=Paper=
{{Paper
|id=Vol-3826/paper2
|storemode=property
|title=Testing an organization’s information system for unauthorized access
|pdfUrl=https://ceur-ws.org/Vol-3826/paper2.pdf
|volume=Vol-3826
|authors=Ivan Tyshyk,Hennadii Hulak
|dblpUrl=https://dblp.org/rec/conf/cpits/TyshykH24
}}
==Testing an organization’s information system for unauthorized access==
Ivan Tyshyk (1,†) and Hennadii Hulak (2,3,*,†)

1 Lviv Polytechnic National University, 12 Stepana Bandery str., 79013 Lviv, Ukraine
2 Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudryavska str., 04053 Kyiv, Ukraine
3 Institute of Mathematical Machines and Systems Problems of the National Academy of Sciences of Ukraine, 42 Ac. Glushkov ave., 03680 Kyiv, Ukraine
Abstract

Security assessment of information systems is crucial for identifying protection issues in their components and determining potential attack vectors. Penetration testing is conducted by simulating what a real attacker could do against the target system and offers an effective way of obtaining such information. This approach provides an unbiased view of the actual level of protection against attacks and demonstrates the effectiveness of security solutions for the company’s network infrastructure in practice. Penetration testing involves evaluating software or network infrastructure for vulnerabilities and attempting to exploit them for unauthorized access, bypassing, or damaging security components. These vulnerabilities may arise from misconfigurations of communication equipment, unsecured application code, network architecture design flaws, or the disclosure of confidential information. As a result of the testing, a comprehensive report is generated, explaining each vulnerability or chain of vulnerabilities exploited to gain unauthorized access to the target, detailing the steps taken to exploit them, and providing mitigation recommendations. Each identified vulnerability is assigned a risk rating, which is used to prioritize tasks for improving the security of the tested system. The paper examines methods for conducting penetration testing of an organization’s corporate network infrastructure for unauthorized access. A simulation of information systems testing for unauthorized access was performed, and potential attacks following such access were illustrated. The most common methods of exploiting potential vulnerabilities in corporate networks are presented.

Keywords: information system, corporate network, penetration testing, virtual machine, web application, unauthorized access, network security tool, Kali Linux
CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine.
* Corresponding author. † These authors contributed equally.
ivan.y.tyshyk@lpnu.ua (I. Tyshyk); h.hulak@kubg.edu.ua (H. Hulak)
ORCID: 0000-0003-1465-5342 (I. Tyshyk); 0000-0001-9131-9233 (H. Hulak)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073.

1. Introduction

The rapid growth in the popularity of internet technologies is accompanied by an increase in serious threats to the disclosure of personal data, critical corporate resources, state secrets, and more. Every day, hackers and other malicious actors threaten network information resources, attempting to gain access to them through specialized attacks. These attacks are becoming increasingly sophisticated and easier to execute. Two main factors contribute to this.

Firstly, the widespread penetration of the internet. Today, billions of devices are connected to the network, increasing the likelihood of hackers accessing these devices and their associated computer networks through their vulnerabilities. Moreover, the global spread of the internet enables hackers to exchange information on a global scale. Secondly, the widespread availability of user-friendly operating systems and development environments. This factor significantly reduces the knowledge requirements for attackers. In the past, hackers needed strong programming skills to create and distribute malicious programs. Now, to gain access to a hacking tool, one only needs to know the address of the site that hosts it, and a few mouse clicks are enough to carry out an attack.

Information security breaches in corporate computer networks can be caused by human factors, by vulnerabilities in the operating environment of communication equipment, server operating systems, and local workstations, and by the possibility of remote attacks, especially if the corporate network is distributed and connected to public data transmission networks.

From a security perspective, distributed systems are primarily vulnerable to remote attacks, as their components typically communicate over open data transmission channels. An attacker can not only passively eavesdrop on data in transit but also modify the traffic. While such active tampering with traffic can often be detected, passive eavesdropping is nearly impossible to identify.

Vulnerability assessment is a key task in ensuring the security of information systems, and it requires regular testing. Currently, Linux distributions such as Kali Linux,
BackBox, Parrot Security OS, and several other tools are widely used for penetration testing of information systems [1]. However, given the diversity of unauthorized access methods and the type of object being tested, an appropriate testing methodology is required that provides a comprehensive evaluation of the security level of the target system.

Problem statement: In light of the above, the challenge is to select an effective methodology for testing an organization’s information system for unauthorized access to its resources. This includes thorough information gathering, which helps the organization assess the current security level of its information system, identify vulnerabilities, prioritize them by criticality, and develop an action plan to protect the system from future cyberattacks.

2. Methods for testing unauthorized access to an organization’s information system

To ensure the best testing results, regardless of the penetration tests used, the tester must follow a standardized testing methodology. The following popular testing methodologies are discussed:
- Open Web Application Security Project (OWASP) [3].
- Payment Card Industry Data Security Standard (PCI DSS) [4].
- Penetration Testing Execution Standard (PTES) [5].
- National Institute of Standards and Technology Special Publication 800-115 (NIST SP 800-115) [6].
- Open Source Security Testing Methodology Manual (OSSTMM) [7].

