Mastering Kali Linux for Web Penetration Testing

Mastering Kali Linux for Web Penetration Testing

Test and evaluate all aspects of the design and implementation

Michael McPhee

BIRMINGHAM - MUMBAI

Mastering Kali Linux for Web Penetration Testing

Copyright © 2017 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: June 2017

Production reference: 1230617

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-78439-507-0

www.packtpub.com

Credits

About the Author

Michael McPhee is a systems engineer at Cisco in New York, where he has worked for the last 4 years and has focused on cyber security, switching, and routing. Mike’s current role sees him consulting on security and network infrastructures, and he frequently runs clinics and delivers training to help get his customers up to speed. Suffering from a learning addiction, Mike has obtained the following certifications along the way: CEH, CCIE R&S, CCIE Security, CCIP, CCDP, ITILv3, and the Cisco Security White Belt. He is currently working on his VCP6-DV certification, following his kids to soccer games and tournaments, traveling with his wife and kids to as many places as possible, and scouting out his future all-grain beer home brewing rig. He also spends considerable time breaking his home network (for science!), much to the family's dismay.

Prior to joining Cisco, Mike spent 6 years in the U.S. Navy and another 10 working on communications systems as a systems engineer and architect for defense contractors, where he helped propose, design, and develop secure command and control networks and electronic warfare systems for the US DoD and NATO allies.

Prior publication:

Penetration Testing with the Raspberry Pi – Second Edition (with Jason Beltrame), Packt Publishing, November 2016.

To the Packt folks--thank you again for the support and for getting this book off the ground! I am blessed with the coolest team at my day job, where I receive a ton of support in pursuing all these extracurricular activities. The camaraderie from Eric Schickler and the awesome support of my manager, Mike Kamm, are especially helpful in keeping me on track and balancing my workload. In addition to my local teammates, any time I can get with my good friends, Jason Beltrame and Dave Frohnapfel, is the highlight of my week, and they have been a huge help in getting the gumption to tackle this topic. I’m lucky to have learned security at the feet of some awesome teachers, especially Mark Cairns, Bob Perciaccante, and Corey Schultz. For reasons that defy logic, Joey Muniz still sticks his neck out to support me, and I am forever in his debt--thanks dude! Lastly, I need to thank my family. Mom, you pretend to know what I am talking about and let me fortify your home network, thanks for always being so supportive. Liam and Claire--you two give me hope for the future. Keep asking questions, making jokes, and making us proud! Lastly, my beautiful wife, Cathy, keeps me healthy and happy despite myself, and the best anyone can hope for is to find a friend and partner as amazing as she is.

About the Reviewers

Aamir Lakhani is a leading senior security strategist. He is responsible for providing IT security solutions to major enterprises and government organizations.

Mr. Lakhani creates technical security strategies and leads security implementation projects for Fortune 500 companies. Industries of focus include healthcare providers, educational institutions, financial institutions, and government organizations. He has also assisted organizations in safeguarding IT and physical environments from attacks perpetrated by underground cybercrime groups. Mr. Lakhani is considered to an industry leader for creating detailed security architectures within complex computing environments. His areas of expertise include cyber defense, mobile application threats, malware management, Advanced Persistent Threat (APT) research, and investigations relating to the internet's dark security movement. He is the author of or contributor to several books, and has appeared on FOX Business News, National Public Radio, and other media outlets as an expert on cyber security.

It was my pleasure working with the author and reviewing this book! They worked hard in putting together a quality product I will easily recommend. I also want to thank my dad and mom, Mahmood and Nasreen Lakhani, for always encouraging me to be my best. Thank you for always believing in me.

Dave Frohnapfel has over 10 years of experience in the engineering field and his diverse background includes experience with a service provider, global enterprise, and engineering design for a hardware manufacturer. In his current role at Cisco Systems, he is a leader in network security. Moreover, he is passionate about helping organizations address the evolving threat landscape and focusing on game-changing technology solutions. Before Cisco, he had extensive enterprise experience in building and maintaining large data centers and service delivery networks, and he managed an international operations staff.

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.comand as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www.packtpub.com/mapt

Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

Why subscribe?

Fully searchable across every book published by Packt

Copy and paste, print, and bookmark content

On demand and accessible via a web browser

Customer Feedback

Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1784395072.

