KALI ARAÇLARININ WEB TABANLI MIS VE ERP UYGULAMALARINI HACKLEME VE MANIPÜLE ETME AMACIYLA KULLANIMINA YÖNELIK BIR RISK DEĞERLENDIRMESI

Öz

Web tabanlı Yönetim Bilişim Sistemleri (MIS) ve Kurumsal Kaynak Planlama (ERP) uygulamalarına olan bağımlılığın artması, bu sistemleri siber saldırganlar için cazip bir hedef haline getirmiştir. Bu çalışma, Kali Linux araçlarının web tabanlı MIS ve ERP uygulamalarını hackleme ve manipüle etme amacıyla kullanılmasına yönelik kapsamlı bir risk değerlendirmesi yapmaktadır. Keşif, tarama, numaralandırma, istismar ve istismar sonrası aşamalar da dahil olmak üzere temel sızma testi metodolojileri incelenerek bu sistemlerdeki güvenlik açıkları vurgulanmaktadır. Araştırma kapsamında SQLMap, Burp Suite, Metasploit Framework, Nmap ve Nessus gibi öne çıkan Kali Linux araçlarının detaylı bir analizi yapılmıştır. Bu araçlar, güvenlik testleri için yaygın olarak kullanılmakla birlikte, kötü niyetli faaliyetler için kullanıldığında önemli riskler teşkil etmektedir. Çalışmada vaka analizleri ve mevcut literatürden yararlanılarak, web tabanlı MIS ve ERP uygulamalarındaki kritik güvenlik açıkları ortaya konmuş ve güçlü savunma mekanizmalarının gerekliliği vurgulanmıştır. Düzenli güvenlik denetimleri, en az ayrıcalık ilkesine dayalı erişim kontrollerinin uygulanması, güvenlik farkındalığı eğitimi, ileri tehdit tespit sistemlerinin devreye alınması ve sızma testlerini düzenleyen yasal ve uyum çerçevelerine riayet edilmesi gibi proaktif risk azaltma stratejileri önerilmektedir. Araştırma, Kali Linux’un etik hackleme ve güvenlik değerlendirmeleri için önemli bir araç olduğunu, ancak yapay zeka algoritmalarının desteğiyle tarama ve saldırı süreçlerinin otomatikleştirilmesiyle kötüye kullanım riskinin arttığını ortaya koymaktadır. Sonuç olarak, kurumsal varlıkları korumak için katı bir siber güvenlik çerçevesinin benimsenmesi gerektiği vurgulanmaktadır. Gelecek çalışmaların, otomatik tehdit tespit sistemlerinin entegrasyonu ve sızma testlerinin hukuki boyutlarını ele alarak siber güvenlik dayanıklılığını artırmaya odaklanması önerilmektedir.

Anahtar Kelimeler

• Kali Linux
• web tabanlı uygulamalar
• Yönetim Bilişim Sistemleri (YBS)
• Kurumsal Kaynak Planlaması (KKP)
• hackerlık
• güvenlik açıkları
• siber riskler

A RISK ASSESSMENT ON USAGE OF KALI TOOLS TO HACK AND MANIPULATE WEB-BASED MIS AND ERP APPLICATIONS

Öz

The increasing reliance on web-based Management Information Systems (MIS) and Enterprise Resource Planning (ERP) applications has made them an attractive target for cyber attackers. This study conducts a comprehensive risk assessment of the use of Kali Linux tools in hacking and manipulating web-based MIS and ERP applications. By examining key penetration testing methodologies—including reconnaissance, scanning, enumeration, exploitation, and post-exploitation—this research highlights the vulnerabilities inherent in these systems. The study provides an in-depth analysis of prominent Kali Linux tools such as SQLMap, Burp Suite, Metasploit Framework, Nmap, and Nessus, which are commonly used for security testing but also pose significant risks when leveraged for malicious activities. Drawing on case studies and existing literature, the findings underscore the critical security gaps in web-based MIS and ERP applications, emphasizing the need for robust defense mechanisms. The study proposes proactive risk mitigation strategies, including regular security audits, implementation of least privilege access controls, security awareness training, deployment of advanced threat detection systems, and adherence to legal and compliance frameworks governing penetration testing. The research concludes that while Kali Linux serves as a valuable tool for ethical hacking and security assessments, its misuse with the support of AI algorithms and automated code generations of scanning and attacks necessitates a stringent cybersecurity framework to protect organizational assets. Future research should explore the integration of automated threat detection systems and the legal implications of penetration testing to enhance cybersecurity resilience.

