5 best website pentesting tools on Kali Linux (tutorial)

Captions
To hack any website we need to find one of the most common website security vulnerabilities that we can exploit in order to get something out of that website. Those vulnerabilities include SQL injection, cross-site scripting, and broken authentication and session management. We can try to find those vulnerabilities and exploit them by hand; however, it's much faster to use a vulnerability scanner that goes through all those links and tests for as many vulnerabilities as possible. That's why today I'm going to show you the top 5 best scanners for finding vulnerabilities. Each of those scanners will give us the power to find some of those vulnerabilities. I have set up a vulnerable website with all possible exploits; let's see if we can find them all. First of all, meet our target: the Damn Vulnerable Web Application (DVWA). You can see it over here: we have some brute forcing attacks, cross-site request forgery, file inclusion, file upload, and multiple types of SQL injection. We're going to use five different vulnerability scanners, specially made for websites, to see if we can actually detect all those vulnerabilities. Let's start with Nikto. Nikto is a framework that scans web-based applications and web servers for known bad files that could potentially be dangerous. Other things it can detect include outdated config, port scanning, username enumeration and more. Let's try it out. Nikto is pre-installed with Kali, so all you need to do is type nikto, give it the host and hit that Enter button. You can see it first identified the type of server; it has found that there is no anti-clickjacking X-Frame-Options header, XSS protection is not present, and it has also noticed the cookies that were created in this session. It has also found our admin page, and all of that didn't take it more than a few seconds. That's already pretty good. Nikto also has the option to check the database for any errors. You can see it over here going over the databases that it found on this website, and it has found many
syntax errors in them. Now you can also define where you want to write your output to, which is good for forensic analysis, disable using SSL, define the port; however, I'm already passing the port as part of the URL so there's no need for me to define it separately. But Nikto remains very limited: for example we don't have a way to pass cookies to it, and it also does not include a wide range of attacks. It mainly includes some indicators of what we could do, like for example launch an XSS attack, but we don't know where, which arguments we could use, or how we could do it. So let's move to something a bit more advanced, something that will actually scan the whole website and give us a bit more information about it, and this brings me to skipfish. Skipfish is an active web application security reconnaissance tool. It prepares an interactive site map for the targeted site; the resulting map is then annotated with the output from a number of active security checks. So this is pretty good: it will actually go through every possible URL, give us a list of those, and build up a map for us of what we could exploit. Well, let's try it out. Skipfish also ships by default with Kali Linux. We're going to run skipfish -h; you can already see a few more options than what we had with Nikto, which is pretty good. For example we can pass a username and a password over here and define the crawling scope, and we also have many reporting options: we can define the output directory (this is actually required), and we can also provide it with a wordlist that it will go through looking for links, which is pretty awesome. All right, so let's try it out: skipfish, well, not -h anymore; we have to define the output directory, I'm just going to call it skip, and then we have to pass the URL of our vulnerable website that we want to scan. It provides us with some options to abort the scan and to watch the number of requests per second; if this drops below 100 or
200 then it will be a very long scan. However, I don't think this will be the case since everything is running locally on my machine, so all we have to do here is hit Enter. So in a matter of seconds it has managed to launch more than 6000 HTTP requests and generated a report for us that we can view over here at index.html. Let's look at the report: you need to go into this skip folder that we have defined using the output option and then open this index.html. This will give you a summary of the results of this scan. For example, we can see the document types that skipfish has encountered, like images and their URLs, the text CSS, the HTML, and then some issues that skipfish has encountered: that the response varies, sometimes an incorrect or missing charset, a password entry form that we could actually brute force. But this is also a bit basic, because skipfish could not get past the login screen of our vulnerable website; it was stuck here, and this is why it has found such limited results as the ones that we see over here. It didn't manage to go into any of the more advanced links, the SQL injections and the other ones. To give skipfish the capability of logging into the website, we can pass it the cookie which is used in the session management of this vulnerable website. We can view the cookie by hitting this Inspect button, going to Application, and then you can see over here there's a PHPSESSID and a security level defined as low. We need to copy both of those cookies and pass them to skipfish. To pass a cookie to skipfish we need to use the -C flag followed by the cookie name and the cookie value; you put an equals sign between the two, and for each cookie that you need to define you'll have to use the -C flag. So I've defined the PHP session, but I also need to define the level of security, right? So we've now got the two cookies that we will need to pass the first login screen. Let's try the scanner, skipfish, again, with more capabilities now that it can go past the first login screen.
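The findings Nikto reported earlier (no anti-clickjacking X-Frame-Options header, no XSS protection header) and the two session cookies we just copied out of the browser (PHPSESSID and security) are exactly the things a defender should check on the server side before a scanner does. The following is an added example written for this page, not code from the video, from Nikto or from skipfish: a small Python checker that parses a raw HTTP response, reports the hardening headers that are absent, and flags every Set-Cookie that lacks HttpOnly or Secure. Both responses are constructed samples; the cookie names follow the ones shown in the video, the session value is a placeholder.

```python
"""Header and cookie-flag audit for a raw HTTP response.
Added example for this page; not code from the video, Nikto or skipfish.
Both responses below are constructed samples."""
from http.cookies import SimpleCookie

# Constructed: what a DVWA-style PHP app returns before any hardening,
# session cookies without HttpOnly/Secure and no hardening headers at all.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache (constructed)\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid; path=/\r\n"
    "Set-Cookie: security=low; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

# Constructed: the same response after hardening the server configuration.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache (constructed)\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid; path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: security=low; path=/; HttpOnly; Secure\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-XSS-Protection: 0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

# Header name (lower-cased) -> finding text when it is absent.
REQUIRED_HEADERS = {
    "x-frame-options": "no X-Frame-Options header (clickjacking not prevented)",
    "x-content-type-options": "no X-Content-Type-Options header (MIME sniffing allowed)",
    "content-security-policy": "no Content-Security-Policy header",
    # Legacy browser filter; modern guidance is to set it to 0 and rely on CSP.
    # Nikto reports it as 'not present', so this check is presence-only as well.
    "x-xss-protection": "no X-XSS-Protection header",
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_response(raw):
    """Return the list of findings for missing headers and weak cookie flags."""
    _, headers, _ = parse_response(raw)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses name=value plus path/HttpOnly/Secure attributes
        for cookie_name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(f"cookie {cookie_name} lacks HttpOnly")
            if not morsel["secure"]:
                findings.append(f"cookie {cookie_name} lacks Secure")
    return findings


if __name__ == "__main__":
    for label, raw in (("original", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = audit_response(raw)
        print(f"{label}: {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```

Run against the constructed original response it reports eight findings (four missing headers, two flags missing on each of the two cookies) and nothing for the hardened one. The same function can be pointed at a real response captured with curl -i once the application is deployed, which is a cheaper way to close the Nikto and Wapiti header findings than re-running the whole scan.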
The cookies should actually be placed before the URL for skipfish to function correctly. You can see that the number of HTTP requests has already gone way up and the scan is taking more time; my CPU is actually in use, which is a good indicator that we've managed to go past the login screen. All right, voilà, we've got a report, let's check it out. Look at the difference: we've already identified many different types. The last time we only had a very basic overview of the document types, but more importantly we've also identified more issues, like for example numerical file names, so we can actually enumerate over those URLs; there are HTML forms, a password entry form, there are hidden files that skipfish has managed to find, and it has managed to trigger many errors now that it actually has access to all the resources on this web server. All right, that's pretty good: we've already managed to gather a lot more information than what we had with Nikto, but we still do not have a clear view of which exploits are possible, like we don't know how to exploit this website. So let's try something a bit more advanced. Wapiti is another penetration testing tool that allows you to audit the security of a website. It performs many scans, like SQL injections, cross-site scripting and all the other attacks that are known to be exploitable on websites. It uses both GET and POST methods as part of its attacking capabilities, and it has many features like HTTP and HTTPS support. Now let's see what we can do with it: clear, then wapiti -h. Now look at the amount of options that we have available with this tool, it's already marvelous. Well, first of all there's a list of modules, let's check this out. This command will list all the attacks that Wapiti comes equipped with, so for example it can do a blind SQL attack, brute force login forms, detect file-related vulnerabilities such as directory traversals and include vulnerabilities, and a lot more. This seems to be pretty awesome, let's try it out. We need to
provide it with -u for the URL. Now if we launch it like this it will also be stuck on the login screen, so we need to pass the cookie as a JSON file. All right, let me show you what this JSON file looks like: cat cookie.json. It will simply include the PHPSESSID and the security level, the same two cookies that we've defined. Wapiti has a special tool (wapiti-getcookie) to get those cookies if you don't want to do this yourself. So we've passed the cookie and we're going to be logged in; however, the framework might actually reach the logout button, and we don't want that to happen, we don't want to end this session, so we're going to exclude it: we're going to do -x and add to it an exclusion for logout.php. However, since I've already used this tool before, I will need to flush the old attacks so it will actually execute them again. All right, you can see over here that it has already detected all the flaws that are in the configuration, selected the cookies, and now it's trying an execution to get more files off this web server; here it's actually trying to traverse the path. Now this will take a moment until it finishes, so we'll be back when this is done. All right, so the scan is completed. Now we can see for example that it has found an XSS vulnerability under this link, which is correct because there should be an XSS vulnerability here; it is exploitable using this long blob. Now once the execution completes, the tool will generate a report for us. You can see that it has found SQL injection, traversals, command execution, HTTP secure headers vulnerabilities, HttpOnly flag cookies, so much stuff. Now I didn't let it run the whole SQL injection module because that would take too long, that's why it didn't find those, but I'm going to show you in a moment how to do a specific attack and focus on it. Cross-site scripting: there are five different vulnerabilities; if you click on them it will take you and tell you where, under which URL, they were present. However, if you click on this HTTP request it will not
show the exploit, because it was too long, but what you could do is go back to the output from the console and search for the vulnerability that you want. Let's try the reflected XSS: you can see that an alert has been triggered even though our website does not include an alert. This is basically a reflected cross-site scripting attack; Wapiti has managed to actually find it and find an exploit for us, which is super good. Now let's try a specific attack. To do that we're going to use the same command, however we're going to append -m, which lets us choose which module we would like to use, and we can go for blind SQL. We can also choose how aggressive the framework will be, so I'm going to choose the highest level, which is insane, and instead of going over every URL I'm going to focus on the blind SQL injection. Now this has been a very awesome tool: it gave us the power to launch any attack we wanted, and it also has different levels of aggressiveness, which makes it super awesome. There are similar tools, which brings me to the OWASP Zed Attack Proxy. The Zed Attack Proxy scanner is a very good penetration testing tool; its main power is the fact that it has a graphical user interface. Let's try it out. Once it's been installed, all you have to do is type zaproxy and this will launch the graphical user interface, and voilà, we've got ourselves a graphical user interface that will allow us to scan websites. All you have to do is hit this Quick Start and fill in the URL that you would like to attack. In my case, since I want to use cookies to log in, I'm going to need to make a script; I'm going to include a link in the description so you can set it up the same way. The first thing we're going to do is launch a spider to scan all the possible URLs; this will enumerate every sub-URL in this website, and you can see those URLs over here. Now once this operation is complete we can launch a full scan: hit this Quick Start button and hit Attack. You can see the progress down here, which URLs it is
trying, and this will take a long while. Now once the scan is completed you will get a whole list of every vulnerability that was found; I think it has managed to find all the vulnerabilities on this website. On top of that, if you double click on one of those vulnerabilities you will see a description of this vulnerability and a solution on how to mitigate it. In the case of an SQL injection you will also be able to see the attack, so what to actually use to trigger this SQL injection vulnerability, and the fact that it gives you the attack gives it many extra points for me. The setup is a bit tedious if you have to go through all those steps to make sure that it can log in and all of that, but once everything is set it's a super amazing tool. But I still have one last tool to show you: it's XSSer, the Cross Site "Scripter". It's an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications. It's a super powerful tool, let me show you. Let's look at what it can do: I think this is the longest option menu that I've seen among all those scanners, although it's a specialized tool, so you'd think that the more general tools would have more options, but this is just unbelievable. The first thing this tool comes equipped with is the checker system; these options are useful to know if your target is using filters against XSS attacks. There are also some special techniques that use fuzzing to improve your cross-site scripting. Now I hope you had a lot of fun hacking this website, and hopefully these website scanners will also be helpful in your penetration testing and ethical hacking career. See you again next time.
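What Wapiti's reflected XSS finding and XSSer's filter checks both boil down to is one question: does a probe string sent in a request come back inside the HTML unchanged, or encoded? The following is an added example written for this page, not code from the video, from DVWA or from either tool: a constructed page handler that echoes a query parameter unescaped (the defect the scanners flagged), the same handler with HTML escaping, and the reflection check a scanner runs against both. The probe string, the template and the parameter name are all constructed for the example.

```python
"""Reflected XSS: vulnerable handler, hardened handler, and a scanner-style
reflection check. Added example for this page; not code from the video,
DVWA, Wapiti or XSSer. Template, parameter name and probe are constructed."""
import html
from urllib.parse import parse_qs, quote

# Constructed probe: a scanner only needs to learn whether this comes back
# in the response verbatim (treated as markup) or encoded (treated as text).
PROBE = "<script>alert(1)</script>"


def _param(query_string, name):
    """Read one parameter from a URL-encoded query string ('' if absent)."""
    return parse_qs(query_string).get(name, [""])[0]


def render_greeting_vulnerable(query_string):
    """Defect: the 'name' parameter is interpolated straight into the HTML."""
    return f"<html><body><p>Hello {_param(query_string, 'name')}</p></body></html>"


def render_greeting_safe(query_string):
    """Fix: encode <, >, &, and quotes before interpolating into element content."""
    safe_name = html.escape(_param(query_string, "name"), quote=True)
    return f"<html><body><p>Hello {safe_name}</p></body></html>"


def reflects_unescaped(render, probe=PROBE):
    """Scanner-style check: send the probe as the 'name' parameter and report
    whether the response contains it byte-for-byte. True means the browser
    would parse the probe as markup rather than display it as text."""
    response = render("name=" + quote(probe, safe=""))
    return probe in response


if __name__ == "__main__":
    print("vulnerable page reflects probe:", reflects_unescaped(render_greeting_vulnerable))
    print("hardened page reflects probe:  ", reflects_unescaped(render_greeting_safe))
    print(render_greeting_safe("name=" + quote(PROBE, safe="")))
```

The check returns True for the vulnerable handler and False for the hardened one, which is the same verdict the scanners' "reflected" finding encodes. One caveat for anyone fixing the real application: html.escape is the right encoding only for element content; input that ends up inside an attribute, a URL or a script block needs the encoding for that context, and a Content-Security-Policy on the response limits the damage when an encoding is missed.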
Info
Channel: Nour's tech talk
Views: 61,972
Id: y6W1kc1jOkI
Length: 14min 34sec (874 seconds)
Published: Wed Aug 03 2022