Book: Metasploit: A Penetration Testers Guide (Jul, ’11)

[BillV]

Wow, just after I noticed that basics of hacking book, I noticed this one coming out by several of the OffSec guys. Will certainly be picking up a copy!

Metasploit: A Penetration Tester’s Guide
By: David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni

Amazon.com

No Starch Press

he Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, documentation is lacking and the tool can be hard to grasp for first-time users. Metasploit: A Penetration Tester’s Guide fills this gap by teaching you how to harness the Framework, use its many features, and interact with the vibrant community of Metasploit contributors.

The authors begin by building a foundation for penetration testing and establishing a fundamental methodology. From there, they explain the Framework’s conventions, interfaces, and module system, as they show you how to assess networks with Metasploit by launching simulated attacks. Having mastered the essentials, you’ll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, devastating wireless attacks, and targeted social engineering attacks.

[lorddicranius]

Very cool, thanks for the heads up BillV!

[dbest]

Nice find. If they cover more than what is on metasploit unleashed its gonna be a good buy.

[hayabusa]

Being that both muts and R3l1k are authoring, should be a good read.  Thanks, BillV, for the info.

[WCNA]

I will be getting this one too. I talked with muts (Mahti Aharoni) quite a few times when I took the OSCP course and he really knows his stuff. I hope the book is as good as the course was.

[hayabusa]

LOL… Yeah, I know.  Well, we KNOW he won’t beat out the course, with a book, else he’d lose a ton of $$.  😛  But I’m pretty sure it’ll be a great one, regardless!

[El33tsamurai]

With all the book reviews lately, I wonder if Don could get for one of the month give a way’s a year pass to http://www.packtpub.com/.  That would be really cool,

[BillV]

@El33tsamurai wrote:

With all the book reviews lately, I wonder if Don could get for one of the month give a way’s a year pass to http://www.packtpub.com/.  That would be really cool,

If anyone can get it done, it would be Don 🙂

http://packtlib.packtpub.com/

[Don Donzal]

I know books are great, but what do you think of the current giveaway?

I will take your advice and hit up packtpub. Just keep in mind that the giveaways are usually scheduled months in advance.

BTW – Thanks for the vote of confidence,
Don

[hayabusa]

@don – the current giveaway is yet another example of the respect and notice EH-net gets from great companies.  This one’s another great one.  Keep up the great work!

Edit: Gee… Can I say great one more time??? ;-p yep… Great!  LOL (sorry)

[El33tsamurai]

@BillV wrote:

@El33tsamurai wrote:

With all the book reviews lately, I wonder if Don could get for one of the month give a way’s a year pass to http://www.packtpub.com/.  That would be really cool,

If anyone can get it done, it would be Don 🙂

http://packtlib.packtpub.com/

I agree, Don I love this site.

[El33tsamurai]

@don wrote:

I know books are great, but what do you think of the current giveaway?

I will take your advice and hit up packtpub. Just keep in mind that the giveaways are usually scheduled months in advance.

BTW – Thanks for the vote of confidence,
Don

The new one is amazing and in my defense this was before it was posted 😀

[Anonymous]

Yah got this one in my amazon list too cant wait for this book should be good.

[cd1zz]

All of you might want to cancel your Amazon order and order direct from the publisher. After the 40% discount, the book is the same price plus you get an EBook version of it as well 🙂

http://www.backtrack-linux.org/backtrack/metasploit-a-penetration-testers-guide/?utm_source=twitterfeed&utm_medium=twitter

[lorddicranius]

cd1zz beat me to it 😛  Just pre-ordered it from nostarch.com.  I figured the ebook link would be sent via email or be available via the website once the book was released, but nope – I got the link to download it immediately upon pressing “submit order.”  Perusing through it already!

[cd1zz]

Super bad ass!

[dbest]

just found out about the nostarch option from my colleague and am gonna be purchasing the book. 🙂

[hayabusa]

Great read, so far.  (Obviously got the pdf, already)

[impelse]

How is the information between this book and the information in the offensive-security site?

