Summary Practical Guide To Penetration Testing (Computer Science,Cyber Security)

Pages: 383
Uploaded on: 09-02-2022
Written in: 2022/2023

In this guide you will learn how to become a penetration tester.

Content preview

Practical Guide to Penetration Testing

Contents
Preface
Notes and Disclaimer
Introduction
Penetration Testing Teams vs Red Teams
Summary
1 Pregame - The Setup
Assumed Breach Exercises
Setting Up Your Campaign
Setting Up Your External Servers
Tools of the Trade
Metasploit Framework
Cobalt Strike
PowerShell
Empire
dnscat2
p0wnedShell
Pupy Shell
PoshC2
Merlin
Nishang
Conclusion
2 Before the Snap - Red Team Recon
Monitoring an Environment
Regular Nmap Diffing
Web Screenshots
Cloud Scanning
Network/Service Search Engines
Manually Parsing SSL Certificates
Subdomain Discovery
Github
Cloud
Emails
Additional Open Source Resources
Conclusion

3 The Throw - Web Application Exploitation
Bug Bounty Programs:
Web Attacks Introduction - Cyber Space Kittens
The Red Team Web Application Attacks
Chat Support Systems Lab
Cyber Space Kittens: Chat Support Systems
Setting Up Your Web Application Hacking Machine
Analyzing a Web Application
Web Discovery
Cross-Site Scripting XSS
Blind XSS
DOM Based XSS
Advanced XSS in NodeJS
XSS to Compromise
NoSQL Injections
Deserialization Attacks
Template Engine Attacks - Template Injections
JavaScript and Remote Code Execution
Server Side Request Forgery (SSRF)
XML eXternal Entities (XXE)
Advanced XXE - Out Of Band (XXE-OOB)
Conclusion
4 The Drive - Compromising the Network
Finding Credentials from Outside the Network
Advanced Lab
Moving Through the Network
Setting Up the Environment - Lab Network
On the Network with No Credentials
Responder
Better Responder (MultiRelay.py)
PowerShell Responder
User Enumeration Without Credentials
Scanning the Network with CrackMapExec (CME)
After Compromising Your Initial Host
Privilege Escalation

Privilege Escalation Lab
Pulling Clear Text Credentials from Memory
Getting Passwords from the Windows Credential Store and Browsers
Getting Local Creds and Information from OSX
Living Off of the Land in a Windows Domain Environment
Service Principal Names
Querying Active Directory
Bloodhound/Sharphound
Moving Laterally - Migrating Processes
Moving Laterally Off Your Initial Host
Lateral Movement with DCOM
Pass-the-Hash
Gaining Credentials from Service Accounts
Dumping the Domain Controller Hashes
Lateral Movement via RDP over the VPS
Pivoting in Linux
Privilege Escalation
Linux Lateral Movement Lab
Attacking the CSK Secure Network
Conclusion
5 The Screen - Social Engineering
Building Your Social Engineering (SE) Campaigns
Doppelganger Domains
How to Clone Authentication Pages
Credentials with 2FA
Phishing
Microsoft Word/Excel Macro Files
Non-Macro Office Files - DDE
Hidden Encrypted Payloads
Exploiting Internal Jenkins with Social Engineering
Conclusion
6 The Onside Kick - Physical Attacks
Card Reader Cloners

Seller: jithesh, Indira Gandhi National Open University