The Complete Metasploit Guide: Explore effective penetration testing techniques with Metasploit

Cover
FM
Copyright
About Packt
Contributors
Table of Contents
Preface
Chapter 1: Introduction to Metasploit and Supporting Tools
	The importance of penetration testing
	Vulnerability assessment versus penetration testing
	The need for a penetration testing framework
	Introduction to Metasploit
	When to use Metasploit?
	Making Metasploit effective and powerful using supplementary tools
		Nessus
		NMAP
		w3af
		Armitage
	Summary
	Exercises
Chapter 2: Setting up Your Environment
	Using the Kali Linux virtual machine - the easiest way
	Installing Metasploit on Windows
	Installing Metasploit on Linux
	Setting up exploitable targets in a virtual environment
	Summary
	Exercises
Chapter 3: Metasploit Components and Environment Configuration
	Anatomy and structure of Metasploit
	Metasploit components
		Auxiliaries
		Exploits
		Encoders
		Payloads
		Post
	Playing around with msfconsole
	Variables in Metasploit
	Updating the Metasploit Framework
	Summary
	Exercises
Chapter 4: Information Gathering with Metasploit
	Information gathering and enumeration
		Transmission Control Protocol
		User Datagram Protocol
		File Transfer Protocol
		Server Message Block
		Hypertext Transfer Protocol
		Simple Mail Transfer Protocol
		Secure Shell
		Domain Name System
		Remote Desktop Protocol
	Password sniffing
	Advanced search with shodan
	Summary
	Exercises
Chapter 5: Vulnerability Hunting with Metasploit
	Managing the database
		Work spaces
		Importing scans
		Backing up the database
	NMAP
		NMAP scanning approach
	Nessus
		Scanning using Nessus from msfconsole
	Vulnerability detection with Metasploit auxiliaries
	Auto exploitation with db_autopwn
	Post exploitation
		What is meterpreter?
		Searching for content
		Screen capture
		Keystroke logging
		Dumping the hashes and cracking with JTR
		Shell command
		Privilege escalation
	Summary
	Exercises
Chapter 6: Client-side Attacks with Metasploit
	Need of client-side attacks
		What are client-side attacks?
			What is a Shellcode?
			What is a reverse shell?
			What is a bind shell?
			What is an encoder?
	The msfvenom utility
		Generating a payload with msfvenom
	Social Engineering with Metasploit
		Generating malicious PDF
		Creating infectious media drives
	Browser Autopwn
	Summary
	Exercises
Chapter 7: Web Application Scanning with Metasploit
	Setting up a vulnerable application
	Web application scanning using WMAP
	Metasploit Auxiliaries for Web Application enumeration and scanning
	Summary
	Exercises
Chapter 8: Antivirus Evasion and Anti-Forensics
	Using encoders to avoid AV detection
		Using packagers and encrypters
		What is a sandbox?
	Anti-forensics
		Timestomp
		clearev
	Summary
	Exercises
Chapter 9: Cyber Attack Management with Armitage
	What is Armitage?
	Starting the Armitage console
	Scanning and enumeration
	Find and launch attacks
	Summary
	Exercises
Chapter 10: Extending Metasploit and Exploit Development
	Exploit development concepts
		What is a buffer overflow?
		What are fuzzers?
	Exploit templates and mixins
		What are Metasploit mixins?
