book

Mastering Metasploit

Name: Mastering Metasploit
Author: Nipun Jaswal
ISBN: 9781782162223

by Nipun Jaswal

May 2014

Beginner to intermediate

378 pages

8h 22m

English

Packt Publishing

Read now

Unlock full access

Mastering Metasploit
Table of Contents
Mastering Metasploit
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and moreWhy subscribe?Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
ErrataPiracyQuestions
1. Approaching a Penetration Test Using Metasploit
Setting up the environmentPreinteractionsIntelligence gathering / reconnaissance phasePresensing the test groundsModeling threatsVulnerability analysisExploitation and post-exploitationReporting
Mounting the environment
Setting up the penetration test labThe fundamentals of MetasploitConfiguring Metasploit on different environmentsConfiguring Metasploit on Windows XP/7Configuring Metasploit on UbuntuDealing with error statesErrors in the Windows-based installationErrors in the Linux-based installation
Conducting a penetration test with Metasploit
Recalling the basics of MetasploitPenetration testing Windows XPAssumptionsGathering intelligenceModeling threatsVulnerability analysisThe attack procedure with respect to the NETAPI vulnerabilityThe concept of attackThe procedure of exploiting a vulnerabilityExploitation and post-exploitationMaintaining accessClearing tracksPenetration testing Windows Server 2003Penetration testing Windows 7Gathering intelligenceModeling threatsVulnerability analysisThe exploitation procedureExploitation and post-exploitationUsing the database to store and fetch resultsGenerating reports
The dominance of Metasploit
Open sourceSupport for testing large networks and easy naming conventionsSmart payload generation and switching mechanismCleaner exitsThe GUI environment
Summary
2. Reinventing Metasploit
Ruby – the heart of MetasploitCreating your first Ruby programInteracting with the Ruby shellDefining methods in the shellVariables and data types in RubyWorking with stringsThe split functionThe squeeze functionNumbers and conversions in RubyRanges in RubyArrays in RubyMethods in RubyDecision-making operatorsLoops in RubyRegular expressionsWrapping up with Ruby basics
Developing custom modules
Building a module in a nutshellThe architecture of the Metasploit frameworkUnderstanding the libraries' layoutUnderstanding the existing modulesWriting out a custom FTP scanner moduleWriting out a custom HTTP server scannerWriting out post-exploitation modules
Breakthrough meterpreter scripting
Essentials of meterpreter scriptingPivoting the target networkSetting up persistent accessAPI calls and mixinsFabricating custom meterpreter scripts
Working with RailGun
Interactive Ruby shell basicsUnderstanding RailGun and its scriptingManipulating Windows API callsFabricating sophisticated RailGun scripts
Summary
3. The Exploit Formulation Process
The elemental assembly primerThe basicsArchitecturesSystem organization basicsRegistersGravity of EIPGravity of ESPRelevance of NOPs and JMPVariables and declarationFabricating example assembly programs
The joy of fuzzing
Crashing the applicationVariable input suppliesGenerating junkAn introduction to Immunity DebuggerAn introduction to GDB
Building up the exploit base
Calculating the buffer sizeCalculating the JMP addressExamining the EIPThe scriptStuffing applications for fun and profitExamining ESPStuffing the space
Finalizing the exploit
Determining bad charactersDetermining space limitationsFabricating under MetasploitAutomation functions in Metasploit
The fundamentals of a structured exception handler
Controlling SEHBypassing SEHSEH-based exploits
Summary
4. Porting Exploits
Porting a Perl-based exploitDismantling the existing exploitUnderstanding the logic of exploitationGathering the essentialsGenerating a skeleton for the exploitGenerating a skeleton using Immunity DebuggerStuffing the valuesPrecluding the ShellCodeExperimenting with the exploit
Porting a Python-based exploit
Dismantling the existing exploitGathering the essentialsGenerating a skeletonStuffing the valuesExperimenting with the exploit
Porting a web-based exploit
Dismantling the existing exploitGathering the essentialsGrasping the important web functionsThe essentials of the GET/POST methodFabricating an auxiliary-based exploitWorking and explanationExperimenting with the auxiliary exploit
Summary
5. Offstage Access to Testing Services
The fundamentals of SCADAThe fundamentals of ICS and its componentsThe seriousness of ICS-SCADA
SCADA torn apart
The fundamentals of testing SCADASCADA-based exploits
Securing SCADA
