Metasploit: The Penetration Tester's Guide


The Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users. Metasploit: The Penetration Tester's Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors.

Once you've built your foundation for penetration testing, you’ll learn the Framework's conventions, interfaces, and module system as you launch simulated attacks. You’ll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.

Learn how to:
–Find and exploit unmaintained, misconfigured, and unpatched systems
–Perform reconnaissance and find valuable information about your target
–Bypass anti-virus technologies and circumvent security controls
–Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery
–Use the Meterpreter shell to launch further attacks from inside the network
–Harness standalone Metasploit utilities, third-party tools, and plug-ins
–Write your own Meterpreter post exploitation modules and scripts

You'll even touch on exploit discovery for zero-day research, write a fuzzer, port existing exploits into the Framework, and learn how to cover your tracks. Whether your goal is to secure your own networks or to put someone else's to the test, Metasploit: The Penetration Tester's Guide will take you there and beyond.

Author(s): David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni
Edition: 1
Publisher: No Starch Press
Year: 2011

Language: English
Pages: 328
City: San Francisco
Tags: Metasploit; Access control; Penetration testing; Computer Security; Computer networks; Security Measures; Pen-test

Foreword
Preface
Acknowledgments
Special Thanks
Introduction
Why Do a Penetration Test?
Why Metasploit?
A Brief History of Metasploit
About This Book
What’s in the Book?
A Note on Ethics
Chapter 1: The Absolute Basics of Penetration Testing
The Phases of the PTES
Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
Types of Penetration Tests
Overt Penetration Testing
Covert Penetration Testing
Vulnerability Scanners
Pulling It All Together
Chapter 2: Metasploit Basics
Terminology
Exploit
Payload
Shellcode
Module
Listener
Metasploit Interfaces
MSFconsole
MSFcli
Armitage
Metasploit Utilities
MSFpayload
MSFencode
Nasm Shell
Metasploit Express and Metasploit Pro
Wrapping Up
Chapter 3: Intelligence Gathering
Passive Information Gathering
whois Lookups
Netcraft
NSLookup
Active Information Gathering
Port Scanning with Nmap
Working with Databases in Metasploit
Port Scanning with Metasploit
Targeted Scanning
Server Message Block Scanning
Hunting for Poorly Configured Microsoft SQL Servers
SSH Server Scanning
FTP Scanning
Simple Network Management Protocol Sweeping
Writing a Custom Scanner
Looking Ahead
Chapter 4: Vulnerability Scanning
The Basic Vulnerability Scan
Scanning with NeXpose
Configuration
Importing Your Report into the Metasploit Framework
Running NeXpose Within MSFconsole
Scanning with Nessus
Nessus Configuration
Creating a Nessus Scan Policy
Running a Nessus Scan
Nessus Reports
Importing Results into the Metasploit Framework
Scanning with Nessus from Within Metasploit
Specialty Vulnerability Scanners
Validating SMB Logins
Scanning for Open VNC Authentication
Scanning for Open X11 Servers
Chapter 5: The Joy of Exploitation
Basic Exploitation
msf> show exploits
msf> show auxiliary
msf> show options
msf> show payloads
msf> show targets
info
set and unset
setg and unsetg
save
Exploiting Your First Machine
Exploiting an Ubuntu Machine
All-Ports Payloads: Brute Forcing Ports
Resource Files
Wrapping Up
Chapter 6: Meterpreter
Compromising a Windows XP Virtual Machine
Scanning for Ports with Nmap
Attacking MS SQL
Brute Forcing MS SQL Server
The xp_cmdshell
Basic Meterpreter Commands
Capturing Keystrokes
Dumping Usernames and Passwords
Extracting the Password Hashes
Dumping the Password Hash
