Mastering Metasploit
Table of Contents
Mastering Metasploit
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Approaching a Penetration Test Using Metasploit
Setting up the environment
Preinteractions
Intelligence gathering / reconnaissance phase
Presensing the test grounds
Modeling threats
Vulnerability analysis
Exploitation and post-exploitation
Reporting
Mounting the environment
Setting up the penetration test lab
The fundamentals of Metasploit
Configuring Metasploit on different environments
Configuring Metasploit on Windows XP/7
Configuring Metasploit on Ubuntu
Dealing with error states
Errors in the Windows-based installation
Errors in the Linux-based installation
Conducting a penetration test with Metasploit
Recalling the basics of Metasploit
Penetration testing Windows XP
Assumptions
Gathering intelligence
Modeling threats
Vulnerability analysis
The attack procedure with respect to the NETAPI vulnerability
The concept of attack
The procedure of exploiting a vulnerability
Exploitation and post-exploitation
Maintaining access
Clearing tracks
Penetration testing Windows Server 2003
Penetration testing Windows 7
Gathering intelligence
Modeling threats
Vulnerability analysis
The exploitation procedure
Exploitation and post-exploitation
Using the database to store and fetch results
Generating reports
The dominance of Metasploit
Open source
Support for testing large networks and easy naming conventions
Smart payload generation and switching mechanism
Cleaner exits
The GUI environment
Summary
2. Reinventing Metasploit
Ruby – the heart of Metasploit
Creating your first Ruby program
Interacting with the Ruby shell
Defining methods in the shell
Variables and data types in Ruby
Working with strings
The split function
The squeeze function
Numbers and conversions in Ruby
Ranges in Ruby
Arrays in Ruby
Methods in Ruby
Decision-making operators
Loops in Ruby
Regular expressions
Wrapping up with Ruby basics
Developing custom modules
Building a module in a nutshell
The architecture of the Metasploit framework
Understanding the libraries' layout
Understanding the existing modules
Writing out a custom FTP scanner module
Writing out a custom HTTP server scanner
Writing out post-exploitation modules
Breakthrough meterpreter scripting
Essentials of meterpreter scripting
Pivoting the target network
Setting up persistent access
API calls and mixins
Fabricating custom meterpreter scripts
Working with RailGun
Interactive Ruby shell basics
Understanding RailGun and its scripting
Manipulating Windows API calls
Fabricating sophisticated RailGun scripts
Summary
3. The Exploit Formulation Process
The elemental assembly primer
The basics
Architectures
System organization basics
Registers
Gravity of EIP
Gravity of ESP
Relevance of NOPs and JMP
Variables and declaration
Fabricating example assembly programs
The joy of fuzzing
Crashing the application
Variable input supplies
Generating junk
An introduction to Immunity Debugger
An introduction to GDB
Building up the exploit base
Calculating the buffer size
Calculating the JMP address
Examining the EIP
The script
Stuffing applications for fun and profit
Examining ESP
Stuffing the space
Finalizing the exploit
Determining bad characters
Determining space limitations
Fabricating under Metasploit
Automation functions in Metasploit
The fundamentals of a structured exception handler
Controlling SEH
Bypassing SEH
SEH-based exploits
Summary
4. Porting Exploits
Porting a Perl-based exploit
Dismantling the existing exploit
Understanding the logic of exploitation
Gathering the essentials
Generating a skeleton for the exploit
Generating a skeleton using Immunity Debugger
Stuffing the values
Precluding the ShellCode
Experimenting with the exploit
Porting a Python-based exploit
Dismantling the existing exploit
Gathering the essentials
Generating a skeleton
Stuffing the values
Experimenting with the exploit
Porting a web-based exploit
Dismantling the existing exploit
Gathering the essentials
Grasping the important web functions
The essentials of the GET/POST method
