Hands-On Penetration Testing on Windows

Book description

Master the art of identifying vulnerabilities within the Windows OS and develop the desired solutions for it using Kali Linux.

Key Features

  • Identify the vulnerabilities in your system using Kali Linux 2018.02
  • Discover the art of exploiting Windows kernel drivers
  • Get to know several bypassing techniques to gain control of your Windows environment

Book Description

Windows has always been the go-to platform for users around the globe to perform administration and ad hoc tasks, in settings that range from small offices to global enterprises, and this massive footprint makes securing Windows a unique challenge. This book will enable you to distinguish yourself to your clients.

In this book, you'll learn advanced techniques to attack Windows environments from the indispensable toolkit that is Kali Linux. We'll work through core network hacking concepts and advanced Windows exploitation techniques, such as stack and heap overflows, precision heap spraying, and kernel exploitation, using coding principles that allow you to leverage powerful Python scripts and shellcode.

We'll wrap up with post-exploitation strategies that enable you to go deeper and keep your access. Finally, we'll introduce kernel hacking fundamentals and fuzzing testing, so you can discover vulnerabilities and write custom exploits.

By the end of this book, you'll be well-versed in identifying vulnerabilities within the Windows OS and developing the desired solutions for them.

What you will learn

  • Get to know advanced pen testing techniques with Kali Linux
  • Gain an understanding of Kali Linux tools and methods from behind the scenes
  • See how to use Kali Linux at an advanced level
  • Understand the exploitation of Windows kernel drivers
  • Understand advanced Windows concepts and protections, and how to bypass them using Kali Linux
  • Discover Windows exploitation techniques, such as stack and heap overflows and kernel exploitation, through coding principles

Who this book is for

This book is for penetration testers, ethical hackers, and individuals breaking into the pentesting role after demonstrating an advanced skill in boot camps. Prior experience with Windows exploitation, Kali Linux, and some Windows debugging tools is necessary.

