The Hacker Playbook 3 PDF

Peter Kim

Scan to Download
 The Hacker Playbook 3
Elevate Your Offensive Skills with Real-World
Hacking Strategies.
Written by Bookey
Check more about The Hacker Playbook 3 Summary
Listen The Hacker Playbook 3 Audiobook

Scan to Download
About the book
Return to the thrilling world of cybersecurity with *The
Hacker Playbook 3: Red Team Edition*, where you’ll elevate
your offensive skills to a professional level. This
comprehensive guide equips you with cutting-edge strategies,
techniques, and insights into why security measures often fall
short, leading to significant breaches in major organizations
and government entities. Explore the concept of Red Teams,
which simulate advanced attack scenarios to rigorously test
your organization's defenses and incident response
capabilities. With a focus on real-world tactics, this hands-on
book covers initial entry points, exploitation, custom malware,
persistence, and lateral movement—all aimed at ensuring you
remain undetected. Packed with lab exercises, virtual
machines, and exclusive tools, *The Hacker Playbook 3*
invites you to dive into the action and refine your skills for a
more robust security posture. Prepare to immerse yourself in
the art of breaking barriers and enhancing defenses.

Scan to Download
About the author
Peter Kim is a renowned cybersecurity expert and practitioner
with extensive experience in offensive security and penetration
testing. With a background that blends both technical expertise
and real-world application, he has worked with numerous
organizations to enhance their security postures. As the author
of "The Hacker Playbook 3," Kim synthesizes his deep
knowledge and practical insights into the art of hacking,
offering readers a comprehensive guide to understanding and
executing effective penetration testing methodologies. His
contributions to the cybersecurity community emphasize not
just the techniques of hacking, but also the ethical
considerations and strategic thinking necessary for any
aspiring security professional.

Scan to Download
Summary Content List
Chapter 1 : Notes and Disclaimer

Chapter 2 : Penetration Testing Teams vs Red Teams

Chapter 3 : Setting Up Your Campaign

Chapter 4 : Setting Up Your External Servers

Chapter 5 : Tools of the Trade

Chapter 6 : Monitoring an Environment

Chapter 7 : Bug Bounty Programs:

Chapter 8 : Web Attacks Introduction - Cyber Space Kittens

Chapter 9 : Cyber Space Kittens: Chat Support Systems

Chapter 10 : Finding Credentials from Outside the Network

Chapter 11 : Moving Through the Network

Chapter 12 : On the Network with No Credentials

Chapter 13 : After Compromising Your Initial Host

Chapter 14 : Privilege Escalation

Chapter 15 : Living Off of the Land in a Windows Domain

Environment

Scan to Download
Chapter 16 : Dumping the Domain Controller Hashes

Chapter 17 : Lateral Movement via RDP over the VPS

Chapter 18 : Privilege Escalation

Chapter 19 : Linux Lateral Movement Lab

Chapter 20 : Building Your Social Engineering (SE)

Campaigns

Chapter 21 : Phishing

Chapter 22 : Exploiting Internal Jenkins with Social

Engineering

Chapter 23 : Conclusion

Chapter 24 : Card Reader Cloners

Chapter 25 : Physical Tools to Bypass Access Points

Chapter 26 : Bash Bunny

Chapter 27 : The Basics Building a Keylogger

Chapter 28 : THP Custom Droppers

Chapter 29 : Recompiling Metasploit/Meterpreter to Bypass

AV and Network Detection

Scan to Download
Chapter 30 : SharpShooter

Chapter 31 : Application Whitelisting Bypass

Chapter 32 : Code Caves

Chapter 33 : PowerShell Obfuscation

Chapter 34 : HideMyPS

Chapter 35 : Automation

Chapter 36 : Password Cracking

Chapter 37 : Gotta Crack Em All - Quickly Cracking as

Many as You Can

Chapter 38 : Creative Campaigns

Chapter 39 : Windows Download File from Internet

Command Line

Chapter 40 : Retrieving NTLM Hashes without Touching

LSASS

Scan to Download
 Chapter 1 Summary : Notes and
Disclaimer

Section Key Points

Confidence and Technical Ability in Red

Teaming - Combines technical skills with confidence.
- Social engineering tasks challenge comfort zones.
- Embracing challenges is essential (David Letterman's perspective on
fear).

Legal and Ethical Considerations

- Avoid unauthorized vulnerability or exploit seeking.
- Mandatory approval needed for attacks discussed.
- Curiosity can result in serious legal consequences without consent.

Learning and Legal Hacking Opportunities

- Engage with bug bounty programs and vulnerable platforms.
- Distinction between legitimate research and illegal activity; seek
permission.
- Many legal hacking opportunities exist for skill enhancement.

Author's Expertise and Community

Engagement - Acknowledges limitations in expertise across technical domains.
- Updates on technology/tools will be shared on Hacker Playbook
Updates webpage.
- Emphasis on community contribution and recognizing peers’ original
work.

Scan to Download
Summary of Chapter 1 from "The Hacker Playbook
3"

Confidence and Technical Ability in Red Teaming

- Being part of a Red Team combines technical skills with

confidence.
- Social engineering tasks often push individuals beyond
their comfort zones.
- Embracing challenges with confidence is crucial, as
highlighted by David Letterman's perspective on fear.

Legal and Ethical Considerations

- Avoid seeking vulnerabilities or exploits on unauthorized

systems.
- Proper approval is mandatory before conducting any of the
attacks discussed in the book.
- Curiosity can lead to serious legal consequences if actions
are taken without consent.

Learning and Legal Hacking Opportunities

Scan to Download
- Engage with bug bounty programs and vulnerable platforms
to enhance hacking skills legally.
- There is a fine line between legitimate research and illegal
activity; always seek permission before testing systems.
- Numerous legal hacking opportunities exist for further
education and skill development.

Author's Expertise and Community Engagement

- The author acknowledges limitations in expertise across

various technical domains.
- Corrections and updates regarding technology or tools will
be made available on the Hacker Playbook Updates webpage.
- Emphasis on community contribution, with a commitment
to recognizing the original work of peers.

Scan to Download
Example
Key Point:Embrace Confidence in Social
Engineering Challenges
Example:Picture yourself walking into a high-stakes
negotiation where you must convincingly persuade
others to believe your fabricated story. This scenario
exemplifies the necessity of balancing your technical
expertise with unshakeable confidence. By tackling
uncomfortable social engineering tasks head-on, you
learn to navigate fear and uncertainty, much like the
comedian David Letterman advises. When you face
challenges with a steady mindset, you not only fortify
your skills but also enhance your effectiveness as a Red
Team member, pushing the boundaries of your abilities.

Scan to Download
Critical Thinking
Key Point:Confidence and Technical Ability in Red
Teaming
Critical Interpretation:While Peter Kim asserts that
confidence is essential for success in Red Team tactics,
it's important to recognize that overconfidence can lead
to mistakes, especially in high-pressure scenarios where
technical skills are paramount. Confidence does not
inherently equate to capability; hence, a misalignment
could result in dire consequences, questioning whether
simply pushing beyond comfort zones is universally
beneficial. Critics might argue that cultivating a
balanced approach, combining methodical skill-building
with confidence, is necessary to mitigate risks. Sources
such as 'The Psychology of Confidence' by Robert Diltz
may offer alternative viewpoints on the role of
confidence in performance under stress.

Scan to Download
 Chapter 2 Summary : Penetration
Testing Teams vs Red Teams

Section Summary

Introduction to The chapter introduces Cyber Space Kittens (CSK) and their security operations center and policies aimed
Cyber Space at assessing defenses against threats.
Kittens

The Mission The task involves a Red Team assessment to evaluate CSK's security, focusing on vulnerability
identification, exploitation, and defense detection through methods like reconnaissance and social
engineering.

Penetration The author differentiates Penetration Testing (structured, well-defined, short duration, focuses on
Testing vs. Red vulnerabilities) from Red Teaming (unannounced, longer duration, simulates real attacks, identifies
Teaming security program gaps).

Key Focus Red Teams prioritize minimizing detection in internal networks and focus on process, policy, and skills
Areas for Red gaps rather than just discovering vulnerabilities.
Teams

Metrics of Critical metrics discussed include Time To Detect (TTD) and Time To Mitigate (TTM), emphasizing the
Success duration from incident occurrence to detection and mitigation, respectively.

Overall The chapter stresses the vital role of Red Teams in improving security postures and preparing
Summary organizations for cyber threats through realistic simulations.

Summary of Chapter 2: Red Team Assessments in

Cyber Space Kittens

Scan to Download
Introduction to Cyber Space Kittens

The chapter begins by introducing a new engagement with

Cyber Space Kittens (CSK), which emerged from lessons
learned in previous security assessments. CSK has
established a local security operations center and developed
security policies to assess their defenses against internal and
external threats.

The Mission

You are tasked with conducting a Red Team assessment to

evaluate CSK's security posture. This includes identifying
vulnerabilities, utilizing the latest exploits, and determining
if their defensive teams can effectively detect or stop
breaches. The mission will involve thorough reconnaissance,
social engineering, privilege escalation, and lateral
movement within the network.

Penetration Testing vs. Red Teaming

The author distinguishes between Penetration Testing, which

Scan to Download
is a structured and methodical assessment of a system, and
Red Teaming, which simulates the tactics of real-world
adversaries.
-
Penetration Testing:

- Methodical and well-defined process.

- Lasts 1-2 weeks and is generally announced.
- Focuses on finding and exploiting vulnerabilities to create
actionable reports.
-
Red Teaming:

- Emulates real-world attack scenarios and tactics.

- Campaigns may last from 2 weeks to 6 months and are
often unannounced.
- Focuses on identifying gaps in a security program,
employee skills, and overall security posture rather than
merely listing vulnerabilities.

Key Focus Areas for Red Teams

Red Teams operate with different rules and timelines

compared to penetration tests:

Scan to Download
- They avoid vulnerability scans in internal networks to
minimize detection.
- Their outcomes emphasize gaps in processes, policies, and
skills rather than just vulnerabilities.

Metrics of Success

The chapter highlights the importance of metrics such as

Time To Detect (TTD) and Time To Mitigate (TTM). TTD
represents the duration between the occurrence of an incident
and its detection, while TTM reflects the time taken to
mitigate the threat after detection.
In summary, the chapter elaborates on the critical role of Red
Teams in enhancing security postures and preparing
organizations for potential cyber threats through real-world
simulations.

Scan to Download
 Chapter 3 Summary : Setting Up Your
Campaign
Section Summary

Assumed Organizations should operate under the assumption of a breach. Red Team campaigns focus on detection and
Breach mitigation rather than just finding vulnerabilities. Assumed breach exercises assess an organization's ability to
Exercises identify and counteract further cyber threats using custom malware payloads.

Setting Successful Red Team campaigns require careful planning and a broad scope, contrasting with typical penetration
Up Your tests. Objectives may include evaluating APT detection capabilities and addressing specific organizational
Campaign security needs.

Assumed Breach Exercises

Companies today must operate under the assumption that a

breach has already occurred. Many mistakenly believe that
passing penetration tests ensures their security. Instead, a
mindset of constant vigilance and anomaly detection is
essential. This is where Red Team campaigns differ
significantly from traditional penetration tests, as they focus
on detection and mitigation rather than merely identifying
vulnerabilities.
One valuable assessment method is the assumed breach
exercise. The premise here is that vulnerabilities, such as
0-days, will always exist. The goal is to determine whether
the client can identify and mitigate secondary and tertiary
cyber threats. In these instances, Red Teams collaborate with

Scan to Download
a small group within the organization to deploy a custom
malware payload on a server. This payload aims to connect
out in various ways, evade common antivirus programs, and
facilitate execution of further payloads from memory.

Setting Up Your Campaign

A key aspect of running a successful Red Team campaign

involves thorough planning and scoping before attempting to
compromise systems. Unlike standard penetration tests,
which often focus narrowly on a single target, Red Team
campaigns begin with several overarching objectives. These
objectives might include identifying Advanced Persistent
Threat (APT) detection capabilities or achieving specific
goals relevant to the organization’s security posture.

Scan to Download
Example
Key Point:Always assume you've been compromised
to improve security posture.
Example:Imagine you’re the security officer in charge,
tasked with protecting your organization’s sensitive
data. As you conduct an assumed breach exercise, you
simulate an attack on your systems, introducing a
custom malware payload that quietly infiltrates your
network. You and your team must then race against time
to identify this intrusion, assess its impact, and execute
measures to neutralize the threat. This exercise shifts
your focus from mere vulnerability testing to actively
searching for real-time anomalies, tailoring your
defenses to resist future attacks, and fostering a
proactive security culture within your organization.

Scan to Download
 Chapter 4 Summary : Setting Up Your
External Servers
Section Summary

Introduction to Understanding server setups is essential for purposes like data retrieval and metrics. Techniques
Campaign Goals should be identified with reference to the MITRE ATT&CK Matrix.

Client Tools and Consider clients' preferred assessment tools (COTS or custom). Detection during assessments reflects
Assessment the strength of client defenses.

External Server Utilize affordable VPS options like Digital Ocean or AWS Lightsail; AWS Lightsail is recommended
Setup for its ease of use and compliance with service terms.

Creating and Instances should have at least 1 GB RAM, use Ubuntu OS, and automate tool installations using
Configuring scripts, including TrustedSec's PenTesters Framework.
Instances

Installation Guide Offer a quick setup process for penetration testing tools, focusing on system updates and PTF
installation for efficient exploitation and analysis.

Conclusion After setup, Metasploit can be launched easily for immediate testing in environments.

Chapter 4 Summary: Setting Up Your External

Servers

Introduction to Campaign Goals

- Understanding the purpose of server setups is crucial: Are

they for data retrieval, TTD metrics, or replicating public
campaigns?
- Identify the techniques to be used, referencing the MITRE
ATT&CK Matrix for details on specific tactics.

Scan to Download
Client Tools and Assessment

- Consider the tools preferred by clients, whether they are

commercial off-the-shelf (COTS) tools like Metasploit or
custom options.
- Emphasize that being detected during assessments
demonstrates the effectiveness (or lack thereof) of client
defenses.

External Server Setup

- Utilize affordable Virtual Private Servers (VPS) such as

Digital Ocean or AWS Lightsail for hosting attacker
machines.
- Focus on AWS Lightsail for ease of setup, automation, and
traffic volume advantages.
- Ensure compliance with VPS provider terms of service.

Creating and Configuring Instances

- Recommend a minimum of 1 GB RAM for server

instances.
- Use Ubuntu as the operating system, ensuring all necessary

Scan to Download
tools are installed efficiently with the help of automation
scripts.
- Introduction of TrustedSec's PenTesters Framework (PTF)
to streamline the installation of essential tools.

Installation Guide

- Provide a quick setup process for various penetration

testing tools, outlining commands for updating the system
and installing PTF.
- Highlight the capability to manage a wide array of
exploitation, intelligence gathering, post-exploitation, and
vulnerability analysis tools through a simplified approach.

Conclusion

- Upon successful setup, launching Metasploit is

straightforward, allowing for immediate use in testing
environments.

Scan to Download
 Chapter 5 Summary : Tools of the Trade
Section Summary

Chapter 5 Summary This chapter emphasizes creating a secure and structured environment for Red Team operations
using various advanced tools and techniques while ensuring operational security.

Setting Up Your Implement strong IPTables rules to protect the attacker server, secure against vulnerabilities, and use
Environment AWS Docker or Lightsail for scalability and quick redeployment.

Tools of the Trade This section introduces essential Red Team tools focused on replicating real-world attacks to test
organizational defenses.

Metasploit Framework Metasploit is a leading penetration testing tool, valued for community support and capability to
exploit vulnerabilities and create payloads.

Obfuscating Techniques for obfuscating payloads and using PowerShell to evade detection by AV software, with
Meterpreter Payloads a focus on implementing signed SSL/TLS certificates.

Cobalt Strike Useful for post-exploitation and stealth actions within networks, utilizing redirectors and Domain
Fronting to avoid detection.

Aggressor Scripts Scripting tools to automate tasks and improve efficiency in Red Team operations.

PowerShell Empire A powerful post-exploitation tool with secure communication and flexibility, requiring proper
configuration for stealth.

Dnscat2 Facilitates command-and-control communication over DNS for evasion, necessitating an

authoritative DNS server setup.

Shell Tunneling and Explains methods for tunneling and command execution via Dnscat2 for accessing internal networks
Command Execution remotely.

Other Tools Mentioned Alternative tools like P0wnedShell, Pupy, PoshC2, and Merlin provide diverse functionalities across
various platforms.

Chapter 5 Summary

Setting Up Your Environment

- Strong IPTables rules are crucial to protect your attacker

server by limiting SSH authentication sources and payload

Scan to Download
initiations.
- Be aware of vulnerabilities found in tools like Cobalt Strike
and ensure your servers are secure against unauthorized
access.
- Use AWS Docker environments or Lightsail for efficient,
scalable setups and take snapshots for quick redeployment.

Tools of the Trade

- The chapter introduces essential Red Team tools

emphasizing the importance of replicating real-world attacks
for testing an organization’s defenses.

Metasploit Framework

- Metasploit remains a leading tool for penetration testing,

leveraging community support for continuous updates.
- It can be employed to exploit vulnerabilities and create
attack payloads.

Obfuscating Meterpreter Payloads

- For social engineering attacks, leverage techniques to

obfuscate payloads and use PowerShell commands to

Scan to Download
minimize detection by AV software.
- Implement signed SSL/TLS certificates for improved
communication security.

Cobalt Strike

- Cobalt Strike is favored for post-exploitation actions, lateral

movement, and stealth within networks.
- It offers redirectors and Domain Fronting techniques to
avoid detection by utilizing high-reputation domains.
- Supports SMB Beacons to communicate internally while
remaining hidden.

Aggressor Scripts

- Employ scripted automation tools to improve operational

efficiency during Red Team operations.

PowerShell Empire

- Empire is highlighted as a powerful post-exploitation tool

with secure communications and a flexible architecture
focused on PowerShell and Python capabilities.
- Proper configuration is critical to maintaining stealth during

Scan to Download
operations.

Dnscat2

- Dnscat2 enables command-and-control communication

over DNS, providing a method for evasion within restricted
environments.
- It requires setting up an authoritative DNS server and
compiling the client for effective operation.

Shell Tunneling and Command Execution

- Dnscat2 supports tunneling through compromised systems

for internal network access.
- The chapter covers command execution methods and shell
interaction via Dnscat2, allowing for remote actions on
targets.

Other Tools Mentioned

- P0wnedShell, Pupy, PoshC2, and Merlin are noted as

alternative tools, each providing distinct functionalities and
support for various platforms and techniques.
This chapter emphasizes the importance of a structured and

Scan to Download
secure environment for executing Red Team operations,
leveraging a variety of advanced tools and techniques while
maintaining operational security.

Scan to Download
Example
Key Point:The importance of establishing secure
environments for Red Team operations.
Example:Imagine you're configuring your attacker's
server, carefully implementing IPTables rules to only
allow SSH access from specific locations. You
methodically set up your environment, knowing that
even the slightest mistake could lead to unauthorized
access, compromising your entire operation. As you
deploy tools like Metasploit and Cobalt Strike, you
ensure each is properly secured against known
vulnerabilities, reflecting on how the integrity of your
Red Team efforts relies on this foundational security.
You practice replicating real-world threats, all while
maintaining stealth, illustrating the critical need for a
secure approach in your cybersecurity maneuvers.

Scan to Download
 Chapter 6 Summary : Monitoring an
Environment
Section Summary

Overview of Tools and This section discusses reconnaissance tools like Recon-NG, Discover, Spiderfoot, Gitrob, and
Techniques others for target intelligence gathering.

Monitoring an Environment Emphasizes constant vigilance in Red Team operations to identify services and vulnerabilities
in a target environment.

Regular Nmap Diffing Introduces daily Nmap scans via monitoring scripts to detect changes in the target network.

Web Application Highlights tools like HTTPScreenshot and Eyewitness for capturing web layouts and
Monitoring screenshots of detected servers.

Cloud Scanning Focuses on misconfigurations in cloud services and using tools like Shodan and Censys for
real-time environment monitoring.

Network/Service Search Describes using Shodan and Censys for passive information gathering on potential targets
Engines without detection.

Subdomain Discovery Discusses tools like Discover Scripts and Sublist3r for identifying subdomains that may
represent attack surfaces.

Github Reconnaissance Explores the use of tools like Truffle Hog to find sensitive data exposed in public GitHub
repositories.

Cloud Security Risks Identifies common vulnerabilities like misconfigured S3 buckets and tools like Slurp for risk
detection.

Collecting Email Addresses Highlights the importance of gathering employee email addresses for social engineering, using
for Attacks tools like SimplyEmail.

Past Breaches Emphasizes analyzing past data breaches for insights into valid email addresses and potential
targets.

Chapter 6 Summary: Expanding Reconnaissance for

Red Teams

Overview of Tools and Techniques

Scan to Download
In this chapter, the focus continues on implementing
reconnaissance tools and techniques from a Red Team
perspective. The tools mentioned include Recon-NG,
Discover, Spiderfoot, Gitrob, Masscan, Sparta, HTTP
Screenshot, Vulnerability Scanners, Burp Suite, and others.
These are employed for scanning and gathering intelligence
on a target's infrastructure.

Monitoring an Environment

Red Team operations require constant vigilance to identify

attack opportunities. Tools are utilized to scan environments
for services and vulnerabilities, helping to gather more
information quickly about a target.

Regular Nmap Diffing

Setting up monitoring scripts for daily Nmap scans allows

for identifying changes in a target network. A basic bash
script is recommended to automate this process and notify
Install
teams of newBookey
findings.App to Unlock Full Text and
Audio
Web Application Monitoring

Scan to Download
 Chapter 7 Summary : Bug Bounty
Programs:
Section Summary

Web Significant increase in critical web attacks over recent years, highlighting breaches like Apache Struts 2,
Application Panera Bread, and Uber. Attack methods vary yearly across different OSI model layers, showing a cyclical
Attacks pattern in security breaches.
Overview

Historical Early 2000s saw SQL injection and remote file inclusion as common exploits. As defenses improved,
Context of attackers shifted to social engineering and phishing. Recently, attention has reverted to application-level
Web exploits due to increasing application and API complexities.
Vulnerabilities

Focus of the The book focuses on real-world vulnerabilities that Red Teamers face, rather than exhaustive lists of web
Book vulnerabilities or deep exploitation methodologies, concentrating on critical vulnerabilities affecting
sensitive information.

Bug Bounty Bug bounty programs serve as a valuable tool for continuous learning. They provide practical experience on
Programs live systems, although consistent bug discovery may take 3-6 months. Popular platforms include
HackerOne, BugCrowd, and SynAck, with varying reward potentials.

Getting Started Beginners should start with No-Reward Bug Bounty Programs or established programs like Yahoo, which
with Bug have broad scopes. Understanding program guidelines and permissible actions is essential for effective bug
Bounty hunting participation.
Hunting

Reporting It is vital to report vulnerabilities to companies with detailed information, including type, severity,
Vulnerabilities exploitation steps, and supporting evidence. Resources to facilitate consistent reporting are beneficial.

Web Application Attacks Overview

Over recent years, critical externally-facing web attacks have

increased significantly, including notable breaches involving
Apache Struts 2, Panera Bread, and Uber. The trend indicates
ongoing severe breaches from public internet-facing
endpoints, reflecting a cyclical pattern in the security
industry. Attack methods often shift in focus each year across

Scan to Download
different layers of the OSI model.

Historical Context of Web Vulnerabilities

In the early 2000s, common exploits included SQL injection

(SQLi) and remote file inclusion (RFI). As organizations
began to enhance their external defenses and perform
penetration tests, attackers turned to Layer 8 tactics, such as
social engineering and phishing, as primary entry points.
However, with advancements in internal security, attention is
moving back to application-level exploits. The growing
complexity of applications and APIs has reopened both old
and new vulnerabilities.

Focus of the Book

This book emphasizes real-world vulnerabilities that Red

Teamers encounter without providing exhaustive lists of web
vulnerabilities or detailed exploitation methodologies. It
targets critical vulnerabilities that lead to the compromise of
sensitive information.

Bug Bounty Programs

Scan to Download
Bug bounty programs are an effective avenue for continuous
learning post-training. Engaging with real, live systems
fosters practical experience, although it often takes 3-6
months to find bugs consistently. Resources like HackerOne,
BugCrowd, and SynAck are popular platforms for these
programs, with potential rewards varying significantly.

Getting Started with Bug Bounty Hunting

To bolster bug hunting skills, beginners should consider

starting with No-Reward Bug Bounty Programs or larger,
older programs like Yahoo, which tend to have extensive
scopes and legacy systems. Bug bounty programs often
outline specific guidelines regarding permissible actions,
highlighting the importance of understanding these rules for
effective participation.

Reporting Vulnerabilities

Reporting found vulnerabilities to companies is crucial,

emphasizing the provision of detailed information such as the
type and severity of the vulnerability, steps taken to exploit
it, and any supporting evidence like screenshots or proof of
concept. Resources for generating consistent reports can
assist in this process.

Scan to Download
Example
Key Point:Understanding OSI Model Layers is Key
to Identifying Vulnerabilities
Example:As you navigate your own online activities,
imagine trying to assess a web application for potential
security flaws. You might start at the application layer,
identifying user inputs vulnerable to SQL injection
attacks, before looking deeper into how data flows
through the transport layer, ensuring sensitive
information isn’t exposed. Recognizing the cyclical
nature of vulnerabilities means being prepared for shifts
in attack tactics every year, prompting you to constantly
update your skills and learn from past breaches, like
those impacting Panera Bread or Uber. Embrace the
challenge of understanding each layer of the OSI model,
as it will equip you to think like an attacker and fortify
your defenses against evolving threats.

Scan to Download
Chapter 8 Summary : Web Attacks
Introduction - Cyber Space Kittens

Summary of Chapter 8: Web Attacks Introduction

in The Hacker Playbook 3

Exploiting Vulnerabilities and Bug Bounty

Programs

Research into vulnerabilities can have serious consequences

if researchers exceed the limits of ethical testing. Examples
of this include excessive data dumping, page defacement, or
unauthorized lateral movement within systems. Adhering
strictly to the scope of bug bounty programs is crucial, and if
an action feels illegal, it likely is.

Web Application Exploitation Overview

Following reconnaissance, if standard targets do not present

themselves, one might explore less common applications,
like a Customer Support System. A virtual machine (VM) is

Scan to Download
provided to practice these labs. Users can set up by
downloading a specific THP VM, accessing commands, and
configuring their attacker Kali system to target a vulnerable
application.

Advanced Web Application Attacks

The content shifts focus from basic attacks to those used in

real-world scenarios, omitting extensive technical details but
emphasizing the need for practical understanding. Key
resources, such as OWASP, are recommended for
understanding security vulnerabilities, particularly the
OWASP Top 10.

Chat Support System Lab

The lab will highlight a custom Chat Support System, which

is designed to expose both new and traditional
vulnerabilities. The application, built on Node.js—an
increasingly popular platform for web
applications—necessitates an understanding of its security
implications. Node.js facilitates running JavaScript outside
the browser and features a large package ecosystem (NPM)
that presents unique vulnerabilities.

Scan to Download
Importance of Node.js in Penetration Testing

As Node.js continues to grow, penetration testers must be

aware of its potential weaknesses, including risks associated
with weak NPM credentials that can lead to broader
vulnerabilities. The chapter encourages a hands-on approach
to learning about Node.js security, employing frameworks
like Express and Pug for practical application development.

Conclusion

The chapter serves as a wake-up call for ethical hacking

within bug bounty programs and underscores the importance
of understanding advanced techniques in web application
security, especially with burgeoning technologies like
Node.js. It leans on practical exercises and foundational
knowledge, paving the way for success in penetration testing
careers.

Scan to Download
 Chapter 9 Summary : Cyber Space
Kittens: Chat Support Systems
Section Summary

Introduction to Express and Pug Express is a minimalist Node.js framework aiding in web development, while Pug is a
server-side HTML templating engine.

Overview of Cyber Space CSK chat support system is analyzed for vulnerabilities, focusing on coding issues,
Kittens (CSK) misconfigurations, and logic flaws.

Setting Up Tools for Attacking Essential tools include browsers with varied XSS responses, Wappalyzer & BuiltWith for
Web Applications tech discovery, Retire.js for JS library scans, and penetration testing tools like Burp Suite
& OWASP ZAP.

Analyzing a Web Application Understanding the technology stack is crucial for targeted attacks, with Wappalyzer
providing insights into systems like Express and Node.js.

Web Discovery Techniques Burp Suite's capabilities for endpoint discovery and content scanning are described, along
with tools like Dirbuster and GoBuster for directory enumeration.

Cross-Site Scripting (XSS) XSS is explored through various attack types, including cookie stealing, forced file
Attacks download, redirection, and complex payloads to bypass filtering.

