book

Metasploit

Name: Metasploit
ISBN: 9781593272883

by David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni

July 2011

Intermediate to advanced

328 pages

9h 1m

English

No Starch Press

Read now

Unlock full access

Metasploit
Foreword
Preface
Acknowledgments
Special Thanks
Introduction
Why Do a Penetration Test?
Why Metasploit?
A Brief History of Metasploit
About This Book
What’s in the Book?
A Note on Ethics

1. The Absolute Basics of Penetration Testing
The Phases of the PTESPre-engagement InteractionsIntelligence GatheringThreat ModelingVulnerability AnalysisExploitationPost ExploitationReporting
Types of Penetration Tests
Overt Penetration TestingCovert Penetration Testing
Vulnerability Scanners
Pulling It All Together
2. Metasploit Basics
TerminologyExploitPayloadShellcodeModuleListener
Metasploit Interfaces
MSFconsoleStarting MSFconsoleMSFcliSample UsageArmitageRunning Armitage
Metasploit Utilities
MSFpayloadMSFencodeNasm Shell
Metasploit Express and Metasploit Pro
Wrapping Up
3. Intelligence Gathering
Passive Information Gatheringwhois LookupsNetcraftNSLookup
Active Information Gathering
Port Scanning with NmapWorking with Databases in MetasploitImporting Nmap Results into MetasploitAdvanced Nmap Scanning: TCP Idle ScanRunning Nmap from MSFconsolePort Scanning with Metasploit
Targeted Scanning
Server Message Block ScanningHunting for Poorly Configured Microsoft SQL ServersSSH Server ScanningFTP ScanningSimple Network Management Protocol Sweeping
Writing a Custom Scanner
Looking Ahead
4. Vulnerability Scanning
The Basic Vulnerability Scan
Scanning with NeXpose
ConfigurationThe New Site WizardThe New Manual Scan WizardThe New Report WizardImporting Your Report into the Metasploit FrameworkRunning NeXpose Within MSFconsole
Scanning with Nessus
Nessus ConfigurationCreating a Nessus Scan PolicyRunning a Nessus ScanNessus ReportsImporting Results into the Metasploit FrameworkScanning with Nessus from Within Metasploit
Specialty Vulnerability Scanners
Validating SMB LoginsScanning for Open VNC AuthenticationScanning for Open X11 Servers
Using Scan Results for Autopwning
5. The Joy of Exploitation
Basic Exploitationmsf> show exploitsmsf> show auxiliarymsf> show optionsmsf> show payloadsmsf> show targetsinfoset and unsetsetg and unsetgsave
Exploiting Your First Machine
Exploiting an Ubuntu Machine
All-Ports Payloads: Brute Forcing Ports
Resource Files
Wrapping Up
6. Meterpreter
Compromising a Windows XP Virtual MachineScanning for Ports with NmapAttacking MS SQLBrute Forcing MS SQL ServerThe xp_cmdshellBasic Meterpreter CommandsCapturing a ScreenshotsysinfoCapturing Keystrokes
Dumping Usernames and Passwords
Extracting the Password HashesDumping the Password Hash
Pass the Hash
Privilege Escalation
Token Impersonation
Using ps
Pivoting onto Other Systems
Using Meterpreter Scripts
Migrating a ProcessKilling Antivirus SoftwareObtaining System Password HashesViewing All Traffic on a Target MachineScraping a SystemUsing Persistence
Leveraging Post Exploitation Modules
Upgrading Your Command Shell to Meterpreter
Manipulating Windows APIs with the Railgun Add-On
Wrapping Up
7. Avoiding Detection
Creating Stand-Alone Binaries with MSFpayload
Evading Antivirus Detection
Encoding with MSFencodeMulti-encoding
Custom Executable Templates
Launching a Payload Stealthily
Packers
A Final Note on Antivirus Software Evasion
8. Exploitation Using Client-Side Attacks
Browser-Based ExploitsHow Browser-Based Exploits WorkLooking at NOPs
Using Immunity Debugger to Decipher NOP Shellcode
Exploring the Internet Explorer Aurora Exploit
File Format Exploits
Sending the Payload
