
Web Penetration Testing With Kali Linux PDF

312 Pages·2015·11.48 MB·English

Preview Web Penetration Testing With Kali Linux

www.it-ebooks.info

Web Penetration Testing with Kali Linux, Second Edition
Build your defense against web attacks with Kali Linux 2.0
Juned Ahmed Ansari
BIRMINGHAM - MUMBAI

Web Penetration Testing with Kali Linux, Second Edition
Copyright © 2015 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: November 2015
Production reference: 1201115
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-78398-852-5
www.packtpub.com

Credits
Author: Juned Ahmed Ansari
Reviewers: Olivier Le Moal, Gilberto Najera-Gutierrez, Janusz Oppermann
Commissioning Editor: Kartikey Pandey
Acquisition Editor: Indrajit Das
Content Development Editor: Mamata Walkar
Technical Editor: Dhiraj Chandanshive
Copy Editor: Roshni Banerjee
Project Coordinator: Shipra Chawhan
Proofreader: Safis Editing
Indexer: Hemangini Bari
Production Coordinator: Shantanu N. Zagade
Cover Work: Shantanu N. Zagade

About the Author
Juned Ahmed Ansari (@junedlive) is a cyber security researcher based out of Mumbai. He currently leads the penetration testing and offensive security team of a large MNC. Juned has worked as a consultant for large private sector enterprises, guiding them on their cyber security program. He has also worked with start-ups, helping them make their final product secure. Juned has conducted several training sessions on advanced penetration testing, focused on teaching students stealth and evasion techniques in highly secure environments. His primary focus areas are penetration testing, threat intelligence, and application security research. He holds leading security certifications such as GXPN, CISSP, CCSK, and CISA. Juned enjoys contributing to public groups and forums and occasionally blogs at http://securebits.in.

I would like to dedicate this book to my parents, Abdul Rashid and Sherbano, and sisters, Tasneem and Lubna. Thank you all for your encouragement on every small step that I took forward. Thank you mom and dad for all the sacrifices and always believing in me. I would also additionally like to thank my seniors for their mentorship and friends and colleagues for supporting me over the years.

About the Reviewers
Olivier Le Moal is a young System Security Engineer, working in the French online poker industry. He is an open source enthusiast and holds OSCP certification. He also runs a French security blog (blog.olivierlemoal.fr).

Gilberto Najera-Gutierrez leads the Security Testing Team (STT) at Sm4rt Security Services, one of the top security firms in Mexico. He also is an Offensive Security Certified Professional (OSCP), an EC-Council Certified Security Administrator (ECSA) and holds a Master's degree in Computer Science with specialization in Artificial Intelligence. Working as a Penetration Tester since 2013 and being a security enthusiast since high school, he has successfully conducted penetration tests on networks and applications of some of the biggest corporations in Mexico, government agencies, and financial institutions.

Janusz Oppermann is an enthusiastic and passionate security specialist and ethical hacker. He is currently working at Deloitte The Netherlands as an ethical hacker/security professional. He is experienced with security testing of (Wi-Fi) network infrastructures, web applications, and mobile applications. Because of his broad experience with network infrastructures and security solutions in different types of organizations, he is able to find security issues, estimate risks, and give consultations on the subject. He holds several security-related certifications such as CISSP, OSCP, CCNP Security, and CEH.

www.PacktPub.com
Support files, eBooks, discount offers, and more
For support files and downloads related to your book, please visit www.PacktPub.com. Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details. At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?
• Fully searchable across every book published by Packt
• Copy and paste, print, and bookmark content
• On demand and accessible via a web browser

Free access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.

Table of Contents
Preface
Chapter 1: Introduction to Penetration Testing and Web Applications
  Proactive security testing
  Who is a hacker?
  Different testing methodologies
  Ethical hacking
  Penetration testing
  Vulnerability assessment
  Security audits
  Rules of engagement
  Black box testing or Gray box testing
  Client contact details
  Client IT team notifications
  Sensitive data handling
  Status meeting
  The limitations of penetration testing
  The need for testing web applications
  Social engineering attacks
  Training employees to defeat social engineering attacks
  A web application overview for penetration testers
  HTTP protocol
  Request and response header
  The request header
  The response header
  Important HTTP methods for penetration testing
  The GET/POST method
  The HEAD method
  The TRACE method
  The PUT and DELETE methods
  The OPTIONS method
  Session tracking using cookies
  Cookie
  Cookie flow between server and client
  Persistent and non-persistent cookies
  Cookie parameters
  HTML data in HTTP response
  Multi-tier web application
  Summary
Chapter 2: Setting up Your Lab with Kali Linux
  Kali Linux
  Improvements in Kali Linux 2.0
  Installing Kali Linux
  USB mode
  VMware and ARM images of Kali Linux
  Kali Linux on Amazon cloud
  Installing Kali Linux on a hard drive
  Kali Linux-virtualizing versus installing on physical hardware
  Important tools in Kali Linux
  Web application proxies
  Burp proxy
  WebScarab and Zed Attack Proxy
  ProxyStrike
  Web vulnerability scanner
  Nikto
  Skipfish
  Web Crawler – Dirbuster
  OpenVAS
  Database exploitation
  CMS identification tools
  Web application fuzzers
  Using Tor for penetration testing
  Steps to set up Tor and connect anonymously
  Visualization of a web request through Tor
  Final words for Tor
  Summary
Chapter 3: Reconnaissance and Profiling the Web Server
  Reconnaissance
  Passive reconnaissance versus active reconnaissance
  Reconnaissance – information gathering
  Domain registration details
  Identifying hosts using DNS
  The Recon-ng tool – a framework for information gathering
  Scanning – probing the target
  Port scanning using Nmap
  Different options for port scan
  Evading firewalls and IPS using Nmap
  Spotting a firewall using back checksum option in Nmap
  Identifying the operating system using Nmap
  Profiling the server
  Application version fingerprinting
  Fingerprinting the web application framework
  Identifying virtual hosts
  Identifying load balancers
  Scanning web servers for vulnerabilities and misconfigurations
  Spidering web applications
  Summary
Chapter 4: Major Flaws in Web Applications
  Information leakage
  Directory browsing
  Directory browsing using DirBuster
  Comments in HTML code
  Mitigation
  Authentication issues
  Authentication protocols and flaws
  Basic authentication
  Digest authentication
  Integrated authentication
  Form-based authentication
  Brute forcing credentials
  Hydra – a brute force password cracker
  Path traversal
  Attacking path traversal using Burp proxy
  Mitigation
  Injection-based flaws
  Command injection
  SQL injection
  Cross-site scripting
  Attack potential of cross-site scripting attacks
  Cross-site request forgery
  Session-based flaws
  Different ways to steal tokens
  Brute forcing tokens
  Sniffing tokens and man-in-the-middle attacks
  Stealing session tokens using XSS attack
  Session token sharing between application and browser

