You are previewing Metasploit.
O'Reilly logo
Metasploit

Book Description

"The best guide to the Metasploit Framework." ?HD Moore, Founder of the Metasploit Project

The Metasploit Framework is a powerful suite of tools that security researchers use to investigate and resolve potential network and system vulnerabilities. Metasploit: The Penetration Tester's Guide shows readers how to assess networks by using Metasploit to launch simulated attacks that expose weaknesses in their security.

Table of Contents

  1. Metasploit
    1. Foreword
    2. Preface
    3. Acknowledgments
      1. Special Thanks
    4. Introduction
      1. Why Do a Penetration Test?
      2. Why Metasploit?
      3. A Brief History of Metasploit
      4. About This Book
      5. What’s in the Book?
      6. A Note on Ethics
    5. 1. The Absolute Basics of Penetration Testing
      1. The Phases of the PTES
        1. Pre-engagement Interactions
        2. Intelligence Gathering
        3. Threat Modeling
        4. Vulnerability Analysis
        5. Exploitation
        6. Post Exploitation
        7. Reporting
      2. Types of Penetration Tests
        1. Overt Penetration Testing
        2. Covert Penetration Testing
      3. Vulnerability Scanners
      4. Pulling It All Together
    6. 2. Metasploit Basics
      1. Terminology
        1. Exploit
        2. Payload
        3. Shellcode
        4. Module
        5. Listener
      2. Metasploit Interfaces
        1. MSFconsole
          1. Starting MSFconsole
        2. MSFcli
          1. Sample Usage
        3. Armitage
          1. Running Armitage
      3. Metasploit Utilities
        1. MSFpayload
        2. MSFencode
        3. Nasm Shell
      4. Metasploit Express and Metasploit Pro
      5. Wrapping Up
    7. 3. Intelligence Gathering
      1. Passive Information Gathering
        1. whois Lookups
        2. Netcraft
        3. NSLookup
      2. Active Information Gathering
        1. Port Scanning with Nmap
        2. Working with Databases in Metasploit
          1. Importing Nmap Results into Metasploit
          2. Advanced Nmap Scanning: TCP Idle Scan
          3. Running Nmap from MSFconsole
        3. Port Scanning with Metasploit
      3. Targeted Scanning
        1. Server Message Block Scanning
        2. Hunting for Poorly Configured Microsoft SQL Servers
        3. SSH Server Scanning
        4. FTP Scanning
        5. Simple Network Management Protocol Sweeping
      4. Writing a Custom Scanner
      5. Looking Ahead
    8. 4. Vulnerability Scanning
      1. The Basic Vulnerability Scan
      2. Scanning with NeXpose
        1. Configuration
          1. The New Site Wizard
          2. The New Manual Scan Wizard
          3. The New Report Wizard
        2. Importing Your Report into the Metasploit Framework
        3. Running NeXpose Within MSFconsole
      3. Scanning with Nessus
        1. Nessus Configuration
        2. Creating a Nessus Scan Policy
        3. Running a Nessus Scan
        4. Nessus Reports
        5. Importing Results into the Metasploit Framework
        6. Scanning with Nessus from Within Metasploit
      4. Specialty Vulnerability Scanners
        1. Validating SMB Logins
        2. Scanning for Open VNC Authentication
        3. Scanning for Open X11 Servers
      5. Using Scan Results for Autopwning
    9. 5. The Joy of Exploitation
      1. Basic Exploitation
        1. msf> show exploits
        2. msf> show auxiliary
        3. msf> show options
        4. msf> show payloads
        5. msf> show targets
        6. info
        7. set and unset
        8. setg and unsetg
        9. save
      2. Exploiting Your First Machine
      3. Exploiting an Ubuntu Machine
      4. All-Ports Payloads: Brute Forcing Ports
      5. Resource Files
      6. Wrapping Up
    10. 6. Meterpreter
      1. Compromising a Windows XP Virtual Machine
        1. Scanning for Ports with Nmap
        2. Attacking MS SQL
        3. Brute Forcing MS SQL Server
        4. The xp_cmdshell
        5. Basic Meterpreter Commands
          1. Capturing a Screenshot
          2. sysinfo
        6. Capturing Keystrokes
      2. Dumping Usernames and Passwords
        1. Extracting the Password Hashes
        2. Dumping the Password Hash
      3. Pass the Hash
      4. Privilege Escalation
      5. Token Impersonation
      6. Using ps
      7. Pivoting onto Other Systems
      8. Using Meterpreter Scripts
        1. Migrating a Process
        2. Killing Antivirus Software
        3. Obtaining System Password Hashes
        4. Viewing All Traffic on a Target Machine
        5. Scraping a System
        6. Using Persistence
