Web Penetration Testing: Step-By-Step Guide
Ebook, 207 pages, 1 hour


About this ebook

This guide is considered entry-to-medium level in website and web application penetration testing. It is a good starting point for those who want to start their career as web application penetration testers or security analysts. The book would also be valuable to information security managers, systems administrators, web administrators and web developers who would like to understand the tools hackers use and the threats they pose to websites.

This book contains step-by-step guides to 32 web penetration tests, all tested on the latest Kali Linux version, 2020.1. It includes clear screenshots and easy-to-follow steps for most website hacking techniques, such as website information gathering, DNS hijacking attacks, HTTP and HTTPS interception and decryption, Cross-Site Scripting (XSS), SQL injection and more.
The book can also be used as a reference guide for website and web application penetration testers.

About the Author
Radhi Shatob is a certified information security consultant who currently provides consultations and training in information security management and penetration testing, has over 20 years' experience in information technology, and has led many information security programs in the telecom, financial and oil sectors.

Language: English
Release date: Apr 1, 2020
ISBN: 9781922405364

    Book preview

    Web Penetration Testing - Radhi Shatob

    Chapter 1: Lab setup

    All the exercises will be done in a virtual environment on the student's laptop, using VirtualBox on a Windows 10 or Mac host. In order to do all exercises comfortably the laptop should have enough RAM, CPU and disk space. Kali Linux will be the main attacker virtual machine. The victim machines will be normal Windows 10 and Windows 8 Pro machines, plus the Metasploitable machine, which is a vulnerable Linux server, and the OWASP virtual machine, another Linux server meant specifically for testing web servers.

    Laptop minimum requirement

    In the book all exercises and tests will be performed on the user's laptop, so in order to run all labs smoothly the laptop should meet the following requirements:

    CPU: Core i5 or similar

    RAM: 8G (16G is recommended)

    Disk space: 120G

    VirtualBox

    VirtualBox is an open source virtualization platform provided by Oracle that works on Windows, Mac and Linux. In this training we are going to use VirtualBox as our main virtualization platform; it will host the virtual machines on which we are going to practice penetration testing.

    VirtualBox installation:

    Go to https://www.virtualbox.org/ and download the latest version of the VirtualBox software.

    From the same page also download the VirtualBox Extension Pack.

    Run the VirtualBox installer.

    Run the VirtualBox Extension Pack installer.

    After the VirtualBox installation completes, create a new NAT network:

    Open VirtualBox and go to File > Preferences > Network

    Add NatNetwork

    Virtual machine installation

    The lab we are going to use will be set up inside VirtualBox and will contain 3 VMs:

    Attacker machine: Kali Linux

    Victim machine: Windows 10

    Vulnerable web sites: the Metasploitable and OWASP virtual machines, both based on Linux

    Kali Linux

    Kali Linux is an open source Debian-based Linux distribution maintained and funded by Offensive Security, a provider of information security training and penetration testing services. Kali contains several hundred tools used for information security tasks such as penetration testing, security research, computer forensics and reverse engineering.

    Download the Kali Linux VirtualBox VM from

    https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/

    The Kali Linux VirtualBox 64-bit .ova file is a ready-made virtual machine. After the download finishes:

    Right-click the .ova file and open it with VirtualBox.

    Set the name for the new Kali VM and its CPU and RAM, then click Import.

    Size the Kali VM's RAM according to your host's RAM: for example, if your host has 8G, give Kali 4G; if your host has 16G, give Kali 8G, which is the recommended configuration to run Kali smoothly without problems.

    Note: those who are familiar with previous versions of Kali Linux will find Kali 2020 different: there is no default root access any more, and sudo must be used to run any privileged command.

    Start the new Kali machine and log in as

    User: kali

    Password: kali

    Update the Kali machine

    Open a terminal and type

    sudo apt-get update

    sudo apt-get upgrade (depending on the internet speed the upgrade may take a long time to finish)

    Metasploitable Linux Virtual Machine 

    Metasploitable is a vulnerable Linux distribution made by Rapid7. It contains several vulnerabilities and is designed for penetration testers to practice hacking against. Rapid7 offers it for free to the penetration testing community; you just need to register with Rapid7 and then download the Metasploitable virtual machine. This is going to be one of the victim machines we will try to hack.

    You can download Metasploitable from the following link: https://information.rapid7.com/metasploitable-download.html 

    To install Metasploitable in VirtualBox:

    In VirtualBox click New.

    Give it a name, Type = Linux, Version = Ubuntu (64-bit)

    Click Next, give it 512M or 1G of RAM, then Next

    Choose "Use an existing virtual hard disk file"

    Go to the Metasploitable file location and choose the .vmdk file

    OWASP Broken Web Apps virtual machine

    The OWASP Broken Web Applications (BWA) Project produces a virtual machine running a variety of applications with known vulnerabilities, for those interested in:

    Learning about web application security

    Testing manual assessment techniques

    Testing automated tools

    Testing source code analysis tools

    Observing web attacks

    Testing WAFs and similar code technologies

    You can download the OWASP Broken Web Apps VM from the following page: https://sourceforge.net/projects/owaspbwa/files/1.2/

    Download OWASP_Broken_Web_Apps_VM_1.2.ova

    Right-click OWASP_Broken_Web_Apps_VM_1.2.ova and open it with VirtualBox, then import the virtual machine.

    Put the OWASP VM in the NAT network.

    Start the OWASP VM and log in with user root and password owaspbwa.

    Go to the Kali machine, open the web browser and enter the OWASP VM's IP address in your lab environment.

    You should get the OWASP web page.

    Windows Virtual machines

    The procedures below explain the installation of different Windows virtual machines to use in the penetration testing exercises. In this book we only need a Windows 10 virtual machine. However, Microsoft makes many of its operating systems available as virtual machines for testing purposes, with a 180-day license key.

    We will also install a normal Windows 10 machine as a victim; we will be running our attacks against this machine.

    Microsoft has released several Windows virtual machines that can be downloaded from the following link (make sure you select Windows 10 Stable and VirtualBox):

    https://developer.microsoft.com/en-us/microsoft-edge/tools/vms

    Download the Win10 .ova file.

    Right-click the file and choose open with VirtualBox.

    Agree to the import settings.

    For Windows Server 2012 R2, download the 180-day evaluation copy from the Microsoft site.
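    The whole Chapter 1 build (the NAT network, the Kali and OWASP BWA imports, and the Metasploitable VM created around its .vmdk) as one VBoxManage script, added here as an example; it is not the book's own material, which uses the VirtualBox GUI for every step. The file paths and the NAT subnet are assumed placeholders, and with the default DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: the Chapter 1 lab built with VBoxManage instead of the VirtualBox GUI.
# Assumed values (not from the book): the file paths and the NAT subnet below.
set -eu

NATNET="NatNetwork"                           # name added under File > Preferences > Network
NATCIDR="10.0.2.0/24"                         # assumed subnet for the NAT network
KALI_OVA="${KALI_OVA:-./kali-2020.1.ova}"     # placeholder path to the Kali VirtualBox .ova
OWASP_OVA="${OWASP_OVA:-./OWASP_Broken_Web_Apps_VM_1.2.ova}"
MSF_VMDK="${MSF_VMDK:-./Metasploitable.vmdk}" # placeholder path to the Metasploitable disk
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print the commands instead of running them

# Kali gets half of the host RAM, as the book recommends (8G host -> 4G, 16G host -> 8G).
kali_ram_mb() { echo $(( $1 / 2 )); }

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The NAT network all three VMs share (the "Add NatNetwork" step).
create_natnet() {
    run VBoxManage natnetwork add --netname "$NATNET" --network "$NATCIDR" --enable --dhcp on
}

# Import a ready-made .ova (Kali, OWASP BWA): $1 name, $2 ova path, $3 RAM in MB, $4 CPUs,
# then attach the first NIC to the NAT network.
import_vm() {
    run VBoxManage import "$2" --vsys 0 --vmname "$1" --memory "$3" --cpus "$4"
    run VBoxManage modifyvm "$1" --nic1 natnetwork --nat-network1 "$NATNET"
}

# Metasploitable ships as a .vmdk, so create a Linux / Ubuntu 64-bit VM around the existing disk.
create_from_vmdk() {
    run VBoxManage createvm --name "$1" --ostype Ubuntu_64 --register
    run VBoxManage modifyvm "$1" --memory "$3" --nic1 natnetwork --nat-network1 "$NATNET"
    run VBoxManage storagectl "$1" --name IDE --add ide
    run VBoxManage storageattach "$1" --storagectl IDE --port 0 --device 0 --type hdd --medium "$2"
}

# Build everything; the argument is the host's RAM in MB.
build_lab() {
    create_natnet
    import_vm "Kali-2020.1" "$KALI_OVA" "$(kali_ram_mb "$1")" 2
    import_vm "OWASP-BWA" "$OWASP_OVA" 1024 1
    create_from_vmdk "Metasploitable" "$MSF_VMDK" 512
}

# Usage: DRY_RUN=0 sh lab.sh 16384   (omit DRY_RUN=0 to only print the commands)
if [ $# -ge 1 ]; then build_lab "$1"; fi
```

The Windows 10 victim can be imported the same way with import_vm once its .ova has been downloaded.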

    Chapter 2: Introduction to Penetration Testing

    What is Penetration Testing (Pen-test)?

    Penetration testing is the simulation of an attack on an IT system with the intention of finding security weaknesses and determining how the system reacts to these attacks.

    Wikipedia definition of penetration testing: a pentest is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to its functionality and data.

    CISSP definition of penetration testing: "A pentest can determine how a system reacts to an attack, whether or not the system's defenses can be breached, and what information can be acquired from the system."

    Cyber Security Tests and Audits

    From a cyber security point of view, we can classify cyber security tests and audits into three types:

    Security audits: a checklist of best practices.

    Vulnerability assessments: identifying the security holes.

    Penetration Tests.

    Security Audits

    A computer security audit is a manual or systematic, measurable technical assessment. Security audits include:

    Checking systems configuration for best practices.

    Interviewing staff to determine the level of security awareness of the staff.

    Reviewing application and operating systems access controls.

    Analysis of physical access to the systems.

    Security audits should be performed with administrative privileges.

    Security audit best practices

    Security audit best practices can be found in the information security standards and controls published by many organizations around the world. Below is a list of well-known information security organizations that publish and keep updated information security best practices, controls, checklists and tools to help organizations achieve the best cyber defense.

    Here is a list of some of these organizations, with links to their websites where the security control documents and tools can be obtained. All of these organizations offer their documents and tools for free, except ISO, which charges a fee for its standard documents.

    Center for Internet Security (CIS) (https://www.cisecurity.org/)

    US National Institute of Standards and Technology (NIST) (https://nvd.nist.gov/ncp/repository)

    International Organization for Standardization (ISO/IEC 27000 family – Information security management systems) https://www.iso.org/isoiec-27001-information-security.html

    PCI Security Standards Council, which publishes the Payment Card Industry Data Security Standard (PCI DSS) https://www.pcisecuritystandards.org/

    Vulnerability Assessment

    Vulnerability assessment is the process of defining, identifying and classifying security vulnerabilities in an IT system.

    Vulnerability types:

    Authentication Vulnerability.

    Authorization Vulnerability.

    Input Validation Vulnerability.

    The main difference between a vulnerability assessment and penetration testing is that in a vulnerability assessment no exploitation or post-exploitation is done, so you don't know whether a finding is a false positive or a true positive.

    Vulnerability Assessment Steps:

    Identifying assets and building asset inventory.

    Categorizing assets into groups.

    Scanning assets for vulnerabilities.

    Ranking risks.

    Patch Management.

    Follow-up remediation scans

    Vulnerability Assessment Tools:

    Qualys

    Nessus – Tenable Security (they have free
