The book is a practical guide to automating tasks, developing living-off-the-land attacks, and much more.
It covers:
- Bash scripting fundamentals: control structures, functions, loops, and text processing with grep, awk and sed.
- Setting up a lab.
- Reconnaissance and vulnerability scanning: host discovery methods, fuzzing, and port scanning with tools such as Wfuzz, Nmap and Nuclei.
- Exploitation and privilege escalation: web shells, reverse shells, and establishing a foothold.
- Defense evasion and lateral movement: checking a host for traps, evading detection, and moving through the network.
Copyright
About the Authors
About the Technical Reviewer
Brief Contents
Contents in Detail
Acknowledgments
Introduction
What Is in This Book
The Scripting Exercises
How to Use This Book
1. Bash Basics
Environmental Setup
Accessing the Bash Shell
Installing a Text Editor
Exploring the Shell
Checking Environment Variables
Running Linux Commands
Elements of a Bash Script
The Shebang Line
Comments
Commands
Execution
Debugging
Basic Syntax
Variables
Arithmetic Operators
Arrays
Streams
Control Operators
Redirection Operators
Positional Arguments
Input Prompting
Exit Codes
Exercise 1: Recording Your Name and the Date
Summary
2. Flow Control and Text Processing
Test Operators
if Conditions
Linking Conditions
Testing Command Success
Checking Subsequent Conditions
Functions
Returning Values
Accepting Arguments
Loops and Loop Controls
while
until
for
break and continue
case Statements
Text Processing and Parsing
Filtering with grep
Filtering with awk
Editing Streams with sed
Job Control
Managing the Background and Foreground
Keeping Jobs Running After Logout
Bash Customizations for Penetration Testers
Placing Scripts in Searchable Paths
Shortening Commands with Aliases
Customizing the ~/.bashrc Profile
Importing Custom Scripts
Capturing Terminal Session Activity
Exercise 2: Pinging a Domain
Summary
3. Setting Up a Hacking Lab
Security Lab Precautions
Installing Kali
The Target Environment
Installing Docker and Docker Compose
Cloning the Book’s Repository
Deploying Docker Containers
Testing and Verifying the Containers
The Network Architecture
The Public Network
The Corporate Network
Kali Network Interfaces
The Machines
Managing the Lab
Shutting Down
Removing
Rebuilding
Accessing Individual Lab Machines
Installing Additional Hacking Tools
WhatWeb
RustScan
Nuclei
dirsearch
Linux Exploit Suggester 2
Gitjacker
pwncat
LinEnum
unix-privesc-check
Assigning Aliases to Hacking Tools
Summary
4. Reconnaissance
Creating Reusable Target Lists
Consecutive IP Addresses
Possible Subdomains
Host Discovery
ping
Nmap
arp-scan
Exercise 3: Receiving Alerts About New Hosts
Port Scanning
Nmap
RustScan
Netcat
Exercise 4: Organizing Scan Results
Detecting New Open Ports
Banner Grabbing
Using Active Banner Grabbing
Detecting HTTP Responses
Using Nmap Scripts
Detecting Operating Systems
Analyzing Websites and JSON
Summary
5. Vulnerability Scanning and Fuzzing
Scanning Websites with Nikto
Building a Directory Indexing Scanner
Identifying Suspicious robots.txt Entries
Exercise 5: Exploring Non-indexed Endpoints
Brute-Forcing Directories with dirsearch
Exploring Git Repositories
Cloning the Repository
Viewing Commits with git log
Filtering git log Information
Inspecting Repository Files
Vulnerability Scanning with Nuclei
Understanding Templates
Writing a Custom Template
Applying the Template
Running a Full Scan
Exercise 6: Parsing Nuclei’s Findings
Fuzzing for Hidden Files
Creating a Wordlist of Possible Filenames
Fuzzing with ffuf
Fuzzing with Wfuzz
Assessing SSH Servers with Nmap’s Scripting Engine
Exercise 7: Combining Tools to Find FTP Issues
Summary
6. Gaining a Web Shell
Arbitrary File Upload Vulnerabilities
Fuzzing for Arbitrary File Uploads
Bypassing File Upload Controls
Uploading Files with Burp Suite
Staging Web Shells
Finding Directory Traversal Vulnerabilities
Uploading Malicious Payloads
Executing Web Shell Commands
Exercise 8: Building a Web Shell Interface
Limitations of Web Shells
Lack of Persistence
Lack of Real-Time Responses
Limited Functionality
OS Command Injection
Exercise 9: Building a Command Injection Interface
Bypassing Command Injection Restrictions
Obfuscation and Encoding
Globbing
Summary
7. Reverse Shells
How Reverse Shells Work
Ingress vs. Egress Controls
Shell Payloads and Listeners
The Communication Sequence
Executing a Connection
Setting Up a Netcat Listener
Crafting a Payload
Delivering and Initializing the Payload
Executing Commands
Listening with pwncat
Bypassing Security Controls
