Search icon Close icon
Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Checkout

Change country

Modal Close icon
Country selected Country selected
country flag United States
Country selected
country flag Great Britain
Country selected
country flag India
Country selected
country flag Germany
Country selected
country flag France
Country selected
country flag Canada
Country selected
country flag Russia
Country selected
country flag Spain
Country selected
country flag Brazil
Country selected
country flag Australia
Country selected
country flag South Africa
Country selected
country flag Thailand
Country selected
country flag Ukraine
Country selected
country flag Switzerland
Country selected
country flag Slovakia
Country selected
country flag Luxembourg
Country selected
country flag Hungary
Country selected
country flag Romania
Country selected
country flag Denmark
Country selected
country flag Ireland
Country selected
country flag Estonia
Country selected
country flag Belgium
Country selected
country flag Italy
Country selected
country flag Finland
Country selected
country flag Cyprus
Country selected
country flag Lithuania
Country selected
country flag Latvia
Country selected
country flag Malta
Country selected
country flag Netherlands
Country selected
country flag Portugal
Country selected
country flag Slovenia
Country selected
country flag Sweden
Country selected
country flag Argentina
Country selected
country flag Colombia
Country selected
country flag Ecuador
Country selected
country flag Indonesia
Country selected
country flag Mexico
Country selected
country flag New Zealand
Country selected
country flag Norway
Country selected
country flag South Korea
Country selected
country flag Taiwan
Country selected
country flag Turkey
Country selected
country flag Czechia
Country selected
country flag Austria
Country selected
country flag Greece
Country selected
country flag Isle of Man
Country selected
country flag Bulgaria
Country selected
country flag Japan
Country selected
country flag Philippines
Country selected
country flag Poland
Country selected
country flag Singapore
Country selected
country flag Egypt
Country selected
country flag Chile
Country selected
country flag Malaysia
Country selected
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Home > Security > Penetration Testing > Metasploit Penetration Testing Cookbook
Metasploit Penetration Testing Cookbook
Metasploit Penetration Testing Cookbook

Metasploit Penetration Testing Cookbook: Evade antiviruses, bypass firewalls, and exploit complex environments with the most widely used penetration testing framework , Third Edition

Arrow left icon
Profile Icon Teixeira Profile Icon Nipun Jaswal Profile Icon Abhinav Singh Profile Icon Agarwal
Arrow right icon
£9.99 per month
Full star icon Full star icon Full star icon Half star icon Empty star icon 3.8 (5 Ratings)
Paperback Feb 2018 426 pages 3rd Edition
eBook
£29.99
Paperback
£36.99
Subscription
Free Trial
Renews at £9.99p/m
Arrow left icon
Profile Icon Teixeira Profile Icon Nipun Jaswal Profile Icon Abhinav Singh Profile Icon Agarwal
Arrow right icon
£9.99 per month
Full star icon Full star icon Full star icon Half star icon Empty star icon 3.8 (5 Ratings)
Paperback Feb 2018 426 pages 3rd Edition
eBook
£29.99
Paperback
£36.99
Subscription
Free Trial
Renews at £9.99p/m
eBook
£29.99
Paperback
£36.99
Subscription
Free Trial
Renews at £9.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. £13.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Metasploit Penetration Testing Cookbook

Chapter 2. Information Gathering and Scanning

In this chapter, we will cover the following recipes:

  • Passive information gathering with Metasploit
  • Active information gathering with Metasploit
  • Port scanning—the Nmap way
  • Port scanning—the db_nmap way
  • Host discovery with ARP Sweep
  • UDP Service Sweeper
  • SMB scanning and enumeration
  • Detecting SSH versions with the SSH Version Scanner
  • FTP scanning
  • SMTP enumeration
  • SNMP enumeration
  • HTTP scanning
  • WinRM scanning and brute forcing
  • Integrating with Nessus
  • Integrating with NeXpose
  • Integrating with OpenVAS

Introduction

Information gathering is the first and one of the most, if not the most, important activities in penetration testing. This step is carried out in order to find out as much information about the target machine as possible. The more information we have, the better our chances will be for exploiting the target. During the information gathering phase, our main focus is to collect facts about the target machine, such as the IP address, available services, and open ports. This information plays a vital role in the process of penetration testing. To achieve this goal, we will be learning certain scanning techniques such as SMB scanning, SSH server scanning, FTP scanning, SNMP enumeration, HTTP scanning, and WinRM scanning and brute forcing by the end of this chapter.

