CHAPTER 1
INTRODUCTION
Web Based Penetration Testing provides a user-friendly way of doing penetration testing on a system. It is a web interface for many popular command line tools, nicely arranged and categorized to make penetration testing easier than before. It is a web based application developed in PHP.
1.1 PURPOSE
The aim of the project is to automate penetration testing and reduce the time professional penetration testers spend memorizing and typing various commands and their options again and again during the course of a penetration test. The tool can also be used for educational purposes. As an IT professional, a student must know about the different types of attacks, scanning networks, gathering information about a system, exploiting a remote system, etc. There are thousands of tools (most of them command line tools) available for these purposes. Installing these tools requires deep knowledge, and using them also requires experience with the Linux OS and the command line. So this web based framework can be hosted on a server (which has all the dependencies installed) and used by students to learn the basics of penetration testing.
1.2 PROJECT SCOPE
The user will be presented with a user-friendly interface with all the tools categorized according to their functionality.
- Scans a network/system for different types of vulnerabilities; detects firewalls, load balancing, open ports, target location, web server, outdated files, etc.
- Explores different types of CMS such as WordPress, Drupal and Joomla by enumerating users, listing directories, detecting service versions, etc.
- Extracts information related to DNS and IP addresses, extracts links and checks the validity of links on a web page, and much more.
- Provides information about email accounts, user names and host-names/sub-domains from different public search engines and PGP key servers.
- Provides an interface to use various Google dorks, such as searching a website for configuration files, SQL errors, log files, php info, back-up and old files, etc.
- Helps in collecting various information about a domain, such as domain popularity with Google, domain age, Alexa and Google rank, number of back-links, etc.
- Generates and tests domain typos, investigates an IP through various web tools, checks whether a domain is in a blacklist or not.
- Generates undetectable (bypasses most of the anti-virus products) Metasploit payloads for Windows, Linux, Apple OS, Android OS and for exploiting websites (ASP, PHP, JSP), and much more.
- Users can see a tool description for each tool in the web page for help.
1.3 CHAPTER WISE SUMMARY
Chapter 2 deals with the analysis of the use case diagram used in the project and describes the hardware and software requirements of the project. Chapter 3 deals with the fabrication of the web application, with a module-wise explanation of the significant functions. Chapter 4 explains how the system is implemented and the various functions used, along with testing. Chapter 5 gives a conclusive assertion of the uses of this system and also discusses the future scope.
CHAPTER 2
SYSTEM ANALYSIS
This chapter deals with the analysis of the architecture of the system and the use case and sequence diagrams used in the project, and describes the hardware and software requirements of the project.
2.1 DETAILED STUDY AND ANALYSIS
The web based penetration testing lab is a web interface for many popular command line tools, nicely arranged and categorized to make penetration testing easier than before. It is a web based application developed in PHP.
The front-end tier has web pages which interact with users to provide information and functionality for different user roles. PHP is used for executing Linux commands from the web pages. Apache is used as the web server and Linux is used as the working environment.
[Fig.2.1 Product Perspective: Web Browser -> Web Pages (Front End: HTML, CSS, JavaScript) -> Server Side Scripting (PHP) -> Linux Distribution (Debian based OS preferable)]
2.2 PRODUCT FUNCTIONALITIES
The various functionalities of the proposed system and their interaction are described briefly in this section. The user will be allowed to perform the following actions.
- Scans a network/system for different types of vulnerabilities; detects firewalls, load balancing, open ports, target location, web server, outdated files, etc.
- Explores different types of CMS such as WordPress, Drupal and Joomla by enumerating users, listing directories, detecting service versions, etc.
- Extracts information related to DNS and IP addresses, extracts links and checks the validity of links on a web page, and much more.
- Provides information about email accounts, user names and host-names/sub-domains from different public search engines and PGP key servers.
- Provides an interface to use various Google dorks, such as searching a website for configuration files, SQL errors, log files, php info, back-up and old files, etc.
- Helps in collecting various information about a domain, such as domain popularity with Google, domain age, Alexa and Google rank, number of back-links, etc.
- Generates and tests domain typos, investigates an IP through various web tools, checks whether a domain is in a blacklist or not.
- Generates undetectable (bypasses most of the anti-virus products) Metasploit payloads for Windows, Linux, Apple OS, Android OS and for exploiting websites (ASP, PHP, JSP), and much more.
- Helps in back-dooring exe files, Debian packages and PDFs by asking the user to upload a file and adding a payload to the uploaded file.
- Helps in generating a PHP backdoor using weevely, a powerful framework written in PHP for defacing a vulnerable website.
- Users can see a tool description for each tool in the web page for help.
2.3 USER CHARACTERISTICS
The user must have knowledge of the basics of computer science. The user must know about the internet, browsers, operating systems and other basic computer related concepts. The user must be willing to learn the basics of penetration testing. Previous experience with penetration testing is not mandatory; however, knowledge of the concepts can help in understanding penetration testing through practical experience.
2.4 CONSTRAINTS
- The GUI is only in English.
- The server computer must be running Linux with all the dependencies installed.
- The client computer/user computer can run any operating system.
- The user's OS must have a modern web browser with JavaScript support.
CHAPTER 3
SYSTEM DESIGN
This chapter deals with the fabrication of the web application, with a module-wise explanation of the significant functions.
3.1 ARCHITECTURE OVERVIEW
The web based penetration testing lab follows a simple web based structure for better functionality with less complication.
The front-end tier has web pages which interact with users to provide information and functionality.
PHP is used to interact with the operating system to execute system commands and to display the result on the web page. Linux is used as the working environment.
The user opens the web based penetration testing lab in a web browser and selects a module; the interface asks for the required information through HTML forms. Once the user submits the information, it is validated by a PHP script, and the commands related to the user's query are executed by PHP, either through interaction with the OS or through PHP itself, according to the query. Once execution starts, results are displayed line by line.
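As an added example (not the project's own code), the validate-then-execute-then-stream flow described above written in PHP: the form field name "target" and the fixed tool (ping) are assumptions. The point a reviewer would check is that user input only ever reaches the shell as a single quoted argument after passing an allowlist.

```php
<?php
// Added example, not the project's code: a minimal handler in the style of
// the architecture described above. The target from the HTML form is
// validated against an allowlist, the command is built with escapeshellarg()
// so user input can never be interpreted by the shell, and the tool's output
// is streamed to the browser line by line as it is produced.
declare(strict_types=1);

/**
 * Accept only an IPv4 address or a hostname (letters, digits, hyphens,
 * dots); anything else is rejected. Labels may not start with a hyphen,
 * so the value can also never be mistaken for a command line option.
 */
function validateTarget(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 253) {
        return null;
    }
    if (filter_var($input, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $input;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (preg_match("/^(?:{$label}\\.)*{$label}$/i", $input) === 1) {
        return $input;
    }
    return null;
}

/**
 * Run a fixed tool (argv[0]) with validated arguments and emit each output
 * line, HTML-escaped, as soon as it arrives. Returns the exit status.
 */
function runAndStream(array $argv): int
{
    // Every element is quoted; the tool name is a constant chosen by the
    // page, never by the user. stderr is merged so errors are shown too.
    $cmd = implode(' ', array_map('escapeshellarg', $argv)) . ' 2>&1';
    $pipes = [];
    $proc = proc_open($cmd, [0 => ['pipe', 'r'], 1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[0]);
    while (($line = fgets($pipes[1])) !== false) {
        echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), "<br>\n";
        flush();                       // push the line out immediately
    }
    fclose($pipes[1]);
    return proc_close($proc);
}

// Entry point behind the form (field name "target" is an assumption).
// The unsafe pattern this replaces, which lets a submitted value such as
// "host; <anything>" run extra commands, would be:
//   shell_exec('ping -c 4 ' . $_POST['target']);
while (ob_get_level() > 0) {
    ob_end_flush();                    // disable buffering for streaming
}
$target = validateTarget($_POST['target'] ?? '');
if ($target === null) {
    http_response_code(400);
    echo 'Invalid target: expected a hostname or an IPv4 address.';
    exit(1);
}
exit(runAndStream(['ping', '-c', '4', $target]));
```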
Fig.3.1 Architecture Diagram
3.2 SYSTEM DESIGN
This section outlines the use cases for the user interacting with each module separately. The main users in this project are people who want to do penetration testing.
3.2.1 Scanner Use Case
Fig. 3.2 Scanner Use Case
Scanner: User can choose a sub-module in the Scanner module as per his/her requirement.
- URL Fuzzer: Directory check, file check, dynamic tests, static tests, web server information, blind SQL injection, etc.
- Nmap Scanner Menu: User scans a target for OS fingerprinting, open TCP and UDP ports, service version detection, etc.
- Web Scanner: User scans a target for dangerous files, SSL check, load-balancing detection, detecting the application at a given port, etc.
- Web Vulnerability Scanner: User scans a target to perform various tests such as directory check, file check, dynamic tests, static tests, stress tests, etc.
- Ping Sweep: User finds out which hosts are alive in a network.
3.2.2 CMS-Explorer Use Case
Fig. 3.3 CMS-Explorer Use Case
CMS-Explorer: User can choose a sub-module in the CMS-Explorer module as per his/her requirement.
- WordPress Scan: User scans a WordPress site to enumerate users, installed plugins and installed TimThumbs, detect the CMS version, etc.
- Joomla Scan: User scans a Joomla site to find vulnerabilities, get the geo-location and detect the Joomla version running.
- Drupal Scan: User scans a Drupal site to find vulnerabilities, enumerate modules, get the geo-location and detect the Drupal version running.
- Detect CMS Version: User performs a BlindElephant scan on the given target in order to detect the target's CMS version.
3.2.3 Network Tools Use Case
Fig. 3.4 Network Tools Use Case
Network Tools: User can choose a sub-module in the Network Tools module as per his/her requirement.
- DNS Queries: User chooses to perform various types of DNS related enquiry on a host/domain.
- IP Tools: User chooses to perform various types of IP related enquiry on a host/domain, such as reverse IP look-up, port check, etc.
- Web Tools: User chooses to get HTTP header information, dump all the links on a web page and check the validity of links on a web page.
- Network Tests: User performs simple network tests such as a ping test, traceroute, etc.
3.2.4 Information Gathering Use Case
Fig. 3.5 Information Gathering Use Case
Information Gathering: User can choose a sub-module in this module as per his/her requirement.
- Info Gathering: User chooses to perform any of the following: retrieve NetBIOS state, live host identification, enumerate all host-names which Bing has indexed for an IP address, search for possible email addresses, etc.
- The Harvester: User chooses to get information about e-mail accounts, user names and host-names/sub-domains from different public sources like search engines and PGP key servers.
- Google Hacking: A collection of Google dorks very useful for gathering information about the user's target.
3.2.5 Domain Tools Use Case
Fig. 3.6 Domain Tools Use Case
Domain Tools: User can choose a sub-module in this module as per his/her requirement.
- Domain Info: User chooses to perform any of the following: check domain availability, check page rank by Google, check domain age, get Alexa rank and back links, find sub-domains, whois look-up, etc.
- Domain Tool: User chooses to perform any of the following: generate and test domain typos, generate and show invalid domain types, perform a whois lookup on the domain name of a host, investigate an IP through various web based tools, etc.
3.2.6 Payload Generator Use Case
Fig. 3.7 Payload Generator Use Case
Payload Generator: User can choose a sub-module in this module as per his/her requirement.
- Windows OS: User uses the interface to generate a Metasploit payload that bypasses most of the popular anti-virus products like Avast, McAfee, Avira, etc. User can choose the size of the payload.
- Other OS: User uses this module to generate payloads for different operating systems like Linux distributions, Apple OSX and Android OS.
- Java Payload: User uses this module to generate a Java .jar payload which can be used to affect any OS, as Java is platform independent. It can affect Windows/Mac/Linux/Android OS and all other platforms which support Java.
- Web Shell: User uses this module to generate web shells for ASP, PHP and JSP.
3.2.7 Exploits Use Case
Fig. 3.8 Exploits Use Case
Exploits: User can choose a sub-module in this module as per his/her requirement.
- Package.deb Back-door: This tool generates a Debian package encoded with a Metasploit payload.
- Back-dooring exe: User uploads an exe file and this tool inserts the chosen payload in the original exe file.
- PDF Back-door: User uploads a PDF file and this tool inserts the chosen payload in the original PDF file. It can affect the system if opened with Adobe Reader. Affected systems: Adobe PDF Reader.
3.3 USE CASE ANALYSIS
Use case diagrams are used to gather the requirements of a system, including internal and external influences. These requirements are mostly design requirements. So when a system is analyzed to gather its functionalities, use cases are prepared and actors are identified. The purpose of a use case diagram is to capture the dynamic aspect of a system, but this definition is too generic to describe the purpose. A use case is a list of steps, typically defining interactions between a role (known in UML as an "actor") and a system, to achieve a goal. The actor can be a human or an external system. The purposes of use case diagrams can be as follows:
1. Used to gather requirements of a system.
2. Used to get an outside view of a system.
3. Identify external factors influencing the system.
4. Identify internal factors influencing the system.
5. Show the interaction among the requirements and actors.
UML Use Case Diagrams can be used to describe the functionality of a system in a horizontal way. That is, rather than merely representing the details of individual features of your system, UCDs can be used to show all of its available functionality. It is important to note, though, that UCDs are fundamentally different from sequence diagrams or flow charts because they do not make any attempt to represent the order or number of times that the system's actions and sub-actions should be executed.
Use Case Diagrams are behavior diagrams used to describe a set of actions (use cases) that some system or systems (subject) should or can perform in collaboration with one or more users external to the system (actors). Each use case should provide some observable and valuable result to the actors or other stakeholders of the system. Use case diagrams are in fact twofold: they are both behavior diagrams (because they describe the behavior of the system) and structure diagrams, as a special case of class diagrams where classifiers are restricted to be either actors or use cases related by association.
Use case diagrams are considered for high level requirement analysis of a system. So when the requirements of a system are analyzed, the functionalities are captured in use cases. We can therefore say that use cases are nothing but the system functionalities written in an organized manner. The second thing relevant to use cases is the actors. Actors can be defined as something that interacts with the system.
Fig.3.9 Use Case Diagram for the overall System
3.4 SEQUENCE DIAGRAM
The sequence diagram is used primarily to show the interactions between objects in
the sequential order that those interactions occur. Much like the class diagram, developers
typically think sequence diagrams were meant exclusively for them. The main purpose of a
sequence diagram is to define event sequences that result in some desired outcome. The focus
is less on messages themselves and more on the order in which messages occur; nevertheless,
most sequence diagrams will communicate what messages are sent between a system's
objects as well as the order in which they occur. The diagram conveys this information along
the horizontal and vertical dimensions: the vertical dimension shows, top down, the time
sequence of messages/calls as they occur, and the horizontal dimension shows, left to right,
the object instances that the messages are sent to.
A sequence diagram shows object interactions arranged in time sequence. It depicts the objects and classes involved in the scenario and the sequence of messages exchanged between the objects needed to carry out the functionality of the scenario. Sequence diagrams are typically associated with use case realizations in the Logical View of the system under development. Sequence diagrams are sometimes called event diagrams or event scenarios.
Activation boxes, or method-call boxes, are opaque rectangles drawn on top of lifelines to represent that processes are being performed in response to the message (Execution Specifications in UML). Objects calling methods on themselves use messages and add new activation boxes on top of any others to indicate a further level of processing. When an object is destroyed (removed from memory), an X is drawn on top of the lifeline, and the dashed line ceases to be drawn below it (this is not the case in the first example though). Destruction should be the result of a message, either from the object itself or from another. If a caller sends a synchronous message, it must wait until the message is done, such as when invoking a subroutine. If a caller sends an asynchronous message, it can continue processing and doesn't have to wait for a response. Asynchronous calls are present in multi-threaded applications and in message-oriented middleware.
A message sent from outside the diagram can be represented by a message originating
from a filled-in circle (found message in UML) or from a border of the sequence diagram
(gate in UML).
Beyond developers, an organization's business staff can find sequence diagrams useful to communicate how the business currently works by showing how various business objects interact. Besides documenting an organization's current affairs, a business-level sequence diagram can be used as a requirements document to communicate requirements for a future system implementation. During the requirements phase of a project, analysts can take use cases to the next level by providing a more formal level of refinement.
The sequence diagram is the most common kind of interaction diagram; it focuses on the message interchange between a number of lifelines.
Sequence diagram describes an interaction by focusing on the sequence of messages
that are exchanged, along with their corresponding occurrence specifications on the lifelines.
The following nodes and edges are typically drawn in a UML sequence diagram:
lifeline, execution specification, message, combined fragment, interaction use, state invariant,
continuation, destruction occurrence.
UML sequence diagrams model the flow of logic within your system in a visual manner, enabling you both to document and to validate your logic, and are commonly used for both analysis and design purposes. Sequence diagrams are the most popular UML artefact for dynamic modelling, which focuses on identifying the behaviour within your system.
Fig.3.10 Sequence Diagram
3.5 FLOW CHART DIAGRAM
A flow chart diagram is a graphical means of representing or presenting, describing,
or analyzing a process.
Fig.3.11 Flow Chart Diagram
3.6 REQUIREMENT SPECIFICATION
3.6.1 User Requirements
- A system that is user-friendly and intuitive.
- The system allows easy access to information.
- The system provides help related to the tools used in each module.
- The system categorizes the different tools in a module based on their functionalities.
3.6.2 Functional Requirements
- Anyone can use the system; registration is not required.
- The web browser should allow pop-ups.
- The system should be able to interact with the OS.
- The system should be able to provide an interface to retrieve the user's query.
- The system should be able to display the result.
- The system should conform to all the specifications mentioned in the Software Requirement Specification.
3.6.3 Non Functional Requirements
- The system should be efficient, reliable, and secure throughout.
- People with a computer science background, or interested in computer science with basic internet and OS knowledge, should be able to use the new system, and the system should be robust.
- The system should be easily modified to suit the user's changing demands and should be accessible from any operating system.
3.6.4 Software Requirements
- Front End (Interface): HTML, PHP, JavaScript
- Web Server: Apache
- Development Tool: NetBeans
- Operating System: Linux

Hardware and software requirements, client side and server side:

             | Client Side                                  | Server Side
Processor    | Intel Pentium 4 at 1 GHz                     | HS21 Xeon Dual Core 5160 3.0GHz/1333Mhz/4MB L2 or above
RAM          | 512 MB                                       | 512 MB and above
Space        | 1 GB                                         | 5 GB
Software     | Internet Explorer 8, Google Chrome, Mozilla  | Linux Distribution with LAMP and all the dependencies
             | Firefox or any modern web browser            | installed
CHAPTER 4
SYSTEM IMPLEMENTATION
Systems design naturally leads to another stage, closer to the actual deployment of the planned software. Since the design is already there, developers have an idea of what the software actually looks like. All they need is to put it all together to realize the intended software. Generally, implementation of the software is considered the actual creation of the software. Since the system design stage usually suggests that the interface, data and actual output are created, the implementation stage brings them all together.
To implement a system successfully, a large number of inter-related tasks need to be
carried out in an appropriate sequence. Utilizing a well-proven implementation methodology
and enlisting professional advice can help but often it is the number of tasks, poor planning
and inadequate resourcing that causes problems with an implementation project, rather than
any of the tasks being particularly difficult.
4.1 MODULE IMPLEMENTATION
4.1.1 Scanner
As many as 70% of web sites have vulnerabilities that could lead to the theft of
sensitive corporate data such as credit card information and customer lists.
Hackers are concentrating their efforts on web-based applications - shopping carts,
forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world,
insecure web applications provide easy access to back-end corporate databases.
Web application attacks, launched on port 80/443, go straight through the firewall,
past operating system and network level security, and right in to the heart of your application
and corporate data. Tailor-made web applications are often insufficiently tested, have
undiscovered vulnerabilities and are therefore easy prey for hackers.
The Scanner module of the web based penetration testing lab consists of various tools to scan a website or network for different possible vulnerabilities. These are some of the features of this module:
- Advanced and in-depth SQL injection and cross-site scripting testing
- Advanced penetration testing tools, such as nikto, nmap, xsser, fimap, fping, uniscan, etc.
- Port scans a web server and runs security checks against network services running on the server.
- Detects the target operating system and service versions, scans for TCP and UDP services, etc.
- GETs HTTP headers and displays the transaction; scans the web server for dangerous files, outdated versions, etc.
- WhatWeb scan, SSL check, check if a domain uses load balancing, web application firewall detection, detect the application at a given port.
- Performs directory check, file check, static tests, dynamic tests, web server information extraction, etc. for a target URL.
- Discovers which hosts are up within a range of IP addresses (ping sweep), identifies hosts.
4.1.2 CMS-Explorer Module
Using HTML, JavaScript and PHP, this module is designed to include the necessary labels, text-boxes, buttons, forms and other web components.
This module attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases, and scans WordPress, Drupal and Joomla sites for vulnerabilities.
The various sub-modules available in the CMS-Explorer module are:
WordPress Scan
WordPress is the world's leading content management system. This makes it a popular target for attackers.
Analysis of compromised WordPress installations shows that exploitation most often occurs due to simple configuration errors or through plug-ins and themes that have not had security fixes applied.
The WordPress Security Scanner tests the vulnerabilities of a WordPress installation. Checks include application security, WordPress plug-ins, hosting environment and web server. These are some of the features of this module:
- Detects the version of WordPress.
- Enumerates users.
- Enumerates installed plug-ins.
- Enumerates installed TimThumbs.
- Enumerates installed themes.
- WordPress pingback port scanner.
- Non-intrusive check, etc.
Joomla Scan
Joomla is one of the most popular open source content management systems and is a common target for attackers due to its popularity and the wide variety of extensions that are available. These Joomla security scans will test a site for security issues, configuration errors and poor reputation links so administrators can get to work mitigating the vulnerabilities before getting hacked.
These scans will test a Joomla installation for a number of common security issues,
vulnerable modules as well as perform web reputation analysis of sites that are being linked
and sites that are hosted on the same IP address.
- Determine if a Joomla installation is present.
- Detect the Joomla version running.
- Detect known exploits and security vulnerabilities.
- Joomla plug-in based firewall detection.
- Understand the security configuration of a Joomla install.
- Run an in-depth security test that includes plug-in and theme brute forcing with Joomscan.
- Get site geo-location and hosting info.
Drupal Scan
Drupal is one of the world's leading content management systems. It is used on a large number of high profile sites and is known for its security and extensibility. Perform a simple Drupal security test by filling out the form. This module will test the target website in a non-intrusive manner and display any discovered vulnerabilities or configuration errors.
This module acts as Security Scanner for Drupal installations to quickly identify
potential security issues, server reputation and other aspects of the web server.
- Detect the Drupal version running.
- Scan for vulnerabilities (enumerates the modules).
- Understand the security configuration of a Drupal install.
- Get site geo-location and hosting info.
Detect CMS Version (BlindElephant Scan)
A Blind Elephant scan will attempt to determine the version of content management
systems and other web scripts. This is useful when assessing the security of a given web site.
- Discover the version of 14 of the most popular types of content management system (CMS) and web application utilities.
- Determine if a known vulnerable application version is in use.
- Develop an understanding of an organization's website security maintenance and patching policies.
This scan is used to identify the version of a web application; the application may be a web forum, blog or phpMyAdmin. The important thing to note about these types of applications is that there are many publicly available exploits for different versions of them. An exploit in a single small web application can be the foothold that an attacker will capitalize on to get deeper access on the server and perhaps even the compromise of an entire organization.
So it is vitally important that web applications such as those assessed by the BlindElephant scan are kept up to date.
BlindElephant is a tool for fingerprinting your web application version. Security
vulnerabilities in well-known web applications are a common attack vector. Keeping your
web applications up to date can reduce your risk of being hacked significantly.
The BlindElephant Web Application Finger-printer will try to discover the version of
a web application by comparing static files against precomputed hashes for versions of those
files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic,
and fairly accurate.
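As an added illustration (not BlindElephant's own code) of the hash-comparison technique just described: a precomputed table of per-release file hashes is intersected file by file to find the versions consistent with the deployed copies, which is also how an administrator can confirm offline whether a known vulnerable release is still in use. The release contents, file paths and the deployed files below are constructed.

```php
<?php
// Added example, not BlindElephant's code: the core of static-file version
// fingerprinting. A table maps each known file path to the SHA-1 of that
// file in every release. Each deployed file that can be read narrows the
// candidate version set; files that are missing, or whose hash matches no
// release (locally modified), contribute no evidence. All data is constructed.
declare(strict_types=1);

/**
 * Build the lookup table from release file contents.
 * $releases : version => [path => contents]
 * returns   : path => [sha1 => [version, ...]]
 */
function buildHashTable(array $releases): array
{
    $table = [];
    foreach ($releases as $version => $files) {
        foreach ($files as $path => $body) {
            $table[$path][sha1($body)][] = $version;
        }
    }
    return $table;
}

/**
 * $table : path => [sha1 => [version, ...]]   (precomputed from releases)
 * $fetch : callable(string $path): ?string     (deployed contents, or null)
 * Returns the versions consistent with every file that yielded evidence;
 * an empty array means the evidence is contradictory or absent.
 */
function fingerprintVersion(array $table, callable $fetch): array
{
    $candidates = null;                       // null = no evidence yet
    foreach ($table as $path => $byHash) {
        $body = $fetch($path);
        if ($body === null) {
            continue;                         // file absent: no evidence
        }
        $matching = $byHash[sha1($body)] ?? [];
        if ($matching === []) {
            continue;                         // unknown hash: customised file
        }
        $candidates = $candidates === null
            ? $matching
            : array_values(array_intersect($candidates, $matching));
        if ($candidates === []) {
            break;                            // files from different releases
        }
    }
    return $candidates ?? [];
}

// Constructed releases of a fictional application. Note that 2.0 and 2.1
// share readme.txt and app.js, so only style.css can separate them.
$releases = [
    '1.0' => ['/readme.txt' => "App 1.0\n", '/js/app.js' => "var v=1;\n", '/css/style.css' => "body{}\n"],
    '2.0' => ['/readme.txt' => "App 2.0\n", '/js/app.js' => "var v=2;\n", '/css/style.css' => "body{}\n"],
    '2.1' => ['/readme.txt' => "App 2.0\n", '/js/app.js' => "var v=2;\n", '/css/style.css' => "body{margin:0}\n"],
];
$table = buildHashTable($releases);

// Constructed deployment: version 2.1 with readme.txt removed by the admin.
$deployed = ['/js/app.js' => "var v=2;\n", '/css/style.css' => "body{margin:0}\n"];
$result = fingerprintVersion($table, fn (string $p): ?string => $deployed[$p] ?? null);
echo 'Versions consistent with the deployed files: ', implode(', ', $result), "\n";
// app.js narrows to {2.0, 2.1}; style.css narrows to {2.1}.
```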
4.1.3 Network Tools Module
Using HTML and PHP, this module is designed to include the necessary labels, text-boxes, buttons, forms and other web components. The interface is developed in accordance with the previously discussed functionality of the Network Tools module.
Find IP and DNS information quickly with this information gathering tool. Easy access to this tool complements the in-depth vulnerability scanners.
The various options available in this module are:
DNS Queries
By its nature, external facing DNS is an open and public service; while the information is openly available, you should be aware of what information is being revealed. Security penetration testers and attackers will use information collected from DNS to expand their knowledge of an organization's information technology infrastructure and from that knowledge begin to understand the attack surface.
For example, the SPF records that an organization can publish in order to improve
email security can also reveal the IP addresses or host-names of systems with the ability to
send email. These services can all then become targets to be assessed and attacked.
- DNS Lookup
- Reverse DNS Lookup
- Whois Lookup
- MX Lookup
- DNS Zone Transfer
- Find the Start of Authority (SOA) record in a zone file
- Brute Force DNS
- Trace a chain of DNS servers to the source
IP Tools
A web server can be configured to serve multiple virtual hosts from a single IP address. This is a common technique in shared hosting environments in particular. However, it is also common in many organizations and can be an excellent way to expand the attack surface when going after a web server.
IP geolocation involves attempting to find the location of an IP address in the real world. Because IP addresses are assigned to organizations and these associations are ever changing, it can be difficult to determine exactly where in the world an IP address is located. The user can perform the following operations with this tool:
- IP Geo Location
- Reverse IP Lookup
- Port Check
Web Tools
This sub-module can be used for extracting header information, dumping all the links of a website and checking the validity of the links on a web page.
This module can perform the following operations:
- Get HTTP header
- Extract links from a web page
- Check the validity of a website's links
Network Tests
Perform an IP trace with mtr, an advanced traceroute tool that uses multiple ICMP pings to test the connectivity to each hop across the Internet.
A ping test is used to determine the connectivity and latency of Internet connected hosts.
The user can perform the following actions with this tool:
- Traceroute
- Ping the target to check its availability
- Nping, another utility like ping
- ICMP monitoring using fping
4.1.4 Information Gathering
Using HTML and PHP, the Information Gathering module is designed to include the necessary labels, text-boxes, buttons, forms and other web components. The interface is developed in accordance with the previously discussed functionality of the Information Gathering module.
The various options available in this module are:
Information Gathering
The information gathering steps of foot printing and scanning are of utmost
importance. Good information gathering can make the difference between a successful
penetration test and one that has failed to provide maximum benefit to the client. We can say
that Information is a weapon, a successful penetration testing and a hacking process need a
lots of relevant information that is why, information gathering so called foot printing is the
29
first step of hacking. So, gathering valid login names and emails are one of the most
important parts for penetration testing. We can use these to profile our target, brute force
authentication systems, send client-side attacks (through phishing), look through social
networks for juicy info on platforms and technologies, etc.
Retrieve NetBIOS State
Live Host Identification
Retrieve netcraft.com information on host
Search for possible email address
Enumerating all host-names which Bing has indexed for IP address
Search URL for Data
(MD5, MySQL, Wordpress, Domain, URL, IPv4, IPv6, SSN, EMAIL, CCN, Twitter, DOC, EXE, ZIP, IMG)
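Searching a URL's content for the data types listed above is regular-expression matching, and the part that makes it usable is the validation that follows the match: an IPv4 pattern also matches 999.1.2.3, and a card-number pattern matches any 16 digits. The following is an added example of that extract-then-validate step, not the project's code; the sample text is constructed (the hash is the well-known MD5 of "password").

```python
"""Extract e-mail, IPv4, MD5 and card-number indicators and validate them (added example)."""
import ipaddress
import re

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "ccn": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13-19 digits, spaces/dashes allowed
}

# Constructed sample input.
SAMPLE_TEXT = """
Contact admin@example.test or webmaster@example.test.
Leaked hash: 5f4dcc3b5aa765d61d8327deb882cf99
Hosts: 192.0.2.10, 203.0.113.7, and bogus 999.1.2.3
Card on file: 4111 1111 1111 1111, not a card: 1234 5678 9012 3456
"""


def luhn_ok(digits):
    """Luhn checksum used by payment cards; cuts most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_ipv4(s):
    try:
        return ipaddress.ip_address(s).version == 4
    except ValueError:                      # octets above 255 fail here
        return False


def normalise_ccn(s):
    return re.sub(r"[ -]", "", s)


VALIDATORS = {
    "ipv4": is_ipv4,
    "ccn": lambda s: 13 <= len(normalise_ccn(s)) <= 19 and luhn_ok(normalise_ccn(s)),
}
NORMALISERS = {"ccn": normalise_ccn, "md5": str.lower}


def extract_indicators(text):
    """Return {kind: sorted unique validated values} for every pattern."""
    found = {}
    for kind, rx in PATTERNS.items():
        valid = VALIDATORS.get(kind, lambda s: True)
        norm = NORMALISERS.get(kind, lambda s: s)
        found[kind] = sorted({norm(m) for m in rx.findall(text) if valid(m)})
    return found
```

Without the validators the same text yields three "IP addresses" and two "card numbers"; with them, one of each is dropped, which is the difference between a finding and noise in a report.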
TheHarvester
This tool provides information about e-mail accounts, user names and host names/sub-domains
from public sources such as search engines and PGP key servers. It is designed to help the
penetration tester at an early stage; it is effective, simple and easy to use. This module acts
as a front end for theHarvester by Christian Martorella.
The sources supported are:
Google Hacking
Google hacking is the term used when an attacker finds exploitable targets and
sensitive data by using search engines. The Google Hacking Database (GHDB) is a collection
of queries that identify such data. Although Google blocks some of the better-known Google
hacking queries, nothing stops an attacker from crawling a site and running the GHDB
queries directly against the crawled content.
Information that the Google Hacking Database identifies:
Advisories and server vulnerabilities
Error messages that contain too much information
Files containing passwords
Sensitive directories
Pages containing login portals
Pages containing network or vulnerability data such as firewall logs.
The easiest way to check whether a web site and its applications are exposed to Google
hacking is to use this tool. It scans the entire website and automatically checks for pages
that match the dorks chosen by the user.
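Running dorks "directly onto the crawled content", as the passage puts it, means interpreting the dork operators (filetype:, inurl:, intitle:, intext:, quoted phrases) against the pages you already fetched instead of against Google's index. The following is an added example of such an evaluator, not the project's code; the crawl records and the four dorks are constructed in the style of the GHDB categories listed above and are not actual GHDB entries.

```python
"""Evaluate GHDB-style dorks against locally crawled pages (added example, not project code)."""
import re
from urllib.parse import urlsplit

# Constructed crawl results; URLs, titles and bodies are made up.
CRAWLED = [
    {"url": "https://www.example.test/index.html", "title": "Example Corp",
     "body": "Welcome to Example Corp."},
    {"url": "https://www.example.test/backup/site.sql", "title": "",
     "body": "-- MySQL dump 10.13\nCREATE TABLE users (..."},
    {"url": "https://www.example.test/admin/login.php", "title": "Admin Login",
     "body": "Username Password"},
    {"url": "https://www.example.test/phpinfo.php", "title": "phpinfo()",
     "body": "PHP Version 7.4.3 System Linux"},
    {"url": "https://www.example.test/logs/error.log", "title": "",
     "body": "PHP Warning: mysql_connect(): Access denied for user 'root'"},
]

# Constructed dorks, one per GHDB category mentioned in the text.
DORKS = {
    "sql dumps": 'filetype:sql "MySQL dump"',
    "login portals": "inurl:login intitle:login",
    "php info": 'intitle:"phpinfo()"',
    "sql errors": 'intext:"Access denied for user"',
}

# operator:value, operator:"quoted phrase", "quoted phrase" or bare word
TOKEN = re.compile(r'(?:(\w+):)?(?:"([^"]*)"|(\S+))')


def parse_dork(query):
    """Split a dork into (operator, value) pairs; bare terms get operator None."""
    terms = []
    for op, quoted, bare in TOKEN.findall(query):
        terms.append((op.lower() if op else None, (quoted if quoted else bare).lower()))
    return terms


def page_matches(page, terms):
    """All terms must hold for the page (Google's implicit AND)."""
    parts = urlsplit(page["url"])
    url, path, host = page["url"].lower(), parts.path.lower(), parts.netloc.lower()
    title, body = page["title"].lower(), page["body"].lower()
    for op, value in terms:
        if op == "site":
            ok = host.endswith(value)
        elif op == "inurl":
            ok = value in url
        elif op == "intitle":
            ok = value in title
        elif op == "intext":
            ok = value in body
        elif op in ("filetype", "ext"):
            ok = path.endswith("." + value)
        else:                                   # bare term: anywhere in title or body
            ok = value in title or value in body
        if not ok:
            return False
    return True


def run_dorks(pages, dorks):
    """Return {dork name: [matching URLs]} over the local crawl."""
    return {name: [p["url"] for p in pages if page_matches(p, parse_dork(q))]
            for name, q in dorks.items()}
```

Because the evaluation is local, a dork that Google refuses to answer, or a page that Google never indexed, still gets checked; the crawl depth, not the search engine, is the limit.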
4.1.5 Domain Tools
This module is built with HTML and PHP and includes the necessary labels, text boxes,
buttons, forms and other web components. The interface follows the functionality of the
Domain Tools module described earlier.
The various options available in this module are:
Domain info
User can collect the following information about a domain by using this tool.
Availability of a domain name
Check page rank with Google
Check Domain age
Get Alexa rank and number of back-links
Perform a whois lookup and find sub-domains
Domain Tools
User can collect the following information about a domain by using this tool.
Generate and Test Domain Typos
Generate and Show Invalid Domain Names
Generate and Check Domain Popularity with Google
Perform a whois lookup on the domain name of host
Blacklist Checker
Investigate the IP addresses related to a domain through different web-based tools
The information from this tool is relevant to:
Typosquatting
URL hijacking
Phishing, etc.
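"Generate and test domain typos" is two separate steps: produce the variants a user might mistype (omitted, transposed, repeated and adjacent-key characters, wrong TLD), then check which of them already resolve. The following is an added example of both steps, not the project's code; the keyboard adjacency table and the TLD list are constructed, and the DNS check takes an injectable resolver so it can run offline.

```python
"""Typosquat candidate generation and registration check (added example, not project code)."""
import socket

# Constructed QWERTY adjacency table, letters only.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
COMMON_TLDS = ["com", "net", "org", "co"]   # constructed list


def split_domain(domain):
    """'example.com' -> ('example', 'com'). Multi-label TLDs (co.uk) need a suffix list."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def typo_candidates(domain):
    """Return sorted typo variants of the registrable name plus wrong-TLD variants."""
    name, tld = split_domain(domain)
    variants = set()
    for i in range(len(name)):                              # omission: exmple
        variants.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                          # transposition: exmaple
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(len(name)):                              # repetition: exaample
        variants.add(name[:i] + name[i] + name[i:])
    for i, ch in enumerate(name):                           # adjacent key: wxample
        for nb in KEYBOARD_NEIGHBOURS.get(ch, ""):
            variants.add(name[:i] + nb + name[i + 1:])
    variants.discard(name)
    candidates = {f"{v}.{tld}" for v in variants if v}
    candidates |= {f"{name}.{t}" for t in COMMON_TLDS if t != tld}   # wrong TLD
    return sorted(candidates)


def registered(candidates, resolve=None):
    """Keep candidates that resolve in DNS. `resolve(host) -> bool` is injectable for offline use."""
    if resolve is None:
        def resolve(host):
            try:
                socket.gethostbyname(host)
                return True
            except socket.gaierror:
                return False
    return [c for c in candidates if resolve(c)]
```

A resolving typo domain is not automatically malicious (registrars and the brand owner themselves park many of them), so the result is a list to investigate with whois and the IP tools above, not a verdict.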
4.1.6 Payload Generator
The Payload Generator module is built with HTML and PHP and includes the necessary
labels, text boxes, buttons, forms and other web components. The interface follows the
functionality of the Payload Generator module described earlier.
This module generates Metasploit payloads for the listed operating systems (Windows,
Linux, Apple OS X and Android).
The various options available in this module are:
Windows OS Payload
This module asks the user to enter the IP address and port number of the computer to
connect back to, the name of the payload, how stealthy it should be (a higher setting is
meant to lower the chance of detection by anti-virus products) and the payload type.
Based on the user's input it generates an encoded Metasploit payload for Windows (all
versions). Encoding is not a reliable evasion technique: the standard encoders are well
known to anti-virus vendors, so "bypasses most popular anti-virus products" is a claim to
verify against the target's actual product, not a guarantee.
Other OS
This module asks the user to enter the IP address and port number of the computer to
connect back to, the name of the package, and the operating system for which the payload
has to be generated.
Based on the user's choice it generates the OS-specific payload. It can generate payloads
for Linux, Apple OS X and Android.
Java .jar Payload
This module asks the user to enter the IP address and port number of the computer to
connect back to, and the name of the package.
The payload generated by this tool is a Java .jar file. Because Java is platform independent,
this payload runs on any OS that has a Java runtime installed. Affected systems: Linux,
Windows and Apple OS X; a standard .jar does not run on Android unless it is repackaged
as an APK.
Web shell
This module asks the user to enter the IP address and port number of the computer to
connect back to, the name of the package, and the type of web shell (ASP, PHP, JSP) for
which the payload has to be generated.
The payload generated by this tool is an ASP, JSP or PHP file. Affected systems: web
servers that execute the corresponding server-side language.
4.1.7 Automated Exploits
The Automated Exploits module is built with HTML and PHP and includes the necessary
labels, text boxes, buttons, forms and other web components.
This tool can backdoor .exe files, Debian packages and PDF files, and automates the
process of backdooring PHP files.
The various options available in this module are:
Package.deb Backdoor
This module asks the user to enter the IP address and port number of the computer to
connect back to, the name of the package, and lets the user choose a Debian package.
The tool generates the payload, attaches it to the Debian package chosen by the user and
exports the final package under the name the user specified. Affected systems: Linux
(Debian based).
Backdooring exe files
This module asks the user to enter the IP address and port number of the computer to
connect back to, the name of the package, and lets the user upload an .exe file.
The tool generates the Metasploit payload, attaches it to the .exe file uploaded by the
user and exports the final package under the name the user specified. Affected systems:
Windows (all versions).
PDF Backdoor
This module asks the user to enter the IP address and port number of the computer to
connect back to, the name of the package, and lets the user upload a PDF file.
The tool generates the Metasploit payload, embeds it in the PDF file uploaded by the user
and exports the final file under the name the user specified. Affected systems: Adobe Reader;
the embedded executable only runs if the reader lets the user launch it, so this still depends
on social engineering.
4.2 TESTING
Software testing is an investigation conducted to provide stakeholders with
information about the quality of the product or service under test. Software testing can also
provide an objective, independent view of the software to allow the business to appreciate
and understand the risks of software implementation. Test techniques include, but are not
limited to the process of executing a program or application with the intent of finding
software bugs (errors or other defects).
Software testing can be stated as the process of validating and verifying that a
computer program/application/product:
Meets the requirements that guided its design and development,
Works as expected,
Can be implemented with the same characteristics,
Satisfies the needs of stakeholders.
In order to fully test that all the requirements of an application are met, there must be at
least two test cases for each requirement: one positive test and one negative test. If a
requirement has sub-requirements, each sub-requirement must have at least two test cases.
The link between a requirement and its tests is usually tracked in a traceability matrix.
Written test cases should include a description of the functionality to be tested and the
preparation required to ensure that the test can be conducted.
The basic objective of writing test cases is to validate the test coverage of the application.
Organizations that follow CMMI apply test-case standards strictly. Writing test cases
therefore brings a degree of standardization and minimizes the ad-hoc approach to testing.
4.2.1 Scanner Module
Table 4.1 Test cases for Scanner module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1 | Empty URL fields | Leave all the text fields in the form blank | The form does not get submitted | A pop-up appears stating URL is empty | Pass |
| 2 | Result page | Press the start button | Result page should appear | Result page appears with loading animation between form and tool description | Pass |
| 3 | Reset | Press the reset button | URL field should be cleared | URL field cleared | Pass |
| 4 | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server | Pass |
| 5 | Selecting fields from side menu list | Select a module from the side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 6 | Selecting Hide/Show in side bar | Click hide/show text on the left side | Sub-modules of the module should hide/show | In case of hide, sub-modules hide and only the Scanner module name is visible | |
4.2.2 CMS-Explorer Module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1 | Empty URL fields | Leave all the text fields in the form blank | The form does not get submitted | A pop-up appears stating URL is empty | Pass |
| 2 | Empty pingback port in WordPress | Leave the pingback port text field in the form blank | The form does not get submitted | A pop-up appears stating pingback port is empty | Pass |
| 3 | Result page | Press the start button | Result page should appear | Result page appears with loading animation between form and tool description | Pass |
| 4 | Reset | Press the reset button | URL field should be cleared | URL field cleared | Pass |
| 5 | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server | Pass |
| 6 | Selecting fields from side menu list | Select a module from the side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 7 | Selecting Hide/Show in side bar | Click hide/show text on the left side | Sub-modules of the module should hide/show | In case of hide, sub-modules hide and only the Scanner module name is visible | |

Table 4.2 Test cases for CMS-Explorer Module
4.2.3 Network Tools Module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1 | Empty URL fields | Leave all the text fields in the form blank | The form does not get submitted | A pop-up appears stating URL is empty | Pass |
| 2 | Result page | Press the start button | Result page should appear | Result page appears with loading animation between form and tool description | Pass |
| 3 | Reset | Press the reset button | URL field should be cleared | URL field cleared | Pass |
| 4 | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server | Pass |
| 5 | Selecting fields from side menu list | Select a module from the side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 6 | Selecting Hide/Show in side bar | Click hide/show text on the left side | Sub-modules of the module should hide/show | In case of hide, sub-modules hide and only the Scanner module name is visible | Pass |

Table 4.3 Test cases for Network Tools Module
4.2.4 Information Gathering Module, Domain Tool Module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1 | Empty URL fields | Leave all the text fields in the form blank | The form does not get submitted | A pop-up appears stating URL is empty | Pass |
| 2 | Result page | Press the start button | Result page should appear | Result page appears with loading animation between form and tool description | Pass |
| 3 | Reset | Press the reset button | URL field should be cleared | URL field cleared | Pass |
| 4 | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server | Pass |
| 5 | Selecting fields from side menu list | Select a module from the side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 6 | Selecting Hide/Show in side bar | Click hide/show text on the left side | Sub-modules of the module should hide/show | In case of hide, sub-modules hide and only the Scanner module name is visible | Pass |

Table 4.4 Test cases for Information Gathering Module and Domain Tool Module
4.2.5 Payload Generator Module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1 | Empty IP, port, package name fields | Leave all the fields in the form blank | The form does not get submitted | A pop-up appears stating IP is empty | Pass |
| 2 | Result page | Press the start button | Result page should appear | Result page appears with loading animation between form and tool description | Pass |
| 3 | Reset | Press the reset button | URL field should be cleared | URL field cleared | Pass |
| 4 | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server | Pass |
| 5 | Selecting fields from side menu list | Select a module from the side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 6 | Selecting Hide/Show in side bar | Click hide/show text on the left side | Sub-modules of the module should hide/show | In case of hide, sub-modules hide and only the Scanner module name is visible | Pass |
| 7 | IP validation | Enter a URL in place of the IP | Form should not be submitted | A pop-up appears stating "You have not entered a valid IP" | Pass |

Table 4.5 Test cases for Payload Generator module
4.2.6 Automated Exploits Module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1 | Empty IP, port, package name fields | Leave all the fields in the form blank | The form does not get submitted | A pop-up appears stating IP is empty | Pass |
| 2 | Result page | Press the start button | Result page should appear | Result page appears with loading animation between form and tool description | Pass |
| 3 | Reset | Press the reset button | URL field should be cleared | URL field cleared | Pass |
| 4 | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server | Pass |
| 5 | Selecting fields from side menu list | Select a module from the side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 6 | Upload | Upload a file | File should be uploaded and a message should be generated in the result section | File uploaded and checked in the upload directory | Pass |

Table 4.6 Test cases for Automated Exploits module
CHAPTER 5
CONCLUSION AND FUTURE SCOPE
5.1 CONCLUSION
The web-based penetration testing lab is a web interface to various command-line tools
along with some unique features of its own.
The web interface is general and easy to use efficiently, and it gives penetration testers an
effective way to test a network, website or system. The lab has been developed in PHP and
the concepts described above have been implemented.
5.2 FUTURE SCOPE
This interface makes penetration testing easier than before. It can also be used for
educational purposes, to teach students the basics of penetration testing and to make them
aware of the tools and techniques used to secure a system. It can be extended in the future
by adding new tools to the project.
```php
<?php
// Result-page fragment of the payload generator. $pkg (package name), $c (payload
// name), $ip and $port all originate from the submitted form, so they are escaped
// before being placed in HTML, in a URL or in the command shown to the user.
$pkg_html = htmlspecialchars($pkg, ENT_QUOTES, 'UTF-8');
$pkg_url  = rawurlencode($pkg);

echo '<p><b>AVAILABLE FOR DOWNLOAD in default format @</b> --><a href="exploits/' . $pkg_url . '">Click here</a></p>';
echo '<p><b>AVAILABLE FOR DOWNLOAD in zip format @</b> --><a href="exploits/' . $pkg_url . '.zip">Click here</a></p>';
echo '<p><b>AVAILABLE FOR DOWNLOAD autorun files in zip format @</b> --><a href="autorun/' . $pkg_url . '.zip">Click here</a></p>';
echo '<p><b>AFFECTED SYSTEMS ARE</b> -->Windows OS</p>';
echo '<p>*****************************************************************************</p>';
echo '<b>Note:</b> You can send this package to the victim by any social engineering technique. ';
echo '<p><b>To start the listener, copy and paste this command into your terminal:</b></p>';

// msfcli was removed from Metasploit Framework in 2015; msfconsole -x runs the same
// commands. $c must already have been checked against a fixed list of payload names.
$listener = sprintf(
    "msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD %s; set LHOST %s; set LPORT %d; run'",
    $c, $ip, (int) $port
);
echo '<pre>' . htmlspecialchars($listener, ENT_QUOTES, 'UTF-8') . '</pre>';

// json_encode produces a JavaScript string literal and escapes "/" so that "</script>"
// in a package name cannot break out of the script block.
$msg = json_encode($pkg . ' generated successfully! Please refer to the result section after this message');
echo "<script type='text/javascript'>$.msg({ fadeIn : 500, fadeOut : 500, bgPath : 'dlgs/', content : " . $msg . " });</script>";
```
APPENDIX B
SCREEN SHOTS
Screen Shot 1: Scanner page
Screen Shot 2: Scanner Result Page
Screen Shot 3: Windows Payload