Book Description

Identify, exploit, and test web application security with ease

Key Features

  • Get up to speed with Metasploit and discover how to use it for pentesting
  • Understand how to exploit and protect your web environment effectively
  • Learn how an exploit works and what causes vulnerabilities

Metasploit has been a crucial security tool for many years. However, only a small number of its public modules target web application pentesting. In this book, you'll explore this less commonly used side of the framework and discover how Metasploit, used together with its built-in web GUI, simplifies web application penetration testing.

The book starts with the Metasploit setup and an overview of the penetration testing life cycle. Then, you will explore Metasploit terminology and the web GUI that ships with Metasploit Community Edition. Next, the book takes you through pentesting popular content management systems such as Drupal, WordPress, and Joomla, including a study of recent CVEs and a detailed look at the root cause of each vulnerability. Later, you'll gain insights into vulnerability assessment and exploitation of technology platforms such as JBoss, Jenkins, and Tomcat. Finally, you'll learn how to fuzz web applications with third-party tools to find logical security vulnerabilities.

By the end of this book, you'll have a solid understanding of how to exploit and validate vulnerabilities by working with various tools and techniques.

What you will learn

  • Get up to speed with setting up and installing the Metasploit framework
  • Gain first-hand experience of the Metasploit web interface
  • Use Metasploit for web-application reconnaissance
  • Understand how to pentest various content management systems
  • Pentest platforms such as JBoss, Tomcat, and Jenkins
  • Become well-versed with fuzzing web applications
  • Write and automate penetration testing reports

Who this book is for

This book is for web security analysts, bug bounty hunters, security professionals, and anyone in the security sector who wants to delve into web application security testing. Professionals who are not comfortable with command-line tools or Kali Linux and prefer Metasploit's graphical user interface (GUI) will also find this book useful. No experience with Metasploit is required, but basic knowledge of Linux and web application pentesting will be helpful.

