Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Hands-On Penetration Testing on Windows
  • Table Of Contents Toc
  • Feedback & Rating feedback
Hands-On Penetration Testing on Windows

Hands-On Penetration Testing on Windows

By : Phil Bramwell
5 (3)
Buy this Book
close
close
Hands-On Penetration Testing on Windows

Hands-On Penetration Testing on Windows

5 (3)
By: Phil Bramwell
Buy this Book

Overview of this book

Windows has always been the go-to platform for users around the globe to perform administration and ad hoc tasks, in settings that range from small offices to global enterprises, and this massive footprint makes securing Windows a unique challenge. This book will enable you to distinguish yourself to your clients. In this book, you'll learn advanced techniques to attack Windows environments from the indispensable toolkit that is Kali Linux. We'll work through core network hacking concepts and advanced Windows exploitation techniques, such as stack and heap overflows, precision heap spraying, and kernel exploitation, using coding principles that allow you to leverage powerful Python scripts and shellcode. We'll wrap up with post-exploitation strategies that enable you to go deeper and keep your access. Finally, we'll introduce kernel hacking fundamentals and fuzzing testing, so you can discover vulnerabilities and write custom exploits. By the end of this book, you'll be well-versed in identifying vulnerabilities within the Windows OS and developing the desired solutions for them.
Table of Contents (19 chapters)
close
close
close
Free Chapter
1
Bypassing Network Access Control
Icon
Bypassing Network Access Control
Icon
Technical requirements
Icon
Bypassing MAC filtering – considerations for the physical assessor
Icon
Design weaknesses – exploiting weak authentication mechanisms
Icon
Bypassing validation checks
Icon
Breaking out of jail – masquerading the stack
Icon
Summary
Icon
Questions
Icon
Further reading
2
Sniffing and Spoofing
Icon
Sniffing and Spoofing
Icon
Technical requirements
Icon
Advanced Wireshark – going beyond simple captures
Icon
Advanced Ettercap – the man-in-the-middle Swiss Army Knife
Icon
Ettercap filters – fine-tuning your analysis
Icon
Getting better – spoofing with BetterCAP
Icon
Summary
Icon
Questions
Icon
Further reading
3
Windows Passwords on the Network
Icon
Windows Passwords on the Network
Icon
Technical requirements
Icon
Understanding Windows passwords
Icon
Capturing Windows passwords on the network
Icon
Let it rip – cracking Windows hashes
Icon
Summary
Icon
Questions
Icon
Further reading
4
Advanced Network Attacks
Icon
Advanced Network Attacks
Icon
Technical requirements
Icon
Binary injection with BetterCAP proxy modules
Icon
HTTP downgrading attacks with sslstrip
Icon
The evil upgrade – attacking software update mechanisms
Icon
IPv6 for hackers
Icon
Summary
Icon
Questions
Icon
Further reading
5
Cryptography and the Penetration Tester
Icon
Cryptography and the Penetration Tester
Icon
Technical requirements
Icon
Flipping the bit – integrity attacks against CBC algorithms
Icon
Sneaking your data in – hash length extension attacks
Icon
Busting the padding oracle with PadBuster
Icon
Summary
Icon
Questions
Icon
Further reading
6
Advanced Exploitation with Metasploit
Icon
Advanced Exploitation with Metasploit
Icon
Technical requirements
Icon
How to get it right the first time – generating payloads
Icon
Modules – the bread and butter of Metasploit
Icon
Efficiency and attack organization with Armitage
Icon
Social engineering attacks with Metasploit payloads
Icon
Summary
Icon
Questions
Icon
Further reading
7
Stack and Heap Memory Management
Icon
Stack and Heap Memory Management
Icon
Technical requirements
Icon
An introduction to debugging
Icon
Stack smack – introducing buffer overflows
Icon
Introducing shellcoding
Icon
Summary
Icon
Questions
Icon
Further Reading
8
Windows Kernel Security
Icon
Windows Kernel Security
Icon
Technical requirements
Icon
Kernel fundamentals – understanding how kernel attacks work
Icon
Pointing out the problem – pointer issues
Icon
Practical kernel attacks with Kali
Icon
Summary
Icon
Questions
Icon
Further reading
9
Weaponizing Python
Icon
Weaponizing Python
Icon
Technical requirements
Icon
Incorporating Python into your work
Icon
Python network analysis
Icon
Antimalware evasion in Python
Icon
Python and Scapy – a classy pair