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Hands-On Penetration Testing on Windows
  3. Dedication
  4. Packt Upsell
    1. Why subscribe?
    2. PacktPub.com
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
    5. Disclaimer
  7. Bypassing Network Access Control
    1. Technical requirements
    2. Bypassing MAC filtering – considerations for the physical assessor
      1. Configuring a Kali wireless access point to bypass MAC filtering
    3. Design weaknesses – exploiting weak authentication mechanisms
      1. Capturing captive portal authentication conversations in the clear
      2. Layer-2 attacks against the network
    4. Bypassing validation checks
      1. Confirming the Organizationally Unique Identifier
      2. Passive Operating System Fingerprinter
      3. Spoofing the HTTP User-Agent
    5. Breaking out of jail – masquerading the stack
      1. Following the rules spoils the fun – suppressing normal TCP replies
      2. Fabricating the handshake with Scapy and Python
    6. Summary
    7. Questions
    8. Further reading
  8. Sniffing and Spoofing
    1. Technical requirements
    2. Advanced Wireshark – going beyond simple captures
      1. Passive wireless analysis
      2. Targeting WLANs with the Aircrack-ng suite
      3. WLAN analysis with Wireshark
      4. Active network analysis with Wireshark
    3. Advanced Ettercap – the man-in-the-middle Swiss Army Knife
      1. Bridged sniffing and the malicious access point
    4. Ettercap filters – fine-tuning your analysis
      1. Killing connections with Ettercap filters
    5. Getting better – spoofing with BetterCAP
      1. ICMP redirection with BetterCAP
    6. Summary
    7. Questions
    8. Further reading
  9. Windows Passwords on the Network
    1. Technical requirements
    2. Understanding Windows passwords
      1. A crash course on hash algorithms
      2. Password hashing methods in Windows
      3. If it ends with 1404EE, then it's easy for me – understanding LM hash flaws
      4. Authenticating over the network – a different game altogether
    3. Capturing Windows passwords on the network
      1. A real-world pen test scenario – the chatty printer
      2. Configuring our SMB listener
      3. Authentication capture
      4. Hash capture with LLMNR/NetBIOS NS spoofing
    4. Let it rip – cracking Windows hashes
      1. The two philosophies of password cracking
      2. John the Ripper cracking with a wordlist
      3. John the Ripper cracking with masking
      4. Reviewing your progress with the show flag
    5. Summary
    6. Questions
    7. Further reading
  10. Advanced Network Attacks
    1. Technical requirements
    2. Binary injection with BetterCAP proxy modules
      1. The Ruby file injection proxy module – replace_file.rb
      2. Creating the payload and connect-back listener with Metasploit
    3. HTTP downgrading attacks with sslstrip
      1. Removing the need for a certificate – HTTP downgrading
      2. Understanding HSTS bypassing with DNS spoofing
      3. HTTP downgrade attacks with BetterCAP ARP/DNS spoofing
    4. The evil upgrade – attacking software update mechanisms
      1. Exploring ISR Evilgrade
      2. Configuring the payload and upgrade module
      3. Spoofing ARP/DNS and injecting the payload
    5. IPv6 for hackers
      1. IPv6 addressing basics
      2. Local IPv6 reconnaissance and the Neighbor Discovery Protocol
      3. IPv6 man-in-the-middle – attacking your neighbors
      4. Living in an IPv4 world – creating a local 4-to-6 proxy for your tools
    6. Summary
    7. Questions
    8. Further reading
  11. Cryptography and the Penetration Tester
    1. Technical requirements
    2. Flipping the bit – integrity attacks against CBC algorithms
      1. Block ciphers and modes of operation
      2. Introducing block chaining
      3. Setting up your bit-flipping lab
      4. Manipulating the IV to generate predictable results
      5. Flipping to root – privilege escalation via CBC bit-flipping
    3. Sneaking your data in – hash length extension attacks
      1. Setting up your hash attack lab
      2. Understanding SHA-1's running state and compression function
      3. Data injection with the hash length extension attack
    4. Busting the padding oracle with PadBuster
      1. Interrogating the padding oracle
      2. Decrypting a CBC block with PadBuster
      3. Behind the scenes of the oracle padding attack
    5. Summary
    6. Questions
    7. Further reading
  12. Advanced Exploitation with Metasploit
    1. Technical requirements
    2. How to get it right the first time – generating payloads
      1. Installing Wine32 and Shellter
      2. Payload generation goes solo – working with msfvenom
      3. Creating nested payloads
      4. Helter Skelter evading antivirus with Shellter
    3. Modules – the bread and butter of Metasploit
      1. Building a simple Metasploit auxiliary module
    4. Efficiency and attack organization with Armitage
      1. Getting familiar with your Armitage environment
      2. Enumeration with Armitage
      3. Exploitation made ridiculously simple with Armitage
      4. A word about Armitage and the pen tester mentality
    5. Social engineering attacks with Metasploit payloads
      1. Creating a Trojan with Shellter
