Book review: Metasploit - The Penetration Tester's Guide by Kennedy, O'Gorman, Kearns and Aharoni

Pentesters of the world, this is a book you need to know about. This book talks in 17 chapters and 2 annexes about "the tool" for security testing i.e. Metasploit.

The first element you find in this book is a foreword by the founder of The Metasploit Project and Framework, created already in 2003 and 2004. In 2007, it was migrated from Perl to Ruby.

The following paragraphs provide a helicopter view of what the reader can find in the chapters of this book. This post by no means replaces the reading, and the careful study, of this book. On the contrary, it encourages it!

1 The basics of pen testing

This introductory chapter refers to the industry-redefining value of the Penetration Testing Execution Standard (PTES): An excellent first place to look at for those starting in this field. This chapter mentions the phases of a pen test and the types of tests i.e. overt and covert, depending on how many people in the tested organisation know about the test.

2 The basics of metasploit

Key chapter to grasp the different metasploit tools:
- Interfaces such as the console, the command line interface, the graphical user interface named Armitage.
- Utilities such as msfpayload, msfencode or even the assembly code related tool nasm shell.
- And, certainly, two commercial tools such as Metasploit Express and Pro. 

3 Intelligence gathering

Right after deciding which target to assess, the intelligence gathering phase takes care to collect relevant information before even trying out the target's security capabilities.

There are two types of data collection, passive and active. Metasploit is essential in the active intelligence gathering phase through the use of port, SNMP, SSH and custom scanners. This chapter explains how to link metasploit with two different databases i.e. MySQL and PostgreSQL.

4 Vulnerability scanning

Once the systems to assess have been identified, the next step is to scan them to identify vulnerabilities. There are many tools to scan systems. This chapter focuses initially on NeXpose Community edition, the free version of a vulnerability scanner that provides both a graphical interface and integration with msfconsole.

The second scanner that this chapter mentions is Nessus. It can also be invoked from the msfconsole and its results can also be imported into the metasploit framework.

This fourth ends up with a reference to what the authors call specialty vulnerability scanners and the possibility to use metasploit's autopown to launch attacks based on the scanners' results.  

5 The joy of exploitation

The metasploit console offers the possibility to exploit assessed systems based on the vulnerability scanning. The tester can also launch an nmap scanning from the metasploit console (msf). This nmap action can also contain specific scripts from the nmap scripting engine.

Metasploit offers a specific syntax, explained in this chapter, to proceed with the exploitation of the assessed system by configuring exploits and payloads.

6 Meterpreter

This is a special type of payload that metasploit can inject into the vulnerable system. It consists of an interpreter responding to specific command lines e.g. to capture a screenshot or to capture keystrokes.

This chapter also describes the use of a system to jump into other systems.

7 Avoiding detection 

In this occasion, the authors of the book refer to the controversial topic of antivirus evasion. They also have a small reference to file packers as a simple way to fool malware detection tools.

8 Exploitation using client-side attacks

The pages of this chapter are an introduction to a very common type of attack based on compromising client computers via e.g. browser and file format exploits.

9 Metasploit auxiliary modules

The art of pen-testing starts with metasploit auxiliary modules: A way to perform actions in the compromised box without using payloads.

10 The social-engineer toolkit

This toolkit was born with the site. This piece of work is where soft skills (social engineering) and technical mastery meet. This toolkit is a comprehensive way to deepen into client-side attacks combining different techniques based on the software that could be easily found in almost every desktop nowadays.

11 Fast-track

On top of the metasploit framework, the creator of the social-engineering toolkit, Dave Kennedy, built a Python-based tool to even further automate some advance attack vectors.

12 Karmetasploit

If the systems you need to assess are using a wireless network, then this chapter can help creating a fake wireless access point from where to launch part of the metasploit arsenal.

13 Building your own module

Currently metasploit is coded in Ruby. The creation of new modules is possible. This is one of the beauties of this framework: It grows with its community. 

14 Creating your own exploits

For those advanced ninja pen-testers out there, this chapter provides guidance on how to write their own exploits starting with running a fuzzer to discover and exploiting new vulnerabilities in systems.

15 Porting exploits to the metasploit framework

Again a chapter for those advanced pen testers planning to introduce into metasploit stand-alone exploits.

16 Meterpreter scripting

Pen-testers can also extend metasploit's scripting environment. Advanced stuff.

17 Simulated penetration test

This is the chapter you need to read if you can only read one chapter of this book: a guided example of what this book describes.

Annex A Configuring target machines
Annex B Cheat sheet

These two final annexes provide guidance, first, on how to create a testing lab to start using metasploit and, second, on the commands available in metasploit.

All in all, a reference book in the world of pentesing and code hacking/development!

Thanks a million to all the authors!

Happy exploiting!

A page in History