Blind XSS and DOM-based Blind XSS attacks are invisible to attackers until viewed by an admin, while DOM-based
XSS XSS manipulates client-side scripts without server feedback.

Exploiting XSS to Compromise Transforming XSS attacks into shell access methods, particularly in content management
Systems systems during user-to-admin interactions.

NoSQL Injections Manipulation of JSON queries in NoSQL databases is discussed, highlighting potential
vulnerabilities.

Deserialization Attacks Risks associated with deserialization in Node.js, illustrating arbitrary code execution
vulnerabilities are highlighted.

Template Injection Attacks Exploitation through template engines, particularly with Node.js and Pug, is demonstrated.

Remote Code Execution (RCE) RCE is targeted via upload vulnerabilities, with methods to execute malicious payloads in
Node.js applications outlined.

Server Side Request Forgery SSRF allows server requests to internal resources, while XXE attacks target XML parsers
(SSRF) and XML External for file access and potential RCE.
Entities (XXE)

Conclusion Chapter emphasizes understanding technologies and persistence in exploring attack

methods for significant breaches in web applications.

Summary of Chapter 9: Web Application Attacks in

Scan to Download
The Hacker Playbook 3

Introduction to Express and Pug

Express is a minimalist web framework for Node.js,

facilitating the development of web and mobile applications
with various features. Middleware modules allow integration
of third-party services like authentication and payments. Pug,
formerly known as Jade, is a templating engine for
generating HTML on the server side.

Overview of Cyber Space Kittens (CSK)

This section describes the CSK chat support system as a

target for web application attacks. Initial vulnerability
scanning reveals minimal weaknesses, implying the system
has been well-maintained. The focus shifts to coding issues,
misconfigurations, and logic flaws as avenues for
exploitation.

Install
Setting Bookey
Up Tools App to Unlock
for Attacking Full Text
Web Applications and
Audio
Several tools are highlighted as essential for web application

Scan to Download
 Chapter 10 Summary : Finding
Credentials from Outside the Network
Section Summary

Introduction This chapter focuses on using Red Team tactics to penetrate corporate infrastructure without traditional
vulnerability scanners, highlighting the importance of reconnaissance and strategy adaptation.

Reconnaissance Despite initial challenges in finding vulnerabilities, the team reviews notes to strategize, emphasizing that
Review simple methods can be very effective.

Finding Entry Identifying entry points is critical. The team utilizes techniques like password brute-forcing while targeting
Points online services such as email and chat systems to gather credentials.

Password This strategy targets applications with common credentials obtained from reconnaissance, emphasizing the
Spraying careful selection of passwords to avoid account lockouts.

Tools for Two highlighted tools are:

Password
Attacks

1. Spray Facilitates authentication attempts across services like OWA and SMB with user-configurable parameters.

2. Ruler Developed by Sensepost, it helps with brute-forcing and information gathering on Exchange servers,
allowing for further exploitation after credential recovery.

Using Gaining credentials allows the Red Team to exploit email system features for malware delivery, testing
Compromised Blue Teams' detection capabilities.
Credentials

Final Thoughts The chapter stresses validating organizational resilience against attacks, pushing for enhancements in
detection and response strategies amidst the Red Team vs. Blue Team dynamic.

Summary of Chapter 10: Red Team Tactics in

Corporate Environments

Introduction

In this chapter, the focus shifts towards using Red Team

Scan to Download
tactics to penetrate corporate infrastructure without relying
on traditional vulnerability scanners. The narrative follows a
Red Team's second day of assessment, highlighting the
importance of recon and adapting strategies to find initial
entry points.

Reconnaissance Review

Despite initial setbacks in finding vulnerabilities, the Red

Team reviews reconnaissance notes to strategize.
Recognizing that gaining access leads to a bounty of
potential tricks and insights, it emphasizes that simple
methods often yield effective results.

Finding Entry Points

Finding an entry point can be complex but is crucial for

success. The chapter emphasizes basic techniques like
password brute-forcing, which remains a powerful tool. As
organizations expand their online services, the Red Team
targets externally authenticated applications like email, chat
systems, and collaboration tools to gather credentials.

Password Spraying

Scan to Download
The strategy known as Password Spraying targets various
applications using common credentials found during
reconnaissance. The process focuses on trying simple
passwords while avoiding account lockouts, as many services
are less secure than they might appear.

Tools for Password Attacks

Two main tools are highlighted for conducting password

attacks:
1.
Spray
- This tool facilitates authentication attempts across multiple
services, including OWA (Outlook Web Access) and SMB.
Users can configure it with specific parameters to test
potential passwords against a list of usernames.
2.
Ruler
- Developed by Sensepost, Ruler helps interact with
Exchange servers and can be used for both brute-forcing and
information gathering. Once credentials are obtained, Ruler
can also leverage them for further exploitation based on the
access granted.

Scan to Download
Using Compromised Credentials

With gained credentials, the Red Team can explore and

exploit features within the email systems to send malware
through trusted channels. The chapter stresses the importance
of testing detection capabilities of Blue Teams through
real-world attack simulations.

Final Thoughts

The emphasis is placed on validating the organization's

resilience against simulated attacks, pushing for
improvements in detection and response strategies,
underscoring the ongoing cat-and-mouse game between Red
Teams and Blue Teams.

Scan to Download
Example
Key Point:The Importance of Recon and Adapting
Strategies
Example:Imagine you're an attacker studying a target
corporation; you meticulously map out their digital
footprint. By analyzing their reconnaissance notes, you
identify weak points in their external applications,
realizing that a simple password attack might be all it
takes to breach their defenses. Instead of relying solely
on sophisticated tools, you employ Password Spraying
to stealthily attempt common credentials, ensuring you
avoid detection while opening doors to critical systems.
This strategic adaptability showcases how foundational
techniques can yield powerful results, proving crucial in
navigating corporate cyber defenses.

Scan to Download
Critical Thinking
Key Point:The effectiveness of Red Team tactics in
corporate cybersecurity assessments.
Critical Interpretation:The chapter highlights how Red
Team tactics, particularly those that forego traditional
vulnerability scans, can reveal underlying weaknesses in
corporate infrastructures. While the author advocates for
simple techniques like password spraying and tools such
as Spray and Ruler, it is essential for readers to consider
the broader context of cybersecurity. The reliance on
specific tactics may not universally apply across diverse
corporate environments, and organizations could benefit
from a more holistic approach that incorporates various
security measures beyond penetration testing. Critics of
solely using Red Team methodologies suggest that it
can lead to tunnel vision, focusing primarily on
immediate vulnerabilities rather than the overall security
posture (source: "The Art of Deception" by Kevin
Mitnick). Hence, evaluating the author's perspective
critically allows for a more comprehensive
understanding of cybersecurity strategies.

Scan to Download
 Chapter 11 Summary : Moving Through
the Network
Section Summary

Introduction to This section discusses extracting compromised emails using a Python script, highlighting the potential
Compromised recovery of large data volumes, sometimes in gigabytes.
Emails

Building a Readers are encouraged to create a password spray tool to test authentication types against services like
Password Spray XMPP and SaaS tools, ideally from multiple VPS instances managed by a master server.
Tool

Red Team The goal for Red Teamers is discreet network navigation, exploiting features for information without
Network detection. Traditional vulnerability scans are discouraged to enhance stealth and minimize detection.
Movement

Setting Up the A lab environment is recommended for practice, guiding on constructing a network that mimics
Lab Environment real-world scenarios since no pre-packaged labs are provided.

Requirement of An ideal lab setup includes a Windows 2016 Domain Controller, a Windows 2016 Web Server, three
the Lab Windows 10 clients, two Windows 7 clients, with at least 16 GB RAM and a 500GB SSD.

Configuration Steps include installing Active Directory, creating users/groups, configuring client machines for domain
Steps joining while managing permissions, and automating logins for ease of testing.

Setting Up IIS The chapter concludes with configuring the IIS server and setting Service Principal Names (SPN) to
Server finalize the testing network setup.

Overall Emphasis The chapter highlights the necessity of a controlled environment for safely experimenting with attack
techniques while remaining undetected in enterprise networks.

Summary of Chapter 11: Moving Through the

Network

Introduction to Compromised Emails

This chapter begins by discussing the extraction of

Scan to Download
compromised emails through a Python script, emphasizing
the potential for large amounts of data recovery - sometimes
reaching gigabytes.

Building a Password Spray Tool

Readers are encouraged to build a password spray tool to test

various authentication types against services like XMPP and
SaaS tools, preferably from multiple VPS instances
controlled by a single master server.

Red Team Network Movement

As Red Teamers, the goal is to navigate the network

discreetly by utilizing available features to locate and exploit
information without attracting attention. Traditional
vulnerability scans are discouraged due to increased
detection capabilities by organizations, hence highlighting
the importance of stealth in operational procedures.

Setting Up the Lab Environment

Creating a lab environment is recommended for hands-on

practice since there aren't pre-packaged VM labs provided.

Scan to Download
The chapter guides readers on constructing a network that
mirrors the environments they may encounter.

Requirement of the Lab

A suggested ideal lab includes:

- Windows 2016 Domain Controller
- Windows 2016 Web Server (IIS)
- Three Windows 10 client machines and two Windows 7
client machines
- Operational requirements include a minimum of 16 GB
RAM and a 500GB SSD

Configuration Steps

1. Installing and configuring Active Directory based on

Microsoft guidelines.
2. Creating users and groups using dsac.exe.
3. Configuring client machines to join the domain while
ensuring proper administrative privileges and disabling
firewall and antivirus settings via Group Policy Objects
(GPO).
4. Automating logins on client machines for ease of testing.

Scan to Download
Setting Up IIS Server

Lastly, the chapter touches on configuring the IIS server and

setting Service Principal Names (SPN) to complete the
testing network setup.
This chapter emphasizes the importance of creating a
controlled environment to safely experiment with various
attack techniques while remaining undetected within
enterprise networks.

Scan to Download
Example
Key Point:Creating a Controlled Lab Environment
is Essential for Network Testing
Example:Imagine you're gearing up to test your
cybersecurity skills; you meticulously configure a lab
setup that mimics a real corporate network. This
dedicated environment allows you to safely navigate
through various attack vectors, honing your stealth
tactics as you analyze compromised emails and practice
password spraying. With a Windows Domain Controller
and multiple client machines at your disposal, each
successful maneuver enhances your confidence,
preparing you for real-world situations without the risk
of detection or harm.

Scan to Download
Chapter 12 Summary : On the Network
with No Credentials

Summary of Chapter 12: Accessing Networks

Without Credentials

Introduction

This chapter discusses methods to access a network without

prior credentials, focusing on physical infiltration and
network-based attacks.

Gaining Access

- The scenario includes infiltrating a company’s premises by

blending in with employees at their smoking entrance.
- After entering the facility, the attacker discreetly plugs in a
drop box to connect to the network and then leaves
unnoticed.

Network Discovery

Scan to Download
- Once home, the attacker accesses the drop box remotely to
explore the client’s network and tools.

Using Responder for Credential Harvesting

- Responder is introduced as a tool for capturing credentials

by exploiting network name resolution failures.
- When a system fails to resolve a DNS name, it queries the
network using LLMNR and NBT-NS.
- Responder listens for these queries and provides false
responses to capture NTLMv2 credentials from the victim's
attempts to connect to a nonexistent share.

Capturing and Cracking Credentials

- Captured credentials are in the form of NTLM

Challenge/Response hashes.
- Although these are slower to crack compared to standard
NTLM hashes, they can still be processed using Hashcat.
- An alternative approach involves prompting users for their
Installand
username Bookey
passwordApp to Unlock
through Full Text and
a basic authentication
pop-up. Audio

Scan to Download
Chapter 13 Summary : After
Compromising Your Initial Host

After Compromising Your Initial Host

After gaining access to a host through various techniques

such as social engineering or exploiting vulnerabilities, the
next steps are crucial. Understanding the surrounding
network is fundamental to advancing one’s objectives.

Initial Commands

Several commands can be executed to gather information

about the compromised system:
-
Network Information:

- `netstat -anop | findstr LISTEN`

- `net group "Domain Admins" /domain`
-
Process List:

Scan to Download
 - `tasklist /v`
-
System Host Information:

- `sysinfo`
- `Get-WmiObject -class win32_operatingsystem | select
-property * | export-csv c:\temp\os.txt`
- `wmic qfe get Caption, Description, HotFixID,
InstalledOn`
-
File Searches:

- `dir /s *password* | findstr /s /n /i /p foo*`

- `findstr /si pass *.txt | *.xml | *.ini`
-
Information from Shares/Mounted Drives:

- `powershell -Command "get-WmiObject -class

Win32_Share"`
- `powershell -Command "get-PSDrive"`
- `powershell -Command "Get-WmiObject -Class
Win32_MappedLogicalDisk | select Name, ProviderName"`
Given the multitude of commands, remembering them all can
be challenging. However, a useful tool exists: RTFM (Read

Scan to Download
The Fine Manual), developed by leostat. This Python script
provides a searchable database of handy commands for ease
of use. To use RTFM, simply update and run the script as
follows:
- Change directory: `cd /opt/rtfm`
- Grant execute permissions: `chmod +x rtfm.py`

Scan to Download
Chapter 14 Summary : Privilege
Escalation

Chapter 14 Summary

Overview

This chapter discusses leveraging PowerShell to extract

network and environmental information to enhance
penetration testing efforts. It emphasizes methods for
privilege escalation, including identifying vulnerabilities in
service paths and registry permissions.

PowerShell and Enumeration

- Utilizes RTFM commands for efficient enumeration.

- PowerShell is integral for executing commands from
various C2 tools (Empire, Metasploit, Cobalt Strike).

Privilege Escalation Techniques

Scan to Download
-
Unquoted Service Paths
: Outlines how services lacking quotes around executable
paths can be exploited.
- Example: Modifying a service path to inject malware if
permissions allow.
-
Vulnerable Service Paths
: Use `wmic` commands to identify vulnerable services.
-
Registry Permissions
: Highlight the need to check `AlwaysInstallElevated` key to
gain elevated privileges via .MSI exploits.

PowerUp Module

- The PowerUp PowerShell script identifies

misconfigurations allowing privilege escalation.
- Example: Finding unquoted service paths and replacing
executable files to get a Meterpreter shell.

Identifying Patches and Vulnerabilities

Scan to Download
Using System Commands
: The `systeminfo` command can check for installed patches.
-
Windows Exploit Suggester
can be used to find known vulnerabilities based on the
service packages installed.

Testing Privilege Escalation

- Use Metasploitable3 for testing various privilege escalation

techniques.
- Example: Compromising a service running with privileged
access, such as Apache Tomcat.

Collecting Credentials

- Discusses Mimikatz and its limitations under Windows 10

regarding LSASS access.
- Recommend setting registry keys to store credentials in
memory (requires user relogin).
- Introduces tools like Mimikittenz to extract login data from
browsers without needing elevated privileges.

Windows Credential Store

Scan to Download
- Windows Credential Store saves user credentials, which can
be accessed easily when user context is compromised.
- PowerShell scripts can extract this information along with
browser history and cookies for further exploitation.

OSX Considerations

- Although less common, OSX systems are increasingly

present; thus, similar attack techniques are applicable
(SSH/VNC lateral movement).
- Empire can create OSX Macro payloads enabling the
attacker to execute code when the victim opens a specific
document.

Conclusion

Emphasizes that the techniques discussed are crucial for

effective penetration testing, highlighting the importance of
understanding system vulnerabilities and exploitation
methodologies.

Scan to Download
Chapter 15 Summary : Living Off of the
Land in a Windows Domain
Environment

Summary of Chapter 15: The Hacker Playbook 3

Introduction

In this chapter, the process of exploiting weaknesses in a

target's systems using various tools and techniques in an
Active Directory environment is discussed. The chapter
emphasizes reconnaissance, enumeration, and lateral
movement within a compromised network.

Reconnaissance Phase

- Craft a convincing story to encourage users to enable

macros.
- Once connected to the Empire server, various information
gathering techniques are employed:
-

Scan to Download
Dumping Browser Information:
Using the module `collection/osx/browser_dump` to gather
browsing data and stored passwords.
-
Keylogger Activation:
Enabling a keylogger through `collection/osx/keylogger`.
-
App Prompt for Password Capture:
Using `collection/osx/prompt` to solicit user information.
-
Webcam Usage:
Taking pictures via `collection/osx/webcam`.

Living Off the Land

- Techniques for collecting information within a Windows

domain using PowerShell Empire, without alerting system
defenses.
- Querying Active Directory (AD) service accounts utilizing
Service Principal Names (SPNs) provides valuable insights
into network services without triggering scans.
Install Bookey App to Unlock Full Text and
Using PowerView for ADAudio
Enumeration

Scan to Download
Chapter 16 Summary : Dumping the
Domain Controller Hashes

Summary of Chapter 16 from "The Hacker

Playbook 3"

PowerShell and Kerberoasting

- The Empire PowerShell module facilitates Kerberoasting,

allowing users to extract service tickets and process them
with tools like John the Ripper or Hashcat for password
cracking.
- In extensive environments, alternatives such as using
PowerShell and Mimikatz may be required to pull service
tickets.

Dumping Domain Controller Hashes

- Domain Administrative access allows for the retrieval of

NTDS.dit file hashes, which can be obtained using Volume
Shadow Copy (VSS) for taking a snapshot and accessing the

Scan to Download
data within.
- The process includes creating a shadow copy, copying
necessary files (like NTDS.dit, System, SAM, and Boot
Key), and ensuring to delete any traces left behind.

NinjaCopy Tool

- NinjaCopy is a tool that helps copy locked system files

from an NTFS partition by bypassing DACLs and read locks,
thus allowing access to NTDS.dit and registry hives.
- The command to run NinjaCopy is detailed, showing how
to move NTDS.dit to a local destination.

DCSync Method

- DCSync, developed by Benjamin Delpy and Vincent Le

Toux, revolutionizes how hashes are dumped from Domain
Controllers by impersonating a DC to request all user hashes.
- Unlike old methods, DCSync does not require direct
command execution or file dropping on the Domain
Controller, but does require specific permissions typically
held by Domain Admins or similar accounts.
- The method can be executed with a command from
Mimikatz.

Scan to Download
This chapter emphasizes the evolution of tools and
techniques used in exporting hashes from Domain
Controllers, showcasing both traditional and modern
approaches.

Scan to Download
Critical Thinking
Key Point:The Evolution of Cybersecurity Exploits
Critical Interpretation:The chapter illustrates the rapid
advancement in hacking techniques, particularly
through tools like DCSync and Kerberoasting, which
exemplify the shifting landscape of cybersecurity threats
and defenses. While the effectiveness of these tools
signals a major risk to system integrity, it is essential to
recognize that such advances can also spur
enhancements in security protocols. Therefore, while the
author presents a compelling case for the potency of
these tools, the implications may be overly
deterministic; for example, numerous cybersecurity
professionals emphasize the importance of proactive
measures and continuous evolution in security practices,
challenging the notion that attackers always stay ahead.
Studies such as those from the SANS Institute provide
extensive insight into defending against these
vulnerabilities (SANS Incident Response).

Scan to Download
Chapter 17 Summary : Lateral
Movement via RDP over the VPS

DCSync and Lateral Movement Techniques

DCSync Integration with PowerShell Empire

- DCSync is utilized in tools like PowerShell Empire.

- The module
powershell/credentials/mimikatz/dcsync_hashdump retrieves
NTLM hashes from Active Directory users, including the
krbtgt hash for potential Golden Ticket attacks.

Challenges with Lateral Movement

- Increased use of Next Gen AV makes traditional lateral

movement methods (WMI/PowerShell Remoting/PSExec)
less effective.
- Organizations are logging all Windows Command prompts,
necessitating more discreet techniques.

Scan to Download
Using VPS for Lateral Movement

- VPS servers provide a shell without a GUI, challenging

direct usage.
- Traffic is rerouted: from the attacker's host through the
VPS, then to the compromised hosts and next targets.

Setting Up the Environment

1. Configure a VPS with open ports and install Metasploit

using PTF.
2. Infect the initial victim with a Meterpreter payload.
3. Utilize the default SSH client for Local Port Forwarding:
- Connect to the VPS over SSH with the SSH key.
- Configure local port 3389 on the attacker’s machine to
forward traffic to the VPS.

Local Port Forwarding Steps

1. Infect the target with Meterpreter.

2. Use SSH to establish the local port forward on the attacker
system.
- Command: `ssh -i key.pem ubuntu@[VPS IP] -L
127.0.0.1:3389:127.0.0.1:3389`

Scan to Download
3. Establish Meterpreter port forwarding:
- Command: `portfwd add -l 3389 -p 3389 -r [Victim's RDP
IP]`
4. Connect to the victim using Remote Desktop on the
attacker's machine:
- Set the connection to localhost (127.0.0.1) and use the
victim's credentials.

Scan to Download
Chapter 18 Summary : Privilege
Escalation

SSH Traffic Tunneling and Pivoting

To enhance security during penetration testing, SSH can be

used for traffic tunneling and pivoting between compromised
hosts. Key techniques include:
-
Dynamic SOCKS Proxy:
Set up with the command `ssh -D 127.0.0.1:8888 -p 22
<user>@<Target_IP>` to redirect traffic through the
compromised host.
-
Basic Port Forwards:
Use `ssh <user>@<Target_IP> -L
127.0.0.1:55555:<Target_to_Pivot_to>:80` for single port
forwarding.
-
VPN Over SSH:
This allows tunneling of Layer 3 network traffic.

Scan to Download
Privilege Escalation on Linux

Privilege escalation in Linux requires searching for

vulnerable services and misconfigurations to gain higher
access levels. The following steps outline the approach:
1.
Gather System Information:
Identify users, services, cronjobs, and software versions.
Tools like
[LinEnum](https://github.com/rebootuser/LinEnum) can
automate this process and provide extensive reports.
2.
Analyze for Vulnerabilities:
If no misconfigurations are found, consider exploiting
known vulnerabilities. Use [linux-exploit-suggester](https://g
ithub.com/mzet-/linux-exploit-suggester) to identify missing
patches and available exploits.
3.
Testing for Exploits:
Conduct trials in a controlled lab environment to ensure
stability. One notable vulnerability is
Install Bookey App to Unlock Full Text and
DirtyCOW
Audio
, which allows escalation from a non-privileged user to root
by exploiting a race condition in Linux kernel memory

Scan to Download
Chapter 19 Summary : Linux Lateral
Movement Lab

Linux Lateral Movement Lab

Lateral movement within a network can be complex to

practice without a proper environment. This chapter
introduces the CSK Secure Network Lab designed for
experimenting with lateral movement techniques, exploits,
and privilege escalation in a Linux setting.

Setting Up the Virtual Environment

To set up the lab:

1. Download the three necessary virtual machines: [Lab
VMs](http://thehackerplaybook.com/get.php?type=csk-lab)
2. Use the credentials provided: username - hacker, password
- changeme.
3. Configure NAT settings in VMWare for the IP range
172.16.250.0/24.

Attacking the CSK Secure Network

Scan to Download
Once you've pivoted into the secure production network:
- Conduct Nmap scans on the 172.16.250.0/24 range to
identify accessible boxes.
- Target the box at 172.16.250.10 running Apache Tomcat
and OpenCMS.
- Execute the struts2_content_type_ognl exploit using a DNS
C2 payload with dnscat2.

Privilege Escalation

To escalate privileges:
- Compile the DirtyCOW exploit and configure the system
settings for stability.
- If the exploit presents issues, SSH into the server using
provided credentials to gain root access.

Post-Exploitation Activities

- Investigate the server for sensitive data, including the SSH

key to access a second box (172.16.250.30).
- Explore the Jenkins service running on port 8080 to extract
credentials.
- Use base64 encoding/decoding to handle sensitive files and

Scan to Download
decrypt stored passwords.

Final Steps

- Access the database server (172.16.250.50) using the

db_backup account obtained from Jenkins.
- As a final challenge, examine the contents of the
cyberspacekittens database to find encrypted secrets.

Conclusion

The lab empowers users to practice various hacking

techniques and encourages further exploration within the
compromised environment.

Scan to Download
Critical Thinking
Key Point:Ethical Implications of Hacking
Education
Critical Interpretation:While the chapter emphasizes the
importance of practicing hacking techniques in
controlled environments, readers should critically assess
the ethical implications of such education. Teaching and
learning these skills can lead to potential misuse outside
of ethical boundaries. The author promotes the idea of
controlled experimentation, which might implicitly
suggest that skills acquired could be misapplied in
malicious contexts. Sources such as the Ethics in
Information Technology by George Reynolds argue that
understanding the responsibility that comes with
knowledge is crucial, urging readers to consider whether
equipping individuals with hacking capabilities, even
within a lab, increases the risk of those skills being
misappropriated.

Scan to Download
Chapter 20 Summary : Building Your
Social Engineering (SE) Campaigns

Building Your Social Engineering (SE) Campaigns

Social engineering (SE) attacks are favored by Red Teamers

due to their low skill requirements and low-cost, high-impact
potential. Key aspects of SE campaigns include setting up
fake domains, servers, crafting persuasive emails, and
distributing USB sticks. Metrics tracked during these
campaigns typically include the number of emails sent, links
clicked, and credentials captured. Competitions like
DefCon's Social Engineering Competition showcase the
effectiveness of these tactics in teaching companies to
recognize and report malicious activities.

Doppelganger Domains

A prevalent technique for credential capture involves

creating domains that closely resemble legitimate company
URLs. This tactic exploits user errors, encouraging victims to
input their credentials on fake sites without overt phishing

Scan to Download
methods. Victims may bookmark these malicious sites,
increasing the likelihood of repeated visits.

How to Clone Authentication Pages

The Social Engineering Toolkit (SET) by TrustedSec is a

vital tool for cloning web application authentication pages.
The setup involves configuring Apache settings, selecting
appropriate attack methods, and testing the cloned site. Best
practices include securing the Apache server with SSL and
storing recorded passwords using strong encryption methods
to enhance security against server breaches.

Credentials with 2FA

As organizations increasingly adopt two-factor authentication

(2FA), Red Teams face new challenges. Tools such as
ReelPhish by FireEye enable automated triggering of 2FA
during credential capture. The process involves cloning sites
that require 2FA, monitoring traffic to authenticate, and
redirecting victims back to the legitimate site after extraction
of their credentials. Other solutions like Evilginx and
CredSniper also offer 2FA bypass capabilities.

Scan to Download
Conclusion

Running successful SE campaigns requires creativity and the

right tools. With techniques ranging from Doppelganger
Domains to automated 2FA handling, Red Teams can
effectively demonstrate security weaknesses while also
educating organizations about the importance of identifying
and reporting malicious attempts.

Scan to Download
Example
Key Point:Understanding the mechanics of social
engineering is crucial for defending against it.
Example:Imagine you receive an email that seems to be
from your bank, complete with its logo and language.
Unbeknownst to you, the email comes from a
doppelganger domain designed to trick you into entering
your login credentials. By neglecting to check the URL
carefully, you could unwittingly provide sensitive
information to an attacker. This scenario underscores the
critical need for awareness of social engineering tactics
and robust security practices to prevent such deceptive
strategies.

Scan to Download
Critical Thinking
Key Point:Reliability of Social Engineering Tactics
Critical Interpretation:The chapter highlights the
effectiveness of social engineering tactics in
cybersecurity, yet one must question whether such
tactics genuinely prepare organizations for real threats
or merely expose inherent vulnerabilities. Social
engineering relies on exploiting human psychology,
which can lead to ethical concerns about manipulation,
creating a dilemma for organizations weighing security
training against the potential risks of encouraging a false
sense of security. Critics argue that while understanding
social engineering attacks is important, overemphasis on
such tactics may detract from addressing systemic
security issues that require technological solutions, as
discussed by scholars like Bruce Schneier in his works
addressing behavioral security.

Scan to Download
Chapter 21 Summary : Phishing

Phishing Tactics

Phishing remains a highly effective technique for Red

Teams, leveraging fear, urgency, or enticing offers to trick
victims. Common examples include fraudulent emails about
unauthorized purchases or tax fraud. Despite increased
awareness among corporate employees, these attacks still
yield significant success, underscoring the need for
continuous monitoring and adaptation by Red Teams.

Automated Phishing Tools

Several automated tools can assist in executing phishing

campaigns:
-
Gophish
: User-friendly, supports templates, and tracks metrics.
-
Phishing Frenzy
: Ruby-based tool for phishing campaign management.
-

Scan to Download
King Phisher
: Python-based framework for advanced phishing attacks.
Targeted campaigns may employ manual tactics based on
reconnaissance of the victim's email infrastructure (e.g.,
Office 365), utilizing leaked information and tailoring
messages to specific individuals, especially executives.

