Mastering Kali Linux for Advanced Penetration Testing: Become a cybersecurity ethical hacking expert using Metasploit, Nmap, Wireshark, and Burp Suite, 4th Edition

Cover
Copyright
Contributors
Table of Contents
Preface
Chapter 1: Goal-Based Penetration Testing
	Different types of threat actors
	Conceptual overview of security testing
	Common pitfalls of vulnerability assessments, penetration testing, and red team exercises
	Objective-based penetration testing
	The testing methodology
	Introduction to Kali Linux features
		The role of Kali in red team tactics
	Installing and updating Kali Linux
		Using as a portable device
		Installing Kali on a Raspberry Pi 4
		Installing Kali on a VM
			VMware Workstation Player
			VirtualBox
		Installing to a Docker appliance
		Kali on AWS Cloud
		Kali on Google Cloud Platform (GCP)
	Kali on Android (non-rooted phones)
	Organizing Kali Linux
		Configuring and customizing Kali Linux
		Resetting the default password
		Configuring network services and secure communications
		Adjusting network proxy settings
		Accessing the secure shell remotely
		Speeding up Kali operations
		Sharing folders with the host operating system
		Using Bash scripts to customize Kali
	Building a verification lab
		Installing defined targets
			Lab Network
			Active Directory and Domain Controller
			Installing Microsoft Exchange Server 2016
			Metasploitable3
			Mutillidae
	CloudGoat
	Managing collaborative penetration testing using Faraday
	Summary
Chapter 2: Open-Source Intelligence and Passive Reconnaissance
	Basic principles of reconnaissance
		OSINT
		Offensive OSINT
		Gather domain information
		Maltego
		OSRFramework
		Web archives
		Passive Total
	Scraping
		Gathering usernames and email addresses
		Obtaining user information
			TinEye
		Online search portals
			SpiderFoot
		Other commercial tools
	Google Hacking Database
		Using dork scripts to query Google
		Data dump sites
		Defensive OSINT
			Dark web
			Security breaches
			Public records
		Threat intelligence
		Profiling users for password lists
	Creating custom wordlists for cracking passwords
		Using CeWL to map a website
		Extracting words from Twitter using twofi
	Summary
Chapter 3: Active Reconnaissance of External and Internal Networks
	Stealth scanning techniques
		Adjusting source IP stack and tool identification settings
		Modifying packet parameters
		Using proxies with anonymity networks
	DNS reconnaissance and route mapping
		The whois command (post GDPR)
	Employing comprehensive reconnaissance applications
		The recon-ng framework
			IPv4
			IPv6
		Using IPv6-specific tools
		Mapping the route to the target
	Identifying the external network infrastructure
	Mapping beyond the firewall
	IDS/IPS identification
	Enumerating hosts
		Live host discovery
	Port, operating system, and service discovery
		Port scanning
	Writing your own port scanner using netcat
		Fingerprinting the operating system
		Determining active services
	Large-scale scanning
		DHCP information
		Identification and enumeration of internal network hosts
		Native MS Windows commands
		ARP broadcasting
		Ping sweep
		Using scripts to combine masscan and nmap scans
		Taking advantage of SNMP
		Windows account information via SMB sessions
		Locating network shares
		Reconnaissance of active directory domain servers
		Enumerating the Microsoft Azure environment
		Using comprehensive tools (Legion)
	Using machine learning for reconnaissance
	Summary
Chapter 4: Vulnerability Assessment
	Vulnerability nomenclature
	Local and online vulnerability databases
	Vulnerability scanning with Nmap
		Introduction to Lua scripting
		Customizing NSE scripts
	Web application vulnerability scanners
		Nikto
		Customizing Nikto
		OWASP ZAP
	Vulnerability scanners for mobile applications
	The OpenVAS network vulnerability scanner
		Customizing OpenVAS
	Commercial vulnerability scanners
		Nessus
		Qualys
	Specialized scanners
	Threat modeling
	Summary
Chapter 5: Advanced Social Engineering and Physical Security
	Command methodology and TTPs
		Technology
			Computer-based
			Mobile-based
		People-based
			Physical attacks
			Voice-based
	Physical attacks at the console
		samdump2 and chntpw
		Sticky Keys
	Creating a rogue physical device
		Microcomputer or USB-based attack agents
			The Raspberry Pi
			MalDuino: the BadUSB
	The Social Engineering Toolkit (SET)
		Social-engineering attacks
		Credential harvester web attack method
		Multi-attack web attack method
		HTA web attack method
		Using the PowerShell alphanumeric shellcode injection attack
	Hiding executables and obfuscating the attacker’s URL
	Escalating an attack using DNS redirection
		Spear phishing attack
		Email phishing using Gophish
	Launching a phishing attack using Gophish
	Using bulk transfer as phishing to deliver payloads
	Summary
Chapter 6: Wireless and Bluetooth Attacks
	Introduction to wireless and Bluetooth technologies
	Configuring Kali for wireless attacks
	Wireless reconnaissance
	Bypassing a hidden SSID
	Bypassing MAC address authentication and open authentication
	Attacking WPA and WPA2
