Book Review: "Advanced Penetration Testing"
"Advanced Penetration Testing: Hacking the World's Most Secure Networks", by Wil Allsopp, is a "next level" penetration testing book. It was written for pentesters who are looking to take their game to that next plateau in terms of social engineering payloads, evading detection, and custom implants. The book takes the stance of "Advanced Persistent Threat" (APT) attack modeling, so that pentesters can conduct better simulations and help organizations prepare for motivated actors. When I was talking to Wil about the book, he made this excellent point as well: "it needed to be written if only to point out the growing gulf between how systems are getting compromised and the way pen tests are currently being performed".
Each chapter introduces a new vertical market to attack, along with a new phishing or initial access technique, usually relying on some form of social engineering or getting a user to execute code. Each chapter also introduces a novel command and control (C2) method, i.e. how the agents or implants call back to the attacker infrastructure, relay data, and receive new instructions. These are great exercises in red teaming, and they give readers all sorts of innovative new ideas to try in their callback channels.
The book sells for roughly $25-$35 on Amazon for about 250 pages, and the content is well worth that. I give the book 8 out of 10 stars for presenting consistently interesting techniques, promoting advanced attacker theory, generally intriguing pentests, and being a good text for taking traditional pentest techniques to the next level. I recommend this book to penetration testers of medium to advanced skill level, essentially if you are already writing your own implants or finding the need to write custom implants to avoid detection. Even if you aren't at that stage in your pentesting, the book is wildly entertaining if you're into penetration testing in general.
Below are the chapters and sections of the book, in my typical fashion, so that you can get a better understanding of the techniques and contents of the book:
Foreword
Introduction
Chapter 1: Medical Records (In)security
An Introduction to Simulating Advanced Persistent Threat
Background and Mission Briefing
Payload Delivery Part 1: Learning How to Use the VBA Macro
How NOT to Stage a VBA Attack
Examining the VBA Code
Avoid Using Shellcode
Automatic Code Execution
Using a VBA/VBS Dual Stager
Keep Code Generic Whenever Possible
Code Obfuscation
Enticing Users
Command and Control Part 1: Basics and Essentials
The Attack
Bypassing Authentication
Summary
Exercises
Chapter 2: Stealing Research
Background and Mission Briefing
Payload Delivery Part 2: Using the Java Applet for Payload Delivery
Java Code Signing for Fun and Profit
Writing a Java Applet Stager
Create a Convincing Pretext
Signing the Stager
Notes on Payload Persistence
Microsoft Windows
Linux
OSX
Command and Control Part 2: Advanced Attack Management
Adding Stealth and Multiple System Management
Implementing a Command Structure
Building a Management Interface
The Attack
Situational Awareness
Using AD to Gather Intelligence
Analyzing AD Output
Attack Against Vulnerable Secondary System
Credential Reuse Against Primary Target System
Summary
Exercises
Chapter 3: Twenty-First Century Heist
What Might Work?
Nothing Is Secure
Organizational Politics
APT Modeling versus Traditional Penetration Testing
Background and Mission Briefing
Command and Control Part III: Advanced Channels and Data Exfiltration
Notes on Intrusion Detection and the Security Operations Center
The SOC Team
How the SOC Works
SOC Reaction Time and Disruption
IDS Evasion
False Positives
Payload Delivery Part III: Physical Media
A Whole New Kind of Social Engineering
Target Location Profiling
Gathering Targets
The Attack
Summary
Exercises
Chapter 4: Pharma Karma
Background and Mission Briefing
Payload Delivery Part IV: Client-Side Exploits 1
The Curse That Is Flash
At Least You Can Live Without It
Memory Corruption Bugs: Dos and Don’ts
Reeling in the Target
Command and Control Part IV: Metasploit Integration
Metasploit Integration Basics
Server Configuration
Black Hats/White Hats
What Have I Said About AV?
Pivoting
The Attack
The Hard Disk Firewall Fail
Metasploit Demonstration
Under the Hood
The Benefits of Admin
Typical Subnet Cloning
Recovering Passwords
Making a Shopping List
Summary
Exercises
Chapter 5: Guns and Ammo
Background and Mission Briefing
Payload Delivery Part V: Simulating a Ransomware Attack
What Is Ransomware?