Information gathering, footprinting, and enumeration are terms that are often used interchangeably. But they are still different. According to the SANS standard, footprinting is the ability to obtain essential information...

Passive information gathering with Metasploit

In this chapter, we will analyze the various passive and active techniques of information gathering in detail. From the beginning, we will analyze the most commonly used and most commonly neglected techniques of passive information gathering and in later recipes, we will focus on gaining information through port scanning. Metasploit has several built-in scanning capabilities, as well as some third-party tools integrated with it to further enhance the process of port scanning. We will analyze both the inbuilt scanners, as well as some of the popular third-party scanners which work over the Metasploit Framework. Let's move on to the recipes and start our process of gaining information about our target.

Getting ready

We will start information gathering with the company domain name, get information about the company, search for subdomains, find targets, check for honeypots, gather email addresses, and much more.

How to do it...

The Metasploit Framework...

Active information gathering with Metasploit

Scanning is an active information gathering technique in which we will now start dealing with the target directly. Port scanning is an interesting process of information gathering. It involves a deeper search of the target machine, but since active port scanning involves reaching out to the target systems, these activities can be detected by firewalls and intrusion prevention systems.

How to do it...

There are a variety of port scanners available to us within the Metasploit Framework, allowing us to properly enumerate the target systems. To list all the available portscan modules, you can use the search command, as follows:

TCP Port Scanner

We can start by doing a basic TCP portscan with the TCP Port Scanner auxiliary module and see what we can find.

Note

Since the TCP Port Scanner auxiliary module does not need administrative privileges on the source machine, it can be extremely useful when pivoting.

To run the TCP Port Scanner auxiliary module, we...

Port scanning—the Nmap way

Nmap is the most powerful and preferred scanner for security professionals. The usage of Nmap varies from novice to an advanced level; we will analyze the various scan techniques in detail.

Getting ready

You run Nmap directly from msfconsole, as you normally would from the command line. However, if you want to import the results into the Metasploit database, you need to run the Nmap scan using the -oX flag, followed by the desired filename to generate the XML output file, and then issue the db_import command to populate the Metasploit database.

How to do it...

Starting Nmap from Metasploit is easy:

  1. Launch msfconsole and type in nmap to display the list of scan options that Nmap provides:
msf > nmap
  1. The TCP connect [-sT] scan is the most basic and default scan type in Nmap. It follows the three-way handshake process to detect the open ports on the target machine. Let's perform this scan on one of our targets:
msf > nmap -sT 192.168.216.10
[*] exec: nmap -sT 192.168...

Port scanning—the db_nmap way

Using the db_nmap command, we can run Nmap against our targets and store our scan results automatically in our database, without the need to use the db_import command.

Getting ready

The db_nmap command is part of msfconsole, so you just need to launch msfconsole and use db_nmap, as you would use nmap on the command line.

How to do it...

In Chapter 1, Metasploit Quick Tips for Security Professionals, we already talked about the db_nmap basic usage, so now we will take a look at some more advanced features. In the following example, you will learn how to use some of those features:

msf > db_nmap -Pn -sTV -T4 --open --min-parallelism 64 --version-all 192.168.216.10 -p -
[*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-20 06:33 EDT
[*] Nmap: Nmap scan report for 192.168.216.10
[*] Nmap: Host is up (0.00044s latency).
[*] Nmap: Not shown: 54809 closed ports, 10678 filtered ports
[*] Nmap: Some closed ports may be reported as filtered due to --defeat-rst...

Host discovery with ARP Sweep

ARP Sweep allows us to enumerate live hosts in the local network using ARP requests, providing us with a simple and fast way to identify possible targets.

Getting ready

When your target systems are located on the same LAN as your attacking machine, you are able to enumerate systems by performing an ARP scan.

How to do it...

  1. To enumerate systems using ARP in Metasploit, you can use the ARP Sweep Local Network Discovery auxiliary module. You just need to set the target address range in RHOSTS, set the number of concurrent threads, and run the module:
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > set RHOSTS 192.168.216.0/24
RHOSTS => 192.168.216.0/24
msf auxiliary(arp_sweep) > set THREADS 256
THREADS => 256
msf auxiliary(arp_sweep) > run

[+] 192.168.216.1 appears to be up (VMware, Inc.).
[+] 192.168.216.2 appears to be up (VMware, Inc.).
[+] 192.168.216.10 appears to be up (VMware, Inc.).
[+] 192.168.216.129 appears to...

