Book Image

Metasploit Bootcamp

By : Nipun Jaswal
Book Image

Metasploit Bootcamp

By: Nipun Jaswal

Overview of this book

The book starts with a hands-on Day 1 chapter, covering the basics of the Metasploit framework and preparing the readers for a self-completion exercise at the end of every chapter. The Day 2 chapter dives deep into the use of scanning and fingerprinting services with Metasploit while helping the readers to modify existing modules according to their needs. Following on from the previous chapter, Day 3 will focus on exploiting various types of service and client-side exploitation while Day 4 will focus on post-exploitation, and writing quick scripts that helps with gathering the required information from the exploited systems. The Day 5 chapter presents the reader with the techniques involved in scanning and exploiting various services, such as databases, mobile devices, and VOIP. The Day 6 chapter prepares the reader to speed up and integrate Metasploit with leading industry tools for penetration testing. Finally, Day 7 brings in sophisticated attack vectors and challenges based on the user’s preparation over the past six days and ends with a Metasploit challenge to solve.
Table of Contents (15 chapters)
Title Page
About the Author
About the Reviewer
Customer Feedback


Penetration testing is the one necessity required everywhere in business today. With the rise of cyber and computer-based crime in the past few years, penetration testing has become one of the core aspects of network security and helps in keeping a business secure from internal as well as external threats. The reason that makes penetration testing a necessity is that it helps in uncovering the potential flaws in a network, a system, or application. Moreover, it helps in identifying weaknesses and threats from an attacker's perspective. Various potential flaws in a system are exploited to find out the impact they can cause to an organization, and the risk factors to the assets as well. However, the success rate of a penetration test depends primarily on the knowledge of the target under test. Therefore, we approach a penetration test using two different methods: black box testing and white box testing. Black box testing refers to testing where there is no prior knowledge of the target under test. Therefore, a penetration tester kicks off testing by collecting information about the target systematically. Whereas, in the case of a white box penetration test, a penetration tester has enough knowledge about the target under test and he starts off by identifying the known and unknown weaknesses of the target. A penetration test is divided into seven different phases, which are as follows:

  1. Pre-engagement interactions: This step defines all the pre-engagement activities and scope definitions, basically everything you need to discuss with the client before the testing starts.
  2. Intelligence gathering: This phase is all about collecting information about the target under test, by connecting to the target directly or passively, without connecting to the target at all.
  3. Threat modeling: This phase involves matching the information uncovered to the assets to find the areas with the highest threat level.
  4. Vulnerability analysis: This involves finding and identifying known and unknown vulnerabilities and validating them.
  5. Exploitation: This phase works on taking advantage of the vulnerabilities discovered in the previous phase. This typically means that we are trying to gain access to the target.
  6. Post-exploitation: The actual tasks to perform at the target, which involve downloading a file, shutting a system down, creating a new user account on the target, and so on, are parts of this phase. This phase describes what you need to do after exploitation.

  1. Reporting: This phase includes summing up the results of the test in a file and the possible suggestions and recommendations to fix the current weaknesses in the target.

The seven phases just mentioned may look easier when there is a single target under test. However, the situation completely changes when a vast network that contains hundreds of systems are to be tested. Therefore, in a situation like this, manual work is replaced with an automated approach. Consider a scenario where the number of systems under test is exactly 100, and all are running the same operating system and services. Testing each and every system manually will consume much time and energy. Situations like these demand the use of a penetration testing framework. The use of a penetration testing framework will not only save time, but will also offer much more flexibility regarding changing the attack vectors and covering a much wider range of targets under test. A penetration testing framework will eliminate additional time consumption and will also help in automating most of the attack vectors; scanning processes; identifying vulnerabilities, and most importantly, exploiting the vulnerabilities; thus saving time and pacing a penetration test. This is where Metasploit kicks in.

Metasploit is considered one of the best and most widely used penetration testing frameworks. With a lot of rep in the IT security community, Metasploit not only caters to the needs of being an excellent penetration test framework, but also delivers innovative features that make the life of a penetration tester easy.

Metasploit Bootcamp aims at providing readers with insights into the most popular penetration testing framework, Metasploit. This book specifically focuses on conducting a penetration test with Metasploit while uncovering the many great features Metasploit offers over traditional penetration testing. The book covers in-depth scanning techniques, exploitation of various real-world software, post-exploitation, testing for services such as SCADA, VOIP, MSSQL, MySQL, Android Exploitation, AV evasion techniques, and much more in a boot camp-style approach. You will also find yourself scratching your head while completing self-driven exercises which are meant to be challenging.

