Title Page
Copyright and Credits
Hands-On Web Penetration Testing with Metasploit
About Packt
Why subscribe?
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Disclaimer
Get in touch
Reviews
Introduction
Introduction to Web Application Penetration Testing
What is a penetration test?
Types of penetration test
White box penetration test
Black box penetration test
Gray box penetration test
Stages of penetration testing
Reconnaissance and information gathering
Enumeration
Vulnerability assessment and analysis
Exploitation
Reporting
Important terminologies
Penetration testing methodologies
Open Source Security Testing Methodology Manual (OSSTMM)
Operational security metrics
Trust analysis
Human security testing
Physical security testing
Wireless security testing
Telecommunications security testing
Data network security testing
Compliance regulations
Reporting with the STAR
OSSTMM test types
Information Systems Security Assessment Framework (ISSAF)
Penetration Testing Execution Standard (PTES)
Pre-engagement interactions
Intelligence gathering
Threat modeling
Vulnerability analysis
Exploitation
Post-exploitation
Reporting
Common Weakness Enumeration (CWE)
OWASP Top 10
SANS TOP 25
Summary
Questions
Further reading
Metasploit Essentials
Technical requirements
Introduction to Metasploit Framework
Metasploit Framework terminology
Installing and setting up Metasploit
Installing Metasploit Framework on *nix
Installing Metasploit Framework on Windows
Getting started with Metasploit Framework
Interacting with Metasploit Framework using msfconsole
MSF console commands
Customizing global settings
Variable manipulation in MSF
Exploring MSF modules
Running OS commands in MSF
Setting up a database connection in Metasploit Framework
Loading plugins in MSF
Using Metasploit modules
Searching modules in MSF
Checking for hosts and services in MSF
Nmap scanning with MSF
Setting up payload handling in MSF
MSF payload generation
Generating an MSF payload using msfconsole (one-liner)
Generating an MSF payload using msfvenom
Summary
Questions
Further reading
The Metasploit Web Interface
Technical requirements
Introduction to the Metasploit web interface
Installing and setting up the web interface
Installing Metasploit Community Edition on Windows
Installing Metasploit Community Edition on Linux/Debian
Getting started with the Metasploit web interface
Interface
Main menu
Project tab bar
Navigational breadcrumbs
Tasks bar
Project creation
Default project
Creating a custom project
Target enumeration
Using the built-in option
Importing scan results
Module selection
Auxiliary module
Using an exploit module
Session interaction
Post-exploitation modules
Summary
Questions
Further reading
The Pentesting Life Cycle with Metasploit
Using Metasploit for Reconnaissance
Technical requirements
Introduction to reconnaissance
Active reconnaissance
Banner grabbing
HTTP header detection
Web robot page enumeration
Finding hidden Git repos
Open proxy detection
Passive reconnaissance
Archived domain URLs
Censys
SSL recon
Summary
Questions
Further reading
Web Application Enumeration Using Metasploit
Technical requirements
Introduction to enumeration
DNS enumeration
Going the extra mile – editing source code
Enumerating files
Crawling and scraping with Metasploit
Scanning virtual hosts
Summary
Questions
Further reading
Vulnerability Scanning Using WMAP
Technical requirements
Understanding WMAP
The WMAP scanning process
Data reconnaissance
Loading the scanner
WMAP configuration
Launching WMAP
WMAP module execution order
Adding a module to WMAP
Clustered scanning using WMAP
Summary
Questions
Further reading
Vulnerability Assessment Using Metasploit (Nessus)
Technical requirements
Introduction to Nessus
Using Nessus with Metasploit
Nessus authentication via Metasploit
Basic commands
Patching the Metasploit library
Performing a Nessus scan via Metasploit
Using the Metasploit DB for Nessus scan
