Kali Linux Penetration Testing Bible


1st edition

by: Gus Khawaja

25,99 €

Publisher: Wiley
Format: EPUB
Published: 26.04.2021
ISBN/EAN: 9781119719076
Language: English
Number of pages: 512

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Descriptions

<p><b>Your ultimate guide to pentesting with Kali Linux</b></p> <p>Kali is a popular and powerful Linux distribution used by cybersecurity professionals around the world. Penetration testers must master Kali’s varied library of tools to be effective at their work. <i>The Kali Linux Penetration Testing Bible</i> is the hands-on and methodology guide for pentesting with Kali.</p> <p>You’ll discover everything you need to know about the tools and techniques hackers use to gain access to systems like yours so you can erect reliable defenses for your virtual assets. Whether you’re new to the field or an established pentester, you’ll find what you need in this comprehensive guide.</p> <ul> <li>Build a modern dockerized environment</li> <li>Discover the fundamentals of the bash language in Linux</li> <li>Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)</li> <li>Analyze your findings and identify false positives and uncover advanced subjects, like buffer overflow, lateral movement, and privilege escalation</li> <li>Apply practical and efficient pentesting workflows</li> <li>Learn about Modern Web Application Security Secure SDLC</li> <li>Automate your penetration testing with Python</li> </ul> <p> </p>
<p>Introduction xx</p> <p><b>Chapter 1 Mastering the Terminal Window 1</b></p> <p>Kali Linux File System 2</p> <p>Terminal Window Basic Commands 3</p> <p>Tmux Terminal Window 6</p> <p>Starting Tmux 6</p> <p>Tmux Key Bindings 7</p> <p>Tmux Session Management 7</p> <p>Navigating Inside Tmux 9</p> <p>Tmux Commands Reference 9</p> <p>Managing Users and Groups in Kali 10</p> <p>Users Commands 10</p> <p>Groups Commands 14</p> <p>Managing Passwords in Kali 14</p> <p>Files and Folders Management in Kali Linux 15</p> <p>Displaying Files and Folders 15</p> <p>Permissions 16</p> <p>Manipulating Files in Kali 19</p> <p>Searching for Files 20</p> <p>Files Compression 21</p> <p>Manipulating Directories in Kali 23</p> <p>Mounting a Directory 23</p> <p>Managing Text Files in Kali Linux 24</p> <p>Vim vs. Nano 26</p> <p>Searching and Filtering Text 27</p> <p>Remote Connections in Kali 29</p> <p>Remote Desktop Protocol 29</p> <p>Secure Shell 30</p> <p>SSH with Credentials 30</p> <p>Passwordless SSH 32</p> <p>Kali Linux System Management 34</p> <p>Linux Host Information 36</p> <p>Linux OS Information 36</p> <p>Linux Hardware Information 36</p> <p>Managing Running Services 38</p> <p>Package Management 39</p> <p>Process Management 41</p> <p>Networking in Kali Linux 42</p> <p>Network Interface 42</p> <p>IPv4 Private Address Ranges 42</p> <p>Static IP Addressing 43</p> <p>DNS 45</p> <p>Established Connections 46</p> <p>File Transfers 47</p> <p>Summary 48</p> <p><b>Chapter 2 Bash Scripting 49</b></p> <p>Basic Bash Scripting 50</p> <p>Printing to the Screen in Bash 50</p> <p>Variables 52</p> <p>Commands Variable 54</p> <p>Script Parameters 54</p> <p>User Input 56</p> <p>Functions 56</p> <p>Conditions and Loops 57</p> <p>Conditions 58</p> <p>Loops 60</p> <p>File Iteration 61</p> <p>Summary 63</p> <p><b>Chapter 3 Network Hosts Scanning 65</b></p> <p>Basics of Networking 65</p> <p>Networking Protocols 66</p> <p>TCP 66</p> <p>UDP 67</p> <p>Other Networking Protocols 67</p> <p>IP Addressing 
69</p> <p>IPv4 69</p> <p>Subnets and CIDR 69</p> <p>IPv6 70</p> <p>Port Numbers 71</p> <p>Network Scanning 72</p> <p>Identifying Live Hosts 72</p> <p>Ping 73</p> <p>ARP 73</p> <p>Nmap 73</p> <p>Port Scanning and Services Enumeration 74</p> <p>TCP Port SYN Scan 75</p> <p>UDP 75</p> <p>Basics of Using Nmap Scans 76</p> <p>Services Enumeration 77</p> <p>Operating System Fingerprinting 79</p> <p>Nmap Scripting Engine 80</p> <p>NSE Category Scan 82</p> <p>NSE Arguments 84</p> <p>DNS Enumeration 84</p> <p>DNS Brute-Force 85</p> <p>DNS Zone Transfer 86</p> <p>DNS Subdomains Tools 87</p> <p>Fierce 87</p> <p>Summary 88</p> <p><b>Chapter 4 Internet Information Gathering 89</b></p> <p>Passive Footprinting and Reconnaissance 90</p> <p>Internet Search Engines 90</p> <p>Shodan 91</p> <p>Google Queries 92</p> <p>Information Gathering Using Kali Linux 94</p> <p>Whois Database 95</p> <p>TheHarvester 97</p> <p>DMitry 99</p> <p>Maltego 99</p> <p>Summary 103</p> <p><b>Chapter 5 Social Engineering Attacks 105</b></p> <p>Spear Phishing Attacks 105</p> <p>Sending an E-mail 106</p> <p>The Social Engineer Toolkit 106</p> <p>Sending an E-mail Using Python 108</p> <p>Stealing Credentials 109</p> <p>Payloads and Listeners 110</p> <p>Bind Shell vs. 
