Web Application Security Testing using Kali Linux Gene Gotimer, Senior Architect [email protected] Copyright 2013 Coveros, Inc. All rights reserved. 1 About Coveros Coveros helps organizations accelerate the delivery of business value through secure, reliable software Copyright 2013 Coveros, Inc. All rights reserved. 2
Kali Linux Penetration Testing and Security Auditing Linux distribution New generation of BackTrack Linux Debian-based (Wheezy) Many install options: i386, x86_64, ARM Android devices ISO and VMWare image Installed, virtual, dual boot, live USB PXE, mini ISO
www.kali.org Copyright 2013 Coveros, Inc. All rights reserved. 3 Not for general use! Single user Default user is root Many of the tools need root anyway Live images use toor as default root password Not recommended for Linux beginners It is a pentesting and security auditing tool Easy to mess up the system as root Easy to attack your organization from within Copyright 2013 Coveros, Inc. All rights reserved.
Exploitation Tools Forensics Reporting Tools Sniffing/Spoofing Copyright 2013 Coveros, Inc. All rights reserved. 5 Top 10 Security Tools Aircrack-ng wireless password cracking Burp Suite web application proxy and security testing
THC-Hydra network password cracker John the Ripper Unix and Windows password cracker Maltego intelligence and forensics Copyright 2013 Coveros, Inc. All rights reserved. 6 Top 10 Security Tools Metasploit Framework pentesting and exploitation tool
Nmap network discovery OWASP Zed Attack Proxy web application scanner and proxy sqlmap SQL injection detection and exploitation Wireshark network protocol analyzer Copyright 2013 Coveros, Inc. All rights reserved. 7
Many more tools Hundreds of tools Supporting software GUI front ends Greenbone for OpenVAS Armitage for Metaploit Zenmap for Nmap updaters Metasploit OpenVAS Tools are integrated OpenVAS runs Nikto2, Wapiti, Nmap, Arachni Metasploit can run OpenVAS Copyright 2013 Coveros, Inc. All rights reserved.
8 Ways to Use Kali Linux Professional Penetration Testing Pentest Tool Suite Install on a USB drive Carry to the client site All tools you need are available Forensic Information Gathering Live boot into forensic mode Doesnt touch internal hard drive No auto mount of removable media Password Recovery
Copyright 2013 Coveros, Inc. All rights reserved. 9 Ways for non-Pentesters to Use Kali Linux Tool catalog Browse menus to find tools in any category Pre-installed tools Try a tool to see if it meets your needs Compare tools Occasional security tests Dont have time/resources to maintain security testing environment Exploitation software Demonstrate vulnerabilities
Copyright 2013 Coveros, Inc. All rights reserved. 10 OpenVAS Open-source fork of Nessus System vulnerability scanner and manager Daily feeds of Network Vulnerability Tests (NVTs) Scans scheduled or on-demand View results by host by scan deltas Overrides false positives
backported fixes Copyright 2013 Coveros, Inc. All rights reserved. 11 Nikto2 Web server scanner Not a web application scanner Looks at Apache command-line tool nikto h 192.168.56.101 Runs in seconds -> minutes Report is text-only to the screen Copyright 2013 Coveros, Inc. All rights reserved.
12 Wapiti Web application scanner Fuzzer command-line tool wapiti http://192.168.56.101/ Runs in minutes -> hours Report is text-only to the screen Copyright 2013 Coveros, Inc. All rights reserved. 13 skipfish
Web application scanner Fuzzer, very fast with dictionaries command-line tool touch wordlist.wl skipfish o /root/sf-20131205 \ S /usr/share/skipfish/dictionaries/minimal.wl \ W wordlist.wl http://192.168.56.101/ Runs in minutes -> hours Can be timeboxed (-k duration) Report is HTML Copyright 2013 Coveros, Inc. All rights reserved. 14
OWASP Zed Attack Proxy Web application scanner and proxy Proxy, fuzzers, scanners, spiders GUI interface Can generate XML and HTML reports Copyright 2013 Coveros, Inc. All rights reserved. 15
Open Graphics Library (OpenGL) - Cross-platform standard specification for multimedia graphics . DirectX - Collection of APIs related to multimedia tasks for Microsoft Windows . Windows API - Allows applications from older versions os Windows to operate on newer versions.
Organizational barriers to LPNs practicing within scope (Mueller et al, 2012) Need for effective models of RN-LPN collaboration. Institute of Medicine's Future of Nursing (2011) acknowledges LPN contributions to care: LPNs viewed as essential to performing delegated care in the...
Develop the follow-up letter using standardized language for the opening paragraphs and for the sections on findings, corrective action, concerns and recommendations. Requirements . for Pass-through Entities. O. FFICE OF THE . C. HIEF. F. INANCIAL. O. FFICER. Post-Award .
A united and collaborative care delivery community, fostering health equity for all. GOAL: Prepare our partners to move from volume to value. Welcome! ... Evaluate clinical data entry and audit/clinical decision support processes. Evaluate Hixny utilization and review workflow integration...
14 by 16 family room with 2 ceiling fansUpstairs loft with Queen bed. Kitchen: Dishwasher - Garbage Disposal23 CU ft Fridge w/ice makerElectric Stove Convection Micro Wave6 Drawer Pantry ... Kingsize Bed on pedestal with 4 drawersplus 8 drawer built...
Chapter 6 Global Information Systems and Market Research Introduction Understand the importance of information technology and marketing information systems Utilize a framework for information scanning and opportunity identification Understand the formal market research process Know how to manage the marketing...
Paired Sampling in Density-Sensitive Active Learning ... of straddling the boundary with paired samples Three factors affect sampling Local density Conditional entropy maximization Utility score Illustrative Example Left Figure significant shift in the current hypothesis large reduction in ...