Kali Linux 2018: Windows Penetration Testing
eBook - ePub


Conduct network testing, surveillance, and pen testing on MS Windows using Kali Linux 2018, 2nd Edition

  1. 404 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

Become the ethical hacker you need to be to protect your network

Key Features

  • Set up, configure, and run a newly installed Kali-Linux 2018.x
  • Footprint, monitor, and audit your network and investigate any ongoing infestations
  • Customize Kali Linux with this professional guide so it becomes your pen testing toolkit

Book Description

Microsoft Windows is one of the two most common OSes, and managing its security has spawned the discipline of IT security. Kali Linux is the premier platform for testing and maintaining Windows security. Kali is built on the Debian distribution of Linux and shares the legendary stability of that OS. This lets you focus on using the network penetration, password cracking, and forensics tools, and not the OS.

This book has the most advanced tools and techniques to reproduce the methods used by sophisticated hackers to make you an expert in Kali Linux penetration testing. You will start by learning about the various desktop environments that now come with Kali. The book covers network sniffers and analysis tools to uncover the Windows protocols in use on the network. You will see several tools designed to improve your success rate in password acquisition, from hash cracking, online attacks, offline attacks, and rainbow tables to social engineering. It also demonstrates several use cases for Kali Linux tools such as the Social Engineering Toolkit and Metasploit to exploit Windows vulnerabilities.

Finally, you will learn how to gain full system-level access to your compromised system and then maintain that access. By the end of this book, you will be able to quickly pen test your system and network using easy-to-follow instructions and support images.

What you will learn

  • Learn advanced setup techniques for Kali and the Linux operating system
  • Understand footprinting and reconnaissance of networks
  • Discover new advances and improvements to the Kali operating system
  • Map and enumerate your Windows network
  • Exploit several common Windows network vulnerabilities
  • Attack and defeat password schemes on Windows
  • Debug and reverse engineer Windows programs
  • Recover lost files, investigate successful hacks, and discover hidden data

Who this book is for

If you are a working ethical hacker who is looking to expand your offensive skill set with a thorough understanding of Kali Linux, then this is the book for you. Prior knowledge of Linux operating systems, the Bash terminal, and the Windows command line would be highly beneficial.

Frequently asked questions

Yes, you can access Kali Linux 2018: Windows Penetration Testing by Wolf Halton, Bo Weaver in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Year: 2018
ISBN: 9781789130775
Edition: 2

Maintaining Access on Server or Desktop

Ever wonder how hackers are able to get into a secure network and stay inside it for months, sometimes years, without being caught? The following are some of the big tricks for staying inside once you are there. Not only will we discuss maintaining access to a local machine you have owned, but also how to use a Drop Box inside a network and have it phone home.
We will cover the following topics in this chapter:
  • Maintaining access, or ET Phone Home
  • Maintaining access with Ncat
  • The Drop Box
  • Cracking the Network Access Controller (NAC)
  • Creating a spear-phishing attack with the Social Engineering Toolkit
  • Using Backdoor Factory to evade antivirus

Maintaining access or ET Phone Home

Persistent connections in the hacker world are called Phoning Home. Persistence gives the attacker the ability to leave a connection back to the attacking machine and have a full command line or a desktop connection to the victim machine.
Why do this? Normally, your network is protected by a firewall, and port connections to the internal machines are controlled by the firewall, not by the local machine. Sure, if you're in a box, you could turn on telnet and you could access the telnet port from the local network. It is unlikely that you would be able to get to this port from the public network. Any local firewall may block this port, and a network scan would reveal that telnet is running on the victim machine. This would alert the target organization's network security team. So, instead of having a port to call on the compromised server, it is safer and more effective to have your victim machine call out to your attacking machine.
In this chapter, we will use HTTPS reverse shells, for the most part. The reason is that, while you could have your compromised machine call any port on your attacking machine, a good IDS/IPS system could pick this connection up if it was sent out to an unusual destination, such as port 4444 on the attacking machine. Most IDS/IPS systems whitelist outbound connections to HTTPS ports, because system updates for most systems work over the HTTPS protocol. Your outbound connection to the attacking machine will look more like an update than an outbound hacked port.
A persistent connection does not have to go back directly to the attacker's machine. You can pivot this type of connection off one or more machines to cover your tracks. Pivoting off one machine inside the target network, and a couple outside the target network, makes it more difficult for the defenders to see what is happening.
Yes, you can pivot this type of attack off a machine in North Korea or China, and it will look like the attack is coming from there. Every time we hear in the media that a cyber attack is coming from some dastardly foreign attacker, we roll our eyes. There is no way to be sure of the original source of an attack unless you have access to the attacking machine and its logs. Even with access to this attacking machine, you still don't know how many pivots the attacker made to get to that machine, and a full back-trace to the last connection doesn't tell you either. Use something like Tor in the process and there is no way anyone can be sure exactly where the hack came from.
In this demo, we will be doing an attack from a four-way pivot going across the world, and through four different countries to show you how this is done. Yes, we are doing this for real!
Do not ever attack the public IP addresses we will be using in this book. These are servers that we personally leased for this project. They will no longer be under our control by the time this book is published.
One problem with persistent connections is that they can be seen. One can never underestimate the careful eye of a paranoid sysadmin ("Why has server 192.168.202.4 had an HTTP connection to a Chinese IP address for four days?"). A real attacker will use this method to cover his tracks in case he gets caught and the attacking server is checked for evidence of the intruder. After a good clearing of the logs as you back out of each machine, tracing the connection back is almost impossible. The first box to which the persistent connection is made will be viewed as hostile by the attacker, who will remove traces of connections to this machine after each time they connect.
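The paranoid sysadmin's question above is exactly the signal a defender can automate: a reverse shell on port 443 blends in with update traffic, but a single internal host holding one HTTPS session to an unfamiliar external address for days, or calling out to a port like 4444, does not. The following script is an added example written for this page from a defender's side; it is not code from the book or its authors. It runs over constructed flow records (source, destination, destination port, duration in seconds, bytes out), assumes a hypothetical internal range of 192.168.0.0/16 and a hypothetical allowlist of expected update/CDN endpoints, and reports sessions that are either on an unexpected outbound port or held open for a day or more to a host that is not on the allowlist.

```python
"""Flag long-lived or odd-port outbound sessions in constructed flow records.

Added example for the chapter's point that a reverse HTTPS shell looks like
an update unless someone notices how long the session stays open and where
it goes. The records, the internal range and the allowlist below are all
constructed for illustration; they are not from the book.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed flow records: src, dst, dst_port, duration_seconds, bytes_out.
SAMPLE_FLOWS = [
    "192.168.202.4,203.0.113.10,443,345600,9832",    # 4 days to an unknown host
    "192.168.202.9,203.0.113.50,443,12,48211",       # short HTTPS fetch, normal
    "192.168.202.4,198.51.100.7,4444,30,1200",       # unusual destination port
    "192.168.202.12,192.168.202.1,445,3600,90000",   # internal SMB, not our concern
    "192.168.202.7,203.0.113.50,443,90000,2100",     # 25 h, but to an allowlisted host
]

# Hypothetical values an organisation would fill in from its own inventory.
INTERNAL = ipaddress.ip_network("192.168.0.0/16")   # assumed internal range
KNOWN_GOOD = {"203.0.113.50"}                       # assumed update/CDN endpoints
EXPECTED_PORTS = {80, 443}                          # ports where outbound is routine
LONG_SESSION_SECONDS = 24 * 3600                    # one day is already suspicious


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    duration: int
    bytes_out: int


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse one comma-separated flow record into a Flow."""
    src, dst, port, duration, bytes_out = (field.strip() for field in line.split(","))
    return Flow(src, dst, int(port), int(duration), int(bytes_out))


def analyse(lines: list[str], allowlist: set[str] = KNOWN_GOOD) -> list[Finding]:
    """Return findings for outbound sessions that an analyst should look at.

    Two rules, both aimed at the phone-home pattern in the chapter:
      1. any outbound session to a port outside EXPECTED_PORTS;
      2. a session on an expected port that stays open for a day or more
         to a destination that is not on the allowlist.
    Purely internal traffic is skipped; that is a different detection.
    """
    findings: list[Finding] = []
    for line in lines:
        flow = parse_flow(line)
        if ipaddress.ip_address(flow.dst) in INTERNAL:
            continue
        if flow.port not in EXPECTED_PORTS:
            reason = f"outbound to unexpected port {flow.port}"
        elif flow.duration >= LONG_SESSION_SECONDS and flow.dst not in allowlist:
            hours = flow.duration // 3600
            reason = f"port {flow.port} session held open for {hours} hours"
        else:
            continue
        findings.append(Finding(flow.src, flow.dst, flow.port, reason))
    return findings


def sources_of_concern(findings: list[Finding]) -> dict[str, int]:
    """Count findings per internal source; repeat offenders go to the top of the queue."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.src] = counts.get(finding.src, 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyse(SAMPLE_FLOWS)
    for hit in hits:
        print(f"{hit.src} -> {hit.dst}:{hit.port}  {hit.reason}")
    print("per-source counts:", sources_of_concern(hits))
```

The allowlist is what keeps this from drowning in update traffic, and it is also where the weakness sits: the chapter's pivot chain ends on a rented cloud host, so the rule catches it only because that host is not on the list. Pairing the duration rule with an egress proxy that records destination hostnames, rather than raw flows, gives the analyst far more to go on than an address.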
Notice in the following diagram that the victim machine has an internal address. Since the victim machine is calling out, we are bypassing the inbound protection of NAT and inbound firewall rules. The victim machine will be calling out to a server in Singapore. The attacker is interacting with the compromised machine in the USA, but is pivoting through two hops before logging into the evil server in Singapore. We are only using four hops here for this demo, but you can use as many hops as you want. The more hops, the more confusing the back-trace. A good attacker will also mix up the hops the next time he comes in, changing his route and the IP address of the inbound connection:
For our first hop, we are going to Amsterdam 178.62.241.119! If we run whois we can see this:
whois 178.62.241.119
inetnum:        178.62.128.0 - 178.62.255.255
netname:        DIGITALOCEAN-AMS-5
descr:          DigitalOcean Amsterdam
country:        NL
admin-c:        BU332-RIPE
tech-c:         BU332-RIPE
status:         ASSIGNED PA
mnt-by:         digitalocean
mnt-lower:      digitalocean
mnt-routes:     digitalocean
created:        2014-05-01T16:43:59Z
last-modified:  2014-05-01T16:43:59Z
source:         RIPE # Filtered
Hacker tip:
A good investigator, seeing this information, would just subpoena DigitalOcean to find out who was renting that IP when the victim phoned home, but it could just as likely be a machine belonging to a little old lady in Leningrad. The infrastructure of a botnet is developed from a group of compromised boxes. This chapter describes a small do-it-yourself botnet.
We will now pivot to the host in Germany, 46.101.191.216. Again, if we run a whois command, we can see this:
whois 46.101.191.216
inetnum:        46.101.128.0 - 46.101.255.255
netname:        EU-DIGITALOCEAN-DE1
descr:          Digital Ocean, Inc.
country:        DE
org:            ORG-DOI2-RIPE
admin-c:        BU332-RIPE
...

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. Packt Upsell
  4. Contributors
  5. Preface
  6. Choosing Your Distro
  7. Sharpening the Saw
  8. Information Gathering and Vulnerability Assessments
  9. Sniffing and Spoofing
  10. Password Attacks
  11. NetBIOS Name Service and LLMNR - Obsolete but Still Deadly
  12. Gaining Access
  13. Windows Privilege Escalation and Maintaining Access
  14. Maintaining Access on Server or Desktop
  15. Reverse Engineering and Stress Testing
  16. Other Books You May Enjoy