Identify, exploit, and test web application security with ease
Metasploit has been a crucial security tool for many years. However, there are only a few modules that Metasploit has made available to the public for pentesting web applications. In this book, you'll explore another aspect of the framework – web applications – which is not commonly used. You'll also discover how Metasploit, when used with its inbuilt GUI, simplifies web application penetration testing.
The book starts by focusing on the Metasploit setup, along with covering the life cycle of the penetration testing process. Then, you will explore Metasploit terminology and the web GUI, which is available in the Metasploit Community Edition. Next, the book will take you through pentesting popular content management systems such as Drupal, WordPress, and Joomla, which will also include studying the latest CVEs and understanding the root cause of vulnerability in detail. Later, you'll gain insights into the vulnerability assessment and exploitation of technological platforms such as JBoss, Jenkins, and Tomcat. Finally, you'll learn how to fuzz web applications to find logical security vulnerabilities using third-party tools.
By the end of this book, you'll have a solid understanding of how to exploit and validate vulnerabilities by working with various tools and techniques.
This book is for web security analysts, bug bounty hunters, security professionals, or any stakeholder in the security sector who wants to delve into web application security testing. Professionals who are not experts with command line tools or Kali Linux and prefer Metasploit’s graphical user interface (GUI) will also find this book useful. No experience with Metasploit is required, but basic knowledge of Linux and web application pentesting will be helpful.
Page count: 325
Year of publication: 2020
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Ronn Kurien
Senior Editor: Richard Brookes-Bland
Technical Editor: Sarvesh Jaywant
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Alishon Mendonsa
First published: May 2020
Production reference: 1220520
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.
ISBN 978-1-78995-352-7
www.packt.com
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Fully searchable for easy access to vital information
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Harpreet Singh is the author of Hands-On Red Team Tactics published by Packt Publishing and has more than 7 years of experience in the fields of ethical hacking, penetration testing, vulnerability research, and red teaming. He is also a certified OSCP (Offensive Security Certified Professional) and OSWP (Offensive Security Wireless Professional). Over the years, Harpreet has acquired an offensive skill set as well as a defensive skill set. He is a professional who specializes in wireless and network exploitation, including but not limited to mobile exploitation and web application exploitation, and he has also performed red team engagements for banks and financial groups.
Himanshu Sharma has already achieved fame for finding security loopholes and vulnerabilities in Apple, Google, Microsoft, Facebook, Adobe, Uber, AT&T, Avira, and many others. He has assisted international celebrities such as Harbajan Singh in recovering their hacked accounts. He has been a speaker and trainer at international conferences such as Botconf 2013, CONFidence, RSA Singapore, LeHack, Hacktivity, Hack In the Box, and SEC-T. He also spoke at the IEEE Conference for Tedx. Currently, he is the cofounder of BugsBounty, a crowdsourced security platform.
Amit Kumar Sharma is a security evangelist with experience in application security and fuzz testing. During his career, he has had the chance to work with various technologies in the telecom, medical, ICS, and automotive security domains. He works as a security consultant with a reputable firm providing consultation on how security can fit in the SDLC and evangelizing technologies such as IAST, binary analysis, and fuzz testing to uncover security issues. Currently, his areas of research include DevSecOps, security in SDLC, Kubernetes security, and secrets management.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
In today's rapidly evolving technological world, the security industry is changing at a phenomenal pace, while the number of cyber attacks involving organizations is also increasing rapidly. To protect themselves from these real-world attacks, many companies have introduced security audits and risk and vulnerability assessments into their process management, designed to help the company gauge the risks to their business assets. To protect these assets, many companies have hired security professionals with the purpose of identifying risks, vulnerabilities, and threats in the companies' applications and networks. For a security professional, building up their skills and familiarizing themselves with the latest attacks are crucial. Also, to work more efficiently, many individuals choose Metasploit as their first choice for exploitation and enumeration.
As regards network exploitation and post-exploitation, we have a host of resources at our disposal, but in terms of web applications, not many opt for Metasploit. This book will help security consultants and professionals see the other side of Metasploit with regard to web applications. It will also enable readers to work more efficiently on their web application penetration testing projects with the help of Metasploit.
