Metasploit Penetration Testing Cookbook, Second Edition
Over 80 recipes to master the most widely used penetration testing framework

Monika Agarwal
Abhinav Singh

BIRMINGHAM - MUMBAI

Metasploit Penetration Testing Cookbook, Second Edition

Copyright © 2013 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: June 2012
Second edition: October 2013
Production Reference: 1181013

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78216-678-8

www.packtpub.com

Cover Image by Prashant Timappa Shetty ([email protected])

Credits

Authors: Monika Agarwal, Abhinav Singh
Reviewers: Conrad Brown, Sagar A. Rahalkar
Acquisition Editors: Joanne Fitzpatrick, Usha Iyer
Lead Technical Editor: Ankita Shashi
Technical Editors: Pragnesh Bilimoria, Chandni Maishery, Iram Malik, Anand Singh
Project Coordinator: Wendell Palmer
Proofreader: Lauren Harkins
Indexer: Hemangini Bari
Graphics: Yuvraj Mannari
Production Coordinator: Aditi Gajjar
Cover Work: Aditi Gajjar

About the Authors

Monika Agarwal is a young Information Security Researcher from India. She has presented many research papers at both national and international conferences. She is a member of IAENG (International Association of Engineers). Her main areas of interest are ethical hacking and ad hoc networking.

I would like to thank my parents, my husband, Nikhil, and give special thanks to my father-in-law and mother-in-law for always being so supportive. And last but not the least, Packt Publishing, for giving me this opportunity.

Abhinav Singh is a young Information Security Specialist from India. He has a keen interest in the field of Hacking and Network Security. He actively works as a freelancer with several security companies, and provides them consultancy. Currently, he is employed as a Systems Engineer at Tata Consultancy Services, India. He is an active contributor of the SecurityXploded community. He is well recognized for his blog (http://hackingalert.blogspot.com), where he shares his encounters with hacking and network security. Abhinav's works have been quoted in several technology magazines and portals.

I would like to thank my parents, for always being supportive and letting me do what I want; my sister, for being my doctor and taking care of my fatigue level; Sachin Raste sir, for taking the pain to review my work; and Kanishka Khaitan, for being my perfect role model. I would also like to thank my blog followers for their comments and suggestions, and last but not the least, Packt Publishing, for making this a memorable project for me.

About the Reviewers

Conrad Brown started his career in the IT field at a small print shop, helping the IT support team with daily tasks. From there, he developed a passion for IT Security and Systems Engineering. He currently works as a System Engineer for the United States Federal Government, where he has won awards for his work. He founded the Southern Maryland Hacker Space and is the Lead Technical Writer for Lokisec.com. When not working on any of these projects, he helps local small businesses by securing their IT infrastructure.

Sagar A. Rahalkar is a seasoned Information Security Professional, having close to 7 years of comprehensive experience in various verticals of I.S., such as Cyber Crime Investigations, Digital Forensics, Application Security, Vulnerability Assessment and Penetration Testing, Compliance for Mandates and Regulations, and so on. He holds a Master's degree in Computer Science, and several industry-recognized certifications, such as Certified Cyber Crime Investigator, Certified Ethical Hacker, Certified Security Analyst, ISO 27001 Lead Auditor, IBM Certified Specialist - Rational AppScan, Certified Information Security Manager (CISM), and more. He has been closely associated with Indian Law Enforcement agencies for more than three years, dealing with digital crime investigations and related training, and has received several awards and appreciations from senior officials of Police and Defense organizations in India. He is also associated with several online Information Security publications, both as an author and as a reviewer. He can be reached at [email protected].

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

Why Subscribe?
- Fully searchable across every book published by Packt
- Copy and paste, print and bookmark content
- On demand and accessible via web browser

Free Access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.

