
Advanced Penetration Testing. Hacking the World’s Most Secure Networks PDF

297 Pages·2017·6.3 MB·English

Preview Advanced Penetration Testing. Hacking the World’s Most Secure Networks

Table of Contents

Cover
Title Page
Introduction
  Coming Full Circle
  Advanced Persistent Threat (APT)
  Next Generation Technology
  “Hackers”
  Forget Everything You Think You Know About Penetration Testing
  How This Book Is Organized
Chapter 1: Medical Records (In)security
  An Introduction to Simulating Advanced Persistent Threat
  Background and Mission Briefing
  Payload Delivery Part 1: Learning How to Use the VBA Macro
  Command and Control Part 1: Basics and Essentials
  The Attack
  Summary
  Exercises
Chapter 2: Stealing Research
  Background and Mission Briefing
  Payload Delivery Part 2: Using the Java Applet for Payload Delivery
  Notes on Payload Persistence
  Command and Control Part 2: Advanced Attack Management
  The Attack
  Summary
  Exercises
Chapter 3: Twenty-First Century Heist
  What Might Work?
  Nothing Is Secure
  Organizational Politics
  APT Modeling versus Traditional Penetration Testing
  Background and Mission Briefing
  Command and Control Part III: Advanced Channels and Data Exfiltration
  Payload Delivery Part III: Physical Media
  The Attack
  Summary
  Exercises
Chapter 4: Pharma Karma
  Background and Mission Briefing
  Payload Delivery Part IV: Client-Side Exploits 1
  Command and Control Part IV: Metasploit Integration
  The Attack
  Summary
  Exercises
Chapter 5: Guns and Ammo
  Background and Mission Briefing
  Payload Delivery Part V: Simulating a Ransomware Attack
  Command and Control Part V: Creating a Covert C2 Solution
  New Strategies in Stealth and Deployment
  The Attack
  Summary
  Exercises
Chapter 6: Criminal Intelligence
  Payload Delivery Part VI: Deploying with HTA
  Privilege Escalation in Microsoft Windows
  Command and Control Part VI: The Creeper Box
  The Attack
  Summary
  Exercises
Chapter 7: War Games
  Background and Mission Briefing
  Payload Delivery Part VII: USB Shotgun Attack
  Command and Control Part VII: Advanced Autonomous Data Exfiltration
  The Attack
  Summary
  Exercises
Chapter 8: Hack Journalists
  Briefing
  Advanced Concepts in Social Engineering
  C2 Part VIII: Experimental Concepts in Command and Control
  Payload Delivery Part VIII: Miscellaneous Rich Web Content
  The Attack
  Summary
  Exercises
Chapter 9: Northern Exposure
  Overview
  Operating Systems
  North Korean Public IP Space
  The North Korean Telephone System
  Approved Mobile Devices
  The “Walled Garden”: The Kwangmyong Intranet
  Audio and Video Eavesdropping
  Summary
  Exercises
End User License Agreement

