Web Application Security Testing: Kali Linux Is the Way to Go

1© Copyright 2014 Coveros, Inc. All rights reserved.
Web Application Security Testing:
Kali Linux Is the Way to Go
Gene Gotimer, Senior Architect
gene.gotimer@coveros.com

 Coveros helps organizations accelerate the delivery of
business value through secure, reliable software
About Coveros

Kali Linux – www.kali.org
 Penetration Testing and Security Auditing Linux
distribution
 New generation of BackTrack Linux
 Debian-based
 Many install options:
– i386, x86_64, ARM
– Android devices
– ISO, VMWare, AMI
– Installed, virtual,
dual boot, live USB
– Metapackages

Not for general use!
 Single user
 Default user is root
– Many of the tools need root anyway
– Live images use toor as default root password
 Not recommended for Linux beginners
– It is a pen testing and security auditing tool
– Easy to mess up the system as root
– Easy to attack your organization from within
 even unintentionally…

Tool Categories
 Information Gathering
 Vulnerability Analysis
 Web Applications
 Password Attacks
 Wireless Attacks
 Exploitation Tools
 Sniffing/Spoofing
 Maintaining Access
 Reverse Engineering
 Stress Testing
 Hardware Hacking
 Forensics
 Reporting Tools

Top 10 Security Tools
 Aircrack-ng
– wireless password cracking
 Burp Suite
– web application proxy and security testing
 THC-Hydra
– network password cracker
 John the Ripper
– Unix and Windows password cracker
 Maltego
– intelligence and forensics

Top 10 Security Tools
 Metasploit Framework
– pentesting and exploitation tool
 Nmap
– network discovery
 OWASP Zed Attack Proxy
– web application scanner and proxy
 sqlmap
– SQL injection detection and exploitation
 Wireshark
– network protocol analyzer

Many more tools
 Hundreds of tools
 Supporting software
– GUI front ends
 Greenbone for OpenVAS
 Armitage for Metaploit
 Zenmap for Nmap
– updaters
 Metasploit
 OpenVAS
 Tools are integrated
– OpenVAS runs Nikto2, Wapiti, Nmap, Arachni
– Metasploit can run OpenVAS

Ways to Use Kali Linux
 Professional Penetration Testing
 Pen test Tool Suite
– Install on a USB drive
– Carry to the client site
– All tools you need are available
 Forensic Information Gathering
– Live boot into forensic mode
– Doesn’t touch internal hard drive
– No auto mount of removable media
 Password Recovery

Ways for non-Pentesters to Use Kali Linux
 Tool catalog
– Browse menus to find tools in any category
 Pre-installed tools
– Try a tool to see if it meets your needs
– Compare tools
 Occasional security tests
– Don’t have time/resources to maintain security testing
environment
 Exploitation software
– Demonstrate vulnerabilities

 VM with very vulnerable apps
 Do not run on production network!
 Training apps
– WebGoat, Damn Vulnerable Web Application
 Realistic, intentionally vulnerable apps
 Old, vulnerable versions of real apps
 Demo apps
 http://code.google.com/p/owaspbwa/
OWASP Broken Web Applications

 Discover hosts on a network
 Find open ports/services on a host
 Fingerprint OS
 Identify service versions
Network Scanners

 Network scanner
– Inventory
– Discovery
– Monitor
 Not a vulnerability scanner
 Variety of scan depths
 Runs in seconds to minutes
Nmap / zenmap

 Web server scanner
– Looks at the server software, e.g., Apache, for
misconfigurations
 Web application scanner
– Looks at the application for vulnerabilities
 XSS
 SQLi
 Command execution
– Fuzzing
 Typically black-box scans
Web Vulnerability Scanner

Nikto2
 Web server scanner
– Not a web application scanner
– Looks at Apache
 command-line tool
– nikto –h 192.168.56.101
 Runs in seconds to minutes, as much as a few
hours
 Report is text-only to the screen

- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2014-03-01 14:40:40 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with
Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14
OpenSSL/0.9.8k Phusion_Passenger/3.0.17 mod_perl/2.0.4 Perl/v5.10.1
+ Server leaks inodes via ETags, header found with file /, inode: 289297, size:
26711, mtime: 0x4e2b33fc8f300
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-3268: /cgi-bin/: Directory indexing found.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via
a request to the /images directory. The value is "http://127.0.1.1/images/".
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.22).
Apache 1.3.42 (final release) and 2.0.64 are also current.
+ mod_ssl/2.2.14 appears to be outdated (current is at least 2.8.31) (may
depend on server version)
+ mod_perl/2.0.4 appears to be outdated (current is at least 2.0.7)
+ mod_mono/2.4.3 appears to be outdated (current is at least 2.8)
Nikto2

