123

Setting up a solid environment is the foundation of any successful API penetration test. In this article, we’ll walk you through creating a powerful hacking setup, from installing Kali Linux to configuring essential tools and setting up labs specifically designed for API testing. This guide is crafted to help you uncover hidden API endpoints, understand how to leverage tools like Burp Suite, OWASP ZAP, and FoxyProxy, and set up reconnaissance tools that make API hacking efficient and effective.

Whether you're just starting out or looking to refine your approach, this guide ensures you’re well-equipped for hands-on API testing. So grab a coffee, follow along, and let’s get this setup ready to tackle any API challenge!

Setting Up the Environment

1. Install Kali Linux

Download and set up the Kali Linux 64-bit VM via VMware from the official Kali website.

2. Update Kali

Ensure your Kali installation is up-to-date with the following commands:

sudo apt update -y
sudo apt upgrade -y
sudo apt dist-upgrade -y

3. Update User Accounts

After setting up the OS, updating default credentials is a security best practice.

4. Install Essential Tools

Burp Suite Community Edition

Burp Suite is crucial for intercepting and analyzing HTTP requests.

sudo apt-get install burpsuite -y

Download Jython from jython.organd add the .jar file to the Extender Options in Burp Suite.

FoxyProxy Standard

• FoxyProxy lets you control traffic routing, especially useful when switching between Burp and other proxies.
  1. Install FoxyProxy from here.
  2. Configure Proxies:
     1. BurpSuite Proxy: Set IP to 127.0.0.1, Port to 8080.
     2. Postman Proxy: Set IP to 127.0.0.1, Port to 5555.
  3. Burp Suite Certificate
     1. Using FoxyProxy, select the BurpSuite proxy.
     2. Visit http://burpsuite and download the CA certificate.
     3. Import the certificate into Firefox.

OWASP ZAP

Another essential tool for security testing.

sudo apt install zaproxy

Navigate to Manage Add-Ons (CTRL+U) to update Fuzzer and OpenAPI Support.

MITMweb Certificate Setup

• Start MITMweb: mitmweb
• Use FoxyProxy to route traffic to BurpSuite.
• Download the mitmproxy-ca-cert.pem from mitm.it.
• Import the certificate into Firefox.

Install Postman

sudo wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-x64.tar.gz
sudo tar -xvzf postman-linux-x64.tar.gz -C /opt
sudo ln -s /opt/Postman/Postman /usr/bin/postman

Install mitmproxy2swagger

sudo pip3 install mitmproxy2swagger

Install Git

sudo apt-get install git

Install Docker

sudo apt-get install docker.io docker-compose

Install Go

sudo apt install golang-go

Install JWT Toolkit

cd /opt
sudo git clone https://github.com/ticarpi/jwt_tool
cd jwt_tool
pip3 install termcolor cprint pycryptodomex requests

Install Kiterunner

sudo git clone https://github.com/assetnote/kiterunner.git
cd kiterunner
sudo make build
sudo ln -s /opt/kiterunner/dist/kr /usr/bin/kr\

Install Arjun

• sudo apt install arjun

5. Useful Wordlists

SecLists

sudo apt install seclists

Configuring the Hacking Lab

crAPI

crAPI is an API security testing lab from OWASP.

• Create a lab directory and set up crAPI:

  cd ~
  mkdir labs
  sudo curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
  sudo docker-compose pull
  sudo docker-compose -f docker-compose.yml --compatibility up -d

  If you encounter installation issues, consider using the development version available on GitHub or APIsec’s hosted instance.

API Reconnaissance Techniques

1. Passive Reconnaissance

Google Dorking

inurl:"/wp-json/wp/v2/users"
inurl:"/api/v1" intext:"index of /"
intitle:"index.of" intext:"api.txt"
intitle:"index of" api_key OR "api key" OR apiKey -pool

Git Dorking

api key
api keys
apikey
authorization: Bearer
access_token
token

Shodan Queries

hostname:"targetname.com"
content-type: application/json
content-type: application/xml
200 OK
wp-json

Wayback Machine

Compare older API documentation for differences in endpoints. Test old endpoints during active testing.

2. Active Reconnaissance

Nmap

nmap -sC -sV <target> -oA output.txt
nmap -p- <target> -oA output-allports.txt
nmap -sV --script=http-enum <target> -p 80,443,8000,8080

Amass

amass enum -active -d <target>

Directory Brute-force

• Gobuster:

  gobuster dir -u http://target-name.com:8000 -w /usr/share/dirb/common.txt

• ffuf:

  ffuf -u http://target/FUZZ -w /usr/share/dirb/common.txt

DevTools in Browser

• Open DevTools with F12 or Ctrl+Shift+I to inspect requests, check for API calls, and examine responses.

Conclusion

With your environment fully set up, you’re now ready to dive into the world of API hacking. From configuring Kali Linux and installing critical tools to creating an ideal hacking lab, every step brings you closer to a smooth and effective penetration testing experience. Remember, a good setup not only streamlines your process but also enhances the depth and accuracy of your testing.

Stay tuned for future guides that delve deeper into API exploitation techniques, common vulnerabilities, and advanced testing tools. If you found this guide helpful and want more, leave a comment with your thoughts. Until then, keep your skills sharp, stay curious, and happy hacking!