Advanced Penetration Testing
Advanced Penetration Testing: Hacking the World's Most Secure Networks





International Edition


About the Book

Build a better defense against motivated, organized, professional attacks

Advanced Penetration Testing: Hacking the World's Most Secure Networks takes hacking far beyond Kali Linux and Metasploit to provide a more complex attack simulation. Featuring techniques not taught in any certification prep or covered by common defensive scanners, this book integrates social engineering, programming, and vulnerability exploits into a multidisciplinary approach for targeting and compromising high security environments. From discovering and creating attack vectors, and moving unseen through a target enterprise, to establishing command and exfiltrating data—even from organizations without a direct Internet connection—this guide contains the crucial techniques that provide a more accurate picture of your system's defense. Custom coding examples use VBA, Windows Scripting Host, C, Java, JavaScript, Flash, and more, with coverage of standard library applications and the use of scanning tools to bypass common defensive measures.

Typical penetration testing consists of low-level hackers attacking a system with a list of known vulnerabilities, and defenders preventing those hacks using an equally well-known list of defensive scans. The professional hackers and nation states on the forefront of today's threats operate at a much more complex level—and this book shows you how to defend your high security network.

  • Use targeted social engineering pretexts to create the initial compromise
  • Leave a command and control structure in place for long-term access
  • Escalate privilege and breach networks, operating systems, and trust structures
  • Infiltrate further using harvested credentials while expanding control

Today's threats are organized, professionally-run, and very much for-profit. Financial institutions, health care organizations, law enforcement, government agencies, and other high-value targets need to harden their IT infrastructure and human capital against targeted advanced attacks from motivated professionals. Advanced Penetration Testing goes beyond Kali Linux and Metasploit to provide you with advanced pen testing for high security networks.

Table of Contents:
Foreword

Introduction

Chapter 1 Medical Records (In)security: An Introduction to Simulating Advanced Persistent Threat; Background and Mission Briefing; Payload Delivery Part 1: Learning How to Use the VBA Macro; How NOT to Stage a VBA Attack; Examining the VBA Code; Avoid Using Shellcode; Automatic Code Execution; Using a VBA/VBS Dual Stager; Keep Code Generic Whenever Possible; Code Obfuscation; Enticing Users; Command and Control Part 1: Basics and Essentials; The Attack; Bypassing Authentication; Summary; Exercises

Chapter 2 Stealing Research: Background and Mission Briefing; Payload Delivery Part 2: Using the Java Applet for Payload Delivery; Java Code Signing for Fun and Profit; Writing a Java Applet Stager; Create a Convincing Pretext; Signing the Stager; Notes on Payload Persistence; Microsoft Windows; Linux; OSX; Command and Control Part 2: Advanced Attack Management; Adding Stealth and Multiple System Management; Implementing a Command Structure; Building a Management Interface; The Attack; Situational Awareness; Using AD to Gather Intelligence; Analyzing AD Output; Attack Against Vulnerable Secondary System; Credential Reuse Against Primary Target System; Summary; Exercises

Chapter 3 Twenty-First Century Heist: What Might Work?; Nothing Is Secure; Organizational Politics; APT Modeling versus Traditional Penetration Testing; Background and Mission Briefing; Command and Control Part III: Advanced Channels and Data Exfiltration; Notes on Intrusion Detection and the Security Operations Center; The SOC Team; How the SOC Works; SOC Reaction Time and Disruption; IDS Evasion; False Positives; Payload Delivery Part III: Physical Media; A Whole New Kind of Social Engineering; Target Location Profiling; Gathering Targets; The Attack; Summary; Exercises