Wrapping Up
9. Metasploit Auxiliary Modules
Auxiliary Modules in Use
Anatomy of an Auxiliary Module
Going Forward
10. The Social-Engineer Toolkit
Configuring the Social-Engineer Toolkit
Spear-Phishing Attack Vector
Web Attack Vectors
Java AppletClient-Side Web ExploitsUsername and Password HarvestingTabnabbingMan-Left-in-the-MiddleWeb JackingPutting It All Together with a Multipronged Attack
Infectious Media Generator
Teensy USB HID Attack Vector
Additional SET Features
Looking Ahead
11. Fast-Track
Microsoft SQL InjectionSQL Injector—Query String AttackSQL Injector—POST Parameter AttackManual InjectionMSSQL BruterSQLPwnage
Binary-to-Hex Generator
Mass Client-Side Attack
A Few Words About Automation
12. Karmetasploit
Configuration
Launching the Attack
Credential Harvesting
Getting a Shell
Wrapping Up
13. Building Your Own Module
Getting Command Execution on Microsoft SQL
Exploring an Existing Metasploit Module
Creating a New Module
PowerShellRunning the Shell ExploitCreating powershell_upload_execConversion from Hex to BinaryCountersRunning the Exploit
The Power of Code Reuse
14. Creating Your Own Exploits
The Art of Fuzzing
Controlling the Structured Exception Handler
Hopping Around SEH Restrictions
Getting a Return Address
Bad Characters and Remote Code Execution
Wrapping Up
15. Porting Exploits to the Metasploit Framework
Assembly Language BasicsEIP and ESP RegistersThe JMP Instruction SetNOPs and NOP Slides
Porting a Buffer Overflow
Stripping the Existing ExploitConfiguring the Exploit DefinitionTesting Our Base ExploitImplementing Features of the FrameworkAdding RandomizationRemoving the NOP SlideRemoving the Dummy ShellcodeOur Completed Module
SEH Overwrite Exploit
Wrapping Up
16. Meterpreter Scripting
Meterpreter Scripting Basics
Meterpreter API
Printing OutputBase API CallsMeterpreter Mixins
Rules for Writing Meterpreter Scripts
Creating Your Own Meterpreter Script
Wrapping Up
17. Simulated Penetration Test
Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Exploitation
Customizing MSFconsole
Post Exploitation
Scanning the Metasploitable SystemIdentifying Vulnerable Services
Attacking Apache Tomcat
Attacking Obscure Services
Covering Your Tracks
Wrapping Up
A. Configuring Your Target Machines
Installing and Setting Up the System
Booting Up the Linux Virtual Machines
Setting Up a Vulnerable Windows XP Installation
Configuring Your Web Server on Windows XPBuilding a SQL ServerCreating a Vulnerable Web ApplicationUpdating Back|Track
B. Cheat Sheet
MSFconsole Commands
Meterpreter Commands
MSFpayload Commands
MSFencode Commands
MSFcli Commands
MSF, Ninja, Fu
MSFvenom
Meterpreter Post Exploitation Commands
Index
About the Authors
Colophon
C. Updates

Content preview from Metasploit

Targeted Scanning

When you are conducting a penetration test, there is no shame in looking for an easy win. A targeted scan looks for specific operating systems, services, program versions, or configurations that are known to be exploitable and that provide an easy door into a target network. For example, it is common to scan a target network quickly for the vulnerability MS08-067, as this is (still) an extremely common hole that will give you SYSTEM access much more quickly than scanning an entire target network for vulnerabilities.

Server Message Block Scanning

Metasploit can scour a network and attempt to identify versions of Microsoft Windows using its smb_version module.

Note

If you are not familiar with Server Message Block (SMB, a common file-sharing ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781593272883Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design