Foreword
Preface
Acknowledgments
Special Thanks

Introduction
  Why Do a Penetration Test?
  Why Metasploit?
  A Brief History of Metasploit
  About This Book
  What's in the Book?
  A Note on Ethics

The Absolute Basics of Penetration Testing
  The Phases of the PTES
  Types of Penetration Tests
  Vulnerability Scanners
  Pulling It All Together

Metasploit Basics
  Terminology
  Metasploit Interfaces
  Metasploit Utilities
  Metasploit Express and Metasploit Pro
  Wrapping Up

Intelligence Gathering
  Passive Information Gathering
  Active Information Gathering
  Targeted Scanning
  Writing a Custom Scanner
  Looking Ahead

Vulnerability Scanning
  The Basic Vulnerability Scan
  Scanning with NeXpose
  Scanning with Nessus
  Specialty Vulnerability Scanners
  Using Scan Results for Autopwning

The Joy of Exploitation
  Basic Exploitation
  Exploiting Your First Machine
  Exploiting an Ubuntu Machine
  All-Ports Payloads: Brute Forcing Ports
  Resource Files
  Wrapping Up

Meterpreter
  Compromising a Windows XP Virtual Machine
  Dumping Usernames and Passwords
  Pass the Hash
  Privilege Escalation
  Token Impersonation
  Using ps
  Pivoting onto Other Systems
  Using Meterpreter Scripts
  Leveraging Post Exploitation Modules
  Upgrading Your Command Shell to Meterpreter
  Manipulating Windows APIs with the Railgun Add-On
  Wrapping Up

Avoiding Detection
  Creating Stand-Alone Binaries with MSFpayload
  Evading Antivirus Detection
  Custom Executable Templates
  Launching a Payload Stealthily
  Packers
  A Final Note on Antivirus Software Evasion

Exploitation Using Client-Side Attacks
  Browser-Based Exploits
  Using Immunity Debugger to Decipher NOP Shellcode
  Exploring the Internet Explorer Aurora Exploit
  File Format Exploits
  Sending the Payload
  Wrapping Up

Metasploit Auxiliary Modules
  Auxiliary Modules in Use
  Anatomy of an Auxiliary Module
  Going Forward

The Social-Engineer Toolkit
  Configuring the Social-Engineer Toolkit
  Spear-Phishing Attack Vector
  Web Attack Vectors
  Infectious Media Generator
  Teensy USB HID Attack Vector
  Additional SET Features
  Looking Ahead

Fast-Track
  Microsoft SQL Injection
  Binary-to-Hex Generator
  Mass Client-Side Attack
  A Few Words About Automation

Karmetasploit
  Configuration
  Launching the Attack
  Credential Harvesting
  Getting a Shell
  Wrapping Up

Building Your Own Module
  Getting Command Execution on Microsoft SQL
  Exploring an Existing Metasploit Module
  Creating a New Module
  The Power of Code Reuse

Creating Your Own Exploits
  The Art of Fuzzing
  Controlling the Structured Exception Handler
  Hopping Around SEH Restrictions
  Getting a Return Address
  Bad Characters and Remote Code Execution
  Wrapping Up

Porting Exploits to the Metasploit Framework
  Assembly Language Basics
  Porting a Buffer Overflow
  SEH Overwrite Exploit
  Wrapping Up

Meterpreter Scripting
  Meterpreter Scripting Basics
  Meterpreter API
  Rules for Writing Meterpreter Scripts
  Creating Your Own Meterpreter Script
  Wrapping Up

Simulated Penetration Test
  Pre-engagement Interactions
  Intelligence Gathering
  Threat Modeling
  Exploitation
  Customizing MSFconsole
  Post Exploitation
  Attacking Apache Tomcat
  Attacking Obscure Services
  Covering Your Tracks
  Wrapping Up

Configuring Your Target Machines
  Installing and Setting Up the System
  Booting Up the Linux Virtual Machines
  Setting Up a Vulnerable Windows XP Installation

Cheat Sheet
  MSFconsole Commands
  Meterpreter Commands
  MSFpayload Commands
  MSFencode Commands
  MSFcli Commands
  MSF, Ninja, Fu
  MSFvenom
  Meterpreter Post Exploitation Commands

Colophon
Updates