Metasploit: The Penetration Tester’s Guide is written by Dave (ReL1K) Kennedy, Jim O’Gorman (_Elwood_), Devon Kearns (dookie2000ca), and Mati Aharoni (muts). This book is an essential read for anyone looking to get into the field of penetration testing, as well as for seasoned veterans. There are a ton of examples throughout the book that make it more interactive and enjoyable to read. Below I will go over a chapter-by-chapter analysis.
Chapter 1 explains the basics of penetration testing by running down the list of PTES phases. By doing this the authors are able to acclimate readers who are not familiar with what a penetration test involves.
Chapter 2 explains what Metasploit is by going over the basics, including the terminology Metasploit uses. It also introduces the reader to the different interfaces Metasploit includes, such as msfconsole and Armitage.
Chapter 3 is all about information gathering. Both active and passive techniques are covered. For passive information gathering, WHOIS, Netcraft, and DNS query techniques are covered. For active information gathering it covers using Nmap, Metasploit, and writing your own Ruby script that can be used in msfconsole.
Chapter 4 introduces the concept of vulnerability scanning. It goes through the steps of using NeXpose, Nessus, and some Metasploit modules to find vulnerabilities on a network.
In Chapter 5 they start to walk you through msfconsole, first showing how to search for Metasploit’s different modules. Then it walks through the steps of using ms08_067_netapi to exploit a vulnerable Windows box. If that wasn’t enough, they then walk you through exploiting a vulnerable Ubuntu box using lsa_transnames_heap. They then go over rc files and how to use them to automate exploitation.
Chapter 6 builds on the msfconsole knowledge from the last chapter and moves on to explaining how to use the Meterpreter payloads to further facilitate the post-exploitation process. They then go on to explain pivoting and how to use it. Next they explain Meterpreter scripts and how they are being converted over to post-exploitation modules. Then they show how to upgrade from a command shell session to a Meterpreter session. Finally, they go over using Windows APIs through Railgun.
Chapter 7 is all about avoiding detection by AV. msfpayload is covered first to explain how to create a malicious package. Then they go over using msfencode to evade AV; in doing so they show that it takes some time to get a package that can evade AV. Then backdooring legitimate applications with malicious code is covered. Lastly, packers are covered as a means to evade AV.
In Chapter 8 client-side attacks are covered. Browser exploits are first on the list. They go over what browser-based exploits are and how they work by walking through assembly code. They explain what a NOP slide is and how it works when placed in the correct location in the code. The chapter is then finished off by going over file format exploits.
Chapter 9 contains an in-depth look at Metasploit auxiliary modules.
In Chapter 10 the Social-Engineer Toolkit is the focus. It goes over configuring SET and then goes into an example of crafting a spear-phishing attack. Then crafting a web attack is covered by using a Java exploit on a cloned website. Then Internet Explorer is targeted using the Aurora exploit on a cloned website. Next they go over username and password harvesting in SET. Then short overviews are given of Tabnabbing, Man-Left-in-the-Middle, and Web Jacking. Finally, an example of using the Teensy USB HID device as an attack vector is covered using SET’s built-in Arduino code.
Chapter 11 covers yet another program by Dave, Fast-Track. To cover Fast-Track they go over Microsoft SQL injection using MSSQL Injector, MSSQL Bruter, and SQLPwnage. Then they move on to Fast-Track’s ability to convert a binary to hex, which is useful for sending programs to remote systems via a shell. Next the Mass Client-Side Attack is discussed.
Chapter 12 explains Karmetasploit, first by going over how to set it up and then by launching the attack. After the attack is launched, what is (or can be) captured is explained.
In Chapter 13 they go over creating your own Metasploit module. They do this by first going over the mssql_exec module, explaining what each line does. Then they take mssql_payload.rb and add functionality to it to create an entirely new module.
In Chapter 14 it is time to start creating your own exploit. To show the progression of how to create an exploit, they first create a simple IMAP fuzzer to fuzz NetWin SurgeMail, with Immunity Debugger attached to capture the process. They then go through the motions of creating and testing an exploit.
In Chapter 15 porting an exploit to the Metasploit Framework is covered. This is accomplished by first going over some of the most common assembly language instructions. Then they show examples of how to port a few well-known exploits into Metasploit. These examples include a stack overflow and then an SEH overwrite.
In Chapter 16 they get into the meat of writing Meterpreter scripts by going over how Carlos Perez (darkoperator) created the multi_meter_inject script. Then they go over the basics of using the Meterpreter API and the rules that govern Meterpreter scripts committed to the Metasploit Framework. They then show you how to create a script that uploads and executes a Meterpreter payload. The chapter is wrapped up with an example of how Dave Kennedy and Kevin Mitnick created a Meterpreter module to bypass Windows UAC.
In Chapter 17 a simulated pentest is run through using Metasploit’s vulnerable Linux virtual machine, Metasploitable. The book does a walk-through of a few of the vulnerabilities in Metasploitable. This allows the reader to test out what the book has taught them without needing to go to other resources.
As I said before, this book is an essential read for anyone looking to get into the field of penetration testing, as well as for seasoned veterans. If you haven’t already, go to No Starch Press and pick this book up. Thank you Dave (ReL1K) Kennedy, Jim O’Gorman (_Elwood_), Devon Kearns (dookie2000ca), and Mati Aharoni (muts) for taking the time to write such a great book!