UDP Service Sweeper

The UDP Service Sweeper auxiliary module allows us to detect interesting UDP services. Since UDP is a connectionless protocol, it is more difficult to probe than TCP. Using an auxiliary module like the UDP Service Sweeper can help you find some low-hanging fruit, in a timely manner.

How to do it...

To run the UDP Service Sweeper, select the auxiliary/scanner/discovery/udp_sweep module and set the target address range in RHOSTS:

msf > use auxiliary/scanner/discovery/udp_sweep 
msf auxiliary(udp_sweep) > set RHOSTS 192.168.216.0/24
RHOSTS => 192.168.216.0/24
msf auxiliary(udp_sweep) > run

[*] Sending 13 probes to 192.168.216.0->192.168.216.255 (256 hosts)
[*] Discovered NetBIOS on 192.168.216.1:137 (MACBOOK-PRO:<00>:U :00:50:56:c0:00:08)
...

[*] Discovered Portmap on 192.168.216.129:111 (100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(52986), 100024 v1 TCP(53621), 100003 v2 UDP(2049), 100003 v3 UDP(2049), 100003 v4 UDP(2049), 100021 v1 UDP(49681...

SMB scanning and enumeration

Over the years, the Server Message Block (SMB) protocol, a network file sharing protocol implemented in Microsoft Windows, has proven to be one of the most abused protocols, allowing from sharing and user enumeration up to remote code execution.

How to do it...

  1. Using the SMB Share Enumeration auxiliary module without authentication, allows us to collect some valuable information, such as share names and OS versions and services packs:
msf > use auxiliary/scanner/smb/smb_enumshares 
msf auxiliary(smb_enumshares) > set RHOSTS 192.168.216.10,129
RHOSTS => 192.168.216.10,129
msf auxiliary(smb_enumshares) > run

...
[+] 192.168.216.129:139 - IPC$ - (I) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[+] 192.168.216.129:139 - ADMIN$ - (I) IPC Service (metasploitable server (Samba 3.0.20-Debian))
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) >
  1. The SMB Share Enumeration auxiliary module...

Detecting SSH versions with the SSH Version Scanner

SSH is a widely used application that provides a secure remote login. It uses strong cryptography to provide authentication and confidentiality. In this recipe, we will be detecting SSH versions currently running on our target. With this SSH Version Scanner, we can determine if the target is equipped with any vulnerable SSH version and, if yes, we can move further.

Getting ready

Previous scans show us that we have TCP port 22 open on the target systems, so we will use the SSH Version Scanner auxiliary module to get information about the SSH version running on the target system.

How to do it...

  1. To scan for SSH servers on the network, use the auxiliary/scanner/ssh/ssh_version auxiliary module, set the target address range in RHOSTS, and the number of concurrent threads to 256:
msf > use auxiliary/scanner/ssh/ssh_version 
msf auxiliary(ssh_version) > set RHOSTS 192.168.216.0/24
RHOSTS => 192.168.216.0/24
msf auxiliary(ssh_version) &gt...

FTP scanning

In this recipe, we will do a version scan for all open FTP servers in a network, using Metasploit.

Getting ready

The FTP Version Scanner auxiliary module allows us to detect the FTP version running.

How to do it...

  1. To scan for FTP servers on the network, use the auxiliary/scanner/ftp/ftp_version auxiliary module, set the target address range in RHOSTS, and the number of concurrent threads to 256:
msf > use auxiliary/scanner/ftp/ftp_version 
msf auxiliary(ftp_version) > set RHOSTS 192.168.216.10,129
RHOSTS => 192.168.216.10,129
msf auxiliary(ftp_version) > set THREADS 256
THREADS => 256
msf auxiliary(ftp_version) > run

[+] 192.168.216.129:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) >
  1. The scan results, as with the previous auxiliary modules, will get stored in the Metasploit database and can be accessed using the...

SMTP enumeration

The Simple Mail Transfer Protocol (SMTP) service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual address of users' aliases and lists of emails (mailing lists)).

Getting ready

The SMTP User Enumeration Utility auxiliary module, through the implementation of these SMTP commands, can reveal a list of valid users.

How to do it...

