A highly detailed guide to executing powerful attacks in many hands-on scenarios and defending against significant security flaws in your company's infrastructure
It has always been difficult to gain hands-on experience and a comprehensive understanding of advanced penetration testing techniques and of vulnerability assessment and management. This book will be your one-stop solution to compromising complex network devices and modern operating systems. It provides you with advanced penetration testing techniques that will help you exploit databases, web and application servers, switches and routers, Docker, VLANs, VoIP, and VPNs.

With this book, you will explore exploitation techniques such as offensive PowerShell tooling, CI server attacks, database exploitation, Active Directory delegation, kernel exploits, cron jobs, VLAN hopping, and Docker breakouts. Moving on, the book will not only walk you through managing vulnerabilities, but will also teach you how to ensure endpoint protection. Toward the end of the book, you will also discover post-exploitation tips, tools, and methodologies to help your organization build an intelligent security system.

By the end of this book, you will have mastered the skills and methodologies needed to breach infrastructures and provide complete endpoint protection for your systems.
If you are a system administrator, SOC analyst, penetration tester, or a network engineer and want to take your penetration testing skills and security knowledge to the next level, then this book is for you. Some prior experience with penetration testing tools and knowledge of Linux and Windows command-line syntax is beneficial.
Chiheb Chebbi is an InfoSec enthusiast with experience in various aspects of information security, focusing on the investigation of advanced cyber attacks and research into cyber espionage and APT attacks. Chiheb is currently pursuing an engineering degree in Computer Science at TEK-UP University in Tunisia. His core interests lie in infrastructure penetration testing, deep learning, and malware analysis. In 2016 he was included in the Alibaba Security Research Center Hall of Fame. His talk proposals have been accepted by DeepSec 2017, Black Hat Europe 2016, and many other world-class information security conferences.
Page count: 224
Year of publication: 2018
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Heramb Bhavsar
Content Development Editor: Nithin Varghese
Technical Editors: Prashant Chaudhari, Komal Karne
Copy Editors: Safis Editing, Dipti Mankame
Project Coordinator: Virginia Dias
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Tom Scaria
Production Coordinator: Nilesh Mohite
First published: February 2018
Production reference: 1220218
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78862-448-0
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Chiheb Chebbi is a Tunisian information security enthusiast with experience in various aspects of information security, focusing on the investigation of advanced cyber attacks and researching cyber espionage and APT attacks. His core interest lies in infrastructure penetration testing, machine learning, and malware analysis. He is a frequent speaker at many world-class information security conferences.
Alex Samm has more than 10 years of experience in the IT field, including system and network administration, EUC support, Windows and Linux server support, virtualization, programming, penetration testing, and forensic investigations.
Currently, he works at ESP Global Services, supporting contracts in North America, Latin America, and the Caribbean. He also lectures at the Computer Forensics and Security Institute on IT security courses, including ethical hacking and penetration testing.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Advanced Infrastructure Penetration Testing
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Introduction to Advanced Infrastructure Penetration Testing
Information security overview
Confidentiality
Integrity
Availability
Least privilege and need to know
Defense in depth
Risk analysis
Information Assurance
Information security management program
Hacking concepts and phases
Types of hackers
Hacking phases
Reconnaissance
Passive reconnaissance
Active reconnaissance
Scanning
Port scanning
Network scanning
Vulnerability scanning
Gaining access
Maintaining access
Clearing tracks
Penetration testing overview
Penetration testing types
White box pentesting
Black box pentesting
Gray box pentesting
The penetration testing teams
Red teaming
Blue teaming
Purple teaming
Pentesting standards and guidance
Policies
Standards
Procedures
Guidance
Open Source Security Testing Methodology Manual
Information Systems Security Assessment Framework
Penetration Testing Execution Standard
Payment Card Industry Data Security Standard
Penetration testing steps
Pre-engagement
The objectives and scope
A get out of jail free card
Emergency contact information
Payment information
Non-disclosure agreement 
Intelligence gathering
Public intelligence
Social engineering attacks
Physical analysis
Information system and network analysis
Human intelligence 
Signal intelligence
Open source intelligence 
Imagery intelligence 
Geospatial intelligence 
Threat modeling
Business asset analysis
Business process analysis
Threat agents analysis
Threat capability analysis
Motivation modeling
Vulnerability analysis
Vulnerability assessment with Nexpose
Installing Nexpose
Starting Nexpose
Start a scan
Exploitation
Post-exploitation
Infrastructure analysis
Pillaging
High-profile targets
Data exfiltration
Persistence
Further penetration into infrastructure
Cleanup
Reporting
Executive summary
Technical report
Penetration testing limitations and challenges
Pentesting maturity and scoring model
Realism
Methodology
Reporting
Summary
Advanced Linux Exploitation
Linux basics
Linux commands
Streams
Redirection
Linux directory structure
Users and groups
Permissions
The chmod command
The chown command
The chroot command 
The power of the find command
Jobs, cron, and crontab
Security models
Security controls
Access control models
Linux attack vectors
Linux enumeration with LinEnum
OS detection with Nmap
Privilege escalation
Linux privilege checker
Linux kernel exploitation
UserLand versus kernel land
System calls
Linux kernel subsystems 
Process 
Threads
Security-Enhanced Linux 
Memory models and the address spaces 
Linux kernel vulnerabilities
NULL pointer dereference
Arbitrary kernel read/write 
Case study CVE-2016-2443 – Qualcomm MSM debugfs kernel arbitrary write
Memory corruption vulnerabilities
Kernel stack vulnerabilities
Kernel heap vulnerabilities
Race conditions
Logical and hardware-related bugs
Case study CVE-2016-4484 – Cryptsetup initrd root shell
Linux Exploit Suggester 
Buffer overflow prevention techniques 
Address space layout randomization
Stack canaries
Non-executable stack
Linux return oriented programming 
Linux hardening
Summary
Corporate Network and Database Exploitation
Networking fundamentals
Network topologies
Bus topology 
Star topology
Ring topology
Tree topology
Mesh topology
Hybrid topology
Transmission modes
Communication networks
Local area network
Metropolitan area network 
Wide area network
Personal area network
Wireless network
Data center multi-tier model design
Open Systems Interconnection model
In-depth network scanning
TCP communication
ICMP scanning
SSDP scanning
UDP scanning
Intrusion detection systems
Machine learning for intrusion detection 
Supervised learning
Unsupervised learning
Semi-supervised learning
Reinforcement learning
Machine learning systems' workflow
Machine learning model evaluation metrics
Services enumeration
Insecure SNMP configuration
DNS security
DNS attacks 
Sniffing attacks
DDoS attacks
Types of DDoS attacks 
Defending against DDoS attacks
DDoS scrubbing centers
Software-Defined Network penetration testing
SDN attacks
SDN penetration testing
DELTA: SDN security evaluation framework
SDNPWN
Attacks on database servers 
Summary
Active Directory Exploitation
Active Directory
Single Sign-On 
Kerberos authentication
Lightweight Directory Access Protocol 
PowerShell and Active Directory
Active Directory attacks
PowerView
Kerberos attacks
Kerberos TGS service ticket offline cracking (Kerberoast)
SPN scanning
Passwords in SYSVOL and group policy preferences
MS14-068 Kerberos vulnerability on a domain controller
Dumping all domain credentials with Mimikatz
Pass the credential
Dumping LSASS memory with Task Manager (get domain admin credentials)
Dumping Active Directory domain credentials from an NTDS.dit file
Summary
Docker Exploitation
Docker fundamentals
Virtualization
Cloud computing
Cloud computing security challenges
Docker containers
Docker exploitation 
Kernel exploits
DoS and resource abuse
Docker breakout
Poisoned images
Database passwords and data theft
Docker bench security
Docker vulnerability static analysis with Clair
Building a penetration testing laboratory
Summary
Exploiting Git and Continuous Integration Servers
Software development methodologies
Continuous integration
Types of tests
Continuous integration versus continuous delivery
DevOps
Continuous integration with GitHub and Jenkins
Installing Jenkins
Continuous integration attacks
Continuous integration server penetration testing
Rotten Apple project for testing continuous integration or continuous delivery system security
Continuous security with Zed Attack Proxy
Summary
Metasploit and PowerShell for Post-Exploitation
Dissecting Metasploit Framework
Metasploit architecture
Modules
Exploits
Payloads
Auxiliaries
Encoders
NOPs
Posts
Starting Metasploit
Bypassing antivirus with the Veil-Framework
Writing your own Metasploit module
Metasploit persistence scripts
Weaponized PowerShell with Metasploit
Interactive PowerShell
PowerSploit
Nishang – PowerShell for penetration testing
Defending against PowerShell attacks
Summary
VLAN Exploitation
Switching in networking
LAN switching
MAC attack
Media Access Control Security
DHCP attacks
DHCP starvation
Rogue DHCP server
ARP attacks
VLAN attacks
Types of VLANs
VLAN configuration
VLAN hopping attacks
Switch spoofing
VLAN double tagging
Private VLAN attacks
Spanning Tree Protocol attacks
Attacking STP
Summary
VoIP Exploitation
VoIP fundamentals
H.323
Skinny Call Control Protocol
RTP/RTCP
Secure Real-time Transport Protocol
H.248 and Media Gateway Control Protocol
Session Initiation Protocol
VoIP exploitation
VoIP attacks
Denial-of-Service
Eavesdropping
SIP attacks
SIP registration hijacking
Spam over Internet Telephony 
Embedding malware
Viproy – VoIP penetration testing kit
VoLTE exploitation
VoLTE attacks
SiGploit – Telecom Signaling Exploitation Framework
Summary
Insecure VPN Exploitation
Cryptography
Cryptosystems
Ciphers
Classical ciphers
Modern ciphers
Kerckhoffs' principle for cryptosystems
Cryptosystem types
Symmetric cryptosystem
Asymmetric cryptosystem
Hash functions and message integrity
Digital signatures
Steganography
Key management
Cryptographic attacks
VPN fundamentals 
Tunneling protocols
IPSec
Secure Sockets Layer/Transport Layer Security
SSL attacks
DROWN attack (CVE-2016-0800)
POODLE attack (CVE-2014-3566)
BEAST attack (CVE-2011-3389)
CRIME attack (CVE-2012-4929)
BREACH attack (CVE-2013-3587)
Heartbleed attack (CVE-2014-0160)
Qualys SSL Labs
Summary
Routing and Router Vulnerabilities
Routing fundamentals
Exploiting routing protocols
Routing Information Protocol
RIPv1 reflection DDoS
Open Shortest Path First
OSPF attacks
Disguised LSA
MaxAge LSAs
Remote false adjacency
Seq++ attack
Persistent poisoning
Defenses
Interior Gateway Routing Protocol
Enhanced Interior Gateway Routing Protocol
Border Gateway Protocol
BGP attacks
Exploiting routers
Router components
Router bootup process
Router attacks
The router exploitation framework
Summary
Internet of Things Exploitation
The IoT ecosystem
IoT project architecture
IoT protocols
The IoT communication stack
IP Smart Objects protocols suite
Standards organizations
IoT attack surfaces
Devices and appliances
Firmware
Web interfaces
Network services
Cloud interfaces and third-party API
Case study – Mirai botnet
The OWASP IoT Project
Insecure web interface
Insufficient authentication/authorization
Insecure network services
Lack of transport encryption
Privacy concerns
Insecure cloud interface
Insecure mobile interface
Insufficient security configurability
Insecure software/firmware
Poor physical security
Hacking connected cars
Threats to connected cars
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
Advanced Infrastructure Penetration Testing gives you the core skills and techniques you need to conduct effective penetration tests and evaluate an enterprise's security posture. The book teaches the crucial techniques used to exploit modern IT infrastructures through practical, hands-on experience. Every chapter takes you through the attack vectors and the corresponding system defenses, starting from the fundamentals and moving on to the latest cutting-edge techniques and utilities.
If you are a system administrator, SOC analyst, penetration tester, or a network engineer and want to take your penetration testing skills and security knowledge to the next level, then this book is for you. Some hands-on experience with penetration testing tools and knowledge of Linux and Windows command-line syntax would be beneficial.
Chapter 1, Introduction to Advanced Infrastructure Penetration Testing, introduces you to the different methodologies and techniques of penetration testing and shows you how to perform a penetration testing program.
Chapter 2, Advanced Linux Exploitation, explains how to exploit Linux infrastructure using the latest cutting-edge techniques.
Chapter 3, Corporate Network and Database Exploitation, gives you an overview of real-world corporate networks and databases attacks in addition to the techniques and procedures to effectively secure your network.
Chapter 4, Active Directory Exploitation, discusses how to exploit Active Directory environments using the latest tools and techniques.
Chapter 5, Docker Exploitation, covers most of the well-known techniques to exploit Dockerized environments and explains how to defend against Docker threats.
Chapter 6, Exploiting Git and Continuous Integration Servers, explains the major threats to Continuous Integration servers and how to defend against them.
Chapter 7, Metasploit and PowerShell for Post-Exploitation, shows how to use Metasploit and PowerShell for post-exploitation to perform advanced attacks.
Chapter 8, VLAN Exploitation, explains how to perform many layer 2 attacks, including VLAN threats.
Chapter 9, VoIP Exploitation, covers the major threats to VoIP systems and discusses VoIP protocols.
Chapter 10, Insecure VPN Exploitation, helps you to exploit insecure virtual private networks from theory to practice.
Chapter 11, Routing and Router Vulnerabilities, gives you an interesting overview of routing protocols and routers and shows you how to exploit and secure them.
Chapter 12, Internet of Things Exploitation, provides a practical guide to securing modern IoT projects and connected cars.
To get the most from this book, readers should have some technical information security experience and be familiar with common administrative tools in Windows and Linux. Readers should read this book actively; in other words, after being exposed to new information or tools, it is highly recommended to practice and search for more scenarios and capabilities.
Read the book with a goal in mind and try to use it or a part of it as an action plan toward making your infrastructure more secure.
The following are the requirements:
Microsoft Windows OS
Kali Linux (installed or hosted in a virtual machine)
2 GB RAM or more
Internet access
Wireless card or adapter supporting Kali Linux
You can download the example code files for this book from your account at www.packtpub.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
1. Log in or register at www.packtpub.com.
2. Select the SUPPORT tab.
3. Click on Code Downloads & Errata.
4. Enter the name of the book in the Search box and follow the onscreen instructions.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Advanced-Infrastructure-Penetration-Testing. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it from https://www.packtpub.com/sites/default/files/downloads/AdvancedInfrastructurePenetrationTesting_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."
A block of code is set as follows:
def initialize
  super(
    'Name'        => 'TCP scanner',
    'Version'     => '$Revision: 1 $',
    'Description' => 'This is a Demo for Packt Readers',
    'License'     => MSF_LICENSE
  )
end
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
def initialize
  super(
    'Name'        => 'TCP scanner',
    'Version'     => '$Revision: 1 $',
    'Description' => 'This is a Demo for Packt Readers',
    'License'     => MSF_LICENSE
  )
end
Any command-line input or output is written as follows:
git clone https://github.com/laramies/theHarvester
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "To start a Nexpose scan, open a project, click on Create and select Site, for example. Then, enter a target IP or an IP range to start a scan."
Feedback from our readers is always welcome.
General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.
Security is a critical concern for enterprises and organizations of all sizes, in all industries. Information security is the set of processes, tools, policies, and systems implemented to protect information assets against internal and external threats that could damage or disrupt them. This book is hands-on and designed to take you through real-world techniques so that you gain the in-demand skills needed to step up to a new level in your penetration testing career. Every chapter is designed not only to teach you the methodologies, tools, and techniques used to simulate attacks, but also to leave you with a new mindset. In this chapter, you will be introduced to current penetration testing strategies and techniques. It walks you in detail through every step required to carry out an efficient penetration test, and then to evaluate a pentesting report against industry-accepted metrics. Once you have completed the chapter, you will be able to deliver a high-standard, well-documented penetration testing report, having practiced techniques for gathering information on a target, including sources beyond the surface web, and for moving beyond automated tools.
Before diving into penetration testing, let's start by reviewing some important information security terminology. The core principles of information security are confidentiality, integrity, and availability. Together, these principles constitute what we call the CIA triad.
Confidentiality asserts that information and data are accessible only to persons who are authorized to access them, and that the information is not disclosed to unauthorized parties. The theft of Personally Identifiable Information (PII) is an example of a confidentiality attack.
The aim of integrity is to protect information against unauthorized modification; in other words, to preserve the trustworthiness of data. Data has to remain consistent, accurate, and trustworthy at every stage of processing, storage, and transmission. Protection methods must be in place to detect any unauthorized change to data, for example cryptographic checksums or message authentication codes.
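The integrity paragraph above says that protection methods must be in place to detect changes in data. The following Python example is added here and is not code from the book: it shows why a plain hash is not an integrity control against an active attacker who can rewrite both the data and its stored digest, and how a keyed HMAC over the same record detects the tampering. The record, the key, and the function names are constructed for illustration; a real deployment would load the key from a secret store rather than hard-coding it.

```python
# Added example (not from the book): detecting unauthorized modification of a
# record, the "integrity" leg of the CIA triad, with an unkeyed hash versus an HMAC.
import hashlib
import hmac
import json

# Constructed sample record; in practice this could be a config file, a log
# entry, or a database row whose tampering we want to detect.
RECORD = {"user": "alice", "role": "analyst", "balance": 100}

# Assumed secret known only to the verifier. Hard-coded here for illustration
# only; load it from a key store in real code.
INTEGRITY_KEY = b"example-key-do-not-use"


def canonical(record: dict) -> bytes:
    # Canonical serialization so the same logical record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def unkeyed_digest(record: dict) -> str:
    # Plain SHA-256: detects accidental corruption, but anyone can recompute it.
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_tag(record: dict, key: bytes) -> str:
    # HMAC-SHA256: without the key an attacker cannot produce a valid tag.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_unkeyed(record: dict, stored_digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(record), stored_digest)


def verify_keyed(record: dict, stored_tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking the tag byte by byte through timing differences.
    return hmac.compare_digest(keyed_tag(record, key), stored_tag)


def tamper_demo() -> dict:
    """Return the outcome of each check for the original and a tampered record."""
    digest = unkeyed_digest(RECORD)
    tag = keyed_tag(RECORD, INTEGRITY_KEY)

    # Attacker rewrites the record and recomputes the public hash alongside it.
    tampered = dict(RECORD, role="admin", balance=10_000)
    forged_digest = unkeyed_digest(tampered)

    return {
        "original_unkeyed_ok": verify_unkeyed(RECORD, digest),
        # True: the attacker updated the hash too, so nothing is detected.
        "tampered_unkeyed_passes": verify_unkeyed(tampered, forged_digest),
        "original_keyed_ok": verify_keyed(RECORD, tag, INTEGRITY_KEY),
        # False: the attacker cannot forge a tag for the new contents.
        "tampered_keyed_passes": verify_keyed(tampered, tag, INTEGRITY_KEY),
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

Run it directly to print the four checks; the pair that matters is the tampered record, which passes the unkeyed check but fails the keyed one. The same reasoning applies to any integrity control: a verifier must hold something the attacker cannot recompute, whether a secret key as here or a signing key for digital signatures, and the stored digest must not live where the attacker can rewrite it along with the data.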
Availability seeks to ensure that information is accessible to authorized users whenever they need it. Denial of Service (DoS) is an example of an availability attack. High-availability clusters and backup copies are among the mitigations used against availability attacks.
Least privilege and need to know are complementary principles. Least privilege states that authorized users (and the processes acting for them) should be granted only the minimum access and authorization required to do their jobs. Need to know means that, in addition, a user must have a legitimate reason to access a specific piece of information before access is granted.
Defense in depth, or layered security, is an approach that stacks multiple independent security layers and controls so that the failure of any single one does not expose the system. Deploying multiple firewalls from different vendors is one example of a defense in depth approach to improving the security of a system.
Information Assurance (IA) refers to assuring the confidentiality, integrity, and availability of information and making sure that systems are protected during every phase of information processing. Policies, guidelines, identification of resource requirements, identification of vulnerabilities, and training are all forms of information assurance.
The main aim of an information security management program is to make sure that the business operates in an environment of reduced risk. This requires cooperation between organizational and operational parties throughout the whole process. An Information Security Management Framework (ISMF) is an example of a business-driven framework (policies, procedures, standards, and guidelines) that helps an information security professional establish an adequate level of security.
Hacking refers to gaining unauthorized access to a system in order to access or disclose data, typically by exploiting vulnerabilities in the information system. In this section, we will discuss the types of hackers and the phases of a hacking attack.