      9. Leveraging Post Exploitation Modules
      10. Upgrading Your Command Shell to Meterpreter
      11. Manipulating Windows APIs with the Railgun Add-On
      12. Wrapping Up
    11. 7. Avoiding Detection
      1. Creating Stand-Alone Binaries with MSFpayload
      2. Evading Antivirus Detection
        1. Encoding with MSFencode
        2. Multi-encoding
      3. Custom Executable Templates
      4. Launching a Payload Stealthily
      5. Packers
      6. A Final Note on Antivirus Software Evasion
    12. 8. Exploitation Using Client-Side Attacks
      1. Browser-Based Exploits
        1. How Browser-Based Exploits Work
        2. Looking at NOPs
      2. Using Immunity Debugger to Decipher NOP Shellcode
      3. Exploring the Internet Explorer Aurora Exploit
      4. File Format Exploits
      5. Sending the Payload
      6. Wrapping Up
    13. 9. Metasploit Auxiliary Modules
      1. Auxiliary Modules in Use
      2. Anatomy of an Auxiliary Module
      3. Going Forward
    14. 10. The Social-Engineer Toolkit
      1. Configuring the Social-Engineer Toolkit
      2. Spear-Phishing Attack Vector
      3. Web Attack Vectors
        1. Java Applet
        2. Client-Side Web Exploits
        3. Username and Password Harvesting
        4. Tabnabbing
        5. Man-Left-in-the-Middle
        6. Web Jacking
        7. Putting It All Together with a Multipronged Attack
      4. Infectious Media Generator
      5. Teensy USB HID Attack Vector
      6. Additional SET Features
      7. Looking Ahead
    15. 11. Fast-Track
      1. Microsoft SQL Injection
        1. SQL Injector—Query String Attack
        2. SQL Injector—POST Parameter Attack
        3. Manual Injection
        4. MSSQL Bruter
        5. SQLPwnage
      2. Binary-to-Hex Generator
      3. Mass Client-Side Attack
      4. A Few Words About Automation
    16. 12. Karmetasploit
      1. Configuration
      2. Launching the Attack
      3. Credential Harvesting
      4. Getting a Shell
      5. Wrapping Up
    17. 13. Building Your Own Module
      1. Getting Command Execution on Microsoft SQL
      2. Exploring an Existing Metasploit Module
      3. Creating a New Module
        1. PowerShell
        2. Running the Shell Exploit
        3. Creating powershell_upload_exec
        4. Conversion from Hex to Binary
        5. Counters
        6. Running the Exploit
      4. The Power of Code Reuse
    18. 14. Creating Your Own Exploits
      1. The Art of Fuzzing
      2. Controlling the Structured Exception Handler
      3. Hopping Around SEH Restrictions
      4. Getting a Return Address
      5. Bad Characters and Remote Code Execution
      6. Wrapping Up
    19. 15. Porting Exploits to the Metasploit Framework
      1. Assembly Language Basics
        1. EIP and ESP Registers
        2. The JMP Instruction Set
        3. NOPs and NOP Slides
      2. Porting a Buffer Overflow
        1. Stripping the Existing Exploit
        2. Configuring the Exploit Definition
        3. Testing Our Base Exploit
        4. Implementing Features of the Framework
        5. Adding Randomization
        6. Removing the NOP Slide
        7. Removing the Dummy Shellcode
        8. Our Completed Module
      3. SEH Overwrite Exploit
      4. Wrapping Up
    20. 16. Meterpreter Scripting
      1. Meterpreter Scripting Basics
      2. Meterpreter API
        1. Printing Output
        2. Base API Calls
        3. Meterpreter Mixins
      3. Rules for Writing Meterpreter Scripts
      4. Creating Your Own Meterpreter Script
      5. Wrapping Up
    21. 17. Simulated Penetration Test
      1. Pre-engagement Interactions
      2. Intelligence Gathering
      3. Threat Modeling
      4. Exploitation
      5. Customizing MSFconsole
      6. Post Exploitation
        1. Scanning the Metasploitable System
        2. Identifying Vulnerable Services
      7. Attacking Apache Tomcat
      8. Attacking Obscure Services
      9. Covering Your Tracks
      10. Wrapping Up
    22. A. Configuring Your Target Machines
      1. Installing and Setting Up the System
      2. Booting Up the Linux Virtual Machines
      3. Setting Up a Vulnerable Windows XP Installation
        1. Configuring Your Web Server on Windows XP
        2. Building a SQL Server
        3. Creating a Vulnerable Web Application
        4. Updating Back|Track
    23. B. Cheat Sheet
      1. MSFconsole Commands
      2. Meterpreter Commands
      3. MSFpayload Commands
      4. MSFencode Commands
      5. MSFcli Commands
      6. MSF, Ninja, Fu
      7. MSFvenom
      8. Meterpreter Post Exploitation Commands
    24. Index
    25. About the Authors
    26. Colophon
    27. C. Updates