Book Image

Metasploit Bootcamp

By : Nipun Jaswal
Book Image

Metasploit Bootcamp

By: Nipun Jaswal

Overview of this book

The book starts with a hands-on Day 1 chapter, covering the basics of the Metasploit framework and preparing the readers for a self-completion exercise at the end of every chapter. The Day 2 chapter dives deep into the use of scanning and fingerprinting services with Metasploit while helping the readers to modify existing modules according to their needs. Following on from the previous chapter, Day 3 will focus on exploiting various types of service and client-side exploitation while Day 4 will focus on post-exploitation, and writing quick scripts that helps with gathering the required information from the exploited systems. The Day 5 chapter presents the reader with the techniques involved in scanning and exploiting various services, such as databases, mobile devices, and VOIP. The Day 6 chapter prepares the reader to speed up and integrate Metasploit with leading industry tools for penetration testing. Finally, Day 7 brings in sophisticated attack vectors and challenges based on the user’s preparation over the past six days and ends with a Metasploit challenge to solve.
Table of Contents (15 chapters)
Title Page
About the Author
About the Reviewer
Customer Feedback

Phase-I: footprinting and scanning

Footprinting and scanning is the first phase after the pre-interactions and, based on the type of testing approach (black box, white box, or grey box), the footprinting phase will differ significantly. In a black box test scenario, we will target everything since no prior knowledge of the target is given, while we will perform focused application- and architecture-specific tests in a white box approach. A grey box test will combine the best of both types of methodology. We will follow the black box approach. So, let's fire up Metasploit and run a basic scan. However, let us add a new workspace to Metasploit. Adding a new workspace will keep the scan data separate from the other scans in the database and will help to find the results in a much easier and more manageable way. To add a new workspace, just type in workspace -a [name of the new workspace] and, to switch the context to the new workspace, simply type in workspace followed by the name of the workspace, as shown in the following screenshot:

In the preceding screenshot, we can see that we added a new workspace NetworkVAPT and switched onto it. Let us now perform a quick scan of the network to check all the live hosts. Since we are on the same network as that of our target, we can perform an ARP sweep scan using the module from auxiliary/scanner/discovery/arp_sweep, as shown in the following screenshot:

We choose a module to launch with the use command. The show options command will show us all the necessary options required for the module to work correctly. We set all the options with the set keyword. In the preceding illustration, we spoof our MAC and IP address by setting SMAC and SHOST to anything other than our original IP address. We used, which looks similar to the router's base IP address. Hence, all the packets generated via the ARP scan will look as if produced by the router. Let's run the module and also check how valid our statement is by analyzing traffic in Wireshark, as shown in the following screenshot:

We can clearly see in the preceding screenshot that our packets are being spoofed from the MAC and IP address we used for the module:

msf auxiliary(arp_sweep) > run appears to be up.
Scanned 256 of 256 hosts (100% complete)
Auxiliary module execution completed
msf auxiliary(arp_sweep) >

From the obtained results, we have one IP address which appears to be live, that is, Let us perform a TCP scan over and check which ports are open. We can perform a TCP scan with the portscan module from auxiliary/scanner/portscan/tcp, as shown in the following screenshot:

Next, we will set RHOSTS to the IP address We can also increase the speed of the scan by using a high number of threads and setting the concurrency, as shown in the following screenshot:

It's advisable to perform banner-grabbing over all the open ports found during the scan. However, we will focus on the HTTP-based ports for this example. Let us find the type of web server running on 80, 8080 using the auxiliary/scanner/http/http_version module, as shown in the following screenshot:

We load the http_version scanner module using the use command and set RHOSTS to First, we scan port 80 by setting RPORT to 80, which yields the result as IIS/8.5 and then we run the module for port 8080 which depicts that the port is running the HFS 2.3 web server.