Sign In Start Free Trial

Book Overview & Buying
Table Of Contents
Feedback & Rating

Metasploit Penetration Testing Cookbook

By : Teixeira, Nipun Jaswal, Singh, Agarwal

3.8 (5)

Metasploit Penetration Testing Cookbook

3.8 (5)

By: Teixeira, Nipun Jaswal, Singh, Agarwal

Overview of this book

Metasploit is the world's leading penetration testing tool and helps security and IT professionals find, exploit, and validate vulnerabilities. Metasploit allows penetration testing automation, password auditing, web application scanning, social engineering, post exploitation, evidence collection, and reporting. Metasploit's integration with InsightVM (or Nexpose), Nessus, OpenVas, and other vulnerability scanners provides a validation solution that simplifies vulnerability prioritization and remediation reporting. Teams can collaborate in Metasploit and present their findings in consolidated reports. In this book, you will go through great recipes that will allow you to start using Metasploit effectively. With an ever increasing level of complexity, and covering everything from the fundamentals to more advanced features in Metasploit, this book is not just for beginners but also for professionals keen to master this awesome tool. You will begin by building your lab environment, setting up Metasploit, and learning how to perform intelligence gathering, threat modeling, vulnerability analysis, exploitation, and post exploitation—all inside Metasploit. You will learn how to create and customize payloads to evade anti-virus software and bypass an organization's defenses, exploit server vulnerabilities, attack client systems, compromise mobile phones, automate post exploitation, install backdoors, run keyloggers, highjack webcams, port public exploits to the framework, create your own modules, and much more.