Microsoft Office Macros

Utilizing malicious Microsoft Office files remains a classic

approach:
-
VBA Macros
: Create payloads via tools like Empire and Unicorn.
Generated payloads can execute code when enabled by the
victim.
-
Embedding Executables
: Tools such as LuckyStrike and VBad allow for the
embedding of payloads within Office documents, making
detection difficult.
Install Bookey App to Unlock Full Text and
Audio
Exploiting DDE Vulnerabilities

Scan to Download
Chapter 22 Summary : Exploiting
Internal Jenkins with Social Engineering

Exploiting Internal Jenkins with Social Engineering

Introduction

- Red Teamers leverage creativity in attacks, revamping old

exploits for new contexts.
- Jenkins, commonly used for continuous integration, allows
unauthenticated script execution that can lead to full system
compromise.

Understanding the Challenge

- Jenkins services are typically hosted internally, making

external attacks difficult.
- Red Teamers create a replica network to understand
command execution requests and devise tools for remote
code execution (RCE).

Scan to Download
Attack Methodology

1.
Social Engineering Setup

- Victim is led to visit a public, malicious website.

- A JavaScript payload is executed in the victim's browser
using XSS.
2.
Information Gathering

- The JavaScript payload exposes the victim's internal IP

address using WebRTC.
- With the internal IP, the attacker deduces the local subnet
of the victim’s machine.
3.
Scanning for Vulnerable Jenkins Instances

- The attacker scans the organization's internal network

range on port 8080.
- The exploit tool, "generateJenkinsExploit.py," prepares
payloads for compromise.
4.
Payload Delivery and Execution

Scan to Download
 - The malicious webpage retrieves the internal IP and
sprays the Jenkins exploit across the local network.
- Upon finding a vulnerable Jenkins server, it executes a
Groovy script to download and run a Meterpreter binary.

Technical Details of the Exploit

- The process mimics a Server Side Request Forgery (SSRF),

using the victim's browser to initiate connections to internal
servers.

Vulnerability Note

- This exploitation method is effective only on Jenkins

versions prior to 2.x, which lacked CSRF protection and
authentication measures.

Setting Up a Jenkins Exploitation Lab

1. Install Windows VM with a bridged interface.

2. Download and set up Java JDK8 and Jenkins WAR file.
3. Test the Groovy Script Console to check for
vulnerabilities.

Scan to Download
4. Use the THP Jenkins Exploit Tool to build a Meterpreter
payload.

Conclusion

- This methodology illustrates a sophisticated approach to

exploiting internal Jenkins servers, enhancing understanding
and proficiency in Red Team tactics.

Scan to Download
Chapter 23 Summary : Conclusion

Chapter 23 Summary

Jenkins Exploit Process

This section details the exploitation of vulnerabilities in

Jenkins servers using a malicious webpage. The process
involves:
1.
Preparing the Malicious Files
: Generate a malicious HTML page and an encrypted binary
using a Python script and move them to the server's web
directory.

2.
Exploitation
: By visiting the malicious webpage from a different system,
the browser initiates a Groovy payload that scans the internal
network for Jenkins servers. When identified, it triggers the
download, decryption, and execution of the encrypted
Meterpreter shell.

Scan to Download
3.
Wider Applications
: While Jenkins is exemplified, any service that allows
unauthenticated code execution via HTTP methods
(GET/POST) can be targeted.

Understanding the Attack Surface

Identifying applications in use within a target environment is

vital in crafting effective exploits against system
vulnerabilities.

Conclusion: The Role of Social Engineering

Social engineering techniques exploit human factors such as

fear, urgency, and trust. Successful attacks rely on
understanding these vulnerabilities to create effective
campaigns for system compromise. The chapter advocates
for a proactive approach in detecting and addressing phishing
and social engineering threats, moving beyond reactive
measures and focusing on actively identifying potential
attacks.

Scan to Download
Chapter 24 Summary : Card Reader
Cloners

Physical Assessment Guidelines

Objective

Conduct a physical assessment of the facility as requested by

CSK, evaluating gate adequacy, guard responses, and overall
security measures.

Legal Considerations

- Consult local, state, and federal laws before proceeding

with physical assessments.
- Note that possession of lock picks may be illegal in certain
states.
- Seek approval and work with the facility's security teams to
avoid legal issues.

Pre-Engagement Preparations

Scan to Download
- Coordinate with the physical security team about
contingency plans if guards intercept you.
- Clarify whether you can retreat or must comply if
approached.
- Ensure guards refrain from contacting law enforcement to
minimize risks.

Facility Reconnaissance

- The facility is located at 299792458 Light Dr., identified as

gated with guard shacks.
- Multiple entry points and potential areas for fence breaches
have been noted.
- Initial walkthrough revealed cameras, gates, and card reader
systems.

Card Reader Cloners

- Card reader cloning techniques, particularly for HID

badges, continue to be viable; updates include a new portable
Install
device, Bookey
Proxmark3 AppKit.
RDV2 to Unlock Full Text and
- Previously, the Proxmark3Audio
device was largely used for
cloning ProxCard II badges, which lack protections and are

Scan to Download
Chapter 25 Summary : Physical Tools to
Bypass Access Points

Summary of Chapter 25: Common RFID Cards and

Physical Access Bypass Tools

Common RFID Cards

The chapter lists several common RFID cards, including:

- HID iClass (13.56 MHz)
- HID ProxCard (125 kHz)
- EM4100x (125 kHz)
- MIFARE Classic (13.56 MHz)

Physical Tools for Bypassing Access Points

The chapter emphasizes the importance of physical

assessments and provides a brief overview of tools used in
physical penetration testing:
-
Lock Picks

Scan to Download
: Recommended vendor - SouthOrd.
-
Gate Bypass Devices
: For navigating locked gates.
-
Shove-it Tool
: Used to open doors with a latch.
-
Under the Door Tool
: Accesses lever handle doors from underneath.
-
Air Canisters
: Useful for bypassing motion-sensor-activated doors.

Purpose of Tools

Tools and techniques are intended for documenting physical

security program flaws and monitoring incident response
times.

LAN Turtle

The LAN Turtle is a crucial tool utilized for network

penetration:

Scan to Download
- It functions as a covert device, offering essential features
such as SSH access, DNS spoofing, and more.
- By establishing a reverse VPN connection, the LAN Turtle
can be integrated into a network, allowing the attacker to
scan and exploit the internal network.
- The setup process involves configuring an OpenVPN server
and the LAN Turtle itself.

Setting Up a VPN Server

The chapter outlines steps for creating a virtual private server

(VPS) running OpenVPN, recommending providers like
AWS Lightsail or Linode for their efficiency in handling
network traffic undetected.

Configuring the LAN Turtle

Key steps include:

- Installing OpenVPN on the LAN Turtle.
- Modifying the Firewall rules for traffic management.
- Verifying connectivity back to the OpenVPN server.

Accessing the Target Network

Scan to Download
Once configured, the attacker can SSH into the LAN Turtle,
identify the victim network’s IP range, and enable traffic
routing through the VPN for further intrusion tactics such as
vulnerability scans and data extraction.

Conclusion

The chapter highlights the strategic use of RFID access tools

and the LAN Turtle in advancing physical penetration testing
while addressing key security weaknesses in organizational
environments.

Scan to Download
Critical Thinking
Key Point:The Duality of RFID Security Tools and
Their Ethical Implications
Critical Interpretation:While the author outlines the
utility of RFID bypass tools and devices like the LAN
Turtle for improving security assessments, it's crucial to
recognize that such tools can easily be misused for
malicious purposes. The narrative presents these tools in
a quasi-heroic light, suggesting they are merely means
to enhance security; however, this overlooks the
potential for abuse in less scrupulous hands. Experts like
Bruce Schneier warn about the ethical dilemmas and
security paradoxes associated with hacking techniques,
advocating for a balanced view on the implementation
of such tools to prevent misuse while promoting
responsible security testing. Readers should weigh both
the potential benefits of understanding these tools and
the risks posed by their possible exploitation,
encouraging critical evaluation of the author's
perspectives.

Scan to Download
Chapter 26 Summary : Bash Bunny

Summary of Chapter 26: Hacking with Packet

Squirrel and Bash Bunny

Packet Squirrel Configuration

- Similar to LAN Turtle for network penetration, configure

the Packet Squirrel for a Reverse VPN connection to the
company.
- Edit necessary configuration files and upload the required
VPN files.
- The Packet Squirrel can serve as a DIY disposable pen-test
dropbox.

Bash Bunny Overview

- The Bash Bunny is an advanced tool that emulates HID

devices and can execute various attacks, unlike its
predecessor, the Rubber Ducky.
- Supports multiple payloads for different functionalities such
as credential stealing, phishing, and executing commands.

Scan to Download
Using Bash Bunny in Engagements

- In scenarios where machines are locked or encrypted, the

Bash Bunny can execute BunnyTap and QuickCreds
payloads to gather information.
- BunnyTap captures cookies from browsers, while
QuickCreds uses Responder to capture NTLMv2 hashes.

Practical Application: Cyber Space Kittens

- Upon physical access, the attacker uses KonBoot for

encrypted machines and Bash Bunny for locked screensavers,
successfully capturing credentials and session cookies.

Setup Instructions for Bash Bunny

- Download the latest firmware and set up the Bash Bunny

for payload use.
- Configure payloads for Windows or Mac depending on the
target system.
- Execute commands to install essential tools and clone
necessary repositories for further setup.

Scan to Download
Detailed Functions of Payloads

-
QuickCreds
: Captures NTLMv2 hashes from locked machines
efficiently.
-
BunnyTap
: Based on PoisonTap, it captures HTTP cookies from a
locked machine and exposes the internal router to the
attacker.

Final Notes

- Efficient physical penetration testing using tools like Bash

Bunny and Packet Squirrel enables information extraction
without needing the victim's passwords.
- Explore additional Bash Bunny payloads for diverse
hacking capabilities.

Scan to Download
Chapter 27 Summary : The Basics
Building a Keylogger

Writing Code for Red Team Campaigns

One of the distinguishing aspects of successful Red Teamers

and Penetration Testers is their ability to adapt to and
understand various protections. This includes knowledge of
low-level assembly, shellcode creation, custom C2 binaries,
and code modification to effectively execute their tasks.
While coding isn't always a requirement for penetration
testing, lacking this skill can hinder professional
development.

The Basics: Building a Keylogger

Keyloggers are vital tools for any penetration testing or Red

Team operation. This section teaches how to create a generic
keylogger, which is particularly useful when monitoring a
user for potential credential gathering or future campaigns.
The keylogger will run continuously on the victim's system,
capturing keystrokes and sending them out.

Scan to Download
Setting Up Your Environment

To develop the keylogger in C, the environment requires

Windows 10 on a VM and Visual Studio for compiling the
code. Key resources include Microsoft's Development
Network (MSDN) for Windows API programming, "The C
Programming Language" by Kernighan and Ritchie, and
Beej’s Guide to Network Programming for socket
programming.

Compiling from Source

Use Microsoft’s Optimizing Compiler within Visual Studio

to compile the code examples. Ensure you set the
environment for 64-bit or 32-bit compilation as needed.

Sample Framework

The keylogger utilizes low-level Windows functions like

`SetWindowsHookEx` and `LowLevelKeyboardProc` to
Install
capture Bookey
keyboard App
events. Thistoinvolves
Unlocksetting
Full specific
Text andhook
types and defining callbackAudio
functions to process keystrokes
and log them to a file. The file is continuously updated with

Scan to Download
Chapter 28 Summary : THP Custom
Droppers

Summary of Chapter 28: Custom THP Dropper

Development

Overview of Improvements

The chapter discusses enhancements for a stealthy logging

approach, including encrypting logs and using a DLL for
process injection to minimize detection risks.

Custom Droppers in Red Teaming

Custom dropper tools are critical for Red Teams, allowing

the execution of implants without leaving traces on the
victim's disk. Key points in designing a dropper include:
- Treating the dropper as a disposable asset due to detection
risks.
- Establishing a standard server for repetitive use.

Scan to Download
Developing THP Custom Dropper Code

A basic dropper code is shared through a GitHub repository,

which can load either shellcode or DLLs directly into
memory, avoiding disk writes. This is important for
maintaining stealth and minimizing forensic footprints.

Building and Running the Server

Instructions are provided to compile and run the custom

dropper server. Commands for the installation of necessary
tools, server compilation, and execution are outlined, along
with payload generation techniques using `msfvenom`.

Client Implementation

The client mimics server functionalities by registering

message handlers, connecting back to the server, and
processing received payloads. Configuration settings for
hostname, port, and packet duration are adjustable.

Extending Functionality

Adding new message handlers is straightforward; developers

Scan to Download
can register callback functions to process incoming packets.
Suggestions for improvements include encrypting transport
layers and managing data more securely.

Further Development Exercises

The section encourages customization and encryption

enhancements to improve security and efficacy further.
Potential directions include incorporating encryption
methods to protect data in transit.

Resources

- GitHub repository for code samples: [THP Dropper

GitHub](https://github.com/cheetz/thpDropper.git)

Scan to Download
Chapter 29 Summary : Recompiling
Metasploit/Meterpreter to Bypass AV
and Network Detection

Summary of Chapter 29 - Bypassing AV and

Network Detection

Introduction

This chapter discusses advanced techniques for modifying

Metasploit/Meterpreter to evade antivirus (AV) and network
detection systems. The focus is on adapting payloads to
remain undetected while maintaining functionality.

Extending Functionality and Payload Modification

- Transform LoadBlobHandler() to include a new

LOAD_TYPE for loading signed drivers when run as
administrator.
- Employ CreateService() and StartService() WinAPI calls
for driver management, while considering file system filters

Scan to Download
for detection.
- Since AV tools often have signatures for tools like
Metasploit, it’s essential to obfuscate payloads using
methods such as Shikata Ga Nai.

Evading Detection

- Modify payloads to eliminate easily identifiable signatures

in both network traffic and memory.
- Revise the metsrv persistence module to avoid triggering
AV alerts.
- Use Clang to compile parts of metsrv, ensuring no
detectable signatures remain in the binaries.
- Develop a new stage0 payload that downloads and executes
the Meterpreter without raising AV alarms.

Building the Environment

- Set up a Windows environment with Visual Studio 2013,

LLVM, GNU Make, and Git.
- Clone necessary repositories that contain modified versions
of Metasploit and associated payloads.
- Following the setup, review changes made to the codebase
for comprehensive improvements prior to compiling.

Scan to Download
Compilation Process

- Compile modified metsrv and associated binaries using

Visual Studio.
- After compilation, move binaries to the appropriate
Meterpreter folder for use in exploitation.

Creating a Custom Stage 0 Payload

- A Stage 0 payload is essential in bypassing detection by

mimicking Meterpreter's function of establishing a
connection and receiving the main payload.
- Replicate download and execute properties to remain
undetectable.
- Employ methods to avoid use of predictable imports, which
are common detection points for AV software.

Execution and Further Improvements

- After creating and compiling the new Stage 0 payload, test

it against systems with AV tools to confirm its effectiveness.
- Encourage the exploration of additional obfuscation
techniques, including:

Scan to Download
 - Utilizing a clang-based obfuscation toolchain.
- Implementing string encryption for payloads.
- Randomizing payload generation to improve stealth.

Conclusion

The chapter emphasizes a combination of code

modifications, environment setup, and advanced payload
creation to successfully bypass security measures,
highlighting ongoing efforts and innovations necessary to
remain undetected in the field of penetration testing.

Scan to Download
Critical Thinking
Key Point:Potential Risks of Bypassing Security
Measures
Critical Interpretation:While 'The Hacker Playbook 3'
illustrates techniques for bypassing antivirus detection,
it is crucial to recognize the ethical implications and
risks involved with such practices. The portrayal may
glorify evasion tactics, which could lead readers to
misinterpret their application in unauthorized contexts,
potentially resulting in legal and ethical breaches. A
critical perspective is essential here; as cybersecurity
experts emphasize the importance of ethical hacking
within the confines of legality and responsibility (e.g.,
Merritt, S. 'Ethics in Cyber Security: Balancing Security
Needs with Individual Rights'). Readers should consider
that while techniques may be effective for penetration
testing, their misuse can have severe ramifications.

Scan to Download
Chapter 30 Summary : SharpShooter

SharpShooter Overview

SharpShooter is a tool used by Red Teamers to create

payloads that can evade next-generation antivirus (AV) and
sandbox detection. It utilizes anti-sandboxing techniques
alongside James Forshaw’s DotNetToJScript for executing
shellcode in Windows scripting formats.

Key Features of SharpShooter

-
Payload Execution
: Supports both staged and stageless payload execution
through HTTP(S), DNS, or a combination of both.
-
Staged Payloads
: When executed, a staged payload retrieves a zipped and
base64 encoded C# source code file, which is then
downloaded and compiled on the host using the .NET
CodeDom compiler.
-

Scan to Download
Reflection Execution
: The desired method is executed from the compiled source
code using Reflection.

Example Usage

A simple command to run SharpShooter for a staged payload

could be:
```
python SharpShooter.py --interactive 1 -For .NET v2 Y
-Staged Payload 1 -HTA Payload
```

Anti-Sandbox Techniques Available

The following techniques can be utilized to bypass sandbox

detection:
1. Key to Domain
2. Ensure Domain Joined
3. Check for Sandbox Artifacts
4. Check for Bad MACs
Install
5. Check forBookey App to Unlock Full Text and
Debugging
Audio
Creating a C# Meterpreter Payload

Scan to Download
Chapter 31 Summary : Application
Whitelisting Bypass

Summary of Chapter 31 from "The Hacker

Playbook 3"

Creating and Deploying Malicious Payloads

1.
Using Templates for Payloads

- You can choose from custom or predefined templates for

testing.
- After creating malicious files, move them to your web
directory.
- Set up a Meterpreter handler for the payload.
- Start the Apache2 service and interact with potential
victims.
2.
Execution Mechanism

Scan to Download
 - Once a victim visits the malicious page (using IE/Edge),
it prompts them to run the downloaded HTA file.
- If executed, the payload will run in memory and may
download additional payloads depending on sandbox
controls.
3.
Application Whitelisting Bypass Techniques

- Discussed methods to trigger PowerShell without direct

execution.
- MSBuild.exe is highlighted as a key tool for bypassing
application whitelisting.
- It can execute payloads embedded in malicious XML
project files.
4.
Using GreatSCT Tool

- The GreatSCT tool can be used to create malicious XML

files that spawn Meterpreter sessions.
- Instructions are given on generating the reverse HTTP
Meterpreter payload using GreatSCT.
- The generated XML file must be executed on the victim’s
machine using MSBuild to establish the reverse session.
5.

Scan to Download
Execution on Victim Systems

- The command to execute the malicious XML file is

provided, which builds and starts a Meterpreter session.
- It’s recommended to obfuscate payloads within the XML
file to avoid detection by antivirus software.

Additional Resources

- Links are provided for further details on payload generation

and examples of the GreatSCT tool functionalities.

Scan to Download
Chapter 32 Summary : Code Caves

Application Whitelisting Bypasses

Application Whitelisting Bypasses can be approached in

various ways, warranting extensive discussion beyond just a
few examples. Here are some resources for further
exploration:
- Examples of bypass techniques utilizing Windows default
executables: [Ultimate AppLocker ByPass List](https://githu
b.com/api0cradle/UltimateAppLockerByPassList)
- Evading Application Whitelisting with REGSRV32 and
PowerShell Empire: [Read More](https://www.blackhillsinfo
sec.com/evade-application-whitelisting-using-,regsvr32/)
- DLL Execution via Excel.Application RegisterXLL:
[Details Here](https://rileykidd.com/2017/08/03/application-
whitelist-bypass-using-,XLL-and-embedded-shellcode/)
- Leveraging INF-SCT Fetch & Execute Techniques for
Bypass, Evasion, & Persistence: [Explore Techniques](https:/
/bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-,te
chniques-for-bypass-evasion-persistence-part-2/)
- AppLocker Bypass with Regsvr32: [Blog Post](https://pent
estlab.blog/2017/05/11/applocker-bypass-regsvr32/)

Scan to Download
Creative Lateral Movement

In Red Team operations, the goal is often to find inventive

methodologies for lateral movement within a target
environment while maintaining stealth. If credentials are
available, attackers may utilize WMI or PSExec to execute
payloads remotely. However, relying on these methods can
lead to detection, as they are usually flagged as abnormal
activities. The challenge lies in ensuring that any movements
do not leave clear traces that can be traced back to every
involved domain, IP, or compromised host. Finding
alternative methods to conceal lateral movements is essential
to avoid detection by Blue Teams, who are adept at analyzing
these common connection patterns.

Scan to Download
Chapter 33 Summary : PowerShell
Obfuscation

Summary of Chapter 33 from "The Hacker

Playbook 3"

Creative Movement in Hacking

- The chapter discusses the creative approaches hackers can

employ once inside a target environment.
- Identifying publicly shared files and shares is emphasized,
as well as embedding malware in executable binaries, which
often have low detection rates.

Malware Injection Techniques

- Tools such as Backdoor Factory allow attackers to find code

caves in executable programs for malware injection.
- Additional resources are provided for those interested in
backdooring executables.

Scan to Download
PowerShell Obfuscation

- PowerShell scripts are increasingly detected by antivirus

tools, especially when they are dropped onto disk.
- Various methods for obfuscating PowerShell parameters,
such as `-ExecutionPolicy Bypass`, are suggested to avoid
detection.
- The chapter highlights the effectiveness of using partial
parameter strings to prevent Blue Team alerts.

Advanced Obfuscation Techniques

- Techniques are demonstrated for heavily obfuscating

PowerShell commands intended to execute malicious scripts,
including the usage of Invoke-Obfuscation.
- Cryptographic methods such as SecureString (AES) are
mentioned for further securing payloads during execution.

Practical Examples and Resources

- The chapter includes practical examples of PowerShell

Install used
commands Bookey App toand
to download Unlock
execute Full Text
payloads and
like
Mimikatz. Audio
- It provides references to tools and GitHub resources for

Scan to Download
Chapter 34 Summary : HideMyPS

PowerShell Execution Techniques

Introduction to PowerShell Malware Execution

PowerShell can be utilized through .Net instead of directly

invoking PowerShell.exe. This method, while typically
flagged by antivirus (AV) software, lays the groundwork for
creating binaries that can execute PowerShell malware
clandestinely.

NPS_Payload

This tool developed by TrustedSec leverages MSBuild.exe to

execute PowerShell payloads without using the PowerShell
executable. It generates an XML file (`msbuild_nps.xml`)
that, when called, executes the embedded PowerShell code
via MSBuild.

SharpPick Tool

Scan to Download
SharpPick, a component of PowerPick, enables PowerShell
execution without launching the PowerShell process. It
utilizes the `RunPS` function to run scripts inside a
PowerShell runspace, thus avoiding detection by traditional
AV. Users can create binaries from PowerShell Empire
payloads using SharpPick.

Creating DLLs for Execution

In scenarios where dropping a binary is not feasible, attackers

can create a Class Library (DLL file) to execute payloads
using `rundll32.exe`. This flexibility allows specific
PowerShell payload execution without relying on
PowerShell.exe.

HideMyPS Tool

HideMyPS, developed to combat PowerShell's detection by

AV software, obfuscates scripts to evade static signatures.
This tool converts PowerShell scripts into versions that avoid
detection by altering function names, breaking strings, and
removing comments.

Practical Example

Scan to Download
For demonstration, a sample script (Invoke-Mimikatz) is
obfuscated to alter its structure and disguise its
functionalities. This helps maintain stealth against security
measures from updated antivirus programs.

Conclusion

These techniques and tools illustrate the ongoing battle

between attackers using PowerShell for malicious purposes
and the defenses employed by security software. The
constant evolution of methods to evade detection emphasizes
the necessity for both sides to adapt continuously.

Scan to Download
Chapter 35 Summary : Automation

Chapter 35 Summary: Useful Resources for Red

Teams and Penetration Testing

Overview

This chapter highlights various tools and strategies beneficial

for Red Teams and Penetration Testing, particularly for
specific scenarios or unique instances.

Automation in Attacks

- As security measures improve, attacks must become

quicker.
- Initial payloads are designed to avoid detection but are used
to gather information about the target environment.
- The chapter emphasizes the importance of getting caught
initially to learn about defensive measures.

Automating Metasploit with RC Scripts

Scan to Download
- Metasploit can run post-exploitation scripts efficiently by
configuring an `AutoRunScript`.
- A handler file is created to manage connections and
automate various tasks during an attack.

Automating Empire

- Empire's resources enable automation of repetitive tasks

similar to Metasploit.
- A dedicated file is created to load and execute various post
modules automatically upon agent connection.

Automating Cobalt Strike

- Cobalt Strike's power lies in its Aggressor Scripts, which

facilitate automation of attacks and tasks.

Conclusion

The chapter provides practical approaches to automation

using key tools, enhancing the effectiveness of Red Team
operations and penetration tests.

Scan to Download
Chapter 36 Summary : Password
Cracking

Strike Aggressor Scripts

Aggressor Scripts allow for the automation of complex

attacks, such as running Mimikatz every thirty minutes to
gather clear-text credentials from shared workstations.
Example scripts and collections can be found at:
- [Aggressor Scripts by bluscreenofjeff](https://github.com/bl
uscreenofjeff/AggressorScripts)
- [Aggressor Scripts by harleyQu1nn](https://github.com/harl
eyQu1nn/AggressorScripts)

The Future of Automation

The future of hacking will involve increased automation,

particularly for smart compromises and APT attacks. Two
notable tools in this movement are:
- [Portia](https://github.com/SpiderLabs/portia)
- [Caldera](https://github.com/mitre/caldera)

Scan to Download
Password Cracking

A recent 41GB password dump contains 1.4 billion

username/password pairs. It is advised to use just password
lists rather than the entire dump to avoid sensitive
information. The password list can be found [here](http://the
hackerplaybook.com/get.php?type=THP-password).
For effective password cracking, a powerful rig can be built
for around $12,000, consisting of multiple GPU cards
capable of cracking NTLM hashes at impressive speeds.

Cloud Cracking Options

For those unable to afford a large GPU setup, cloud-cracking

is available. Amazon now offers Tesla GPUs, which
outperform standard models. The cost to run AWS for
cracking is approximately $25 per hour.

Password Cracking Lab

Troy Hunt released a SHA1 list of password hashes, which

canInstall Bookey
be a useful App
resource to Unlock
for testing Full Text and
password-cracking skills.
Audio
Passwords under ten characters can be smart-bruteforced
effectively as GPU technology advances.

Scan to Download
Chapter 37 Summary : Gotta Crack Em
All - Quickly Cracking as Many as You
Can

Password Cracking Techniques

KoreLogic Rules and Hashcat

- KoreLogicRulesAppendYears provides a method to append

years to passwords for cracking.
- Using existing rules such as Hashcat default rules, Kore
Rules, NSAKEY, and Hob0Rules can enhance efficiency.
- It’s noted that more complex rules can slow down the
cracking process.

Getting Started with Password Cracking

- Understanding the hashing algorithm in use is crucial

before starting.
- Test runs with various hashing algorithms (e.g., NTLM and
SHA-256) provide insight into their speed and efficiency.

Scan to Download
- The choice of a hashing algorithm impacts the overall
approach to password cracking.

Setting Up for Cracking

- Start by dumping NTLM hashes from the domain controller

using DCSync.
- Organize NTLM hashes in a file for processing.
- The cracking process begins with balanced configurations
of hashcat commands optimized for speed.

Initial Password Cracking Strategies

- Employ brute-force attacks for passwords of 7 characters or

less initially.
- Compare common password lists against the hashes for
quicker results.
- Utilize different rule sets on large password lists to
maximize password recovery success.

Advanced Techniques for Cracking

- Techniques include adding characters to existing password

lists for length variations.

Scan to Download
- Use Hashcat utilities like combinator to create
combinations of smaller password lists efficiently.

Custom Password List Creation

- Custom password lists can be generated using tools like

Brutescrape and Burp Word List Extractor.
- Analyzing cracked passwords helps develop effective
masks for future cracking efforts.

Analyzing Cracked Passwords

- Use tools to analyze the cracked passwords, identify

patterns, and create focused attack masks.
- Employ Pipal to better understand base words and create a
target analysis based on compromised accounts.

Future Directions in Password Cracking

- Continuous research and adaptation of techniques and tools

are essential for staying ahead in password cracking.

Scan to Download
Chapter 38 Summary : Creative
Campaigns

Summary of Chapter 38: Simulated Ransomware

Campaigns

Introduction to Simulated Ransomware

- Internal Red Teams provide opportunities for creative

security campaigns, one being the simulation of ransomware
attacks.
- Simulated campaigns during historical events like
WannaCry highlight the need for effective business recovery
and disaster recovery procedures.

Importance of Testing Recovery Procedures

- Organizations must assess their ability to recover from

potential malware incidents.
- The common response, "I think so," lacks validation;
internal Red Teams are essential for testing and confirming

Scan to Download
security measures.

Developing Simulated Ransomware

- While the author refrains from providing detailed examples

due to risks, the chapter encourages readers to create their
own tools and conduct tests in a responsible manner.

Simulated Ransomware Tips

- For organizations that prohibit actual file

deletion/encryption, a simulated breach can be executed.
- This involves scanning systems for sensitive files, reading
data into memory, then randomly modifying it and sending
metadata to a command-and-control server to demonstrate
potential data exfiltration capabilities.

Best Practices for Conducting Simulations

- Review existing ransomware samples to understand the

types of files frequently targeted, as seen in the WannaCry
example.
- When creating malware simulations, keep encryption

Scan to Download
methods simple (e.g., using standard AES, public/private
x509 certificates, or basic bitwise XOR) to avoid
complications that could impede recovery efforts.

Scan to Download
Critical Thinking
Key Point:The necessity of Simulated Ransomware
Testing
Critical Interpretation:While the chapter emphasizes the
importance of conducting simulated ransomware
campaigns to test recovery procedures, it may overlook
the ethical implications and potential risks involved in
such simulations. The perspective that these tests are
inherently beneficial could be challenged, especially
considering that poorly planned simulations could
inadvertently disrupt essential functions or lead to panic
within an organization. Scholars such as Decker and
Hughes (2017) argue that while simulations can enhance
readiness, the context and execution must be carefully
managed to avoid negative outcomes.

Scan to Download
Chapter 39 Summary : Windows
Download File from Internet Command
Line

Summary of Chapter 39: Key Concepts in

Ransomware and Malware Execution

Testing and Backup Recovery

- The chapter emphasizes the importance of testing the

recovery of critical files in the event of ransomware attacks.
- Highlighted is the risk of discovering a company's inability
to recover files if the decryption process fails.

Ransomware Detection Evasion

- Next-gen antivirus solutions detect ransomware based on

behavioral patterns.
- Common sequences observed in ransomware attacks
include scanning for files, encryption, deletion of shadow
copies, and disabling backups.

Scan to Download
- To evade such detection, attackers can slow down their
malicious actions or alter their methods to execute similar
tactics through alternative processes.

Disabling PowerShell Logging

- The text discusses strategies to disable logging in

PowerShell, a critical tool used by system administrators.
- The chapter provides a specific example via a script from a
GitHub repository that demonstrates how to disable
PowerShell logging.

Download and Execute Malicious Payloads

- Upon gaining shell access through vulnerabilities, attackers

can use various Windows features to download and execute
secondary malware.
- Techniques described include the use of:
- `mshta`
- `rundll32.exe`
- `certutil`
- The methods mentioned provide ways to remotely retrieve
and run payloads, further facilitating the execution of
malicious code without detection.

Scan to Download
Example
Key Point:Testing Recovery Procedures
Example:Imagine working in an office, and suddenly,
you receive a notification on your screen that all your
critical files are encrypted. Panic sets in as you realize
that you’ve never actually tested your company's backup
recovery processes, leaving you unprepared for this
ransomware attack. To avoid such a situation, it's vital to
regularly test your recovery strategies; this ensures that
should disaster strike, you are ready to swiftly restore
your essential data without facing major disruptions.

Scan to Download
Critical Thinking
Key Point:Importance of Testing Recovery from
Ransomware Attacks
Critical Interpretation:The chapter insists on the critical
need for businesses to rigorously test their recovery
processes for vital files after a ransomware incident.
While this viewpoint emphasizes preparedness against
potential threats, one must question whether mere
testing suffices for comprehensive risk mitigation.
Berghel's 2019 article in 'Communications of the ACM'
suggests that reliance solely on testing does not address
underlying vulnerabilities or advanced threat vectors
effectively.

Scan to Download
Chapter 40 Summary : Retrieving
NTLM Hashes without Touching LSASS

Chapter 40 Summary

Methods for Code Execution

Various command line techniques are available for executing

secondary code while obscuring logging. Examples include
using `certutil` to download and decode payloads.

Privilege Escalation from Local Admin to System

The common method of escalating privileges from a local

administrator account to the System level is via Metasploit's
`getsystem`, though alternatives exist. One such alternative is
a PowerShell script by decoder-it, which creates a process
with its parent PID owned by System.

Retrieving NTLM Hashes without LSASS

Scan to Download
Research by Elad Shamir yielded a method to capture NTLM
hashes without accessing LSASS, which is hindered by
Credential Guard in more advanced Windows systems. The
"Internal Monologue Attack" effectively retrieves logon
tokens from running processes and interacts with NTLM SSP
to obtain a NetNTLMv1 response without touching LSASS
directly.

Scan to Download
Example
Key Point:Understanding advanced privilege
escalation techniques can greatly enhance your
security expertise.
Example:Imagine you are part of a security team tasked
with protecting your organization’s network. You realize
that merely addressing vulnerabilities is insufficient. By
mastering privilege escalation methods like those using
Metasploit or PowerShell scripts, you can proactively
defend against intrusions. This knowledge allows you
not just to react, but to anticipate and counter potential
threats, thereby elevating your skill set from basic
network defense to advanced cybersecurity strategy.

Scan to Download
Critical Thinking
Key Point:Use of code execution methods can
enhance security risks.
Critical Interpretation:The author highlights several
techniques for executing code secretly and elevating
privileges, which can be seen as a manual for both
ethical hacking and malicious activities. While these
methods may be effective for penetration testing, they
also pose significant risks if wielded by malicious
actors, calling into question the ethical implications of
sharing such information. It is crucial for readers to
evaluate the potential misuse of these techniques in the
real world and consider the broader context of cyber
security practices, as outlined in sources such as
'Cybersecurity Essentials' by Charles J. Brooks et al.,
which emphasizes responsibility and ethics in
cybersecurity.

Scan to Download
Best Quotes from The Hacker Playbook
3 by Peter Kim with Page Numbers
View on Bookey Website and Generate Beautiful Quote Images

Chapter 1 | Quotes From Pages 10-11

1.Pretending to not be afraid is as good as actually
not being afraid.
2.If you ever feel like it's wrong, it's probably wrong, and
you should ask a lawyer...There is a fine line between
research and illegal activities.
Chapter 2 | Quotes From Pages 13-15
1.From the little details we have picked up, it looks
like Cyber Space Kittens has discovered a secret
planet located in the Great Andromeda Nebula...
This creates a potentially habitable environment...
2.The Red Team’s mission is to emulate the tactics,
techniques, and procedures (TTPs) by adversaries.
3.With Red Teams, we need to show value back to the
company... it is about proving how the security program is
running.

Scan to Download
4.Two strong metrics that evolve from these campaigns are
Time To Detect (TTD) and Time To Mitigate (TTM).
5....it is about proving how the security program is running.
Chapter 3 | Quotes From Pages 19-19
1.Companies need to live in a world today where
they start with the assumption that they have
already been breached.
2.We need to get in a state of mind where we are always
hunting, assuming evil is lurking around, and looking for
these anomalies.
3.There will always be 0-days. So, can the client identify and
mitigate against secondary and tertiary steps?
4.This is one of my favorite parts of running Red Teams.
Before you compromise your first system, you need to
scope out your Red Team campaign.
5.In Red Team campaigns, we start out with a few objectives.
These objectives can include, but are not limited to: What
are the end goal goals? Is it just APT detection?

Scan to Download
Chapter 4 | Quotes From Pages 20-21
1.The best part is that getting caught is part of the
assessment.
2.Within minutes, you can have multiple servers set up and
running Metasploit and Empire services.
3.I highly recommend getting at least 1 GB of RAM. Storage
space usually isn't an issue.
4.This is where I recommend that you develop your own
scripts to set up things such as IPTables rules, SSL certs,
tools, scripts, and more.
Chapter 5 | Quotes From Pages 22-35
1.What you do want is to create an efficient and
repeatable process to deploy multiple machines.
2.As a Red Teamer, the purpose is not to compromise an
environment, but to replicate real world attacks.
3.There’s no wrong way to create your systems.
4.Malleable C2 Profiles allow you to make all your traffic
look like normal traffic.
5.Tools are enablers; organizations must embrace a mindset

Scan to Download
 of security.
Chapter 6 | Quotes From Pages -54
1.Not only do you need to have your attack
infrastructure ready at a whim, but you also need
to be constantly looking for vulnerabilities.
2.Build a better network diff scanner: Build a better port list
than the default nmap.
3.Many companies do not have ACLs properly implemented.
They believe that their servers are protected, but we
discover that they are publicly facing.
4.As you can tell these ranges are huge and scanning them
manually would be very hard to do.
5.I highly recommend you take this code as a start, save all
hostnames to a database, make a web UI frontend, connect
additional ports that might have certs, and maybe even look
for some vulnerabilities like .git/.svn style repos.

Scan to Download
Chapter 7 | Quotes From Pages 57-58
1.One caveat, though: on average, it takes about 3-6
months before you begin to consistently find bugs.
2.It really requires you to just dive in, allot a few hours a day,
and focus on understanding how to get that sixth sense to
find bugs.
3.Before we start learning how to exploit web applications,
let’s talk a little about bug bounty programs.
4.The security industry, as a whole, runs in a cyclical pattern.
5.These programs can pay anywhere from Free to $20k+.
Chapter 8 | Quotes From Pages 59-61
1....if it feels illegal, it probably is.
2.if you are going for a penetration testing job, it is
imperative to know, at a minimum, the OWASP Top 10
backwards and forwards.
3.Node.js allows you to run JavaScript outside of a browser.
Chapter 9 | Quotes From Pages -104
1.Understanding the application before blindly
attacking a site can help provide you with a much

Scan to Download
 better approach.
2.Finding vulnerabilities often involves looking beyond
traditional scanning tools to discover the real weaknesses in
code and logic.
3.XSS attacks can take many forms, and leveraging
obfuscated payloads can make these attacks more effective.
4.Polyglot payloads integrate multiple types of attacks into a
single request, making them particularly powerful and
difficult to detect.
5.Utilizing tools like BeEF can transform an XSS
vulnerability into a powerful entry point for
post-exploitation activities.
6.Completely ignorant of the language and frameworks used
could lead to missing significant vulnerabilities.
7.XSS to RCE is a potent transition that exemplifies the
danger of client-side vulnerabilities.
8.SSRF vulnerabilities can allow attackers to access sensitive
internal resources that should be protected.
9.Template injection vulnerabilities showcase the risks of

Scan to Download
 dynamic rendering and can lead to significant breaches.
10.Understanding the server-side and encoding, especially in
XML parsing, can prevent critical data leaks.

Scan to Download
Chapter 10 | Quotes From Pages 107-undefined
1.This is one of the easiest…
2.It only takes one password to get our foot in the door!
3.Remember, it only takes one password to get our foot in the
door!
4.As companies grow, they require more technologies and
tools. For an attacker, this definitely opens up the playing
field.
5.Sometimes, I tell my Red Teams to just... keep it simple.
Chapter 11 | Quotes From Pages -112
1.The only way to really learn how to attack
environments is to fully build it out yourself.
2.We want to move through the network as quietly as
possible.
3.An ideal Windows testing lab for you to create at home
might look something like the following.
Chapter 12 | Quotes From Pages -undefined
1.Even better is that Responder can go a step above
and act as a WPAD (Web Proxy Auto-Discovery

Scan to Download
 Protocol) server, proxying all data through our
attacker server, but that is a whole other attack.
2.Once they submit their credentials, we will be able to
capture them in clear text!
3.Instead of forcing the victim to authenticate to our SMB
share, MultiRelay will forward any authentication requests
to a victim host of our choice.
4.The concept behind this is to only target domain
Administrators, local Administrators, or privileged
accounts.

Scan to Download
Chapter 13 | Quotes From Pages 119-119
1.That is always the million dollar question.
2.Let's be real here, no one has time to remember all of these
commands.
3.I believe, based on the RTFM book (great resource), leostat
created a quick Python script that has a ton of these handy
commands easily searchable in a tool called rtfm.py.
Chapter 14 | Quotes From Pages 120-131
1.These are all the things we have been doing
forever to get information, but what if we could
get much more from the environment?
2.In the following examples, we will be using Empire, but
feel free to try other tools.
3.For unpatched Windows systems, we do have some go-to
privilege escalation attacks... but how do we quickly
identify what patches are installed on a Windows system?
4.This vulnerable framework automatically builds a
Windows VM with all the common and some uncommon
vulnerabilities.

Scan to Download
5.Often, it is just about timing. For example, when a
vulnerability is discovered, that may be your limited
window of opportunity to further compromise the system
before it is patched.
6.One thing we do see is that Apache Tomcat is running as a
privileged process. If we can abuse this service, we may be
able to execute our payload as a higher service.
7.What Mimikittenz does is it utilizes the Windows function
ReadProcessMemory() in order to extract plain-text
passwords from various target processes such as browsers.
8.The Credential Store is a default feature of Windows that
saves usernames, passwords, and certificates for systems,
websites, and servers.
Chapter 15 | Quotes From Pages -151
1.It doesn't really matter as long as you have the
ability to import PowerShell scripts into memory
and evade whatever the host system protections
are.
2.For an attacker, querying SPN is a vital part of the

Scan to Download
 enumeration phase.
3.We can utilize, 'features' of the networks and services to
find all the information we need?
4.As you can see, we were able to do all this without being a
local administrator or having any administrative rights on
the local system.
5.This will help us map which users have which privileges.
However, we still need detailed information about
workstations and systems.
6.BloodHound uses graph theory to reveal the hidden and
often unintended relationships within an Active Directory
environment.
7.What can you do with a basic domain user account with no
other group memberships?
8.Once inside BloodHound and all the data is imported, we
can go to the Queries to look at the 'Find Shortest Paths to
Domain Admin'.
9.Gaining Credentials from Service Accounts... What do you
do next?

Scan to Download
Chapter 16 | Quotes From Pages 152-153
1.Once we have obtained Domain Administrative
access, the old way to pull all the hashes from the
DC was to run commands on the domain
controller and use Shadow Volume or Raw copy
techniques to pull off the Ntds.dit file.
2.Luckily for us, we can take advantage of a Windows
feature called Volume Shadow Copy Service (VSS), which
will create a snapshot copy of the volume.
3.DCSync, written by Benjamin Delpy and Vincent Le Toux,
was introduced and changed the game on dumping hashes
from Domain Controllers.
4.This means, as long as you have permissions, you do not
need to run any commands on the Domain Controller and
you do not have to drop any files on the DC.
Chapter 17 | Quotes From Pages 154-155
1.In today's world, with a ton of Next Gen AV,
running WMI/PowerShell Remoting/PSExec
laterally between computers isn't always the best

Scan to Download
 option.
2.The issue with using VPS servers is that it is only a shell
with no GUI interface.
3.Luckily for us, we can use native tools to accomplish most
of this.
4.Finally, we need to set up a port listening on our VPS on
port 3389 and set up a port forward through our
compromised victim using Meterpreter's port forward
feature to route to our victim's system.
Chapter 18 | Quotes From Pages 157-159
1.In terms of effectively and efficiently parsing a
Linux box for privilege escalation issues, we can
use a few tools to do all the legwork for us.
2.Once we gain information about the system, we try to see if
we can exploit any of these vulnerabilities.
3.One of my favorite vulnerabilities in this scenario is
DirtyCOW.
4.This vulnerability allows an attacker to go from a
non-privileged user to root via kernel vulnerabilities. This

Scan to Download
is the best type of privilege escalation we could ask for!

Scan to Download
Chapter 19 | Quotes From Pages 160-169
1.The problem with lateral movement is that it is
hard to practice without having an environment
set up to pivot.
2.This is everything you have trained for...
3.You have compromised the OpenCMS/Apache Struts
server! Now, what?
4.Feel free to play around on these systems, find more
sensitive files, figure out other ways to privilege escalate,
and more.
5.You have successfully compromised the Cyber Space
Kittens network!
Chapter 20 | Quotes From Pages -174
1.With SE style attacks, there are no right or wrong
answers. As long as they work, it's all good in our
book.
2.Doppelganger Domains...is still one of the most successful
ways to get that initial credential or drop malware.
3.One of the best tools to quickly clone web application

Scan to Download
 authentication pages is the Social Engineering Toolkit
(SET) by TrustedSec.
4.Although 2FA is a big pain for Red Teams, they aren't
impossible to get around.
Chapter 21 | Quotes From Pages -181
1.Phishing, at its core, relies on either fear, urgency,
or something that just sounds too good to be true.
2.The issue with these general attacks is that we are noticing
that corporate employees are getting smarter and smarter.
3.For those looking for more automated attacks, we really
like Gophish.
4.Additionally, we try to find any leaked emails from that
company, programs they might be running, new features,
system upgrades, mergers, and any other information that
might help.
5.One of the older, but tried and tested, methods of social
engineering is sending your victim a malicious Microsoft
Office file.
6.We are always looking for creative ways to build our

Scan to Download
landing pages, encrypt our payloads, and to trick users into
clicking run.

Scan to Download
Chapter 22 | Quotes From Pages 182-184
1.creativity in attacks is what makes our work
extremely exciting.
2.if you have been performing network assessments, you
know that if you come across an unauthenticated Jenkins
application, it pretty much means full compromise.
3.In this case, we solved this problem through a multitude of
steps using JavaScript and WebRTC.
4.When a victim visits our malicious webpage, it will grab
their internal IP and start spraying our exploit to all servers
in the /24 range.
5.Note: This vulnerability does not exist in the latest versions
of Jenkins.
Chapter 23 | Quotes From Pages 185-185
1.Social engineering is one of those areas that will
always be a cat-and-mouse game.
2.By taking advantage of these vulnerabilities, we can create
very clever campaigns that have a high success rate on
system compromise.

Scan to Download
3.In terms of metrics and goals, we need to move away from
a reactive model of waiting for users to report phishing/SE
emails, to a proactive model where we can hunt actively for
these types of malicious attacks.
Chapter 24 | Quotes From Pages 187-187
1.Please make sure to check with local, state, and
federal laws prior to doing any physical
assessments.
2.Also, ensure you have proper approval, work with the
facility's physical security teams, and have a signoff paper
in case you get caught.
3.The last thing you want is to actually go to jail.
4.With an initial walkthrough, we also identify some
cameras, gates, entry points, and card reader systems.
5.HID badges that don't require any public/private
handshakes are still vulnerable to clone and bruteforce ID
numbers.
6.Since then, a much more portable version of this device has
been released called Proxmark3 RDV2 Kit.

Scan to Download
Chapter 25 | Quotes From Pages 188-194
1.In terms of some cool tools that we have used in
the past: Lock Picks... Great quality and works
well.
2.Remember, the purpose of these tools and physical
assessments is to track and monitor how a company's
physical security program responds.
3.The LAN Turtle is one of my favorite tools from Hak5...
The main Red Team use is to gain access into the network.
4.To do this, we are going to have to configure a Reverse
VPN connection.
5.In this case, we are going to be using AWS Lightsail. The
other reason to pick certain VPS providers is because of
detection of traffic.
6.Lastly, let's enable forwarding: Go back into the OpenVPN
AS and edit the user lanturtle...
Chapter 26 | Quotes From Pages 196-200
1.If you haven't played around with KonBoot, we
use it all the time on engagements and have had

Scan to Download
 great success.
2.You can easily convert the Packet Squirrel into an
OpenWRT-based DIY disposable pen-test drop box.
3.QuickCreds is an awesome tool that utilizes Responder
attack to capture NTLMv2 Challenge Hashes from locked
and unlocked machines.
4.Gain access to those web applications without ever
knowing a single password.
5.BunnyTap will capture all of the victim's cookies. Now, we
can take these cookies onto our own computers, replace our
cookies with theirs, and become them without ever
knowing their passwords.
Chapter 27 | Quotes From Pages -211
1.I come across pentesters all the time who can't
code and, although it is not a requirement, it
definitely causes a plateau in their professional
growth.
2.Therefore, I wanted to dedicate a section to those who
haven’t really coded in lower-level languages in order to

Scan to Download
 give them a start.
3.This keylogger makes use of the SetWindowsHookEx and
LowLevelKeyboardProc functions.
4.To compile the examples, open up an instance of the
developer command prompt, then navigate to the folder
that contains the source files.
5.The goal of this project is to create a keylogger that utilizes
C and low-level Windows functions to monitor keystrokes.

Scan to Download
Chapter 28 | Quotes From Pages 212-215
1.The ideas are limitless!
2.This would stop the log data from being seen in plain text,
as it currently is, and also prevent more artifacts from
touching disk.
3.Keeping your implants off disk reduces the risk of them
being compromised, allowing your work to be used
multiple times.
4.The purpose of the dropper is to be a use-and-burn piece of
your arsenal, meaning you will have to assume that using it
in its current form will trigger detection in further
campaigns.
5.While this code will give you a solid base to work with,
there are many ways you can improve it yourself.
6.You would want to create your own send and recv
wrappers, which decrypt/encrypt before calling the send
and recv functions.
Chapter 29 | Quotes From Pages 216-219
1.To keep using our favorite tools, while getting

Scan to Download
 around all the common protections?
2.This was just a proof of concept to get you started. As soon
as this book is released, I am sure a signature will be
detected for some of these techniques.
3.You now have a heavily obfuscated Meterpreter binary and
obfuscated transport layer to get around all of the default
protections.
4.There is still much more you can do to better evade
detection tools.
Chapter 30 | Quotes From Pages 220-220
1.SharpShooter takes a lot of the anti-sandboxing
techniques and James Forshaw’s DotNetToJScript
to execute shellcode in Windows scripting formats.
2.SharpShooter supports both staged and stageless payload
execution.
3.When a staged payload is executed, it will attempt to
retrieve a C# source code file that has been zipped and then
base64 encoded using the chosen delivery technique.
4.The .NET CodeDom compiler is used to execute the

Scan to Download
desired method from the source code.

Scan to Download
Chapter 31 | Quotes From Pages 221-222
1.You are now ready to social engineer your victim
into visiting your malicious site!
2.The concept of Application Whitelisting Bypass is to find
default Windows binaries that can execute our payloads.
3.MSBuild is a default application within the .NET
Framework and serves as a platform for building .NET
applications using a project file in XML format.
4.You may want to edit the shellcode.xml file to put in
obfuscated payloads, as the default Meterpreter will most
likely trigger AV.
Chapter 32 | Quotes From Pages 223-223
1.As Red Teamers, getting caught is not the worst
thing that can happen during a campaign.
2.It is when we get caught and the Blue team finds every
domain, IP, and compromised host that was part of the
campaign.
3.There are times, though, when we need to find creative
ways to move within an environment without being easily

Scan to Download
 tracked.
4.Usually, if we have credentials, we try to execute payloads
on a remote system using WMI or PSExec.
Chapter 33 | Quotes From Pages 224-226
1.If it works, that’s good enough for me.
2.One attack that generally has low detection, but high
success rates, is embedding our custom malware inside
executable binaries.
3.Regardless, if you are importing them into memory from
Cobalt Strike, Meterpreter, or PowerShell Empire, it is
important to make sure that we don't get picked up by AV.
4.We need to create more obfuscated transforms.
5.These tricks will only get us so far.

Scan to Download
Chapter 34 | Quotes From Pages 228-229
1.The RunPS function uses the
System.Management.Automation function to
execute a script inside of a PowerShell runspace
without ever starting a PowerShell process.
2.For the next example, let's take Invoke_Mimikatz.ps1 and
obfuscate the PowerShell file: cd /opt/HideMyPS python
hidemyps.py invoke_mimikatz.ps1 [filename.ps1]
3.the creation of these DLLs can be automatically done for
Meterpreter or Cobalt Strike, but it's nice having the
flexibility to run specific PowerShell payloads without ever
calling PowerShell.exe.
4.This was always just a POC tool, but it still works even
after all these years.
Chapter 35 | Quotes From Pages -undefined
1.Always tell Red Teams to get caught on the first
attempt.
2.The real purpose of it is to just learn about their
environment.

Scan to Download
3.With Metasploit, we can efficiently and effectively run our
post-exploitation scripts.
4.Automate many of the repetitive tasks.
5.Cobalt Strike is powerful because of the Aggressor Scripts.
Chapter 36 | Quotes From Pages 234-236
1.I heavily believe that automation of attack is going
to be the future of compromises, and we will need
the ability to test/validate our security controls.
2.Using password lists from real breaches is one of the fastest
ways to crack passwords larger than 12 characters.
3.As a Red Teamer, we regularly track all the accounts we
crack, analyze them, and add them to our lists.
4.A great list to monitor can be found here:
https://inteltechniques.com/OSINT/pastebins.html.

Scan to Download
Chapter 37 | Quotes From Pages 237-240
1.The one rule to rule them all
2.You can create custom password lists using the client
websites.
3.Using the RockYou rule set... takes about 2 minutes and 9
seconds for these NTLM hashes.
4.You know that you will be able to use these accounts in
future campaigns and show your victim company the poor
password practices they utilize.
5.Where do you go from here?
Chapter 38 | Quotes From Pages 241-241
1.As an IT organization, the question we need to ask
ourselves is, if one of our users clicked on that
malware, what would have been the impact?
2.Without a Red Team to validate the processes in advance,
we end up waiting until after our house is burnt to the
ground to know the true answer.
3.We can really prove and validate if security and IT is
working, all within a controlled environment.

Scan to Download
4.Look at other ransomware samples to see what file types
they were encrypting. This could make for a more realistic
campaign.
Chapter 39 | Quotes From Pages 242-242
1.Test, test, and test. The worst thing you could do is
find out the company can't recover critical files
and your decryption process does not work.
2.Many next-gen AVs automatically block ransomware based
on certain actions in a chain.
3.As Red Teamers, we are always looking for unique ways to
try and disable any sort of logging.
4.If you do get command execution through an application
vulnerability or have shell access through an Office file or
PDF, the next steps could be to download and execute your
secondary malware.

Scan to Download
Chapter 40 | Quotes From Pages 243-243
1.Getting from a local administrator account to
System can be done in a variety of ways.
2.Elad Shamir performed extensive research and was able to
figure out how to grab NTLM hashes without ever having
to touch LSASS.
3.CreateProcessFromParent is a way to set its parent PID of
that new process to be owned by System.
4.Interact with NTLM SSP locally to elicit a NetNTLMv1
response to the chosen challenge in the security context of
the impersonated user.

Scan to Download
The Hacker Playbook 3 Questions
View on Bookey Website

Chapter 1 | Notes and Disclaimer| Q&A

1.Question
What is the key balance that a Red Team member should
possess?
Answer:A Red Team member should balance
technical ability with confidence. It's crucial to be
skilled in hacking techniques while also having the
self-assurance to execute social engineering
strategies without succumbing to anxiety.

2.Question
How can someone overcome nervousness in high-pressure
situations?
Answer:To overcome nervousness, one can adopt the mindset
suggested by David Letterman: 'Pretending to not be afraid is
as good as actually not being afraid.' This means adopting a
confident demeanor even when feeling apprehensive,
enabling one to act with assurance.

Scan to Download
3.Question
What should individuals remember before engaging in
hacking activities?
Answer:Individuals must always have written permission
before testing or hacking any systems. Engaging in hacking
without authorization can have severe legal consequences,
even if the intention is merely exploratory.

4.Question
What is the legal and ethical guideline regarding hacking
practices?
Answer:Always ensure you are working within the legal
frameworks; test only on systems with written consent to
avoid crossing the fine line between research and illegal
activity.

5.Question
What resources are recommended for ethical hacking
practice?
Answer:New hackers should explore bug bounty programs
and vulnerable environments designated for learning. Legal
platforms provide opportunities to practice skills safely and

Scan to Download
ethically.

6.Question
Why is confidence considered important in hacking,
particularly in social engineering?
Answer:Confidence enables hackers to approach targets
effectively without hesitation, necessary for successfully
executing social engineering tactics,essential for a Red Team
member's success.”},{
Chapter 2 | Penetration Testing Teams vs Red
Teams| Q&A
1.Question
What important lessons can be learned from previous
breaches, and how can they influence our current security
posture?
Answer:Previous breaches highlight critical
vulnerabilities that were exploited, emphasizing the
need for companies to proactively assess their
security measures. The lessons learned suggest that
even large companies with sophisticated defenses
can still be compromised. As companies implement

Scan to Download
security measures, they should continually evaluate
and evolve their strategies based on historical
breaches, improving their detection and response
capabilities.

2.Question
How do Red Teams differ from traditional penetration
testing teams in their approach and objectives?
Answer:Red Teams simulate real-world attacks by
employing the same tactics, techniques, and procedures
(TTPs) that real adversaries use. Unlike traditional
penetration testing, which follows a structured and
methodical process often announced to the company, Red
Teams operate in a more flexible, unpredictable manner to
identify significant gaps in security programs and the
capabilities of blue teams. Their focus is less on finding
individual vulnerabilities and more on assessing the overall
effectiveness of security measures.

3.Question
What is the significance of Time To Detect (TTD) and
Time To Mitigate (TTM) in security assessments?

Scan to Download
Answer:TTD measures the time from the initial occurrence
of a security incident to when an analyst detects and begins
addressing it, highlighting the responsiveness of the security
team. TTM refers to the time taken to contain and remediate
the incident. Both metrics are crucial in understanding the
effectiveness of an organization's threat detection and
incident response capabilities, offering insights into areas for
improvement.

4.Question
Why is reconnaissance a critical phase in a Red Team
engagement?
Answer:Reconnaissance is essential because it helps to
gather valuable information about the target's environment,
vulnerabilities, and security measures. Effective
reconnaissance allows Red Teams to plan their tactics
accurately, exploit weaknesses efficiently, and simulate
realistic attack scenarios, ultimately enhancing the
effectiveness of the security assessment.

5.Question

Scan to Download
What potential impact could the discovery of a new
habitable planet like KITT-3n have on societal views of
security and exploration?
Answer:The discovery of KITT-3n could reignite interest in
space exploration and raise awareness about the importance
of securing new frontiers. It may prompt discussions on the
security measures required to protect information and
resources on extraterrestrial objects, along with the ethical
implications of colonization and establishing a security
posture in a new environment.

6.Question
How can companies ensure that their security controls
are effective against the evolving landscape of
cybersecurity threats?
Answer:Companies can ensure their security controls are
effective by adopting a proactive approach, including
continuous penetration testing, Red Team assessments, and
adopting best security practices. They should remain
informed about the latest cyber threats, invest in training

Scan to Download
their personnel, and apply lessons learned from previous
attacks to refine their defenses.

7.Question
What role does social engineering play in Red Team
assessments?
Answer:Social engineering is a critical tactic utilized by Red
Teams to test an organization's human element and identify
how susceptible employees are to manipulation. It involves
techniques that could lead to unauthorized access or data
breaches, showcasing the importance of employee training
and awareness in a comprehensive security program.

8.Question
In what ways should companies view the findings of a
Red Team engagement?
Answer:Companies should view the findings of a Red Team
engagement as a roadmap for improvement rather than just a
list of vulnerabilities. The results should be geared toward
addressing gaps in security processes, policies, tools, and
employee skills, ultimately aiming to strengthen the

Scan to Download
organization's overall security posture.

9.Question
How does the engagement timeline differ between
Penetration Tests and Red Teams?
Answer:Penetration Tests are typically brief engagements
lasting 1-2 weeks and are often announced in advance. In
contrast, Red Team engagements can last from 2 weeks up to
6 months and are more flexible, allowing for extended
simulations of real-world attacks and varying tactics.

10.Question
What does successful social engineering within a Red
Team campaign look like?
Answer:Successful social engineering during a Red Team
campaign involves manipulating individuals into divulging
confidential information, accessing secure areas, or installing
malware, all without raising suspicion. Demonstrating this
capability reveals vulnerabilities within the organization’s
human firewall and highlights the need for enhanced training
and awareness.

Scan to Download
Chapter 3 | Setting Up Your Campaign| Q&A
1.Question
What mindset should companies adopt regarding security
breaches?
Answer:Companies should adopt a mindset of
assuming that they have already been breached and
constantly hunt for anomalies instead of relying
solely on check-box security measures.

2.Question
How do Red Team exercises differ from traditional
penetration tests?
Answer:Red Team exercises differ from traditional
penetration tests by focusing on detection and mitigation
rather than just identifying vulnerabilities. They simulate
real-world attacks to assess how well a company can respond
to threats.

3.Question
What is the purpose of an assumed breach exercise?
Answer:The purpose of an assumed breach exercise is to
prepare organizations for the likelihood of a real breach. It

Scan to Download
tests their ability to identify and mitigate secondary and
tertiary threats following an initial compromise.

4.Question
Can you explain the process of executing a payload
during an assumed breach exercise?
Answer:In an assumed breach exercise, Red Teams work
with a limited group within the organization to deploy a
custom malware payload on a server. This payload is
designed to evade common antivirus systems and establish
further connections for data extraction or other malicious
activities.

5.Question
What is a key step in setting up a Red Team campaign?
Answer:A key step in setting up a Red Team campaign is
scoping out the objectives, including understanding the end
goals such as detecting Advanced Persistent Threats (APTs)
or obtaining certain flags.

6.Question
Why is it essential for organizations to continuously hunt
for anomalies?

Scan to Download
Answer:It is essential for organizations to continuously hunt
for anomalies to stay ahead of cyber threats. This proactive
approach helps in identifying potential breaches early and
mitigates the impact of attacks.

7.Question
What role does custom malware play in Assumed Breach
exercises?
Answer:Custom malware plays a crucial role in Assumed
Breach exercises as it is specifically designed to test the
organization's defenses, bypass security measures, and assess
their incident response capabilities.

8.Question
How often should companies conduct assumed breach
exercises?
Answer:Companies should conduct assumed breach
exercises regularly to adapt to evolving threat landscapes and
ensure their security measures remain effective against new
types of attacks.

9.Question
What should be a company's primary focus during a Red

Scan to Download
Team campaign?
Answer:During a Red Team campaign, a company's primary
focus should be on understanding how to detect and respond
to real-world attack scenarios, rather than solely preventing
breaches.

Scan to Download
Chapter 4 | Setting Up Your External Servers| Q&A
1.Question
What are the key considerations when setting up a
penetration testing campaign?
Answer:When setting up a penetration testing
campaign, you should consider the type of data you
aim to collect (e.g., TTD metrics, database data), the
techniques you'll employ (such as those listed in the
MITRE ATT&CK Matrix), the tools you'll use
(COTS tools like Metasploit or custom tools), and
the environment in which you'll operate (utilizing
cost-effective services like Digital Ocean or AWS
Lightsail). It's important to demonstrate to the client
how their defenses performed during the tests.

2.Question
Why is getting caught during a penetration test not
necessarily a bad thing?
Answer:Getting caught during a penetration test showcases
the effectiveness of the client’s defenses, validating their

Scan to Download
security measures or revealing gaps. If attackers are detected
multiple times, it provides insight into the client’s current
incident response capabilities.

3.Question
What are some effective tools or services for setting up
external servers for a penetration test?
Answer:Digital Ocean Droplets and AWS Lightsail are
popular choices for setting up external servers due to their
low cost, ease of use, and flexibility. They allow quick
configuration of necessary tools for a penetration test, such
as Metasploit.

4.Question
How can one ensure efficient setup of penetration testing
tools on a server?
Answer:To ensure an efficient setup of penetration testing
tools, it's recommended to develop scripts for automating the
installation of components like IPTables rules, SSL
certificates, and necessary tools. Leveraging frameworks
such as TrustedSec's The PenTesters Framework (PTF) can

Scan to Download
streamline this process.

5.Question
What should be included in your reporting after a
penetration test?
Answer:Your reporting after a penetration test should capture
metrics such as detection times, success/failure rates, and
specific vulnerabilities identified. Providing clear examples
and highlighting areas where defenses worked versus where
they failed will help clients understand their security posture.

6.Question
What is the benefit of using a VPS provider's services
effectively?
Answer:Using a VPS provider's services effectively allows
for rapid provisioning and scaling of testing environments,
which facilitates quick iterations during tests. It can lead to
better operational efficiency and cost management in running
penetration tests.

7.Question
How can automation improve the penetration testing
process?

Scan to Download
Answer:Automation can improve the penetration testing
process by speeding up repetitive tasks such as server setup,
tool installation, and scripts execution. This efficiency allows
testers to focus more on analysis and execution rather than
administrative tasks.

8.Question
What is the core recommendation for creating a script for
installing penetration testing tools?
Answer:The core recommendation is to create a script that
not only installs each tool but also handles updating and
configuring them appropriately. This approach ensures
consistency and repeatability across different testing
environments.
Chapter 5 | Tools of the Trade| Q&A
1.Question
What are strong IP tables rules and why are they
important for an attacker server?
Answer:Strong IPTables rules help limit where SSH
authentications and attack payloads can originate

Scan to Download
from. This enhances security by ensuring that only
trusted sources can access your server, thereby
reducing the risk of unauthorized access or
compromise, like the 2016 Cobalt Strike RCE
incident.

2.Question
How can Terraform assist in setting up a Red Team
infrastructure?
Answer:Terraform automates the creation of resilient, secure,
and agile infrastructure for Red Teams—making it easier to
replicate environments using modules like Red Baron. This
reduces setup time and enhances the consistency of
deployments, which is crucial for testing the security
postures of customers.

3.Question
What is the primary purpose of a Red Team?
Answer:The purpose of a Red Team is not merely to
compromise systems but to replicate real-world attack
scenarios to evaluate whether a customer can detect and

Scan to Download
respond to attacks effectively within a short timeframe.

4.Question
What role does Metasploit play in Red Team operations?
Answer:Metasploit serves as a foundational tool for
exploiting vulnerabilities and conducting post-exploitation
activities. It allows Red Teamers to simulate attacks by
compromising internal systems and generating payloads for
further attacks, like social engineering efforts.

5.Question
Why is Cobalt Strike favored among Red Team tools?
Answer:Cobalt Strike is favored for its capabilities in
post-exploitation, lateral movement, and maintaining stealth
within networks. It excels at acting after a system
compromise, offering features for hiding and exfiltrating data
without relying on initial exploits.

6.Question
What is the significance of Domain Fronting in Red Team
operations?
Answer:Domain Fronting allows Red Teams to disguise
Command and Control traffic by routing it through reputable

Scan to Download
domains, making it difficult for security systems to detect the
actual malicious intent behind network communications.

7.Question
How can Malleable C2 Profiles be utilized effectively?
Answer:Malleable C2 Profiles help Red Teams manipulate
how their beacons communicate with Command and Control
servers by altering traffic to appear like legitimate requests.
This is crucial for avoiding detection in environments with
stringent network monitoring.

8.Question
What are some best practices for configuring Empire for
Red Team engagements?
Answer:Best practices for configuring Empire include using
trusted SSL certificates, altering default endpoints to avoid
detection, changing User-Agent strings, and using autorun
scripts to streamline attacker workflows and minimize
exposure.

9.Question
How can dnscat2 help in maintaining C2
communications?

Scan to Download
Answer:Dnscat2 creates encrypted Command and Control
channels over DNS, allowing traffic to blend with regular
DNS queries and evade detection mechanisms set by network
defenses.

10.Question
Why is operational security critical for Red Teams?
Answer:Operational security is vital to ensure that Red Team
campaigns are resilient against discovery. If all agents
communicate with limited C2 endpoints, it increases
vulnerability to being dismantled by defensive teams
identifying those singular connections.

11.Question
What is the purpose of obfuscating Meterpreter
payloads?
Answer:Obfuscating Meterpreter payloads is essential to
avoid triggering antivirus and detection systems during social
engineering attacks, ensuring that the payload can be
delivered successfully under the radar.
Chapter 6 | Monitoring an Environment| Q&A

Scan to Download
1.Question
What is the importance of reconnaissance in a Red Team
operation?
Answer:Reconnaissance is critical because it allows
Red Teamers to identify vulnerabilities and gather
intelligence about the target environment, enabling
them to plan effective attacks. It provides insights
into the infrastructure, misconfigurations, and
potential avenues for exploitation.

2.Question
How can monitoring scripts enhance a team's ability to
detect changes in a client's network?
Answer:By setting up monitoring scripts that perform daily
scans and generate diffs of the network's infrastructure, teams
can quickly identify new ports or services that have been
added. This proactive approach helps in adapting to changes
promptly and maintaining an up-to-date understanding of the
potential attack surface.

3.Question
Why is using multiple tools like Nmap and Masscan

Scan to Download
advantageous during reconnaissance?
Answer:Using multiple tools enhances reconnaissance efforts
as it combines the strengths of each tool—Nmap for detailed
scanning and Masscan for speed. This allows teams to gather
comprehensive data more efficiently, improving their
situational awareness.

4.Question
What role does cloud security play in a Red Team's
reconnaissance efforts?
Answer:Cloud security is crucial because misconfigurations
in cloud environments can create significant vulnerabilities.
Understanding how to identify and exploit these
misconfigurations can provide Red Teamers with valuable
attack vectors.

5.Question
How can SSL certificate scanning be beneficial for
cybersecurity?
Answer:Scanning SSL certificates can reveal a wealth of
information about an organization’s internal infrastructure,

Scan to Download
including hostnames and services. This data can be leveraged
to uncover hidden assets that may not be publicly visible,
thus broadening the attack surface for potential exploitation.

6.Question
What should you do if you discover dangling CNAME
records during reconnaissance?
Answer:If you find dangling CNAME records, it indicates
potential subdomain takeover vulnerabilities. You can use
tools like tko-subs to verify these vulnerabilities and possibly
take over the subdomain if the target has not correctly
configured their DNS.

7.Question
How can subdomain discovery aid in attack planning?
Answer:Identifying subdomains is vital as they can reveal the
existence of different services, applications, or environments
within a target's infrastructure that may have varying security
postures, thus guiding specific attack strategies.

8.Question
What is a practical application for using GitHub during a
penetration test?

Scan to Download
Answer:GitHub can be a source for sensitive information
such as API keys, passwords, and internal documentation. By
analyzing public repositories, testers can uncover
misconfigured repositories or sensitive files that could lead to
vulnerabilities.

9.Question
Why is it important to monitor for past breaches in
relation to email collection?
Answer:Monitoring past breaches helps security
professionals compile lists of email addresses and associated
credentials that could be targeted in social engineering or
phishing attacks. This data can aid in building a
comprehensive understanding of the attack surface focused
on client vulnerabilities.

10.Question
What advantages does passive reconnaissance provide in
a Red Team operation?
Answer:Passive reconnaissance allows attackers to gather
intelligence without alerting the target, thereby reducing the

Scan to Download
risk of detection while collecting useful information that can
inform future active engagement strategies.

Scan to Download
Chapter 7 | Bug Bounty Programs:| Q&A
1.Question
What has been the trend in web application security
attacks over the years?
Answer:Over the years, web application security
attacks have shown a cyclical pattern, shifting to
different layers of the OSI model roughly every
other year. Initially focused on SQL injection and
remote file inclusion attacks in the early 2000s, as
organizations hardened their defenses, attackers
shifted their focus to social engineering tactics,
particularly phishing. Currently, attackers are
turning back to application level vulnerabilities,
influenced by increased application complexity and
the extensive use of APIs.

2.Question
Why is real-life experience important for bug hunting?
Answer:Real-life experience is crucial in bug hunting
because theoretical knowledge and training labs alone are not

Scan to Download
sufficient for skill development. Engaging with live systems
provides practical challenges that enhance learning and
sharpen the 'sixth sense' needed to identify vulnerabilities
effectively. This hands-on experience allows hunters to apply
their knowledge in realistic scenarios, significantly
improving their ability to discover and exploit bugs.

3.Question
What are bug bounty programs and how do they help
aspiring security professionals?
Answer:Bug bounty programs are platforms where
organizations reward ethical hackers for finding and
reporting security vulnerabilities in their systems. They
provide aspiring security professionals with the opportunity
to gain practical experience, learn from real-world
applications, and potentially earn financial compensation.
These programs serve as a bridge between theoretical
training and actual cybersecurity practice, encouraging
continuous learning and development.

4.Question

Scan to Download
How important is understanding the scope of a bug
bounty program?
Answer:Understanding the scope of a bug bounty program is
essential because it dictates what can and cannot be tested.
Each program has specific guidelines regarding eligible
domains, types of vulnerabilities, and testing methodologies,
which ensure the security process is controlled and effective.
Failing to adhere to these guidelines can lead to
disqualification or even legal repercussions, making
adherence critical for successful participation.

5.Question
What are some strategies to get started with bug hunting
on bounty programs?
Answer:To start bug hunting on bounty programs, it's
effective to begin with no-reward programs or older, larger
programs that might not attract seasoned hunters, providing a
less competitive environment to learn. Dedicate a few hours
each day to practice, stay updated with the community, and
focus on refining your skills to develop the intuition needed

Scan to Download
for finding bugs.

6.Question
What should be included in a vulnerability report to a
company?
Answer:A vulnerability report should include detailed
information about the discovered vulnerability, such as its
type, severity, and criticality. Detailed steps taken to exploit
the vulnerability, including screenshots and, if possible, a
working proof of concept, should also be part of the report.
Providing comprehensive information is vital for the
company to understand the risk and to address the
vulnerability effectively.
Chapter 8 | Web Attacks Introduction - Cyber Space
Kittens| Q&A
1.Question
What should researchers keep in mind when validating
vulnerabilities for bug bounty programs?
Answer:Researchers must exercise caution and
adhere to the scope of the bug bounty program.
They should avoid actions that could lead to illegal

Scan to Download
activities, such as dumping entire databases or
defacing pages. If something feels illegal, it likely is;
therefore, always use good judgment and respect the
outlined boundaries of ethical hacking.

2.Question
How can one identify potential vulnerabilities in web
applications?
Answer:After conducting reconnaissance, if standard
exploitable servers or misconfigured applications are not
present, you can rely on your intuition to explore other areas,
such as Customer Support Systems. If something feels off,
it's worth investigating further.

3.Question
What is the significance of understanding OWASP Top 10
for those entering the penetration testing field?
Answer:Knowledge of the OWASP Top 10 is essential for
aspiring penetration testers as it outlines the most critical
web application security risks. Understanding these
vulnerabilities and being able to explain them with examples

Scan to Download
of their risks and how to detect them can significantly
enhance one’s employability in the security field.

4.Question
Why is Node.js important for penetration testing?
Answer:Node.js is increasingly popular and widely used in
the development of web applications. As a penetration tester,
understanding Node.js helps you recognize the security
implications of running JavaScript on the backend. Many
vulnerabilities could arise due to weak NPM credentials or
dependency chains within the Node.js ecosystem.

5.Question
What are some resources for learning about web
application testing?
Answer:Useful resources include the Open Web Application
Security Project (OWASP), which provides educational
materials and lists of vulnerabilities. Additionally, various
checklists and testing guidelines are available online to guide
penetration testers in identifying and exploiting
vulnerabilities.

Scan to Download
6.Question
What practical steps can one take to engage in web
application exploitation activities?
Answer:To engage in web application exploitation, you can
set up a local test environment using a custom virtual
machine. Instructions for setting up vulnerable applications
and performing specific attacks are often provided in
supporting materials such as lab command lists.

7.Question
How should one approach a penetration testing job
application?
Answer:When applying for penetration testing roles, it is
critical to demonstrate a solid understanding of web
application vulnerabilities, alongside practical experience.
Being able to precisely articulate what you know about the
OWASP Top 10, supplemented with real-world examples,
can significantly strengthen your application.
Chapter 9 | Cyber Space Kittens: Chat Support
Systems| Q&A
1.Question

Scan to Download
What is Express and how does it aid in web application
development?
Answer:Express is a minimalistic web framework
for Node.js that simplifies the creation of web and
mobile applications by providing a robust set of
features without requiring extensive coding efforts.
It allows the integration of middlewares for
functionalities such as authentication and payment
processing.

2.Question
How can one discover vulnerabilities in an application
like the Cyber Space Kittens chat support system?
Answer:To discover vulnerabilities, one can use tools like
Wappalyzer and BuiltWith to analyze the underlying
technologies used by the application. Additionally, running
vulnerability and web application scanners can help identify
weaknesses, although manual exploration for coding issues,
misconfigurations, and logic flaws may be necessary when
automated tools yield no results.

Scan to Download
3.Question
What are some essential tools for web application
penetration testing?
Answer:Some essential tools include Burp Suite (commercial
but highly effective), OWASP ZAP (open-source
replacement for Burp), Wappalyzer (detects technologies
used), BuiltWith (provides technology profile for websites),
and Retire.js (detects vulnerable JavaScript libraries).
Different browsers like Firefox and Chrome are also
important for testing as they behave differently with respect
to security features.

4.Question
What is Cross-Site Scripting (XSS) and what are some
methods to exploit it effectively?
Answer:XSS attacks involve injecting malicious scripts into
web pages viewed by other users, which can lead to
unauthorized actions such as cookie theft or redirection to
malicious sites. Effective methods include crafting various
XSS payloads, utilizing obfuscated scripts, and employing

Scan to Download
Polyglot techniques to bypass filters and execute harmful
code.

5.Question
How can one transition from identifying an XSS
vulnerability to executing code on a server?
Answer:One common method is to exploit a user-to-admin
XSS vulnerability in a Content Management System (CMS)
to gain administrative access. This can lead to the ability to
execute shell commands or execute payloads that grab
sensitive information from the server.

6.Question
What constitutes a NoSQL injection and how can it be
exploited in a web application?
Answer:NoSQL injections occur when untrusted data is
incorrectly processed or parsed in queries to NoSQL
databases (like MongoDB). An attacker can manipulate
JSON objects in requests to change the logic of the query,
allowing unauthorized access or data extraction.

7.Question
What are the potential consequences of Server Side

Scan to Download
Request Forgery (SSRF) vulnerabilities?
Answer:SSRF vulnerabilities can expose internal services to
attackers, allowing them to access or manipulate resources
that are only available from the local network, scan internal
networks, read local files, and exploit other services, leading
to serious breaches.

8.Question
How does template injection occur, and why is it a critical
threat in applications using templating engines like Pug?
Answer:Template injection happens when user input is
directly incorporated into templates without proper validation
or encoding, creating opportunities for attackers to execute
unwanted code or commands. In Pug, improper handling of
template strings can lead to serious vulnerabilities.

9.Question
What defines an effective payload for a JavaScript
deserialization attack?
Answer:An effective payload must exploit a vulnerable
library that processes untrusted data unevaluated, enabling an

Scan to Download
attacker to inject malicious JavaScript that can lead to
Remote Code Execution (RCE) on the server. This typically
involves harnessing the power of functions that facilitate
deserialization without proper safety checks.

Scan to Download
Chapter 10 | Finding Credentials from Outside the
Network| Q&A
1.Question
What can we learn from moments of defeat during
penetration testing?
Answer:Defeat during a penetration test is an
opportunity to reflect and reassess strategies. It's
crucial to step back, review reconnaissance notes,
and remember that access to a network may require
creativity and persistent effort.

2.Question
Why is it important to focus on basic plans instead of
complex strategies in Red Team exercises?
Answer:Basic plans often yield effective results because they
rely on fundamental techniques that attackers have
successfully used before. Complex strategies can risk
overcomplicating the approach, while simplicity can lead to
success.

3.Question
How do external services present a target for credential

Scan to Download
harvesting?
Answer:External services like email and collaboration tools
often have less stringent security measures compared to
internal systems, making them prime targets for password
spraying and credential harvesting.

4.Question
What is the concept of 'living off the land' in Red Team
operations?
Answer:'Living off the land' refers to using existing tools and
features within a corporate environment to achieve objectives
without arousing suspicion, maximizing the effectiveness of
attacks while minimizing detection risk.

5.Question
Why is password spraying a preferred method for testing
authentication security?
Answer:Password spraying can avoid account lockouts by
attempting a few common passwords across many accounts,
leveraging the tendency of users to reuse passwords and
targeting vulnerable systems with weak security.

Scan to Download
6.Question
What are some common password patterns that attackers
look for?
Answer:Common patterns include combinations like 'Season
+ Year', 'Local Sports Team + Digits', variants of the
'Company Name', and data from previous breaches, making
them critical for successful credential guessing.

7.Question
What approach should Red Teamers use when they find a
successful password during testing?
Answer:Upon finding a successful password, they should
exploit that access to gather further intelligence, create
persistent footholds in the system, and expand their reach
within the organization.

8.Question
How can rapport and trusted connections be exploited in
social engineering attacks?
Answer:By leveraging established relationships, attackers
can manipulate communication to deliver malware, often
repurposing legitimate email threads to maintain trust and

Scan to Download
reduce suspicion among targets.

9.Question
What is the ultimate objective of Red Team engagements?
Answer:The primary goal of Red Team exercises is to assess
and improve the defenses of the organization by revealing
vulnerabilities and testing the efficacy of detection and
response mechanisms.
Chapter 11 | Moving Through the Network| Q&A
1.Question
Why is it important to move quietly through a network
during Red Team operations?
Answer:Moving quietly in a network minimizes the
risk of detection by real-time monitoring systems.
It’s crucial for maintaining stealth and ensuring that
you can gather as much intelligence as possible
without alerting the defenders.

2.Question
What are the advantages of building your own attack lab
instead of using pre-canned virtual machines?
Answer:Building your own lab allows for a better

Scan to Download
understanding of the environment you are attacking. It helps
in learning the intricacies of each tool, understanding their
limitations, and seeing firsthand how the attacks might work
or fail.

3.Question
What components are recommended for creating a
Windows testing lab for corporate environments?
Answer:An ideal Windows testing lab should include a
Windows 2016 Domain Controller, a web server (IIS on
Windows 2016), and client machines running Windows 10
and Windows 7, configured with adequate system resources
such as 16GB of RAM and a 500GB SSD.

4.Question
How does setting up a Group Policy Object (GPO)
improve the functionality of a lab environment?
Answer:Setting up a GPO allows for centralized management
of multiple settings, such as disabling firewalls and antivirus,
controlling user permissions, and ensuring machines start in
a specific state for testing. This supports a more streamlined

Scan to Download
and effective testing scenario.

5.Question
What should you do after installing and configuring
Active Directory in your lab setup?
Answer:After installing Active Directory, create user
accounts and groups, set up client machines to join the
domain, and ensure at least one user has local administrator
rights by adding them to the local administrators group.

6.Question
What role does automatic logon play in the testing
environment?
Answer:Automatic logon simplifies testing by enabling
machines to log in without manual intervention, providing
quick access to test attack scenarios that may require
credential theft without the delays of manual logins.

7.Question
How can running vulnerability scans be a risk during Red
Team engagements?
Answer:Many modern enterprises have robust systems that
monitor for scans, which can trigger alerts and defensive

Scan to Download
measures. To remain undetected, Red Team members should
rely on stealthy information gathering techniques instead.

8.Question
What tools might a Red Teamer create during their
preparation for a penetration test?
Answer:A Red Teamer might build a password spray tool to
test authentication services across different protocols and
platforms, enhancing their attack capabilities through better
credential gathering.

9.Question
Why might you want to deploy testing from multiple
Virtual Private Servers (VPS)?
Answer:Deploying from multiple VPS can distribute the tests
and make it harder for defenders to associate activities with a
single source, increasing the chances of successful
exploitation without detection.
Chapter 12 | On the Network with No Credentials|
Q&A
1.Question
What motivates hackers to find unconventional ways to

Scan to Download
penetrate networks, and what can this teach us about
creative problem-solving?
Answer:The story illustrates that hackers often
resort to social engineering techniques, like blending
in with employees to gain unauthorized access. This
can inspire anyone to think outside the box when
faced with a challenge. It shows that creative
problem-solving often requires understanding and
manipulating the environment around us, much like
how a hacker uses social cues and technology to
achieve their goal.

2.Question
How does the use of tools like Responder and MultiRelay
illustrate the importance of awareness in cybersecurity?
Answer:These tools highlight how easily attackers can
exploit network vulnerabilities if users are not vigilant. It
serves as a reminder that awareness and understanding of
tools can enhance security practices, emphasizing the need
for continuous education and monitoring within

Scan to Download
organizations to preemptively tackle potential breaches.

3.Question
What role do social interactions play in the tactics
described for gaining unauthorized access?
Answer:Social interactions are critical in the described
hacking tactics, as they allow hackers to establish trust and
gain entry without raising suspicion. This exemplifies how
interpersonal skills can be as valuable as technical skills in
achieving objectives, underscoring the importance of
communication in both professional and cybersecurity
realms.

4.Question
Why is it important to understand adversarial tactics,
such as those demonstrated in the penetration
techniques?
Answer:Understanding these adversarial tactics is crucial for
developing robust defensive systems against them. By
knowing how hackers think and operate, individuals and
organizations can create stronger security protocols,
anticipate potential threats, and better protect sensitive data

Scan to Download
and resources.

5.Question
How can the concepts of credential capturing and replay
attacks illustrate the need for robust authentication
methods?
Answer:These concepts demonstrate how easily credentials
can be intercepted and reused, emphasizing that simple
authentication methods, like NTLM, are often insufficient.
Organizations need to adopt more secure methods like
multi-factor authentication to mitigate the risks of credential
theft and unauthorized access.

6.Question
What does the narrative of sneaking into a building
suggest about the intersection of physical and digital
security?
Answer:The narrative illustrates that physical security and
digital security are closely linked; if an intruder can gain
physical access, they can compromise the network. This
stresses the importance of comprehensive security strategies
that integrate both physical and cybersecurity measures to

Scan to Download
defend against multifaceted attacks.

7.Question
How can the processes of capturing and cracking
credentials reflect on the current state of cybersecurity
defenses?
Answer:The ease with which attackers can capture and crack
credentials sheds light on weaknesses in cybersecurity
defenses. It reflects a pressing need for organizations to
enhance their security measures, including stronger password
policies, regular audits, and awareness training to reduce the
likelihood of successful breaches.

8.Question
What can be learned from the way attackers improvise
when faced with obstacles during a breach attempt?
Answer:Attackers' ability to adapt and improvise underlines
the necessity for resilience and flexibility in problem-solving.
This can teach security professionals the importance of
anticipating possible attack vectors and creating
contingencies to better defend against adaptive threats.

Scan to Download
Chapter 13 | After Compromising Your Initial Host|
Q&A
1.Question
What should be my first step after compromising a host?
Answer:You should assess your environment by
running commands to gather network information,
such as identifying your IP ranges, discovering the
victim's servers, domains, and users.

2.Question
How can I find running services on the compromised
host?
Answer:You can use commands like 'tasklist' to list all
running services and look for anti-virus or other protective
measures that may be active.

3.Question
What are some helpful commands to gather information
post-compromise?
Answer:Helpful commands include 'netstat -anop | findstr
LISTEN' for open ports, 'sysinfo' for system information, and
'wmic qfe get Caption, Description, HotFixID, InstalledOn'

Scan to Download
for system updates.

4.Question
Is there an easier way to manage these commands?
Answer:Yes, you can utilize the 'rtfm.py' Python script,
which compiles many of these commands into a searchable
tool to save time and effort.

5.Question
How can I ensure I always have access to necessary
commands when needed?
Answer:By leveraging tools like 'rtfm.py,' you can keep a
comprehensive list of commands at your fingertips, making it
easier to recall them during a compromise.

6.Question
Why do you emphasize the importance of the initial
information-gathering phase?
Answer:Understanding your immediate environment right
after a compromise is crucial for planning your next moves
effectively; it enables better targeting and minimization of
detection risks.

7.Question

Scan to Download
What does the author suggest about command
memorization?
Answer:The author acknowledges that no one can remember
all the commands, which is why having a tool like 'rtfm.py' is
invaluable.
Chapter 14 | Privilege Escalation| Q&A
1.Question
What is the importance of using PowerShell in network
information gathering during penetration testing?
Answer:PowerShell is a powerful tool that allows
attackers to gain detailed information about the
network and environment quickly and efficiently. By
executing scripts and commands, testers can gather
comprehensive data that informs further
exploitation strategies.

2.Question
How can an unquoted service path lead to privilege
escalation?
Answer:An unquoted service path is a common vulnerability

Scan to Download
where the executable path for a service is not enclosed in
quotes. This means that if a service is configured incorrectly,
an attacker can place malicious executables in paths without
quotes to gain higher privileges when the service restarts.

3.Question
What strategies can be employed to find and exploit
vulnerable service paths on a Windows system?
Answer:To find vulnerable service paths, one can use
commands like 'wmic service' to check service
configurations. Once identified, if the service lacks proper
permissions, an attacker can replace legitimate service
executables with their malicious payloads, leading to
privilege escalation.

4.Question
How do tools like Mimikatz and Mimikittenz transform
the approach to credential harvesting?
Answer:Mimikatz allows attackers to grab plaintext
passwords from memory, which was effective until newer
Windows versions restricted access. Mimikittenz

Scan to Download
innovatively extracts passwords from various browser
processes, allowing credential extraction without needing
administrative access, thus broadening the attack surface.

5.Question
What is the role of the Windows Credential Store in
credential harvesting?
Answer:The Windows Credential Store securely saves user
credentials for various applications and websites. Attackers
can exploit this by running scripts to extract saved passwords
from the store, which they can use without needing admin
privileges. This allows for further exploitation while
maintaining a covert profile.

6.Question
How can one set up a testing lab for privilege escalation
vulnerabilities?
Answer:Using Metasploitable3, a vulnerable framework by
Rapid7, offers a great lab environment. It simulates common
vulnerabilities in a safe setting, allowing penetration testers
to practice exploitation techniques and understand real-world

Scan to Download
application of privilege escalation methods.

7.Question
What factors influence the timing of exploiting discovered
vulnerabilities?
Answer:When a vulnerability is discovered, the timing
becomes crucial as it often corresponds to a limited window
before the vulnerability is patched. Quick identification and
exploitation can lead to maintaining control over the system
until the vulnerability is addressed.

8.Question
What preventive measures can be taken against privilege
escalation attacks?
Answer:Regularly auditing service configurations, ensuring
that executable paths are quoted, maintaining updated
security patches, and using application whitelisting can help
mitigate risks of privilege escalation vulnerabilities.

9.Question
How does understanding the memory structure of an
operating system benefit penetration testing?
Answer:Understanding memory structures helps testers

Scan to Download
identify where sensitive data, like passwords, are stored. This
knowledge allows for more effective exploitation methods,
like accessing plaintext passwords from memory using tools
designed for specific OS architectures.
Chapter 15 | Living Off of the Land in a Windows
Domain Environment| Q&A
1.Question
What is the significance of the reconnaissance phase after
compromising a victim's workstation?
Answer:The reconnaissance phase is crucial as it
allows an attacker to gather reliable information on
servers, workstations, users, and services within an
Active Directory environment without triggering
alarms. By utilizing features such as querying
Service Principal Names (SPNs), attackers can
discover crucial information about services and
users, paving the way for further exploitation.

2.Question
How can querying Active Directory provide valuable
information for an attacker?

Scan to Download
Answer:Querying Active Directory allows attackers to
extract a wide range of information about all service
accounts, their associated permissions, and the relationships
between users and services. This detailed insight is crucial
for identifying vulnerable points of entry and crafting
effective attack paths.

3.Question
What role does PowerView play in gaining information
about users in Active Directory?
Answer:PowerView is a powerful PowerShell tool that
enables attackers to query Active Directory efficiently, even
with minimal permissions. It allows for the acquisition of
detailed information about users, groups, and computers,
streamlining the information-gathering process crucial for
potential exploitation.

4.Question
Why is BloodHound considered a valuable tool in
assessing Active Directory environments for attackers?
Answer:BloodHound employs graph theory to reveal

Scan to Download
complex relationships within Active Directory. This aids
attackers in identifying potential attack paths and uncovering
unintended privileges that could be exploited, thereby
enhancing their strategic decision-making during an attack.

5.Question
What are the benefits of using Kerberoasting for
attacking service accounts?
Answer:Kerberoasting allows attackers to seize service
tickets for specific SPNs. By doing so, they can extract
encrypted service account passwords, which can then be
cracked offline. This method is advantageous as it leverages
weaknesses in Kerberos, enabling attackers to compromise
even services with high privileges.

6.Question
In what scenarios might an attacker be limited in their
ability to scan networks, and how can they still gather
sufficient information?
Answer:An attacker might encounter scenarios where
scanning tools could trigger security alerts. In such cases,
they can leverage Active Directory features, such as querying

Scan to Download
SPNs or using PowerView, to gather critical information
discreetly without raising suspicion.

7.Question
How does the understanding of user roles and their access
privileges enhance an attacker's approach within an
organization?
Answer:By understanding the user roles and access
privileges within an organization, attackers can prioritize
their targets based on the strategic importance of users and
the potential access they could gain. This targeted approach
minimizes risk and maximizes the impact of their attacks.

8.Question
What advanced techniques might attackers use to move
laterally after compromising a workstation?
Answer:Attackers can utilize various techniques such as
PowerShell remoting, WMI, DCOM, and even Classic
methods like PsExec to move laterally within a network.
Each technique provides different levels of stealth and
effectiveness, and attackers choose based on the environment
and risks associated.

Scan to Download
9.Question
What challenges do attackers face when using
BloodHound, and how can they overcome them?
Answer:While BloodHound provides comprehensive
insights, its queries can be loud and detectable on the
network. Attackers can mitigate this by utilizing stealth
options or focusing on specific queries that minimize
interaction with the broader network.

10.Question
How does the concept of tagging in BloodHound enhance
an attacker's ability to visualize their compromises?
Answer:Tagging allows attackers to mark compromised
machines and users in BloodHound, facilitating a clearer
visualization of their attack paths and interconnections. This
improved visibility helps streamline lateral movement and
strategic planning for escalated privileges.

Scan to Download
Chapter 16 | Dumping the Domain Controller
Hashes| Q&A
1.Question
What is the significance of using PowerShell and
Mimikatz in security operations?
Answer:PowerShell and Mimikatz serve as powerful
tools that allow security professionals to extract
sensitive information, such as Kerberos tickets and
NT hashes, from an environment. Their combined
use can efficiently automate the process of gathering
credential information which is crucial for both
offensive and defensive security roles.

2.Question
How does the Volume Shadow Copy Service (VSS)
facilitate the hacker’s techniques?
Answer:The VSS allows attackers to create a snapshot of the
volume where the NTDS.dit file is stored, enabling them to
access and extract sensitive data that would otherwise be
protected against direct access, even for system-level users.

3.Question

Scan to Download
What does DCSync allow an attacker to do differently
than traditional methods?
Answer:DCSync permits an attacker to impersonate a
Domain Controller to request user hashes without the need
for running commands directly on the DC or dropping files,
making it a stealthier option compared to older methods.

4.Question
What are the prerequisites for performing a DCSync
attack?
Answer:To execute a DCSync attack, the attacker must have
proper permissions, typically limited to Domain Admins,
Enterprise Admins, or groups with specific rights like
Replicating Changes. This requirement for permissions
ensures that only authorized personnel can extract sensitive
information.

5.Question
Why is it essential for an attacker to clean tracks after
exploiting a system?
Answer:Cleaning tracks is crucial for an attacker to maintain

Scan to Download
their access and avoid detection. If they leave traces of their
actions, it could lead to prompt remedial actions from
security teams that could prevent future compromises or lead
to their identity being discovered.

6.Question
Explain how NinjaCopy enhances an attacker’s ability to
access critical files like NTDS.dit.
Answer:NinjaCopy specifically allows for the bypassing of
file protections such as DACLs and file locks, enabling
attackers to read critical system files that are typically
inaccessible during standard operations. This tool elevates
the effectiveness of an attack by allowing uninterrupted
access to sensitive data.

7.Question
What is the overarching lesson regarding security
measures highlighted in this chapter?
Answer:The chapter underlines the importance of robust
access controls and monitoring, as even a small breach of
permissions can lead to extensive exploitation capabilities for

Scan to Download
attackers. Effective security requires anticipating such
advanced techniques and implementing strict measures
against unauthorized access.
Chapter 17 | Lateral Movement via RDP over the
VPS| Q&A
1.Question
What is DCSync, and how is it utilized in penetration
testing?
Answer:DCSync is a technique used in Active
Directory to pull NTLM hashes of user accounts,
which can be exploited to perform attacks like
Golden Ticket attacks. In penetration testing,
DCSync is typically used with tools such as
PowerShell Empire to facilitate easier access to
credential harvesting.

2.Question
Why is using VPS for lateral movement sometimes
preferred over traditional methods?
Answer:Using a Virtual Private Server (VPS) for lateral
movement is preferred because traditional methods like WMI

Scan to Download
and PSExec may trigger alerts from modern antivirus
systems, and some organizations log all command prompt
activities. By routing traffic through a VPS, attackers can
conceal their movements and reduce the likelihood of
detection.

3.Question
Describe the process of setting up a local port forwarding
on an attacker’s machine. What advantage does this
technique provide?
Answer:To set up local port forwarding on an attacker’s
machine, you first connect to the VPS via SSH using an SSH
key, specifying a local port (e.g., 3389 for RDP) and
directing traffic to the VPS's localhost port. This allows an
attacker to access services on compromised machines while
obfuscating their connection, effectively disguising their
activities.

4.Question
What role does Meterpreter play in this lateral movement
scenario?
Answer:Meterpreter acts as an advanced multi-purpose

Scan to Download
payload that gives attackers a command interface on the
victim machine. It allows for various post-exploitation tasks,
such as port forwarding, which helps in moving laterally
within a network without raising alarms.

5.Question
Explain how the SSH setup for port forwarding can
enhance the security of an attacker’s connection to
compromised hosts. How does it protect against
detection?
Answer:By using SSH for port forwarding, the attacker
encrypts the traffic between their machine and the VPS,
making it difficult for network monitors to analyze the data
flow. This adds a layer of stealth since the traffic appears as
legitimate SSH connections and can bypass certain security
measures that monitor or log more typical attack patterns.

6.Question
How can an attacker use RDP through this setup? What
does this imply for network security?
Answer:The attacker can use the Microsoft Remote Desktop
Client to connect to their own localhost (127.0.0.1) while

Scan to Download
effectively connecting to a victim's machine by entering the
victim’s credentials. This method suggests that organizations
must monitor unusual RDP access patterns and secure
Remote Desktop protocols to prevent unauthorized access.

7.Question
What are the implications of the ability to perform
Golden Ticket attacks after obtaining the krbtgt NTLM
hash?
Answer:Having the krbtgt NTLM hash allows attackers to
forge Kerberos tickets, which can grant them unauthorized
access to any service within the Active Directory
environment. This represents a major security risk, as
attackers can maintain persistent access and roam freely
across the network without detection.

8.Question
In what scenarios would reverting to basic methods of
lateral movement be necessary?
Answer:Reverting to basic methods of lateral movement
might be necessary when advanced techniques are blocked
by modern antivirus solutions, extensive logging, or when

Scan to Download
attackers need to maintain a low profile to avoid detection
during their operations.
Chapter 18 | Privilege Escalation| Q&A
1.Question
What key features of SSH are useful for pivoting and how
can they be utilized in a compromised environment?
Answer:SSH provides capabilities such as setting up
Dynamic SOCKS Proxy and port forwarding. For
example, using the command 'ssh -D 127.0.0.1:8888
-p 22 <user>@<Target_IP>' creates a dynamic
proxy for tunneling traffic. Similarly, 'ssh
<user>@<Target_IP> -L
127.0.0.1:55555:<Target_to_Pivot_to>:80' allows
traffic for a specific port to be forwarded securely.

2.Question
Why is privilege escalation important in the hacking
process, and what are some common vulnerabilities to
look for?
Answer:Privilege escalation is crucial as it allows an attacker
to gain higher-level access to a system. Common

Scan to Download
vulnerabilities include misconfigured services,
world-writable files, and outdated software. Tools like
LinEnum help identify these weaknesses by providing
detailed system information.

3.Question
How does the DirtyCOW vulnerability work and why is it
significant?
Answer:DirtyCOW is a race condition in the Linux kernel
that allows an unprivileged user to gain write access to
read-only memory mappings. It is significant because it
enables attackers to elevate their privileges to root level,
which is a critical escalation that can lead to full system
control.

4.Question
What precautions should be taken when using the
DirtyCOW vulnerability to avoid system crashes?
Answer:When exploiting DirtyCOW, it's crucial to test on
compatible versions of Linux to prevent kernel panics. This
requires a controlled environment with multiple Linux

Scan to Download
versions to validate that the exploit won't crash the system.

5.Question
What role does experience play in successfully exploiting
vulnerabilities in Linux systems?
Answer:Experience is vital because it enhances one's ability
to identify which vulnerabilities to target and understand the
implications of exploiting them in various environments.
Practice in a lab setup with different configurations helps
validate the effectiveness and safety of the exploits used.

6.Question
What tools are recommended for gathering information
before attempting privilege escalation, and why are they
useful?
Answer:Tools like LinEnum and linux-exploit-suggester are
recommended as they automate the gathering of system
information and identify potential vulnerabilities and missing
patches efficiently. This helps the attacker to have a
comprehensive overview of the target's security posture.

7.Question
What processes should one follow after gaining access to a

Scan to Download
Linux system to identify privilege escalation
opportunities?
Answer:After gaining access, one should first gather system
information about users, services, cron jobs, and software
versions. Then, identify any vulnerabilities or
misconfigurations that can be exploited for privilege
escalation.

8.Question
How does using a lab environment improve the
exploitation process for privilege escalation
vulnerabilities?
Answer:A lab environment allows for safe experimentation
and testing of various exploits on different Linux versions
without risking real systems, enabling hackers to learn and
adapt their techniques without causing damage.

9.Question
What is the significance of performing analysis to
discover missing patches and vulnerabilities using tools
like linux-exploit-suggester?
Answer:Analyzing missing patches and vulnerabilities helps

Scan to Download
in understanding the risk landscape of the target system. It
enables attackers to prioritize which exploits could be
effective and how to tailor their attack strategy based on the
vulnerabilities present.

10.Question
What general strategy should one adopt when searching
for exploits after initial access to a system?
Answer:The strategy should include starting with less
destructive methods to gain higher privileges, such as
probing for misconfigured settings or weak permissions
before resorting to more aggressive exploits that might crash
the system.

Scan to Download
Chapter 19 | Linux Lateral Movement Lab| Q&A
1.Question
What do you need to successfully pivot in a secure
network environment?
Answer:You need to set up a virtual environment
using static virtual machines and configure their
networking correctly to access the secure network.

2.Question
What is the significance of reconnaissance in lateral
movement?
Answer:Reconnaissance allows you to understand the
network structure, identify accessible systems, and plan your
attack effectively.

3.Question
Why do we use nmap scans initially?
Answer:To identify which systems are up and running within
the secure network and determine potential attack vectors.

4.Question
What challenge does the CSK environment present for
lateral movement?

Scan to Download
Answer:The presence of multiple segmented VLANs means
that careful pivoting between systems is required to access
sensitive areas like the vault database.

5.Question
What is the purpose of using a DNS C2 payload with
dnscat2?
Answer:To bypass restrictions on network traffic by
communicating over UDP instead of TCP, which may be
monitored more strictly.

6.Question
How do you escalate privileges after compromising a
server?
Answer:By identifying and exploiting vulnerabilities like
DirtyCOW that allow privilege escalation, thereby gaining
root access to the system.

7.Question
What kind of secrets might you uncover while pillaging a
compromised server?
Answer:You might find SSH keys, database credentials, or
backup files containing sensitive information.

Scan to Download
8.Question
Why is it important to play around on these systems even
after initial compromises?
Answer:Exploring further can reveal more vulnerabilities,
sensitive files, and methods of enhancing your access within
the network.

9.Question
How can Jenkins be useful for lateral movement within
the network?
Answer:Jenkins may store sensitive credentials that can be
extracted and used to access other parts of the network.

10.Question
What does the ability to successfully compromise the
Cyber Space Kittens network symbolize?
Answer:It symbolizes the conclusion of a complex
penetration testing exercise, showcasing skills in
exploitation, privilege escalation, and lateral movement
within a controlled environment.

11.Question
Why is the understanding of networking and system

Scan to Download
configurations crucial before initiating your attack?
Answer:It's essential to know how to navigate through
firewalls, proxies, and segmentation in order to identify the
best attack paths.

12.Question
What does the author mean by "living off the land" in a
Linux environment?
Answer:It refers to utilizing existing system tools and
vulnerabilities within the target environment to execute
attacks rather than installing external malware.
Chapter 20 | Building Your Social Engineering (SE)
Campaigns| Q&A
1.Question
Why is social engineering considered a low skillset attack,
yet can be highly effective?
Answer:Social engineering exploits human
psychology and trust rather than technical skills. It
can be designed inexpensively with tools like fake
domains and convincing emails, making it accessible
to even less technically skilled attackers. For

Scan to Download
instance, registering a domain similar to a
company’s legitimate domain and crafting an email
that appears authentic can trick employees into
revealing credentials, demonstrating that
understanding human behavior is key to success.

2.Question
What are some techniques to execute a successful social
engineering attack?
Answer:Techniques include using Doppelganger Domains,
which involve purchasing similar domains to deceive users,
and tools like the Social Engineering Toolkit (SET) to clone
login pages. Effective campaigns might also involve utilizing
social engineering competitions to practice and refine these
techniques, emphasizing creativity in deception with the end
goal of acquiring sensitive information.

3.Question
How does the Social Engineering Toolkit (SET) assist in
social engineering campaigns?
Answer:SET allows attackers to quickly generate cloned

Scan to Download
authentication pages and automate credential harvesting. By
modifying configurations to suit Apache servers, users can
leverage SET to create seamless phishing experiences,
significantly enhancing the effectiveness of social
engineering campaigns without extensive technical
intervention.

4.Question
What role does two-factor authentication (2FA) play in
social engineering, and how do attackers circumvent it?
Answer:2FA adds a layer of security that complicates
credential theft, but attackers have adapted by using tools
like ReelPhish to automate the 2FA trigger once credentials
are entered on a phishing site. By cloning sites that require
2FA, attackers can exploit weaknesses in the authentication
process, allowing them to bypass the additional security
measure and gain access to sensitive information.

5.Question
How can companies benefit from running social
engineering campaigns?

Scan to Download
Answer:By hiring red teams to conduct social engineering
attacks, companies can identify vulnerabilities in employee
awareness and reinforce training on spotting phishing
attempts. This proactive approach can significantly raise
internal security awareness and help organizations shape
effective training programs targeted at preventing real
attacks.

6.Question
What can be learned from social engineering
competitions like DEF CON?
Answer:Competitions teach participants how to effectively
extract sensitive information through deception within a
limited time frame. They provide a practical environment to
develop skills in social engineering, highlighting innovative
strategies, the psychology behind trust, and effective
communication to achieve objectives, which can be
invaluable for improving overall security awareness in
organizations.

7.Question

Scan to Download
Why is it important to secure credentials, particularly
when bypassing 2FA?
Answer:When bypassing 2FA, attackers may gain access to
sensitive systems without raising initial alarms. Thus,
securing collected credentials with techniques like encryption
ensures that even if attackers compromise the server, the
passwords remain protected and inaccessible without the
appropriate private keys. This layer of security is critical in
maintaining the integrity of sensitive information.

8.Question
How should organizations approach the issue of
bypassing security measures like 2FA?
Answer:Organizations should conduct thorough security
assessments to understand all endpoints where sensitive data
is accessible. Recognizing that some applications may not
enforce 2FA for older clients or APIs can reveal gaps.
Continuous monitoring, security training, and adopting
advanced authentication methods can help protect against
social engineering tactics that exploit these weaknesses.

Scan to Download
Chapter 21 | Phishing| Q&A
1.Question
What is phishing and how does it manipulate individuals?
Answer:Phishing is a technique that exploits human
emotions such as fear and urgency to trick
individuals into providing sensitive information or
downloading malicious software. Attackers often
craft emails that create a sense of immediacy or
offer something that seems too good to be true,
compelling the victim to act quickly without
thinking critically about the request.

2.Question
How can companies assess their vulnerability to phishing
attacks?
Answer:Red Teams can continuously monitor the frequency
and quality of phishing attacks that employees report.
Tracking these metrics helps determine whether employees
are becoming smarter about recognizing phishing attempts
and enhances a company's overall security posture.

Scan to Download
3.Question
What tools are recommended for automating phishing
campaigns?
Answer:Recommended tools for automated phishing
campaigns include Gophish for easy setup and tracking of
campaigns, Phishing Frenzy for Ruby enthusiasts, and King
Phisher for Python users. These tools aid in creating realistic
phishing scenarios and tracking engagement.

4.Question
What strategies should be employed for targeted phishing
campaigns?
Answer:For targeted campaigns, reconnaissance is crucial.
Gather information about the target's email system, recent
corporate events, and personal details of executives. This
information can be used to craft highly believable phishing
scenarios that can increase success rates.

5.Question
What makes Microsoft Office files effective for delivering
malicious payloads?
Answer:Microsoft Office files can execute Visual Basic for

Scan to Download
Applications (VBA) code by default, allowing attackers to
embed and execute malicious payloads when the victim
opens these documents. Despite defense mechanisms, these
methods often succeed due to user trust in Office files.

6.Question
Can you describe a method to execute code without
relying on macros in Microsoft Word?
Answer:Yes, by using Dynamic Data Exchange (DDE),
attackers can execute code without macros. They can exploit
DDEExecute in Word, allowing them to trigger executable
commands seamlessly as users interact with what appears to
be harmless documents.

7.Question
What are 'hidden encrypted payloads' and their purpose
in phishing?
Answer:Hidden encrypted payloads are methods used to
disguise malicious files within benign-looking formats like
HTML. Tools like EmbedInHTML and Demiguise allow
attackers to embed encrypted files into other documents,

Scan to Download
evading detection by security measures and tricking users
into executing the payloads.

8.Question
How do social engineering tactics play a role in the
success of these attacks?
Answer:Social engineering is crucial as it manipulates
individuals into making errors in judgment during high-stress
or urgent situations. By creating believable scenarios or
emotional triggers, attackers enhance the likelihood that
victims will overlook warning signs and take actions
detrimental to their security.

9.Question
How can organizations protect themselves against these
phishing strategies?
Answer:Organizations should conduct regular training on
recognizing phishing attempts, implement advanced email
filtering solutions, and foster a culture of skepticism where
employees feel comfortable reporting suspicious emails.
Additionally, continuous testing and assessment through Red

Scan to Download
Team exercises can help simulate phishing attacks and
identify vulnerabilities.

Scan to Download
Chapter 22 | Exploiting Internal Jenkins with Social
Engineering| Q&A
1.Question
What does creativity bring to Red Teaming in
cybersecurity?
Answer:Creativity in Red Teaming allows
professionals to take existing exploits and adapt
them in innovative ways, making traditional
vulnerabilities relevant again. This approach is
crucial for keeping tactics fresh and effective against
evolving defenses.

2.Question
How significant is Jenkins in the software development
lifecycle for companies?
Answer:Jenkins is heavily utilized across various companies
as a continuous integration tool, making it a critical part of
many development environments. Its widespread use poses a
significant vulnerability if not properly secured.

3.Question
What is the main challenge when attempting to exploit

Scan to Download
Jenkins from outside its network?
Answer:The main challenge is that external attackers cannot
access Jenkins instances that are hosted internally. Therefore,
exploiting them requires clever tactics, like using social
engineering to trick an insider into inadvertently facilitating
the attack.

4.Question
Why is understanding internal network configurations
important for exploiting Jenkins?
Answer:Knowing a victim's internal IP enables the attacker
to deduce the corporate IP ranges, which allows them to
target local Jenkins servers effectively, maximizing the
chance of a successful exploit.

5.Question
What role does WebRTC play in the described exploit
strategy?
Answer:WebRTC exploits a feature in browsers that reveals
the internal IP addresses of users. This information is crucial
for attackers to craft targeted exploits against the local

Scan to Download
network infrastructure.

6.Question
What are the benefits of using a tool like
'generateJenkinsExploit.py'?
Answer:This tool automates the process of preparing exploit
payloads by encrypting binaries and generating the necessary
JavaScript for the attack, increasing efficiency and the
likelihood of a successful execution.

7.Question
What lessons can be learned from the vulnerability of
Jenkins prior to version 2.x?
Answer:The Jenkins vulnerabilities highlight the importance
of default security configurations. Ensuring that CSRF
protection is enabled and proper authentication is enforced
can significantly reduce the risk of exploitation.

8.Question
What are the steps to recreate a Jenkins exploitation lab?
Answer:1. Set up a Windows VM with a bridged network
interface. 2. Install JAVA JDK8. 3. Download and install
Jenkins (specific version). 4. Test the Groovy Script Console.

Scan to Download
5. Prepare the exploit tool and create a Meterpreter payload.

9.Question
How does social engineering fit into the context of the
Jenkins exploitation method?
Answer:Social engineering is essential because it initiates the
attack. By tricking a user into visiting a malicious webpage,
attackers can bridge the gap between external access and
internal network vulnerability.

10.Question
What is the significance of deploying secure coding
practices to prevent Jenkins exploitation?
Answer:Implementing secure coding practices and ensuring
regular updates can protect internal systems like Jenkins
from becoming easy targets for attackers leveraging known
vulnerabilities.
Chapter 23 | Conclusion| Q&A
1.Question
What is the impact of visiting a malicious web page on a
corporate network?
Answer:When a user visits a malicious webpage, it

Scan to Download
may trigger the browser to scan the local network
for Jenkins servers over port 8080. If any are found,
the browser sends a request for those servers to
download a malicious payload, which can lead to
unauthorized code execution and potentially
compromise the entire network.

2.Question
How can I leverage the concept of social engineering in
my security strategy?
Answer:To effectively use social engineering in your security
strategy, focus on understanding and exploiting human
vulnerabilities such as fear, urgency, and trust. Craft
campaigns that manipulate these emotions to increase the
likelihood of successful compromises, while simultaneously
educating users to recognize these tactics.

3.Question
What shift in approach is recommended for handling
phishing and social engineering attacks?
Answer:The recommended shift is from a reactive approach,

Scan to Download
where organizations wait for users to report phishing and
social engineering attempts, to a proactive approach. This
involves actively searching for signs of these malicious
attacks and reinforcing defenses before they result in
significant breaches.

4.Question
What should be the focus of attackers targeting internal
applications?
Answer:Attackers should identify and understand the specific
applications that the target organization uses internally. By
knowing which applications allow unauthorized code
execution through GET or POST HTTP methods, they can
craft tailored exploits that effectively compromise the
systems.