If you'd like to join our team of regular reviewers, you can e-mail us at customerreviews@packtpub.com. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

Table of Contents

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Downloading the color images of this book

Errata

Piracy

Questions

Common Web Applications and Architectures

Common architectures

Standalone models

Three-tier models

Model-View-Controller design

Web application hosting

Physical hosting

Virtual hosting

Cloud hosting

Containers – a new trend

Application development cycles

Coordinating with development teams

Post deployment - continued vigilance

Common weaknesses – where to start

Web application defenses

Standard defensive elements

Additional layers

Summary

Guidelines for Preparation and Testing

Picking your favorite testing framework

Frameworks through a product

Train like you play

The EC-Council approach

The GIAC/SANS approach

The Offensive Security approach

Open source methodologies and frameworks

ISECOM's OSSTMM

ISSAF

NIST publications

OWASP's OTG

Keeping it legal and ethical

What is legal?

What is ethical?

Labbing - practicing what we learn

Creating a virtualized environment

Our penetration testing host

Creating a target-rich environment

Finding gullible servers

Unwitting clients

Summary

Stalking Prey Through Target Recon

The imitation game

Making (then smashing) a mirror with HTTrack

Making a stealthy initial archive

Tuning stealthier archives

Is the mirror complete and up-to-date?

Touring the target environment

Open source awesomeness

Open source Intel with Google and the Google hacking database

Tuning your Google search skills

Work smarter with the Google hacking DB and Netcraft

Mastering your own domain

Digging up the dirt

Digging record types

Getting fierce

Next steps with Nikto

Employing Maltego to organize

Being social with your target

Summary

Scanning for Vulnerabilities with Arachni

Walking into spider webs

Optimal Arachni deployment tips

An encore for stacks and frameworks

The Arachni test scenario

Profiles for efficiency

Creating a new profile

Scoping and auditing options

Converting social engineering into user input and mobile platform emulation

Fingerprinting and determining platforms

Checks (please)

Plugging into Arachni extensions and third-party add-ons

Browser clusters

Kicking off our custom scan

Reviewing the results

Summary

Proxy Operations with OWASP ZAP and Burp Suite

Pulling back the curtain with ZAP

Quick refresher on launching ZAP scans

Going active with ZAP

Passive ZAP scanning

Getting fuzzy with ZAP

Taking it to a new level with Burp Suite

Recon with Burp Suite

Stay on target!

Getting particular with proxy

Going active with Spider

Activating Burp Suite

Scanning for life (or vulnerabilities)

Passive scans are a no brainer

Active scanning – Use with care!

The flight of the intruder

Stop, enumerate, and listen!

Select, attack, highlight, and repeat!

Summary

Infiltrating Sessions via Cross-Site Scripting

The low-down on XSS types

Should XSS stay or should it go?

Location, location, and location!

XSS targeting and the delivery

Seeing is believing

Don't run with XSSer(s)!

Stored XSS with BeEF

Here, phishy phishy!

Let's go Metasploiting

Building your own payload

Every good payload needs a handler

Seal the deal – Delivering shell access

Metasploit's web-focused cousin – Websploit

Summary

Injection and Overflow Testing

Injecting some fun into your testing

Is SQL any good?

A crash course in DBs gone bad

Types of SQLI

In-band or classic SQLI

Blind SQLI

Stacked or compound SQLI

SQLI tool school

Old-school SQLI via browsers

Stepping it up with SQLMap

Cooking up some menu-driven SQLI with BBQSQL

SQLI goes high-class with Oracle

The X-factor - XML and XPath injections

XML injection

XPath injection

Credential Jedi mind tricks

Going beyond persuasion – Injecting for execution

Code injections

Overflowing fun

Commix - Not-so-funny command injections

Down with HTTP?

Summary

Exploiting Trust Through Cryptography Testing

How secret is your secret?

Assessing encryption like a pro

SSLyze - it slices, it scans…

SSLscan can do it!

Nmap has SSL skills too

Exploiting the flaws

POODLE – all bark, no bite (usually)

Heartbleed-ing out

DROWNing HTTPS

Revisiting the classics

Hanging out as the Man-in-the-Middle

Scraping creds with SSLstrip

Looking legit with SSLsniff and SSLsplit

SSLsniff

SSLsplit

Alternate MITM motives

Summary

Stress Testing Authentication and Session Management

Knock knock, who's there?

Does authentication have to be hard?

Authentication 2.0 - grabbing a golden ticket

The basic authentication

Form-based authentication

Digest-based authentication

Trust but verify

This is the session you are looking for

Munching on some cookies?

Don't eat fuzzy cookies

Jedi session tricks

Functional access level control

Refining a brute's vocabulary

Summary

Launching Client-Side Attacks

Why are clients so weak?

