Metasploit: The Penetration Tester’s Guide
The Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users. Metasploit: The Penetration Tester’s Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors.

Once you’ve built your foundation for penetration testing, you’ll learn the Framework’s conventions, interfaces, and module system as you launch simulated attacks. You’ll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.

Learn how to:
• Find and exploit unmaintained, misconfigured, and unpatched systems
• Perform reconnaissance and find valuable information about your target
• Bypass antivirus technologies and circumvent security controls
• Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery
• Use the Meterpreter shell to launch further attacks from inside the network
• Harness stand-alone Metasploit utilities, third-party tools, and plug-ins
• Learn how to write your own Meterpreter post-exploitation modules and scripts

You’ll even touch on exploit discovery for zero-day research, write a fuzzer, port existing exploits into the Framework, and learn how to cover your tracks. Whether your goal is to secure your own networks or to put someone else’s to the test, Metasploit: The Penetration Tester’s Guide will take you there and beyond.

“The best guide to the Metasploit Framework.” — HD Moore, Founder of the Metasploit Project

David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni
Foreword by HD Moore

THE FINEST IN GEEK ENTERTAINMENT™
“I LAY FLAT.” This book uses RepKover — a durable binding that won’t snap shut.
www.nostarch.com
$49.95 ($57.95 CDN)
Shelve In: Computers/Internet/Security

METASPLOIT
The Penetration Tester’s Guide
by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni
San Francisco
San Francisco
METASPLOIT. Copyright © 2011 by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior
written permission of the copyright owner and the publisher.
15 14 13 12 11
123456789
ISBN-10: 1-59327-288-X
ISBN-13: 978-1-59327-288-3
Publisher: William Pollock
Production Editor: Alison Law
Cover Illustration: Hugh D’Andrade
Interior Design: Octopod Studios
Developmental Editors: William Pollock and Tyler Ortman
Technical Reviewer: Scott White
Copyeditor: Lisa Theobald
Compositors: Susan Glinert Stevens
Proofreader: Ward Webber
Indexer: BIM Indexing & Proofreading Services
For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
38 Ringold Street, San Francisco, CA 94103
phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com
Library of Congress Cataloging-in-Publication Data
A catalog record of this book is available from the Library of Congress.
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and
company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark
symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the
benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been
taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any
person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the
information contained in it.
BRIEF CONTENTS
Foreword by HD Moore ................................................................................................ xiii
Preface .......................................................................................................................xvii
Acknowledgments .........................................................................................................xix
Introduction .................................................................................................................xxi
Chapter 1: The Absolute Basics of Penetration Testing .........................................................1
Chapter 2: Metasploit Basics ............................................................................................7
Chapter 3: Intelligence Gathering ...................................................................................15
Chapter 4: Vulnerability Scanning...................................................................................35
Chapter 5: The Joy of Exploitation...................................................................................57
Chapter 6: Meterpreter ..................................................................................................75
Chapter 7: Avoiding Detection .......................................................................................99
Chapter 8: Exploitation Using Client-Side Attacks............................................................109
Chapter 9: Metasploit Auxiliary Modules .......................................................................123
Chapter 10: The Social-Engineer Toolkit.........................................................................135
Chapter 11: Fast-Track.................................................................................................163
Chapter 12: Karmetasploit ...........................................................................................177
Chapter 13: Building Your Own Module........................................................................185
Chapter 14: Creating Your Own Exploits .......................................................................197
Chapter 15: Porting Exploits to the Metasploit Framework................................................215
Chapter 16: Meterpreter Scripting.................................................................................235
Chapter 17: Simulated Penetration Test..........................................................................251
Appendix A: Configuring Your Target Machines .............................................................267
Appendix B: Cheat Sheet .............................................................................................275
Index .........................................................................................................................285
vi
Brief Contents
CONTENTS IN DETAIL
FOREWORD by HD Moore ............................................................................................... xiii
PREFACE ......................................................................................................................xvii
ACKNOWLEDGMENTS ...................................................................................................xix
Special Thanks ........................................................................................................ xx
INTRODUCTION
xxi
Why Do A Penetration Test? ................................................................................... xxii
Why Metasploit? .................................................................................................. xxii
A Brief History of Metasploit ................................................................................... xxii
About this Book .....................................................................................................xxiii
What’s in the Book? ..............................................................................................xxiii
A Note on Ethics .................................................................................................. xxiv
1
THE ABSOLUTE BASICS OF PENETRATION TESTING
1
The Phases of the PTES .............................................................................................. 2
Pre-engagement Interactions ......................................................................... 2
Intelligence Gathering .................................................................................. 2
Threat Modeling ......................................................................................... 2
Vulnerability Analysis .................................................................................. 3
Exploitation ................................................................................................ 3
Post Exploitation .......................................................................................... 3
Reporting ................................................................................................... 4
Types of Penetration Tests .......................................................................................... 4
Overt Penetration Testing ............................................................................. 5
Covert Penetration Testing ............................................................................ 5
Vulnerability Scanners .............................................................................................. 5
Pulling It All Together ................................................................................................ 6
2
METASPLOIT BASICS
7
Terminology ............................................................................................................ 7
Exploit ....................................................................................................... 8
Payload ..................................................................................................... 8
Shellcode ................................................................................................... 8
Module ...................................................................................................... 8
Listener ...................................................................................................... 8
Metasploit Interfaces ................................................................................................. 8
MSFconsole ................................................................................................ 9
MSFcli ....................................................................................................... 9
Armitage .................................................................................................. 11
Metasploit Utilities .................................................................................................. 12
MSFpayload ............................................................................................. 12
MSFencode .............................................................................................. 13
Nasm Shell ............................................................................................... 13
Metasploit Express and Metasploit Pro ...................................................................... 14
Wrapping Up ........................................................................................................ 14
3
INTELLIGENCE GATHERING
15
Passive Information Gathering ................................................................................. 16
whois Lookups .......................................................................................... 16
Netcraft ................................................................................................... 17
NSLookup ................................................................................................ 18
Active Information Gathering ................................................................................... 18
Port Scanning with Nmap .......................................................................... 18
Working with Databases in Metasploit ........................................................ 20
Port Scanning with Metasploit ..................................................................... 25
Targeted Scanning ................................................................................................. 26
Server Message Block Scanning .................................................................. 26
Hunting for Poorly Configured Microsoft SQL Servers .................................... 27
SSH Server Scanning ................................................................................. 28
FTP Scanning ............................................................................................ 29
Simple Network Management Protocol Sweeping ......................................... 30
Writing a Custom Scanner ...................................................................................... 31
Looking Ahead ...................................................................................................... 33
4
VULNERABILITY SCANNING
35
The Basic Vulnerability Scan .................................................................................... 36
Scanning with NeXpose .......................................................................................... 37
Configuration ........................................................................................... 37
Importing Your Report into the Metasploit Framework .................................... 42
Running NeXpose Within MSFconsole ......................................................... 43
Scanning with Nessus ............................................................................................. 44
Nessus Configuration ................................................................................ 44
Creating a Nessus Scan Policy ................................................................... 45
Running a Nessus Scan .............................................................................. 47
Nessus Reports ......................................................................................... 47
Importing Results into the Metasploit Framework ............................................ 48
Scanning with Nessus from Within Metasploit .............................................. 49
Specialty Vulnerability Scanners ............................................................................... 51
Validating SMB Logins ............................................................................... 51
Scanning for Open VNC Authentication ....................................................... 52
Scanning for Open X11 Servers .................................................................. 54
Using Scan Results for Autopwning ........................................................................... 56
5
THE JOY OF EXPLOITATION
57
Basic Exploitation ................................................................................................... 58
msf> show exploits .................................................................................... 58
msf> show auxiliary .................................................................................. 58
viii
Contents in Detail
msf> show options .................................................................................... 58
msf> show payloads .................................................................................. 60
msf> show targets ..................................................................................... 62
info ......................................................................................................... 63
set and unset ............................................................................................ 63
setg and unsetg ......................................................................................... 64
save ........................................................................................................ 64
Exploiting Your First Machine .................................................................................. 64
Exploiting an Ubuntu Machine ................................................................................. 68
All-Ports Payloads: Brute Forcing Ports ....................................................................... 71
Resource Files ........................................................................................................ 72
Wrapping Up ........................................................................................................ 73
6
METERPRETER
75
Compromising a Windows XP Virtual Machine .......................................................... 76
Scanning for Ports with Nmap .................................................................... 76
Attacking MS SQL ..................................................................................... 76
Brute Forcing MS SQL Server ...................................................................... 78
The xp_cmdshell ........................................................................................ 79
Basic Meterpreter Commands ..................................................................... 80
Capturing Keystrokes ................................................................................. 81
Dumping Usernames and Passwords ........................................................................ 82
Extracting the Password Hashes .................................................................. 82
Dumping the Password Hash ...................................................................... 83
Pass the Hash ........................................................................................................ 84
Privilege Escalation ................................................................................................ 85
Token Impersonation ............................................................................................... 87
Using ps ............................................................................................................... 87
Pivoting onto Other Systems .................................................................................... 89
Using Meterpreter Scripts ........................................................................................ 92
Migrating a Process ................................................................................... 92
Killing Antivirus Software ........................................................................... 93
Obtaining System Password Hashes ............................................................ 93
Viewing All Traffic on a Target Machine ...................................................... 93
Scraping a System .................................................................................... 93
Using Persistence ...................................................................................... 94
Leveraging Post Exploitation Modules ....................................................................... 95
Upgrading Your Command Shell to Meterpreter ......................................................... 95
Manipulating Windows APIs with the Railgun Add-On ................................................ 97
Wrapping Up ........................................................................................................ 97
7
AVOIDING DETECTION
99
Creating Stand-Alone Binaries with MSFpayload ...................................................... 100
Evading Antivirus Detection ................................................................................... 101
Encoding with MSFencode ....................................................................... 102
Multi-encoding ........................................................................................ 103
Custom Executable Templates ................................................................................ 105
Launching a Payload Stealthily................................................................................ 106
Packers ............................................................................................................... 107
A Final Note on Antivirus Software Evasion ............................................................. 108
8
EXPLOITATION USING CLIENT-SIDE ATTACKS
109
Browser-Based Exploits ......................................................................................... 110
How Browser-Based Exploits Work ............................................................ 111
Looking at NOPs ..................................................................................... 112
Using Immunity Debugger to Decipher NOP Shellcode ............................................. 112
Exploring the Internet Explorer Aurora Exploit .......................................................... 116
File Format Exploits .............................................................................................. 119
Sending the Payload ............................................................................................ 120
Wrapping Up ...................................................................................................... 121
9
METASPLOIT AUXILIARY MODULES
123
Auxiliary Modules in Use ...................................................................................... 126
Anatomy of an Auxiliary Module ............................................................................ 128
Going Forward .................................................................................................... 133
10
THE SOCIAL-ENGINEER TOOLKIT
135
Configuring the Social-Engineer Toolkit ................................................................... 136
Spear-Phishing Attack Vector ................................................................................. 137
Web Attack Vectors .............................................................................................. 142
Java Applet ............................................................................................ 142
Client-Side Web Exploits .......................................................................... 146
Username and Password Harvesting .......................................................... 148
Tabnabbing ............................................................................................ 150
Man-Left-in-the-Middle .............................................................................. 150
Web Jacking .......................................................................................... 151
Putting It All Together with a Multipronged Attack ........................................ 153
Infectious Media Generator ................................................................................... 157
Teensy USB HID Attack Vector ............................................................................... 157
Additional SET Features ........................................................................................ 160
Looking Ahead .................................................................................................... 161
11
FAST-TRACK
163
Microsoft SQL Injection ......................................................................................... 164
SQL Injector—Query String Attack ............................................................. 165
SQL Injector—POST Parameter Attack ........................................................ 166
Manual Injection ..................................................................................... 167
MSSQL Bruter ......................................................................................... 168
SQLPwnage ............................................................................................ 172
Binary-to-Hex Generator ........................................................................................ 174
Mass Client-Side Attack ........................................................................................ 175
A Few Words About Automation ............................................................................ 176
12
KARMETASPLOIT
177
Configuration ...................................................................................................... 178
Launching the Attack ............................................................................................. 179
Credential Harvesting ........................................................................................... 181
Getting a Shell ..................................................................................................... 182
Wrapping Up ...................................................................................................... 184
13
BUILDING YOUR OWN MODULE
185
Getting Command Execution on Microsoft SQL ........................................................ 186
Exploring an Existing Metasploit Module ................................................................. 187
Creating a New Module ....................................................................................... 189
PowerShell ............................................................................................. 189
Running the Shell Exploit .......................................................................... 190
Creating powershell_upload_exec ............................................................. 192
Conversion from Hex to Binary ................................................................. 192
Counters ................................................................................................ 194
Running the Exploit .................................................................................. 195
The Power of Code Reuse ..................................................................................... 196
14
CREATING YOUR OWN EXPLOITS
197
The Art of Fuzzing ................................................................................................ 198
Controlling the Structured Exception Handler ........................................................... 201
Hopping Around SEH Restrictions ........................................................................... 204
Getting a Return Address ...................................................................................... 206
Bad Characters and Remote Code Execution ........................................................... 210
Wrapping Up ...................................................................................................... 213
15
PORTING EXPLOITS TO THE METASPLOIT FRAMEWORK
215
Assembly Language Basics .................................................................................... 216
EIP and ESP Registers ............................................................................... 216
The JMP Instruction Set ............................................................................. 216
NOPs and NOP Slides ............................................................................ 216
Porting a Buffer Overflow ...................................................................................... 216
Stripping the Existing Exploit ..................................................................... 218
Configuring the Exploit Definition .............................................................. 219
Testing Our Base Exploit .......................................................................... 220
Implementing Features of the Framework .................................................... 221
Adding Randomization ............................................................................ 222
Removing the NOP Slide .......................................................................... 223
Removing the Dummy Shellcode ................................................................ 223
Our Completed Module ........................................................................... 224
SEH Overwrite Exploit .......................................................................................... 226
Wrapping Up ...................................................................................................... 233
16
METERPRETER SCRIPTING
235
Meterpreter Scripting Basics .................................................................................. 235
Meterpreter API .................................................................................................... 241
Printing Output ........................................................................................ 241
Base API Calls ........................................................................................ 242
Meterpreter Mixins .................................................................................. 242
Rules for Writing Meterpreter Scripts ...................................................................... 244
Creating Your Own Meterpreter Script .................................................................... 244
Wrapping Up ...................................................................................................... 250
17
SIMULATED PENETRATION TEST
251
Pre-engagement Interactions .................................................................................. 252
Intelligence Gathering ........................................................................................... 252
Threat Modeling .................................................................................................. 253
Exploitation ......................................................................................................... 255
Customizing MSFconsole ...................................................................................... 255
Post Exploitation ................................................................................................... 257
Scanning the Metasploitable System .......................................................... 258
Identifying Vulnerable Services ................................................................. 259
Attacking Apache Tomcat ..................................................................................... 260
Attacking Obscure Services ................................................................................... 262
Covering Your Tracks ........................................................................................... 264
Wrapping Up ...................................................................................................... 266
A
CONFIGURING YOUR TARGET MACHINES
267
Installing and Setting Up the System ....................................................................... 267
Booting Up the Linux Virtual Machines .................................................................... 268
Setting Up a Vulnerable Windows XP Installation ..................................................... 269
Configuring Your Web Server on Windows XP ........................................... 269
Building a SQL Server .............................................................................. 269
Creating a Vulnerable Web Application .................................................... 272
Updating Back|Track .............................................................................. 273
B  CHEAT SHEET ................................................................................ 275
MSFconsole Commands ........................................................................................ 275
Meterpreter Commands ........................................................................................ 277
MSFpayload Commands ....................................................................................... 280
MSFencode Commands ........................................................................................ 280
MSFcli Commands ............................................................................................... 281
MSF, Ninja, Fu .................................................................................................... 281
MSFvenom .......................................................................................................... 281
Meterpreter Post Exploitation Commands ................................................................ 282
INDEX .......................................................................................... 285
FOREWORD
Information technology is a complex field, littered
with the half-dead technology of the past and an
ever-increasing menagerie of new systems, software,
and protocols. Securing today’s enterprise networks
involves more than simply patch management, firewalls, and user education; it requires frequent real-world validation of what works and what fails. This is
what penetration testing is all about.
Penetration testing is a uniquely challenging job. You are paid to think
like a criminal, to use guerilla tactics to your advantage, and to find the weakest links in a highly intricate net of defenses. The things you find can be both
surprising and disturbing; penetration tests have uncovered everything from
rogue pornography sites to large-scale fraud and criminal activity.
Penetration testing is about ignoring an organization’s perception of
its security and probing its systems for weaknesses. The data obtained from a
successful penetration test often uncovers issues that no architecture review
or vulnerability assessment would be able to identify. Typical findings include
shared passwords, cross-connected networks, and troves of sensitive data sitting in the clear. The problems created by sloppy system administration and
rushed implementations often pose significant threats to an organization,
while the solutions languish under a dozen items on an administrator’s to-do
list. Penetration testing highlights these misplaced priorities and identifies
what an organization needs to do to defend itself from a real intrusion.
Penetration testers handle a company’s most sensitive resources; they
gain access to areas that can have dire real-world consequences if the wrong
action is taken. A single misplaced packet can bring a factory floor to a halt,
with a cost measured in millions of dollars per hour. Failure to notify the
appropriate personnel can result in an uncomfortable and embarrassing conversation with the local police. Medical systems are one area that even the
most experienced security professionals may hesitate to test; nobody wants
to be responsible for mixing up a patient’s blood type in an OpenVMS mainframe or corrupting the memory on an X-ray machine running Windows XP.
The most critical systems are often the most exposed, and few system administrators want to risk an outage by bringing down a database server to apply a
security patch.
Balancing the use of available attack paths and the risk of causing damage is a skill that all penetration testers must hone. This process depends not
only on a technical knowledge of the tools and the techniques but also on a
strong understanding of how the organization operates and where the path
of least resistance may lie.
In this book, you will see penetration testing through the eyes of four
security professionals with widely divergent backgrounds. The authors include
folks with experience at the top of the corporate security structure all the way
down to the Wild West world of underground exploit development and vulnerability research. There are a number of books available on penetration testing and security assessments, and there are many that focus entirely on tools.
This book, however, strives for a balance between the two, covering the fundamental tools and techniques while also explaining how they play into the
overall structure of a successful penetration testing process. Experienced
penetration testers will benefit from the discussion of the methodology,
which is based on the recently codified Penetration Test Execution Standard.
Readers who are new to the field will be presented with a wealth of information not only about how to get started but also why those steps matter and
what they mean in the bigger picture.
This book focuses on the Metasploit Framework. This open source
platform provides a consistent, reliable library of constantly updated exploits
and offers a complete development environment for building new tools and
automating every aspect of a penetration test. Metasploit Express and Metasploit Pro, the commercial siblings of the Framework, are also represented in
this book. These products provide a different perspective on how to conduct
and automate large-scale penetration tests.
The Metasploit Framework is an infamously volatile project; the code
base is updated dozens of times every day by a core group of developers and
submissions from hundreds of community contributors. Writing a book about
the Framework is a masochistic endeavor; by the time that a given chapter
has been proofread, the content may already be out of date. The authors
took on the Herculean task of writing this book in such a way that the content will still be applicable by the time it reaches its readers.
The Metasploit team has been involved with this book to make sure that
changes to the code are accurately reflected and that the final result is as close
to zero-day coverage of the Metasploit Framework as is humanly possible. We
can state with full confidence that it is the best guide to the Metasploit Framework available today, and it will likely remain so for a long time. We hope you
find this book valuable in your work and an excellent reference in your trials
ahead.
HD Moore
Founder, The Metasploit Project
PREFACE
The Metasploit Framework has long been one of the
tools most widely used by information security professionals, but for a long time little documentation
existed aside from the source code itself or comments
on blogs. That situation changed significantly when
Offensive-Security developed its online course, Metasploit Unleashed. Shortly after the course went live, No
Starch Press contacted us about the possibility of creating a book to expand on our work with Metasploit
Unleashed.
This book is designed to teach you the ins and outs of Metasploit and
how to use the Framework to its fullest. Our coverage is selective—we won’t
cover every single flag or exploit—but we give you the foundation you’ll need
to understand and use Metasploit now and in future versions.
When we began writing this book, we had in mind a comment by HD
Moore, developer of the Metasploit Framework. In a conversation with HD
about the development of our Metasploit Unleashed course, one of us said
to him, “I hope the course comes out good.” To this offhand comment, HD
merely replied, “Then make sure it is good.” And that’s just what we’ve
attempted to do with this book.
As a group, we are experienced penetration testers who use Metasploit
daily to circumvent security controls, bypass protections, and attack systems
methodically. We wrote this book with the intention of helping our readers
become competent penetration testers. HD’s drive and focus on quality is
apparent within the Metasploit Framework, and we have tried to match those
characteristics in this book. We leave it up to you to judge how well we have
lived up to that standard.
ACKNOWLEDGMENTS
We would like to thank a number of people, beginning with the folks whose hard work provides the
community with an invaluable tool. Special thanks to
the Metasploit Team: HD Moore, James Lee, David
D. Rude II, Tod Beardsley, Jonathan Cran, Stephen
Fewer, Joshua Drake, Mario Ceballos, Ramon Valle,
Patrick Webster, Efrain Torres, Alexandre Maloteaux, Wei Chen, Steve Tornio,
Nathan Keltner, Chris Gates, Carlos Perez, Matt Weeks, and Raphael Mudge.
Also an extra thanks to Carlos Perez for his assistance in writing portions of
the Meterpreter scripting chapter.
Many thanks to Scott White, technical reviewer for this book, for being
awesome.
Thanks to Offensive-Security for bringing us all together. The Offensive-Security trademark phrase “Try Harder” alternately inspires and tortures us
(ryujin is evil).
We have many other members of the information security community
to thank, but there are too many to list and the odds of missing someone are
high. So thank you to our friends in the security community; hugs from all
of us.
A very special thanks to the whole crew at No Starch Press for their
immeasurable effort. Bill, Alison, Travis, and Tyler, it has been a pleasure
working with you and everyone else behind the scenes at No Starch Press!
Finally, a big thank you to our families. We are all married and half of
us have children. We spend far too long wearing down the plastic on our
keyboards and not enough time with them. To our families, thanks for your
understanding; we will make it up to you—as soon as we update this next
line of code, or find the source of this memory corruption, or finish this svn
update, or get this next fuzzer run setup, or . . .
Special Thanks
Dave (Twitter: @dave_rel1k): I dedicate my work on this book to my loving
wife Erin, who tolerated late nights of me hammering away at the keyboard.
To my three children who keep me young and old at the same time. To my
father, Jim; my mother, Janna; and my stepmother, Deb, for being there for
me and making me what I am today. Thanks to Jim, Dookie, and Muts for
their hard work on the book and for being great friends! To my good friends
at Offensive-Security; Chris “Logan” Hadnagy; my brother, Shawn Sullivan;
and my team at Diebold. To my good friend HD Moore, whose dedication to
the security industry is an inspiration to us all. To all my friends in life, and to
Scott Angelo for giving me an opportunity and believing in me. Lastly, to
God, without whom none of this would be possible.
Devon (@dookie2000ca): For my beautiful and tolerant wife, who not
only supports but encourages my mania. You are my inspiration and motivation; without you by my side in these pursuits, I would never get anywhere.
To my co-authors, thank you for having faith in a newcomer and welcoming
me as one of your own. Lastly, an especially big thank you to Mati for not
only getting this merry band together but for giving me a chance.
Muts (@backtracklinux): A special thanks to the co-authors of this book,
whose time and dedication to it is truly inspiring. I count Jim, Devon, and
Dave as great friends and colleagues in the security field.
Jim (@_Elwood_): Thanks to Matteo, Chris “Logan,” and the entire
Offensive-Security crew. Also a big thanks to Robert, Matt, Chris, and my
co-workers at StrikeForce. And to my wonderful wife Melissa: The book you
hold in your hands is proof that I was not just avoiding housework all the time.
And to Jake and Joe, please don’t tell Mom that I am just playing games with
you when I tell her I am working. You three are the Pack-a-Punch to my life.
And finally to my co-authors Mati, Devon, and Dave: Thanks for letting me
put my name on this book—I really was just avoiding housework.
INTRODUCTION
Imagine that sometime in the not-so-distant future an
attacker decides to attack a multinational company’s
digital assets, targeting hundreds of millions of dollars
worth of intellectual property buried behind millions
of dollars in infrastructure. Naturally, the attacker
begins by firing up the latest version of Metasploit.
After exploring the target’s perimeter, he finds a soft spot and begins a
methodical series of attacks, but even after he’s compromised nearly every
aspect of the network, the fun has only just begun. He maneuvers through
systems, identifying core, critical business components that keep the company running. With a single keystroke, he could help himself to millions of
company dollars and compromise all their sensitive data.
Congratulations on a job well done—you’ve shown true business impact,
and now it’s time to write the report. Oddly enough, today’s penetration
testers often find themselves in the role of a fictitious adversary like the one
described above, performing legal attacks at the request of companies that
need high levels of security. Welcome to the world of penetration testing and
the future of security.
Why Do a Penetration Test?
Companies invest millions of dollars in security programs to protect critical
infrastructures, identify chinks in the armor, and prevent serious data breaches.
A penetration test is one of the most effective ways to identify systemic weaknesses and deficiencies in these programs. By attempting to circumvent security controls and bypass security mechanisms, a penetration tester is able to
identify ways in which a hacker might be able to compromise an organization’s
security and damage the organization as a whole.
As you read through this book, remember that you’re not necessarily
targeting one system or multiple systems. Your goal is to show, in a safe and
controlled manner, how an attacker might be able to cause serious harm to
an organization and impact its ability to, among other things, generate revenue, maintain its reputation, and protect its customers.
Why Metasploit?
Metasploit isn’t just a tool; it’s an entire framework that provides the infrastructure needed to automate mundane, routine, and complex tasks. This
allows you to concentrate on the unique or specialized aspects of penetration
testing and on identifying flaws within your information security program.
As you progress through the chapters in this book and establish a well-rounded methodology, you will begin to see the many ways in which Metasploit can be used in your penetration tests. Metasploit allows you to easily
build attack vectors to augment its exploits, payloads, encoders, and more
in order to create and execute more advanced attacks. At various points in
this book we explain several third-party tools—including some written by the
authors of this book—that build on the Metasploit Framework. Our goal is to
get you comfortable with the Framework, show you some advanced attacks,
and ensure that you can apply these techniques responsibly. We hope you
enjoy reading this book as much as we enjoyed creating it. Let the fun and
games begin.
A Brief History of Metasploit
Metasploit was originally developed and conceived by HD Moore while he
was employed by a security firm. When HD realized that he was spending
most of his time validating and sanitizing public exploit code, he began to
create a flexible and maintainable framework for the creation and development of exploits. He released his first edition of the Perl-based Metasploit
in October 2003 with a total of 11 exploits.
With the help of Spoonm, HD released a total rewrite of the project,
Metasploit 2.0, in April 2004. This version included 19 exploits and over 27
payloads. Shortly after this release, Matt Miller (Skape) joined the Metasploit
development team, and as the project gained popularity, the Metasploit Framework received heavy backing from the information security community and
quickly became a necessary tool for penetration testing and exploitation.
Following a complete rewrite in the Ruby programming language,
the Metasploit team released Metasploit 3.0 in 2007. The migration of the
Framework from Perl to Ruby took 18 months and resulted in over 150,000
lines of new code. With the 3.0 release, Metasploit saw widespread adoption
in the security community and a big increase in user contributions.
In fall 2009, Metasploit was acquired by Rapid7, a leader in the
vulnerability-scanning field, which allowed HD to build a team to focus
solely on the development of the Metasploit Framework. Since the acquisition, updates have occurred more rapidly than anyone could have imagined.
Rapid7 released two commercial products based on the Metasploit Framework: Metasploit Express and Metasploit Pro. Metasploit Express is a lighter
version of the Metasploit Framework with a GUI and additional functionality,
including reporting, among other useful features. Metasploit Pro is an expanded
version of Metasploit Express that touts collaboration and group penetration
testing and such features as a one-click virtual private network (VPN) tunnel
and much more.
About This Book
This book is designed to teach you everything from the fundamentals of
the Framework to advanced techniques in exploitation. Our goal is to provide a useful tutorial for the beginner and a reference for practitioners. However, we won’t always hold your hand. Programming knowledge is a definite
advantage in the penetration testing field, and many of the examples in this
book will use either the Ruby or Python programming language. Still, while
we suggest that you learn a language like Ruby or Python to aid in advanced
exploitation and customization of attacks, programming knowledge is not
required.
As you grow more comfortable with Metasploit, you will notice that the
Framework is frequently updated with new features, exploits, and attacks.
This book was developed with the knowledge that Metasploit is continually
changing and that no printed book is likely to be able to keep pace with this
rapid development. Therefore, we focus on the fundamentals, because once
you understand how Metasploit works you will be able to ramp up quickly
with updates to the Framework.
What’s in the Book?
How can this book help you to get started or take your skills to the next level?
Each chapter is designed to build on the previous one and to help you build
your skills as a penetration tester from the ground up.
• Chapter 1, “The Absolute Basics of Penetration Testing,” establishes the methodologies around penetration testing.
• Chapter 2, “Metasploit Basics,” is your introduction to the various tools within the Metasploit Framework.
• Chapter 3, “Intelligence Gathering,” shows you ways to leverage Metasploit in the reconnaissance phase of a penetration test.
• Chapter 4, “Vulnerability Scanning,” walks you through identifying vulnerabilities and leveraging vulnerability scanning technology.
• Chapter 5, “The Joy of Exploitation,” throws you into exploitation.
• Chapter 6, “Meterpreter,” walks you through the Swiss Army knife of post exploitation: Meterpreter.
• Chapter 7, “Avoiding Detection,” focuses on the underlying concepts of antivirus evasion techniques.
• Chapter 8, “Exploitation Using Client-Side Attacks,” covers client-side exploitation and browser bugs.
• Chapter 9, “Metasploit Auxiliary Modules,” walks you through auxiliary modules.
• Chapter 10, “The Social-Engineer Toolkit,” is your guide to leveraging the Social-Engineer Toolkit in social-engineering attacks.
• Chapter 11, “Fast-Track,” offers a complete rundown on Fast-Track, an automated penetration testing framework.
• Chapter 12, “Karmetasploit,” shows you how to leverage Karmetasploit for wireless attacks.
• Chapter 13, “Building Your Own Modules,” teaches you how to build your own exploitation module.
• Chapter 14, “Creating Your Own Exploits,” covers fuzzing and creating exploit modules out of buffer overflows.
• Chapter 15, “Porting Exploits to the Metasploit Framework,” is an in-depth look at how to port existing exploits into a Metasploit-based module.
• Chapter 16, “Meterpreter Scripting,” shows you how to create your own Meterpreter scripts.
• Chapter 17, “Simulated Penetration Test,” pulls everything together as it walks you through a simulated penetration test.
A Note on Ethics
Our goal in writing this book is to help you to improve your skills as a penetration tester. As a penetration tester, you will be bypassing security measures;
that’s simply part of the job. When you do, keep the following in mind:
• Don’t be malicious.
• Don’t be stupid.
• Don’t attack targets without written permission.
• Consider the consequences of your actions.
• If you do things illegally, you can be caught and put in jail!
Neither the authors of this book nor No Starch Press, its publisher,
condones or encourages the misuse of the penetration testing techniques
discussed herein. Our goal is to make you smarter, not to help you to get
into trouble, because we won’t be there to get you out.
THE ABSOLUTE BASICS OF
PENETRATION TESTING
Penetration testing is a way for you to simulate the
methods that an attacker might use to circumvent
security controls and gain access to an organization’s
systems. Penetration testing is more than running scanners and automated tools and then writing a report.
And you won’t become an expert penetration tester
overnight; it takes years of practice and real-world
experience to become proficient.
Currently, there is a shift in the way people regard and define penetration testing within the security industry. The Penetration Testing Execution
Standard (PTES) is redefining the penetration test in ways that will affect
both new and experienced penetration testers, and it has been adopted by
several leading members of the security community. Its charter is to define
and raise awareness about what a true penetration test means by establishing
a baseline of fundamental principles required to conduct a penetration test.
If you’re new to penetration testing or unfamiliar with PTES, visit http://www.pentest-standard.org/ to learn more about it.
The Phases of the PTES
PTES phases are designed to define a penetration test and assure the client
organization that a standardized level of effort will be expended in a penetration test by anyone conducting this type of assessment. The standard is
divided into seven categories with different levels of effort required for each,
depending on the organization under attack.
Pre-engagement Interactions
Pre-engagement interactions typically occur when you discuss the scope and terms
of the penetration test with your client. It is critical during pre-engagement
that you convey the goals of the engagement. This stage also serves as your
opportunity to educate your customer about what is to be expected from a
thorough, full-scope penetration test—one without restrictions regarding what
can and will be tested during the engagement.
Intelligence Gathering
In the intelligence gathering phase, you will gather any information you can
about the organization you are attacking by using social-media networks,
Google hacking, footprinting the target, and so on. One of the most important skills a penetration tester can have is the ability to learn about a target,
including how it behaves, how it operates, and how it ultimately can be attacked.
The information that you gather about your target will give you valuable
insight into the types of security controls in place.
During intelligence gathering, you attempt to identify what protection
mechanisms are in place at the target by slowly starting to probe its systems.
For example, an organization will often only allow traffic on a certain subset of
ports on externally facing devices, and if you query the organization on anything other than a whitelisted port, you will be blocked. It is generally a good
idea to test this blocking behavior by initially probing from an expendable IP
address that you are willing to have blocked or detected. The same holds true
when you’re testing web applications, where, after a certain threshold, the
web application firewalls will block you from making further requests.
To remain undetected during these sorts of tests, you can perform your
initial scans from IP address ranges that can’t be linked back to you and your
team. Typically, organizations with an external presence on the Internet
experience attacks every day, and your initial probing will likely be an undetected part of the background noise.
NOTE
In some cases, it might make sense to run very noisy scans from an entirely different IP
range other than the one you will be using for the main attack. This will help you determine how well the organization responds to the tools you are using.
Threat Modeling
Threat modeling uses the information you acquired in the intelligence-gathering
phase to identify any existing vulnerabilities on a target system. When performing threat modeling, you will determine the most effective attack method,
the type of information you are after, and how the organization might be
attacked. Threat modeling involves looking at an organization as an adversary
and attempting to exploit weaknesses as an attacker would.
Vulnerability Analysis
Having identified the most viable attack methods, you need to consider how
you will access the target. During vulnerability analysis, you combine the information that you’ve learned from the prior phases and use it to understand
what attacks might be viable. Among other things, vulnerability analysis takes
into account port and vulnerability scans, data gathered by banner grabbing,
and information collected during intelligence gathering.
Exploitation
Exploitation is probably one of the most glamorous parts of a penetration test,
yet it is often done with brute force rather than with precision. An exploit
should be performed only when you know almost beyond a shadow of a doubt
that a particular exploit will be successful. Of course, unforeseen protective
measures might be in place on the target that prevent a particular exploit
from working—but before you trigger a vulnerability, you should know that
the system is vulnerable. Blindly firing off a mass onslaught of exploits and
praying for a shell isn’t productive; it is noisy and provides little if any value
to you as a penetration tester or to your client. Do your homework first, and
then launch well-researched exploits that are likely to succeed.
Post Exploitation
The post exploitation phase begins after you have compromised one or more
systems—but you’re not even close to being done yet.
Post exploitation is a critical component in any penetration test. This is
where you differentiate yourself from the average, run-of-the-mill hacker and
actually provide valuable information and intelligence from your penetration
test. Post exploitation targets specific systems, identifies critical infrastructure,
and targets information or data that the company values most and that it has
attempted to secure. When you exploit one system after another, you are trying to demonstrate attacks that would have the greatest business impact.
When attacking systems in post exploitation, you should take the time
to determine what the various systems do and their different user roles. For
example, suppose you compromise a domain infrastructure system and you’re
running as an enterprise administrator or have domain administrative-level
rights. You might be king of the domain, but what about the systems that
communicate with Active Directory? What about the main financial application that is used to pay employees? Could you compromise that system, and
then, on the next pay cycle, have it route all the money out of the company
to an offshore account? How about the target’s intellectual property?
Suppose, for example, that your client is a large software development
shop that ships custom-coded applications to customers for use in manufacturing environments. Can you backdoor their source code and essentially
compromise all of their customers? What would that do to harm their brand
credibility?
Post exploitation is one of those tricky scenarios in which you must take
the time to learn what information is available to you and then use that information to your benefit. An attacker would generally spend a significant amount
of time in a compromised system doing the same. Think like a malicious
attacker—be creative, adapt quickly, and rely on your wits instead of automated tools.
Reporting
Reporting is by far the most important element of a penetration test. You will
use reports to communicate what you did, how you did it, and, most important, how the organization should fix the vulnerabilities discovered during
the penetration test.
When performing a penetration test, you’re working from an attacker’s
point of view, something that organizations rarely see. The information you
obtain during a test is vital to the success of the organization’s information
security program and in stopping future attacks. As you compile and report
your findings, think about how the organization can use your findings to
raise awareness, remediate the issues discovered, and improve overall security
rather than just patch the technical vulnerabilities.
At a minimum, divide your report into an executive summary, executive
presentation, and technical findings. The technical findings will be used by
the client to remediate security holes, but this is also where the value lies in a
penetration test. For example, if you find a SQL injection vulnerability in the client’s web-based applications, you might recommend that your client validate all user input, use parameterized SQL queries so that input is bound as data rather than concatenated into the query text, run the application’s database connection under a least-privilege account, and replace the database engine’s verbose error output with generic custom error messages so that failed injection attempts reveal nothing about the query or the schema.
After the client implements your recommendations and fixes the one
specific SQL injection vulnerability, are they really protected from SQL injection? No. An underlying problem likely caused the SQL injection vulnerability
in the first place, such as a failure to ensure that third-party applications are
secure. Those will need to be fixed as well.
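The SQL injection remediation advice above, as an added example that is not code from the book: a deliberately vulnerable lookup beside its parameterized form, plus the generic error wrapper that the “custom error messages” recommendation describes. It uses Python’s bundled sqlite3 so it runs offline; the users table and its three rows are constructed sample data, and the least-privilege database account is not shown because sqlite has no account model.

```python
# Added example, not code from the book: the SQL injection remediation
# advice in the Reporting section, shown as a deliberately vulnerable
# lookup beside its parameterized form, plus a generic error wrapper.
# Uses Python's bundled sqlite3 so it runs offline; the users table and
# its three rows are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable on purpose: the input is spliced into the SQL text, so a
    value such as  ' OR '1'='1  rewrites the WHERE clause instead of being
    matched as a literal."""
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as a parameter, so the driver always
    treats it as data regardless of the quotes or keywords it contains."""
    query = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def lookup_with_generic_errors(conn, name, lookup=lookup_parameterized):
    """The 'custom error messages' recommendation: whichever lookup is used,
    the caller gets a fixed message instead of the engine's diagnostic.
    Verbose errors tell an attacker exactly when an injected quote broke the
    query, which is the oracle that error-based injection relies on."""
    try:
        return ("ok", lookup(conn, name))
    except sqlite3.Error:
        return ("error", "lookup failed")


def engine_error_text(conn: sqlite3.Connection, name: str) -> str:
    """What the vulnerable lookup leaks on a malformed input: the raw engine
    error string (empty if the query ran without error)."""
    try:
        lookup_vulnerable(conn, name)
        return ""
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))        # all three rows
    print("parameterized:", lookup_parameterized(db, payload))  # no rows
    print("raw engine error:", engine_error_text(db, "alice'"))
    print("generic:", lookup_with_generic_errors(db, "alice'", lookup_vulnerable))
```

Running the block shows the tautology payload returning every row from the vulnerable lookup and nothing from the parameterized one, and a stray quote producing a verbose tokenizer error from the engine that the wrapper reduces to a fixed message. Note that the wrapper alone does not fix the injection; it only removes the error oracle, which is why the report should list it alongside parameterization rather than instead of it.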
Types of Penetration Tests
Now that you have a basic understanding of the seven PTES categories, let’s
examine the two main types of penetration tests: overt and covert. An overt
pen test, or “white hat” test, occurs with the organization’s full knowledge;
covert tests are designed to simulate the actions of an unknown and unannounced attacker. Both tests offer advantages and disadvantages.
Overt Penetration Testing
Using overt penetration testing, you work with the organization to identify
potential security threats, and the organization’s IT or security team shows you
the organization’s systems. The one main benefit of an overt test is that you
have access to insider knowledge and can launch attacks without fear of
being blocked. A potential downside to overt testing is that overt tests might
not effectively test the client’s incident response program or identify how
well the security program detects certain attacks. When time is limited and
certain PTES steps such as intelligence gathering are out of scope, an overt
test may be your best option.
Covert Penetration Testing
Unlike overt testing, sanctioned covert penetration testing is designed to simulate the actions of an attacker and is performed without the knowledge of
most of the organization. Covert tests are performed to test the internal
security team’s ability to detect and respond to an attack.
Covert tests can be costly and time consuming, and they require more
skill than overt tests. In the eyes of penetration testers in the security industry,
the covert scenario is often preferred because it most closely simulates a true
attack. Covert attacks rely on your ability to gain information by reconnaissance. Therefore, as a covert tester, you will typically not attempt to find a
large number of vulnerabilities in a target but will simply attempt to find the
easiest way to gain access to a system, undetected.
Vulnerability Scanners
Vulnerability scanners are automated tools used to identify security flaws
affecting a given system or application. Vulnerability scanners typically work
by fingerprinting a target’s operating system (that is, identifying the version
and type) as well as any services that are running. Once you have fingerprinted
the target’s operating system, you use the vulnerability scanner to execute
specific checks to determine whether vulnerabilities exist. Of course, these
checks are only as good as their creators, and, as with any fully automated
solution, they can sometimes miss or misrepresent vulnerabilities on a system.
Most modern vulnerability scanners do an amazing job of minimizing
false positives, and many organizations use them to identify out-of-date systems
or potential new exposures that might be exploited by attackers.
Vulnerability scanners play a very important role in penetration testing,
especially in the case of overt testing, which allows you to launch multiple
attacks without having to worry about avoiding detection. The wealth of
knowledge gleaned from vulnerability scanners can be invaluable, but beware
of relying on them too heavily. The beauty of a penetration test is that it can’t
be automated, and attacking systems successfully requires that you have
knowledge and skills. In most cases, when you become a skilled penetration
tester, you will rarely use a vulnerability scanner but will rely on your knowledge and expertise to compromise a system.
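As an added example, not from the book, here is a toy version in Ruby of the fingerprint-then-check logic a scanner runs: read a service banner, extract product and version, and compare against a table of "fixed in" versions. The banners, product list and fixed-in versions are constructed for illustration and correspond to no real advisory, and `fingerprint`, `version_cmp`, `check` and `scan` are names chosen here. It also shows the caveat from the paragraph above: a distribution that backports a fix keeps the upstream version string, so a banner-based check can only flag such a host with low confidence and a tester has to verify by hand.

```ruby
# Added example, not from the book: a toy version-based vulnerability check
# of the kind a scanner runs after fingerprinting a service. Every banner
# and "fixed in" version here is constructed; none refers to a real advisory.

# Constructed knowledge base: product => version in which a hypothetical
# flaw was fixed. Anything older is flagged.
FIXED_IN = {
  'OpenSSH' => '5.4',
  'Apache'  => '2.2.17',
  'vsftpd'  => '2.3.5',
}.freeze

# Constructed banners, as a banner grabber would read them off the wire.
SAMPLE_BANNERS = [
  'SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7',
  'Server: Apache/2.2.14 (Unix)',
  '220 (vsFTPd 2.3.4)',
  'SSH-2.0-OpenSSH_5.9p1',
].freeze

# Pull [product, version] out of a banner; nil when we can't read it.
def fingerprint(banner)
  case banner
  when /OpenSSH[_ ](\d+(?:\.\d+)*)/ then ['OpenSSH', $1]
  when /Apache\/(\d+(?:\.\d+)*)/    then ['Apache',  $1]
  when /vsFTPd (\d+(?:\.\d+)*)/i    then ['vsftpd',  $1]
  end
end

# Compare dotted versions numerically, padding short ones with zeros so
# "1.0" == "1.0.0" and "2.2.14" < "2.2.17" (string compare would get that wrong).
def version_cmp(a, b)
  pa = a.split('.').map(&:to_i)
  pb = b.split('.').map(&:to_i)
  n = [pa.size, pb.size].max
  (pa + [0] * (n - pa.size)) <=> (pb + [0] * (n - pb.size))
end

# Run the version check for one banner and rate how much to trust the result.
def check(banner)
  product, version = fingerprint(banner)
  return { banner: banner, status: :unknown } unless product
  vulnerable = version_cmp(version, FIXED_IN[product]) < 0
  # Distro-patched builds keep the upstream version string, so a version
  # check alone cannot separate a backported fix from an unpatched install.
  backport_hint = banner.match?(/Debian|Ubuntu|el\d/)
  { banner: banner, product: product, version: version,
    status: vulnerable ? :vulnerable : :patched,
    confidence: (vulnerable && backport_hint) ? :low : :high }
end

def scan(banners = SAMPLE_BANNERS)
  banners.map { |b| check(b) }
end

if __FILE__ == $PROGRAM_NAME
  scan.each { |r| puts r.inspect }
end
```

The `:low` confidence result is exactly the case the text warns about: the scanner is not wrong about the version string, but it may be wrong about the exposure, and only a tester (or an authenticated check that reads the package version) can settle it.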
The Absolute Basics of Penetration Testing
Pulling It All Together
If you’re new to penetration testing or haven’t really adopted a formal
methodology, study the PTES. As with any experiment, when performing a
penetration test, ensure that you have a refined and adaptable process that is
also repeatable. As a penetration tester, you need to ensure that your intelligence gathering and vulnerability analysis are as expert as possible, to give
you an advantage in adapting to scenarios as they present themselves.
METASPLOIT BASICS
When you encounter the Metasploit Framework (MSF)
for the first time, you might be overwhelmed by its
many interfaces, options, utilities, variables, and modules. In this chapter, we’ll focus on the basics that will
help you make sense of the big picture. We’ll review
some basic penetration testing terminology and then
briefly cover the various user interfaces that Metasploit has to offer. Metasploit itself is free, open source software, with many contributors in the security community, but two commercial Metasploit versions are also available.
When first using Metasploit, it’s important not to get hung up on that newest exploit; instead, focus on how Metasploit functions and what commands
you used to make the exploit possible.
Terminology
Throughout this book, we’ll use various terms that first bear some explanation. The majority of the following basic terms are defined in the context of
Metasploit, but they are generally the same throughout the security industry.
Exploit
An exploit is the means by which an attacker, or pen tester for that matter, takes
advantage of a flaw within a system, an application, or a service. An attacker
uses an exploit to attack a system in a way that results in a particular desired
outcome that the developer never intended. Common exploits include buffer
overflows, web application vulnerabilities (such as SQL injection), and configuration errors.
Payload
A payload is code that we want the system to execute and that is to be selected
and delivered by the Framework. For example, a reverse shell is a payload that
creates a connection from the target machine back to the attacker, typically handing the attacker a command prompt such as a Windows cmd.exe (see Chapter 5), whereas a bind shell is a payload that
“binds” a command prompt to a listening port on the target machine, to which
the attacker then connects. A payload could also be something as simple as
a few commands to be executed on the target operating system.
Shellcode
Shellcode is a set of instructions used as a payload when exploitation occurs.
Shellcode is typically written in assembly language. In most cases, a command
shell or a Meterpreter shell will be provided after the series of instructions
have been performed by the target machine, hence the name.
Module
A module in the context of this book is a piece of software that can be used by
the Metasploit Framework. At times, you may require the use of an exploit
module, a software component that conducts the attack. Other times, an
auxiliary module may be required to perform an action such as scanning or
system enumeration. These interchangeable modules are the core of what
makes the Framework so powerful.
Listener
A listener is a component within Metasploit that waits for an incoming connection
of some sort. For example, after the target machine has been exploited, it may
call back to the attacking machine over the Internet. The listener runs on the attacking machine and handles that connection when the exploited system contacts it.
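To make the direction of bind and reverse shells concrete, and to show what the listener actually does, here is an added example in Ruby that is not part of the book and not Metasploit code. Both ends run on the loopback interface; the "payload" is a stand-in that answers a fixed set of commands (id, pwd, echo) rather than a real command shell, so nothing received over the socket is executed on the host. The names toy_shell, serve_session, drive_session, bind_shell_demo and reverse_shell_demo are chosen here.

```ruby
require 'socket'

# Added example, not from the book or Metasploit: a stand-in "payload" and the
# two ways it can be wired to an attacker. toy_shell only answers a fixed set
# of commands; it does not run anything on the host.
def toy_shell(cmd)
  case cmd.strip
  when 'id'            then "uid=#{Process.uid}"
  when 'pwd'           then Dir.pwd
  when /\Aecho (.*)\z/ then $1
  else                      "unknown command: #{cmd.strip}"
  end
end

# Target side of a session over an already-connected socket: read one command
# per line and answer it, until the attacker sends "exit".
def serve_session(sock)
  while (line = sock.gets)
    break if line.strip == 'exit'
    sock.puts toy_shell(line)
  end
ensure
  sock.close
end

# Attacker side of a session: send each command, collect one reply per command.
def drive_session(sock, commands)
  replies = commands.map { |c| sock.puts(c); sock.gets.chomp }
  sock.puts 'exit'
  replies
ensure
  sock.close
end

# Bind shell: the TARGET listens and the attacker connects in. Anything
# filtering inbound traffic to the target's port will block this.
def bind_shell_demo(commands)
  target = TCPServer.new('127.0.0.1', 0)            # payload opens a port
  port = target.addr[1]
  t = Thread.new { serve_session(target.accept) }    # payload waits for us
  replies = drive_session(TCPSocket.new('127.0.0.1', port), commands)
  t.join
  target.close
  replies
end

# Reverse shell: the ATTACKER listens (this is the listener, Metasploit's
# handler) and the payload connects out, which is why it gets through
# networks that only permit outbound connections.
def reverse_shell_demo(commands)
  handler = TCPServer.new('127.0.0.1', 0)           # attacker's listener
  port = handler.addr[1]
  t = Thread.new { serve_session(TCPSocket.new('127.0.0.1', port)) } # payload calls back
  replies = drive_session(handler.accept, commands)  # listener handles the callback
  t.join
  handler.close
  replies
end

if __FILE__ == $PROGRAM_NAME
  cmds = ['echo hello', 'id']
  p bind_shell_demo(cmds)
  p reverse_shell_demo(cmds)
end
```

Once a session is established the two variants are indistinguishable to the operator; the only difference is which side opened the listening port, and that is what decides whether the connection survives the firewalls between attacker and target.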
Metasploit Interfaces
Metasploit offers more than one interface to its underlying functionality,
including console, command line, and graphical interfaces. In addition to
these interfaces, utilities provide direct access to functions that are normally
internal to the Metasploit Framework. These utilities can be invaluable for
exploit development and situations for which you do not need the flexibility
of the entire Framework.
8
Chapter 2
MSFconsole
Msfconsole is by far the most popular part of the Metasploit Framework,
and for good reason. It is one of the most flexible, feature-rich, and well-supported tools within the Framework. Msfconsole provides a handy all-in-one
interface to almost every option and setting available in the Framework; it’s
like a one-stop shop for all of your exploitation dreams. You can use msfconsole
to do everything, including launching an exploit, loading auxiliary modules,
performing enumeration, creating listeners, or running mass exploitation
against an entire network.
Although the Metasploit Framework is constantly changing, a subset of
commands remain relatively constant. By mastering the basics of msfconsole,
you will be able to keep up with any changes. To illustrate the importance of
learning msfconsole, it will be used in nearly every chapter of the book.
Starting MSFconsole
To launch msfconsole, enter msfconsole at the command line:
root@bt:/# cd /opt/framework3/msf3/
root@bt:/opt/framework3/msf3# msfconsole

                 < metasploit >
                  ------------
                         \   ,__,
                          \  (oo)____
                             (__)    )\
                                ||--|| *

msf >
To access msfconsole’s help files, enter help followed by the command in
which you are interested. In the next example, we are looking for help
for the connect command, which allows us to communicate with a host. The
resulting documentation lists usage, a description of the command, and its
option flags.
msf > help connect
We’ll explore MSFConsole in greater depth in the chapters that follow.
MSFcli
Msfcli and msfconsole take very different approaches to providing access to the
Framework. Where msfconsole provides an interactive way to access all features
in a user-friendly manner, msfcli puts the priority on scripting and interoperability with other console-based tools. Instead of providing its own interpreter for the Framework, msfcli runs directly from the command line, which
allows you to redirect output from other tools into msfcli and pipe msfcli
output to other command-line tools. Msfcli also supports the launching of
exploits and auxiliary modules, and it can be convenient when testing modules or developing new exploits for the Framework. It is a fantastic tool for
unique exploitation when you know exactly which exploit and options you
need. It is less forgiving than msfconsole, but it offers some basic help (including usage and a list of modes) with the command msfcli -h, as shown here:
root@bt:/opt/framework3/msf3# msfcli -h
Usage: /opt/framework3/msf3/msfcli