The Research On Penetration Testing Based On Kali Linux

With the continuous development and wide application of the network.the problem of network security is becoming more and more prominent.The threats to network security are becoming more and more diverse,and has become the main target of many hackers.How to prevent network attack,reduce the loss of network attack and ensure the normal operation of information network are a difficult problem which needs to be solved at present.At present,security test has become an important means to ensure network security.Penetration test,as a new security test method being developed at present,is undoubtedly the only choice to ensure network security.Because of it's widely using for penetration testing as an integration of many penetration testing software and tools,Kali Linux has become a "sharp sword" in the hands of security testers.In this paper,VMware software is used to build a simulated network environment of the company.There are many different systems deploys in virtual machines,including Kali Linux test host,Windows target machine,Linux target machine and other five types of virtual machines,which can simulate the real network.By referring to the PTES penetration testing standard and combining with the network environment,a reliable and practical penetration testing process is designed.According to this process,Kali Linux is used to carry out penetration testing on target machines in the environment,reproducing the important process and technical method of penetration testing.Gathering information is a critical first step when conducting penetration testing.In this paper,the Nmap tool of Kali Linux system is used to scan the host in the detection environment,collect valuable information such as open port,service version information corresponding to port,host system version,etc.Then the Nessus software is used to scan the vulnerability of the target machine in the environment and obtain the vulnerability information of the target machine.The useful information collected was analyzed comprehensively.On the one hand,Web penetration attack was carried out on simulated corporate websites,mainly including SQL injection attack,XSS cross-site scripting attack and file upload attack.The Web application penetration technology was restored.On the other hand,with the help of Metasploit tool,the target machine was vulnerability attacked,and the Shell control of the target host was obtained,and then many Shell commands were executed.Thus,the accuracy of vulnerability information is verified,and the penetration test of three typical operating systems is completed.The experiment shows that the penetration test process designed in this paper is suitable for this topic research.The constructed experimental environment meets the requirements of penetration test and achieves the effect of combining practice with learning.Three typical Web attacks are implemented and penetration tests are completed for three typical operating systems.