by Peter Kim
1st Edition, July 2015 / SecurePlanet LLC / ISBN-13: 9781512214567
I got a copy of this text from a class I just completed, which I'll describe in greater detail when you see me in person at the meeting. What it's important to get down in this review is some descriptions of the content (which is up to date) and that those descriptions be delivered in the proper order. For some reason this first printing either didn't get enough proofreading or the setup editor screwed up, not bolding or increasing font size on chapter headings, nor even numbering them. So I laboriously found all the chapter headings and will organize my comments by them below, for your convenience if you acquire a copy of Mr. Kim's excellent book (after figuring the headings out, I just marked them on their pages and on the Contents page with a highlighter so that they became useful). Also, the descriptive conceit of the book uses analogies to game plays and strategies in American football so as to separate concepts, so keep that in mind. By the way, the "2" designation in the title doesn't mean that you need to look up the previous one; it denotes a second edition which includes all material still useful from Kim's earlier volume, with updates and additional coverage of tools and strategy as relevant to about 10 months ago.
"Pregame - The Setup" amounts to Chapter 1. This covers the physical setup needed for pen testing. He describes your lab as needing such features as virtualization software, particular VMs representing popular OS's, and mentions particular aspects of popular systems such as Powershell in Windows. Finally a "Learning" section has some early discussion of tools and strategies like Metasploitable and issues like lack of secure form in binaries.
"Before The Snap - Scanning The Network" amounts to Chapter 2. Passive observation and discovery is the first topic, noting tools like Recon-NG, 'discover' scripts and Spiderfoot. I should mention that all versions are referring to Kali Linux inclusions. Kali Linux is one of the largest and most popular security distributions and it's referred to so much here that an interesting secondary use of Mr. Kim's book would be as a Kali manual.
IN FACT, Kali Linux is so badass, go get a copy right now if you don't have it, at this convenient location.
Coverage proceeds to password lists, looked at with Wordhound and Brutescrape, then with active tools like Masscan and Sparta. Then some vulnerability tools are introduced like Rapid7/Nexpose, Teneble Nessus and Openvas. Web apps are looked at with OWASP Zap proxy, which is available for Windows, Linux and OSX. Finally, nmap, Burp and straight Nessus are mentioned.
"The Drive - Exploiting Scanner Findings" amounts to Chapter 3. It starts with a Metasploit Framework example which, while comprehensive, assumes previous experience with Metasploit and gives links as to where to get up to speed with that. Then there's a discussion of printers, Nosqlmap and Elastic Search. Then some recent issues like Hearbleed and Shellshock are described (no doubt some stalwart professionals are still vulnerable to those).
"The Throw - Manual Web App Findings" amounts to Chapter 4. There's a general intro to web app pen testing and SQL injections as such, then a generous 15 pages on manual SQL injection methods, followed by 5 pages on Cross Site Scripting. Other topics covered are Cross Site Request Forgery, tokens and fuzzing. Then Kim gives a mention of the Top Ten vulnerability list maintained by OWASP (I'll give it here for your convenience):
OWASP Top Ten cheat sheet
"The Lateral Pass - Moving Through The Network" amounts to Chapter 5. Responder is the first tool mentioned; included in Kali, responder.py looks for multicast name resolution and NetBios information, and uses the Microsoft WPAD vulnerability (there's a TechNet article on that; evidently the service's PAC file points to a config file that's wide open, if you can find it). Then ARP poisoning is discussed from the standpoint of two Kali-included tools (ettercap and Backdoor Factory proxy) and Cain And Abel for Windows. Two methods for getting network access at this point are given, with specific steps. The methods are either 1)with any credentials or 2)with Local Admin or Domain Admin account info. Two tools for manipulating the domain controller then mentioned are SMBexec and PSExec_ndtsgrab, both in their Kali inclusion versions. The convenient strategy of creating access "persistence" is then brought up, listing popular tools for this as Golden Ticket (a Kerberos crack), Skeleton Key (a domain admin backdoor) and Sticky Keys (a sort of automation of hitting Shift five times on a Windows host; this idea uses registry settings, which seems nonstealthy to me if the registry is locked or monitored in some way but this is one of Kim's favorite tools so I'll defer to his experience).
"The Screen - Social Engineering" amounts to Chapter 5. The expected phishing and wireless methods are covered, but there's also the tale of the author's actual purchase of similar domains as targets to take advantage of typographical errors when users enter domain addresses. He links to his complete research paper but also describes this very nasty idea, popularly referred to as "doppelganger domains". If an outfit uses their subdomain for email and somebody mistypes, BANG. They go to the bad guy's location instead. To make a long story short, these similar addresses can be incorportated into links in emails or into icons on which to click. Do you want to maim somebody all of a sudden? I don't blame you. Then there's the methods that involve the risk of physical access, like planting rogue access points, dropping USB sticks with hidden file infectors in the hall or parking lot, purchased devices for smart card cracking, KonBoot on USB for at-the-host password bypass and on and on.
"The Quarterback Sneak - Evading AV" amounts to Chapter 6. BDF (backdoor factory) is included in Kali and its methods of changing the functionality of normal services is described in minute detail. Next is a method for using a tool called Evade to allow another tool (Windows Credential Editor) to cloak itself from antivirus programs and snatch cleartext passwords FROM MEMORY! Neat. Then there's a discussion of Veil, a tool that hides executables from AV detection by automatically re-coding them in Python. There's SMBExec, which is a suite that can get hashes out of a domain controller, randomize or recompile things to render the observable form unfamiliar to the AV scanner (not merely changing the filename), create reverse shells, etc. He wraps up by describing some keylogging methods.
"Special Teams - Cracking, Exploits And Tricks" amounts to Chapter 7. Lots of helpful wordlist locations are given, then particular tools John (John The Ripper, JtR, JtR Jumbo) and oclHashcat are described. oclHashcat assumes use of a GPU and is mentioned as the author's favorite password cracker... although he does refer to historical use of Rainbow Tables. Specific vulnerability searching (within Kali at least) is described in the context of Searchsploit (for default queries) and the venerable BugTraq and Exploit-DB, not to mention msfconsole. Kim also gives specifics on bypassuac_injection, NetHunter (EXCLUSIVE to Kali/Offensive Security, it's an Android pen test platform) and he adds a description of building a custom reverse shell, which can get around firewalls and IDS. He also mentions three commercial products, Cobalt Strike, Core Impact and Immunity Canvas. Although Cobalt Strike costs thousands, Kim says that it's "must-have" for professional pen testers.
"Two Minute Drill - From Zero To Hero", a kind of Chapter 8, is a rundown of what's now possible to you, once you are familiar with the tools involved. From the initial stage of "discovery" (as the lawyers say), you use a fake website to spoof their Outlook Web Access page (that hole was left open for awhile on Hillary Clinton's email server, so although little was logged, it's a promising area of concern for that organization). With a Meterpreter script to add persistence on reboot for everything done so far, you'd then run PowerUser to create a new Administrator and find all the Domain Admins. Getting at least one of their passwords, the hashes are pulled from the controller and you dump the AD environment. Persist later surrepitious entry with Sticky Key and all that's left is the documentation paperwork and to invoice your satisfied customer!
I wish I fully understood everything I described above, but luckily I've got Kim's book. This provides either clear, specific steps to do what's discussed, or where that would assume previous knowledge, Kim gives links and references on where to get the knowledge. To read this book is time well spent, if pen testing is what you need to do, or need to be able to sell to a reputable actor, of course.