2.1. Open web application security project

The Open Web Application Security Project (OWASP) is a project that brings together open-source software developers. The members of this community create programs designed to protect web applications and web services. All of these applications are developed from the experience of combating malicious programs that target web services and web applications. OWASP serves as a starting point for system architects, developers, vendors, consumers, and security professionals, that is, all specialists involved in the design, development, deployment, and security testing of web services and web applications. In other words, OWASP aims to help create more secure web applications and web services.

The main advantage of the OWASP Testing Guide is that the test results provide a comprehensive description of all threats. The OWASP Testing Guide identifies the risks that may affect the system and its applications and evaluates the likelihood of their occurrence. Using the threats described by OWASP, it is possible to derive an overall risk assessment from the conducted tests and provide appropriate recommendations for mitigating the identified vulnerabilities [8].

The OWASP Testing Guide primarily focuses on the following areas: methods and tools for testing web applications; information gathering; authentication testing; business logic testing; test data; denial-of-service attack testing; session management verification; web services testing; AJAX testing; risk assessment; threat likelihood.

These threats also pose serious risks to cloud computing security [9]. Denial-of-service attacks can disrupt access to cloud services, security misconfiguration can open the door to attackers, and cloud malware attacks threaten data privacy and integrity, allowing an attacker to use the associated resources for their own purposes or to steal or manipulate data stored in the cloud. All of these threats require continuous monitoring and appropriate security measures to protect cloud services and user data [2].

2.2. Payment card data security standard

This section covers the requirements for companies that must comply with PCI (Payment Card Industry) standards. The PCI penetration testing guidance, developed by the PCI Security Standards Council, describes penetration testing methods within the vulnerability management program that PCI DSS v3.2 requires. The PCI Data Security Standard (PCI DSS) version 3.2 was released in April 2016 by the Payment Card Industry Security Standards Council (PCI SSC). In this update, the requirements were clarified, and additional guidance and seven new requirements were introduced.

To address breaches of cardholder data confidentiality and to protect against known exploits, various changes were included in PCI DSS v3.2, most of which pertain to service providers. These changes added new penetration testing requirements, which mandate that segmentation testing for service providers be performed at least every six months or after any significant change to segmentation controls or methods. Additionally, the standard contains several requirements obliging service providers to continuously monitor and maintain critical security controls throughout the year.

2.3. Penetration testing execution standard

The Penetration Testing Execution Standard (PTES) consists of seven main sections. They cover all the requirements, conditions, and methods for conducting penetration tests: from reconnaissance to the actual penetration attempts; the stages of information gathering and threat modeling, where testers work covertly to achieve the best possible results; the stages of vulnerability assessment, exploitation, and post-exploitation, where the practical security knowledge of the testers is combined with the data gathered during the test; and finally, the reporting phase, where all information is presented in a format understandable to the client.

Currently, the first version is in effect, in which all elements of the standard have been tested under real-world conditions and approved. The second version is under development, in which all requirements will be detailed, clarified, and improved.

Since the plan for each penetration test is developed individually, various tests can be applied: from web application testing to black-box testing methods. With this plan, the expected level of complexity of a particular investigation can be determined immediately and applied in the volumes and areas deemed necessary by the
organization. Preliminary research results can be found in the section on intelligence gathering.

Below are the main sections of the standard, which form the basis for conducting penetration tests: pre-engagement interactions; intelligence gathering; threat modeling; vulnerability analysis; exploitation; post-exploitation; and reporting.

2.4. National institute of standards and technology special publication

The National Institute of Standards and Technology Special Publication 800-115 (NIST SP 800-115) is a technical guide to information security testing and assessment. The publication was prepared by the Information Technology Laboratory (ITL) at NIST.

The guide defines security assessment as the process of determining how effectively an organization meets specific security requirements. On reviewing the guide, you will find that it contains a large amount of information for conducting tests. Although the document is rarely updated, it remains relevant and can serve as a reference for building a testing methodology.

The guide provides practical recommendations for developing, implementing, and maintaining technical information security tests, as well as processes and procedures for evaluations, covering the key elements of technical security testing and evaluation. These recommendations can be used for several practical tasks, such as vulnerability assessment of a system or network and checking compliance with policies or other requirements.

NIST SP 800-115 provides a comprehensive framework for penetration testing, ensuring that a penetration testing program meets the necessary guidelines.

2.5. Open source security testing methodology manual

The Open Source Security Testing Methodology Manual (OSSTMM) is a document that is quite complex to read and understand, but it contains a vast amount of relevant and highly detailed information on security. It is also the most well-known security guide globally, with approximately half a million downloads every month. The reason for its popularity is that its guidelines are about a decade ahead of all other documents in the security industry. The purpose of the OSSTMM is to advance the standards of Internet security testing. The document is designed to provide the most detailed core framework for testing, which in turn ensures thorough penetration testing. Regardless of other organizational specifics, such as the corporate profile of the penetration testing service provider, this approach allows the client to verify the level of technical evaluation.