List of Illustrations

Chapter 1: Medical Records (In)security
  Figure 1.1 Pharmattix network flow
  Figure 1.2 User roles
  Figure 1.3 VBA exploit code imported into MS Word.
  Figure 1.4 Saving for initial antivirus proving.
  Figure 1.5 This demonstrates an unacceptably high AV hit rate.
  Figure 1.6 Additional information.
  Figure 1.7 A stealthy payload indeed.
  Figure 1.8 No, Qihoo-360 is not the Holy Grail of AV.
  Figure 1.9 Blank document carrying macro payload.
  Figure 1.10 A little more convincing.
  Figure 1.11 Initial basic Command and Control infrastructure.
  Figure 1.12 The completed attack with complete access to the medical records.
Chapter 2: Stealing Research
  Figure 2.1 Permit all local Java code to run in the browser.
  Figure 2.2 Java applet running in the browser.
  Figure 2.3 The upgraded framework handles multiple hosts and operating systems.
Chapter 3: Twenty-First Century Heist
  Figure 3.1 The beauty of this setup is that if your C2 is disrupted by security operations, you can point your DNS at another server.
  Figure 3.2 A basic intrusion monitoring setup.
  Figure 3.3 Mmmmmm. Stealthy.
Chapter 4: Pharma Karma
  Figure 4.1 This image from cvedetails shows 56 code execution vulnerabilities in Flash in 2016 alone.
  Figure 4.2 The number one issue on this AlienVault SOC alarm screen is vulnerable software, with that software being Flash.
  Figure 4.3 This is clearly a large network that lacks a cohesive overall vulnerability management strategy.
  Figure 4.4 Script output shows plugin data.
  Figure 4.5 A LinkedIn invite comes as an HTML email message.
  Figure 4.6 This is a remote command execution bug with reliable exploit code in the wild.
  Figure 4.7 Metasploit does an excellent job at obfuscating the CVE-2015-5012 attack.
  Figure 4.8 A simple XOR function can easily defeat antivirus technology.
  Figure 4.9 The Meterpreter session is tunneled over SSH and looks innocent to network IDS.
  Figure 4.10 Notepad cannot write to the C drive. It's a fair bet most desktop software programs have the same restrictions.
  Figure 4.11 Armitage displays a list of plugins and their owners.
  Figure 4.12 Process migration is a one-click process. Here we have migrated into lsass.exe.
  Figure 4.13 In this example test.txt is uploaded from the attacker workstation.
  Figure 4.14 Exploiting a vulnerability in the ScriptHost to escalate to the system.
  Figure 4.15 Armitage makes a lot of tedious tasks a one-click affair.
Chapter 5: Guns and Ammo
  Figure 5.1 Defense distributed ghost gunner. An open source CNC machine designed to manufacture AR-15 lower receivers restricted under Federal law.
  Figure 5.2 The Soviet AT-4 (right) was a copy of the French MILAN system (Left).
  Figure 5.3 Encryption process flow.
  Figure 5.4 Decryption process flow.
  Figure 5.5 Simplified covert C2 topology.
  Figure 5.6 Veil-Evasion landing screen.
  Figure 5.7 Veil with options set.
  Figure 5.8 Veil can now generate a compiled Python executable from the raw shellcode.
  Figure 5.9 The compiled executable is ready for use.
  Figure 5.10 Once again, it's ready to use.
  Figure 5.11 A Save As dialog box shows the file types Solid Edge works with.
  Figure 5.12 Solid Edge application directory.
  Figure 5.13 The victim will still have to Enable Content but that's a social engineering issue.
  Figure 5.14 Lower receiver schematic in Solid Edge 3D.
Chapter 6: Criminal Intelligence
  Figure 6.1 Not the most inviting message.
  Figure 6.2 A basic HTML application.
  Figure 6.3 That's a little bit better, but let's select something that fits the attack.
  Figure 6.4 The inevitable VirusTotal example.
  Figure 6.5 User Account Control dialog box. This can look however you want.
  Figure 6.6 The XLS data contains bulletin names, severity, component KB, and so on.
  Figure 6.7 Dependency Walker showing full DLL paths.
  Figure 6.8 The Raspberry Pi 3B in all its glory.
  Figure 6.9 A Raspberry Pi with a PoE HAT (hardware added on top).
  Figure 6.10 Step one: connect with 3G.
  Figure 6.11 Step two: select a USB device.
  Figure 6.12 Step three: HUAWEI mobile.
  Figure 6.13 Step four: interface #0.
  Figure 6.14 Step five: business subscription.
  Figure 6.15 Step six: you're good to go.
  Figure 6.16 The KeyGrabber is an example of a WiFi-capable keylogger.
  Figure 6.17 Caller ID can be easily spoofed.
  Figure 6.18 Spoofing SMS messages likewise.
  Figure 6.19 Keep these things simple but use whatever templates you have at hand.
Chapter 7: War Games
  Figure 7.1 Compartmented U.S. secure communications center.
  Figure 7.2 Not even the greenest jarhead is going to fall for this.
  Figure 7.3 This creates the pretext.
Chapter 8: Hack Journalists
  Figure 8.1 Initial beacon designated as Master node.
  Figure 8.2 C2 uses Master for outbound connectivity.
  Figure 8.3 A timeout on the Master node signals it is likely no longer functional or the host is switched off.
  Figure 8.4 C2 Server nominates new Master node.
  Figure 8.5 Agents nominate their own Master.
  Figure 8.6 The Master functions as a gateway for other nodes as before.
  Figure 8.7 Further elections are held as necessary.
  Figure 8.8 The SDKPluginEntrypoint.cpp file.
  Figure 8.9 Xcode build menu.
  Figure 8.10 C2 agent extension payload.
  Figure 8.11 Pre-flight packaging in InDesign.
Chapter 9: Northern Exposure
  Figure 9.1 Red Star Desktop.
  Figure 9.2 Getting a shell.
  Figure 9.3 A shell.
  Figure 9.4 Quicker and easier to work in English.
  Figure 9.5 Red Star Linux in English.
  Figure 9.6 Run rootsetting.
  Figure 9.7 Enter the credentials you created for your user.
  Figure 9.8 Now we have root access.
  Figure 9.9 Disable Discretionary Access Control.
  Figure 9.10 Disable monitoring processes.
  Figure 9.11 Red Star Linux Install Screen.
  Figure 9.12 Choose Desktop Manager.
  Figure 9.13 Once again, better to work in English.
  Figure 9.14 Insecure Squid Proxy.
  Figure 9.15 Webmin Interface.
  Figure 9.16 Toneloc output.
  Figure 9.17 WarVOX Configuration.
  Figure 9.18 Add targets to WarVOX.
  Figure 9.19 Old School!
  Figure 9.20 Yecon Tablet Device Information.

List of Tables

Chapter 5: Guns and Ammo
  Table 5.1 The libgcrypt library contains all the crypto functions you will ever need.

Advanced Penetration Testing
Hacking the World’s Most Secure Networks
Wil Allsopp