Reverse Shell 111</p> <p>Bind Shell 111</p> <p>Reverse Shell 112</p> <p>Reverse Shell Using SET 113</p> <p>Social Engineering with the USB Rubber Ducky 115</p> <p>A Practical Reverse Shell Using USB Rubber Ducky and PowerShell 117</p> <p>Generating a PowerShell Script 118</p> <p>Starting a Listener 118</p> <p>Hosting the PowerShell Script 119</p> <p>Running PowerShell 120</p> <p>Download and Execute the PS Script 120</p> <p>Reverse Shell 121</p> <p>Replicating the Attack Using the USB Rubber Ducky 122</p> <p>Summary 122</p> <p><b>Chapter 6 Advanced Enumeration Phase 125</b></p> <p>Transfer Protocols 126</p> <p>FTP (Port 21) 126</p> <p>Exploitation Scenarios for an FTP Server 126</p> <p>Enumeration Workflow 127</p> <p>Service Scan 127</p> <p>Advanced Scripting Scan with Nmap 128</p> <p>More Brute-Forcing Techniques 129</p> <p>SSH (Port 22) 130</p> <p>Exploitation Scenarios for an SSH Server 130</p> <p>Advanced Scripting Scan with Nmap 131</p> <p>Brute-Forcing SSH with Hydra 132</p> <p>Advanced Brute-Forcing Techniques 133</p> <p>Telnet (Port 23) 134</p> <p>Exploitation Scenarios for Telnet Server 135</p> <p>Enumeration Workflow 135</p> <p>Service Scan 135</p> <p>Advanced Scripting Scan 136</p> <p>Brute-Forcing with Hydra 136</p> <p>E-mail Protocols 136</p> <p>SMTP (Port 25) 137</p> <p>Nmap Basic Enumeration 137</p> <p>Nmap Advanced Enumeration 137</p> <p>Enumerating Users 138</p> <p>POP3 (Port 110) and IMAP4 (Port 143) 141</p> <p>Brute-Forcing POP3 E-mail Accounts 141</p> <p>Database Protocols 142</p> <p>Microsoft SQL Server (Port 1433) 142</p> <p>Oracle Database Server (Port 1521) 143</p> <p>MySQL (Port 3306) 143</p> <p>CI/CD Protocols 143</p> <p>Docker (Port 2375) 144</p> <p>Jenkins (Port 8080/50000) 145</p> <p>Brute-Forcing a Web Portal Using Hydra 147</p> <p>Step 1: Enable a Proxy 148</p> <p>Step 2: Intercept the Form Request 149</p> <p>Step 3: Extracting Form Data and Brute-Forcing with Hydra 150</p> <p>Web Protocols 80/443 151</p> <p>Graphical Remoting 
Protocols 152</p> <p>RDP (Port 3389) 152</p> <p>RDP Brute-Force 152</p> <p>VNC (Port 5900) 153</p> <p>File Sharing Protocols 154</p> <p>SMB (Port 445) 154</p> <p>Brute-Forcing SMB 156</p> <p>SNMP (Port UDP 161) 157</p> <p>SNMP Enumeration 157</p> <p>Summary 159</p> <p><b>Chapter 7 Exploitation Phase 161</b></p> <p>Vulnerabilities Assessment 162</p> <p>Vulnerability Assessment Workflow 162</p> <p>Vulnerability Scanning with OpenVAS 164</p> <p>Installing OpenVAS 164</p> <p>Scanning with OpenVAS 165</p> <p>Exploits Research 169</p> <p>SearchSploit 171</p> <p>Services Exploitation 173</p> <p>Exploiting FTP Service 173</p> <p>FTP Login 173</p> <p>Remote Code Execution 174</p> <p>Spawning a Shell 177</p> <p>Exploiting SSH Service 178</p> <p>SSH Login 178</p> <p>Telnet Service Exploitation 179</p> <p>Telnet Login 179</p> <p>Sniffing for Cleartext Information 180</p> <p>E-mail Server Exploitation 183</p> <p>Docker Exploitation 185</p> <p>Testing the Docker Connection 185</p> <p>Creating a New Remote Kali Container 186</p> <p>Getting a Shell into the Kali Container 187</p> <p>Docker Host Exploitation 188</p> <p>Exploiting Jenkins 190</p> <p>Reverse Shells 193</p> <p>Using Shells with Metasploit 194</p> <p>Exploiting the SMB Protocol 196</p> <p>Connecting to SMB Shares 196</p> <p>SMB Eternal Blue Exploit 197</p> <p>Summary 