Kali Linux website penetration testing

Kali Linux is an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments. In this article I will show you some of the tools with basic examples.

You can use the following knowledge for further education or to check the security of your website. The following tools should be used only where you have permission or in your own test environment.

If you are starting as a bug bounty hunter this can be interesting for you. Everyone has to start somewhere :)

[image: web security testing methodology; image source: Craw]

Tools

Most of the tools described below correspond to the methodology presented in the picture. Using these tools, you can collect relevant information about the page you are checking, then analyze the information collected and plan how to use it, find vulnerabilities, perform tests. Each tool allows you to save the results of the action, and finally, you can create a summary report.

I will not go into details. I will only show which tools to use and how. So let’s start.

WhatWeb

WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

It is a great example of information gathering about a given website.

whatweb -a 3 http://example.com/ --log-brief /var/tmp/whatweb-example-com

Nikto

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.

It can be used for information gathering and vulnerability detection.

nikto -host http://example.com/ -o /var/tmp/nikto-example-com.html

OWASP ZAP

The OWASP Zed Attack Proxy (ZAP) can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing.

This tool has a graphical interface. You enter the address of the page to be scanned and wait for the result.

[image: OWASP ZAP screenshot]

The tool will first scan the page and then analyze it. When the scan is finished, we will get the results sorted into categories from the smallest to the largest threats.

Arachni

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.

The tool has a web interface but you can also run it from the console.

[image: Arachni web interface screenshot]

arachni http://example.com/ --output-only-positives --report-save-path=/var/tmp/arachni-example-com

Skipfish

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

skipfish -o /var/tmp/skipfish-example-com http://example.com/ -W

Wapiti

Wapiti allows you to audit the security of your websites or web applications. It performs “black-box” scans (it does not study the source code) of the web application by crawling the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

wapiti -u http://example.com/ -m "backup,blindsql,buster,crlf,delay,exec,file,htaccess,methods,nikto,permanentxss,shellshock,sql,ssrf,xss" --scope page --color -d 5 -v 2 -f html -o /var/tmp/wapiti-example-com

Some useful parameters:

--flush-session - discards the saved session and crawls the URL again from scratch
-m "xss,sql" - selects which modules to run
--list-modules - lists the modules available for selection

DirB

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analyzing the responses. DIRB comes with a set of preconfigured attack wordlists for easy usage, but you can use your own custom wordlists. DIRB can also sometimes be used as a classic CGI scanner, but remember that it is a content scanner, not a vulnerability scanner.

dirb http://example.com/ -r -o /var/tmp/dirb-example-com

Sqliv

Sqliv is a massive SQL injection scanner. It supports scanning multiple domains found through an SQL injection dork on Bing, Google, or Yahoo, targeted scanning of a specific domain (with crawling), and reverse domain scanning.

sqliv -t http://example.com/ -o /var/tmp/sqliv-example-com

Example of a dork scan using Bing:

sqliv -d "inurl:index.php?id=" -e bing

It simply searches for websites matching the given dork and scans the results one by one.

WPScan

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.

wpscan --url http://example.com/ -e -U -o /var/tmp/wpscan-example-com

Paros

A Java-based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.

The tool has a graphical interface. To scan a page, configure your web browser to use the program as its proxy: set localhost:8080 as the proxy in the browser. Then run Paros and, in the browser, go to the page you want to analyze. The program will display the visited website. Click on it and select Analyze -> Scan.

[image: Paros screenshot]

If you would like to switch easily between various proxies in your web browser, you can install the FoxyProxy Standard plug-in.

jSQL Injection

jSQL Injection is a Java application for automatic SQL database injection. The tool has a graphical interface.

[image: jSQL Injection screenshot]

An address vulnerable to an attack is required. This address can be obtained from previously discussed tools, e.g. Sqliv.

Grabber

Grabber is a web application scanner. Basically, it detects some kinds of vulnerabilities in your website. Grabber is simple, not fast, but portable and really adaptable. This software is designed to scan small websites such as personal pages, forums etc., and absolutely not big applications: that would take too long and flood your network.

grabber --spider 1 --sql --xss --backup --url http://example.com/

Hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

To understand the syntax of the example command, you have to understand the program itself.

The following command launches a dictionary attack on the login form.

hydra -l admin -P /usr/share/wordlists/rockyou.txt -f -t 64 -w 8 -V example.com https-get-form "/some_part_of_address/LoginPage:User=^USER^&Password=^PASS^&Action=Login:F=Error\: Bad credentials"

Attacked website: http://example.com/
-l admin - the user login; if you would like to try several logins, use -L instead and provide a text file with one user per line.
-P /usr/share/wordlists/rockyou.txt - the password list, one of the default password lists shipped with Kali Linux.
-f - exit after the first found login/password pair.
https-get-form - says which type of service (module) you will use.
Then you provide what the https-get-form request looks like: the path of the login page, the form fields with ^USER^ and ^PASS^ as placeholders for the username and password, and after F= the text the site returns when the login has failed (a colon inside this text must be escaped as \:). In this example, you first check how the site verifies the login request and then fill in these parts.
-w - the max wait time in seconds for responses (default: 30).
-t - the number of connects to run in parallel (default: 16).
-V - verbose mode.

SSH attack example:

hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://192.168.1.123

This attempts to log in as the root user using the password list /usr/share/wordlists/metasploit/unix_passwords.txt, with 6 parallel tasks, against the given SSH server ssh://192.168.1.123.

Vega

Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

This tool is not installed by default on Kali Linux but you can install it yourself and test.

It is similar to Paros and also works as a proxy, on localhost:8888.

[image: Vega screenshot]

w3af

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

This tool is also not installed by default on Kali Linux but you can install it yourself and test.

[image: w3af screenshot]

Summary

Of course, there are many more such tools and each of them has many options. These are just a few examples of how to start testing. Try each tool and test other options depending on the results obtained.
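Since each tool above writes its own output file, it helps to run a few of them in sequence and keep everything under one report directory. The following script is an added example, not code from the original post or from any of the tools: it wraps the WhatWeb, Nikto, Wapiti and DIRB commands shown above, assumes those tools are on PATH, and records one status line per tool in a summary.txt you can build the final report from. It records the commands without running them by default (DRY_RUN=1), so you can review them before anything is sent to the target.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): run several of the scanners
# listed above against one target, keep every tool's output under one report
# directory, and write a summary.txt that the final report can start from.
# Assumes the tools are on PATH; a missing tool is noted and skipped.
# DRY_RUN=1 (the default) only records the commands for review;
# set DRY_RUN=0 to actually scan.
set -u
DRY_RUN="${DRY_RUN:-1}"

# Command line for one tool, mirroring the commands shown in the post.
scan_cmd() {
  local tool="$1" target="$2" out="$3"
  case "$tool" in
    whatweb) echo "whatweb -a 3 $target --log-brief $out/whatweb.txt" ;;
    nikto)   echo "nikto -host $target -o $out/nikto.html" ;;
    wapiti)  echo "wapiti -u $target -m xss,sql -f html -o $out/wapiti" ;;
    dirb)    echo "dirb $target -r -o $out/dirb.txt" ;;
    *)       return 1 ;;   # unknown tool: caller skips it
  esac
}

# Run (or dry-run) each tool in turn; one status line per tool in summary.txt.
run_all() {
  local target="$1" out="$2" tool cmd rc
  mkdir -p "$out"
  : > "$out/summary.txt"
  for tool in whatweb nikto wapiti dirb; do
    cmd=$(scan_cmd "$tool" "$target" "$out") || continue
    if [ "$DRY_RUN" = 1 ]; then
      echo "$tool: dry-run: $cmd" >> "$out/summary.txt"
    elif ! command -v "$tool" >/dev/null 2>&1; then
      echo "$tool: not installed, skipped" >> "$out/summary.txt"
    else
      rc=0
      eval "$cmd" > "$out/$tool.log" 2>&1 || rc=$?
      echo "$tool: finished with exit code $rc" >> "$out/summary.txt"
    fi
  done
  cat "$out/summary.txt"
}

# Usage: DRY_RUN=0 ./webscan.sh http://example.com/ /var/tmp/webscan-example-com
if [ $# -ge 1 ]; then
  run_all "$1" "${2:-/var/tmp/webscan-$(date +%Y%m%d-%H%M%S)}"
fi
```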

Do not forget that these tools sometimes show false positive results.

If you are looking for easier ways to scan your page for vulnerability and overall quality check you may be also interested in website analysis.

If you know other interesting tools worth mentioning, let me know in the comments.