INDEX
293
Next SEH (NSEH), 204, 208–209, 229
nmap, 168, 257–259
    idle scan, 22, 23
    importing results into Metasploit, 21–22
    -Pn flag, nmap, 19
    port scanning with, 18–20, 76
    running from msfconsole, 24–25
    scan, 252
    script options, 64–65
    TCP idle scan, 22–23
No Execute (NX), 67
noncredentialed scan, 43
NOP (no-operation instruction), 111, 204, 209, 216, 219
Notepad, 239–240
notepad.exe, 156
NSEH (Next SEH), 204, 208–209, 229
nslookup, passive information gathering using, 18
NT AUTHORITY\SYSTEM server username, 86
NTLM (NT LAN Manager), 82, 83
NTLMv2 (NT LAN Manager v2), 82
NX (No Execute), 67
O
Offset value, 223
oledlg.dll file, 230
opcodes, 13
Open option, Immunity Debugger, 113
open source intelligence (OSINT), 16
OpenSSH, 28, 259
Open Table option, SQL Server Management Studio Express, 272
open_x11 scanner, 54–55
opt/framework3/msf3/lib/rex/post/meterpreter/ui/console/command_dispatcher/ directory, 242
OSINT (open source intelligence), 16
OS X system
    dumping hashes on, 283
    VMware Player, 268
overt penetration testing, 4, 5
overwrite exploits, for SEH, 226–232
P
packers, 107–108
packetrecorder command, 93
passing password hashes, 84–85
passive information gathering, 16–18
    using Netcraft, 17
    using nslookup, 18
    whois lookups, 16–17
pass-the-hash technique, 84
passwords
    harvesting, 148–150
    hashes for, 82–84
        dumping, 83–84
        extracting, 82–83
        passing, 84–85
pattern_offset.rb file, 203
pay = client.framework.payloads.create(payload) function, 239
payload, 8, 75
payload.encoded function, 224
payload.exe file, 85, 86
.pcap file format, 93
.pde file, 159
PDF file format bug, spear-phishing attack vector, 137
PE (Portable Executable) format, 100
penetration testing, 4–5. See also simulated penetration test
Penetration Testing Execution Standard (PTES), phases of, 2–4
    exploitation, 3
    intelligence gathering, 2
    post exploitation, 3–4
    pre-engagement interactions, 2
    reporting, 4
    threat modeling, 2–3
    vulnerability analysis, 3
pentest/exploits/fasttrack/ directory, 274
pentest/exploits/set/ directory, 136, 274
Perez, Carlos, 235
Perform a Mass Email Attack option, SET main menu, 139
persistence command, 94–95
PID (process ID), 236
PID variable, 238
ping command, 19
pivoting
    with Meterpreter, 89–91
    process of, 25
polymorphic encoding, 103
PolyPack project, 108
POP3 service, 181
POP-POP-RETN sequence of instructions, 204, 206, 208, 226, 229, 230
Portable Executable (PE) format, 100