The SMTP User Enumeration Utility auxiliary module, by default, will use the unix_users.txt file located at /usr/share/metasploit-framework/data/wordlists/, but you can specify your own. To run the module, set the target address range, the number of concurrent threads, and type run:

msf > use auxiliary/scanner/smtp/smtp_enum 
msf auxiliary(smtp_enum) > set RHOSTS 192.168.216.129
msf auxiliary(smtp_enum) > set THREADS 256
THREADS => 256
msf auxiliary(smtp_enum) > run

[*] 192.168.216.129:25 - 192.168.216.129:25 Banner: 220 metasploitable.localdomain...

SNMP enumeration

The Simple Network Management Protocol (SNMP) is used on networked devices to read, write, and update device configuration remotely. SNMP sweeps are often a good indicator in finding a lot of information about a specific system, or actually compromising the remote device. In this recipe, we will learn to use the SNMP scanning module.

Getting ready

Metasploit has a built-in auxiliary module specifically for sweeping SNMP devices. One must understand it before performing an attack. First, read-only and read-write community strings play an important role in the sort of information that can be mined or altered on the devices themselves. The Management Information Base (MIB) interface allows us to query the device and extract information.

Note

If dealing with Windows-based devices configured with SNMP, often at times with the RO/RW community strings, we can extract patch levels, services running, last reboot times, usernames on the system, routes, and various other aspects that worth...

HTTP scanning

The Hypertext Transfer Protocol (HTTP) is an application protocol that serves as the foundation of data communication for the World Wide Web. Since it is used by numerous applications, from the Internet of Things (IoT) devices to mobile applications, it is a great place to search for vulnerabilities.

Getting ready

The HTTP SSL Certificate Checker auxiliary module will check the certificate of the specified web servers to ensure the subject and issuer match the supplied pattern, and that the certificate is not expired.

The HTTP Robots.txt Content Scanner auxiliary module will search for robots.txt files and analyze their content.

If the PUT method can be used by any unauthenticated remote user, arbitrary web pages can be inserted into the web root, possibly leading to a deface or even remote code execution, or the disk can be filled with meaningless data, resulting in a denial of service attack.

The Jenkins-CI Enumeration HTTP auxiliary module enumerates a remote Jenkins-CI installation...

WinRM scanning and brute forcing

Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate.

Getting ready

The WinRM Authentication Method Detection auxiliary module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the authentication methods supported.

Now that we know that the target system has WinRM enabled, we can start scanning to see if we can leverage WinRM and compromise the system.

Using the credentials found with the SMB Login Check Scanner auxiliary module, we can test if we can run Windows commands using the WinRM service, using the WinRM Command Runner auxiliary module.

How to do it...

  1. To use the WinRM Authentication Method Detection auxiliary module, set the target address range in RHOSTS and type run:
msf > use...

Integrating with Nessus

So far, we have learned the basics of port scanning, along with the practical implementation with Nmap. Port scanning has been extended to several other tools which further enhances the process of scanning and information gathering. In the next few recipes, we will cover those tools which scan the target for available services and open ports and then try to determine the type of vulnerability that may exist for that particular service or port. Let's begin our journey to vulnerability scanning.

Nessus is one of the most widely used vulnerability scanners. It scans the target for a range of vulnerabilities and produces a detailed report for it. Nessus is a very helpful tool to use for penetration testing. Either you can use the GUI version of Nessus, or you can use it from the Metasploit console. In this book, we will primarily focus on using Nessus with msfconsole.

Getting ready

To use Nessus for the first time, you will have to register and get a registration code from...

Integrating with NeXpose

In the previous recipe, we discussed Nessus as a potential vulnerability scanner. In this recipe, we will cover another important vulnerability scanner called NeXpose.

NeXpose is a popular tool by Rapid7, which performs the task of vulnerability scanning and importing results to the Metasploit database. The usage of NeXpose is similar to Nessus, but let's have a quick look at how to get started with NeXpose. I will leave the task of exploring it deeper as an assignment for you.

Getting ready

You can download NeXpose Community from http://www.rapid7.com/products/metasploit/metasploit-community-registration.jsp. After installing NeXpose, you can start using it the from the msfconsole, but first, we need to load the plugin to connect to the NeXpose server. Let's execute these steps in the command line:

To connect with the NeXpose server, use the nexpose_connect command followed by the credentials, hostname, port, and verify the SSL certificate:

msf > nexpose_connect NexposeUser...

