Metasploit Revealed: Secrets of the Expert Pentester

Metasploit Revealed: Secrets of the Expert Pentester

by Sagar Rahalkar, Nipun Jaswal
Released December 2017
Publisher(s): Packt Publishing
ISBN: 9781788624596

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Exploit the secrets of Metasploit to master the art of penetration testing.

About This Book

  • Discover techniques to integrate Metasploit with the industry's leading tools
  • Carry out penetration testing in highly-secured environments with Metasploit and acquire skills to build your defense against organized and complex attacks
  • Using the Metasploit framework, develop exploits and generate modules for a variety of real-world scenarios

Who This Book Is For

This course is for penetration testers, ethical hackers, and security professionals who'd like to master the Metasploit framework and explore approaches to carrying out advanced penetration testing to build highly secure networks. Some familiarity with networking and security concepts is expected, although no familiarity of Metasploit is required.

What You Will Learn

  • Get to know the absolute basics of the Metasploit framework so you have a strong foundation for advanced attacks
  • Integrate and use various supporting tools to make Metasploit even more powerful and precise
  • Test services such as databases, SCADA, and many more
  • Attack the client side with highly advanced techniques
  • Test mobile and tablet devices with Metasploit
  • Understand how to Customize Metasploit modules and modify existing exploits
  • Write simple yet powerful Metasploit automation scripts
  • Explore steps involved in post-exploitation on Android and mobile platforms

In Detail

Metasploit is a popular penetration testing framework that has one of the largest exploit databases around. This book will show you exactly how to prepare yourself against the attacks you will face every day by simulating real-world possibilities.

This learning path will begin by introducing you to Metasploit and its functionalities. You will learn how to set up and configure Metasploit on various platforms to create a virtual test environment. You will also get your hands on various tools and components and get hands-on experience with carrying out client-side attacks. In the next part of this learning path, you'll develop the ability to perform testing on various services such as SCADA, databases, IoT, mobile, tablets, and many more services.

After this training, we jump into real-world sophisticated scenarios where performing penetration tests are a challenge. With real-life case studies, we take you on a journey through client-side attacks using Metasploit and various scripts built on the Metasploit framework.

The final instalment of your learning journey will be covered through a bootcamp approach. You will be able to bring together the learning together and speed up and integrate Metasploit with leading industry tools for penetration testing. You'll finish by working on challenges based on user's preparation and work towards solving the challenge.

The course provides you with highly practical content explaining Metasploit from the following Packt books:

  1. Metasploit for Beginners
  2. Mastering Metasploit, Second Edition
  3. Metasploit Bootcamp

Style and approach

This pragmatic learning path is packed with start-to-end instructions from getting started with Metasploit to effectively building new things and solving real-world examples. All the key concepts are explained with the help of examples and demonstrations that will help you understand everything to use this essential IT power tool.

