Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
Title:
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
Author:
Allen, Lee.
ISBN:
9781849517751
Edition:
1st ed.
Physical Description:
1 online resource (451 pages)
Contents:
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide -- Table of Contents -- Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide -- Credits -- About the Author -- About the Reviewers -- www.PacktPub.com -- Support files, eBooks, discount offers and more -- Why Subscribe? -- Free Access for Packt account holders -- Preface -- What this book covers -- What you need for this book -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Errata -- Piracy -- Questions -- 1. Planning and Scoping for a Successful Penetration Test -- Introduction to advanced penetration testing -- Vulnerability assessments -- Penetration testing -- Advanced penetration testing -- Before testing begins -- Determining scope -- Setting limits - nothing lasts forever -- Rules of engagement documentation -- Planning for action -- Installing VirtualBox -- Installing your BackTrack virtual machine -- Preparing the virtual guest machine for BackTrack -- Installing BackTrack on the virtual disk image -- Exploring BackTrack -- Logging in -- Changing the default password -- Updating the applications and operating system -- Installing OpenOffice -- Effectively manage your test results -- Introduction to MagicTree -- Starting MagicTree -- Adding nodes -- Data collection -- Report generation -- Introduction to the Dradis Framework -- Exporting a project template -- Importing a project template -- Preparing sample data for import -- Importing your Nmap data -- Exporting data into HTML -- Dradis Category field -- Changing the default HTML template -- Summary -- 2. Advanced Reconnaissance Techniques -- Introduction to reconnaissance -- Reconnaissance workflow -- DNS recon -- Nslookup - it's there when you need it -- Default output -- Changing nameservers -- Creating an automation script.

What did we learn? -- Domain Information Groper (Dig) -- Default output -- Zone transfers using Dig -- Advanced features of Dig -- Shortening the output -- Listing the bind version -- Reverse DNS lookup using Dig -- Multiple commands -- Tracing the path -- Batching with dig -- DNS brute forcing with fierce -- Default command usage -- Creating a custom wordlist -- Gathering and validating domain and IP information -- Gathering information with whois -- Specifying which registrar to use -- Where in the world is this IP? -- Defensive measures -- Using search engines to do your job for you -- SHODAN -- Filters -- Understanding banners -- HTTP banners -- Finding specific assets -- Finding people (and their documents) on the web -- Google hacking database -- Google filters -- Metagoofil -- Searching the Internet for clues -- Metadata collection -- Extracting metadata from photos using exiftool -- Summary -- 3. Enumeration: Choosing Your Targets Wisely -- Adding another virtual machine to our lab -- Configuring and testing our Vlab_1 clients -- BackTrack - Manual ifconfig -- Ubuntu - Manual ifconfig -- Verifying connectivity -- Maintaining IP settings after reboot -- Nmap - getting to know you -- Commonly seen Nmap scan types and options -- Basic scans - warming up -- Other Nmap techniques -- Remaining stealthy -- Taking your time -- Trying different scan types -- SYN scan -- Null scan -- ACK scan -- Conclusion -- Shifting blame - the zombies did it! -- IDS rules, how to avoid them -- Using decoys -- Adding custom Nmap scripts to your arsenal -- How to decide if a script is right for you -- Adding a new script to the database -- SNMP: A goldmine of information just waiting to be discovered -- SNMPEnum -- SNMPCheck -- When the SNMP community string is NOT "public" -- Creating network baselines with scanPBNJ -- Setting up MySQL for PBNJ -- Starting MySQL.

Preparing the PBNJ database -- First scan -- Reviewing the data -- Enumeration avoidance techniques -- Naming conventions -- Port knocking -- Intrusion detection and avoidance systems -- Trigger points -- SNMP lockdown -- Summary -- 4. Remote Exploitation -- Exploitation - Why bother? -- Target practice - Adding a Kioptrix virtual machine -- Manual exploitation -- Enumerating services -- Quick scan with Unicornscan -- Full scan with Nmap -- Banner grabbing with Netcat and Ncat -- Banner grabbing with Netcat -- Banner grabbing with Ncat -- Banner grabbing with smbclient -- Searching Exploit-DB -- Exploit-DB at hand -- Compiling the code -- Compiling the proof of concept code -- Troubleshooting the code -- What are all of these ^M characters and why will they not go away? -- Broken strings - The reunion -- Running the exploit -- Getting files to and from victim machines -- Installing and starting a TFTP server on BackTrack 5 -- Installing and configuring pure-ftpd -- Starting pure-ftpd -- Passwords: Something you know… -- Cracking the hash -- Brute forcing passwords -- THC Hydra -- Metasploit - learn it and love it -- Updating the Metasploit framework -- Databases and Metasploit -- Installing PostgreSQL on BackTrack 5 -- Verifying database connectivity -- Performing an Nmap scan from within Metasploit -- Using auxiliary modules -- Using Metasploit to exploit Kioptrix -- Summary -- 5. Web Application Exploitation -- Practice makes perfect -- Installing Kioptrix Level 3 -- Creating a Kioptrix VM Level 3 clone -- Installing and configuring Mutillidae 2.1.7 on the Ubuntu virtual machine -- Installing and configuring pfSense -- Preparing the virtual machine for pfSense -- pfSense virtual machine persistence -- Configuring the pfSense DHCP server -- Starting the virtual lab -- pfSense DHCP - Permanent reservations -- Installing HAProxy for load balancing.

