Mastering Metasploit - Second Edition (e-book)

0 readers | 0 reviews | Rating: 9.8

Author: Nipun Jaswal

Publisher: Packt Publishing

Publication date: 2016-09-01

Word count: 2.698 million

Category: Imported books > Foreign-language originals > Computers/Networking

Take your penetration testing and IT security skills to a whole new level with the secrets of Metasploit.

About This Book

  • Gain the skills to carry out penetration testing in complex and highly secured environments
  • Become a master of the Metasploit framework, develop exploits, and generate modules for a variety of real-world scenarios
  • Get this completely updated edition with new, useful methods and techniques to make your network robust and resilient

Who This Book Is For

This book is a hands-on guide to penetration testing using Metasploit and covers its complete development. It shows a number of techniques and methodologies that will help you master the Metasploit framework and explore approaches to carrying out advanced penetration testing in highly secured environments.

What You Will Learn

  • Develop advanced and sophisticated auxiliary modules
  • Port exploits from PERL, Python, and many more programming languages
  • Test services such as databases, SCADA, and many more
  • Attack the client side with highly advanced techniques
  • Test mobile and tablet devices with Metasploit
  • Perform social engineering with Metasploit
  • Simulate attacks on web servers and systems with Armitage GUI
  • Script attacks in Armitage using CORTANA scripting

In Detail

Metasploit is a popular penetration testing framework that has one of the largest exploit databases around. This book will show you exactly how to prepare yourself against the attacks you will face every day by simulating real-world possibilities.

We start by reminding you about the basic functionalities of Metasploit and its use in the most traditional ways. You'll get to know the basics of programming Metasploit modules as a refresher, and then dive into carrying out exploitation as well as building and porting exploits of various kinds in Metasploit. In the next section, you'll develop the ability to perform testing on various services such as SCADA, databases, IoT, mobile, tablets, and many more.

After this training, we jump into real-world sophisticated scenarios where performing penetration tests is a challenge. With real-life case studies, we take you on a journey through client-side attacks using Metasploit and various scripts built on the Metasploit framework. By the end of the book, you will be trained specifically in time-saving techniques using Metasploit.

Style and approach

This is a step-by-step guide that provides great Metasploit framework methodologies. All the key concepts are explained in detail with the help of examples and demonstrations that will help you understand everything you need to know about Metasploit.
Table of contents

Mastering Metasploit

Second Edition

Credits

Foreword

About the Author

About the Reviewer

www.PacktPub.com

Why subscribe?

