Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.

Penetration Testing with Kali Linux
OffSec

Copyright © 2023 OffSec Services Limited
All rights reserved. No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author.

Table of Contents

1 Copyright 15
2 Penetration Testing with Kali Linux: General Course Information 16
2.1 Getting Started with PWK 16
2.1.1 PWK Course Materials 16
2.1.2 Student Mentors and Support 17
2.1.3 Setting up Kali 18
2.1.4 Connecting to the PWK Lab 19
2.2 How to Approach the Course 22
2.2.1 A Model of Increasing Uncertainty 22
2.2.2 Learning Modules 23
2.2.3 Demonstration Module Exercises 23
2.2.4 Applied Module Exercises 24
2.2.5 Capstone Module Exercises 24
2.2.6 Assembling the Pieces 24
2.2.7 Challenge Labs 1-3 24
2.2.8 Challenge Labs 4-6 25
2.3 Summary of PWK Learning Modules 26
2.3.1 Getting Started: Optional Ramp-up Modules 26
2.3.2 Enumeration and Information Gathering 26
2.3.3 Web Application and Client Side Attacks 27
2.3.4 Other Perimeter Attacks 28
2.3.5 Privilege Escalation and Lateral Movement 28
2.3.6 Active Directory 29
2.3.7 Challenge Lab Preparation 29
2.4 Wrapping Up 29
3 Introduction To Cybersecurity 30
3.1 The Practice of Cybersecurity 30
3.1.1 Challenges in Cybersecurity 30
3.1.2 A Word on Mindsets 31
3.1.3 On Emulating the Minds of our Opponents 32
3.2 Threats and Threat Actors 33
3.2.1 The Evolution of Attack and Defense 33
3.2.2 Risks, Threats, Vulnerabilities, and Exploits 34
3.2.3 Threat Actor Classifications 36
3.2.4 Recent Cybersecurity Breaches 38
3.3 The CIA Triad 40
3.3.1 Confidentiality 41
3.3.2 Integrity 42
3.3.3 Availability 43
3.3.4 Balancing the Triad with Organizational Objectives 43
3.4 Security Principles, Controls, and Strategies 44
3.4.1 Security Principles 44
3.4.2 Security Controls and Strategies 45
3.4.3 Shift-Left Security 46
3.4.4 Administrative Segmentation 46
3.4.5 Threat Modelling and Threat Intelligence 47
3.4.6 Table-Top Tactics 47
3.4.7 Continuous Patching and Supply Chain Validation 48
3.4.8 Encryption 48
3.4.9 Logging and Chaos Testing 49
3.5 Cybersecurity Laws, Regulations, Standards, and Frameworks 49
3.5.1 Laws and Regulations 50
3.5.2 Standards and Frameworks 52
3.6 Career Opportunities in Cybersecurity 54
3.6.1 Cybersecurity Career Opportunities: Attack 54
3.6.2 Cybersecurity Career Opportunities: Defend 55
3.6.3 Cybersecurity Career Opportunities: Build 56
3.7 What’s Next? 57
4 Effective Learning Strategies 58
4.1 Learning Theory 58
4.1.1 What We Know and What We Don’t 59
4.1.2 Memory Mechanisms and Dual Coding 59
4.1.3 The Forgetting Curve and Cognitive Load 61
4.2 Unique Challenges to Learning Technical Skills 63
4.2.1 Digital vs. Print Materials 63
4.2.2 Expecting the Unexpected 64
4.2.3 The Challenges of Remote and Asynchronous Learning 64
4.3 OffSec Training Methodology 65
4.3.1 The Demonstration Method 65
4.3.2 Learning by Doing 66
4.3.3 Facing Difficulty 67
4.3.4 Contextual Learning and Interleaving 68
4.4 Case Study: chmod -x chmod 68
4.4.1 What is Executable Permission? 69
4.4.2 Going Deeper: Encountering a Strange Problem 71
4.4.3 One Potential Solution 73
4.4.4 Analyzing this Approach 75
4.5 Tactics and Common Methods 77
4.5.1 Cornell Notes 78
4.5.2 Retrieval Practice 79
4.5.3 Spaced Practice 79
4.5.4 The SQ3R Method 80
4.5.5 The Feynman Technique 80
4.6 Advice and Suggestions on Exams 81
4.6.1 Dealing with Stress 82
4.6.2 Knowing When You’re Ready 83
4.6.3 Practical Advice for Exam Takers 84
4.7 Practical Steps 85
4.7.1 Creating a Long Term Strategy 85
4.7.2 Use Time Allotment Strategies 85
4.7.3 Narrowing our Focus 86
4.7.4 Pick a Strategy 87
4.7.5 Find a Community of Co-Learners 87
4.7.6 Study Your Own Studies 88
5 Report Writing for Penetration Testers 90
5.1 Understanding Note-Taking 90
5.1.1 Penetration Testing Deliverables 90
5.1.2 Note Portability 91
5.1.3 The General Structure of Penetration Testing Notes 91
5.1.4 Choosing the Right Note-Taking Tool 94
5.1.5 Taking Screenshots 97
