Penetration Testing with Kali Linux - Offensive Security


Penetration Testing with Kali Linux Syllabus, Updated February 2020

Penetration Testing with Kali Linux
Offensive Security
PWK
Copyright 2020 Offensive Security Ltd. All rights reserved.

Copyright 2020 Offensive Security Ltd. All rights reserved. No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author.

Table of Contents

1 Penetration Testing with Kali Linux: General Course Information
1.1 About The PWK Course
1.1.1 PWK Course Materials
1.1.2 Access to the Internal VPN Lab Network
1.1.3 The Offensive Security Student Forum
1.1.4 Live Support
1.1.5 OSCP Exam Attempt
1.2 Overall Strategies for Approaching the Course
1.2.1 Welcome and Course Information Emails
1.2.2 Course Materials
1.2.3 Course Exercises
1.2.4 PWK Labs
1.3 Obtaining Support
1.4 About Penetration Testing
1.5 Legal
1.6 The MegaCorpone.com and Sandbox.local Domains
1.7 About the PWK VPN Labs
1.7.1 Lab Warning
1.7.2 Control Panel
1.7.3 Reverts
1.7.4 Client Machines
1.7.5 Kali Virtual Machine
1.7.6 Lab Behavior and Lab Restrictions
1.8 Reporting
1.8.1 Consider the Objective
1.8.2 Consider the Audience
1.8.3 Consider What to Include
1.8.4 Consider the Presentation
1.8.5 The PWK Report
1.8.6 Note Taking
1.9 About the OSCP Exam
1.9.1 Metasploit Usage - Lab vs Exam

1.10 Wrapping Up
2 Getting Comfortable with Kali Linux
2.1 Booting Up Kali Linux
2.2 The Kali Menu
2.3 Kali Documentation
2.3.1 The Kali Linux Official Documentation
2.3.2 The Kali Linux Support Forum
2.3.3 The Kali Linux Tools Site
2.3.4 The Kali Linux Bug Tracker
2.3.5 The Kali Training Site
2.3.6 Exercises
2.4 Finding Your Way Around Kali
2.4.1 The Linux Filesystem
2.4.2 Basic Linux Commands
2.4.3 Finding Files in Kali Linux
2.5 Managing Kali Linux Services
2.5.1 SSH Service
2.5.2 HTTP Service
2.5.3 Exercises
2.6 Searching, Installing, and Removing Tools
2.6.1 apt update
2.6.2 apt upgrade
2.6.3 apt-cache search and apt show
2.6.4 apt install
2.6.5 apt remove --purge
2.6.6 dpkg
2.7 Wrapping Up
3 Command Line Fun
3.1 The Bash Environment
3.1.1 Environment Variables
3.1.2 Tab Completion
3.1.3 Bash History Tricks
3.2 Piping and Redirection
3.2.1 Redirecting to a New File

3.2.2 Redirecting to an Existing File
3.2.3 Redirecting from a File
3.2.4 Redirecting
3.3 Text Searching and Manipulation
awk
3.3.5 Practical Example
3.4 Editing Files from the Command Line
3.4.1 nano
3.4.2 vi
3.5 Comparing Files
3.5.1 comm
3.5.2 diff
3.5.3 vimdiff
3.6 Managing Processes
3.6.1 Backgrounding Processes (bg)
3.6.2 Jobs Control: jobs and fg
3.6.3 Process Control: ps and kill
3.7 File and Command Monitoring
3.7.1 tail
3.7.2 watch
3.8 Downloading Files
3.8.1 wget
3.8.2 curl
3.8.3 axel
3.9 Customizing the Bash Environment
3.9.1 Bash History Customization
3.9.2 Alias
3.9.3 Persistent Bash Customization
3.10 Wrapping Up
4 Practical Tools

4.1 Netcat
4.1.1 Connecting to a TCP/UDP Port
4.1.2 Listening on a TCP/UDP Port
4.1.3 Transferring Files with Netcat
4.1.4 Remote Administration with Netcat
4.2 Socat
4.2.1 Netcat vs Socat
4.2.2 Socat File Transfers
4.2.3 Socat Reverse Shells
4.2.4 Socat Encrypted Bind Shells
4.3 PowerShell and Powercat
4.3.1 PowerShell File Transfers
4.3.2 PowerShell Reverse Shells
4.3.3 PowerShell Bind Shells
4.3.4 Powercat
4.3.5 Powercat File Transfers
4.3.6 Powercat Reverse Shells
4.3.7 Powercat Bind Shells
4.3.8 Powercat Stand-Alone Payloads
4.4 Wireshark
4.4.1 Wireshark Basics
4.4.2 Launching Wireshark
4.4.3 Capture Filters
4.4.4 Display Filters
4.4.5 Following TCP Streams
4.5 Tcpdump
4.5.2 Filtering Traffic
4.5.3 Advanced Header Filtering
4.6 Wrapping Up
5 Bash Scripting
5.1 Intro to Bash Scripting
5.2 Variables
5.2.1 Arguments
5.2.2 Reading User Input