Why Simulate a Ransomware Attack?
A Model for Ransomware Simulation
Asymmetric Cryptography
Remote Key Generation
Targeting Files
Requesting the Ransom
Maintaining C2
Final Thoughts
Command and Control Part V: Creating a Covert C2 Solution
Introducing the Onion Router
The Torrc File
Configuring a C2 Agent to Use the Tor Network
Bridges
New Strategies in Stealth and Deployment
VBA Redux: Alternative Command-Line Attack Vectors
PowerShell
FTP
Windows Scripting Host (WSH)
BITSadmin
Simple Payload Obfuscation
Alternative Strategies in Antivirus Evasion
The Attack
Gun Design Engineer Answers Your Questions
Identifying the Players
Smart(er) VBA Document Deployment
Email and Saved Passwords
Keyloggers and Cookies
Bringing It All Together
Summary
Exercises
Chapter 6: Criminal Intelligence
Payload Delivery Part VI: Deploying with HTA
Malware Detection
Privilege Escalation in Microsoft Windows
Escalating Privileges with Local Exploits
Exploiting Automated OS Installations
Exploiting the Task Scheduler
Exploiting Vulnerable Services
Hijacking DLLs
Mining the Windows Registry
Command and Control Part VI: The Creeper Box
Creeper Box Specification
Introducing the Raspberry Pi and Its Components
GPIO
Choosing an OS
Configuring Full-Disk Encryption
A Word on Stealth
Configuring Out-of-Band Command and Control Using 3G/4G
Creating a Transparent Bridge
Using a Pi as a Wireless AP to Provision Access by Remote
Keyloggers
The Attack
Spoofing Caller ID and SMS Messages
Summary
Exercises
Chapter 7: War Games
Background and Mission Briefing
Payload Delivery Part VII: USB Shotgun Attack
USB Media
A Little Social Engineering
Command and Control Part VII: Advanced Autonomous Data Exfiltration
What We Mean When We Talk About “Autonomy”
Means of Egress
The Attack
Constructing a Payload to Attack a Classified Network
Stealthy 3G/4G Software Install
Attacking the Target and Deploying the Payload
Efficient “Burst-Rate” Data Exfiltration
Summary
Exercises
Chapter 8: Hack Journalists
Briefing
Advanced Concepts in Social Engineering
Cold Reading
C2 Part VIII: Experimental Concepts in Command and Control
Scenario 1: C2 Server Guided Agent Management
Scenario 2: Semi-Autonomous C2 Agent Management
Payload Delivery Part VIII: Miscellaneous Rich Web Content
Java Web Start
Adobe AIR
A Word on HTML5
The Attack
Summary
Exercises
Chapter 9: Northern Exposure
Overview
Operating Systems
Red Star Desktop 3.0
Red Star Server 3.0
North Korean Public IP Space
The North Korean Telephone System
Approved Mobile Devices
The “Walled Garden”: The Kwangmyong Intranet
Audio and Video Eavesdropping
Summary
Exercises
This book is chock full of fundamental offensive computer security techniques, from the basics of process migration to enumerating Windows domains, hunting specific users, and assuming their privileges. "APT" also dives into tons of custom software stacks, such as the HDF (Hard Disk Firewall) solution, which is legitimately funny to read about. One of my favorite "hacks" is when Wil shows how the custom Raspberry Pi-based pentest drop box (he calls it a Creeper) gathers and exfiltrates data from other short-range wireless keyloggers. It's a pretty epic combo that really weaponizes those physical intercept devices. Other excellent attacks include bypassing two-factor security by pivoting through the browser and existing web sessions, and many more. My only critique is that at times I felt there was some filler content; for example, the short bit on SOC analysts could have been summarized as a footnote or a link to a more in-depth resource (considering readers are expected to be on "advanced" content). I really enjoyed the evolution of phishing payload attack vectors, like document macros and rich HTA applications. In fact, the barrage of creative initial vectors and the various command and control channel implementations alone made this book worth it. There's also a companion site of sorts (Wil's homepage). I encourage you to check this book out; it was both enlightening and entertaining!