Advanced Penetration Testing: Hacking the World's Most Secure Networks

Wil Allsopp

ISBN: 978-1-119-36766-6

Feb 2017

288 pages

$32.99

Description

Build a better defense against motivated, organized, professional attacks

Advanced Penetration Testing: Hacking the World's Most Secure Networks takes hacking far beyond Kali Linux and Metasploit to provide a more complex attack simulation. Featuring techniques not taught in any certification prep or covered by common defensive scanners, this book integrates social engineering, programming, and vulnerability exploits into a multidisciplinary approach for targeting and compromising high-security environments. From discovering and creating attack vectors, and moving unseen through a target enterprise, to establishing command and exfiltrating data—even from organizations without a direct Internet connection—this guide contains the crucial techniques that provide a more accurate picture of your system's defense. Custom coding examples use VBA, Windows Scripting Host, C, Java, JavaScript, Flash, and more, with coverage of standard library applications and the use of scanning tools to bypass common defensive measures.

Typical penetration testing consists of low-level hackers attacking a system with a list of known vulnerabilities, and defenders preventing those hacks using an equally well-known list of defensive scans. The professional hackers and nation states on the forefront of today's threats operate at a much more complex level—and this book shows you how to defend your high security network.

  • Use targeted social engineering pretexts to create the initial compromise
  • Leave a command and control structure in place for long-term access
  • Escalate privilege and breach networks, operating systems, and trust structures
  • Infiltrate further using harvested credentials while expanding control

Today's threats are organized, professionally run, and very much for-profit. Financial institutions, health care organizations, law enforcement, government agencies, and other high-value targets need to harden their IT infrastructure and human capital against targeted advanced attacks from motivated professionals. Advanced Penetration Testing goes beyond Kali Linux and Metasploit to provide advanced pen testing for high-security networks.