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Errata

Piracy

Questions

1. Approaching a Penetration Test Using Metasploit

Organizing a penetration test

Preinteractions

Intelligence gathering/reconnaissance phase

Predicting the test grounds

Modeling threats

Vulnerability analysis

Exploitation and post-exploitation

Reporting

Mounting the environment

Setting up Kali Linux in virtual environment

The fundamentals of Metasploit

Conducting a penetration test with Metasploit

Recalling the basics of Metasploit

Benefits of penetration testing using Metasploit

Open source

Support for testing large networks and easy naming conventions

Smart payload generation and switching mechanism

Cleaner exits

The GUI environment

Penetration testing an unknown network

Assumptions

Gathering intelligence

Using databases in Metasploit

Modeling threats

Vulnerability analysis of VSFTPD 2.3.4 backdoor

The attack procedure

The procedure of exploiting the vulnerability

Exploitation and post exploitation

Vulnerability analysis of PHP-CGI query string parameter vulnerability

Exploitation and post exploitation

Vulnerability analysis of HFS 2.3

Exploitation and post exploitation

Maintaining access

Clearing tracks

Revising the approach

Summary

2. Reinventing Metasploit

Ruby – the heart of Metasploit

Creating your first Ruby program

Interacting with the Ruby shell

Defining methods in the shell

Variables and data types in Ruby

Working with strings

Concatenating strings

The substring function

The split function

Numbers and conversions in Ruby

Conversions in Ruby

Ranges in Ruby

Arrays in Ruby

Methods in Ruby

Decision-making operators

Loops in Ruby

Regular expressions

Wrapping up with Ruby basics

Developing custom modules

Building a module in a nutshell

The architecture of the Metasploit framework

Understanding the file structure

The libraries layout

Understanding the existing modules

The format of a Metasploit module

Disassembling existing HTTP server scanner module

Libraries and the function

Writing out a custom FTP scanner module

Libraries and the function

Using msftidy

Writing out a custom SSH authentication brute forcer

Rephrasing the equation

Writing a drive disabler post exploitation module

Writing a credential harvester post exploitation module

Breakthrough meterpreter scripting

Essentials of meterpreter scripting

Pivoting the target network

Setting up persistent access

API calls and mixins

Fabricating custom meterpreter scripts

Working with RailGun

Interactive Ruby shell basics

Understanding RailGun and its scripting

Manipulating Windows API calls

Fabricating sophisticated RailGun scripts

Summary

3. The Exploit Formulation Process

The absolute basics of exploitation

The basics

The architecture

System organization basics

Registers

Exploiting stack-based buffer overflows with Metasploit

Crashing the vulnerable application

Building the exploit base

Calculating the offset

Using the pattern_create tool

Using the pattern_offset tool

Finding the JMP ESP address

Using Immunity Debugger to find executable modules

Using msfbinscan

Stuffing the space

Relevance of NOPs

Determining bad characters

Determining space limitations

Writing the Metasploit exploit module

Exploiting SEH-based buffer overflows with Metasploit

Building the exploit base

Calculating the offset

Using pattern_create tool

Using pattern_offset tool

Finding the POP/POP/RET address

The Mona script

Using msfbinscan

Writing the Metasploit SEH exploit module

Using NASM shell for writing assembly instructions

Bypassing DEP in Metasploit modules

Using msfrop to find ROP gadgets

Using Mona to create ROP chains

Writing the Metasploit exploit module for DEP bypass

Other protection mechanisms

Summary

4. Porting Exploits

Importing a stack-based buffer overflow exploit

Gathering the essentials

Generating a Metasploit module

Exploiting the target application with Metasploit

Implementing a check method for exploits in Metasploit

Importing web-based RCE into Metasploit

Gathering the essentials

Grasping the important web functions

The essentials of the GET/POST method

Importing an HTTP exploit into Metasploit

Importing TCP server/ browser-based exploits into Metasploit

Gathering the essentials

Generating the Metasploit module

Summary

5. Testing Services with Metasploit

The fundamentals of SCADA

The fundamentals of ICS and its components

The significance of ICS-SCADA

Analyzing security in SCADA systems

Fundamentals of testing SCADA

SCADA-based exploits

Securing SCADA

Implementing secure SCADA

Restricting networks

Database exploitation

SQL server

Fingerprinting SQL server with Nmap

Scanning with Metasploit modules

Brute forcing passwords

Locating/capturing server passwords

Browsing SQL server

Post-exploiting/executing system commands

Reloading the xp_cmdshell functionality

Running SQL-based queries

Testing VOIP services

VOIP fundamentals

An introduction to PBX

Types of VOIP services

Self-hosted network

Hosted services

SIP service providers

Fingerprinting VOIP services

Scanning VOIP services

Spoofing a VOIP call

Exploiting VOIP

About the vulnerability

Exploiting the application

Summary

6. Virtual Test Grounds and Staging

Performing a penetration test with integrated Metasploit services

Interaction with the employees and end users

Gathering intelligence

Example environment under test

Vulnerability scanning with OpenVAS using Metasploit

Modeling the threat areas

Gaining access to the target

Vulnerability scanning with Nessus

Maintaining access and covering tracks

Managing a penetration test with Faraday

Generating manual reports

The format of the report

The executive summary

Methodology / network admin level report

Additional sections

Summary

7. Client-side Exploitation

Exploiting browsers for fun and profit

The browser autopwn attack

The technology behind a browser autopwn attack

Attacking browsers with Metasploit browser autopwn

Compromising the clients of a website

Injecting malicious web scripts

Hacking the users of a website

Conjunction with DNS spoofing

Tricking victims with DNS hijacking

Metasploit and Arduino - the deadly combination

File format-based exploitation

PDF-based exploits

Word-based exploits

Compromising Linux clients with Metasploit

Attacking Android with Metasploit

Summary

8. Metasploit Extended

The basics of post exploitation with Metasploit

Basic post exploitation commands

The help menu

Background command

Machine ID and UUID command

Reading from a channel

Getting the username and process information

Getting system information

Networking commands

File operation commands

Desktop commands

Screenshots and camera enumeration

Advanced post exploitation with Metasploit

Migrating to safer processes

Obtaining system privileges

Obtaining password hashes using hashdump

Changing access, modification and creation time with timestomp

Additional post exploitation modules

Gathering wireless SSIDs with Metasploit

Gathering Wi-Fi passwords with Metasploit

Getting applications list

Gathering skype passwords

Gathering USB history

Searching files with Metasploit

Wiping logs from target with clearev command

Advanced extended features of Metasploit

Privilege escalation using Metasploit

Finding passwords in clear text using mimikatz

Sniffing traffic with Metasploit

Host file injection with Metasploit

Phishing window login passwords

Summary

9. Speeding up Penetration Testing

Using pushm and popm commands

The loadpath command

Pacing up development using reload, edit and reload_all commands

Making use of resource scripts

Using AutoRunScript in Metasploit

Using multiscript module in AutoRunScript option

Globalizing variables in Metasploit

Automating Social-Engineering Toolkit

Summary

10. Visualizing with Armitage

The fundamentals of Armitage

Getting started

Touring the user interface

Managing the workspace

Scanning networks and host management

Modeling out vulnerabilities

Finding the match

Exploitation with Armitage

Post-exploitation with Armitage

Attacking on the client side with Armitage

Scripting Armitage

The fundamentals of Cortana

Controlling Metasploit

Post-exploitation with Cortana

Building a custom menu in Cortana

Working with interfaces

Summary

Further reading
