the hacker playbook.pdf
Preface
Introduction
Standards
Updates
Pregame - The Setup
Building A Lab
Building Out A Domain
Building Out Additional Servers
Practice
Building Your Penetration Testing Box
Setting Up A Penetration Testing Box
Hardware
Open Source Versus Commercial Software
Setting Up Your Boxes
Setting Up Kali Linux
Windows VM
Setting Up Windows
Power Up With Powershell
Easy-P
Learning
Metasploitable 2
Binary Exploitation
Summary
Passive Discovery - Open Source Intelligence (OSINT)
Recon-NG
Discover Scripts
Spiderfoot
Creating Password Lists:
Wordhound
Brutescrape
Using Compromised Lists To Find Email Addresses And Credentials
Gitrob - Github Analysis
OSINT Data Collection
External/Internal Active Discovery
Masscan
Sparta
Http Screenshot
Vulnerability Scanning:
Rapid7 Nexpose/Tenable Nessus
Openvas
Web Application Scanning
The Process For Web Scanning
Web Application Scanning
OWASP Zap Proxy
Parsing Nessus, Nmap, Burp
Summary
The Drive - Exploiting Scanner Findings
Metasploit
From A Terminal In Kali - Initialize And Start Metasploit:
Running Metasploit - Common Configuration Commands:
Running Metasploit - Post Exploitation And Other
Using Metasploit For MS08-067:
Scripts
WarFTP Example
Printers
Heartbleed
Shellshock
Shellshock Lab
Dumping Git Repositories (Kali Linux)
NoSQLmap
Starting NoSQLmap:
Elastic Search (Kali Linux)
Elastic Search Lab:
Summary
Web Application Penetration Testing
SQL Injections
Manual SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Session Tokens
Additional Fuzzing/Input Validation
Other OWASP Top Ten Vulnerabilities
Functional/Business Logic Testing
Conclusion
The Lateral Pass - Moving Through The Network
On The Network Without Credentials:
Responder.py
ARP (address resolution protocol) Poisoning
Cain and Abel
Ettercap
Backdoor Factory Proxy
Steps After Arp Spoofing:
With Any Domain Credentials (Non-Admin):
Initial System Recon
Group Policy Preferences:
Additional Post Exploitation Tips
Privilege Escalation:
Zero To Hero - Linux:
With Any Local Administrative or Domain Admin Account:
Owning The Network With Credentials And Psexec:
Psexec Commands Across Multiple IPS (Kali Linux)
Move Laterally With WMI (windows)
Kerberos - MS14-068:
Pass-The-Ticket
Lateral Movement With Postgres SQL
Pulling Cached Credentials
Attacking The Domain Controller:
SMBExec
PSExec_NTDSgrab
Persistence
Veil And Powershell
Persistence With Schedule Tasks
Golden Ticket
Skeleton Key
Sticky Keys
Conclusion
The Screen - Social Engineering
Doppelganger Domains
SMTP Attack
SSH Attack
Phishing
Manual Phishing Code
Phishing Reporting
The Onside Kick - Attacks That Require Physical Access
Exploiting Wireless
Passive - Identification and Reconnaissance
Active Attacks
Badge Cloning
Get It Working In Kali Nethunter
Kon-Boot
Windows
OS X:
Pentesting Drop Box - Raspberry Pi 2
Rubber Ducky
(http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe)
Conclusion
The Quarterback Sneak - Evading AV
Evading AV
The Backdoor Factory
Hiding WCE From AV (windows)
Veil
SMBExec
PeCloak.py
Python
Other Keyloggers
Keylogger Using Nishang
Keylogger Using Powersploit
Conclusion
Special Teams - Cracking, Exploits, And Tricks
Password Cracking
John The Ripper
OclHashcat
Vulnerability Searching
Searchsploit (Kali Linux)
Bugtraq
Exploit-db
Querying Metasploit
Tips and Tricks
RC Scripts Within Metasploit
Windows Sniffer
Bypass UAC
Kali Linux Nethunter
Building A Custom Reverse Shell
Evading Application Based Firewalls
Powershell
Windows 7/8 Uploading Files To The Host
Pivoting
Commercial Tools:
Cobalt Strike:
Immunity Canvas
Core Impact
Ten-Yard Line:
Twenty-Yard Line:
Thirty-Yard Line:
Fifty-Yard Line:
Seventy-Yard Line:
Eighty-Yard Line:
Goal Line:
Touchdown! Touchdown! Touchdown!
Bug Bounties:
Major Security Conferences:
Training Courses:
Free Training:
Capture The Flag (CTF)
Keeping Up To Date
Mailing Lists
Podcasts
Learning From The Bad Guys
Some Examples:
Final Notes
Special Thanks
The Hacker Playbook 2: Practical Guide To Penetration Testing
Peter Kim

Copyright © 2015 by Secure Planet LLC. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the author.
ISBN-13: 978-1512214567
ISBN-10: 1512214566
Library of Congress Control Number: 2015908471
CreateSpace Independent Publishing Platform, North Charleston, South Carolina
MHID:
Book design and production by Peter Kim, Secure Planet LLC
Cover design by Dit Vannouvong
Publisher: Secure Planet LLC
Published: 1st July 2015

Dedication
To Kristen, our dog Dexter, and my family. Thank you for all of your support, even when you had no clue what I was talking about.