Professional Penetration Testing

Book Description

Professional Penetration Testing: Creating and Operating a Formal Hacking Lab examines all aspects of professional penetration testing, from project management to team building, metrics, risk management, training, reporting, information gathering, vulnerability identification, vulnerability exploitation, privilege escalation, and test-data archival methods. It also discusses how to maintain access and cover one's tracks. It includes two video courses to teach readers fundamental and intermediate information-system penetration testing techniques, and to explain how to create and operate a formal hacking lab.
The book is divided into three parts. Part 1 focuses on the professionals who are members of a penetration test team, the skills required to be an effective team member, and the ways to create a PenTest lab. Part 2 looks at the activities involved in a penetration test and how to run a PenTest to improve the overall security posture of the client. Part 3 discusses the creation of a final report for the client, cleaning up the lab for the next penetration test, and identifying the training needs of penetration-test team members.
This book will benefit both experienced and novice penetration test practitioners.

  • Find out how to turn hacking and pen testing skills into a professional career

  • Understand how to conduct controlled attacks on a network through real-world examples of vulnerable and exploitable servers

  • Master project management skills necessary for running a formal penetration test and setting up a professional ethical hacking business

  • Discover metrics and reporting methodologies that provide experience crucial to a professional penetration tester

  • Learn through video: the DVD includes instructional videos that replicate classroom instruction, along with live, real-world vulnerability simulations of complete servers with known and unknown vulnerabilities, so readers can practice hacking skills in a controlled lab environment