Publisher resources

View/Submit Errata

Table of contents

  1. Preface
    1. What this learning path covers
    2. What you need for this learning path
    3. Who this learning path is for
    4. Reader feedback
    5. Customer support
    6. Errata
    7. Piracy
    8. Questions
  2. Module 1
    1. Metasploit for Beginners
  3. Introduction to Metasploit and Supporting Tools
    1. The importance of penetration testing
    2. Vulnerability assessment versus penetration testing
    3. The need for a penetration testing framework
    4. Introduction to Metasploit
    5. When to use Metasploit?
    6. Making Metasploit effective and powerful using supplementary tools
      1. Nessus
      2. NMAP
      3. w3af
      4. Armitage
    7. Summary
    8. Exercises
  4. Setting up Your Environment
    1. Using the Kali Linux virtual machine - the easiest way
    2. Installing Metasploit on Windows
    3. Installing Metasploit on Linux
    4. Setting up exploitable targets in a virtual environment
    5. Summary
    6. Exercises
  5. Metasploit Components and Environment Configuration
    1. Anatomy and structure of Metasploit
    2. Metasploit components
      1. Auxiliaries
      2. Exploits
      3. Encoders
      4. Payloads
      5. Post
    3. Playing around with msfconsole
    4. Variables in Metasploit
    5. Updating the Metasploit Framework
    6. Summary
    7. Exercises
  6. Information Gathering with Metasploit
    1. Information gathering and enumeration
      1. Transmission Control Protocol
      2. User Datagram Protocol
      3. File Transfer Protocol
      4. Server Message Block
      5. Hypertext Transfer Protocol
      6. Simple Mail Transfer Protocol
      7. Secure Shell
      8. Domain Name System
      9. Remote Desktop Protocol
    2. Password sniffing
    3. Advanced search with shodan
    4. Summary
    5. Exercises
  7. Vulnerability Hunting with Metasploit
    1. Managing the database
      1. Work spaces
      2. Importing scans
      3. Backing up the database
    2. NMAP
      1. NMAP scanning approach
    3. Nessus
      1. Scanning using Nessus from msfconsole
    4. Vulnerability detection with Metasploit auxiliaries
    5. Auto exploitation with db_autopwn
    6. Post exploitation
      1. What is meterpreter?
      2. Searching for content
      3. Screen capture
      4. Keystroke logging
      5. Dumping the hashes and cracking with JTR
      6. Shell command
      7. Privilege escalation
    7. Summary
    8. Exercises
  8. Client-side Attacks with Metasploit
    1. Need of client-side attacks
      1. What are client-side attacks?
        1. What is a Shellcode?
        2. What is a reverse shell?
        3. What is a bind shell?
        4. What is an encoder?
    2. The msfvenom utility
      1. Generating a payload with msfvenom
    3. Social Engineering with Metasploit
      1. Generating malicious PDF
      2. Creating infectious media drives
    4. Browser Autopwn
    5. Summary
    6. Exercises
  9. Web Application Scanning with Metasploit
    1. Setting up a vulnerable application
    2. Web application scanning using WMAP
    3. Metasploit Auxiliaries for Web Application enumeration and scanning
    4. Summary
    5. Exercises
  10. Antivirus Evasion and Anti-Forensics
    1. Using encoders to avoid AV detection
      1. Using packagers and encrypters
      2. What is a sandbox?
    2. Anti-forensics
      1. Timestomp
      2. clearev
    3. Summary
    4. Exercises
  11. Cyber Attack Management with Armitage
    1. What is Armitage?
    2. Starting the Armitage console
    3. Scanning and enumeration
    4. Find and launch attacks
    5. Summary
    6. Exercises
  12. Extending Metasploit and Exploit Development
    1. Exploit development concepts
      1. What is a buffer overflow?
      2. What are fuzzers?
    2. Exploit templates and mixins
      1. What are Metasploit mixins?
    3. Adding external exploits to Metasploit
    4. Summary
    5. Exercises
  13. Module 2
    1. Mastering Metasploit
  14. Approaching a Penetration Test Using Metasploit
    1. Organizing a penetration test
    2. Preinteractions
    3. Intelligence gathering/reconnaissance phase
    4. Predicting the test grounds
      1. Modeling threats
      2. Vulnerability analysis
      3. Exploitation and post-exploitation
      4. Reporting
      5. Mounting the environment
    5. Setting up Kali Linux in virtual environment
    6. The fundamentals of Metasploit
    7. Conducting a penetration test with Metasploit
