INDEX

293

Next SEH (NSEH), 204, 208–209, 229
nmap, 168, 257–259
  idle scan, 22, 23
  importing results into Metasploit, 21–22
  -Pn flag, nmap, 19
  port scanning with, 18–20, 76
  running from msfconsole, 24–25
  scan, 252
  script options, 64–65
  TCP idle scan, 22–23
No Execute (NX), 67
noncredentialed scan, 43
NOP (no-operation instruction), 111, 204, 209, 216, 219
Notepad, 239–240
notepad.exe, 156
NSEH (Next SEH), 204, 208–209, 229
nslookup, passive information gathering using, 18
NT AUTHORITY\SYSTEM server username, 86
NTLM (NT LAN Manager), 82, 83
NTLMv2 (NT LAN Manager v2), 82
NX (No Execute), 67

O

Offset value, 223
oledlg.dll file, 230
opcodes, 13
Open option, Immunity Debugger, 113
open source intelligence (OSINT), 16
OpenSSH, 28, 259
Open Table option, SQL Server Management Studio Express, 272
open_x11 scanner, 54–55
opt/framework3/msf3/lib/rex/post/meterpreter/ui/console/command_dispatcher/ directory, 242
OSINT (open source intelligence), 16
OS X system
  dumping hashes on, 283
  VMware Player, 268
overt penetration testing, 4, 5
overwrite exploits, for SEH, 226–232

P

packers, 107–108
packetrecorder command, 93
passing password hashes, 84–85
passive information gathering, 16–18
  using Netcraft, 17
  using nslookup, 18
  whois lookups, 16–17
pass-the-hash technique, 84
passwords
  harvesting, 148–150
  hashes for, 82–84
    dumping, 83–84
    extracting, 82–83
    passing, 84–85
pattern_offset.rb file, 203
pay = client.framework.payloads.create(payload) function, 239
payload, 8, 75
payload.encoded function, 224
payload.exe file, 85, 86
.pcap file format, 93
.pde file, 159
PDF file format bug, spear-phishing attack vector, 137
PE (Portable Executable) format, 100
penetration testing, 4–5. See also simulated penetration test
Penetration Testing Execution Standard (PTES), phases of, 2–4
  exploitation, 3
  intelligence gathering, 2
  post exploitation, 3–4
  pre-engagement interactions, 2
  reporting, 4
  threat modeling, 2–3
  vulnerability analysis, 3
pentest/exploits/fasttrack/ directory, 274
pentest/exploits/set/ directory, 136, 274
Perez, Carlos, 235
Perform a Mass Email Attack option, SET main menu, 139
persistence command, 94–95
PID (process ID), 236
PID variable, 238
ping command, 19
pivoting
  with Meterpreter, 89–91
  process of, 25
polymorphic encoding, 103
PolyPack project, 108
POP3 service, 181
POP-POP-RETN sequence of instructions, 204, 206, 208, 226, 229, 230
Portable Executable (PE) format, 100