Get up to speed with various penetration testing techniques and resolve security threats of varying complexity
Book Description
Sending information via the internet is not entirely private, as evidenced by the rise in hacking, malware attacks, and security threats. With the help of this book, you'll learn crucial penetration testing techniques to help you evaluate enterprise defenses.
You'll start by understanding each stage of pentesting and deploying target virtual machines, including Linux and Windows. Next, the book will guide you through performing intermediate penetration testing in a controlled environment. With the help of practical use cases, you'll also be able to implement your learning in real-world scenarios. By studying everything from setting up your lab, information gathering and password attacks, through to social engineering and post exploitation, you'll be able to successfully overcome security threats. The book will even help you leverage the best tools, such as Kali Linux, Metasploit, Burp Suite, and other open source pentesting tools to perform these techniques. Toward the later chapters, you'll focus on best practices to quickly resolve security threats.
By the end of this book, you'll be well versed with various penetration testing techniques so as to be able to tackle security threats effectively.
Who this book is for
If you're just getting started with penetration testing and want to explore various security domains, this book is for you. Security professionals, network engineers, and amateur ethical hackers will also find this book useful. Prior knowledge of penetration testing and ethical hacking is not necessary.
Page count: 371
Year of publication: 2019
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Heramb Bhavsar
Content Development Editor: Jordina Dcunha
Technical Editor: Mamta Yadav
Copy Editor: Safis Editing
Project Coordinator: Nusaiba Ansari
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Graphics: Jisha Chirayil
Production Coordinator: Shraddha Falebhai
First published: May 2019
Production reference: 1290519
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-83864-016-3
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Rishalin Pillay has over 12 years' cybersecurity experience, and has acquired a vast amount of skills consulting for Fortune 500 companies while taking part in projects performing tasks in network security design, implementation, and vulnerability analysis.
He holds many certifications that demonstrate his knowledge and expertise in the cybersecurity field from vendors such as ISC2, Cisco, Juniper, Checkpoint, Microsoft, CompTIA, and more.
Rishalin currently works at a large software company as a Senior Cybersecurity Engineer.
Chris Griffin has been involved in cybersecurity since 2002, starting in Security Operations Centre (SOC) and internal penetration testing. In 2004, he became a volunteer for ISECOM, helping with work on the Open Source Security Testing Methodology Manual (OSSTMM) and teaching OSSTMM certifications. This culminated in Chris becoming a board member at ISECOM in 2014.
Chris is a regular at various security conferences around the world—a list that is ever-growing. He has also reviewed several books and been a contributor to the book Hacking Linux Exposed 3rd Edition, written as an ISECOM project.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Learn Penetration Testing
Dedication
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Section 1: The Basics
Introduction to Penetration Testing
Technical requirements
What is penetration testing?
Stages of a penetration test
Pre-engagement
Scoping
Timelines
Dealing with third parties
Payment
Your "get out of jail free card" 
Intelligence gathering
Threat modeling
Vulnerability analysis
Exploitation
Post-exploitation
Reporting
Executive summary
Technical report
Getting started with your lab
Creating virtual machines in VMware, Hyper-V, and VirtualBox
Microsoft Hyper-V
VMware
VirtualBox
Target machines
Metasploitable
Summary
Questions
Getting Started with Kali Linux
Technical requirements
An introduction to Kali Linux
Installing and configuring Kali Linux
Installation
Installing Kali Linux on macOS
Installing Kali Linux using the Windows Subsystem for Linux (WSL)
Installing Kali Linux using VirtualBox
Configuring Kali Linux
Basic commands in Kali Linux
Scripting in Kali Linux
The essential tools of Kali Linux
Nmap
Aircrack-ng
John the Ripper (JTR) and Hydra
SET
Burp Suite
Summary
Questions
Section 2: Exploitation
Performing Information Gathering
Technical requirements
Passive information gathering
Using the internet 
Google dorks
Shodan
Shodan scripting
Using Kali Linux
Maltego
Active information gathering
Nmap
Vulnerability scanning
OpenVAS
Nessus
Capturing traffic
Wireshark
tcpdump
Summary
Questions
Mastering Social Engineering
Technical requirements
What is social engineering?
Pretexting 
Phishing 
Spear phishing 
Tailgating 
Social engineering tools
The social engineering toolkit (SET)
Gophish
Modlishka
Wifiphisher
Creating a social engineering campaign
Installing Modlishka
Executing the attack
Using SET to create a phishing campaign
Summary
Questions
Diving into the Metasploit Framework
Technical requirements
Introducing Metasploit
Updating the Metasploit Framework
Linking the Metasploit Framework to a database
Enhancing your experience within Metasploit
Using Metasploit to exploit a remote target
Finding modules
Exploit-DB
Rapid7 exploit database
0day.today
Adding modules
Metasploit options, shells, and payloads
Options
Shells
Payloads
Working with MSFvenom
Summary
Questions
Understanding Password Attacks
Technical requirements
Introduction to password attacks
Working with wordlists
Password profiling
Password mutation
Offline password attacks
John the Ripper
Hashcat
Online password attacks
Hydra
Medusa
Ncrack
Dumping passwords from memory
Summary
Questions
Working with Burp Suite
Technical requirements
Understanding Burp Suite
Preparing your environment
Installing Burp Suite Professional
Setting up OWASP BWA
Configuring your browser
Exploring and configuring Burp Suite components
Burp Suite tools
Proxy 
Target 
Scanner
Repeater
Intruder
Sequencer
Decoder
Comparer
Extender
Summary
Questions
Attacking Web Applications
Technical requirements
Preparing your environment
Types of web application security testing
The components of a web application
Web application architecture
Web application languages
Python
Ruby
Java
Understanding the HTTP protocol
HTTP requests and responses
Common web application attacks
Inclusion attacks (LFI/RFI)
Cross-Site Request Forgery (CSRF)
Cross-site scripting (XSS)
SQL injection (SQLi)
Command execution
Attacking web applications
Nikto
Using Sqlmap
Performing attacks using Sqlmap
Information gathering
Dumping user details from SQL tables
Creating a backdoor using PHP
Performing XSS attacks
Performing a reflective XSS attack
Performing a stored XSS attack
Performing a file inclusion attack
Performing a command execution attack
Summary
Questions
Getting Started with Wireless Attacks
Technical requirements
Exploring wireless attacks
Wireless network architecture
Wireless frames
Notable wireless frames
Wireless security protocols
WEP
WPA
Wi-Fi Protected Access version 2 (WPA2)
Wi-Fi Protected Access version 3 (WPA3)
Types of wireless attacks
Compatible hardware
Wireless adapters
Wireless attack tools
Wifiphisher
Aircrack-ng suite
Airmon-ng
Airodump-ng
Aireplay-ng
Airgeddon
The Evil Twin attack
Cracking WEP, WPA, and WPA2
Cracking WPA/WPA2
Cracking WEP
Summary
Questions
Section 3: Post Exploitation
Moving Laterally and Escalating Your Privileges
Technical requirements
Discovering post-exploitation techniques
Lateral movement
Privilege escalation
Pivoting
Preparing your environment
Post-exploitation tools
Metasploit Framework
Metasploit post modules
Empire
Responder
Mimikatz
Performing post-exploitation attacks
Performing credential harvesting
Performing Overpass-the-Hash
Performing lateral movement
Performing a Pass-the-Ticket attack
Summary
Questions
Antivirus Evasion
Technical requirements
The evolution of antivirus technologies
Out with the old
In with the new
Concepts of antivirus evasion
Antivirus evasion techniques
Encoders
Custom compiling
Obfuscation
Getting started with antivirus evasion
MSFvenom
Veil Evasion
TheFatRat
Custom compiling
Testing evasion techniques
VirusTotal
Summary
Questions
Maintaining Control within the Environment
Technical requirements
The importance of maintaining access
Techniques used to maintain access
Backdoor
C2
Linux cron jobs
Living off the land
Using tools for persistence
The Metasploit Framework
Empire
Summary
Questions
Section 4: Putting It All Together
Reporting and Acting on Your Findings
Technical requirements
The importance of a penetration testing report
What goes into a penetration test report?
Cover page
Executive summary
Background
Overall posture
Risk ranking
General findings
Strategic roadmap
Technical report
Tools used
Information gathering
Vulnerability assessment and exploitation
Post-exploitation
Conclusion
Tools for report writing
Methodologies
Nodes
Issues and evidence
Recommending remediation options
Information gathering
Social engineering
Vulnerabilities and OS hardening
Passwords
Web applications
Privilege escalation and lateral movement
Summary
Questions
Where Do I Go from Here?
Technical requirements
Knowledge maintenance
Network penetration testing
Wireless penetration testing
Web application penetration testing
Online training
Cybrary
Pentester Academy
Pentesterlab
Certifications
eLearnSecurity
Offensive security
Global Information Assurance Certifications (GIACs)
Toolkit maintenance
Purposefully vulnerable resources
Vulnhub
Hack The Box
Summary
Assessments
Chapter 1: Introduction to Penetration Testing
Chapter 2: Getting Started with Kali Linux
Chapter 3: Performing Information Gathering
Chapter 4: Mastering Social Engineering
Chapter 5: Diving into the Metasploit Framework
Chapter 6: Understanding Password Attacks
Chapter 7: Working with Burp Suite
Chapter 8: Attacking Web Applications
Chapter 9: Getting Started with Wireless Attacks
Chapter 10: Moving Laterally and Escalating Your Privileges
Chapter 11: Antivirus Evasion
Chapter 12: Maintaining Control within the Environment
Chapter 13: Reporting and Acting on Your Findings
Other Books You May Enjoy
Leave a review - let other readers know what you think
Penetration testing can be a complex topic, especially if you are someone who is just starting out in the field. When I wrote this book, I looked at my own situation and how overwhelmed I felt when I started working in penetration testing. There is a lot of great content available online, but knowing where to start was the point that I really got stuck on. I would find content that assumes you have some knowledge of penetration testing, or knowledge of how a certain tool works, and so on.
This book is geared to those who are looking at finding a good starting point on their career within penetration testing. The objective of the book is not to teach you flashy skills that you can use to break into networks, but rather to help you gain a good understanding of the technology while practicing your skills in a controlled environment using real-world tools.
The goal of the book is to give you a good, solid understanding of penetration testing by the time you've finished reading. You will be able to fully grasp the phases of a penetration test, how to perform various techniques, and how to use various tools.
This book is intended for those who wish to learn about penetration testing, but who only have minimal or no experience with this particular topic. The ideal person to read this book either has some basic IT education and knows the basics of Linux, or is self-taught and able to pick up new skills fast, through both theory and hands-on practice. Those who already have some skills in ethical hacking may find it easier to digest the contents of this book on a faster-than-average basis.
Chapter 1, Introduction to Penetration Testing, helps you to understand what a penetration test is. Here, we will introduce the stages of a penetration test and what happens at each stage. Having a lab is key for learning, so we will cover how to build your own lab environment using VMware, Hyper-V, or VirtualBox. We will discuss target virtual machines based on Windows and Linux, which you will use to practice your skills.
Chapter 2, Getting Started with Kali Linux, gets you started with a base operating system for penetration testing. Kali Linux is well known and used by both pentesters and attackers. We will cover the installation and setup of Kali Linux, as well as the basic commands and essential tools that are contained within Kali Linux. We will look at installing additional tools, maintaining updates of the tools, and how to leverage scripts within Kali Linux.
Chapter 3, Performing Information Gathering, gets you familiar with the various types of information gathering. We will cover various online resources and tools that can be used to gather information about your target. Techniques that are covered in this chapter include port scanning, vulnerability scanning, and traffic capturing.
Chapter 4, Mastering Social Engineering, focuses on one of the most common attack methods in the real world. Here, we will cover why social engineering is successful and how you can conduct social engineering attacks using various tools.
Chapter 5, Diving into the Metasploit Framework, focuses on a tool that speaks for itself. The Metasploit Framework is well known and is extremely flexible and robust. Here, you will learn about the various exploits that it contains and where to find additional ones. We will cover various components of the Metasploit Framework and how you can leverage this framework in a penetration test.
Chapter 6, Understanding Password Attacks, dives into the various types of password attacks that exist. We will cover the tools that are used for the various attacks. You will learn how to build wordlists, and where you can obtain additional wordlists that are prebuilt. You will use these skills to perform password cracking and to dump credentials from memory.
Chapter 7, Working with Burp Suite, teaches you how to use Burp Suite like a professional. Here, we will look at how you can obtain the latest version of Burp Suite Professional and the differences between the various editions. We will cover many aspects of the tool, and how to use the tool to perform various attacks.
Chapter 8, Attacking Web Applications, is where we turn our focus to web applications. Web applications have evolved dramatically over the years, and we will cover the various components of web applications and some of the languages that are used for development. You will learn about various attacks and how to perform them using your lab environment, with tools designed for web application attacks.
Chapter 9, Getting Started with Wireless Attacks, focuses on wireless technologies. To perform a penetration test on a wireless network, you need to understand the components of a wireless network, as well as the various wireless frames and tools that are used. We will cover all of these, including the hardware requirements for performing attacks against a wireless network.
Chapter 10, Moving Laterally and Escalating Your Privileges, focuses on post-exploitation. You will learn the various post-exploitation techniques that exist and the various tools that can be used. Here, we will focus on performing post-exploitation attacks on an Active Directory domain by taking advantage of the workings of the Kerberos protocol.
Chapter 11, Antivirus Evasion, looks at how antivirus technologies have evolved. Here, we will cover the various techniques that exist for antivirus evasion. We will look at the tools that can be used, and how to use the various tools when building a payload to avoid detection.
Chapter 12, Maintaining Control within the Environment, finalizes the post-exploitation phase by looking at how we can maintain a foothold within a compromised network. Here, we will look at various ways in which we can maintain persistence, and what tools can be used to accomplish our goal.
Chapter 13, Reporting and Acting on Your Findings, looks at an integral part of any penetration test. In this chapter, you will learn how to write a penetration testing report that is tailored to executives and technical staff. You will learn about the various recommendations that should be made to remediate some of the common findings that you would come across in a real-world penetration test.
Chapter 14, Where Do I Go from Here?, concludes the book by looking at how you can take your skills to the next level. We will cover some certifications and where you can obtain vulnerable operating systems that you can use to practice and enhance your skills.
In order to gain the most benefit from the practical aspects of this book, you will need to have a virtualization environment set up. This can be set up using VMware or VirtualBox. Hyper-V will work, but there is a restriction that does not allow you to link a wireless card directly to the virtual machine. This prevents you from performing wireless attacks if you have a compatible wireless card.
The penetration testing operating system of choice is Kali Linux. Having some basic Linux knowledge is not mandatory, but would be beneficial. Kali Linux contains hundreds of tools. We do not focus on all of them, but only on the tools that would get the job done. Occasionally, we will look at tools that are available on the internet, but the installation and setup steps are clearly defined within the book.
The target systems used in this book are predominantly freely available, such as Metasploitable and OWASP BWA. We will work with Windows Server and Windows 10 as a target operating system in some chapters; the evaluation editions of these operating systems will suffice. Having knowledge of how to set up Active Directory would be beneficial.
Finally, this book does not focus on a specific target operating system, instead focusing on teaching you how to use various techniques, methodologies, and tools to obtain the results you need. Your knowledge will increase over time as you continue to apply what you have learned and gain experience by practicing your skills with various other vulnerable machines found on the internet.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781838640163_ColorImages.pdf.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.
In this section, we will begin with the basics. You will learn about penetration testing and what it entails. Understanding the stages of a penetration test is the key to success. We will start to prepare our environment by using an operating system that is geared toward penetration testing—Kali Linux. You will learn how to set up and configure the various elements of Kali Linux.
The following chapters will be covered in this section:
Chapter 1, Introduction to Penetration Testing
Chapter 2, Getting Started with Kali Linux
In this chapter, we begin our journey by building a solid foundation. Having a good understanding of the basics of penetration testing will help you conduct a successful penetration test, as opposed to haphazardly scanning networks and performing tests blindly. We will define penetration testing and how it differs from other security assessments. Before the actual penetration test occurs, there are a few things that need to be done in order to ensure that the correct authorization is in place and the correct scope is defined. Every successful penetration testing student requires a lab environment—it can be daunting to build one, but don't despair. We will look at what options exist for a lab environment.
As you progress through the chapter, you will learn the following:
What is penetration testing?
Stages of a penetration test
Getting started with your lab
Creating virtual machines (VMs) in VMware, Hyper-V, and VirtualBox
This chapter has the following technical requirements:
Kali Linux version 2019.1
Any hypervisor, such as VMware, Hyper-V, or VirtualBox
Today, penetration testing is often confused with vulnerability assessments, red team assessments, and other security assessments. However, there are some differences between them, as follows:
Vulnerability assessment: This is the process of identifying vulnerabilities and risks in systems. In a vulnerability assessment, the vulnerability is not exploited. It merely highlights the risks so that the business can identify the risks and plan for remediation.
Penetration testing: This is the authorized process of finding and using vulnerabilities to perform an intrusion into a network, application, or host in a predefined time frame. Penetration testing can be conducted by an internal team or an external third party. Penetration testing goes one step further than a vulnerability assessment, in that a penetration test exploits the vulnerability to ensure it is not a false positive.
Penetration testing does not involve anything that is unauthorized or uncoordinated. During a penetration test, some tests might affect business applications and cause downtime. For this reason, awareness at the management and staff levels is often required.
Red team assessment: This is similar to a penetration test, but it's more targeted. Whereas a penetration test's main aim is to discover multiple vulnerabilities and exploit them, the goal of a red team assessment is to test an organization's response capabilities and act on the vulnerabilities that will meet the team's goals. In a red team assessment, the team will attempt to access information in any way possible and remain as quiet as possible. Stealth is key in a red team assessment, and the duration of the assessment is much longer than that of a penetration test.
As you start your penetration testing journey, it's important to understand what penetration testing is. To illustrate what penetration testing is, let's consider a scenario.
You currently own an organization that holds customer data. Within your organization, you have SQL databases, public-facing websites, internet-facing servers, and a sizeable number of users. Your organization is a prime target for a number of attacks, such as SQL injections, social engineering against users, and weak passwords. Should your organization be compromised, there is a risk of customer data being exposed, and more.
In order to reduce your exposure to risks, you need to identify the holes in your current security posture. Penetration testing helps you to identify these holes in a controlled manner before an attacker does. Penetration testing uses real-world attacks that attackers would leverage; the aim is to obtain accurate information as to how deep an attacker could go within your network and how much information the attacker could obtain. The results of a penetration test give organizations an open view of the vulnerabilities and allow them to patch these before an adversary can act on them.
Think of penetration testing as looking through the eyes of an enemy.
As the security maturity of organizations differs, so will the scope of your penetration tests. Some organizations might have really good security mechanisms in place, while others might not. As businesses have policies, business continuity plans, risk assessments, and disaster recovery as integral parts of their overall security, penetration testing needs to be included.
Now that you understand what penetration testing is, you may be wondering what the flow of a penetration test is. Penetration testing has a number of stages, and each stage forms an important part of the overall penetration test.
The following stages follow the Penetration Testing Execution Standard (PTES), which I found to be a great starting point. The full standard can be found at http://www.pentest-standard.org/.
This is the most important phase in every penetration test. In this phase, you start defining the blueprint for the penetration test and align this blueprint to the business goals of the client. The aim is to ensure that everyone involved is on the same page and expectations are set well in advance.
During this phase, as a penetration tester, you need to take time to understand your client's requirements and goals. For example, why is the client performing a penetration test? Was the client compromised? Is the client performing the penetration test purely to meet a compliance requirement, or does the client intend to perform remediation on the findings? Talking to the client and understanding their business goals will help you plan and scope your penetration test so that any sticky situation can be avoided.
The pre-engagement phase consists of a few additional components that you need to consider.
This component defines what will be tested. Here, the key is in finding a balance between time, cost, and the goals of the business. It's important to note that everything agreed upon during the scope must be clearly documented and all legal implications must be considered.
During this component, you will ask questions such as the following:
What is the number of IP address ranges or systems that will be tested?
Does the penetration test cover physical security, wireless networks, application servers, social engineering, and so on?
What is off-limits for the penetration test? The business might have mission-critical systems that could lead to loss of revenue if these are affected by the penetration test.
Will the penetration test be onsite or offsite?
Are there any third-party servers that are in the scope of the penetration test?
Are you performing a white-box, grey-box, or black-box penetration test?
While you work on scoping your penetration test, be very careful of scope creep. Scope creep is any additional work that is not agreed upon during the initial scope. It introduces risks to your penetration test, which can lead to loss of revenue for you, an unsatisfied client, and even legal implications. Scope creep is a trap that you can easily fall into.
Keep in mind the cost of a penetration test when in the scoping phase. Penetration test prices vary depending on what needs to be tested. For example, testing a complex web application will require a lot more time and effort, therefore the cost will be a lot more when compared to a simple network penetration test. The regularity with which you conduct the penetration test is another factor that affects the cost.
Timelines can be set by the client as to when you are allowed to perform the penetration test. Some clients might have business-critical servers that are patched during a specific time window, and these servers might be off-limits during that time.
Ensure that the start and end dates are defined. This allows the penetration test to have a defined end date.
Today, many businesses are utilizing cloud services, so there is a high probability that you will encounter cloud-hosted systems within your penetration testing scope. It's important to keep in mind who owns what. In a cloud environment, the underlying infrastructure is owned and operated by the cloud provider, not by the business you are testing for, and it is often shared with other customers of that provider.
Big players in the cloud space, such as Microsoft, Amazon, and Google, all publish penetration testing policies or rules-of-engagement documents. These documents detail what you are allowed to do and what you are not allowed to do; activities that affect the shared infrastructure, such as denial-of-service testing, are typically prohibited.
Check the provider's current policy for every cloud service within your scope, and obtain any notification or approval it requires before you start; failure to do so might lead to legal consequences for you and for the client.
Discussions around payment terms are crucial, as it's common for large organizations to delay payments. You need to define your payment terms upfront. Clear dates should be defined as to when payments should be made.
Don't forget to define the costs; for example, you will perform a penetration test on 10 IP addresses at a cost of $500 per IP address.
As you perform penetration testing, you will uncover multitudes of information that are valuable to real-world attackers, and you will be performing activities that would be illegal without authorization. The only thing that separates a penetration tester from a malicious hacker is permission.
Obtaining the relevant permission, in writing and signed by someone with the authority to grant it, forms your "get out of jail free card". The permission that is provided by the business details any constraints and authorizes you to perform the activities defined in your scoping agreement.
It's a formal approval from the business to begin the penetration test.
Once you have completed the pre-engagement phase, you need to gather as much information as you can before you begin your attack. In the intelligence-gathering phase, also referred to as information gathering, you start looking at how much information you can obtain about your target. You will gather information from publicly accessible resources. This is known as Open Source Intelligence (OSINT). You will start leveraging tools that can assist you, such as Maltego and Shodan.
Intelligence gathering matters because it reveals potential entry points into the target organization. Businesses and employees often do not realize how much of their data they expose on the internet, so this data becomes a wealth of information for a determined attacker.
In Chapter 3, Performing Information Gathering, we will cover information gathering in more detail.
Once you have gathered information in the intelligence-gathering phase, you start working on threat modeling. In threat modeling, you begin to create a structure of threats and how they relate to your target's environment. For example, you will identify systems that hold valuable information, then you will identify the threats that pertain to those systems and what vulnerabilities exist in them that could allow an attacker to act on the threat.
Threat modeling has a few methodologies, such as the following:
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege (STRIDE)
Process for Attack Simulation and Threat Analysis (PASTA)
Visual, Agile, and Simple Threat Modeling (VAST)
There are a few tools that you can leverage for threat modeling; the most common being the following two:
Microsoft Threat Modeling Tool: https://aka.ms/tmt
OWASP Threat Dragon: https://www.owasp.org/index.php/OWASP_Threat_Dragon
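The STRIDE methodology is usually applied per element of a data-flow diagram: each kind of element (external entity, process, data store, data flow) attracts a fixed subset of the six threat categories, and flows that cross a trust boundary deserve the most attention. The following script is an added example, not code from the book or from either tool above. The per-element mapping follows the Microsoft SDL guidance, the priority rule is the example's own, and the model (an internet user talking to a web application in a DMZ, which talks to a database on an internal network) is constructed for illustration.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added example: builds a toy model (user -> webapp -> db), applies the
STRIDE-per-element mapping and ranks each threat by whether the flow
crosses a trust boundary and whether it is encrypted/authenticated.
"""
from dataclasses import dataclass
from typing import Dict, List

STRIDE: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: the categories that normally apply to each DFD element
# type (Microsoft SDL guidance). Letters are the keys of STRIDE above.
APPLICABLE: Dict[str, str] = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone, e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    encrypted: bool
    authenticated: bool   # does the receiver authenticate the sender?


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    priority: str   # "high", "medium" or "low" (this example's own scale)
    note: str


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply STRIDE-per-element to every element and data flow in the model."""
    by_name = {e.name: e for e in elements}
    threats: List[Threat] = []

    for e in elements:
        for letter in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[letter], "medium",
                                  f"{e.kind} in zone {e.zone}"))

    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        crosses = src.zone != dst.zone
        label = f"{f.src} -> {f.dst} ({f.protocol})"
        for letter in APPLICABLE["dataflow"]:
            # Tampering with, or reading, an unencrypted flow that crosses a
            # trust boundary is something an attacker on the path can do directly.
            if crosses and not f.encrypted and letter in "TI":
                priority, note = "high", "crosses trust boundary in the clear"
            elif crosses:
                priority, note = "medium", "crosses trust boundary"
            else:
                priority, note = "low", "stays inside one trust zone"
            threats.append(Threat(label, STRIDE[letter], priority, note))
        # A boundary-crossing flow whose sender is never authenticated lets the
        # sender be spoofed; STRIDE-per-element does not list S for flows, so
        # this refinement is added explicitly.
        if crosses and not f.authenticated:
            threats.append(Threat(label, STRIDE["S"], "high",
                                  "unauthenticated sender across trust boundary"))
    return threats


def by_priority(threats: List[Threat], priority: str) -> List[Threat]:
    return [t for t in threats if t.priority == priority]


# Constructed model for the example; not a real environment.
MODEL_ELEMENTS = [
    Element("user", "external", "internet"),
    Element("webapp", "process", "dmz"),
    Element("db", "datastore", "internal"),
]
MODEL_FLOWS = [
    Flow("user", "webapp", "https", encrypted=True, authenticated=False),
    Flow("webapp", "db", "tcp/1433", encrypted=False, authenticated=True),
]

if __name__ == "__main__":
    order = ("high", "medium", "low")
    for t in sorted(enumerate_threats(MODEL_ELEMENTS, MODEL_FLOWS),
                    key=lambda t: order.index(t.priority)):
        print(f"[{t.priority:6}] {t.target:28} {t.category:24} {t.note}")
```

Running the script lists 19 candidate threats for the toy model; the three ranked high are tampering with and disclosure of the unencrypted database connection, and spoofing of the unauthenticated internet user. These are the items that feed the vulnerability analysis phase next.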
Once you have defined the threats that could lead to compromise, it's time to discover what vulnerabilities exist for those threats. In the vulnerability analysis phase, you start to discover vulnerabilities in systems and how you can act upon them by using exploits.
Here, you will perform either active or passive analysis. Active analysis interacts directly with the target, so it is noisy; passive analysis observes without touching the target. Keep in mind that scanning and any failed exploit attempts can lead to detection.
Active vulnerability analysis can consist of the following:
Network scanners
Web application scanners
Automated vulnerability scanners
Passive vulnerability analysis can consist of the following:
Monitoring traffic
Analyzing metadata
Many vulnerability scanners exist today. Nessus is one of the most commonly used, but there are many others, such as OpenVAS, Nikto, and Qualys.
In the exploitation phase, you start focusing on obtaining access to systems and evading any security controls that stand in your way. Using the results of the vulnerability analysis phase, you can create a precise plan that you then execute.
In this phase, you will begin to work with many tools. Some exploits can be done easily, while others can be complex.
Post-exploitation covers activities that can be performed once a target is successfully exploited.
The post-exploitation phase really showcases your skills as a penetration tester. When malicious hackers breach a system, they start to trawl the environment looking for high-value targets. They also start creating backdoors so that they can easily revisit the compromised system.
As a penetration tester, you would perform tasks as if you were an attacker. Once you have breached a system, it's time to look for high-value targets and valuable information, attempt to access escalated privileges, move laterally, and look at how you can pivot.
In the final phase of penetration testing, findings need to be provided to the business in a meaningful way. Here, you would define everything from how you entered their environment to what you found. It's important to provide the business with recommendations on how to fix the gaps that you have exposed in your penetration test.
Your report should have an executive summary and a technical report. Each section needs to be tailored to the audience that you are presenting it to. For example, you would not say that you used the MS17-010 EternalBlue exploit to compromise a system in the executive summary, but you would say this in the technical report.
The executive summary will define the goals of the penetration test and provide an overview of the findings at a very high level. As the audience of the executive summary is usually the business decision-makers, you need to communicate on their level. In order to do that, the executive summary may contain the following sections:
Background: In the background section, you need to explain the purpose of the penetration test.
Overall posture: Here, you will define how effective the penetration test was in relation to the goals defined during the pre-engagement phase.
Risk ranking: This defines the overall risk rating assigned to the business. For example, the business might be at an extreme, high, moderate, or low risk. You have to explain this rating so that it is clear to the business why they fall into that risk rank.
General findings: This section provides a brief summary of the issues that were identified during the penetration test. Charts are often found here that highlight security risk categories; for example, missing patches and operating system hardening.
Recommendation summary: This outlines a high-level overview of what tasks should be performed to remediate the findings. Do not go into detail here, as details are covered in the technical report.
Strategic roadmap: This provides the business with an actionable roadmap to remediate the findings. This roadmap must be prioritized and be in line with the business-level potential impact. The roadmap can be broken down into parts, such as 1 to 3-month, 3 to 6-month, and 6 to 12-month plans. Within each section, there should be actions defined; for example, within the 1 to 3-month plan, the business should address quick wins such as missing patches.
The technical report will include a lot more detail compared to the executive summary. In the technical report, you will define the scope, information gathered, attack methods, and remediation steps in full. In this report, you can use technical terms that a technical audience will readily understand, such as remote shell, pass-the-hash, and NTLM hashes.
The technical report will include the following sections:
Introduction: This part will include topics such as the scope of the penetration test, contacts, systems involved, and approach.
Information gathering: Here, you will explain how much information you were able to gather on the targets. In this section, you can dive deeper to highlight what information was obtained by passive intelligence (information publicly available on the internet, DNS records, IP address information, and so on), active intelligence (port scanning, footprinting, and so on), personnel intelligence (what information was obtained from social engineering, phishing, and so on), and so forth.
Vulnerability assessment: In this section, you will define what types of vulnerabilities were discovered, how they were discovered, and provide evidence of the vulnerability.
Exploitation/vulnerability verification: This section provides the detailed steps on how you acted on the vulnerabilities discovered. Details such as a timeline of the attack, targets, success/fail ratio, and level of access obtained should be included.
Post exploitation: Details included here would be activities such as escalation paths, data extraction, information value, how effective the countermeasures were (if any), persistence, and pivot points.
Risk/exposure: The results from the preceding sections are combined and tied to a risk and exposure rating. This section would contain information such as estimated loss per incident, the skill required to perform a certain attack, countermeasure strength, and risk ranking (critical, high, medium, low).
Conclusion: The conclusion should always end on a positive note. Here, you will highlight any guidance for increasing the business's security posture with a final overview of the penetration test.
Now that we have built our foundation on what penetration testing is, its phases, and how it differs from vulnerability assessments and red team assessments, it's time to dive into lab environments.
As you work through this book, you will learn how to use different tools in a controlled environment. In order to have a controlled environment, we will need to build one.
There are three options that we have for building a penetration lab. These are as follows:
Using a cloud provider
: Cloud providers such as Microsoft Azure, Amazon Web Services, and Google Cloud give you the flexibility and scalability of deploying systems at a fraction of the cost compared to purchasing dedicated hardware. The only catch with using a cloud provider is that you would probably require permission to perform penetration tests on your deployed services.
Using a high-powered laptop or desktop with virtualization software
: As high-powered laptops and desktops are relatively cheap, this would be the option that many prefer. By using virtualization software such as Microsoft Hyper-V, VMware, and Virtualbox, you can deploy a fully isolated network on your host computer.