		Brute-force attacks
		Attacking wireless routers with Reaver
	Denial of Service (DoS) attacks against wireless communications
	Compromising enterprise implementations of WPA2
	Working with bettercap
	Evil Twin attack using Wifiphisher
	WPA3
	Bluetooth attacks
	Summary
Chapter 7: Exploiting Web-Based Applications
	Web application hacking methodology
	The hacker’s mind map
	Reconnaissance of web apps
		Detection of web application firewall and load balancers
		Fingerprinting a web application and CMS
		Mirroring a website from the command line
	Client-side proxies
		Burp Proxy
		Web crawling and directory brute-force attacks
		Web service-specific vulnerability scanners
	Application-specific attacks
		Brute-forcing access credentials
			OS command injection using commix
			sqlmap
			XML injection
			Bit-flipping attack
			Maintaining access with web shells
	The Browser Exploitation Framework (BeEF)
		Installing and configuring BeEF
	Understanding the BeEF browser
		Using BeEF as a tunneling proxy
	Summary
Chapter 8: Cloud Security Exploitation
	Introduction to cloud services
	Vulnerability scanning and application exploitation in an EC2 instance
	Testing for S3 bucket misconfiguration
	Exploiting security permission flaws
	Obfuscating CloudTrail logs
	Summary
Chapter 9: Bypassing Security Controls
	Bypassing Network Access Control (NAC)
		Pre-admission NAC
			Adding new elements
			Identifying the rules
			Disabling endpoint security
		Post-admission NAC
			Bypassing isolation
			Detecting a honeypot
	Bypassing application-level controls
		Tunneling past client-side firewalls using SSH
			Inbound to outbound
			Bypassing URL filtering mechanisms
			Outbound to inbound
	Bypassing the antivirus with files
		Using the Veil framework
		Using Shellter
	Going fileless and evading antivirus
	Bypassing Windows operating system controls
		User Account Control (UAC)
			Using fodhelper to bypass UAC in Windows 10
			Using Disk Cleanup to bypass UAC in Windows 10
		Obfuscating the PowerShell and using fileless techniques
		Other Windows-specific operating system controls
			Access and authorization
			Encryption
			System security
			Communications security
			Auditing and logging
	Summary
Chapter 10: Exploitation
	The Metasploit Framework
		Libraries
			REX
			Framework core
			Framework base
		Interfaces
		Modules
		Database setup and configuration
	Exploiting targets using MSF
		Single targets using a simple reverse shell
	Exploiting multiple targets using MSF resource files
	Using public exploits
		Locating and verifying publicly available exploits
		Compiling and using exploits
			Compiling C files and executing exploits
			Adding the exploits that are written using the MSF as a base
	Developing a Windows exploit
		Identify the vulnerability through fuzzing
		Debug and replicate the crash
		Control the application execution
		Identify the right bad characters and generate shellcode
		Obtain the shell
	PowerShell Empire framework
	Summary
Chapter 11: Action on the Objective and Lateral Movement
	Activities on the compromised local system
		Conducting rapid reconnaissance of a compromised system
		Finding and taking sensitive data – pillaging the target
			Creating additional accounts
		Post-exploitation tools
			The Metasploit Framework – Meterpreter
			The PowerShell Empire project
			CrackMapExec
	Horizontal escalation and lateral movement
		Compromising domain trusts and shares
		PsExec, WMIC, and other tools
			WMIC
			Windows Credentials Editor
		Lateral movement using services
		Pivoting and port forwarding
			Using ProxyChains
	Summary
Chapter 12: Privilege Escalations
	Overview of the common escalation methodology
	Escalating from domain user to system administrator
	Local system escalation
	Escalating from administrator to system
		DLL injection
	Credential harvesting and escalation attacks
		Password sniffers
		Responder
		Performing a MiTM attack on LDAP over TLS
	Escalating access rights in Active Directory
	Compromising Kerberos – a golden-ticket attack
	Summary
Chapter 13: Command and Control
	Persistence
	Using persistent agents
		Employing Netcat as a persistent agent
		Using schtasks to configure a persistent task
		Maintaining persistence with the Metasploit framework
			Using the post exploit persistence module
		Creating a standalone persistent agent with Metasploit
		Persistence using online file storage cloud services
			Dropbox
			Microsoft OneDrive
			Covenant
			PoshC2
	Domain fronting
		Using Amazon CloudFront for C2
	Exfiltration of data
		Using existing system services (Telnet, RDP, and VNC)
		Using the ICMP protocol
		Hiding evidence of an attack
	Summary
Chapter 14: Embedded Devices and RFID Hacking
	Embedded systems and hardware architecture
		Embedded system basic architecture
			Understanding firmware
			Different types of firmware
			Understanding bootloaders
			Common tools
	Firmware unpacking and updating
	Introduction to RouterSploit Framework
	UART
	Cloning RFID using ChameleonMini
		Other tools
	Summary
PacktPage
Other Books You May Enjoy
Index