5.1.6 Tools to Take Screenshots 99
5.2 Writing Effective Technical Penetration Testing Reports 101
5.2.1 Purpose of a Technical Report 101
5.2.2 Tailor the Content 102
5.2.3 Executive Summary 103
5.2.4 Testing Environment Considerations 105
5.2.5 Technical Summary 106
5.2.6 Technical Findings and Recommendation 107
5.2.7 Appendices, Further Information, and References 110
6 Information Gathering 111
6.1 The Penetration Testing Lifecycle 111
6.2 Passive Information Gathering 112
6.2.1 Whois Enumeration 114
6.2.2 Google Hacking 115
6.2.3 Netcraft 120
6.2.4 Open-Source Code 122
6.2.5 Shodan 126
6.2.6 Security Headers and SSL/TLS 129
6.3 Active Information Gathering 131
6.3.1 DNS Enumeration 132
6.3.2 TCP/UDP Port Scanning Theory 138
6.3.3 Port Scanning with Nmap 141
6.3.4 SMB Enumeration 152
6.3.5 SMTP Enumeration 155
6.3.6 SNMP Enumeration 157
6.4 Wrapping Up 161
7 Vulnerability Scanning 163
7.1 Vulnerability Scanning Theory 163
7.1.1 How Vulnerability Scanners Work 163
7.1.2 Types of Vulnerability Scans 165
7.1.3 Things to consider in a Vulnerability Scan 166
7.2 Vulnerability Scanning with Nessus 167
7.2.1 Installing Nessus 168
7.2.2 Nessus Components 173
7.2.3 Performing a Vulnerability Scan 175
7.2.4 Analyzing the Results 180
7.2.5 Performing an Authenticated Vulnerability Scan 184
7.2.6 Working with Nessus Plugins 189
7.3 Vulnerability Scanning with Nmap 194
7.3.1 NSE Vulnerability Scripts 194
7.3.2 Working with NSE Scripts 196
7.4 Wrapping Up 198
8 Introduction to Web Application Attacks 199
8.1 Web Application Assessment Methodology 199
8.2 Web Application Assessment Tools 200
8.2.1 Fingerprinting Web Servers with Nmap 200
8.2.2 Technology Stack Identification with Wappalyzer 201
8.2.3 Directory Brute Force with Gobuster 202
8.2.4 Security Testing with Burp Suite 203
8.3 Web Application Enumeration 219
8.3.1 Debugging Page Content 219
8.3.2 Inspecting HTTP Response Headers and Sitemaps 223
8.3.3 Enumerating and Abusing APIs 225
8.4 Cross-Site Scripting 233
8.4.1 Stored vs Reflected XSS Theory 233
8.4.2 JavaScript Refresher 234
8.4.3 Identifying XSS Vulnerabilities 235
8.4.4 Basic XSS 236
8.4.5 Privilege Escalation via XSS 240
8.5 Wrapping Up 247
9 Common Web Application Attacks 248
9.1 Directory Traversal 248
9.1.1 Absolute vs Relative Paths 248
9.1.2 Identifying and Exploiting Directory Traversals 250
9.1.3 Encoding Special Characters 256
9.2 File Inclusion Vulnerabilities 258
9.2.1 Local File Inclusion (LFI) 258
9.2.2 PHP Wrappers 263
9.2.3 Remote File Inclusion (RFI) 267
9.3 File Upload Vulnerabilities 268
9.3.1 Using Executable Files 269
9.3.2 Using Non-Executable Files 274
9.4 Command Injection 278
9.4.1 OS Command Injection 279
9.5 Wrapping Up 284
10 SQL Injection Attacks 285
10.1 SQL Theory and Databases 285
10.1.1 SQL Theory Refresher 285
10.1.2 DB Types and Characteristics 287
10.2 Manual SQL Exploitation 291
10.2.1 Identifying SQLi via Error-based Payloads 291
10.2.2 UNION-based Payloads 300
10.2.3 Blind SQL Injections 304
10.3 Manual and Automated Code Execution 306
10.3.1 Manual Code Execution 306
10.3.2 Automating the Attack 309
10.4 Wrapping Up 312
11 Client-side Attacks 314
11.1 Target Reconnaissance 315
11.1.1 Information Gathering 316
11.1.2 Client Fingerprinting 319
11.2 Exploiting Microsoft Office 325
11.2.1 Preparing the Attack 325
11.2.2 Installing Microsoft Office 327
11.2.3 Leveraging Microsoft Word Macros 330
11.3 Abusing Windows Library Files 338
11.3.1 Obtaining Code Execution via Windows Library Files 338
11.4 Wrapping Up 349
12 Antivirus Evasion 350
12.1 Antivirus Software Key Components and Operations 350
12.1.1 Known vs Unknown Threats 350
12.1.2 AV Engines and Components 351
12.1.3 Detection Methods 352
12.2 Bypassing Antivirus Detections 356
12.2.1 On-Disk Evasion 357
12.2.2 In-Memory Evasion 358
12.3 AV Evasion in Practice 359
12.3.1 Testing for AV Evasion 359
12.3.2 Evading AV with Thread Injection 361
12.3.3 Automating the Process 372