Importing Nessus scan in the Metasploit DB
Summary
Questions
Further reading
Pentesting Content Management Systems (CMSes)
Pentesting CMSes - WordPress
Technical requirements
Introduction to WordPress
WordPress architecture
File/directory structure
Base folder
wp-includes
wp-admin
wp-content
WordPress reconnaissance and enumeration
Version detection
Readme.html
Meta generator
Getting the version via JavaScript and CSS files
Getting the version via the feed
Using Outline Processor Markup Language (OPML)
Unique/advanced fingerprinting
WordPress reconnaissance using Metasploit
WordPress enumeration using Metasploit
Vulnerability assessment for WordPress
WordPress exploitation part 1 – WordPress Arbitrary File Deletion
Vulnerability flow and analysis
Exploiting the vulnerability using Metasploit
WordPress exploitation part 2 – unauthenticated SQL injection
Vulnerability flow and analysis
Exploiting the vulnerability using Metasploit
WordPress exploitation part 3 – WordPress 5.0.0 Remote Code Execution
Vulnerability flow and analysis
Exploiting the vulnerability using Metasploit
Going the extra mile – customizing the Metasploit exploit
Summary
Questions
Further reading
Pentesting CMSes - Joomla
Technical requirements
An introduction to Joomla
The Joomla architecture
The file and directory structure
Reconnaissance and enumeration
Version detection
Detection via a meta tag
Detection via server headers
Detection via language configurations
Detection via README.txt
Detection via the manifest file
Detection via unique keywords
Joomla reconnaissance using Metasploit
Enumerating Joomla plugins and modules using Metasploit
Page enumeration
Plugin enumeration
Performing vulnerability scanning with Joomla
Joomla exploitation using Metasploit
How does the exploit work?
Joomla shell upload
Summary
Questions
Further reading
Pentesting CMSes - Drupal
Technical requirements
Introduction to Drupal and its architecture
Drupal's architecture
Directory structure
Drupal reconnaissance and enumeration
Detection via README.txt
Detection via meta tags
Detection via server headers
Detection via CHANGELOG.txt
Detection via install.php
Plugin, theme, and module enumeration
Drupal vulnerability scanning using droopescan
Exploiting Drupal
Exploiting Drupal using Drupalgeddon2
Understanding the Drupalgeddon vulnerability
Exploiting Drupalgeddon2 using Metasploit
The RESTful Web Services exploit – unserialize()
Understanding serialization
What is a POP chain?
Deserializing the payload
Exploiting RESTful Web Services RCE via unserialize() using Metasploit
Summary
Questions
Further reading
Performing Pentesting on Technological Platforms
Penetration Testing on Technological Platforms - JBoss
Technical requirements
An introduction to JBoss
The JBoss architecture (JBoss 5)
JBoss files and the directory structure
Reconnaissance and enumeration
Detection via the home page
Detection via the error page
Detection via the title HTML tag
Detection via X-Powered-By
Detection via hashing favicon.ico
Detection via stylesheets (CSS)
Carrying out a JBoss status scan using Metasploit
JBoss service enumeration
Performing a vulnerability assessment on JBoss AS
Vulnerability scanning using JexBoss
Vulnerable JBoss entry points
JBoss exploitation
JBoss exploitation via the administration console
Exploitation via the JMX console (the MainDeployer method)
Exploitation via the JMX console using Metasploit (MainDeployer)
Exploitation via the JMX console (BSHDeployer)
Exploitation via the JMX console using Metasploit (BSHDeployer)
Exploitation via the web console (Java applet)
Exploitation via the web console (the Invoker method)
Creating BSH scripts
Deploying the BSH script using webconsole_invoker.rb
Exploitation via JMXInvokerServlet (JexBoss)
Exploitation via JMXInvokerServlet using Metasploit
Summary
Questions
Further reading
Penetration Testing on Technological Platforms - Apache Tomcat
