Overview
This blog post will provide a short guide on getting started in ethical hacking of web applications and network services. There is already a lot of information on the internet which will be referenced for more detailed tutorials on the topics and tools discussed below.
If at any point you find yourself unaware of terminology used, Google is your friend. Don’t just copy-and-paste code/commands – do research to understand exactly what you are doing.
It should go without saying that it is illegal to attempt to hack anything without permission from the owner. Get that permission in writing and stay within the scope it describes; the practice targets listed at the end of this post exist so that you have something you are allowed to attack.
Installing VirtualBox on Windows
In order to easily get started, it is recommended to use Kali Linux: an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments. Kali comes pre-installed with most of the tools you will require when testing web application security.
To run Kali from within Windows, VirtualBox can be used. VirtualBox creates a virtual environment in which additional operating systems can run. It can be downloaded from here. Installing VirtualBox is not rocket science: just double-click on the downloaded .exe file and follow the instructions on the screen, like installing any regular software on Windows. If the virtual machine later refuses to start, check that hardware virtualisation (Intel VT-x or AMD-V) is enabled in your BIOS/UEFI settings, as it is sometimes switched off by default.
Install Kali Linux in VirtualBox
A detailed, step-by-step guide on downloading and installing Kali can be found here.
If you’ve never used a Linux distribution before, I recommend that you familiarise yourself with the terminal. An intro tutorial can be found here.
Using the tools
Kali comes pre-installed with a lot of tools. Below are several of the most important ones to get you started with ethical hacking.
Nmap:
Nmap is a powerful network scanning tool. It will allow you to identify live hosts and the open ports on them. The Nmap project runs a host which you are explicitly allowed to scan, scanme.nmap.org, so by running nmap scanme.nmap.org in your Kali terminal you should see a list of open ports on the host. Note that by default nmap only checks the 1000 most common TCP ports; add -p- to scan all 65535 of them.
Running nmap --help will give you a list of optional flags which can be used to enhance your scan. The -sV flag attempts to determine the service and version running on each open port, so running nmap -sV scanme.nmap.org will show additional information associated with the ports. That version information is what you will later search for known vulnerabilities. More info regarding the tool can be found here.
BurpSuite:
Burp is a powerful tool for testing web application security. It allows you to intercept, inspect and modify the traffic between your browser and the application server. To get started intercepting requests, launch BurpSuite and configure your browser to send its traffic through the proxy listening on http://127.0.0.1:8080/. If you have done this successfully you will see Burp holding the requests from the browser in the “Proxy” tab (Intercept is switched on by default, so the page will not load until you forward or drop each request). To intercept HTTPS sites as well, you also need to install Burp's CA certificate in your browser, otherwise you will get certificate warnings. An in-depth intro to BurpSuite can be found here.
Dirb:
While testing web application security, it is sometimes necessary to find pages/directories which are not reachable by navigating the website. Perhaps there is an administration page which has no link from the site, but the admins know to go to the /admin endpoint to log in. dirb finds such pages by requesting every entry in a wordlist against the target and reporting the ones the server answers for (a 200, a redirect or a 403 all mean something is there). Be aware that this generates a lot of requests and is easy to spot in server logs. Instructions on using dirb can be found here.
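To make the idea concrete, here is a small dirb-style directory brute forcer, written for this post as an added example (it is not dirb's code and not part of the original article). Because nothing on the internet may be scanned without permission, the script starts its own fake target on localhost: the paths /admin, /images and /secret and the wordlist are constructed for the example, and every other path returns a 404.

```python
import http.client
import http.server
import threading

# Constructed wordlist for the example. Real dirb wordlists
# (e.g. /usr/share/dirb/wordlists/common.txt on Kali) hold thousands of entries.
WORDLIST = ["admin", "backup", "images", "login", "robots.txt", "secret", "uploads"]

# Paths the fake target "knows about" and the status it answers with.
# Constructed for this example; everything else gets a 404.
TARGET_PATHS = {
    "/admin": 200,   # the unlinked admin login page from the text
    "/images": 301,  # a directory: the server redirects to /images/
    "/secret": 403,  # exists, but access is forbidden
}


class FakeTarget(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the web server under test."""

    def do_GET(self):
        status = TARGET_PATHS.get(self.path, 404)
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the fake server quiet


def start_fake_target():
    """Start the fake target on a free localhost port; returns (server, port)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), FakeTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(host, port, path, timeout=5):
    """Request one path and return the HTTP status code (redirects are not followed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


# Status codes that mean "something is there": 200 content, 301/302 a directory
# or redirect, 401/403 a resource that exists but is protected.
INTERESTING = {200, 301, 302, 401, 403}


def enumerate_paths(host, port, words):
    """dirb-style brute force: try every word as a path, keep the interesting hits."""
    hits = {}
    for word in words:
        path = "/" + word
        status = probe(host, port, path)
        if status in INTERESTING:
            hits[path] = status
    return hits


if __name__ == "__main__":
    server, port = start_fake_target()
    for path, status in enumerate_paths("127.0.0.1", port, WORDLIST).items():
        print(f"+ http://127.0.0.1:{port}{path} (CODE:{status})")
    server.shutdown()
```

Two caveats carry over to the real tool: some sites answer 200 for every path (a "soft 404"), in which case you have to compare response sizes or content rather than status codes, and a 403 is still a finding, since it proves the resource exists even though you cannot read it yet.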
The above tools are purely recommendations and there are many alternatives you may prefer to use.
Finding Vulnerabilities
Now that you have an understanding of how to use some of the tools, it’s time to learn what types of vulnerabilities you can find using them.
Generally, when looking for vulnerabilities you should start by mapping the attack surface, which means finding all the exposed services/ports using an nmap scan. The steps that follow depend on what services are exposed. You will often find web services running on port 80 and/or 443 (although they may be on other ports too, such as 8080 or 8443). Web applications are a common place to find the vulnerability which gives you a foothold on the target network.
The OWASP Top 10 is a list of the most critical and most commonly found web application security risks – it can be viewed here. The OWASP website contains great explanations/examples of these vulnerabilities and how to find and exploit them.
When dealing with other services (SSH, FTP, SMB, SNMP, etc.), the enumeration and exploitation will differ depending on the OS, version and configuration. Here it is important to understand the services which you are enumerating. The server may be hosting an FTP service which allows anonymous login, or a version of SSH with known vulnerabilities. Try to gain as much information as you can from every service (banners, version numbers, default accounts) and don't be afraid to google for ways in which that particular version may be vulnerable.
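The simplest way to get the version information the paragraph above talks about is banner grabbing: connect to the port and read what the service says. The script below does that for three service styles and parses the result. It is an added example for this post, not the code of any tool; the SSH, FTP and HTTP banners and the fake listeners are constructed so that it runs entirely on localhost, and the regular expressions cover only a handful of common products (assumed to be enough for the example).

```python
import re
import socket
import threading

# Constructed banners in the formats the real services use; none of these
# come from a real host.
SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
FTP_BANNER = b"220 (vsFTPd 3.0.3)\r\n"
HTTP_REPLY = b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"

# Probe for services that wait for the client to speak first.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"


def start_fake_service(reply, wait_for_client=False):
    """Stand-in for a service on 127.0.0.1; returns the port it listens on.
    SSH, FTP and SMTP send a banner as soon as you connect; HTTP says nothing
    until it receives a request, which wait_for_client=True models."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if wait_for_client:
            conn.recv(1024)
        conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, probe=None, timeout=3.0):
    """Connect, optionally send a probe, and return whatever the service says first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(4096).decode("ascii", "replace")
        except socket.timeout:
            return ""  # silent service: try a protocol-specific probe instead


# Patterns for a few banner formats: SSH (RFC 4253 "SSH-proto-software"),
# FTP greetings that embed the daemon name, and the HTTP Server header.
BANNER_PATTERNS = {
    "ssh": re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\w.]+)?"),
    "ftp": re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD|Pure-FTPd|FileZilla)\s*v?(?P<version>[\d.]+)", re.I),
    "http": re.compile(r"^Server:\s*(?P<product>[\w-]+)/(?P<version>[\w.]+)", re.I | re.M),
}


def identify(banner):
    """Map a raw banner to service, product and version; None fields when unknown."""
    for service, pattern in BANNER_PATTERNS.items():
        m = pattern.search(banner)
        if m:
            return {"service": service, "product": m.group("product"), "version": m.group("version")}
    return {"service": "unknown", "product": None, "version": None}


if __name__ == "__main__":
    for name, reply, probe in [("ssh", SSH_BANNER, None), ("ftp", FTP_BANNER, None), ("http", HTTP_REPLY, HTTP_PROBE)]:
        port = start_fake_service(reply, wait_for_client=probe is not None)
        print(name, port, identify(grab_banner("127.0.0.1", port, probe)))
```

The product and version strings this returns are what you search for next (vendor advisories, searchsploit on Kali, or plain googling). Keep in mind that banners can be changed by the administrator, so treat them as a lead rather than proof of the version actually running.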
Practice
To begin practising your ethical hacking, there are a number of vulnerable web applications and servers freely available.
Web Apps
A list of vulnerable web apps can be found here.
Servers
OverTheWire hosts a number of wargames, ranging in difficulty; Bandit is the usual starting point and also teaches the Linux terminal along the way.
VulnHub contains many vulnerable boxes/machines which you can download and practise your hacking. You may want to begin with the RickdiculouslyEasy box.
It is recommended to try to hack these boxes yourself, although if you do get stuck there are write-ups online which can assist you. Following along with a good write-up should teach you how a hacker thinks when enumerating and exploiting machines.
Reverse Engineering
Reverse Engineering for Beginners
Miscellaneous
Some additional tools and terminology to familiarise yourself with:
- Proxies
- VPNs
- Ports
- Services
- SSH
- FTP
- HTTP
- API