      1. Recalling the basics of Metasploit
    8. Benefits of penetration testing using Metasploit
      1. Open source
      2. Support for testing large networks and easy naming conventions
      3. Smart payload generation and switching mechanism
      4. Cleaner exits
      5. The GUI environment
    9. Penetration testing an unknown network
      1. Assumptions
      2. Gathering intelligence
    10. Using databases in Metasploit
    11. Modeling threats
    12. Vulnerability analysis of VSFTPD 2.3.4 backdoor
      1. The attack procedure
      2. The procedure of exploiting the vulnerability
      3. Exploitation and post exploitation
    13. Vulnerability analysis of PHP-CGI query string parameter vulnerability
      1. Exploitation and post exploitation
    14. Vulnerability analysis of HFS 2.3
      1. Exploitation and post exploitation
    15. Maintaining access
    16. Clearing tracks
    17. Revising the approach
    18. Summary
  15. Reinventing Metasploit
    1. Ruby – the heart of Metasploit
      1. Creating your first Ruby program
        1. Interacting with the Ruby shell
        2. Defining methods in the shell
      2. Variables and data types in Ruby
        1. Working with strings
          1. Concatenating strings
          2. The substring function
          3. The split function
        2. Numbers and conversions in Ruby
          1. Conversions in Ruby
        3. Ranges in Ruby
        4. Arrays in Ruby
      3. Methods in Ruby
      4. Decision-making operators
      5. Loops in Ruby
      6. Regular expressions
      7. Wrapping up with Ruby basics
    2. Developing custom modules
      1. Building a module in a nutshell
        1. The architecture of the Metasploit framework
        2. Understanding the file structure
        3. The libraries layout
      2. Understanding the existing modules
        1. The format of a Metasploit module
      3. Disassembling existing HTTP server scanner module
        1. Libraries and the function
      4. Writing out a custom FTP scanner module
        1. Libraries and the function
          1. Using msftidy
      5. Writing out a custom SSH authentication brute forcer
        1. Rephrasing the equation
      6. Writing a drive disabler post exploitation module
      7. Writing a credential harvester post exploitation module
    3. Breakthrough meterpreter scripting
      1. Essentials of meterpreter scripting
      2. Pivoting the target network
      3. Setting up persistent access
      4. API calls and mixins
      5. Fabricating custom meterpreter scripts
    4. Working with RailGun
      1. Interactive Ruby shell basics
      2. Understanding RailGun and its scripting
      3. Manipulating Windows API calls
      4. Fabricating sophisticated RailGun scripts
    5. Summary
  16. The Exploit Formulation Process
    1. The absolute basics of exploitation
      1. The basics
      2. The architecture
        1. System organization basics
      3. Registers
    2. Exploiting stack-based buffer overflows with Metasploit
      1. Crashing the vulnerable application
      2. Building the exploit base
      3. Calculating the offset
        1. Using the pattern_create tool
        2. Using the pattern_offset tool
      4. Finding the JMP ESP address
        1. Using Immunity Debugger to find executable modules
        2. Using msfbinscan
      5. Stuffing the space
        1. Relevance of NOPs
      6. Determining bad characters
      7. Determining space limitations
      8. Writing the Metasploit exploit module
    3. Exploiting SEH-based buffer overflows with Metasploit
      1. Building the exploit base
      2. Calculating the offset
        1. Using pattern_create tool
        2. Using pattern_offset tool
      3. Finding the POP/POP/RET address
        1. The Mona script
        2. Using msfbinscan
      4. Writing the Metasploit SEH exploit module
        1. Using NASM shell for writing assembly instructions
    4. Bypassing DEP in Metasploit modules
      1. Using msfrop to find ROP gadgets
      2. Using Mona to create ROP chains
      3. Writing the Metasploit exploit module for DEP bypass
    5. Other protection mechanisms
    6. Summary
  17. Porting Exploits
    1. Importing a stack-based buffer overflow exploit
      1. Gathering the essentials
      2. Generating a Metasploit module
      3. Exploiting the target application with Metasploit
      4. Implementing a check method for exploits in Metasploit
    2. Importing web-based RCE into Metasploit