Adding Kioptrix3.com to the host file -- Detecting load balancers -- Quick reality check - Load Balance Detector -- So, what are we looking for anyhow? -- Detecting Web Application Firewalls (WAF) -- Taking on Level 3 - Kioptrix -- Web Application Attack and Audit Framework (w3af) -- Using w3af GUI to save time -- Scanning by using the w3af console -- Using WebScarab as an HTTP proxy -- Introduction to Mantra -- Summary -- 6. Exploits and Client-Side Attacks -- Buffer overflows - A refresher -- "C"ing is believing - Create a vulnerable program -- Turning ASLR on and off in BackTrack -- Understanding the basics of buffer overflows -- Introduction to fuzzing -- Introducing vulnserver -- Fuzzing tools included in BackTrack -- Bruteforce Exploit Detector (BED) -- SFUZZ: Simple fuzzer -- Fast-Track -- Updating Fast-Track -- Client-side attacks with Fast-Track -- Social Engineering Toolkit -- Summary -- 7. Post-Exploitation -- Rules of engagement -- What is permitted? -- Can you modify anything and everything? -- Are you allowed to add persistence? -- How is the data that is collected and stored handled by you and your team? -- Employee data and personal information -- Data gathering, network analysis, and pillaging -- Linux -- Important directories and files -- Important commands -- Putting this information to use -- Enumeration -- Exploitation -- We're connected, now what? -- Which tools are available on the remote system -- Finding network information -- Determine connections -- Checking installed packages -- Package repositories -- Programs and services that run at startup -- Searching for information -- History files and logs -- Configurations, settings, and other files -- Users and credentials -- Moving the files -- Microsoft Windows™ post-exploitation -- Important directories and files -- Using Armitage for post-exploitation -- Enumeration -- Exploitation.

We're connected, now what? -- Networking details -- Finding installed software and tools -- Pivoting -- Summary -- 8. Bypassing Firewalls and Avoiding Detection -- Lab preparation -- BackTrack guest machine -- Ubuntu guest machine -- pfSense guest machine configuration -- pfSense network setup -- WAN IP configuration -- LAN IP configuration -- Firewall configuration -- Stealth scanning through the firewall -- Finding the ports -- Traceroute to find out if there is a firewall -- Finding out if the firewall is blocking certain ports -- Hping -- Nmap firewalk script -- Now you see me, now you don't - Avoiding IDS -- Canonicalization -- Timing is everything -- Blending in -- Looking at traffic patterns -- Cleaning up compromised hosts -- Using a checklist -- When to clean up -- Local log files -- Miscellaneous evasion techniques -- Divide and conquer -- Hiding out (on controlled units) -- File integrity monitoring -- Using common network management tools to do the deed -- Summary -- 9. Data Collection Tools and Reporting -- Record now - Sort later -- Old school - The text editor method -- Nano -- VIM - The power user's text editor of choice -- NoteCase -- Dradis framework for collaboration -- Binding to an available interface other than 127.0.0.1 -- The report -- Challenge to the reader -- Summary -- 10. Setting Up Virtual Test Lab Environments -- Why bother with setting up labs? -- Keeping it simple -- No-nonsense test example -- Network segmentation and firewalls -- Requirements -- Setup -- Adding complexity or emulating target environments -- Configuring firewall1 -- Installing additional packages in pfSense -- Firewall2 setup and configuration -- Web1 -- DB1 -- App1 -- Admin1 -- Summary -- 11. Take the Challenge - Putting It All Together -- The scenario -- The setup -- NewAlts Research Labs' virtual network -- Additional system modifications.

Web server modifications.
Abstract:
Learn to perform professional penetration testing for highly-secured environments with this intensive, hands-on guide, available as a book and ebook.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.