Anahtar Kelimeler

• Kali Linux
• web-based applications
• MIS
• ERP
• hacking
• vulnerabilities
• cyber risks

Kaynakça

1. Acumatica. (2021). Acumatica Security. https://www.acumatica.com/cloud-erp-software/security/
2. Akhtar, Z. B., & Rawol, A. T. (2024). Uncovering cybersecurity vulnerabilities: A Kali Linux investigative exploration perspective. Sciendo.
3. Alazmi, S., & De Leon, D. C. (2022). A systematic literature review on the characteristics and effectiveness of web application vulnerability scanners. IEEE Access, 10, 33200-33219.
4. Alcorn, W. (2014). Beef-the browser exploitation framework project. https://beefproject.com/
5. Alkhalaf, A., Alkhatib, B., & Ghanem, S. (2022, December). SQL Injection Attack Detection Using Machine Learning Techniques. In International Conference on Advanced Computing and Intelligent Engineering (pp. 145-156). Singapore: Springer Nature Singapore.
6. Apache Software Foundation. (2017). CVE-2017-5638: Apache Struts 2 vulnerability. Retrieved from https://struts.apache.org/docs/s2-045.html
7. Apache Struts. (2017, March 6). S2-045: Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads. Apache Struts Announcements. https://struts.apache.org/announce#a20170306
8. Bakry, B. M. B., Adenan, A. R. B., & Others. (2022). Security attack on IoT related devices using Raspberry Pi and Kali Linux. IEEE.

