Book Image

Kali Linux Web Penetration Testing Cookbook - Second Edition

By : Gilberto Najera-Gutierrez
Book Image

Kali Linux Web Penetration Testing Cookbook - Second Edition

By: Gilberto Najera-Gutierrez

Overview of this book

Web applications are a huge point of attack for malicious hackers and a critical area for security professionals and penetration testers to lock down and secure. Kali Linux is a Linux-based penetration testing platform that provides a broad array of testing tools, many of which can be used to execute web penetration testing. Kali Linux Web Penetration Testing Cookbook gives you the skills you need to cover every stage of a penetration test – from gathering information about the system and application, to identifying vulnerabilities through manual testing. You will also cover the use of vulnerability scanners and look at basic and advanced exploitation techniques that may lead to a full system compromise. You will start by setting up a testing laboratory, exploring the latest features of tools included in Kali Linux and performing a wide range of tasks with OWASP ZAP, Burp Suite and other web proxies and security testing tools. As you make your way through the book, you will learn how to use automated scanners to find security ?aws in web applications and understand how to bypass basic security controls. In the concluding chapters, you will look at what you have learned in the context of the Open Web Application Security Project (OWASP) and the top 10 web application vulnerabilities you are most likely to encounter, equipping you with the ability to combat them effectively. By the end of this book, you will have acquired the skills you need to identify, exploit, and prevent web application vulnerabilities.
Table of Contents (12 chapters)

Configuring virtual machines for correct communication

To be able to communicate with our virtual server and client, we need to be in the same network segment; however, having virtual machines with known vulnerabilities in our local network may pose an important security risk. To avoid this risk, we will perform a special configuration in VirtualBox to allow us to communicate with both server and client virtual machines from our Kali Linux host without exposing them to the network.

Getting ready

Before we proceed, open VirtualBox and make sure that the vulnerable server and client virtual machines are turned off.

How to do it...

VirtualBox creates virtual network adapters in the base system in order to manage DHCP and virtual networks. These adapters are independent from the ones assigned to virtual machines; we will create a virtual network and add the Kali and vulnerable virtual machines to it by using the following steps:

  1. In VirtualBox, navigate to File | Preferences... | Network.
  2. Select the Host-only Networks tab.
  3. Click on the plus (+) button to add a new network.
  4. The new network (vboxnet0) will be created and its details window will pop up.
  5. In this dialog box, you can specify the network configuration; if it doesn't interfere with your local network configuration, leave it as it is. You may change it and use some other address in the segments reserved for local networks (,,
  6. Now, go to the DHCP Server tab; here, we can configure the dynamic IP address assignation in the host-only network. We'll start our dynamic addressing at
  1. After proper configuration is done, click OK.
  2. The next step is to configure the vulnerable virtual machine (vm_1). Select it and go to its Settings.
  1. Click Network and, in the Attached to: drop-down menu, select Host-only Adapter.
  2. In Name, select vboxnet0.
  3. Click OK.
  4. Follow steps 8 to 11 for the Kali virtual machine (Kali Linux 2018.1) and all of the testing machines you want to include in your lab.
  5. After configuring all virtual machines, let's test whether they can actually communicate. Let's see the network configuration of our Kali machine; open a Terminal and type:
  1. We can see that we have a network adapter called eth0 and it has the IP address Depending on the configuration you used, this may vary.
  2. For vm_1, the network address is displayed on the start screen, although you can also check the information by logging in and using ifconfig:
  1. Now, we have the IP addresses of our three machines: for Kali Linux, and for the vulnerable vm_1. Let's test the communication; we are going to ping vm_ 1 from our Kali Linux:
Ping sends an ICMP request to the destination and waits for the reply; this is useful to test whether communication is possible between two nodes in the network.
  1. We do the same to and from all of the virtual machines in our laboratory to check whether they can communicate with each other.
  2. Windows desktop systems, like Windows 7 and Windows 10, may not respond to pings; that's normal because Windows 7 is configured by default to not respond to ping requests. To check connectivity in this case, if you have Windows machines in your lab, you can use arping from the Kali machine:
arping -c 4

How it works...

A host-only network is a virtual network that acts as a LAN, but its reach is limited to the host that is running the virtual machines without exposing them to external systems. This kind of network also provides a virtual adapter for the host to communicate with the virtual machines as if they were in the same network segment.

With the configuration we just made, we will be able to communicate between the machine that will take the roles of client and attacking machine in our tests and the web server that will host our target applications.