Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Web Penetration Testing with Kali Linux 2.0, Second Edition
Web Penetration Testing with Kali Linux 2.0, Second Edition

Web Penetration Testing with Kali Linux 2.0, Second Edition: Build your defense against web attacks with Kali Linux 2.0

Arrow left icon
Profile Icon Juned Ahmed Ansari
Arrow right icon
€18.99 per month
Full star icon Full star icon Full star icon Full star icon Empty star icon 4 (6 Ratings)
Paperback Nov 2015 312 pages 1st Edition
eBook
€32.99
Paperback
€41.99
Subscription
Free Trial
Renews at €18.99p/m
Arrow left icon
Profile Icon Juned Ahmed Ansari
Arrow right icon
€18.99 per month
Full star icon Full star icon Full star icon Full star icon Empty star icon 4 (6 Ratings)
Paperback Nov 2015 312 pages 1st Edition
eBook
€32.99
Paperback
€41.99
Subscription
Free Trial
Renews at €18.99p/m
eBook
€32.99
Paperback
€41.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. €18.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Web Penetration Testing with Kali Linux 2.0, Second Edition

Chapter 2. Setting up Your Lab with Kali Linux

Preparation is the key to everything. It becomes even more important when working on a penetration testing engagement, where you get a limited amount of time to do the reconnaissance, scanning, exploitation, and finally gain access and present the customer with a detailed report. Each penetration test that you conduct would be different in nature and would require a different approach from a test that you earlier conducted. Tools play a major role in it, and you need to prepare your toolkit beforehand and have hands-on experience of all the tools that you will need to execute the test.

In this chapter, we will cover the following topics:

  • Overview of Kali Linux and changes from the previous version
  • Different ways of installing Kali Linux
  • Virtualization versus installation on physical hardware
  • Walkthrough and configuration of important tools in Kali Linux
  • Installing Tor and configuration

Kali Linux

Kali Linux is security-focused Linux distribution based on Debian. It's a rebranded version of the famous Linux distribution known as Backtrack, which came with a huge repository of open source hacking tools for network, wireless, and web application penetration testing. Although Kali Linux contains most of the tools from Backtrack, the main aim of Kali Linux is to make it portable so that it could be installed on devices based on the ARM architectures such as tablets and Chromebook, which makes the tools available at your disposal with much ease.

Using open source hacking tools comes with a major drawback: they contain a whole lot of dependencies when installed on Linux and they need to be installed in a predefined sequence. Moreover, authors of some tools have not released accurate documentation, which makes our life difficult.

Kali Linux simplifies this process; it contains many tools preinstalled with all the dependencies and is in ready to use condition so that you can...

Important tools in Kali Linux

Once you have Kali Linux up and running, you can start playing with the tools. Since this book is on web application hacking, all the major tools that we would be spending most of our time are under Applications | Web Application. Following screenshot shows the tools present under Web Application:

Important tools in Kali Linux

In Kali Linux 2.0, tools under Web Applications are further divided into four categories as listed here:

  • Web application proxies
  • Web vulnerability scanners
  • Web crawlers and directory browsing
  • CMS and framework identification

Web application proxies

A HTTP proxy is one of the most important tools in the kit of a web application hacker and Kali Linux includes several of those. A feature that you miss in one proxy would surely be there in some other proxy which highlights the real advantage of Kali Linux with it vast repository of tools.

A HTTP proxy is a software that sits in between the browser and the website intercepting all the traffic that flows between them. The main...

Using Tor for penetration testing

The main aim of a penetration test is to hack into a web application in a way that a real-world malicious hacker would do it. Tor provides an interesting option to emulate the steps that a black hat hacker uses to protect his or her identity and location. Although an ethical hacker trying to improve the security of a web application should be not be concerned about hiding his or her location, by using Tor it gives you an additional option of testing the edge security systems such as network firewalls, web application firewalls, and IPS devices.

Black hat hackers try every method to protect their location and true identity; they do not use a permanent IP address and constantly change it in order to fool the cybercrime investigators. You would find port scanning requests from a different range of IP addresses and the actual exploitation having the source IP address that your edge security systems are logging for the first time. With the necessary written approval...

Summary

This chapter was all about Kali Linux. We started by understanding the different ways in which Kali Linux can be installed and scenarios where we would be using it. Virtualizing Kali Linux is an attractive option and we discussed the pro and cons for it. Once we had Kali Linux up and running, we did an overview of the major hacking tools that we would be using to test web applications. Burp suite is a really interesting and feature-rich tool that we would be using throughout the book. We then discussed web vulnerability scanners that are of great use to identify flaws and configuration issues in well-known web servers. Finally, we set up Tor and Privoxy to emulate a real world attacker that would hide his or her real identity and location.

In the next chapter, we would perform reconnaissance, scan web applications, and identify underlying technologies used that would act as a base for further exploitation.

Left arrow icon Right arrow icon

Description

Kali Linux 2.0 is the new generation of the industry-leading BackTrack Linux penetration testing and security auditing Linux distribution. It contains several hundred tools aimed at various information security tasks such as penetration testing, forensics, and reverse engineering. At the beginning of the book, you will be introduced to the concepts of hacking and penetration testing and will get to know about the tools used in Kali Linux 2.0 that relate to web application hacking. Then, you will gain a deep understanding of SQL and command injection flaws and ways to exploit the flaws. Moving on, you will get to know more about scripting and input validation flaws, AJAX, and the security issues related to AJAX. At the end of the book, you will use an automated technique called fuzzing to be able to identify flaws in a web application. Finally, you will understand the web application vulnerabilities and the ways in which they can be exploited using the tools in Kali Linux 2.0.