Table of Contents

  1. Copyright
  2. About the Author
    1. Technical Editor
  3. Acknowledgments
    1. Family
    2. Heorot.net
    3. On the Side
  4. Foreword
  5. 1. Setting Up
    1. 1. Introduction
      1. Introduction
      2. About the Book
        1. Target Audience
        2. How to Use This Book
      3. About the DVD
        1. Course Material
        2. Reference Material
        3. LiveCDs
          1. Hackerdemia
          2. De-ICE
          3. pWnOS
          4. WebGoat
          5. BackTrack
      4. Summary
      5. Solutions Fast Track
        1. About the Book
        2. About the DVD
      6. Reference
    2. 2. Ethics and Hacking
      1. Introduction
      2. Why Stay Ethical?
        1. Black Hat Hackers
        2. White Hat Hackers
        3. Gray Hat Hackers
      3. Ethical Standards
        1. Certifications
        2. Contractor
        3. Employer
        4. Educational and Institutional Organizations
          1. Information Systems Security Association (ISSA)
          2. Internet Activities Board (IAB)
          3. Institute of Electrical and Electronics Engineers (IEEE)
          4. Organization for Economic Cooperation and Development (OECD)
      4. Computer Crime Laws
        1. Types of Laws
          1. Civil Law
          2. Criminal Law
          3. Administrative/Regulatory Law
        2. Type of Computer Crimes and Attacks
        3. U.S. Federal Laws
        4. U.S. State Laws
        5. International Laws
          1. Canada
          2. United Kingdom
          3. Australia
          4. Malaysia
          5. Singapore
          6. Venezuela
        6. Safe Harbor and Directive 95/46/EC
      5. Getting Permission to Hack
        1. Confidentiality Agreement
        2. Company Obligations
        3. Contractor Obligations
        4. Auditing and Monitoring
        5. Conflict Management
      6. Summary
      7. Solutions Fast Track
        1. Why Stay Ethical?
        2. Ethical Standards
        3. Computer Crime Laws
        4. Getting Permission to Hack
      8. Frequently Asked Questions
      9. Expand Your Skills
      10. References
    3. 3. Hacking as a Career
      1. Introduction
      2. Career Paths
        1. Network Architecture
        2. System Administration
        3. Applications and Databases
      3. Certifications
        1. High-Level Certifications
          1. (ISC)2
            1. About (ISC)2
            2. Our Mission
            3. The (ISC)2 CBK
            4. Certification Programs
            5. Associate of (ISC)2
            6. SSCP [(ISC)2]
            7. Certification and Accreditation Professional (CAP)
            8. Certified Secure Software Lifecycle Professional (CSSLP) [(ISC)2]
            9. CISSP [(ISC)2]
            10. CISSP–ISSAP [(ISC)2]
            11. CISSP–ISSEP [(ISC)2]
            12. CISSP–ISSMP [(ISC)2]
          2. Information Systems Audit and Control Association (ISACA)
            1. CISA
            2. CISM
          3. Global Information Assurance Certification (GIAC)
            1. GSLC
            2. GSE
          4. CompTIA
            1. Project Management Institute (PMI)
          5. Dynamic Systems Development Method (DSDM) Consortium
        2. Skill- and Vendor-Specific Certifications
          1. Cisco
            1. CCNA Security
            2. CCSP
            3. CCIE Security
          2. GIAC
            1. GISF
            2. GSEC
            3. GWAPT
            4. GPEN
          3. CheckPoint
          4. Juniper Networks
            1. JNCIA-ER (Juniper networks)
          5. Microsoft
            1. Designing Security for a Windows Server 2003 Network
            2. Implementing and Administering Security in a Microsoft Windows Server 2003 Network
            3. Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004
            4. TS: Microsoft Internet Security and Acceleration Server 2006, Configuring
          6. Sun Microsystems
            1. SCSECA
      4. Associations and Organizations
        1. Professional Organizations
        2. Conferences
          1. January
          2. February
          3. March
          4. May
          5. June
          6. July
          7. August
          8. September
          9. October
          10. November
          11. December
        3. Local Communities
        4. Mailing Lists
      5. Summary
      6. Solutions Fast Track
        1. Career Paths
        2. Certifications
        3. Associations and Organizations
      7. Frequently Asked Questions
      8. Expand Your Skills
      9. References
    4. 4. Setting Up Your Lab
      1. Introduction
      2. Personal Lab
        1. Keeping it simple
        2. Equipment
        3. Software
        4. Lab for Book Exercises
      3. Corporate Lab
        1. Internal Labs
        2. External Labs
        3. Equipment
        4. Software
      4. Protecting Penetration Test Data
        1. Encryption Schemas
          1. Data Encryption
          2. Data Hashing
        2. Securing PenTest Systems
        3. Mobile Security Concerns
        4. Wireless Lab Data
      5. Additional Network Hardware
        1. Routers
        2. Firewalls
        3. Intrusion Detection System/Intrusion Prevention System
      6. Summary
      7. Solutions Fast Track
        1. Personal Lab
        2. Corporate Lab
        3. Protecting Penetration Test Data
        4. Additional Network Hardware
      8. Frequently Asked Questions
      9. Expand Your Skills
      10. Reference
    5. 5. Creating and Using PenTest Targets in Your Lab
      1. Introduction
      2. Turn-Key Scenarios versus Real-World Targets
        1. Problems with Learning to Hack
        2. Real-World Scenarios
      3. Turn-Key Scenarios
        1. What is a LiveCD?
        2. De-ICE
          1. Scenarios
