THE HACKER PLAYBOOK 2
Practical Guide To Penetration Testing
Peter Kim
Copyright 2015 by Secure Planet LLC. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the author.
ISBN-13: 978-1512214567
ISBN-10: 1512214566
Library of Congress Control Number: 2015908471
CreateSpace Independent Publishing Platform
North Charleston, South Carolina
Book design and production by Peter Kim, Secure Planet LLC
Cover design by Dit Vannouvong
Publisher: Secure Planet LLC
Published: 1st July 2015
Dedication
To Kristen, our dog Dexter, and my family.
Thank you for all of your support,
even when you had no clue what I was talking about.
Preface
This is the second iteration of The Hacker Playbook (THP). For those who read the first book, this is an extension of that book. Below is an overview of all of the new vulnerabilities and attacks that will be discussed. In addition to the new content, attacks and techniques from the first book, which are still relevant today, are included to eliminate the need to refer back to the first book. So, what's new? Some of the updated attacks from the last year and a half include:
Heartbleed
ShellShock
Kerberos issues (Golden Ticket/Skeleton Key)
PTH Postgres
New Spear Phishing
Better/Cheaper Dropboxes
Faster/Smarter Password Cracking
New WIFI attacks
Tons of PowerShell scripts
Privilege Escalation Attacks
Mass network compromises
Moving laterally smarter
Burp Modules
Printer Exploits
Backdoor Factory
ZAP Proxy
Sticky Keys
NoSQL Injection
Commercial Tools (Cobalt Strike, Canvas, Core Impact)
Lab sections
And so much more
In addition to describing the attacks that have changed in the last couple years, I have attempted to incorporate all of the comments and recommendations received from readers of the first book into this second book. A more in-depth look into how to set up a lab environment in which to test your attacks is also given, along with the newest tips and tricks of penetration testing. Lastly, I tried to make this version easier to follow since many schools have incorporated my book into their curricula. Whenever possible, I have added lab sections that help provide a way to test a vulnerability or exploit.
What's not different? One of my goals from the first book was to make this as real-world as possible. I really tried to stay away from theoretical attacks and focused on what I have seen from personal experience and what actually worked. The second goal was to strengthen your core understanding as a penetration tester. In other words, I wanted to encourage you to use different methods to boost your value to your current or future company or client. Just running a vulnerability scanner and submitting that as your report provides no real benefit to a company. Also, penetration tests with an extremely limited scope will give a false sense of security. To THP1 readers, rest assured that although you may find some familiar information, there is a great deal of new information in THP2, which has double the content compared to its predecessor. Additionally, by popular demand, I have created a slew of scripts and tools to help you in your hacking adventure. This was probably one of the top requests by readers, so I have included a ton of scripts located in my Github ( https://github.com/cheetz ) and tried to make it easier to follow.
For those who did not read the first book, you might be wondering what experience I have as a penetration tester. My background comes from eight years of penetration testing for major financial institutions, large utility companies, Fortune 500 entertainment companies, and government organizations. I have also spent years teaching offensive network security, spoken at Toorcon/Derbycon/BayThreat, been referenced in many security publications, and currently run a security community of over 300 members in Southern California. My hope is that you will be able to take what I have learned and incorporate it into your own security lifestyle.
From a technical standpoint, many tools and attacks have changed in the past couple years. With attacks like pass-the-hash, and with Group Policy Preferences getting patched, the process and methods of attackers have changed.
One important note is that I am using both commercial tools and open source. For every commercial tool, I try to give an open source counterpart. I occasionally run into some pentesters that say they only use open source tools. As a penetration tester, I find this a hard statement to take. If you are supposed to emulate a real-world attack, and the bad guys do not have these restrictions, then you need to use any tool that works to get the job done.
Who is this book intended for? You need to have some experience with Microsoft Active Directory, a solid understanding of Linux, some networking background, some coding experience (Bash, Python, Perl, Ruby, PHP, C, or anything along that line), and experience using security tools like vulnerability scanners and exploit tools (e.g., Metasploit). If you don't have the background, but are interested in getting into security, I would suggest making sure you have the basics down. You can't just jump into security without the basic knowledge of how things work first.
This book is not just for those looking to get into or who currently are in the offensive fields. This book provides valuable information and insight for incident responders as well, as they need to know how attackers think and what methods they use.
Lastly, I want to discuss a bit about the difference between researchers and penetration testers. Many times, these two professions blend together, as both need to be knowledgeable in both areas. However, in this book, I separate the two areas slightly and focus on penetration testing. To clarify, in this book, a researcher is one who focuses on a single or limited scope and spends more time reversing the application/protocol/OS. Their goal is to discover an unknown exploit for that particular vulnerability. On the other hand (and remember this is a generalization), a penetration tester takes what is already known to compromise systems and applications. There will always be some overlap: a pentester will still fuzz vulnerabilities (for example, web parameters) and find zero-days, but he/she might not spend as much time finding all the issues as a researcher might.
Last Notes and Disclaimer
This book is not going to turn you into some sort of super hacker. It takes a lot of practice, research, and a love for the game. This book will hopefully make you think outside the box, become more creative, and help grow your understanding of flaws that occur in systems.
Just remember, ONLY test systems on which you have written permission. Just Google the term "hacker jailed" and you will see plenty of different examples where young teens have been sentenced to years in prison for what they thought was a fun time. There are many free platforms where legal hacking is allowed and will help you further educate yourself.
Introduction
You have been hired as a penetration tester for a large industrial company called Secure Universal Cyber Kittens, Inc. or SUCK, for short. They are developing future weapons to be used by the highest bidder and you have been given the license to kill... okay, maybe not kill, but the license to hack. This authorization gives you full approval to use any tactic in your arsenal to try to break into and steal the company's trade secrets.
As you pack your laptop, drop boxes, rubber duckies, Proxmarks, and cables, you almost forget the most important thing: The Hacker Playbook 2 (THP). You know that THP will help get you out of some of the stickiest situations. Your mind begins hazing back to your last engagement...