Integrating with OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is the most widespread open source solution for vulnerability scanning and vulnerability management.

OpenVAS is the scan engine used and supported as part of the Greenbone Security Solutions. The Greenbone development team has contributed significantly to the enhancement of OpenVAS since 2005.

How to do it...

  1. To install OpenVAS on Kali Linux use the apt install openvas command:
root@kali:~# apt-get install openvas
  1. Then use the openvas-setup command to set up OpenVAS, download the latest rules, create an admin user, and start up the various services:
root@kali:~# openvas-setup
  1. When the setup is finished, the OpenVAS manager, scanner, and GSAD services should be listening. To start OpenVAS, use the openvas-start command:
root@kali:~# openvas-start
Starting OpenVas Services
root@kali:~#
  1. Before we can use OpenVAS inside msfconsole, we need to load the OpenVAS plugin using the load command:
msf > load openvas 
[*] Welcome to...
Left arrow icon

Page 1 of 18

Right arrow icon

Key benefits

  • •Special focus on the latest operating systems, exploits, and penetration testing techniques
  • •Learn new anti-virus evasion techniques and use Metasploit to evade countermeasures
  • •Automate post exploitation with AutoRunScript
  • •Exploit Android devices, record audio and video, send and read SMS, read call logs, and much more
  • •Build and analyze Metasploit modules in Ruby
  • •Integrate Metasploit with other penetration testing tools

Description

Metasploit is the world's leading penetration testing tool and helps security and IT professionals find, exploit, and validate vulnerabilities. Metasploit allows penetration testing automation, password auditing, web application scanning, social engineering, post exploitation, evidence collection, and reporting. Metasploit's integration with InsightVM (or Nexpose), Nessus, OpenVas, and other vulnerability scanners provides a validation solution that simplifies vulnerability prioritization and remediation reporting. Teams can collaborate in Metasploit and present their findings in consolidated reports. In this book, you will go through great recipes that will allow you to start using Metasploit effectively. With an ever increasing level of complexity, and covering everything from the fundamentals to more advanced features in Metasploit, this book is not just for beginners but also for professionals keen to master this awesome tool. You will begin by building your lab environment, setting up Metasploit, and learning how to perform intelligence gathering, threat modeling, vulnerability analysis, exploitation, and post exploitation—all inside Metasploit. You will learn how to create and customize payloads to evade anti-virus software and bypass an organization's defenses, exploit server vulnerabilities, attack client systems, compromise mobile phones, automate post exploitation, install backdoors, run keyloggers, highjack webcams, port public exploits to the framework, create your own modules, and much more.

Who is this book for?

If you are a Security professional or pentester and want to get into vulnerability exploitation and make the most of the Metasploit framework, then this book is for you. Some prior understanding of penetration testing and Metasploit is required.

What you will learn

  • •Set up a complete penetration testing environment using Metasploit and virtual machines
  • •Master the world s leading penetration testing tool and use it in professional penetration testing
  • •Make the most of Metasploit with PostgreSQL, importing scan results, using workspaces, hosts, loot, notes, services, vulnerabilities, and exploit results
  • •Use Metasploit with the Penetration Testing Execution Standard methodology
  • •Use MSFvenom efficiently to generate payloads and backdoor files, and create shellcode
  • •Leverage Metasploit s advanced options, upgrade sessions, use proxies, use Meterpreter sleep control, and change timeouts to be stealthy

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Feb 26, 2018
Length: 426 pages
Edition : 3rd
Language : English
ISBN-13 : 9781788623179
Category :
Security
Languages :
Ruby
Concepts :
Penetration Testing
Tools :
Metasploit

What do you get with a Packt Subscription?

Free for first 7 days. £13.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Feb 26, 2018
Length: 426 pages
Edition : 3rd
Language : English
ISBN-13 : 9781788623179
Category :
Security
Languages :
Ruby
Concepts :
Penetration Testing
Tools :
Metasploit

Packt Subscriptions

See our plans and pricing
Modal Close icon
£9.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 6,500+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
START FREE TRIAL
BUY NOW
£99.99 billed annually
Feature tick icon Unlimited access to Packt's library of 6,500+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just £5 each
Feature tick icon Exclusive print discounts
START FREE TRIAL
BUY NOW
£139.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 6,500+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just £5 each
Feature tick icon Exclusive print discounts
START FREE TRIAL
BUY NOW