[hayabusa]

Honestly, I haven’t even read it, with regards to doing any comparison, to this point.  But I’ve liked what I’ve read so far, and am looking forward to some of the stuff in the later chapters (some of the expanded info on SET and FastTrack, Karmetasploit, etc.)  It’s particularly refreshing to see continued effort at documenting the framework and working with it, rather than all the emphasis, elsewhere, on paid tools and commercial versions.

I haven’t looked closely at Metasploit Unleashed in some time, personally.  The book does start emphasizing PTES more, and following the PTES methodology (which is starting to be more common, from what I see and hear,) than I recall having seen anything of in online.  They go more deeply into building your own exploits and modules, and putting them into the framework, too, than what I recall from Unleashed.  The overall material just really looks good, and grabbed my attention.

Maybe once I finish this book, I’ll see about doing a comparison, from my viewpoint, between the book and Metasploit Unleashed, although, personally, I’m still happy to have both.  The nice thing about books, for me, is that once you get the hard copy, or print it out, you have something you don’t have to sit in front of a monitor to look at, for a change.

[tturner]

Use coupon code REDTEAM for the discount. I did not see it mentioned in this thread (but I may have missed it) so figured I’d let people know about it.

[cd1zz]

I’ve read both the Unleashed and have skimmed the PDF for this new book. I would say that if you’re not very experienced with metasploit, the book is great. It seems well written, clear and covers a lot of topics. There IS a lot of overlap with the Metasploit unleased online reference but you get much more rich content in the book. Explanations etc…

However, if you’ve spend any decent amount of time in the framework, there isn’t too much new information. I do like the karmetasploit stuff, aux module stuff and most of all, the porting exploits to the framework section.

I do think its valuable for anyone as a solid reference because its organized into one location!

[hayabusa]

  In total agreement, based on my reading, thus far.

[Don Donzal]

Official review coming from Jason Haddix soon.

Don

[impelse]

Great

[nicklauscombs]

officially ordered the book from no starch and really looking forward to browsing through this book.

to those that preordered the book and pdf did they put the pdf up for download right away? been a few days and havent seen it available for download yet….

[hayabusa]

You should be able to sign into your no-starch account, and under orders, see the book, and the link to the pdf was there, too.  It was available immediately, as soon as I finished ordering.

[nicklauscombs]

@hayabusa wrote:

You should be able to sign into your no-starch account, and under orders, see the book, and the link to the pdf was there, too.  It was available immediately, as soon as I finished ordering.

yeah that’s what i thought…. but no luck. i shot them an email to see whats up.

[Tancred]

I had to log out and then log back in for my download to register as available, but it was there minutes after I’d actually made my purchase.  Any update, nicklaus?

[nicklauscombs]

@Tancred wrote:

I had to log out and then log back in for my download to register as available, but it was there minutes after I’d actually made my purchase.  Any update, nicklaus?

not sure if there was a problem but after emailing them they quickly got back to me and made the download available. about halfway through the book and really enjoying the read so far.

[Tancred]

Awesome, was just curious because I’d had a similar issue.  Can’t wait til my physical copy arrives, but I wanted to pre-order so I could have it right away. 

[hayabusa]

Paperback arrived in today’s mail.  Now I can mark it up…  :-p

[DragonGorge]

Wondered if I could get some questions answered on the whois/netcraft section of this book.

In the Passive Information gathering section of Chapter 3, the book lists a whois performed on secmaniac.net which results in domain servers of XX.DOMAINCONTROL.COM and goes on to say that these servers are not owned by secmaniac.net:
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: SECMANIAC.NET
Created on: 03-Feb-10
Expires on: 03-Feb-12
Last Updated on: 03-Feb-10
Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM

1. How do we know these aren’t owned by secmaniac? Is the tipoff the fact that it’s “DOMAINCONTROL.COM” as opposed to “SECMANIAC.COM”?

