Book Image

Metasploit Penetration Testing Cookbook - Third Edition

By : Daniel Teixeira, Abhinav Singh, Nipun Jaswal, Monika Agarwal
Book Image

Metasploit Penetration Testing Cookbook - Third Edition

By: Daniel Teixeira, Abhinav Singh, Nipun Jaswal, Monika Agarwal

Overview of this book

Metasploit is the world's leading penetration testing tool and helps security and IT professionals find, exploit, and validate vulnerabilities. Metasploit allows penetration testing automation, password auditing, web application scanning, social engineering, post exploitation, evidence collection, and reporting. Metasploit's integration with InsightVM (or Nexpose), Nessus, OpenVas, and other vulnerability scanners provides a validation solution that simplifies vulnerability prioritization and remediation reporting. Teams can collaborate in Metasploit and present their findings in consolidated reports. In this book, you will go through great recipes that will allow you to start using Metasploit effectively. With an ever increasing level of complexity, and covering everything from the fundamentals to more advanced features in Metasploit, this book is not just for beginners but also for professionals keen to master this awesome tool. You will begin by building your lab environment, setting up Metasploit, and learning how to perform intelligence gathering, threat modeling, vulnerability analysis, exploitation, and post exploitation—all inside Metasploit. You will learn how to create and customize payloads to evade anti-virus software and bypass an organization's defenses, exploit server vulnerabilities, attack client systems, compromise mobile phones, automate post exploitation, install backdoors, run keyloggers, highjack webcams, port public exploits to the framework, create your own modules, and much more.

Related Content you might be interested in

Current Title:

Small book image
Metasploit Penetration Testing Cookbook - Third Edition
Daniel Teixeira | Abhinav Singh | Nipun Jaswal | Monika Agarwal
Feb, 2018 | 426 pages
Small book image
Mastering Metasploit
Nipun Jaswal
Jun, 2020 | 502 pages
Small book image
Metasploit for Beginners
Sagar Rahalkar
Jul, 2017 | 190 pages
Small book image
Industrial Cybersecurity
Pascal Ackerman
Oct, 2017 | 456 pages
Table of Contents (20 chapters)
Title Page
Title Page
Copyright and Credits
Copyright and Credits
Contributors
Contributors
Packt Upsell
Packt Upsell
Preface
Preface
Free Chapter
1
Metasploit Quick Tips for Security Professionals
Metasploit Quick Tips for Security Professionals
Introduction
Installing Metasploit on Windows
Installing Linux and macOS
Installing Metasploit on macOS
Using Metasploit in Kali Linux
Setting up a penetration-testing lab
Setting up SSH connectivity
Connecting to Kali using SSH
Configuring PostgreSQL
Creating  workspaces
Using the database
Using the hosts command
Understanding the services command
2
Information Gathering and Scanning
Information Gathering and Scanning
Introduction
Passive information gathering with Metasploit
Active information gathering with Metasploit
Port scanning—the Nmap way
Port scanning—the db_nmap way
Host discovery with ARP Sweep
UDP Service Sweeper
SMB scanning and enumeration
Detecting SSH versions with the SSH Version Scanner
FTP scanning
SMTP enumeration
SNMP enumeration
HTTP scanning
WinRM scanning and brute forcing
Integrating with Nessus
Integrating with NeXpose
Integrating with OpenVAS
3
Server-Side Exploitation
Server-Side Exploitation
Introduction
Exploiting a Linux server
SQL injection
Types of shell
Exploiting a Windows Server machine
Exploiting common services
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
MS17-010 EternalRomance/EternalSynergy/EternalChampion
Installing backdoors
Denial of Service
4
Meterpreter
Meterpreter
Introduction
Understanding the Meterpreter core commands
Understanding the Meterpreter filesystem commands
Understanding Meterpreter networking commands
Understanding the Meterpreter system commands
Setting up multiple communication channels with the target
Meterpreter anti-forensics
The getdesktop and keystroke sniffing
Using a scraper Meterpreter script
Scraping the system using winenum
Automation with AutoRunScript
Meterpreter resource scripts
Meterpreter timeout control
Meterpreter sleep control
Meterpreter transports
Interacting with the registry
Loading framework plugins
Meterpreter API and mixins
Railgun—converting Ruby into a weapon
Adding DLL and function definitions to Railgun
Injecting the VNC server remotely
Enabling Remote Desktop
5
Post-Exploitation
Post-Exploitation
Introduction
Post-exploitation modules
Bypassing UAC
Dumping the contents of the SAM database
Passing the hash
Incognito attacks with Meterpreter
Using Mimikatz
Setting up a persistence with backdoors
Becoming TrustedInstaller
Backdooring Windows binaries
Pivoting with Meterpreter
Port forwarding with Meterpreter
Credential harvesting
Enumeration modules
Autoroute and socks proxy server
Analyzing an existing post-exploitation module
Writing a post-exploitation module
6
Using MSFvenom
Using MSFvenom
Introduction
Payloads and payload options
Encoders
Output formats
Templates
Meterpreter payloads with trusted certificates
7
Client-Side Exploitation and Antivirus Bypass
Client-Side Exploitation and Antivirus Bypass
Introduction
Exploiting a Windows 10 machine
Bypassing antivirus and IDS/IPS
Metasploit macro exploits
Human Interface Device attacks
HTA attack
Backdooring executables using a MITM attack
Creating a Linux trojan
Creating an Android backdoor
8
Social-Engineer Toolkit
Social-Engineer Toolkit
Introduction
Getting started with the Social-Engineer Toolkit
Working with the spear-phishing attack vector
Website attack vectors
Working with the multi-attack web method
Infectious media generator
9
Working with Modules for Penetration Testing
Working with Modules for Penetration Testing
Introduction
Working with auxiliary modules
DoS attack modules
Post-exploitation modules
Understanding the basics of module building
Analyzing an existing module
Building your own post-exploitation module
Building your own auxiliary module
10
Exploring Exploits
Exploring Exploits
Introduction
Common exploit mixins
Exploiting the module structure
Using MSFvenom to generate shellcode
Converting an exploit to a Metasploit module
Porting and testing the new exploit module
Fuzzing with Metasploit
Writing a simple fuzzer
11
Wireless Network Penetration Testing
Wireless Network Penetration Testing
Introduction
Metasploit and wireless
Understanding an evil twin attack
Configuring Karmetasploit
Wireless MITM attacks
SMB relay attacks
12
Cloud Penetration Testing
Cloud Penetration Testing
Introduction
Metasploit in the cloud
Metasploit PHP Hop
Phishing from the cloud
Setting up a cloud penetration testing lab
13
Best Practices
Best Practices
Introduction
Best practices
Using Metasploit over the Tor network
Metasploit logging
Documentation
Cleaning up
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Index
Index