      1. Gathering the essentials
      2. Grasping the important web functions
      3. The essentials of the GET/POST method
      4. Importing an HTTP exploit into Metasploit
    3. Importing TCP server/ browser-based exploits into Metasploit
      1. Gathering the essentials
      2. Generating the Metasploit module
    4. Summary
  18. Testing Services with Metasploit
    1. The fundamentals of SCADA
      1. The fundamentals of ICS and its components
      2. The significance of ICS-SCADA
      3. Analyzing security in SCADA systems
        1. Fundamentals of testing SCADA
        2. SCADA-based exploits
      4. Securing SCADA
        1. Implementing secure SCADA
        2. Restricting networks
    2. Database exploitation
      1. SQL server
      2. Fingerprinting SQL server with Nmap
      3. Scanning with Metasploit modules
      4. Brute forcing passwords
      5. Locating/capturing server passwords
      6. Browsing SQL server
      7. Post-exploiting/executing system commands
        1. Reloading the xp_cmdshell functionality
        2. Running SQL-based queries
    3. Testing VOIP services
      1. VOIP fundamentals
        1. An introduction to PBX
        2. Types of VOIP services
        3. Self-hosted network
        4. Hosted services
        5. SIP service providers
      2. Fingerprinting VOIP services
      3. Scanning VOIP services
      4. Spoofing a VOIP call
      5. Exploiting VOIP
        1. About the vulnerability
        2. Exploiting the application
    4. Summary
  19. Virtual Test Grounds and Staging
    1. Performing a penetration test with integrated Metasploit services
      1. Interaction with the employees and end users
      2. Gathering intelligence
        1. Example environment under test
      3. Vulnerability scanning with OpenVAS using Metasploit
      4. Modeling the threat areas
      5. Gaining access to the target
        1. Vulnerability scanning with Nessus
      6. Maintaining access and covering tracks
      7. Managing a penetration test with Faraday
    2. Summary
  20. Client-side Exploitation
    1. Exploiting browsers for fun and profit
      1. The browser autopwn attack
        1. The technology behind a browser autopwn attack
        2. Attacking browsers with Metasploit browser autopwn
      2. Compromising the clients of a website
        1. Injecting malicious web scripts
        2. Hacking the users of a website
      3. Conjunction with DNS spoofing
        1. Tricking victims with DNS hijacking
    2. Metasploit and Arduino - the deadly combination
    3. File format-based exploitation
      1. PDF-based exploits
      2. Word-based exploits
    4. Compromising Linux clients with Metasploit
    5. Attacking Android with Metasploit
    6. Summary
  21. Metasploit Extended
    1. The basics of post exploitation with Metasploit
    2. Basic post exploitation commands
      1. The help menu
      2. Background command
      3. Machine ID and UUID command
      4. Reading from a channel
      5. Getting the username and process information
      6. Getting system information
      7. Networking commands
      8. File operation commands
      9. Desktop commands
      10. Screenshots and camera enumeration
    3. Additional post exploitation modules
      1. Gathering wireless SSIDs with Metasploit
      2. Gathering Wi-Fi passwords with Metasploit
      3. Getting applications list
      4. Gathering skype passwords
      5. Gathering USB history
      6. Searching files with Metasploit
      7. Wiping logs from target with clearev command
    4. Advanced extended features of Metasploit
      1. Privilege escalation using Metasploit
      2. Finding passwords in clear text using mimikatz
      3. Sniffing traffic with Metasploit
      4. Host file injection with Metasploit
      5. Phishing window login passwords
    5. Summary
  22. Speeding up Penetration Testing
    1. The loadpath command
    2. Pacing up development using reload, edit and reload_all commands
    3. Automating Social-Engineering Toolkit
    4. Summary
  23. Visualizing with Armitage
    1. The fundamentals of Armitage
      1. Getting started
      2. Touring the user interface
      3. Managing the workspace
    2. Scanning networks and host management
      1. Modeling out vulnerabilities
      2. Finding the match
    3. Exploitation with Armitage
    4. Post-exploitation with Armitage
    5. Attacking on the client side with Armitage
    6. Scripting Armitage
      1. The fundamentals of Cortana
