Hands-On Web Penetration Testing with Metasploit
eBook - ePub

Hands-On Web Penetration Testing with Metasploit

The subtle art of using Metasploit 5.0 for web application exploitation

Harpreet Singh, Himanshu Sharma

  1. 544 páginas
  2. English
  3. ePUB (apto para móviles)
  4. Disponible en iOS y Android
eBook - ePub

Hands-On Web Penetration Testing with Metasploit

The subtle art of using Metasploit 5.0 for web application exploitation

Harpreet Singh, Himanshu Sharma

Detalles del libro
Vista previa del libro

Información del libro

Identify, exploit, and test web application security with ease

Key Features

  • Get up to speed with Metasploit and discover how to use it for pentesting
  • Understand how to exploit and protect your web environment effectively
  • Learn how an exploit works and what causes vulnerabilities

Book Description

Metasploit has been a crucial security tool for many years. However, there are only a few modules that Metasploit has made available to the public for pentesting web applications. In this book, you'll explore another aspect of the framework – web applications – which is not commonly used. You'll also discover how Metasploit, when used with its inbuilt GUI, simplifies web application penetration testing.

The book starts by focusing on the Metasploit setup, along with covering the life cycle of the penetration testing process. Then, you will explore Metasploit terminology and the web GUI, which is available in the Metasploit Community Edition. Next, the book will take you through pentesting popular content management systems such as Drupal, WordPress, and Joomla, which will also include studying the latest CVEs and understanding the root cause of vulnerability in detail. Later, you'll gain insights into the vulnerability assessment and exploitation of technological platforms such as JBoss, Jenkins, and Tomcat. Finally, you'll learn how to fuzz web applications to find logical security vulnerabilities using third-party tools.

By the end of this book, you'll have a solid understanding of how to exploit and validate vulnerabilities by working with various tools and techniques.

What you will learn

  • Get up to speed with setting up and installing the Metasploit framework
  • Gain first-hand experience of the Metasploit web interface
  • Use Metasploit for web-application reconnaissance
  • Understand how to pentest various content management systems
  • Pentest platforms such as JBoss, Tomcat, and Jenkins
  • Become well-versed with fuzzing web applications
  • Write and automate penetration testing reports

Who this book is for

This book is for web security analysts, bug bounty hunters, security professionals, or any stakeholder in the security sector who wants to delve into web application security testing. Professionals who are not experts with command line tools or Kali Linux and prefer Metasploit's graphical user interface (GUI) will also find this book useful. No experience with Metasploit is required, but basic knowledge of Linux and web application pentesting will be helpful.

Preguntas frecuentes

¿Cómo cancelo mi suscripción?
Simplemente, dirígete a la sección ajustes de la cuenta y haz clic en «Cancelar suscripción». Así de sencillo. Después de cancelar tu suscripción, esta permanecerá activa el tiempo restante que hayas pagado. Obtén más información aquí.
¿Cómo descargo los libros?
Por el momento, todos nuestros libros ePub adaptables a dispositivos móviles se pueden descargar a través de la aplicación. La mayor parte de nuestros PDF también se puede descargar y ya estamos trabajando para que el resto también sea descargable. Obtén más información aquí.
¿En qué se diferencian los planes de precios?
Ambos planes te permiten acceder por completo a la biblioteca y a todas las funciones de Perlego. Las únicas diferencias son el precio y el período de suscripción: con el plan anual ahorrarás en torno a un 30 % en comparación con 12 meses de un plan mensual.
¿Qué es Perlego?
Somos un servicio de suscripción de libros de texto en línea que te permite acceder a toda una biblioteca en línea por menos de lo que cuesta un libro al mes. Con más de un millón de libros sobre más de 1000 categorías, ¡tenemos todo lo que necesitas! Obtén más información aquí.
¿Perlego ofrece la función de texto a voz?
Busca el símbolo de lectura en voz alta en tu próximo libro para ver si puedes escucharlo. La herramienta de lectura en voz alta lee el texto en voz alta por ti, resaltando el texto a medida que se lee. Puedes pausarla, acelerarla y ralentizarla. Obtén más información aquí.
¿Es Hands-On Web Penetration Testing with Metasploit un PDF/ePUB en línea?
Sí, puedes acceder a Hands-On Web Penetration Testing with Metasploit de Harpreet Singh, Himanshu Sharma en formato PDF o ePUB, así como a otros libros populares de Informatique y Cybersécurité. Tenemos más de un millón de libros disponibles en nuestro catálogo para que explores.