3. Methods for testing unauthorized access to an organization’s information system

Kali Linux includes various types of programs specifically aimed at ensuring computer network security, although it is possible to install ordinary graphical applications, text editors, image viewers, and other software. However, installing such software is not recommended due to the risk of compromising system security and anonymity during testing. This OS is in continuous development, and future updates are expected to expand its functionality and toolset, as well as improve its existing capabilities.

It can be said that Kali Linux will remain a key tool in cybersecurity going forward, as it continues to evolve, adapting to new trends while maintaining its relevance and effectiveness in the field of penetration testing.

Currently, other distributions offer functionality and features similar to Kali Linux. One of the most popular is Parrot Security OS [10]. It is also based on Debian and includes a wide range of tools for penetration testing.

Parrot Security OS includes over 700 security testing tools and covers more than 700 vulnerabilities. It features built-in tools for working with anonymous networks such as Tor and I2P, tools for wireless network analysis, and intrusion detection tools, which facilitate the identification of potential attack scenarios. It offers a wide range of tools for network application security analysis and vulnerability testing. Additionally, this distribution supports the use of virtual machines, enhancing protection against network attacks and enabling the testing of various threat scenarios on information systems.

The mentioned features of Parrot Security OS help testers and cybersecurity professionals assess and improve the security of information systems and data transmission networks, as well as enhance user credential protection. However, this distribution is more focused on anonymity than Kali Linux, which primarily emphasizes security testing. Given this, the following sections focus on the network tools included in the Kali Linux distribution [11, 12].

One popular tool used by cybersecurity specialists, data analysts, and other professionals for gathering and analyzing open-source intelligence is Maltego [13].

Maltego allows users to create custom entities, enabling them to represent any type of information in addition to the basic entity types that ship with the software. Its primary goal is to analyze real-world relationships (social networks, OSINT APIs, proprietary private data, and computer network nodes) between individuals, groups, web pages, domains, networks, and internet infrastructure [14]. Maltego expands its data range through integrations with various data processing partners. Data sources include DNS records, Whois, search engines, social network services, various APIs, and assorted metadata. Maltego can be used during the information-gathering phase of any security-related task.

One of the popular tools among cybersecurity professionals is Nmap, which is designed for customizable scanning of IP networks with any number of targets and for determining the status of network objects (ports and the corresponding services). Initially developed for UNIX systems, Nmap is now available for many operating systems. Nmap is built for quickly scanning large networks, though it also works well against single targets. It uses IP packets in novel ways to discover which hosts are available on the network, what services (application names and versions) they offer, what operating systems (and OS
versions) they are running, what types of packet filters/firewalls are in use, and many other characteristics. While Nmap is commonly used for security auditing, many network and system administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime [15, 16].

According to the developer of Nmap, some of the most important features of this scanner include:

- Dynamic timing calculations: Some scanners require you to specify the time delay between sending packets. Nmap attempts to determine the best delay for you. It also tracks packet retransmissions to adjust the delay during the scan. For users with root access, the primary method for determining the delay is through the built-in ping function. For non-root users, it’s based on the number of attempts to connect to a closed port on the target. It can also select a reasonable default value.
- Packet retransmission: Some scanners simply send out all the query packets and collect the responses. However, this can result in false positives or negatives if packets are dropped. This is especially important for “negative” scan types like UDP and FIN, where the goal is to find ports that do not respond. In most cases, Nmap implements a configurable number of retransmissions for unresponsive ports.
- Parallel port scanning: Some scanners scan ports linearly, one at a time, until all 65,535 ports are scanned. This works for TCP on very fast local networks, but it’s not acceptable on wide-area networks like the Internet. Nmap uses non-blocking I/O and parallel scanning in all TCP and UDP modes. The number of parallel scans can be adjusted with the `-M` (max sockets) option.
- Flexible port specification: I don’t always want to scan all 65,535 ports. Additionally, scanners that only allow scanning ports from 1 to N sometimes don’t meet my needs. The `-p` option allows you to specify an arbitrary number of ports and ranges to scan. For example, `-p 21-25,80,113,60000-` does exactly what you expect (the trailing dash means up to 65,536, and the leading dash means starting from 1). You can also use the `-F` (fast) option to scan all ports registered in your `/etc/services` file (similar to strobe).
- Flexible target specification: I often want to scan more than one host, and I certainly don’t want to manually list each host in a large network scan. Anything that isn’t an option or option argument in Nmap is treated as a target host. As mentioned earlier, you can also append /mask to a hostname or IP address to scan all hosts that share the same initial mask bits of the 32-bit IP address.
- Unreachable host detection: Some scanners allow scanning large networks, but they waste a lot of time scanning all 65,535 ports on dead hosts! By default, Nmap checks each host to ensure it’s alive before spending time scanning it. It also supports handling hosts that appear unreachable based on unusual scan port errors. Nmap is also tolerant of users accidentally scanning network or broadcast addresses, and similar edge cases.
- Detection of your IP address: For some reason, many scanners require you to input your IP address as one of the parameters. Nmap, however, attempts to detect your IP address during the ping phase. It uses the address that receives an echo reply, as this is typically the interface through which traffic should be routed. If it can’t do this (for instance, if host pinging is disabled), