Penetration Testing with Kali Linux

Transcription

1 Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11

2 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author. PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 2 of 11

3 0. - Penetration Testing: What You Should Know About Kali Linux About Penetration Testing Legal The megacorpone.com Domain Offensive Security Labs VPN Labs Overview Lab Control Panel Reporting 1. - Getting Comfortable with Kali Linux Finding Your Way Around Kali Booting Up Kali Linux The Kali Menu Find, Locate, and Which Exercises Managing Kali Linux Services Default root Password SSH Service HTTP Service Exercises The Bash Environment Intro to Bash Scripting Practical Bash Usage Example Practical Bash Usage Example Exercises 2. - The Essential Tools Netcat Connecting to a TCP/UDP Port Listening on a TCP/UDP Port PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 3 of 11

4 Transferring Files with Netcat Remote Administration with Netcat Exercises Ncat Exercises Wireshark Wireshark Basics Making Sense of Network Dumps Capture and Display Filters Following TCP Streams Exercises Tcpdump Filtering Traffic Advanced Header Filtering Exercises 3. - Passive Information Gathering A Note From the Author Open Web Information Gathering Google Google Hacking Exercises Harvesting Exercise Additional Resources Netcraft Whois Enumeration Exercise Recon- ng 4. - Active Information Gathering DNS Enumeration PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 4 of 11

5 Interacting with a DNS Server Automating Lookups Forward Lookup Brute Force Reverse Lookup Brute Force DNS Zone Transfers Relevant Tools in Kali Linux Exercises Port Scanning A Note From the Author TCP CONNECT / SYN Scanning UDP Scanning Common Port Scanning Pitfalls Port Scanning with Nmap OS Fingerprinting Banner Grabbing/Service Enumeration Nmap Scripting Engine (NSE) Exercises SMB Enumeration Scanning for the NetBIOS Service Null Session Enumeration Nmap SMB NSE Scripts Exercises SMTP Enumeration Exercise SNMP Enumeration A Note From the Author MIB Tree Scanning for SNMP Windows SNMP Enumeration Example Exercises 5. - Vulnerability Scanning PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 5 of 11

6 5.1 - Vulnerability Scanning with Nmap The OpenVAS Vulnerability Scanner OpenVAS Initial Setup Exercises 6. - Buffer Overflows Fuzzing Vulnerability History A Word About DEP and ASLR Interacting with the POP3 Protocol Exercises 7. - Win32 Buffer Overflow Exploitation Replicating the Crash Controlling EIP Binary Tree Analysis Sending a Unique String Exercises Locating Space for Your Shellcode Checking for Bad Characters Exercises Redirecting the Execution Flow Finding a Return Address Exercises Generating Shellcode with Metasploit Getting a Shell Exercises Improving the Exploit Exercises 8. - Linux Buffer Overflow Exploitation Setting Up the Environment Crashing Crossfire PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 6 of 11

7 Exercise Controlling EIP Finding Space for Our Shellcode Improving Exploit Reliability Discovering Bad Characters Exercises Finding a Return Address Getting a Shell Exercise 9. - Working with Exploits Searching for Exploits Finding Exploits in Kali Linux Finding Exploits on the Web Customizing and Fixing Exploits Setting Up a Development Environment Dealing with Various Exploit Code Languages Exercises File Transfers A Word About Anti Virus Software File Transfer Methods The Non- Interactive Shell Uploading Files Exercises Privilege Escalation Privilege Escalation Exploits Local Privilege Escalation Exploit in Linux Example Local Privilege Escalation Exploit in Windows Example Configuration Issues Incorrect File and Service Permissions Think Like a Network Administrator PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 7 of 11

8 Exercises Client Side Attacks Know Your Target Passive Client Information Gathering Active Client Information Gathering Social Engineering and Client Side Attacks Exercises MS Internet Explorer 8 Fixed Col Span ID Setting up the Client Side Exploit Swapping Out the Shellcode Exercises Java Signed Applet Attack Exercises Web Application Attacks Essential Iceweasel Add- ons Cross Site Scripting (XSS) Browser Redirection and IFRAME Injection Stealing Cookies and Session Information Exercises File Inclusion Vulnerabilities Local File Inclusion Remote File Inclusion MySQL SQL Injection Authentication Bypass Enumerating the Database Column Number Enumeration Understanding the Layout of the Output Extracting Data from the Database Leveraging SQL Injection for Code Execution Web Application Proxies PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 8 of 11

9 Exercises Automated SQL Injection Tools Exercises Password Attacks Preparing for Brute Force Dictionary Files Key- space Brute Force Pwdump and Fgdump Windows Credential Editor (WCE) Exercises Password Profiling Password Mutating Online Password Attacks Hydra, Medusa, and Ncrack Choosing the Right Protocol: Speed vs. Reward Exercises Password Hash Attacks Password Hashes Password Cracking John the Ripper Rainbow Tables Passing the Hash in Windows Exercises Port Redirection and Tunneling Port Forwarding/Redirection SSH Tunneling Local Port Forwarding Remote Port Forwarding Dynamic Port Forwarding Proxychains PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 9 of 11

10 HTTP Tunneling Traffic Encapsulation Exercises The Metasploit Framework Metasploit User Interfaces Setting up Metasploit Framework on Kali Exploring the Metasploit Framework Auxiliary Modules Getting Familiar with MSF Syntax Metasploit Database Access Exercises Exploit Modules Exercises Metasploit Payloads Staged vs. Non- Staged Payloads Meterpreter Payloads Experimenting with Meterpreter Executable Payloads Reverse HTTPS Meterpreter Metasploit Exploit Multi Handler Revisiting Client Side Attacks Exercises Building Your Own MSF Module Exercise Post Exploitation with Metasploit Meterpreter Post Exploitation Features Post Exploitation Modules Bypassing Antivirus Software Encoding Payloads with Metasploit Crypting Known Malware with Software Protectors PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 10 of 11

11 Using Custom/Uncommon Tools and Payloads Exercise Assembling the Pieces: Penetration Test Breakdown Phase 0 Scenario Description Phase 1 Information Gathering Phase 2 Vulnerability Identification and Prioritization Password Cracking Phase 3 Research and Development Phase 4 Exploitation Linux Local Privilege Escalation Phase 5 Post- Exploitation Expanding Influence Client Side Attack Against Internal Network Privilege Escalation Through AD Misconfigurations Port Tunneling SSH Tunneling with HTTP Encapsulation Looking for High Value Targets Domain Privilege Escalation Going for the Kill PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 11 of 11