Chapter 4 Pharma Karma: Background and Mission Briefing; Payload Delivery Part IV: Client-Side Exploits 1; The Curse That Is Flash; At Least You Can Live Without It; Memory Corruption Bugs: Dos and Don’ts; Reeling in the Target; Command and Control Part IV: Metasploit Integration; Metasploit Integration Basics; Server Configuration; Black Hats/White Hats; What Have I Said About AV?; Pivoting; The Attack; The Hard Disk Firewall Fail; Metasploit Demonstration; Under the Hood; The Benefits of Admin; Typical Subnet Cloning; Recovering Passwords; Making a Shopping List; Summary; Exercises

Chapter 5 Guns and Ammo: Background and Mission Briefing; Payload Delivery Part V: Simulating a Ransomware Attack; What Is Ransomware?; Why Simulate a Ransomware Attack?; A Model for Ransomware Simulation; Asymmetric Cryptography; Remote Key Generation; Targeting Files; Requesting the Ransom; Maintaining C2; Final Thoughts; Command and Control Part V: Creating a Covert C2 Solution; Introducing the Onion Router; The Torrc File; Configuring a C2 Agent to Use the Tor Network; Bridges; New Strategies in Stealth and Deployment; VBA Redux: Alternative Command-Line Attack Vectors; PowerShell; FTP; Windows Scripting Host (WSH); BITSadmin; Simple Payload Obfuscation; Alternative Strategies in Antivirus Evasion; The Attack; Gun Design Engineer Answers Your Questions; Identifying the Players; Smart(er) VBA Document Deployment; Email and Saved Passwords; Keyloggers and Cookies; Bringing It All Together; Summary; Exercises

Chapter 6 Criminal Intelligence: Payload Delivery Part VI: Deploying with HTA; Malware Detection; Privilege Escalation in Microsoft Windows; Escalating Privileges with Local Exploits; Exploiting Automated OS Installations; Exploiting the Task Scheduler; Exploiting Vulnerable Services; Hijacking DLLs; Mining the Windows Registry; Command and Control Part VI: The Creeper Box; Creeper Box Specification; Introducing the Raspberry Pi and Its Components; GPIO; Choosing an OS; Configuring Full-Disk Encryption; A Word on Stealth; Configuring Out-of-Band Command and Control Using 3G/4G; Creating a Transparent Bridge; Using a Pi as a Wireless AP to Provision Access by Remote Keyloggers; The Attack; Spoofing Caller ID and SMS Messages; Summary; Exercises

Chapter 7 War Games: Background and Mission Briefing; Payload Delivery Part VII: USB Shotgun Attack; USB Media; A Little Social Engineering; Command and Control Part VII: Advanced Autonomous Data Exfiltration; What We Mean When We Talk About “Autonomy”; Means of Egress; The Attack; Constructing a Payload to Attack a Classified Network; Stealthy 3G/4G Software Install; Attacking the Target and Deploying the Payload; Efficient “Burst-Rate” Data Exfiltration; Summary; Exercises

Chapter 8 Hack Journalists: Briefing; Advanced Concepts in Social Engineering; Cold Reading; C2 Part VIII: Experimental Concepts in Command and Control; Scenario 1: C2 Server Guided Agent Management; Scenario 2: Semi-Autonomous C2 Agent Management; Payload Delivery Part VIII: Miscellaneous Rich Web Content; Java Web Start; Adobe AIR; A Word on HTML5; The Attack; Summary; Exercises

Chapter 9 Northern Exposure: Overview; Operating Systems; Red Star Desktop 3.0; Red Star Server 3.0; North Korean Public IP Space; The North Korean Telephone System; Approved Mobile Devices; The “Walled Garden”: The Kwangmyong Intranet; Audio and Video Eavesdropping; Summary; Exercises

Index




Product Details
  • ISBN-13: 9781119367680
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Height: 234 mm
  • No of Pages: 288
  • Returnable: N
  • Sub Title: Hacking the World's Most Secure Networks
  • Width: 185 mm
  • ISBN-10: 1119367689
  • Publisher Date: 14 Apr 2017
  • Binding: Paperback
  • Language: English
  • Spine Width: 18 mm
  • Weight: 408 gr