9. Baltzan, P. (2019). Business driven technology. McGraw-Hill Education.
10. Bidhuri, V. (2019). Enhancing Password Security Using a Hybrid Approach of SCrypt Hashing and AES Encryption (Doctoral dissertation, Dublin, National College of Ireland).
11. Chandrasekaran, M., & Mishra, R. K. (2016). Security issues and their solution in cloud computing. Procedia Computer Science, 85, 3-13.
12. Ciric, V., Milosevic, M., Sokolovic, D., et al. (2024). Modular deep learning-based network intrusion detection architecture for real-world cyber-attack simulation. Simulation Modelling Practice and Theory, Elsevier.
13. CIRT. (2021). Nikto: Web server scanner. Retrieved from https://cirt.net/nikto2
14. Cisar, P., Cisar, S. M., & Fürstner, I. (2018). Security assessment with Kali Linux. Bánki Közlemények.
15. Deltek. (2021). Costpoint Security. https://www.deltek.com/en/products/project-erp/costpoint/security
16. Dissanayake, N., Jayatilaka, A., Zahedi, M., & Babar, M. A. (2022). Software security patch management-A systematic literature review of challenges, approaches, tools and practices. Information and Software Technology, 144, 106771.
17. Epicor. (2021). Epicor Security. https://www.epicor.com
18. Fadlalla, F. F., & Elshoush, H. T. (2023). Input Validation Vulnerabilities in Web Applications: Systematic Review, Classification, and Analysis of the Current State-of-the-Art. IEEE Access, 11, 40128-40161.
19. Greenbone Networks. (2021). OpenVAS: Open vulnerability assessment system. Retrieved from https://www.openvas.org/
20. Hameed Alazawi, S. A., Abdulhameed, A. A., & Others. (2024). Comparative study on applications of cybersecurity tools for Kali Linux operating system. AIP Conference Proceedings.
21. Hameed, M. A., & Arachchilage, N. A. G. (2016). A model for the adoption process of information system security innovations in organisations: a theoretical perspective. arXiv preprint arXiv:1609.07911.
22. He, Y., Zamani, E., Yevseyeva, I., & Luo, C. (2023). Artificial intelligence–based ethical hacking for health information systems: simulation study. Journal of Medical Internet Research, 25(1), e43231.
23. Herman, H., Riadi, I., & Kurniawan, Y. (2023). Vulnerability detection with K-nearest neighbor and naive Bayes method using machine learning. International Journal of Artificial Intelligence Research, 7(1).
24. Hertzog, R., O'Gorman, J., & Aharoni, M. (2017). Kali Linux revealed. Mastering the Penetration Testing.
25. Howard, M., & Lipner, S. (2006). The security development lifecycle. Microsoft Press.
26. Ibrahim, R. Y., & Rosli, M. M. (2023, December). Evaluation of Web Application Vulnerability Scanners using SQL Injection Attacks. In 2023 IEEE 8th International Conference on Recent Advances and Innovations in Engineering (ICRAIE) (pp. 1-6). IEEE.
27. Infor. (2021). Infor Security. https://www.infor.com/trust/security
28. James, J. W. (2023). Engineering the human mind: Social engineering attack using Kali Linux. SN Computer Science.
29. Jemal, I., Cheikhrouhou, O., Hamam, H., & Mahfoudhi, A. (2020). Sql injection attack detection and prevention techniques using machine learning. International Journal of Applied Engineering Research, 15(6), 569-580.
30. Jeremiah, J. (2019). Awareness case study for understanding and preventing social engineering threats using Kali Linux penetration testing toolkit. ech Insig.
31. Johansen, G., Allen, L., Heriyanto, T., & Ali, S. (2016). Kali Linux 2–Assuring security by penetration testing. Packt Publishing.
32. Kali Linux Tutorial. (2016). BeEF XSS Framework – Kali Linux 2016. Retrieved from https://www.kalilinuxtutorials.com/beef-xss-framework-kali-linux/
33. Kali Linux. (2021). About Kali Linux. Retrieved from https://www.kali.org/about-us/
34. Khalaf, O. I., Sokiyna, M., Alotaibi, Y., Alsufyani, A., & Alghamdi, S. (2021). Web Attack Detection Using the Input Validation Method: DPDA Theory. Computers, Materials & Continua, 68(3).
35. Khan, S. U., Eusufzai, F., Azharuddin, M. R., et al. (2022). Artificial intelligence for cyber security: performance analysis of network intrusion detection. In Artificial Intelligence for Cybersecurity (pp. 121-140). Springer.
36. Kizza, J. M. (2014). Computer network security and cyber ethics. McFarland.
37. Knorr, K. (2013). Patching our critical infrastructure: Towards an efficient patch and update management for industrial control systems. In Securing critical infrastructures and critical control systems: Approaches for threat protection (pp. 190-216). IGI Global.
38. Kujanpää, K., Victor, W., & Ilin, A. (2021). Automating privilege escalation with deep reinforcement learning. In Proceedings of the ACM Workshop on Artificial Intelligence and Security.
39. Laudon, K. C., & Laudon, J. P. (2004). Management information systems: Managing the digital firm. Pearson Education Limited.
40. Lyon, G. F. (2009). Nmap network scanning: The official Nmap project guide to network discovery and security scanning. Nmap Project.
41. Mahmood, M., Hossain, M. M., Farah, R. M., et al. (2024). Self-poisoning network to prevent reconnaissance by generative artificial intelligence. In Lecture Notes in Artificial Intelligence. Springer.
