book

Metasploit, 2nd Edition

by David Kennedy, Mati Aharoni, Devon Kearns, Jim O'Gorman

January 2025

Intermediate to advanced

288 pages

7h 12m

English

No Starch Press

Read now

Unlock full access

Why Do a Penetration Test?Why Metasploit?About This BookWhat’s New to This EditionA Note on Ethics
The Phases of the PTESPreengagement InteractionsIntelligence GatheringThreat ModelingVulnerability AnalysisExploitationPost ExploitationReportingTypes of Penetration TestsOvertCovertVulnerability ScannersInstalling Kali, Metasploit, and MetasploitableWrapping Up
TerminologyExploitPayloadShellcodeModuleListenerMetasploit InterfacesMSFconsoleResource ScriptsArmitage and Cobalt StrikeMetasploit UtilitiesMSFvenomNASM ShellMetasploit ProWrapping Up

Passive Information GatheringWhois LookupsNetcraftDNS AnalysisActive Information GatheringPort Scanning with NmapPort Scanning with MetasploitTargeted ScanningScanning for Server Message BlockHunting for Poorly Configured Microsoft SQL ServersScanning for S3 BucketsScanning for SSH Server VersionScanning for FTP ServersSweeping for Simple Network Management ProtocolWriting a Custom ScannerWrapping Up
The Basic Vulnerability ScanScanning with NexposeConfiguring NexposeImporting Reports into MetasploitRunning Nexpose in MSFconsoleScanning with NessusConfiguring NessusCreating ScansCreating Scan PoliciesViewing ReportsImporting Results into MetasploitNessus Scanning in MetasploitSpecialty Vulnerability ScannersValidating SMB LoginsFinding Scanners for Recent ExploitsWrapping Up
Basic ExploitationSearching for an ExploitsearchsploitinfoSelecting an Exploitshow payloadsshow targetsset and unsetsetg and unsetgsaveexploitExploiting a Windows MachineExploiting an Ubuntu MachineWrapping Up
Compromising a Windows Virtual MachinePort Scanning with NmapBrute-Forcing MySQL Server AuthenticationUploading User-Defined FunctionsBasic Meterpreter CommandsCapturing ScreenshotsFinding Platform InformationCapturing KeystrokesExtracting Password HashesPassing the HashMimikatz and KiwiPrivilege EscalationLateral Movement TechniquesToken ImpersonationDCSync and Golden Ticket AttacksOther Useful Meterpreter CommandsEnabling Remote Desktop ServicesViewing All Traffic on a TargetScraping a SystemEstablishing PersistenceManipulating Windows APIs with RailgunPivoting to Other SystemsWrapping Up
Creating Stand-Alone Binaries with MSFvenomEncoding with MSFvenomPacking ExecutablesCustom Executable TemplatesLaunching Payloads StealthilyEvasion ModulesDeveloping Custom PayloadsGenerating Executables from Python FilesWrapping Up
Updating and Configuring the Social-Engineer ToolkitSpear-Phishing AttacksSetting Up an Email ServerSending Malicious EmailPhishing with GophishWeb AttacksUsername and Password HarvestingTabnabbingBypassing Two-Factor AuthenticationInfectious Media Generation AttacksWrapping Up
Browser-Based ExploitsFinding Exploits in MetasploitAutomating Exploitation with AutoPwn2Finding Even More Recent ExploitsFile-Format ExploitsExploiting Word DocumentsSending PayloadsWrapping Up
Connecting to Wireless AdaptersMonitoring Wi-Fi TrafficDeauth and DoS AttacksCapturing and Cracking HandshakesEvil Twin AttacksSniffing Traffic with MetasploitHarvesting Credentials with the Wi-Fi PineappleWrapping Up
Exploring Auxiliary ModulesSearching for HTTP ModulesCreating an Auxiliary ModuleWriting the ModuleRunning the ModuleDebugging the ModuleWrapping Up
Assembly Language BasicsEIP and ESP RegistersThe JMP Instruction SetNOPs and NOP SlidesDisabling ProtectionsPorting Buffer OverflowsStripping Existing ExploitsConfiguring the Exploit DefinitionTesting the Base ExploitImplementing Features of the FrameworkAdding RandomizationRemoving the NOP SlideRemoving the Dummy ShellcodePorting an SEH Overwrite ExploitWrapping Up
Getting Command Execution on MS SQLEnabling Administrator-Level ProceduresRunning the ModuleExploring the Module CodeCreating a New ModuleEditing an Existing ModuleRunning the Shell ExploitDefining the ExploitUploading PowerShell ScriptsRunning the ExploitWrapping Up
The Art of FuzzingDownloading the Test ApplicationWriting the FuzzerTesting the FuzzerControlling the Structured Exception HandlerHopping Around RestrictionsGetting a Return AddressIncluding Backward Jumps and Near JumpsAdding a PayloadBad Characters and Remote Code ExecutionWrapping Up
Preengagement InteractionsIntelligence GatheringThreat ModelingExploitationExecuting the ExploitEstablishing PersistencePost ExploitationScanning the Linux SystemIdentifying Vulnerable ServicesAttacking Apache TomcatAttacking Obscure ServicesCovering Your TracksWrapping Up
Cloud Security BasicsIdentity and Access ManagementServerless FunctionsStorageDocker ContainersSetting Up Cloud Testing EnvironmentsContainer TakeoversEscaping Docker ContainersKubernetesWrapping Up
x86 and AMD64ARM and Apple SiliconInstalling Kali Meta Packages
MSFconsoleMeterpreterMSFvenomMeterpreter Post Exploitation

Content preview from Metasploit, 2nd Edition

9 CLIENT-SIDE ATTACKS

Years of focus on network defense have drastically shrunk traditional attack surfaces. When one avenue becomes too difficult to penetrate, attackers must find new and more sophisticated methods. Client-side attacks have evolved as network defenses have improved. Metasploit includes modules for several built-in client-side exploits that target software commonly installed on computers, such as web browsers, PDF readers, and Microsoft Office applications.

These exploits typically require first bypassing the protective countermeasures a company has by, for example, tricking a user into clicking a malicious link. Suppose ...