
Getting Started with Metasploit




This is my first contribution in an ongoing series detailing the best free, open source hacking and penetration tools available. My goal is to show you some of the quality tools that IT security experts are using every day in their jobs as network security and pen-testing professionals. There are hundreds of tools out there, but I will focus on those that meet four key criteria:
  1. Open source
  2. Free
  3. High quality
  4. Widely used and trusted in the IT security/pen-testing community
As such, no hacker/penetration tool box is complete without the addition of the versatile and powerful Metasploit.

What Is Metasploit?

Metasploit is among the most widely used exploitation tools in the hacking/security field. It's used by both novices and advanced professionals. Insecure.Org, run by Fyodor, the founder of Nmap, annually surveys security professionals for their opinion on the top security software. Metasploit has consistently ranked among the top ten since its inception and currently ranks second. That should give you some idea of how important Metasploit is in the security community.
Metasploit is a self-described "framework" for cyber exploitation. As a framework, it eases the effort to exploit known vulnerabilities in networks, operating systems and applications, and to develop new exploits for new or unknown vulnerabilities. Last Thursday, Project Basecamp announced the development of a Stuxnet-like module for Metasploit.
Metasploit has also developed Meterpreter, which, when loaded into a target system, makes maintaining access and controlling the target much easier. As such, every self-respecting hacker (and even those without self-respect) should have some basic knowledge of Metasploit. This series of articles will initially focus on conferring at least a rudimentary understanding of how Metasploit works and how it can be utilized by the hacker/penetration tester to own the box, download data and cover your tracks.

A Little Background

Metasploit was developed in 2003 as an open source project by H.D. Moore. Originally written in Perl, it was rewritten in Ruby by the development team in 2007. This is critical, because you need to have Ruby on your system in order to run Metasploit and to develop your own exploits.
After many years of success in the hacker/penetration tester community, it was purchased by Rapid7 in 2009. After its purchase, the Metasploit framework was split into three versions. Two are commercial versions: Metasploit Express and Metasploit Professional, the latter selling for $1800. These two have nice GUIs and numerous bells and whistles, including the automation of several attacks, but there is still a free and open source community edition known as the Metasploit Community.
Fortunately, some independent developers at Armitage have created a free and open source GUI for Metasploit that is both beautiful and elegant, for those that prefer the point-and-click mode of operation.
There is a Windows version of Metasploit, but many of the features (raw IP packet injection, wireless driver exploitation, SMB relaying attacks, etc.) are unavailable in the Windows environment, though some of these limitations can be overcome by using Cygwin or running Windows in a virtual environment on Linux.
For these and other reasons, we will commence this series using the more flexible command line interface (CLI) version in Linux, and eventually we will install and use the Armitage GUI.

Download and Installation

The first step in our process is to download and install Metasploit. Although there is a Windows version, I will focus on the Linux version because of its greater flexibility and capability. Let's walk through the download and installation on my favorite Linux distro, Ubuntu.
To install the latest version of the Metasploit 4 Framework (MSF4) on Ubuntu 10.04 (or any other Debian-based distro), use the following commands. They download and install the generic Linux binary, which comes bundled with all the components Metasploit needs to install and run. This should work for most users and is the easiest and quickest way to get the Metasploit Framework running under Ubuntu and other Debian-based Linux distros.
First open a terminal window and type:
wget http://updates.metasploit.com/data/releases/framework-4.0.0-linux-full.run
If you're installing on a 64-bit build of Ubuntu, use this instead:
wget http://updates.metasploit.com/data/releases/framework-4.0.0-linux-x64-full.run
This downloads the current version of the Metasploit framework via Wget.
Before you can run the installer, you need to make it executable. In the terminal, add the execute (x) permission to the Metasploit installer (the wildcard pattern below matches both the 32-bit and the 64-bit file names):
chmod +x framework-4.*-linux*-full.run
Now run the installer with root privileges by typing sudo followed by ./ and the name of our package:
sudo ./framework-4.*-linux*-full.run
You should then be prompted for your root password. After entering that, you should get a screen that looks something like this:
Go ahead and click Forward.
Agree to the terms of the license agreement and click Forward.
I suggest that you select Yes for automatic updates so that your exploit framework has the latest and greatest updates. Click Forward.
Here, Metasploit is asking whether you want to insert a different service script. You can just accept the default and hit Forward.
Be patient now; it will take Metasploit a few minutes to install and build your database. After it's done, you are ready to run Metasploit. Simply type:
msfconsole
Finally, you should be greeted by this screen.
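
The steps above fetch the installer over plain HTTP and then run it as root, so a download altered in transit would execute with full privileges. The following is an added example, not part of the original post: a shell helper (verify_installer and sha256_of are hypothetical names) that compares the file's SHA-256 with a digest obtained from a trusted channel before the chmod and sudo steps. The page gives no digest, so the demo runs on a constructed stand-in file.

```shell
#!/bin/sh
# Added example: check a downloaded installer before making it executable.
# The expected digest must come from a trusted channel (for example the
# vendor's HTTPS site), never from the same HTTP location as the file.

# Print the lowercase SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_installer() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Reject empty, truncated or non-hex digests instead of comparing blindly.
    case $expected in
        *[!0-9a-f]*|'') echo "bad digest format" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (got $actual)" >&2
    return 1
}

# Demo on a constructed stand-in file (not the real installer).
demo=$(mktemp)
printf 'constructed sample installer\n' > "$demo"
good=$(sha256_of "$demo")
verify_installer "$demo" "$good" && echo "digest matches: safe to chmod +x and run"
printf 'tampered\n' >> "$demo"
verify_installer "$demo" "$good" || echo "refusing to run modified file"
rm -f "$demo"
```

In practice, call verify_installer on the downloaded .run file with the published digest and continue to chmod and sudo only when it returns 0.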
