Thursday, 20 September 2018

Kali Linux - Website Penetration Testing

In this chapter, we will learn about website penetration testing offered by Kali Linux.

Vega Usage

Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: JavaScript. The official webpage is https://subgraph.com/vega/
Step 1 − To open Vega, go to Applications → 03-Web Application Analysis → Vega.
Step 2 − If you don’t see the application in that path, type the following command in a terminal.
Step 3 − To start a scan, click the “+” sign.
Step 4 − Enter the URL of the web page to be scanned. In this case, it is the Metasploitable machine → click “Next”.
Step 5 − Check the boxes of the modules you want to run. Then, click “Next”.
Step 6 − Click “Next” again in the following screenshot.
Step 7 − Click “Finish”.
Step 8 − If the following dialog pops up, click “Yes”.
The scan will continue as shown in the following screenshot.
Step 9 − After the scan is completed, the lower-left panel lists all the findings, categorized by severity. If you click one, the right panel shows the details of that vulnerability, such as “Request”, “Discussion”, “Impact”, and “Remediation”.

ZapProxy

OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is a Java application.
Step 1 − To open ZapProxy, go to Applications → 03-Web Application Analysis → owaspzap.
Step 2 − Click “Accept”.
ZAP will start to load.
Step 3 − Choose one of the options shown in the following screenshot and click “Start”.
The following website is Metasploitable, with IP 192.168.1.101.
Step 4 − Enter the URL of the site under test in “URL to attack” → click “Attack”.
After the scan is completed, the top-left panel shows all the crawled sites.
In the “Alerts” tab of the lower panel, you will see all the findings along with their descriptions.
Step 5 − Click “Spider” and you will see all the links scanned.

Database Tools Usage

sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Let’s learn how to use sqlmap.
Step 1 − To open sqlmap, go to Applications → 04-Database Assessment → sqlmap.
The web page with parameters vulnerable to SQL injection is on Metasploitable.
Step 2 − To start the SQL injection testing, type “sqlmap -u URL of victim”.
Step 3 − From the results, you will see that some variables are vulnerable.
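To see why sqlmap flags a parameter as vulnerable, and to confirm a fix, here is an added example that is not part of the original tutorial: a lookup that concatenates the request parameter into the query next to one that binds it, plus a check that mirrors sqlmap’s boolean-based test (the table, rows and function names are constructed for this example).

```python
import sqlite3

def build_db():
    # Constructed in-memory stand-in for the web application's database
    # (sample rows, not data from the Metasploitable target).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con

def lookup_vulnerable(con, user_id):
    # The request parameter is pasted into the SQL text, so anything the
    # client sends is parsed as SQL: this is what sqlmap detects.
    sql = f"SELECT name FROM users WHERE id = {user_id} ORDER BY id"
    return [row[0] for row in con.execute(sql)]

def lookup_hardened(con, user_id):
    # Validate the type first, then bind the value as a parameter so the
    # database only ever sees it as data, never as SQL.
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    rows = con.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (uid,))
    return [row[0] for row in rows]

def boolean_blind_probe(lookup, con, base="1"):
    # sqlmap's boolean-based check: the same parameter with a TRUE and a
    # FALSE condition appended. If the two responses differ, the database
    # evaluated the condition, i.e. the parameter is injectable.
    true_case = lookup(con, f"{base} AND 1=1")
    false_case = lookup(con, f"{base} AND 1=2")
    return true_case != false_case

if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup injectable:", boolean_blind_probe(lookup_vulnerable, db))
    print("hardened lookup injectable:", boolean_blind_probe(lookup_hardened, db))
```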

sqlninja

sqlninja turns a SQL injection on Microsoft SQL Server into full GUI access to the host. It is a tool targeted at exploiting SQL injection vulnerabilities in a web application that uses Microsoft SQL Server as its back-end. Full information regarding this tool can be found at http://sqlninja.sourceforge.net/
Step 1 − To open sqlninja, go to Applications → 04-Database Assessment → sqlninja.

CMS Scanning Tools

WPScan

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
Step 1 − To open WPScan, go to Applications → 03-Web Application Analysis → “wpscan”.
The following screenshot pops up.
Step 2 − To scan a website for vulnerabilities, type “wpscan -u URL of webpage”.
If the scanner is not updated, it will ask you to update. I recommend doing so.
Once the scan starts, you will see the findings. In the following screenshot, vulnerabilities are indicated by a red arrow.

Joomscan

Joomla is probably the most widely used CMS out there due to its flexibility. Joomscan is a scanner for this CMS. It helps web developers and webmasters identify possible security weaknesses on their deployed Joomla sites.
Step 1 − To open it, click the terminal icon in the left panel, then type “joomscan -parameter”.
Step 2 − To get usage help, type “joomscan /?”.
Step 3 − To start the scan, type “joomscan -u URL of the victim”.
Results will be displayed as shown in the following screenshot.

SSL Scanning Tools

TLSSLed is a Linux shell script used to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool.
The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.
To start testing, open a terminal and type “tlssled URL port”. It will start by testing the certificate.
You can see from the finding that the certificate is valid until 2018 as shown in green in the following screenshot.
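The cipher and protocol checks listed above are easy to apply on the server side as well. The following is an added example, not part of the original tutorial or of TLSSLed: it grades a cipher list in the shape Python’s ssl.SSLContext.get_ciphers() returns against the NULL, weak-key-length, AES and SSLv2/SSLv3 criteria, and builds a server context that passes them (the LEGACY_CIPHERS sample is constructed; the MD5-signature and renegotiation checks are not covered).

```python
import ssl

def audit_ciphers(ciphers):
    # Apply the cipher and protocol checks TLSSLed reports to a list of
    # cipher dicts in the shape returned by ssl.SSLContext.get_ciphers().
    findings = []
    names = [c["name"] for c in ciphers]
    if any("NULL" in n for n in names):
        findings.append("NULL cipher offered")
    weak = [c["name"] for c in ciphers if c["strength_bits"] < 128]
    if weak:
        findings.append("weak ciphers (< 128 bits): " + ", ".join(weak))
    if not any("AES" in n for n in names):
        findings.append("no strong (AES) cipher offered")
    if any(c["protocol"] in ("SSLv2", "SSLv3") for c in ciphers):
        findings.append("SSLv2/SSLv3 cipher suites enabled")
    return findings

def hardened_server_context():
    # A server context that passes the checks above: TLS 1.2 as the floor
    # (SSLv2/SSLv3/TLS 1.0/1.1 refused) and only AEAD ECDHE suites offered.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

# Constructed sample of what a legacy server might advertise; not the
# output of a real scan.
LEGACY_CIPHERS = [
    {"name": "NULL-MD5", "protocol": "SSLv3", "strength_bits": 0},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "protocol": "TLSv1.0", "strength_bits": 56},
    {"name": "AES128-SHA", "protocol": "TLSv1.0", "strength_bits": 128},
]

if __name__ == "__main__":
    for finding in audit_ciphers(LEGACY_CIPHERS):
        print("legacy:", finding)
    hardened = audit_ciphers(hardened_server_context().get_ciphers())
    print("hardened:", hardened or "no findings")
```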

w3af

w3af is a Web Application Attack and Audit Framework which aims to identify and exploit all web application vulnerabilities. This package provides a Graphical User Interface (GUI) for the framework. If you want a command-line application only, install w3af-console.
The framework has been called the “metasploit for the web”, but it’s actually much more as it also discovers the web application vulnerabilities using black-box scanning techniques. The w3af core and its plugins are fully written in Python. The project has more than 130 plugins, which identify and exploit SQL injection, cross-site scripting (XSS), remote file inclusion and more.
Step 1 − To open it, go to Applications → 03-Web Application Analysis → w3af.
Step 2 − In “Target”, enter the URL of the victim, which in this case is the Metasploitable web address.
Step 3 − Select the profile → Click “Start”.
Step 4 − Go to “Results” to see the findings with their details.

Kali Linux - Wireless Attacks

In this chapter, we will learn how to use the Wi-Fi cracking tools that Kali Linux has incorporated. However, it is important that the wireless card you have supports monitor mode.

Fern Wifi Cracker

Fern Wifi Cracker is one of the tools that Kali has to crack wireless networks.
Before opening Fern, we should put the wireless card into monitor mode. To do this, type “airmon-ng start wlan0” in the terminal.
Now, open Fern Wireless Cracker.
Step 1 − Applications → Click “Wireless Attacks” → “Fern Wireless Cracker”.
Step 2 − Select the Wireless card as shown in the following screenshot.
Step 3 − Click “Scan for Access Points”.
Step 4 − After the scan finishes, it will show all the wireless networks found. In this case, only WPA networks were found.
Step 5 − Click “WPA networks” as shown in the above screenshot. It shows all the wireless networks found. For WPA networks, it performs a dictionary attack.
Step 6 − Click “Browse” and select the wordlist to use for the attack.
Step 7 − Click “Wifi Attack”.
Step 8 − After the dictionary attack finishes, the password it found is shown as depicted in the following screenshot.

Kismet

Kismet is a Wi-Fi network analysis tool. It is an 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It works with any wireless card that supports raw monitoring (rfmon) mode, and can sniff 802.11a/b/g/n traffic. It identifies networks by collecting packets, including hidden networks.
To use it, put the wireless card into monitor mode; to do this, type “airmon-ng start wlan0” in the terminal.
Let’s learn how to use this tool.
Step 1 − To launch it, open terminal and type “kismet”.
Step 2 − Click “OK”.
Step 3 − Click “Yes” when it asks to start Kismet Server. Otherwise it will stop functioning.
Step 4 − Leave the Startup Options at their defaults. Click “Start”.
Step 5 − Now it will show a dialog asking you to define the wireless card. In this case, click “Yes”.
Step 6 − In this case, the wireless source is “wlan0”. Enter it in the “Intf” field → click “Add”.
Step 7 − It will start sniffing the Wi-Fi networks as shown in the following screenshot.
Step 8 − Click any network to see its wireless details as shown in the following screenshot.

GISKismet

GISKismet is a wireless visualization tool to represent data gathered using Kismet in a practical way. GISKismet stores the information in a database so we can query data and generate graphs using SQL. GISKismet currently uses SQLite for the database and GoogleEarth / KML files for graphing.
Let’s learn how to use this tool.
Step 1 − To open GISKismet, go to: Applications → Click “Wireless Attacks” → giskismet.
As you remember from the previous section, we used the Kismet tool to collect data about wireless networks; Kismet stores all this data in netXML files.
Step 2 − To import this file into GISKismet, type “giskismet -x Kismetfilename.netxml” and it will start importing the files.
Once imported, we can load the hotspots we found into Google Earth.
Step 3 − Assuming that we have already installed Google Earth, click File → Open, select the file that GISKismet created → click “Open”.
The following map will be displayed.
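Beyond mapping, the netXML export from the Kismet section is also what a defender would inventory to spot an access point impersonating the corporate SSID. Here is an added example that is not part of the tutorial, Kismet or GISKismet: a parser for the detection-run/wireless-network layout plus a rogue-AP check against a list of the BSSIDs we operate. The SAMPLE_NETXML document, its BSSIDs and SSIDs are constructed, and the tag layout is assumed to follow Kismet’s netXML export.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like a Kismet .netxml export; not a real capture.
SAMPLE_NETXML = """<detection-run kismet-version="2016.07.R1" start-time="Thu Sep 20 10:00:00 2018">
  <wireless-network number="1" type="infrastructure">
    <SSID><type>Beacon</type><encryption>WPA+PSK</encryption>
      <encryption>WPA+AES-CCM</encryption><essid cloaked="false">CorpWifi</essid></SSID>
    <BSSID>00:11:22:33:44:55</BSSID><channel>6</channel>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <SSID><type>Beacon</type><encryption>None</encryption>
      <essid cloaked="false">CorpWifi</essid></SSID>
    <BSSID>66:77:88:99:aa:bb</BSSID><channel>11</channel>
  </wireless-network>
  <wireless-network number="3" type="infrastructure">
    <SSID><type>Beacon</type><encryption>WPA+PSK</encryption>
      <essid cloaked="true"></essid></SSID>
    <BSSID>CC:DD:EE:FF:00:11</BSSID><channel>1</channel>
  </wireless-network>
</detection-run>
"""

def parse_netxml(text):
    # One dict per <wireless-network>; cloaked (hidden) SSIDs keep an empty essid.
    root = ET.fromstring(text)
    nets = []
    for wn in root.findall("wireless-network"):
        ssid = wn.find("SSID")
        essid = ssid.find("essid") if ssid is not None else None
        nets.append({
            "bssid": wn.findtext("BSSID", "").upper(),
            "channel": int(wn.findtext("channel", "0")),
            "essid": (essid.text or "") if essid is not None else "",
            "cloaked": essid is not None and essid.get("cloaked") == "true",
            "encryption": [e.text for e in ssid.findall("encryption")] if ssid is not None else [],
        })
    return nets

def find_rogue_aps(nets, managed_ssid, known_bssids):
    # Flag any AP beaconing our SSID from a BSSID we do not operate, or with no encryption.
    known = {b.upper() for b in known_bssids}
    return [n["bssid"] for n in nets
            if n["essid"] == managed_ssid
            and (n["bssid"] not in known or "None" in n["encryption"])]

if __name__ == "__main__":
    print(find_rogue_aps(parse_netxml(SAMPLE_NETXML), "CorpWifi", ["00:11:22:33:44:55"]))
```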

Ghost Phisher

Ghost Phisher is a popular tool that helps to create fake wireless access points and then carry out man-in-the-middle attacks.
Step 1 − To open it, click Applications → Wireless Attacks → “ghost phishing”.
Step 2 − After opening it, we will set up the fake AP using the following details.
  • Wireless Interface Input: wlan0
  • SSID: wireless AP name
  • IP address: IP that the AP will have
  • WAP: password that clients will need to connect to this SSID
Step 3 − Click the Start button.

Wifite

It is another wireless cracking tool, which attacks multiple WEP, WPA, and WPS encrypted networks in a row.
Firstly, the wireless card has to be in monitor mode.
Step 1 − To open it, go to Applications → Wireless Attack → Wifite.
Step 2 − Type “wifite -showb” to scan for the networks.
Step 3 − To start attacking the wireless networks, press Ctrl + C.
Step 4 − Type “1” to crack the first wireless network.
Step 5 − After the attack completes, the key will be found.

Kali Linux - Vulnerability Analysis Tools

In this chapter, we will learn how to use some of the tools that help us exploit devices or applications in order to gain access.

Cisco Tools

Kali has some tools that can be used to exploit Cisco routers. One such tool is Cisco-torch, which is used for mass scanning, fingerprinting, and exploitation.
Let’s open the Terminal console by clicking its icon in the left pane.
Then, type “cisco-torch -parameter IP of host”; if nothing exploitable is found, the following result will be shown.
To see the parameters that can be used, type “cisco-torch ?”.

Cisco Auditing Tool

It is a Perl script which scans Cisco routers for common vulnerabilities. To use it, again open the terminal from the left pane as shown in the previous section and type “CAT -h hostname or IP”.
You can add the port parameter “-p” as shown in the following screenshot, which in this case is 23, to brute-force it.

Cisco Global Exploiter

Cisco Global Exploiter (CGE) is an advanced, simple, and fast security testing tool. With this tool, you can perform several types of attacks as shown in the following screenshot. However, be careful while testing in a live environment, as some of them can crash the Cisco device. For example, some of the options can stop its services.
To use this tool, type “cge.pl IPaddress number of vulnerability”.
The following screenshot shows the result of the test performed on a Cisco router for vulnerability number 3 from the list above. The result shows that the vulnerability was successfully exploited.

BED

BED is a program designed to check daemons for potential buffer overflows, format string bugs, and similar issues.
In this case, we will test the target machine with IP 192.168.1.102 over the HTTP protocol.
The command will be “bed -s HTTP -t 192.168.1.102”, and testing will proceed.