Frequently bought together

Advanced Infrastructure Penetration Testing
Advanced Infrastructure Penetration Testing
Read more
Feb 2018 396 pages
Full star icon 2.4 (8)
eBook
eBook
  • eBook eBook £29.99
  • Paperback Paperback £36.99
£29.99
£36.99
Metasploit Penetration Testing Cookbook
Metasploit Penetration Testing Cookbook
Read more
Feb 2018 426 pages
Full star icon 3.8 (5)
eBook
eBook
  • eBook eBook £29.99
  • Paperback Paperback £36.99
£29.99
£36.99
Web Penetration Testing with Kali Linux
Web Penetration Testing with Kali Linux
Read more
Feb 2018 426 pages
Full star icon 4.2 (5)
eBook
eBook
  • eBook eBook £32.99
  • Paperback Paperback £41.99
£32.99
£41.99
Stars icon
Total £ 115.97
Advanced Infrastructure Penetration Testing
£36.99
Metasploit Penetration Testing Cookbook
£36.99
Web Penetration Testing with Kali Linux
£41.99
Total £ 115.97 Stars icon
Visually different images

Table of Contents

13 Chapters
Metasploit Quick Tips for Security Professionals Chevron down icon Chevron up icon
Metasploit Quick Tips for Security Professionals
Introduction
Installing Metasploit on Windows
Installing Linux and macOS
Installing Metasploit on macOS
Using Metasploit in Kali Linux
Setting up a penetration-testing lab
Setting up SSH connectivity
Connecting to Kali using SSH
Configuring PostgreSQL
Creating  workspaces
Using the database
Using the hosts command
Understanding the services command
Information Gathering and Scanning Chevron down icon Chevron up icon
Information Gathering and Scanning
Introduction
Passive information gathering with Metasploit
Active information gathering with Metasploit
Port scanning—the Nmap way
Port scanning—the db_nmap way
Host discovery with ARP Sweep
UDP Service Sweeper
SMB scanning and enumeration
Detecting SSH versions with the SSH Version Scanner
FTP scanning
SMTP enumeration
SNMP enumeration
HTTP scanning
WinRM scanning and brute forcing
Integrating with Nessus
Integrating with NeXpose
Integrating with OpenVAS
Server-Side Exploitation Chevron down icon Chevron up icon
Server-Side Exploitation
Introduction
Exploiting a Linux server
SQL injection
Types of shell
Exploiting a Windows Server machine
Exploiting common services
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
MS17-010 EternalRomance/EternalSynergy/EternalChampion
Installing backdoors
Denial of Service
Meterpreter Chevron down icon Chevron up icon
Meterpreter
Introduction
Understanding the Meterpreter core commands
Understanding the Meterpreter filesystem commands
Understanding Meterpreter networking commands
Understanding the Meterpreter system commands
Setting up multiple communication channels with the target
Meterpreter anti-forensics
The getdesktop and keystroke sniffing
Using a scraper Meterpreter script
Scraping the system using winenum
Automation with AutoRunScript
Meterpreter resource scripts
Meterpreter timeout control
Meterpreter sleep control
Meterpreter transports
Interacting with the registry
Loading framework plugins
Meterpreter API and mixins
Railgun—converting Ruby into a weapon
Adding DLL and function definitions to Railgun
Injecting the VNC server remotely
Enabling Remote Desktop
Post-Exploitation Chevron down icon Chevron up icon
Post-Exploitation
Introduction
Post-exploitation modules
Bypassing UAC
Dumping the contents of the SAM database
Passing the hash
Incognito attacks with Meterpreter
Using Mimikatz
Setting up a persistence with backdoors
Becoming TrustedInstaller
Backdooring Windows binaries
Pivoting with Meterpreter
Port forwarding with Meterpreter
Credential harvesting
Enumeration modules
Autoroute and socks proxy server
Analyzing an existing post-exploitation module
Writing a post-exploitation module
Using MSFvenom Chevron down icon Chevron up icon
Using MSFvenom
Introduction
Payloads and payload options
Encoders
Output formats
Templates
Meterpreter payloads with trusted certificates
Client-Side Exploitation and Antivirus Bypass Chevron down icon Chevron up icon
Client-Side Exploitation and Antivirus Bypass
Introduction
Exploiting a Windows 10 machine
Bypassing antivirus and IDS/IPS
Metasploit macro exploits
Human Interface Device attacks
HTA attack
Backdooring executables using a MITM attack
Creating a Linux trojan
Creating an Android backdoor
Social-Engineer Toolkit Chevron down icon Chevron up icon
Social-Engineer Toolkit
Introduction
Getting started with the Social-Engineer Toolkit
Working with the spear-phishing attack vector
Website attack vectors
Working with the multi-attack web method
Infectious media generator
Working with Modules for Penetration Testing Chevron down icon Chevron up icon
Working with Modules for Penetration Testing
Introduction
Working with auxiliary modules
DoS attack modules
Post-exploitation modules
Understanding the basics of module building
Analyzing an existing module
Building your own post-exploitation module
Building your own auxiliary module
Exploring Exploits Chevron down icon Chevron up icon
Exploring Exploits
Introduction
Common exploit mixins
Exploiting the module structure
Using MSFvenom to generate shellcode
Converting an exploit to a Metasploit module
Porting and testing the new exploit module
Fuzzing with Metasploit
Writing a simple fuzzer
Wireless Network Penetration Testing Chevron down icon Chevron up icon
Wireless Network Penetration Testing
Introduction
Metasploit and wireless
Understanding an evil twin attack
Configuring Karmetasploit
Wireless MITM attacks
SMB relay attacks
Cloud Penetration Testing Chevron down icon Chevron up icon
Cloud Penetration Testing
Introduction
Metasploit in the cloud
Metasploit PHP Hop
Phishing from the cloud
Setting up a cloud penetration testing lab
Best Practices Chevron down icon Chevron up icon
Best Practices
Introduction
Best practices
Using Metasploit over the Tor network
Metasploit logging
Documentation
Cleaning up