This book is designed for pentesters, ethical hackers, security consultants, and anyone who has some knowledge of web application penetration testing and who wants to learn more about it or deep dive into the Metasploit Framework.
Chapter 1, Introduction to Web Application Penetration Testing, covers the setup and installation of Metasploit, along with the pentesting life cycle, the OWASP Top 10, and the SANS Top 25, in detail.
Chapter 2, Metasploit Essentials, explains the basics of Metasploit, from installation to exploitation. The basic Metasploit terminologies and other less commonly used options in Metasploit are also covered.
Chapter 3, The Metasploit Web Interface, focuses on a walkthrough of the Metasploit web GUI interface, which is available in Metasploit Community Edition, before we dive into other topics.
Chapter 4, Using Metasploit for Reconnaissance, covers the first process in a penetration testing life cycle: reconnaissance. From banner grabbing to WEBDAV recon, a basic reconnaissance process will be explained with the help of particular Metasploit modules used for this.
Chapter 5, Web Application Enumeration Using Metasploit, focuses on one of the most important processes in web application penetration testing, in other words, enumeration. The chapter will start with the very basics of file and directory enumeration, before proceeding to crawling and scraping from a website, and then further enumeration involving Metasploit modules.
Chapter 6, Vulnerability Scanning Using WMAP, covers the WMAP module of the Metasploit Framework for scanning web applications.
Chapter 7, Vulnerability Assessment Using Metasploit (Nessus), covers the utilization of the Nessus vulnerability scanner via Metasploit to perform vulnerability assessment scanning on a target.
Chapter 8, Pentesting CMSes – WordPress, covers the enumeration of vulnerabilities for WordPress and how to exploit them.
Chapter 9, Pentesting CMSes – Joomla, covers the enumeration of vulnerabilities for Joomla and how to exploit them.
Chapter 10, Pentesting CMSes – Drupal, covers the enumeration of vulnerabilities for Drupal and how to exploit them.
Chapter 11, Penetration Testing on Technological Platforms – JBoss, covers methods for enumerating, exploiting, and gaining access to a JBoss server.
Chapter 12, Penetration Testing on Technological Platforms – Apache Tomcat, covers methods for enumerating, exploiting, and gaining access to a Tomcat server.
Chapter 13, Penetration Testing on Technological Platforms – Jenkins, covers methods for enumerating, exploiting, and gaining access to a server running Jenkins.
Chapter 14, Web Application Fuzzing – Logical Bug Hunting, focuses on exploiting flaws that exist in the business logic of the web application. We will cover in-depth examples of these, along with methods for fuzzing a web application in order to identify a vulnerability.
Chapter 15, Writing Penetration Testing Reports, covers the basics of report writing and how different tools can be used to automate the report-writing process.
A basic understanding of the Metasploit Framework and a scripting language such as Python or Ruby will facilitate understanding of the chapters.
Software/hardware covered in the book    OS requirements
Metasploit Framework                     Windows/macOS/*nix
If you are using the digital version of this book, we advise you to type the code yourself. Doing so will help you avoid any potential errors related to the copying and pasting of code.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789953527_ColorImages.pdf
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."
A block of code is set as follows:
html, body, #map { height: 100%; margin: 0; padding: 0}
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
[default]
exten => s,1,Dial(Zap/1|30)
exten => s,2,Voicemail(u100)
exten => s,102,Voicemail(b100)
exten => i,1,Voicemail(s0)
Any command-line input or output is written as follows:
$ mkdir css
$ cd css
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorization from the appropriate persons responsible.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
Title Page
Copyright and Credits
Hands-On Web Penetration Testing with Metasploit
About Packt
Why subscribe?
Contributors
About the authors
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Disclaimer
Get in touch
Reviews
Introduction
Introduction to Web Application Penetration Testing
What is a penetration test?