Table of Contents

  1. Title Page
  2. Copyright and Credits
    1. Hands-On Web Penetration Testing with Metasploit
  3. About Packt
    1. Why subscribe?
  4. Contributors
    1. About the authors
    2. About the reviewer
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Disclaimer
    5. Get in touch
      1. Reviews
  6. Introduction
  7. Introduction to Web Application Penetration Testing
    1. What is a penetration test?
    2. Types of penetration test
      1. White box penetration test
      2. Black box penetration test
      3. Gray box penetration test
    3. Stages of penetration testing
      1. Reconnaissance and information gathering
      2. Enumeration
      3. Vulnerability assessment and analysis
      4. Exploitation
      5. Reporting
    4. Important terminologies
    5. Penetration testing methodologies
      1. Open Source Security Testing Methodology Manual (OSSTMM)
        1. Operational security metrics
        2. Trust analysis
        3. Human security testing
        4. Physical security testing
        5. Wireless security testing
        6. Telecommunications security testing
        7. Data network security testing
        8. Compliance regulations
        9. Reporting with the STAR
      2. OSSTMM test types
      3. Information Systems Security Assessment Framework (ISSAF)
      4. Penetration Testing Execution Standard (PTES)
        1. Pre-engagement interactions
        2. Intelligence gathering
        3. Threat modeling
        4. Vulnerability analysis
        5. Exploitation
        6. Post-exploitation
        7. Reporting
    6. Common Weakness Enumeration (CWE)
      1. OWASP Top 10
      2. SANS Top 25
    7. Summary
    8. Questions
    9. Further reading
  8. Metasploit Essentials
    1. Technical requirements
    2. Introduction to Metasploit Framework
    3. Metasploit Framework terminology
    4. Installing and setting up Metasploit
      1. Installing Metasploit Framework on *nix
      2. Installing Metasploit Framework on Windows
    5. Getting started with Metasploit Framework
      1. Interacting with Metasploit Framework using msfconsole
      2. MSF console commands
        1. Customizing global settings
        2. Variable manipulation in MSF
        3. Exploring MSF modules
        4. Running OS commands in MSF
        5. Setting up a database connection in Metasploit Framework
        6. Loading plugins in MSF
        7. Using Metasploit modules
        8. Searching modules in MSF
        9. Checking for hosts and services in MSF
        10. Nmap scanning with MSF
        11. Setting up payload handling in MSF
      3. MSF payload generation
        1. Generating an MSF payload using msfconsole (one-liner)
        2. Generating an MSF payload using msfvenom
    6. Summary
    7. Questions
    8. Further reading
  9. The Metasploit Web Interface
    1. Technical requirements
    2. Introduction to the Metasploit web interface
    3. Installing and setting up the web interface
      1. Installing Metasploit Community Edition on Windows
      2. Installing Metasploit Community Edition on Linux/Debian
    4. Getting started with the Metasploit web interface
      1. Interface
        1. Main menu
        2. Project tab bar
        3. Navigational breadcrumbs
        4. Tasks bar
      2. Project creation
        1. Default project
        2. Creating a custom project
      3. Target enumeration
        1. Using the built-in option
        2. Importing scan results
      4. Module selection
        1. Auxiliary module
        2. Using an exploit module
        3. Session interaction
        4. Post-exploitation modules
    5. Summary
    6. Questions
    7. Further reading
  10. The Pentesting Life Cycle with Metasploit
  11. Using Metasploit for Reconnaissance
    1. Technical requirements
    2. Introduction to reconnaissance
    3. Active reconnaissance
      1. Banner grabbing
      2. HTTP header detection
      3. Web robot page enumeration
      4. Finding hidden Git repos
      5. Open proxy detection
    4. Passive reconnaissance
      1. Archived domain URLs
      2. Censys
      3. SSL recon
    5. Summary
    6. Questions
    7. Further reading
  12. Web Application Enumeration Using Metasploit
    1. Technical requirements
    2. Introduction to enumeration
      1. DNS enumeration
      2. Going the extra mile – editing source code
    3. Enumerating files
      1. Crawling and scraping with Metasploit
      2. Scanning virtual hosts
    4. Summary
    5. Questions
    6. Further reading
  13. Vulnerability Scanning Using WMAP
    1. Technical requirements
    2. Understanding WMAP
    3. The WMAP scanning process
      1. Data reconnaissance
      2. Loading the scanner
      3. WMAP configuration
      4. Launching WMAP
    4. WMAP module execution order
    5. Adding a module to WMAP
    6. Clustered scanning using WMAP
    7. Summary
    8. Questions
    9. Further reading
  14. Vulnerability Assessment Using Metasploit (Nessus)
    1. Technical requirements
    2. Introduction to Nessus
      1. Using Nessus with Metasploit
