Metasploit: The Penetration Tester's Guide

Transcription

The Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users. Metasploit: The Penetration Tester’s Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors.

Once you’ve built your foundation for penetration testing, you’ll learn the Framework’s conventions, interfaces, and module system as you launch simulated attacks. You’ll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.

Learn how to:

- Find and exploit unmaintained, misconfigured, and unpatched systems
- Perform reconnaissance and find valuable information about your target
- Bypass antivirus technologies and circumvent security controls
- Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery
- Use the Meterpreter shell to launch further attacks from inside the network
- Harness stand-alone Metasploit utilities, third-party tools, and plug-ins
- Learn how to write your own Meterpreter post-exploitation modules and scripts

You’ll even touch on exploit discovery for zero-day research, write a fuzzer, port existing exploits into the Framework, and learn how to cover your tracks. Whether your goal is to secure your own networks or to put someone else’s to the test, Metasploit: The Penetration Tester’s Guide will take you there and beyond.

“The best guide to the Metasploit Framework.” — HD Moore, Founder of the Metasploit Project

David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni
Foreword by HD Moore

No Starch Press, www.nostarch.com

PRAISE FOR METASPLOIT: THE PENETRATION TESTER’S GUIDE

“The best guide to the Metasploit Framework.”
—HD Moore, Founder of the Metasploit Project

“A great book about the Metasploit Framework.”
—Richard Bejtlich, CSO of Mandiant and author of The Practice of Network Security Monitoring

“For anyone who wants to get involved in the mechanics of penetration testing with Metasploit, this book is an excellent resource.”
—Tod Beardsley, Rapid7

“Takes current documentation further and provides a valuable resource for people who are interested in security but don’t have the time or money to take a training class on Metasploit. Rating: 10/10.”
—Slashdot

“My recommendation: get this book.”
—Chris Koger, PenTest Magazine

“Very comprehensive and packed full of great advice.”
—Christian Kirsch, Rapid7

“Whether you are a penetration tester or a technical security professional, quality time spent working through this book will add valuable tools and insight to your professional repertoire.”
—IEEE Cipher

“For those looking to use Metasploit to its fullest, Metasploit: The Penetration Tester’s Guide is a valuable aid.”
—Ben Rothke, Security Management

“A great book to get people started, has examples to walk through, and includes more advanced topics for experienced users.”
—Dark Reading

METASPLOIT
The Penetration Tester’s Guide

by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni

San Francisco

METASPLOIT. Copyright 2011 by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

Fifth printing
16 15 14 13   5 6 7 8 9

ISBN-10: 1-59327-288-X
ISBN-13: 978-1-59327-288-3

Publisher: William Pollock
Production Editor: Alison Law
Cover Illustration: Hugh D’Andrade
Interior Design: Octopod Studios
Developmental Editors: William Pollock and Tyler Ortman
Technical Reviewer: Scott White
Copyeditor: Lisa Theobald
Compositor: Susan Glinert Stevens
Proofreader: Ward Webber
Indexer: BIM Indexing & Proofreading Services

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com

Library of Congress Cataloging-in-Publication Data
Metasploit : the penetration tester's guide / by David Kennedy ... [et al.].
p. cm.
Includes index.
ISBN-13: 978-1-59327-288-3 (pbk.)
ISBN-10: 1-59327-288-X (pbk.)
1. Computers--Access control. 2. Penetration testing (Computer security) 3. Metasploit (Electronic resource) 4. Computer networks--Security measures--Testing. I. Kennedy, David, 1982
QA76.9.A25M4865 2011
005.8--dc23
201102016

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the authors nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

