book

Mastering Metasploit - Second Edition

Name: Mastering Metasploit - Second Edition
Author: Nipun Jaswal
ISBN: 9781786463166

by Nipun Jaswal

September 2016

Intermediate to advanced

440 pages

7h 56m

English

Packt Publishing

Read now

Unlock full access

Mastering Metasploit
Mastering Metasploit
Second Edition
Credits
Foreword
About the Author
About the Reviewer
www.PacktPub.com
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
ErrataPiracyQuestions
1. Approaching a Penetration Test Using Metasploit
Organizing a penetration test
Preinteractions
Intelligence gathering/reconnaissance phase
Predicting the test grounds
Modeling threatsVulnerability analysisExploitation and post-exploitationReportingMounting the environment
Setting up Kali Linux in virtual environment
The fundamentals of Metasploit
Conducting a penetration test with Metasploit
Recalling the basics of Metasploit
Benefits of penetration testing using Metasploit
Open sourceSupport for testing large networks and easy naming conventionsSmart payload generation and switching mechanismCleaner exitsThe GUI environment
Penetration testing an unknown network
AssumptionsGathering intelligence
Using databases in Metasploit
Modeling threats
Vulnerability analysis of VSFTPD 2.3.4 backdoor
The attack procedureThe procedure of exploiting the vulnerabilityExploitation and post exploitation
Vulnerability analysis of PHP-CGI query string parameter vulnerability
Exploitation and post exploitation
Vulnerability analysis of HFS 2.3
Exploitation and post exploitation
Maintaining access
Clearing tracks
Revising the approach
Summary
2. Reinventing Metasploit
Ruby – the heart of MetasploitCreating your first Ruby programInteracting with the Ruby shellDefining methods in the shellVariables and data types in RubyWorking with stringsConcatenating stringsThe substring functionThe split functionNumbers and conversions in RubyConversions in RubyRanges in RubyArrays in RubyMethods in RubyDecision-making operatorsLoops in RubyRegular expressionsWrapping up with Ruby basics
Developing custom modules
Building a module in a nutshellThe architecture of the Metasploit frameworkUnderstanding the file structureThe libraries layoutUnderstanding the existing modulesThe format of a Metasploit moduleDisassembling existing HTTP server scanner moduleLibraries and the functionWriting out a custom FTP scanner moduleLibraries and the functionUsing msftidyWriting out a custom SSH authentication brute forcerRephrasing the equationWriting a drive disabler post exploitation moduleWriting a credential harvester post exploitation module
Breakthrough meterpreter scripting
Essentials of meterpreter scriptingPivoting the target networkSetting up persistent accessAPI calls and mixinsFabricating custom meterpreter scripts
Working with RailGun
Interactive Ruby shell basicsUnderstanding RailGun and its scriptingManipulating Windows API callsFabricating sophisticated RailGun scripts
Summary
3. The Exploit Formulation Process
The absolute basics of exploitationThe basicsThe architectureSystem organization basicsRegisters
Exploiting stack-based buffer overflows with Metasploit
Crashing the vulnerable applicationBuilding the exploit baseCalculating the offsetUsing the pattern_create toolUsing the pattern_offset toolFinding the JMP ESP addressUsing Immunity Debugger to find executable modulesUsing msfbinscanStuffing the spaceRelevance of NOPsDetermining bad charactersDetermining space limitationsWriting the Metasploit exploit module
Exploiting SEH-based buffer overflows with Metasploit
Building the exploit baseCalculating the offsetUsing pattern_create toolUsing pattern_offset toolFinding the POP/POP/RET addressThe Mona scriptUsing msfbinscanWriting the Metasploit SEH exploit moduleUsing NASM shell for writing assembly instructions
Bypassing DEP in Metasploit modules
Using msfrop to find ROP gadgetsUsing Mona to create ROP chainsWriting the Metasploit exploit module for DEP bypass
Other protection mechanisms
Summary
4. Porting Exploits
Importing a stack-based buffer overflow exploitGathering the essentialsGenerating a Metasploit moduleExploiting the target application with MetasploitImplementing a check method for exploits in Metasploit
Importing web-based RCE into Metasploit
Gathering the essentialsGrasping the important web functionsThe essentials of the GET/POST methodImporting an HTTP exploit into Metasploit
Importing TCP server/ browser-based exploits into Metasploit
Gathering the essentialsGenerating the Metasploit module
Summary
5. Testing Services with Metasploit
The fundamentals of SCADAThe fundamentals of ICS and its componentsThe significance of ICS-SCADAAnalyzing security in SCADA systemsFundamentals of testing SCADASCADA-based exploitsSecuring SCADAImplementing secure SCADARestricting networks
