You are previewing Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide.
O'Reilly logo
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

Book Description

"

Learn to perform professional penetration testing for highly-secured environments with this intensive hands-on guide with this book and ebook.

  • Learn how to perform an efficient, organized, and effective penetration test from start to finish

  • Gain hands-on penetration testing experience by building and testing a virtual lab environment that includes commonly found security measures such as IDS and firewalls

  • Take the challenge and perform a virtual penetration test against a fictional corporation from start to finish and then verify your results by walking through step-by-step solutions

In Detail

The internet security field has grown by leaps and bounds over the last decade. Everyday more people around the globe gain access to the internet and not all of them with good intentions. The need for penetration testers has grown now that the security industryhas had time to mature. Simply running a vulnerability scanner is a thing of the past and is no longer an effective method of determining a business’s true security posture. Learn effective penetration testing skills so that you can effectively meet and manage the rapidly changing security needs of your company.

Advanced Penetration Testing for Highly-Secured Environments will teach you how to efficiently and effectively ensure the security posture of environments that have been secured using IDS/IPS, firewalls, network segmentation, hardened system configurations and more. The stages of a penetration test are clearly defined and addressed using step-by-step instructions that you can follow on your own virtual lab.

The book follows the standard penetration testing stages from start to finish with step-by-step examples. The book thoroughly covers penetration test expectations, proper scoping and planning, as well as enumeration and footprinting. You'll learn how to clean up and compile proof of concept, exploit code from the web, advanced web application testing techniques, client side attacks, post exploitation strategies, detection avoidance methods, generation of well defined reports and metrics, and setting up a penetration testing virtual lab that mimics a secured environment. The book closes by issuing a challenge to your skills and ability to perform a full penetration test against a fictional corporation; followed by a detailed walk through of the solution.

Advanced Penetration Testing for Highly-Secured Environments is packed with detailed examples that reinforce enumeration, exploitation, post-exploitation, reporting skills and more.

"