      2. Preparing a malicious USB drive for Trojan delivery
    6. Summary
    7. Questions
    8. Further reading
  13. Stack and Heap Memory Management
    1. Technical requirements
    2. An introduction to debugging
      1. Understanding the stack
      2. Understanding registers
      3. Assembly language basics
      4. Disassemblers, debuggers, and decompilers – oh my!
      5. Getting cozy with the Linux command-line debugger – GDB
    3. Stack smack – introducing buffer overflows
      1. Examining the stack and registers during execution
      2. Lilliputian concerns – understanding endianness
    4. Introducing shellcoding
      1. Hunting bytes that break shellcode
      2. Generating shellcode with msfvenom
      3. Grab your mittens, we're going a NOP sledding
    5. Summary
    6. Questions
    7. Further reading
  14. Windows Kernel Security
    1. Technical requirements
    2. Kernel fundamentals – understanding how kernel attacks work
      1. Kernel attack vectors
      2. The kernel's role as time cop
      3. It's just a program
    3. Pointing out the problem – pointer issues
      1. Dereferencing pointers in C and assembly
      2. Understanding NULL pointer dereferencing
      3. The Win32k kernel-mode driver
      4. Passing an error code as a pointer to xxxSendMessage()
      5. Metasploit – exploring a Windows kernel exploit module
    4. Practical kernel attacks with Kali
      1. An introduction to privilege escalation
      2. Escalating to SYSTEM on Windows 7 with Metasploit
    5. Summary
    6. Questions
    7. Further reading
  15. Weaponizing Python
    1. Technical requirements
    2. Incorporating Python into your work
      1. Why Python?
      2. Getting cozy with Python in your Kali environment
      3. Introducing Vim with Python syntax awareness
    3. Python network analysis
      1. Python modules for networking
      2. Building a Python client
      3. Building a Python server
      4. Building a Python reverse shell script
    4. Antimalware evasion in Python
      1. Creating Windows executables of your Python scripts
      2. Preparing your raw payload
      3. Writing your payload retrieval and delivery in Python
    5. Python and Scapy – a classy pair
      1. Revisiting ARP poisoning with Python and Scapy
    6. Summary
    7. Questions
    8. Further reading
  16. Windows Shellcoding
    1. Technical requirements
    2. Taking out the guesswork – heap spraying
      1. Memory allocation – stack versus heap
      2. Shellcode whac-a-mole – heap spraying fundamentals
      3. Shellcode generation for the Java vulnerability
      4. Creating the malicious website to exploit Java
      5. Debugging Internet Explorer with WinDbg
      6. Examining memory after spraying the heap
      7. Fine-tuning your attack and getting a shell
    3. Understanding Metasploit shellcode delivery
      1. Encoder theory and techniques – what encoding is and isn't
      2. Windows binary disassembly within Kali
    4. Injection with Backdoor Factory
      1. Code injection fundamentals – fine-tuning with BDF
      2. Trojan engineering with BDF and IDA
    5. Summary
    6. Questions
    7. Further reading
  17. Bypassing Protections with ROP
    1. Technical requirements
    2. DEP and ASLR – the intentional and the unavoidable
      1. Understanding DEP
      2. Understanding ASLR
      3. Testing DEP protection with WinDbg
      4. Demonstrating ASLR on Kali Linux with C
    3. Introducing return-oriented programming
      1. Borrowing chunks and returning to libc – turning the code against itself
      2. The basic unit of ROP – gadgets
      3. Getting cozy with our tools – MSFrop and ROPgadget
        1. Metasploit Framework's ROP tool – MSFrop
        2. Your sophisticated ROP lab – ROPgadget
      4. Creating our vulnerable C program without disabling protections
        1. No PIE for you – compiling your vulnerable executable without ASLR hardening
      5. Generating a ROP chain
    4. Getting hands-on with the return-to-PLT attack
      1. Extracting gadget information for building your payload
        1. Finding the .bss address
        2. Finding a pop pop ret structure
        3. Finding addresses for system@plt and strcpy@plt functions
        4. Finding target characters in memory with ROPgadget and Python
      2. Go, go, gadget ROP chain – bringing it together for the exploit
        1. Finding the offset to return with gdb
        2. Writing the Python exploit
    5. Summary
    6. Questions
    7. Further reading
  18. Fuzzing Techniques
    1. Technical requirements
    2. Network fuzzing – mutation fuzzing with Taof proxying
      1. Configuring the Taof proxy to target the remote service
      2. Fuzzing by proxy – generating legitimate traffic
    3. Hands-on fuzzing with Kali and Python
      1. Picking up where Taof left off with Python – fuzzing the vulnerable FTP server
      2. The other side – fuzzing a vulnerable FTP client
      3. Writing a bare-bones FTP fuzzer service in Python
      4. Crashing the target with the Python fuzzer
    4. Fuzzy registers – the low-level perspective
      1. Calculating the EIP offset with the Metasploit toolset
      2. Shellcode algebra – turning the fuzzing data into an exploit
    5. Summary
    6. Questions
    7. Further reading
