In this chapter, we will cover:
Updating and upgrading Kali Linux
Installing and running OWASP Mantra
Setting up the Iceweasel browser
Creating a vulnerable virtual machine
Creating a client virtual machine
Configuring virtual machines for correct communication
Getting to know web applications on a vulnerable VM
Before we start testing web applications' security, we need to be sure that we have all the necessary up-to-date tools. This recipe covers the basic task of keeping Kali Linux and its tools at their most recent versions.
We start from having Kali Linux installed as the main operating system on a computer with Internet access; the version that we will be using through this book is 2.0. You can download the live CD and installer from https://www.kali.org/downloads/.
Log in as a root on Kali Linux; the default password is "toor", without the quotes. You can also use
suto switch the user or
sudoto execute single commands if using a regular user is preferred instead of root.
Open a terminal.
apt-get updatecommand. This will download the updated list of packages (applications and tools) that are available to install.
Once the update is finished, run the following command to update non-system packages to their last stable version:
In this recipe, we have covered a basic procedure for package update in Debian-based systems (such as Kali Linux). The first call to
apt-get with the
update parameter downloaded the most recent list of packages available for our specific system in the configured repositories. After it downloads and installs all the packages that have the most recent versions in the repository, the
dist-upgrade parameter downloads and installs system packages (such as kernel and kernel modules) not installed with
In this book, we assume that Kali Linux is installed as the main operating system on the computer; there is also the option of installing it in a virtual machine. In such a case, skip the recipe called Installing VirtualBox and configure the network options of your Kali VM as stated in Configuring virtual machines for correct communication.
People in OWASP (Open Web Application Security Project, https://www.owasp.org/) have put together a Mozilla Firefox mod with plenty of add-ons aimed at helping penetration testers and developers to test web applications for bugs or security flaws. In this recipe, we will install OWASP-Mantra (http://www.getmantra.com/) in our Kali Linux, run it for the first time, and see some of its features.
Most of the web application penetration testing is done through a web browser; that's the reason why we need to have one with the correct set of tools to perform such a task. The OWASP Mantra includes a collection of add-ons to perform tasks, such as:
Sniffing and intercepting HTTP requests
Debugging client-side code
Viewing and modifying cookies
Gathering information about sites and applications
Fortunately for us, OWASP Mantra is included in the default Kali Linux repositories. So, to make sure that we get the latest version of the browser, we need to update the packages list:
Open a terminal and run:
apt-get install owasp-mantra-ff
After the installation is finished, navigate to menu: Applications | 03 - Web Application Analysis | Web Vulnerability Scanners | owasp-mantra-ff to start Mantra for the first time. Or use a terminal with the following command:
With the new browser open, click on the OWASP logo and then Tools. Here we can access all the tools that OWASP Mantra includes.
You may also be interested in Mantra on Chromium (MoC), which is an alternative release of Mantra based on the Chromium web browser. Currently, it is only available for windows: http://www.getmantra.com/mantra-on-chromium.html
If we don't like OWASP Mantra, we can use the latest version of Firefox and install our own selection of testing-related add-ons. Kali Linux includes Iceweasel, another variant of Firefox, which we will use in this recipe to see how to install our testing tools in a browser.
Open Iceweasel and navigate to Tools | Add-ons, as shown in the following screenshot:
In the search box, type
tamper dataand hit Enter.
A dialog box will pop up, asking us to accept the EULA; click on Accept and Install...
Next, we search for
cookies manager+in the search box.
Click on Install in the Cookies Manager+ add-on.
Now, search and install Firebug.
Search and install Hackbar.
Search and install HTTP Requester.
Search and install Passive Recon.
Firebug: This is a must-have for any web developer; its main function is to be an in-line debugger for web pages. It will also be useful when you have to perform some client-side modifications to pages.
Hackbar: This is a very simple add-on that helps us to try different input values without having to change or rewrite the full URL. We will be using this a lot when doing manual checks for Cross-site scripting and injections.
Passive Recon: It allows us to get public information about the website being visited by querying DNS records, Whois, and searching information, such as email addresses, links, and collaborators in Google, among other things.
