
Metasploit
The Penetration Tester's Guide
No Starch Press
Published on 15. July 2011
328 pages
978-1-59327-402-3 (ISBN)
System requirements
for ePUB without DRM
E-Book Single Licence
You are acquiring a single user licence for this eBook, which you might not transfer.
Available for download
Description
All about eBooks | Answers to questions about eBooks, copy protection and file formats can be found in our Info & Help section.
The Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users. Metasploit: The Penetration Tester's Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors.
Once you've built your foundation for penetration testing, you'll learn the Framework's conventions, interfaces, and module system as you launch simulated attacks. You'll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.
Learn how to:
-Find and exploit unmaintained, misconfigured, and unpatched systems
-Perform reconnaissance and find valuable information about your target
-Bypass anti-virus technologies and circumvent security controls
-Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery
-Use the Meterpreter shell to launch further attacks from inside the network
-Harness standalone Metasploit utilities, third-party tools, and plug-ins
-Learn how to write your own Meterpreter post exploitation modules and scripts
You'll even touch on exploit discovery for zero-day research, write a fuzzer, port existing exploits into the Framework, and learn how to cover your tracks. Whether your goal is to secure your own networks or to put someone else's to the test, Metasploit: The Penetration Tester's Guide will take you there and beyond.
More details
Language
English
Place of publication
New York
United States
Product notice
Reflowable
File size
3,71 MB
ISBN-13
978-1-59327-402-3 (9781593274023)
Schweitzer Classification
Other editions
Additional editions

Book
07/2011
1st Edition
No Starch Press
€47.00
Article exhausted; check for reprint
Persons
David Kennedy is Chief Information Security Officer at Diebold Incorporated and creator of the Social-Engineer Toolkit (SET), Fast-Track, and other open source tools. He is on the Back|Track and Exploit-Database development team and is a core member of the Social-Engineer podcast and framework. Kennedy has presented at a number of security conferences including Black Hat, DEF CON, ShmooCon, Security B-Sides, and more.
Jim O'Gorman (Elwood) is a professional penetration tester, an instructor at Offensive Security, and manages Offensive Security's consulting services. Jim has lived online from the times of BBS's, to FidoNet, to when SLIP connections were the new hotness. Jim spends time on network intrusion simulation, digital investigations, and malware analysis. When not working on various security issues, Jim spends his time assisting his children in their attempts to fight Zombie hordes.
Devon Kearns is an instructor at Offensive-Security, a Back|Track Linux developer, and administrator of The Exploit Database. He has contributed a number of Metasploit exploit modules and is the maintainer of the Metasploit Unleashed wiki.
Mati Aharoni is the creator of the Back|Track Linux distribution and founder of Offensive-Security, the industry leader in security training.
Content
- Intro
- Metasploit
- Foreword
- Preface
- Acknowledgments
- Special Thanks
- Introduction
- Why Do a Penetration Test?
- Why Metasploit?
- A Brief History of Metasploit
- About This Book
- What's in the Book?
- A Note on Ethics
- 1. The Absolute Basics of Penetration Testing
- The Phases of the PTES
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
- Types of Penetration Tests
- Overt Penetration Testing
- Covert Penetration Testing
- Vulnerability Scanners
- Pulling It All Together
- 2. Metasploit Basics
- Terminology
- Exploit
- Payload
- Shellcode
- Module
- Listener
- Metasploit Interfaces
- MSFconsole
- Starting MSFconsole
- MSFcli
- Sample Usage
- Armitage
- Running Armitage
- Metasploit Utilities
- MSFpayload
- MSFencode
- Nasm Shell
- Metasploit Express and Metasploit Pro
- Wrapping Up
- 3. Intelligence Gathering
- Passive Information Gathering
- whois Lookups
- Netcraft
- NSLookup
- Active Information Gathering
- Port Scanning with Nmap
- Working with Databases in Metasploit
- Importing Nmap Results into Metasploit
- Advanced Nmap Scanning: TCP Idle Scan
- Running Nmap from MSFconsole
- Port Scanning with Metasploit
- Targeted Scanning
- Server Message Block Scanning
- Hunting for Poorly Configured Microsoft SQL Servers
- SSH Server Scanning
- FTP Scanning
- Simple Network Management Protocol Sweeping
- Writing a Custom Scanner
- Looking Ahead
- 4. Vulnerability Scanning
- The Basic Vulnerability Scan
- Scanning with NeXpose
- Configuration
- The New Site Wizard
- The New Manual Scan Wizard
- The New Report Wizard
- Importing Your Report into the Metasploit Framework
- Running NeXpose Within MSFconsole
- Scanning with Nessus
- Nessus Configuration
- Creating a Nessus Scan Policy
- Running a Nessus Scan
- Nessus Reports
- Importing Results into the Metasploit Framework
- Scanning with Nessus from Within Metasploit
- Specialty Vulnerability Scanners
- Validating SMB Logins
- Scanning for Open VNC Authentication
- Scanning for Open X11 Servers
- Using Scan Results for Autopwning
- 5. The Joy of Exploitation
- Basic Exploitation
- msf> show exploits
- msf> show auxiliary
- msf> show options
- msf> show payloads
- msf> show targets
- info
- set and unset
- setg and unsetg
- save
- Exploiting Your First Machine
- Exploiting an Ubuntu Machine
- All-Ports Payloads: Brute Forcing Ports
- Resource Files
- Wrapping Up
- 6. Meterpreter
- Compromising a Windows XP Virtual Machine
- Scanning for Ports with Nmap
- Attacking MS SQL
- Brute Forcing MS SQL Server
- The xp_cmdshell
- Basic Meterpreter Commands
- Capturing a Screenshot
- sysinfo
- Capturing Keystrokes
- Dumping Usernames and Passwords
- Extracting the Password Hashes
- Dumping the Password Hash
- Pass the Hash
- Privilege Escalation
- Token Impersonation
- Using ps
- Pivoting onto Other Systems
- Using Meterpreter Scripts
- Migrating a Process
- Killing Antivirus Software
- Obtaining System Password Hashes
- Viewing All Traffic on a Target Machine
- Scraping a System
- Using Persistence
- Leveraging Post Exploitation Modules
- Upgrading Your Command Shell to Meterpreter
- Manipulating Windows APIs with the Railgun Add-On
- Wrapping Up
- 7. Avoiding Detection
- Creating Stand-Alone Binaries with MSFpayload
- Evading Antivirus Detection
- Encoding with MSFencode
- Multi-encoding
- Custom Executable Templates
- Launching a Payload Stealthily
- Packers
- A Final Note on Antivirus Software Evasion
- 8. Exploitation Using Client-Side Attacks
- Browser-Based Exploits
- How Browser-Based Exploits Work
- Looking at NOPs
- Using Immunity Debugger to Decipher NOP Shellcode
- Exploring the Internet Explorer Aurora Exploit
- File Format Exploits
- Sending the Payload
- Wrapping Up
- 9. Metasploit Auxiliary Modules
- Auxiliary Modules in Use
- Anatomy of an Auxiliary Module
- Going Forward
- 10. The Social-Engineer Toolkit
- Configuring the Social-Engineer Toolkit
- Spear-Phishing Attack Vector
- Web Attack Vectors
- Java Applet
- Client-Side Web Exploits
- Username and Password Harvesting
- Tabnabbing
- Man-Left-in-the-Middle
- Web Jacking
- Putting It All Together with a Multipronged Attack
- Infectious Media Generator
- Teensy USB HID Attack Vector
- Additional SET Features
- Looking Ahead
- 11. Fast-Track
- Microsoft SQL Injection
- SQL Injector-Query String Attack
- SQL Injector-POST Parameter Attack
- Manual Injection
- MSSQL Bruter
- SQLPwnage
- Binary-to-Hex Generator
- Mass Client-Side Attack
- A Few Words About Automation
- 12. Karmetasploit
- Configuration
- Launching the Attack
- Credential Harvesting
- Getting a Shell
- Wrapping Up
- 13. Building Your Own Module
- Getting Command Execution on Microsoft SQL
- Exploring an Existing Metasploit Module
- Creating a New Module
- PowerShell
- Running the Shell Exploit
- Creating powershell_upload_exec
- Conversion from Hex to Binary
- Counters
- Running the Exploit
- The Power of Code Reuse
- 14. Creating Your Own Exploits
- The Art of Fuzzing
- Controlling the Structured Exception Handler
- Hopping Around SEH Restrictions
- Getting a Return Address
- Bad Characters and Remote Code Execution
- Wrapping Up
- 15. Porting Exploits to the Metasploit Framework
- Assembly Language Basics
- EIP and ESP Registers
- The JMP Instruction Set
- NOPs and NOP Slides
- Porting a Buffer Overflow
- Stripping the Existing Exploit
- Configuring the Exploit Definition
- Testing Our Base Exploit
- Implementing Features of the Framework
- Adding Randomization
- Removing the NOP Slide
- Removing the Dummy Shellcode
- Our Completed Module
- SEH Overwrite Exploit
- Wrapping Up
- 16. Meterpreter Scripting
- Meterpreter Scripting Basics
- Meterpreter API
- Printing Output
- Base API Calls
- Meterpreter Mixins
- Rules for Writing Meterpreter Scripts
- Creating Your Own Meterpreter Script
- Wrapping Up
- 17. Simulated Penetration Test
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Exploitation
- Customizing MSFconsole
- Post Exploitation
- Scanning the Metasploitable System
- Identifying Vulnerable Services
- Attacking Apache Tomcat
- Attacking Obscure Services
- Covering Your Tracks
- Wrapping Up
- A. Configuring Your Target Machines
- Installing and Setting Up the System
- Booting Up the Linux Virtual Machines
- Setting Up a Vulnerable Windows XP Installation
- Configuring Your Web Server on Windows XP
- Building a SQL Server
- Creating a Vulnerable Web Application
- Updating Back|Track
- B. Cheat Sheet
- MSFconsole Commands
- Meterpreter Commands
- MSFpayload Commands
- MSFencode Commands
- MSFcli Commands
- MSF, Ninja, Fu
- MSFvenom
- Meterpreter Post Exploitation Commands
- Index
- About the Authors
- Colophon
- C. Updates
System requirements
File format: ePUB
Copy protection: without DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Use a reader that can handle the file format ePUB, such as Adobe Digital Editions or FBReader – both free (see eBook Help).
- Tablet/Smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePUB works well for novels and non-fiction books – i.e., 'flowing' text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook does not use copy protection or Digital Rights Management (DRM).
For more information, see our eBook Help page.