The Art of Network Penetration Testing
Taking over any company in the world
Royce Davis
  • MEAP began August 2019
  • Publication in September 2020 (estimated)
  • ISBN 9781617296826
  • 280 pages (estimated)
  • printed in black & white

If you're interested in understanding what a pen test is, and what it's not, you need to read this book.

Chris Heneghan
Penetration testing is about more than just getting through a perimeter firewall. The biggest security threats are inside the network, where attackers can rampage through sensitive data by exploiting weak access controls and poorly patched software. Designed for up-and-coming security professionals, The Art of Network Penetration Testing teaches you how to take over an enterprise network from the inside. It lays out every stage of an internal security assessment step-by-step, showing you how to identify weaknesses before a malicious invader can do real damage.

About the Technology

Packed with valuable personal and financial data, business computer systems are attractive targets to cyber criminals. As a penetration tester, your job is to attack an organization’s IT applications and infrastructure to find the vulnerabilities a real intruder would exploit. Master pentesters need the skill to identify internal security flaws that would allow a bad actor to compromise file systems, email, databases, and other core components of a modern connected enterprise.

About the book

The Art of Network Penetration Testing is a hands-on guide to running your own penetration test on an enterprise network. After setting up a virtual environment to use as your lab, you’ll work step-by-step through every stage of a professional pentest, from information gathering to seizing control of a vulnerable system. You’ll learn a repeatable process you can use to identify valuable targets within a typical enterprise environment, perform controlled exploitation of critical security weaknesses, elevate network level privileges, and pivot laterally through the network. Finally, you’ll learn how to write up your findings in a clear and actionable report, to ensure a system can be protected against the weaknesses you’ve identified.
Table of Contents detailed table of contents

1 Network penetration testing

1.1 Corporate data breaches

1.2 How hackers break in

1.2.1 The defender role

1.2.2 The attacker role

1.3 Adversarial attack simulation: penetration testing

1.3.1 Typical INPT workflow

1.4 When a penetration test is least effective

1.4.1 Low-hanging fruit

1.4.2 When does a company really need a penetration test?

1.5 Executing a network penetration test

1.5.1 Information-gathering

1.5.2 Focused penetration

1.5.3 Privilege escalation

1.5.4 Documentation

1.6 Setting up your lab environment

1.6.1 The Capsulecorp-pentest project

1.7 Building your own virtual pentest platform

1.7.1 Begin with Linux

1.7.2 The Ubuntu project

1.7.3 Why not use a pentest distribution?

1.8 Summary

Part 1: Information-gathering (Phase 1)

2 Discovering network hosts

2.1 Understanding your engagement scope

2.1.1 Black, white, and grey box scoping

2.1.2 The Capsule Corporation

2.1.3 Setting up the capsulecorp pentest environment

2.2 Internet control message protocol

2.2.1 Using the ping command

2.2.2 Using Bash to pingsweep a network range

2.2.3 Limitations of using the ping command

2.3 Discovering hosts with nmap

2.3.1 ICMP echo discovery probe

2.3.2 Primary output formats

2.3.3 Using remote management interface ports

2.3.4 Increasing nmap scan performance

2.4 Additional host discovery methods

2.4.1 DNS brute forcing

2.4.2 Packet capture and analysis

2.4.3 Hunting for subnets

2.5 Summary

3 Discovering network services

3.1 Network services from an attacker’s perspective

3.1.1 Understanding network service communication

3.1.2 Identifying listening network services

3.1.3 Network service banners

3.2 Port scanning with nmap

3.2.1 Commonly used ports

3.2.2 Scanning all 65,536 TCP ports

3.2.3 Sorting through NSE script output

3.3 Parsing XML output with Ruby

3.3.1 Creating protocol specific target lists

3.4 Summary

4 Discovering network vulnerabilities

4.1 Understanding vulnerability discovery

4.1.1 Following the path of least resistance

4.2 Discovering patching vulnerabilities

4.2.1 Scanning for MS17-010 Eternal Blue

4.3 Discovering authentication vulnerabilities

4.3.1 Creating a client-specific password list

4.3.2 Brute-forcing local Windows account passwords

4.3.3 Brute-forcing MSSQL and MySQL database passwords

4.3.4 Brute-forcing VNC passwords

4.4 Discovering configuration vulnerabilities

4.4.1 Setting up Webshot

4.4.2 Analyzing output from Webshot

4.4.3 Manually guessing web server passwords

4.4.4 Preparing for focused penetration

4.5 Summary

Part 2: Focused penetration (Phase 2)