Recommendations for you

Left arrow icon
CompTIA Security+ SY0-701 Certification Guide
CompTIA Security+ SY0-701 Certification Guide
Read more
Jan 2024 634 pages
Full star icon 4.9 (225)
Paperback
Paperback
  • Paperback Paperback £41.99
£41.99
The Ultimate Kali Linux Book
The Ultimate Kali Linux Book
Read more
Apr 2024 828 pages
Full star icon 4.8 (27)
eBook
eBook
  • eBook eBook £32.99
  • Paperback Paperback £41.99
£32.99
£41.99
Adversarial AI Attacks, Mitigations, and Defense Strategies
Adversarial AI Attacks, Mitigations, and Defense Strategies
Read more
Jul 2024 602 pages
Full star icon 4.9 (13)
eBook
eBook
  • eBook eBook £29.99
  • Paperback Paperback £37.99
£29.99
£37.99
Cyber Security Kill Chain - Tactics and Strategies
Cyber Security Kill Chain - Tactics and Strategies
Read more
May 2025 308 pages
eBook
eBook
  • eBook eBook £26.99
  • Paperback Paperback £33.99
£26.99
£33.99
Mastering Linux Security and Hardening
Mastering Linux Security and Hardening
Read more
Feb 2023 620 pages
Full star icon 4.9 (31)
Paperback
Paperback
  • Paperback Paperback £37.99
  • Hardcover Hardcover £29.99
  • Hardcover Hardcover £52.99
£37.99
£29.99
£52.99
CISA – Certified Information Systems Auditor Study Guide
CISA – Certified Information Systems Auditor Study Guide
Read more
Oct 2024 356 pages
eBook
eBook
  • eBook eBook £29.99
  • Paperback Paperback £37.99
£29.99
£37.99
Cloud Security Handbook
Cloud Security Handbook
Read more
Apr 2025 482 pages
eBook
eBook
  • eBook eBook £26.99
  • Paperback Paperback £33.99
£26.99
£33.99
The OSINT Handbook
The OSINT Handbook
Read more
Mar 2024 198 pages
Full star icon 5 (4)
eBook
eBook
  • eBook eBook £20.99
  • Paperback Paperback £26.99
£20.99
£26.99
Malware Development for Ethical Hackers
Malware Development for Ethical Hackers
Read more
Jun 2024 402 pages
Full star icon 4.3 (9)
eBook
eBook
  • eBook eBook £32.99
  • Paperback Paperback £41.99
£32.99
£41.99
Learning Kubernetes Security
Learning Kubernetes Security
Read more
Jun 2025 390 pages
eBook
eBook
  • eBook eBook £26.99
  • Paperback Paperback £33.99
£26.99
£33.99
Right arrow icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Half star icon Empty star icon 3.8
(5 Ratings)
5 star 40%
4 star 40%
3 star 0%
2 star 0%
1 star 20%
Hugo Bolé Jul 19, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
3 adjectives for this book: Practical, Objective, Excellent!
Amazon Verified review Amazon
Neetu Kaur Sep 27, 2021
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is very helpful
Amazon Verified review Amazon
Nasikh Yishrael Sep 04, 2024
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
Feefo Verified review Feefo
S1n0xt0n Nov 16, 2018
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
A great introduction to Metasploit Penetration Testing. I love the hands on approach to learning. I liked the organization of the chapters and their approach. Some topics, I thought could be more in depth...
Amazon Verified review Amazon
Noe Nevarez Aug 29, 2020
Full star icon Empty star icon Empty star icon Empty star icon Empty star icon 1
I had a hard time reading the ebook translated pages when configurations and command-line commands were shown. It appears the transformation (book to ebook) didn't result in an easily readable output.
Amazon Verified review Amazon