Encrypting and Encapsulating Traffic
Alternating Between Destination Ports
Spawning TTY Shells with Pseudo-terminal Devices
Python’s pty Module
socat
Post-exploitation Binary Staging
Serving Netcat
Uploading Files with pwncat
Downloading Binaries from Trusted Sites
Exercise 10: Maintaining a Continuous Reverse Shell Connection
Initial Access with Brute Force
Exercise 11: Brute-Forcing an SSH Server
Summary
8. Local Information Gathering
The Filesystem Hierarchy Standard
The Shell Environment
Environment Variables
Sensitive Information in Bash Profiles
Users and Groups
Local Accounts
Local Groups
Home Folder Access
Valid Shells
Processes
Viewing Process Files
Running ps
Examining Root Processes
The Operating System
Exercise 12: Writing a Linux Operating System Detection Script
Login Sessions and User Activity
Collecting User Sessions
Investigating Executed Commands
Networking
Network Interfaces and Routes
Connections and Neighbors
Firewall Rules
Network Interface Configuration Files
Domain Resolvers
Software Installations
Storage
Block Devices
The Filesystem Tab File
Logs
System Logs
Application Logs
Exercise 13: Recursively Searching for Readable Logfiles
Kernels and Bootloaders
Configuration Files
Scheduled Tasks
Cron
At
Exercise 14: Writing a Cron Job Script to Find Credentials
Hardware
Virtualization
Using Dedicated Tools
Living Off the Land
Automating Information Gathering with LinEnum
Exercise 15: Adding Custom Functionality to LinEnum
Summary
9. Privilege Escalation
What Is Privilege Escalation?
Linux File and Directory Permissions
Viewing Permissions
Setting Permissions
Creating File Access Control Lists
Viewing SetUID and SetGID
Setting the Sticky Bit
Finding Files Based on Permissions
Exploiting a SetUID Misconfiguration
Scavenging for Credentials
Passwords and Secrets
Private Keys
Exercise 16: Brute-Forcing GnuPG Key Passphrases
Examining the sudo Configuration
Abusing Text Editor Tricks
Downloading Malicious sudoers Files
Hijacking Executables via PATH Misconfigurations
Exercise 17: Maliciously Modifying a Cron Job
Finding Kernel Exploits
SearchSploit
Linux Exploit Suggester 2
Attacking Adjacent Accounts
Privilege Escalation with GTFOBins
Exercise 18: Mapping GTFOBins Exploits to Local Binaries
Automating Privilege Escalation
LinEnum
unix-privesc-check
MimiPenguin
Linuxprivchecker
Bashark
Summary
10. Persistence
The Enemies of Persistent Access
Modifying Service Configurations
System V
systemd
Hooking into Pluggable Authentication Modules
Exercise 19: Coding a Malicious pam_exec Bash Script
Generating Rogue SSH Keys
Repurposing Default System Accounts
Poisoning Bash Environment Files
Exercise 20: Intercepting Data via Profile Tampering
Credential Theft
Hooking a Text Editor
Streaming Executed Commands
Forging a Not-So-Innocent sudo
Exercise 21: Hijacking Password Utilities
Distributing Malicious Packages
Understanding DEB Packages
Packaging Innocent Software
Converting Package Formats with alien
Exercise 22: Writing a Malicious Package Installer
Summary
11. Network Probing and Lateral Movement
Probing the Corporate Network
Service Mapping
Port Frequencies
Exercise 23: Scanning Ports Based on Frequencies
Exploiting Cron Scripts on Shared Volumes
Verifying Exploitability
Checking the User Context
Exercise 24: Gaining a Reverse Shell on the Backup Server
Exploiting a Database Server
Port Forwarding
Brute-Forcing with Medusa
Backdooring WordPress
Running SQL Commands with Bash
Exercise 25: Executing Shell Commands via WordPress
Compromising a Redis Server
Raw CLI Commands
Metasploit
Exposed Database Files
Dumping Sensitive Information
Uploading a Web Shell with SQL
Summary
12. Defense Evasion and Exfiltration
Defensive Controls
Endpoint Security
Application and API Security
Network Security
Honeypots
Log Collection and Aggregation
Exercise 26: Auditing Hosts for Landmines
Concealing Malicious Processes
Library Preloading
Process Hiding
Process Masquerading
Exercise 27: Rotating Process Names
Dropping Files in Shared Memory
Disabling Runtime Security Controls
Manipulating History
Tampering with Session Metadata
Concealing Data
Encoding
Encryption
Exercise 28: Writing Substitution Cipher Functions
Exfiltration
Raw TCP
DNS
Text Storage Sites
Slack Webhooks
Sharding Files
Number of Lines
Size
Chunks
Exercise 29: Sharding and Scheduling Exfiltration
Summary
Index
Download from libgen
or from DamageLiB
P.S. Given that the entire Blackhat something... series has been translated into Russian by the publisher Piter, this one will most likely be translated too.