Kim, Peter. The Hacker Playbook 2. 2015

The Hacker Playbook 2: Practical Guide To Penetration Testing
Hacker Playbook 2 Peter Kim

  1. Preface
  2. Introduction
    1. Standards
    2. Updates
  3. Pregame – The Setup
    1. Building A Lab
    2. Building Out A Domain
    3. Building Out Additional Servers
    4. Practice
    5. Building Your Penetration Testing Box
      1. Setting Up A Penetration Testing Box
      2. Hardware
      3. Open Source Versus Commercial Software
      4. Setting Up Your Boxes
      5. Setting Up Kali Linux
      6. Windows VM
      7. Setting Up Windows
      8. Power Up With Powershell
      9. Easy – P
    6. Learning
      1. Metasploitable 2
      2. Binary Exploitation
    7. Summary
    8. Passive Discovery – Open Source Intelligence (OSINT)
      1. Recon-NG
    9. Discover Scripts
    10. Spiderfoot
  4. Creating Password Lists:
    1. Wordhound
    2. Brutescrape
    3. Using Compromised Lists To Find Email Address And Credentials
    4. Gitrob – Github Analysis
    5. OSINT Data Collection
  5. External/Internal Active Discovery
    1. Masscan
    2. Sparta
    3. Http Screenshot
    4. Vulnerability Scanning:
      1. Rapid7 Nexpose/Tenable Nessus
      2. Openvas
    5. Web Application Scanning
      1. The Process For Web Scanning
      2. Web Application Scanning
      3. OWASP Zap Proxy
    6. Parsing Nessus, Nmap, Burp
    7. Summary
  6. The Drive – Exploiting Scanner Findings
    1. Metasploit
      1. From A Terminal In Kali – Initialize And Start Metasploit:
      2. Running Metasploit – Common Configuration Commands:
      3. Running Metasploit – Post Exploitation And Other
      4. Using Metasploit For MS08-067:
    2. Scripts
      1. WarFTP Example
    3. Printers
    4. Heartbleed
    5. Shellshock
      1. Shellshock Lab
    6. Dumping Git Repositories (Kali Linux)
    7. NoSQLmap
      1. Starting NoSQLmap:
    8. Elastic Search (Kali Linux)
      1. Elastic Search Lab:
    9. Summary
    10. Web Application Penetration Testing
      1. SQL Injections
      2. Manual SQL Injection
      3. Cross-Site Scripting (XSS)
      4. Cross-Site Request Forgery (CSRF)
      5. Session Tokens
      6. Additional Fuzzing/Input Validation
      7. Other OWASP Top Ten Vulnerabilities
      8. Functional/Business Logic Testing
    11. Conclusion
  7. The Lateral Pass – Moving Through The Network
    1. On The Network Without Credentials:
      1. Responder.py
    2. ARP (Address Resolution Protocol) Poisoning
      1. Cain and Abel
      2. Ettercap
      3. Backdoor Factory Proxy
      4. Steps After Arp Spoofing
    3. With Any Domain Credentials (Non Admin):
      1. Initial System Recon
      2. Group Policy Preferences
      3. Additional Post Exploitation Tips
      4. Privilege Escalation:
      5. Zero To Hero – Linux:
    4. With Any Local Administrative or Domain Admin Account:
      1. Owning The Network With Credentials and Psexec:
      2. Psexec Commands Across Multiple IPs (Kali Linux)
      3. Move Laterally With WMI (Windows)
      4. Kerberos – MS14-068:
      5. Pass-The-Ticket
      6. Lateral Movement With Postgres SQL
      7. Pulling Cached Credentials
    5. Attacking The Domain Controller:
      1. SMBExec
      2. PSExec_NTDSgrab
    6. Persistence
      1. Veil and Powershell
      2. Persistence With Scheduled Tasks
      3. Golden Ticket
      4. Skeleton Key
      5. Sticky Keys
    7. Conclusions
  8. The Scream – Social Engineering
    1. Doppelganger Domains
      1. SMTP Attack
      2. SSH Attack
    2. Phishing
      1. Manual Phishing Code
    3. Phishing Reporting
  9. The Onside Kick – Attacks That Require Physical Access
    1. Exploiting Wireless
      1. Passive – Identification and Reconnaissance
      2. Active Attacks
    2. Badge Cloning
      1. Get It Working In Kali Nethunter
    3. Kon-Boot
      1. Windows
      2. OS X
    4. Pentesting Drop Box – Raspberry Pi 2
    5. Rubber Ducky (http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe)
    6. Conclusion
  10. The Quarterback Sneak – Evading AV
    1. Evading AV
      1. The Backdoor Factory
      2. Hiding WCE From AV (Windows)
      3. Veil
      4. SMBExec
      5. PeCloak.py
      6. Python
    2. Other Keyloggers
      1. Keylogger Using Nishang
      2. Keylogger Using Powersploit
    3. Conclusion
  11. Special Teams – Cracking, Exploits, And Tricks
    1. Password Cracking
      1. John the Ripper
      2. OclHashcat
    2. Vulnerability Searching
      1. Searchsploit (Kali Linux)
      2. Bugtraq
      3. Exploit-db
      4. Querying Metasploit
    3. Tips and Tricks
      1. RC Scripts Within Metasploit
      2. Windows Sniffer
      3. Bypass UAC
      4. Kali Linux Nethunter
      5. Building A Custom Reverse Shell
      6. Evading Application Based Firewalls
      7. Powershell
      8. Windows 7/8 Uploading Files To The Host
      9. Pivoting
    4. Commercial Tools:
      1. Cobalt Strike
      2. Immunity Canvas
      3. Core Impact
    5. Ten-Yard Line
    6. Twenty-Yard Line
    7. Thirty-Yard Line
    8. Fifty-Yard Line
    9. Seventy-Yard Line
    10. Eighty-Yard Line
    11. Goal Line
    12. Touchdown! Touchdown! Touchdown!
    13. Bug Bounties
    14. Major Security Conferences
    15. Training Courses:
    16. Free Training
    17. Capture The Flag
    18. Keeping Up To Date
      1. Mailing Lists
      2. Podcasts
    19. Learning From The Bad Guys
      1. Some Examples:
  12. Final Notes
  13. Special Thanks