Foreword xxiii

Introduction xxvii

Chapter 1 Medical Records (In)security 1

An Introduction to Simulating Advanced Persistent Threat 2

Background and Mission Briefing 2

Payload Delivery Part 1: Learning How to Use the VBA Macro 5

How NOT to Stage a VBA Attack 6

Examining the VBA Code 11

Avoid Using Shellcode 11

Automatic Code Execution 13

Using a VBA/VBS Dual Stager 13

Keep Code Generic Whenever Possible 14

Code Obfuscation 15

Enticing Users 16

Command and Control Part 1: Basics and Essentials 19

The Attack 23

Bypassing Authentication 23

Summary 27

Exercises 28

Chapter 2 Stealing Research 29

Background and Mission Briefing 30

Payload Delivery Part 2: Using the Java Applet for Payload Delivery 31

Java Code Signing for Fun and Profit 32

Writing a Java Applet Stager 36

Create a Convincing Pretext 39

Signing the Stager 40

Notes on Payload Persistence 41

Microsoft Windows 41

Linux 42

OSX 45

Command and Control Part 2: Advanced Attack Management 45

Adding Stealth and Multiple System Management 45

Implementing a Command Structure 47

Building a Management Interface 48

The Attack 49

Situational Awareness 50

Using AD to Gather Intelligence 50

Analyzing AD Output 51

Attack Against Vulnerable Secondary System 52

Credential Reuse Against Primary Target System 53

Summary 54

Exercises 55

Chapter 3 Twenty-First Century Heist 57

What Might Work? 57

Nothing Is Secure 58

Organizational Politics 58

APT Modeling versus Traditional Penetration Testing 59

Background and Mission Briefing 59

Command and Control Part III: Advanced Channels and Data Exfiltration 60

Notes on Intrusion Detection and the Security Operations Center 64

The SOC Team 65

How the SOC Works 65

SOC Reaction Time and Disruption 66

IDS Evasion 67

False Positives 67

Payload Delivery Part III: Physical Media 68

A Whole New Kind of Social Engineering 68

Target Location Profiling 69

Gathering Targets 69

The Attack 72

Summary 75

Exercises 75

Chapter 4 Pharma Karma 77

Background and Mission Briefing 78

Payload Delivery Part IV: Client-Side Exploits 1 79

The Curse That Is Flash 79

At Least You Can Live Without It 81

Memory Corruption Bugs: Dos and Don’ts 81

Reeling in the Target 83

Command and Control Part IV: Metasploit Integration 86

Metasploit Integration Basics 86

Server Configuration 86

Black Hats/White Hats 87

What Have I Said About AV? 88

Pivoting 89

The Attack 89

The Hard Disk Firewall Fail 90

Metasploit Demonstration 90

Under the Hood 91

The Benefits of Admin 92

Typical Subnet Cloning 96

Recovering Passwords 96

Making a Shopping List 99

Summary 101

Exercises 101

Chapter 5 Guns and Ammo 103

Background and Mission Briefing 104

Payload Delivery Part V: Simulating a Ransomware Attack 106

What Is Ransomware? 106

Why Simulate a Ransomware Attack? 107

A Model for Ransomware Simulation 107

Asymmetric Cryptography 108

Remote Key Generation 109

Targeting Files 110

Requesting the Ransom 111

Maintaining C2 111

Final Thoughts 112

Command and Control Part V: Creating a Covert C2 Solution 112

Introducing the Onion Router 112

The Torrc File 113

Configuring a C2 Agent to Use the Tor Network 115

Bridges 115

New Strategies in Stealth and Deployment 116

VBA Redux: Alternative Command-Line Attack Vectors 116

PowerShell 117

FTP 117

Windows Scripting Host (WSH) 118

BITSadmin 118

Simple Payload Obfuscation 119

Alternative Strategies in Antivirus Evasion 121

The Attack 125

Gun Design Engineer Answers Your Questions 126

Identifying the Players 127

Smart(er) VBA Document Deployment 128

Email and Saved Passwords 131

Keyloggers and Cookies 132

Bringing It All Together 133

Summary 134

Exercises 135

Chapter 6 Criminal Intelligence 137

Payload Delivery Part VI: Deploying with HTA 138

Malware Detection 140

Privilege Escalation in Microsoft Windows 141

Escalating Privileges with Local Exploits 143

Exploiting Automated OS Installations 147

Exploiting the Task Scheduler 147

Exploiting Vulnerable Services 149

Hijacking DLLs 151

Mining the Windows Registry 154

Command and Control Part VI: The Creeper Box 155

Creeper Box Specification 155

Introducing the Raspberry Pi and Its Components 156

GPIO 157

Choosing an OS 157

Configuring Full-Disk Encryption 158

A Word on Stealth 163

Configuring Out-of-Band Command and Control Using 3G/4G 164

Creating a Transparent Bridge 168

Using a Pi as a Wireless AP to Provision Access by Remote Keyloggers 169

The Attack 171

Spoofing Caller ID and SMS Messages 172

Summary 174

Exercises 174

Chapter 7 War Games 175

Background and Mission Briefing 176

Payload Delivery Part VII: USB Shotgun Attack 178

USB Media 178

A Little Social Engineering 179

Command and Control Part VII: Advanced Autonomous Data Exfiltration 180

What We Mean When We Talk About “Autonomy” 180

Means of Egress 181

The Attack 185

Constructing a Payload to Attack a Classified Network 187

Stealthy 3G/4G Software Install 188

Attacking the Target and Deploying the Payload 189

Efficient “Burst-Rate” Data Exfiltration 190

Summary 191

Exercises 191

Chapter 8 Hack Journalists 193

Briefing 193

Advanced Concepts in Social Engineering 194

Cold Reading 194

C2 Part VIII: Experimental Concepts in Command and Control 199

Scenario 1: C2 Server Guided Agent Management 199

Scenario 2: Semi-Autonomous C2 Agent Management 202

Payload Delivery Part VIII: Miscellaneous Rich Web Content 205

Java Web Start 205

Adobe AIR 206

A Word on HTML5 207

The Attack 207

Summary 211

Exercises 211

Chapter 9 Northern Exposure 213

Overview 214

Operating Systems 214

Red Star Desktop 3.0 215

Red Star Server 3.0 219

North Korean Public IP Space 221

The North Korean Telephone System 224

Approved Mobile Devices 228

The “Walled Garden”: The Kwangmyong Intranet 230

Audio and Video Eavesdropping 231

Summary 233

Exercises 234

Index 235