  19. Going Beyond the Foothold
    1. Technical requirements
    2. Gathering goodies – enumeration with post modules
      1. ARP enumeration with meterpreter
      2. Forensic analysis with meterpreter – stealing deleted files
      3. Privileges enumeration with meterpreter
      4. Internet Explorer enumeration – discovering internal web resources
    3. Network pivoting with Metasploit
      1. Just a quick review of subnetting
      2. Launching Metasploit into the hidden network with autoroute
    4. Escalating your pivot – passing attacks down the line
      1. Extracting credentials with hashdump
      2. Quit stalling and pass the hash – exploiting password equivalents in Windows
    5. Summary
    6. Questions
    7. Further reading
  20. Taking PowerShell to the Next Level
    1. Technical requirements
    2. Power to the shell – PowerShell fundamentals
      1. What is PowerShell?
      2. PowerShell's own cmdlets and PowerShell scripting language
      3. Working with the registry
      4. Pipelines and loops in PowerShell
      5. It gets better – PowerShell's ISE
    3. Post-exploitation with PowerShell
      1. ICMP enumeration from a pivot point with PowerShell
      2. PowerShell as a TCP-connect port scanner
      3. Delivering a Trojan to your target via PowerShell
    4. Offensive PowerShell – introducing the Empire framework
      1. Installing and introducing PowerShell Empire
      2. Configuring listeners
      3. Configuring stagers
      4. Your inside guy – working with agents
      5. Configuring a module for agent tasking
    5. Summary
    6. Questions
    7. Further reading
  21. Escalating Privileges
    1. Technical requirements
    2. Climb the ladder with Armitage
      1. Named pipes and security contexts
      2. Impersonating the security context of a pipe client
      3. Superfluous pipes and pipe creation race conditions
      4. Moving past the foothold with Armitage
      5. Armitage pivoting
    3. When the easy way fails – local exploits
      1. Kernel pool overflow and the danger of data types
      2. Let's get lazy – Schlamperei privilege escalation on Windows 7
    4. Escalation with WMIC and PS Empire
      1. Quietly spawning processes with WMIC
      2. Create a PowerShell Empire agent with remote WMIC
      3. Escalating your agent to SYSTEM via access token theft
    5. Dancing in the shadows – looting domain controllers with vssadmin
      1. Extracting the NTDS database and SYSTEM hive from a shadow copy
      2. Exfiltration across the network with cifs
      3. Password hash extraction with libesedb and ntdsxtract
    6. Summary
    7. Questions
    8. Further reading
  22. Maintaining Access
    1. Technical requirements
    2. Persistence with Metasploit and PowerShell Empire
      1. Creating a payload for Metasploit persister
      2. Configuring the Metasploit persistence module and firing away
      3. Verifying your persistent Meterpreter backdoor
      4. Not to be outdone – persistence in PS Empire
      5. Elevating the security context of our Empire agent
      6. Creating a WMI subscription for stealthy persistence of your agent
      7. Verifying agent persistence
    3. Hack tunnels – netcat backdoors on the fly
      1. Uploading and configuring persistent netcat with meterpreter
      2. Remotely tweaking Windows Firewall to allow inbound netcat connections
      3. Verifying persistence is established
    4. Maintaining access with PowerSploit
      1. Installing the persistence module in PowerShell
      2. Configuring and executing meterpreter persistence
      3. Lying in wait – verifying persistence
      4. What did the persistence script do?
    5. Summary
    6. Questions
    7. Further reading
  23. Tips and Tricks
    1. Getting familiar with VMware Workstation
      1. VMware versus Oracle for desktop virtualization
    2. Building your attack lab
      1. Finding Windows machines for your lab
        1. Downloading Edge tester VMs for developers
        2. Downloading an evaluation copy of Windows Server
        3. Installing Windows from an OEM disc or downloaded ISO file
    3. Network configuration tricks
      1. Network address translation and VMnet subnets
      2. Using the Virtual Network Editor
    4. Further reading
  24. Assessment
    1. Chapter 1: Bypassing Network Access Control
    2. Chapter 2: Sniffing and Spoofing
    3. Chapter 3: Windows Passwords on the Network
    4. Chapter 4: Advanced Network Attacks
    5. Chapter 5: Cryptography and the Penetration Tester
    6. Chapter 6: Advanced Exploitation with Metasploit
    7. Chapter 7: Stack and Heap Memory Management
    8. Chapter 8: Windows Kernel Security
    9. Chapter 9: Weaponizing Python
    10. Chapter 10: Windows Shellcoding
    11. Chapter 11: Bypassing Protections with ROP
    12. Chapter 12: Fuzzing Techniques
    13. Chapter 13: Going Beyond the Foothold
    14. Chapter 14: Taking PowerShell to the Next Level
    15. Chapter 15: Escalating Privileges
    16. Chapter 16: Maintaining Access
  25. Other Books You May Enjoy
    1. Leave a review – let other readers know what you think

Product information

  • Title: Hands-On Penetration Testing on Windows
  • Author(s): Phil Bramwell
  • Release date: July 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781788295666