DOM, Duh-DOM DOM DOM!!

Malicious misdirection

Catch me if you can!

Picking on the little guys

Sea-surfing on someone else's board

Simple account takeovers

Don't you know who I am? Account creation

Trust me, I know the way!

I don't need your validation

Trendy hacks come and go

Clickjacking (bWAPP)

Punycode

Forged or hijacked certificates

Summary

Breaking the Application Logic

Speed-dating your target

Cashing in with e-commerce

Financial applications - Show me the money

Hacking human resources

Easter eggs of evil

So many apps to choose from…

Functional Feng Shui

Basic validation checks

Sometimes, less is more?

Forgery shenanigans

What does this button do?

Timing is everything

Reaching your functional limits

Do we dare to accept files?

Summary

Educating the Customer and Finishing Up

Finishing up

Avoiding surprises with constant contact

Establishing periodic updates

When to hit the big red button

Weaving optimism with your action plan

The executive summary

Introduction

Highlights, scoring, and risk recap

More on risk

Guidance - earning your keep

Detailed findings

The Dradis framework

MagicTree

Other documentation and organization tools

Graphics for your reports

Bringing best practices

Baking in security

Honing the SDLC

Role-play - enabling the team

Picking a winner

Plans and programs

More on change management

Automate and adapt

Assessing the competition

Backbox Linux

Samurai web testing framework

Fedora Security Spin

Other Linux pen test distros

What About Windows and macOS?

Summary

Preface

Web applications are where customers and businesses meet. On the internet, a very large proportion of the traffic is now between servers and clients, and the power and trust placed in each application while exposing them to the outside world makes them a popular target for adversaries to steal, eavesdrop, or cripple businesses and institutions. As penetration testers, we need to think like the attacker to better understand, test, and make recommendations for the improvement of those web apps. There are many tools to fit any budget, but Kali Linux is a fantastic and industry-leading open source distribution that can facilitate many of these functions for free. Tools Kali provides, along with standard browsers and appropriate plugins, enable us to tackle most web penetration testing scenarios. Several organizations provide wonderful training environments that can be paired with a Kali pen testing box to train and hone their web pen testing skills in safe environments. These can ensure low-risk experimentation with powerful tools and features in Kali Linux that go beyond a typical script-kiddie approach. This approach assists ethical hackers in responsibly exposing, identifying, and disclosing weaknesses and flaws in web applications at all stages of development. One can safely test using these powerful tools, understand how to better identify vulnerabilities, position and deploy exploits, compromise authentication and authorization, and test the resilience and exposure applications possess. At the end, the customers will be better served with actionable intelligence and guidance that will help them secure their application and better protect their users, information, and intellectual property.

What this book covers

Chapter 1, Common Web Applications and Architectures, reviews some common web application architectures and hosting paradigms to help us identify the potential weaknesses and select the appropriate test plan.

Chapter 2, Guidelines for Preparation and Testing, helps us understand the many sources of requirements for our testing (ethical, legal, and regulatory) and how to select the appropriate testing methodology for a scenario or customer.

Chapter 3, Stalking Prey Through Target Recon, introduces open source intelligence gathering and passive recon methods to help map out a target and its attack surface.

Chapter 4, Scanning for Vulnerabilities with Arachni, discusses one of the purpose-built vulnerability scanners included in Kali that can help us conduct scans of even the largest applications and build fantastic reports.

Chapter 5, Proxy Operations with OWASP ZAP and Burp Suite, dives into proxy-based tools to show how they can not only actively scan, but passively intercept and manipulate messages to exploit many vulnerabilities.

Chapter 6, Infiltrating Sessions via Cross-Site Scripting, explores how we can test and implement Cross Site Scripting (XSS) to both compromise the client and manipulate the information flows for other attacks. Tools such as BeEF, XSSer, Websploit, and Metasploit are discussed in this chapter.

Chapter 7, Injection and Overflow Testing, looks into how we can test for various forms of unvalidated input (for example, SQL, XML, LDAP, and HTTP) that have the potential to reveal inappropriate information, escalate privileges, or otherwise damage an application's servers or modules. We'll see how Commix, BBQSQL, SQLMap, SQLninja, and SQLsus can help.

Chapter 8, Exploiting Trust Through Cryptography Testing, helps us see how we can tackle testing the strength that encryption applications may be using to protect the integrity and privacy of their communications with clients. Our tools of interest will be SSLstrip, SSLScan, SSLsplit, SSLyze, and SSLsniff.