Tamper Data: This add-on has the ability to capture any request on the server just after it is sent by the browser, thus giving us the chance to modify the data after introducing it in the application's forms and before it reaches the server.
This is the first of the four recipes that will help us to get a virtual laboratory up and running to practice our penetration tests. We will use a VirtualBox to run the virtual machines in such a laboratory. In this recipe, we will see how to install VirtualBox and get it working.
Before we install anything in Kali Linux, we must make sure that we have the latest version of package lists:
Now, we have VirtualBox running and we are ready to set up the virtual machines to make our own testing laboratory.
VirtualBox will allow us to run multiple machines inside our Kali Linux computer through virtualization. With this, we can mount a full laboratory with different computers using different operating systems and run them in parallel as far as the memory resources and processing power of our Kali host allow us to.
The VirtualBox Extension Pack gives the VirtualBox's virtual machine extra features, such as USB 2.0/3.0 support and Remote Desktop capabilities. It can be downloaded from https://www.virtualbox.org/wiki/Downloads. After it is downloaded, just double click on it and VirtualBox will do the rest.
Go to http://sourceforge.net/projects/owaspbwa/files/ and download the latest release's
.ovafile. At the time of writing, it is
VirtualBox's import dialog will launch. If you want to change the machine's name or description, you can do it by double-clicking on the values. We will name it
vulnerable_vm.and leave the rest of the options as they are. Click on Import.
After the machine starts, we will be asked for login and password, type
rootas the login and
owaspbwaas the password and we are set.
OWASP-bwa is a project aimed at providing security professionals and enthusiasts with a safe environment to develop attacking skills and identify and exploit vulnerabilities in web applications, in order to be able to help developers and administrators fix and prevent them.
This virtual machine includes different types of web applications, some of them are based on PHP, some in Java; we even have a couple of .NET-based vulnerable applications. There are also some vulnerable versions of known applications, such as WordPress or Joomla.
There are many options when we talk about vulnerable applications and virtual machines. A remarkable website that holds a great collection of such applications is VulnHub (https://www.vulnhub.com/). It also has walkthroughs that will help you to solve some challenges and develop your skills.
In this book, we will use another virtual machine for some recipes: bWapp Bee-box, which can also be downloaded from VulnHub: https://www.vulnhub.com/entry/bwapp-bee-box-v16,53/.
When we get to the man in the middle (MITM) and client-side attacks, we will need another machine to make requests to the already set up server. In this recipe, we will download a Microsoft Windows virtual machine and import it to VirtualBox.
First we need to go to the download site http://dev.modern.ie/tools/vms/#downloads.
Through this book we will use the IE8 on Win7 virtual machine.
Right-click on it and then click on Extract Here.
Once extracted, open the
.ovafile and import it in VirtualBox.
Microsoft provides these virtual machines for developers to test their applications with the help of different versions of Windows and Internet Explorer with a free license limited to 30 days, which is enough for us to practice.
As penetration testers, it is important to be aware that real-world applications can be multiplatform and that users of those applications may have a lot of different systems and web browsers to communicate with them; knowing this, we should be prepared to perform successful tests with any of the client-server infrastructure combinations.
As for server and client virtual machines, if you are not comfortable using an already built configuration, you can always build and configure your own virtual machines. Here is some information about how to do it: https://www.virtualbox.org/manual/.
To be able to communicate with our virtual server and client, we need to be in the same network segment; however, having virtual machines with known vulnerabilities in our local network may pose an important security risk. To avoid this risk, we will perform a special configuration in VirtualBox to allow us to communicate with both server and client virtual machines from our Kali Linux host without exposing them to the network.
Before we proceed, open VirtualBox and make sure that the vulnerable server and client virtual machines are turned off.
In VirtualBox navigate to File | Preferences… | Network.
Select the Host-only Networks tab.
- Click on the () button to add a new network.
The new network (vboxnet0) will be created and its "details window" will pop up. If it doesn't, select the network and click on the () button to edit its properties.
