
Mastering Metasploit (e-book)

Price: ¥

2 people reading | 0 reviews 9.8

Author: Nipun Jaswal

Publisher: Packt Publishing

Publication date: 2018-05-28

Word count: 379,000

Category: Imported books > Foreign-language originals > Computers/Networking

Discover the next level of network defense with the Metasploit framework.

About This Book

  • Gain the skills to carry out penetration testing in complex and highly secured environments
  • Become a master of the Metasploit framework, develop exploits, and generate modules for a variety of real-world scenarios
  • Get this completely updated edition with new useful methods and techniques to make your network robust and resilient

Who This Book Is For

This book is a hands-on guide to penetration testing using Metasploit and covers its complete development. It shows a number of techniques and methodologies that will help you master the Metasploit framework and explore approaches to carrying out advanced penetration testing in highly secured environments.

What You Will Learn

  • Develop advanced and sophisticated auxiliary modules
  • Port exploits from Perl, Python, and many more programming languages
  • Test services such as databases, SCADA, and many more
  • Attack the client side with highly advanced techniques
  • Test mobile and tablet devices with Metasploit
  • Bypass modern protections such as antivirus and IDS with Metasploit
  • Simulate attacks on web servers and systems with the Armitage GUI
  • Script attacks in Armitage using Cortana scripting

In Detail

We start by reminding you of the basic functionalities of Metasploit and its use in the most traditional ways. You'll get to know the basics of programming Metasploit modules as a refresher and then dive into carrying out exploitation as well as building and porting exploits of various kinds in Metasploit. In the next section, you'll develop the ability to perform testing on various services such as databases, cloud environments, IoT, mobile, tablets, and similar services. After this training, we jump into real-world sophisticated scenarios where performing penetration tests is a challenge.

With real-life case studies, we take you on a journey through client-side attacks using Metasploit and various scripts built on the Metasploit framework. By the end of the book, you will be trained specifically on time-saving techniques using Metasploit.

Style and approach

This is a step-by-step guide that provides great Metasploit framework methodologies. All the key concepts are explained in detail with the help of examples and demonstrations that will help you understand everything you need to know about Metasploit.
Table of contents

Title Page

Copyright and Credits

Mastering Metasploit Third Edition

Dedication

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Get in touch

Reviews

Disclaimer

Approaching a Penetration Test Using Metasploit

Organizing a penetration test

Preinteractions

Intelligence gathering/reconnaissance phase

Threat modeling

Vulnerability analysis

Exploitation and post-exploitation

Reporting

Mounting the environment

Setting up Kali Linux in a virtual environment

The fundamentals of Metasploit

Conducting a penetration test with Metasploit

Recalling the basics of Metasploit

Benefits of penetration testing using Metasploit

Open source

Support for testing large networks and natural naming conventions

Smart payload generation and switching mechanism

Cleaner exits

The GUI environment

Case study - diving deep into an unknown network

Gathering intelligence

Using databases in Metasploit

Modeling threats

Vulnerability analysis - arbitrary file upload (unauthenticated)

