Download
Introduction
Kali is a Debian Linux based Penetration Testing arsenal used by security professionals (and others) to perform security assessments. Kali offers a range of toolsets customized for identifying and exploiting vulnerabilities in systems. This book is written leveraging tools available in Kali Linux released March 13th, 2013 as well as other open source applications.
Web Penetration Testing with Kali Linux is designed to be a guide for professional Penetration Testers looking to include Kali in a web application penetration engagement. Our goal is to identify the best Kali tool(s) for a specific assignment, provide details on using the application(s), and offer examples of what information could be obtained for reporting purposes based on expert field experience. Kali has various programs and utilities; however, this book will focus on the strongest tool(s) for a specific task at the time of publishing.
The chapters in this book are divided into tasks used in real world web application Penetration Testing. Chapter 1, Penetration Testing and Setup, provides an overview of Penetration Testing basic concepts, professional service strategies, background on the Kali Linux environment, and setting up Kali for topics presented in this book. Chapters 2-6, cover various web application Penetration Testing concepts including configuration and reporting examples designed to highlight if topics covered can accomplish your desired objective.
Chapter 7, Defensive Countermeasures, serves as a remediation source on systems vulnerable to attacks presented in previous chapters. Chapter 8, Penetration Test Executive Report, offers reporting best practices and samples that can serve as templates for building executive level reports. The purpose of designing the book in this fashion is to give the reader a guide for engaging a web application penetration with the best possible tool(s) available in Kali, offer steps to remediate a vulnerability and provide how data captured could be presented in a professional manner.
What this book covers
Chapter 1, Penetration Testing and Setup, covers fundamentals of building a professional Penetration Testing practice. Topics include differentiating a Penetration Test from other services, methodology overview, and targeting web applications. This chapter also provides steps used to set up a Kali Linux environment for tasks covered in this book.
Chapter 2, Reconnaissance, provides various ways to gather information about a target. Topics include highlighting popular free tools available on the Internet as well as Information Gathering utilities available in Kali Linux.
Chapter 3, Server Side Attacks, focuses on identifying and exploiting vulnerabilities in web servers and applications. Tools covered are available in Kali or other open source utilities.
Chapter 4, Client Side Attacks, targets hosts systems. Topics include social engineering, exploiting host system vulnerabilities, and attacking passwords, as they are the most common means to secure host systems.
Chapter 5, Attacking Authentication, looks at how users and devices authenticate to web applications. Topics include targeting the process of managing authentication sessions, compromising how data is stored on host systems, and man-in-the-middle attack techniques. This chapter also briefly touches on SQL and Cross-Site Scripting attacks.
Chapter 6, Web Attacks, explores how to take advantage of web servers and compromise web applications using exploits such as browser exploitation, proxy attacks, and password harvesting. This chapter also covers methods to interrupt services using denial of service techniques.
Chapter 7, Defensive Countermeasures, provides best practices for hardening your web applications and servers. Topics include security baselines, patch management, password policies, and defending against attack methods covered in previous chapters. This chapter also includes a focused forensics section, as it is important to properly investigate a compromised asset to avoid additional negative impact.
Chapter 8, Penetration Test Executive Report, covers best practices for developing professional post Penetration Testing service reports. Topics include an overview of methods to add value to your deliverable, document formatting, and templates that can be used to build professional reports.
What you need for this book
Readers should have a basic understanding of web applications, networking concepts, and Penetration Testing methodology. This book will include detailed examples of how to execute an attack using tools offered in Kali Linux as well as other open source applications. It is not required but beneficial to have experience using previous versions of Backtrack or similar programs. Hardware requirements for building a lab environment and setting up the Kali Linux arsenal are covered in Chapter 1, Penetration Testing and Setup.
Who this book is for
The target audience for this book are professional Penetration Testers or others looking to maximize Kali Linux for a web server or application Penetration Testing exercise. If you are looking to identify how to perform a Penetration Test against web applications and present findings to a customer is a professional manner then this book is for you.