Types of penetration test
White box penetration test
Black box penetration test
Gray box penetration test
Stages of penetration testing
Reconnaissance and information gathering
Enumeration
Vulnerability assessment and analysis
Exploitation
Reporting
Important terminologies
Penetration testing methodologies
Open Source Security Testing Methodology Manual (OSSTMM)
Operational security metrics
Trust analysis
Human security testing
Physical security testing
Wireless security testing
Telecommunications security testing
Data network security testing
Compliance regulations
Reporting with the STAR
OSSTMM test types 
Information Systems Security Assessment Framework (ISSAF)
Penetration Testing Execution Standard (PTES)
Pre-engagement interactions
Intelligence gathering
Threat modeling
Vulnerability analysis
Exploitation
Post-exploitation
Reporting
Common Weakness Enumeration (CWE)
OWASP Top 10
SANS TOP 25
Summary
Questions
Further reading
Metasploit Essentials
Technical requirements
Introduction to Metasploit Framework
Metasploit Framework terminology
Installing and setting up Metasploit
Installing Metasploit Framework on *nix
Installing Metasploit Framework on Windows
Getting started with Metasploit Framework
Interacting with Metasploit Framework using msfconsole
MSF console commands
Customizing global settings
Variable manipulation in MSF
Exploring MSF modules
Running OS commands in MSF
Setting up a database connection in Metasploit Framework
Loading plugins in MSF
Using Metasploit modules
Searching modules in MSF
Checking for hosts and services in MSF
Nmap scanning with MSF
Setting up payload handling in MSF
MSF payload generation
Generating an MSF payload using msfconsole (one-liner)
Generating an MSF payload using msfvenom
Summary
Questions
Further reading
The Metasploit Web Interface
Technical requirements
Introduction to the Metasploit web interface
Installing and setting up the web interface
Installing Metasploit Community Edition on Windows
Installing Metasploit Community Edition on Linux/Debian
Getting started with the Metasploit web interface
Interface
Main menu
Project tab bar
Navigational breadcrumbs
Tasks bar
Project creation
Default project
Creating a custom project
Target enumeration
Using the built-in option
Importing scan results
Module selection
Auxiliary module
Using an exploit module
Session interaction
Post-exploitation modules
Summary
Questions
Further reading
The Pentesting Life Cycle with Metasploit
Using Metasploit for Reconnaissance
Technical requirements
Introduction to reconnaissance
Active reconnaissance
Banner grabbing
HTTP header detection
Web robot page enumeration
Finding hidden Git repos
Open proxy detection
Passive reconnaissance
Archived domain URLs
Censys
SSL recon
Summary
Questions
Further reading
Web Application Enumeration Using Metasploit
Technical requirements
Introduction to enumeration
DNS enumeration
Going the extra mile – editing source code
Enumerating files
Crawling and scraping with Metasploit
Scanning virtual hosts
Summary
Questions
Further reading
Vulnerability Scanning Using WMAP
Technical requirements
Understanding WMAP
The WMAP scanning process
Data reconnaissance
Loading the scanner
WMAP configuration
Launching WMAP
WMAP module execution order
Adding a module to WMAP
Clustered scanning using WMAP
Summary
Questions
Further reading
Vulnerability Assessment Using Metasploit (Nessus)
Technical requirements
Introduction to Nessus
Using Nessus with Metasploit
Nessus authentication via Metasploit
Basic commands
Patching the Metasploit library
Performing a Nessus scan via Metasploit
Using the Metasploit DB for Nessus scan
Importing Nessus scan in the Metasploit DB
Summary
Questions
Further reading
Pentesting Content Management Systems (CMSes)
Pentesting CMSes - WordPress
Technical requirements
Introduction to WordPress
WordPress architecture
File/directory structure
Base folder
wp-includes
wp-admin
wp-content
WordPress reconnaissance and enumeration
Version detection
Readme.html
Meta generator
Getting the version via JavaScript and CSS files
Getting the version via the feed
Using Outline Processor Markup Language (OPML)
Unique/advanced fingerprinting
WordPress reconnaissance using Metasploit
WordPress enumeration using Metasploit
Vulnerability assessment for WordPress
WordPress exploitation part 1 – WordPress Arbitrary File Deletion
Vulnerability flow and analysis
Exploiting the vulnerability using Metasploit
WordPress exploitation part 2 – unauthenticated SQL injection
Vulnerability flow and analysis
Exploiting the vulnerability using Metasploit
WordPress exploitation part 3 – WordPress 5.0.0 Remote Code Execution
Vulnerability flow and analysis
Exploiting the vulnerability using Metasploit
Going the extra mile – customizing the Metasploit exploit
Summary
Questions
Further reading
Pentesting CMSes - Joomla
Technical requirements
An introduction to Joomla
The Joomla architecture
The file and directory structure
Reconnaissance and enumeration
Version detection
Detection via a meta tag
Detection via server headers
Detection via language configurations
Detection via README.txt
Detection via the manifest file
Detection via unique keywords
Joomla reconnaissance using Metasploit
Enumerating Joomla plugins and modules using Metasploit
Page enumeration
Plugin enumeration
Performing vulnerability scanning with Joomla
Joomla exploitation using Metasploit
How does the exploit work? 
