
Penetration Testing with BackBox
Description
Book Description
This practical book outlines the steps needed to perform penetration testing using BackBox. It explains common penetration testing scenarios and gives practical explanations applicable to a real-world setting. The book is written primarily for security experts and system administrators with intermediate Linux skills. However, because of its simplicity and user-friendly design, it is also suitable for beginners who want to understand the principal steps of penetration testing.
What you will learn
Perform reconnaissance and collect information about an unknown system
Perform vulnerability scanning, management, and assessment, as well as understand false positives
Understand how SQL injection attacks work and find injectable pages on a web server
Sniff the network to capture sensitive data and learn different methods of privilege escalation
Maintain permanent access on a target server once access is initially granted
Use exploitation tools like Metasploit to exploit the reported vulnerabilities
Learn how to document and generate reports from the entire auditing process

Person
Stefan Umit Uygur has been an IT System and Security engineer for 14 years. He is an extremely motivated open source software evangelist with a passion for sharing knowledge and working in a community environment. He is highly experienced in Penetration Testing and Vulnerability Analysis, Management, and Assessment. He has been involved in many open source software projects, for example BackBox, where he is part of the core team. He has helped to promote the free software culture around the world by participating in and organizing international conferences. He contributes significantly to dispelling the false and negative perceptions around hacking and hackers by presenting the hacker world in a positive light, explaining in detail the real world of hacking, hackers' motivations, and their philosophy, ethics, and freedom. These activities are promoted mainly through national and international magazines and, in particular, at the conferences in which he participates. Alongside his professional activities, he has contributed to Linux Magazine, PenTest Magazine, and a few other small periodic technical publications. However, his main passion is continuous collaboration with the community, as he believes in the community more than anything else. He strongly feels that knowledge should not be owned by a few people, but should be the heritage of the entire collective. He is always grateful to the community for the skills and knowledge he possesses. One of the definitions he gives of the community is that it is the real school and university where one truly learns.
Content
Chapter 2. Information Gathering
In this chapter, we will learn a few ways of collecting useful information about the target system. The reader needs a basic knowledge of Linux systems and network protocols in order to follow the content of this chapter.
Information gathering is the first step of any penetration test. It is about collecting as much information as possible about the target systems or applications, and it is the most critical step of a security assessment: what we learn here sets the direction of everything that follows, by defining where to proceed and giving us the following potential information:
- System or application information
- The system's or application's physical location
- The system ports available/open
- The system's user information
- The system's resources
- The system's environment
- Other potential information that creates risks for the system/application's integrity
During our information gathering process we will be auditing a real environment, but for confidentiality we replace the real names and addresses with imaginary ones (which is why the output below shows example domains and private IP addresses). So, let's start collecting the potential information using our magic BackBox Linux.
Starting with an unknown system
Let's say that at the very beginning we have nothing but a public web address and no other information about the environment. It might look as if we have to find out the required information on our own before the security assessment can start. In fact, the assessment begins precisely with this process of looking for the information to be gathered.
The address we are given is www.example.com. Now, let's start with BackBox Linux and navigate to BackBox | Auditing | Information Gathering. In the Network submenu we have many tools that we can use for what we need here, because the network is where everything begins when we are in front of a remote system.
Automater
As its name suggests, Automater is an automated tool to give some basic information about the target. All we have to do is run Automater from the menu, and a shell with the options listed will appear as shown in the following screenshot:
The main interface of Automater
The tool has a few options, but we will use it against the web address. The action we need to perform is as follows:

ostendali@stefan:~$ automater -t www.example.com

The following is the output of the preceding action:

[*] www.example.com is a URL.
[*] Running URL toolset
[-] www.example.com is not a recognized shortened URL.
[*] Scanning host now on URLVoid.com. May take a few seconds.
[+] Host IP Address is 192.168.214.24
[-] IP is not listed in a blacklist
[+] Latitude / Longitude: 53 / -8
[+] Country: (IE) Ireland
[+] Domain creation date: 1996-03-07 (18 years ago)
[-] FortiGuard URL Categorization: Uncategorized

As shown in the output, we pass the target with the -t option. Automater first checks whether the target is a recognized shortened URL (it is not, so there is nothing to expand) and then looks the host up on URLVoid.com. From that lookup we get the public IP address, we learn that the IP is not on a blacklist, and we get the approximate latitude and longitude of the location registered for the address, the country, and the date the domain was first registered. Note that all of this comes from third-party lookups rather than from contact with the target: the geolocation is the location recorded for the IP block, which is not necessarily where the server physically sits, and nothing here tells us yet whether the host is actually up. This is useful information that we store in our notes file, but it is not enough; we want to know more about the target server.
Once we know the IP address and have some limited information (for example, that the target is up and running on the network), we can look for further details, and what we would like to know next is what kind of application is running on this web server. Many of today's public web sites are built on a content management system (CMS), so we need to find out which CMS, if any, is running on the server we are assessing.
Whatweb
There are many ways to find out what kind of application we are dealing with on the target side, and most of them require a lot of effort. BackBox Linux includes a tool that gives us this information promptly: Whatweb, found in the Web-Application submenu. Let's go through its usage against our target. As usual a shell opens, and all we have to do is the following:

ostendali@stefan:~$ whatweb example.com
http://example.it [301] ASP_NET, Country[ITALY][IT], HTTPServer[Microsoft-IIS/6.0], IP[192.168.136.35], Microsoft-IIS[6.0], PHP[5.2.6,], RedirectLocation[http://www.example.it/gcc/], Title[Document Moved], X-Powered-By[PHP/5.2.6, ASP.NET]
http://www.example.it/gcc/ [200] ASP_NET, Cookies[fc2077641e221a696231930410b801df,jfcookie,jfcookie%5Blang%5D,lang], Country[ITALY][IT], HTTPServer[Microsoft-IIS/6.0], IP[192.168.136.35], Joomla[1.5][com_content,com_flexicontact,com_remository], probably Mambo[com_content,com_flexicontact,com_remository], Meta-Author[ostendali], MetaGenerator[Joomla! 1.5 - Open Source Content Management], Microsoft-IIS[6.0], PHP[5.2.6,], Script[text/javascript], Title[Technology Applications], X-Powered-By[PHP/5.2.6, ASP.NET]

Whatweb gives us more information about the target system and, in particular, what we were looking for: the application type. The first line of the output is the 301 redirect from the bare host name to /gcc/, and the second is the page the redirect lands on. Between them we have the country, the web server (Microsoft IIS 6.0), the PHP version (5.2.6), the IP address, the author name taken from the page's meta tag, the names of the cookies the site sets, and most importantly the CMS, Joomla 1.5, identified from the meta generator tag and from the com_* component names in the page's links. Whatweb also reports "probably Mambo" because Joomla was forked from Mambo and the two share those component names; the generator tag is what settles the question.
The information Whatweb gives us is important because it also includes the versions of the installed applications, which is exactly what we need in order to look for known vulnerabilities or exploits for that specific version. Keep in mind, though, that the Server, X-Powered-By and generator strings are simply whatever the target chooses to send: they may have been removed, may be stale, or may be deliberately misleading, so treat a reported version as a lead to confirm rather than as a fact. We will come back to this and run through it in the following chapters of this book.
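To make clear where Whatweb's findings come from, here is an added example, not code from the book or from Whatweb itself: a small Python fingerprinter that applies the same kinds of matchers (the Server and X-Powered-By headers, cookie names, the title and meta tags, and Joomla com_* component names in links) and follows the 301 to the landing page, producing one result line per hop as Whatweb does. It runs offline on two constructed responses; the example.test host names, the cookie value and the HTML are invented and only mirror the shape of the output above.

```python
# Added example (not from the book or WhatWeb); hostnames and responses are constructed.
import re
from dataclasses import dataclass, field
from urllib.parse import urljoin

# Constructed stand-in for a network fetch: URL -> raw HTTP response text.
SAMPLE_RESPONSES = {
    "http://example.test/": (
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        "X-Powered-By: PHP/5.2.6, ASP.NET\r\n"
        "Location: http://www.example.test/gcc/\r\n\r\n"
        "<html><head><title>Document Moved</title></head></html>"
    ),
    "http://www.example.test/gcc/": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        "X-Powered-By: PHP/5.2.6, ASP.NET\r\n"
        "Set-Cookie: fc2077641e221a696231930410b801df=s1; path=/\r\n"
        "Set-Cookie: jfcookie[lang]=en; path=/\r\n\r\n"
        "<html><head><title>Technology Applications</title>\n"
        '<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />\n'
        '<meta name="author" content="ostendali" /></head><body>\n'
        '<a href="/index.php?option=com_content&view=article&id=1">News</a>\n'
        '<a href="/index.php?option=com_remository">Downloads</a></body></html>'
    ),
}

@dataclass
class Fingerprint:
    """One WhatWeb-style result line: plugin name -> matched values."""
    url: str
    status: int
    findings: dict = field(default_factory=dict)

    def add(self, plugin, value=None):
        values = self.findings.setdefault(plugin, [])
        if value is not None and value not in values:
            values.append(value)

    def render(self):
        items = [f"{p}[{','.join(v)}]" if v else p for p, v in sorted(self.findings.items())]
        return f"{self.url} [{self.status}] " + ", ".join(items)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in
               (line.partition(":") for line in header_lines)]  # split at first colon only
    return int(status_line.split()[1]), headers, body

def fingerprint(url, raw):
    """Apply header- and body-based matchers to one response."""
    status, headers, body = parse_response(raw)
    fp = Fingerprint(url, status)
    for name, value in headers:
        if name == "server":
            fp.add("HTTPServer", value)
            m = re.match(r"Microsoft-IIS/([\d.]+)", value)
            if m:
                fp.add("Microsoft-IIS", m.group(1))
        elif name == "x-powered-by":
            fp.add("X-Powered-By", value)
            for m in re.finditer(r"PHP/([\d.]+)", value):
                fp.add("PHP", m.group(1))
            if "ASP.NET" in value:
                fp.add("ASP_NET")                      # presence only, no version
        elif name == "location":
            fp.add("RedirectLocation", value)
        elif name == "set-cookie":
            fp.add("Cookies", value.split("=", 1)[0])  # cookie names only, never values
    for plugin, pattern in (("Title", r"<title>(.*?)</title>"),
                            ("MetaGenerator", r'<meta\s+name="generator"\s+content="([^"]*)"'),
                            ("Meta-Author", r'<meta\s+name="author"\s+content="([^"]*)"')):
        m = re.search(pattern, body, re.I | re.S)
        if m:
            fp.add(plugin, m.group(1).strip())
    j = re.match(r"Joomla!\s*([\d.]+)", fp.findings.get("MetaGenerator", [""])[0])
    if j:
        fp.add("Joomla", j.group(1))
    # com_* components in links point at Joomla or its ancestor Mambo; without a
    # generator tag the CMS guess stays ambiguous (WhatWeb's "probably Mambo").
    for comp in sorted(set(re.findall(r"option=(com_\w+)", body))):
        fp.add("Joomla", comp)
    return fp

def scan(url, fetch=SAMPLE_RESPONSES.get, max_hops=5):
    """Fingerprint url and follow redirects, giving one result line per hop."""
    results, seen = [], set()
    while url and url not in seen and len(results) <= max_hops:
        seen.add(url)                                  # guard against redirect loops
        raw = fetch(url)
        if raw is None:                                # fetch failed: stop, keep what we have
            break
        fp = fingerprint(url, raw)
        results.append(fp)
        loc = fp.findings.get("RedirectLocation")
        url = urljoin(url, loc[0]) if fp.status in (301, 302, 303, 307, 308) and loc else None
    return results

if __name__ == "__main__":
    for fp in scan("http://example.test/"):
        print(fp.render())
```

Running the script prints two lines in the same form as the Whatweb output above. Two things the code makes visible: every value comes from text the target chose to send, so Server, X-Powered-By and generator strings can be removed, stale or faked and need confirming another way before a version is relied on; and the matcher that spots com_* components cannot by itself tell Joomla from Mambo, which is why Whatweb hedges with "probably Mambo" until the generator tag decides it. Against a real target, Whatweb's default aggression level sends a single request per URL; -a 3 sends additional requests to confirm matches, which is more accurate but noisier.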
We have collected additional information on the target system; we save it to our file and go further, because we still need to gather more information in order to become familiar with the target.
Recon-ng
If you want a more sophisticated information gathering tool, Recon-ng is the one. This tool, new in BackBox, has options that can really help us during an audit, so it is worth going briefly through it and its usage. We say briefly because this tool alone could fill a chapter; here we just take a look at the functionality it offers.
Recon-ng is a full-featured command-line framework designed to automate the collection of publicly available information. In short, it is a set of information gathering utilities with many features and functions. One of its most relevant features is modularity: a set of modules is already included and ready for ordinary use, and anyone who needs something else can write their own module.
Recon-ng is found by navigating to BackBox | Auditing | Information Gathering | Web Application. A single click opens the usual shell, but this time we are asked for a password with elevated privileges (our own password for sudo, or the root password for anyone who set up a root account and removed their user from sudo), because the menu entry runs the tool with elevated privileges. Immediately after entering the password we are in the Recon-ng console.
Typing help shows the basic commands available. Even inside the Recon-ng console, ordinary Linux shell commands are still available, so we can run system commands if we need some information from our own system.
First of all, we are going to create our own workspace by performing the following command:
ostendali@stefan:~$ sudo recon-ng -w backbox

In order to show the available modules, we type the following command and all the modules are listed:

recon-ng > show modules

The modules are divided into three different areas for four different purposes as...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e. "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.