Technical requirements
An introduction to Tomcat
The Apache Tomcat architecture
Files and their directory structures
Detecting Tomcat installations
Detection via the HTTP response header – X-Powered-By
Detection via the HTTP response header – WWW-Authenticate
Detection via HTML tags – the title tag
Detection via HTTP 401 Unauthorized error
Detection via unique fingerprinting (hashing)
Detection via directories and files
Version detection
Version detection via the HTTP 404 error page
Version disclosure via Release-Notes.txt
Version disclosure via Changelog.html
Exploiting Tomcat
The Apache Tomcat JSP upload bypass vulnerability
Tomcat WAR shell upload (authenticated)
An introduction to Apache Struts
Understanding OGNL
OGNL expression injection
Testing for remote code execution via OGNL injection
Testing for blind remote code execution via OGNL injection
Testing for OGNL out-of-band injection
Struts 2 exploitation using Metasploit
Summary
Questions
Further reading
Penetration Testing on Technological Platforms - Jenkins
Technical requirements
Introduction to Jenkins
Jenkins terminology
The Stapler library
URL routing
Apache Groovy
Meta-programming
Abstract syntax tree
Pipeline
Jenkins reconnaissance and enumeration
Detecting Jenkins using favicon hashes
Detecting Jenkins using HTTP response headers
Jenkins enumeration using Metasploit
Exploiting Jenkins
Jenkins ACL bypass
Understanding Jenkins unauthenticated RCE
Summary
Questions
Further reading
Logical Bug Hunting
Web Application Fuzzing - Logical Bug Hunting
Technical requirements
What is fuzzing?
Fuzzing terminology
Fuzzing attack types
Application fuzzing
Protocol fuzzing
File-format fuzzing
Introduction to web app fuzzing
Fuzzer installation (Wfuzz)
Fuzzer installation (ffuf)
Identifying web application attack vectors
HTTP request verbs
Fuzzing HTTP methods/verbs using Wfuzz
Fuzzing HTTP methods/verbs using ffuf
Fuzzing HTTP methods/verbs using Burp Suite Intruder
HTTP request URIs
Fuzzing an HTTP request URI path using Wfuzz
Fuzzing an HTTP request URI path using ffuf
Fuzzing an HTTP request URI path using Burp Suite Intruder
Fuzzing HTTP request URI filenames and file extensions using Wfuzz
Fuzzing HTTP request URI filenames and file extensions using ffuf
Fuzzing HTTP request URI filenames and file extensions using Burp Suite Intruder
Fuzzing an HTTP request URI using Wfuzz (GET parameter + value)
Fuzzing an HTTP request URI using Burp Suite Intruder (GET parameter + value)
HTTP request headers
Fuzzing standard HTTP headers using Wfuzz, ffuf, and Burp Suite
Scenario 1 – Cookie header fuzzing
Scenario 2 – User-defined cookie header fuzzing
Fuzzing a custom header using Wfuzz, ffuf, and Burp Suite
Scenario 3 – Custom header fuzzing
Summary
Questions
Further reading
Writing Penetration Testing Reports
Technical requirements
Introduction to report writing
Writing executive reports
Title page
Document version control
Table of contents
Objective
Defined scope
Key findings (impact)
Issue overview
Strategic recommendations
Writing detailed technical reports
Title page
Document version control
Table of contents
Report summary
Defined scope
Methodology used
CVSS
Vulnerability summary
Conclusion
Appendix
Introduction to Dradis Framework
Pre-installation configuration
Installation and setup
Getting started with Dradis
Importing third-party reports into Dradis
Defining the security testing methodology in Dradis
Organizing reports using Dradis
Exporting reports in Dradis
Working with Serpico
Installation and setup
Getting started with Serpico
Importing data from Metasploit to Serpico
Importing third-party reports into Serpico
User management in Serpico
Managing templates in Serpico
Generating reports in multiple formats
Summary
Questions
Further reading
Assessment
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Other Books You May Enjoy
Leave a review - let other readers know what you think