            1. 1.100
            2. 1.110
            3. 2.100
        3. Hackerdemia
        4. pWnOS
        5. Foundstone
          1. Scenarios
        6. Open Web Application Security Project
          1. Scenarios
      4. Using Exploitable Targets
        1. Operating Systems
        2. Applications
      5. Analyzing Malware – Viruses and Worms
        1. Setting up a Lab
          1. Virtual versus Nonvirtual Labs
          2. Creating a Controlled Environment
          3. Harvesting Malware
          4. Information Analysis
      6. Other Target Ideas
        1. CTF Events
        2. Web-Based Challenges
        3. Vulnerability Announcements
      7. Summary
      8. Solutions Fast Track
        1. Turn-Key Scenarios versus Real-World Targets
        2. Turn-Key Scenarios
        3. Using Exploitable Targets
        4. Analyzing Malware – Viruses and Worms
        5. Other Target Ideas
      9. Frequently Asked Questions
      10. Expand Your Skills
      11. References
    6. 6. Methodologies
      1. Introduction
      2. Project Management Body of Knowledge
        1. Introduction to PMBOK
        2. Initiating Process Group
        3. Planning Process Group
        4. Executing Process Group
        5. Closing Process Group
        6. Monitoring and Controlling Process Group
      3. Information System Security Assessment Framework
        1. Planning and Preparation – Phase I
        2. Assessment – Phase II
          1. Network Security
          2. Host Security
          3. Application Security
          4. Database Security
          5. Social Engineering
        3. Reporting, Clean-up, and Destroy Artifacts – Phase III
          1. Reporting
          2. Clean-Up and Destroy Artifacts
      4. Open Source Security Testing Methodology Manual
        1. Rules of Engagement
        2. Channels
          1. Human Security
          2. Physical Security
          3. Wireless Communications
          4. Telecommunications
          5. Data Networks
        3. Modules
      5. Summary
      6. Solutions Fast Track
        1. Project Management Body of Knowledge
        2. Information System Security Assessment Framework
        3. Open Source Security Testing Methodology Manual
      7. Frequently Asked Questions
      8. Expand Your Skills
      9. References
    7. 7. PenTest Metrics
      1. Introduction
      2. Quantitative, Qualitative, and Mixed Methods
        1. Quantitative Analysis
        2. Qualitative Analysis
        3. Mixed Method Analysis
      3. Current Methodologies
        1. Project Management Institute
          1. Expert Judgment
          2. Probability Distribution
          3. Sensitivity Analysis
          4. Expected Monetary Value
          5. Decision Tree Analysis
          6. Modeling and Simulation
        2. ISSAF
        3. OSSTMM
        4. Tool-Generated Reports
      4. Summary
      5. Solutions Fast Track
        1. Quantitative, Qualitative, and Mixed Methods
        2. Current Methodologies
      6. Frequently Asked Questions
      7. References
    8. 8. Management of a PenTest
      1. Introduction
      2. Project Team Members
        1. Roles and Responsibilities
          1. Team Champion
          2. Project Manager
          3. PenTest Engineers
        2. Organizational Structure
          1. Functional Organization
          2. Matrix Organization
          3. Projectized Organization
      3. Project Management
        1. Initiating Stage
        2. Planning Stage
        3. Executing Stage
        4. Monitoring and Controlling
        5. Closing Stage
          1. Formal Project Review
          2. Effort Evaluation
          3. Identification of New Projects
          4. Future Project Priority Identification
      4. Summary
      5. Solutions Fast Track
        1. Project Team Members
        2. Project Management
      6. Frequently Asked Questions
      7. Expand Your Skills
      8. References
  6. 2. Running a PenTest
    1. 9. Information Gathering
      1. Introduction
      2. Passive Information Gathering
        1. Web Presence
        2. Corporate Data
        3. WHOIS and DNS Enumeration
        4. Additional Internet Resources
      3. Active Information Gathering
        1. DNS Interrogation
        2. E-mail Accounts
        3. Perimeter Network Identification
        4. Network Surveying
      4. Project Management
        1. Executing Process Phase
          1. Perform QA
          2. Acquire and Develop Project Team
          3. Request Seller Responses
        2. Monitoring and Control Process
          1. Scope Verification
          2. Scope Control
          3. Schedule Control
          4. Cost Control
      5. Summary
      6. Solutions Fast Track
        1. Passive Information Gathering
        2. Active Information Gathering
        3. Project Management
      7. Frequently Asked Questions
      8. Expand Your Skills
      9. References
    2. 10. Vulnerability Identification
      1. Introduction
      2. Port Scanning
        1. Target Verification
          1. Active Scans
          2. Passive Scans
        2. UDP Scanning
        3. TCP Scanning
          1. TCP Connect Scan (-sT)
          2. TCP SYN Stealth Scan (-sS)
        4. Perimeter Avoidance Scanning
          1. Null Scan Attack (-sN)
          2. ACK Scan (-sA)
          3. FIN (-sF) and Xmas Tree (-sX) Scans
      3. System Identification
        1. Active OS Fingerprinting
        2. Passive OS Fingerprinting
      4. Services Identification
        1. Banner Grabbing
        2. Enumerating Unknown Services
      5. Vulnerability Identification
      6. Summary
      7. Solutions Fast Track
        1. Port Scanning
        2. System Identification
        3. Services Identification
