Book: Metasploit: A Penetration Tester’s Guide (Jul, ’11)

    • #6578
      BillV
      Participant

      Wow, just after I noticed that basics of hacking book, I noticed this one coming out by several of the OffSec guys. Will certainly be picking up a copy!

      Metasploit: A Penetration Tester’s Guide
      By: David Kennedy, Jim O’Gorman, Devon Kearns, Mati Aharoni

      Amazon.com

      No Starch Press

      The Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, documentation is lacking and the tool can be hard to grasp for first-time users. Metasploit: A Penetration Tester’s Guide fills this gap by teaching you how to harness the Framework, use its many features, and interact with the vibrant community of Metasploit contributors.

      The authors begin by building a foundation for penetration testing and establishing a fundamental methodology. From there, they explain the Framework’s conventions, interfaces, and module system, as they show you how to assess networks with Metasploit by launching simulated attacks. Having mastered the essentials, you’ll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, devastating wireless attacks, and targeted social engineering attacks.

    • #40745
      lorddicranius
      Participant

      Very cool, thanks for the heads up BillV!

    • #40746
      dbest
      Participant

      Nice find. If they cover more than what is on Metasploit Unleashed, it’s gonna be a good buy.

    • #40747
      hayabusa
      Participant

      Being that both muts and R3l1k are authoring, should be a good read.  Thanks, BillV, for the info.

    • #40748
      WCNA
      Participant

      I will be getting this one too. I talked with muts (Mati Aharoni) quite a few times when I took the OSCP course and he really knows his stuff. I hope the book is as good as the course was.

    • #40749
      hayabusa
      Participant

      LOL… Yeah, I know.  Well, we KNOW he won’t beat out the course, with a book, else he’d lose a ton of $$.  😛  But I’m pretty sure it’ll be a great one, regardless!

    • #40750
      El33tsamurai
      Participant

      With all the book reviews lately, I wonder if Don could get, for one of the monthly giveaways, a year pass to http://www.packtpub.com/.  That would be really cool.

    • #40751
      BillV
      Participant

      @El33tsamurai wrote:

      With all the book reviews lately, I wonder if Don could get, for one of the monthly giveaways, a year pass to http://www.packtpub.com/.  That would be really cool.

      If anyone can get it done, it would be Don 🙂

      http://packtlib.packtpub.com/

    • #40752
      Don Donzal
      Keymaster

      I know books are great, but what do you think of the current giveaway?

      I will take your advice and hit up packtpub. Just keep in mind that the giveaways are usually scheduled months in advance.

      BTW – Thanks for the vote of confidence,
      Don

    • #40753
      hayabusa
      Participant

      @don – the current giveaway is yet another example of the respect and notice EH-net gets from great companies.  This one’s another great one.  Keep up the great work!

      Edit: Gee… Can I say great one more time??? ;-p yep… Great!  LOL (sorry)

    • #40754
      El33tsamurai
      Participant

      @BillV wrote:

      @El33tsamurai wrote:

      With all the book reviews lately, I wonder if Don could get, for one of the monthly giveaways, a year pass to http://www.packtpub.com/.  That would be really cool.

      If anyone can get it done, it would be Don 🙂

      http://packtlib.packtpub.com/

      I agree, Don I love this site.

    • #40755
      El33tsamurai
      Participant

      @don wrote:

      I know books are great, but what do you think of the current giveaway?

      I will take your advice and hit up packtpub. Just keep in mind that the giveaways are usually scheduled months in advance.

      BTW – Thanks for the vote of confidence,
      Don

      The new one is amazing and in my defense this was before it was posted 😀

    • #40756
      Anonymous
      Participant

      Yah, got this one in my Amazon list too, can’t wait for this book, should be good.

    • #40757
      cd1zz
      Participant

      All of you might want to cancel your Amazon order and order direct from the publisher. After the 40% discount, the book is the same price plus you get an EBook version of it as well 🙂

      http://www.backtrack-linux.org/backtrack/metasploit-a-penetration-testers-guide/?utm_source=twitterfeed&utm_medium=twitter

    • #40758
      lorddicranius
      Participant

      cd1zz beat me to it 😛  Just pre-ordered it from nostarch.com.  I figured the ebook link would be sent via email or be available via the website once the book was released, but nope – I got the link to download it immediately upon pressing “submit order.”  Perusing through it already!

    • #40759
      cd1zz
      Participant

      Super bad ass!

    • #40760
      dbest
      Participant

      Just found out about the nostarch option from my colleague and am gonna be purchasing the book. 🙂

    • #40761
      hayabusa
      Participant

      Great read, so far.  (Obviously got the pdf, already)

    • #40762
      impelse
      Participant

      How is the information between this book and the information in the offensive-security site?

    • #40763
      hayabusa
      Participant

      Honestly, I haven’t even read it, with regards to doing any comparison, to this point.  But I’ve liked what I’ve read so far, and am looking forward to some of the stuff in the later chapters (some of the expanded info on SET and FastTrack, Karmetasploit, etc.)  It’s particularly refreshing to see continued effort at documenting the framework and working with it, rather than all the emphasis, elsewhere, on paid tools and commercial versions.

      I haven’t looked closely at Metasploit Unleashed in some time, personally.  The book does start emphasizing PTES more, and following the PTES methodology (which is starting to be more common, from what I see and hear), than I recall having seen anything of online.  They go more deeply into building your own exploits and modules, and putting them into the framework, too, than what I recall from Unleashed.  The overall material just really looks good, and grabbed my attention.

      Maybe once I finish this book, I’ll see about doing a comparison, from my viewpoint, between the book and Metasploit Unleashed, although, personally, I’m still happy to have both.  The nice thing about books, for me, is that once you get the hard copy, or print it out, you have something you don’t have to sit in front of a monitor to look at, for a change.

    • #40764
      tturner
      Participant

      Use coupon code REDTEAM for the discount. I did not see it mentioned in this thread (but I may have missed it) so figured I’d let people know about it.

    • #40765
      cd1zz
      Participant

      I’ve read both the Unleashed and have skimmed the PDF for this new book. I would say that if you’re not very experienced with Metasploit, the book is great. It seems well written, clear and covers a lot of topics. There IS a lot of overlap with the Metasploit Unleashed online reference, but you get much richer content in the book. Explanations etc…

      However, if you’ve spent any decent amount of time in the framework, there isn’t too much new information. I do like the Karmetasploit stuff, aux module stuff and most of all, the porting exploits to the framework section.

      I do think it’s valuable for anyone as a solid reference because it’s organized into one location!

    • #40766
      hayabusa
      Participant

      In total agreement, based on my reading, thus far.

    • #40767
      Don Donzal
      Keymaster

      Official review coming from Jason Haddix soon.

      Don

    • #40768
      impelse
      Participant

      Great

    • #40769
      nicklauscombs
      Participant

      Officially ordered the book from No Starch and really looking forward to browsing through this book.

      To those that preordered the book and PDF: did they put the PDF up for download right away? Been a few days and haven’t seen it available for download yet….

    • #40770
      hayabusa
      Participant

      You should be able to sign into your no-starch account, and under orders, see the book, and the link to the pdf was there, too.  It was available immediately, as soon as I finished ordering.

    • #40771
      nicklauscombs
      Participant

      @hayabusa wrote:

      You should be able to sign into your no-starch account, and under orders, see the book, and the link to the pdf was there, too.  It was available immediately, as soon as I finished ordering.

      Yeah, that’s what I thought…. but no luck. I shot them an email to see what’s up.

    • #40772
      Tancred
      Participant

      I had to log out and then log back in for my download to register as available, but it was there minutes after I’d actually made my purchase.  Any update, nicklaus?

    • #40773
      nicklauscombs
      Participant

      @Tancred wrote:

      I had to log out and then log back in for my download to register as available, but it was there minutes after I’d actually made my purchase.  Any update, nicklaus?

      Not sure if there was a problem, but after emailing them they quickly got back to me and made the download available. About halfway through the book and really enjoying the read so far.

    • #40774
      Tancred
      Participant

      Awesome, was just curious because I’d had a similar issue.  Can’t wait til my physical copy arrives, but I wanted to pre-order so I could have it right away. 

    • #40775
      hayabusa
      Participant

      Paperback arrived in today’s mail.  Now I can mark it up…  :-p

    • #40776
      DragonGorge
      Participant

      Wondered if I could get some questions answered on the whois/netcraft section of this book.

      In the Passive Information gathering section of Chapter 3, the book lists a whois performed on secmaniac.net which results in domain servers of XX.DOMAINCONTROL.COM and goes on to say that these servers are not owned by secmaniac.net:
      Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
      Domain Name: SECMANIAC.NET
      Created on: 03-Feb-10
      Expires on: 03-Feb-12
      Last Updated on: 03-Feb-10
      Domain servers in listed order:
      NS57.DOMAINCONTROL.COM
      NS58.DOMAINCONTROL.COM

      1. How do we know these aren’t owned by secmaniac? Is the tipoff the fact that it’s “DOMAINCONTROL.COM” as opposed to “SECMANIAC.COM”?

      The next section deals with NETCRAFT and lists the output below followed by an assertion that “this site appears to be hosted inside the author’s home, because the IP block appears to be part of a residential range.”
      msf > whois 75.118.185.142
      [*] exec: whois 75.118.185.142
      WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1)
      75.118.0.0 – 75.118.255.255
      WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1)
      75.118.184.0 – 75.118.191.255

      2. As before, I’m not clear on what in the printout indicates this is part of a residential range. I’m used to seeing 192.168.x.x but this one is new to me.

      On a different note, I noticed that performing the same steps in BT yields different information: different IP addresses (96.126.127.220 as opposed to 75.118.185.142) and different outputs on whois. The different IP addresses don’t surprise me, but the whois listing for 75.118.185.142 yields 4 lines while the current IP yields much more info. And does the book’s IP listing still come up because the whois database hasn’t been updated?

    • #40777
      sil
      Participant

      @DragonGorge wrote:

      1. How do we know these aren’t owned by secmaniac? Is the tipoff the fact that it’s “DOMAINCONTROL.COM” as opposed to “SECMANIAC.COM”?

      We know these aren’t OWNED by secmaniac because of the domain: DOMAINCONTROL.com which is a separate company altogether. You can dig out THEIR information using another whois:

      whois -h whois.geektools.com domaincontrol.com

      Then match up who owns those domains.

      @DragonGorge wrote:

      2. As before, I’m not clear on what in the printout indicates this is part of a residential range. I’m used to seeing 192.168.x.x but this one is new to me.

      You’re confusing things here. The IP address IS ALLOCATED for residential use. It is the PUBLIC IP address his provider assigned to him.

      @DragonGorge wrote:

      On a different note, I noticed that performing the same steps in BT yields different information: different IP addresses (96.126.127.220 as opposed to 75.118.185.142) and different outputs on whois. The different IP addresses don’t surprise me, but the whois listing for 75.118.185.142 yields 4 lines while the current IP yields much more info. And does the book’s IP listing still come up because the whois database hasn’t been updated?

      You assume his addresses remain the same over time. If you took a look at his domain’s history, you can see he has changed it 2x since the book: http://toolbar.netcraft.com/site_report?url=http://www.secmaniac.com

    • #40778
      DragonGorge
      Participant

      @sil wrote:

      We know these aren’t OWNED by secmaniac because of the domain: DOMAINCONTROL.com which is a separate company altogether. You can dig out THEIR information using another whois:

      That was what I was getting at – without researching DOMAINCONTROL we wouldn’t automatically know that it wasn’t the same company that owned secmaniac.net, right?

      You’re confusing things here. The IP address IS ALLOCATED for residential use. It is the PUBLIC IP address his provider assigned to him.

      I’m confused by the line in the book that states “we can tell that this site appears to be hosted inside the author’s home, because the IP block appears to be part of a residential range.” To rephrase my question, how can we tell from the printout that this is inside the author’s home (part of a residential range) as opposed to a business?

    • #40779
      sil
      Participant

      Let’s take an example IP from a business: (IP is random)


      [root@kenji ~/]# whois -h whois.arin.net 74.95.180.0

      #
      # The following results may also be obtained via:
      # http://whois.arin.net/rest/nets;q=74.95.180.0?showDetails=true&showARIN=false&ext=netref2
      #

      Comcast Business Communications, LLC CBC-PHILADELPHIA-33 (NET-74-95-160-0-1) 74.95.160.0 - 74.95.191.255
      Comcast Business Communications, LLC CBC-CM-4 (NET-74-92-0-0-1) 74.92.0.0 - 74.95.255.255

      What do we notice with my example? Comcast Business Communications. What about normal Comcast cable users?


      [root@kenji ~]# whois -h whois.arin.net 67.175.82.0

      #
      # The following results may also be obtained via:
      # http://whois.arin.net/rest/nets;q=67.175.82.0?showDetails=true&showARIN=false&ext=netref2
      #

      Comcast Cable Communications, Inc. COMCAST (NET-67-160-0-0-1) 67.160.0.0 - 67.191.255.255
      Comcast Cable Communications, Inc ILLINOIS-19 (NET-67-175-0-0-1) 67.175.0.0 - 67.175.127.255

      Notice the differences? Now let’s look at what Rel1k posts in his book:

      [root@kenji ~/]# whois -h whois.arin.net 75.118.185.142

      #
      # The following results may also be obtained via:
      # http://whois.arin.net/rest/nets;q=75.118.185.142?showDetails=true&showARIN=false&ext=netref2
      #

      WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1) 75.118.184.0 - 75.118.191.255
      WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1) 75.118.0.0 - 75.118.255.255

      Most BUSINESSES will have their business information posted on the whois. We see none of this; alongside that, there is no indicator of any business name, or secmaniac, or maniac, or sec, or any other worthwhile identifier to state that this IP space belongs to the author. So let’s see who owns the IP space and what type of business they are in: WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1) 75.118.0.0 – 75.118.255.255. Doesn’t seem like a security company to me; it’s a cable provider (http://www.wowway.com/).

      Let’s try this with Microsoft:


      [root@kenji ~]# nslookup microsoft.com | sed -n '8p' | awk '{print "whois -h whois.arin.net "$2}' |sh|grep "^Org"|sort -u
      OrgAbuseEmail:  abuse@hotmail.com
      OrgAbuseEmail:  abuse@microsoft.com
      OrgAbuseEmail:  abuse@msn.com
      OrgAbuseHandle: ABUSE231-ARIN
      OrgAbuseHandle: HOTMA-ARIN
      OrgAbuseHandle: MSNAB-ARIN
      OrgAbuseName:  Abuse
      OrgAbuseName:  Hotmail Abuse
      OrgAbuseName:  MSN ABUSE
      OrgAbusePhone:  +1-425-882-8080
      OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE231-ARIN
      OrgAbuseRef:    http://whois.arin.net/rest/poc/HOTMA-ARIN
      OrgAbuseRef:    http://whois.arin.net/rest/poc/MSNAB-ARIN
      OrgId:          MSFT
      OrgNOCEmail:  noc@microsoft.com
      OrgNOCHandle: ZM23-ARIN
      OrgNOCName:  Microsoft Corporation
      OrgNOCPhone:  +1-425-882-8080
      OrgNOCRef:    http://whois.arin.net/rest/poc/ZM23-ARIN
      OrgName:        Microsoft Corp
      OrgTechEmail:  iprrms@microsoft.com
      OrgTechHandle: MSFTP-ARIN
      OrgTechName:  MSFT-POC
      OrgTechPhone:  +1-425-882-8080
      OrgTechRef:    http://whois.arin.net/rest/poc/MSFTP-ARIN

      Notice two things: 1) the information for the COMPANY and 2) the AMOUNT of information being returned. Most whois lookups will return A LOT of information for companies, whereas for most ISPs the return will be a line or two long. That’s first. The second thing to notice is the names of the business itself, or the association between the domain you are looking up and the returned information.


      [root@kenji ~/]# whois -h whois.arin.net 96.126.127.220

      #
      # The following results may also be obtained via:
      # http://whois.arin.net/rest/nets;q=96.126.127.220?showDetails=true&showARIN=false&ext=netref2
      #

      NetRange:      96.126.96.0 - 96.126.127.255
      CIDR:          96.126.96.0/19
      OriginAS:
      NetName:        LINODE-US
      NetHandle:      NET-96-126-96-0-1
      Parent:        NET-96-0-0-0-0
      NetType:        Direct Allocation
      Comment:        This block is used for static customer allocations.
      RegDate:        2011-05-06
      Updated:        2012-02-24
      Ref:            http://whois.arin.net/rest/net/NET-96-126-96-0-1

      OrgName:        Linode
      OrgId:          LINOD
      Address:        329 E. Jimmie Leeds Road
      Address:        Suite A
      City:          Galloway
      StateProv:      NJ
      PostalCode:    08205
      Country:        US
      RegDate:        2008-04-24
      Updated:        2010-08-31
      Comment:        http://www.linode.com
      Ref:            http://whois.arin.net/rest/org/LINOD

      OrgNOCHandle: LNO21-ARIN
      OrgNOCName:  Linode Network Operations
      OrgNOCPhone:  +1-609-593-7103
      OrgNOCEmail:  support@linode.com
      OrgNOCRef:    http://whois.arin.net/rest/poc/LNO21-ARIN

      OrgAbuseHandle: LAS12-ARIN
      OrgAbuseName:  Linode Abuse Support
      OrgAbusePhone:  +1-609-593-7103
      OrgAbuseEmail:  abuse@linode.com
      OrgAbuseRef:    http://whois.arin.net/rest/poc/LAS12-ARIN

      OrgTechHandle: LNO21-ARIN
      OrgTechName:  Linode Network Operations
      OrgTechPhone:  +1-609-593-7103
      OrgTechEmail:  support@linode.com
      OrgTechRef:    http://whois.arin.net/rest/poc/LNO21-ARIN

      RNOCHandle: LNO21-ARIN
      RNOCName:  Linode Network Operations
      RNOCPhone:  +1-609-593-7103
      RNOCEmail:  support@linode.com
      RNOCRef:    http://whois.arin.net/rest/poc/LNO21-ARIN

      RTechHandle: LNO21-ARIN
      RTechName:  Linode Network Operations
      RTechPhone:  +1-609-593-7103
      RTechEmail:  support@linode.com
      RTechRef:    http://whois.arin.net/rest/poc/LNO21-ARIN

      RAbuseHandle: LAS12-ARIN
      RAbuseName:  Linode Abuse Support
      RAbusePhone:  +1-609-593-7103
      RAbuseEmail:  abuse@linode.com
      RAbuseRef:    http://whois.arin.net/rest/poc/LAS12-ARIN

      So who is this? What kind of company is it? I will let you answer this question now. It all boils down to the power of logic and reasoning when unsure. You can i) visit the website a whois returns to see more about the type of business associated with the address and so forth.

      This is THE BIGGEST REASON that I am a stickler for understanding the common grounds of networking and systems before even attempting to venture out into security.

    • #40780
      DragonGorge
      Participant

      For the challenge on the current (as opposed to the book’s) whois/netcraft results…

      Performing a whois on secmaniac.net yields:

      Domain name: secmaniac.net

      Registrant Contact:
        Whois Privacy Protection Service, Inc.
        Whois Agent ()
       
        Fax:
        PMB 368, 14150 NE 20th St - F1
        C/O secmaniac.net
        Bellevue, WA 98007
        US

      Administrative Contact:
        Whois Privacy Protection Service, Inc.
        Whois Agent (vmhpxgmj@whoisprivacyprotect.com)
        +1.4252740657
        Fax: +1.4259744730
        PMB 368, 14150 NE 20th St - F1
        C/O secmaniac.net
        Bellevue, WA 98007
        US

      Technical Contact:
        Whois Privacy Protection Service, Inc.
        Whois Agent (vmhpxgmj@whoisprivacyprotect.com)
        +1.4252740657
        Fax: +1.4259744730
        PMB 368, 14150 NE 20th St - F1
        C/O secmaniac.net
        Bellevue, WA 98007
        US

      Status: Locked

      Name Servers:
        ns1.secmaniac.net
        ns2.secmaniac.net
        ns3.secmaniac.net
        ns4.secmaniac.net

      Not a lot of company related info here (as opposed to what we’d get from yahoo.com) and the Netcraft query yields 96.126.127.220 for the ip and the owner of the netblock being Linode. Additionally, the “C/O secmaniac.net” would be a clue that we’re dealing with some kind of hosting/proxy service.

      So looking at the results of your previous posting on the 96.126.127.220, we again see info pertaining to Linode, and further inspection of Linode indicates this is a web hosting company, i.e. this is not residential. Yes/No/Partial credit?

      Curiously, doing an nslookup on secmaniac.net yields a different IP, and doing yet another whois on that IP yields the following:

      > set type=any
      > secmaniac.net

      Non-authoritative answer:
      Name: secmaniac.net
      Address: 184.106.97.209

      whois results:
      Rackspace Hosting RACKS-8-NET-4 (NET-184-106-0-0-1) 184.106.0.0 - 184.106.255.255
      Slicehost RACKS-8-1292257565649418 (NET-184-106-96-0-1) 184.106.96.0 - 184.106.99.255

      Which appears to be yet another web/cloud hosting company.

      However, I can ping 96.126.127.220 but not 184.106.97.209 so my conclusion would be that the nslookup info is stale and secmaniac.net has been moving around quite a bit since the book was written.

      I’d still like to do the same analysis on a real residential site.
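
      As an added example (not code from the book or from anyone in this thread), here is a short Python script that applies the reasoning in sil’s and DragonGorge’s posts above to the ARIN output quoted in the thread: it parses both the one-line summary style and the key: value style, checks whether a domain’s name servers sit in its own zone (ns1.secmaniac.net) or a registrar’s (NS57.DOMAINCONTROL.COM), and classifies a netblock as target-owned, hosting provider, business ISP, residential ISP pool, or an organization’s own space. The keyword lists and the contact-field count are this example’s own assumptions, not a rule ARIN documents, and the sample records are constructed from the text already posted here.

```python
import re

# Constructed samples, copied from the ARIN output quoted in this thread. The
# script only parses text; it performs no live whois queries.
WOW_SUMMARY = """\
WIDEOPENWEST OHIO WOW-CL11-1-184-118-75 (NET-75-118-184-0-1) 75.118.184.0 - 75.118.191.255
WideOpenWest Finance LLC WIDEOPENWEST (NET-75-118-0-0-1) 75.118.0.0 - 75.118.255.255
"""
LINODE_DETAIL = """\
NetRange:       96.126.96.0 - 96.126.127.255
NetName:        LINODE-US
Comment:        This block is used for static customer allocations.
OrgName:        Linode
Address:        329 E. Jimmie Leeds Road
OrgAbuseEmail:  abuse@linode.com
OrgTechEmail:   support@linode.com
"""

# One-line summary records as sil posted them: <OrgName> <NetName> (<handle>) <start> - <end>
SUMMARY_RE = re.compile(
    r"^(?P<org>.+?) (?P<net>\S+) \((?P<handle>NET-[\w-]+)\) (?P<range>[\d.]+ [-–] [\d.]+)$")

def parse_whois(text):
    """Parse ARIN output in either the summary or the key: value style into dicts."""
    records, detail = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUMMARY_RE.match(line)
        if m:
            records.append({"OrgName": m["org"], "NetName": m["net"],
                            "NetHandle": m["handle"], "NetRange": m["range"]})
            continue
        key, sep, value = line.partition(":")
        if sep and " " not in key.strip():
            detail.setdefault(key.strip(), value.strip())  # first value wins (e.g. Address)
    if detail:
        records.append(detail)
    return records

def nameservers_under(domain, nameservers):
    """Name servers inside the target's own zone (ns1.secmaniac.net) versus a
    registrar's (NS57.DOMAINCONTROL.COM); the latter says nothing about ownership."""
    suffix = "." + domain.lower().strip(".")
    return [ns for ns in nameservers if ns.lower().rstrip(".").endswith(suffix)]

def classify_netblock(records, target_label):
    """Heuristics from the thread, in priority order. Keyword lists and the
    contact-field count are assumptions of this example, not an ARIN rule."""
    names = " ".join(f"{r.get('OrgName', '')} {r.get('NetName', '')}"
                     for r in records).lower()
    comments = " ".join(r.get("Comment", "") for r in records).lower()
    contact_keys = sum(1 for r in records for k in r if k == "Address"
                       or (k.startswith("Org") and k.endswith(("Email", "Phone", "Handle"))))
    if target_label.lower() in names:
        return "target-owned"       # the target's own name is on the allocation
    if "hosting" in names or "customer allocation" in comments:
        return "hosting-provider"   # VPS/cloud host, e.g. "static customer allocations"
    if "business" in names:
        return "business-isp"       # e.g. "Comcast Business Communications"
    if "cable" in names or contact_keys == 0:
        return "residential-isp"    # consumer ISP pool: a line or two, no org contacts
    return "organization"           # rich OrgName/contact data: a company's own space

if __name__ == "__main__":
    for label, text in (("book IP", WOW_SUMMARY), ("current IP", LINODE_DETAIL)):
        print(label, "->", classify_netblock(parse_whois(text), "secmaniac"))
```

      Run against the two samples it reports the book’s WideOpenWest block as a residential ISP pool and the current Linode block as a hosting provider, which is the conclusion the thread reached by hand.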
