Chapter 12: Further Reading — Exploitation Fundamentals and Metasploit
Essential Books
Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni (No Starch Press, 2011)
The definitive guide to using Metasploit for penetration testing. Though some specifics have evolved since publication, the methodology and approach remain highly relevant. Covers the full workflow from reconnaissance through post-exploitation. Ideal for readers who want to go deeper into the framework's capabilities.

Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (No Starch Press, 2014)
An excellent practical guide that walks through exploitation scenarios step by step. Weidman's writing is accessible and her lab exercises are well designed. Particularly strong on Metasploit usage and basic exploit development. A second edition has been anticipated.

The Shellcoder's Handbook: Discovering and Exploiting Security Holes by Chris Anley, John Heasman, Felix Lindner, and Gerardo Richarte (Wiley, 2007)
For those who want to understand the deep technical details of how exploits work at the memory level. Covers buffer overflows, heap exploitation, kernel exploits, and shellcode development across multiple platforms. Technical and demanding, but invaluable for aspiring exploit developers.

Hacking: The Art of Exploitation by Jon Erickson (No Starch Press, 2008)
A masterful introduction to exploitation from first principles. Erickson explains programming, networking, and cryptography concepts alongside exploitation techniques. The included LiveCD provides a complete practice environment. A classic that remains one of the best introductions to the field.

The Hacker Playbook 3: Practical Guide to Penetration Testing by Peter Kim (Secure Planet, 2018)
A Red Team-focused guide that covers modern exploitation techniques, including Metasploit usage, post-exploitation, and evasion. Structured around realistic scenarios with practical, step-by-step instructions. Particularly useful for transitioning from lab exercises to real-world engagements.
Online Resources
Metasploit Unleashed (MSFU) — Offensive Security
https://www.offsec.com/metasploit-unleashed/
A free, comprehensive online course on the Metasploit Framework created by Offensive Security. Covers everything from basic usage to advanced module development. Regularly updated to reflect the latest framework features. The gold standard for free Metasploit training.

Rapid7 Metasploit Documentation
https://docs.metasploit.com/
The official documentation for the Metasploit Framework. Includes module documentation, API references, and developer guides. Essential for anyone writing custom modules or integrating Metasploit with other tools.

Exploit Database (Exploit-DB)
https://www.exploit-db.com/
Maintained by Offensive Security, Exploit-DB is the largest public archive of exploits and vulnerable software. Each entry includes the exploit code, affected versions, and platform information. A critical research tool for identifying exploits during penetration tests.

MITRE ATT&CK Framework — Execution and Lateral Movement Tactics
https://attack.mitre.org/
The ATT&CK framework catalogs real-world adversary techniques. The Execution (TA0002) and Lateral Movement (TA0008) tactics are directly relevant to this chapter's exploitation and post-exploitation topics. Use ATT&CK to map your exploitation activities to known adversary behaviors.

CVE Details
https://www.cvedetails.com/
Comprehensive database of CVE entries with vulnerability statistics, CVSS scores, and references. Useful for researching specific vulnerabilities before exploitation.
Practice Environments
Metasploitable 2 and 3
Intentionally vulnerable virtual machines designed specifically for practicing Metasploit. Metasploitable 2 provides a Linux-based target; Metasploitable 3 offers both Windows and Linux targets with more modern vulnerabilities. Download from Rapid7's community resources.

Hack The Box (HTB)
https://www.hackthebox.com/
An online platform with dozens of vulnerable machines ranging from beginner to advanced. Many machines require Metasploit skills. The retired machines include detailed writeups for learning. Excellent for practicing exploitation in a legal, structured environment.

TryHackMe
https://tryhackme.com/
A beginner-friendly platform with guided rooms covering Metasploit, exploitation techniques, and post-exploitation. The "Metasploit" and "Blue" rooms are particularly relevant to this chapter.

VulnHub
https://www.vulnhub.com/
Free downloadable vulnerable virtual machines. Build your own lab with a wide variety of targets. Search for "Metasploitable" and "boot2root" challenges.
Research Papers and Technical Resources
"EternalBlue — Exploit Analysis and Port to Microsoft Windows 10" by Sheila Berta and Pablo Sole (Black Hat USA 2017)
Technical deep-dive into the EternalBlue exploit mechanism, including how it was ported to target Windows 10. Essential reading for understanding kernel pool exploitation.

"Zerologon: Unauthenticated Domain Controller Compromise" by Tom Tervoort (Secura, 2020)
The original whitepaper detailing the Zerologon vulnerability. Explains the cryptographic flaw in AES-CFB8 and the complete exploit chain. A model of clear, technical vulnerability disclosure.

"Return-Oriented Programming: Systems, Languages, and Applications" by Ryan Roemer, Erik Buchanan, Hovav Shacham, and Stefan Savage (ACM TISSEC, 2012)
The seminal paper on ROP, a technique essential for modern exploit development. Understanding ROP is necessary for comprehending how exploits bypass DEP and other memory protections.
Certifications and Training
Offensive Security Certified Professional (OSCP)
The industry-standard certification for penetration testing. The exam requires exploiting multiple machines in a 24-hour practical test. Metasploit usage is limited in the exam to one machine, encouraging manual exploitation skills.

GIAC Penetration Tester (GPEN)
SANS certification covering penetration testing methodology, exploitation, and password attacks. The associated SEC560 course provides hands-on labs with Metasploit and other tools.

Certified Ethical Hacker (CEH) — Practical
EC-Council's practical certification that includes exploitation scenarios. Less rigorous than OSCP, but provides a good foundation in exploitation concepts.

eLearnSecurity Junior Penetration Tester (eJPT)
An accessible entry-level certification that tests practical skills, including Metasploit usage. Good for beginners looking for a structured learning path before attempting more advanced certifications.