In this dialog box, you can specify the network configuration, if it doesn't interfere with your local network configuration, leave it as it is. You may change it and use some other address in the segments reserved for local networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
After proper configuration is done, click OK.
The next step is to configure the vulnerable virtual machine (vulnerable_vm). Select it and go to its settings.
Click Network and, in the Attached to: drop-down menu, select Host-only Adapter.
In Name, select vboxnet0.
Follow steps 7 to 10 in the client virtual machine (IE8 - Win7).
Let's see the network configuration of our host system: open a terminal and type:
Log into vulnerable_vm and check its IP address for adapter
Now, let's go to our client machine IE8 - Win7; open a command prompt and type:
Now, we have the IP addresses of our three machines:
192.168.56.1for the host
192.168.56.103for IE8 - Win7
To test the communication, we are going to ping both virtual machines from our host:
ping -c 4 192.168.56.102 ping -c 4 192.168.56.103
Ping sends an ICMP request to the destination and waits for the reply; this is useful to test whether communication is possible between two nodes in the network.
The IE8 - Win7 machine may not respond to pings; that's normal because Windows 7 is configured by default to not respond to ping requests. To check connectivity in this case, we can use
arpingfrom the Kali host:
arping –c 4 192.168.56.103
A host-only network is a virtual network that acts as a LAN but its reach is limited to the host that is running the virtual machines without exposing them to external systems. This kind of network also provides a virtual adapter for the host to communicate with the virtual machines as if they were in the same network segment.
With the configuration we just made, we will be able to communicate between a client and server and both of them can communicate with the Kali Linux host, which will act as the attacking machine.
OWASP-bwa contains many web applications, intentionally made vulnerable to the most common attacks. Some of them are focused on the practice of some specific technique while others try to replicate real-world applications that happen to have vulnerabilities.
In this recipe, we will take a tour of our vulnerable_vm and get to know some of the applications it includes.
We need to have our vulnerable_vm running and its network correctly configured. For this book, we will be using 192.168.56.102 as its IP address.
With vulnerable_vm running, open your Kali Linux host's web browser and go to
http://192.168.56.102. You will see a list of all applications the server contains:
Let's go to Damn Vulnerable Web Application.
adminas a user name and
adminas a password. We can see a menu on the left; this menu contains links to all the vulnerabilities that we can practice in this application: Brute Force, Command Execution, SQL Injection, and so on. Also, the DVWA Security section is where we can configure the security (or complexity) levels of the vulnerable inputs.
Log out and return to the server's homepage.
Now we click on OWASP WebGoat.NET. This is a .NET application where we will be able to practice file and code injection attacks, cross-site scripting, and encryption vulnerabilities. It also has a WebGoat Coins Customer Portal that simulates a shopping application and can be used to practice not only the exploitation of vulnerabilities but also their identification.
Now return to the server's home page.
Another interesting application included in this virtual machine is BodgeIt, which is a minimalistic version of an online store based on JSP—it has a list of products that we can add to a shopping basket, a search page with advanced options, a registration form for new users, and a login form. There is no direct reference to vulnerabilities; instead, we will need to look for them.
We won't be able to look at all the applications in a single recipe, but we will be using some of them in this book.
Training applications: These are the ones that have sections dedicated to practice-specific vulnerabilities or attack techniques; some of them include tutorials, explanations, or other kind of guidance.
Realistic, intentionally vulnerable applications: Applications that act as real-world applications (stores, blogs, and social networks) and are intentionally left vulnerable by their developers for the sake of training.
Old (vulnerable) versions of real applications: Old versions of real applications, such as WordPress and Joomla are known to have exploitable vulnerabilities; these are useful to test our vulnerability identification skills.
Applications for testing tools: The applications in this group can be used as a benchmark for automated vulnerability scanners.
Demonstration pages / small applications: These are small applications that have only one or a few vulnerabilities, for demonstration purposes only.
OWASP demonstration application: OWASP AppSensor is an interesting application, it simulates a social network and could have some vulnerabilities in it. But it will log any attack attempts, which is useful when trying to learn; for example, how to bypass some security devices such as a web application firewall.