The next section deals with NETCRAFT and lists the output below followed by an assertion that “this site appears to be hosted inside the author’s home, because the IP block appears to be part of a residential range.”
msf > whois 75.118.185.142
[*] exec: whois 75.118.185.142
WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1)
75.118.0.0 – 75.118.255.255
WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1)
75.118.184.0 – 75.118.191.255

2. As before, I’m not clear on what in the printout indicates this is part of a residential range. I’m used to seeing 192.168.x.x but this one is new to me.

On a different note, I noticed that performing the same steps in BT yield different information. The different IP addresses (96.126.127.220 as opposed to 75.118.185.142) and different outputs on whois. The different IP addresses don’t surprise me but the whois listing for 75.118.185.142 yeilds 4 lines while the current IP yields much more info. And does the book’s ip listing still comes up because the whois database hasn’t been updated?

[sil]

@DragonGorge wrote:

1. How do we know these aren’t owned by secmaniac? Is the tipoff the fact that it’s “DOMAINCONTROL.COM” as opposed to “SECMANIAC.COM”?

We know these aren’t OWNED by secmaniac because of the domain: DOMAINCONTROL.com which is a separate company altogether. You can dig out THEIR information using another whois:

whois -h whois.geektools.com domaincontrol.com

Then match up who owns those domains

@DragonGorge wrote:

2. As before, I’m not clear on what in the printout indicates this is part of a residential range. I’m used to seeing 192.168.x.x but this one is new to me.

You’re confusing things here. The IP address IS ALLOCATED for residential use. It is the PUBLIC IP addresses his provider assigned to him

@DragonGorge wrote:

On a different note, I noticed that performing the same steps in BT yield different information. The different IP addresses (96.126.127.220 as opposed to 75.118.185.142) and different outputs on whois. The different IP addresses don’t surprise me but the whois listing for 75.118.185.142 yeilds 4 lines while the current IP yields much more info. And does the book’s ip listing still comes up because the whois database hasn’t been updated?

You assume his addresses remain the same over time. If you took a look at his domain’s history, you can see he has changed it 2x since the book: http://toolbar.netcraft.com/site_report?url=http://www.secmaniac.com

[DragonGorge]

@sil wrote:

We know these aren’t OWNED by secmaniac because of the domain: DOMAINCONTROL.com which is a separate company altogether. You can dig out THEIR information using another whois:

That was what I was getting at – without researching DOMAINCONTROL we wouldn’t automatically know that it wasn’t the same company that owned secmaniac.net, right?

You’re confusing things here. The IP address IS ALLOCATED for residential use. It is the PUBLIC IP addresses his provider assigned to him

I’m confused by the line in the book that states “we can tell that this site appears to be hosted inside the author’s home, because the IP block appears to be part of a residential range.” To rephrase my question, how can we tell from the printout that this is a inside the author’s home (part of a residential range) as opposed to a business?

[sil]

Let’s take an example IP from a business: (IP is random)

[root@kenji ~/]# whois -h whois.arin.net 74.95.180.0



#

# The following results may also be obtained via:

# http://whois.arin.net/rest/nets;q=74.95.180.0?showDetails=true&showARIN=false&ext=netref2

#



Comcast Business Communications, LLC CBC-PHILADELPHIA-33 (NET-74-95-160-0-1) 74.95.160.0 - 74.95.191.255

Comcast Business Communications, LLC CBC-CM-4 (NET-74-92-0-0-1) 74.92.0.0 - 74.95.255.255

What do we notice with my example? Comcast Business Communications, What about normal Comcast cable users?

[root@kenji ~]# whois -h whois.arin.net 67.175.82.0



#

# The following results may also be obtained via:

# http://whois.arin.net/rest/nets;q=67.175.82.0?showDetails=true&showARIN=false&ext=netref2

#



Comcast Cable Communications, Inc. COMCAST (NET-67-160-0-0-1) 67.160.0.0 - 67.191.255.255

Comcast Cable Communications, Inc ILLINOIS-19 (NET-67-175-0-0-1) 67.175.0.0 - 67.175.127.255

Notice the differences? Now let’s look at what Rel1k posts in his book:

