Title Details

MIKE CHAPPLE, PHD, CISSP, PenTest+, is Associate Teaching Professor of IT, Analytics, and Operations at the University of Notre Dame. He's a cybersecurity professional and educator with over 20 years of experience, and provides cybersecurity certification resources at his website, CertMike.com. DAVID SEIDL, CISSP, CySA+, Pentest+, GPEN, GCIH is Senior Director for Campus Technology Services at the University of Notre Dame. A former Director of Information Security, he is now responsible for cloud operations, middleware, enterprise operating systems, applications, and identity and access management.

Introduction xxv

Assessment Test lvi

Chapter 1 Penetration Testing 1

What Is Penetration Testing? 2

Cybersecurity Goals 2

Adopting the Hacker Mind-Set 4

Reasons for Penetration Testing 5

Benefits of Penetration Testing 5

Regulatory Requirements for Penetration Testing 6

Who Performs Penetration Tests? 8

Internal Penetration Testing Teams 8

External Penetration Testing Teams 9

Selecting Penetration Testing Teams 9

The CompTIA Penetration Testing Process 10

Planning and Scoping 11

Information Gathering and Vulnerability Identification 11

Attacking and Exploiting 12

Reporting and Communicating Results 13

The Cyber Kill Chain 13

Reconnaissance 15

Weaponization 15

Delivery 16

Exploitation 16

Installation 16

Command and Control 16

Actions on Objectives 17

Tools of the Trade 17

Reconnaissance 19

Vulnerability Scanners 20

Social Engineering 21

Credential-Testing Tools 21

Debuggers 21

Software Assurance 22

Network Testing 22

Remote Access 23

Exploitation 23

Summary 23

Exam Essentials 24

Lab Exercises 25

Activity 1.1: Adopting the Hacker Mind-Set 25

Activity 1.2: Using the Cyber Kill Chain 25

Review Questions 26

Chapter 2 Planning and Scoping Penetration Tests 31

Scoping and Planning Engagements 35

Assessment Types 36

White Box, Black Box, or Gray Box? 36

The Rules of Engagement 38

Scoping Considerations: A Deeper Dive 40

Support Resources for Penetration Tests 42

Key Legal Concepts for Penetration Tests 45

Contracts 45

Data Ownership and Retention 46

Authorization 46

Environmental Differences 46

Understanding Compliance-Based Assessments 48

Summary 50

Exam Essentials 51

Lab Exercises 52

Review Questions 53

Chapter 3 Information Gathering 57

Footprinting and Enumeration 60

OSINT 61

Location and Organizational Data 64

Infrastructure and Networks 67

Security Search Engines 72

Active Reconnaissance and Enumeration 74

Hosts 75

Services 75

Networks, Topologies, and Network Traffic 81

Packet Crafting and Inspection 83

Enumeration 84

Information Gathering and Code 88

Information Gathering and Defenses 89

Defenses Against Active Reconnaissance 90

Preventing Passive Information Gathering 90

Summary 90

Exam Essentials 91

Lab Exercises 92

Activity 3.1: Manual OSINT Gathering 92

Activity 3.2: Exploring Shodan 93

Activity 3.3: Running a Nessus Scan 93

Review Questions 94

Chapter 4 Vulnerability Scanning 99

Identifying Vulnerability Management Requirements 102

Regulatory Environment 102

Corporate Policy 106

Support for Penetration Testing 106

Identifying Scan Targets 106

Determining Scan Frequency 107

Configuring and Executing Vulnerability Scans 109

Scoping Vulnerability Scans 110

Configuring Vulnerability Scans 111

Scanner Maintenance 117

Software Security Testing 119

Analyzing and Testing Code 120

Web Application Vulnerability Scanning 121

Developing a Remediation Workflow 125

Prioritizing Remediation 126

Testing and Implementing Fixes 127

Overcoming Barriers to Vulnerability Scanning 127

Summary 129

Exam Essentials 129

Lab Exercises 130

