Metasploit Penetration Testing Cookbook - Abhinav Singh - E-Book

Description

Metasploit® software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports. The goal of the software is to provide a clear understanding of the critical vulnerabilities in any environment and to manage those risks.

Metasploit Penetration Testing Cookbook targets both professionals and beginners to the framework. The chapters of the book are logically arranged with an increasing level of complexity and thoroughly cover Metasploit aspects ranging from the pre-exploitation to the post-exploitation phase. The recipe structure of the book provides a good mix of theoretical understanding and practical implementation. This book will help readers think from a hacker's perspective to dig out the flaws in target networks and to leverage the power of Metasploit to compromise them. It will take your penetration testing skills to the next level.

The book starts with the basics, such as gathering information about your target, and gradually covers advanced topics like building your own framework scripts and modules. The book goes deep into operating system-based penetration testing techniques and moves ahead with client-based exploitation methodologies. In the post-exploitation phase, it covers meterpreter, antivirus bypass, Ruby wonders, exploit building, porting exploits to the framework, and third-party tools like Armitage and SET. Metasploit Penetration Testing Cookbook is the required guide to penetration testing and exploitation.


Page count: 341

Year of publication: 2012




Table of Contents

Metasploit Penetration Testing Cookbook
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Metasploit Quick Tips for Security Professionals
Introduction
Configuring Metasploit on Windows
Getting ready
How to do it...
How it works...
There's more...
Database error during installation
Configuring Metasploit on Ubuntu
Getting ready
How to do it...
How it works...
There's more...
Error during installation
Metasploit with BackTrack 5 – the ultimate combination
Getting ready
How to do it...
How it works...
Setting up the penetration testing lab on a single machine
Getting ready
How to do it...
How it works...
There's more...
Disabling the firewall and antivirus protection
Installing virtual box guest additions
Setting up Metasploit on a virtual machine with SSH connectivity
Getting ready
How to do it...
How it works...
Beginning with the interfaces – the "Hello World" of Metasploit
Getting ready
How to do it...
How it works...
There's more...
Some commands to try out and get started
Setting up the database in Metasploit
Getting ready
How to do it...
How it works...
There's more...
Getting an error while connecting the database
Deleting the database
Using the database to store penetration testing results
Getting ready
How to do it...
How it works...
Analyzing the stored results of the database
Getting ready
How to do it...
How it works...
2. Information Gathering and Scanning
Introduction
Passive information gathering 1.0 – the traditional way
Getting ready
How to do it...
How it works...
There's more...
Using third-party websites
Passive information gathering 2.0 – the next level
Getting ready
How to do it...
How it works...
Fun with dorks
Port scanning – the Nmap way
Getting ready
How to do it...
How it works...
There's more...
Operating system and version detection
Increasing anonymity
Exploring auxiliary modules for scanning
Getting ready
How to do it...
How it works...
There's more...
Managing the threads
Target service scanning with auxiliary modules
Getting ready
How to do it...
How it works...
Vulnerability scanning with Nessus
Getting ready
How to do it...
How it works...
There's more...
Working with Nessus in the web browser
Scanning with NeXpose
Getting ready
How to do it...
How it works...
There's more...
Importing the scan results
Sharing information with the Dradis framework
Getting ready
How to do it...
How it works...
3. Operating System-based Vulnerability Assessment and Exploitation
Introduction
Exploit usage quick tips
Getting ready
How to do it...
How it works...
Penetration testing on a Windows XP SP2 machine
Getting ready
How to do it...
How it works...
Binding a shell to the target for remote access
Getting ready
How to do it...
How it works...
There's more...
Gaining complete control of the target
Penetration testing on the Windows 2003 Server
Getting ready
How to do it...
How it works...
Windows 7/Server 2008 R2 SMB client infinite loop
Getting ready
How to do it...
How it works...
Exploiting a Linux (Ubuntu) machine
Getting ready
How to do it...
How it works...
There's more...
Other relevant exploit modules for Linux
Understanding the Windows DLL injection flaws
Getting ready
How to do it...
How it works...
There's more...
The DllHijackAudit kit by H. D. Moore
4. Client-side Exploitation and Antivirus Bypass
Introduction
Internet Explorer unsafe scripting misconfiguration vulnerability
Getting ready
How to do it...
How it works...
There's more...
Internet Explorer Aurora memory corruption
Internet Explorer CSS recursive call memory corruption
Getting ready
How to do it...
How it works...
There's more...
Missing .NET CLR 2.0.50727
Microsoft Word RTF stack buffer overflow
Getting ready
How to do it...
How it works...
There's more...
Microsoft Excel 2007 buffer overflow
Adobe Reader util.printf() buffer overflow
Getting ready
How to do it...
How it works...
Generating binary and shellcode from msfpayload
Getting ready
How to do it...
How it works...
Bypassing client-side antivirus protection using msfencode
Getting ready
How to do it...
How it works...
There's more...
Quick multiple scanning with VirusTotal
Using the killav.rb script to disable antivirus programs
Getting ready
How to do it...
How it works...
A deeper look into the killav.rb script
Getting ready
How to do it...
How it works...
Killing antivirus services from the command line
Getting ready
How to do it...
How it works...
There's more...
Some services did not kill—what next?
5. Using Meterpreter to Explore the Compromised Target
Introduction
Analyzing meterpreter system commands
Getting ready
How to do it...
How it works...
Privilege escalation and process migration
How to do it...
How it works...
Setting up multiple communication channels with the target
Getting ready
How to do it...
How it works...
Meterpreter filesystem commands
How to do it...
How it works...
Changing file attributes using timestomp
Getting ready
How to do it...
How it works...
Using meterpreter networking commands
Getting ready
How to do it...
How it works...
The getdesktop and keystroke sniffing
How to do it...
How it works...
Using a scraper meterpreter script
Getting ready
How to do it...
How it works...
There's more...
Using winenum.rb
6. Advanced Meterpreter Scripting
Introduction
Passing the hash
Getting ready
How to do it...
How it works...
There's more...
Online password decryption
Setting up a persistent connection with backdoors
Getting ready
How to do it...
How it works...
Pivoting with meterpreter
Getting ready
How to do it...
How it works...
Port forwarding with meterpreter
Getting ready
How to do it...
How it works...
Meterpreter API and mixins
Getting ready
How to do it...
Meterpreter mixins
How it works...
Railgun – converting Ruby into a weapon
Getting ready
How to do it...
How it works...
There's more...
Railgun definitions and documentation
Adding DLL and function definition to Railgun
How to do it...
How it works...
Building a "Windows Firewall De-activator" meterpreter script
Getting ready
How to do it...
How it works...
There's more...
Code re-use
Analyzing an existing meterpreter script
How to do it...
How it works...
7. Working with Modules for Penetration Testing
Introduction
Working with scanner auxiliary modules
Getting ready
How to do it...
How it works...
There's more...
Generating passwords using "Crunch"
Working with auxiliary admin modules
Getting ready
How to do it...
How it works...
SQL injection and DOS attack modules
Getting ready
How to do it...
How it works...
Post-exploitation modules
Getting ready
How to do it...
How it works...
Understanding the basics of module building
Getting ready
How to do it...
How it works...
Analyzing an existing module
Getting ready
How to do it...
How it works...
Building your own post-exploitation module
How to do it...
How it works...
8. Working with Exploits
Introduction
Exploiting the module structure
Getting ready
How to do it...
How it works...
Common exploit mixins
How to do it...
How it works...
There's more...
Some more mixins
Working with msfvenom
Getting ready
How to do it...
How it works...
Converting exploit to a Metasploit module
Getting ready
How to do it...
How it works...
Porting and testing the new exploit module
Getting ready
How to do it...
How it works...
Fuzzing with Metasploit
Getting ready
How to do it...
How it works...
Writing a simple FileZilla FTP fuzzer
How to do it...
How it works...
There's more...
Antiparser fuzzing framework
9. Working with Armitage
Introduction
Getting started with Armitage
How to do it...
How it works...
There's more...
Setting up Armitage on Linux
Scanning and information gathering
Getting ready
How to do it...
How it works...
Finding vulnerabilities and attacking targets
Getting ready
How to do it...
How it works...
Handling multiple targets using the tab switch
How to do it...
How it works...
Post-exploitation with Armitage
Getting ready
How to do it...
How it works...
Client-side exploitation with Armitage
Getting ready
How to do it...
How it works...
10. Social Engineer Toolkit
Introduction
Getting started with Social Engineer Toolkit (SET)
Getting ready
How to do it...
How it works...
Working with the SET config file
Getting ready
How to do it...
How it works...
Spear-phishing attack vector
Getting ready
How to do it...
How it works...
Website attack vectors
Getting ready
How to do it...
How it works...
Multi-attack web method
How to do it...
How it works...
Infectious media generator
How to do it...
How it works...
Index

Metasploit Penetration Testing Cookbook

Copyright © 2012 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: June 2012

Production Reference: 1150612

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham B3 2PB, UK.

ISBN 978-1-84951-742-3

www.packtpub.com

Cover Image by Asher Wishkerman (<[email protected]>)

Credits

Author

Abhinav Singh

Reviewers

Kubilay Onur Gungor

Kanishka Khaitan

Sachin Raste

Acquisition Editor

Usha Iyer

Lead Technical Editor

Azharuddin Sheikh

Technical Editor

Vrinda Amberkar

Project Coordinator

Leena Purkait

Proofreader

Linda Morris

Indexer

Rekha Nair

Graphics

Manu Joseph

Production Coordinator

Melwyn D'sa

Cover Work

Melwyn D'sa

About the Author

Abhinav Singh is a young Information Security Specialist from India. He has a keen interest in the field of Hacking and Network Security. He actively works as a freelancer with several security companies, and provides them with consultancy. Currently, he is employed as a Systems Engineer at Tata Consultancy Services, India. He is an active contributor to the SecurityXploded community. He is well recognized for his blog (http://hackingalert.blogspot.com), where he shares his encounters with hacking and network security. Abhinav's work has been quoted in several technology magazines and portals.

I would like to thank my parents for always being supportive and letting me do what I want; my sister, for being my doctor and taking care of my fatigue level; Sachin Raste sir, for taking the pain to review my work; Kanishka Khaitan, for being my perfect role model; to my blog followers for their comments and suggestions, and, last but not the least, to Packt Publishing for making this a memorable project for me.

About the Reviewers

Kubilay Onur Gungor currently works at Sony Europe as a Web Application Security Expert, and is also one of the Incident Managers for the Europe and Asia regions.

He has been working in the IT Security field for more than 5 years. After some individual security work, he started his security career with the cryptanalysis of images encrypted using chaotic logistic maps. He gained experience in the Network Security field by working in the Data Processing Center of Isik University. After working as a QA Tester at Netsparker, he continued his work in the Penetration Testing field for one of the leading security companies in Turkey. He performed many penetration tests on the IT infrastructures of many big clients, such as banks, government institutions, and telecommunication companies. He has also provided security consulting to several software manufacturers to help secure their compiled software.

Kubilay has also been developing multidisciplinary, cyber security approaches, including criminology, conflict management, perception management, terrorism, international relations, and sociology. He is the Founder of the Arquanum Multidisciplinary Cyber Security Studies Society.

Kubilay has participated in many security conferences as a frequent speaker.

Kanishka Khaitan, a postgraduate in Master of Computer Application from the University of Pune, with Honors in Mathematics from Banaras Hindu University, has been working in the web domain with Amazon for the past two years. Prior to that, she worked for Infibeam, an India-based, online retail startup, in an internship program lasting for six months.

Sachin Raste is a leading security expert, with over 17 years of experience in the fields of Network Management and Information Security. With his team, he has designed, streamlined, and integrated the networks, applications, and IT processes for some of the big business houses in India, and helped them achieve business continuity.

He is currently working with MicroWorld, the developers of the eScan range of Information Security Solutions, as a Senior Security Researcher. He has designed and developed some path-breaking algorithms to detect and prevent Malware and Digital Fraud, and to safeguard networks from Hackers and Malware. In his professional capacity, Sachin Raste has presented many whitepapers, and has also participated in many TV shows spreading awareness of Digital Fraud.

Working with MicroWorld has helped him in developing his technical skills to keep up with the current trends in the Information Security industry.

First and foremost, I'd like to thank my wife, my son, and my close group of friends for their support, without whom everything in this world would have seemed impossible. To my colleagues from MicroWorld and from past organizations, for being patient listeners and assisting me in successfully completing complex projects; it has been a pleasure working with all of you. And to my boss, MD of MicroWorld, for allowing me the freedom and space to explore beyond my limits.

I thank you all.

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books. 

Why Subscribe?

Fully searchable across every book published by Packt
Copy and paste, print and bookmark content
On demand and accessible via web browser

Free Access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.

 

Dedicated to my grandparents for their blessings. To my parents and sister for their support and encouragement, and to my dear friend Neetika for being a motivator.

  --Abhinav Singh

Preface

Penetration testing is one of the core aspects of network security today. It involves a complete analysis of the system by implementing real-life security tests. It helps in identifying potential weaknesses in the system's major components, which can occur either in its hardware or its software. What makes penetration testing an important aspect of security is that it identifies threats and weaknesses from a hacker's perspective. Loopholes can be exploited in real time to determine the impact of a vulnerability, and then a suitable remedy or patch can be explored in order to protect the system from outside attack and reduce the risk.

The biggest factor that determines the feasibility of penetration testing is the knowledge available about the target system. Black box penetration testing is performed when there is no prior knowledge of the target. A pen-tester has to start from scratch by collecting every bit of information about the target system in order to implement an attack. In white box testing, complete knowledge of the target is available, and the tester has to identify any known or unknown weakness that may exist. Both methods of penetration testing are equally difficult and are environment specific. Industry professionals have identified some key steps that are essential in almost all forms of penetration testing. These are:

Target discovery and enumeration: Identifying the target and collecting basic information about it without making any physical connection with it
Vulnerability identification: Implementing various discovery methods such as scanning, remote login, and network services, to figure out the different services and software running on the target system
Exploitation: Exploiting a known or an unknown vulnerability in any of the software or services running on the target system
Level of control after exploitation: This is the level of access that an attacker can get on the target system after a successful exploitation
Reporting: Preparing an advisory about the vulnerability and its possible countermeasures

These steps may appear few in number, but in fact a complete penetration test of a high-end system with many services running on it can take days or even months to complete. What makes penetration testing a lengthy task is that it is based on trial and error. Exploits and vulnerabilities depend a lot on the system configuration, so we can never be certain whether a particular exploit will succeed unless we try it. Consider the example of exploiting a Windows-based system that is running 10 different services. A pen-tester will have to identify whether there are any known vulnerabilities for those 10 services. Once they are identified, the process of exploitation starts. This is a small example where we are considering only one system. What if we have an entire network of such systems to penetrate one by one?

This is where a penetration testing framework comes into action. Such frameworks automate several testing processes, like scanning the network, identifying vulnerabilities based on the available services and their versions, auto-exploitation, and so on. They speed up the pen-testing process by providing a complete control panel to the tester, from which he/she can manage all the activities and monitor the target systems effectively. The other important benefit of a penetration testing framework is report generation. It automates the process of saving the penetration testing results and generates reports that can be saved for later use, or shared with other peers working remotely.

Metasploit Penetration Testing Cookbook aims at helping readers master one of the most widely used penetration testing frameworks of today. The Metasploit framework is an open source platform that helps in creating real-life exploitation scenarios along with the other core functionalities of penetration testing. This book will take you on an exciting journey exploring the world of Metasploit and how it can be used to perform effective pen-tests. This book will also cover some other extension tools that run over the framework and enhance its functionality to provide a better pen-testing experience.

What this book covers

Chapter 1, Metasploit Quick Tips for Security Professionals, is the first step into the world of Metasploit and penetration testing. The chapter gives a basic introduction to the framework, its architecture, and its libraries. In order to begin with penetration testing, we need a setup, so the chapter will guide you through setting up your own dummy penetration testing environment using virtual machines. Later, the chapter discusses installing the framework on different operating systems. The chapter ends with a first taste of Metasploit and an introduction to its interfaces.

Chapter 2, Information Gathering and Scanning, is the first step of penetration testing. It starts with the most traditional way of information gathering and later advances to scanning with Nmap. The chapter also covers some additional tools, such as Nessus and NeXpose, which make up for the limitations of Nmap by providing additional information. At the end, the chapter discusses the Dradis framework, which is widely used by pen-testers to share their test results and reports with other remote testers.

Chapter 3, Operating System-based Vulnerability Assessment and Exploitation, talks about finding vulnerabilities in unpatched operating systems running on the target system. Operating system-based vulnerabilities have a good success rate and can be exploited easily. The chapter discusses penetrating several popular operating systems, such as Windows XP, Windows 7, and Ubuntu. The chapter covers some of the popular, known exploits for these operating systems and how they can be used in Metasploit to break into a target machine.

Chapter 4, Client-side Exploitation and Antivirus Bypass, carries our discussion to the next step, where we will discuss how Metasploit can be used to perform client-side exploitation. The chapter covers some popular client-side software, such as Microsoft Office, Adobe Reader, and Internet Explorer. Later on, the chapter gives an extensive discussion of killing the client-side antivirus protection in order to avoid raising an alarm on the target system.

Chapter 5, Using Meterpreter to Explore the Compromised Target, discusses the next step after exploitation. Meterpreter is a post-exploitation tool with several functionalities that can be helpful in penetrating the compromised target and gaining more information. The chapter covers some useful penetration testing techniques, such as privilege escalation, accessing the file system, and keystroke sniffing.

Chapter 6, Advanced Meterpreter Scripting, takes our Metasploit knowledge to the next level by covering some advanced topics, such as building our own meterpreter script and working with API mixins. This chapter will give readers the flexibility to implement their own scripts in the framework according to the scenario. The chapter also covers some advanced post-exploitation concepts, like pivoting, pass the hash, and persistent connections.

Chapter 7, Working with Modules for Penetration Testing, shifts our focus to another important aspect of Metasploit: its modules. Metasploit has a decent collection of specific modules that can be used in particular scenarios. The chapter covers some important auxiliary modules and later advances to building our own Metasploit modules. The chapter requires some basic knowledge of Ruby scripting.

Chapter 8, Working with Exploits, adds the final weapon to the arsenal by discussing how we can convert any exploit into a Metasploit module. This is an advanced chapter that will enable readers to build their own Metasploit exploit modules and import them into the framework. As not all exploits are included in the framework, this chapter can be handy when we want to test an exploit that is not in the Metasploit repository. The chapter also discusses fuzzing modules, which can be useful in building your own proof of concept for a vulnerability. Finally, the chapter ends with a complete example of how we can fuzz an application to find overflow conditions and then build a Metasploit module for it.

Chapter 9, Working with Armitage, is a brief discussion of one of the popular Metasploit extensions, Armitage. It provides a graphical interface to the framework and enhances its functionality by providing point-and-click exploitation options. The chapter focuses on important aspects of Armitage, such as quickly finding vulnerabilities, handling multiple targets, shifting among tabs, and dealing with post-exploitation.

Chapter 10, Social Engineer Toolkit, is the final discussion of this book and covers yet another important extension of the framework. The Social Engineer Toolkit (SET) is used to generate test cases that rely on human negligence in order to compromise the target. The chapter covers the basic attack vectors of SET, which include spear phishing, website attack vectors, and generating infectious media such as USB drives.

What you need for this book

To follow and recreate the recipes of this book, you will need two systems. One can be your pen-testing system and the other can be your target. Alternatively, you can also work with a single system and set up a penetration testing environment by using any virtualization software.

Apart from that you will require an ISO image of BackTrack 5 which has pre-installed Metasploit and other tools that we will be discussing in this book. Alternatively, you can download the Metasploit framework separately for your preferred operating system from its official website.

Who this book is for

This book targets both professional penetration testers and new users of Metasploit who want to master the tool. There is something for everyone. The book has a recipe structure which is easy to read, understand, and recollect. The book starts with the basics of penetration testing and later advances to expert level. The transition from the beginner to the advanced level is smooth, so it can be easily read and understood by readers at all levels. The book requires basic knowledge of scanning, exploitation, and the Ruby language.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "The last two commands, vulns and db_autopwn, are post-exploitation commands, which we will deal with in later chapters."

A block of code is set as follows:

    # Register command execution options
    register_options(
      [
        OptString.new('USER', [ true, "The username to create", "metasploit" ]),
        OptString.new('PASS', [ true, "The password for this user", "metasploit" ]),
      ], self.class)

Any command-line input or output is written as follows:

    $ chmod +x framework-4.*-linux-full.run
    $ sudo ./framework-4.*-linux-full.run

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "You can either start the Metasploit framework from the Applications menu or from the command line".

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title through the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books, maybe a mistake in the text or the code, we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website, or added to any list of existing errata, under the Errata section of that title.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <[email protected]> with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.

Chapter 1. Metasploit Quick Tips for Security Professionals

In this chapter, we will cover:

Configuring Metasploit on Windows
Configuring Metasploit on Ubuntu
Metasploit with BackTrack 5 – the ultimate combination
Setting up the penetration testing lab on a single machine
Setting up Metasploit on a virtual machine with SSH connectivity
Beginning with the interfaces – the "Hello World" of Metasploit
Setting up the database in Metasploit
Using the database to store penetration testing results
Analyzing the stored results of the database

Introduction

Metasploit is currently one of the most talked-about tools in information security and penetration testing. It has changed the way we perform security tests on our systems. What makes Metasploit so popular is the wide range of tasks it can perform to ease the work of penetration testing and make systems more secure. Metasploit is available for all popular operating systems, and the framework works almost identically on all of them. In this book we will primarily work on BackTrack 5, as it comes with the Metasploit framework pre-installed along with other third-party tools that run on top of the framework.

Let us start with a quick introduction to the framework and the various terminologies related to it:

Metasploit framework: A free, open source penetration testing framework started by H. D. Moore in 2003 and later acquired by Rapid7. The current stable versions of the framework are written in Ruby. It has the world's largest database of tested exploits and receives more than a million downloads every year. It is also one of the most complex projects built in Ruby to date.

Vulnerability: A weakness that allows an attacker or pen-tester to break into or compromise a system's security. The weakness can exist in the operating system, in application software, or even in the network protocols.

Exploit: Code that takes advantage of a specific vulnerability to compromise the security of the vulnerable system. Each exploit is written against a particular vulnerability. Metasploit v4 has more than 700 exploits.

Payload: The code that does the actual work once the exploit has succeeded; it runs on the target system after exploitation. Payloads are mostly used to set up a connection between the attacking machine and the victim machine. Metasploit v4 has more than 250 payloads.

Module: Modules are the small building blocks of the complete system. Every module performs a specific task, and the complete system is built by combining several modules that function as a single unit. The biggest advantage of this architecture is that it is easy for developers to integrate new exploit code and tools into the framework.

The Metasploit framework has a modular architecture and the exploits, payload, encoders, and so on are considered as separate modules.

Let us examine the architecture diagram closely.

Metasploit uses different libraries which hold the key to the proper functioning of the framework. These libraries are a collection of pre-defined tasks, operations, and functions that can be utilized by different modules of the framework. The most fundamental part of the framework is the Ruby Extension (Rex) library. Some of the components provided by Rex include a wrapper socket subsystem, implementations of protocol clients and servers, a logging subsystem, exploitation utility classes, and a number of other useful classes. Rex itself is designed to have no dependencies, other than what comes with the default Ruby installation.

Then we have the MSF Core library which extends Rex. Core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. This core library is extended by the framework base library which is designed to provide simpler wrapper routines for dealing with the framework core, as well as providing utility classes for dealing with different aspects of the framework, such as serializing a module state to different output formats. Finally, the base library is extended by the framework's User Interface (UI) that implements support for the different types of user interfaces to the framework itself, such as the command console and the web interface.

There are four different user interfaces provided with the framework, namely msfconsole, msfcli, msfgui, and msfweb. You are encouraged to check out all of them, but in this book we will primarily work on the msfconsole interface, because msfconsole offers the most complete access to the framework's functionality.

Let us now move to the recipes of this chapter and practically analyze the various aspects.

Configuring Metasploit on Windows

Installation of the Metasploit framework on Windows is simple and requires almost no effort. The framework installer can be downloaded from the Metasploit official website (http://www.metasploit.com/download).

Getting ready

You will notice that there are two types of installer available for Windows. It is recommended to download the complete installer of the Metasploit framework which contains the console and all other relevant dependencies, along with the database and runtime setup. In case you already have a configured database that you want to use for the framework as well, then you can go for the mini installer of the framework which only installs the console and dependencies.

How to do it...

Once you have completed downloading the installer, simply run it and sit back. It will automatically install all the relevant components and set up the database for you. Once the installation is complete, you can access the framework through various shortcuts created by the installer.

How it works...

You will find that the installer has created lots of shortcuts for you. Most of the things are click-and-go in a Windows environment. Some of the options that you will find are Metasploit web, cmd console, Metasploit update, and so on.

Note

While installing Metasploit on Windows, temporarily disable antivirus protection, as it may flag some of the installation files as viruses or threats and block the installation. Once the installation is complete, re-enable it and whitelist the framework installation directory, since the antivirus will otherwise detect the exploits and payloads it contains as malicious and quarantine them.

There's more...

Now let's talk about some other options, or possibly some pieces of general information, that are relevant to installing the Metasploit framework on Windows explicitly.

Database error during installation

There is a common problem with many users while installing the Metasploit framework on the Windows machine. While running the setup you may encounter an error message, as shown in the screenshot:

This is the result of an error in configuring the PostgreSQL server. The possible causes are:

PostgreSQL is not running. Use netstat to check whether the PostgreSQL port (5432 by default) is open and the database is listening.
Some installers require the default installation path. For example, if the default path is on the C drive, changing it to the D drive will produce this error.
Language encoding.

If you face this problem, you can overcome it by downloading the minimal installer, which contains only the console and its dependencies, then configuring the PostgreSQL database manually and connecting Metasploit to it.
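The first cause listed above is the easiest to rule out. The following is an added example, not code from the book: a small shell function that reads socket-listing output and reports whether anything is listening on the PostgreSQL port. It accepts the output of netstat -ant or ss -ltn on Linux and of netstat -an on Windows (whose state column reads LISTENING). The listings embedded in the block are constructed so the check can be run offline.

```shell
#!/bin/sh
# Added example, not from the book: decide from socket-listing output whether
# anything is listening on the PostgreSQL port before blaming the installer.
# Works on the output of `netstat -ant`, `ss -ltn` and Windows `netstat -an`
# (its state column reads LISTENING, which the match also covers). The sample
# listings below are constructed for an offline run.

pg_listener_present() {
    port="${1:-5432}"   # PostgreSQL's default port; pass another if reconfigured
    # In every listed format the local address ends in ":<port>" (IPv4, [::]:port
    # or :::port) and the state column carries LISTEN or LISTENING. Only the last
    # colon-separated field of each column is compared, so a foreign address such
    # as 0.0.0.0:* or 0.0.0.0:0 never produces a false match, and a non-LISTEN
    # line that happens to mention the port (a stale client socket) is ignored.
    awk -v p="$port" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                n = split($i, a, ":")
                if (n >= 2 && a[n] == p) found = 1
            }
        }
        END { print (found ? "yes" : "no") }'
}

# Constructed `netstat -ant` output from a host whose database is up ...
SAMPLE_NETSTAT_UP='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED'

# ... and from one where only a stale client connection to a remote 5432 remains.
SAMPLE_NETSTAT_DOWN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:40000       192.168.1.9:5432        TIME_WAIT'

# Constructed Windows `netstat -an` excerpt with the database listening.
SAMPLE_WINDOWS_UP='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING'
```

On a live host, pipe the real listing in (netstat -ant | pg_listener_present, or ss -ltn | pg_listener_present). A "no" means the database service has to be started, or Metasploit pointed at a database you configure by hand, before the installer or the console will connect.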

Configuring Metasploit on Ubuntu

The Metasploit framework has full support for Ubuntu-based Linux operating systems. The installation process is a bit different from that of Windows.

Getting ready

Download the setup from the official Metasploit website (http://www.metasploit.com/download).

Again, you will have the option to choose either a minimal or a full setup. Choose according to your needs: the full setup includes all the dependencies, the database setup, the environment, and so on, whereas the minimal setup contains only the dependencies, with no database setup.

How to do it...

The process for installing a full setup is a bit different from a minimal setup. Let us analyze each of them:

Full installer: You will need to execute the following commands to install the framework on your Ubuntu machine:
$ chmod +x framework-4.*-linux-full.run
$ sudo ./framework-4.*-linux-full.run
Minimal installer: You will need to execute the following commands to install the framework with minimal options:
$ chmod +x framework-4.*-linux-mini.run
$ sudo ./framework-4.*-linux-mini.run

How it works...

The installation process demonstrated above is the standard procedure for installing almost any software on Ubuntu. Once the installation is complete, run hash -r so that your shell discards its cached command locations and finds the newly installed msf* commands on your path.

Note

This installation process can be followed on almost all flavors and versions of Linux.

There's more...

Now let's talk about some other options, or possibly some pieces of general information that are relevant to this task.

Error during installation

The installer may fail for you for some reason. Some versions of Ubuntu ship with broken Ruby libraries, which is one common cause of installation failure. In that case, we can install the dependencies separately by executing the following commands:

For installing Ruby dependencies run:

$ sudo apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems

For installing the subversion client run:

$ sudo apt-get install subversion

For building native extensions run:

$ sudo apt-get install build-essential ruby-dev libpcap-dev

After installing the preceding dependencies, download the Metasploit Unix tarball from the official Metasploit download page and execute the following commands:

$ tar xf framework-4.X.tar.gz
$ sudo mkdir -p /opt/metasploit4
$ sudo cp -a msf4/ /opt/metasploit4/msf4
$ sudo chown root:root -R /opt/metasploit4/msf4
$ sudo ln -sf /opt/metasploit4/msf4/msf* /usr/local/bin/

Note that every command uses the same /opt/metasploit4 prefix. The copy, chown, and symlink steps must agree on it; if the symlinks point at a directory the tree was never copied to, the msf* commands in /usr/local/bin will be dangling links.

On successful execution of the preceding commands, the framework will be up and running to receive your instructions.
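The manual tarball procedure above is a handful of commands whose paths have to line up, so it is worth wrapping in a script that checks each step and verifies the result. The following is an added example written for this section, not code from the book or from the Metasploit project. It assumes the tarball unpacks to a top-level msf4/ directory containing launchers named msf*, and takes the install prefix (such as /opt/metasploit4) and the bin directory (such as /usr/local/bin) as arguments; the stand-in tarball it builds for an offline run is constructed and contains only stub scripts.

```shell
#!/bin/sh
# Added example, not from the book: perform the manual tarball install with a
# consistent prefix and verify the resulting launchers. Assumes the tarball
# unpacks to a top-level msf4/ directory whose launchers are named msf*; the
# prefix (e.g. /opt/metasploit4) and bin directory (e.g. /usr/local/bin) are
# supplied by the caller.

install_msf_tarball() {
    tarball="$1"; prefix="$2"; bindir="$3"
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    workdir=$(mktemp -d) || return 1
    tar xf "$tarball" -C "$workdir" || return 1
    [ -d "$workdir/msf4" ] || { echo "tarball has no msf4/ directory" >&2; return 1; }
    mkdir -p "$prefix" "$bindir" || return 1
    cp -a "$workdir/msf4" "$prefix/msf4" || return 1
    rm -rf "$workdir"
    # Handing the tree to root needs root; the book runs these steps under sudo.
    if [ "$(id -u)" = 0 ]; then chown -R root:root "$prefix/msf4" || return 1; fi
    # Link every launcher from the same prefix the tree was just copied to.
    for f in "$prefix/msf4"/msf*; do
        [ -f "$f" ] || continue
        ln -sf "$f" "$bindir/$(basename "$f")" || return 1
    done
}

# Prints "ok" when every msf* link in the bin directory resolves to an existing
# file under the prefix; otherwise prints what is wrong and returns 1. Run it
# after installing: the copy and the symlinks must agree on the prefix, and a
# typo in either leaves dangling launchers that only fail when first invoked.
verify_msf_links() {
    prefix="$1"; bindir="$2"
    for link in "$bindir"/msf*; do
        [ -L "$link" ] || { echo "missing: no msf* links in $bindir"; return 1; }
        target=$(readlink "$link")
        case "$target" in
            "$prefix/msf4/"*) [ -f "$target" ] || { echo "dangling: $link -> $target"; return 1; } ;;
            *) echo "wrong prefix: $link -> $target"; return 1 ;;
        esac
    done
    echo ok
}

# Builds a constructed stand-in for framework-4.X.tar.gz (two stub launchers)
# under the given directory so the procedure can be exercised offline, and
# prints the tarball path. Not the real framework.
make_sample_tarball() {
    dir="$1"
    mkdir -p "$dir/msf4" || return 1
    printf '#!/bin/sh\necho msfconsole-stub\n' > "$dir/msf4/msfconsole"
    printf '#!/bin/sh\necho msfcli-stub\n' > "$dir/msf4/msfcli"
    chmod +x "$dir/msf4/msfconsole" "$dir/msf4/msfcli"
    (cd "$dir" && tar czf framework-4.X.tar.gz msf4) || return 1
    echo "$dir/framework-4.X.tar.gz"
}
```

A real run is sudo sh -c '. ./install.sh; install_msf_tarball framework-4.X.tar.gz /opt/metasploit4 /usr/local/bin && verify_msf_links /opt/metasploit4 /usr/local/bin', followed by hash -r in your own shell so that msfconsole is found on the path.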

Metasploit with BackTrack 5 – the ultimate combination

BackTrack is the most popular operating system among security professionals for two reasons. First, it comes with all the popular penetration testing tools pre-installed, which saves the cost of installing them separately. Second, it is a Linux-based operating system, which makes it less prone to virus attacks and more stable during penetration testing. It saves you the time of installing the relevant components and tools, and spares you the unknown errors you may encounter during the installation process.

Getting ready

You can either install BackTrack separately on your hard disk or run it in a virtual machine on your host. The installation process is simple and the same as installing any Linux-based operating system.

How to do it...

1. On booting the BackTrack OS, you will be asked to enter the username and password. The default username for the root user is root and the password is toor.
2. On successful login, you can either work on the command line or enter startx to start the GUI.
3. You can start the Metasploit framework either from the Applications menu or from the command line. To launch Metasploit from the Applications menu, go to Applications | BackTrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework, as shown in the following screenshot:
4. Metasploit follows a simple directory hierarchy where the root folder is pentest. The directory further branches to /exploits/framework3. To launch Metasploit from the command line, open a terminal and enter the following commands to move to the Metasploit directory and start the console:
root@bt:~# cd /pentest/exploits/framework3
root@bt:/pentest/exploits/framework3# ./msfconsole

How it works...

Launching Metasploit from the command line requires the full path to msfconsole, whereas launching it from the Applications menu gives direct access to the different UIs available to us.

Setting up the penetration testing lab on a single machine

You can always set up a penetration testing lab using multiple machines, and that is considered the ideal setup. But what if you need to set up a testing scenario immediately and have only a single machine? Using virtual machines is the obvious answer. You can run more than one operating system simultaneously and perform the penetration test between them. So let us have a quick look at how to set up a penetration testing lab on a single system with the help of virtual machines.

Getting ready