.5.1 Generating custom shellcode Summary Phase 3: Post-exploitation and privilege escalation Chapter 8: Windows post-exploitation 8.1 Fundamental post-exploitation objectives 8.1.1 Maintaining reliable re-entry 8.1.2 Harvesting credentials 8.1.3 Moving laterally 8.2 Maintaining reliable re-entry with Meterpreter 8.2.1 Installing a Meterpreter autorun backdoor executable 8.3 Harvesting credentials with Mimikatz 8.3.1 Using the Meterpreter extension 8.4 Harvesting domain cached credentials 8.4.1 Using the Meterpreter post module 8.4.2 Cracking cached credentials with John the Ripper 8.4.3 Using a dictionary file with John the Ripper 8.5 Harvesting credentials from the filesystem 8.5.1 Locating files with findstr and where 8.6 Moving laterally with Pass-the-Hash 8.6.1 Using the Metasploit smb_login module 8.6.2 Passing-the-hash with CrackMapExec Summary Chapter 9: Linux or UNIX post-exploitation 9.1 Maintaining reliable re-entry with cron jobs 9.1.1 Creating an SSH key pair 9.1.2 Enabling pubkey authentication 9.1.3 Tunneling through SSH 9.1.4 Automating an SSH tunnel with cron 9.2 Harvesting credentials 9.2.1 Harvesting credentials from bash history 9.2.2 Harvesting password hashes 9.3 Escalating privileges with SUID binaries 9.3.1 Locating SUID binaries with the find command 9.3.2 Inserting a new user into /etc/passwd 9.4 Passing around SSH keys 9.4.1 Stealing keys from a compromised host 9.4.2 Scanning multiple targets with Metasploit Summary Chapter 10: Controlling the entire network 10.1 Identifying domain admin user accounts 10.1.1 Using net to query Active Directory groups 10.1.2 Locating logged-in domain admin users 10.2 Obtaining domain admin privileges 10.2.1 Impersonating logged-in users with Incognito 10.2.2 Harvesting clear-text credentials with Mimikatz 10.3 ntds.dit and the keys to the kingdom 10.3.1 Bypassing restrictions with VSC 10.3.2 Extracting all the hashes with secretsdump.py Summary Phase 4: Documentation Chapter 11: Post-engagement cleanup 11.1 Killing active shell connections 11.2 Deactivating local user accounts 11.2.1 Removing entries from /etc/passwd 11.3 Removing leftover files from the filesystem 11.3.1 Removing Windows registry hive copies 11.3.2 Removing SSH key pairs 11.3.3 Removing ntds.dit copies 11.4 Reversing configuration changes 11.4.1 Disabling MSSQL stored procedures 11.4.2 Disabling anonymous file shares 11.4.3 Removing crontab entries 11.5 Closing backdoors 11.5.1 Undeploying WAR files from Apache Tomcat 11.5.2 Closing the Sticky Keys backdoor 11.5.3 Uninstalling persistent Meterpreter callbacks Summary Chapter 12: Writing a solid pentest deliverable 12.1 Eight components of a solid pentest deliverable 12.2 Executive summary 12.3 Engagement methodology 12.4 Attack narrative 12.5 Technical observations 12.5.1 Finding recommendations 12.6 Appendices 12.6.1 Severity definitions 12.6.2 Hosts and services 12.6.3 Tools list 12.6.4 Additional references 12.7 Wrapping it up 12.8 What now? Summary appendix A: Building a virtual pentest platform A.1 Creating an Ubuntu virtual machine A.2 Additional OS dependencies A.2.1 Managing Ubuntu packages with apt A.2.2 Installing CrackMapExec A.2.3 Customizing your terminal look and feel A.3 Installing Nmap A.3.1 NSE: The Nmap scripting engine A.3.2 Operating system dependencies A.3.3 Compiling and installing from source A.3.4 Exploring the documentation A.4 The Ruby scripting language A.4.1 Installing Ruby Version Manager A.4.2 Writing an obligatory Hello World example A.5 The Metasploit framework A.5.1 Operating system dependencies A.5.2 Necessary Ruby gems A.5.3 Setting up PostgreSQL for Metasploit A.5.4 Navigating the msfconsole appendix B: Essential Linux commands B.1 CLI commands B.1.1 $ cat B.1.2 $ cut B.1.3 $ grep B.1.4 $ sort and wc B.2 tmux B.2.1 Using tmux commands B.2.2 Saving a tmux session appendix C: Creating the Capsulecorp Pentest lab network C.1 Hardware and software requirements C.2 Creating the primary Windows servers C.2.1 Goku.capsulecorp.local C.2.2 