Vapt Addon

The document provides an overview of Vulnerability Assessment and Penetration Testing (VAPT), detailing the processes involved in identifying and exploiting security vulnerabilities in systems. It outlines the phases of penetration testing, including planning, information gathering, scanning, exploitation, and reporting, as well as the importance of IP addresses and their classifications. Additionally, it covers the differences between IPv4 and IPv6, the significance of MAC addresses, port numbers, and the use of tools like Nmap for network security auditing.

Uploaded by

youremail000000
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
17 views43 pages

Vapt Addon

The document provides an overview of Vulnerability Assessment and Penetration Testing (VAPT), detailing the processes involved in identifying and exploiting security vulnerabilities in systems. It outlines the phases of penetration testing, including planning, information gathering, scanning, exploitation, and reporting, as well as the importance of IP addresses and their classifications. Additionally, it covers the differences between IPv4 and IPv6, the significance of MAC addresses, port numbers, and the use of tools like Nmap for network security auditing.

Uploaded by

youremail000000
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

VAPT

VULNERABILITY ASSESSMENT PENETRATION TESTING


WHAT IS VULNERABILITY ASSESSMENT

Vulnerability assessment (VA) is a systematic technical approach to finding the security loopholes in a network or software system.
It primarily adopts a scanning approach, carried out both manually and with automated tools.
The outcome of a VA process is a report listing all vulnerabilities, categorised by severity.
This report is then used for the next step, which is penetration testing (PT).
What is Penetration Testing?

Penetration Testing (Pentesting) is a simulated cyberattack on a system.
Goal: Find vulnerabilities before real attackers do.
Done ethically by cybersecurity professionals.
Helps improve the security posture of organizations.
Penetration Testing Phases Overview

Planning and Preparation
Information Gathering
Scanning and Enumeration
Vulnerability Assessment
Exploitation
Post-Exploitation
Reporting and Remediation
Phase 1 – Planning & Preparation

Key Elements:
Define Purpose: Why is the test being done?
Rules of Engagement: What is allowed or not?
Scoping: Define IPs, applications, time frame.
Team & Tools: Assign testers, list tools.
Planning Deep Dive

Identify Objective: Web app test? Network? Internal?
Scoping: Black-box, white-box, or gray-box testing.
Legal Authorization: Get written permission.
Resource Allocation:
Time duration
Team size
Budget and tools
Phase 2 – Information Gathering

Also called Reconnaissance.
Passive: Whois, DNS records, social media.
Active: Ping sweeps, port scans.
Helps map the target infrastructure.
Phase 3 – Scanning & Enumeration

Scanning:
Port Scanning (Nmap)
Service Version Detection
Enumeration:
Usernames, shares, services
Exploitable banners
Protocol-specific queries (SMB, SNMP, LDAP)
Phase 4 – Vulnerability Assessment
Identify known vulnerabilities in scanned systems.
Use tools like:
Nessus
OpenVAS
Nikto
OWASP ZAP
Phase 5 – Exploitation

Attempt to exploit identified vulnerabilities.
Gain access to the system, escalate privileges.
Use tools like:
Metasploit
Custom exploits
Controlled environment, avoid damage.
Phase 6 – Post-Exploitation

Understand the value of the compromised system.
Maintain access (backdoors, shells).
Check for sensitive data.
Lateral movement within the network.
Phase 7 – Clearing Tracks & Reporting

Clear logs to avoid detection (for learning purposes only).
Remove payloads, shells.

Reporting:
Findings
Exploited vulnerabilities
Screenshots and PoC
Recommendations for remediation
Remediation

Work with the organization to patch issues.
Help apply security best practices.
Retest to ensure vulnerability is fixed.
1. What is an IP Address?

An IP address (Internet Protocol address) is like a home address for a device on a network. Just as your house has a unique address for sending mail, a device needs an IP address to send and receive data over the internet or LAN.
IPv4 is the most commonly used version.
Format: x.x.x.x (each x is a number from 0 to 255)
Example: 192.168.1.1
Structure of IPv4 Address

IPv4 is a 32-bit address, divided into 4 octets of 8 bits each.
Total combinations: 2^32 = 4,294,967,296 possible addresses


IP Address Classes

To manage different sizes of networks (small, medium, large), IP addresses are divided into 5 classes: A, B, C, D, and E.
Class A (for very large networks)

Feature               Value
First Octet Range     1 to 126
Starting Bits         0
Subnet Mask           255.0.0.0
Number of Networks    128 (approx.)
Hosts per Network     ~16 million (2^24 - 2)
Example               10.0.0.1, 1.25.32.10


Class B (for medium-sized networks)

Feature               Value
First Octet Range     128 to 191
Subnet Mask           255.255.0.0
Networks Available    ~16,000
Hosts per Network     ~65,000 (2^16 - 2)
Example               172.16.0.1, 150.100.50.2


Class C (for small networks)

Feature               Value
First Octet Range     192 to 223
Subnet Mask           255.255.255.0
Networks Available    ~2 million
Hosts per Network     254 (2^8 - 2)
Example               192.168.1.1, 200.100.10.5


Class D (for Multicasting – not for hosts)

Feature               Value
First Octet Range     224 to 239
Usage                 Sends data to a group of hosts (e.g., streaming video to many users)
Example               224.0.0.1 (used in RIP routing protocol)


Class E (for Experimental / Research)

Feature               Value
First Octet Range     240 to 255
Usage                 Reserved for research and testing; not used in general networks
Example               250.100.50.25
Reserved IP Address Ranges (Private IPs)

Some IP ranges are reserved for private networks and are not reachable from the internet. They are used in homes, offices, schools, etc.

Class   Private IP Range                  Example
A       10.0.0.0 to 10.255.255.255        10.1.1.1
B       172.16.0.0 to 172.31.255.255      172.16.5.4
C       192.168.0.0 to 192.168.255.255    192.168.1.1


Class   First Octet   Subnet Mask       Host Capacity      Usage Type
A       1 - 126       255.0.0.0         ~16 million        Large networks
B       128 - 191     255.255.0.0       ~65,000            Medium networks
C       192 - 223     255.255.255.0     254                Small networks
D       224 - 239     Not used          Multicast groups   Audio/video broadcast
E       240 - 255     Not used          Experimental       R&D and reserved use
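As an added example (not part of the original slides), the classful rules and private ranges from the tables above in Python: classify_ipv4 returns the class letter, the default classful network, the usable host count and whether the address is in one of the three private ranges, and in_scope applies the Phase 1 idea of an agreed IP scope. The function names are my own; 0.x.x.x and 127.x.x.x are reported as "special" because the tables do not cover them.

```python
"""Classful IPv4 classification and private-range check, following the tables above."""
import ipaddress

# The three private ranges from the page's "Reserved IP Address Ranges" table.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (class, first-octet low, high, default prefix length) from the class tables;
# D and E have no host portion, so no default mask.
CLASSES = [("A", 1, 126, 8), ("B", 128, 191, 16), ("C", 192, 223, 24),
           ("D", 224, 239, None), ("E", 240, 255, None)]


def classify_ipv4(addr: str) -> dict:
    """Return class letter, classful network, usable host count and private flag."""
    ip = ipaddress.IPv4Address(addr)   # raises ValueError on a malformed address
    first = int(ip) >> 24              # top 8 bits of the 32-bit value = first octet
    cls, prefix = "special", None      # 0.x.x.x and 127.x.x.x (loopback) are outside the tables
    for letter, low, high, plen in CLASSES:
        if low <= first <= high:
            cls, prefix = letter, plen
            break
    network = hosts = None
    if prefix is not None:
        network = str(ipaddress.ip_interface(f"{addr}/{prefix}").network)
        hosts = 2 ** (32 - prefix) - 2   # minus the network and broadcast addresses
    return {"address": addr, "class": cls, "network": network,
            "hosts_per_network": hosts,
            "private": any(ip in net for net in PRIVATE_RANGES)}


def in_scope(addr: str, scope: list) -> bool:
    """True if addr falls inside one of the agreed scope CIDRs (Phase 1 scoping)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in scope)


if __name__ == "__main__":
    for a in ("10.1.1.1", "172.16.5.4", "172.32.0.1", "192.168.1.1", "224.0.0.1", "127.0.0.1"):
        print(classify_ipv4(a))
    # The page's Nmap examples target 192.168.56.102 inside 192.168.56.0/24.
    print(in_scope("192.168.56.102", ["192.168.56.0/24"]))
```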


What is IPv6?

IPv6 (Internet Protocol version 6) is the latest version of the Internet Protocol, designed to replace
IPv4 due to the exhaustion of available IPv4 addresses.
IPv6 allows more devices to connect to the internet with a much larger address space than IPv4.

Why Do We Need IPv6?

Reason                    Explanation
Limited IPv4 addresses    IPv4 supports ~4.3 billion addresses (2³²). That's not enough for the modern world with billions of phones, computers and IoT devices.
Growth of the internet    More users, more websites, more devices = more IPs needed
IoT revolution            Everything from refrigerators to smartwatches needs an IP
Better security           IPv6 has built-in support for IPsec (for authentication and encryption)
IPv4 vs IPv6 – Quick Comparison

Feature            IPv4                           IPv6
Address Length     32 bits                        128 bits
Format             Decimal (e.g., 192.168.0.1)    Hexadecimal (e.g., 2001:0db8::1)
Total Addresses    4.3 billion (2³²)              340 undecillion (2¹²⁸)
Security           Optional                       Mandatory (IPSec support)


Types of IPv6 Addresses

Type         Description
Unicast      One-to-one communication (unique to one interface)
Multicast    One-to-many communication (multiple receivers)
Anycast      One-to-nearest communication (delivered to closest node)
What is a MAC Address?
A MAC address (Media Access Control address) is a unique identifier assigned to every network device (like a
computer, router, switch port, or phone) that connects to a network.
It is used to identify devices at the Data Link Layer (Layer 2) of the OSI model.

Format of MAC Address:
It is a 48-bit (6-byte) address.
Usually written in hexadecimal like this:
00:1A:2B:3C:4D:5E
00-1A-2B-3C-4D-5E
Windows computers often list it as a “Physical Address”.
Apple products might call it a “Wi-Fi Address”.
Network professionals sometimes refer to it as a “Hardware ID”.

Different systems write MAC addresses in slightly different ways:
Linux systems use colons: 00:0A:95:9D:67:16
Some Windows programs use hyphens: 00-0A-95-9D-67-16
Cisco equipment uses periods: 000A.959D.6716
But they’re all the same thing, just written differently.
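An added example, not part of the original page: a small Python helper that accepts the three notations listed above, rejects anything else, and normalises them so two records of the same device compare equal; it also reads the vendor prefix and the two flag bits of the first byte. The helper names and the sample addresses beyond the page's own are my own.

```python
"""Normalise the MAC notations listed above so records from different systems compare equal."""
import re

# One pattern per notation the page lists; anything else is rejected rather than guessed.
_FORMATS = (
    re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$"),   # Linux:   00:0A:95:9D:67:16
    re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$"),   # Windows: 00-0A-95-9D-67-16
    re.compile(r"^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"),  # Cisco:   000A.959D.6716
)


def normalize_mac(raw: str) -> str:
    """Return the address as lower-case colon-separated bytes, or raise ValueError."""
    text = raw.strip()
    if not any(p.match(text) for p in _FORMATS):
        raise ValueError(f"unrecognised MAC notation: {raw!r}")
    digits = re.sub(r"[:.\-]", "", text).lower()            # 12 hex digits = 48 bits
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def same_device(a: str, b: str) -> bool:
    """Compare two MACs written in possibly different notations."""
    return normalize_mac(a) == normalize_mac(b)


def oui(mac: str) -> str:
    """First three bytes: the vendor prefix (OUI) used when inventorying hardware."""
    return normalize_mac(mac)[:8]


def mac_flags(mac: str) -> dict:
    """Decode the two flag bits of the first byte (IEEE 802 addressing):
    bit 0 = group/multicast address, bit 1 = locally administered (not the vendor's
    burned-in value, e.g. a randomised or manually set address; worth noting in an asset inventory)."""
    first = int(normalize_mac(mac)[:2], 16)
    return {"multicast": bool(first & 0x01), "locally_administered": bool(first & 0x02)}


if __name__ == "__main__":
    print(same_device("00:0A:95:9D:67:16", "000A.959D.6716"))   # the page's own examples
    print(oui("00-0A-95-9D-67-16"), mac_flags("02:00:00:00:00:01"))
```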
Introduction to Port Numbers
Ports are logical endpoints for communication.
Used to identify specific services or applications on a device.
Combined with IP addresses to send/receive data properly.
Port Number Categories
Type                Range           Purpose
Well-Known Ports    0 – 1023        Common services (HTTP, SSH, etc.)
Registered Ports    1024 – 49151    Software & apps
Dynamic Ports       49152 – 65535   Temporary connections (e.g., browsing)
Protocol Types
TCP (Transmission Control Protocol):
- Reliable, connection-oriented
- Used by HTTP, FTP, SSH
UDP (User Datagram Protocol):
- Fast, connectionless
- Used by DNS, DHCP, streaming
Common Port Numbers
Port     Protocol   Service    Usage
20       TCP        FTP Data   File transfers
21       TCP        FTP Ctrl   File command/control
22       TCP        SSH        Secure remote access
23       TCP        Telnet     Unsecure remote access
25       TCP        SMTP       Email sending
53       TCP/UDP    DNS        Domain resolution
67/68    UDP        DHCP       IP address assignment
80       TCP        HTTP       Web browsing (non-secure)
110      TCP        POP3       Email download
143      TCP        IMAP       Email access on server
443      TCP        HTTPS      Secure web browsing
3306     TCP        MySQL      Database
3389     TCP        RDP        Remote Desktop


Introduction to Nmap
Nmap (Network Mapper) is a free and open-source tool.
Used for network discovery and security auditing.
Helps ethical hackers find live hosts, open ports, and services.
Why Learn Nmap?
Helps in reconnaissance.
Used in penetration testing and vulnerability assessments.
Basic Nmap Scan Types
Ping Scan: nmap -sn 192.168.56.0/24 — Finds live hosts (no port scan)
TCP Connect: nmap -sT 192.168.56.102 — Connects to ports (easier to detect)
SYN Scan: nmap -sS 192.168.56.102 — Stealthy scan (needs root)
Version Detect: nmap -sV 192.168.56.102 — Shows software name and version
OS Detection: nmap -O 192.168.56.102 — Tries to detect OS
Aggressive Scan: nmap -A 192.168.56.102 — All-in-one scan
UDP Scan: sudo nmap -sU -p 53 192.168.56.102 — Scans UDP ports (slow)
1. Find Live Hosts: nmap -sn 192.168.56.0/24
2. TCP Scan: nmap -sT 192.168.56.102
3. SYN Scan: nmap -sS 192.168.56.102
4. Version Detection: nmap -sV 192.168.56.102
5. OS Detection: nmap -O 192.168.56.102
6. Aggressive Scan: nmap -A 192.168.56.102
7. Vulnerability Scan: nmap --script vuln 192.168.56.102
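The scan workflow above produces output that still has to be triaged. As an added example (not from the page), this Python script parses Nmap's grepable output format (written with -oG), buckets each open port into the categories from the port table, and flags the cleartext services that table marks as non-secure together with the secure protocol from the "Secure Protocols" list that replaces them. The scan text is a constructed sample, not a real scan, and the function names are my own.

```python
"""Triage Nmap grepable (-oG) output: bucket open ports, flag cleartext services."""


def port_category(port: int) -> str:
    """Categories from the page's 'Port Number Categories' table."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"


# Cleartext services from the page's port table, with the secure protocol
# from its 'Secure Protocols' list that should replace each one.
CLEARTEXT = {21: ("FTP", "SFTP"), 23: ("Telnet", "SSH"), 80: ("HTTP", "HTTPS")}


def parse_grepable(text: str) -> dict:
    """Map host -> list of open ports. -oG lines are tab-separated fields; the
    'Ports:' field lists port/state/proto/owner/service/rpc/version entries."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # '# Nmap ...' header and footer lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])          # a ping-scan hit has Status but no Ports
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                port, state, proto, _, service, _, version = entry.strip().split("/")[:7]
                if state == "open":
                    hosts[ip].append({"port": int(port), "proto": proto, "service": service,
                                      "version": version, "category": port_category(int(port))})
    return hosts


def findings(hosts: dict) -> list:
    """One remediation line per cleartext service exposed on a TCP port."""
    out = []
    for ip, ports in hosts.items():
        for p in ports:
            if p["proto"] == "tcp" and p["port"] in CLEARTEXT:
                name, fix = CLEARTEXT[p["port"]]
                out.append(f"{ip}:{p['port']} {name} is cleartext; replace with {fix}")
    return out


# Constructed sample in -oG layout (not a real scan); hosts are the page's lab addresses.
SAMPLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.56.101 ()\tStatus: Up\n"
    "Host: 192.168.56.102 ()\tPorts: 21/open/tcp//ftp//vsftpd/, 22/open/tcp//ssh//OpenSSH/, "
    "23/open/tcp//telnet//Linux telnetd/, 25/closed/tcp//smtp///, 80/open/tcp//http//Apache httpd/, "
    "3306/open/tcp//mysql//MySQL/, 49160/open/tcp//unknown///\tIgnored State: closed (993)\n"
)

if __name__ == "__main__":
    for line in findings(parse_grepable(SAMPLE)):
        print(line)
```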
Secure Protocols

Secure protocols are special rules used in communication to protect data from
hackers. They ensure:
Confidentiality (data is hidden from others),
Integrity (data isn’t changed),
Authentication (you're talking to the right person/device).

Examples: HTTPS, SSH, SFTP, TLS, etc.
