Professional Penetration Testing
eBook - ePub

Professional Penetration Testing

Volume 1: Creating and Learning in a Hacking Lab

  1. 528 pages
  2. English

About this book

Professional Penetration Testing: Creating and Operating a Formal Hacking Lab examines all aspects of professional penetration testing, from project management to team building, metrics, risk management, training, reporting, information gathering, vulnerability identification, vulnerability exploitation, privilege escalation, and test-data archival methods. It also discusses how to maintain access and cover one's tracks. It includes two video courses to teach readers fundamental and intermediate information-system penetration testing techniques, and to explain how to create and operate a formal hacking lab.
The book is divided into three parts. Part 1 focuses on the professionals who are members of a penetration test team, the skills required to be an effective team member, and the ways to create a PenTest lab. Part 2 looks at the activities involved in a penetration test and how to run a PenTest to improve the overall security posture of the client. Part 3 discusses the creation of a final report for the client, cleaning up the lab for the next penetration test, and identifying the training needs of penetration-test team members. This book will benefit both experienced and novice penetration test practitioners.
- Find out how to turn hacking and pen testing skills into a professional career
- Understand how to conduct controlled attacks on a network through real-world examples of vulnerable and exploitable servers
- Master project management skills necessary for running a formal penetration test and setting up a professional ethical hacking business
- Discover metrics and reporting methodologies that provide experience crucial to a professional penetration tester

Author: Thomas Wilhelm

CHAPTER 1. Introduction

Introduction

Без умения и сило ни причем. – Russian proverb: “Skill will accomplish what is denied to force.”
(Mertvago, 1995)
There are plenty of books on the market discussing how to use the various “hacker” tools, including some books to which I have contributed chapters. However, professional penetration tests are not all about tools – they require skills beyond simply understanding how to use a tool, including knowledge of project management, understanding and following methodologies, and understanding system and network architecture designs. The primary purpose of this book is to provide the reader an in-depth understanding of all facets of a penetration test, rather than simply discuss which tool to use and when.
The book and the accompanying DVD were written to be used in a variety of different ways. The initial intent is to provide a formal training program on penetration testing. The DVD includes video courses that have been used to teach how to use the current PenTest methodologies and apply those methodologies to a penetration test. In addition, this book can be used in technical courses – in either educational institutions or “boot camp” training events – to provide the readers a way to learn how to use various hacker tools in a controlled and secure manner, through the use of a personal PenTest lab. The final objective of this book is to provide managers an understanding of what engineering activities occur within a professional penetration test, what needs to be reported, how to take metrics, monitor quality, identify risks, and other essential processes, so that management may provide the resources, training, and funding necessary to successfully complete a PenTest.
This book is not meant to be a complete reference to all topics related to penetration testing; rather, it is a guide to conducting professional penetration tests from conception to conclusion. Volumes have been written on each topic discussed within this book, which will require us to expand our knowledge through other sources. To speed up the learning process, hands-on exercises are provided in each chapter, written in a way that will assist in locating authoritative sources and expand the skills of the reader.
Another feature of the DVD is that it includes several server images (in the form of LiveCDs or virtual machine [VM] images) that can be used in a penetration test lab. These LiveCDs are specifically designed to mimic exploitable real-world servers so that we can practice the skills learned within the video courses and the book in a safe and legal manner. Examples in both the book and the videos reference these LiveCDs, and after the readers set up their own penetration test lab, they can follow along, exactly as presented in the material.

About the Book

This book is different from most, in that there are two mediums in which you learn about the topic of penetration testing. The first is the printed material and the second is the accompanying DVD. Read from cover to cover, the printed material provides the reader a systematic way of learning how penetration tests are conducted professionally and what management and engineering skills are needed to successfully complete a PenTest.
The DVD includes two different video courses, which have been used to teach fundamental and intermediate penetration test skills online to students around the world. Even though the DVD could be used independently from the book, the material on the DVD and in the book complement each other, and should be used in tandem. The DVD also contains LiveCD images of servers that can be used as learning platforms so that we can reinforce what we cover in the book or in the videos.

Target Audience

There are three groups of people who can benefit by reading this book and performing the exercises at the end of each chapter:
■ Individuals new to the topic of professional penetration testing
■ Professional penetration testers who want to increase the “capability maturity” of their current PenTest processes
■ Management trying to understand how to conduct a penetration test
For those who are new to professional penetration testing, knowledge of computer systems or network devices should already be in place – the field of penetration testing is not an entry-level position within Information Technology (IT) and prior knowledge of computing systems and the networks that support them is necessary. Although this book will cover topics related to IT, including protocols and system configuration, it is not intended to instruct the readers on the communication mechanisms used in networks. Those who have experience in IT will be able to use personal knowledge throughout this book as a foundation to learn the challenges unique to penetration testing, and how to conduct penetration tests within an organization or for clients.
Those of us who have conducted or participated in a penetration test will understand that tools are not the only thing necessary to successfully complete a PenTest. Methodologies are essential for ensuring that the assessor identifies all vulnerabilities within the client's network. The book and the intermediate video course on the DVD can be used to incorporate methodologies into a PenTest project and provide the reader an understanding of the role of a PenTest engineer within the project as a whole.
Project managers new to penetration test projects are often confronted with dramatically different challenges than those found in other IT projects, such as application and engineering projects. A solid understanding of project management and the challenges posed within the field of PenTesting is essential to successfully conclude a professional penetration test. The book provides information beneficial to project managers who are tasked with overseeing a PenTest and discusses ways to integrate formal project management frameworks with methodologies related to penetration testing.

How to Use This Book

Although the book and the exercises can be used independently, it is intended to be used with the accompanying DVD. The examples within each chapter often use material from the DVD, which can be used by the reader to repeat the examples in a lab. Practice exercises are included at the end of each chapter, which can be used to expand understanding of the chapter's topic.
The chapters of the book are organized into three different sections:
Part 1 covers topics related to setting up a PenTest lab and knowledge essential to the profession of penetration testing, including ethics, methodologies, metrics, and project management. The following chapters are included in Part 1:
■ Ethics and Hacking: Discusses ethics and laws specific to penetration testing
■ Hacking as a Career: Identifies career paths, certifications, and information on security organizations that can assist in career development
■ Setting Up Your Lab: Designs a corporate or private penetration test lab
■ Creating and Using PenTest Targets in Your Lab: Uses turnkey scenarios and real-world targets in the penetration test lab
■ Methodologies: Examines the different methodologies available for professional penetration test projects
■ PenTest Metrics: Identifies the different methods of applying metrics to vulnerabilities found in a penetration test project
■ Management of a PenTest: Explains team members, roles, and organizational structures that influence the success of a penetration test
Part 2 discusses the actual penetration test and walks the reader through the different steps used to examine target systems and networks for vulnerabilities and exploits using a peer-reviewed methodology.
■ Information Gathering: Collects information on a target system
■ Vulnerability Identification: Examines target systems for possible vulnerabilities
■ Vulnerability Verification: Attempts to exploit discovered vulnerabilities
■ Compromising a System and Privilege Escalation: Finds ways to “own” the system
■ Maintaining Access: Discusses how to stay on the exploited system
■ Covering Your Tracks: Manipulates the system to remain undetected
Part 3 wraps up the PenTest project by discussing reporting, data archival, and preparing for the next penetration test.
■ Reporting Results: Writes a report and verifies the facts
■ Archiving Data: Saves penetration test data
■ Cleaning Up Your Lab: Saves configuration and data from the lab
■ Planning for Your Next PenTest: Identifies training needs and obtains resources
Each chapter includes information for both engineers and project managers. The addition of project management topics within a book on penetration testing provides engineers a better understanding of the engineer's role within the project. It also provides the project manager a view of what tasks the project engineers must perform to successfully complete the project on time and under budget.
For those individuals just starting out in the world of penetration testing, the way to get the most out of this book and DVD is to start by reading Part 1 of the book. After that, view the fundamental course videos on the DVD while working through Part 2 of the book. The final section of the book, Part 3, provides some insight into additional topics on professional penetration testing, but can be saved until the fundamentals are well understood and the readers are ready to advance their skills.
Engineers who have experience in penetration testing should review material in Part 1 of this book as a refresher. Chapter 6, Methodologies, should be read carefully because understanding methodologies is critical in t...

Table of contents

  1. Cover Image
  2. Table of Contents
  3. Copyright
  4. About the Author
  5. Acknowledgments
  6. Foreword
  7. Setting Up
  8. CHAPTER 1. Introduction
  9. CHAPTER 2. Ethics and Hacking
  10. CHAPTER 3. Hacking as a Career
  11. CHAPTER 4. Setting Up Your Lab
  12. CHAPTER 5. Creating and Using PenTest Targets in Your Lab
  13. CHAPTER 6. Methodologies
  14. CHAPTER 7. PenTest Metrics
  15. CHAPTER 8. Management of a PenTest
  16. Running a PenTest
  17. CHAPTER 9. Information Gathering
  18. CHAPTER 10. Vulnerability Identification
  19. CHAPTER 11. Vulnerability Verification
  20. CHAPTER 12. Compromising a System and Privilege Escalation
  21. CHAPTER 13. Maintaining Access
  22. CHAPTER 14. Covering Your Tracks
  23. Wrapping Everything Up
  24. CHAPTER 15. Reporting Results
  25. CHAPTER 16. Archiving Data
  26. CHAPTER 17. Cleaning Up Your Lab
  27. CHAPTER 18. Planning for Your Next PenTest
  28. Appendix A. Acronyms
  29. Appendix B. Definitions
  30. Index