Attacking mechanism on the PhpCollab 2.5.1 application

Exploitation and gaining access

Escalating privileges with local root exploits

Maintaining access with Metasploit

Post-exploitation and pivoting

Vulnerability analysis - SEH based buffer overflow

Exploiting human errors by compromising Password Managers

Revisiting the case study

Revising the approach

Summary and exercises

Reinventing Metasploit

Ruby - the heart of Metasploit

Creating your first Ruby program

Interacting with the Ruby shell

Defining methods in the shell

Variables and data types in Ruby

Working with strings

Concatenating strings

The substring function

The split function

Numbers and conversions in Ruby

Conversions in Ruby

Ranges in Ruby

Arrays in Ruby

Methods in Ruby

Decision-making operators

Loops in Ruby

Regular expressions

Wrapping up with Ruby basics

Developing custom modules

Building a module in a nutshell

The architecture of the Metasploit framework

Understanding the file structure

The libraries layout

Understanding the existing modules

The format of a Metasploit module

Disassembling the existing HTTP server scanner module

Libraries and the function

Writing out a custom FTP scanner module

Libraries and functions

Using msftidy

Writing out a custom SSH-authentication with a brute force attack

Rephrasing the equation

Writing a drive-disabler post-exploitation module

Writing a credential harvester post-exploitation module

Breakthrough Meterpreter scripting

Essentials of Meterpreter scripting

Setting up persistent access

API calls and mixins

Fabricating custom Meterpreter scripts

Working with RailGun

Interactive Ruby shell basics

Understanding RailGun and its scripting

Manipulating Windows API calls

Fabricating sophisticated RailGun scripts

Summary and exercises

The Exploit Formulation Process

The absolute basics of exploitation

The basics

The architecture

System organization basics

Registers

Exploiting stack-based buffer overflows with Metasploit

Crashing the vulnerable application

Building the exploit base

Calculating the offset

Using the pattern_create tool

Using the pattern_offset tool

Finding the JMP ESP address

Using the Immunity Debugger to find executable modules

Using msfpescan

Stuffing the space

Relevance of NOPs

Determining bad characters

Determining space limitations

Writing the Metasploit exploit module

Exploiting SEH-based buffer overflows with Metasploit

Building the exploit base

Calculating the offset

Using the pattern_create tool

Using the pattern_offset tool

Finding the POP/POP/RET address

The Mona script

Using msfpescan

Writing the Metasploit SEH exploit module

Using the NASM shell for writing assembly instructions

Bypassing DEP in Metasploit modules

Using msfrop to find ROP gadgets

Using Mona to create ROP chains

Writing the Metasploit exploit module for DEP bypass

Other protection mechanisms

Summary

Porting Exploits

Importing a stack-based buffer overflow exploit

Gathering the essentials

Generating a Metasploit module

Exploiting the target application with Metasploit

Implementing a check method for exploits in Metasploit

Importing web-based RCE into Metasploit

Gathering the essentials

Grasping the important web functions

The essentials of the GET/POST method

Importing an HTTP exploit into Metasploit

Importing TCP server/browser-based exploits into Metasploit

Gathering the essentials

Generating the Metasploit module

Summary

Testing Services with Metasploit

Fundamentals of testing SCADA systems

The fundamentals of ICS and its components

The significance of ICS-SCADA

Exploiting HMI in SCADA servers

Fundamentals of testing SCADA

SCADA-based exploits

Attacking the Modbus protocol

Securing SCADA

Implementing secure SCADA

Restricting networks

Database exploitation

SQL server

Scanning MSSQL with Metasploit modules

Brute forcing passwords

Locating/capturing server passwords

Browsing the SQL server

Post-exploiting/executing system commands

Reloading the xp_cmdshell functionality

Running SQL-based queries

Testing VOIP services

VOIP fundamentals

An introduction to PBX

Types of VOIP services

Self-hosted network

Hosted services

SIP service providers

Fingerprinting VOIP services

Scanning VOIP services

Spoofing a VOIP call

Exploiting VOIP

About the vulnerability

Exploiting the application

Summary

Virtual Test Grounds and Staging

Performing a penetration test with integrated Metasploit services

Interaction with the employees and end users

Gathering intelligence

Example environment being tested

Vulnerability scanning with OpenVAS using Metasploit

Modeling the threat areas

Gaining access to the target

Exploiting the Active Directory (AD) with Metasploit

Finding the domain controller

Enumerating shares in the Active Directory network

Enumerating the AD computers

Enumerating signed-in users in the Active Directory

Enumerating domain tokens

Using extapi in Meterpreter

Enumerating open Windows using Metasploit

Manipulating the clipboard

Using ADSI management commands in Metasploit

Using PsExec exploit in the network

Using Kiwi in Metasploit

Using cachedump in Metasploit

Maintaining access to AD

Generating manual reports

The format of the report

The executive summary

Methodology/network admin-level report

Additional sections

Summary

Client-Side Exploitation

Exploiting browsers for fun and profit

The browser autopwn attack

The technology behind the browser autopwn attack

Attacking browsers with Metasploit browser autopwn

Compromising the clients of a website

Injecting the malicious web scripts

Hacking the users of a website

The autopwn with DNS spoofing and MITM attacks

Tricking victims with DNS hijacking

Using Kali NetHunter with browser exploits

Metasploit and Arduino - the deadly combination

File format-based exploitation

PDF-based exploits

Word-based exploits

Attacking Android with Metasploit

Summary and exercises

Metasploit Extended

Basics of post-exploitation with Metasploit

Basic post-exploitation commands

The help menu

The background command

Reading from a channel

File operation commands

Desktop commands

Screenshots and camera enumeration

Advanced post-exploitation with Metasploit

Obtaining system privileges

Changing access, modification, and creation time with timestomp

Additional post-exploitation modules

Gathering wireless SSIDs with Metasploit

Gathering Wi-Fi passwords with Metasploit

Getting the applications list

Gathering Skype passwords

Gathering USB history

Searching files with Metasploit

Wiping logs from the target with the clearev command

Advanced extended features of Metasploit

Using pushm and popm commands

Speeding up development using the reload, edit, and reload_all commands

Making use of resource scripts

Using AutoRunScript in Metasploit

Using the multiscript module in AutoRunScript option

Privilege escalation using Metasploit

Finding passwords in clear text using mimikatz

Sniffing traffic with Metasploit

Host file injection with Metasploit

Phishing Windows login passwords

Summary and exercises

Evasion with Metasploit

Evading Meterpreter using C wrappers and custom encoders

Writing a custom Meterpreter encoder/decoder in C

Evading intrusion detection systems with Metasploit

Using random cases for fun and profit

Using fake relatives to fool IDS systems

Bypassing Windows firewall blocked ports

Using the reverse Meterpreter on all ports

Summary and exercises

Metasploit for Secret Agents

Maintaining anonymity in Meterpreter sessions

Maintaining access using vulnerabilities in common software

DLL search order hijacking

Using code caves for hiding backdoors

Harvesting files from target systems

Using venom for obfuscation

Covering tracks with anti-forensics modules

Summary

Visualizing with Armitage

The fundamentals of Armitage

Getting started

Touring the user interface

Managing the workspace

Scanning networks and host management

Modeling out vulnerabilities

Finding the match

Exploitation with Armitage

Post-exploitation with Armitage

Red teaming with Armitage team server

Scripting Armitage

The fundamentals of Cortana

Controlling Metasploit

Post-exploitation with Cortana

Building a custom menu in Cortana

Working with interfaces

Summary

Tips and Tricks

Automation using Minion script

Using connect as Netcat

Shell upgrades and background sessions

Naming conventions

Changing the prompt and making use of database variables

Saving configurations in Metasploit

Using inline handler and renaming jobs

Running commands on multiple Meterpreters

Automating the Social Engineering Toolkit

Cheat sheets on Metasploit and penetration testing

Further reading

Other Books You May Enjoy

Leave a review - let other readers know what you think