5 Attacking vulnerable web services

5.1 Understanding phase 2: focused-penetration

5.1.1 Deploying backdoor web shells

5.1.2 Accessing remote management services

5.1.3 Exploiting missing software patches

5.2 Gaining an initial foothold

5.3 Compromising a vulnerable Tomcat server

5.3.1 Creating a malicious WAR file

5.3.2 Deploying the WAR file

5.3.3 Accessing the web shell from a browser

5.4 Interactive versus non-interactive shells

5.5 Upgrading to an interactive shell

5.5.1 Backing up sethc.exe

5.5.2 Modifying file ACLs with cacls.exe

5.5.3 Launching Sticky Keys via RDP

5.6 Compromising a vulnerable Jenkins server

5.6.1 Groovy script console execution

5.7 Summary

6 Attacking vulnerable database services

6.1 Compromising Microsoft SQL Server

6.1.1 MSSQL stored procedures

6.1.2 Enumerating MSSQL servers with metasploit

6.1.3 Enabling xp_cmdshell

6.1.4 Running operating system commands with xp_cmdshell

6.2 Stealing Windows account password hashes

6.2.1 Copying registry hives with reg.exe

6.2.2 Downloading registry hive copies

6.3 Extracting password hashes with Creddump

6.3.1 Understanding pwdump’s output

6.4 Summary

7 Attacking unpatched services

7.1 Understanding software exploits

7.1.1 Understanding the typical exploit lifecycle

7.2 Compromising MS17-010 with Metasploit

7.2.1 Verifying that the patch is missing

7.2.2 Using the ms17_010_psexec exploit module

7.3 The meterpreter shell payload

7.3.1 Useful meterpreter commands

7.4 Cautions about the public exploit database

7.4.1 Generating custom shellcode

7.5 Summary

Part 3: Post-exploitation & privilege escalation (Phase 3)

8 Windows post-exploitation

8.1 Fundamental post-exploitation objectives

8.1.1 Maintaining reliable re-entry

8.1.2 Harvesting credentials

8.1.3 Moving laterally

8.2 Maintaining reliable re-entry with meterpreter

8.2.1 Installing a meterpreter autorun backdoor executable

8.3 Harvesting credentials with Mimikatz

8.3.1 Using the meterpreter extension

8.4 Harvesting domain cached credentials

8.4.1 Using the meterpreter post module

8.4.2 Cracking cached credentials with John the Ripper

8.4.3 Using a dictionary file with John the Ripper

8.5 Harvesting credentials from the filesystem

8.5.1 Locating files with findstr and where

8.6 Moving laterally with pass-the-hash

8.6.1 Using the Metasploit smb_login module

8.6.2 Using CrackMapExec

8.7 Summary

9 Linux or UNIX post-exploitation

9.1 Maintaining reliable re-entry with cron jobs

9.1.1 Creating an SSH key pair

9.1.2 Enabling Pubkey Authentication

9.1.3 Tunneling through SSH

9.1.4 Automating an SSH tunnel with cron

9.2 Harvesting credentials

9.2.1 Harvesting credentials from Bash history

9.2.2 Harvesting password hashes

9.3 Escalating privileges with SUID binaries

9.3.1 Locating SUID binaries with the find command

9.3.2 Inserting a new user into /etc/passwd

9.4 Passing around SSH keys

9.4.1 Stealing keys from a compromised host

9.4.2 Scanning multiple targets with Metasploit

9.5 Summary

10 Controlling the entire network

10.1 Identifying domain admin user accounts

10.1.1 Using net to query Active Directory groups

10.1.2 Locating logged in domain admin users

10.2 Obtaining domain admin privileges

10.2.1 Impersonating logged in users with Incognito

10.2.2 Harvesting cleartext credentials with Mimikatz

10.3 Ntds.dit and the keys to the kingdom

10.3.1 Bypassing restrictions with volume shadow copies

10.3.2 Extracting all the hashes with

10.4 Summary

Part 4: Documentation & Delivery (Phase 4)

