Mastering Metasploit - Second Edition
Ebook, 705 pages, 3 hours

About this ebook

About This Book
  • Gain the skills to carry out penetration testing in complex and highly-secured environments
  • Become a master using the Metasploit framework, develop exploits, and generate modules for a variety of real-world scenarios
  • Get this completely updated edition with new useful methods and techniques to make your network robust and resilient
Who This Book Is For

This book is a hands-on guide to penetration testing with Metasploit that covers the framework end to end, from using its existing modules to writing your own. It presents a number of techniques and methodologies that will help you master the Metasploit framework and carry out advanced penetration testing in highly secured environments.

Language: English
Publisher: Packt Publishing
Release date: Sep 30, 2016
ISBN: 9781786462343

    Mastering Metasploit - Second Edition - Nipun Jaswal

    Table of Contents

    Mastering Metasploit

    Second Edition

    Credits

    Foreword

    About the Author

    About the Reviewer

    www.PacktPub.com

    Why subscribe?

    Preface

    What this book covers

    What you need for this book

    Who this book is for

    Conventions

    Reader feedback

    Customer support

    Errata

    Piracy

    Questions

    1. Approaching a Penetration Test Using Metasploit

    Organizing a penetration test

    Preinteractions

    Intelligence gathering/reconnaissance phase

    Predicting the test grounds

    Modeling threats

    Vulnerability analysis

    Exploitation and post-exploitation

    Reporting

    Mounting the environment

    Setting up Kali Linux in a virtual environment

    The fundamentals of Metasploit

    Conducting a penetration test with Metasploit

    Recalling the basics of Metasploit

    Benefits of penetration testing using Metasploit

    Open source

    Support for testing large networks and easy naming conventions

    Smart payload generation and switching mechanism

    Cleaner exits

    The GUI environment

    Penetration testing an unknown network

    Assumptions

    Gathering intelligence

    Using databases in Metasploit

    Modeling threats

    Vulnerability analysis of VSFTPD 2.3.4 backdoor

    The attack procedure

    The procedure of exploiting the vulnerability

    Exploitation and post exploitation

    Vulnerability analysis of PHP-CGI query string parameter vulnerability

    Exploitation and post exploitation

    Vulnerability analysis of HFS 2.3

    Exploitation and post exploitation

    Maintaining access

    Clearing tracks

    Revising the approach

    Summary

    2. Reinventing Metasploit

    Ruby – the heart of Metasploit

    Creating your first Ruby program

    Interacting with the Ruby shell

    Defining methods in the shell

    Variables and data types in Ruby

    Working with strings

    Concatenating strings

    The substring function

    The split function

    Numbers and conversions in Ruby

    Conversions in Ruby

    Ranges in Ruby

    Arrays in Ruby

    Methods in Ruby

    Decision-making operators

    Loops in Ruby

    Regular expressions

    Wrapping up with Ruby basics

    Developing custom modules

    Building a module in a nutshell

    The architecture of the Metasploit framework

    Understanding the file structure

    The libraries layout

    Understanding the existing modules

    The format of a Metasploit module

    Disassembling existing HTTP server scanner module

    Libraries and the function

    Writing out a custom FTP scanner module

    Libraries and the function

    Using msftidy

    Writing out a custom SSH authentication brute forcer

    Rephrasing the equation

    Writing a drive disabler post exploitation module

    Writing a credential harvester post exploitation module

    Breakthrough meterpreter scripting

    Essentials of meterpreter scripting

    Pivoting the target network

    Setting up persistent access

    API calls and mixins

    Fabricating custom meterpreter scripts

    Working with RailGun

    Interactive Ruby shell basics

    Understanding RailGun and its scripting

    Manipulating Windows API calls

    Fabricating sophisticated RailGun scripts

    Summary

    3. The Exploit Formulation Process

    The absolute basics of exploitation

    The basics

    The architecture

    System organization basics

    Registers

    Exploiting stack-based buffer overflows with Metasploit

    Crashing the vulnerable application

    Building the exploit base

    Calculating the offset

    Using the pattern_create tool

    Using the pattern_offset tool

    Finding the JMP ESP address

    Using Immunity Debugger to find executable modules

    Using msfbinscan

    Stuffing the space

    Relevance of NOPs

    Determining bad characters

    Determining space limitations

    Writing the Metasploit exploit module

    Exploiting SEH-based buffer overflows with Metasploit

    Building the exploit base

    Calculating the offset

    Using pattern_create tool

    Using pattern_offset tool

    Finding the POP/POP/RET address

    The Mona script

    Using msfbinscan

    Writing the Metasploit SEH exploit module

    Using NASM shell for writing assembly instructions

    Bypassing DEP in Metasploit modules

    Using msfrop to find ROP gadgets

    Using Mona to create ROP chains

    Writing the Metasploit exploit module for DEP bypass

    Other protection mechanisms

    Summary

    4. Porting Exploits

    Importing a stack-based buffer overflow exploit

    Gathering the essentials

    Generating a Metasploit module

    Exploiting the target application with Metasploit

    Implementing a check method for exploits in Metasploit

    Importing web-based RCE into Metasploit

    Gathering the essentials

    Grasping the important web functions

    The essentials of the GET/POST method

    Importing an HTTP exploit into Metasploit

    Importing TCP server/ browser-based exploits into Metasploit

    Gathering the essentials

    Generating the Metasploit module

    Summary

    5. Testing Services with Metasploit

    The fundamentals of SCADA

    The fundamentals of ICS and its components

    The significance of ICS-SCADA

    Analyzing security in SCADA systems

    Fundamentals of testing SCADA

    SCADA-based exploits

    Securing SCADA

    Implementing secure SCADA

    Restricting networks

    Database exploitation

    SQL server

    Fingerprinting SQL server with Nmap

    Scanning with Metasploit modules

    Brute forcing passwords

    Locating/capturing server passwords

    Browsing SQL server

    Post-exploiting/executing system commands

    Reloading the xp_cmdshell functionality

    Running SQL-based queries

    Testing VOIP services

    VOIP fundamentals

    An introduction to PBX

    Types of VOIP services

    Self-hosted network

    Hosted services

    SIP service providers

    Fingerprinting VOIP services

    Scanning VOIP services

    Spoofing a VOIP call

    Exploiting VOIP

    About the vulnerability

    Exploiting the application

    Summary

    6. Virtual Test Grounds and Staging

    Performing a penetration test with integrated Metasploit services

    Interaction with the employees and end users

    Gathering intelligence

    Example environment under test

    Vulnerability scanning with OpenVAS using Metasploit

    Modeling the threat areas

    Gaining access to the target

    Vulnerability scanning with Nessus

    Maintaining access and covering tracks

    Managing a penetration test with Faraday

    Generating manual reports

    The format of the report

    The executive summary

    Methodology / network admin level report

    Additional sections

    Summary

    7. Client-side Exploitation

    Exploiting browsers for fun and profit

    The browser autopwn attack

    The technology behind a browser autopwn attack

    Attacking browsers with Metasploit browser autopwn

    Compromising the clients of a website

    Injecting malicious web scripts

    Hacking the users of a website

    Conjunction with DNS spoofing

    Tricking victims with DNS hijacking

    Metasploit and Arduino - the deadly combination

    File format-based exploitation

    PDF-based exploits

    Word-based exploits

    Compromising Linux clients with Metasploit

    Attacking Android with Metasploit

    Summary

    8. Metasploit Extended

    The basics of post exploitation with Metasploit

    Basic post exploitation commands

    The help menu

    Background command

    Machine ID and UUID command

    Reading from a channel

    Getting the username and process information

    Getting system information

    Networking commands

    File operation commands

    Desktop commands

    Screenshots and camera enumeration

    Advanced post exploitation with Metasploit

    Migrating to safer processes

    Obtaining system privileges

    Obtaining password hashes using hashdump

    Changing access, modification and creation time with timestomp

    Additional post exploitation modules

    Gathering wireless SSIDs with Metasploit

    Gathering Wi-Fi passwords with Metasploit

    Getting applications list

    Gathering Skype passwords

    Gathering USB history

    Searching files with Metasploit

    Wiping logs from target with clearev command

    Advanced extended features of Metasploit

    Privilege escalation using Metasploit

    Finding passwords in clear text using mimikatz

    Sniffing traffic with Metasploit

    Host file injection with Metasploit

    Phishing Windows login passwords

    Summary

    9. Speeding up Penetration Testing

    Using pushm and popm commands

    The loadpath command

    Pacing up development using reload, edit and reload_all commands

    Making use of resource scripts

    Using AutoRunScript in Metasploit

    Using multiscript module in AutoRunScript option

    Globalizing variables in Metasploit

    Automating Social-Engineering Toolkit

    Summary

    10. Visualizing with Armitage

    The fundamentals of Armitage

    Getting started

    Touring the user interface

    Managing the workspace

    Scanning networks and host management

    Modeling out vulnerabilities

    Finding the match

    Exploitation with Armitage

    Post-exploitation with Armitage

    Attacking on the client side with Armitage

    Scripting Armitage

    The fundamentals of Cortana

    Controlling Metasploit

    Post-exploitation with Cortana

    Building a custom menu in Cortana

    Working with interfaces

    Summary

    Further reading

    Mastering Metasploit

    Second Edition

    Copyright © 2016 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: May 2014

    Second edition: September 2016

    Production reference: 1270916

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham 

    B3 2PB, UK.

    ISBN 978-1-78646-316-6

    www.packtpub.com

    Credits

    Foreword

    With the rising age of technology, the need for IT security has not only become a necessity but a practice that every organization must follow. Penetration testing is a practice that tends to keep businesses and organizations safe from external and internal threats such as information leakage, unauthorized access to various resources, critical business data, and much more.

    Companies providing services such as penetration testing and vulnerability assessments can be thought of as a group of people paid to break into a company so that no one else can break into it. However, the term penetration testing has a completely different meaning when it comes to law enforcement agencies throughout the world.

    A penetration test comprises various phases, starting with profiling the target through information gathering, scanning for open entrances (also termed port scanning), gaining access to the systems by exploiting vulnerable entrances, maintaining access to the target, and covering tracks.

    Zero-day exploits and advanced persistent threats have recently dominated the cyber security scene throughout the world by compromising small to large firms and leaking crucial business data. Therefore, the life of a penetration tester has become quite challenging in terms of day-to-day operations, and it is very important for a penetration tester to keep himself updated with the latest tools and techniques.

    In this book, you will see penetration testing covered through a completely practical approach. The author is a widely known security professional with experience ranging from the top of the corporate security structure all the way down to ground-level research and exploit writing.

    There are a number of books available on penetration testing, and many covering specific security tools used in penetration testing. This book is a perfect blend of both, covering the most widely used penetration testing framework, Metasploit, with a completely hands-on approach.

    Metasploit is one of the most widely used penetration testing frameworks, used by organizations ranging from corporations to law enforcement agencies. Metasploit comprises over 1500 modules that deliver functionality covering every phase of a penetration test, making the life of a penetration tester comparatively easier. Not only does it provide a comprehensive and efficient way of conducting a penetration test, but, being an open source framework, it also offers an extensive approach to developing new exploits and automating various tasks, reducing tons of manual effort and saving a great deal of time.

    With the support of a large community, Metasploit is constantly updated with new tools and techniques, and is updated so frequently that a particular technique might change overnight. The author undertook a massive task in writing a book on a subject that is updated so frequently. I believe you will find the techniques covered in this book valuable and an excellent reference in all your future engagements.

    Maj. Gen. J.P. Singh, Shaurya Chakra (Retd.)

    M.Sc, MBA, MMS, M.Phil

    Sr. Director, Amity University

    About the Author

    Nipun Jaswal is an IT security business executive and a passionate IT security researcher with more than 7 years of professional experience. He has knowledge of all aspects of IT security testing and implementation, with expertise in managing cross-cultural teams and planning the execution of security needs beyond national boundaries.

    He holds an M.Tech in Computer Science and is a thought leader who has contributed to raising the bar of understanding of cyber security and ethical hacking among students of many colleges and universities in India. He is a voracious public speaker, delivering talks on improving IT security, insider threats, social engineering, wireless forensics, and exploit writing. He is the author of numerous IT security articles in popular security magazines such as Eforensics, Hakin9, and Security Kaizen. Many popular companies, including Apple, Microsoft, AT&T, Offensive Security, Rapid7, Blackberry, Nokia, Zynga.com, and others, have thanked him for finding vulnerabilities in their systems. He has also been acknowledged with the Award of Excellence from the National Cyber Defense and Research Center (NCDRC) for his tremendous contributions to the IT security industry.

    In his current role, he leads a team of super specialists in cyber security to protect various clients from cyber security threats and network intrusion by providing the necessary solutions and services. Please feel free to contact him via email at [email protected].

    First of all, I would like to thank everyone who read the first edition and made it a success. I would like to thank my mom, Mrs. Sushma Jaswal, and my grandmother, Mrs. Malkiet Parmar, for helping me out at every stage of my life. I would also like to extend my gratitude to Ms. Mini Malhotra for being extremely supportive throughout the writing process. I would like to thank Mr. Adrian Pruteanu for reviewing my work and suggesting all the changes. I would like to thank everyone at Packt, including Ms. Prachi Bisht and Ms. Trusha Shriyan, for being an excellent team and providing me with the opportunity to work on this wonderful project. Last but not least, I would like to thank the Almighty for providing me with the immense power to work on this project.

    About the Reviewer

    Adrian Pruteanu is a senior consultant who specializes in penetration testing and reverse engineering. With over 10 years of experience in the security industry, Adrian has provided services to all major financial institutions in Canada, as well as countless other companies around the world. You can find him on Twitter as @waydrian, or on his seldom updated blog https://bittherapy.net.

    www.PacktPub.com

    For support files and downloads related to your book, please visit www.PacktPub.com.

    Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

    At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

    www.PacktPub.com

    https://www.packtpub.com/mapt

    Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

    Why subscribe?

    Fully searchable across every book published by Packt

    Copy and paste, print, and bookmark content

    On demand and accessible via a web browser

    In memory of all our brave soldiers who lost their lives serving the country.

    Preface

    Penetration testing is a necessity for every business today. With the rise of cyber- and computer-based crime in the past few years, it has become one of the core aspects of network security and helps keep a business secure from internal as well as external threats. It is a necessity because it uncovers the potential flaws in a network, a system, or an application, and identifies weaknesses and threats from an attacker's perspective: the flaws are actually exploited to find out what impact they would have on the organization and what risk they pose to its assets. The success of a penetration test, however, depends largely on how much is known about the target under test, so a test is generally approached in one of two ways: black box testing or white box testing. In black box testing there is no prior knowledge of the target, and the tester begins by systematically collecting information about it. In white box testing the tester already has substantial knowledge of the target and starts by identifying its known and unknown weaknesses. A penetration test is generally divided into the following seven phases:

    Pre-engagement interactions: This phase defines all the pre-engagement activities and the scope, basically everything you need to agree with the client before testing starts.

    Intelligence gathering: This phase is all about collecting information about the target under test, both actively, by connecting to the target directly, and passively, without connecting to the target at all.

    Threat modeling: This phase matches the information gathered against the assets in order to find the areas with the highest threat level.

    Vulnerability analysis: This phase involves finding and identifying known and unknown vulnerabilities and validating them.

    Exploitation: This phase takes advantage of the vulnerabilities found in the previous phase, which typically means trying to gain access to the target.

    Post-exploitation: The actual tasks performed on the target, such as downloading a file, shutting a system down, or creating a new user account, belong to this phase. In general, it describes what you do once you have gained access.

    Reporting: This phase sums up the results of the test in a document, together with suggestions and recommendations for fixing the weaknesses found in the target.

    These seven phases may look straightforward when there is a single target under test. The situation changes completely when a large network containing hundreds of systems is to be tested; manual work then has to be replaced with an automated approach. Consider a scenario where exactly 100 systems are under test, all running the same operating system and services. Testing each system by hand would consume a great deal of time and energy. Situations like these demand a penetration testing framework, which not only saves time but also offers far more flexibility in changing attack vectors and covering a much wider range of targets. A framework automates most of the attack vectors, the scanning, the identification of vulnerabilities and, most importantly, their exploitation, which speeds the whole test up. This is where Metasploit comes in.
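    The scenario above, many hosts exposing the same service, is exactly where a framework pays off: one scanner module with a host range replaces a hundred manual runs. As an added example that is not code from the book or from the Metasploit project, the Ruby script below turns a constructed service listing (its columns mimic the `services` table that msfconsole prints after a `db_nmap` sweep; the hosts and versions are invented) into a resource script that runs one version-scanner module per service class, with RHOSTS collapsed into contiguous ranges. The scanner module paths are real framework modules; which one to run for each service name is this example's own assumption.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the book or the Metasploit project: turn a
# service listing covering many hosts into a Metasploit resource script so
# that each scanner module runs once per service class rather than once per
# host. Assumptions: the input format below and the service-to-module table.

require 'ipaddr'
require 'socket'

# Constructed sample input. The columns mimic the `services` table that
# msfconsole prints after a `db_nmap` sweep; the hosts and versions are
# invented for this example.
SERVICES_TEXT = <<~TXT
  host           port  proto  name  state   info
  192.168.56.10  21    tcp    ftp   open    vsftpd 2.3.4
  192.168.56.11  21    tcp    ftp   open    vsftpd 2.3.4
  192.168.56.12  22    tcp    ssh   open    OpenSSH 5.3p1
  192.168.56.13  80    tcp    http  open    Apache httpd 2.2.8
  192.168.56.14  80    tcp    http  open    Apache httpd 2.2.8
  192.168.56.15  80    tcp    http  open    Apache httpd 2.2.8
  192.168.56.20  445   tcp    smb   open    Samba smbd 3.X
  192.168.56.21  80    tcp    http  closed
TXT

# Version scanner to run for each service name. The module paths are real
# framework modules; choosing these particular ones is this example's decision.
SCANNER_MODULES = {
  'ftp'  => 'auxiliary/scanner/ftp/ftp_version',
  'ssh'  => 'auxiliary/scanner/ssh/ssh_version',
  'http' => 'auxiliary/scanner/http/http_version',
  'smb'  => 'auxiliary/scanner/smb/smb_version'
}.freeze

Service = Struct.new(:host, :port, :proto, :name, :state, :info)

# Parse the table into Service records. The header row is skipped and the
# free-text info column, which may be empty, absorbs the rest of the line.
def parse_services(text)
  text.each_line.drop(1).map(&:strip).reject(&:empty?).map do |line|
    host, port, proto, name, state, info = line.split(/\s+/, 6)
    Service.new(host, Integer(port), proto, name, state, info.to_s)
  end
end

# Group open services by (name, port) so one module run can cover every host
# that exposes that service; closed ports are dropped here.
def group_open_services(services)
  services.select { |s| s.state == 'open' }
          .group_by { |s| [s.name, s.port] }
          .transform_values { |list| list.map(&:host).uniq }
end

def ip_string(int)
  IPAddr.new(int, Socket::AF_INET).to_s
end

# Collapse addresses into RHOSTS range notation: contiguous IPs become
# "first-last", which Metasploit expands at run time, so 100 neighbouring
# hosts fit on one line.
def compress_hosts(hosts)
  ranges = []
  hosts.map { |h| IPAddr.new(h).to_i }.uniq.sort.each do |ip|
    if !ranges.empty? && ranges.last[1] + 1 == ip
      ranges.last[1] = ip
    else
      ranges << [ip, ip]
    end
  end
  ranges.map { |lo, hi| lo == hi ? ip_string(lo) : "#{ip_string(lo)}-#{ip_string(hi)}" }.join(' ')
end

# Emit the resource script. Services with no mapped scanner are written as a
# comment so nothing that was discovered silently drops out of the test plan.
def build_resource_script(services, modules = SCANNER_MODULES)
  out = ['# generated resource script: replay with msfconsole -r scan.rc',
         'workspace -a bulk_scan']
  group_open_services(services).sort.each do |(name, port), hosts|
    mod = modules[name]
    unless mod
      out << "# no scanner mapped for #{name}/#{port}: #{compress_hosts(hosts)}"
      next
    end
    out << "use #{mod}"
    out << "set RHOSTS #{compress_hosts(hosts)}"
    out << "set RPORT #{port}"
    out << 'set THREADS 10'
    out << 'run'
  end
  out.join("\n") + "\n"
end

puts build_resource_script(parse_services(SERVICES_TEXT)) if __FILE__ == $PROGRAM_NAME
```

    Save the output as scan.rc and replay it with `msfconsole -r scan.rc`; the version scanners populate the same database that the `services` table came from, so the next iteration of the script sees the banners it needs for vulnerability analysis. Anything without a mapped module is left as a comment rather than dropped, so the gap between what was discovered and what was tested stays visible in the resource file.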

    Metasploit is considered one of the best and most widely used penetration testing frameworks. With a strong reputation in the IT security community, Metasploit not only meets the needs of a great penetration testing framework but also delivers innovative features that make a penetration tester's life easier.

    Mastering Metasploit aims to give readers insight into the most popular penetration testing framework, Metasploit. The book focuses on mastering Metasploit in terms of exploitation, writing custom exploits, porting exploits, testing services, and conducting sophisticated client-side testing. It also shows how to convert your customized attack vectors into Metasploit modules, covering Ruby and attack scripting with Cortana. The book not only builds your penetration testing knowledge but also helps you build programming skills.

    What this book covers

    Chapter 1, Approaching a Penetration Test Using Metasploit, walks through organizing a penetration test, from pre-interactions and intelligence gathering through threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. It covers setting up Kali Linux in a virtual environment, the fundamentals of Metasploit and the benefits of testing with it, and then applies the methodology to an unknown network, including using Metasploit's database, the VSFTPD 2.3.4 backdoor, the PHP-CGI query string parameter vulnerability, and HFS 2.3, before maintaining access and clearing tracks.

    Chapter 2, Reinventing Metasploit, introduces Ruby, the language Metasploit is written in, and the architecture and file structure of the framework. It then develops custom modules, including an FTP scanner, an SSH authentication brute forcer, and drive-disabler and credential-harvester post-exploitation modules, and moves on to Meterpreter scripting, pivoting, persistent access, API calls and mixins, and manipulating Windows API calls with RailGun.

    Chapter 3, The Exploit Formulation Process, covers the basics of exploitation, system organization, and registers, then builds Metasploit modules for stack-based buffer overflows (calculating the offset with pattern_create and pattern_offset, finding a JMP ESP address with Immunity Debugger and msfbinscan, NOPs, bad characters, and space limitations), SEH-based overflows (finding POP/POP/RET addresses with Mona and msfbinscan), and DEP bypasses using ROP gadgets found with msfrop and Mona. It closes with other protection mechanisms.

    Chapter 4, Porting Exploits, shows how to import existing exploits into Metasploit: a stack-based buffer overflow, a web-based RCE (covering the essentials of the GET and POST methods), and TCP server and browser-based exploits, and how to implement a check method for exploit modules.

    Chapter 5, Testing Services with Metasploit, covers the fundamentals of SCADA and ICS, SCADA-based exploits and securing SCADA; database exploitation against SQL Server, from fingerprinting with Nmap and Metasploit scanner modules through brute forcing passwords, browsing the server, executing system commands, and reloading xp_cmdshell; and testing VOIP services, including fingerprinting, scanning, call spoofing, and exploitation.

    Chapter 6, Virtual Test Grounds and Staging, performs a penetration test with integrated Metasploit services: gathering intelligence, vulnerability scanning with OpenVAS and Nessus from within Metasploit, modeling threat areas, gaining and maintaining access, and covering tracks. It also covers managing a penetration test with Faraday and generating manual reports, including the executive summary and the methodology or network admin level report.

    Chapter 7, Client-side Exploitation, covers exploiting browsers with the browser autopwn attack, compromising the users of a website by injecting malicious web scripts, combining these attacks with DNS spoofing and hijacking, using Metasploit together with Arduino, file format-based exploitation with PDF and Word documents, and compromising Linux and Android clients.

    Chapter 8, Metasploit Extended, covers post-exploitation with Metasploit, from basic Meterpreter commands (help, background, machine ID and UUID, reading from a channel, process, system, networking, file, and desktop commands, screenshots and camera enumeration) to advanced techniques such as migrating to safer processes, obtaining system privileges, hashdump, and timestomp. It continues with additional post-exploitation modules (wireless SSIDs and Wi-Fi passwords, application lists, Skype passwords, USB history, file searching, and clearing logs with clearev) and extended features including privilege escalation, mimikatz, traffic sniffing, host file injection, and phishing Windows login passwords.