Setting up a penetration-testing lab

Creating a penetration-testing lab is essential, it will allow you to practice and test new techniques and exploits in a secure environment. Using virtual machines for your lab environment will give you portability, flexibility, and low maintenance. You can work simultaneously on more than one operating system, set up complex network scenarios, and perform penetration tests on multiple targets. So, let's have a quick look at how we can set up a penetration-testing lab using virtualization.

Getting ready

For your lab, you can use the hypervisor of your choice; the most common hypervisors are VirtualBox, VMware Workstation Pro, VMware Fusion Pro (for Mac), VMware ESXi, and Microsoft Hyper-V. For the penetration testing lab used in this book, I would recommend you to use VirtualBox since it is an open source hypervisor and a requirement for building one of the virtual machines.

Note

Although you need to build the virtual machine using VirtualBox, after building the machine you can import it to any of the hypervisors you like.

This is the network diagram for the penetration-testing lab:

We will use four virtual machines with Kali Linux, a Linux server, a Windows server, and a Windows 10 client. In this lab, we have a modern scenario that will allow us to test and practice the latest techniques and exploits.

How to do it...

For the Kali Linux machine, the Linux server, and the Windows 10 client, the setup is simple. We can download the Kali Linux virtual machine from the official site, https://www.kali.org/downloads/; for the Linux server, we will use the Metasploitable 2 machine which you can download from SourceForge at https://sourceforge.net/projects/metasploitable/files/Metasploitable2/; and for the Windows 10 client, we can download a 90-day trial from the Microsoft Developer site at https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/.

For the last machine, we will use Metasploitable 3, a Windows virtual machine that we will build, with many security vulnerabilities for us to test. To build the Metasploitable 3 machine, we have to install Packer, Vagrant, the Vagrant Reload plugin, and VirtualBox. The build scripts and documentation, as well as the most up-to-date build instructions, can be found at the official GitHub repository: https://github.com/rapid7/metasploitable3. To build the machine automatically, perform the following steps:

  1. Run the build_win2008.sh script if using Bash, or build_win2008.ps1 if using Windows.
  2. Upon successful completion, run vagrant up.
  3. When the process completes, you should be able to open the VM within VirtualBox and log in using the username vagrant and password vagrant.

Before you start your virtual machines, there is an important configuration that you will have to make in order to set up the network communication for the lab:

  1. Select the Kali Linux virtual machine and click on Settings. Then, move to Removable Devices. In the Network Adapter option, the network adapter should be configured to use Internet SharingShare with my Mac, which will allow the virtual machine to access the internet, sharing the IP address of the host machine, since it will provide Network Address Translation (NAT) for network traffic from the virtual machine.
  1. The network adapter of the Metasploitable 3 virtual machine and the first network adapter of the Metasploitable 2 virtual machine should also be configured to use NAT:
  1. In VMware Fusion, go to Preferences, select the Network tab, and create a custom network. Check the box to provide addresses on this network via DHCP; use the Subnet IP of 10.0.0.0  and the Subnet Mask of 255.255.255.0:

  1. Now that you have created the custom network, select the Windows 10 virtual machine, click on Settings, then go to the Network Adapter settings. Choose Custom network and select the custom network we have created. Repeat the process for the second Network Adapter of the Metasploitable 2 virtual machine:
  1. To verify the configuration, log in to the Metasploitable 2 machine and use the ip a command. The default username for the root user is msfadmin and the password is msfadmin:

How it works...

By creating two NAT networks, we can simulate internet-facing servers using the first NAT network and internal machines using the custom network we have created, thus providing a more realistic scenario, and giving you the possibility to learn how to do reconnaissance of internal targets, pivoting, and lateral movement.

Previous Section
End of Section 7
Next Section