        4. Vulnerability Identification
      8. Frequently Asked Questions
      9. Expand Your Skills
      10. Reference
    3. 11. Vulnerability Verification
      1. Introduction
      2. Exploit Codes – Finding and Running
        1. Internet Sites
        2. Automated Tools
          1. Vulnerability Assessment
            1. Nessus Installation
            2. Running Our Nessus Scan
          2. Vulnerability Exploitation
            1. CORE IMPACT Installation
            2. CORE IMPACT Vulnerability Exploitation
      3. Exploit Codes – Creating Your Own
        1. Fuzzing
        2. Code Review
        3. Application Reversing
      4. Web Hacking
        1. SQL Injection
        2. Cross-Site Scripting
        3. Web Application Vulnerabilities
      5. Project Management
        1. Executing Process Phase
          1. Information Distribution
        2. Monitoring and Control Process
          1. Schedule Control
          2. Manage Stakeholders
      6. Summary
      7. Solutions Fast Track
        1. Exploit Codes – Finding and Running
        2. Exploit Codes – Creating Your Own
        3. Web Hacking
        4. Project Management
      8. Frequently Asked Questions
      9. Expand Your Skills
      10. References
    4. 12. Compromising a System and Privilege Escalation
      1. Introduction
      2. System Enumeration
        1. Internal Vulnerabilities
        2. Sensitive Data
      3. Network Packet Sniffing
      4. Social Engineering
        1. Baiting
        2. Phishing
        3. Pretexting
      5. Wireless Attacks
        1. Wi-Fi Protected Access Attack
        2. WEP Attack
      6. Project Management
        1. Executing Process Phase
          1. Information Distribution
        2. Monitoring and Control Process
          1. Schedule Control
      7. Summary
      8. Solutions Fast Track
        1. System Enumeration
        2. Network Packet Sniffing
        3. Social Engineering
        4. Wireless Attacks
        5. Project Management
      9. Frequently Asked Questions
      10. Expand Your Skills
      11. References
    5. 13. Maintaining Access
      1. Introduction
      2. Shells and Reverse Shells
        1. Netcat Shell
        2. Netcat Reverse Shell
      3. Encrypted Tunnels
        1. Adding a Host Firewall (Optional)
        2. Setting Up the SSH Reverse Shell
          1. Setting Up Public/Private Keys
          2. Launch the Encrypted Reverse Shell
      4. Other Encryption and Tunnel Methods
      5. Summary
      6. Solutions Fast Track
        1. Shells and Reverse Shells
        2. Encrypted Tunnels
        3. Other Encryption and Tunnel Methods
      7. Frequently Asked Questions
      8. Expand Your Skills
      9. Reference
    6. 14. Covering Your Tracks
      1. Introduction
      2. Manipulating Log Data
        1. User Login
        2. Application Logs
      3. Hiding Files
        1. Hiding Files in Plain Sight
        2. Hiding Files Using the File System
        3. Hiding Files in Windows
      4. Summary
      5. Solutions Fast Track
        1. Manipulating Log Data
        2. Hiding Files
      6. Frequently Asked Questions
      7. Expand Your Skills
      8. Reference
  7. 3. Wrapping Everything Up
    1. 15. Reporting Results
      1. Introduction
      2. What Should You Report?
        1. Out of Scope Issues
        2. Findings
        3. Solutions
        4. Manuscript Preparation
          1. Title Page
          2. Abstract
          3. Text
          4. References
          5. Appendices
      3. Initial Report
        1. Peer Reviews
        2. Fact Checking
        3. Metrics
          1. Nessus
          2. Core Impact
      4. Final Report
        1. Peer Reviews
        2. Documentation
      5. Summary
      6. Solutions Fast Track
        1. What Should You Report?
        2. Initial Report
        3. Final Report
      7. Frequently Asked Questions
      8. Expand Your Skills
      9. References
    2. 16. Archiving Data
      1. Introduction
      2. Should You Keep Data?
        1. Legal Issues
        2. E-mail
        3. Findings and Reports
      3. Securing Documentation
        1. Access Controls
        2. Archival Methods
        3. Archival Locations
        4. Destruction Policies
      4. Summary
      5. Solutions Fast Track
        1. Should You Keep Data?
        2. Securing Documentation
      6. Frequently Asked Questions
      7. Reference
    3. 17. Cleaning Up Your Lab
      1. Introduction
      2. Archiving Lab Data
        1. Proof of Concepts
        2. Malware Analysis
      3. Creating and Using System Images
        1. License Issues
        2. Virtual Machines
        3. “Ghost” Images
      4. Creating a “Clean Shop”
        1. Sanitization Methods
        2. Using Hashes
        3. Change Management Controls
      5. Summary
      6. Solutions Fast Track
        1. Archiving Lab Data
        2. Creating and Using System Images
        3. Creating a “Clean Shop”
      7. Frequently Asked Questions
      8. Reference
    4. 18. Planning for Your Next PenTest
      1. Introduction
      2. Risk Management Register
        1. Creating a Risk Management Register
        2. Prioritization of Risks and Responses
      3. Knowledge Database
        1. Creating a Knowledge Database
        2. Sanitization of Findings
        3. Project Management Knowledge Database
      4. After-Action Review
        1. Project Assessments
        2. Team Assessments
        3. Training Proposals
      5. Summary
      6. Solutions Fast Track
        1. Risk Management Register
        2. Knowledge Database
        3. After-Action Review
      7. Frequently Asked Questions
      8. Expand Your Skills
      9. Final Exercise
      10. Reference
    5. A. Acronyms
    6. B. Definitions
      1. References