Activity 4.1: Installing a Vulnerability Scanner 130

Activity 4.2: Running a Vulnerability Scan 130

Activity 4.3: Developing a Penetration Test Vulnerability Scanning Plan 131

Review Questions 132

Chapter 5 Analyzing Vulnerability Scans 137

Reviewing and Interpreting Scan Reports 138

Understanding CVSS 142

Validating Scan Results 147

False Positives 147

Documented Exceptions 147

Understanding Informational Results 148

Reconciling Scan Results with Other Data Sources 149

Trend Analysis 149

Common Vulnerabilities 150

Server and Endpoint Vulnerabilities 151

Network Vulnerabilities 161

Virtualization Vulnerabilities 167

Internet of Things (IoT) 169

Web Application Vulnerabilities 170

Summary 172

Exam Essentials 173

Lab Exercises 174

Activity 5.1: Interpreting a Vulnerability Scan 174

Activity 5.2: Analyzing a CVSS Vector 174

Activity 5.3: Developing a Penetration Testing Plan 175

Review Questions 176

Chapter 6 Exploit and Pivot 181

Exploits and Attacks 184

Choosing Targets 184

Identifying the Right Exploit 185

Exploit Resources 188

Developing Exploits 189

Exploitation Toolkits 191

Metasploit 192

PowerSploit 198

Exploit Specifics 199

RPC/DCOM 199

PsExec 199

PS Remoting/WinRM 199

WMI 200

Scheduled Tasks and cron Jobs 200

SMB 201

RDP 202

Apple Remote Desktop 203

VNC 203

X-Server Forwarding 203

Telnet 203

SSH 204

Leveraging Exploits 204

Common Post-Exploit Attacks 204

Privilege Escalation 207

Social Engineering 208

Persistence and Evasion 209

Scheduled Jobs and Scheduled Tasks 209

Inetd Modification 210

Daemons and Services 210

Back Doors and Trojans 210

New Users 211

Pivoting 211

Covering Your Tracks 212

Summary 213

Exam Essentials 214

Lab Exercises 215

Activity 6.1: Exploit 215

Activity 6.2: Discovery 215

Activity 6.3: Pivot 216

Review Questions 217

Chapter 7 Exploiting Network Vulnerabilities 223

Conducting Network Exploits 226

VLAN Hopping 226

Network Proxies 228

DNS Cache Poisoning 228

Man-in-the-Middle 229

NAC Bypass 233

DoS Attacks and Stress Testing 234

Exploiting Windows Services 236

NetBIOS Name Resolution Exploits 236

SMB Exploits 240

Exploiting Common Services 240

SNMP Exploits 241

SMTP Exploits 242

FTP Exploits 243

Samba Exploits 244

Wireless Exploits 245

Evil Twins and Wireless MITM 245

Other Wireless Protocols and Systems 247

RFID Cloning 248

Jamming 249

Repeating 249

Summary 250

Exam Essentials 251

Lab Exercises 251

Activity 7.1: Capturing Hashes 251

Activity 7.2: Brute-Forcing Services 252

Activity 7.3: Wireless Testing 253

Review Questions 254

Chapter 8 Exploiting Physical and Social Vulnerabilities 259

Physical Facility Penetration Testing 262

Entering Facilities 262

Information Gathering 266

Social Engineering 266

In-Person Social Engineering 267

Phishing Attacks 269

Website-Based Attacks 270

Using Social Engineering Tools 270

Summary 273

Exam Essentials 274

Lab Exercises 275

Activity 8.1: Designing a Physical Penetration Test 275

Activity 8.2: Brute-Forcing Services 276

Activity 8.3: Using Beef 276

Review Questions 278

Chapter 9 Exploiting Application Vulnerabilities 283

Exploiting Injection Vulnerabilities 287

Input Validation 287

Web Application Firewalls 288

SQL Injection Attacks 289

Code Injection Attacks 292

Command Injection Attacks 293

Exploiting Authentication Vulnerabilities 293

Password Authentication 294

Session Attacks 295

Kerberos Exploits 298

Exploiting Authorization Vulnerabilities 299

Insecure Direct Object References 299

Directory Traversal 300

File Inclusion 301

Exploiting Web Application Vulnerabilities 302

Cross-Site Scripting (XSS) 302