	Adding external exploits to Metasploit
	Summary
	Exercises
Chapter 11: Approaching a Penetration Test Using Metasploit
	Organizing a penetration test
		Preinteractions
		Intelligence gathering/reconnaissance phase
		Threat modeling
		Vulnerability analysis
		Exploitation and post-exploitation
		Reporting
	Mounting the environment
		Setting up Kali Linux in a virtual environment
	The fundamentals of Metasploit
	Conducting a penetration test with Metasploit
		Recalling the basics of Metasploit
	Benefits of penetration testing using Metasploit
		Open source
		Support for testing large networks and natural naming conventions
		Smart payload generation and switching mechanism
		Cleaner exits
		The GUI environment
	Case study - diving deep into an unknown network
		Gathering intelligence
			Using databases in Metasploit
		Modeling threats
		Vulnerability analysis - arbitrary file upload (unauthenticated)
			Attacking mechanism on the PhpCollab 2.5.1 application
		Exploitation and gaining access
			Escalating privileges with local root exploits
		Maintaining access with Metasploit
		Post-exploitation and pivoting
		Vulnerability analysis - SEH based buffer overflow
		Exploiting human errors by compromising Password Managers
	Revisiting the case study
		Revising the approach
	Summary and exercises
Chapter 12: Reinventing Metasploit
	Ruby - the heart of Metasploit
		Creating your first Ruby program
			Interacting with the Ruby shell
			Defining methods in the shell
		Variables and data types in Ruby
			Working with strings
				Concatenating strings
				The substring function
				The split function
			Numbers and conversions in Ruby
				Conversions in Ruby
			Ranges in Ruby
			Arrays in Ruby
		Methods in Ruby
		Decision-making operators
		Loops in Ruby
		Regular expressions
		Wrapping up with Ruby basics
	Developing custom modules
		Building a module in a nutshell
			The architecture of the Metasploit framework
			Understanding the file structure
			The libraries layout
		Understanding the existing modules
			The format of a Metasploit module
		Disassembling the existing HTTP server scanner module
			Libraries and the function
		Writing out a custom FTP scanner module
			Libraries and functions
				Using msftidy
		Writing out a custom SSH-authentication with a brute force attack
			Rephrasing the equation
		Writing a drive-disabler post-exploitation module
		Writing a credential harvester post-exploitation module
	Breakthrough Meterpreter scripting
		Essentials of Meterpreter scripting
		Setting up persistent access
		API calls and mixins
		Fabricating custom Meterpreter scripts
	Working with RailGun
		Interactive Ruby shell basics
		Understanding RailGun and its scripting
		Manipulating Windows API calls
		Fabricating sophisticated RailGun scripts
	Summary and exercises
Chapter 13: The Exploit Formulation Process
	The absolute basics of exploitation
		The basics
		The architecture
			System organization basics
		Registers
	Exploiting stack-based buffer overflows with Metasploit
		Crashing the vulnerable application
		Building the exploit base
		Calculating the offset
			Using the pattern_create tool
			Using the pattern_offset tool
		Finding the JMP ESP address
			Using the Immunity Debugger to find executable modules
			Using msfpescan
		Stuffing the space
			Relevance of NOPs
		Determining bad characters
		Determining space limitations
		Writing the Metasploit exploit module
	Exploiting SEH-based buffer overflows with Metasploit
		Building the exploit base
		Calculating the offset
			Using the pattern_create tool
			Using the pattern_offset tool
		Finding the POP/POP/RET address
			The Mona script
			Using msfpescan
		Writing the Metasploit SEH exploit module
			Using the NASM shell for writing assembly instructions
	Bypassing DEP in Metasploit modules
		Using msfrop to find ROP gadgets
		Using Mona to create ROP chains
		Writing the Metasploit exploit module for DEP bypass
	Other protection mechanisms
	Summary
Chapter 14: Porting Exploits
	Importing a stack-based buffer overflow exploit
		Gathering the essentials
		Generating a Metasploit module
		Exploiting the target application with Metasploit
		Implementing a check method for exploits in Metasploit
	Importing web-based RCE into Metasploit
		Gathering the essentials
		Grasping the important web functions
		The essentials of the GET/POST method
		Importing an HTTP exploit into Metasploit
	Importing TCP server/browser-based exploits into Metasploit
		Gathering the essentials
		Generating the Metasploit module
	Summary
Chapter 15: Testing Services with Metasploit
	Fundamentals of testing SCADA systems
		The fundamentals of ICS and its components
		The significance of ICS-SCADA
		Exploiting HMI in SCADA servers
			Fundamentals of testing SCADA
			SCADA-based exploits
		Attacking the Modbus protocol
		Securing SCADA
			Implementing secure SCADA
			Restricting networks
	Database exploitation
		SQL server
		Scanning MSSQL with Metasploit modules
		Brute forcing passwords