[root@kenji ~/]# whois -h whois.arin.net 75.118.185.142



#

# The following results may also be obtained via:

# http://whois.arin.net/rest/nets;q=75.118.185.142?showDetails=true&showARIN=false&ext=netref2

#



WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1) 75.118.184.0 - 75.118.191.255

WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1) 75.118.0.0 - 75.118.255.255

Most BUSINESSES will have their business information posted on the whois. We see none of this, alongside that statement, there is no indicator of any business name or secmaniac or maniac or sec or any other worthwhile identifier to state this IP space belongs to the author. So let’s see who owns the IP space and what type of business they are in: WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1) 75.118.0.0 – 75.118.255.255 Doesn’t seem like a security company to me, its a cable provider (http://www.wowway.com/).

Let’s try this with Microsoft:

[root@kenji ~]# nslookup microsoft.com | sed -n '8p' | awk '{print "whois -h whois.arin.net "$2}' |sh|grep "^Org"|sort -u

OrgAbuseEmail:  abuse@hotmail.com

OrgAbuseEmail:  abuse@microsoft.com

OrgAbuseEmail:  abuse@msn.com

OrgAbuseHandle: ABUSE231-ARIN

OrgAbuseHandle: HOTMA-ARIN

OrgAbuseHandle: MSNAB-ARIN

OrgAbuseName:   Abuse

OrgAbuseName:   Hotmail Abuse

OrgAbuseName:   MSN ABUSE

OrgAbusePhone:  +1-425-882-8080

OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE231-ARIN

OrgAbuseRef:    http://whois.arin.net/rest/poc/HOTMA-ARIN

OrgAbuseRef:    http://whois.arin.net/rest/poc/MSNAB-ARIN

OrgId:          MSFT

OrgNOCEmail:  noc@microsoft.com

OrgNOCHandle: ZM23-ARIN

OrgNOCName:   Microsoft Corporation

OrgNOCPhone:  +1-425-882-8080

OrgNOCRef:    http://whois.arin.net/rest/poc/ZM23-ARIN

OrgName:        Microsoft Corp

OrgTechEmail:  iprrms@microsoft.com

OrgTechHandle: MSFTP-ARIN

OrgTechName:   MSFT-POC

OrgTechPhone:  +1-425-882-8080

OrgTechRef:    http://whois.arin.net/rest/poc/MSFTP-ARIN

Notice two things 1) the information for the COMPANY and 2) the AMOUNT of information being returned. Most whois lookups will return A LOT of information for companies whereas for most ISPs, the return will be a line or two long. That’s first. The second thing to notice is the names of the business itself or the association with the domain you are looking up and the return information.

[root@kenji ~/]# whois -h whois.arin.net 96.126.127.220



#

# The following results may also be obtained via:

# http://whois.arin.net/rest/nets;q=96.126.127.220?showDetails=true&showARIN=false&ext=netref2

#



NetRange:       96.126.96.0 - 96.126.127.255

CIDR:           96.126.96.0/19

OriginAS:

NetName:        LINODE-US

NetHandle:      NET-96-126-96-0-1

Parent:         NET-96-0-0-0-0

NetType:        Direct Allocation

Comment:        This block is used for static customer allocations.