Cross-Site Request Forgery (CSRF/XSRF) 305

Clickjacking 305

Unsecure Coding Practices 306

Source Code Comments 306

Error Handling 306

Hard-Coded Credentials 307

Race Conditions 308

Unprotected APIs 308

Unsigned Code 308

Application Testing Tools 308

Static Application Security Testing (SAST) 309

Dynamic Application Security Testing (DAST) 310

Mobile Tools 313

Summary 313

Exam Essentials 313

Lab Exercises 314

Activity 9.1: Application Security Testing Techniques 314

Activity 9.2: Using the ZAP Proxy 314

Activity 9.3: Creating a Cross-Site Scripting Vulnerability 315

Review Questions 316

Chapter 10 Exploiting Host Vulnerabilities 321

Attacking Hosts 325

Linux 325

Windows 331

Cross-Platform Exploits 338

Remote Access 340

SSH 340

NETCAT and Ncat 341

Proxies and Proxychains 341

Metasploit and Remote Access 342

Attacking Virtual Machines and Containers 342

Virtual Machine Attacks 343

Container Attacks 344

Physical Device Security 345

Cold-Boot Attacks 345

Serial Consoles 345

JTAG Debug Pins and Ports 346

Attacking Mobile Devices 347

Credential Attacks 348

Credential Acquisition 348

Offline Password Cracking 349

Credential Testing and Brute-Forcing Tools 350

Wordlists and Dictionaries 351

Summary 352

Exam Essentials 353

Lab Exercises 354

Activity 10.1: Dumping and Cracking the Windows SAM and Other Credentials 354

Activity 10.2: Cracking Passwords Using Hashcat 355

Activity 10.3: Setting Up a Reverse Shell and a Bind Shell 356

Review Questions 358

Chapter 11 Scripting for Penetration Testing 363

Scripting and Penetration Testing 364

Bash 365

PowerShell 366

Ruby 367

Python 368

Variables, Arrays, and Substitutions 368

Bash 370

PowerShell 371

Ruby 371

Python 372

Comparison Operations 372

String Operations 373

Bash 375

PowerShell 376

Ruby 377

Python 378

Flow Control 378

Conditional Execution 379

For Loops 384

While Loops 389

Input and Output (I/O) 394

Redirecting Standard Input and Output 394

Error Handling 395

Bash 395

PowerShell 396

Ruby 396

Python 396

Summary 397

Exam Essentials 397

Lab Exercises 398

Activity 11.1: Reverse DNS Lookups 398

Activity 11.2: Nmap Scan 398

Review Questions 399

Chapter 12 Reporting and Communication 405

The Importance of Communication 408

Defining a Communication Path 408

Communication Triggers 408

Goal Reprioritization 409

Recommending Mitigation Strategies 409

Finding: Shared Local Administrator Credentials 411

Finding: Weak Password Complexity 411

Finding: Plain Text Passwords 413

Finding: No Multifactor Authentication 413

Finding: SQL Injection 414

Finding: Unnecessary Open Services 415

Writing a Penetration Testing Report 415

Structuring the Written Report 415

Secure Handling and Disposition of Reports 417

Wrapping Up the Engagement 418

Post-Engagement Cleanup 418

Client Acceptance 419

Lessons Learned 419

Follow-Up Actions/Retesting 419

Attestation of Findings 419

Summary 420

Exam Essentials 420

Lab Exercises 421

Activity 12.1: Remediation Strategies 421

Activity 12.2: Report Writing 421

Review Questions 422

Appendix

Answers to Review Questions 425

Chapter 1: Penetration Testing 426

Chapter 2: Planning and Scoping Penetration Tests 427

Chapter 3: Information Gathering 429

Chapter 4: Vulnerability Scanning 431

Chapter 5: Analyzing Vulnerability Scans 433

Chapter 6: Exploit and Pivot 434

Chapter 7: Exploiting Network Vulnerabilities 436

Chapter 8: Exploiting Physical and Social Vulnerabilities 438

Chapter 9: Exploiting Application Vulnerabilities 440

Chapter 10: Exploiting Host Vulnerabilities 442

Chapter 11: Script for Penetration Testing 444

Chapter 12: Reporting and Communication 445

Index 447