42. Marchetti, K., & Bodily, P. (2022, May). John the Ripper: An Examination and Analysis of the Popular Hash Cracking Algorithm. In 2022 Intermountain Engineering, Technology and Computing (IETC) (pp. 1-6). IEEE.
43. Martínez, A. L., Cano, A., & Ruiz-Martínez, A. (2025). Generative Artificial Intelligence-Supported Pentesting: A Comparison between Claude Opus, GPT-4, and Copilot. arXiv preprint arXiv:2501.06963.
44. Maryam, U. (2023). Phishing Attacks Facilitated by Open-Source Intelligence. International Journal of Computer and Information Engineering, 17(10), 587-590.
45. Matherly, J. (2015). Shodan: The search engine for the internet of things. Retrieved from https://www.shodan.io/
46. Messier, R. (2024). Learning Kali Linux: Security testing, penetration testing & ethical hacking. Packt Publishing.
47. Microsoft. (2021). Dynamics 365 Security. https://docs.microsoft.com/en-us/dynamics365/security/
48. Moorthy, R. S. S., & Nathiya, N. (2023). Botnet detection using artificial intelligence. Procedia Computer Science, 219, 1023–1030.
49. Moustafa, N. (2022). Digital forensics in the era of artificial intelligence. Taylor & Francis.
50. Muniz, J., & Lakhani, A. (2015). Penetration testing with raspberry pi. Packt Publishing Ltd.
51. Najera-Gutierrez, G., & Ansari, J. A. (2018). Web penetration testing with Kali Linux: Explore the methods and tools of ethical hacking with Kali Linux. Packt Publishing.
52. Nilă, C., Preda, M., & Apostol, I. (2021). Reactive wifi honeypot. In Proceedings of the IEEE Conference on Electronics and Artificial Intelligence.
53. NIST. (2017). Digital identity guidelines: Authentication and lifecycle management. Special Publication 800-63B. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-63b
54. Odoo. (2021). Odoo Security. https://www.odoo.com/security
55. Oracle. (2021). NetSuite Security. https://www.netsuite.com/portal/products/security.shtml
56. Ordoñez, G. S., & Guerra, T. C. (2018). Prototype of a security system with artificial intelligence using neural networks and evolutionary algorithms. In Springer International Conference Proceedings, Monterrey, Mexico.
57. OWASP. (2021). Cross-Site Scripting (XSS). Retrieved from https://owasp.org/www-community/attacks/xss/
58. OWASP. (2021). OWASP top ten project. Retrieved from https://owasp.org/www-project-top-ten/
59. Oz, E. (2008). Management information systems. Thomson Course Technology. https://www.amazon.com/Management-Information-Systems-Sixth-Effy/dp/1423901789
60. Pamarthi, K. (2020). Artificial intelligence and machine learning techniques to control SQL injection attacks. Journal of Scientific and Engineering Research, 7(5), 101–108.
61. Parasram, S. V. N., Samm, A., Boodoo, D., Johansen, G., & Others. (2018). Kali Linux 2018: Assuring security
62. Park, J. S. (2017). U.S. Patent No. 9,769,177. Washington, DC: U.S. Patent and Trademark Office.
63. Pfleeger, C. P., & Pfleeger, S. L. (2006). Security in computing. Prentice Hall.
64. Rapid7. (2018). Drupal CKEditor Module XSS Vulnerability. Retrieved from https://blog.rapid7.com/2018/03/28/drupal-ckeditor-module-xss-vulnerability/
65. Rapid7. (2018, March 8). Apache Struts 2: CVE-2017-5638. Rapid7 Blog. https://blog.rapid7.com/2018/03/08/apache-struts-2-cve-2017-5638/
66. Rapid7. (2021). Metasploit: Penetration testing software. Retrieved from https://www.metasploit.com/
67. Sage. (2021). Sage X3 Security. https://www.sage.com/en-us/products/sage-x3/security/
68. Sandhu, R. S., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). The protection of information in computer systems. IEEE Computer, 29(2), 38-47.
69. SAP. (2021). SAP S/4HANA Security. https://www.sap.com/products/s4hana-erp/security.html Steube, J. (2016). Hashcat: Advanced password recovery. Retrieved from https://hashcat.net/hashcat/
70. SYSPRO. (2021). SYSPRO Security. https://www.syspro.com/security/
71. Tabassum, M., Mohanan, S., & Sharma, T. (2021). Ethical Hacking and Penetrate Testing using Kali and Metasploit Framework. International Journal of Innovation in Computational Science and Engineering, 2(1), 09-22.
72. Tracy, M., Jansen, W., & McLarnon, M. (2002). Guidelines on Securing Public Web Servers Web Servers. NIST Special Publication, 800, 44.
73. U.S. Government Accountability Office. (2018). Data protection: Actions taken by Equifax and federal agencies in response to the 2017 breach (GAO-18-559). Retrieved from https://www.gao.gov/assets/gao-18-559.pdf
74. Van Hauser, M., & Kühn, D. (2021). Hydra: A parallelized login cracker. Retrieved from https://github.com/vanhauser-thc/thc-hydra
75. Wang, P., & Johnson, C. (2024). The impacts of generative artificial intelligence (AI) in knowledge discovery and generation for cyber defense. Issues in Information Systems, 25(1), 215–229.
76. Weidman, G. (2014). Penetration testing: a hands-on introduction to hacking. No starch press.
77. Zhuravchak, D., Opanovych, M., et al. (2024). Design of an integrated defense-in-depth system with an artificial intelligence assistant to counter malware. Eastern-European Journal of Enterprise Technologies, 9(3), 45–60.