Web Application Security Testing using Kali Linux
Gene Gotimer, Senior Architect
[email protected]
Copyright 2013 Coveros, Inc. All rights reserved.

About Coveros
- Coveros helps organizations accelerate the delivery of business value through secure, reliable software

Kali Linux
- Penetration testing and security auditing Linux distribution
- New generation of BackTrack Linux
- Debian-based (Wheezy)
- Many install options: i386, x86_64, ARM; Android devices; ISO and VMware image; installed, virtual, dual boot, live USB; PXE, mini ISO
- www.kali.org

Not for general use!
- Single user: the default user is root (many of the tools need root anyway)
- Live images use toor as the default root password
- Not recommended for Linux beginners
- It is a pentesting and security auditing tool
- Easy to mess up the system as root
- Easy to attack your organization from within

Tool categories (partial list)
- Exploitation Tools
- Forensics
- Reporting Tools
- Sniffing/Spoofing

Top 10 Security Tools
- Aircrack-ng: wireless password cracking
- Burp Suite: web application proxy and security testing
- THC-Hydra: network password cracker
- John the Ripper: Unix and Windows password cracker
- Maltego: intelligence and forensics
- Metasploit Framework: pentesting and exploitation tool
- Nmap: network discovery
- OWASP Zed Attack Proxy: web application scanner and proxy
- sqlmap: SQL injection detection and exploitation
- Wireshark: network protocol analyzer

Many more tools
- Hundreds of tools
- Supporting software: GUI front ends (Greenbone for OpenVAS, Armitage for Metasploit, Zenmap for Nmap); updaters (Metasploit, OpenVAS)
- Tools are integrated: OpenVAS runs Nikto2, Wapiti, Nmap and Arachni; Metasploit can run OpenVAS

Ways to Use Kali Linux
- Professional penetration testing
- Pentest tool suite: install on a USB drive, carry it to the client site, and all the tools you need are available
- Forensic information gathering: live boot into forensic mode; doesn't touch the internal hard drive; no auto-mount of removable media
- Password recovery

Ways for non-Pentesters to Use Kali Linux
- Tool catalog: browse the menus to find tools in any category
- Pre-installed tools: try a tool to see if it meets your needs; compare tools
- Occasional security tests: when you don't have the time/resources to maintain a security testing environment
- Exploitation software: demonstrate vulnerabilities

OpenVAS
- Open-source fork of Nessus
- System vulnerability scanner and manager
- Daily feeds of Network Vulnerability Tests (NVTs)
- Scans scheduled or on-demand
- View results by host, by scan, or as deltas between scans
- Overrides: false positives, backported fixes

Nikto2
- Web server scanner, not a web application scanner: looks at Apache
- Command-line tool: nikto -h 192.168.56.101
- Runs in seconds -> minutes
- Report is text-only to the screen
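Because Nikto only prints its report to the screen, keeping the findings as records that can be triaged and compared between scans means capturing that text and parsing it. The parser below is an added example, not part of the deck or of Nikto itself; the sample report is constructed to mimic Nikto's console format, and the "reference: path: message" layout of finding lines is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on Nikto's console format; not output from a real scan.
SAMPLE_NIKTO_OUTPUT = """\
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Start Time:         2013-12-05 10:00:00 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2013-12-05 10:00:30 (GMT-5) (30 seconds)
"""

HEADER_KEYS = ("Target IP", "Target Hostname", "Target Port", "Server", "Start Time", "End Time")
# Finding lines: "+ [OSVDB-nnnn: ][/path: ]message" (layout assumed from Nikto's console output)
FINDING_RE = re.compile(r"^\+ (?:(?P<ref>OSVDB-\d+): )?(?:(?P<path>/\S*): )?(?P<msg>.+)$")
SUMMARY_RE = re.compile(r"^\+ \d+ items checked:")

@dataclass
class Finding:
    ref: Optional[str]   # Nikto's reference id, when it attached one
    path: Optional[str]  # URL path the check hit, when present
    message: str

def parse_nikto(text: str) -> Tuple[Dict[str, str], List[Finding]]:  # (metadata, findings)
    meta: Dict[str, str] = {}
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.startswith("+ "):
            continue  # banner and separator lines carry no findings
        key, sep, value = line[2:].partition(":")
        if sep and key in HEADER_KEYS:
            meta[key] = value.strip()
        elif SUMMARY_RE.match(line):
            meta["Summary"] = line[2:]
        else:
            m = FINDING_RE.match(line)
            findings.append(Finding(m.group("ref"), m.group("path"), m.group("msg")))
    return meta, findings

if __name__ == "__main__":  # usage: nikto -h 192.168.56.101 | python nikto_parse.py
    import sys
    for f in parse_nikto(sys.stdin.read())[1]:
        print(f"{f.ref or '-':>11} {f.path or '-':<20} {f.message}")
```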
Wapiti
- Web application scanner
- Fuzzer
- Command-line tool: wapiti http://192.168.56.101/
- Runs in minutes -> hours
- Report is text-only to the screen

skipfish
- Web application scanner
- Fuzzer, very fast with dictionaries
- Command-line tool (the -W wordlist must already exist, so it is created empty first; skipfish appends learned words to it):
    touch wordlist.wl
    skipfish -o /root/sf-20131205 \
        -S /usr/share/skipfish/dictionaries/minimal.wl \
        -W wordlist.wl http://192.168.56.101/
- Runs in minutes -> hours
- Can be timeboxed (-k duration)
- Report is HTML

OWASP Zed Attack Proxy
- Web application scanner and proxy
- Proxy, fuzzers, scanners, spiders
- GUI interface
- Can generate XML and HTML reports