Icon
Summary
Icon
Questions
Icon
Further reading
10
Windows Shellcoding
Icon
Windows Shellcoding
Icon
Technical requirements
Icon
Taking out the guesswork – heap spraying
Icon
Understanding Metasploit shellcode delivery
Icon
Injection with Backdoor Factory
Icon
Summary
Icon
Questions
Icon
Further reading
11
Bypassing Protections with ROP
Icon
Bypassing Protections with ROP
Icon
Technical requirements
Icon
DEP and ASLR – the intentional and the unavoidable
Icon
Introducing return-oriented programming
Icon
Getting hands-on with the return-to-PLT attack
Icon
Summary
Icon
Questions
Icon
Further reading
12
Fuzzing Techniques
Icon
Fuzzing Techniques
Icon
Technical requirements
Icon
Network fuzzing – mutation fuzzing with Taof proxying
Icon
Hands-on fuzzing with Kali and Python
Icon
Fuzzy registers – the low-level perspective
Icon
Summary
Icon
Questions
Icon
Further reading
13
Going Beyond the Foothold
Icon
Going Beyond the Foothold
Icon
Technical requirements
Icon
Gathering goodies – enumeration with post modules
Icon
Network pivoting with Metasploit
Icon
Escalating your pivot – passing attacks down the line
Icon
Summary
Icon
Questions
Icon
Further reading
14
Taking PowerShell to the Next Level
Icon
Taking PowerShell to the Next Level
Icon
Technical requirements
Icon
Power to the shell – PowerShell fundamentals
Icon
Post-exploitation with PowerShell
Icon
Offensive PowerShell – introducing the Empire framework
Icon
Summary
Icon
Questions
Icon
Further reading
15
Escalating Privileges
chevron up
Icon
Escalating Privileges
Icon
Technical requirements
Icon
Climb the ladder with Armitage
Icon
When the easy way fails—local exploits
Icon
Escalation with WMIC and PS Empire
Icon
Dancing in the shadows – looting domain controllers with vssadmin
Icon
Summary
Icon
Questions
Icon
Further reading
16
Maintaining Access
Icon
Maintaining Access
Icon
Technical requirements
Icon
Persistence with Metasploit and PowerShell Empire
Icon
Hack tunnels – netcat backdoors on the fly
Icon
Maintaining access with PowerSploit
Icon
Summary
Icon
Questions
Icon
Further reading
17
Tips and Tricks
Icon
Tips and Tricks
Icon
Getting familiar with VMware Workstation
Icon
Building your attack lab
Icon
Network configuration tricks
Icon
Further reading
18
Assessment
Icon
Assessment
Icon
Chapter 1: Bypassing Network Access Control
Icon
Chapter 2: Sniffing and Spoofing
Icon
Chapter 3: Windows Passwords on the Network
Icon
Chapter 4: Advanced Network Attacks
Icon
Chapter 5: Cryptography and the Penetration Tester
Icon
Chapter 6: Advanced Exploitation with Metasploit
Icon
Chapter 7: Stack and Heap Memory Management
Icon
Chapter 8: Windows Kernel Security
Icon
Chapter 9: Weaponizing Python
Icon
Chapter 10: Windows Shellcoding
Icon
Chapter 11: Bypassing Protections with ROP
Icon
Chapter 12: Fuzzing Techniques
Icon
Chapter 13: Going Beyond the Foothold
Icon
Chapter 14: Taking PowerShell to the Next Level
Icon
Chapter 15: Escalating Privileges
Icon
Chapter 16: Maintaining Access
19
Other Books You May Enjoy
Icon
Other Books You May Enjoy
Icon
Leave a review - let other readers know what you think

Dancing in the shadows – looting domain controllers with vssadmin

So, you achieved domain administrator in your client's environment. Congratulations! Now what?

In a section about pressing forward from initial compromise and a chapter about escalating privileges, we need a little outside-of-the-box thinking. We've covered a lot of technical ground, but don't forget the whole idea: you're conducting an assessment for a client, and the value of your results isn't just a bunch of screenshots with green text in it. When you're having a drink with your hacker friends and you tell them about your domain administrator compromise, they understand what that means. But when you're presenting your findings for the executive management of a client? I've had countless executives ask me point-blank, so what? Shaking them by the shoulders while...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 6
Next Section

Create a Note

Modal Close icon
You need to login to use this feature.
notes
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Delete Note

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Edit Note

Modal Close icon
Write a note (max 255 characters)
Cancel
Update Note

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY