This package contains all magazine editions published by PenTest Magazine in 2020. Every issue is dedicated to a different main topic, and contains various practical tutorials and articles on different offensive security aspects.
Please note that subscribers already have access to all of the products that are a part of this package.
Table of Contents
We are extremely happy to present you the first 2020 edition of PenTest Mag! The main focus of this issue is the most hip, relevant, and - in most cases - open-access tools which will be immensely useful for every pentester this year. No matter which exact pentesting territory is your favourite, whether you’re into application security, cloud security, IoT - you will definitely find something for yourself here!
To start with, Valerio Alessandroni presents a case study of his Active Directory CTF, completed on the “Hack The Box” platform. Analysing how other pentesters solve CTFs is one of the most efficient ways to learn, so we definitely recommend checking this one out! Marlene Ladendorff, PhD is honouring us with her contribution again! This time this unquestionable expert on Operational Technology security provides you with an insight into the role of Active Directory in OT environments. This piece will enrich your understanding of the AD with a new perspective.
Our contributors did an amazing job, and provided you with more than 150 pages of articles this month! To start with, we would like to take a closer look at Fuzzing - its role in pentesting, attack vectors, tools, and case studies of using this technique. Maksim Shudrak opens the issue with his great article, entitled “Leveraging Coverage-Guided Fuzzing To Find Exploitable Bugs”. On the example of the Google OSS-Fuzz Project, the author explains the efficiency and the importance of this sophisticated technique. Alcyon Junior brings a new article to the table, and this time he shows the different types of fuzzing attacks. Mukul Kantiwal also introduces the reader to the topic with a tool tutorial - SPIKE fuzzing creation kit. If you are into fuzzing techniques, or have always wanted to learn about them, the perfect time is now!
In the current issue, we focus on the topic of MITRE ATT&CK. There is no doubt that this non-profit, globally-accessible base of knowledge of adversary tactics and techniques is crucial for being up-to-date and effective as an information security specialist, especially during red and blue teaming practice. Our contributors present you with a comprehensive perspective of using this helpful framework - from a general overview of how MITRE should be understood and used, through the context of Threat Hunting, honeypots, attack simulation, to the benefits for enterprise.
To start with, Krishna Raj introduces you to the realm of healthcare cybersecurity. You will learn about the challenges for healthcare information security, the most relevant types of threats, and the compliance aspects in this crucial industry. Considering the fact that in the time of the COVID-19 pandemic healthcare facilities are experiencing probably the most important battle so far, the understanding of the role of cybersecurity is definitely a must. For those of you who are most interested in post-exploitation scenarios, we have something special. Johann Rehberger describes the Shadowbunny technique. The fact that there is now evidence that adversaries use this technique for ransomware deployment means more light has to be put on it. A great read for every offensive security professional indeed!
We decided to gather the best open access articles from the preview versions of our premium mags and compile a really interesting and diverse Penetration Tester’s Starter Kit! With this edition you can enter the realm of pentesting with accessible and clear guidance into its various aspects, such as offensive security, defensive security, social engineering vectors, risk management, cybersecurity in time of a pandemic, OSINT, FinTech, or communication between technical and non-technical professionals.
The main topic of this month's edition is the usage of Splunk in Cybersecurity. This world-leading SIEM software is definitely a great help in tracking down issues in your log data. Even though companies mostly use paid versions of Splunk, a Splunk Free version is also available, offering a great opportunity to dive into its options and advantages, before you decide to get a paid license. As the growth of the amount of data doesn’t stop, knowledge of Splunk is a great asset for every potential SOC employee.
We take a closer look at AWS pentesting. All pentesters are undoubtedly aware of the fact that methodologies for ethical hacking of the AWS cloud differ from the standard procedures of assessing vulnerabilities, according to the company policies. Our contributors present you with practical tutorials on useful (and legitimate!) techniques and tools, such as PACU exploitation framework, cognitive hacking, test scenarios, and recommendations to prevent certain types of attacks.
All the contributors did a magnificent job with their articles, so the issue is a great compendium for the best understanding of open-source intelligence and its meaning for cybersecurity. While reading you will start a fascinating journey with numerous tools, techniques, and various out-of-the-box approaches to OSINT in the penetration testing context. As one of the authors - Aaron Roberts - states in his article, “OSINT is an art-form when it comes to cybersecurity, and understanding how to maximise its value will aid not just intelligence professionals, but pentesters, Security Operations Centre (SOC) analysts and vulnerability managers.”
Due to intensifying ransomware attacks over the recent months, we take a closer look into this notorious type of threat in the current edition, making it the main focus of the issue. Observing the dangerous trend of holding companies and public institutions for ransom successfully performed by malicious actors, our contributors decided to share their expertise on the topic, presenting it from many different security angles.
Mobile devices and applications have dominated our lives. As the global population becomes highly dependent on using pocket-sized technologies in plenty of aspects of its everyday functioning, the demand for skilled mobile pentesters and other security specialists is growing steadily. A good knowledge of the topic is simply a must, and that’s why we decided to enrich our library with an edition dedicated to mobile pentesting this month.
We decided to prepare a special “Best of 2020” edition, which is a selection of 10 articles that enjoyed a particularly good reception among our readers. Inside, you will read about the most trendy topics, tools, and techniques, analyzed in different cybersecurity contexts, while always keeping up to the highest standards, being innovative and bringing an “out of the box” perspective to the analyzed matters.
The first articles of the issue present the power of Windows PowerShell used in the context of penetration testing. You will read about post exploitation, as well as on leveraging WMIObjects, CIMClasses, and transactions for PowerShell pentesting. What also deserves your attention are two fantastic reports presented by our regular contributor, Filipi Pires - those are must reads for every threat hunting and analysis enthusiast! If you like to discover new projects, Project V3, presented in this edition by Anthony Radzykewych, is definitely your treat!