The Hacker Playbook 2: Introduction
You have been hired as a penetration tester for a large industrial company called Secure Universal Cyber Kittens, Inc. or SUCK, for short. They are developing future weapons to be used by the highest bidder and you have been given the license to kill…okay, maybe not kill, but the license to hack. This authorization gives you full approval to use any tactic in your arsenal to try to break into and steal the company’s trade secrets.
As you pack your laptop, drop boxes, rubber duckies, Proxmarks, and cables, you almost forget the most important thing…The Hacker Playbook 2 (THP). You know that THP will help get you out of some of the stickiest situations. Your mind begins drifting back to your last engagement…
After cloning some badges and deploying your drop box on the network, you run out of the office, barely sneaking past the security guards. Your drop box connects back to your SSH server and now you are on their network. You want to stay pretty quiet on the network and not trigger any IDS signatures. What do you look for? You flip to the Before the Snap chapter and remember printers! You probe around for a multifunction printer and see that it is configured with default passwords.
Great! You point the printer’s LDAP server setting at your box, set up your netcat listener, and catch the Active Directory credentials the printer sends in its bind. Since you don’t know what permissions these credentials have, you try to psexec to a Windows machine with a custom SMBexec payload. The credentials work and you are now a regular user. After a couple of tricks with PowerTools from the Lateral Pass section, you move to local admin and pull passwords from memory with Mimikatz. Phew… you sigh… this is too easy. After pulling passwords for a few accounts, you find where the domain admins (DA) are logged in and connect to their boxes to pull passwords again. With domain admin creds, it is pretty straightforward to dump the domain controller (DC) with psexec_ntdsgrab and then clear your tracks…
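The printer step above, as an added example that is not from the book: a minimal Python stand-in for the netcat listener that decodes the LDAP simple BindRequest a printer sends once its LDAP server address has been pointed at the tester’s machine. A simple bind carries the DN and password as plain octet strings, which is why a printer’s address-book lookup hands its service account straight to whoever it thinks the LDAP server is. The BER walker handles short- and long-form lengths and refuses anything that is not a simple bind; the sample message, the DN CORP\svc_printer, the password, the port and the listener address are all constructed or assumed here for the example.

```python
import socket
from typing import Tuple


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Encode LDAPMessage{messageID, BindRequest{version 3, name, simple}}.
    Used only to construct sample traffic for this example (msg_id < 128)."""
    bind = (_tlv(0x02, bytes([3]))           # version  INTEGER 3
            + _tlv(0x04, dn.encode())        # name     LDAPDN (OCTET STRING)
            + _tlv(0x80, password.encode())) # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(data: bytes) -> dict:
    """Extract message ID, version, DN and password from a simple BindRequest.
    Raises ValueError if the bytes are not a simple-authentication bind
    (for example a SASL bind, which carries no plaintext password)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:                          # [APPLICATION 0] constructed
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:                          # [0] simple, primitive
        raise ValueError("bind is not simple authentication (SASL?)")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": dn.decode(errors="replace"),
        "password": auth.decode(errors="replace"),
    }


def capture_bind(port: int = 389, timeout: float = 60.0) -> dict:
    """Accept one TCP connection and parse the first LDAP message it sends.
    Stand-in for `nc -lvp 389`; port 389 needs root, or point the printer at
    a high port. Host and port are assumptions for this example."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _peer = srv.accept()
        with conn:
            data = conn.recv(4096)
    return parse_simple_bind(data)


# Constructed sample: what the printer would send to the listener.
SAMPLE_BIND = build_simple_bind(1, "CORP\\svc_printer", "Winter2015!")

if __name__ == "__main__":
    print(parse_simple_bind(SAMPLE_BIND))
```

With a real netcat listener the same bytes land on stdout and the DN and password are usually readable inline; the parser earns its keep when the bind is long enough to use long-form lengths or when the printer negotiates SASL, in which case it raises instead of misreporting a credential that was never there.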
Glad you didn’t forget your copy of THP!
Standards
Before we can dive into THP, we need to understand some of the basics and standards used for penetration testing. This will be the foundation for recon, finding and exploiting vulnerabilities, and reporting. There really is no right way to perform an engagement, but you will need to at least cover the basics.
The Penetration Testing Execution Standard
(PTES - http://www.pentest-standard.org/index.php):
PTES is the current standard for performing penetration tests. Its phases are referenced regularly and describe the core elements of an engagement. I highly recommend that you go through the entire PTES technical guideline, as it is full of detailed information. The accepted model consists of seven main sections:
1. Pre-engagement Interactions
2. Intelligence Gathering
3. Threat Modeling
4. Vulnerability Analysis
5. Exploitation
6. Post Exploitation
7. Reporting
One thing I encourage you to do is to be creative and find what works for you. Although the PTES framework is a great model for performing penetration tests, I like to tweak the standard model to fit the engagement. From experience, the process I typically follow looks something like the following:
1. Intelligence Gathering
2. Initial Foothold
3. Local/Network Enumeration
4. Local Privilege Escalation
5. Persistence
6. Lateral Movement
7. Domain Privilege Escalation
8. Dumping Hashes
9. Data Identification/Exfiltration
10. Reporting
This breakdown shows what I would perform and focus on during a penetration test. After the initial foothold via social engineering, the focus is to acquire a privileged account. To get there, you have to enumerate the system/network and look for misconfigurations or local vulnerabilities. We also need to implement persistence, just in case we end up losing our shells. Once we have an elevated account on a system, we need to see if we can acquire a domain-privileged account. To do this, we need to compromise other boxes to eventually get to a domain admin (DA) account. At a domain controller (DC), the best part of the test is to dump the domain hashes and take a quick break for a happy dance.
The test should not end here. Where customer value really comes into play is going after sensitive data, especially personally identifiable information (PII), intellectual property (IP), or other information requested by the client. Lastly, since we all know that reporting pays the bills, having a good standard template and valuable data will set you apart from the competition.
Of course, this was all a very quick and high-level example of what can occur during an assessment. To guide you through this process, I have tried to develop a format to help you on your path. The Hacker Playbook is set up with 11 sections, laid out as a football playbook. But do not worry, you don’t need to know the football terms in detail to follow along. Here is the breakdown:
● Pregame: This is all about how to set up your lab, attacking machines, and the tools we will use throughout the book.
● Before the Snap: Before you can run any plays, you need to scan your environment and understand what you are up against. We will dive into discovery and smart scanning.
● The Drive: Take the vulnerabilities identified in Before the Snap and start exploiting those systems. This is where we get our hands a little dirty.
● The Throw: Sometimes you need to get creative and look for the open target. We will take a look at how to find and exploit manual web application findings.
● The Lateral Pass: After you have compromised a system, we will discuss ways to move laterally through the network.
● The Screen: A play typically used to trick the defense. This chapter covers social engineering tactics.
● The Onside Kick: A deliberately short kick that requires close distance. Here, I will describe attacks that require physical access.
● The Quarterback Sneak: When you only need a couple of yards, a quarterback sneak is perfect. Sometimes you will get stuck with antivirus (AV); this chapter describes how to get over those small hurdles by evading AV.
● Special Teams: Cracking passwords, exploits, NetHunter and some tricks.
● Two-Minute Drill: You have only two minutes on the clock and you need to go from no access to full domain admin.
● Post-Game Analysis: Reporting your findings.
Updates
As we all know, security changes quickly and things break all the time. I try to keep up with all of the changes and any requests you might have. You can find updates here:
Subscribe for Book Updates:
http://thehackerplaybook.com/subscribe
Twitter: @HackerPlaybook
URL: http://TheHackerPlaybook.com
Github: https://www.github.com/cheetz
Email: book@thehackerplaybook.com