Pass the Hash
Privilege Escalation
Token Impersonation
Using ps
Pivoting onto Other Systems
Using Meterpreter Scripts
Migrating a Process
Killing Antivirus Software
Obtaining System Password Hashes
Viewing All Traffic on a Target Machine
Scraping a System
Using Persistence
Leveraging Post Exploitation Modules
Upgrading Your Command Shell to Meterpreter
Manipulating Windows APIs with the Railgun Add-On
Wrapping Up
Chapter 7: Avoiding Detection
Creating Stand-Alone Binaries with MSFpayload
Evading Antivirus Detection
Encoding with MSFencode
Multi-encoding
Custom Executable Templates
Launching a Payload Stealthily
Packers
A Final Note on Antivirus Software Evasion
Chapter 8: Exploitation Using Client-Side Attacks
Browser-Based Exploits
How Browser-Based Exploits Work
Looking at NOPs
Using Immunity Debugger to Decipher NOP Shellcode
Exploring the Internet Explorer Aurora Exploit
File Format Exploits
Sending the Payload
Wrapping Up
Chapter 9: Metasploit Auxiliary Modules
Auxiliary Modules in Use
Anatomy of an Auxiliary Module
Going Forward
Chapter 10: The Social-Engineer Toolkit
Configuring the Social-Engineer Toolkit
Spear-Phishing Attack Vector
Web Attack Vectors
Java Applet
Client-Side Web Exploits
Username and Password Harvesting
Tabnabbing
Man-Left-in-the-Middle
Web Jacking
Putting It All Together with a Multipronged Attack
Infectious Media Generator
Teensy USB HID Attack Vector
Additional SET Features
Looking Ahead
Chapter 11: Fast-Track
Microsoft SQL Injection
SQL Injector-Query String Attack
SQL Injector-POST Parameter Attack
Manual Injection
MSSQL Bruter
SQLPwnage
Binary-to-Hex Generator
Mass Client-Side Attack
A Few Words About Automation
Chapter 12: Karmetasploit
Configuration
Launching the Attack
Credential Harvesting
Getting a Shell
Wrapping Up
Chapter 13: Building Your Own Module
Getting Command Execution on Microsoft SQL
Exploring an Existing Metasploit Module
Creating a New Module
PowerShell
Running the Shell Exploit
Creating powershell_upload_exec
Conversion from Hex to Binary
Counters
Running the Exploit
The Power of Code Reuse
Chapter 14: Creating Your Own Exploits
The Art of Fuzzing
Controlling the Structured Exception Handler
Hopping Around SEH Restrictions
Getting a Return Address
Bad Characters and Remote Code Execution
Wrapping Up
Chapter 15: Porting Exploits to the Metasploit Framework
Assembly Language Basics
EIP and ESP Registers
The JMP Instruction Set
NOPs and NOP Slides
Porting a Buffer Overflow
Stripping the Existing Exploit
Configuring the Exploit Definition
Testing Our Base Exploit
Implementing Features of the Framework
Adding Randomization
Removing the NOP Slide
Removing the Dummy Shellcode
Our Completed Module
SEH Overwrite Exploit
Wrapping Up
Chapter 16: Meterpreter Scripting
Meterpreter Scripting Basics
Meterpreter API
Printing Output
Base API Calls
Meterpreter Mixins
Rules for Writing Meterpreter Scripts
Creating Your Own Meterpreter Script
Wrapping Up
Chapter 17: Simulated Penetration Test
Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Exploitation
Customizing MSFconsole
Post Exploitation
Scanning the Metasploitable System
Identifying Vulnerable Services
Attacking Apache Tomcat
Attacking Obscure Services
Covering Your Tracks
Wrapping Up
Appendix A: Configuring Your Target Machines
Installing and Setting Up the System
Booting Up the Linux Virtual Machines
Setting Up a Vulnerable Windows XP Installation
Configuring Your Web Server on Windows XP
Building a SQL Server
Creating a Vulnerable Web Application
Updating Back|Track or Kali
Bleeding Edge Repositories
Appendix B: Cheat Sheet
MSFconsole Commands
Meterpreter Commands
MSFpayload Commands
MSFencode Commands
MSFcli Commands
MSF, Ninja, Fu
MSFvenom
Meterpreter Post Exploitation Commands
Index
Updates
About the Authors