Table of Contents

  1. Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
    1. Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
    2. Credits
    3. About the Author
    4. About the Reviewers
    5. www.PacktPub.com
      1. Support files, eBooks, discount offers and more
        1. Why Subscribe?
        2. Free Access for Packt account holders
    6. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Errata
        2. Piracy
        3. Questions
    7. 1. Planning and Scoping for a Successful Penetration Test
      1. Introduction to advanced penetration testing
        1. Vulnerability assessments
        2. Penetration testing
        3. Advanced penetration testing
      2. Before testing begins
        1. Determining scope
        2. Setting limits — nothing lasts forever
          1. Rules of engagement documentation
      3. Planning for action
        1. Installing VirtualBox
        2. Installing your BackTrack virtual machine
          1. Preparing the virtual guest machine for BackTrack
          2. Installing BackTrack on the virtual disk image
      4. Exploring BackTrack
          1. Logging in
          2. Changing the default password
          3. Updating the applications and operating system
      5. Installing OpenOffice
      6. Effectively manage your test results
        1. Introduction to MagicTree
          1. Starting MagicTree
          2. Adding nodes
          3. Data collection
          4. Report generation
      7. Introduction to the Dradis Framework
        1. Exporting a project template
        2. Importing a project template
        3. Preparing sample data for import
          1. Importing your Nmap data
        4. Exporting data into HTML
        5. Dradis Category field
          1. Changing the default HTML template
      8. Summary
    8. 2. Advanced Reconnaissance Techniques
      1. Introduction to reconnaissance
        1. Reconnaissance workflow
      2. DNS recon
        1. Nslookup — it's there when you need it
          1. Default output
          2. Changing nameservers
          3. Creating an automation script
        2. What did we learn?
        3. Domain Information Groper (Dig)
          1. Default output
          2. Zone transfers using Dig
          3. Advanced features of Dig
            1. Shortening the output
            2. Listing the bind version
            3. Reverse DNS lookup using Dig
            4. Multiple commands
            5. Tracing the path
            6. Batching with dig
        4. DNS brute forcing with fierce
          1. Default command usage
          2. Creating a custom wordlist
      3. Gathering and validating domain and IP information
        1. Gathering information with whois
          1. Specifying which registrar to use
          2. Where in the world is this IP?
          3. Defensive measures
      4. Using search engines to do your job for you
        1. SHODAN
          1. Filters
          2. Understanding banners
            1. HTTP banners
          3. Finding specific assets
        2. Finding people (and their documents) on the web
          1. Google hacking database
            1. Google filters
          2. Metagoofil
        3. Searching the Internet for clues
        4. Metadata collection
          1. Extracting metadata from photos using exiftool
      5. Summary
    9. 3. Enumeration: Choosing Your Targets Wisely
      1. Adding another virtual machine to our lab
        1. Configuring and testing our Vlab_1 clients
          1. BackTrack Manual ifconfig
          2. Ubuntu — Manual ifconfig
          3. Verifying connectivity
          4. Maintaining IP settings after reboot
      2. Nmap — getting to know you
        1. Commonly seen Nmap scan types and options
        2. Basic scans — warming up
        3. Other Nmap techniques
          1. Remaining stealthy
            1. Taking your time
            2. Trying different scan types
              1. SYN scan
              2. Null scan
              3. ACK scan
              4. Conclusion
          2. Shifting blame — the zombies did it!
          3. IDS rules, how to avoid them
          4. Using decoys
        4. Adding custom Nmap scripts to your arsenal
          1. How to decide if a script is right for you
          2. Adding a new script to the database
      3. SNMP: A goldmine of information just waiting to be discovered
        1. SNMPEnum
        2. SNMPCheck
        3. When the SNMP community string is NOT "public"
      4. Creating network baselines with scanPBNJ
        1. Setting up MySQL for PBNJ
          1. Starting MySQL
          2. Preparing the PBNJ database
        2. First scan
        3. Reviewing the data
      5. Enumeration avoidance techniques
        1. Naming conventions
        2. Port knocking
        3. Intrusion detection and avoidance systems
        4. Trigger points
        5. SNMP lockdown
      6. Summary
    10. 4. Remote Exploitation
      1. Exploitation — Why bother?
      2. Target practice — Adding a Kioptrix virtual machine
      3. Manual exploitation
        1. Enumerating services
          1. Quick scan with Unicornscan
        2. Full scan with Nmap
        3. Banner grabbing with Netcat and Ncat
          1. Banner grabbing with Netcat
          2. Banner grabbing with Ncat
          3. Banner grabbing with smbclient
        4. Searching Exploit-DB
        5. Exploit-DB at hand
          1. Compiling the code
          2. Compiling the proof of concept code
          3. Troubleshooting the code
            1. What are all of these ^M characters and why will they not go away?
            2. Broken strings — The reunion
        6. Running the exploit
      4. Getting files to and from victim machines
        1. Installing and starting a TFTP server on BackTrack 5
        2. Installing and configuring pure-ftpd
        3. Starting pure-ftpd
      5. Passwords: Something you know…
        1. Cracking the hash
        2. Brute forcing passwords
        3. THC Hydra
      6. Metasploit — learn it and love it
