Penetration testing is one of the core aspects of network security in today's scenario. It involves a complete analysis of the system by implementing real-life security tests. It helps in identifying potential weaknesses in the system's major components which can occur either in its hardware or software. The reason which makes penetration testing an important aspect of security is that it helps in identifying threats and weaknesses from a hacker's perspective. Loopholes can be exploited in real time to figure out the impact of vulnerability and then a suitable remedy or patch can be explored in order to protect the system from any outside attack and reduce the risk factors.
The biggest factor that determines the feasibility of penetration testing is the knowledge about the target system. Black box penetration testing is implemented when there is no prior knowledge of the target user. A pen-tester will have to start from scratch by collecting every bit of information about the target system in order to implement an attack. In white box testing, the complete knowledge about the target is known and the tester will have to identify any known or unknown weakness that may exist. Either of the two methods of penetration testing are equally difficult and are environment specific. Industry professionals have identified some of the key steps that are essential in almost all forms of penetration testing. These are:
Target discovery and enumeration: Identifying the target and collecting basic information about it without making any physical connection with it
Vulnerability identification: Implementing various discovery methods such as scanning, remote login, and network services, to figure out different services and software running on the target system
Exploitation: Exploiting a known or an unknown vulnerability in any of the software or services running on the target system
Level of control after exploitation: This is the level of access that an attacker can get on the target system after a successful exploitation
Reporting: Preparing an advisory about the vulnerability and its possible counter measures
These steps may appear few in number, but in fact a complete penetration testing of a high-end system with lots of services running on it can take days or even months to complete. The reason which makes penetration testing a lengthy task is that it is based on the "trial and error" technique. Exploits and vulnerabilities depend a lot on the system configuration so we can never be certain that a particular exploit will be successful or not unless we try it. Consider the example of exploiting a Windows-based system that is running 10 different services. A pen-tester will have to identify if there are any known vulnerabilities for those 10 different services. Once they are identified, the process of exploitation starts. This is a small example where we are considering only one system. What if we have an entire network of such systems to penetrate one by one?
This is where a penetration testing framework comes into action. They automate several processes of testing like scanning the network, identifying vulnerabilities based on available services and their versions, auto-exploit, and so on. They speed up the pen-testing process by proving a complete control panel to the tester from where he/she can manage all the activities and monitor the target systems effectively. The other important benefit of the penetration testing framework is report generation. They automate the process of saving the penetration testing results and generate reports that can be saved for later use, or can be shared with other peers working remotely.
Metasploit Penetration Testing Cookbook aims at helping the readers in mastering one of the most widely used penetration testing frameworks of today's scenarios. The Metasploit framework is an open source platform that helps in creating real-life exploitation scenarios along with other core functionalities of penetration testing. This book will take you to an exciting journey of exploring the world of Metasploit and how it can be used to perform effective pen-tests. This book will also cover some other extension tools that run over the framework and enhance its functionalities to provide a better pen-testing experience.
Chapter 1, Metasploit Quick Tips for Security Professionals, is the first step into the world of Metasploit and penetration testing. The chapter deals with a basic introduction to the framework, its architecture and libraries. In order to begin with penetration testing, we need a setup, so the chapter will guide you through setting up your own dummy penetration testing environment using virtual machines. Later, the chapter discusses about installing the framework on different operating systems. The chapter ends with giving the first taste of Metasploit and an introduction about its interfaces.
Chapter 2, Information Gathering and Scanning, is the first step to penetration testing. It starts with the most traditional way of information gathering and later on advances to scanning with Nmap. The chapter also covers some additional tools such as Nessus and NeXpose which covers the limitations of Nmap by providing additional information. At the end, the chapter discusses about the Dradis framework which is widely used by pen-testers to share their test results and reports with other remote testers.
Chapter 3, Operating System-based Vulnerability Assessment and Exploitation, talks about finding vulnerabilities in unpatched operating systems running on the target system. Operating system-based vulnerabilities have a good success rate and they can be exploited easily. The chapter discusses about penetrating several popular operating systems such as Windows XP, Windows 7, and Ubuntu. The chapter covers some of the popular, and known, exploits of these operating systems and how they can be used in Metasploit to break into a target machine.