      2. Nessus authentication via Metasploit
    3. Basic commands
      1. Patching the Metasploit library
    4. Performing a Nessus scan via Metasploit
      1. Using the Metasploit DB for Nessus scan
      2. Importing Nessus scan in the Metasploit DB
    5. Summary
    6. Questions
    7. Further reading
  15. Pentesting Content Management Systems (CMSes)
  16. Pentesting CMSes - WordPress
    1. Technical requirements
    2. Introduction to WordPress
      1. WordPress architecture
      2. File/directory structure
        1. Base folder
          1. wp-includes
          2. wp-admin
          3. wp-content
    3. WordPress reconnaissance and enumeration
      1. Version detection
        1. Readme.html
        2. Meta generator
        3. Getting the version via JavaScript and CSS files
        4. Getting the version via the feed
        5. Using Outline Processor Markup Language (OPML)
        6. Unique/advanced fingerprinting
      2. WordPress reconnaissance using Metasploit
      3. WordPress enumeration using Metasploit
    4. Vulnerability assessment for WordPress
    5. WordPress exploitation part 1 – WordPress Arbitrary File Deletion
      1. Vulnerability flow and analysis
      2. Exploiting the vulnerability using Metasploit
    6. WordPress exploitation part 2 – unauthenticated SQL injection
      1. Vulnerability flow and analysis
      2. Exploiting the vulnerability using Metasploit
    7. WordPress exploitation part 3 – WordPress 5.0.0 Remote Code Execution
      1. Vulnerability flow and analysis
      2. Exploiting the vulnerability using Metasploit
    8. Going the extra mile – customizing the Metasploit exploit
    9. Summary
    10. Questions
    11. Further reading
  17. Pentesting CMSes - Joomla
    1. Technical requirements
    2. An introduction to Joomla
    3. The Joomla architecture
      1. The file and directory structure
    4. Reconnaissance and enumeration
      1. Version detection
        1. Detection via a meta tag
        2. Detection via server headers
        3. Detection via language configurations
        4. Detection via README.txt
        5. Detection via the manifest file
        6. Detection via unique keywords
      2. Joomla reconnaissance using Metasploit
    5. Enumerating Joomla plugins and modules using Metasploit
      1. Page enumeration
      2. Plugin enumeration
    6. Performing vulnerability scanning with Joomla
    7. Joomla exploitation using Metasploit
      1. How does the exploit work?
    8. Joomla shell upload
    9. Summary
    10. Questions
    11. Further reading
  18. Pentesting CMSes - Drupal
    1. Technical requirements
    2. Introduction to Drupal and its architecture
      1. Drupal's architecture
      2. Directory structure
    3. Drupal reconnaissance and enumeration
      1. Detection via README.txt
      2. Detection via meta tags
      3. Detection via server headers
      4. Detection via CHANGELOG.txt
      5. Detection via install.php
      6. Plugin, theme, and module enumeration
    4. Drupal vulnerability scanning using droopescan
    5. Exploiting Drupal
      1. Exploiting Drupal using Drupalgeddon2
        1. Understanding the Drupalgeddon vulnerability
        2. Exploiting Drupalgeddon2 using Metasploit
      2. The RESTful Web Services exploit – unserialize()
        1. Understanding serialization
        2. What is a POP chain?
        3. Deserializing the payload
        4. Exploiting RESTful Web Services RCE via unserialize() using Metasploit
    6. Summary
    7. Questions
    8. Further reading
  19. Performing Pentesting on Technological Platforms
  20. Penetration Testing on Technological Platforms - JBoss
    1. Technical requirements
    2. An introduction to JBoss
      1. The JBoss architecture (JBoss 5)
      2. JBoss files and the directory structure
    3. Reconnaissance and enumeration
      1. Detection via the home page
      2. Detection via the error page
      3. Detection via the title HTML tag
      4. Detection via X-Powered-By
      5. Detection via hashing favicon.ico
      6. Detection via stylesheets (CSS)
      7. Carrying out a JBoss status scan using Metasploit
      8. JBoss service enumeration
    4. Performing a vulnerability assessment on JBoss AS
      1. Vulnerability scanning using JexBoss
      2. Vulnerable JBoss entry points
    5. JBoss exploitation
      1. JBoss exploitation via the administration console
      2. Exploitation via the JMX console (the MainDeployer method)
      3. Exploitation via the JMX console using Metasploit (MainDeployer)
      4. Exploitation via the JMX console (BSHDeployer)
      5. Exploitation via the JMX console using Metasploit (BSHDeployer)
      6. Exploitation via the web console (Java applet)
      7. Exploitation via the web console (the Invoker method)
        1. Creating BSH scripts
        2. Deploying the BSH script using webconsole_invoker.rb
        3. Exploitation via JMXInvokerServlet (JexBoss)
      8. Exploitation via JMXInvokerServlet using Metasploit
    6. Summary
    7. Questions
    8. Further reading
