Updated: 2021-07-23 17:14:32
Cover
Title Page
Copyright and Credits
Hands-On Penetration Testing on Windows
Dedication
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Bypassing Network Access Control
Technical requirements
Bypassing MAC filtering – considerations for the physical assessor
Configuring a Kali wireless access point to bypass MAC filtering
Design weaknesses – exploiting weak authentication mechanisms
Capturing captive portal authentication conversations in the clear
Layer-2 attacks against the network
Bypassing validation checks
Confirming the Organizationally Unique Identifier
Passive Operating System Fingerprinter
Spoofing the HTTP User-Agent
Breaking out of jail – masquerading the stack
Following the rules spoils the fun – suppressing normal TCP replies
Fabricating the handshake with Scapy and Python
Summary
Questions
Further reading
Sniffing and Spoofing
Advanced Wireshark – going beyond simple captures
Passive wireless analysis
Targeting WLANs with the Aircrack-ng suite
WLAN analysis with Wireshark
Active network analysis with Wireshark
Advanced Ettercap – the man-in-the-middle Swiss Army Knife
Bridged sniffing and the malicious access point
Ettercap filters – fine-tuning your analysis
Killing connections with Ettercap filters
Getting better – spoofing with BetterCAP
ICMP redirection with BetterCAP
Windows Passwords on the Network
Understanding Windows passwords
A crash course on hash algorithms
Password hashing methods in Windows
If it ends with 1404EE then it's easy for me – understanding LM hash flaws
Authenticating over the network – a different game altogether
Capturing Windows passwords on the network
A real-world pen test scenario – the chatty printer
Configuring our SMB listener
Authentication capture
Hash capture with LLMNR/NetBIOS NS spoofing
Let it rip – cracking Windows hashes
The two philosophies of password cracking
John the Ripper cracking with a wordlist
John the Ripper cracking with masking
Reviewing your progress with the show flag
Advanced Network Attacks
Binary injection with BetterCAP proxy modules
The Ruby file injection proxy module – replace_file.rb
Creating the payload and connect-back listener with Metasploit
HTTP downgrading attacks with sslstrip
Removing the need for a certificate – HTTP downgrading
Understanding HSTS bypassing with DNS spoofing
HTTP downgrade attacks with BetterCAP ARP/DNS spoofing
The evil upgrade – attacking software update mechanisms
Exploring ISR Evilgrade
Configuring the payload and upgrade module
Spoofing ARP/DNS and injecting the payload
IPv6 for hackers
IPv6 addressing basics
Local IPv6 reconnaissance and the Neighbor Discovery Protocol
IPv6 man-in-the-middle – attacking your neighbors
Living in an IPv4 world – creating a local 4-to-6 proxy for your tools
Cryptography and the Penetration Tester
Flipping the bit – integrity attacks against CBC algorithms
Block ciphers and modes of operation