+ OpenSSL/0.9.8k appears to be outdated (current is at least 1.0.1c). OpenSSL
0.9.8r is also current.
+ Python/2.6.5 appears to be outdated (current is at least 2.7.3)
+ PHP/5.3.2-1ubuntu4.5 appears to be outdated (current is at least 5.4.4)
+ Perl/v5.10.1 appears to be outdated (current is at least v5.14.2)
+ proxy_html/3.0.1 appears to be outdated (current is at least 3.1.2)
+ mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/3.0.17 mod_perl/2.0.4
Perl/v5.10.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer
overflow which may allow a remote shell (difficult to exploit). CVE-2002-0082,
OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to
XST
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.5
+ Cookie phpbb2owaspbwa_data created without the httponly flag
+ Cookie phpbb2owaspbwa_sid created without the httponly flag
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL
databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3092: /cgi-bin/: This might be interesting... possibly a system shell
found.
+ OSVDB-3268: /icons/: Directory indexing found.
Nikto2

+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ Uncommon header 'x-pingback' found, with contents:
http://192.168.56.102/wordpress/xmlrpc.php
+ /wordpress/: A Wordpress installation was found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 1 error(s) and 32 item(s) reported on remote host
+ End Time: 2014-03-01 14:41:23 (GMT-5) (43 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto2

Wapiti
 Fuzzer
– wapiti http://192.168.56.101/vicnum/
 Runs in minutes to a few hours
– can get “stuck” on a URL
 Report is text-only to the screen

skipfish
 Fuzzer, very fast with dictionaries
– touch wordlist.wl
– skipfish –o /root/bsc-20140604
–S /usr/share/skipfish/dictionaries/minimal.wl
–W wordlist.wl http://192.168.56.101/
 Runs in minutes to hours
– Can be time boxed (-k duration in h:m:s)
 Report is HTML

 Acts as a “man-in-the-middle”
– inspect requests and responses
– modify in-flight
Intercepting Proxy
WebProxy
Web
Browser
Web
Server

OWASP Zed Attack Proxy
 Web application scanner and proxy
 Intercepting proxy
 Fuzzer
 Scanner
 Spider
 GUI interface
 Can generate XML and HTML reports

 Not just find vulnerabilities, exploit them
 Could be a true hacker tool
 Can be used to prove vulnerability is real and can
be exploited
Exploitation Tools

 Metasploit Framework– prove vulnerabilities
– choose and configure exploit
– scan target
– choose and configure payload
– choose encoding technique
– execute exploit
 Armitage– Graphical front end
– launch scan
– suggest exploits
Metasploit / Armitage

 Audit systems
 Track vulnerabilities
 Mark false positives
 Not good one-time scan tools
Vulnerability Management

OpenVAS / Greenbone
 Open-source fork of Nessus
 System vulnerability scanner and manager
 Daily feeds of Network Vulnerability Tests (NVTs)
 Scans scheduled or on-demand
 View results
– by host or by scan
– deltas
 Overrides
– false positives
– backported fixes

 Kali Linux is useful for:
– finding security tools
– trying security tools
– using security tools
www.kali.org
Summary

 Coveros is an ICAgile Member Training Organization (MTO)
with courses accredited by ICAgile.
 By participating in this session, you have started upon the
path to earning internationally recognized Agile Professional
Certifications. This course covers 4 of the more than 400
learning objectives from the ICAgile Learning Roadmap.
 To claim your learning credits, navigate to www.icagile.com
and select link to claim ICAgile learning credits.
 You will need to register and provide the code for this
specific event: BSW14-WSTL
Congratulations!

Gene Gotimer
gene.gotimer@coveros.com
www.coveros.com
@CoverosGene
Questions?

Web Application Security Testing: Kali Linux Is the Way to Go

More Related Content

What's hot (18)

Viewers also liked (12)

Similar to Web Application Security Testing: Kali Linux Is the Way to Go (20)

More from Gene Gotimer (20)

Recently uploaded (20)

Web Application Security Testing: Kali Linux Is the Way to Go