Hands-On Web Penetration Testing with Metasploit
eBook - ePub

Hands-On Web Penetration Testing with Metasploit

The subtle art of using Metasploit 5.0 for web application exploitation

Harpreet Singh, Himanshu Sharma

  1. 544 pages
  2. English
  3. ePUB (adapté aux mobiles)
  4. Disponible sur iOS et Android
eBook - ePub

Hands-On Web Penetration Testing with Metasploit

The subtle art of using Metasploit 5.0 for web application exploitation

Harpreet Singh, Himanshu Sharma

DĂ©tails du livre
Aperçu du livre
Table des matiĂšres
Citations

À propos de ce livre

Identify, exploit, and test web application security with ease

Key Features

  • Get up to speed with Metasploit and discover how to use it for pentesting
  • Understand how to exploit and protect your web environment effectively
  • Learn how an exploit works and what causes vulnerabilities

Book Description

Metasploit has been a crucial security tool for many years. However, there are only a few modules that Metasploit has made available to the public for pentesting web applications. In this book, you'll explore another aspect of the framework – web applications – which is not commonly used. You'll also discover how Metasploit, when used with its inbuilt GUI, simplifies web application penetration testing.

The book starts by focusing on the Metasploit setup, along with covering the life cycle of the penetration testing process. Then, you will explore Metasploit terminology and the web GUI, which is available in the Metasploit Community Edition. Next, the book will take you through pentesting popular content management systems such as Drupal, WordPress, and Joomla, which will also include studying the latest CVEs and understanding the root cause of vulnerability in detail. Later, you'll gain insights into the vulnerability assessment and exploitation of technological platforms such as JBoss, Jenkins, and Tomcat. Finally, you'll learn how to fuzz web applications to find logical security vulnerabilities using third-party tools.

By the end of this book, you'll have a solid understanding of how to exploit and validate vulnerabilities by working with various tools and techniques.

What you will learn

  • Get up to speed with setting up and installing the Metasploit framework
  • Gain first-hand experience of the Metasploit web interface
  • Use Metasploit for web-application reconnaissance
  • Understand how to pentest various content management systems
  • Pentest platforms such as JBoss, Tomcat, and Jenkins
  • Become well-versed with fuzzing web applications
  • Write and automate penetration testing reports

Who this book is for

This book is for web security analysts, bug bounty hunters, security professionals, or any stakeholder in the security sector who wants to delve into web application security testing. Professionals who are not experts with command line tools or Kali Linux and prefer Metasploit's graphical user interface (GUI) will also find this book useful. No experience with Metasploit is required, but basic knowledge of Linux and web application pentesting will be helpful.

Foire aux questions

Comment puis-je résilier mon abonnement ?
Il vous suffit de vous rendre dans la section compte dans paramĂštres et de cliquer sur « RĂ©silier l’abonnement ». C’est aussi simple que cela ! Une fois que vous aurez rĂ©siliĂ© votre abonnement, il restera actif pour le reste de la pĂ©riode pour laquelle vous avez payĂ©. DĂ©couvrez-en plus ici.
Puis-je / comment puis-je télécharger des livres ?
Pour le moment, tous nos livres en format ePub adaptĂ©s aux mobiles peuvent ĂȘtre tĂ©lĂ©chargĂ©s via l’application. La plupart de nos PDF sont Ă©galement disponibles en tĂ©lĂ©chargement et les autres seront tĂ©lĂ©chargeables trĂšs prochainement. DĂ©couvrez-en plus ici.
Quelle est la différence entre les formules tarifaires ?
Les deux abonnements vous donnent un accĂšs complet Ă  la bibliothĂšque et Ă  toutes les fonctionnalitĂ©s de Perlego. Les seules diffĂ©rences sont les tarifs ainsi que la pĂ©riode d’abonnement : avec l’abonnement annuel, vous Ă©conomiserez environ 30 % par rapport Ă  12 mois d’abonnement mensuel.
Qu’est-ce que Perlego ?
Nous sommes un service d’abonnement Ă  des ouvrages universitaires en ligne, oĂč vous pouvez accĂ©der Ă  toute une bibliothĂšque pour un prix infĂ©rieur Ă  celui d’un seul livre par mois. Avec plus d’un million de livres sur plus de 1 000 sujets, nous avons ce qu’il vous faut ! DĂ©couvrez-en plus ici.
Prenez-vous en charge la synthÚse vocale ?
Recherchez le symbole Écouter sur votre prochain livre pour voir si vous pouvez l’écouter. L’outil Écouter lit le texte Ă  haute voix pour vous, en surlignant le passage qui est en cours de lecture. Vous pouvez le mettre sur pause, l’accĂ©lĂ©rer ou le ralentir. DĂ©couvrez-en plus ici.
Est-ce que Hands-On Web Penetration Testing with Metasploit est un PDF/ePUB en ligne ?
Oui, vous pouvez accĂ©der Ă  Hands-On Web Penetration Testing with Metasploit par Harpreet Singh, Himanshu Sharma en format PDF et/ou ePUB ainsi qu’à d’autres livres populaires dans Ciencia de la computaciĂłn et Ciberseguridad. Nous disposons de plus d’un million d’ouvrages Ă  dĂ©couvrir dans notre catalogue.