Table of Contents

Preface

Chapter 1: Metasploit Quick Tips for Security Professionals
  Introduction
  Configuring Metasploit on Windows
  Configuring Metasploit on Ubuntu
  Installing Metasploit with BackTrack 5 R3
  Setting up penetration testing using VMware
  Setting up Metasploit on a virtual machine with SSH connectivity
  Installing and configuring PostgreSQL in BackTrack 5 R3
  Using the database to store the penetration testing results
  Working with BBQSQL

Chapter 2: Information Gathering and Scanning
  Introduction
  Passive information gathering
  Port scanning – the Nmap way
  Port scanning – the DNmap way
  Using keimpx – an SMB credentials scanner
  Detecting SSH versions with the SSH version scanner
  FTP scanning
  SNMP sweeping
  Vulnerability scanning with Nessus
  Scanning with NeXpose
  Working with OpenVAS – a vulnerability scanner

Chapter 3: Operating-System-based Vulnerability Assessment
  Introduction
  Penetration testing on a Windows XP SP2 machine
  Binding a shell to the target for remote access
  Penetration testing on Windows 8
  Exploiting a Linux (Ubuntu) machine
  Understanding the Windows DLL injection flaws

Chapter 4: Client-side Exploitation and Antivirus Bypass
  Introduction
  Exploiting Internet Explorer execCommand Use-After-Free vulnerability
  Understanding Adobe Flash Player "new function" invalid pointer use
  Understanding Microsoft Word RTF stack buffer overflow
  Working with Adobe Reader U3D Memory Corruption
  Generating binary and shell code from msfpayload
  Msfencoding schemes with the detection ratio
  Using the killav.rb script to disable the antivirus programs
  Killing the antiviruses' services from the command line
  Working with the syringe utility

Chapter 5: Working with Modules for Penetration Testing
  Introduction
  Working with scanner auxiliary modules
  Working with auxiliary admin modules
  SQL injection and DoS attack module
  Post-exploitation modules
  Understanding the basics of module building
  Analyzing an existing module
  Building your own post-exploitation module

Chapter 6: Exploring Exploits
  Introduction
  Exploiting the module structure
  Working with msfvenom
  Converting an exploit to a Metasploit module
  Porting and testing the new exploit module
  Fuzzing with Metasploit
  Writing a simple FileZilla FTP fuzzer

Chapter 7: VoIP Penetration Testing
  Introduction
  Scanning and enumeration phase
  Yielding passwords
  VLAN hopping
  VoIP MAC spoofing
  Impersonation attack
  DoS attack

Chapter 8: Wireless Network Penetration Testing
  Introduction
  Setting up and running Fern WiFi Cracker
  Sniffing interfaces with tcpdump
  Cracking WEP and WPA with Fern WiFi Cracker
  Session hijacking via a MAC address
  Locating a target's geolocation
  Understanding an evil twin attack
  Configuring Karmetasploit

Chapter 9: Social-Engineer Toolkit
  Introduction
  Getting started with the Social-Engineer Toolkit (SET)
  Working with the SET config file
  Working with the spear-phishing attack vector
  Website attack vectors
  Working with the multi-attack web method
  Infectious media generator

Chapter 10: Working with Meterpreter
  Introduction
  Understanding the Meterpreter system commands
  Understanding the Meterpreter filesystem commands
  Understanding the Meterpreter networking commands
  Privilege escalation and process migration
  Setting up multiple communication channels with the target
  Meterpreter anti-forensics – timestomp
  The getdesktop and keystroke sniffing
  Using a scraper Meterpreter script
  Passing the hash
  Setting up a persistent connection with backdoors
  Pivoting with Meterpreter
  Port forwarding with Meterpreter
  Meterpreter API and mixins
  Railgun – converting Ruby into a weapon
  Adding DLL and function definition to Railgun
  Building a "Windows Firewall De-activator" Meterpreter script
  Analyzing an existing Meterpreter script
  Injecting the VNC server remotely
  Exploiting a vulnerable PHP application
  Incognito attack with Meterpreter