Sharpen your pentesting skill in a bootcamp
This book is for IT security enthusiasts and administrators who want to understand penetration testing quickly.
Penetration Testing Bootcamp delivers practical learning modules in manageable chunks. Each chapter is delivered in a day, and each day builds your competency in penetration testing.
This book begins by taking you through the basics and shows you how to set up and maintain a command and control (C&C) server. You will learn how to scan for vulnerabilities and use Metasploit, how to set up connectivity to a C&C server, and how to maintain that connectivity for intelligence gathering and offsite processing. Using tcpdump filters, you will gain an understanding of sniffing and spoofing traffic. The book also teaches you the importance of clearing up the tracks you leave behind after the penetration test and shows you how to build a report from all the data obtained during the test.
In totality, this book will equip you with instructions through rigorous tasks, practical callouts, and assignments to reinforce your understanding of penetration testing.
This book is delivered in the form of a 10-day boot camp style book. The day-by-day approach will help you get to know everything about penetration testing, from the use of network reconnaissance tools, to the writing of custom zero-day buffer overflow exploits.
Page count: 260
Year of publication: 2017
Quickly get up and running with pentesting techniques
BIRMINGHAM - MUMBAI
Copyright © 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: June 2017
Production reference: 1230617
ISBN 978-1-78728-874-4
www.packtpub.com
Authors
Jason Beltrame
Copy Editor
Safis Editing
Reviewer
Kubilay Onur Gungor
Project Coordinator
Kinjal Bari
Commissioning Editor
Pratik Shah
Proofreader
Safis Editing
Acquisition Editor
Chandan Kumar
Indexer
Mariammal Chettiyar
Content Development Editor
Mamata Walkar
Graphics
Kirk D'Penha
Technical Editor
Naveenkumar Jain
Production Coordinator
Melwyn Dsa
Jason Beltrame is a Systems Engineer for Cisco, living in the Eastern Pennsylvania Area. He has worked in the Network and Security field for 18 years, with the last 2 years as a Systems Engineer, and the prior 16 years on the operational side as a Network Engineer. During that time, Jason has achieved the following certifications: CISSP, CCNP, CCNP Security, CCDP, CCSP, CISA, ITILv2, and VCP5. He is a graduate from DeSales University with a BS in Computer Science. He has a passion for security and loves learning.
In his current role at Cisco, Jason focuses on Security and Enterprise Networks, but as a generalist SE, he covers all aspects of technology. Jason works with commercial territory customers, helping them achieve their technology goals based on their individual business requirements. His 16 years of real-world experience allows him to relate with his customers and understand both their challenges and desired outcomes.
I would like to thank my wife, Becky, for her support and love, as well as everything that she does. I would also like to thank both my children, Josh and Ryan, for supporting me along the way, and helping me relax and put things in perspective. Without this strong support system that I have, none of this would have been possible. Finally, I would like to thank Mike McPhee and Joey Muniz for their support in writing this new book.
Kubilay Onur Gungor has been working in the Cyber Security field for more than 8 years. He started his professional career with cryptanalysis of encrypted images using chaotic logistic maps. After working as a QA tester in the Netsparker Project, he continued his career in the penetration testing field. He performed many penetration tests and consultancies on the IT infrastructure of many large clients, such as banks, government institutions, and telecommunication companies.
Following his pentesting activities, he worked as a web application security expert and incident management and response expert at Sony Europe and Global Sony Electronics.
Kubilay believes in a multidisciplinary approach to cyber security and defines it as a struggle. With this approach, he has developed his own unique certification and training program, including penetration testing, malware analysis, incident management and response, cyber terrorism, criminal profiling, unorthodox methods, perception management, and international relations. Currently, this certification program is up and running in Istanbul as cyberstruggle.org. Besides security certificates, he holds certificates in foreign policy, brand management, surviving in extreme conditions, international cyber conflicts, the Anti-Terrorism Accreditation Board, and comparative terrorism and counter-terrorism studies.
For support files and downloads related to your book, please visit www.PacktPub.com.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www.packtpub.com/mapt
Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1787288749.
If you'd like to join our team of regular reviewers, you can e-mail us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
Planning and Preparation
Why does penetration testing take place?
Understanding the engagement
Defining objectives with stakeholder questionnaires
Scoping criteria
Documentation
Understanding the network diagram – onshore IT example
Data flow diagram
Organization chart
Building the systems for the penetration test
Penetration system software setup
Summary
Information Gathering
Understanding the current environment
Where to look for information – checking out the toolbox!
Search engines as an information source
Utilizing whois for information gathering
Enumerating DNS with dnsmap
DNS reconnaissance with DNSRecon
Checking for a DNS BIND version
Probing the network with Nmap
Checking for DNS recursion with NSE
Fingerprinting systems with P0f
Firewall reconnaissance with Firewalk
Detecting a web application firewall
Protocol fuzzing with DotDotPwn
Using Netdiscover to find undocumented IPs
Enumerating your findings
Summary
Setting up and maintaining the Command and Control Server
Command and control servers
Setting up secure connectivity
Inside server SSH setup
Command and control server SSH setup
Setting up a reverse SSH tunnel
stunnel to the rescue
stunnel setup on the client – Raspberry Pi
Verifying automation
Automating evidence collection
File utilities
Playing with tar
Split utility
Summary
Vulnerability Scanning and Metasploit
Vulnerability scanning tools
Scanning techniques
OpenVAS
Getting started with OpenVAS
Performing scans against the environment
Getting started with Metasploit
Exploiting our targets with Metasploit
Understanding client-side attacks
Using BeEF for browser-based exploitation
Using SET for client-side exploitation
Summary
Traffic Sniffing and Spoofing
Traffic sniffing tools and techniques
Sniffing tools
Tcpdump
WinDump
Wireshark
Understanding spoofing attacks
ARP spoofing
Ettercap
SSLStrip
Intercepting SSL traffic with SSLsplit
Summary
Password-based Attacks
Generating rainbow tables and wordlists
Creating rainbows with RainbowCrack
Crunching wordlists
Online locations
Cracking utilities
John the Ripper
THC-Hydra
Ncrack
Medusa
Social engineering experiments
Impersonation to get the goods
Scenario 1
Scenario 2
Dumpster diving
Free USB drives for all!!
Summary
Attacks on the Network Infrastructure
attacks
snmp-check
Rogue DHCP server
Denial-of-service checks
Various attacks with hping3
Land attacks with hping3
Smurf attacks using hping3
MAC flooding with Macof
Wireless-based attacks
Cracking WPA2 with aircrack-ng
Monitoring the airway with Kismet
Attacking WEP with wifite
Bluetooth probing
Bluelog
Btscanner
Blueranger
Scanning with Hcitool
Physical security considerations
Secure access
Employee/vendor identification
Summary
Web Application Attacks
Manipulation by client-side testing
Cross-site scripting attacks
Reflected XSS attack
Stored XSS attack
Using OWASP ZAP to find session issues
Infrastructure and design weaknesses
Uniscan
Using Skipfish for web application recon
Identity-based testing
Role based access control
Apache-users
Wfuzz
Validating data, error handling, and logic
SQL Injection fun with Sqlmap
Error handling issues
Session management
Burp suite with intercept
Using XSS for cookie retrieval
Summary
Cleaning Up and Getting Out
Cleaning up any trails left behind
Covering your tracks
Clearev with Metasploit
Shredding files with shred
CLI tips for hiding your tracks
ClearLogs for Windows
Using DD and mkfs to clear drives
LUKS Nuke blowing up partition
Destroying equipment
Stakeholder-sponsored destruction
Destruction by the penetration tester
Summary
Writing Up the Penetration Testing Report
Gathering all your data
Importance of defining risk
Structure of a penetration test report
Cover sheet
Table of contents
Executive summary
The scope of the project
Objectives of the penetration test
Description of risk rating scale
Summary of findings
Detailed findings
Conclusion
Appendix A - tools used
Appendix B - attached reports
Appendix C - attached diagrams
About your company
Building the report
Delivering the report
Summary
Penetration testing is becoming an important skill set for any individual to have within their toolset with the proliferation of security threats in today's modern landscape. The issue at hand is that many individuals just don't know where to start learning the proper way to run a penetration test for their organization. The focus of this book is to help individuals understand the penetration testing process as well as learn about the different aspects of the penetration test. Using a Raspberry Pi running Kali Linux, along with various workstations and servers, we will go through various testing scenarios using open source tools, not only telling you how to use these tools but also showing you how to interpret the results. This way, as you work your way through the book, you can apply what you learn daily to whichever penetration testing project you may be working on.
Chapter 1, Planning and Preparation, gets you started with the penetration testing process by using real world examples of what is required to prepare. This allows you to build the foundation of the penetration test by discussing what the goals are as well as getting buy-in from management.
Chapter 2, Information Gathering, shows the reader how to start gathering information about the environment as well as the type of information to obtain. Reconnaissance is a very important step and can make or break the penetration test.
Chapter 3, Setting up and maintaining the Command and Control Server, covers setting up connectivity to a C&C server that can help you with intelligence gathering and offsite processing.
Chapter 4, Vulnerability Scanning and Metasploit, focuses on scanning the environment for vulnerabilities and then using this information to try and exploit the targets that are found.
Chapter 5, Traffic Sniffing and Spoofing, gets you started on how to sniff the network and then utilize this information to run various attacks like Man-in-the-Middle attacks and spoofing attacks to gain even more insight and intelligence of what is happening on the network.
Chapter 6, Password-based Attacks, shows you the process of running various password-based attacks, obtaining credentials, and utilizing this information for future penetration testing attacks.
Chapter 7, Attacks on the Network Infrastructure, looks at the infrastructure as part of the penetration test. We will explore tools to find various holes within the infrastructure before the bad guys do.
Chapter 8, Web Application Attacks, explores how to probe and exploit web applications as part of our penetration test.
Chapter 9, Cleaning Up and Getting Out, focuses on the importance of cleaning up your tracks left behind after the penetration test is complete.
Chapter 10, Writing Up the Penetration Testing Report, the final culmination of the book, shows not only the importance of the penetration testing report but also how to format it and fill it with the data that was obtained during our tests.
To be able to utilize the concepts and examples in this book, having a Raspberry Pi 3 with Kali Linux is definitely recommended. It is also recommended to have additional workstations/laptops available, not only to help test but also to process some of the more hardware-intensive tools. Kali Linux is the operating system of choice, as are the other utilities/tools discussed in this book. These are all open source, meaning they are free to download and use. The hardware and software covered in this book are not required if you are just looking to learn about the process of penetration testing.
This book is designed for anyone who wants to learn how a penetration test works. The layout of the book allows the reader to follow along with what they are learning on a chapter-by-chapter basis and apply it to their real-life penetration tests. The great thing about the topics in this book is that, even though it is written so you can put the knowledge you are learning to practical use as you go, you are not required to use it that way. Just reading through the book will allow you to understand the penetration testing process from start to finish. Prior knowledge of networking and Linux would be an advantage; however, it is not required to follow the concepts covered in this book. Additionally, a base-level understanding of security and penetration tests will definitely be advantageous but is not required, thanks to the many examples within the book.
Feedback from our readers is always welcome. Let us know what you think about this book-what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books-maybe a mistake in the text or the code-we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.
To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.
Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at [email protected] with a link to the suspected pirated material.
We appreciate your help in protecting our authors and our ability to bring you valuable content.
If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.
Proper planning and preparation are key to a successful penetration test. It is definitely not as exciting as some of the tasks we will perform later in the penetration test, but it lays the foundation for everything that follows. There are a lot of moving parts to a penetration test, and you need to make sure that you stay on the correct path and know just how far you can and should go. The last thing you want to do in a penetration test is cause a customer outage because you took down their application server with an exploit test (unless, of course, they want you to go to that depth) or scanned the wrong network. Either of these would make your penetration-testing career a rather short-lived one.
In this chapter, the following topics will be covered:
Why does penetration testing take place?
Scoping meeting, stakeholder questionnaire, and documentation
Building the systems for the penetration test
Penetration system software setup
There are many reasons why penetration tests are necessary. Sometimes, a company may want to have a stronger understanding of their security footprint. Sometimes, they may have a compliance requirement that they have to meet. Either way, understanding why penetration testing is necessary will help you understand the goal of the company. Plus, it will also let you know whether you are performing an internal penetration test or an external penetration test. External penetration tests will follow the flow of an external user and see what they have access to, and what they can do with that access.
Internal penetration tests are designed to test internal systems, so typically, the penetration box will have full access to that environment, being able to test all software and systems for known vulnerabilities. Since tests have different objectives, we need to treat them differently; therefore, our tools and methodologies will be different.
One of the first tasks you need to complete prior to starting a penetration test is to have a meeting with the stakeholders and discuss various data points concerning the upcoming penetration test. This meeting could involve you as an external entity performing a penetration test for a client, or as an internal security employee doing the test for your own company. The important element here is that the meeting should happen either way, and the same type of information needs to be discussed.
During the scoping meeting, the goal is to discuss various items of the penetration test so that you have not only everything you need, but also full management buy-in with clearly defined objectives and deliverables. Full management buy-in is a key component for a successful penetration test. Without it, you may have trouble getting the required information from certain teams, or there may be scope creep, or general pushback.
This section goes over the various questions that I have used, and that I think are important for this type of engagement. They will help define clear and measurable objectives for the penetration tester.
Let's have a look at a questionnaire to determine the engagement criteria:
What is the objective of this penetration test?
What will be the deliverables required at the end of the penetration test?
What is the length of the penetration test, and is there any period of time when the penetration test cannot happen? (For example, the customer may have a busy period during the day when they don't want anything to interrupt their business processes)
Does the penetration test stop at finding vulnerabilities, or does it proceed to actively exploit them? (This question is important because the stakeholder may not want systems to be taken down or data modified or deleted, so we want to be sure we know the boundaries.) If exploiting systems is acceptable, should the penetration tester attempt lateral movement within the environment afterwards?
Will this be an internal penetration test, an external penetration test, or both?
Who are the contacts within the company?
Are there any compliance standards that the company needs to follow?
The following example questionnaire covers the scoping criteria. The first set of questions applies to a white-box test, where the tester is given intimate knowledge of the network before testing:
What are the subnets and/or IP addresses in the scope of this test?
Are there any systems that are out of scope?
Are there security devices within the network? (This is important because these devices may block access into an environment, and that will prevent testing the system correctly)
Is there any type of important data held or transferred within the environment?
Finally, if the penetration tester is working with more of a black-box mentality, the following questions are relevant for them, and for white-box testers as well:
Is guest access in scope as well?
Which corporate SSIDs are in scope?
What are the physical locations in scope for the test (if there are multiple locations)? Are all locations/networks dedicated, or are they shared with another company (for example, shared hosting or some cloud environments)?
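The answers to the scoping questions are only worth something if they are enforced once scanning starts. The following script is an added example, not part of the book, that turns three of those answers (the in-scope subnets, the out-of-scope systems, and the period when testing must not happen) into hard limits before a single packet leaves the penetration box: it validates every entry of a constructed in-scope list so a typo cannot point a scan at the wrong network, refuses to run inside a blackout window such as the customer's busy hours, and hands the in-scope and out-of-scope lists to nmap's own -iL and --excludefile options so the scanner itself never touches an excluded host. The file names scope.txt and exclude.txt, the RUN_SCAN guard, and the default blackout window of 09:00 to 17:00 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the book: enforce the scoping answers before any packet is sent.
# Assumed inputs: scope.txt (in-scope subnets/hosts, one per line), exclude.txt (out-of-scope
# hosts, one per line, in nmap --excludefile format), an output prefix for nmap -oA, and a
# blackout window given as start and end hour (24h local time, default 9 17).

# in_blackout NOW START END: true (0) when hour NOW lies in [START, END).
# A window whose end is before its start wraps past midnight, e.g. 22 6.
in_blackout() {
  now=$1; start=$2; end=$3
  if [ "$start" -le "$end" ]; then
    [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
  else
    [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
  fi
}

# valid_cidr ENTRY: true for a.b.c.d or a.b.c.d/N with octets 0-255 and N 0-32.
# Catches the typos (10.0.0/24, 300.1.1.1) that would otherwise scan the wrong network.
valid_cidr() {
  addr=${1%%/*}
  mask=${1#*/}
  [ "$mask" = "$1" ] && mask=32          # no prefix means a single host
  case $mask in ''|*[!0-9]*) return 1 ;; esac
  [ "$mask" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# check_scope_file FILE: every non-blank, non-comment line must pass valid_cidr.
check_scope_file() {
  [ -s "$1" ] || { echo "scope file $1 is empty or missing" >&2; return 1; }
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d ' \t\r')
    [ -z "$line" ] && continue
    case $line in \#*) continue ;; esac
    valid_cidr "$line" || { echo "not a valid host or CIDR entry: $line" >&2; bad=1; }
  done < "$1"
  return $bad
}

# Only run a scan when explicitly asked (RUN_SCAN=1); the functions above are safe to source.
if [ "${RUN_SCAN:-0}" = "1" ]; then
  scope=$1; exclude=$2; out=$3; start=${4:-9}; end=${5:-17}
  hour=$(date +%H); hour=${hour#0}
  if in_blackout "$hour" "$start" "$end"; then
    echo "hour $hour is inside the agreed blackout window $start-$end, not scanning" >&2
    exit 2
  fi
  check_scope_file "$scope" || exit 3
  [ -f "$exclude" ] || { echo "exclude file $exclude is missing" >&2; exit 3; }
  # Host discovery only as a first pass: in-scope list in, out-of-scope hosts never touched.
  nmap -sn -iL "$scope" --excludefile "$exclude" -oA "$out"
fi
```

Run it as `RUN_SCAN=1 sh scope_gate.sh scope.txt exclude.txt discovery 9 17` once the stakeholder has signed off on both files; keeping the exclude list in a file that nmap reads directly, rather than filtering results afterwards, is what stops an out-of-scope host from ever being probed.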
Documentation is an important part of the planning and preparation phase. Sometimes, this information is not provided to you, and you must glean it yourself. In Chapter 2, Information Gathering, we will focus on getting some of this information as well, if it is not all provided.
But hopefully, you can get some information about the environment prior to jumping into the penetration test. There are different types of documentation that are great to have prior to starting a penetration test. In the next couple of sections, we will see some of the main types of documentation that we need during the preparation phase.
A network diagram of the systems and devices that are in scope is important to get a good understanding of the network so you can start working on your overall penetration plan. This documentation will allow you to see what systems are in scope, as well as the path through the network and devices that are involved. A lot of organizations struggle with this type of documentation, so use it strictly as a guide. One of the deliverables might end up being a more comprehensive network diagram for you, based on what is discovered during the penetration test.
Network diagrams come in all shapes and sizes. The important thing is to have it for the in-scope networks and to show the main network devices, security devices, and hosts, if at all possible. The following is a sample network diagram that I created. This will give you a good idea of what to look for:
Data flow diagrams are probably one of the most important documents a penetration tester/assessor/auditor can have. The job of a data flow diagram is to show the flow of important data within the organization. The data can be of different types, including credit card information, proprietary company information, or even personally identifiable information (PII). Understanding how this type of data flows in the network, and which systems it interacts with, will help you, as the penetration tester, understand where to focus. This is important because it is where the hackers will focus as well.
Not every organization has this type of documentation; we have seen many companies that only produce data flow diagrams when an audit or assessment of some sort forces them to. Ideally, though, an organization should have data flow diagrams for all of its important data flows.
A great outcome of the penetration test is that this type of documentation may end up being verified by the penetration tests to show its accuracy. Documentation is often a low priority at most companies, unfortunately, so being able to keep it up to date is important.
Here is an example of a data flow diagram of a sample company we created, showing credit card information flowing throughout the network:
You may wonder why an organization chart is a valuable and required piece of documentation for a penetration test. But when you think about it, people in higher positions tend to be targeted because they have the power to transfer money or have access to important assets. Knowing the chain of command within an organization lets us, as penetration testers, identify other individuals who can be targeted in the hope of working all the way to the top. This information helps show the penetration tester whom to potentially target first. It may be easier for an attacker to get a junior accountant to click on a link and install malware that provides remote access than it would be to try the same approach with the CFO. The CFO will almost certainly have more access than the junior accountant, but once you have a foothold within an organization, moving around becomes a lot easier. Remember: people are typically the weakest link in security.
Here is a simple example of an organization chart:
With a clear understanding of expectations, deliverables, and scope, it is now time to start working on getting our penetration systems ready to go. For the hardware, I will be utilizing a decently powered laptop. The laptop is a MacBook Pro with 16 GB of RAM, a 256 GB SSD, and a quad-core 2.3 GHz Intel i7 running VMware Fusion. I will also be using the Raspberry Pi 3, which has a quad-core 1.2 GHz 64-bit ARMv8 CPU, 1 GB of RAM, and a 32 GB microSD card. Obviously, there is quite a power discrepancy between the laptop and the Raspberry Pi. That is okay though, because I will be using these two devices differently. Any task that requires real processing power will be done on the laptop. I love using the Raspberry Pi because of its small form factor and flexibility. It can be placed in just about any location we need, and if needed, it can be easily concealed.
For software, I will be using Kali Linux as my operating system of choice. Kali is a security-oriented Linux distribution that comes with a large set of security tools already installed. Its predecessor, BackTrack, was also a very popular security operating system. One of the benefits of Kali Linux is that it is also available for the Raspberry Pi, which is perfect in our circumstance. This way, we can have a consistent platform between the devices we plan to use in our penetration-testing labs. Kali Linux can be downloaded from https://www.kali.org. For the Raspberry Pi, the Kali images are managed by Offensive Security at https://www.offensive-security.com. As for the various tools, we will talk about those as we use them in other chapters.
Even though I am using Kali Linux as my software platform of choice, feel free to use whichever software platform you feel most comfortable with. In this book, we will be using a bunch of open source tools for testing. A lot of these tools are available for other distributions and operating systems.
Setting up Kali Linux on both systems is a bit different since they are different platforms. Since this is an intermediate-level book, we won't be diving into a lot of details about the installation, but we will be hitting all the major points. This is the process you can use to get the software up and running.
We will start with the installation on the Raspberry Pi:
Download the image from Offensive Security at https://www.offensive-security.com/kali-linux-arm-images/.
Open the Terminal app on OS X.
Using the xz utility, decompress the Kali image that was downloaded:
xz -d kali-2.1.2-rpi2.img.xz
Next, insert the USB microSD card reader with the microSD card into the laptop and list the disks that are attached so that you know the correct disk to put the Kali image on:
diskutil list
Once you know the correct disk, unmount it to prepare to write to it:
diskutil unmountDisk /dev/disk2
Now that you have the correct disk unmounted, you will want to write the image to it using the dd