Chapter 9, Stress Testing Authentication and Session Management, tackles the testing of various vulnerabilities and schemes focused on how web apps determine who is who and what they are entitled to see or access. Burp will be the primary tool of interest.

Chapter 10, Launching Client-Side Attacks, focuses on how to test for vulnerabilities (CSRF, DOM-XSS, and so on) that allow attackers to actually compromise a client and either steal its information or alter its behavior, as the earlier chapters dealt with how to test the servers and applications themselves. JavaScript and other forms of implant will be the focus.

Chapter 11, Breaking the Application Logic, explains how to test for a variety of flaws in the business logic of an application. Important as it is, it requires significant understanding of what the app is intending and how it is implemented.

Chapter 12, Educating the Customer and Finishing Up, wraps up the book with a look at providing useful and well-organized guidance and insights to the customer. This chapter also looks at complementary or alternate toolsets worth a look.

What you need for this book

Hardware list:

The exercises performed in this book and the tools used can be deployed on any modern Windows, Linux, or Mac OS machine capable of running a suitable virtualization platform and a more recent version of the OS. Suggested minimum requirements should allow for at least the following resources to be available to your virtual platforms:

4 virtual CPUs

4-8 GB of RAM

802.3 Gigabit Ethernet, shared with host machine

802.11a/g/n/ac WiFi link, shared with host machine

Software list:

Desktop/Laptop Core OS and Hypervisor:

Virtualization should be provided by one of Kali Linux's supported hypervisors, namely one of the following options. The operating system and hardware will need to support the minimum requirements, with an eye toward dedicating the previous hardware recommendations to the guest virtual machines:

For Windows:

VMware Workstation Pro 12 or newer (Player does not support multiple VMs at a time)--http://www.vmware.com/products/workstation.html

VirtualBox 5.1 or newer--https://www.virtualbox.org/wiki/Downloads

For Mac OS:

VMware Fusion 7.X or newer--http://www.vmware.com/products/fusion.html

Parallels 12 for Mac--http://www.parallels.com/products/desktop/

VirtualBox 5.1 or newer--https://www.virtualbox.org/wiki/Downloads

For Linux:

VMWare Workstation 12 or newer (Player does not support multiple VMs at a time)--http://www.vmware.com/products/workstation-for-linux.html

VirtualBox 5.1 or newer--https://www.virtualbox.org/wiki/Downloads

For Barebones Hypervisors:

VMware ESXi/vSphere 5.5 or newer

Microsoft Hyper-V 2016

Redhat KVM/sVirt 5 or newer

Applications and virtual machines:

Essential:

Kali Linux VM (choose 64-bit VM, Vbox, or Hyper-V image)--https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/

Alternatives:

Kali Linux ISO (64 bit, for Virtual-Box or Parallels)--https://www.kali.org/downloads/

Target VMs:

OWASP Broken Web Application: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

Metasploitable 2--https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

Metasploitable 3--https://community.rapid7.com/community/metasploit/blog/2016/11/15/test-your-might-with-the-shiny-new-metasploitable3

Bee Box--http://www.itsecgames.com

Damn Vulnerable Web Application (DVWA)--http://www.dvwa.co.uk

OWASP Mutillidae 2--https://sourceforge.net/projects/mutillidae/files/

Windows Eval Mode OS + Browser--https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Who this book is for

This book is focused on IT pentesters, security consultants, and ethical hackers who want to expand their knowledge and gain expertise on advanced web penetration techniques. Prior knowledge of penetration testing will be beneficial.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: As with general exploits, we can see the payload's options in following screenshot using show options and see the commands with -h to guide ourselves through the entire operation.

A block of code is set as follows:

Any command-line input or output is written as follows:

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: When we click on the Login button, our helpful database spills the beans and we realize exactly what the query we are trying to attack is, as shown in following screenshot.

Warnings or important notes appear in a box like this.

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book-what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply e-mail feedback@packtpub.com, and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.

You can download the code files by following these steps:

Log in or register to our website using your e-mail address and password.

Hover the mouse pointer on the SUPPORT tab at the top.

Click on Code Downloads & Errata.

Enter the name of the book in the Search box.

Select the book for which you're looking to download the code files.

Choose from the drop-down menu where you purchased this book from.

Click on Code Download.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR / 7-Zip for Windows

Zipeg / iZip / UnRarX for Mac

7-Zip / PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Mastering-Kali-Linux-for-Web-Penetration-Testing. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from https://www.packtpub.com/sites/default/files/downloads/MasteringKaliLinuxforWebPenetrationTesting_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books-maybe a mistake in the text or the code-we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list