Discover the next level of network defense with the Metasploit framework
We start by reminding you of the basic functionalities of Metasploit and its use in the most traditional ways. You'll get to know the basics of programming Metasploit modules as a refresher and then dive into carrying out exploitation as well as building and porting exploits of various kinds in Metasploit.
In the next section, you'll develop the ability to perform testing on various services such as databases, cloud environments, IoT, mobile, tablets, and similar services. After this training, we jump into real-world sophisticated scenarios where performing penetration tests is a challenge. With real-life case studies, we take you on a journey through client-side attacks using Metasploit and various scripts built on the Metasploit framework.
By the end of the book, you will be trained specifically on time-saving techniques using Metasploit.
This book is a hands-on guide to penetration testing using Metasploit and covers its complete development. It shows a number of techniques and methodologies that will help you master the Metasploit framework and explore approaches to carrying out advanced penetration testing in highly secured environments.
Page count: 352
Year of publication: 2018
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Abhishek Jadhav
Technical Editor: Aditya Khadye
Copy Editor: Safis Editing, Dipti Mankame
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Priyanka Dhadke
Graphics: Tom Scaria
Production Coordinator: Deepika Naik
First published: May 2014
Second edition: September 2016
Third edition: May 2018
Production reference: 1240518
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78899-061-5
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Nipun Jaswal is an International Cyber Security Author and an award-winning IT security researcher with a decade of experience in penetration testing, vulnerability assessments, surveillance and monitoring solutions, and RF and wireless hacking.
He has authored Metasploit Bootcamp, Mastering Metasploit, and Mastering Metasploit—Second Edition, and coauthored the Metasploit Revealed set of books. He has authored numerous articles and exploits that can be found on popular security databases, such as packet storm and exploit-db. Please feel free to contact him at @nipunjaswal.
Sagar Rahalkar is a seasoned InfoSec professional with more than 11 years of experience in various verticals of IS. His domain expertise is mainly in Digital Forensics, AppSec, VAPT, and IT GRC. He holds a master's degree in computer science and several industry-recognized certifications, such as Certified Cyber Crime Investigator, CEH, ECSA, ISO 27001 Lead Auditor, IBM AppScan, CISM, and PRINCE2. He has independently authored two books and reviewed several publications as well.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Mastering Metasploit Third Edition
Dedication
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Approaching a Penetration Test Using Metasploit
Organizing a penetration test
Preinteractions
Intelligence gathering/reconnaissance phase
Threat modeling
Vulnerability analysis
Exploitation and post-exploitation
Reporting
Mounting the environment
Setting up Kali Linux in a virtual environment
The fundamentals of Metasploit
Conducting a penetration test with Metasploit
Recalling the basics of Metasploit
Benefits of penetration testing using Metasploit
Open source
Support for testing large networks and natural naming conventions
Smart payload generation and switching mechanism
Cleaner exits
The GUI environment
Case study - diving deep into an unknown network
Gathering intelligence
Using databases in Metasploit
Modeling threats
Vulnerability analysis - arbitrary file upload (unauthenticated)
Attacking mechanism on the PhpCollab 2.5.1 application
Exploitation and gaining access
Escalating privileges with local root exploits
Maintaining access with Metasploit
Post-exploitation and pivoting
Vulnerability analysis - SEH based buffer overflow
Exploiting human errors by compromising Password Managers
Revisiting the case study
Revising the approach
Summary and exercises
Reinventing Metasploit
Ruby - the heart of Metasploit
Creating your first Ruby program
Interacting with the Ruby shell
Defining methods in the shell
Variables and data types in Ruby
Working with strings
Concatenating strings
The substring function
The split function
Numbers and conversions in Ruby
Conversions in Ruby
Ranges in Ruby
Arrays in Ruby
Methods in Ruby
Decision-making operators
Loops in Ruby
Regular expressions
Wrapping up with Ruby basics
Developing custom modules
Building a module in a nutshell
The architecture of the Metasploit framework
Understanding the file structure
The libraries layout
Understanding the existing modules
The format of a Metasploit module
Disassembling the existing HTTP server scanner module
Libraries and the function
Writing out a custom FTP scanner module
Libraries and functions
Using msftidy
Writing out a custom SSH-authentication with a brute force attack
Rephrasing the equation
Writing a drive-disabler post-exploitation module
Writing a credential harvester post-exploitation module
Breakthrough Meterpreter scripting
Essentials of Meterpreter scripting
Setting up persistent access
API calls and mixins
Fabricating custom Meterpreter scripts
Working with RailGun
Interactive Ruby shell basics
Understanding RailGun and its scripting
Manipulating Windows API calls
Fabricating sophisticated RailGun scripts
Summary and exercises
The Exploit Formulation Process
The absolute basics of exploitation
The basics
The architecture
System organization basics
Registers
Exploiting stack-based buffer overflows with Metasploit
Crashing the vulnerable application
Building the exploit base
Calculating the offset
Using the pattern_create tool
Using the pattern_offset tool
Finding the JMP ESP address
Using the Immunity Debugger to find executable modules
Using msfpescan
Stuffing the space
Relevance of NOPs
Determining bad characters
Determining space limitations
Writing the Metasploit exploit module
Exploiting SEH-based buffer overflows with Metasploit
Building the exploit base
Calculating the offset
Using the pattern_create tool
Using the pattern_offset tool
Finding the POP/POP/RET address
The Mona script
Using msfpescan
Writing the Metasploit SEH exploit module
Using the NASM shell for writing assembly instructions
Bypassing DEP in Metasploit modules
Using msfrop to find ROP gadgets
Using Mona to create ROP chains
Writing the Metasploit exploit module for DEP bypass
Other protection mechanisms
Summary
Porting Exploits
Importing a stack-based buffer overflow exploit
Gathering the essentials
Generating a Metasploit module
Exploiting the target application with Metasploit
Implementing a check method for exploits in Metasploit
Importing web-based RCE into Metasploit
Gathering the essentials
Grasping the important web functions
The essentials of the GET/POST method
Importing an HTTP exploit into Metasploit
Importing TCP server/browser-based exploits into Metasploit
Gathering the essentials
Generating the Metasploit module
Summary
Testing Services with Metasploit
Fundamentals of testing SCADA systems
The fundamentals of ICS and its components
The significance of ICS-SCADA
Exploiting HMI in SCADA servers
Fundamentals of testing SCADA
SCADA-based exploits
Attacking the Modbus protocol
Securing SCADA
Implementing secure SCADA
Restricting networks
Database exploitation
SQL server
Scanning MSSQL with Metasploit modules
Brute forcing passwords
Locating/capturing server passwords
Browsing the SQL server
Post-exploiting/executing system commands
Reloading the xp_cmdshell functionality
Running SQL-based queries
Testing VOIP services
VOIP fundamentals
An introduction to PBX
Types of VOIP services
Self-hosted network
Hosted services
SIP service providers
Fingerprinting VOIP services
Scanning VOIP services
Spoofing a VOIP call
Exploiting VOIP
About the vulnerability
Exploiting the application
Summary
Virtual Test Grounds and Staging
Performing a penetration test with integrated Metasploit services
Interaction with the employees and end users
Gathering intelligence
Example environment being tested
Vulnerability scanning with OpenVAS using Metasploit
Modeling the threat areas
Gaining access to the target
Exploiting the Active Directory (AD) with Metasploit
Finding the domain controller
Enumerating shares in the Active Directory network
Enumerating the AD computers
Enumerating signed-in users in the Active Directory
Enumerating domain tokens
Using extapi in Meterpreter
Enumerating open Windows using Metasploit
Manipulating the clipboard
Using ADSI management commands in Metasploit
Using PsExec exploit in the network
Using Kiwi in Metasploit
Using cachedump in Metasploit
Maintaining access to AD
Generating manual reports
The format of the report
The executive summary
Methodology/network admin-level report
Additional sections
Summary
Client-Side Exploitation
Exploiting browsers for fun and profit
The browser autopwn attack
The technology behind the browser autopwn attack
Attacking browsers with Metasploit browser autopwn
Compromising the clients of a website
Injecting the malicious web scripts
Hacking the users of a website
The autopwn with DNS spoofing and MITM attacks
Tricking victims with DNS hijacking
Using Kali NetHunter with browser exploits
Metasploit and Arduino - the deadly combination
File format-based exploitation
PDF-based exploits
Word-based exploits
Attacking Android with Metasploit
Summary and exercises
Metasploit Extended
Basics of post-exploitation with Metasploit
Basic post-exploitation commands
The help menu
The background command
Reading from a channel
File operation commands
Desktop commands
Screenshots and camera enumeration
Advanced post-exploitation with Metasploit
Obtaining system privileges
Changing access, modification, and creation time with timestomp
Additional post-exploitation modules
Gathering wireless SSIDs with Metasploit
Gathering Wi-Fi passwords with Metasploit
Getting the applications list
Gathering Skype passwords
Gathering USB history
Searching files with Metasploit
Wiping logs from the target with the clearev command
Advanced extended features of Metasploit
Using pushm and popm commands
Speeding up development using the reload, edit, and reload_all commands
Making use of resource scripts
Using AutoRunScript in Metasploit
Using the multiscript module in AutoRunScript option
Privilege escalation using Metasploit
Finding passwords in clear text using mimikatz
Sniffing traffic with Metasploit
Host file injection with Metasploit
Phishing Windows login passwords
Summary and exercises
Evasion with Metasploit
Evading Meterpreter using C wrappers and custom encoders
Writing a custom Meterpreter encoder/decoder in C
Evading intrusion detection systems with Metasploit
Using random cases for fun and profit
Using fake relatives to fool IDS systems
Bypassing Windows firewall blocked ports
Using the reverse Meterpreter on all ports
Summary and exercises
Metasploit for Secret Agents
Maintaining anonymity in Meterpreter sessions
Maintaining access using vulnerabilities in common software
DLL search order hijacking
Using code caves for hiding backdoors
Harvesting files from target systems
Using venom for obfuscation
Covering tracks with anti-forensics modules
Summary
Visualizing with Armitage
The fundamentals of Armitage
Getting started
Touring the user interface
Managing the workspace
Scanning networks and host management
Modeling out vulnerabilities
Finding the match
Exploitation with Armitage
Post-exploitation with Armitage
Red teaming with Armitage team server
Scripting Armitage
The fundamentals of Cortana
Controlling Metasploit
Post-exploitation with Cortana
Building a custom menu in Cortana
Working with interfaces
Summary
Tips and Tricks
Automation using Minion script
Using connect as Netcat
Shell upgrades and background sessions
Naming conventions
Changing the prompt and making use of database variables
Saving configurations in Metasploit
Using inline handler and renaming jobs
Running commands on multiple Meterpreters
Automating the Social Engineering Toolkit
Cheat sheets on Metasploit and penetration testing
Further reading
Other Books You May Enjoy
Leave a review - let other readers know what you think
Penetration testing is required everywhere in business today. With the rise of cyber and computer-based crime over the past few years, penetration testing has become one of the core aspects of network security and helps keep a business secure from internal and external threats. The reason that penetration testing is a necessity is that it helps uncover potential flaws in a network, a system, or an application. Moreover, it helps identify weaknesses and threats from an attacker's perspective. Various inherent weaknesses in a system are exploited to find out the impact it can have on an organization and the risk to the assets that exist as well. However, the success rate of a penetration test depends mostly on knowledge of the target under test. Therefore, we generally approach a penetration test using two different methods: black box testing and white box testing. Black box testing refers to testing where there is no prior knowledge of the target under test. Therefore, a penetration tester kicks off testing by collecting information about the target systematically. However, in the case of a white box penetration test, a penetration tester has knowledge about the target under test and starts off by identifying weaknesses of the target. In general, a penetration test is divided into seven different phases, which are as follows:
Pre-engagement interactions: This phase defines all the pre-engagement activities and scope definitions, basically, everything you need to discuss with the client before the testing starts.
Intelligence gathering: This phase is all about collecting information about the target under test, by connecting to the target directly and passively, and without connecting to the target at all.
Threat modeling: This phase involves matching the information detected to the assets to find the areas with the highest threat level.
Vulnerability analysis: This involves finding and identifying known and unknown vulnerabilities and validating them.
Exploitation: This phase works on taking advantage of the vulnerabilities found in the previous stage and typically means that we are trying to gain access to the target.
Post-exploitation: The actual actions to perform on the target, such as downloading a file, shutting a system down, or creating a new user account on the target, are part of this phase. In general, this phase describes what you need to do after exploitation.
Reporting: This phase includes summing up the results of the test in a file and the possible suggestions and recommendations to fix the current weaknesses in the target.
These seven stages may look easy when there is a single target under test. However, the situation completely changes when a vast network that contains hundreds of systems is to be tested. Therefore, in a case like this, manual work is to be replaced with an automated approach. Consider a scenario where the number of systems under test is precisely 100, and they are running the same operating system and services. Testing every system manually will consume much time and energy. Situations such as these demand the use of a penetration testing framework. Using a penetration testing framework will not only save time but will also offer much more flexibility regarding changing the attack vectors and covering a much wider range of targets under test. A penetration testing framework will eliminate additional time consumption and also help to automate most of the attack vectors, scanning processes, identifying vulnerabilities, and most importantly, exploiting the vulnerabilities, thus saving time and pacing a penetration test, and this is where Metasploit kicks in.
Metasploit is considered one of the best and is the most widely used penetration testing framework. With a lot of reputation in the IT security community, Metasploit is not only an excellent penetration test framework, but also delivers innovative features that make the life of a penetration tester easy.
Mastering Metasploit, Third Edition aims to provide readers with insights into the legendary Metasploit framework. This book focuses explicitly on mastering Metasploit with respect to exploitation, writing custom exploits, porting exploits, testing services, and conducting sophisticated client-side testing. Moreover, this book helps to convert your customized attack vectors into Metasploit modules, covering Ruby and attack scripting, such as Cortana. This book will not only cater to your penetration testing knowledge but will also help you build programming skills as well.
This book targets professional penetration testers, security engineers, and law enforcement analysts who possess a basic knowledge of Metasploit, wish to master the Metasploit framework, and want to develop exploit writing and module development skills. Further, it helps all those researchers who want to add their custom functionalities to Metasploit. The transition from the intermediate-cum-basic level to the expert level by the end is smooth. The book discusses Ruby programming and attack scripting using Cortana. Therefore, a little knowledge about these programming languages is required.
Chapter 1, Approaching a Penetration Test Using Metasploit, takes us through the absolute basics of conducting a penetration test with Metasploit. It helps establish an approach and set up an environment for testing. Moreover, it takes us through the various stages of a penetration test systematically. It further discusses the advantages of using Metasploit over traditional and manual testing.
Chapter 2, Reinventing Metasploit, covers the absolute basics of Ruby programming essentials that are required for module building. This chapter further covers how to dig into existing Metasploit modules and write our own custom scanner, authentication tester, post-exploitation, and credential harvester modules; finally, it sums up by throwing light on developing custom modules with RailGun.
Chapter 3, The Exploit Formulation Process, discusses how to build exploits by covering the essentials of exploit writing. This chapter also introduces fuzzing and throws light on debuggers too. It then focuses on gathering essentials for exploitation by analyzing the application's behavior under a debugger. It finally shows the exploit-writing process in Metasploit based on the information collected and discusses bypasses for protection mechanisms such as SEH and DEP.
Chapter 4, Porting Exploits, helps to convert publicly available exploits into the Metasploit framework. This chapter focuses on gathering essentials from the available exploits written in Perl/Python, PHP, and server-based exploits, and on translating the essential information into a Metasploit-compatible module using Metasploit libraries and functions.
Chapter 5, Testing Services with Metasploit, carries our discussion over to performing a penetration test on various services. This chapter covers some crucial modules in Metasploit that help in testing SCADA, database, and VOIP services.
Chapter 6, Virtual Test Grounds and Staging, is a brief discussion on carrying out a complete penetration test using Metasploit. This chapter focuses on additional tools that can work along with Metasploit to conduct a comprehensive penetration test. The chapter advances by discussing popular tools such as Nmap, Nessus, and OpenVAS, and explains how to use these tools within Metasploit itself. It finally discusses how to generate manual and automated reports.
Chapter 7, Client-Side Exploitation, shifts our focus onto client-side exploits. This chapter focuses on modifying the traditional client-side exploits into a much more sophisticated and reliable approach. The chapter starts with browser-based and file-format-based exploits and discusses compromising the users of a web server. It also explains how to modify browser exploits into a lethal weapon using Metasploit along with vectors such as DNS poisoning. At the end, the chapter focuses on developing strategies to exploit Android using Kali NetHunter.
Chapter 8, Metasploit Extended, talks about basic and advanced post-exploitation features of Metasploit. The chapter advances by discussing necessary post-exploitation features available on the Meterpreter payload and moves on to discussing the advanced and hardcore post-exploitation modules. This chapter not only helps with quick know-how about speeding up the penetration testing process but also uncovers many features of Metasploit that save a reasonable amount of time while scripting exploits. At the end, the chapter also discusses automating the post-exploitation process.
Chapter 9, Evasion with Metasploit, discusses how Metasploit can evade advanced protection mechanisms such as antivirus solutions by using custom code with Metasploit payloads. It also outlines how signatures of IDPS solutions such as Snort can be bypassed and how we can circumvent blocked ports on a Windows-based target.
Chapter 10, Metasploit for Secret Agents, talks about how law enforcement agencies can make use of Metasploit for their operations. The chapter discusses proxying sessions, unique APT methods for persistence, sweeping files from the target systems, code caving techniques for evasion, using the venom framework to generate undetectable payloads, and how not to leave traces on the target systems using anti-forensic modules.
Chapter 11, Visualizing with Armitage, is dedicated to the most popular GUI associated with Metasploit, that is, Armitage. This chapter explains how to scan a target with Armitage and then exploit the target. The chapter also teaches the fundamentals of red-teaming with Armitage. Further, it discusses Cortana, which is used to script automated attacks in Armitage that aid penetration testing by developing virtual bots. At the end, this chapter discusses adding custom functionalities and building up custom interfaces and menus in Armitage.
Chapter 12, Tips and Tricks, teaches you various skills that speed up your testing and help you to use Metasploit more efficiently.
To follow the examples in this book, you will need six to seven systems or virtual machines. One system can be your penetration testing system, whereas others can act as your test bed.
Apart from systems or virtualization, you will need the latest VMware image of Kali Linux, which already packs Metasploit by default and contains all the other tools that are required to recreate the examples in this book. However, in some cases, you can use the latest Ubuntu desktop OS with Metasploit installed.
You will also need to install Ubuntu, Windows 7, Windows 10, Windows Server 2008, Windows Server 2012, and Metasploitable 2 either on virtual machines or live systems as all these operating systems will serve as the test bed for Metasploit.
In addition, links to all other required tools and vulnerable software are provided in the chapters.
You can download the example code files for this book from your account at www.packtpub.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
Log in or register at www.packtpub.com.
Select the SUPPORT tab.
Click on Code Downloads & Errata.
Enter the name of the book in the Search box and follow the onscreen instructions.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Mastering-Metasploit-Third-Edition. In case there's an update to the code, it will be updated in the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it from https://www.packtpub.com/sites/default/files/downloads/MasteringMetasploitThirdEdition_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "We can see that we used the post/windows/manage/inject_host module on SESSION 1, and inserted the entry into the target's host file."
A block of code is set as follows:
irb(main):001:0> 2
=> 2
Any command-line input or output is written as follows:
msf > openvas_config_list
[+] OpenVAS list of configs
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click on the Connect button in the pop-up box to set up a connection."
Feedback from our readers is always welcome.
General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packtpub.com.
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.
Penetration testing is an intentional attack on a computer-based system where the intention is to find vulnerabilities and security weaknesses, and to certify whether a system is secure. A penetration test will advise an organization on its security posture: whether it is vulnerable to an attack, whether the implemented security is enough to oppose any invasion, which security controls can be bypassed, and much more. Hence, a penetration test focuses on improving the security posture of an organization.
Achieving success in a penetration test largely depends on using the right set of tools and techniques. A penetration tester must choose the right set of tools and methodologies to complete a test. While talking about the best tools for penetration testing, the first one that comes to mind is Metasploit. It is considered one of the most effective auditing tools to carry out penetration testing today. Metasploit offers a wide variety of exploits, an excellent exploit development environment, information gathering and web testing capabilities, and much more.
This book has been written so that it will not only cover the frontend perspectives of Metasploit, but will also focus on the development and customization of the framework. This book assumes that the reader has basic knowledge of the Metasploit framework. However, some of the sections of this book will help you recall the basics as well.
While covering Metasploit from the very basics to the elite level, we will stick to a step-by-step approach, as shown in the following diagram:
This chapter will help you recall the basics of penetration testing and Metasploit, which will help you warm up to the pace of this book.
In this chapter, you will learn about the following topics:
The phases of penetration testing
The basics of the Metasploit framework
The workings of Metasploit exploit and scanner modules
Testing a target network with Metasploit
The benefits of using databases
Pivoting and diving deep into internal networks
An important point to take note of here is that we might not become an expert penetration tester in a single day. It takes practice, familiarization with the work environment, the ability to perform in critical situations, and most importantly, an understanding of how we have to cycle through the various stages of a penetration test.
When we think about conducting a penetration test on an organization, we need to make sure that everything is set correctly and is according to a penetration test standard. Therefore, if you feel you are new to penetration testing standards or uncomfortable with the term Penetration Testing Execution Standard (PTES), please refer to http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines to become more familiar with penetration testing and vulnerability assessments. According to PTES, the following diagram explains the various phases of a penetration test:
Before we start firing sophisticated and complex attacks with Metasploit, let's understand the various phases of a penetration test and see how to organize a penetration test on a professional scale.
The very first phase of a penetration test, preinteractions, involves a discussion of the critical factors regarding the conduct of a penetration test on a client's organization, company, institute, or network with the client itself. This phase serves as the connecting line between the penetration tester, the client, and his/her requirements. Preinteractions help a client get enough knowledge on what is to be performed over his or her network/domain or server.
Therefore, the tester will serve here as an educator to the client. The penetration tester also discusses the scope of the test, gathers knowledge on all the domains under the scope of the project, and any special requirements that will be needed while conducting the analysis. The requirements include special privileges, access to critical systems, network or system credentials, and much more. The expected positives of the project should also be part of the discussion with the client in this phase. As a process, preinteractions discuss some of the following key points:
Scope: This section reviews the scope of the project and estimates the size of the project. The scope also defines what to include for testing and what to exclude from the test. The tester also discusses IP ranges and domains under the scope and the type of test (black box or white box). In case of a white box test, the tester discusses the kind of access and required credentials as well; the tester also creates, gathers, and maintains questionnaires for administrators. The schedule and duration of the test, whether to include stress testing or not, and payment, are included in the scope. A general scope document provides answers to the following questions:
What are the target organization's most significant security concerns?
What specific hosts, network address ranges, or applications should be tested?
What specific hosts, network address ranges, or applications should explicitly NOT be tested?
Are there any third parties that own systems or networks that are in the scope, and which systems do they hold (written permission must have been obtained in advance by the target organization)?
Will the test be performed in a live production environment or a test environment?
Will the penetration test include the following testing techniques: ping sweep of network ranges, a port scan of target hosts, vulnerability scan of targets, penetration of targets, application-level manipulation, client-side Java/ActiveX reverse engineering, physical penetration attempts, social engineering?
Will the penetration test include internal network testing? If so, how will access be obtained?
Are client/end user systems included in the scope? If so, how many clients will be leveraged?
Is social engineering allowed? If so, how may it be used?
Are Denial of Service attacks allowed?
Are dangerous checks/exploits allowed?
Goals: This section discusses various primary and secondary objectives that a penetration test is set to achieve. The common questions related to the goals are as follows:
What is the business requirement for this penetration test?
Is the test required by a regulatory audit or just a standard procedure?
What are the objectives?
Map out vulnerabilities
Demonstrate that the vulnerabilities exist
Test the incident response
Actual exploitation of a vulnerability in a network, system, or application
All of the above
Testing terms and definitions: This phase discusses basic terminologies with the client and helps the client in understanding the terms well.
Rules of engagement: This section defines the time of testing, timeline, permissions to attack, and regular meetings to update the status of the ongoing test. The common questions related to rules of engagement are as follows:
At what time do you want these tests to be performed?
During business hours
After business hours
Weekend hours
During a system maintenance window
Will this testing be done in a production environment?
If production environments should not be affected, does a similar environment (development or test systems) exist that can be used to conduct the penetration test?
Who is the technical point of contact?
In the intelligence-gathering stage, you need to gather as much information as possible about the target network. The target network could be a website, an organization, or even a full-fledged Fortune company. The most important aspect is to gather information about the target from social media networks and to use Google Hacking (a way to extract sensitive information from Google using specific queries) to find confidential and sensitive information related to the organization to be tested. Footprinting the organization using active and passive techniques can also be an approach.
The intelligence gathering phase is one of the most crucial aspects of penetration testing. Correctly gained knowledge about the target will help the tester to simulate appropriate and exact attacks, rather than trying all possible attack mechanisms; it will also save the tester a considerable amount of time. This phase will consume 40 to 60 percent of the total time of testing, as gaining access to the target depends mainly upon how well the system is footprinted.
A penetration tester must gain adequate knowledge about the target by conducting a variety of scans, looking for open ports, service identification, and choosing which services might be vulnerable and how to make use of them to enter the desired system.
The procedures followed during this phase are required to identify the security policies and mechanisms that are currently deployed on the target infrastructure, and to what extent they can be circumvented.
Let's discuss this using an example. Consider a black box test against a web server where the client wants to perform a network stress test.
Here, we will be testing a server to check what level of bandwidth and resource stress the server can bear or, in simple terms, how the server responds to a Denial of Service (DoS) attack. A DoS attack or a stress test is the name given to the procedure of sending an unbounded stream of requests or data to a server to check whether the server can handle and respond to all the requests successfully or crashes, causing a DoS. A DoS can also occur if the target service is vulnerable to specially crafted requests or packets. To achieve this, we start our network stress testing tool and launch an attack towards a target website. However, a few seconds after launching the attack, we see that the server is not responding to our browser and the site does not open. Additionally, a page shows up saying that the website is currently offline. So what does this mean? Did we successfully take out the web server we wanted? Nope! In reality, it is a sign of a protection mechanism set up by the server administrator that sensed our malicious intent of taking the server down and hence banned our IP address. Therefore, we must collect correct information and identify the various security services at the target before launching an attack.
A better approach is to test the web server from a different IP range. Maybe keeping two to three different virtual private servers for testing is the right approach. Also, I advise you to test all the attack vectors in a virtual environment before launching them against the real targets. Proper validation of the attack vectors is mandatory because if we do not validate them before the attack, they may crash the service at the target, which is not favorable at all. Network stress tests should be performed towards the end of the engagement or in a maintenance window. Additionally, it is always helpful to ask the client to whitelist the IP addresses that are used for testing.
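The two previous paragraphs describe a protection mechanism that bans a source after a burst of requests, and the practice of asking the client to whitelist the tester's addresses. The following is an added example (not code from the book) of the defender's side of that mechanism: a sliding-window rate check over web server access-log lines that bans bursty sources but only reports, rather than bans, addresses on an engagement allowlist. The log lines, addresses, window and threshold are all constructed for the example.

```python
"""Rate-based auto-ban with an engagement allowlist (added example).

Access-log lines are parsed, requests are counted per source IP in a
sliding time window, and any source exceeding the threshold is banned
unless it is on the allowlist of tester IPs the client agreed to
whitelist. Log format, addresses and limits are assumptions made for
this example; they are not from the book.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format style lines, constructed for this example.
# 203.0.113.10 bursts 6 requests in 3 seconds (unknown source).
# 198.51.100.7 does the same but is the engagement's whitelisted tester.
# 192.0.2.55 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2018:13:55:36 +0000] "GET / HTTP/1.1" 200 612
203.0.113.10 - - [10/Oct/2018:13:55:36 +0000] "GET / HTTP/1.1" 200 612
203.0.113.10 - - [10/Oct/2018:13:55:37 +0000] "GET / HTTP/1.1" 200 612
203.0.113.10 - - [10/Oct/2018:13:55:37 +0000] "GET / HTTP/1.1" 200 612
203.0.113.10 - - [10/Oct/2018:13:55:38 +0000] "GET / HTTP/1.1" 200 612
203.0.113.10 - - [10/Oct/2018:13:55:38 +0000] "GET / HTTP/1.1" 200 612
192.0.2.55 - - [10/Oct/2018:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [10/Oct/2018:13:56:01 +0000] "GET / HTTP/1.1" 200 612
198.51.100.7 - - [10/Oct/2018:13:56:01 +0000] "GET / HTTP/1.1" 200 612
198.51.100.7 - - [10/Oct/2018:13:56:02 +0000] "GET / HTTP/1.1" 200 612
198.51.100.7 - - [10/Oct/2018:13:56:02 +0000] "GET / HTTP/1.1" 200 612
198.51.100.7 - - [10/Oct/2018:13:56:03 +0000] "GET / HTTP/1.1" 200 612
198.51.100.7 - - [10/Oct/2018:13:56:03 +0000] "GET / HTTP/1.1" 200 612
192.0.2.55 - - [10/Oct/2018:13:57:12 +0000] "GET /about.html HTTP/1.1" 200 2210
"""

# Tester addresses agreed with the client for this engagement (assumed).
TESTER_ALLOWLIST = frozenset({"198.51.100.7"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (source_ip, timestamp) for a log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def analyse(log_text, window_seconds=10, threshold=5, allowlist=frozenset()):
    """Replay the log through a sliding-window rate check.

    A source that makes `threshold` or more requests within `window_seconds`
    is banned; later requests from a banned source are counted as dropped.
    Allowlisted sources are reported as bursts but never banned.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # ip -> timestamps inside the window
    banned, allowlisted_bursts = set(), set()
    dropped = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if ip in banned:
            dropped += 1
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # expire timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            if ip in allowlist:
                allowlisted_bursts.add(ip)
            else:
                banned.add(ip)
    return {"banned": banned, "allowlisted_bursts": allowlisted_bursts,
            "dropped": dropped}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, allowlist=TESTER_ALLOWLIST))
```

Run without an allowlist, the same log gets both bursty sources banned, which is exactly the outcome the paragraph above describes: the stress test is cut short not because the server fell over but because the tester's address was blocked. Recording the allowlisted bursts separately keeps the tester's activity visible in the defender's logs during the engagement.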
Now, let's look at the second example. Consider a black box test against a Windows 2012 server. While scanning the target server, we find that port 80 and port 8080 are open. On port 80, we see the latest version of Internet Information Services (IIS) running, while on port 8080, we discover that a vulnerable version of the Rejetto HFS Server is running, which is prone to a Remote Code Execution flaw.
However, when we try to exploit this vulnerable version of HFS, the exploit fails. The situation is a typical scenario where the firewall blocks malicious inbound traffic.
In this case, we can simply change our approach to a connect-back from the server, which establishes the connection from the target back to our system rather than from us to the server directly. This change may prove to be more successful, as firewalls are commonly configured to inspect ingress traffic rather than egress traffic.
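The scenario above turns on the difference between a firewall that only filters ingress traffic and one that also restricts egress. The following added example (not code from the book) models the server's host firewall as a small first-match policy engine and evaluates the same connection attempts against an ingress-only policy and an egress-filtered one. The rule sets, ports other than 80 and 8080, and the connection descriptions are assumptions constructed for the example.

```python
"""Ingress-only versus egress-filtered host firewall policy (added example).

Two rule sets for the scenario's server (IIS on 80, HFS on 8080) are run
against constructed connection attempts by a first-match policy engine.
The weak policy filters only inbound traffic, so a connect-back from the
server to an outside listener is allowed; the hardened policy adds a
default-deny egress chain that permits only the outbound services the
server legitimately needs. Rules and addresses are assumptions for this
example, not from the book.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int]      # None matches any destination port
    action: str               # "allow" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Connection:
    direction: str
    proto: str
    dport: int
    description: str


Policy = Tuple[List[Rule], Dict[str, str]]   # (ordered rules, chain defaults)


def evaluate(policy: Policy, conn: Connection) -> str:
    """First matching rule wins; otherwise the chain's default action applies."""
    rules, defaults = policy
    for r in rules:
        if r.direction != conn.direction:
            continue
        if r.proto not in ("any", conn.proto):
            continue
        if r.dport is not None and r.dport != conn.dport:
            continue
        return r.action
    return defaults[conn.direction]


# Weak policy: inbound default-deny with service exceptions, outbound wide open.
INGRESS_ONLY: Policy = (
    [Rule("in", "tcp", 80, "allow", "IIS"),
     Rule("in", "tcp", 8080, "allow", "HFS")],
    {"in": "deny", "out": "allow"},
)

# Hardened policy: same inbound rules, plus default-deny egress with
# only the outbound services the server needs (assumed: DNS and HTTPS).
EGRESS_FILTERED: Policy = (
    [Rule("in", "tcp", 80, "allow", "IIS"),
     Rule("in", "tcp", 8080, "allow", "HFS"),
     Rule("out", "udp", 53, "allow", "DNS to internal resolvers (assumed)"),
     Rule("out", "tcp", 443, "allow", "patch/update traffic (assumed)")],
    {"in": "deny", "out": "deny"},
)

# Connection attempts constructed for the example.
ATTEMPTS = [
    Connection("in", "tcp", 8080, "scanner reaching HFS"),
    Connection("in", "tcp", 4444, "inbound connection to an unexpected port"),
    Connection("out", "tcp", 4444, "server connecting back to an outside host"),
    Connection("out", "tcp", 443, "server fetching updates"),
]


def compare(policies=(("ingress-only", INGRESS_ONLY),
                      ("egress-filtered", EGRESS_FILTERED)),
            attempts=ATTEMPTS) -> Dict[str, Dict[str, str]]:
    """Return {policy name: {attempt description: allow|deny}}."""
    return {name: {c.description: evaluate(p, c) for c in attempts}
            for name, p in policies}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name)
        for desc, verdict in verdicts.items():
            print(f"  {verdict:5}  {desc}")
```

Under the ingress-only policy both the scanner's request to port 8080 and the server's outbound connection to an arbitrary port are allowed, so the firewall only stops the inbound variant. With the egress chain defaulting to deny, the outbound attempt is refused while legitimate update traffic still passes; on a real firewall that denied egress event is also the log line a defender should be alerting on, since a server initiating connections to unexpected ports is rarely normal.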
As a process, this phase can be broken down into the following key points:
Target selection: Selecting the targets to attack, identifying the goals of the attack, and the time of the attack.
Covert gathering: This involves the collection of data from the physical site, the equipment in use, and dumpster diving. This phase is a part of on-location white box testing only.
Footprinting: Footprinting consists of active or passive scans to identify various technologies and software deployed on the target, which includes port scanning, banner grabbing, and so on.
Identifying protection mechanisms: This involves identifying firewalls, filtering systems, network- and host-based protections, and so on.
Threat modeling helps in conducting a comprehensive penetration test. This phase focuses on modeling out true threats, their effect, and their categorization based on the impact they can cause. Based on the analysis made during the intelligence gathering phase, we can model the best possible attack vectors. Threat modeling applies to business asset analysis, process analysis, threat analysis, and threat capability analysis. This phase answers the following set of questions:
How can we attack a particular network?
To which critical sections do we need to gain access?
What approach is best suited for the attack?