5.Question
Why is the human factor crucial in cybersecurity attacks?
Answer:The human factor is crucial because it represents the
weakest link in an organization's security posture. Attackers
often rely on human psychology—using tactics that invoke

Scan to Download
fear, urgency, and trust—to manipulate individuals into
making mistakes or revealing sensitive information.

6.Question
What are the potential consequences of a successful
exploit on a Jenkins server?
Answer:A successful exploit on a Jenkins server can lead to
the execution of malicious code, resulting in unauthorized
access to potentially sensitive data, installation of backdoors,
and further lateral movement within the organization's
network, significantly increasing the risk of data breaches.

7.Question
In what ways can deception tactics be employed in social
engineering?
Answer:Deception tactics in social engineering can involve
creating fake urgency (e.g., 'Your account will be locked if
you don't act now'), impersonating trusted figures (e.g., IT
support requesting password verification), or spreading
misinformation to create a false sense of safety, encouraging
targets to let their guard down.

Scan to Download
Chapter 24 | Card Reader Cloners| Q&A
1.Question
What is the importance of consulting with local laws
before a physical security assessment?
Answer:It is crucial to consult local laws as certain
actions, such as carrying lock picks or engaging in
unauthorized entry, can be illegal in some
jurisdictions. This helps prevent legal issues and
potential jail time, allowing the assessment to be
conducted within legal boundaries.

2.Question
How can team coordination improve the success of a
physical assessment?
Answer:Coordinating with the physical security team
beforehand helps establish protocols for what to do if caught,
including whether to run or stop. This teamwork ensures
everyone is on the same page and enhances safety during the
assessment.

3.Question
What steps should be taken to prepare for engaging with

Scan to Download
a facility’s security?
Answer:Before an engagement, discuss potential scenarios
with the facility's security, have a clear plan for actions if
detected, and ensure that you have signoff permissions to
avoid misunderstandings with law enforcement.

4.Question
Why is it important to identify multiple entry points and
security measures during reconnaissance?
Answer:Identifying multiple entry points and security
measures is vital for planning a successful assessment. It
helps in determining vulnerabilities and strategizing the
approach to minimize detection.

5.Question
What innovations have been made in card reader cloning
technology since THP2?
Answer:Since THP2, a new portable version of the
Proxmark3 device, called Proxmark3 RDV2 Kit, has been
released. This new device is battery-operated and smaller,
making it more convenient for use in the field for cloning

Scan to Download
tasks.

6.Question
How do vulnerabilities in HID badges present
opportunities for hackers?
Answer:HID badges that do not require public/private
handshakes are vulnerable to cloning and brute-force attacks,
allowing hackers to potentially gain unauthorized access to
restricted areas.

7.Question
What is the significance of ensuring guards do not contact
local law enforcement during an assessment?
Answer:Ensuring that guards do not contact local law
enforcement is critical to avoiding legal complications during
an assessment. If law enforcement gets involved, it could
lead to arrest or interruption of the assessment process.

8.Question
In the context of a physical security assessment, what
lessons can be drawn from previous experiences
recounted in THP2?
Answer:Previous experiences from THP2 offer valuable

Scan to Download
insights into techniques like card cloning and the importance
of choosing unprotected badges, emphasizing the need for
understanding vulnerabilities in security systems to exploit
them effectively.

Scan to Download
Chapter 25 | Physical Tools to Bypass Access Points|
Q&A
1.Question
What is the significance of understanding RFID systems
in security assessments?
Answer:Understanding RFID systems, such as the
various card types like HID iClass and MIFARE
Classic, allows security professionals to identify
potential vulnerabilities in physical access control
systems. This knowledge forms a foundational part
of physical security assessments, enabling
practitioners to exploit weaknesses in RFID
implementations.

2.Question
How do practical skills improve security assessments?
Answer:Practical skills, like using physical tools such as lock
picks or gate bypass devices, enhance the effectiveness of
security assessments. By engaging in hands-on practice and
building physical labs, security professionals can better
understand how to assess and improve a company's physical

Scan to Download
security systems.

3.Question
What tools can be used to bypass physical security
measures?
Answer:Tools such as lock picks from SouthOrd, gate bypass
devices, shove-it tools, and Under the Door tools can be
effective in bypassing physical security measures. These
tools demonstrate the potential weaknesses present in
traditional locking mechanisms and highlight the need for
better security design.

4.Question
What is the purpose of documenting flaws in physical
security during assessments?
Answer:Documenting flaws in physical security systems is
essential for understanding how an organization's security
program responds to breaches. It assists in evaluating
incident response times and helps organizations improve
their security measures based on observed vulnerabilities.

5.Question
Why is the LAN Turtle a valuable tool for security

Scan to Download
professionals?
Answer:The LAN Turtle is valuable because it facilitates
covert access into a network, enabling penetration testers to
establish a secure connection and perform deeper analysis
and scans. Its ability to function as a reverse VPN client
enhances its utility in practical security assessments.

6.Question
What steps are involved in setting up a VPN for
penetration testing with a LAN Turtle?
Answer:To set up a VPN with a LAN Turtle, you begin by
configuring an OpenVPN server, setting up the LAN Turtle
to connect to this VPN, and then ensuring the attacker
machine can route traffic through the LAN Turtle. This setup
allows the tester to be discreet while performing in-depth
testing on the internal network.

7.Question
How does using a VPS for VPN hosting enhance
penetration testing?
Answer:Using a VPS for VPN hosting enhances penetration

Scan to Download
testing by providing a reliable and robust infrastructure that
can be difficult to trace back to the attacker. Services like
AWS Lightsail offer convenience and anonymity within the
network traffic, making it easier to blend in.

8.Question
How can security professionals ensure their tools remain
undetected while performing assessments?
Answer:Security professionals can ensure their tools remain
undetected by modifying identifiers such as MAC addresses
to resemble ordinary devices, and by using
legitimate-looking network traffic patterns, thus reducing the
chance of detection during assessments.

9.Question
What practical implications does configuring firewall
rules have on a penetration test?
Answer:Configuring firewall rules on a LAN Turtle ensures
that the necessary traffic can flow between the testing
equipment and the target environment, allowing for effective
reconnaissance without triggering security alarms.

Scan to Download
10.Question
In what ways can documented assessments lead to
improved security protocols?
Answer:Documented assessments can reveal vulnerabilities
that inform organizational security improvements.
Recommendations based on these assessments guide the
implementation of stronger security protocols and help to
cultivate a culture of security awareness within the
organization.
Chapter 26 | Bash Bunny| Q&A
1.Question
What is the purpose of the Packet Squirrel in the hacking
context?
Answer:The Packet Squirrel serves as a device for
establishing Reverse VPN connections back into a
company network. It allows the user to maintain
access to internal resources even when external
access is limited, acting as a covert method for
pen-testing.

Scan to Download
2.Question
How does the Bash Bunny enhance the capabilities of Red
Team hackers compared to its predecessor, the Rubber
Ducky?
Answer:The Bash Bunny not only emulates HID style attacks
like the Rubber Ducky but also executes a wider range of
actions, such as running complex scripts, stealing credentials,
conducting phishing attacks, and executing various payloads
to penetrate networks.

3.Question
Why is KonBoot particularly useful in physical
penetration testing scenarios?
Answer:KonBoot allows testers to gain access to systems
without passwords by booting from a USB device to
overwrite local administrative passwords. This is especially
valuable in environments where the computers are not
encrypted.

4.Question
What challenges might a hacker face when using
KonBoot, and how can other tools like the Bash Bunny

Scan to Download
provide solutions?
Answer:Challenges with KonBoot include the inability to
bypass encrypted machines and the requirement to reboot the
target system. The Bash Bunny offers alternative methods to
extract data from locked systems through active network
attacks, rendering it more versatile.

5.Question
Explain the function of QuickCreds in the penetration
testing process.
Answer:QuickCreds utilizes Responder to capture NTLMv2
Challenge Hashes from locked machines, enabling hackers to
potentially crack passwords and gain unauthorized access to
other network resources.

6.Question
How does BunnyTap operate and what are its key
features?
Answer:BunnyTap, based on PoisonTap, emulates an
Ethernet device over USB to hijack all internet traffic from a
locked machine, capturing HTTP cookies from popular sites.

Scan to Download
It facilitates remote access via DNS rebinding and can install
persistent backdoors for long-term exploitation.

7.Question
In a physical assessment, how effective is the combination
of the Bash Bunny and its payloads in retrieving sensitive
information?
Answer:The combination proves highly effective. For
instance, by running BunnyTap and QuickCreds, a hacker
can collect hashed credentials or session cookies without
needing to unlock the machines. This can lead to
unauthorized access without requiring any passwords.

8.Question
What ethical considerations should a hacker keep in mind
while using tools like the Bash Bunny and Packet
Squirrel?
Answer:Hacker activities should always adhere to legal
standards. Use these tools only in authorized environments,
where explicit permission from the organization has been
granted to conduct penetration tests, ensuring that all actions
taken are ethical and do not compromise user data or privacy.

Scan to Download
9.Question
How can understanding tools like the Bash Bunny and
Packet Squirrel contribute to a hacker's overall
effectiveness?
Answer:Mastering these tools equips hackers with advanced
techniques to infiltrate and assess security vulnerabilities
effectively. The ability to adapt and utilize specific payloads
enhances their capability to simulate real-world attacks,
providing valuable insights into systems' weaknesses.
Chapter 27 | The Basics Building a Keylogger| Q&A
1.Question
What is the importance of coding skills for Red Teamers
and Penetration Testers?
Answer:Coding skills are crucial as they enable
professionals to adapt and understand various
protections. A lack of coding knowledge can
significantly impede their growth and effectiveness
in identifying vulnerabilities and deploying custom
tools.

2.Question

Scan to Download
What basic setup is required to write a custom keylogger
in C?
Answer:You need Windows 10 in a virtual machine, Visual
Studio for compilation, and resources like MSDN for
reference on Windows API programming.

3.Question
What functions are primarily used in the custom
keylogger framework discussed in the chapter?
Answer:Functions such as SetWindowsHookEx and
LowLevelKeyboardProc are used to intercept keyboard
events, while CreateFile and GetFileSizeEx manage logging
the keystrokes.

4.Question
How does the callback function in the keylogger process
keystrokes?
Answer:The callback function checks if a key is pressed
down using 'WM_KEYDOWN', processes the virtual key
code, converts it to the appropriate letter, and logs this
information into a text file.

Scan to Download
5.Question
What is a common problem when running the keylogger
program, and how can it be fixed?
Answer:The program spawns a command prompt, making it
easily detectable. This can be resolved by using 'WinMain' as
the entry point, which runs the program in the background
without a visible console.

6.Question
What techniques are recommended for obfuscating
malware to evade antivirus detection?
Answer:Implementing string rotation ciphers, calling
functions via pointers instead of directly, and testing against
live antivirus systems are effective obfuscation methods.

7.Question
Why is testing against live AV systems important for Red
Team tools?
Answer:Testing against live AV systems ensures that the
evasion techniques are effective in real-world scenarios, as
submissions to services like VirusTotal can alert antivirus
vendors.

Scan to Download
8.Question
How can the Custom 2 version of the keylogger evade AV
based on your findings?
Answer:By combining string encryption and function pointer
calls, Version 3 showed improved evasion, achieving no
detections when compiled as a 64-bit payload.

9.Question
What resources are recommended for further learning
about Windows API and network programming in C?
Answer:'The C Programming Language' by Kernighan and
Ritchie, MSDN for Windows API documentation, and Beej's
Guide to Network Programming are highly recommended.

10.Question
What is the significance of low-level programming for
security professionals?
Answer:Low-level programming proficiency enables
professionals to have finer control over system resources,
which is critical for crafting stealthy exploits and
understanding operating system behavior.

Scan to Download
Chapter 28 | THP Custom Droppers| Q&A
1.Question
What innovative strategies can be applied to enhance the
stealth of exploits in cybersecurity?
Answer:One effective strategy involves obfuscating
or encrypting log contents to prevent detection in
plain text formats. Additionally, by converting
executables into DLLs and injecting them into
running processes, it's possible to avoid showing
process information in task managers, making the
exploit more discreet.

2.Question
Why is maintaining a minimal disk footprint important
when executing exploits?
Answer:A minimal disk footprint is crucial as it reduces the
risk of detection and compromise. By keeping implants off
disk, they can be reused in multiple campaigns without
exposing them to potential discovery.

3.Question
What role does string sanitization play in the

Scan to Download
development of malware or exploits?
Answer:String sanitization is essential because debug
messages left in a final release can easily aid an analyst in
reversing the malware. Unique strings can become signatures
for antivirus programs, leading to quicker detection.

4.Question
How can developers ensure effective communication
between the dropper and server during exploit execution?
Answer:By developing a standard communication protocol
that allows new handlers to be registered for different
message types, developers can ensure that commands and
responses are sent and received accurately, facilitating
smoother operations.

5.Question
What are some of the key steps in building a dropper and
server for custom payloads?
Answer:The primary steps include cloning the necessary
repositories, compiling the code, and setting up the server
with designated payload types. Proper configuration of client

Scan to Download
and server settings is also vital to ensure successful
communication.

6.Question
How can encryption be implemented in the transport
layer of exploits?
Answer:To integrate encryption, developers can create
wrapping functions for send and receive operations that
incorporate simple encryption methods like multi-byte XOR
keys before data is transmitted.

7.Question
What elements are crucial when configuring the client
and server settings in a dropper?
Answer:Key configuration elements include specifying the
hostname and port for server communication, managing
packet duration, and optionally altering packet signatures to
enhance security through obfuscation.

8.Question
What future improvements can be made to enhance the
capabilities of a dropper and server?
Answer:Future improvements might involve implementing

Scan to Download
more robust encryption methods, adding functionalities for
additional message types, and continuously updating the
architecture to minimize detection risks.
Chapter 29 | Recompiling Metasploit/Meterpreter to
Bypass AV and Network Detection| Q&A
1.Question
What is the significance of modifying Meterpreter
payloads for evading detection methods?
Answer:Modifying Meterpreter payloads is crucial
for maintaining stealth while performing
penetration testing activities. As antivirus and
intrusion detection systems develop signatures to
catch known patterns, modifying payloads helps in
concealing them from such detection. The primary
goal is to prevent easy identification of payloads,
allowing security professionals to assess
vulnerabilities without raising alarms. For example,
by obfuscating payloads and altering their binary
structure, testers can ensure that their tools remain
effective against modern security measures.

Scan to Download
2.Question
How does the creation of a custom Stage 0 payload
contribute to evading antivirus mechanisms?
Answer:Creating a custom Stage 0 payload enhances the
ability to bypass antivirus detection by mimicking the
download and execution behavior of legitimate applications
without triggering security alerts. This Stage 0 payload
connects back to a handler, receives the Meterpreter payload,
and executes it in memory without relying on discernible
strings or predictable patterns that AV tools commonly
detect. For instance, while traditional Meterpreter stages
might be flagged due to heuristic analysis, a custom payload
can obfuscate its actions and thus remain undetected.

3.Question
What advanced techniques can be employed to further
enhance payload obfuscation beyond simple
modifications?
Answer:To improve payload obfuscation, one can implement
techniques such as utilizing a clang obfuscation toolchain,
which adds complexity to the binary code, or using string

Scan to Download
encryption libraries to protect all string literals within the
payload. These methods reduce the risk of detection by
introducing dynamic behavior, making it harder for static
analysis tools to identify malicious activities. Moreover,
modifying the entry point of Meterpreter and creating
automated scripts for adding nops across various payloads
can also significantly obscure the actual payload actions from
detection tools.

4.Question
Why is it important to stay updated with techniques to
evade detection in penetration testing?
Answer:In cybersecurity, staying updated with evasion
techniques is essential due to the rapidly evolving nature of
security defenses. As antivirus and intrusion detection
systems continue to advance and create new signatures for
known threats, penetration testers must adapt by continually
refining their methods to remain effective. Regularly
updating skills and knowledge about obfuscation techniques
and detection evasion strategies ensures that testers can

Scan to Download
effectively assess security posture without being detected,
thereby providing a more accurate representation of
vulnerabilities.

5.Question
How does modifying existing tools like Metasploit
contribute to effective penetration testing?
Answer:By modifying tools like Metasploit, penetration
testers can tailor functionalities to align with specific testing
scenarios and overcome unique security measures. Such
customizations allow for more effective exploitation of
vulnerabilities while maintaining low observability in
compromised environments. This adaptability leads to
successful engagements, where the insights gained from
testing can be used to strengthen overall security, ultimately
benefiting the organization by highlighting gaps and areas for
improvement in their defenses.
Chapter 30 | SharpShooter| Q&A
1.Question
What is the significance of SharpShooter in Red Teaming
activities?

Scan to Download
Answer:SharpShooter is crucial in Red Teaming
because it provides advanced anti-sandbox
techniques to create payloads that can successfully
evade next-generation antivirus (AV) systems and
sandbox environments. This allows security
professionals to test the effectiveness of an
organization's defenses by simulating sophisticated
attacks.

2.Question
What are staged and stageless payloads in SharpShooter?
Answer:Staged payloads in SharpShooter involve initial
execution that retrieves additional code (C# source code) to
run on the target, enabling more complex attacks. Stageless
payloads execute without this retrieval step, which can lead
to faster execution but may be easier to detect.

3.Question
Why is it important to utilize anti-sandboxing techniques
when creating payloads?
Answer:Utilizing anti-sandboxing techniques is vital because

Scan to Download
many modern security environments use sandboxes to
analyze and detect malicious behavior. By implementing
methods to evade these tools, attackers can ensure their
payloads run without detection, providing a greater chance of
success.

4.Question
Can you provide an example of an anti-sandboxing
technique mentioned in the text?
Answer:One example is 'Check for Sandbox Artifacts,' where
the payload checks for signs that it is running inside a
sandbox, such as specific file structures or registry entries
typically created by these analysis environments.

5.Question
What role does reflection play in the execution of
payloads in SharpShooter?
Answer:Reflection in SharpShooter allows for dynamic
method invocation from the downloaded and compiled C#
source code, facilitating the execution of payloads in a way
that is less detectable by security measures.

Scan to Download
6.Question
In the context of Red Teaming, how do you think the
techniques outlined in SharpShooter connect to the
broader goals of cybersecurity?
Answer:The techniques in SharpShooter highlight a key
aspect of cybersecurity: the continuous cat-and-mouse game
between defenders and attackers. By developing
sophisticated methods to bypass security, Red Teamers not
only test defenses but also help organizations strengthen their
security measures against real-world threats.

7.Question
What does the integration of web delivery techniques in
payload generation suggest about current trends in cyber
attacks?
Answer:The integration of web delivery techniques indicates
a trend towards using HTTP and web technologies to deliver
payloads, making it easier to blend attack methods with
legitimate traffic and reducing the likelihood of detection by
network security systems.

8.Question

Scan to Download
How can understanding tools like SharpShooter empower
security professionals?
Answer:By understanding tools like SharpShooter, security
professionals can better anticipate attacker methodologies,
improve defensive strategies, and effectively simulate attacks
to strengthen organizational security postures.

Scan to Download
Chapter 31 | Application Whitelisting Bypass| Q&A
1.Question
What is the importance of using a template for testing in
malware development?
Answer:Using a template for testing accelerates the
setup process, allowing you to quickly deploy
different scenarios without needing to create
everything from scratch. This approach can also
ensure that established methodologies are followed,
potentially reducing errors in the malware
deployment process.

2.Question
How does the process of moving malicious files to a web
directory contribute to the overall plan of social
engineering a target?
Answer:Moving malicious files to a web directory makes
them accessible via the internet, allowing you to create a
scenario where a victim is tricked into visiting a seemingly
legitimate web page. This is a crucial step in social
engineering, as it directly influences the likelihood of the

Scan to Download
victim executing the malware.

3.Question
What role does MSBuild.exe play in bypassing
application whitelisting?
Answer:MSBuild.exe serves as a legitimate software tool
within Windows that allows for the execution of XML
project files. By exploiting this tool, attackers can run their
own malicious payloads without triggering application
whitelisting protections, allowing for covert execution of
malware.

4.Question
What is the process for creating a malicious XML file
using GreatSCT, and why is it essential?
Answer:The process involves cloning the GreatSCT
repository and running a Python script to generate a
shellcode.xml file that contains both build information and a
Meterpreter session. This is essential because it allows
attackers to execute their payload in a manner that bypasses
security mechanisms on the victim's machine.

Scan to Download
5.Question
Why is it important for the Meterpreter payload to run in
memory?
Answer:Running the Meterpreter payload in memory is
significant because it avoids leaving traces on the disk, which
could be detected by antivirus software or other security
measures. This stealthy operation increases the chances of
successful exploitation and maintaining access to the victim's
system.

6.Question
How does social engineering play a critical role in
malware deployment, as discussed in this chapter?
Answer:Social engineering is pivotal because it manipulates
victims into taking actions, like visiting a malicious website
or executing a downloaded file. This psychological aspect is
coupled with technical methods to ensure that the malware
can be successfully delivered and executed.

7.Question
What are the potential benefits of modifying the
shellcode.xml file for obfuscation?

Scan to Download
Answer:Modifying the shellcode.xml file for obfuscation
helps in disguising the payload, making it less recognizable
to security software. This increases the chances of bypassing
antivirus detection, thereby ensuring that the payload can
execute without interruption.

8.Question
What is the chain of actions from creating malware to
executing it on a victim’s machine?
Answer:The chain begins with developing the malware using
a custom or predefined template, followed by moving the
malicious files to a web directory. After setting up the
Meterpreter handler and ensuring the Apache service is
running, the attacker must employ social engineering to
entice the victim into visiting the malicious page, which
initiates the execution of the malware upon interaction.

9.Question
How do the links provided for additional information
enhance the learning experience for malware developers?
Answer:The links serve as valuable resources, providing

Scan to Download
deeper insights into techniques such as payload generation
and Application Whitelisting Bypass. They enable learners to
explore practical examples and implement best practices,
thereby enriching their understanding of malware
development and evasion techniques.
Chapter 32 | Code Caves| Q&A
1.Question
What is the main challenge when performing application
whitelisting bypasses?
Answer:The main challenge is finding creative and
stealthy ways to execute payloads in a system while
avoiding detection by Blue Team defenses, as they
can easily track conventional connection methods
like WMI/PSExec.

2.Question
How can understanding application whitelisting bypass
techniques improve a cybersecurity professional's skills?
Answer:It helps cybersecurity professionals think like
attackers, enabling them to better defend systems by

Scan to Download
anticipating potential bypass methods and strengthening their
security measures against them.

3.Question
What resources can those interested in application
whitelisting bypasses refer to for further study?
Answer:Several resources include the Ultimate AppLocker
Bypass List on GitHub, articles on leveraging REGSRV32
and PowerShell Empire, and techniques for persistence and
evasion such as INF-SCT and DLL Execution via
Excel.Application.

4.Question
What strategy can Red Teamers use for lateral movement
that minimizes detection risk?
Answer:Red Teamers can use creative methods of payload
deployment, such as executing commands in a way that
mimics normal system operations to avoid detection and
tracking by the Blue Team.

5.Question
Why is getting caught during a Red Team campaign not
the worst outcome?

Scan to Download
Answer:Getting caught is not the worst outcome; the worst is
when the Blue Team can trace back and uncover every aspect
of the Red Team's activities, including domains, IP
addresses, and hosts involved in the campaign.

6.Question
What is the ultimate goal for a Red Teamer when
executing an attack?
Answer:The ultimate goal is to successfully compromise a
target while maintaining stealth and avoiding detection,
allowing for continued access and control over the
environment.

7.Question
In what ways can Red Teamers maintain persistence
within a compromised environment?
Answer:They can utilize methods such as creating 'code
caves' or finding alternative execution techniques that blend
in with normal traffic and operations, thereby evading
detection.

8.Question
How do Blue Teams typically identify lateral movements?

Scan to Download
Answer:Blue Teams can identify lateral movements through
unusual activity patterns, particularly by monitoring WMI
and PSExec-style connections that deviate from regular
network traffic.

9.Question
What is the significance of sharing knowledge and
resources for application whitelisting bypasses among
cybersecurity professionals?
Answer:Sharing knowledge allows for a collective
understanding of potential vulnerabilities and methods to
strengthen defenses, ultimately improving the resilience of
systems against evolving threats.

10.Question
Why is creativity important in cybersecurity operations,
especially for Red Teamers?
Answer:Creativity is crucial because it enables Red Teamers
to devise innovative methods for evasion and lateral
movement that are not easily recognized or blocked by
traditional defense mechanisms.

Scan to Download
Chapter 33 | PowerShell Obfuscation| Q&A
1.Question
What is the significance of creativity in executing attacks
according to the text?
Answer:Creativity is crucial in executing attacks as
there is no one-size-fits-all solution. The author
believes that if an approach works, it's valid,
highlighting the importance of experimentation and
adaptability in the hacking process.

2.Question
How can attackers minimize detection when embedding
malicious payloads into executable binaries?
Answer:Attackers can minimize detection by finding code
caves or empty sections within legitimate executable files to
embed their payloads. This technique often goes undetected
because it alters existing software rather than introducing
new files.

3.Question
Why is PowerShell obfuscation necessary for attackers?
Answer:PowerShell obfuscation is necessary to evade

Scan to Download
antivirus detection and make it difficult for forensic teams to
analyze their scripts. By altering or hiding command
parameters, attackers can execute their actions without easily
being caught.

4.Question
What are some of the strategies used to obfuscate
PowerShell command parameters?
Answer:Attackers can use variations in the parameter strings
such as abbreviations or shortened forms. For example,
'-ExecutionPolicy, Bypass' can be modified to '-EP, Bypass'
or even abbreviated in multiple ways without losing
functionality.

5.Question
What are the steps involved in using Invoke-Obfuscation
based on the text?
Answer:The steps involve downloading the
Invoke-Obfuscation tool, loading the PowerShell script,
setting the script to obfuscate, and then executing the
obfuscation process to create a more complex and less

Scan to Download
recognizable command.

6.Question
How does the concept of 'Code Caves' contribute to
successful exploitation?
Answer:'Code Caves' allow attackers to insert their malicious
code into pre-existing software safely. This technique helps
maintain the software's functionality while executing harmful
actions stealthily.

7.Question
What role does encryption play in the obfuscation process
as described?
Answer:Encryption adds a layer of security to the
obfuscation process by transforming commands into
unreadable data unless the correct key is provided. This
prevents immediate detection and analysis during forensics.

8.Question
Can you explain the potential implications of poorly
obfuscated PowerShell scripts for attackers?
Answer:Poorly obfuscated scripts can lead to easy detection
by antivirus programs and forensic teams, which can

Scan to Download
ultimately compromise the success of an attack and expose
the attacker’s methods and intentions.

9.Question
What is the overarching message about the mentality
needed for successful hacking?
Answer:The overarching message is that a flexible and
imaginative mindset is essential for adapting tools and
techniques to bypass defenses effectively while maintaining
stealth during operations.

10.Question
Why is it important for defenders (Blue Teams) to
recognize obfuscation techniques?
Answer:Recognizing obfuscation techniques is crucial for
defenders to improve their detection capabilities and
response strategies, ensuring they can identify and mitigate
threats more effectively.

Scan to Download
Chapter 34 | HideMyPS| Q&A
1.Question
What are some advantages of utilizing tools like
SharpPick and HideMyPS when executing PowerShell
scripts?
Answer:Using tools like SharpPick allows for the
execution of PowerShell scripts without invoking
PowerShell.exe, thus bypassing some traditional AV
protections. HideMyPS, on the other hand,
obfuscates the script to avoid detection by AV
systems by altering function names and breaking up
strings, making it harder for AV to identify
malicious activity.

2.Question
How does the approach of using a Class Library (DLL)
for executing PowerShell payloads enhance flexibility in
penetration testing?
Answer:Creating a Class Library (DLL) allows penetration
testers to drop and execute payloads on a system seamlessly
without needing to leave behind detectable PowerShell

Scan to Download
scripts, providing greater stealth and adaptability in scenarios
where direct execution of PowerShell might be blocked or
monitored.

3.Question
What insights can be drawn from the effectiveness of
obfuscation techniques used in tools like HideMyPS?
Answer:The success of obfuscation techniques highlights the
limitations of traditional AV systems, which often rely on
string matching. By modifying and encrypting script content,
attackers can potentially bypass AV detection, emphasizing
the constant arms race between security measures and
evasion tactics.

4.Question
Why might automated solutions for generating DLLs and
obfuscating scripts be important for security
professionals?
Answer:Automated solutions save time and reduce human
error, enabling security professionals to quickly adapt their
tactics in dynamic environments. This efficiency is crucial in
real-world scenarios where speed and stealth are essential to

Scan to Download
maintain the success of penetration tests or red team
activities.