Chapter 4, Client-side Exploitation and Antivirus Bypass, carries our discussion to the next step where we will discuss how Metasploit can be used to perform client-side exploitation. The chapter covers some of the popular client-side software such as Microsoft Office, Adobe Reader, and Internet Explorer. Later on, the chapter covers an extensive discussion about killing the client-side antivirus protection in order to prevent raising the alarm in the target system.
Chapter 5, Using Meterpreter to Explore the Compromised Target, discusses about the next step after exploitation. Meterpreter is a post-exploitation tool that has several functionalities, which can be helpful in penetrating the compromised target and gaining more information. The chapter covers some of the useful penetration testing techniques such as privilege escalation, accessing the file system, and keystroke sniffing.
Chapter 6, Advance Meterpreter Scripting, takes our Metasploit knowledge to the next level by covering some advance topics, such as building our own meterpreter script and working with API mixins. This chapter will provide flexibility to the readers as they can implement their own scripts into the framework according to the scenario. The chapter also covers some advance post exploitation concepts like pivoting, pass the hash and persistent connection.
Chapter 7, Working with Modules for Penetration Testing, shifts our focus to another important aspect of Metasploit; its modules. Metasploit has a decent collection of specific modules that can be used under particular scenarios. The chapter covers some important auxiliary modules and later on advances to building our own Metasploit modules. The chapter requires some basic knowledge of Ruby scripting.
Chapter 8, Working with Exploits, adds the final weapon into the arsenal by discussing how we can convert any exploit into a Metasploit module. This is an advanced chapter that will enable the readers to build their own Metasploit exploit modules and import it into the framework. As all the exploits are not covered under the framework, this chapter can be handy in case we want to test an exploit that is not there in the Metasploit repository. The chapter also discusses about fuzzing modules that can be useful in building your own proof of concepts for any vulnerability. Finally, the chapter ends with a complete example on how we can fuzz an application to find the overflow conditions and then build a Metasploit module for it.
Chapter 9, Working with Armitage, is a brief discussion about one of the popular Metasploit extensions, Armitage. It provides a graphical interface to the framework and enhances its functionalities by providing point and click exploitation options. The chapter focuses on important aspects of Armitage, such as quickly finding vulnerabilities, handling multiple targets, shifting among tabs, and dealing with post exploitation.
Chapter 10, Social Engineer Toolkit, is the final discussion of this book which covers yet another important extension of framework. Social Engineer Toolkit (SET) is used to generate test cases that rely on human negligence in order to compromise the target. The chapter covers basic attack vectors related to SET that includes spear phishing, website attack vector, generating infectious media such as a USB.
To follow and recreate the recipes of this book, you will need two systems. One can be your pen-testing system and the other can be your target. Alternatively, you can also work with a single system and set up a penetration testing environment by using any virtualization software.
Apart from that you will require an ISO image of BackTrack 5 which has pre-installed Metasploit and other tools that we will be discussing in this book. Alternatively, you can download the Metasploit framework separately for your preferred operating system from its official website.
This book targets both professional penetration testers, as well as new users of Metasploit who are willing to expertise the tool. There is something for everyone. The book has a recipe structure which is easy to read, understand, and recollect. The book starts with the basics of penetration testing and later on advances to expert level. The transition from the beginners to the advanced level is smooth. So, it can be easily read and understood by readers of all categories. The book requires basic knowledge of scanning, exploitation, and Ruby language.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: " The last two commands, vulns and db_autopwn are post-exploitation commands, which we will deal with in later chapters."
A block of code is set as follows:
# Register command execution options
register_options(
[
OptString.new('USER', [ true, "The username to create", "metasploit" ]),
OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
], self.class)Any command-line input or output is written as follows:
$ chmod +x framework-4.*-linux-full.run
$ sudo ./framework-4.*-linux-full.runNew terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: " You can either start the Metasploit framework from the Applications menu or from the command line".
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title through the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website, or added to any list of existing errata, under the Errata section of that title.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.