Preface

Preface

Who this book is for

What this book covers

To get the most out of this book

Sections

Get in touch

Disclaimer

Free Chapter

Metasploit Quick Tips for Security Professionals

Metasploit Quick Tips for Security Professionals

Introduction

Installing Metasploit on Windows

Installing Linux and macOS

Installing Metasploit on macOS

Using Metasploit in Kali Linux

Setting up a penetration-testing lab

Setting up SSH connectivity

Connecting to Kali using SSH

Configuring PostgreSQL

Creating workspaces

Using the database

Using the hosts command

Understanding the services command

Information Gathering and Scanning

Information Gathering and Scanning

Introduction

Passive information gathering with Metasploit

Active information gathering with Metasploit

Port scanning—the Nmap way

Port scanning—the db_nmap way

Host discovery with ARP Sweep

UDP Service Sweeper

SMB scanning and enumeration

Detecting SSH versions with the SSH Version Scanner

FTP scanning

SMTP enumeration

SNMP enumeration

HTTP scanning

WinRM scanning and brute forcing

Integrating with Nessus

Integrating with NeXpose

Integrating with OpenVAS

Server-Side Exploitation

Server-Side Exploitation

Introduction

Exploiting a Linux server

SQL injection

Types of shell

Exploiting a Windows Server machine

Exploiting common services

MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

MS17-010 EternalRomance/EternalSynergy/EternalChampion

Installing backdoors

Denial of Service

Meterpreter

Meterpreter

Introduction

Understanding the Meterpreter core commands

Understanding the Meterpreter filesystem commands

Understanding Meterpreter networking commands

Understanding the Meterpreter system commands

Setting up multiple communication channels with the target

Meterpreter anti-forensics

The getdesktop and keystroke sniffing

Using a scraper Meterpreter script

Scraping the system using winenum

Automation with AutoRunScript

Meterpreter resource scripts

Meterpreter timeout control

Meterpreter sleep control

Meterpreter transports

Interacting with the registry

Loading framework plugins

Meterpreter API and mixins

Railgun—converting Ruby into a weapon

Adding DLL and function definitions to Railgun

Injecting the VNC server remotely

Enabling Remote Desktop

Post-Exploitation

Post-Exploitation

Introduction

Post-exploitation modules

Bypassing UAC

Dumping the contents of the SAM database

Passing the hash

Incognito attacks with Meterpreter

Using Mimikatz

Setting up a persistence with backdoors

Becoming TrustedInstaller

Backdooring Windows binaries

Pivoting with Meterpreter

Port forwarding with Meterpreter

Credential harvesting

Enumeration modules

Autoroute and socks proxy server

Analyzing an existing post-exploitation module

Writing a post-exploitation module

Using MSFvenom

Using MSFvenom

Introduction

Payloads and payload options

Encoders

Output formats

Templates

Meterpreter payloads with trusted certificates

Client-Side Exploitation and Antivirus Bypass

Client-Side Exploitation and Antivirus Bypass

Introduction

Exploiting a Windows 10 machine

Bypassing antivirus and IDS/IPS

Metasploit macro exploits

Human Interface Device attacks

HTA attack

Backdooring executables using a MITM attack

Creating a Linux trojan

Creating an Android backdoor

Social-Engineer Toolkit

Social-Engineer Toolkit

Introduction

Getting started with the Social-Engineer Toolkit

Working with the spear-phishing attack vector

Website attack vectors

Working with the multi-attack web method

Infectious media generator

Working with Modules for Penetration Testing

Working with Modules for Penetration Testing

Introduction

Working with auxiliary modules

DoS attack modules

Post-exploitation modules

Understanding the basics of module building

Analyzing an existing module

Building your own post-exploitation module

Building your own auxiliary module

Exploring Exploits

Exploring Exploits

Introduction

Common exploit mixins

Exploiting the module structure

Using MSFvenom to generate shellcode

Converting an exploit to a Metasploit module

Porting and testing the new exploit module

Fuzzing with Metasploit

Writing a simple fuzzer

Wireless Network Penetration Testing

Wireless Network Penetration Testing

Introduction

Metasploit and wireless

Understanding an evil twin attack

Configuring Karmetasploit

Wireless MITM attacks

SMB relay attacks

Cloud Penetration Testing

Cloud Penetration Testing

Introduction

Metasploit in the cloud

Metasploit PHP Hop

Phishing from the cloud

Setting up a cloud penetration testing lab

Best Practices

Best Practices

Introduction

Best practices

Using Metasploit over the Tor network

Metasploit logging

Documentation

Cleaning up

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

3.8 (5)

5 star

40%

4 star

40%

3 star

0

2 star

0

1 star

20%

Using the database

Once the database is configured, we can start using it. First, we will take a look at how to import data from external tools using the db_import command.

Getting ready

To view how to use the command and list the currently supported file types in msfconsole, run the db_import command:

msf > db_import 
Usage: db_import <filename> [file2...]

Filenames can be globs like *.xml, or **/*.xml which will search recursively
Currently supported file types include:
    Acunetix
    Amap Log
    Amap Log -m
    Appscan
    Burp Session XML
    Burp Issue XML

    ...

    Qualys Asset XML
    Qualys Scan XML
    Retina XML
    Spiceworks CSV Export
    Wapiti XML

How to do it...

To test the db_import command, we will use the nmap command, a free security scanner, port scanner, and network exploration tool, with the -oX option to save the result to an XML file. Here is the syntax used to scan the Metasploitable 3 target machine:

nmap -Pn -A -oX report 192.168.216.10

To import the scan report, you can use the db_import command followed by the path to the report you want to import:

msf > db_import /root/report
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.8.0'</strong>
[*] Importing host 192.168.216.10
[*] Successfully imported /root/report

Alternatively, you can run the db_nmap command directly from msfconsole, and the results will be saved in your current database. The db_nmap command works the same way as the regular nmap command:

msf > db_nmap -Pn -A 192.168.216.129
[*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-17 05:05 EDT
[*] Nmap: Nmap scan report for 192.168.216.129
[*] Nmap: Host is up (0.00092s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: | ftp-syst:
[*] Nmap: | STAT:

...

[*] Nmap: |_ System time: 2017-10-04T09:11:38-04:00
[*] Nmap: |_smb2-time: Protocol negotiation failed (SMB2)
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 0.92 ms 192.168.216.129
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 31.88 seconds

Search

Your notes and bookmarks