Do You Need to Know Programming to Learn Penetration Testing

Penetration testing can help you improve both the security and quality of your product. It's a complex yet creative process where you must understand what you're doing and why you're doing it.

At Apriorit, we have a team of experienced penetration testing professionals who can help you find the weak spots in your software product. When working on our clients' projects, we often offer to conduct penetration testing, which we consider a necessary part of security testing. In this article, we focus on Kali Linux, a Linux distribution that's helpful in handling different penetration testing tasks, from gathering data about a product to testing its performance with a stress test.

Apriorit expert Oleg Gordiyenko shares his experience in penetration testing with Kali Linux. We talk about using Kali Linux for improving product security and provide a brief overview of the most popular tools preinstalled in this operating system. Keep in mind that the final choice of penetration testing tools and approaches will fully depend on the specifics of your project, including the architecture of the product under test.

Note: Many of the tools mentioned in this article should only be used for penetration testing for research purposes.

Contents:

A few words about Kali Linux

Gathering information

Analyzing vulnerabilities

Sniffing and spoofing traffic

Stress testing

Pentesting of web applications

Conclusion

A few words about Kali Linux

Kali Linux is a Debian-derived distribution of the popular Linux operating system. With the help of Kali, penetration testing becomes much easier. Advanced users can use Kali for running information security tests to detect and fix possible vulnerabilities in their programs.

One of the main distinctive features of Kali Linux is that this system has been ported to the ARM architecture. As a result, Kali can be installed not only on desktops and laptops but also on Android-based smartphones.

Kali Linux is an incredibly powerful tool for penetration testing that comes with over 600 security utilities, including such popular solutions as Wireshark, Nmap, Armitage, Aircrack, and Burp Suite.

During penetration testing, you should pay special attention to various issues and possible attack vectors. In this article, we take a closer look at the four stages of testing a product's information security (see Figure 1):

  • Gathering information
  • Analyzing vulnerabilities
  • Sniffing and spoofing traffic
  • Stress testing


Figure 1. Key penetration testing stages

We'll list the most useful tools for each of these stages and provide a brief overview of each tool. You can find a full list of Kali Linux tools on the official website.

Let's begin with the first task and see what Kali Linux tools are most helpful for collecting information about the product or system under test.

Gathering information

When starting penetration testing of a product, the first thing you need to do is gather as much information about the system as you can. This stage allows you to see if the system under test can be investigated from the outside and if potential attackers could extract any critical data.

For instance, information about technologies, ports, protocols, software versions, entry points, and product architecture may significantly increase the chance of an attack's success. Your goal is to protect this information, or at the very least to make it extremely difficult for a potential attacker to extract such information from your product.

Judging from our experience, up to 20 percent of critical vulnerabilities can be detected at the information gathering stage, when the impact on the system under test isn't as significant as at other stages of penetration testing.

Let's take a closer look at the tools that will be most helpful for investigating your product's information security and collecting valuable data about the tested product.

1. Amap

To see a list of applications running on a specified port, consider using the Amap scanner. This tool can also be used for identifying non-ASCII based applications.

Amap establishes a connection with specified ports and sends them trigger packets. Usually, trigger packets are application protocol handshakes. After sending the packets, Amap looks for matches in the response strings.

Amap supports several types of protocols: TCP, UDP, binary, regular, and SSL-enabled ASCII protocols.

The Amap package includes two tools:

  • amapcrap – a tool for sending random data to silent UDP, TCP, and SSL ports in order to trigger an unexpected response
  • amap – an application mapper for identifying applications running on a specific port

Amap is a nice scanner and has lots of options that can be used during penetration testing. However, there's another tool called Nmap that works better for finding a host and scanning open ports, and it's easier to use. We describe Nmap below.

2. DNSMap

Testers frequently use DNSMap to check infrastructure security and gather data about domain names, IP netblocks, subdomains, and so on. This utility can also be used for subdomain brute-forcing at the enumeration stage. This method is especially helpful when other domain brute-forcing methods, such as zone transfer, don't bring the desired results.

3. Network Mapper (Nmap)

Network Mapper (Nmap) is a popular open-source utility for penetration testing and security testing. It can also be used for inventorying a network, monitoring host and service uptimes, and managing service upgrade schedules.

Nmap uses raw IP packets to get detailed information on the hosts available on a network: services they offer, operating systems they run, packet filters and firewalls they implement, and more. In addition to the classic command-line Nmap, there are several additional tools such as a results viewer (Zenmap) and a tool for comparing scan results (Ndiff).

Nmap is compatible with all popular operating systems and has official binary packages for Windows, Linux, and macOS.

Nmap is one of the most popular tools for host and network scanning. Its main benefits are its speed, universality, and efficiency. So if you're not sure where to start, go with Nmap.

4. theHarvester

If you want to see what kind of information an attacker can get on your organization, try using theHarvester. With the help of this tool, you can gather data including:

  • SHODAN computer databases
  • employee names
  • email addresses
  • hostnames
  • subdomains
  • open ports

theHarvester is easy to use and, at the same time, quite effective at the early stages of penetration testing. It can also be used for checking what kind of information about your company can be found on the internet.

5. Load Balancing Detector (lbd)

To see if your website is prone to DDoS attacks, consider using the Load Balancing Detector (lbd). Load balancing refers to the distribution of intensive loads across multiple servers. With the help of lbd, you can check if a domain under test uses DNS and HTTP load balancing. This tool also provides you with detailed data on found servers.

6. Arp-scan

To scan your network traffic, you can use arp-scan, a tool that scans networks with layer-2, MAC, and Ethernet ARP packets. Using arp-scan, you can send ARP packets to specified hosts on your local network and see the responses.

With the help of arp-scan, you can:

  • Send ARP packets to any number of hosts, using a configurable packet rate and output bandwidth. This is helpful for system discovery, especially when you need to scan large address spaces.
  • Construct the outgoing ARP packets in a flexible way. Using arp-scan, you can control all fields in both the ARP packet and the Ethernet frame header.
  • Decode and display the received ARP packets.

Plus, with the help of the arp-fingerprint tool, you can fingerprint a specified target host.

7. SMBMap

SMBMap is a tool for enumerating shared Samba drives across a domain. It can list shared drives and show their content and current drive permissions. SMBMap also has upload/download functionality, can automatically download files whose names match a specified pattern, and can even execute commands remotely.

The main goal of SMBMap is to simplify the discovery of sensitive and potentially vulnerable information across large networks.

8. SSLsplit

SSLsplit is a popular tool for penetration testing and network forensics. It can conduct man-in-the-middle (MITM) attacks against network connections encrypted with SSL/TLS. SSLsplit can transparently intercept and redirect connections. After terminating the original SSL/TLS connection, SSLsplit initiates a new connection to the original destination address and logs all data transmitted.

SSLsplit supports plain TCP and SSL as well as HTTP/HTTPS connections via IPv4 and IPv6. For SSL and HTTPS connections, it can generate and sign forged X509v3 certificates on the fly.

By default, SSLsplit depends on OpenSSL, libpcap, libevent 2.10, libnet 1.1.x, and other libraries. As an experimental feature, SSLsplit generically supports the STARTTLS mechanism.

Now, let's talk about some of the most popular and useful Kali Linux tools for vulnerability analysis.

Analyzing vulnerabilities

Vulnerability assessment is one of the most important stages of penetration testing. Analyzing vulnerabilities is quite similar to gathering information, but this time we have a very specific goal: to find the weaknesses that can be successfully exploited by an attacker. This stage plays a crucial part in penetration testing because, in most cases, vulnerabilities are what make your system or product prone to cyberattacks.

Mastering one or two effective vulnerability assessment tools will bring you more benefit than trying to use dozens of tools simultaneously. To make the choice a bit easier, we list eight of the most widely used Kali Linux tools for detecting vulnerabilities in systems under test.


1. APT2

APT2 is a popular tool set for automated penetration testing. It performs Nmap scanning and can import the scanning results from other tools including Nexpose, Nessus, and Nmap. APT2 uses the processed results to launch exploit and enumeration modules according to the enumerated service data and configurable Safe Level.

APT2 stores all received module results on a local host and adds them to the general knowledge base. Users can access APT2's knowledge base from within the application and use it to see the results received from an exploit module.

One of the main advantages of APT2 is that it's highly flexible and, thanks to the configurability of the Safe Level, enables granular control over its behavior. This tool is easy to use and has detailed documentation, although updates aren't frequent: the last update was released in March 2018.

2. BruteXSS

BruteXSS is a powerful and fast cross-site scripting brute-forcer. It's used for brute forcing parameters. BruteXSS can inject multiple payloads from a specified wordlist into specified parameters and scan these parameters to see if any are prone to the XSS vulnerability.

The main features of BruteXSS are:

  • XSS brute forcing
  • XSS scanning
  • Custom wordlists
  • Support for GET/POST requests

BruteXSS has a user-friendly UI and supports GET/POST requests, which makes it compatible with most web applications. But the main advantage of BruteXSS is its high level of accuracy.

3. Cisco Torch

Cisco Torch is a useful tool for mass scanning, fingerprinting, and exploitation. Its main advantage is its ability to launch multiple scanning processes in the background without compromising system performance. Cisco Torch extensively uses forking and can use several application layer fingerprinting methods at the same time.

It can be used for discovering remote Cisco hosts with running Telnet, Web, NTP, SSH, and SNMP services as well as for launching dictionary attacks against those discovered services.

Cisco Torch is a helpful command-line tool that even less experienced testers can use effectively. However, it was designed mainly for testing Cisco products, so it isn't as popular as other tools on our list.

4. CrackMapExec

CrackMapExec is an all-in-one tool for testing Windows/Active Directory environments. It uses multiple popular technologies including the PowerSploit repository, which CrackMapExec uses as one of its submodules.

This tool can enumerate logged users and index shared SMB folders, perform psexec attacks and NTDS.dit dumping, automatically inject Mimikatz/Shellcode/DLL into memory using PowerShell, etc.

Advantages of CrackMapExec include:

  • Clear Python scripts that don't require the use of outside tools
  • Fully parallel multithreading
  • Uses only native WinAPI calls for detecting sessions, users, SAM hash dumping, etc.
  • CrackMapExec is mostly undetectable by security scanners (when dumping clear-text credentials, injecting shellcode, etc., binary files aren't loaded)

CrackMapExec uses plain Python scripts, so it works stably and doesn't depend on any external or additional libraries and programs. Plus, it uses only native WinAPI calls, thus reducing the risk of errors and false positives during testing.

On the downside, CrackMapExec is rather complex, and you'll probably need more time to master it than other programs we talk about in this post. But this tool is worth the effort, since most of its analogs aren't as accurate and functional.

5. jSQL Injection

To search for data in databases on remote servers, you can use jSQL Injection. It's a lightweight (about 2.5 MB) Java tool that can automatically make injections into SQL databases.

jSQL Injection is a free, open-source, cross-platform tool that supports Windows, Linux, and Solaris.

Main features:

  • Supports GET, POST, header, and cookie methods
  • Uses regular, error-based, blind, and time-based injection algorithms
  • Picks the most suitable algorithm automatically
  • Has four options for multi-thread control: Start, Pause, Resume, Terminate
  • Supports five authentication types: Basic, Digest, Negotiate, NTLM, Kerberos
  • Creates and visualizes Web shell and SQL shell
  • Reads and writes files on a host using injection
  • Reads files remotely
  • Supports brute-force hashes like MD5 and MySQL
  • Supports simple evasion
  • Displays URL calls
  • Backs up utility configurations
  • Checks for updates automatically
  • Finds admin pages
  • Encodes and decodes strings
  • Allows selection of a database type

jSQL Injection is an easy-to-use tool with a built-in brute-forcer for decrypting passwords and other encoded information. You can use it to simultaneously scan multiple websites for SQL injection vulnerabilities. And, in contrast to similar tools, jSQL Injection works well on Windows machines.

At the same time, even though jSQL Injection is more comfortable to work with than, say, SQLMap, it supports fewer SQL injection types than the latter. Plus, jSQL Injection doesn't allow you to make any changes to databases and has limited automation capabilities, since it can't be used in scripts.

It's also noteworthy that the version of jSQL Injection preinstalled in Kali Linux is outdated: there are newer releases of the tool.

6. NoSQLMap

NoSQLMap is an open-source tool written in Python that was created to audit and automate injection attacks. It can also be used for exploiting default configuration weaknesses in NoSQL web applications and databases. The project's goal is to create a penetration testing tool that can simplify attacks on MongoDB servers and web applications and create proofs of concept for such attacks to debunk the myth that NoSQL is fully immune to SQL injection.

Features:

  • Performs automatic enumeration and cloning attacks against MongoDB and CouchDB databases.
  • Extracts database names, users, and password hashes from MongoDB through web applications.
  • Scans subnets and IP lists to find MongoDB and CouchDB databases with default access and version enumeration.
  • Carries out dictionary and brute-force attacks to crack passwords of detected MongoDB and CouchDB hashes.
  • Performs injection attacks on PHP application parameters to return all database entries.
  • Screens JavaScript values and injects arbitrary code to return all database records.
  • Conducts timing-based attacks similar to blind SQL injections for validating the vulnerabilities of JavaScript injections with no feedback from the application.

One of the main problems is that currently, this tool's exploits are focused on MongoDB and CouchDB databases. The developers of NoSQLMap promise to add support for Redis and Cassandra in future releases. However, since the homepage for the project isn't working, we aren't sure if NoSQLMap is still supported by its creators.

7. SQLmap

SQLmap is an open-source tool that can help you automate the detection and exploitation of SQL injection flaws and the taking over of database servers. SQLmap has a powerful detection engine and can be launched on Windows.

SQLmap offers support for:

  • Popular database management systems including MySQL, Oracle, and IBM DB2
  • Six SQL injection techniques: error-based, time-based blind, boolean-based blind, UNION query, stacked queries, and out-of-band
  • Direct connections to the database without passing via SQL injection by providing DBMS credentials, IP address, port, and database name
  • User enumeration, privileges, roles, password hashes, databases, tables, and columns
  • Automatic recognition of password hash formats and support for password cracking with a dictionary-based attack
  • Dumping of database tables according to a user's choice: fully or only for a range of specified entries or columns. The user can also specify a range of characters from a column's entry to be dumped
  • Searching for specific database names, specific tables, or specific columns in database tables
  • Downloading and uploading any files from the database server file system for databases using MySQL, PostgreSQL, or Microsoft SQL Server software
  • Executing arbitrary commands and retrieving their standard output on the database server operating system (for databases using MySQL, PostgreSQL, or Microsoft SQL Server software)
  • Establishing an out-of-band stateful TCP connection between the database server operating system and the attacker's machine
  • Escalating user privileges for database processes via Metasploit's Meterpreter getsystem command

SQLmap has one of the richest sets of configurations and capabilities among similar testing tools, so you'll definitely need some time to learn how to use it to the fullest. However, the man page is outdated.

8. Open Vulnerability Assessment System (OpenVAS)

Open Vulnerability Assessment System (OpenVAS), previously named GNessUs, is a framework that consists of several services and tools for detecting and managing network vulnerabilities. This framework can be used to actively monitor network hosts in order to find security issues, determine their severity, and control the way they're dealt with. Essentially, it's a tool for detecting hosts that are vulnerable due to the use of old software or misconfiguration.

OpenVAS can scan open ports of a monitored host, send specially formed packets to imitate an attack, authorize on a specific host, get access to the admin console, run certain commands, and so on.

The framework uses a collection of Network Vulnerability Tests (NVT), which include around 50,000 security tests for vulnerability detection. The description of known issues is then checked against two popular vulnerability management databases: CVE and OpenSCAP. The latter supports several specifications, including OVAL, XCCDF, ARF, CVSS, CCE, and CVE. Just remember that after installing OpenVAS, you'll need some time to update the current version of the NVT database.

One of the main advantages of OpenVAS is that, in contrast to other scanners, it's completely free. It's compatible with the VirtualBox, ESXi, and Hyper-V virtualization systems.

While trying to get hold of valuable data from the outside is helpful during penetration testing, eavesdropping and intercepting sensitive information from the inside may be even more informative. In the next section, we talk about tools you can use for intercepting and analyzing network traffic.

Sniffing and spoofing traffic

After vulnerability assessment, we can move to a stage that's just as interesting and important: traffic sniffing and traffic spoofing. As a penetration tester, you can use traffic sniffing and spoofing for many reasons. One of the main uses is for detecting network vulnerabilities and weak spots that can be targeted by attackers. You can check the paths that packets take within your network and see where and to whom packets are moving, what information they contain, whether they're encrypted, etc.

The possibility of a packet being intercepted and any potentially useful information it contains being accessed by an attacker poses a significant threat to your network's security. Moreover, if an attacker intercepts a packet, they can swap the original packet for a malicious one, which can have devastating consequences. Therefore, your goal is to make it as hard as possible to sniff and spoof packets sent across your network with the help of encryption, tunneling, and other similar techniques.

Below, we briefly describe six of the most popular Kali Linux tools for sniffing and spoofing network traffic.

1. Arpspoof

Arpspoof is a popular tool for intercepting packets on a switched local network. It redirects packets sent within the local network by substituting ARP responses.

Arpspoof is effective for sniffing traffic on a switch. IP forwarding by the kernel (or by a similarly acting user mode program such as fragrouter) must be enabled beforehand.
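The substitution of ARP responses described above has a recognizable symptom on the wire, and the following Python monitor shows how a defender can spot it. This is an added example, not Arpspoof's code or anything from the original article; the replies, addresses and the class and function names are constructed assumptions.

```python
"""Passive ARP-spoofing detector over constructed ARP replies.

Arpspoof poisons a switched LAN by answering with its own MAC for the
gateway's IP (and usually for the victim's IP as well). A monitor that
remembers which MAC each IP last used flags exactly that symptom.
Nothing here is Arpspoof's own code; the replies are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since start of capture (constructed)
    sender_ip: str   # IP the reply claims to speak for
    sender_mac: str  # hardware address given for that IP


class ArpMonitor:
    """Learns IP -> MAC bindings from ARP replies and reports anomalies."""

    def __init__(self, pinned=None, max_ips_per_mac=1):
        self.pinned = dict(pinned or {})    # ip -> MAC that must never change
        self.table = {}                     # ip -> last MAC seen
        self.mac_to_ips = defaultdict(set)  # mac -> IPs it has answered for
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, reply):
        """Return a list of (alert_kind, subject) for this reply, possibly empty."""
        alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()

        # A pinned host (typically the default gateway) answered from the
        # wrong MAC: the strongest single indicator of gateway impersonation.
        expected = self.pinned.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(("PINNED_MAC_MISMATCH", ip))

        # A binding learned earlier has flipped. Legitimate causes exist
        # (NIC replacement, failover), so this is a triage item, not proof.
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("MAC_CHANGE", ip))

        self.table[ip] = mac
        self.mac_to_ips[mac].add(ip)

        # One MAC answering for several IPs matches a tool poisoning both
        # ends of a conversation (gateway and victim) at the same time.
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            alerts.append(("MAC_CLAIMS_MULTIPLE_IPS", mac))
        return alerts


def scan(replies, pinned=None):
    """Feed every reply, in time order, through one monitor; return all alerts."""
    monitor = ArpMonitor(pinned=pinned)
    found = []
    for reply in sorted(replies, key=lambda r: r.ts):
        found.extend(monitor.observe(reply))
    return found


# Constructed sample: a gateway, two hosts, then a third station answering
# for both the gateway and one host, which is what a running Arpspoof produces.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
SAMPLE_REPLIES = [
    ArpReply(0.0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(0.5, "10.0.0.20", "02:00:00:00:00:20"),
    ArpReply(1.0, "10.0.0.30", "02:00:00:00:00:30"),
    ArpReply(4.0, GATEWAY_IP, "02:00:00:00:00:99"),   # impostor claims the gateway
    ArpReply(4.1, "10.0.0.20", "02:00:00:00:00:99"),  # impostor claims the host
]

if __name__ == "__main__":
    for kind, subject in scan(SAMPLE_REPLIES, pinned={GATEWAY_IP: GATEWAY_MAC}):
        print(f"{kind}: {subject}")
```

On a real segment the replies would come from a capture (for example a tcpdump of "arp reply" frames) and the pinned table from the network documentation; the logic stays the same.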

2. Burp Suite

Burp Suite is an integrated platform for running web application security tests. This platform includes a set of tools that can be effectively used at each phase of the testing process, starting with website map creation and analysis of the web application attack surface and moving on to the search for and exploitation of security vulnerabilities.

Burp Suite provides you with full control over the testing process and allows you to combine advanced manual techniques with high-level automation, making testing faster and more effective.

Burp Suite includes:

  • A sniffing proxy for inspecting and modifying traffic sent between your browser and the target web application
  • An advanced web application scanner that can help you automatically find several vulnerability types
  • An application spider for crawling both content and functionality
  • Intruder, Repeater, and Sequencer tools

Burp Suite is able to save your work and resume the workflow later. Plus, the platform is extensible, so you can easily write your own plugins to perform complex and highly customizable tasks. Just like any other security testing tool, Burp Suite can significantly damage a web application. Therefore, make sure to make backup copies of the tested application before using Burp Suite and never use it against systems that you don't have permission to test.

Also, note that in contrast to many tools listed in this article, Burp Suite is a paid product and not an open-source tool. However, it's easy to use and has an intuitive interface, so it can be used even by novice testers. At the same time, the platform can be configured according to your needs and has a number of powerful features that will be helpful to advanced testers.

3. DNSChef

DNSChef is a highly configurable DNS proxy that can be used by both penetration testers and malware analysts. This cross-platform application can forge responses based on lists of both included and excluded domains. DNSChef supports multiple types of DNS records, can match domains with wildcards, can proxy true responses for non-matching domains, and can define external configuration files.

A DNS proxy is a tool used for analyzing application network traffic. For example, a DNS proxy can be used to fake requests for badguy.com into pointing not to the real host somewhere on the internet but to a local machine that will terminate or intercept the request.

Most DNS proxies just point to a single IP address for all DNS queries or implement only simple filtering. DNSChef was created as part of a penetration test in which a more flexible system was needed.

A DNS proxy will be helpful when there's no other way to make an application use another proxy server. For instance, some mobile applications can ignore the operating system settings for an HTTP proxy. In this case, a DNS proxy server such as DNSChef will help you trick the application and redirect its connections to the chosen target.

4. OWASP Zed Attack Proxy

OWASP Zed Attack Proxy (ZAP) is one of the most popular and widely used security tools. The main advantages of OWASP ZAP are that it's free, open-source, and cross-platform. Plus, it's actively supported by volunteers all over the world and is fully internationalized.

ZAP includes a number of helpful features such as automated and passive scanners, proxy server interception, a fuzzer, and traditional and AJAX web crawlers.

You can use OWASP ZAP for automatically detecting security weaknesses in your web applications during development and testing. It's also a great tool for experienced penetration testers to use when running manual security testing.

5. MITMf

MITMf is a popular framework for MITM attacks that's based on sergio-proxy and basically is an effort to breathe new life into this project.

The MITMf creators wanted to make an all-in-one tool for both network attacks and MITM attacks while constantly updating and improving existing attacks and techniques. Initially, MITMf was created to fix critical drawbacks of other tools such as Mallory and Ettercap. But later, it was completely rewritten to ensure a high level of framework scalability so that every user can use MITMf for performing their own MITM attacks.

Main features of the MITMf framework:

  • Built-in SMB, HTTP, and DNS servers that can be managed and used by many plugins
  • A modified SSLStrip proxy with enabled HTTP modification and partial HSTS bypass
  • Active filtering and manipulation of packets in the latest versions (starting from version 0.9.8)
  • On-the-fly editing of the configuration file, even if MITMf is running
  • Ability to capture multiple types of network data, including FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP, etc.) and Kerberos protocol credentials with Net-Creds, which starts simultaneously with MITMf
  • Integration with the Responder tool allows NBT-NS, LLMNR, and MDNS poisoning
  • Support for a rogue Web Proxy Auto-Discovery Protocol (WPAD) server

6. Wireshark

Wireshark is a popular network protocol analyzer. With this tool, you can see everything that's happening on your network at the micro level.

In many industries, Wireshark has become the gold standard for network traffic analysis.

Wireshark is essentially the successor to a project created back in 1998. Since then, many network experts from around the globe have supported the development of Wireshark.

Currently, this project has one of the richest feature sets:

  • Deep inspection of hundreds of protocols
  • Full support for multiple platforms including Windows, Linux, Solaris, macOS, NetBSD, and FreeBSD
  • Live capture of network data and analysis in offline mode
  • Several options for browsing captured network data, including a GUI and the TTY-mode TShark utility
  • Powerful display filters
  • Rich VoIP analysis
  • Rich options for reading live data
  • Custom coloring rules for packet analysis
  • Output can be exported to several popular formats
  • Decryption support for multiple protocols
  • Read/write many different capture file formats

Even though Wireshark isn't that easy to use and requires additional time for studying its features and functionality, it's probably the most effective tool for intercepting network traffic, encrypting packets, and researching network paths.

Next, we switch our focus to tools that can help you improve the results of one more important part of penetration testing: stress testing.

Stress testing

The main goal of any stress testing tool is to put the tested system or application under circumstances where it can act in a way that may compromise its security and create an opportunity for a successful attack. For instance, we can simulate a situation in which the software is so overloaded that a time window appears at launch, creating an opportunity for an attack to be performed or malware to be injected.

Below, we provide a brief overview of four useful tools for stress testing.

1. DHCPig

DHCPig is an improved script for initiating a DHCP exhaustion attack. This script is written in Python with the use of the scapy network library.

DHCPig consumes all IP addresses on the local network, thus preventing new users from obtaining IP addresses. To execute DHCPig, you'll need admin privileges and scapy 2.1 or newer. The script doesn't require any additional configuration; all you need to do is pass the interface as a parameter.

Make sure to use this tool wisely to avoid accidentally blocking hosts from obtaining IP addresses.

It's noteworthy that while DHCPig is effective and quite popular, it hasn't received any significant updates since 2017.
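From the DHCP server's side, the exhaustion the text describes looks like a burst of never-before-seen client hardware addresses followed by the lease pool filling up. The Python detector below checks both signals on constructed DHCP message records; it is an added example, not DHCPig's code or part of the original article, and the thresholds, pool size and names are assumptions.

```python
"""DHCP-exhaustion detector over constructed DHCP message records.

Two signals are checked: a burst of first-time client MACs inside a short
window (the randomised chaddr values an exhaustion script sends), and lease
pool utilisation crossing a warning level. Each alert fires once per
crossing so a long attack does not flood the log. Records are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpMsg:
    ts: float     # seconds since capture start (constructed)
    kind: str     # "DISCOVER", "REQUEST", "ACK", ...
    chaddr: str   # client hardware address from the DHCP header


class ExhaustionDetector:
    def __init__(self, pool_size, window=10.0, max_new_clients=5, warn_util=0.9):
        self.pool_size = pool_size
        self.window = window                # seconds
        self.max_new_clients = max_new_clients
        self.warn_util = warn_util
        self.known = set()                  # every chaddr ever seen
        self.recent_new = deque()           # (ts, chaddr) first appearances
        self.leased = set()                 # chaddrs that received an ACK
        self._burst = False                 # alert-state flags (fire once)
        self._near_full = False

    def observe(self, msg):
        """Return a list of (alert_kind, value) raised by this message."""
        alerts = []
        mac = msg.chaddr.lower()
        if msg.kind in ("DISCOVER", "REQUEST"):
            if mac not in self.known:
                self.known.add(mac)
                self.recent_new.append((msg.ts, mac))
            # Forget first appearances that have aged out of the window.
            while self.recent_new and msg.ts - self.recent_new[0][0] > self.window:
                self.recent_new.popleft()
            burst = len(self.recent_new) > self.max_new_clients
            if burst and not self._burst:
                alerts.append(("NEW_CLIENT_BURST", len(self.recent_new)))
            self._burst = burst
        elif msg.kind == "ACK":
            self.leased.add(mac)
            util = len(self.leased) / self.pool_size
            near_full = util >= self.warn_util
            if near_full and not self._near_full:
                alerts.append(("POOL_NEAR_EXHAUSTION", round(util, 2)))
            self._near_full = near_full
        return alerts


def scan(messages, pool_size):
    det = ExhaustionDetector(pool_size)
    found = []
    for m in sorted(messages, key=lambda x: x.ts):
        found.extend(det.observe(m))
    return found


def build_sample():
    """Three normal clients early on, then eight fresh MACs within four seconds."""
    msgs = []
    for i in range(1, 4):  # legitimate joins spread over time
        mac = f"02:aa:00:00:00:0{i}"
        msgs += [DhcpMsg(2.0 * i, "DISCOVER", mac), DhcpMsg(2.0 * i + 0.1, "ACK", mac)]
    for i in range(1, 9):  # exhaustion burst starting at t=50
        mac = f"02:de:00:00:00:0{i}"
        t = 50.0 + 0.5 * i
        msgs += [DhcpMsg(t, "DISCOVER", mac), DhcpMsg(t + 0.05, "ACK", mac)]
    return msgs


if __name__ == "__main__":
    for kind, value in scan(build_sample(), pool_size=10):
        print(f"{kind}: {value}")
```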

2. FunkLoad

FunkLoad is a popular web tester for testing functions and load on web applications. The utility is written in Python and lets you perform tasks such as functional web project testing, performance and load testing, and stress testing. It can be used for finding weak spots in a tested web application, detecting bugs that weren't exposed during cursory testing, and checking an application's recoverability.

FunkLoad can be used to write web agents with the help of scripts for repetitive tasks, which saves testers lots of time. It can also be used for regression testing. When all tests are over, FunkLoad will provide you with a detailed report about the performance of the tested application.

As for its downsides, FunkLoad doesn't always work properly with cookies and sometimes may even ignore them.

3. MDK3

MDK3 is a proof-of-concept tool that you can use for exploiting vulnerabilities of the IEEE 802.11 protocol.

Note: This tool can only be legally used with the network owner's consent. It's your responsibility to make sure that you have permission of the network owner to run MDK against their network.

MDK3 is a new Musket mod (modern-musket-r1) that can send directed probe requests with invalid SSIDs to a targeted access point. After a certain number of sent probe requests are received, the access point is supposed to lock up and reboot.

This tool can be used for Wi-Fi jamming, deauthenticating clients, confusing wireless network monitors, and running an attack aimed at downgrading the encryption algorithm from WPA to a less protected protocol or skipping the encryption process altogether.

MDK3 has several modes:

  • Beacon flood
  • Authentication DoS
  • Basic probing and ESSID bruteforce
  • Deauthentication/Amok disassociation
  • WIDS/WIPS confusion
  • MAC filter bruteforce
  • And more

With the help of MDK3, you can discover both critical and minor performance problems and weak spots of the tested Wi-Fi network.

4. SlowHTTPTest

SlowHTTPTest is a tool for simulating a low-bandwidth Application Layer DoS attack. This tool has a rich set of configurations and is compatible with many Linux platforms.

SlowHTTPTest exploits different vulnerabilities of the HTTP protocol by sending partial HTTP requests to occupy limited server resources or by extending the time for reading responses to legitimate requests, thus creating a denial of service.

SlowHTTPTest allows you to configure the level of detail for data output, from simple status information automatically generated every 5 seconds (Level 1) to a full dump of the traffic (Level 4). It can be easily installed via apt-get and is highly configurable.

Using SlowHTTPTest, you can implement such attacks as Slowloris, Slow Read, and Apache Range Header. But remember that sometimes the server might respond slower not because of a DoS attack but because of SlowHTTPTest itself, as it can occupy all of the available computing resources. This tool sometimes slows down virtual machines and machines with low capacity.
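The standard mitigation for the partial-request technique described above is to give every connection a deadline for completing its request headers and to extend that deadline only in proportion to the bytes actually received. The following added example (not code from the original article or from the SlowHTTPTest project) models that policy in Python, taking the default values of Apache's mod_reqtimeout header directive as its assumed parameters, and runs it over a constructed timeline with one normal client and one slow client.

```python
"""Header-read deadline with a minimum byte rate (added example)."""
from dataclasses import dataclass, field

@dataclass
class Conn:
    cid: str
    opened_at: float
    deadline: float
    buf: bytearray = field(default_factory=bytearray)
    complete: bool = False

class SlowRequestGuard:
    """Assumed policy modelled on mod_reqtimeout 'header=20-40,MinRate=500':
    initial_s seconds to finish the headers, each byte buys 1/min_rate more,
    never past max_s seconds after the connection was opened."""
    def __init__(self, initial_s=20.0, max_s=40.0, min_rate=500):
        self.initial_s, self.max_s, self.min_rate = initial_s, max_s, min_rate
        self.conns, self.dropped = {}, []

    def open(self, cid, now):
        self.conns[cid] = Conn(cid, now, now + self.initial_s)

    def data(self, cid, chunk):
        c = self.conns.get(cid)
        if c is None or c.complete:
            return
        c.buf += chunk
        # A trickling sender earns very little extra time; a normal one is unaffected.
        c.deadline = min(c.opened_at + self.max_s,
                         c.deadline + len(chunk) / self.min_rate)
        if b"\r\n\r\n" in c.buf:
            c.complete = True  # headers finished; body timeouts are a separate matter

    def tick(self, now):
        """Drop every connection still waiting for headers past its deadline."""
        for cid, c in list(self.conns.items()):
            if not c.complete and now > c.deadline:
                self.dropped.append(cid)
                del self.conns[cid]
        return list(self.dropped)

def simulate():
    """Constructed timeline: a normal client, and a Slowloris-style client that
    sends one header line every five seconds and never terminates the headers."""
    g = SlowRequestGuard()
    g.open("normal", 0.0)
    g.data("normal", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    g.open("slow", 0.0)
    for i in range(8):
        g.data("slow", b"X-Pad: a\r\n")
        g.tick(5.0 * i)
    return g.tick(45.0)
```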

5. t50

t50, previously named F22 Raptor, is a popular multi-protocol tool for packet injection designed specifically for *nix systems. It supports 15 popular protocols including TCP, UDP, and ESP, and can send them all sequentially. The developers of t50 claim it's the only tool capable of encapsulating all supported protocols within Generic Routing Encapsulation (GRE).

You can use t50 for simulating DoS and DDoS attacks and checking how the tested network behaves under stress, overload, and attack. This tool can hit up to one million packets per second in gigabit networks and has generally high performance.

t50 is a great tool that can inject packets fast. Plus, it offers a rich set of options and additional features, so take your time mastering it. Just make sure to use a version newer than 5.8, as this version contains a lot of serious errors that were fixed in newer releases.

Pentesting of web applications

Finally, let's talk about tools that will be helpful for testing and interacting with different web applications, interfaces, and admin panels. A modern web application is a system with a complex architecture that may contain multiple vulnerabilities with different levels of severity. Furthermore, many applications are connected with international payment systems, ordering services, CRMs, etc.

For this section, we've selected five helpful Kali Linux tools and prepared a brief overview of each of them.

1. ATSCAN

ATSCAN is a useful tool for advanced search, massive dork exploitation, and automated detection of websites with vulnerabilities. It supports popular search engines including Google, Bing, Yandex, Ask.com, and Sogou.

Available for all popular platforms, ATSCAN can perform massive dork searches, run multiple scans simultaneously, execute external commands, search for admin pages, automatically detect errors, and more. It includes an XSS scanner, an LFI/AFD scanner, and other scanners.

2. DIRB

DIRB is a popular web content scanner that searches for existing (and possibly hidden) web objects. It uses dictionary-based attacks to form requests to a web server and analyzes the received responses.

DIRB is provided with a set of preconfigured dictionaries for attacks, although you can use your own as well. In some cases, you can use DIRB as a regular CGI scanner, but don't forget that it's a content scanner and not a vulnerability scanner.

The main goal of DIRB is to help testers run a quality web application audit, especially a security audit. It covers some of the gaps left by classic vulnerability scanners. DIRB looks for specific web objects that other CGI scanners usually aren't searching for. At the same time, it doesn't look for specific vulnerabilities of potentially vulnerable web content.
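Because a dictionary-based content scan of the kind DIRB performs requests many paths that do not exist, its trace in the web server's access log is one client producing a burst of distinct paths that mostly come back as 403 or 404. The following added example (not code from the original article or from the DIRB project) flags that pattern in constructed Apache combined-format log lines; the window and the thresholds are assumptions to tune for the site's normal 404 rate.

```python
"""Flag dictionary-style content scanning in a web access log (added example)."""
import re
from collections import defaultdict

# Constructed Apache combined-format lines (not a real log): a browsing user
# who hits one dead link, and a client probing many paths within two seconds.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2021:10:00:03 +0000] "GET /old-page HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Mar/2021:10:00:10 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [03/Mar/2021:10:00:10 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [03/Mar/2021:10:00:10 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [03/Mar/2021:10:00:11 +0000] "GET /config.php HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [03/Mar/2021:10:00:11 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [03/Mar/2021:10:00:11 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [03/Mar/2021:10:00:12 +0000] "GET /robots.txt HTTP/1.1" 200 44 "-" "Mozilla/4.0 (compatible)"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[\d\d/\w{3}/\d{4}:(\d\d):(\d\d):(\d\d) [^\]]+\] '
    r'"(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (client IP, seconds since midnight, path, status) per request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, h, mi, s, path, status = m.groups()
            yield ip, int(h) * 3600 + int(mi) * 60 + int(s), path, int(status)

def scanners(log_text, window_s=30, min_paths=5, min_error_share=0.8):
    """Return (ip, distinct paths, error responses) for each client that, in
    some window_s stretch, requested at least min_paths distinct paths with
    403/404 answers making up at least min_error_share of those requests."""
    per_ip = defaultdict(list)
    for ip, t, path, status in parse(log_text):
        per_ip[ip].append((t, path, status))
    flagged = []
    for ip, events in sorted(per_ip.items()):
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - t0 <= window_s]
            paths = {p for _, p, _ in window}
            errors = sum(1 for _, _, st in window if st in (403, 404))
            if len(paths) >= min_paths and errors / len(window) >= min_error_share:
                flagged.append((ip, len(paths), errors))
                break  # one report per client
    return flagged
```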

3. Fimap

Fimap is a useful tool written in Python that can detect both local and remote file inclusion bugs in web applications. It can audit, exploit, and even look up information on these bugs in search engines.

In essence, Fimap is supposed to be something like SQLmap but for LFI/RFI bugs instead of SQL injection. Currently, Fimap is under heavy development, but its main features are quite usable.

Main features:

  • Fully automated auditing of separated URLs, URL lists, and Google search results
  • Detects and exploits file inclusion bugs
  • Tests and exploits multiple errors
  • Injects deleted files
  • Has a blind mode that can be used when a server has disabled error reporting
  • Has an interactive exploit mode for spawning a shell or reverse shell on vulnerable systems
  • Allows adding custom requests and paths to XML files and writing custom plugins
  • Scans and exploits GET, POST, and cookies
  • Allows proxies
  • Is compatible with Windows and can attack Windows servers

4. IronWASP

IronWASP is a free open-source tool for scanning web application security. While it was initially created for Windows, it's also compatible with Linux. IronWASP mainly supports Python and Ruby but can also use plugins and modules written in C# and VB.NET.

IronWASP has a simple graphical interface that's easy to use and is provided with a powerful scanning engine and support for entry sequence recording. It scans web applications for over 25 types of well-known vulnerabilities and weaknesses. Reports can be composed in HTML and RTF formats.

IronWASP includes a large variety of built-in modules and provides a number of specific tools:

  • WiHawk — A Wi-Fi router vulnerability scanner
  • XmlChor — An automatic exploitation tool for XPATH injection
  • IronSAP — An SAP security scanner
  • SSL Security Checker — A scanner for detecting SSL installation vulnerabilities
  • OWASP Skanda — An automatic SSRF exploitation tool
  • CSRF PoC Generator — A tool for generating exploits for CSRF vulnerabilities
  • HAWAS — A tool for automatically detecting and decoding encoded strings and hashes on websites

5. Nikto

Nikto is an open-source tool for scanning web servers. It searches for default and potentially dangerous files, configurations, and programs on web servers of any type.

Nikto examines the web server under test to detect possible problems and security vulnerabilities, including:

  • Wrong settings for the web server or in software
  • Insecure files and programs
  • Default files and programs
  • Outdated services and programs

Nikto is built on LibWhisker2 (by RFP) and can work on any platform with a Perl environment. The utility supports SSL, host authentication, proxies, payload encoding, and more.

Conclusion

Kali Linux is a powerful and extremely useful tool that every penetration tester must be familiar with. While it offers an impressively rich set of tools for every phase of the penetration testing process, the final selection of tools to use will always depend on the tasks and goals of your current project. Under different circumstances, the same tools can show completely different levels of accuracy and efficiency.

In this article, we talked about ways you can use Kali Linux for penetration testing. We listed some of the most popular and commonly used Kali Linux tools for information gathering, vulnerability analysis, sniffing and spoofing network traffic, stress testing, and interacting with web applications and administrative panels. We'd like to point out again that many of these tools should only be used for research and security audit purposes, and in some cases strictly in closed networks.

At Apriorit, we have a team of security experts who are passionate about searching for hidden vulnerabilities, mitigating them, and hardening the protection of tested products. Feel free to contact us if you have a question about penetration testing or have a challenging cybersecurity project in mind!

Source: https://www.apriorit.com/dev-blog/611-kali-linux-for-pentesting