Preface
Penetration testing is one of the crucial techniques required in businesses everywhere today. With the rise of cyber and computer-based crime in the past few years, penetration testing has become one of the core aspects of network security and helps in keeping a business secure from internal, as well as external, threats. Penetration testing is a necessity because it helps uncover potential flaws in a network, a system, or an application, and because it identifies weaknesses and threats from an attacker's perspective. The flaws found in a system are exploited to find out the impact a compromise can have on an organization and the risk to its assets. However, the success of a penetration test depends largely on the knowledge of the target under test. Therefore, we generally approach a penetration test using two different methods: black box testing and white box testing. Black box testing refers to testing where there is no prior knowledge of the target under test, so a penetration tester kicks off by collecting information about the target systematically. In a white box penetration test, on the other hand, the tester already has enough knowledge about the target (for example, network diagrams, source code, or credentials) and starts off by identifying known and unknown weaknesses of the target. Generally, a penetration test is divided into seven different phases, which are as follows:
Pre-engagement interactions: This phase defines all the pre-engagement activities and scope definitions, basically, everything you need to discuss with the client before the testing starts.
Intelligence gathering: This phase is all about collecting information about the target under test, both actively, by connecting to it directly, and passively, without connecting to the target at all.
Threat modeling: This phase involves matching the information detected to the assets in order to find the areas with the highest threat level.
Vulnerability analysis: This involves finding and identifying known and unknown vulnerabilities and validating them.
Exploitation: This phase works on taking advantage of the vulnerabilities found in the previous phase. This typically means that we are trying to gain access to the target.
Post-exploitation: This phase covers the actual tasks to be performed on the target once access has been gained, such as downloading a file, shutting a system down, or creating a new user account on the target. Generally, this phase describes what you need to do after exploitation.
Reporting: This phase sums up the results of the test in a report, together with suggestions and recommendations to fix the weaknesses found in the target.
The seven phases just mentioned may look easy when there is a single target under test. However, the situation completely changes when a large network that contains hundreds of systems is to be tested. In a situation like this, manual work has to be replaced with an automated approach. Consider a scenario where exactly 100 systems are under test, all running the same operating system and services. Testing each and every system manually will consume a great deal of time and energy. This is where a penetration testing framework comes in. Using a penetration testing framework not only saves time, but also offers much more flexibility in terms of changing the attack vectors and covering a much wider range of targets in a test. A penetration testing framework also helps in automating most of the attack vectors, the scanning processes, vulnerability identification, and, most importantly, the exploitation of those vulnerabilities, thus saving time and speeding up the penetration test.
Mastering Metasploit aims at providing readers with an insight into the most popular penetration testing framework, that is, Metasploit. This book specifically focuses on mastering Metasploit in terms of exploitation, writing custom exploits, porting exploits, testing services, and conducting sophisticated, client-side testing. Moreover, this book helps to convert your customized attack vectors into Metasploit modules, covering Ruby, assembly, and attack scripting, such as Cortana. This book will help you build programming skills as well.
What this book covers
Chapter 1, Approaching a Penetration Test Using Metasploit, takes us through the absolute basics of conducting a penetration test with Metasploit. It helps in establishing an approach and setting up the environment for testing. Moreover, it takes us through the various stages of a penetration test systematically. It further discusses the advantages of using Metasploit over traditional and manual testing.
Chapter 2, Reinventing Metasploit, covers the absolute basics of the Ruby programming essentials that are required for module building. This chapter further covers how to dig into existing Metasploit modules and write our own custom scanner, post-exploitation, and Meterpreter modules; finally, it sums up by shedding light on developing custom modules using RailGun.
Chapter 3, The Exploit Formulation Process, discusses how to build exploits by covering the basic essentials of assembly programming. This chapter also introduces fuzzing and sheds light on debuggers too. It then focuses on gathering essentials for exploitation by analyzing the application's behavior under a debugger. It finally shows the exploit-writing process in Metasploit based on the information collected.
Chapter 4, Porting Exploits, helps in converting publicly available exploits into Metasploit modules. This chapter focuses on gathering the essentials from available exploits written in Perl, Python, and PHP, and translating those essentials into Metasploit-compatible code using the Metasploit libraries.