5.Question
What lessons can be learned from the ongoing battle
between malware evasion techniques and antivirus
detection capabilities?
Answer:The ongoing evolution of evasion techniques, like
the ones described in the chapter, illustrates the necessity for
continuous improvement in security measures. It
demonstrates the importance of proactive defense strategies,
employing advanced threat detection methods, and staying
informed about the latest tactics used by malicious actors.
Chapter 35 | Automation| Q&A
1.Question
What is the main focus of Chapter 35 in 'The Hacker
Playbook 3'?
Answer:The chapter emphasizes different resources
useful for Red Teams and Penetration Testing,
highlighting the automation of attacks and specific
scripts that improve the efficiency of those

Scan to Download
campaigns.

2.Question
Why is automation important in penetration testing and
Red Team operations?
Answer:Automation is crucial as it allows for quicker attacks
that evade advanced detection systems, helping teams to
gather intelligence about the target environment effectively.

3.Question
What strategy is suggested for Red Teams regarding
initial encounters with Blue Teams?
Answer:Red Teams are advised to get caught on the first
attempt using basic malware, as this helps them learn more
about the Blue Team's defenses while not compromising
their overall objectives.

4.Question
Can you explain the utility of Metasploit's
AutoRunScripts in post-exploitation?
Answer:AutoRunScripts allow Red Teams to automate
various post-exploitation tasks by specifying scripts that run
automatically when a Meterpreter shell is established,

Scan to Download
thereby streamlining the process of reconnaissance and
lateral movement.

5.Question
What is the process for creating an automation handler in
Metasploit as described in the chapter?
Answer:To create an automation handler in Metasploit, you
would create a resource file (e.g., handler.rc) and configure it
to include necessary scripts like privilege escalation, then
execute it using msfconsole with the -r flag.

6.Question
How does Empire's automation compare to that of
Metasploit?
Answer:Empire offers similar automation functionalities as
Metasploit through resource files that allow users to run
automated tasks, but it specifically utilizes PowerShell for its
post-exploitation scripts.

7.Question
What benefits do Aggressor Scripts provide in Cobalt
Strike?
Answer:Aggressor Scripts enhance Cobalt Strike's

Scan to Download
capabilities by allowing for custom scripting which can
automate various tasks, making operations more flexible and
powerful for offensive security.

8.Question
What should one consider when selecting automation
tools for Red Team operations?
Answer:It's important to consider the specific operational
scenario and compatibility with the environment, the need for
stealth versus speed, and the type of intelligence needed from
the target.

9.Question
How does the chapter suggest learning from engagements
with Blue Teams?
Answer:The author suggests that even when caught, Red
Teams can leverage the event to learn more about the Blue
Team’s tools and tactics, which can inform future strategies
and enhance overall effectiveness.
Chapter 36 | Password Cracking| Q&A
1.Question
What is the significance of using automation in

Scan to Download
penetration testing and security validation?
Answer:Automation streamlines complex attack
sequences, allowing for more frequent and
consistent security validation. It helps in running
tests like Mimikatz at regular intervals to gather
credentials without manual intervention. This
capability leads to quicker identification of
vulnerabilities and reinforces security measures.

2.Question
How can tools like Aggressor Scripts enhance the
effectiveness of security testing?
Answer:Aggressor Scripts enable testers to create customized
scripts for various tasks, such as regularly pulling credentials
or executing sophisticated attack vectors. By automating
these actions, Red Teamers can focus on analyzing outcomes
rather than getting bogged down by repetitive tasks.

3.Question
Why is it essential to use real-world password lists when
performing password cracking?

Scan to Download
Answer:Utilizing password lists derived from actual breaches
reflects the patterns and habits of users in creating
passwords. This enhances the chances of success in cracking
passwords, especially for those longer than 12 characters,
which are more complex and unique.

4.Question
What are some accessible options for individuals on a
budget wanting to perform password cracking?
Answer:Those with budget constraints can consider
cloud-based solutions, such as using AWS with Tesla GPUs,
which offer powerful performance for password cracking
tasks without the need for an extensive hardware investment.

5.Question
What is the importance of regularly updating and
maintaining a password list in password cracking?
Answer:Regular updates to a password list are crucial as they
ensure the list reflects current password trends and breaches.
By monitoring new breaches and user habits, security
professionals can create a more effective list that enhances

Scan to Download
their cracking techniques.

6.Question
How does understanding common password creation
techniques aid in improving security?
Answer:By analyzing past breaches and the prevalent
techniques users employ when creating passwords, security
experts can better educate users on developing stronger
passwords and implement systems that encourage more
secure password practices.

7.Question
What is the impact of the growing use of advanced GPUs
in password cracking?
Answer:Advanced GPUs dramatically increase cracking
speeds, enabling the processing of billions of hashes per
second. This technological advancement means that even
complex passwords can be cracked in feasible timeframes,
prompting the need for stronger password policies and
practices.

8.Question
How can security professionals ensure their tools and

Scan to Download
methodologies stay effective?
Answer:By continuously researching and integrating the
latest tools, scripts, and methodologies, along with analyzing
emerging trends in attack vectors and defensive strategies,
security professionals can maintain an edge in effective
penetration testing.

9.Question
What role does community sharing of password lists and
resources play in cybersecurity?
Answer:Community contributions of password lists and
resources foster collaboration, accelerate the discovery of
vulnerabilities, and enhance overall security practices.
Sharing this information allows security professionals to stay
updated on evolving threats.

10.Question
What should an effective password cracking strategy
incorporate based on the discussed resources?
Answer:An effective strategy should leverage a combination
of high-quality password lists, real-world data from breaches,

Scan to Download
and advanced cracking tools, while consistently monitoring
new developments in password generation and attacks.

Scan to Download
Chapter 37 | Gotta Crack Em All - Quickly
Cracking as Many as You Can| Q&A
1.Question
What is the importance of using complex password rules
in cracking passwords?
Answer:Using complex password rules significantly
increases the chances of successfully cracking
passwords by generating a wider range of potential
combinations. For instance, the KoreLogic rules can
create variations of a base password by appending
years, whereas the default Hashcat rules leverage
common manipulation techniques from historical
breaches, making them effective to start with.

2.Question
How does understanding hash formats influence the
password cracking process?
Answer:Understanding the hash format allows you to tailor
your cracking strategy based on the algorithm's speed and
complexity. For example, knowing that NTLM hashes
process at 75,000 MH/s compared to only 5,000 MH/s for

Scan to Download
SHA-256 can dictate whether you focus on faster, simpler
attacks or more intensive methods depending on your
resources and what you're targeting.

3.Question
Why is it beneficial to perform initial test runs on hash
algorithms?
Answer:Initial test runs provide insights into how long it will
take to crack specific hashes and allow you to gauge the
effectiveness of your approach. These benchmarks ensure
that you allocate your computing power and time efficiently,
particularly when facing slower algorithms like SHA-256.

4.Question
What strategy did the author use to crack the
CyberSpaceKittens NTLM hashes effectively?
Answer:The author employed a multi-faceted approach,
utilizing a combination of 8 powerful GPUs to maximize
processing speed, and systematically executed brute-force
attacks on shorter passwords while also leveraging extensive
common password lists for quicker results.

Scan to Download
5.Question
How can adding characters to a password list enhance
cracking success?
Answer:By appending or prepending characters to existing
passwords, you can create 'masks' that may match with
longer passwords used by individuals. This strategy increases
the probability of cracking passwords that exceed the original
password length, addressing complexities in user password
choices.

6.Question
What tools and methods did the author recommend for
building more effective password lists?
Answer:The author recommended combining different
password lists using Hashcat utilities, creating custom lists
from client-specific information, and using tools like
Brutescrape and Burp Word List Extractor. These methods
help generate more relevant lists based on potential user
behavior and organizational context.

7.Question
What role does analyzing cracked passwords play in

Scan to Download
improving future attacks?
Answer:Analyzing cracked passwords helps identify
patterns, frequency, and common structures used by
individuals, informing the creation of more targeted masks
and strategies for future attacks. It also exposes commonly
used default passwords across different organizations.

8.Question
What is the purpose of using tools like Pipal in the
password analysis process?
Answer:Tools like Pipal analyze the structure of cracked
passwords, revealing insights about base words and user
behaviors that may be common in particular organizations.
This understanding can lead to more effective guessing
approaches and ultimately more successful attacks.
Chapter 38 | Creative Campaigns| Q&A
1.Question
Why is it important to simulate ransomware attacks
within an organization?
Answer:Simulating ransomware attacks is crucial

Scan to Download
for organizations to test their disaster recovery
processes and understand the potential impact of a
real ransomware incident. By executing simulated
campaigns, organizations can validate their ability
to recover critical files, databases, and share files
after a breach. It allows IT teams to prepare for
actual incidents, reducing the uncertainty and the
potential damage. Without such testing, responses
may be reactive instead of proactive, leading to
severe consequences when a real attack occurs.

2.Question
What can organizations learn from conducting simulated
ransomware breaches?
Answer:Organizations can gain insights into how many files
could be accessed, the volume of data that could potentially
be exfiltrated, and their detection capabilities in real-time.
This helps them identify weaknesses in their security posture,
refine their incident response plans, and ensure that critical
files are adequately protected.

Scan to Download
3.Question
What are the risks involved with live ransomware
simulation, and how can they be mitigated?
Answer:Live ransomware simulations involve significant
risks, such as unintentional data loss or system disruption. To
mitigate these risks, organizations can conduct
non-destructive simulations that only scan and analyze files
without actual deletion or encryption. This approach provides
valuable insights while preserving data integrity.

4.Question
How can understanding ransomware types enhance the
effectiveness of a simulation campaign?
Answer:Studying the characteristics of various ransomware
samples, like WannaCry, enables teams to create more
realistic simulation campaigns. By knowing which file types
are typically targeted and how they are encrypted, IT and
security teams can tailor their simulations to closely mimic a
real attack, enhancing the training value and awareness of
incident responses.

Scan to Download
5.Question
What role does an internal Red Team play in validating
security processes?
Answer:An internal Red Team plays a critical role in
proactively identifying and testing an organization's security
measures through simulated attacks. They help validate
whether security protocols are effective in controlling and
mitigating risk, thereby ensuring that the organization is
prepared for potential breaches and can recover swiftly from
incidents.
Chapter 39 | Windows Download File from Internet
Command Line| Q&A
1.Question
What precautions should companies take against
ransomware, and why are they important?
Answer:Companies must regularly test their backup
and recovery processes to ensure they can recover
critical files after a ransomware attack. Not being
able to recover these files could lead to severe
operational and financial consequences, making it

Scan to Download
crucial to have a reliable disaster recovery plan in
place.

2.Question
How does detecting ransomware early make a difference,
and what practices can help avoid detection?
Answer:Detecting ransomware early can mitigate damage
and potentially stop an attack before critical files are
compromised. To avoid detection, malicious actors may slow
down their actions or disguise their processes. Awareness and
timely monitoring of abnormal system behavior can greatly
reduce risks.

3.Question
Why is disabling logging significant for Red Teamers, and
how can it be achieved?
Answer:Disabling logging is significant for Red Teamers
because it helps in avoiding detection while conducting their
tests. Techniques can include using scripts to manipulate
system logging services, such as PowerShell logging, to
prevent attack logging and keep their activities hidden.

Scan to Download
4.Question
What methods can attackers use to execute secondary
malware on compromised systems?
Answer:Attackers can exploit various Windows features to
download and execute secondary malware. This can be done
using command lines and scripts that take advantage of
system functionalities like mshta, rundll32.exe, and certutil
to silently introduce malicious code without detection.

5.Question
How should organizations prepare to counter tactics
employed by attackers to disable their defenses?
Answer:Organizations should implement robust monitoring
solutions that log all activities, even potentially benign ones,
to prevent attackers from disabling these defenses. Regular
audits of logging settings and comprehensive training for
staff can greatly reduce the chances of successful
exploitations.

6.Question
What role do backups play in ransom recovery, and how
can companies ensure their effectiveness?

Scan to Download
Answer:Backups are essential in ransom recovery as they
allow companies to restore data without succumbing to
ransom demands. To ensure effectiveness, companies should
follow the 3-2-1 backup rule: keep three copies of data, on
two different media, with one copy stored off-site to enhance
redundancy.

7.Question
What are some challenges that can arise during the
ransomware decryption process?
Answer:Challenges in ransomware decryption can include
broken or corrupted backup solutions, ensuring compatibility
with current systems, or the fact that the original decryption
keys may no longer be available. If these issues are not
addressed in advance, data recovery may become impossible.

8.Question
In what ways can organizations educate their employees
about ransomware dangers?
Answer:Organizations can conduct regular training sessions,
simulate phishing attacks, and distribute informational

Scan to Download
resources about identifying suspicious behavior. Creating a
culture of security awareness is essential in empowering
employees to act as the first line of defense against
ransomware threats.

9.Question
What innovative techniques can security professionals
research to enhance defenses against ransomware?
Answer:Security professionals can explore advanced
anomaly detection systems, machine learning models for
threat prediction, and behavioral analysis techniques to
identify ransomware-like activities. Continuous research and
adaptation to new malware patterns are crucial for
maintaining effective defenses.

Scan to Download
Chapter 40 | Retrieving NTLM Hashes without
Touching LSASS| Q&A
1.Question
What are some effective methods of executing secondary
code while avoiding detection through traditional
logging?
Answer:Several methods can be used to execute
secondary code without detection, such as utilizing
command line tools like 'certutil' to download and
decode payload files. Additionally, leveraging
PowerShell scripts like 'psgetsystem' allows for
executing commands with elevated privileges
without traditional monitoring tools being aware of
the activity.

2.Question
How can a local administrative account escalate
privileges to SYSTEM?
Answer:Privilege escalation from a local administrative
account to SYSTEM can be accomplished using tools like
Metasploit's 'getsystem' command or by executing scripts

Scan to Download
such as the PowerShell script 'psgetsystem' developed by
'decoder-it', which creates a new process with SYSTEM
privileges.

3.Question
What was the significance of Elad Shamir's research on
retrieving NTLM hashes without touching LSASS?
Answer:Elad Shamir's work was significant because it
addressed limitations posed by features like Credential Guard
in Windows 10 and Server 2016. By developing the 'Internal
Monologue Attack', it became possible to retrieve NTLM
hashes without directly interacting with LSASS, thereby
circumventing common security barriers.

4.Question
What are the main steps involved in the Internal
Monologue Attack?
Answer:The main steps in the Internal Monologue Attack
include: disabling preventive controls for NetNTLMv1 by
adjusting specific security settings, retrieving non-network
logon tokens from active processes, impersonating users to

Scan to Download
interact with NTLM Security Support Provider (SSP) locally
to gather a NetNTLMv1 response.

5.Question
Why is it important for hackers to continuously seek new
methods to evade detection?
Answer:It is crucial for hackers to innovate in evading
detection techniques as cybersecurity measures evolve.
Traditional logging and detection tools are becoming
increasingly sophisticated, thus new and stealthier execution
methods and privilege escalation techniques are essential for
maintaining access and conducting successful operations
without triggering alarms.

Scan to Download
The Hacker Playbook 3 Quiz and Test
Check the Correct Answer on Bookey Website

Chapter 1 | Notes and Disclaimer| Quiz and Test

1.Being part of a Red Team requires only technical
skills, without the need for confidence.
2.Proper approval is necessary before conducting attacks on
unauthorized systems.
3.Engaging in bug bounty programs is an illegal activity that
can lead to legal consequences.
Chapter 2 | Penetration Testing Teams vs Red
Teams| Quiz and Test
1.Cyber Space Kittens (CSK) established a security
operations center based on lessons learned from
previous security assessments.
2.Penetration Testing lasts longer than Red Teaming
campaigns.
3.Time To Detect (TTD) measures the time taken to mitigate
a threat after it has been detected.
Chapter 3 | Setting Up Your Campaign| Quiz and

Scan to Download
Test
1.Companies should operate under the assumption
that a breach has already occurred.
2.Penetration tests guarantee complete security for
organizations.
3.Red Team campaigns focus solely on identifying
vulnerabilities in a system.

Scan to Download
Chapter 4 | Setting Up Your External Servers| Quiz
and Test
1.Are server setups primarily used for data retrieval
and user monitoring during campaigns?
2.Using AWS Lightsail for external server setup is
recommended due to its complexity and high traffic
restrictions.
3.A minimum of 1 GB RAM is recommended for server
instances when setting up external servers.
Chapter 5 | Tools of the Trade| Quiz and Test
1.Strong IPTables rules are crucial to protect your
attacker server by limiting SSH authentication
sources and payload initiations.
2.Cobalt Strike is a tool that should be used without any
consideration of vulnerabilities it may have.
3.Dnscat2 requires an authoritative DNS server for effective
operation.
Chapter 6 | Monitoring an Environment| Quiz and
Test
1.Red Team operations require constant vigilance to

Scan to Download
 identify attack opportunities.
2.HTTP Screenshot is used for scanning networks and
capturing web layouts.
3.Gathering email addresses of employees is unimportant for
social engineering attacks.

Scan to Download
Chapter 7 | Bug Bounty Programs:| Quiz and Test
1.Critical externally-facing web attacks have
decreased significantly in recent years, including
breaches involving Apache Struts 2, Panera Bread,
and Uber.
2.In the early 2000s, SQL injection (SQLi) and remote file
inclusion (RFI) were the primary exploits used by
attackers.
3.Beginners in bug bounty hunting should avoid No-Reward
Bug Bounty Programs as they are not beneficial for
learning.
Chapter 8 | Web Attacks Introduction - Cyber Space
Kittens| Quiz and Test
1.Exceeding the limits of ethical testing in bug
bounty programs can lead to serious consequences.
2.Node.js is primarily used for running server-side
applications and poses minimal security risks.
3.The OWASP Top 10 is a crucial resource for understanding
security vulnerabilities in web applications.

Scan to Download
Chapter 9 | Cyber Space Kittens: Chat Support
Systems| Quiz and Test
1.Express is a comprehensive web development
framework that includes all features needed for
application security.
2.Cross-Site Scripting (XSS) can be executed through cookie
stealing techniques among others.
3.Server Side Request Forgery (SSRF) allows attackers to
make requests from the client side to internal resources.

Scan to Download
Chapter 10 | Finding Credentials from Outside the
Network| Quiz and Test
1.The chapter emphasizes that traditional
vulnerability scanners are essential for Red Team
assessments.
2.Password brute-forcing is a powerful tool that remains
applicable in many situations for gaining access.
3.The tool 'Ruler' is designed solely for password
brute-forcing and does not assist in information gathering.
Chapter 11 | Moving Through the Network| Quiz
and Test
1.Compromised emails can be extracted through a
Python script, potentially recovering gigabytes of
data.
2.Red Teamers are encouraged to perform traditional
vulnerability scans to navigate the network more
effectively.
3.Setting up a lab environment requires a minimum of 16 GB
RAM and a Windows 2016 Domain Controller.

Scan to Download
Chapter 12 | On the Network with No Credentials|
Quiz and Test
1.An attacker can access a network without any
prior credentials by physically infiltrating a
company's premises.
2.Responder is used to crack NTLM hashes more quickly
than standard NTLM hashes.
3.MultiRelay does not require any passwords to be extracted
to perform replay attacks successfully.

Scan to Download
Chapter 13 | After Compromising Your Initial Host|
Quiz and Test
1.Social engineering is a technique used to gain
access to a host system.
2.The command 'netstat -anop | findstr LISTEN' is used to
display the list of running processes on a compromised
host.
3.The RTFM tool is a Python script that helps users manage
and search for useful commands.
Chapter 14 | Privilege Escalation| Quiz and Test
1.PowerShell can be used effectively for
enumeration and executing commands from
various C2 tools such as Empire and Metasploit.
2.Unquoted Service Paths cannot be exploited for privilege
escalation in Windows environments.
3.Mimikatz can extract sensitive credentials from Windows
10's LSASS without any limitations.
Chapter 15 | Living Off of the Land in a Windows
Domain Environment| Quiz and Test
1.Reconnaissance is an important phase for

Scan to Download
 attackers to gather information about their target
systems.
2.PowerView is primarily used for managing Active
Directory user accounts and does not provide tools for
enumeration.
3.Kerberoasting is a technique used to crack NTLM hashes
in order to gain access to user accounts.

Scan to Download
Chapter 16 | Dumping the Domain Controller
Hashes| Quiz and Test
1.The Empire PowerShell module facilitates
Kerberoasting, allowing users to extract service
tickets for password cracking.
2.NinjaCopy is a tool that can copy any file regardless of it
being locked or not.
3.DCSync requires direct command execution on the Domain
Controller to dump user hashes.
Chapter 17 | Lateral Movement via RDP over the
VPS| Quiz and Test
1.DCSync is utilized in tools like PowerShell
Empire.
2.Using traditional methods like WMI and PSExec for lateral
movement remains equally effective in environments with
Next Gen AV.
3.To set up local port forwarding, a command involving SSH
is required to connect to the VPS.
Chapter 18 | Privilege Escalation| Quiz and Test
1.SSH can be used for traffic tunneling and pivoting

Scan to Download
 between compromised hosts.
2.The command to set up a dynamic SOCKS proxy involves
using the port 8888.
3.The DirtyCOW exploit allows users with root privileges to
escalate their access.

Scan to Download
Chapter 19 | Linux Lateral Movement Lab| Quiz
and Test
1.The CSK Secure Network Lab is designed for
practicing lateral movement techniques in a
Windows environment.
2.To set up the lab, you need to configure NAT settings in
VMWare for the IP range 172.16.250.0/24.
3.After discovering sensitive data, you can use base64
encoding to decrypt stored passwords.
Chapter 20 | Building Your Social Engineering (SE)
Campaigns| Quiz and Test
1.Social engineering attacks have high skill
requirements and are costly for Red Teamers.
2.Doppelganger Domains are used for creating
legitimate-seeming URLs to capture credentials directly
from users.
3.The Social Engineering Toolkit (SET) is unnecessary for
cloning web application authentication pages.
Chapter 21 | Phishing| Quiz and Test
1.Phishing attacks are becoming less effective due to

Scan to Download
 increased awareness among corporate employees.
2.Gophish is an automated tool that supports templates and
tracks metrics for phishing campaigns.
3.Exploiting DDE vulnerabilities allows for code execution
through Microsoft Office applications without the need for
macros.

Scan to Download
Chapter 22 | Exploiting Internal Jenkins with Social
Engineering| Quiz and Test
1.Red Teamers often use creativity in attacks,
revamping old exploits for new contexts.
2.Jenkins can be exploited without any authentication
measures in its newer versions (2.x and above).
3.The exploit methodology discussed allows attackers to find
internal Jenkins servers using a malicious webpage.
Chapter 23 | Conclusion| Quiz and Test
1.In the Jenkins exploit process, a malicious HTML
page and an encrypted binary are generated using
a Python script.
2.The exploitation process of Jenkins vulnerabilities involves
initiating a Groovy payload that scans for Jenkins servers
from the same system.
3.The chapter emphasizes the importance of a proactive
approach in detecting social engineering threats rather than
a reactive approach.
Chapter 24 | Card Reader Cloners| Quiz and Test

Scan to Download
1.Possession of lock picks is legal in all states.
2.The Proxmark3 RDV2 Kit is an improvement over the
original Proxmark3 in terms of portability and battery
efficiency.
3.It is recommended to conduct physical assessments without
consulting the facility's security teams.

Scan to Download
Chapter 25 | Physical Tools to Bypass Access Points|
Quiz and Test
1.HID iClass operates at a frequency of 125 kHz.
2.The LAN Turtle can be used to establish a reverse VPN
connection and exploit internal networks.
3.Under the Door Tool is used to open windows securely
without tools.
Chapter 26 | Bash Bunny| Quiz and Test
1.The Packet Squirrel can be configured for a
Reverse VPN connection to the company.
2.The Bash Bunny is an old tool that does not support
multiple payloads.
3.BunnyTap only captures NTLMv2 hashes from machines
that are not locked.
Chapter 27 | The Basics Building a Keylogger| Quiz
and Test
1.Writing code is not always essential for
penetration testing.
2.Keyloggers can capture keyboard events without using
low-level Windows functions.

Scan to Download
3.Obfuscation techniques are necessary to evade antivirus
systems in penetration testing.

Scan to Download
Chapter 28 | THP Custom Droppers| Quiz and Test
1.Custom dropper tools leave significant traces on
the victim's disk.
2.The dropper should be treated as a disposable asset due to
detection risks.
3.Developing a custom dropper allows for disk writes that
can be detected by forensic analysis.
Chapter 29 | Recompiling Metasploit/Meterpreter to
Bypass AV and Network Detection| Quiz and Test
1.The chapter discusses methods to modify
Metasploit/Meterpreter to evade antivirus
detection.
2.It is unnecessary to obfuscate payloads when using tools
like Metasploit since they are not often flagged by antivirus
software.
3.A Stage 0 payload is designed to be easily detectable by
AV software during penetration testing.
Chapter 30 | SharpShooter| Quiz and Test
1.SharpShooter is designed to create payloads that

Scan to Download
 can evade detection by next-generation antivirus
systems.
2.SharpShooter can only execute staged payloads through
HTTP connections.
3.Reflection execution in SharpShooter is used to compile C#
code on the host machine.

Scan to Download
Chapter 31 | Application Whitelisting Bypass| Quiz
and Test
1.Custom or predefined templates can be used for
creating payloads in hacking tests.
2.The GreatSCT tool is not mentioned as a method for
generating malicious XML files to spawn Meterpreter
sessions.
3.It is unnecessary to obfuscate payloads within the XML file
to avoid detection by antivirus software.
Chapter 32 | Code Caves| Quiz and Test
1.Application Whitelisting Bypasses can only be
accomplished with a few known techniques.
2.Using WMI or PSExec can help in executing payloads
remotely without being detected in Red Team operations.
3.Creative lateral movement in Red Team operations should
avoid leaving clear traces that can be traced back to the
domain, IP, or compromised host.
Chapter 33 | PowerShell Obfuscation| Quiz and Test
1.Hackers can creatively approach and embed

Scan to Download
 malware in executable binaries which have low
detection rates.
2.PowerShell scripts are always safe from detection by
antivirus tools regardless of how they are used or executed.
3.The chapter does not provide any resources or practical
examples for implementing advanced obfuscation
techniques.

Scan to Download
Chapter 34 | HideMyPS| Quiz and Test
1.PowerShell can only be executed directly through
PowerShell.exe.
2.NPS_Payload uses MSBuild.exe to execute PowerShell
payloads without utilizing the PowerShell executable.
3.HideMyPS obfuscates scripts by altering function names,
breaking strings, and adding comments to evade AV
detection.
Chapter 35 | Automation| Quiz and Test
1.Red Teams should avoid automation in their
attacks as security measures improve.
2.Cobalt Strike utilizes Aggressor Scripts to automate tasks
and enhance operational efficiency.
3.Empire requires manual intervention for each repetitive
task during its operations.
Chapter 36 | Password Cracking| Quiz and Test
1.Aggressor Scripts allow for the automation of
complex attacks like running Mimikatz every
thirty minutes to gather clear-text credentials from

Scan to Download
 shared workstations.
2.Cloud-cracking on AWS costs approximately $50 per hour.
3.For effective password cracking, a powerful rig can be built
for around $5,000, consisting of multiple GPU cards.

Scan to Download
Chapter 37 | Gotta Crack Em All - Quickly
Cracking as Many as You Can| Quiz and Test
1.KoreLogicRulesAppendYears provides a method
to append years to passwords for cracking.
2.Using complex rules always enhances the efficiency of
password cracking.
3.Understanding the hashing algorithm in use is crucial
before starting password cracking.
Chapter 38 | Creative Campaigns| Quiz and Test
1.Simulated ransomware campaigns can be
beneficial for organizations in preparing their
recovery procedures.
2.It is unnecessary for organizations to test their ability to
recover from malware incidents as they can rely on their
initial security measures.
3.When conducting simulated ransomware tests, detailed
examples should always be provided to ensure safety.
Chapter 39 | Windows Download File from Internet
Command Line| Quiz and Test
1.Testing the recovery of critical files is essential in

Scan to Download
 the event of ransomware attacks.
2.Ransomware detection is only based on file types, and
behavioral patterns are not considered.
3.Attackers can disable PowerShell logging to conceal their
activities from system administrators.

Scan to Download
Chapter 40 | Retrieving NTLM Hashes without
Touching LSASS| Quiz and Test
1.Various command line techniques are available for
executing secondary code while obscuring logging,
including using `certutil` to download and decode
payloads.
2.The common method of escalating privileges from a local
administrator account to the System level is solely reliant
on Metasploit's `getsystem`, with no other alternatives.
3.Elad Shamir's research found a way to capture NTLM
hashes by directly accessing LSASS, which is commonly
hindered by Credential Guard.

Scan to Download