5.3 If, Else, Elif Statements
5.4 Boolean Logical Operations
5.5 Loops
5.5.1 For Loops
5.5.2 While Loops
5.6 Functions
5.7 Practical Examples
5.7.1 Practical Bash Usage – Example 1
5.7.2 Practical Bash Usage – Example 2
5.7.3 Practical Bash Usage – Example 3
5.8 Wrapping Up
6 Passive Information Gathering
6.1 Taking Notes
6.2 Website Recon
6.3 Whois Enumeration
6.4 Google Hacking
6.5 Netcraft
6.6 Recon-ng
6.7 Open-Source Code
6.8 Shodan
6.9 Security Headers Scanner
6.10 SSL Server Test
6.11 Pastebin
6.12 User Information Gathering
6.12.1 Email Harvesting
6.12.2 Password Dumps
6.13 Social Media Tools
6.13.2 Site-Specific Tools
6.14 Stack Overflow
6.15 Information Gathering Frameworks
6.15.1 OSINT Framework
6.15.2 Maltego
6.16 Wrapping Up

7 Active Information Gathering
7.1 DNS Enumeration
7.1.1 Interacting with a DNS Server
7.1.2 Automating Lookups
7.1.3 Forward Lookup Brute Force
7.1.4 Reverse Lookup Brute Force
7.1.5 DNS Zone Transfers
7.1.6 Relevant Tools in Kali Linux
7.2 Port Scanning
7.2.1 TCP / UDP Scanning
7.2.2 Port Scanning with Nmap
7.2.3 Masscan
7.3 SMB Enumeration
7.3.1 Scanning for the NetBIOS Service
7.3.2 Nmap SMB NSE Scripts
7.4 NFS Enumeration
7.4.1 Scanning for NFS Shares
7.4.2 Nmap NFS NSE Scripts
7.5 SMTP Enumeration
7.6 SNMP Enumeration
7.6.1 The SNMP MIB Tree
7.6.2 Scanning for SNMP
7.6.3 Windows SNMP Enumeration Example
7.7 Wrapping Up
8 Vulnerability Scanning
8.1 Vulnerability Scanning Overview and Considerations
8.1.1 How Vulnerability Scanners Work
8.1.2 Manual vs. Automated Scanning
8.1.3 Internet Scanning vs Internal Scanning
8.1.4 Authenticated vs Unauthenticated Scanning
8.2 Vulnerability Scanning with Nessus
8.2.1 Installing Nessus
8.2.2 Defining Targets
8.2.3 Configuring Scan Definitions

8.2.4 Unauthenticated Scanning With Nessus
8.2.5 Authenticated Scanning With Nessus
8.2.6 Scanning with Individual Nessus Plugins
8.3 Vulnerability Scanning with Nmap
8.4 Wrapping Up
9 Web Application Attacks
9.1 Web Application Assessment Methodology
9.2 Web Application Enumeration
9.2.1 Inspecting URLs
9.2.2 Inspecting Page Content
9.2.3 Viewing Response Headers
9.2.4 Inspecting Sitemaps
9.2.5 Locating Administration Consoles
9.3 Web Application Assessment Tools
9.3.2 DIRB
9.3.3 Burp Suite
9.3.4 Nikto
9.4 Exploiting Web-based Vulnerabilities
9.4.1 Exploiting Admin Consoles
9.4.2 Cross-Site Scripting (XSS)
9.4.3 Directory Traversal Vulnerabilities
9.4.4 File Inclusion Vulnerabilities
9.4.5 SQL Injection
9.5 Extra Miles
9.5.1 Exercises
9.6 Wrapping Up
10 Introduction to Buffer Overflows
10.1 Introduction to the x Architecture
10.1.1 Program Memory
10.1.2 CPU Registers
10.2 Buffer Overflow Walkthrough
10.2.1 Sample Vulnerable Code
10.2.2 Introducing the Immunity Debugger
10.2.3 Navigating Code