Implementing secure SCADARestricting networks
Database exploitation
SQL serverFootPrinting SQL server with NmapScanning with Metasploit modulesBrute forcing passwordsLocating/capturing server passwordsBrowsing SQL serverPost-exploiting/executing system commandsReloading the xp_cmdshell functionalityRunning SQL-based queries
VOIP exploitation
VOIP fundamentalsAn introduction to PBXTypes of VOIP servicesSelf-hosted networkHosted servicesSIP service providersFootPrinting VOIP servicesScanning VOIP servicesSpoofing a VOIP callExploiting VOIPAbout the vulnerabilityExploiting the application
Post-exploitation on Apple iDevices
Exploiting iOS with Metasploit
Summary
6. Virtual Test Grounds and Staging
Performing a white box penetration testInteraction with the employees and end usersGathering intelligenceExplaining the fundamentals of the OpenVAS vulnerability scannerSetting up OpenVASGreenbone interfaces for OpenVASModeling the threat areasTargeting suspected vulnerability prone systemsGaining accessCovering tracksIntroducing MagicTreeOther reporting services
Generating manual reports
The format of the reportThe executive summaryMethodology / network admin level reportAdditional sections
Performing a black box penetration test
FootPrintingUsing Dmitry for FootPrintingWHOIS details and informationFinding out subdomainsE-mail harvestingDNS enumeration with MetasploitConducting a black box test with MetasploitPivoting to the targetScanning the hidden target using proxychains and db_nmapConducting vulnerability scanning using NessusExploiting the hidden targetElevating privileges
Summary
7. Sophisticated Client-side Attacks
Exploiting browsersThe workings of the browser autopwn attackThe technology behind the attackAttacking browsers with Metasploit browser autopwn
File format-based exploitation
PDF-based exploitsWord-based exploitsMedia-based exploits
Compromising XAMPP servers
The PHP meterpreterEscalating to system-level privileges
Compromising the clients of a website
Injecting the malicious web scriptsHacking the users of a website
Bypassing AV detections
msfencodemsfvenomCautions while using encoders
Conjunction with DNS spoofing
Tricking victims with DNS hijacking
Attacking Linux with malicious packages
Summary
8. The Social Engineering Toolkit
Explaining the fundamentals of the social engineering toolkitThe attack types
Attacking with SET
Creating a Payload and ListenerInfectious Media GeneratorWebsite Attack VectorsThe Java applet attackThe tabnabbing attackThe web jacking attackThird-party attacks with SET
Providing additional features and further readings
The SET web interfaceAutomating SET attacks
Summary
9. Speeding Up Penetration Testing
Introducing automated tools
Fast Track MS SQL attack vectors
A brief about Fast TrackCarrying out the MS SQL brute force attackThe depreciation of Fast TrackRenewed Fast Track in SET
Automated exploitation in Metasploit
Re-enabling db_autopwnScanning the targetAttacking the database
Fake updates with the DNS-spoofing attack
Introducing WebSploitFixing up WebSploitFixing path issuesFixing payload generationFixing the file copy issueAttacking a LAN with WebSploit
Summary
10. Visualizing with Armitage
The fundamentals of ArmitageGetting startedTouring the user interfaceManaging the workspace
Scanning networks and host management
Modeling out vulnerabilitiesFinding the match
Exploitation with Armitage
Post-exploitation with Armitage
Attacking on the client side with Armitage
Scripting Armitage
The fundamentals of CortanaControlling MetasploitPost-exploitation with CortanaBuilding a custom menu in CortanaWorking with interfaces
Summary
Further reading
Index

Content preview from Mastering Metasploit

Compromising XAMPP servers

Getting the shell back from the victim's system is easy. However, what if the target is a web server running the latest copy of XAMPP server? Well, if you have found a vulnerable server where you can upload files by exploiting a web application-based attack, such as some of the web application attacks, including remote file inclusion, SQL injections, or any other means of file upload, you can upload a malicious PHP meterpreter and get access to the target web server.

The PHP meterpreter

To learn the method discussed previously, we need a PHP-based meterpreter shell, which we can make using the following commands:

In the preceding ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781782162223

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering Metasploit

by Nipun Jaswal

Compromising XAMPP servers

The PHP meterpreter

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.