Informations

Année
2020
ISBN
9781789951639

Penetration Testing on Technological Platforms - JBoss

The previous chapters of this book explained how to perform penetration tests on Content Management Systems (CMSes). Now that we have a clear understanding of the different CMS architectures and the different ways to go about carrying out a test, let's move on to learning how we can carry out tests on different technologies. In this chapter, we'll learn about JBoss, its architecture, and its exploitation. JBoss is one of the most easily deployable applications for an organization focused on automating deployments of a Java-based application. Due to its flexible architecture, many organizations opt for JBoss, but it is because of its great ease of use to organizations that JBoss is also widely targeted by threat actors. The following topics will be covered in this chapter:
  • An introduction to JBoss
  • Performing reconnaissance on a JBoss - based application server using Metasploit
  • Vulnerability assessments on JBoss
  • Carrying out JBoss exploitation with the help of Metasploit modules

Technical requirements

The following are the prerequisites for this chapter:
  • A JBoss Application Server (AS) instance (https://jbossas.jboss.org/)
  • The Metasploit Framework (https://www.metasploit.com/)
  • JexBoss, which is a third-party tool (https://github.com/joaomatosf/jexboss)

An introduction to JBoss

JBoss AS is an open source Java Enterprise Edition (Java EE)-based application server. The project was started by Mark Fluery in 1999. Since then, JBoss Group (LLC) was formed in 2001, and in 2004, JBoss became a corporation under the name of JBoss, Inc. In early 2006, Oracle sought to buy JBoss, Inc., but later on in the same year, RedHat succeeded in buying the corporation.
As JBoss AS is based on Java, the application server supports cross-platform installation and, unlike other proprietary software in the market, JBoss offers the same features at very low prices. The following are some of the advantages of JBoss:
  • Flexibility due to plugin-based architecture
  • Ease of installation and setup
  • Provides the full Java EE stack, including Enterprise JavaBeans (EJB), Java Messaging Service (JMS), Java Management Extension (JMX), and Java Naming and Directory Interface (JNDI)
  • Can run an Enterprise Application (EA)
  • Is cost-efficient
Due to the flexible plugin architecture, developers don't have to spend time developing services for their applications. The goal here is to save money and resources so that developers can focus more time on the products they're developing.

The JBoss architecture (JBoss 5)

The JBoss architecture has changed gradually over the last few years and with each major release, new services have been added. In this chapter, we will look at an architectural overview of JBoss AS 5 and cover the exploitation part of the architecture in the JBoss exploitation section later in this chapter. To understand the JBoss AS architecture, refer to the following diagram:
We can divide the architecture into four main components, as follows:
  • User applications: As the name suggests, this component handles user applications and contains the XML config files, Web Application Resource (WAR) files, and so on. This is where user applications are deployed.
  • Component deployers: Deployers are used in JBoss to deploy components. MainDeployer, JARDeployer, and SARDeployer are hardcoded deployers in the JBoss server core. All other deployers are Managed Bean (MBean) services that register themselves as deployers with MainDeployer.
  • Enterprise services: This component is responsible for handling multiple things, such as transactions, security, and the web server.
  • The JBoss microcontainer: This can be used as a standalone container outside of JBoss AS. It is designed to provide an environment to configure and manage Plain Old Java Objects (POJOs).
Now, let's look at the directory structure.

JBoss files and the di...

Table des matiĂšres

  1. Title Page
  2. Copyright and Credits
  3. About Packt
  4. Contributors
  5. Preface
  6. Introduction
  7. Introduction to Web Application Penetration Testing
  8. Metasploit Essentials
  9. The Metasploit Web Interface
  10. The Pentesting Life Cycle with Metasploit
  11. Using Metasploit for Reconnaissance
  12. Web Application Enumeration Using Metasploit
  13. Vulnerability Scanning Using WMAP
  14. Vulnerability Assessment Using Metasploit (Nessus)
  15. Pentesting Content Management Systems (CMSes)
  16. Pentesting CMSes - WordPress
  17. Pentesting CMSes - Joomla
  18. Pentesting CMSes - Drupal
  19. Performing Pentesting on Technological Platforms
  20. Penetration Testing on Technological Platforms - JBoss
  21. Penetration Testing on Technological Platforms - Apache Tomcat
  22. Penetration Testing on Technological Platforms - Jenkins
  23. Logical Bug Hunting
  24. Web Application Fuzzing - Logical Bug Hunting
  25. Writing Penetration Testing Reports
  26. Assessment
  27. Other Books You May Enjoy