
web service report


8/18/2019 web service report

http://slidepdf.com/reader/full/web-service-report 1/46

CHAPTER 1

INTRODUCTION

Web Based Penetration Testing provides a user-friendly way of doing penetration testing on a system. It is a web interface for many popular command line tools, arranged and categorized to make penetration testing easier than before. It is a web based application with PHP as the development platform.

1.1 PURPOSE

The aim of the project is to automate penetration testing and reduce the time professional penetration testers spend memorizing and typing various commands and their options again and again during the course of penetration testing. This tool can also be used for educational purposes. As an IT professional, a student must know about the different types of attacks, scanning networks, gathering information about a system, exploiting a remote system etc. There are thousands of tools (most of them command line tools) available for these purposes. Installing these tools requires deep knowledge, and using them also requires experience with Linux OS and command lines. So, this web based framework can be hosted on a server (which has all the dependencies installed) and can be used by students to learn the basics of penetration testing.

1.2 PROJECT SCOPE

The user will be presented with a user-friendly interface with all the tools categorized according to their functionalities.

• Scans a network/system for different types of vulnerabilities, detects firewall, load balancing, open ports, target location, web-server, outdated files etc.

• Explores different types of CMS such as WordPress, Drupal, Joomla by enumerating users, directory listing, detecting service version etc.

• Extracts information related to DNS and IP addresses, extracts links and checks the validity of links on a web page and much more.

• Provides information about email accounts, user names and host-names/sub-domains from different public search engines and PGP key server.

• Provides an interface to use various Google dorks such as search for configuration files, SQL errors, log files, php info, back-up and old files etc for a website.

• Helps in collecting various information about a domain such as domain popularity with Google, domain age, Alexa and Google rank, number of back-links etc.


Web based penetration testing lab is a web interface for many popular command line tools, arranged and categorized to make penetration testing easier than before. It is a web based application with PHP as the development platform.

The Front-End tier has web pages which interact with users to provide information and functionality for different user roles. PHP is used for executing Linux commands from the web pages. Apache is used as the web server and Linux is used as the working environment.

Fig. 2.1 Product Perspective (diagram labels: Web Browser; Web Pages; Front End (HTML, CSS, JavaScript); Server Side Scripting: PHP; Linux Distribution (Debian Based OS Preferable))


2.2 PRODUCT FUNCTIONALITIES

The various functionalities of the proposed system and their interaction are described in brief in this section. The user will be allowed to perform the following actions.

• Scans a network/system for different types of vulnerabilities, detects firewall, load balancing, open ports, target location, web-server, outdated files etc.

• Explores different types of CMS such as WordPress, Drupal, Joomla by enumerating users, directory listing, detecting service version etc.

• Extracts information related to DNS and IP addresses, extracts links and checks the validity of links on a web page and much more.

• Provides information about email accounts, user names and host-names/sub-domains from different public search engines and PGP key server.

• Provides an interface to use various Google dorks such as search for configuration files, SQL errors, log files, php info, back-up and old files etc for a website.

• Helps in collecting various information about a domain such as domain popularity with Google, domain age, Alexa and Google rank, number of back-links etc.

• Generates and tests domain typos, investigates an IP through various web tools, checks whether a domain is in a blacklist or not.

• Generates undetectable (bypasses most of the anti-virus products) Metasploit payloads for Windows, Linux, Apple OS, Android OS and for exploiting websites (ASP, PHP, JSP) and much more.

• Helps in back-dooring exe files, debian packages and pdf by asking the user to upload a file and adding a payload to the uploaded file.

• Helps in generating a PHP backdoor using weevely, a powerful framework to deface a vulnerable website written in PHP.

• Users can see a description of each tool on the web page for help.

2.3 USER CHARACTERISTICS

The user must have knowledge of the basics of computer science. The user must know about the internet, browser, operating system and other basic computer related concepts. The user must be willing to learn the basics of penetration testing. Previous experience with penetration testing is not mandatory, however knowledge of the concepts can help in understanding penetration testing through practical experience.

2.4 CONSTRAINTS

• GUI is only in English.

• Server computer must be running Linux with all the dependencies installed.

• Client computer/user computer can have any operating system running.

• User's OS must have a modern web browser with JavaScript support.

CHAPTER 3


SYSTEM DESIGN

This chapter deals with the fabrication of the web application, with a module-wise explanation of the significant functions.

3.1 ARCHITECTURE OVERVIEW

Web based penetration testing lab follows a simple web based structure for better functionality with less complication.

The Front-End tier has web pages which interact with users to provide information and functionality.

PHP is used for interaction with the operating system to execute system commands and to display the result on the web page. Linux is used as the working environment.

The user opens the web based penetration testing lab in a web browser and selects a module; the interface asks for the required information through HTML forms. Once the user submits the information, it is validated by a PHP script, and the commands related to the user's query are executed by PHP, either through interaction with the OS or within PHP itself, according to the user's query. Once the execution starts, results are displayed line by line.
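The validate-then-execute step described above is where a web front end for command line tools is exposed to command injection, so the check has to be strict. The following is an added example, not code from the report (whose application is written in PHP): a Python sketch with hypothetical names (`TOOLS`, `validate_target`, `build_command`, `run_tool`) that accepts only an IP address or hostname and passes it to a fixed command as an argument list, with no shell involved.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits and hyphens; must not start or end with a hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Hypothetical allow-list: module name -> fixed argv prefix. The user never
# supplies the program name or its options, only the target.
TOOLS = {
    "ping": ["ping", "-c", "4"],
    "traceroute": ["traceroute"],
}


class RejectedRequest(ValueError):
    """Raised when a submitted form value fails validation."""


def validate_target(raw):
    """Return a normalised IP address or hostname, or raise RejectedRequest."""
    target = raw.strip()
    if not target or len(target) > 253:
        raise RejectedRequest("target is empty or too long")
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    labels = target.rstrip(".").split(".")
    # Every label must be well formed. An all-numeric last label means the
    # value was a malformed IPv4 address, not a hostname.
    if all(_LABEL.fullmatch(label) for label in labels) and not labels[-1].isdigit():
        return ".".join(labels).lower()
    raise RejectedRequest("target is not an IP address or hostname")


def build_command(tool, raw_target):
    """Build the argv list for an allow-listed tool and a validated target."""
    if tool not in TOOLS:
        raise RejectedRequest("unknown tool")
    return TOOLS[tool] + [validate_target(raw_target)]


def run_tool(tool, raw_target, timeout=30):
    """Run the tool and return its output; the target is one argv element."""
    argv = build_command(tool, raw_target)
    # A list argv with the default shell=False is handed to the program as-is,
    # so shell metacharacters in form input are never interpreted.
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return done.stdout


if __name__ == "__main__":
    # Constructed sample form values: one valid, two that must be rejected.
    for sample in ["192.168.1.10", "example.com; id", "-f"]:
        try:
            print(build_command("ping", sample))
        except RejectedRequest as exc:
            print("rejected", repr(sample), "-", exc)
```

Rejecting values that begin with a hyphen matters as much as rejecting shell metacharacters, because an argument list still lets a value such as `-f` be read by the tool as an option.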

 

Fig. 3.1 Architecture Diagram

3.2 SYSTEM DESIGN

This section outlines the use cases for a user interacting with each module separately. The main users in this project are people who want to do penetration testing.

3.2.1 Scanner Use Case

Fig. 3.2 Scanner Use Case

• Scanner: User can choose a sub-module in the scanner module as per his/her requirement.

• URL Fuzzer: Directory check, file check, dynamic tests, static tests, web server information, blind SQL injection etc.

• Nmap Scanner Menu: User scans a target for OS fingerprinting, open TCP and UDP ports, detecting service version etc.

• Web Scanner: User scans a target for dangerous files, SSL check, detecting load-balancing, detecting application at a given port etc.

• Web Vulnerability Scanner: User scans a target to perform various tests such as directory check, file check, dynamic tests, static tests, stress tests etc.

• Ping Sweep: User finds out which hosts are alive in a network.


3.2.2 CMS-Explorer Use Case

Fig. 3.3 CMS-Explorer Use Case

• CMS-Explorer: User can choose a sub-module in the CMS-Explorer module as per his/her requirement.

• WordPress Scan: User scans a WordPress site to enumerate users, installed plugins, installed TimThumbs, detect CMS version, etc.

• Joomla Scan: User scans a Joomla site to find vulnerabilities, gets geo-location, detects Joomla version running.

• Drupal Scan: User scans a Drupal site to find vulnerabilities, enumerate modules, gets geo-location, detects Joomla version running.

• Detect CMS Version: User performs a BlindElephant scan on the given target in order to detect the target's CMS version.

3.2.3 Network Tools Use Case

Fig. 3.4 Network Tools Use Case

• Network Tools: User can choose a sub-module in the Network Tools module as per his/her requirement.

• DNS Queries: User chooses to perform various types of DNS related enquiry on a host/domain.

• IP Tools: User chooses to perform various types of IP related enquiry on a host/domain such as reverse IP look-up, port check etc.

• Web Tools: User chooses to get HTTP header information, dump all the links on a web page and check the validity of links on a web page.

• Network Tests: User performs simple network tests such as ping test, trace-route etc.

3.2.4 Information Gathering Use Case

Fig. 3.5 Information Gathering Use Case

• Information Gathering: User can choose a sub-module in this module as per his/her requirement.

• Info Gathering: User chooses to perform any of the following - retrieve NetBIOS state, live host identification, enumerating all host-names which Bing has indexed for an IP address, search for possible email addresses etc.

• The Harvester: User chooses to get information about e-mail accounts, user names and host-names/sub-domains from different public sources like search engines and PGP key server.

• Google Hacking: A collection of Google dorks very useful to gather information about the user's target.

3.2.5 Domain Tools Use Case

Fig. 3.6 Domain Tools Use Case

• Domain Tools: User can choose a sub-module in this module as per his/her requirement.

• Domain Info: User chooses to perform any of the following - check domain availability, check page rank by Google, check domain age, get Alexa rank and back links, find sub-domains, who-is look-up etc.

• Domain Tool: User chooses to perform any of the following - generate and test domain typos, generate and show invalid domain type, perform a whois lookup on the domain name of a host, investigate an IP through various web based tools etc.

3.2.6 Payload Generator Use Case

Fig. 3.7 Payload Generator Use Case

• Payload Generator: User can choose a sub-module in this module as per his/her requirement.

• Windows OS: User uses the interface to generate a Metasploit payload that bypasses most of the popular anti-virus products like Avast, McAfee, Avira etc. The user can specify the size of the payload.

• Other OS: User uses this module to generate payloads for different operating systems like Linux distributions, Apple OSX, Android OS.

• Java Payload: User uses this module to generate a Java .jar payload which can be used to affect any OS, as Java is platform independent. It can affect Windows/Mac/Linux/Android OS and all other platforms which support Java.

• Web Shell: User uses this module to generate web shells for ASP, PHP, JSP.

3.2.7 Exploits Use Case

Fig. 3.8 Exploits Use Case

• Exploits: User can choose a sub-module in this module as per his/her requirement.

• Package.deb Back-door: This tool generates a debian package encoded with a Metasploit payload.

• Back-dooring exe: User uploads an exe file and this tool inserts the chosen payload in the original exe file.

• PDF Back-door: User uploads a pdf file and this tool inserts the chosen payload in the original PDF file. It can affect the system if opened with Adobe Reader. Affected Systems are: Adobe PDF Reader

3.3 USE CASE ANALYSIS


Use case diagrams are used to gather the requirements of a system, including internal and external influences. These requirements are mostly design requirements. So when a system is analyzed to gather its functionalities, use cases are prepared and actors are identified. The purpose of a use case diagram is to capture the dynamic aspect of a system. But this definition is too generic to describe the purpose. A use case is a list of steps, typically defining interactions between a role (known in UML as an "actor") and a system, to achieve a goal. The actor can be a human or an external system. The purposes of use case diagrams are as follows:

1. Used to gather requirements of a system.

2. Used to get an outside view of a system.

3. Identify external factors influencing the system.

4. Identify internal factors influencing the system.

5. Show the interaction among the requirements and actors.

UML Use Case Diagrams can be used to describe the functionality of a system in a horizontal way. That is, rather than merely representing the details of individual features of your system, UCDs can be used to show all of its available functionality. It is important to note, though, that UCDs are fundamentally different from sequence diagrams or flow charts because they do not make any attempt to represent the order or number of times that the system's actions and sub-actions should be executed.

Use Case Diagrams are behavior diagrams used to describe a set of actions (use cases) that some system or systems (subject) should or can perform in collaboration with one or more external users of the system (actors). Each use case should provide some observable and valuable result to the actors or other stakeholders of the system. Use case diagrams are in fact twofold - they are both behavior diagrams (because they describe behavior of the system), and they are also structure diagrams - as a special case of class diagrams where classifiers are restricted to be either actors or use cases related with association. The purpose of a use case diagram is to capture the dynamic aspect of a system.


Use case diagrams are considered for high level requirement analysis of a system. So when the requirements of a system are analyzed, the functionalities are captured in use cases. So we can say that use cases are nothing but the system functionalities written in an organized manner. The second thing relevant to the use cases is the actors. Actors can be defined as something that interacts with the system.


3.4 SEQUENCE DIAGRAM

The sequence diagram is used primarily to show the interactions between objects in the sequential order that those interactions occur. Much like the class diagram, developers typically think sequence diagrams were meant exclusively for them. The main purpose of a sequence diagram is to define event sequences that result in some desired outcome. The focus is less on messages themselves and more on the order in which messages occur; nevertheless, most sequence diagrams will communicate what messages are sent between a system's objects as well as the order in which they occur. The diagram conveys this information along the horizontal and vertical dimensions: the vertical dimension shows, top down, the time sequence of messages/calls as they occur, and the horizontal dimension shows, left to right, the object instances that the messages are sent to.

Fig. 3.9 Use Case Diagram for the overall System

A sequence diagram shows object interactions arranged in time sequence. It depicts the objects and classes involved in the scenario and the sequence of messages exchanged between the objects needed to carry out the functionality of the scenario. Sequence diagrams are typically associated with use case realizations in the Logical View of the system under development. Sequence diagrams are sometimes called event diagrams or event scenarios.

Objects calling methods on themselves use messages and add new activation boxes on top of any others to indicate a further level of processing. When an object is destroyed (removed from memory), an X is drawn on top of the lifeline, and the dashed line ceases to be drawn below it (this is not the case in the first example though). It should be the result of a message, either from the object itself, or another. If a caller sends a synchronous message, it must wait until the message is done, such as invoking a subroutine. If a caller sends an asynchronous message, it can continue processing and doesn't have to wait for a response. Asynchronous calls are present in multi-threaded applications and in message-oriented middleware. Activation boxes, or method-call boxes, are opaque rectangles drawn on top of lifelines to represent that processes are being performed in response to the message (Execution Specifications in UML).

A message sent from outside the diagram can be represented by a message originating from a filled-in circle (found message in UML) or from a border of the sequence diagram (gate in UML).

The sequence diagram is used primarily to show the interactions between objects in the sequential order that those interactions occur. Much like the class diagram, developers typically think sequence diagrams were meant exclusively for them. However, an organization's business staff can find sequence diagrams useful to communicate how the business currently works by showing how various business objects interact. Besides documenting an organization's current affairs, a business-level sequence diagram can be used as a requirements document to communicate requirements for a future system implementation. During the requirements phase of a project, analysts can take use cases to the next level by providing a more formal level of refinement.


The sequence diagram is the most common kind of interaction diagram, which focuses on the message interchange between a number of lifelines.

A sequence diagram describes an interaction by focusing on the sequence of messages that are exchanged, along with their corresponding occurrence specifications on the lifelines.

The following nodes and edges are typically drawn in a UML sequence diagram: lifeline, execution specification, message, combined fragment, interaction use, state invariant, continuation, destruction occurrence.

UML sequence diagrams model the flow of logic within your system in a visual manner, enabling you both to document and validate your logic, and are commonly used for both analysis and design purposes. Sequence diagrams are the most popular UML artefact for dynamic modelling, which focuses on identifying the behaviour within your system.

Fig. 3.10 Sequence Diagram

3.5 FLOW CHART DIAGRAM

A flow chart diagram is a graphical means of representing or presenting, describing, or analyzing a process.

Fig. 3.11 Flow Chart Diagram

3.6 REQUIREMENT SPECIFICATION

3.6.1 User Requirements

• A system that is user-friendly and intuitive.

• The system allows easy access to information.

• The system provides help related to tools used in each module.

• The system categorizes the different tools in a module based on their functionalities.

3.6.2 Functional Requirements

• Anyone can use the system. Registration is not required.

• Web browser should allow pop-ups.

• The system should be able to interact with the OS.

• The system should be able to provide an interface to retrieve the user's query.

• The system should be able to display the result.

• The system should conform to all the specifications mentioned in the Software Requirement Specification.

3.6.3 Non Functional Requirements

• The system should be efficient, reliable, and secure throughout.

• People with a computer science background, or interested in computer science with basic internet and OS knowledge, should be able to use the new system, and the system should be robust.

• The system should be easily modified to suit the user's changing demands and should be accessible on any operating system.

3.6.4 Software Requirements

• Front End (Interface): HTML, PHP, JavaScript

• Web Server: Apache

• Development Tool: NetBeans

• Operating System: Linux

3.6.5 Minimum Hardware Requirements

Table 3.1: Hardware Specifications

| Client Side | Processor | RAM | Space |
|---|---|---|---|
| Internet Explorer 8, Google Chrome, Mozilla Firefox or any modern web browser | Intel Pentium 4 at 1 GHz | 512 MB | 1 GB |

| Server Side | Processor | RAM | Space |
|---|---|---|---|
| Linux Distribution with LAMP and all the dependencies installed. | HS21 Xeon Dual Core 5160 3.0GHz/1333Mhz/4MB L2 or above | 512 MB and above | 5 GB |


CHAPTER 4

SYSTEM IMPLEMENTATION

Systems Design naturally leads to another stage that is closer to the actual deployment of the planned software. Since the design is already there, developers have an idea of what the software will actually look like. All they need is to put it all together to realize the intended software. Generally, implementation of the software is considered the actual creation of the software. Since the system design stage usually suggests how the interface, data and actual output are created, the implementation stage brings them all together.

To implement a system successfully, a large number of inter-related tasks need to be carried out in an appropriate sequence. Utilizing a well-proven implementation methodology and enlisting professional advice can help, but often it is the number of tasks, poor planning and inadequate resourcing that cause problems with an implementation project, rather than any of the tasks being particularly difficult.

4.1 MODULE IMPLEMENTATION

4.1.1 Scanner

As many as 70% of web sites have vulnerabilities that could lead to the theft of sensitive corporate data such as credit card information and customer lists.

Hackers are concentrating their efforts on web-based applications - shopping carts, forms, login pages, dynamic content, etc. Accessible 24/7 from anywhere in the world, insecure web applications provide easy access to back-end corporate databases.


Web application attacks, launched on port 80/443, go straight through the firewall, past operating system and network level security, and right in to the heart of your application and corporate data. Tailor-made web applications are often insufficiently tested, have undiscovered vulnerabilities and are therefore easy prey for hackers.

The Scanner module of web based penetration testing lab consists of various tools to scan a website or network for different possible vulnerabilities. These are some of the features of this module:

• Advanced and in-depth SQL injection and Cross site scripting testing

• Advanced penetration testing tools, such as nikto, nmap, xsser, fimap, fping, uniscan etc

• Port scans a web server and runs security checks against network services running on the server.

• Detects target operating system, service version, scans for TCP and UDP services etc.

• GET HTTP headers and display the transaction, scan web server for dangerous files, outdated versions... etc.

• WhatWeb Scan, SSL Check, check if domain uses load balancing, Web Application Firewall detection, detect application at given port.

• Performs directory check, file check, static tests, dynamic tests, extracts web server information etc for a target URL.

• Discovers which hosts are up within a range of IP addresses (Ping-Sweep), Identify hosts

4.1.2 CMS-Explorer Module

This module is designed using HTML, JavaScript and PHP, and includes the necessary labels, text-boxes, buttons, forms and other web components.

This module attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases, and scans WordPress, Drupal, Joomla sites for vulnerabilities.


The various sub-modules available in the CMS-Explorer module are:

WordPress Scan

WordPress is the world's leading content management system. This makes it a popular target for attackers.

Analysis of compromised WordPress installations shows that exploitation most often occurs due to simple configuration errors or through plug-ins and themes that have not had security fixes applied.

WordPress Security Scanner tests vulnerabilities of a WordPress installation. Checks include application security, WordPress plug-ins, hosting environment and web server. These are some of the features of this module:

• Detects version of WordPress.

• Enumerate users.

• Enumerate installed plug-ins.

• Enumerate installed TimThumbs.

• Enumerate installed themes.

• WordPress Ping-back Port Scanner

• Non-Intrusive Check..etc.

Joomla Scan

Joomla is one of the most popular open source content management systems and is a common target for attackers due to its popularity and the wide variety of extensions that are available. These Joomla security scans will test a site for security issues, configuration errors and poor reputation links so the administrator can get to work mitigating the vulnerabilities before getting hacked.

These scans will test a Joomla installation for a number of common security issues and vulnerable modules, as well as perform web reputation analysis of sites that are being linked and sites that are hosted on the same IP address.

• Determine if a Joomla installation is present.


• Detect Joomla version running.

• Detect known exploits and security vulnerabilities.

• Joomla plug-in based firewall detection.

• Understand the security configuration of a Joomla install.

• Run an in-depth security test that includes plug-in and theme brute forcing with Joomscan

• Get site geo-location and hosting info.

Drupal Scan

Drupal is one of the world's leading content management systems. It is used on a large number of high profile sites. It is known for its security and extensibility. Perform a simple Drupal security test by filling out the following form. This module will test the target website in a non-intrusive manner and display any discovered vulnerabilities or configuration errors.

This module acts as a security scanner for Drupal installations to quickly identify potential security issues, server reputation and other aspects of the web server.

• Detect Drupal version running.

• Scan for vulnerabilities (enumerates the modules).

• Understand the security configuration of a Drupal install.

• Get site geo-location and hosting info.

Detect CMS Version (BlindElephant Scan)

A BlindElephant scan will attempt to determine the version of content management systems and other web scripts. This is useful when assessing the security of a given web site.

Discover the version of 14 of the most popular types of content management system (CMS) and web application utilities.

Determine if a known vulnerable application version is in use. Develop an understanding of an organization's website security maintenance and patching policies.

26

Page 27: web service report

8/18/2019 web service report

http://slidepdf.com/reader/full/web-service-report 27/46

This scan is used to identify the version of a web applicationD the application may be a

web forum" blog or phpmyadmin. The important thing to note about these types of 

applications is that there are many publicly available e#ploits for different versions of the

applications. !n e#ploit in a single small web application can be the foothold that an attacker 

will capitalize on to get deeper access on the server and perhaps even compromise of an

entire organization.

)o it is vitally important that web application such as those assessed by the

Blindelephant scan are kept up to date.

Blind-lephant is a tool for fingerprinting your web application version. )ecurity

vulnerabilities in well,known web applications are a common attack vector. eeping your web applications up to date can reduce your risk of being hacked significantly.

The Blind-lephant Web !pplication 9inger,printer will try to discover the version of 

a web application by comparing static files against precomputed hashes for versions of those

files in all available releases. The techni&ue is fast" low,bandwidth" non,invasive" generic"

and fairly accurate.
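The hash-comparison technique described above, as an added example (not BlindElephant's own code): each static file's hash narrows the set of candidate releases, and intersecting those sets across files yields the installed version, which can then be checked against the patch level you expect. The application name "examplecms", its file paths, contents and release table are constructed for the demonstration.

```python
import hashlib

# Constructed release history for a hypothetical application "examplecms":
# version -> {static file path: file bytes shipped in that release}.
RELEASES = {
    "1.0": {"js/core.js": b"core v1", "css/site.css": b"style A", "README.txt": b"readme"},
    "1.1": {"js/core.js": b"core v1", "css/site.css": b"style B", "README.txt": b"readme"},
    "1.2": {"js/core.js": b"core v2", "css/site.css": b"style B", "README.txt": b"readme"},
    "2.0": {"js/core.js": b"core v3", "css/site.css": b"style C"},
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_table(releases):
    """Precompute path -> {hash -> set of versions that ship exactly that file}."""
    table = {}
    for version, files in releases.items():
        for path, content in files.items():
            table.setdefault(path, {}).setdefault(digest(content), set()).add(version)
    return table


def rank_paths(table):
    """Order paths by how many distinct hashes they have across releases.

    Files that change often separate versions best, so checking them first
    keeps the number of files that must be read small.
    """
    return sorted(table, key=lambda p: (-len(table[p]), p))


def fingerprint(observed, table, all_versions):
    """Intersect the candidate versions implied by each observed file.

    observed maps path -> bytes. Returns (sorted candidates, notes).
    A file whose hash is unknown (locally edited, or from an unreleased
    build) is reported and skipped rather than allowed to empty the result.
    """
    candidates = set(all_versions)
    notes = []
    for path in rank_paths(table):
        if path not in observed:
            continue
        versions = table[path].get(digest(observed[path]))
        if versions is None:
            notes.append(f"{path}: hash matches no release")
            continue
        if not candidates & versions:
            notes.append(f"{path}: conflicts with other files (mixed install?)")
            continue
        candidates &= versions
    return sorted(candidates), notes


if __name__ == "__main__":
    table = build_hash_table(RELEASES)
    # Constructed observation: files read from a deployment under audit.
    seen = {"js/core.js": b"core v1", "css/site.css": b"style B"}
    print(rank_paths(table))
    print(fingerprint(seen, table, RELEASES))
```

A file that matches no release is itself a finding worth following up, since it means the deployed copy differs from every published version.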

4.1.3 Network Tools Module

Using HTML and PHP web applications, this module is designed to include the necessary labels, text-boxes, buttons, forms and other web components. The interface is developed in accordance with the previously discussed functionality of the Network Tool module.

Find IP and DNS information quickly with this information gathering tool. Easy access to this tool complements the in depth vulnerability scanners.

The various options available in this module are:

DNS Queries

By its nature, external-facing DNS is an open and public service. While the information is openly available, you should be aware of what information is being revealed. Security penetration testers and attackers will use information collected from DNS to expand their knowledge of an organization's information technology infrastructure and from that knowledge begin to understand the attack surface.

For example, the SPF records that an organization can publish in order to improve email security can also reveal the IP addresses or host-names of systems with the ability to send email. These services can all then become targets to be assessed and attacked.

• DNS Lookup
• Reverse DNS Lookup
• Whois Lookup
• MX Lookup
• DNS Zone Transfer
• Finds the Start of Authority (SOA) record in a zone file
• Brute Force DNS
• Trace a chain of DNS Server to the source
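To review what your own SPF record discloses, as the DNS Queries paragraph above describes, the following added example (not part of the original report) parses a record and lists the networks, host names and third-party senders it publishes. The domain and the records are constructed; in practice the string is the TXT record published for the domain.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def audit_spf(domain: str, record: str) -> dict:
    """Summarise what an SPF TXT record reveals about mail infrastructure."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    out = {"networks": [], "hosts": [], "includes": [], "all": None, "warnings": []}
    for term in terms[1:]:
        # Modifiers look like name=value (for example redirect=_spf.example.net).
        mod, sep, value = term.partition("=")
        if sep and ":" not in mod and "/" not in mod:
            if mod.lower() == "redirect":
                out["includes"].append(value)
            continue
        qualifier = "+"  # the default when no qualifier is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/", 1)[0].lower()     # "a/24" -> "a"
        target = arg.split("/", 1)[0] or domain  # a and mx default to the domain
        if name in ("ip4", "ip6"):
            try:
                out["networks"].append(str(ipaddress.ip_network(arg, strict=False)))
            except ValueError:
                out["warnings"].append(f"malformed network: {arg}")
        elif name in ("a", "mx"):
            out["hosts"].append((name, target))
        elif name == "include":
            out["includes"].append(arg)
        elif name == "ptr":
            out["warnings"].append("ptr mechanism is discouraged by RFC 7208")
        elif name == "all":
            out["all"] = QUALIFIERS[qualifier]
            if qualifier == "+":
                out["warnings"].append("+all authorises every sender")
    return out


# Constructed record for the reserved documentation domain example.com.
SAMPLE = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ip6:2001:db8::/32 "
          "a:mail.example.com mx include:_spf.mailvendor.example ~all")

if __name__ == "__main__":
    for key, value in audit_spf("example.com", SAMPLE).items():
        print(key, value)
```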

IP Tools

A web server can be configured to serve multiple virtual hosts from a single IP address. This is a common technique in shared hosting environments in particular. However, it is also common in many organizations and can be an excellent way to expand the attack surface when going after a web server.

IP Geo location involves attempting to find the location of an IP address in the real world. Because IP addresses are assigned to organizations and these associations are ever changing, it can be difficult to determine exactly where in the world an IP address is located. The user can perform the following operations using this tool.

• IP Geo Location
• Reverse IP Lookup
• Port Check

Web Tools

These sub-modules can be used for extracting header information, dumping all the links of a website, and checking the validity of the links on a web page.

This module can perform the following operations:

• Get HTTP Header
• Extracts links from a web page
• Checks the validity of website links

Network Tests

Perform an IP trace with mtr, an advanced trace route tool that uses multiple ICMP pings to test the connectivity to each hop across the Internet.

A ping test is used to determine the connectivity and latency of Internet connected hosts.

The user can perform the following actions with this tool:

• Trace route
• Test Ping target to check its availability
• NPing, another utility like ping
• ICMP monitoring using fping

4.1.4 Information Gathering

Using HTML and PHP web applications, the Information Gathering module is designed to include the necessary labels, textboxes, buttons, forms and other web components. The interface is developed in accordance with the previously discussed functionality of the information gathering module.

The various options available in this module are:

Information Gathering

The information gathering steps of foot printing and scanning are of utmost importance. Good information gathering can make the difference between a successful penetration test and one that has failed to provide maximum benefit to the client. We can say that information is a weapon: a successful penetration test or hacking process needs a lot of relevant information, which is why information gathering, so called foot printing, is the

Google Hacking

Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines. The Google Hacking Database (GHDB) is a database of queries that identify sensitive data. Although Google blocks some of the better known Google hacking queries, nothing stops a hacker from crawling your site and launching the Google Hacking Database queries directly onto the crawled content.

Information that the Google Hacking Database identifies:

• Advisories and server vulnerabilities
• Error messages that contain too much information
• Files containing passwords
• Sensitive directories
• Pages containing login portals
• Pages containing network or vulnerability data such as firewall logs.

The easiest way to check whether your web site & applications have Google hacking vulnerabilities is to use this tool. This tool scans the entire website and automatically checks for pages that are identified by Google hacking queries as per the dorks chosen by the user.

4.1.5 Domain Tools

Using HTML and PHP web applications, this module is designed to include the necessary labels, text-boxes, buttons, forms and other web components. The interface is developed in accordance with the previously discussed functionality of the Domain Tools module.

The various options available in this module are:

Domain info

The user can collect the following information about a domain by using this tool.

• Availability of a domain name
• Check page rank with Google
• Check Domain age
• Get Alexa rank and number of back-links
• Perform whois lookup and finds sub-domains

Domain Tools

The user can collect the following information about a domain by using this tool.

• Generate and Test Domain Typos
• Generate and Show Invalid Domain Names
• Generate and Check Domain Popularity with Google
• Perform a whois lookup on the domain name of host
• Blacklist Checker
• Investigating IP related to domain through different web based tools

The information from this tool can be used for

• Typo squatting
• URL hijacking
• Phishing etc.

4.1.6 Payload Generator

Using HTML and PHP web applications, the Payload Generator module is designed to include the necessary labels, text-boxes, buttons, forms and other web components. The interface is developed in accordance with the previously discussed functionality of the Payload Generator module.

This module can be helpful in generating metasploit payloads for all operating systems available (Windows, Linux, Apple OSX, and Android).

The various options available in this module are:

Windows OS Payload

This module asks the user to enter information like the IP address and port number of the computer to connect back to, the name of the payload, how stealthy it should be (if it is more stealthy then the chances of getting detected by anti-virus products are less) and asks the user to choose the payload type.

Based on the user's query it generates the undetectable (Bypasses most of the popular anti-virus products) and encoded metasploit payload for Windows OS (All Versions).

Other OS

This module asks the user to enter information like the IP address and port number of the computer to connect back to, the name of the package, and the operating system for which the payload has to be generated.

Based on the user's choice it generates the OS specific payload. It can generate payloads for Linux, Apple OSX and Android OS.

Java.jar Payload

This module asks the user to enter information like the IP address and port number of the computer to connect back to and the name of the package.

The payload generated by this tool is a Java.jar file. As Java is a platform independent language, this payload can affect any OS which has Java installed. Affected Systems are: Linux, Windows, Android and Apple OSX.

Web shell

This module asks the user to enter information like the IP address and port number of the computer to connect back to, the name of the package, and the type of web shell (ASP, PHP, JSP) for which the payload has to be generated.

The payload generated by this tool is either an ASP file, JSP file or a PHP file. Affected Systems are: websites

4.1.6 Automated Exploits

Using HTML and PHP web applications, the Automated Exploits module is designed to include the necessary labels, text-boxes, buttons, forms and other web components. This tool is capable of back-dooring exe files, debian packages and pdf files, and automates the process of backdooring PHP files.

The various options available in this module are:

Package.deb Backdoor

This module asks the user to enter information like the IP address and port number of the computer to connect back to and the name of the package, and allows the user to choose a debian package.

This tool generates the payload and attaches it to the debian package chosen by the user, and then the final package is exported under the name specified by the user. Affected Systems are: Linux (Debian Based).

Backdooring exe files

This module asks the user to enter information like the IP address and port number of the computer to connect back to and the name of the package, and allows the user to upload an exe file.

This tool generates the metasploit payload and attaches it to the exe file uploaded by the user, and then the final package is exported under the name specified by the user. Affected Systems are: Windows OS (All Version).

PDF Backdoor

This module asks the user to enter information like the IP address and port number of the computer to connect back to and the name of the package, and allows the user to upload a pdf file.

This tool generates the metasploit payload and attaches it to the pdf file uploaded by the user, and then the final package is exported under the name specified by the user. Affected Systems are: Adobe PDF Reader

4.2 TESTING

Software testing is an investigation conducted to provide stakeholders with information about the quality of the product or service under test. Software testing can also provide an objective, independent view of the software to allow the business to appreciate and understand the risks of software implementation. Test techniques include, but are not limited to, the process of executing a program or application with the intent of finding software bugs (errors or other defects).

Software testing can be stated as the process of validating and verifying that a computer program/application/product:

• Meets the requirements that guided its design and development,
• Works as expected,
• Can be implemented with the same characteristics,
• Satisfies the needs of stakeholders.

In order to fully test that all the requirements of an application are met, there must be at least two test cases for each requirement: one positive test and one negative test. If a requirement has sub-requirements, each sub-requirement must have at least two test cases. Keeping track of the link between the requirement and the test is frequently done using a traceability matrix. Written test cases should include a description of the functionality to be tested, and the preparation required to ensure that the test can be conducted.

The basic objective of writing test cases is to validate the testing coverage of the application. If you are working in any CMMI company then you will strictly follow test case standards. So writing test cases brings some sort of standardization and minimizes the ad-hoc approach in testing.

4.2.1 Scanner Module

Table 4.1 Test cases for Scanner module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1. | Empty URL fields | Leave all the text fields in the form blank | The form does not get submitted | A Pop-Up appears stating URL is empty | Pass |
| 2. | Result Page | Press the start button | Result page should appear | Result page appears with loading animation in between form and tool Description | Pass |
| 3. | Reset | Press the reset button | URL field should be cleared. | URL field cleared | Pass |
| 4. | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server. | Pass |
| 5. | Selecting fields from side menu list | Select a module from side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 6. | Selecting Hide/Show in side bar | Click hide/show text in left side | Sub modules of module should hide/show | In case of hide, sub modules hide and only Scanner module name is visible | |

4.2.2 CMS-Explorer Module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1. | Empty URL fields | Leave all the text fields in the form blank | The form does not get submitted | A Pop-Up appears stating URL is empty | Pass |
| 2. | Empty Pingback port in wordpress | Leave the text fields in the form for pingback port blank | The form does not get submitted | A Pop-Up appears stating pingback port is empty | Pass |
| 3. | Result Page | Press the start button | Result page should appear | Result page appears with loading animation in between form and tool Description | Pass |
| 4. | Reset | Press the reset button | URL field should be cleared. | URL field cleared | Pass |
| 5. | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server. | Pass |
| 6. | Selecting fields from side menu list | Select a module from side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 7. | Selecting Hide/Show in side bar | Click hide/show text in left side | Sub modules of module should hide/show | In case of hide, sub modules hide and only Scanner module name is visible | |

Table 4.2 Test cases for CMS-Explorer Module

4.2.3 Network Tools Module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1. | Empty URL fields | Leave all the text fields in the form blank | The form does not get submitted | A Pop-Up appears stating URL is empty | Pass |
| 2. | Result Page | Press the start button | Result page should appear | Result page appears with loading animation in between form and tool Description | Pass |
| 3. | Reset | Press the reset button | URL field should be cleared. | URL field cleared | Pass |
| 4. | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server. | Pass |
| 5. | Selecting fields from side menu list | Select a module from side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 6. | Selecting Hide/Show in side bar | Click hide/show text in left side | Sub modules of module should hide/show | In case of hide, sub modules hide and only Scanner module name is visible | Pass |

Table 4.3 Test cases for Network Tools Module

4.2.4 Information Gathering Module, Domain Tool Module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1. | Empty URL fields | Leave all the text fields in the form blank | The form does not get submitted | A Pop-Up appears stating URL is empty | Pass |
| 2. | Result Page | Press the start button | Result page should appear | Result page appears with loading animation in between form and tool Description | Pass |
| 3. | Reset | Press the reset button | URL field should be cleared. | URL field cleared | Pass |
| 4. | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server. | Pass |
| 5. | Selecting fields from side menu list | Select a module from side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 6. | Selecting Hide/Show in side bar | Click hide/show text in left side | Sub modules of module should hide/show | In case of hide, sub modules hide and only Scanner module name is visible | Pass |

Table 4.4 Test cases for Information Gathering Module and Domain Tool Module

4.2.5 Payload Generator Module

| S. No | Test Case Name | Test Case Procedure | Expected Result | Obtained Result | Status (Pass/Fail) |
|---|---|---|---|---|---|
| 1. | Empty IP, Port, package name fields | Leave all the Field in the form blank | The form does not get submitted | A Pop-Up appears stating IP is empty | Pass |
| 2. | Result Page | Press the start button | Result page should appear | Result page appears with loading animation in between form and tool Description | Pass |
| 3. | Reset | Press the reset button | URL field should be cleared. | URL field cleared | Pass |
| 4. | Passing values to the server | Enter valid values in all the text fields and press submit | The values should be passed to the server | The values are passed to the server. | Pass |
| 5. | Selecting fields from side menu list | Select a module from side menu list | Related page should be loaded | A page related to that module gets loaded | Pass |
| 6. | Upload | Upload a file | File should be uploaded and a message should be generated in result section | File uploaded and checked in the upload directory | Pass |

Table 4.6 Test cases for Automated Exploits module

CHAPTER 5

CONCLUSION AND FUTURE SCOPE

5.1 CONCLUSION

Web based penetration testing lab is a web interface of various command line tools along with some of its unique features. The Web interface is very powerful and general, which makes it easy to use efficiently. It provides an effective way for penetration testers to test a network, website or system. Thus the Web based penetration testing lab is being developed in PHP and the above mentioned concepts are being implemented successfully.

5.2 FUTURE SCOPE

This interface will make penetration testing much easier than before. It can also be used for educational purposes to teach students the basics of penetration testing and to make them aware of various tools and techniques to secure a system. It can be extended in the future by adding any latest tool to the project.

APPENDIX A

SAMPLE SOURCE CODE

<?php

 

if(isset($_POST['su!it'"##


 

  $ip%$_POST['ip'"&

  $pt%$_POST['pt'"&

  $p)*%$_POST['p)*'"&

  $+%$_POST['+'"&

  $s%$_POST['s'"&

  if($ip%%'',,$pt%%''#

 

e+h -<s+ipt tpe%'te/ts+ipt'$.!s*(fe 500feOut 500*Pth ':*s' +tet ';u e t etee ts

+e+t:...'=#&<s+ipt-&

  =

 

e:se

  e>uie_+e ':i*.php'

she::(--#&

  she::(-su sh +!pss.sh $+ $ip $pt e/p:its$p)* $s-#&

  e/e+(-su +!:iu/she::+ee/e+./32 e/p:its$p)*-#&

  e/e+(-su +!:iu/she::+ee/e+./64 e/p:its$p)*-#&

  e/e+(-su +h! 777 e/p:its$p)*-#&

  e/e+(-su ip e/p:its$p)*.ip e/p:its$p)*-#&

  e/e+(-su ip utu$p)*.ip utuutu.i+

utuutu.if utu$p)* -#&

 

e+h '<p<P: @A*uti<<p'&


e+h'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'

&

e+h '<p<COST< DD'.$ip.'<p'&

e+h '<p<CPOET< DD'.$pt.'<p'&

e+h '<p<PF@GFHI JFKI< DD'.$p)*.'<p'&

e+h '<p<PF;COFL< DDMiMsshe::_eese_t+p<p'&

e+h '<p<FNFCFCI OE LOQJCOFL i efu:t f!t R< DD<

hef%e/p:its'.$p)*.'@:i+) hee<'&

e+h '<p<FNFCFCI OE LOQJCOFL i ip f!t R< DD<

hef%e/p:its'.$p)*.'.ip@:i+) hee<'&

e+h '<p<FNFCFCI OE LOQJCOFL utu A::es i ip f!t R<

DD< hef%utu'.$p)*.'.ip@:i+) hee<'&

e+h '<p<FI@TIL S;STIKS FEI< DDQiMs OS<p'&

e+h'<pBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBB<p'&

e+h '<Jte<;u + se this p+)*e t i+ti! s+i:

e*ieei* te+hi>ues '&

e+h '<p<T stt :istee +p pste this +e i t u

te!i:<<p'&

e+h 'su !sf+:i e/p:it!u:tih:e PF;COFL%'.$+.' COST%'.$ip.' CPOET%'.

$pt.' I'&

e+h -<s+ipt tpe%'te/ts+ipt'$.!s*( fe 500feOut

500 *Pth ':*s' +tet '-.$p)*. -Heete Su++essfu::P:ese efe

esu:t se+ti fte this !ess*e'=#&<s+ipt-&

 

APPENDIX B

SCREEN SHOTS

Screen Shot 1 Scanner page

Screen Shot 2 Scanner Result Page

Screen Shot 3 Windows Payload
