Web Security Testing with Kali Linux

Slide 1: Web Application Security Testing using Kali Linux

Gene Gotimer, Senior Architect
[email protected]

Copyright 2013 Coveros, Inc. All rights reserved.

Slide 2: About Coveros

Coveros helps organizations accelerate the delivery of business value through secure, reliable software.

Slide 3: Kali Linux

- Penetration Testing and Security Auditing Linux distribution
- New generation of BackTrack Linux
- Debian-based (Wheezy)
- Many install options:
  - i386, x86_64, ARM
  - Android devices
  - ISO and VMWare image
  - Installed, virtual, dual boot, live USB
  - PXE, mini ISO
- www.kali.org

Slide 4: Not for general use!

- Single user
  - Default user is root
  - Many of the tools need root anyway
  - Live images use toor as default root password
- Not recommended for Linux beginners
  - It is a pentesting and security auditing tool
  - Easy to mess up the system as root
  - Easy to attack your organization from within

Slide 5: Tool Categories

- Information Gathering
- Vulnerability Analysis
- Maintaining Access
- Reverse Engineering
- Web Applications
- Password Attacks
- Stress Testing
- Hardware Hacking
- Wireless Attacks
- Exploitation Tools
- Forensics
- Reporting Tools
- Sniffing/Spoofing

Slide 6: Top 10 Security Tools

- Aircrack-ng: wireless password cracking
- Burp Suite: web application proxy and security testing
- THC-Hydra: network password cracker
- John the Ripper: Unix and Windows password cracker
- Maltego: intelligence and forensics

Slide 7: Top 10 Security Tools (continued)

- Metasploit Framework: pentesting and exploitation tool
- Nmap: network discovery
- OWASP Zed Attack Proxy: web application scanner and proxy
- sqlmap: SQL injection detection and exploitation
- Wireshark: network protocol analyzer

Slide 8: Many more tools

- Hundreds of tools
- Supporting software
  - GUI front ends: Greenbone for OpenVAS, Armitage for Metasploit, Zenmap for Nmap
  - Updaters: Metasploit, OpenVAS
- Tools are integrated
  - OpenVAS runs Nikto2, Wapiti, Nmap, Arachni
  - Metasploit can run OpenVAS

Slide 9: Ways to Use Kali Linux

- Professional Penetration Testing
- Pentest Tool Suite
  - Install on a USB drive
  - Carry to the client site
  - All tools you need are available
- Forensic Information Gathering
  - Live boot into forensic mode
  - Doesn't touch the internal hard drive
  - No auto-mount of removable media
- Password Recovery

Slide 10: Ways for non-Pentesters to Use Kali Linux

- Tool catalog
  - Browse menus to find tools in any category
- Pre-installed tools
  - Try a tool to see if it meets your needs
  - Compare tools
- Occasional security tests
  - Don't have time/resources to maintain a security testing environment
- Exploitation software
  - Demonstrate vulnerabilities

Slide 11: OpenVAS

- Open-source fork of Nessus
- System vulnerability scanner and manager
- Daily feeds of Network Vulnerability Tests (NVTs)
- Scans scheduled or on-demand
- View results by host, by scan, deltas
- Overrides
  - False positives
  - Backported fixes

Slide 12: Nikto2

- Web server scanner
  - Not a web application scanner
  - Looks at Apache
- Command-line tool:
  nikto -h 192.168.56.101
- Runs in seconds to minutes
- Report is text-only to the screen

Slide 13: Wapiti

- Web application scanner
- Fuzzer
- Command-line tool:
  wapiti http://192.168.56.101/
- Runs in minutes to hours
- Report is text-only to the screen

Slide 14: skipfish

- Web application scanner
- Fuzzer, very fast with dictionaries
- Command-line tool:
  touch wordlist.wl
  skipfish -o /root/sf-20131205 \
    -S /usr/share/skipfish/dictionaries/minimal.wl \
    -W wordlist.wl http://192.168.56.101/
- Runs in minutes to hours
- Can be timeboxed (-k duration)
- Report is HTML
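The skipfish slide shows a one-off invocation; the script below, added here as an example and not part of the presentation, wraps the same invocation so a test run against your own application is repeatable: it checks the target is an http(s) URL, insists on a fresh dated output directory like the slide's /root/sf-20131205, creates the read-write wordlist that the slide's touch step provides for -W, and applies the -k timebox. Assumptions: skipfish is installed on the Kali host, the minimal.wl path from the slide exists, and skipfish's -k duration is written as h:m:s. The SKIPFISH_DICT, SKIPFISH_WORDLIST and DRY_RUN variables and the function names are this example's own, not skipfish options.

```shell
#!/bin/sh
# Added example, not from the slides: a repeatable, timeboxed skipfish run.
# Assumes skipfish is installed, the slide's minimal.wl dictionary exists, and
# that -k takes an h:m:s duration. Variables and function names are ours.

: "${SKIPFISH_DICT:=/usr/share/skipfish/dictionaries/minimal.wl}"  # -S, read-only dictionary
: "${SKIPFISH_WORDLIST:=wordlist.wl}"                                # -W, read-write wordlist

# valid_duration H:M:S -> succeeds only for a digits-and-colons h:m:s value
valid_duration() {
  case "$1" in
    *[!0-9:]*|*::*|:*|*:) return 1 ;;   # only digits and colons, no empty field
    *:*:*) ;;                           # at least two colons
    *) return 1 ;;
  esac
  rest=${1#*:}; rest=${rest#*:}
  case "$rest" in *:*) return 1 ;; esac  # reject a third colon
  return 0
}

# skipfish_cmd TARGET OUTDIR DURATION -> prints the command line it would run
skipfish_cmd() {
  target=$1; outdir=$2; duration=$3
  case "$target" in
    http://*|https://*) ;;
    *) echo "target must be an http(s) URL" >&2; return 1 ;;
  esac
  if [ -e "$outdir" ]; then
    echo "output dir $outdir already exists; use a fresh, dated directory per scan" >&2
    return 1
  fi
  valid_duration "$duration" || { echo "duration must be h:m:s, e.g. 0:30:00" >&2; return 1; }
  printf 'skipfish -o %s -S %s -W %s -k %s %s\n' \
    "$outdir" "$SKIPFISH_DICT" "$SKIPFISH_WORDLIST" "$duration" "$target"
}

# run_scan TARGET OUTDIR DURATION -> creates the wordlist file (the slide's
# "touch wordlist.wl" step) and runs skipfish unless DRY_RUN=1
run_scan() {
  cmd=$(skipfish_cmd "$1" "$2" "$3") || return 1
  echo "$cmd"
  [ "${DRY_RUN:-0}" = 1 ] && return 0
  touch "$SKIPFISH_WORDLIST"
  skipfish -o "$2" -S "$SKIPFISH_DICT" -W "$SKIPFISH_WORDLIST" -k "$3" "$1"
}

# Usage (matches the slide, with a 30-minute timebox):
#   ./sfscan.sh http://192.168.56.101/ /root/sf-20131205 0:30:00
if [ $# -ge 1 ]; then
  run_scan "$@"
fi
```

Set DRY_RUN=1 to print the assembled command without starting a scan; the output directory check keeps each run's HTML report separate, which makes comparing two scans of the same application straightforward.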

Slide 15: OWASP Zed Attack Proxy

- Web application scanner and proxy
- Proxy, fuzzers, scanners, spiders
- GUI interface
- Can generate XML and HTML reports