RegDate:        2011-05-06

Updated:        2012-02-24

Ref:            http://whois.arin.net/rest/net/NET-96-126-96-0-1



OrgName:        Linode

OrgId:          LINOD

Address:        329 E. Jimmie Leeds Road

Address:        Suite A

City:           Galloway

StateProv:      NJ

PostalCode:     08205

Country:        US

RegDate:        2008-04-24

Updated:        2010-08-31

Comment:        http://www.linode.com

Ref:            http://whois.arin.net/rest/org/LINOD



OrgNOCHandle: LNO21-ARIN

OrgNOCName:   Linode Network Operations

OrgNOCPhone:  +1-609-593-7103

OrgNOCEmail:  support@linode.com

OrgNOCRef:    http://whois.arin.net/rest/poc/LNO21-ARIN



OrgAbuseHandle: LAS12-ARIN

OrgAbuseName:   Linode Abuse Support

OrgAbusePhone:  +1-609-593-7103

OrgAbuseEmail:  abuse@linode.com

OrgAbuseRef:    http://whois.arin.net/rest/poc/LAS12-ARIN



OrgTechHandle: LNO21-ARIN

OrgTechName:   Linode Network Operations

OrgTechPhone:  +1-609-593-7103

OrgTechEmail:  support@linode.com

OrgTechRef:    http://whois.arin.net/rest/poc/LNO21-ARIN



RNOCHandle: LNO21-ARIN

RNOCName:   Linode Network Operations

RNOCPhone:  +1-609-593-7103

RNOCEmail:  support@linode.com

RNOCRef:    http://whois.arin.net/rest/poc/LNO21-ARIN



RTechHandle: LNO21-ARIN

RTechName:   Linode Network Operations

RTechPhone:  +1-609-593-7103

RTechEmail:  support@linode.com

RTechRef:    http://whois.arin.net/rest/poc/LNO21-ARIN



RAbuseHandle: LAS12-ARIN

RAbuseName:   Linode Abuse Support

RAbusePhone:  +1-609-593-7103

RAbuseEmail:  abuse@linode.com

RAbuseRef:    http://whois.arin.net/rest/poc/LAS12-ARIN

So who is this? What kind of company is it? I will let you answer this question now. It all boils down to power of logic and reasoning when unsure. You can i) Visit the website a whois returns to see more about the type of business associated with
the address and so forth.

This is THE BIGGEST REASON that I am a stickler for understanding the common grounds of networking and systems before even attempting to venture out into security.

[DragonGorge]

For the challenge on the current (as opposed to the book’s) whois/netcraft results…

Performing a whois on secmaniac.net yields:

Domain name: secmaniac.net



Registrant Contact:

  Whois Privacy Protection Service, Inc.

  Whois Agent ()

 

  Fax:

  PMB 368, 14150 NE 20th St - F1

  C/O secmaniac.net

  Bellevue, WA 98007

  US



Administrative Contact:

  Whois Privacy Protection Service, Inc.

  Whois Agent (vmhpxgmj@whoisprivacyprotect.com)

  +1.4252740657

  Fax: +1.4259744730

  PMB 368, 14150 NE 20th St - F1

  C/O secmaniac.net

  Bellevue, WA 98007

  US



Technical Contact:

  Whois Privacy Protection Service, Inc.

  Whois Agent (vmhpxgmj@whoisprivacyprotect.com)

  +1.4252740657

  Fax: +1.4259744730

  PMB 368, 14150 NE 20th St - F1

  C/O secmaniac.net

  Bellevue, WA 98007

  US



Status: Locked



Name Servers:

  ns1.secmaniac.net

  ns2.secmaniac.net

  ns3.secmaniac.net

  ns4.secmaniac.net

Not a lot of company related info here (as opposed to what we’d get from yahoo.com) and the Netcraft query yields 96.126.127.220 for the ip and the owner of the netblock being Linode. Additionally, the “C/O secmaniac.net” would be a clue that we’re dealing with some kind of hosting/proxy service.

So looking at the results of your previous posting on the 96.126.127.220 we again see a info pertaining to Linode and further inspection of Linode indicates this is a web hosting company, i.e. this is not a residential. Yes/No/Partial credit?

Curiously, doing a nslookup on secmaniac.net yields a different ip and doing yet another whois on that ip yields the following

> set type=any

> secmaniac.net



Non-authoritative answer:

Name:	secmaniac.net

Address: 184.106.97.209



whois results:

Rackspace Hosting RACKS-8-NET-4 (NET-184-106-0-0-1) 184.106.0.0 - 184.106.255.255

Slicehost RACKS-8-1292257565649418 (NET-184-106-96-0-1) 184.106.96.0 - 184.106.99.255

Which appears to be yet another web/cloud hosting company.

However, I can ping 96.126.127.220 but not 184.106.97.209 so my conclusion would be that the nslookup info is stale and secmaniac.net has been moving around quite a bit since the book was written.

I’d still like to do the same analysis on a real residential site.

[Author]

Posts