Chapter 5, Offstage Access to Testing Services, carries our discussion on to performing penetration tests on various services. This chapter covers some important modules in Metasploit that help in exploiting SCADA systems. Further, it discusses testing a database and running privileged commands in it. Next, it sheds light on VoIP exploitation and carrying out attacks such as spoofing VoIP calls. In the end, the chapter discusses post-exploitation on Apple iDevices.
Chapter 6, Virtual Test Grounds and Staging, provides a brief discussion on carrying out a white box as well as a black box test. This chapter focuses on additional tools that can work along with Metasploit to conduct a complete penetration test. The chapter advances by discussing popular tools, such as Nmap, Nessus, and OpenVAS, and discusses importing their results into Metasploit and running these tools from Metasploit itself. It finally discusses how to generate manual and automated reports.
Chapter 7, Sophisticated Client-side Attacks, shifts our focus to client-side exploits. This chapter focuses on turning traditional client-side exploits into a much more sophisticated and reliable approach. The chapter starts with browser-based exploitation and file-format-based exploits. Further, it discusses compromising web servers and the users of a website. Next, it sheds light on bypassing antivirus and other protection mechanisms. Then, it discusses turning browser exploits into a lethal weapon using Metasploit along with vectors such as DNS poisoning.
Chapter 8, The Social Engineering Toolkit, helps in automating client-side exploitation using Metasploit as a backend. This chapter sheds light on various website attack vectors and helps carry out advanced phishing attacks. It then focuses on attack vectors such as tabnabbing, Java applets, and many others. Further, it sheds light on third-party modules within the Social Engineering Toolkit. Next, it discusses the GUI part of the social engineering toolkit and how to automate various attacks in it.
Chapter 9, Speeding Up Penetration Testing, focuses on developing quick approaches to penetration testing. This chapter starts by discussing Fast Track and testing a database with Fast Track. Further, it discusses the lost features of Metasploit and how to re-enable them in Metasploit. Finally, it discusses another great tool, that is, WebSploit, and covers carrying out the tricky client-side exploitation with it.
Chapter 10, Visualizing with Armitage, is dedicated to the most popular GUI associated with Metasploit, that is, Armitage. This chapter builds up on scanning a target with Armitage and exploiting the target. Further, it discusses Cortana, which is used to script automated attacks in Armitage and aids penetration testing by developing virtual bots. Next, this chapter discusses adding custom functionalities and building up custom interfaces and menus in Armitage.
What you need for this book
To follow and recreate the examples in this book, you will need two to three systems. One can be your penetration testing system, whereas others can be the systems to be tested. Alternatively, you can work on a single system and set up the other two on a virtual environment.
Apart from systems, you will need the latest ISO of Kali Linux, which comes with Metasploit that is preinstalled and contains all the other tools that are required for recreating the examples of this book.
However, you will need the ISOs of Ubuntu, Windows XP, Windows Server 2003, Windows 7, and Windows Server 2008 to set these systems up as targets for Metasploit. It is worth noting that all the other tools, with their exact versions, are described in this book.
Who this book is for
This book targets professional penetration testers, security engineers, and analysts who possess a basic knowledge of Metasploit and wish to master the Metasploit framework, develop exploit-writing and module-development skills, and learn to test various services. Further, it helps researchers who wish to add their own custom functionality to Metasploit. The transition from the basic and intermediate level to the expert level is smooth. This book discusses Ruby programming, assembly language, and attack scripting using Cortana; therefore, a little knowledge of programming languages is required.
Conventions
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "This can be simply achieved using the db_export function."
A block of code is set as follows:
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'

class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Registry

  def initialize
    super(
      'Name'        => 'Drive Disabler Module',
      'Description' => 'C Drive Disabler Module',
      'License'     => MSF_LICENSE,
      'Author'      => 'Nipun Jaswal'
    )
  end
end
Any command-line input or output is written as follows:
# service postgresql start
# service metasploit start
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "Type an appropriate name in the Name field and select the Operating System type and Version."
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <feedback@packtpub.com>, and mention the book title via the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Errata
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <copyright@packtpub.com> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
Questions
You can contact us at <questions@packtpub.com> if you are having a problem with any aspect of the book, and we will do our best to address it.