BRIEF CONTENTS

Foreword by HD Moore . xiii
Preface . xvii
Acknowledgments . xix
Introduction . xxi
Chapter 1: The Absolute Basics of Penetration Testing . 1
Chapter 2: Metasploit Basics . 7
Chapter 3: Intelligence Gathering . 15
Chapter 4: Vulnerability Scanning . 35
Chapter 5: The Joy of Exploitation . 57
Chapter 6: Meterpreter . 75
Chapter 7: Avoiding Detection . 99
Chapter 8: Exploitation Using Client-Side Attacks . 109
Chapter 9: Metasploit Auxiliary Modules . 123
Chapter 10: The Social-Engineer Toolkit . 135
Chapter 11: Fast-Track . 163
Chapter 12: Karmetasploit . 177
Chapter 13: Building Your Own Module . 185
Chapter 14: Creating Your Own Exploits . 197
Chapter 15: Porting Exploits to the Metasploit Framework . 215
Chapter 16: Meterpreter Scripting . 235
Chapter 17: Simulated Penetration Test . 251
Appendix A: Configuring Your Target Machines . 267
Appendix B: Cheat Sheet . 275
Index . 285

CONTENTS IN DETAIL

FOREWORD by HD Moore . xiii
PREFACE . xvii
ACKNOWLEDGMENTS . xix
Special Thanks . xx

INTRODUCTION . xxi
Why Do a Penetration Test? . xxii
Why Metasploit? . xxii
A Brief History of Metasploit . xxii
About this Book . xxiii
What’s in the Book? . xxiii
A Note on Ethics . xxiv

1 THE ABSOLUTE BASICS OF PENETRATION TESTING . 1
The Phases of the PTES . 2
Pre-engagement Interactions . 2
Intelligence Gathering . 2
Threat Modeling . 2
Vulnerability Analysis . 3
Exploitation . 3
Post Exploitation . 3
Reporting . 4
Types of Penetration Tests . 4
Overt Penetration Testing . 5
Covert Penetration Testing . 5
Vulnerability Scanners . 5
Pulling It All Together . 6

2 METASPLOIT BASICS . 7
Terminology . 7
Exploit . 8
Payload . 8
Shellcode . 8
Module . 8
Listener . 8
Metasploit Interfaces . 8
MSFconsole . 9
MSFcli . 9
Armitage . 11
Metasploit Utilities . 12
MSFpayload . 12
MSFencode . 13
Nasm Shell . 13
Metasploit Express and Metasploit Pro . 14
Wrapping Up . 14

3 INTELLIGENCE GATHERING . 15
Passive Information Gathering . 16
whois Lookups . 16
Netcraft . 17
NSLookup . 18
Active Information Gathering . 18
Port Scanning with Nmap . 18
Working with Databases in Metasploit . 20
Port Scanning with Metasploit . 25
Targeted Scanning . 26
Server Message Block Scanning . 26
Hunting for Poorly Configured Microsoft SQL Servers . 27
SSH Server Scanning . 28
FTP Scanning . 29
Simple Network Management Protocol Sweeping . 30
Writing a Custom Scanner . 31
Looking Ahead . 33

4 VULNERABILITY SCANNING . 35
The Basic Vulnerability Scan . 36
Scanning with NeXpose . 37
Configuration . 37
Importing Your Report into the Metasploit Framework . 42
Running NeXpose Within MSFconsole . 43
Scanning with Nessus . 44
Nessus Configuration . 44
Creating a Nessus Scan Policy . 45
Running a Nessus Scan . 47
Nessus Reports . 47
Importing Results into the Metasploit Framework . 48
Scanning with Nessus from Within Metasploit . 49
Specialty Vulnerability Scanners . 51
Validating SMB Logins . 51
Scanning for Open VNC Authentication . 53
Scanning for Open X11 Servers . 55

5 THE JOY OF EXPLOITATION . 57
Basic Exploitation . 58
msf show exploits . 58
msf show auxiliary . 58
msf show options . 58
msf show payloads . 60
msf show targets . 62
info . 63
set and unset . 63
setg and unsetg . 64
save . 64
Exploiting Your First Machine . 64
Exploiting an Ubuntu Machine . 68
All-Ports Payloads: Brute Forcing Ports . 71
Resource Files . 72
Wrapping Up . 73

