Whatweb

WhatWeb is a tool that helps penetration testers identify the technologies in use and fingerprint web servers and web applications on a target system. Currently I am running OWASP Juice Shop, DVWA (on Kali) and Metasploitable 2. You can run these commands against any of these three machines; Metasploitable 2 also hosts several vulnerable web applications such as DVWA, Mutillidae and TWiki. You can use those too, but make sure you provide the proper directory in the commands.

DVWA (Damn Vulnerable Web App) setup:

  1. Follow the README.md instructions on the DVWA GitHub page: DVWA

OWASP Juice Shop setup:

  1. First install Docker using the following commands (the Docker signing key is stored as a keyring, and the apt source is written as one line):
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/docker-archive-keyring.gpg >/dev/null

echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list

sudo apt-get update
sudo apt install -y docker-ce docker-ce-cli containerd.io
  2. OWASP Juice Shop installation steps:
sudo systemctl restart docker
sudo docker pull bkimminich/juice-shop
sudo docker run --rm -p 3000:3000 bkimminich/juice-shop

I will be using DVWA and Metasploitable 2 at a basic level for this practical.

  1. Command:
whatweb http://localhost/DVWA
whatweb 172.30.1.134 # metasploitable2 machine ip

To put it simply, WhatWeb provides the following details:

  • The web application and its version
  • The web technologies and their versions
  • The host operating system and its version
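As an added example (my own code, not from the original page or the WhatWeb project), a small Python fingerprinter that pulls the same kinds of indicators WhatWeb reports out of a single HTTP response: server and language banners, the application's generator tag, bundled JavaScript library versions, and, from the defender's side, which of those banners leak an explicit version. The response below is a constructed sample, not captured from DVWA or Metasploitable 2.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response (not captured from a real host): the kind of
# headers and markup a PHP app on an old Apache, like Metasploitable 2, returns.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 4.9">'
    '<script src="/js/jquery-1.4.2.min.js"></script></head></html>'
)

# product/version pairs such as "Apache/2.2.8" or "PHP/5.2.4"
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")

def parse_response(raw: str) -> Tuple[Dict[str, List[str]], str]:
    """Split a raw HTTP response into a lower-cased header map and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def fingerprint(raw: str) -> Dict[str, List[str]]:
    """Return {category: [findings]} roughly mirroring WhatWeb's plugin output."""
    headers, body = parse_response(raw)
    found: Dict[str, List[str]] = {k: [] for k in
        ("server", "language", "application", "library", "version_leak")}
    found["server"] += headers.get("server", [])
    found["language"] += headers.get("x-powered-by", [])
    if any(c.startswith("PHPSESSID=") for c in headers.get("set-cookie", [])):
        found["language"].append("PHP (PHPSESSID cookie)")
    m = re.search(r'<meta name="generator" content="([^"]+)"', body, re.I)
    if m:
        found["application"].append(m.group(1))
    for lib in re.finditer(r'src="[^"]*?([a-z]+)-(\d+(?:\.\d+)+)\.min\.js"', body):
        found["library"].append(f"{lib.group(1)} {lib.group(2)}")
    # Any banner carrying an explicit version is a disclosure a defender should suppress
    for text in found["server"] + found["language"]:
        found["version_leak"] += [f"{p} {v}" for p, v in VERSION_RE.findall(text)]
    return found
```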

NMAP for web app scanning:

  1. To use Nmap's HTTP scripts for the web app scan, first list the available scripts with the following command:
ls /usr/share/nmap/scripts/http*

  2. From the list, you can choose a particular script to check for HTTP vulnerabilities on a target system. Let's imagine that you want to identify whether a target web application is vulnerable to Structured Query Language (SQL) injection attacks. The http-sql-injection NSE script can identify such security flaws:

nmap --script http-sql-injection -p 80 172.30.1.134


Tip

While many scripts within Nmap can be leveraged to identify vulnerabilities within web applications, it is important to always identify the service version of the web application by using the -A option when performing an initial scan to profile your target. Once you have identified the web application's service version, use the internet to research known vulnerabilities. As a penetration tester, it's always good to perform additional research on vulnerabilities, as you may find more information on how to compromise the target.

Metasploit for web app scanning:

  1. This time we will start by initializing the PostgreSQL database that msfconsole uses to store its data.
  2. Run the following commands to initialize it:
service postgresql start
sudo msfdb init
  3. Then start msfconsole.
  4. To check connectivity with the database, use the db_status command inside msfconsole.
  5. Then load the WMAP web vulnerability scanner module within Metasploit with the load wmap command.
  6. Next, use the wmap_sites -a command to add the target (the OWASP BWA virtual machine IP address). Check that the site was added with wmap_sites -l, then set it as the target with wmap_targets -t followed by the target URL.
  7. To have WMAP load the matching web scanning modules from Metasploit for security testing, run wmap_run -t.
  8. Once the web scanning modules have been loaded, run wmap_run -e to perform web security testing on the target web application.
  9. Lastly, use the vulns command to see the overall results of the security assessment from WMAP.

Nikto scanning:

  1. Nikto scan command:
nikto -h 172.30.1.134

-h: This option specifies the target's hostname or IP address.

  • You can read through the entire scan for different vulnerabilities.

Scanning with wpscan:

While many different web applications are used in the e-commerce industry, a large number of organizations deploy WordPress as their preferred Content Management System (CMS).

Within Kali Linux you will learn about the WPScan tool, which allows penetration testers to perform vulnerability scanning and enumeration against WordPress web applications on a target server.

  1. Let's get started with WPScan:
wpscan --url http://172.30.1.134:8585/wordpress --no-update

The following is a brief description of the syntax:

  • --url: Specifies the target URL
  • --no-update: Performs a scan without checking for updates

Note that WPScan only applies to applications built with WordPress.

  2. Next, to enumerate the login usernames of the target WordPress web application, use the -e u option:
wpscan --url http://172.30.1.134:8585/wordpress --no-update -e u

Tip

To learn more about WPScan and its capabilities, please see https://tools.kali.org/web-applications/wpscan.
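Every scanner used on this page (WhatWeb, the Nmap NSE http scripts, Nikto and WPScan) sends a recognisable default User-Agent and, in Nikto's case, produces bursts of 404s, so the same runs are easy to spot from the server side. The following is an added example (my own code, not from the page or any of those projects) that scores Apache combined-log lines by client IP; the log lines are constructed samples, and the 30% minimum 404 ratio is an assumed threshold, not a published one.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed Apache combined-log lines (not from a real server): one normal
# visitor plus the default User-Agent strings of the scanners used on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
10.0.0.9 - - [10/Oct/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "WhatWeb/0.5.5"
10.0.0.9 - - [10/Oct/2023:10:00:03 +0000] "GET /dvwa/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
10.0.0.9 - - [10/Oct/2023:10:00:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 280 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.0.0.9 - - [10/Oct/2023:10:00:04 +0000] "GET /admin/ HTTP/1.1" 404 280 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
10.0.0.9 - - [10/Oct/2023:10:00:05 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.22 (https://wpscan.org/)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Substrings of each tool's default User-Agent. Operators can change these,
# so a match is a cheap first-pass signal; absence of a match proves nothing.
SCANNER_UA = {"WhatWeb": "WhatWeb", "Nmap NSE": "Nmap Scripting Engine",
              "Nikto": "Nikto", "WPScan": "WPScan"}

def summarise(log_text: str) -> Dict[str, dict]:
    """Per client IP: request count, 404 count and the scanner UAs seen."""
    out = defaultdict(lambda: {"requests": 0, "not_found": 0, "scanners": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        rec = out[m["ip"]]
        rec["requests"] += 1
        if m["status"] == "404":
            rec["not_found"] += 1
        rec["scanners"].update(n for n, tok in SCANNER_UA.items() if tok in m["ua"])
    return dict(out)

def suspicious_clients(log_text: str, min_404_ratio: float = 0.3) -> List[str]:
    """IPs that announced a scanner UA or whose 404 ratio suggests path brute-forcing."""
    hits = []
    for ip, rec in summarise(log_text).items():
        if rec["scanners"] or rec["not_found"] / rec["requests"] >= min_404_ratio:
            hits.append(ip)
    return hits
```

On a real server the same two signals (scanner tokens in the User-Agent and a high 404 ratio per source) are what a WAF or SIEM rule would key on, with the ratio threshold tuned to the site's normal error rate.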


Further reading: