At some point, all penetration testers get asked, “Where did you learn all this stuff?” In my experience, the question often comes from clients and students interested in pen testing. Usually, they’re asking because they aren’t sure where to start. There are a number of two- and four-year college programs that can provide a nice structured approach, but generally I think penetration testing is like any other skillset; if you find the right resources, a good direction, and study hard, you’ll acquire the skills you’re looking for. However, I will say that it does help to already have a strong IT background. Regardless of the path taken, it’s nice to have some decent resources along the way. In this blog, I’ve put together a list of books and online training resources that cover topics and skills that I’ve found useful as a penetration tester. Hopefully the list is also useful to those of you interested in getting your feet wet. Have fun and Hack Responsibly!

Recommended Books

Read, read, and read some more. Recommending that people “Read the F***ing Manual” (RTMF) is just as important today as it was 20 years ago. The list below is really directed at specific tasks that most penetration testers have to perform. I’m aware that there are some obvious gaps in the list, but I haven’t found any books that I really love related to privilege escalation, network attacks, AV evasion, or penetration testing as a profession. Regardless, I hope you enjoy the books as much as I have.

  1. Web Application Hacker’s Handbook 2nd Edition
    Every penetration tester should have a copy of this book. It has good coverage on a lot of web application attack methods with an emphasis on Burp Suite, which a very robust local HTTP proxy.
  2. SQL Injection Attack and Defense
    This book is very complimentary to the Web Application Hacker’s Hand Book. It provides a pretty straightforward approach for identifying and exploiting SQL injection flaws on common database platforms. As a side note, I also recommend playing with Burp Suite and SQLMap while learning how to perform SQL injection attacks.
  3. Web Application Obfuscation
    This book is also complimentary to the Web Application Hacker’s Hand Book and SQL Injection Attack and Defense. It provides a decent overview of techniques that can be used to essentially hide your attacks from web application firewalls, intrusion prevention systems, and web application input filters.
  4. Database Hacker’s Handbook
    This is an oldie but a goody. It provides some great coverage on how to attack the common database platforms. This can come in handy if you’re hoping to escalate your privileges on the database level after finding an SQL injection issue.
  5. Managed Code Rootkits
    This book provides manual and automated methods for reverse engineering managed code applications and frameworks. It covers the .NET framework, Java RTE., and Dalvik applications. I thought it was interesting because it has a large focus on actually poisoning the frameworks instead of the application directly. However, it should be noted that this book does not focus on advanced debugging techniques like most reversing books.
  6. A Guide to Kernel Exploitation: Attacking the Core
    Not all penetration testers spend their days developing kernel exploits, but it’s still good to know the basics. This book has a focus on understanding kernel exploits and how they actually expose operating system vulnerabilities. So far, it’s been a good read, but I haven’t finished it yet. Someone also recently recommended The Shellcoder’s Handbook to me. So consider that as well.
  7. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
    I liked this one a lot. It provides a good assembly primer which can come in handy in a lot of ways during a penetration test. It also provides decent coverage in areas that you would expect like static and dynamic malware analysis, file structures, test handlers, packers, and debugging. I’ve also heard that the IDA PRO Book is great if you want to become the reversing master of the universe. However, I don’t actually own it at the moment.
  8. Gray Hat Python
    I really like this book as well. It’s a quick read and it does a good job of describing different debugging, injection, and fuzzing techniques. It also provides a lot of sample code that can be used to perform tasks like hooking and DLL/code injection. I’ve found both techniques to be quite handy for avoiding anti-virus solutions and stealing data protected with encryption.
  9. Windows® Internals, Part 1 / Part 2: Covering Windows Server® 2008 R2 and Windows 7
    I will most likely never finish either of these books in their entirety. However, they do make great references. If you ever need to know anything about how any part of Windows works, these are the go-to books.
  10. Network exploration and security auditing cookbook
    Nmap has become one of the fundamental “tools of the trade” over the past decade or so. In my opinion, it’s as valuable to administrators as it is to attackers. I think that every IT professional should know what Nmap is and how to use it. This book is a great start for someone who has not been exposed to it in the past. It covers everything from basic system discovery to writing your own plugins to scan for vulnerabilities.
  11. MetaSploit: A Penetration Tester’s Guide
    MetaSploit has also become one of the fundamental “tools of the trade” in recent years. There is a lot of community involvement and I think this is a good book for beginners who want to learn more about MetaSploit and some practical use cases.

Free Online Training and Vulnerable VMs

Obviously, there are ton of great blogs, training sites, and vulnerable VMs/application out there. I will not be coving all of them. However, I’ve tried to include online resources that are valuable for beginners and veterans alike.

SecurityTube

SecurityTube is like YouTube, but the videos are dedicated to teaching penetration test skills. Our intern actually recommended this site to me before I knew what it was. Since that time, I’ve been checking every time I start learning a new topic just to see if they have already covered it. I feel the quality of the tutorials is great and obviously recommend it.

Irongeek

It’s not a pretty site, but it provides a lot of good content. It is also known for releasing video presentations from security conferences is record time.