Joomla shell upload
Summary 
Questions
Further reading
Pentesting CMSes - Drupal
Technical requirements
Introduction to Drupal and its architecture
Drupal's architecture
Directory structure
Drupal reconnaissance and enumeration
Detection via README.txt
Detection via meta tags
Detection via server headers
Detection via CHANGELOG.txt
Detection via install.php
Plugin, theme, and module enumeration
Drupal vulnerability scanning using droopescan
Exploiting Drupal
Exploiting Drupal using Drupalgeddon2
Understanding the Drupalgeddon vulnerability
Exploiting Drupalgeddon2 using Metasploit
The RESTful Web Services exploit – unserialize()
Understanding serialization
What is a POP chain?
Deserializing the payload
Exploiting RESTful Web Services RCE via unserialize() using Metasploit
Summary
Questions
Further reading
Performing Pentesting on Technological Platforms
Penetration Testing on Technological Platforms - JBoss
Technical requirements
An introduction to JBoss
The JBoss architecture (JBoss 5)
JBoss files and the directory structure
Reconnaissance and enumeration
Detection via the home page
Detection via the error page
Detection via the title HTML tag
Detection via X-Powered-By
Detection via hashing favicon.ico
Detection via stylesheets (CSS)
Carrying out a JBoss status scan using Metasploit
JBoss service enumeration
Performing a vulnerability assessment on JBoss AS
Vulnerability scanning using JexBoss
Vulnerable JBoss entry points
JBoss exploitation
JBoss exploitation via the administration console
Exploitation via the JMX console (the MainDeployer method)
Exploitation via the JMX console using Metasploit (MainDeployer)
Exploitation via the JMX console (BSHDeployer)
Exploitation via the JMX console using Metasploit (BSHDeployer)
Exploitation via the web console (Java applet)
Exploitation via the web console (the Invoker method)
Creating BSH scripts
Deploying the BSH script using webconsole_invoker.rb
Exploitation via JMXInvokerServlet (JexBoss)
Exploitation via JMXInvokerServlet using Metasploit
Summary
Questions
Further reading
Penetration Testing on Technological Platforms - Apache Tomcat
Technical requirements
An introduction to Tomcat
The Apache Tomcat architecture
Files and their directory structures
Detecting Tomcat installations
Detection via the HTTP response header – X-Powered-By
Detection via the HTTP response header – WWW-Authenticate
Detection via HTML tags – the title tag
Detection via HTTP 401 Unauthorized error
Detection via unique fingerprinting (hashing)
Detection via directories and files
Version detection
Version detection via the HTTP 404 error page
Version disclosure via Release-Notes.txt
Version disclosure via Changelog.html
Exploiting Tomcat
The Apache Tomcat JSP upload bypass vulnerability
Tomcat WAR shell upload (authenticated)
An introduction to Apache Struts
Understanding OGNL
OGNL expression injection
Testing for remote code execution via OGNL injection
Testing for blind remote code execution via OGNL injection
Testing for OGNL out-of-band injection
Struts 2 exploitation using Metasploit
Summary
Questions
Further reading
Penetration Testing on Technological Platforms - Jenkins
Technical requirements
Introduction to Jenkins
Jenkins terminology
The Stapler library
URL routing
Apache Groovy
Meta-programming
Abstract syntax tree
Pipeline
Jenkins reconnaissance and enumeration
Detecting Jenkins using favicon hashes
Detecting Jenkins using HTTP response headers
Jenkins enumeration using Metasploit
Exploiting Jenkins
Jenkins ACL bypass
Understanding Jenkins unauthenticated RCE
Summary
Questions
Further reading
Logical Bug Hunting
Web Application Fuzzing - Logical Bug Hunting
Technical requirements
What is fuzzing?