11 Post-engagement cleanup

11.1 Killing active shell connections

11.2 Deactivating local user accounts

11.2.1 Removing entries from /etc/passwd

11.3 Removing leftover files from the filesystem

11.3.1 Removing Windows registry hive copies

11.3.2 Removing SSH key pairs

11.3.3 Removing ntds.dit copies

11.4 Reversing configuration changes

11.4.1 Disabling MSSQL stored procedures

11.4.2 Disabling anonymous file shares

11.4.3 Removing crontab entries

11.5 Closing backdoors

11.5.1 Undeploying WAR files from Apache Tomcat

11.5.2 Closing the Sticky Keys backdoor

11.5.3 Uninstalling persistent meterpreter callbacks

11.6 Summary

12 Writing a solid pentest deliverable

12.1 Executive summary

12.2 Engagement methodology

12.3 Attack narrative

12.4 Technical observations

12.4.1 Finding recommendations

12.5 Appendices

12.5.1 Severity definitions

12.5.2 Hosts and services

12.5.3 Tools list

12.5.4 Additional references

12.6 Wrapping it up

12.7 Summary


Appendix A: Building a virtual pentest platform

A.1 Create an Ubuntu virtual machine

A.2 Additional operating system dependencies

A.2.1 Managing Ubuntu packages with apt

A.2.2 Installing CrackMapExec

A.2.3 Customizing your terminal look and feel

A.3 Installing nmap

A.3.1 NSE: The nmap scripting engine

A.3.2 Operating system dependencies

A.3.3 Compiling and installing from source

A.3.4 Exploring the documentation

A.4 The Ruby scripting language

A.4.1 Installing Ruby Version Manager

A.4.2 Writing an obligatory Hello World example

A.5 The Metasploit framework

A.5.1 Operating system dependencies

A.5.2 Necessary Ruby gems

A.5.3 Setting up PostgreSQL for Metasploit

A.5.4 Navigating the msfconsole

A.6 Summary

Appendix B: Essential Linux commands

B.1 CLI commands

B.2 tmux

B.2.1 Using tmux commands

B.2.2 Saving a tmux session

Appendix C: Creating the Capsulecorp lab network

C.1 Hardware and software requirements

C.2 Creating The primary Windows servers

C.2.1 Goku.capsulecorp.local

C.2.2 Gohan.capsulecorp.local

C.2.3 Vegeta.capsulecorp.local

C.2.4 Trunks.capsulecorp.local

C.2.5 Nappa.capsulecorp.local and tien.capsulecorp.local

C.2.6 Yamcha.capsulecorp.local and Krillin.capsulecorp.local

C.3 Creating the Linux servers

Appendix D: Capsulecorp Internal Network Penetration Test Report

D.1 Executive summary

D.1.1 Engagement Scope

D.1.2 Summary of Observations

D.2 Engagement methodology

D.2.1 Information gathering

D.2.2 Focused penetration

D.2.3 Post-exploitation & privilege escalation

D.2.4 Documentation & cleanup

D.3 Attack Narrative

D.4 Technical observations

D.4.1 Default credentials found on Apache Tomcat - High

D.4.2 Default credentials found on Jenkins - High

D.4.3 Default credentials found on Microsoft SQL database - High

D.4.4 Missing Microsoft Security Update MS17-010 - High

D.4.5 Shared local administrator account credentials - Medium

D.5 Appendix A. Severity definitions

D.5.1 Critical

D.5.2 High

D.5.3 Medium

D.5.4 Low

D.6 Appendix B. Hosts & Services

D.7 Appendix C. Tools List

D.8 Appendix D. Additional references

Appendix E: Exercise Answers

E.1 Exercise 2.1 Identifying your engagement targets

E.2 Exercise 3.1 Creating protocol-specific target lists

E.3 Exercise 4.1 Identifying missing patches

E.4 Exercise 4.2 Creating a client-specific password list

E.5 Exercise 4.3 Discovering weak passwords

E.6 Exercise 5.1 Deploying a malicious WAR file

E.7 Exercise 6.1 Stealing system and sam revistry hives

E.8 Exercise 7.1 Compromising tien.capsulecorp.local

E.9 Exercise 8.1 Accessing your first level-two host

E.10 Exercise 10.1 Stealing passwords from ntds.dit

E.11 Exercise 11.1 Performing post-engagement cleanup

What's inside

  • Set up a virtual pentest lab using Ubuntu Linux
  • Identify internal weaknesses on compromised systems
  • Exploit network vulnerabilities to compromise Windows and Linux
  • Establish persistent re-entry back into compromised targets
  • Elevate your privileges to become a domain administrator

About the reader

For system administrators, network professionals, beginning pentesters, and security consultants.

About the author

Royce Davis is a security consultant with over a decade of professional experience. He has orchestrated hundreds of penetration tests, helping to secure many of the largest companies in the world.

placing your order...

Don't refresh or navigate away from the page.
Manning Early Access Program (MEAP) Read chapters as they are written, get the finished eBook as soon as it’s ready, and receive the pBook long before it's in bookstores.
print book $29.99 $49.99 pBook + eBook + liveBook
Additional shipping charges may apply
The Art of Network Penetration Testing (print book) added to cart
continue shopping
go to cart

eBook $24.99 $39.99 3 formats + liveBook
The Art of Network Penetration Testing (eBook) added to cart
continue shopping
go to cart

Prices displayed in rupees will be charged in USD when you check out.

FREE domestic shipping on three or more pBooks