Penetration Testing on Technological Platforms - JBoss

The previous chapters of this book explained how to perform penetration tests on Content Management Systems (CMSes). Now that we have a clear understanding of the different CMS architectures and the different ways to go about carrying out a test, let's move on to learning how we can carry out tests on different technologies. In this chapter, we'll learn about JBoss, its architecture, and its exploitation. JBoss is one of the most easily deployable applications for an organization focused on automating deployments of a Java-based application. Due to its flexible architecture, many organizations opt for JBoss, but it is because of its great ease of use to organizations that JBoss is also widely targeted by threat actors. The following topics will be covered in this chapter:
  • An introduction to JBoss
  • Performing reconnaissance on a JBoss - based application server using Metasploit
  • Vulnerability assessments on JBoss
  • Carrying out JBoss exploitation with the help of Metasploit modules

Technical requirements

The following are the prerequisites for this chapter:
  • A JBoss Application Server (AS) instance (https://jbossas.jboss.org/)
  • The Metasploit Framework (https://www.metasploit.com/)
  • JexBoss, which is a third-party tool (https://github.com/joaomatosf/jexboss)

An introduction to JBoss

JBoss AS is an open source Java Enterprise Edition (Java EE)-based application server. The project was started by Mark Fluery in 1999. Since then, JBoss Group (LLC) was formed in 2001, and in 2004, JBoss became a corporation under the name of JBoss, Inc. In early 2006, Oracle sought to buy JBoss, Inc., but later on in the same year, RedHat succeeded in buying the corporation.
As JBoss AS is based on Java, the application server supports cross-platform installation and, unlike other proprietary software in the market, JBoss offers the same features at very low prices. The following are some of the advantages of JBoss:
  • Flexibility due to plugin-based architecture
  • Ease of installation and setup
  • Provides the full Java EE stack, including Enterprise JavaBeans (EJB), Java Messaging Service (JMS), Java Management Extension (JMX), and Java Naming and Directory Interface (JNDI)
  • Can run an Enterprise Application (EA)
  • Is cost-efficient
Due to the flexible plugin architecture, developers don't have to spend time developing services for their applications. The goal here is to save money and resources so that developers can focus more time on the products they're developing.

The JBoss architecture (JBoss 5)

The JBoss architecture has changed gradually over the last few years and with each major release, new services have been added. In this chapter, we will look at an architectural overview of JBoss AS 5 and cover the exploitation part of the architecture in the JBoss exploitation section later in this chapter. To understand the JBoss AS architecture, refer to the following diagram:
We can divide the architecture into four main components, as follows:
  • User applications: As the name suggests, this component handles user applications and contains the XML config files, Web Application Resource (WAR) files, and so on. This is where user applications are deployed.
  • Component deployers: Deployers are used in JBoss to deploy components. MainDeployer, JARDeployer, and SARDeployer are hardcoded deployers in the JBoss server core. All other deployers are Managed Bean (MBean) services that register themselves as deployers with MainDeployer.
  • Enterprise services: This component is responsible for handling multiple things, such as transactions, security, and the web server.
  • The JBoss microcontainer: This can be used as a standalone container outside of JBoss AS. It is designed to provide an environment to configure and manage Plain Old Java Objects (POJOs).
Now, let's look at the directory structure.

JBoss files and the di...


  1. Title Page
  2. Copyright and Credits
  3. About Packt
  4. Contributors
  5. Preface
  6. Introduction
  7. Introduction to Web Application Penetration Testing
  8. Metasploit Essentials
  9. The Metasploit Web Interface
  10. The Pentesting Life Cycle with Metasploit
  11. Using Metasploit for Reconnaissance
  12. Web Application Enumeration Using Metasploit
  13. Vulnerability Scanning Using WMAP
  14. Vulnerability Assessment Using Metasploit (Nessus)
  15. Pentesting Content Management Systems (CMSes)
  16. Pentesting CMSes - WordPress
  17. Pentesting CMSes - Joomla
  18. Pentesting CMSes - Drupal
  19. Performing Pentesting on Technological Platforms
  20. Penetration Testing on Technological Platforms - JBoss
  21. Penetration Testing on Technological Platforms - Apache Tomcat
  22. Penetration Testing on Technological Platforms - Jenkins
  23. Logical Bug Hunting
  24. Web Application Fuzzing - Logical Bug Hunting
  25. Writing Penetration Testing Reports
  26. Assessment
  27. Other Books You May Enjoy