Mastering Metasploit - Third Edition

By : Nipun Jaswal

Mastering Metasploit - Third Edition

By: Nipun Jaswal

Overview of this book

We start by reminding you about the basic functionalities of Metasploit and its use in the most traditional ways. You’ll get to know about the basics of programming Metasploit modules as a refresher and then dive into carrying out exploitation as well building and porting exploits of various kinds in Metasploit. In the next section, you’ll develop the ability to perform testing on various services such as databases, Cloud environment, IoT, mobile, tablets, and similar more services. After this training, we jump into real-world sophisticated scenarios where performing penetration tests are a challenge. With real-life case studies, we take you on a journey through client-side attacks using Metasploit and various scripts built on the Metasploit framework. By the end of the book, you will be trained specifically on time-saving techniques using Metasploit.

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Disclaimer

Free Chapter

Approaching a Penetration Test Using Metasploit

Organizing a penetration test

Mounting the environment

The fundamentals of Metasploit

Conducting a penetration test with Metasploit

Benefits of penetration testing using Metasploit

Case study - diving deep into an unknown network

Revisiting the case study

Summary and exercises

Reinventing Metasploit

Ruby - the heart of Metasploit

Developing custom modules

Breakthrough Meterpreter scripting

Working with RailGun

Summary and exercises

The Exploit Formulation Process

The absolute basics of exploitation

Exploiting stack-based buffer overflows with Metasploit

Exploiting SEH-based buffer overflows with Metasploit

Bypassing DEP in Metasploit modules

Other protection mechanisms

Summary

Porting Exploits

Importing a stack-based buffer overflow exploit

Importing web-based RCE into Metasploit

Importing TCP server/browser-based exploits into Metasploit

Summary

Testing Services with Metasploit

Fundamentals of testing SCADA systems

Database exploitation

Testing VOIP services

Summary

Virtual Test Grounds and Staging

Performing a penetration test with integrated Metasploit services

Generating manual reports

Summary

Client-Side Exploitation

Exploiting browsers for fun and profit

Metasploit and Arduino - the deadly combination

File format-based exploitation

Attacking Android with Metasploit

Summary and exercises

Metasploit Extended

Basics of post-exploitation with Metasploit

Basic post-exploitation commands

Advanced post-exploitation with Metasploit

Additional post-exploitation modules

Advanced extended features of Metasploit

Summary and exercises

Evasion with Metasploit

Evading Meterpreter using C wrappers and custom encoders

Evading intrusion detection systems with Metasploit

Bypassing Windows firewall blocked ports

Summary and exercises

Metasploit for Secret Agents

Maintaining anonymity in Meterpreter sessions

Maintaining access using vulnerabilities in common software

Harvesting files from target systems

Using venom for obfuscation

Covering tracks with anti-forensics modules

Summary

Visualizing with Armitage

The fundamentals of Armitage

Scanning networks and host management

Exploitation with Armitage

Post-exploitation with Armitage

Red teaming with Armitage team server

Scripting Armitage

Summary

Tips and Tricks

Automation using Minion script

Using connect as Netcat

Shell upgrades and background sessions

Naming conventions

Saving configurations in Metasploit

Using inline handler and renaming jobs

Running commands on multiple Meterpreters

Automating the Social Engineering Toolkit

Cheat sheets on Metasploit and penetration testing

Revisiting the case study

To set up the test environment, we will require multiple operating systems with primarily two different host-only networks. Also, we will need the following components:

Component name	Type	Version used	Network details	Network type
Kali Linux VM Image	Operating System	Kali Rolling (2017.3) x64	`192.168.174.128` (Vmnet8)	Host-only
Ubuntu 14.04 LTS	Operating System	14.04 (trusty)	`192.168.174.132` (Vmnet8) 192.168.116.129 (Vmnet6)	Host-only Host-only
Windows 7	Operating System	Professional Edition	192.168.116.133 (Vmnet6)	Host-only
Ubuntu 16.04 LTS	Operating System	16.04.3 LTS (xenial)	192.168.116.133 (Vmnet6)	Host-only
PhpCollab	Web Application	2.5.1
Disk Pulse	Enterprise Disk Management Software	9.9.16
WinSCP	SSH and SFTP	5.7

Revising the approach

Throughout this exercise, we performed the following critical steps:

We started by conducting an Nmap scan on the target IP address, which is 192.168.174.132.
The Nmap scan revealed that port 80 at 192.168.174.132 is open.
Next, we did a fingerprint of the application running on port 80 and encountered Apache 2.4.7 running.
We tried browsing to the HTTP port. However, we couldn't find anything.
We ran the dir_scanner module to perform a dictionary-based check on the Apache server and found the PhpCollab application directory.
We found an exploit module for PhpCollab using searchsploit and had to import the third-party exploit into Metasploit.
Next, we exploited the application and gained limited user access to the target system.
To improve our access mechanism, we uploaded a backdoored executable and achieved a better level of access to the target.
To gain root access, we run the exploit suggester module and found that the overlayfs privilege escalation exploit will help us achieve root access to the target.
We downloaded the overlayfs exploit from https://exploit-db.com/, compiled it, and run it to gain root access to the target.

Using the same previously generated backdoor, we opened another Meterpreter shell, but this time with root privileges.

We added persistence to the system by using the sshkey_persistence module in Metasploit.
Running the arp command on the target, we found that there was a separate network connection to the host, which is in the target range of 192.168.116.0/24.
We added a route to this network by using the autoroute script.
We scanned the system found from the arp command using the TCP port scanner module in Metasploit.
We saw that port 80 of the system was open.
Since we only had access to the target network through Meterpreter, we used the socks4a module in Metasploit for making other tools connect to the target through Meterpreter.
Running the socks proxy, we configured our browser to utilize the socks4a proxy on port 1080.

We opened 192.168.116.133 through our browser and saw that it was running the Disk Pulse 9.9.16 web server service.
We searched Metasploit for Disk Pulse and found that it was vulnerable to an SEH-based buffer overflow vulnerability.

We exploited the vulnerability and gained the highest level of privileges on the target since the software runs with SYSTEM-level privileges.

We enumerated the list of installed applications and found that WinSCP 5.7 is installed on the system.
We saw that Metasploit contains an inbuilt module to harvest saved credentials from WinSCP.
We collected the root credentials from WinSCP and used the ssh_login module to gain a root shell on the target.

We uploaded another backdoor to gain a Meterpreter shell with root privileges on the target.

Mastering Metasploit - Third Edition

By : Nipun Jaswal

Mastering Metasploit - Third Edition

By: Nipun Jaswal

Overview of this book

Related Content you might be interested in

Current Title:

Mastering Metasploit - Third Edition