Kali Linux is an advanced penetration testing Linux distribution used for penetration testing, ethical hacking and network security assessments. In this article I will show you some of its tools with basic examples.
You can use the following knowledge for further education or to check the security of your website. The following tools should be used only where you have permission or in your own test environment.
If you are starting as a bug bounty hunter this can be interesting for you. Everyone has to start somewhere :)
(image: methodology diagram, source: Craw)
Tools
Most of the tools described below correspond to the methodology presented in the picture. Using these tools, you can collect relevant information about the page you are checking, then analyze the collected information and plan how to use it, find vulnerabilities and perform tests. Each tool allows you to save the results of its run, and at the end you can create a summary report.
I will not go into details. I will only show which tools to use and how. So let’s start.
WhatWeb
WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
It is a great example of information gathering about a given website.
whatweb -a 3 http://example.com/ --log-brief /var/tmp/whatweb-example-com
Nikto
Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.
It can be used for information gathering and vulnerability detection.
nikto -host http://example.com/ -o /var/tmp/nikto-example-com.html
OWASP ZAP
The OWASP Zed Attack Proxy (ZAP) can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing.
This tool has a graphical interface. We give it the address of the page to be scanned and wait for the result.
The tool will first scan the page and then analyze it. When the scan is finished, we will get the results sorted into categories from the smallest to the largest threats.
Arachni
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.
The tool has a web interface but you can also run it from the console.
arachni http://example.com/ --output-only-positives --report-save-path=/var/tmp/arachni-example-com
Skipfish
Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
skipfish -o /var/tmp/skipfish-example-com http://example.com/ -W
Wapiti
Wapiti allows you to audit the security of your websites or web applications. It performs “black-box” scans (it does not study the source code) of the web application by crawling the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets the list of URLs, forms and their inputs, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
wapiti -u http://example.com/ -m "backup,blindsql,buster,crlf,delay,exec,file,htaccess,methods,nikto,permanentxss,shellshock,sql,ssrf,xss" --scope page --color -d 5 -v 2 -f html -o /var/tmp/wapiti-example-com
Some useful parameters:
--flush-session - discards the previous session and crawls the URLs again
-m "xss,sql" - selects the modules to run
--list-modules - lists the modules that can be selected
DirB
DIRB is a web content scanner. It looks for existing (and/or hidden) web objects. It basically works by launching a dictionary-based attack against a web server and analyzing the responses. DIRB comes with a set of preconfigured attack wordlists for easy usage, but you can use your custom wordlists. DIRB can also sometimes be used as a classic CGI scanner, but remember it is a content scanner, not a vulnerability scanner.
dirb http://example.com/ -r -o /var/tmp/dirb-example-com
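Seen from the server side, DIRB, Nikto and the other crawlers above all leave the same trace: a burst of requests for paths that do not exist, often with a recognisable User-Agent. The following detector is an added example written for this article (not code from any of those tools): it reads Apache "combined" access-log lines constructed inline and flags clients by scanner User-Agent and by 404 bursts. The log format, the User-Agent substrings and the thresholds are assumptions to adapt to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format (assumed; adjust the regex for other formats)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Names often seen in the scanners' default User-Agents (assumption: operators can change the UA).
SCANNER_UA = ("nikto", "whatweb", "wapiti", "arachni", "skipfish", "dirb")

def detect_content_scan(lines, min_404=5, window_s=60):
    """Return {ip: [reasons]} for clients that look like dictionary-based content scanners."""
    by_ip = defaultdict(list)
    for m in filter(None, map(LOG_RE.match, lines)):
        by_ip[m["ip"]].append(m)
    findings = {}
    for ip, hits in by_ip.items():
        reasons = []
        tools = sorted({t for m in hits for t in SCANNER_UA if t in m["ua"].lower()})
        if tools:
            reasons.append("scanner user-agent: " + ",".join(tools))
        # A dictionary scan produces a burst of 404s for paths that do not exist: sliding window.
        nf = sorted(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z") for m in hits if m["status"] == "404")
        for i in range(len(nf)):
            j = i
            while j < len(nf) and (nf[j] - nf[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= min_404:
                reasons.append(f"{j - i} x 404 within {window_s}s")
                break
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample log (not from a real server): one normal visitor and one scanning client.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:03 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.9 - - [10/Oct/2023:13:56:{i:02d} +0000] "GET /{p} HTTP/1.1" 404 200 "-" "Nikto/2.1.6"'
    for i, p in enumerate(["admin/", "backup.zip", "cgi-bin/", "phpmyadmin/", ".git/HEAD", "config.bak"])
]

if __name__ == "__main__":
    for ip, why in detect_content_scan(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

The 404-burst rule is the one to rely on: a scanner's User-Agent can be changed, but a wordlist run cannot avoid asking for paths that are not there.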
Sqliv
Sqliv is a massive SQL injection scanner. It supports scanning multiple domains found through SQL injection dorks on Bing, Google or Yahoo, targeted scanning of a specific domain (with crawling), and reverse domain scanning.
sqliv -t http://example.com/ -o /var/tmp/sqliv-example-com
Example of a dork scan using Bing:
sqliv -d "inurl:index.php?id=" -e bing
It simply searches for websites matching the given dork and scans the results one by one.
WPScan
WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.
wpscan --url http://example.com/ -e -U -o /var/tmp/wpscan-example-com
Paros
A Java-based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
The tool has a graphical interface. To scan a page, configure the web browser to work through the program's proxy: set localhost:8080 as the proxy in the web browser. Then run Paros and, in the browser, go to the page you want to analyze. The program will display the visited website. Click on it and select Analyze -> Scan.
If you would like to switch easily between various proxies in your web browser, you can install the FoxyProxy Standard plug-in.
jSQL Injection
jSQL Injection is a Java application for automatic SQL database injection. The tool has a graphical interface.
An address vulnerable to an attack is required. This address can be obtained from previously discussed tools, e.g. Sqliv.
Grabber
Grabber is a web application scanner. Basically, it detects some kinds of vulnerabilities in your website. Grabber is simple, not fast, but portable and really adaptable. This software is designed to scan small websites such as personal sites, forums etc., absolutely not big applications: it would take too long and flood your network.
grabber --spider 1 --sql --xss --backup --url http://example.com/
Hydra
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.
To understand the syntax of the example command, you have to understand the program itself.
The following command launches a dictionary attack on a login form.
hydra http://example.com/ -l admin -P /usr/share/wordlists/rockyou.txt -f https-get-form "/some_part_of_address/LoginPage:User=^USER^&Password=^PASS^&Action=Login:F=Error: Bad credentials" -t 64 -w 8 -V
http://example.com/ - the attacked website.
-l admin - the user login admin. If you would like to try a few logins, use the parameter -L and provide a text file with one user per line.
-P /usr/share/wordlists/rockyou.txt - the password list, one of the default password lists in Kali Linux.
-f - exit after the first found login/password pair.
https-get-form - says which type of service you will use. Then you provide what the http-get-form request looks like: in this example you check how the site is verifying the login request and provide the variables ^USER^ for the username and ^PASS^ for the password. The :F= part defines the text that appears when the login has failed.
-w 8 - defines the max wait time in seconds for responses (default: 30).
-t 64 - run TASKS number of connects in parallel (default: 16).
-V - verbose mode.
SSH attack example:
hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://192.168.1.123
Attempt to log in as the root user using the password list /usr/share/wordlists/metasploit/unix_passwords.txt with 6 threads on the given SSH server ssh://192.168.1.123.
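Both hydra runs above are visible to the target in its own logs: the SSH attempt as a run of "Failed password" lines in auth.log, and the https-get-form attempt as repeated GETs to the login page, credentials included, because that form sends them in the query string. The following detector is an added example written for this article (not part of hydra or Kali): it extracts (source IP, user, time) from constructed auth.log and access-log lines and reports sources that exceed a threshold of attempts within a time window. The log formats, the login path, the "User" parameter name, the year for syslog timestamps and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse
# sshd failures in auth.log (syslog timestamps carry no year, so one is assumed below)
SSH_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
                    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')
# access-log GET requests; the login form carries User=/Password= in the query like the hydra example
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<url>\S+) ')

def ssh_event(line, year=2023):
    m = SSH_RE.match(line)
    if not m:
        return None
    return m["ip"], m["user"], datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")

def form_event(line, login_path="/LoginPage", user_param="User"):
    m = WEB_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    if not url.path.endswith(login_path):
        return None
    user = parse_qs(url.query).get(user_param, ["?"])[0]
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return m["ip"], user, ts

def bruteforce_sources(events, threshold=5, window_s=60):
    """{(ip, user): n} for every source that made >= threshold attempts within window_s seconds."""
    by_key = defaultdict(list)
    for ev in filter(None, events):
        by_key[ev[:2]].append(ev[2])
    hits = {}
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                hits[key] = j - i
                break
    return hits

# Constructed sample logs (not from real systems): one password-guessing source in each.
AUTH_LOG = [f"Oct 10 14:00:{i:02d} host sshd[1234]: Failed password for root from 192.168.1.50 port 5{i:04d} ssh2"
            for i in range(6)] + ["Oct 10 14:05:00 host sshd[1240]: Accepted publickey for alice from 10.0.0.5 port 50001 ssh2"]
ACCESS_LOG = [f'203.0.113.9 - - [10/Oct/2023:14:10:{i:02d} +0000] "GET /app/LoginPage?User=admin&Password=pw{i}&Action=Login HTTP/1.1" 200 300 "-" "Mozilla/5.0"'
              for i in range(8)] + ['10.0.0.5 - - [10/Oct/2023:14:10:30 +0000] "GET /app/LoginPage?User=alice&Password=x&Action=Login HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
```

The web detector counts attempts rather than failures, since an access log does not show the "Error: Bad credentials" body that hydra matches on; a burst of guesses for one user from one address is the signal either way.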
Vega
Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
This tool is not installed by default on Kali Linux but you can install it yourself and test.
It is similar to Paros and also works as a proxy on localhost:8888.
w3af
w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
This tool is also not installed by default on Kali Linux but you can install it yourself and test.
Summary
Of course, there are many more such tools and each of them has many options. These are just a few examples of how to start testing. Try each tool and test other options depending on the results obtained.
Do not forget that these tools sometimes show false positive results.
If you are looking for easier ways to scan your page for vulnerability and overall quality check you may be also interested in website analysis.
If you know other interesting tools worth mentioning, let me know in the comments.