        1. Updating the Metasploit framework
        2. Databases and Metasploit
          1. Installing PostgreSQL on BackTrack 5
          2. Verifying database connectivity
          3. Performing an Nmap scan from within Metasploit
          4. Using auxiliary modules
        3. Using Metasploit to exploit Kioptrix
      7. Summary
    11. 5. Web Application Exploitation
      1. Practice makes perfect
        1. Installing Kioptrix Level 3
        2. Creating a Kioptrix VM Level 3 clone
        3. Installing and configuring Mutillidae 2.1.7 on the Ubuntu virtual machine
        4. Installing and configuring pfSense
        5. Preparing the virtual machine for pfSense
        6. pfSense virtual machine persistence
        7. Configuring the pfSense DHCP server
        8. Starting the virtual lab
        9. pfSense DHCP — Permanent reservations
        10. Installing HAProxy for load balancing
        11. Adding Kioptrix3.com to the host file
      2. Detecting load balancers
        1. Quick reality check — Load Balance Detector
          1. So, what are we looking for anyhow?
      3. Detecting Web Application Firewalls (WAF)
      4. Taking on Level 3 — Kioptrix
      5. Web Application Attack and Audit Framework (w3af)
        1. Using w3af GUI to save time
        2. Scanning by using the w3af console
          1. Using WebScarab as a HTTP proxy
      6. Introduction to Mantra
      7. Summary
    12. 6. Exploits and Client-Side Attacks
      1. Buffer overflows — A refresher
        1. "C"ing is believing — Create a vulnerable program
        2. Turning ASLR on and off in BackTrack
        3. Understanding the basics of buffer overflows
      2. Introduction to fuzzing
      3. Introducing vulnserver
      4. Fuzzing tools included in BackTrack
        1. Bruteforce Exploit Detector (BED)
        2. SFUZZ: Simple fuzzer
      5. Fast-Track
        1. Updating Fast-Track
        2. Client-side attacks with Fast-Track
      6. Social Engineering Toolkit
      7. Summary
    13. 7. Post-Exploitation
      1. Rules of engagement
        1. What is permitted?
        2. Can you modify anything and everything?
        3. Are you allowed to add persistence?
        4. How is the data that is collected and stored handled by you and your team?
        5. Employee data and personal information
      2. Data gathering, network analysis, and pillaging
        1. Linux
          1. Important directories and files
          2. Important commands
        2. Putting this information to use
          1. Enumeration
          2. Exploitation
          3. Were connected, now what?
          4. Which tools are available on the remote system
          5. Finding network information
          6. Determine connections
          7. Checking installed packages
          8. Package repositories
          9. Programs and services that run at startup
          10. Searching for information
          11. History files and logs
          12. Configurations, settings, and other files
          13. Users and credentials
          14. Moving the files
        3. Microsoft Windows™ post-exploitation
          1. Important directories and files
          2. Using Armitage for post-exploitation
          3. Enumeration
          4. Exploitation
          5. Were connected, now what?
          6. Networking details
          7. Finding installed software and tools
      3. Pivoting
      4. Summary
    14. 8. Bypassing Firewalls and Avoiding Detection
      1. Lab preparation
        1. BackTrack guest machine
        2. Ubuntu guest machine
        3. pfSense guest machine configuration
          1. pfSense network setup
          2. WAN IP configuration
          3. LAN IP configuration
        4. Firewall configuration
      2. Stealth scanning through the firewall
        1. Finding the ports
          1. Traceroute to find out if there is a firewall
          2. Finding out if the firewall is blocking certain ports
            1. Hping
            2. Nmap firewalk script
      3. Now you see me, now you don't — Avoiding IDS
        1. Canonicalization
        2. Timing is everything
      4. Blending in
      5. Looking at traffic patterns
      6. Cleaning up compromised hosts
        1. Using a checklist
        2. When to clean up
        3. Local log files
      7. Miscellaneous evasion techniques
        1. Divide and conquer
        2. Hiding out (on controlled units)
        3. File integrity monitoring
        4. Using common network management tools to do the deed
      8. Summary
    15. 9. Data Collection Tools and Reporting
      1. Record now — Sort later
      2. Old school — The text editor method
        1. Nano
        2. VIM — The power user's text editor of choice
        3. NoteCase
      3. Dradis framework for collaboration
        1. Binding to an available interface other than 127.0.0.1
      4. The report
      5. Challenge to the reader
      6. Summary
    16. 10. Setting Up Virtual Test Lab Environments
      1. Why bother with setting up labs?
      2. Keeping it simple
        1. No-nonsense test example
        2. Network segmentation and firewalls
          1. Requirements
          2. Setup
      3. Adding complexity or emulating target environments
        1. Configuring firewall1
          1. Installing additional packages in pfSense
        2. Firewall2 setup and configuration
        3. Web1
        4. DB1
        5. App1
        6. Admin1
      4. Summary
    17. 11. Take the Challenge — Putting It All Together
      1. The scenario
      2. The setup
        1. NewAlts Research Labs' virtual network
        2. Additional system modifications
          1. Web server modifications
      3. The challenge
      4. The walkthrough
        1. Defining the scope
        2. Determining the "why"
          1. So what is the "why" of this particular test?
        3. Developing the Rules of Engagement document
        4. Initial plan of attack
        5. Enumeration and exploitation
      5. Reporting
      6. Summary