  21. Penetration Testing on Technological Platforms - Apache Tomcat
    1. Technical requirements
    2. An introduction to Tomcat
    3. The Apache Tomcat architecture
    4. Files and their directory structures
    5. Detecting Tomcat installations
      1. Detection via the HTTP response header – X-Powered-By
      2. Detection via the HTTP response header – WWW-Authenticate
      3. Detection via HTML tags – the title tag
      4. Detection via HTTP 401 Unauthorized error
      5. Detection via unique fingerprinting (hashing)
      6. Detection via directories and files
    6. Version detection
      1. Version detection via the HTTP 404 error page
      2. Version disclosure via Release-Notes.txt
      3. Version disclosure via Changelog.html
    7. Exploiting Tomcat
      1. The Apache Tomcat JSP upload bypass vulnerability
      2. Tomcat WAR shell upload (authenticated)
    8. An introduction to Apache Struts
      1. Understanding OGNL
      2. OGNL expression injection
      3. Testing for remote code execution via OGNL injection
      4. Testing for blind remote code execution via OGNL injection
      5. Testing for OGNL out-of-band injection
      6. Struts 2 exploitation using Metasploit
    9. Summary
    10. Questions
    11. Further reading
  22. Penetration Testing on Technological Platforms - Jenkins
    1. Technical requirements
    2. Introduction to Jenkins
    3. Jenkins terminology
      1. The Stapler library
      2. URL routing
      3. Apache Groovy
      4. Meta-programming
      5. Abstract syntax tree
      6. Pipeline
    4. Jenkins reconnaissance and enumeration
      1. Detecting Jenkins using favicon hashes
      2. Detecting Jenkins using HTTP response headers
      3. Jenkins enumeration using Metasploit
    5. Exploiting Jenkins
      1. Jenkins ACL bypass
      2. Understanding Jenkins unauthenticated RCE
    6. Summary
    7. Questions
    8. Further reading
  23. Logical Bug Hunting
  24. Web Application Fuzzing - Logical Bug Hunting
    1. Technical requirements
    2. What is fuzzing?
    3. Fuzzing terminology
    4. Fuzzing attack types
      1. Application fuzzing
      2. Protocol fuzzing
      3. File-format fuzzing
    5. Introduction to web app fuzzing
      1. Fuzzer installation (Wfuzz)
      2. Fuzzer installation (ffuf)
    6. Identifying web application attack vectors
      1. HTTP request verbs
        1. Fuzzing HTTP methods/verbs using Wfuzz
        2. Fuzzing HTTP methods/verbs using ffuf
        3. Fuzzing HTTP methods/verbs using Burp Suite Intruder
      2. HTTP request URIs
        1. Fuzzing an HTTP request URI path using Wfuzz
        2. Fuzzing an HTTP request URI path using ffuf
        3. Fuzzing an HTTP request URI path using Burp Suite Intruder
        4. Fuzzing HTTP request URI filenames and file extensions using Wfuzz
        5. Fuzzing HTTP request URI filenames and file extensions using ffuf
        6. Fuzzing HTTP request URI filenames and file extensions using Burp Suite Intruder
        7. Fuzzing an HTTP request URI using Wfuzz (GET parameter + value)
        8. Fuzzing an HTTP request URI using Burp Suite Intruder (GET parameter + value)
      3. HTTP request headers
        1. Fuzzing standard HTTP headers using Wfuzz, ffuf, and Burp Suite
          1. Scenario 1 – Cookie header fuzzing
          2. Scenario 2 – User-defined cookie header fuzzing
        2. Fuzzing a custom header using Wfuzz, ffuf, and Burp Suite
          1. Scenario 3 – Custom header fuzzing
    7. Summary
    8. Questions
    9. Further reading
  25. Writing Penetration Testing Reports
    1. Technical requirements
    2. Introduction to report writing
      1. Writing executive reports
        1. Title page
        2. Document version control
        3. Table of contents
        4. Objective
        5. Defined scope
        6. Key findings (impact)
        7. Issue overview
        8. Strategic recommendations
      2. Writing detailed technical reports
        1. Title page
        2. Document version control
        3. Table of contents
        4. Report summary
        5. Defined scope
        6. Methodology used
        7. CVSS
        8. Vulnerability summary
        9. Conclusion
        10. Appendix
    3. Introduction to Dradis Framework
      1. Pre-installation configuration
      2. Installation and setup
      3. Getting started with Dradis
      4. Importing third-party reports into Dradis
      5. Defining the security testing methodology in Dradis
      6. Organizing reports using Dradis
      7. Exporting reports in Dradis
    4. Working with Serpico
      1. Installation and setup
      2. Getting started with Serpico
      3. Importing data from Metasploit to Serpico
      4. Importing third-party reports into Serpico
      5. User management in Serpico
      6. Managing templates in Serpico
      7. Generating reports in multiple formats
    5. Summary
    6. Questions
    7. Further reading
  26. Assessment
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
  27. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think