People who bought this also bought

Left arrow icon
Mastering Linux Security and Hardening
Mastering Linux Security and Hardening
Read more
Feb 2023 620 pages
Full star icon 4.9 (31)
Paperback
Paperback
  • Paperback Paperback £37.99
  • Hardcover Hardcover £29.99
  • Hardcover Hardcover £52.99
£37.99
£29.99
£52.99
Cybersecurity – Attack and Defense Strategies, 3rd edition
Cybersecurity – Attack and Defense Strategies, 3rd edition
Read more
Sep 2022 570 pages
Full star icon 4.9 (42)
eBook
eBook
  • eBook eBook £25.99
  • Paperback Paperback £31.99
£25.99
£31.99
Mastering Windows Security and Hardening
Mastering Windows Security and Hardening
Read more
Aug 2022 816 pages
Full star icon 4.8 (20)
eBook
eBook
  • eBook eBook £32.99
  • Paperback Paperback £41.99
£32.99
£41.99
Digital Forensics and Incident Response
Digital Forensics and Incident Response
Read more
Dec 2022 532 pages
Full star icon 4.9 (15)
eBook
eBook
  • eBook eBook £32.99
  • Paperback Paperback £41.99
  • Audiobook Audiobook £43.99
£32.99
£41.99
£43.99
Learn Computer Forensics – 2nd edition
Learn Computer Forensics – 2nd edition
Read more
Jul 2022 434 pages
Full star icon 4.8 (63)
eBook
eBook
  • eBook eBook £29.99
  • Paperback Paperback £37.99
  • Audiobook Audiobook £35.99
£29.99
£37.99
£35.99
Right arrow icon

About the 4 authors

Left arrow icon
Profile icon Teixeira
Teixeira
Daniel Teixeira is an IT security expert, author, and trainer, specializing in red team engagements, penetration testing, and vulnerability assessments. His main areas of focus are adversary simulation, emulation of modern adversarial tactics, techniques and procedures; vulnerability research, and exploit development.
Read more
See other products by Teixeira
Profile icon Nipun Jaswal
Nipun Jaswal
LinkedIn icon
Nipun Jaswal is an international cybersecurity author and an award-winning IT security researcher with more than a decade of experience in penetration testing, Red Team assessments, vulnerability research, RF, and wireless hacking. He is presently the Director of Cybersecurity Practices at BDO India. Nipun has trained and worked with multiple law enforcement agencies on vulnerability research and exploit development. He has also authored numerous articles and exploits that can be found on popular security databases, such as PacketStorm and exploit-db. Please feel free to contact him at @nipunjaswal.
Read more
See other products by Nipun Jaswal
Profile icon Abhinav Singh
Abhinav Singh
Abhinav Singh is a well-known information security researcher. He is the author of Metasploit Penetration Testing Cookbook (first and second editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community—paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker at eminent international conferences—Black Hat and RSA. His areas of expertise include malware research, reverse engineering, and cloud security.
Read more
See other products by Abhinav Singh
Profile icon Agarwal
Agarwal
Monika Agarwal is a young Information Security Researcher from India. She has presented many research papers at both national and international conferences. She is a member of IAENG (International Association of Engineers). Her main areas of interest are ethical hacking and ad hoc networking.
Read more
See other products by Agarwal
Right arrow icon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.