198</p> <p><b>Chapter 8 Web Application Vulnerabilities 199</b></p> <p>Web Application Vulnerabilities 200</p> <p>Mutillidae Installation 200</p> <p>Apache Web Server Installation 200</p> <p>Firewall Setup 201</p> <p>Installing PHP 201</p> <p>Database Installation and Setup 201</p> <p>Mutillidae Installation 202</p> <p>Cross-Site Scripting 203</p> <p>Reflected XSS 203</p> <p>Stored XSS 204</p> <p>Exploiting XSS Using the Header 205</p> <p>Bypassing JavaScript Validation 207</p> <p>SQL Injection 208</p> <p>Querying the Database 208</p> <p>Bypassing the Login Page 211</p> <p>Execute Database Commands Using SQLi 211</p> <p>SQL Injection Automation with SQLMap 
215</p> <p>Testing for SQL Injection 216</p> <p>Command Injection 217</p> <p>File Inclusion 217</p> <p>Local File Inclusion 218</p> <p>Remote File Inclusion 219</p> <p>Cross-Site Request Forgery 220</p> <p>The Attacker Scenario 221</p> <p>The Victim Scenario 222</p> <p>File Upload 223</p> <p>Simple File Upload 223</p> <p>Bypassing Validation 225</p> <p>Encoding 227</p> <p>OWASP Top 10 228</p> <p>Summary 229</p> <p><b>Chapter 9 Web Penetration Testing and Secure Software Development Lifecycle 231</b></p> <p>Web Enumeration and Exploitation 231</p> <p>Burp Suite Pro 232</p> <p>Web Pentest Using Burp Suite 232</p> <p>More Enumeration 245</p> <p>Nmap 246</p> <p>Crawling 246</p> <p>Vulnerability Assessment 247</p> <p>Manual Web Penetration Testing Checklist 247</p> <p>Common Checklist 248</p> <p>Special Pages Checklist 248</p> <p>Secure Software Development Lifecycle 250</p> <p>Analysis/Architecture Phase 251</p> <p>Application Threat Modeling 251</p> <p>Assets 251</p> <p>Entry Points 252</p> <p>Third Parties 252</p> <p>Trust Levels 252</p> <p>Data Flow Diagram 252</p> <p>Development Phase 252</p> <p>Testing Phase 255</p> <p>Production Environment (Final Deployment) 255</p> <p>Summary 255</p> <p><b>Chapter 10 Linux Privilege Escalation 257</b></p> <p>Introduction to Kernel Exploits and Missing Configurations 258</p> <p>Kernel Exploits 258</p> <p>Kernel Exploit: Dirty Cow 258</p> <p>SUID Exploitation 261</p> <p>Overriding the Passwd Users File 263</p> <p>CRON Jobs Privilege Escalation 264</p> <p>CRON Basics 265</p> <p>Crontab 265</p> <p>Anacrontab 266</p> <p>Enumerating and Exploiting CRON 266</p> <p>sudoers 268</p> <p>sudo Privilege Escalation 268</p> <p>Exploiting the Find Command 268</p> <p>Editing the sudoers File 269</p> <p>Exploiting Running Services 270</p> <p>Automated Scripts 270</p> <p>Summary 271</p> <p><b>Chapter 11 Windows Privilege Escalation 273</b></p> <p>Windows System Enumeration 273</p> <p>System Information 274</p> <p>Windows Architecture 275</p> 
<p>Listing the Disk Drives 276</p> <p>Installed Patches 276</p> <p>Who Am I? 276</p> <p>List Users and Groups 277</p> <p>Networking Information 279</p> <p>Showing Weak Permissions 282</p> <p>Listing Installed Programs 283</p> <p>Listing Tasks and Processes 283</p> <p>File Transfers 284</p> <p>Windows Host Destination 284</p> <p>Linux Host Destination 285</p> <p>Windows System Exploitation 286</p> <p>Windows Kernel Exploits 287</p> <p>Getting the OS Version 287</p> <p>Find a Matching Exploit 288</p> <p>Executing the Payload and Getting a Root Shell 289</p> <p>The Metasploit PrivEsc Magic 289</p> <p>Exploiting Windows Applications 293</p> <p>Running As in Windows 295</p> <p>PSExec