6 METERPRETER . 75
Compromising a Windows XP Virtual Machine . 76
Scanning for Ports with Nmap . 76
Attacking MS SQL . 76
Brute Forcing MS SQL Server . 78
The xp_cmdshell . 79
Basic Meterpreter Commands . 80
Capturing Keystrokes . 81
Dumping Usernames and Passwords . 82
Extracting the Password Hashes . 82
Dumping the Password Hash . 83
Pass the Hash . 84
Privilege Escalation . 85
Token Impersonation . 87
Using ps . 87
Pivoting onto Other Systems . 89
Using Meterpreter Scripts . 92
Migrating a Process . 92
Killing Antivirus Software . 93
Obtaining System Password Hashes . 93
Viewing All Traffic on a Target Machine . 93
Scraping a System . 93
Using Persistence . 94
Leveraging Post Exploitation Modules . 95
Upgrading Your Command Shell to Meterpreter . 95
Manipulating Windows APIs with the Railgun Add-On . 97
Wrapping Up . 97

7 AVOIDING DETECTION . 99
Creating Stand-Alone Binaries with MSFpayload . 100
Evading Antivirus Detection . 101
Encoding with MSFencode . 102
Multi-encoding . 103
Custom Executable Templates . 105
Launching a Payload Stealthily . 106
Packers . 107
A Final Note on Antivirus Software Evasion . 108

8 EXPLOITATION USING CLIENT-SIDE ATTACKS . 109
Browser-Based Exploits . 110
How Browser-Based Exploits Work . 111
Looking at NOPs . 112
Using Immunity Debugger to Decipher NOP Shellcode . 112
Exploring the Internet Explorer Aurora Exploit . 116
File Format Exploits . 119
Sending the Payload . 120
Wrapping Up . 121

9 METASPLOIT AUXILIARY MODULES . 123
Auxiliary Modules in Use . 126
Anatomy of an Auxiliary Module . 128
Going Forward . 133

10 THE SOCIAL-ENGINEER TOOLKIT . 135
Configuring the Social-Engineer Toolkit . 136
Spear-Phishing Attack Vector . 137
Web Attack Vectors . 142
Java Applet . 143
Client-Side Web Exploits . 146
Username and Password Harvesting . 148
Tabnabbing . 151
Man-Left-in-the-Middle . 151
Web Jacking . 151
Putting It All Together with a Multipronged Attack . 153
Infectious Media Generator . 158
Teensy USB HID Attack Vector . 158
Additional SET Features . 161
Looking Ahead . 162

11 FAST-TRACK . 163
Microsoft SQL Injection . 164
SQL Injector—Query String Attack . 165
SQL Injector—POST Parameter Attack . 166
Manual Injection . 167
MSSQL Bruter . 168
SQLPwnage . 172
Binary-to-Hex Generator . 174
Mass Client-Side Attack . 175
A Few Words About Automation . 176

12 KARMETASPLOIT . 177
Configuration . 178
Launching the Attack . 179
Credential Harvesting . 181
Getting a Shell . 182
Wrapping Up . 184

13 BUILDING YOUR OWN MODULE . 185
Getting Command Execution on Microsoft SQL . 186
Exploring an Existing Metasploit Module . 187
Creating a New Module . 189
PowerShell . 189
Running the Shell Exploit . 190
Creating powershell_upload_exec . 192
Conversion from Hex to Binary . 192
Counters . 194
Running the Exploit . 195
The Power of Code Reuse . 196

14 CREATING YOUR OWN EXPLOITS . 197
The Art of Fuzzing . 198
Controlling the Structured Exception Handler . 201
Hopping Around SEH Restrictions . 204
Getting a Return Address . 206
Bad Characters and Remote Code Execution . 210
Wrapping Up . 213

15 PORTING EXPLOITS TO THE METASPLOIT FRAMEWORK . 215
Assembly Language Basics . 216
EIP and ESP Registers . 216
The JMP Instruction Set . 216
NOPs and NOP Slides . 216
Porting a Buffer Overflow . 216
Stripping the Existing Exploit . 218
Configuring the Exploit Definition . 219
Testing Our Base Exploit . 220
Implementing Features of the Framework . 221
Adding Randomization . 222
Removing the NOP Slide . 223
Removing the Dummy Shellcode . 223
Our Completed Module . 224
SEH Overwrite Exploit . 226
Wrapping Up . 233

16 METERPRETER SCRIPTING . 235
Meterpreter Scripting Basics . 235
Meterpreter API .
