CONTENTS IN DETAIL. FOREWORD by HD Moore ACKNOWLEDGMENTS INTRODUCTION 1 THE ABSOLUTE BASICS OF PENETRATION TESTING 1 2 METASPLOIT BASICS 7

Transcription

1 CONTENTS IN DETAIL FOREWORD by HD Moore xiii PREFACE xvii ACKNOWLEDGMENTS xix Special Thanks... xx INTRODUCTION xxi Why Do A Penetration Test?... xxii Why Metasploit?... xxii A Brief History of Metasploit... xxii About this Book...xxiii What s in the Book?...xxiii A Note on Ethics...xxiv 1 THE ABSOLUTE BASICS OF PENETRATION TESTING 1 The Phases of the PTES... 2 Pre-engagement Interactions... 2 Intelligence Gathering... 2 Threat Modeling... 2 Vulnerability Analysis... 3 Exploitation... 3 Post Exploitation... 3 Reporting... 4 Types of Penetration Tests... 4 Overt Penetration Testing... 5 Covert Penetration Testing... 5 Vulnerability Scanners... 5 Pulling It All Together METASPLOIT BASICS 7 Terminology... 7 Exploit... 8 Payload... 8 Shellcode... 8 Module... 8 Listener... 8 Metasploit Interfaces... 8 MSFconsole... 9 MSFcli... 9 Armitage... 11

2 Metasploit Utilities MSFpayload MSFencode Nasm Shell Metasploit Express and Metasploit Pro Wrapping Up INTELLIGENCE GATHERING 15 Passive Information Gathering whois Lookups Netcraft NSLookup Active Information Gathering Port Scanning with Nmap Working with Databases in Metasploit Port Scanning with Metasploit Targeted Scanning Server Message Block Scanning Hunting for Poorly Configured Microsoft SQL Servers SSH Server Scanning FTP Scanning Simple Network Management Protocol Sweeping Writing a Custom Scanner Looking Ahead VULNERABILITY SCANNING 35 The Basic Vulnerability Scan Scanning with NeXpose Configuration Importing Your Report into the Metasploit Framework Running NeXpose Within MSFconsole Scanning with Nessus Nessus Configuration Creating a Nessus Scan Policy Running a Nessus Scan Nessus Reports Importing Results into the Metasploit Framework Scanning with Nessus from Within Metasploit Specialty Vulnerability Scanners Validating SMB Logins Scanning for Open VNC Authentication Scanning for Open X11 Servers Using Scan Results for Autopwning THE JOY OF EXPLOITATION 57 Basic Exploitation msf> show exploits msf> show auxiliary viii

3 msf> show options msf> show payloads msf> show targets info set and unset setg and unsetg save Exploiting Your First Machine Exploiting an Ubuntu Machine All-Ports Payloads: Brute Forcing Ports Resource Files Wrapping Up METERPRETER 75 Compromising a Windows XP Virtual Machine Scanning for Ports with Nmap Attacking MS SQL Brute Forcing MS SQL Server The xp_cmdshell Basic Meterpreter Commands Capturing Keystrokes Dumping Usernames and Passwords Extracting the Password Hashes Dumping the Password Hash Pass the Hash Privilege Escalation Token Impersonation Using ps Pivoting onto Other Systems Using Meterpreter Scripts Migrating a Process Killing Antivirus Software Obtaining System Password Hashes Viewing All Traffic on a Target Machine Scraping a System Using Persistence Leveraging Post Exploitation Modules Upgrading Your Command Shell to Meterpreter Manipulating Windows APIs with the Railgun Add-On Wrapping Up AVOIDING DETECTION 99 Creating Stand-Alone Binaries with MSFpayload Evading Antivirus Detection Encoding with MSFencode Multi-encoding Custom Executable Templates Launching a Payload Stealthily ix

4 Packers A Final Note on Antivirus Software Evasion EXPLOITATION USING CLIENT-SIDE ATTACKS 109 Browser-Based Exploits How Browser-Based Exploits Work Looking at NOPs Using Immunity Debugger to Decipher NOP Shellcode Exploring the Internet Explorer Aurora Exploit File Format Exploits Sending the Payload Wrapping Up METASPLOIT AUXILIARY MODULES 123 Auxiliary Modules in Use Anatomy of an Auxiliary Module Going Forward THE SOCIAL-ENGINEER TOOLKIT 135 Configuring the Social-Engineer Toolkit Spear-Phishing Attack Vector Web Attack Vectors Java Applet Client-Side Web Exploits Username and Password Harvesting Tabnabbing Man-Left-in-the-Middle Web Jacking Putting It All Together with a Multipronged Attack Infectious Media Generator Teensy USB HID Attack Vector Additional SET Features Looking Ahead FAST-TRACK 163 Microsoft SQL Injection SQL Injector Query String Attack SQL Injector POST Parameter Attack Manual Injection MSSQL Bruter SQLPwnage Binary-to-Hex Generator Mass Client-Side Attack A Few Words About Automation x

5 12 KARMETASPLOIT 177 Configuration Launching the Attack Credential Harvesting Getting a Shell Wrapping Up BUILDING YOUR OWN MODULE 185 Getting Command Execution on Microsoft SQL Exploring an Existing Metasploit Module Creating a New Module PowerShell Running the Shell Exploit Creating powershell_upload_exec Conversion from Hex to Binary Counters Running the Exploit The Power of Code Reuse CREATING YOUR OWN EXPLOITS 197 The Art of Fuzzing Controlling the Structured Exception Handler Hopping Around SEH Restrictions Getting a Return Address Bad Characters and Remote Code Execution Wrapping Up PORTING EXPLOITS TO THE METASPLOIT FRAMEWORK 215 Assembly Language Basics EIP and ESP Registers The JMP Instruction Set NOPs and NOP Slides Porting a Buffer Overflow Stripping the Existing Exploit Configuring the Exploit Definition Testing Our Base Exploit Implementing Features of the Framework Adding Randomization Removing the NOP Slide Removing the Dummy Shellcode Our Completed Module SEH Overwrite Exploit Wrapping Up xi

6 16 METERPRETER SCRIPTING 235 Meterpreter Scripting Basics Meterpreter API Printing Output Base API Calls Meterpreter Mixins Rules for Writing Meterpreter Scripts Creating Your Own Meterpreter Script Wrapping Up SIMULATED PENETRATION TEST 251 Pre-engagement Interactions Intelligence Gathering Threat Modeling Exploitation Customizing MSFconsole Post Exploitation Scanning the Metasploitable System Identifying Vulnerable Services Attacking Apache Tomcat Attacking Obscure Services Covering Your Tracks Wrapping Up A CONFIGURING YOUR TARGET MACHINES 267 Installing and Setting Up the System Booting Up the Linux Virtual Machines Setting Up a Vulnerable Windows XP Installation Configuring Your Web Server on Windows XP Building a SQL Server Creating a Vulnerable Web Application Updating Back Track B CHEAT SHEET 275 MSFconsole Commands Meterpreter Commands MSFpayload Commands MSFencode Commands MSFcli Commands MSF, Ninja, Fu MSFvenom Meterpreter Post Exploitation Commands INDEX 285 xii