Fabricating an auxiliary-based exploit
Working and explanation
Experimenting with the auxiliary exploit
Summary
5. Offstage Access to Testing Services
The fundamentals of SCADA
The fundamentals of ICS and its components
The seriousness of ICS-SCADA
SCADA torn apart
The fundamentals of testing SCADA
SCADA-based exploits
Securing SCADA
Implementing secure SCADA
Restricting networks
Database exploitation
SQL server
FootPrinting SQL server with Nmap
Scanning with Metasploit modules
Brute forcing passwords
Locating/capturing server passwords
Browsing SQL server
Post-exploiting/executing system commands
Reloading the xp_cmdshell functionality
Running SQL-based queries
VOIP exploitation
VOIP fundamentals
An introduction to PBX
Types of VOIP services
Self-hosted network
Hosted services
SIP service providers
FootPrinting VOIP services
Scanning VOIP services
Spoofing a VOIP call
Exploiting VOIP
About the vulnerability
Exploiting the application
Post-exploitation on Apple iDevices
Exploiting iOS with Metasploit
Summary
6. Virtual Test Grounds and Staging
Performing a white box penetration test
Interaction with the employees and end users
Gathering intelligence
Explaining the fundamentals of the OpenVAS vulnerability scanner
Setting up OpenVAS
Greenbone interfaces for OpenVAS
Modeling the threat areas
Targeting suspected vulnerability prone systems
Gaining access
Covering tracks
Introducing MagicTree
Other reporting services
Generating manual reports
The format of the report
The executive summary
Methodology / network admin level report
Additional sections
Performing a black box penetration test
FootPrinting
Using Dmitry for FootPrinting
WHOIS details and information
Finding out subdomains
E-mail harvesting
DNS enumeration with Metasploit
Conducting a black box test with Metasploit
Pivoting to the target
Scanning the hidden target using proxychains and db_nmap
Conducting vulnerability scanning using Nessus
Exploiting the hidden target
Elevating privileges
Summary
7. Sophisticated Client-side Attacks
Exploiting browsers
The workings of the browser autopwn attack
The technology behind the attack
Attacking browsers with Metasploit browser autopwn
File format-based exploitation
PDF-based exploits
Word-based exploits
Media-based exploits
Compromising XAMPP servers
The PHP meterpreter
Escalating to system-level privileges
Compromising the clients of a website
Injecting the malicious web scripts
Hacking the users of a website
Bypassing AV detections
msfencode
msfvenom
Cautions while using encoders
Conjunction with DNS spoofing
Tricking victims with DNS hijacking
Attacking Linux with malicious packages
Summary
8. The Social Engineering Toolkit
Explaining the fundamentals of the social engineering toolkit
The attack types
Attacking with SET
Creating a Payload and Listener
Infectious Media Generator
Website Attack Vectors
The Java applet attack
The tabnabbing attack
The web jacking attack
Third-party attacks with SET
Providing additional features and further readings
The SET web interface
Automating SET attacks
Summary
9. Speeding Up Penetration Testing
Introducing automated tools
Fast Track MS SQL attack vectors
A brief about Fast Track
Carrying out the MS SQL brute force attack
The depreciation of Fast Track
Renewed Fast Track in SET
Automated exploitation in Metasploit
Re-enabling db_autopwn
Scanning the target
Attacking the database
Fake updates with the DNS-spoofing attack
Introducing WebSploit
Fixing up WebSploit
Fixing path issues
Fixing payload generation
Fixing the file copy issue
Attacking a LAN with WebSploit
Summary
10. Visualizing with Armitage
The fundamentals of Armitage
Getting started
Touring the user interface
Managing the workspace
Scanning networks and host management
Modeling out vulnerabilities
Finding the match
Exploitation with Armitage
Post-exploitation with Armitage
Attacking on the client side with Armitage
Scripting Armitage
The fundamentals of Cortana
Controlling Metasploit
Post-exploitation with Cortana
Building a custom menu in Cortana
Working with interfaces
Summary
Further reading
Index