Gohan.capsulecorp.local C.2.3 Vegeta.capsulecorp.local C.2.4 Trunks.capsulecorp.local C.2.5 Nappa.capsulecorp.local and tien.capsulecorp.local C.2.6 Yamcha.capsulecorp.local and Krillin.capsulecorp.local C.3 Creating the Linux servers appendix D: Capsulecorp internal network penetration test report Executive summary Engagement scope Summary of observations Engagement methodology Information gathering Focused penetration Post-exploitation and privilege escalation Documentation and cleanup Attack narrative Technical observations Appendix 1: Severity definitions Critical High Medium Low Appendix 2: Hosts and services Appendix 3: Tools list Appendix 4: Additional references appendix E: Exercise answers Exercise 2.1: Identifying your engagement targets Exercise 3.1: Creating protocol-specific target lists Exercise 4.1: Identifying missing patches Exercise 4.2: Creating a client-specific password list Exercise 4.3: Discovering weak passwords Exercise 5.1: Deploying a malicious WAR file Exercise 6.1 Stealing SYSTEM and SAM registry hives Exercise 7.1: Compromising tien.capsulecorp.local Exercise 8.1: Accessing your first level-two host Exercise 10.1: Stealing passwords from ntds.dit Exercise 11.1: Performing post-engagement cleanup index Symbols A B C D E F G H I J K L M N O P Q R S T U V W X Y The Art of Network Penetration Testing is a guide to simulating an internal security breach. Youll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network. Summary Penetration testing is about more than just getting through a perimeter firewall. The biggest security threats are inside the network, where attackers can rampage through sensitive data by exploiting weak access controls and poorly patched software. Designed for up-and-coming security professionals, The Art of Network Penetration Testing teaches you how to take over an enterprise network from the inside. It lays out every stage of an internal security assessment step-by-step, showing you how to identify weaknesses before a malicious invader can do real damage. Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications. About the technology Penetration testers uncover security gaps by attacking networks exactly like malicious intruders do. To become a world-class pentester, you need to master offensive security concepts, leverage a proven methodology, and practice, practice, practice. Th is book delivers insights from security expert Royce Davis, along with a virtual testing environment you can use to hone your skills. About the book The Art of Network Penetration Testing is a guide to simulating an internal security breach. Youll take on the role of the attacker and work through every stage of a professional pentest, from information gathering to seizing control of a system and owning the network. As you brute force passwords, exploit unpatched services, and elevate network level privileges, youll learn where the weaknesses areand how to take advantage of them. What's inside Set up a virtual pentest lab Exploit Windows and Linux network vulnerabilities Establish persistent re-entry to compromised targets Detail your findings in an engagement report About the reader For tech professionals. No security experience required. About the author Royce Davis has orchestrated hundreds of penetration tests, helping to secure many of the largest companies in the world. Table of Contents 1 Network Penetration Testing PHASE 1 - INFORMATION GATHERING 2 Discovering network hosts 3 Discovering network services 4 Discovering network vulnerabilities PHASE 2 - FOCUSED PENETRATION 5 Attacking vulnerable web services 6 Attacking vulnerable database services 7 Attacking unpatched services PHASE 3 - POST-EXPLOITATION AND PRIVILEGE ESCALATION 8 Windows post-exploitation 9 Linux or UNIX post-exploitation 10 Controlling the entire network PHASE 4 - DOCUMENTATION 11 Post-engagement cleanup 12 Writing a solid pentest deliverable
دانلود کتاب The Art of Network Penetration Testing : How to Take Over Any Company in the World