MetaSploit Unleashed

This web site provides a free online course all about MetaSploit. They do ask for donations to fund Hackers for Charity which raises funds for underprivileged children in East Africa. It’s a great site with a great cause – I recommend checking it out.

VulnHub

Reading only gets you so far. Most people in IT are hands on learners so, in order to get your hands dirty, I recommend checking out VulnHub. This is a relatively new site that supplies virtual machines that are designed to be vulnerable. For those of you looking for a quick way to set up a testing lab at home, this may be the most cost/time affective solution.

Bug bounties

If you feel you have the skills, now they can pay the bills.  There are lots of companies willing to pay real money if you find a big issue in their product. Below are  a few sites dedicated to consolidating a list of the companies currently paying “bug bounties”.

Good Google Searches

As I mentioned earlier, I haven’t been able to find books that cover everything I’d like them to. Where books fail, Google usually succeeds. I suggest using it to find good archived presentations from security conferences such as Defcon, Blackhat, Derby con etc. Below I’ve also provided some topics that you might find interesting.

Windows Penetration and Escalation

In my experience, 90% of enterprise environments are Windows-based operating systems that centralized access control around Active Directory Services. Therefore, it’s good to have an understanding of the tools and techniques used to escalate privileges in those environments. Unfortunately, I have yet to find a single book that covers well; below are some basic keywords, vulnerability categories, and tools to get you started.

  • Default passwords
  • Clear text passwords
  • Excessive privileges: Users, services, gui, files, registry, memory
  • Insecure local and remote services
  • Insecure schedule tasks
  • Local and remote exploits
  • Password guessing: medusa, hydra, bruter, and MetaSploit
  • Password and hash dumping: Cain, lsa secrets, credential manager, fgdump, mimikatz, MetaSploit post modules
  • Password hash cracking: john the ripper, hashcat, lophtcrack, masking, Cain
  • Impersonating users: incognito, mimikatz, pass the hash, MetaSploit psexec, shared accounts, smbexec

Linux Penetration and Escalation

Even though Linux and UNIX systems aren’t in the majority on most networks, they still have a role to play and so, naturally, it’s good to understand their soft spots as well. For the most part, Linux has many of the same basic keywords and vulnerability categories as Windows:

  • Default passwords
  • Clear text passwords
  • Excessive privileges: Users, services, gui, files, memory, setuid, orphan files, world writable files, sudoers configurations
  • Insecure local and remote services
  • Insecure schedule tasks
  • Local and remote exploits
  • Password guessing: medusa, hydra, bruter, and MetaSploit
  • Password and hash dumping
  • Password hash cracking: john the ripper, hashcat, masking

Man in the Middle (MITM) Attacks

For some of you, MITM attacks may be a new concept so here is brief description. If a workstation is communicating with a server, and you are routing traffic between them, then you are the MITM. It’s a great position to be in for monitoring and manipulating traffic. There are lots of ways to acquire a MITM position using a range of protocol attacks. To get you started, I’ve provided a list of 10 protocols and tools for attacking systems on a LAN.

  • Address Resolution Protocol (ARP): Cain, ettercap, Intercepter-NG (by Ares), Subterfuge, easycreds
  • NetBIOS Name Service  (NBNS): MetaSploit, Intercepter-NG (by Ares),  and responder
  • Link-local Multicast Name Resolution (LLMNR): MetaSploit, Intercepter-NG (by Ares), and responder
  • Pre-Execution Environment (PXE): MetaSploit
  • Dynamic Trunking Protocol (DTP): Yersinia
  • Spanning-Tree Protocol (STP): Yersinia, ettercap (lamia plugin)
  • Hot Stand-by Router Protocol (HSRP): Yersinia
  • Dynamic Host Configuration Protocol (DHCP): Intercepter-NG (by Ares), MetaSploit, manual setup
  • Domain Name Services (DNS): MetaSploit, ettercap, dsniff, zodiac, ADMIdPack
  • VLAN Tunneling Protocol (VTP): Yersinia, voiphopper, or modprobe+ifconfig

Anti-Virus Evasion

Anti-virus evasion is often a requirement during penetration testing. I personally break down AV evasion approaches into the four buckets below. I provided a list of keywords for each category to get your searches started. I’m also planning to release a few blogs down the line that will provide more options and actual examples.

  • Bypass Weak AV Configurations
    • Uninstall anti-virus, disable services, terminate processes, disabled via the GUI, create an exception policy for all .exe files, or execute from external media.
  • Source Code Manipulation
    • Remove comments, randomize function and variable names, encode or encrypt content, delay execution of malicious code, use alternative functions, or insert superfluous functions that change execution flow.
  • Binary Manipulation
    • Bind with white listed applications, pack or compress, modify strings, modify resources, modify imports table, modify assembly to do things mentioned in source code manipulation. Common packers: upx, iexpress, and mpress.
  • Process Manipulation
    • Inject malicious code or DLLs into local or remote process. Native languages can do it directly or through a managed code framework like .net. Powershell is a popular example that the MetaSploit team (amongst others) has been using a lot lately. Also, process manipulation is commonly done with python code that is converted to a portable executable.