Royce Davis - The Art of Network Penetration Testing: Taking over any company in the world

How to Take Over Any Company in the World

Royce Davis

To comment go to liveBook

Manning

Shelter Island

For more information on this and other Manning titles go to

manning.com

For online information and ordering of these and other Manning books, please visit manning.com. The publisher offers discounts on these books when ordered in quantity.

For more information, please contact

Special Sales Department

Manning Publications Co.

20 Baldwin Road

PO Box 761

Shelter Island, NY 11964

Email: orders@manning.com

2020 by Manning Publications Co. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.

Recognizing the importance of preserving what has been written, it is Mannings policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.

ISBN: 9781617296826

My name is Royce Davis, and Im a professional hacker, red teamer, penetration tester, offensive security guywe go by many names in this industry. For the past decade and change, I have been offering professional adversarial emulation services to a wide spectrum of clients in just about every business vertical you could imagine. Throughout that time, there has been no question in my mind which service companies are most interested in paying professional hackers to conduct. Im talking, of course, about the internal network penetration test (INPT).

The INPT is a complex enterprise engagement that can easily be summarized in a few sentences. An attacker (played by you) has managed to gain physical entry to a corporate office using any one of numerous and highly plausible techniques that are intentionally absent from the scope of this book. Now what? Armed with only a laptop loaded with hacker tools, and with no up-front knowledge of the companys network infrastructure, the attacker penetrates as far as they can into the companys corporate environment. Individual goals and objectives vary from engagement to engagement, company to company. Typically, though, a global domination scenario where you (the attacker) gain complete control of the network is more or less the primary objective driving an INPT.

In my career, Ive done hundreds of these engagements for hundreds of companies ranging from small businesses with a single IT guy to Fortune-10 conglomerates with offices on every continent.

What has surprised me the most during my journey is how simple the process is to take over a companys network from the inside regardless of the specifics of the companys size or industry vertical. It doesnt matter if the target is a bank in South Dakota, a video game company in California, a chemical plant in Singapore, or a call center in London. The networks are all configured more or less the same way. Sure, the individual technologies, hardware, and applications are wildly different from organization to organization, but the use cases are the same.

Businesses have employees who use devices to access centralized servers hosting documents and internal applications that the employees access using credentials to process requests, transactions, tickets, and information that ultimately help the company operate and make money. As an attacker, no matter what my target is, my method for identifying network hosts, enumerating their listening services (their attack surface), and discovering security weaknesses within the authentication, configuration, and patch mechanisms of those systems doesnt change from engagement to engagement.

After all these years and all these INPTs, I have decided to document my methodology for performing INPTs and provide a comprehensive set of actionable guidelines that someone fairly new to penetration testing can follow in step-by-step fashion to conduct a proper penetration test on their own. It is solely my opinion that such a resource is not available or, at least, was not available at the time I wrote this book.

Lots of professional training and certification programs exist that offer students a wide variety of valuable skills and techniques. I have hired and trained many such students, but even after graduating from the toughest and most highly respected training programs, many students dont really know how to do a penetration test. That is, I cant say to them, OK, youve got a gig with client XYZ starting next Monday; heres the statement of work (SOW), without them staring at me like a deer in headlights.

My commitment to you regarding this book is simple. If someone tasks you with performing a real network penetration test targeting a real network with hundreds or even thousands of computer systems, and if that engagement is scoped more or less in alignment with what Ill later describe as a typical INPT, you can satisfy the requirements of that engagement by following the steps laid out in this bookeven if youve never done a penetration test before.

Now, if youre a hacker dude/dudette and youre reading this out of pure enjoyment for the subject matter, youll definitely ask questions like, What about wireless attacks? and How come you dont cover anti-virus bypass? and Where is the section on buffer overflows? and more. My message to you is that in the professional world of adversarial emulation services, companies hire individuals to perform scoped engagements. The no-holds-barred, anything-goes approach, as exciting as it sounds, rarely (if ever) happens.

This book, rather than touching briefly on every topic related to ethical hacking, is a complete start-to-finish manual for conducting an entire INPT. It has everything you need to be successful in conducting the most common type of engagement youll be asked to perform should you enter a career in professional penetration testing.