Who is this book for?

If you are already working as a network penetration tester and want to expand your knowledge of web application hacking, then this book tailored for you. Those who are interested in learning more about the Kali Sana tools that are used to test web applications will find this book a thoroughly useful and interesting guide.

What you will learn

  • Set up your lab with Kali Linux 2.0
  • Identify the difference between hacking a web application and network hacking
  • Understand the different techniques used to identify the flavor of web applications
  • Expose vulnerabilities present in web servers and their applications using serverside attacks
  • Use SQL and crosssite scripting (XSS) attacks
  • Check for XSS flaws using the burp suite proxy
  • Find out about the mitigation techniques used to negate the effects of the Injection and Blind SQL attacks

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Nov 26, 2015
Length: 312 pages
Edition : 1st
Language : English
ISBN-13 : 9781783988525
Vendor :
Offensive Security
Category :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. €18.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Nov 26, 2015
Length: 312 pages
Edition : 1st
Language : English
ISBN-13 : 9781783988525
Vendor :
Offensive Security
Category :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 120.97
Web Penetration Testing with Kali Linux 2.0, Second Edition
€41.99
Kali Linux: Wireless Penetration Testing Beginner's Guide, Second Edition
€36.99
Kali Linux Web Penetration Testing Cookbook
€41.99
Total 120.97 Stars icon

Table of Contents

11 Chapters
1. Introduction to Penetration Testing and Web Applications Chevron down icon Chevron up icon
2. Setting up Your Lab with Kali Linux Chevron down icon Chevron up icon
3. Reconnaissance and Profiling the Web Server Chevron down icon Chevron up icon
4. Major Flaws in Web Applications Chevron down icon Chevron up icon
5. Attacking the Server Using Injection-based Flaws Chevron down icon Chevron up icon
6. Exploiting Clients Using XSS and CSRF Flaws Chevron down icon Chevron up icon
7. Attacking SSL-based Websites Chevron down icon Chevron up icon
8. Exploiting the Client Using Attack Frameworks Chevron down icon Chevron up icon
9. AJAX and Web Services – Security Issues Chevron down icon Chevron up icon
10. Fuzzing Web Applications Chevron down icon Chevron up icon
Index Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
(6 Ratings)
5 star 66.7%
4 star 0%
3 star 16.7%
2 star 0%
1 star 16.7%
Filter icon Filter
Top Reviews

Filter reviews by




ryan Mar 09, 2016
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is a very thorough book. Plenty of examples of everything. Each idea and point is explained extremely well too. I could not be happier with this. It certainly has allowed me to expand my horizon in the security field.
Amazon Verified review Amazon
Perry Nally Jan 19, 2016
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Great read. If you are new to either web penetration testing or kali linux, you'll learn a ton of very useful tools and techniques on how to determine hack-ability of a website. If you're not new to this, you'll be able to use this book as a great reference. YOu get tons of info and how-to's for each vulnerability. You get right to the nitty-gritty. The author attempt to help you get into the mind set of a person who would hack your site which helps to determine the various attack vectors. There were a few vectors mentioned that I did not think of, including some very useful shortcuts along the way. You could never really say this type of book is ever really "complete", but this is the most complete book I've read on the subject to date. Highly recommend it if you are on the fence.
Amazon Verified review Amazon
NG CHING WA (HotMail) Jan 13, 2016
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This is very structural for both beginner and advanced forensic practitioners. There are detailed working steps to guide reader in applying Kali Linux in Penetration Test...Daniel
Amazon Verified review Amazon
Hugo Dec 22, 2015
Full star icon Full star icon Full star icon Full star icon Full star icon 5
I liked this book because the author gives a good immersion on the theme, he introduces about the ecosystem of web applications, the needs of security, the structure, major flaws and the possible attackers. The steps to execute the penetration test are crucial and he presented the points that you need to carry on, exploring the flaws with the possible doors and the best tools. Security technology is an activity where you can never stop, you have to have caution and your team prepared to solve the flaws fast as possible.This book makes me understand what I need to do, what is more important, this subject is so dynamic that you never feel totally comfortable to deal with, but now I can see what an efficient pen test is like. So this book delivers what it promises and I would recommend for anyone who work or are interested on this topic, this book is very worthwhile.
Amazon Verified review Amazon
Xilobyte6 Feb 17, 2017
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
The author makes a good attempt at explaining the different tools. One will need to read this book though several times to be able to formulate a standardise plan. Upon rereading it, you find that some of these tools and modules do not even exist in a default Kali install nor is there any method in the book to acquire them. So this data is extremely important to include if you are going to talk about a particular module. Next, going from pages 82-84, there is a jump in context. We are reading about nmap and such one moment then all of a sudden we have jumped into the middle of another framework. Something has been edited out here. If I compare this book to other similar books that I am reading at the same time on this same subject, I would say, move on to another book instead. This one is simply trying to cover way too much with not enough effort. All they had to do was leave the book on the table a little long and develop it more.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.