Database exploitation
SQL serverFingerprinting SQL server with NmapScanning with Metasploit modulesBrute forcing passwordsLocating/capturing server passwordsBrowsing SQL serverPost-exploiting/executing system commandsReloading the xp_cmdshell functionalityRunning SQL-based queries
Testing VOIP services
VOIP fundamentalsAn introduction to PBXTypes of VOIP servicesSelf-hosted networkHosted servicesSIP service providersFingerprinting VOIP servicesScanning VOIP servicesSpoofing a VOIP callExploiting VOIPAbout the vulnerabilityExploiting the application
Summary
6. Virtual Test Grounds and Staging
Performing a penetration test with integrated Metasploit servicesInteraction with the employees and end usersGathering intelligenceExample environment under testVulnerability scanning with OpenVAS using MetasploitModeling the threat areasGaining access to the targetVulnerability scanning with NessusMaintaining access and covering tracksManaging a penetration test with FaradayGenerating manual reportsThe format of the reportThe executive summaryMethodology / network admin level reportAdditional sections
Summary
7. Client-side Exploitation
Exploiting browsers for fun and profitThe browser autopwn attackThe technology behind a browser autopwn attackAttacking browsers with Metasploit browser autopwnCompromising the clients of a websiteInjecting malicious web scriptsHacking the users of a websiteConjunction with DNS spoofingTricking victims with DNS hijacking
Metasploit and Arduino - the deadly combination
File format-based exploitation
PDF-based exploitsWord-based exploits
Compromising Linux clients with Metasploit
Attacking Android with Metasploit
Summary
8. Metasploit Extended
The basics of post exploitation with Metasploit
Basic post exploitation commands
The help menuBackground commandMachine ID and UUID commandReading from a channelGetting the username and process informationGetting system informationNetworking commandsFile operation commandsDesktop commandsScreenshots and camera enumeration
Advanced post exploitation with Metasploit
Migrating to safer processesObtaining system privilegesObtaining password hashes using hashdumpChanging access, modification and creation time with timestomp
Additional post exploitation modules
Gathering wireless SSIDs with MetasploitGathering Wi-Fi passwords with MetasploitGetting applications listGathering skype passwordsGathering USB historySearching files with MetasploitWiping logs from target with clearev command
Advanced extended features of Metasploit
Privilege escalation using MetasploitFinding passwords in clear text using mimikatzSniffing traffic with MetasploitHost file injection with MetasploitPhishing window login passwords
Summary
9. Speeding up Penetration Testing
Using pushm and popm commands
The loadpath command
Pacing up development using reload, edit and reload_all commands
Making use of resource scripts
Using AutoRunScript in Metasploit
Using multiscript module in AutoRunScript option
Globalizing variables in Metasploit
Automating Social-Engineering Toolkit
Summary
10. Visualizing with Armitage
The fundamentals of ArmitageGetting startedTouring the user interfaceManaging the workspace
Scanning networks and host management
Modeling out vulnerabilitiesFinding the match
Exploitation with Armitage
Post-exploitation with Armitage
Attacking on the client side with Armitage
Scripting Armitage
The fundamentals of CortanaControlling MetasploitPost-exploitation with CortanaBuilding a custom menu in CortanaWorking with interfaces
Summary
Further reading

Content preview from Mastering Metasploit - Second Edition

Chapter 5. Testing Services with Metasploit

	"It's better to pay a cent for security than a dollar as a ransom" - Santosh Khadsare, cybercrime investigator
	--

Let's now talk about testing various specialized services. It is likely that during our career as a penetration tester we will come across a company or a testable environment that only requires testing to be performed on a particular server, and this server may run services such as databases, VOIP, or SCADA. In this chapter, we will look at various developing strategies to use while carrying out penetration tests on these services. In this chapter, we will cover the following points:

Understanding SCADA exploitation
The fundamentals of ICS and their critical nature
Carrying out database penetration ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781786463166

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering Metasploit - Second Edition

by Nipun Jaswal

Chapter 5. Testing Services with Metasploit

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.