Fuzzing terminology
Fuzzing attack types
Application fuzzing
Protocol fuzzing
File-format fuzzing
Introduction to web app fuzzing
Fuzzer installation (Wfuzz)
Fuzzer installation (ffuf)
Identifying web application attack vectors
HTTP request verbs
Fuzzing HTTP methods/verbs using Wfuzz
Fuzzing HTTP methods/verbs using ffuf
Fuzzing HTTP methods/verbs using Burp Suite Intruder
HTTP request URIs
Fuzzing an HTTP request URI path using Wfuzz
Fuzzing an HTTP request URI path using ffuf
Fuzzing an HTTP request URI path using Burp Suite Intruder
Fuzzing HTTP request URI filenames and file extensions using Wfuzz
Fuzzing HTTP request URI filenames and file extensions using ffuf
Fuzzing HTTP request URI filenames and file extensions using Burp Suite Intruder
Fuzzing an HTTP request URI using Wfuzz (GET parameter + value)
Fuzzing an HTTP request URI using Burp Suite Intruder (GET parameter + value)
HTTP request headers
Fuzzing standard HTTP headers using Wfuzz, ffuf, and Burp Suite
Scenario 1 – Cookie header fuzzing
Scenario 2 – User-defined cookie header fuzzing
Fuzzing a custom header using Wfuzz, ffuf, and Burp Suite
Scenario 3 – Custom header fuzzing
Summary
Questions
Further reading
Writing Penetration Testing Reports
Technical requirements
Introduction to report writing 
Writing executive reports
Title page
Document version control
Table of contents
Objective
Defined scope
Key findings (impact)
Issue overview
Strategic recommendations
Writing detailed technical reports
Title page
Document version control
Table of contents
Report summary
Defined scope
Methodology used
CVSS
Vulnerability summary
Conclusion
Appendix
Introduction to Dradis Framework
Pre-installation configuration
Installation and setup
Getting started with Dradis
Importing third-party reports into Dradis
Defining the security testing methodology in Dradis
Organizing reports using Dradis
Exporting reports in Dradis
Working with Serpico 
Installation and setup
Getting started with Serpico
Importing data from Metasploit to Serpico
Importing third-party reports into Serpico 
User management in Serpico
Managing templates in Serpico
Generating reports in multiple formats
Summary
Questions
Further reading
Assessment
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
Chapter 15
Other Books You May Enjoy
Leave a review - let other readers know what you think
This section discusses the basics of web application testing. We will then move on to discuss the basics of Metasploit and later dive into the Metasploit Framework web interface.
This section contains the following chapters:
Chapter 1, Introduction to Web Application Penetration Testing
Chapter 2, Metasploit Essentials
Chapter 3, The Metasploit Web Interface
In today's world, there are automated tools and SaaS solutions that can test the security of a system or application. Automation often fails at a logical level when an application needs to be tested for business-logic flaws. It is important to learn how the penetration tester can help organizations stay a step ahead of cyber attacks and why the organization needs to follow a strict patch-management cycle to secure their assets.
In this book, you will learn how to perform a penetration test on web applications that are built on different platforms using the famous Metasploit framework. As most of us have heard about this tool and its importance in regular penetration tests, this book will be focused on how we can perform penetration testing on a variety of web applications, such as content management systems (CMSes) and content delivery and content integration systems (CD/CI), using the Metasploit framework. To learn more about the tools and techniques, we first need to understand the basics of penetration testing.
In this chapter, we will cover the following topics:
What is penetration testing?
Types of penetration testing
Stages of penetration testing
Important terminologies
Penetration testing methodologies
Common Weakness Enumeration (CWE)
Penetration testing, also known as pen testing, is an authorized attack on a computer system that is done to evaluate the security of the system/network. The test is performed to identify vulnerabilities and the risks they pose. A typical penetration test is a five-stage process that identifies the target systems, their vulnerabilities, and the exploitability of each vulnerability. The goal is to find as many vulnerabilities as possible and report back in a universally acceptable format for the client to understand. Let's look at the different types of penetration testing in the next section.