Tool 296</p> <p>Exploiting Services in Windows 297</p> <p>Interacting with Windows Services 297</p> <p>Misconfigured Service Permissions 297</p> <p>Overriding the Service Executable 299</p> <p>Unquoted Service Path 299</p> <p>Weak Registry Permissions 301</p> <p>Exploiting the Scheduled Tasks 302</p> <p>Windows PrivEsc Automated Tools 302</p> <p>PowerUp 302</p> <p>WinPEAS 303</p> <p>Summary 304</p> <p><b>Chapter 12 Pivoting and Lateral Movement 305</b></p> <p>Dumping Windows Hashes 306</p> <p>Windows NTLM Hashes 306</p> <p>SAM File and Hash Dump 307</p> <p>Using the Hash 308</p> <p>Mimikatz 308</p> <p>Dumping Active Directory Hashes 310</p> <p>Reusing Passwords and Hashes 310</p> <p>Pass the Hash 311</p> <p>Pivoting with Port Redirection 312</p> <p>Port Forwarding Concepts 312</p> <p>SSH Tunneling and Local Port Forwarding 314</p> <p>Remote Port Forwarding Using SSH 315</p> <p>Dynamic Port Forwarding 316</p> <p>Dynamic Port Forwarding Using SSH 316</p> <p>Summary 317</p> <p><b>Chapter 13 Cryptography and Hash Cracking 319</b></p> <p>Basics of Cryptography 319</p> <p>Hashing Basics 320</p> <p>One-Way Hash Function 320</p> <p>Hashing Scenarios 321</p> <p>Hashing Algorithms 321</p> <p>Message Digest 5 321</p> <p>Secure Hash Algorithm 323</p> <p>Hashing Passwords 323</p> <p>Securing Passwords 
with Hash 324</p> <p>Hash-Based Message Authenticated Code 325</p> <p>Encryption Basics 326</p> <p>Symmetric Encryption 326</p> <p>Advanced Encryption Standard 326</p> <p>Asymmetric Encryption 328</p> <p>Rivest Shamir Adleman 329</p> <p>Cracking Secrets with Hashcat 331</p> <p>Benchmark Testing 332</p> <p>Cracking Hashes in Action 334</p> <p>Attack Modes 336</p> <p>Straight Mode 336</p> <p>Combinator 337</p> <p>Mask and Brute-Force Attacks 339</p> <p>Brute-Force Attack 342</p> <p>Hybrid Attacks 342</p> <p>Cracking Workflow 343</p> <p>Summary 344</p> <p><b>Chapter 14 Reporting 345</b></p> <p>Overview of Reports in Penetration Testing 345</p> <p>Scoring Severities 346</p> <p>Common Vulnerability Scoring System Version 3.1 346</p> <p>Report Presentation 349</p> <p>Cover Page 350</p> <p>History Logs 350</p> <p>Report Summary 350</p> <p>Vulnerabilities Section 350</p> <p>Summary 351</p> <p><b>Chapter 15 Assembly Language and Reverse Engineering 353</b></p> <p>CPU Registers 353</p> <p>General CPU Registers 354</p> <p>Index Registers 355</p> <p>Pointer Registers 355</p> <p>Segment Registers 355</p> <p>Flag Registers 357</p> <p>Assembly Instructions 358</p> <p>Little Endian 360</p> <p>Data Types 360</p> <p>Memory Segments 361</p> <p>Addressing Modes 361</p> <p>Reverse Engineering Example 361</p> <p>Visual Studio Code for C/C++ 362</p> <p>Immunity Debugger for Reverse Engineering 363</p> <p>Summary 368</p> <p><b>Chapter 16 Buffer/Stack Overflow 369</b></p> <p>Basics of Stack Overflow 369</p> <p>Stack Overview 370</p> <p>PUSH Instruction 370</p> <p>POP Instruction 371</p> <p>C Program Example 371</p> <p>Buffer Analysis with Immunity Debugger 372</p> <p>Stack Overflow 376</p> <p>Stack Overflow Mechanism 377</p> <p>Stack Overflow Exploitation 378</p> <p>Lab Overview 379</p> <p>Vulnerable Application 379</p> <p>Phase 1: Testing 379</p> <p>Testing the Happy Path 379</p> <p>Testing the Crash 381</p> <p>Phase 2: Buffer Size 382</p> <p>Pattern Creation 382</p> <p>Offset Location 