10.2.4 Overflowing the Buffer
10.2.5 Exercises
10.3 Wrapping Up
11 Windows Buffer Overflows
11.1 Discovering the Vulnerability
11.1.1 Fuzzing the HTTP Protocol
11.2 Win Buffer Overflow Exploitation
11.2.1 A Word About DEP, ASLR, and CFG
11.2.2 Replicating the Crash
11.2.3 Controlling EIP
11.2.4 Locating Space for Our Shellcode
11.2.5 Checking for Bad Characters
11.2.6 Redirecting the Execution Flow
11.2.7 Finding a Return Address
11.2.8 Generating Shellcode with Metasploit
11.2.9 Getting a Shell
11.2.10 Improving the Exploit
11.3 Wrapping Up
12 Linux Buffer Overflows
12.1 About DEP, ASLR, and Canaries
12.2 Replicating the Crash
12.3 Controlling EIP
12.4 Locating Space for Our Shellcode
12.5 Checking for Bad Characters
12.6 Finding a Return Address
12.7 Getting a Shell
12.8 Wrapping Up
13 Client-Side Attacks
13.1 Know Your Target
13.1.1 Passive Client Information Gathering
13.1.2 Active Client Information Gathering
13.2 Leveraging HTML Applications
13.2.1 Exploring HTML Applications
13.2.2 HTA Attack in Action

13.3 Exploiting Microsoft Office
13.3.1 Installing Microsoft Office
13.3.2 Microsoft Word Macro
13.3.3 Object Linking and Embedding
13.3.4 Evading Protected View
13.4 Wrapping Up
14 Locating Public Exploits
14.1 A Word of Caution
14.2 Searching for Exploits
14.2.1 Online Exploit Resources
14.2.2 Offline Exploit Resources
14.3 Putting It All Together
14.4 Wrapping Up
15 Fixing Exploits
15.1 Fixing Memory Corruption Exploits
15.1.1 Overview and Considerations
15.1.2 Importing and Examining the Exploit
15.1.3 Cross-Compiling Exploit Code
15.1.4 Changing the Socket Information
15.1.5 Changing the Return Address
15.1.6 Changing the Payload
15.1.7 Changing the Overflow Buffer
15.2 Fixing Web Exploits
15.2.1 Considerations and Overview
15.2.2 Selecting the Vulnerability
15.2.3 Changing Connectivity Information
15.2.4 Troubleshooting the “index out of range” Error
15.3 Wrapping Up
16 File Transfers
16.1 Considerations and Preparations
16.1.1 Dangers of Transferring Attack Tools
16.1.2 Installing Pure-FTPd
16.1.3 The Non-Interactive Shell
16.2 Transferring Files with Windows Hosts

16.2.1 Non-Interactive FTP Download
16.2.2 Windows Downloads Using Scripting Languages
16.2.3 Windows Downloads with exe2hex and PowerShell
16.2.4 Windows Uploads Using Windows Scripting Languages
16.2.5 Uploading Files with TFTP
16.3 Wrapping Up
17 Antivirus Evasion
17.1 What is Antivirus Software
17.2 Methods of Detecting Malicious Code
17.2.1 Signature-Based Detection
17.2.2 Heuristic and Behavioral-Based Detection
17.3 Bypassing Antivirus Detection
17.3.1 On-Disk Evasion
17.3.2 In-Memory Evasion
17.3.3 AV Evasion: Practical Example
17.4 Wrapping Up
18 Privilege Escalation
18.1 Information Gathering
18.1.1 Manual Enumeration
18.1.2 Automated Enumeration
18.2 Windows Privilege Escalation Examples
18.2.1 Understanding Windows Privileges and Integrity Levels
18.2.2 Introduction to User Account Control (UAC)
18.2.3 User Account Control (UAC) Bypass: fodhelper.exe Case Study
18.2.4 Insecure File Permissions: Serviio Case Study
18.2.5 Leveraging Unquoted Service Paths
18.2.6 Windows Kernel Vulnerabilities: USBPcap Case Study
18.3 Linux Privilege Escalation Examples
18.3.1 Understanding Linux Privileges
18.3.2 Insecure File Permissions: Cron Case Study
18.3.3 Insecure File Permissions: /etc/passwd Case Study
18.3.4 Kernel Vulnerabilities: CVE-7-2 Case Study
18.4 Wrapping Up
19 Password Attacks