Depending upon the client's requirement, penetration tests can be categorized into three types:
White box
Black box
Gray box
We will discuss each of these in the following sections.
A white box penetration test, or a glass box or clear box penetration test, is a type of test in which the information and details regarding the target system, network, or application are fully shared by the client, such as the login credentials of the systems, the SSH/Telnet login for the network devices, and the application source code that needs to be tested. Since the information retrieved from the client regarding their system, network, or application is highly sensitive, it is recommended that you have all the information in an encrypted format.
A black box penetration test is an attacker-simulated test in which the penetration tester will act as a threat actor with no internal information regarding the targeted systems, networks, or applications. This type of testing really focuses on the first phase of penetration testing—reconnaissance. The more a pen tester can gain information about a target organization, the better the results will be. In this type of test, the pen tester is not provided with any architectural diagrams, layouts of the network, or any source code files.
A gray box penetration test is the halfway point between the white box and black box tests. In a typical gray box test, the pen tester is provided with some knowledge of the applications, systems, or networks. Because of its nature, this type of test is quite efficient and well suited to an organization that has a deadline in place. Using the information provided by the client, the pen tester can focus on the systems with greater risk and save a lot of time that would otherwise be spent performing their own recon.
Now that we have a clear understanding of the types of pen tests that can be done, let's look at the stages of a penetration test.
To have a better understanding of penetration testing, let's go through the stages of the process:
Stage 1: Reconnaissance
Stage 2: Enumeration
Stage 3: Vulnerability assessment and analysis
Stage 4: Exploitation (includes the post-exploitation period)
Stage 5: Reporting
This can be seen in the following diagram:
Each and every stage has its own set of tools and techniques that can be used to perform the testing efficiently.
Reconnaissance is the very first stage of performing a penetration test. In this stage, a pen tester will try to identify the system or application in question and find as much information as they can about it. This is the most crucial stage of testing as this step defines the attack surface. In white box testing, the recon may not be important because all the information regarding the in-scope target is already provided by the client.
The black box test heavily relies on this stage as no information is given to the tester. In the context of a web application penetration test, we will be focusing on identifying the technology used by the web application, the domain/subdomain information, the HTTP protocol recon and enumeration, and any other details that could help us increase our efficiency. The scope for the target and the goal are generally defined at this stage.
The following is the list of tools that can be used to perform recon on a web application:
Identifying applications running on a nonstandard port (user-defined custom ports): Amap, Nmap, and so on
Identifying the DNS and subdomains: dnsenum, dnsmap, dnswalk, dnsrecon, dnstracer, Fierce, dnscan, Sublist3r, and so on
Identifying technological platforms: BlindElephant, Wappalyzer, WhatWeb, and so on
Identifying content management systems: WPScan, Joomscan, CMScan, Drupscan, and so on
Now, let's look at enumeration.
In the enumeration stage, each and every application, system, or network identified in the previous stage (recon) will be scanned for different attack surfaces—for example, files and directory enumeration in the case of a web application, and ports and services in the case of a network device. This stage will help the tester to identify the attack vectors. An attack vector is a path or method by which an attacker (in this case, the pen tester) gains access to or penetrates the target system. The most common attack vectors are phishing emails, malware, and unpatched vulnerabilities.
A pen tester can perform file and directory enumeration, HTTP method enumerations, host enumeration, and a few other enumeration methods to find an insertion point where vulnerabilities might exist. In a white box test, this stage doesn't really play an important role as all the information and details are already given to the tester, but it doesn't mean that you should not go through with this stage. It's always a good practice to perform enumeration and scanning, even when all the details are provided. This will help the tester to find obsolete attack paths that are not supported by the application but may help the tester to penetrate the network.
This stage is very crucial for the black box and gray box test, as the pen tester has to work from whatever information was retrieved by performing reconnaissance on the target system or application. Enumeration can become a tedious process if done manually, so there are publicly available tools and some Metasploit modules that can be used to enumerate applications quickly.
The following is a list of tools that can be used to perform enumeration on a web application:
Files and directory enumeration: Dirsearch, dirb, dirbuster, Metasploit Framework, BurpSuite, gobuster, and so on
HTTP protocol supported methods enumeration: Nmap, BurpSuite, Metasploit Framework, wfuzz, and so on
Testing for rate limiting: BurpSuite, ffuf, wfuzz, and so on
Let's now look at vulnerability assessment.
