Title Page
Copyright
Mastering Kali Linux for Web Penetration Testing
Credits
About the Author
About the Reviewers
www.PacktPub.com
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of this book
Errata
Piracy
Questions
Common Web Applications and Architectures
Common architectures
Standalone models
Three-tier models
Model-View-Controller design
Web application hosting
Physical hosting
Virtual hosting
Cloud hosting
Containers – a new trend
Application development cycles
Coordinating with development teams
Post deployment - continued vigilance
Common weaknesses – where to start
Web application defenses
Standard defensive elements
Additional layers
Summary
Guidelines for Preparation and Testing
Picking your favorite testing framework
Frameworks through a product
Train like you play
The EC-Council approach
The GIAC/SANS approach
The Offensive Security approach
Open source methodologies and frameworks
ISECOM's OSSTMM
ISSAF
NIST publications
OWASP's OTG
Keeping it legal and ethical
What is legal?
What is ethical?
Labbing - practicing what we learn
Creating a virtualized environment
Our penetration testing host
Creating a target-rich environment
Finding gullible servers
Unwitting clients
Summary
Stalking Prey Through Target Recon
The imitation game
Making (then smashing) a mirror with HTTrack
Making a stealthy initial archive
Tuning stealthier archives
Is the mirror complete and up-to-date?
Touring the target environment
Open source awesomeness
Open source Intel with Google and the Google hacking database
Tuning your Google search skills
Work smarter with the Google hacking DB and Netcraft
Mastering your own domain
Digging up the dirt
Digging record types
Getting fierce
Next steps with Nikto
Employing Maltego to organize
Being social with your target
Summary
Scanning for Vulnerabilities with Arachni
Walking into spider webs
Optimal Arachni deployment tips
An encore for stacks and frameworks
The Arachni test scenario
Profiles for efficiency
Creating a new profile
Scoping and auditing options
Converting social engineering into user input and mobile platform emulation
Fingerprinting and determining platforms
Checks (please)
Plugging into Arachni extensions and third-party add-ons
Browser clusters
Kicking off our custom scan
Reviewing the results
Summary
Proxy Operations with OWASP ZAP and Burp Suite
Pulling back the curtain with ZAP
Quick refresher on launching ZAP scans
Going active with ZAP
Passive ZAP scanning
Getting fuzzy with ZAP
Taking it to a new level with Burp Suite
Recon with Burp Suite
Stay on target!
Getting particular with proxy
Going active with Spider
Activating Burp Suite
Scanning for life (or vulnerabilities)
Passive scans are a no brainer
Active scanning – Use with care!
The flight of the intruder
Stop, enumerate, and listen!
Select, attack, highlight, and repeat!
Summary
Infiltrating Sessions via Cross-Site Scripting
The low-down on XSS types
Should XSS stay or should it go?
Location, location, and location!
XSS targeting and the delivery
Seeing is believing
Don't run with XSSer(s)!
Stored XSS with BeEF
Here, phishy phishy!
Let's go Metasploiting
Building your own payload
Every good payload needs a handler
Seal the deal – Delivering shell access
Metasploit's web-focused cousin – Websploit
Summary
Injection and Overflow Testing
Injecting some fun into your testing
Is SQL any good?
A crash course in DBs gone bad
Types of SQLI
In-band or classic SQLI
Blind SQLI
Stacked or compound SQLI
SQLI tool school
Old-school SQLI via browsers
Stepping it up with SQLMap
Cooking up some menu-driven SQLI with BBQSQL
SQLI goes high-class with Oracle
The X-factor - XML and XPath injections
XML injection
XPath injection
Credential Jedi mind tricks
Going beyond persuasion – Injecting for execution
Code injections
Overflowing fun
Commix - Not-so-funny command injections
Down with HTTP?
Summary
Exploiting Trust Through Cryptography Testing
How secret is your secret?
Assessing encryption like a pro
SSLyze - it slices, it scans…
SSLscan can do it!
Nmap has SSL skills too
Exploiting the flaws
POODLE – all bark, no bite (usually)
Heartbleed-ing out
DROWNing HTTPS
Revisiting the classics
Hanging out as the Man-in-the-Middle
Scraping creds with SSLstrip
Looking legit with SSLsniff and SSLsplit
SSLsniff
SSLsplit
Alternate MITM motives
Summary
Stress Testing Authentication and Session Management
Knock knock, who's there?
Does authentication have to be hard?
Authentication 2.0 - grabbing a golden ticket
The basic authentication
Form-based authentication
Digest-based authentication
Trust but verify
This is the session you are looking for
Munching on some cookies?
Don't eat fuzzy cookies
Jedi session tricks
Functional access level control
Refining a brute's vocabulary
Summary
Launching Client-Side Attacks
Why are clients so weak?
DOM, Duh-DOM DOM DOM!!
Malicious misdirection
Catch me if you can!
Picking on the little guys
Sea-surfing on someone else's board
Simple account takeovers
Don't you know who I am? Account creation
Trust me, I know the way!
I don't need your validation
Trendy hacks come and go
Clickjacking (bWAPP)
Punycode
Forged or hijacked certificates
Summary
Breaking the Application Logic
Speed-dating your target
Cashing in with e-commerce
Financial applications - Show me the money
Hacking human resources
Easter eggs of evil
So many apps to choose from…
Functional Feng Shui
Basic validation checks
Sometimes, less is more?
Forgery shenanigans
What does this button do?
Timing is everything
Reaching your functional limits
Do we dare to accept files?
Summary
Educating the Customer and Finishing Up
Finishing up
Avoiding surprises with constant contact
Establishing periodic updates
When to hit the big red button
Weaving optimism with your action plan
The executive summary
Introduction
Highlights, scoring, and risk recap
More on risk
Guidance - earning your keep
Detailed findings
The Dradis framework
MagicTree
Other documentation and organization tools
Graphics for your reports
Bringing best practices
Baking in security
Honing the SDLC
Role-play - enabling the team
Picking a winner
Plans and programs
More on change management
Automate and adapt
Assessing the competition
Backbox Linux
Samurai web testing framework
Fedora Security Spin
Other Linux pen test distros
What About Windows and macOS?
Summary