382</p> <p>Phase 3: Controlling EIP 383</p> <p>Adding the JMP Instruction 384</p> <p>Phase 4: Injecting the Payload and Getting a Remote Shell 386</p> <p>Payload Generation 386</p> <p>Bad Characters 386</p> <p>Shellcode Python Script 387</p> <p>Summary 388</p> <p><b>Chapter 17 Programming with Python 389</b></p> <p>Basics of Python 389</p> <p>Running Python Scripts 390</p> <p>Debugging Python Scripts 391</p> <p>Installing VS Code on Kali 391</p> <p>Practicing Python 392</p> <p>Python Basic Syntaxes 393</p> <p>Python Shebang 393</p> <p>Comments in Python 393</p> <p>Line Indentation and Importing Modules 394</p> <p>Input and Output 394</p> <p>Printing CLI Arguments 395</p> <p>Variables 395</p> <p>Numbers 395</p> <p>Arithmetic Operators 397</p> <p>Strings 397</p> <p>String Formatting 397</p> <p>String Functions 398</p> <p>Lists 399</p> <p>Reading Values in a List 399</p> <p>Updating List Items 399</p> <p>Removing a list item 400</p> <p>Tuples 400</p> <p>Dictionary 400</p> <p>More Techniques in Python 400</p> <p>Functions 400</p> <p>Returning Values 401</p> <p>Optional Arguments 401</p> <p>Global Variables 402</p> <p>Changing Global Variables 402</p> <p>Conditions 403</p> <p>if/else Statement 403</p> <p>Comparison Operators 403</p> <p>Loop Iterations 404</p> <p>while Loop 404</p> <p>for Loop 405</p> <p>Managing Files 406</p> <p>Exception Handling 407</p> <p>Text Escape Characters 407</p> <p>Custom Objects in Python 408</p> <p>Summary 409</p> <p><b>Chapter 18 Pentest Automation with Python 411</b></p> <p>Penetration Test Robot 411</p> <p>Application Workflow 412</p> <p>Python Packages 414</p> <p>Application Start 414</p> <p>Input Validation 415</p> <p>Code Refactoring 417</p> <p>Scanning for Live Hosts 418</p> <p>Ports and Services Scanning 420</p> <p>Attacking Credentials and Saving the Results 423</p> <p>Summary 426</p> <p><b>Appendix A Kali Linux Desktop at a Glance 427</b></p> <p>Downloading and Running a VM of Kali Linux 428</p> <p>Virtual Machine First Boot 
428</p> <p>Kali Xfce Desktop 429</p> <p>Kali Xfce Menu 430</p> <p>Search Bar 430</p> <p>Favorites Menu Item 430</p> <p>Usual Applications 432</p> <p>Other Menu Items 433</p> <p>Kali Xfce Settings Manager 433</p> <p>Advanced Network Configuration 435</p> <p>Appearance 436</p> <p>Desktop 439</p> <p>Display 441</p> <p>File Manager 442</p> <p>Keyboard 445</p> <p>MIME Type Editor 447</p> <p>Mouse and Touchpad 448</p> <p>Panel 449</p> <p>Workspaces 450</p> <p>Window Manager 451</p> <p>Practical Example of Desktop Customization 454</p> <p>Edit the Top Panel 454</p> <p>Adding a New Bottom Panel 454</p> <p>Changing the Desktop Look 457</p> <p>Installing Kali Linux from Scratch 458</p> <p>Summary 466</p> <p><b>Appendix B Building a Lab Environment Using Docker 467</b></p> <p>Docker Technology 468</p> <p>Docker Basics 468</p> <p>Docker Installation 468</p> <p>Images and Registries 469</p> <p>Containers 470</p> <p>Dockerfile 472</p> <p>Volumes 472</p> <p>Networking 473</p> <p>Mutillidae Docker Container 474</p> <p>Summary 475</p> <p>Index 477</p>
<p><b>Gus Khawaja</b> is an expert in application security and penetration testing. He is a cybersecurity consultant in Montreal, Canada and has a depth of experience working with organizations to protect their assets from cyberattacks. He is a published author and online educator in the field of cybersecurity.</p>
