Sagar Rahalkar

Quick Start Guide to Penetration TestingWith NMAP, OpenVAS and Metasploit

Sagar Rahalkar

Pune, Maharashtra, India

Any source code or other supplementary material referenced by the author in this book is available to readers on GitHub via the book’s product page, located at www.​apress.​com/​978-1-4842-4269-8 . For more detailed information, please visit www.​apress.​com/​source-code .

ISBN 978-1-4842-4269-8e-ISBN 978-1-4842-4270-4

https://doi.org/10.1007/978-1-4842-4270-4

Library of Congress Control Number: 2018964909

© Sagar Rahalkar 2019

Standard Apress

Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.

Introduction

Vulnerability assessment and penetration testing have become very important, especially in the past couple of years. Organizations often have complex networks of assets storing sensitive data, and such assets are exposed to potential threats from the inside as well as from the outside. To get an overview of the security posture of an organization, conducting a vulnerability assessment is an essential step. Performing penetration tests requires a well-planned and methodical approach.

To help you perform various tasks across the phases of the penetration testing lifecycle, there are tons of tools, scripts, and utilities available. Linux distributions such as Kali Linux even provide bundled tools to perform these tasks.

It is natural to get overwhelmed with the number of tools available. However, there are a few tools that are so powerful and flexible that they alone can perform most of the tasks across the phases of the penetration testing lifecycle.

This book will get you started with the fundamentals of three such tools: NMAP, OpenVAS, and Metasploit. Just by using these three tools alone, you will acquire extensive penetration testing capabilities.

By the end of this book, you’ll have a substantial understanding of NMAP, OpenVAS, and Metasploit and will be able to apply your skills in real-world pen testing scenarios.

Table of Contents

Chapter 1:​ Introduction to NMAP 1

NMAP 4

NMAP Installation 5

Introduction to NMAP and ZENMAP 6

NMAP Port States 8

Basic Scanning with NMAP 9

NMAP Scripts 20

NMAP Output 40

NMAP and Python 40

Summary 44

Do-It-Yourself (DIY) Exercises 45

Chapter 2:​ OpenVAS 47

Introduction to OpenVAS 48

Installation 49

OpenVAS Administration 55

Feed Update 55

User Management 57

Dashboard 59

Scheduler 60

Trashcan 60

Help 61

Vulnerability Scanning 62

OpenVAS Additional Settings 66

Performance 66

CVSS Calculator 67

Settings 68

Reporting 69

Summary 71

Do-It-Yourself (DIY) Exercises 71

Chapter 3:​ Metasploit 73

Introduction to Metasploit 73

Anatomy and Structure of Metasploit 74

Auxiliaries 76

Payloads 76

Exploits 77

Encoders 77

Post-Exploitation Activities (Post) 78

Basic Commands and Configuration 79

help 80

version 81

connect 82

history 83

set and setg 84

get and getg 85

unset and unsetg 85

save 86

info 87

irb 87

show 88

spool 89

makerc 89

db_​initiate 90

db_​status 90

workspace 91

Invoking NMAP and OpenVAS Scans from Metasploit 92

NMAP 92

OpenVAS 95

Scanning and Exploiting Services with Metasploit Auxiliaries 100

DNS 100

FTP 101

HTTP 102

RDP 104

SMB 104

SSH 106

VNC 107

Meterpreter Basics 108

Meterpreter Commands 108

Core Commands 108

Stdapi:​ System Commands 110

Stdapi:​ User Interface Commands 112

Stdapi:​ Webcam Commands 112

Stdapi:​ Audio Output Commands 113

Priv:​ Elevate Commands 113

Priv:​ Password Database Commands 114

Priv:​ Timestomp Commands 114

Using Meterpreter 114

sysinfo 115

ls 116

getuid 117

getsystem 117

screenshot 118

hashdump 119

Searchsploit 120

Summary 120

Do-It-Yourself (DIY) Exercises 121

Chapter 4:​ Use Case 123

Creating a Virtual Lab 123

Carrying Out Reconnaissance 124

Exploiting the System 126

Index 135

About the Author and About the Technical Reviewer

About the Author

Sagar Rahalkar

is a seasoned information security professional with 11 years of comprehensive experience in the various verticals of information security. His domain expertise is in cybercrime investigations, digital forensics, application security, vulnerability assessment and penetration testing, compliance for mandates and regulations, and IT CRC. He has a master’s degree in computer science and several industry-recognized certifications such as Certified Cyber Crime Investigator, Certified Ethical Hacker, Certified Security Analyst, ISO 27001 Lead Auditor, IBM Certified Specialist – Rational AppScan, Certified Information Security Manager (CISM), and PRINCE2, to name a few. He has been closely associated with Indian law enforcement agencies for more than four years, dealing with digital crime investigations and related trainings for officers, and has received several awards and appreciations from senior officials in police and defense organizations in India. He is the author of several books and articles on information security.

 

About the Technical Reviewer

Sanjib Sinha

is a certified .NET Windows and web developer, specializing in Python, security programming, and PHP; he won Microsoft’s Community Contributor Award in 2011. As a published author, his books include Beginning Ethical Hacking with Python and Beginning Laravel , published by Apress.