      2. Controlling Metasploit
      3. Post-exploitation with Cortana
      4. Building a custom menu in Cortana
      5. Working with interfaces
    7. Summary
    8. Further reading
  24. Module 3
    1. Metasploit Bootcamp
  25. Getting Started with Metasploit
    1. The fundamentals of Metasploit
      1. Metasploit Framework console and commands
    2. Benefits of using Metasploit
    3. Penetration testing with Metasploit
      1. Assumptions and testing setup
    4. Phase-I: footprinting and scanning
    5. Phase-II: gaining access to the target
    6. Phase-III: maintaining access / post-exploitation / covering tracks
    7. Summary and exercises
  26. Identifying and Scanning Targets
    1. Working with FTP servers using Metasploit
      1. Scanning FTP services
      2. Modifying scanner modules for fun and profit
    2. Scanning MSSQL servers with Metasploit
      1. Using the mssql_ping module
      2. Brute-forcing MSSQL passwords
    3. Scanning SNMP services with Metasploit
    4. Scanning NetBIOS services with Metasploit
    5. Scanning HTTP services with Metasploit
    6. Scanning HTTPS/SSL with Metasploit
    7. Summary and exercises
  27. Exploitation and Gaining Access
    1. Setting up the practice environment
    2. Exploiting applications with Metasploit
      1. Using db_nmap in Metasploit
      2. Exploiting Desktop Central 9 with Metasploit
      3. Testing the security of a GlassFish web server with Metasploit
      4. Exploiting FTP services with Metasploit
    3. Converting exploits to Metasploit
      1. Gathering the essentials
      2. Generating a Metasploit module
      3. Exploiting the target application with Metasploit
    4. Summary and exercises
  28. Post-Exploitation with Metasploit
    1. Extended post-exploitation with Metasploit
      1. Advanced post-exploitation with Metasploit
        1. Migrating to safer processes
        2. Obtaining system privileges
        3. Changing access, modification, and creation time with timestomp
        4. Obtaining password hashes using hashdump
    2. Metasploit and privilege escalation
      1. Escalating privileges on Windows Server 2008
      2. Privilege escalation on Linux with Metasploit
    3. Gaining persistent access with Metasploit
      1. Gaining persistent access on Windows-based systems
      2. Gaining persistent access on Linux systems
    4. Summary
  29. Testing Services with Metasploit
    1. Testing MySQL with Metasploit
      1. Using Metasploit's mysql_version module
      2. Brute-forcing MySQL with Metasploit
      3. Finding MySQL users with Metasploit
      4. Dumping the MySQL schema with Metasploit
      5. Using file enumeration in MySQL using Metasploit
      6. Checking for writable directories
      7. Enumerating MySQL with Metasploit
      8. Running MySQL commands through Metasploit
      9. Gaining system access through MySQL
    2. Summary and exercises
  30. Fast-Paced Exploitation with Metasploit
    1. Using pushm and popm commands
    2. Making use of resource scripts
    3. Using AutoRunScript in Metasploit
      1. Using the multiscript module in the AutoRunScript option
    4. Global variables in Metasploit
    5. Wrapping up and generating manual reports
      1. The format of the report
      2. The executive summary
      3. Methodology/network admin-level report
      4. Additional sections
    6. Summary and preparation for real-world scenarios
  31. Exploiting Real-World Challenges with Metasploit
    1. Scenario 1: Mirror environment
      1. Understanding the environment
      2. Fingerprinting the target with DB_NMAP
      3. Gaining access to vulnerable web applications
      4. Migrating from a PHP meterpreter to a Windows meterpreter
      5. Pivoting to internal networks
      6. Scanning internal networks through a meterpreter pivot
      7. Using the socks server module in Metasploit
      8. Dumping passwords in clear text
      9. Sniffing a network with Metasploit
      10. Summary of the attack
    2. Scenario 2: You can't see my meterpreter
      1. Using shellcode for fun and profit
      2. Encrypting the shellcode
      3. Creating a decoder executable
    3. Further roadmap and summary
  32. Bibliography
  33. Thanks page
    1. About Packt Publishing
    2. Writing for Packt

Product information

  • Title: Metasploit Revealed: Secrets of the Expert Pentester
  • Author(s): Sagar Rahalkar, Nipun Jaswal
  • Release date: December 2017
  • Publisher(s): Packt Publishing
  • ISBN: 9781788624596