19.1 Wordlists
19.1.1 Standard Wordlists
19.2 Brute Force Wordlists
19.3 Common Network Service Attack Methods
19.3.1 HTTP htaccess Attack with Medusa
19.3.2 Remote Desktop Protocol Attack with Crowbar
19.3.3 SSH Attack with THC-Hydra
19.3.4 HTTP POST Attack with THC-Hydra
19.4 Leveraging Password Hashes
19.4.1 Retrieving Password Hashes
19.4.2 Passing the Hash in Windows
19.4.3 Password Cracking
19.5 Wrapping Up
20 Port Redirection and Tunneling
20.1 Port Forwarding
20.1.1 RINETD
20.2 SSH Tunneling
20.2.1 SSH Local Port Forwarding
20.2.2 SSH Remote Port Forwarding
20.2.3 SSH Dynamic Port Forwarding
20.3 PLINK.exe
20.4 NETSH
20.5 HTTPTunnel-ing Through Deep Packet Inspection
20.6 Wrapping Up
21 Active Directory Attacks
21.1 Active Directory Theory
21.2 Active Directory Enumeration
21.2.1 Traditional Approach
21.2.2 A Modern Approach
21.2.3 Resolving Nested Groups
21.2.4 Currently Logged on Users
21.2.5 Enumeration Through Service Principal Names
21.3 Active Directory Authentication
21.3.1 NTLM Authentication

21.3.2 Kerberos Authentication
21.3.3 Cached Credential Storage and Retrieval
21.3.4 Service Account Attacks
21.3.5 Low and Slow Password Guessing
21.4 Active Directory Lateral Movement
21.4.1 Pass the Hash
21.4.2 Overpass the Hash
21.4.3 Pass the Ticket
21.4.4 Distributed Component Object Model
21.5 Active Directory Persistence
21.5.1 Golden Tickets
21.5.2 Domain Controller Synchronization
21.6 Wrapping Up
22 The Metasploit Framework
22.1 Metasploit User Interfaces and Setup
22.1.1 Getting Familiar with MSF Syntax
22.1.2 Metasploit Database Access
22.1.3 Auxiliary Modules
22.2 Exploit Modules
22.2.1 SyncBreeze Enterprise
22.3 Metasploit Payloads
22.3.1 Staged vs Non-Staged Payloads
22.3.2 Meterpreter Payloads
22.3.3 Experimenting with Meterpreter
22.3.4 Executable Payloads
22.3.5 Metasploit Exploit Multi Handler
22.3.6 Client-Side Attacks
22.3.7 Advanced Features and Transports
22.4 Building Our Own MSF Module
22.5 Post-Exploitation with Metasploit
22.5.1 Core Post-Exploitation Features
22.5.2 Migrating Processes
22.5.3 Post-Exploitation Modules
22.5.4 Pivoting with the Metasploit Framework

22.6 Metasploit Automation
22.7 Wrapping Up
23 PowerShell Empire
23.1 Installation, Setup, and Usage
23.1.1 PowerShell Empire Syntax
23.1.2 Listeners and Stagers
23.1.3 The Empire Agent
23.2 PowerShell Modules
23.2.1 Situational Awareness
23.2.2 Credentials and Privilege Escalation
23.2.3 Lateral Movement
23.3 Switching Between Empire and Metasploit
23.4 Wrapping Up
24 Assembling the Pieces: Penetration Test Breakdown
24.1 Public Network Enumeration
24.2 Targeting the Web Application
24.2.1 Web Application Enumeration
24.2.2 SQL Injection Exploitation
24.2.3 Cracking the Password
24.2.4 Enumerating the Admin Interface
24.2.5 Obtaining a Shell
24.2.6 Post-Exploitation Enumeration
24.2.7 Creating a Stable Pivot Point
24.3 Targeting the Database
24.3.1 Enumeration
24.3.2 Attempting to Exploit the Database
24.4 Deeper Enumeration of the Web Application Server
24.4.1 More Thorough Post Exploitation
24.4.2 Privilege Escalation
24.4.3 Searching for DB Credentials
24.5 Targeting the Database Again
24.5.1 Exploitation
24.5.2 Post-Exploitation Enumeration
24.5.3 Creating a Stable Reverse Tunnel

24.6 Targeting Poultry
24.6.2 Enumeration
24.6.3 Exploitation (Or Just Logging In)
24.6.4 Post-Exploitation Enumeration
24.6.5 Unquoted Search Path Exploitation
24.6.6 Post-Exploitation Enumeration
24.7 Internal Network Enumeration
24.7.1 Reviewing the Results
24.8 Targeting the Jenkins Server
24.8.1 Application Enumeration
24.8.2 Exploiting Jenkins
24.8.3 Post Exploitation Enumeration
24.8.4 Privilege Escalation
24.8.5 Post Exploitation Enumeration
24.9 Targeting the Domain Controller
24.9.1 Exploiting the Domain Controller
24.10 Wrapping Up
25 Trying Harder: The Labs
25.1 Real Life Simulations
25.2 Machine Dependencies
25.3 Cloned Lab Machines
25.4 Unlocking Networks
25.5 Routing
25.6 Machine Ordering & Attack Vectors
25.7 Firewall / Routers / NAT
25.8 Passwords
