Kali Linux Penetration Testing
Kali Linux (the successor to BackTrack Linux) is an open-source, freely available penetration testing platform, suitable both for penetration testing and for security auditing.
Kali Linux for Web Application Penetration Testing
New applications and operating system versions are released constantly, yet testing often receives less attention than it deserves, partly because of the complexity of modern code bases. As a result, errors and vulnerabilities remain in application code. Finding them matters to software developers and information security specialists, as well as to the technical staff who deploy and maintain business applications.
Kali Linux is one of the most popular penetration testing distributions. It descends from the well-known BackTrack Linux but is now based on Debian, so it can use Debian packages and applications directly. Its popularity comes from a fairly friendly interface and from shipping the necessary penetration testing tools out of the box: Kali comes with a large collection of tools for security assessment, exploitation and digital forensics.
Kali Linux is one of the most recommended Linux distributions for white-hat hackers: a powerful tool both for attackers and for those who defend against them. Even if you are not a security specialist but, say, a webmaster, you can use some of its tools to start scanning your own web server or site. Kali Linux has been ported to the ARM architecture, so it can also be installed on tablets and other ARM devices.
The tools are grouped by category, which is very convenient. Besides workstation images there are images for single-board computers such as the Raspberry Pi 3, and for mobile platforms running Android, for example Kali NetHunter, which installs on top of Android almost unchanged. More and more Linux distributions build images for ARM, since practically all mobile devices today use that architecture. The official Kali website has detailed instructions on how to build your own ARM image.
Reconnaissance and Information Collection with Kali Linux
Any vulnerability search begins with reconnaissance and information gathering. Reconnaissance can be active (enumerating files and directories on a site, running vulnerability scanners, manually analysing the application) or passive (using search engines and online services that have already collected data about the target). Assessing the security of a company's infrastructure starting from its public websites and DNS records is the opening phase of an external penetration test.
Ethical hacking begins with collecting general information about the target: which services are used, how many servers there are and what their addresses are, and so on. The starting point is most often a second-level domain (for example, example.com). Pentesters try to extract as much as possible from this information, and they try to do it passively so that monitoring systems do not record suspicious activity. Below we look at some Kali Linux tools and online resources that can be used to analyse the security of web applications.
Passive collection draws on Whois services, DNS analysis, public Internet resources, search engines and online services, social networks, and much more. Begin by analysing the target site and the information published on it. Actively scanning the site can trigger alerts from its security systems, so start instead with a service that has already crawled it. Such a service exists: Google.
Some Kali Linux Tools and Online Services
Google dorks. Ordinary web searching becomes a professional passive scanner when you use special operators ("dorks") in your queries. Google's advanced search operators are commonly combined with other pentesting tools to gather information without touching the target, map its hosts and spot exposed services. Google dorks can reveal a wide range of sensitive data: administrator login pages, usernames and passwords, confidential documents, government material, corporate mailing lists, banking details, and more. They also let you filter results by type of vulnerability, by CMS, and by error messages that few people pay attention to.
Among all Google Advanced Search Operators, the most interesting are:
- site: - restrict the search to a specific site or domain;
- inurl: - the term must appear in the page's URL;
- intitle: - the term must appear in the page's title;
- ext: or filetype: - find files of a given type by extension.
Also, when composing a query, remember the operators written as special characters:
- "|" - vertical bar, the OR operator. Show results containing at least one of the listed words.
- "..." - quotation marks. Search for an exact phrase.
- "-" - minus. Exclude results containing the word that follows it.
- "*" - asterisk. A wildcard meaning "anything".
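To show how the operators above combine in practice, here is an added example (not code from the original article or from Google) that builds a set of dork queries for one target and the matching search URLs. The target domain example.com and the six query templates are assumptions chosen for illustration; each query is anchored with site: so results stay on the target, and phrases containing spaces are quoted automatically.

```python
"""Build Google dork queries for a target domain from the operators above.

Added example, not part of the original article. The target domain
"example.com" and the query templates are assumptions chosen for
illustration; adapt them to the engagement.
"""
from urllib.parse import urlencode

GOOGLE_SEARCH = "https://www.google.com/search"


def _term(operator: str, value: str) -> str:
    """Return `operator:value`, quoting the value when it contains spaces."""
    if " " in value:
        value = f'"{value}"'
    return f"{operator}:{value}"


def or_group(operator: str, values) -> str:
    """Join several values of one operator with |, e.g. inurl:admin | inurl:login."""
    return " | ".join(_term(operator, v) for v in values)


def build_dorks(domain: str) -> dict:
    """Return a mapping of dork name -> full query string for one domain.

    Each query is anchored with site: so results stay inside the target.
    """
    site = _term("site", domain)
    return {
        # Admin and login panels exposed through the URL path.
        "login_pages": f"{site} ({or_group('inurl', ['admin', 'login', 'wp-admin'])})",
        # Office documents and PDFs that may contain internal information.
        "documents": f"{site} ({or_group('ext', ['pdf', 'doc', 'docx', 'xls', 'xlsx'])})",
        # Directory listings left enabled on the web server.
        "dir_listing": f"{site} {_term('intitle', 'index of')}",
        # Configuration, dump and backup files that should never be indexed.
        "config_files": f"{site} ({or_group('ext', ['log', 'sql', 'env', 'bak'])})",
        # Hosts other than www: * matches any host, minus excludes the main site.
        "other_hosts": f"{_term('site', '*.' + domain)} -{_term('site', 'www.' + domain)}",
        # Verbose error messages leaking stack traces or database errors.
        "error_pages": f'{site} ("sql syntax" | "warning: mysql" | "stack trace")',
    }


def search_url(query: str) -> str:
    """Return the Google URL for a query, URL-encoding operators and quotes."""
    return f"{GOOGLE_SEARCH}?{urlencode({'q': query})}"


if __name__ == "__main__":
    for name, query in build_dorks("example.com").items():
        print(f"{name:13} {query}")
        print(f"{'':13} {search_url(query)}")
```

Running the script prints each query alongside its URL; the queries can be pasted into a browser or fed to a search-scraping tool. Keep the request rate low: Google throttles automated queries, and the point of this phase is to avoid touching the target at all.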
2IP and similar services. Online services that report a visitor's operating system, browser, location and Internet provider, as well as details about an IP address. Such services also offer tools useful during a penetration test: on 2IP you can resolve a domain name to its IP address, check a domain's DNS records, detect the CMS in use, check whether the site is present in web archives, and so on.
Shodan. A search engine created by John Matherly that focuses on finding devices connected to the Internet: routers, switches, desktops, servers and other equipment, together with the services they expose. Rather than indexing web pages, Shodan connects to open ports, captures the service banners returned, and indexes them so they can be searched.
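The banner-grab-and-index step is the same whether Shodan or an active scanner does it, and it is what Nmap's service detection builds on. The following added example (not Shodan's or Nmap's code) connects to a port with a timeout, reads the first bytes the service sends, and parses the two banner shapes it knows, SSH identification strings and HTTP Server headers, into the kind of fields a search engine would index. The one-shot SSH server on 127.0.0.1 is constructed so the demo runs offline; against a real host you would pass its address and port instead.

```python
"""Grab and parse service banners the way Shodan's crawler does at its core.

Added example, not Shodan's or Nmap's code. The fake SSH server below is
constructed for an offline demo; the parsing regexes cover only the two
banner shapes shown (SSH identification strings and HTTP Server headers).
"""
import re
import socket
import threading

# Services that wait for a client request need a probe before they answer;
# SSH and many others speak first, so an empty probe is enough for them.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"

SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comment>.*))?")
HTTP_SERVER_RE = re.compile(r"^Server:\s*(?P<server>.+?)\r?$", re.MULTILINE | re.IGNORECASE)


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a probe, and return the first bytes the service sends.

    A short timeout is essential: an open but silent port would otherwise
    stall a scan of thousands of hosts.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", errors="replace").strip()


def parse_banner(banner: str) -> dict:
    """Turn a raw banner into the structured fields a search engine would index."""
    m = SSH_RE.match(banner)
    if m:
        return {"service": "ssh", "protocol": m["proto"],
                "product": m["software"], "comment": m["comment"] or ""}
    m = HTTP_SERVER_RE.search(banner)
    if m:
        return {"service": "http", "product": m["server"].strip()}
    return {"service": "unknown", "raw": banner}


def _fake_ssh_server(banner: bytes) -> int:
    """Start a one-shot localhost listener that sends `banner`; return its port.

    Constructed for the demo only, so the example needs no network access.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Grab a banner from the constructed local server and parse it."""
    port = _fake_ssh_server(b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n")
    return parse_banner(grab_banner("127.0.0.1", port))


if __name__ == "__main__":
    print(demo())
```

The parsed fields (product and version strings) are exactly what lets Shodan answer a query like "all hosts running a given OpenSSH release"; the same output is what you compare against a vulnerability database during a pentest. Banners are attacker-controlled text, so treat them as untrusted input: decode with replacement, cap the read size, and never eval or render them unescaped.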
HackerTarget. An online service that runs vulnerability scans based on open-source tools. HackerTarget offers 12 kinds of scans for free, including external port scanning, OpenVAS vulnerability scanning, domain information gathering, and WordPress, Joomla and Drupal security checks. Information collected with HackerTarget can be used to widen the attack surface once vulnerabilities are found on the server. The hosted scans include:
- Nmap: scan any IP address, up to 2048 addresses per day, with unlimited port scans and scheduled scans;
- OpenVAS: scan up to 512 IP addresses and generate reports in PDF, HTML or XML, with scheduled scanning available;
- Nikto: web server vulnerability scanning, plus SQLmap testing, WhatWeb / Wappalyzer fingerprinting, CMS scans for WordPress, Joomla and Drupal, and SSL/TLS testing.
theHarvester. A tool for collecting e-mail addresses, subdomain names, virtual hosts, open ports or banners and employee names from public sources such as search engines and PGP key servers. It is simple but effective in the early stages of a penetration test for finding out what an attacker can learn about a company from the Internet.
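At its core this kind of harvesting is pattern extraction over scraped text, and that is worth seeing on concrete input. The added example below (not theHarvester's code) pulls e-mail addresses and subdomains belonging to a target out of a handful of constructed strings that stand in for search engine results and a PGP key server reply; the target domain example.com, the sample pages and the addresses in them are all made up for the demo. The regexes are anchored so that look-alike domains such as notexample.com and addresses at other domains are skipped.

```python
"""Extract e-mail addresses and subdomains for a target from scraped text.

Added example, not theHarvester's code. PAGES is constructed to stand in
for search engine results and a PGP key server response; in real use the
same functions run over fetched pages.
"""
import re

TARGET = "example.com"  # assumed target domain

# Constructed sample input (what a search engine or key server might return).
PAGES = [
    '<a href="mailto:j.doe@example.com">Jane Doe</a> - CFO, Example Corp',
    "Contact: support@mail.example.com or sales@EXAMPLE.com (Mon-Fri)",
    "pub  rsa4096 2019-03-01 [SC]  uid  Bob Smith <bob.smith@example.com>",
    "See https://vpn.example.com/login and http://intranet.dev.example.com:8080/",
    "Unrelated: admin@example.org, https://notexample.com/example.com.html",
]


def extract_emails(text: str, domain: str) -> set:
    """Return lower-cased addresses at `domain` or any of its subdomains."""
    dom = re.escape(domain)
    pattern = re.compile(rf"\b[\w.+-]+@((?:[\w-]+\.)*{dom})\b", re.IGNORECASE)
    return {m.group(0).lower() for m in pattern.finditer(text)}


def extract_subdomains(text: str, domain: str) -> set:
    """Return hostnames ending in `.domain`; the lookarounds stop notexample.com matching."""
    dom = re.escape(domain)
    pattern = re.compile(rf"(?<![\w.-])((?:[\w-]+\.)+{dom})(?![\w-])", re.IGNORECASE)
    return {m.group(1).lower() for m in pattern.finditer(text)}


def harvest(pages, domain: str) -> dict:
    """Aggregate unique e-mails and subdomains across all pages, sorted for reporting."""
    emails, hosts = set(), set()
    for page in pages:
        emails |= extract_emails(page, domain)
        hosts |= extract_subdomains(page, domain)
    # A mail host seen in an address (mail.example.com) is a subdomain too.
    hosts |= {e.split("@", 1)[1] for e in emails if e.split("@", 1)[1] != domain}
    return {"emails": sorted(emails), "subdomains": sorted(hosts)}


if __name__ == "__main__":
    result = harvest(PAGES, TARGET)
    print("E-mails:   ", ", ".join(result["emails"]))
    print("Subdomains:", ", ".join(result["subdomains"]))
```

The e-mail list doubles as a username list for the login pages found earlier and as a phishing-exposure inventory for the report; the subdomain list feeds the active phase (port scanning and web scanning) that follows.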
Sparta. A tool for automating active reconnaissance. It has a GUI that makes the workflow easy to follow. After you specify a target host, the tool runs a sequence of information-gathering steps, starting with an Nmap port scan and finishing with Nikto scans of any web servers found and screenshots of their pages. If needed, discovered services can be handed to the built-in brute-force module to guess user account passwords.