		Locating/capturing server passwords
		Browsing the SQL server
		Post-exploiting/executing system commands
			Reloading the xp_cmdshell functionality
			Running SQL-based queries
	Testing VOIP services
		VOIP fundamentals
			An introduction to PBX
			Types of VOIP services
			Self-hosted network
			Hosted services
			SIP service providers
		Fingerprinting VOIP services
		Scanning VOIP services
		Spoofing a VOIP call
		Exploiting VOIP
			About the vulnerability
			Exploiting the application
	Summary
Chapter 16: Virtual Test Grounds and Staging
	Performing a penetration test with integrated Metasploit services
		Interaction with the employees and end users
		Gathering intelligence
			Example environment being tested
		Vulnerability scanning with OpenVAS using Metasploit
		Modeling the threat areas
		Gaining access to the target
		Exploiting the Active Directory (AD) with Metasploit
			Finding the domain controller
			Enumerating shares in the Active Directory network
			Enumerating the AD computers
			Enumerating signed-in users in the Active Directory
			Enumerating domain tokens
			Using extapi in Meterpreter
			Enumerating open Windows using Metasploit
			Manipulating the clipboard
			Using ADSI management commands in Metasploit
			Using PsExec exploit in the network
			Using Kiwi in Metasploit
			Using cachedump in Metasploit
		Maintaining access to AD
	Generating manual reports
		The format of the report
		The executive summary
		Methodology/network admin-level report
		Additional sections
	Summary
Chapter 17: Client-Side Exploitation
	Exploiting browsers for fun and profit
		The browser autopwn attack
			The technology behind the browser autopwn attack
			Attacking browsers with Metasploit browser autopwn
		Compromising the clients of a website
			Injecting the malicious web scripts
			Hacking the users of a website
		The autopwn with DNS spoofing and MITM attacks
			Tricking victims with DNS hijacking
			Using Kali NetHunter with browser exploits
	Metasploit and Arduino - the deadly combination
	File format-based exploitation
		PDF-based exploits
		Word-based exploits
	Attacking Android with Metasploit
	Summary and exercises
Chapter 18: Metasploit Extended
	Basics of post-exploitation with Metasploit
	Basic post-exploitation commands
		The help menu
		The background command
		Reading from a channel
		File operation commands
		Desktop commands
		Screenshots and camera enumeration
	Advanced post-exploitation with Metasploit
		Obtaining system privileges
		Changing access, modification, and creation time with timestomp
	Additional post-exploitation modules
		Gathering wireless SSIDs with Metasploit
		Gathering Wi-Fi passwords with Metasploit
		Getting the applications list
		Gathering Skype passwords
		Gathering USB history
		Searching files with Metasploit
		Wiping logs from the target with the clearev command
	Advanced extended features of Metasploit
		Using pushm and popm commands
		Speeding up development using the reload, edit, and reload_all commands
		Making use of resource scripts
		Using AutoRunScript in Metasploit
		Using the multiscript module in AutoRunScript option
		Privilege escalation using Metasploit
		Finding passwords in clear text using mimikatz
		Sniffing traffic with Metasploit
		Host file injection with Metasploit
		Phishing Windows login passwords
	Summary and exercises
Chapter 19: Evasion with Metasploit
	Evading Meterpreter using C wrappers and custom encoders
	Evading intrusion detection systems with Metasploit
		Using random cases for fun and profit
		Using fake relatives to fool IDS systems
	Bypassing Windows firewall blocked ports
		Using the reverse Meterpreter on all ports
	Summary and exercises
Chapter 20: Metasploit for Secret Agents
	Maintaining anonymity in Meterpreter sessions
	Maintaining access using vulnerabilities in common software
		DLL search order hijacking
		Using code caves for hiding backdoors
	Harvesting files from target systems
	Using venom for obfuscation
	Covering tracks with anti-forensics modules
	Summary
Chapter 21: Visualizing with Armitage
	The fundamentals of Armitage
		Getting started
		Touring the user interface
		Managing the workspace
	Scanning networks and host management
		Modeling out vulnerabilities
		Finding the match
	Exploitation with Armitage
	Post-exploitation with Armitage
	Red teaming with Armitage team server
	Scripting Armitage
		The fundamentals of Cortana
		Controlling Metasploit
		Post-exploitation with Cortana
		Building a custom menu in Cortana
		Working with interfaces
	Summary
Chapter 22: Tips and Tricks
	Automation using Minion script
	Using connect as Netcat
	Shell upgrades and background sessions
	Naming conventions
		Changing the prompt and making use of database variables
	Saving configurations in Metasploit
	Using inline handler and renaming jobs
	Running commands on multiple Meterpreters
	Automating the Social Engineering Toolkit
	Cheat sheets on Metasploit and penetration testing
	Further reading
Other Books You May Enjoy
Index