12.4 Wrapping Up 379
13 Password Attacks 380
13.1 Attacking Network Services Logins 380
13.1.1 SSH and RDP 381
13.1.2 HTTP POST Login Form 383
13.2 Password Cracking Fundamentals 386
13.2.1 Introduction to Encryption, Hashes and Cracking 387
13.2.2 Mutating Wordlists 392
13.2.3 Cracking Methodology 398
13.2.4 Password Manager 399
13.2.5 SSH Private Key Passphrase 404
13.3 Working with Password Hashes 408
13.3.1 Cracking NTLM 409
13.3.2 Passing NTLM 415
13.3.3 Cracking Net-NTLMv2 419
13.3.4 Relaying Net-NTLMv2 424
13.4 Wrapping Up 427
14 Fixing Exploits 428
14.1 Fixing Memory Corruption Exploits 429
14.1.1 Buffer Overflow in a Nutshell 429
14.1.2 Importing and Examining the Exploit 433
14.1.3 Cross-Compiling Exploit Code 435
14.1.4 Fixing the Exploit 436
14.1.5 Changing the Overflow Buffer 443
14.2 Fixing Web Exploits 445
14.2.1 Considerations and Overview 445
14.2.2 Selecting the Vulnerability and Fixing the Code 445
14.2.3 Troubleshooting the “index out of range” Error 449
14.3 Wrapping Up 452
15 Locating Public Exploits 453
15.1 Getting Started 453
15.1.1 A Word of Caution 453
15.2 Online Exploit Resources 454
15.2.1 The Exploit Database 455
15.2.2 Packet Storm 456
15.2.3 GitHub 457
15.2.4 Google Search Operators 459
15.3 Offline Exploit Resources 460
15.3.1 Exploit Frameworks 460
15.3.2 SearchSploit 461
15.3.3 Nmap NSE Scripts 465
15.4 Exploiting a Target 466
15.4.1 Putting It Together 466
15.5 Wrapping Up 471
16 Windows Privilege Escalation 472
16.1 Enumerating Windows 472
16.1.1 Understanding Windows Privileges and Access Control Mechanisms 473
16.1.2 Situational Awareness
................................ ...... 476 16.1.3 Hidden in Plain View ................................ ................................ ................................ .......... 485 16.1.4 Information Goldmine PowerShell ................................ ................................ ................. 491 16.1.5 Automated Enumeration ................................ ................................ ................................ .. 496 16.2 Leveraging Windows Servi ces ................................ ................................ ................................ 499 16.2.1 Service Binary Hijacking ................................ ................................ ................................ ... 500 16.2.2 Service DLL Hijacking ................................ ................................ ................................ ....... 507 16.2.3 Unquoted Service Paths ................................ ................................ ................................ ... 514 16.3 Abusing Other Windows Components ................................ ................................ ................... 520 16.3.1 Scheduled Tasks ................................ ................................ ................................ ............... 520 16.3.2 Using Exploits ................................ ................................ ................................ ..................... 523 16.4 Wrapping Up ................................ ................................ ................................ ................................ 527 17 Linux Privilege Escalation ................................ ................................ ................................ .............. 528 17.1 Enumerating Linux ................................ ................................ ................................ ...................... 528 17.1.1 Understanding Files and Users Privileges on Linux ................................ .................... 
528 17.1.2 Manual Enumeration ................................ ................................ ................................ ......... 529 17.1.3 Automated Enumeration ................................ ................................ ................................ .. 544 17.2 Exposed Confidential Information ................................ ...........................