Once we have identified an attack vector, we need to perform vulnerability scanning, which occurs in this stage of penetration testing. A vulnerability assessment is done on the web application to identify vulnerabilities in a web page, directory, HTTP protocol method, HTTP headers, and so on. The scanning can be done using publicly available tools or paid-for licensed tools. All types of testing—white box, black box, and gray box—rely heavily on this stage.
Once a vulnerability scan has been done, we need to assess and analyze each vulnerability that is found and then filter out the false positives. Filtering out the false positives helps the pen tester to work on the vulnerabilities that actually exist and not the ones that were flagged because of a response time delay or a scanner error. All the vulnerability filtration happens at this stage.
The following is the list of tools that can be used to perform vulnerability assessment and scanning on a web application:
System and network vulnerability assessment: Nessus, OpenVAS, and so on
Web application vulnerability assessment: Nikto, Acunetix, BurpSuite, Nessus, and so on
The exploitation stage is the second most crucial stage after the reconnaissance stage. This stage proves whether a certain vulnerability found in the previous stage is actually exploitable. A pen tester can judge the success of a penetration testing project by whether they can exploit the vulnerabilities that were found. Exploitation can be done automatically using certain tools, such as the Metasploit Framework and Canvas, but it needs care, because we don't know how a certain web application or system will behave when we use our payloads.
Generally, in all types of tests, we need to confirm from the client whether we are authorized to perform memory-based exploitation, such as exploiting buffer/heap overflows and running memory corruption exploits. The advantage of doing this is that we can have access to the target system by running a specific exploit (this only works if the target system is vulnerable to this specific exploit). The issue with using such exploits is that the system/server/web application may crash, which could cause a business continuity issue.
Once we have exploited a system or web application, we can either stop at that or we can perform post-exploitation work (if authorized by the client) to move inside the network (pivoting) and locate business-critical servers.
Please make sure that all the payloads, web shells, files, and scripts that were uploaded to the target system for exploitation are cleaned up after taking proper proof-of-concept (PoC) screenshots. This should be done at all times; otherwise, a genuine attacker can find the web shells and easily use them to attack the organization.
The reporting stage is the final stage of the penetration testing process and involves reporting each and every vulnerability found on the in-scope target. The reported vulnerabilities will be listed according to the severity level defined by the Common Vulnerability Scoring System (CVSS), which is a free and open standard for rating the severity of vulnerabilities.
As pen testers, we need to understand how important this stage really is for the client. All the work that has been done by the testers on the client system should be reported in a structured format. The report should include a short introduction to the test, the scope of work, the rules of engagement, a short and crisp summary, the vulnerabilities found, and the proof of concept for each vulnerability, along with recommendations, patching techniques, and reference links.
There are some publicly available tools, such as Serpico, Magic Tree, BurpSuite, and Acunetix that can be used to ease the process of reporting. As this is an important stage of pen testing, all the details that were found during the test should be included in the report.
We can provide two different kinds of report: an executive report for management and a technical report for the technical team in place. This could help both the management and the technical team of an organization to understand and fix the vulnerabilities found by the penetration testers.
Now that we are familiar with the standards, let's cover the important terminology that we will be using a lot in the upcoming chapters:
Vulnerability: A weakness in a system that may allow an attacker to gain unauthorized access to it.
Spoofing: A situation where an individual or program successfully masks data as something else in order to obtain an unlawful advantage.
Exploit: A piece of code, a program, a method, or a sequence of commands that takes advantage of a vulnerability to gain unauthorized access to a system/application.
Payload: The actual code that is executed on the system after/during exploitation to perform the desired task.
Risk: Anything that can affect the confidentiality, integrity, and availability of data. Unpatched software, misconfigured servers, unsafe internet surfing habits, and so on all contribute to risk.
Threat: Anything that may have the potential to cause serious harm to a computer system, network, or application.
Black box: A method of testing during which the tester has no information about the internal structure or functioning of a system.
White box: A method of testing during which the tester has complete knowledge of the internal structure and functioning of a system.