What this book covers

Chapter 1, Getting Started with Metasploit, takes us through the absolute basics of doing a penetration test with Metasploit. It helps in establishing a plan and setting up the environment for testing. Moreover, it takes us through the various stages of a penetration test systematically, while covering some cutting edge post-exploitation modules. It further discusses the advantages of using Metasploit over traditional and manual testing.

Chapter 2, Identifying and Scanning Targets, covers intelligence gathering and scanning using Metasploit. The chapter focuses on scanning a variety of different services such as FTP, MSSQL, SNMP, HTTP, SSL, NetBIOS, and so on. The chapter also dismantles the format, the inner working of scanning modules, and sheds light on libraries used for building modules.

Chapter 3, Exploitation and Gaining Access, moves our discussion to exploiting real-world software. The chapter mixes up a combination of critical and med/low entropy vulnerabilities, and presents them together as a challenge. The chapter also discusses escalation and better quality of access, while discussing challenging topics such as Android and browser exploitation. At the end, the chapter discusses techniques to convert a non-Metasploit exploit to a Metasploit-compatible exploit module.

Chapter 4, Post-Exploitation with Metasploit, talks about the basic and advanced post-exploitation features of Metasploit. The chapter discusses the essential post-exploitation features available on the meterpreter payload and advanced and hardcore post-exploitation, while storming through privilege escalation for both Windows and Linux operating systems.

Chapter 5, Testing Services with Metasploit, moves the discussion on to performing a penetration test with various services. This chapter covers some important modules in Metasploit that help in testing SCADA, MySQL databases, and VOIP services.

Chapter 6, Fast-Paced Exploitation with Metasploit, moves the discussion on to building strategies and scripts that expedite the penetration testing process. Not only does this chapter help with vital know-how about improving the penetration testing process, it also uncovers many features of Metasploit that save time while scripting exploits. At the end, the chapter also discusses automating the post-exploitation process.

Chapter 7, Exploiting Real-World Challenges with Metasploit, moves the action to an environment simulating real-world problems. This chapter focuses on techniques used in the day-to-day life of a penetration tester, which also means where the exploitation is not just a piece of cake; you will have to earn the means to exploit the scenarios. Techniques such as brute-force, identifying applications, pivoting to internal networks, cracking hashes, finding passwords in clear text, evading antivirus detection, forming complex SQL queries, and enumerating data from DBs are a few of the techniques that you will learn in this chapter.

What you need for this book

To follow and recreate the examples in this book, you will need six to seven systems. One can be your penetration testing system--a box with Kali Linux installed--whereas others can be the systems under test. Alternatively, you can work on a single system and set up a virtual environment with host-only or bridged networks.

Apart from systems or virtualization, you will need the latest ISO of Kali Linux, which already packs Metasploit by default and contains all the other tools that are required for recreating the examples in this book.

You will also need to install Ubuntu 14.04 LTS, Windows XP, Windows 7 Home Basic, Windows Server 2008 R2, Windows Server 2012 R1, Metasploitable 2, Metasploitable 3, and Windows 10 either on virtual machines or live systems, as all these operating systems will serve as the test beds for Metasploit.

Additionally, links to all other required tools and vulnerable software are provided in the chapters.

Who this book is for

If you are a penetration tester, ethical hacker, or security consultant who wants to master the Metasploit framework quickly and carry out advanced penetration testing in highly secured environments, then this book is for you.


In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "We can see that running the pattern_create.rb script from the /tools/exploit/ directory, for a pattern of 1000 bytes, will generate the preceding output."

A block of code is set as follows:

def exploit
    weapon = "HEAD "
    weapon << make_nops(target['Offset'])
    weapon << generate_seh_record(target.ret)
    weapon << make_nops(19)
    weapon << payload.encoded
    weapon << " HTTP/1.0\r\n\r\n"

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    weapon << make_nops(target['Offset'])
 weapon << generate_seh_record(target.ret)
    weapon << make_nops(19)
    weapon << payload.encoded

Any command-line input or output is written as follows:

irb(main):003:1> res = a ^ b
irb(main):004:1> return res

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "We can see we have scanned the entire network and found two hosts running FTP services, which are TP-LINK FTP server and FTP Utility FTP server."


Warnings or important notes appear in a box like this.


Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book-what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail [email protected], and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from


Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books-maybe a mistake in the text or the code-we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to and enter the name of the book in the search field. The required information will appear under the Errata section.


Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at [email protected] with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.


If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.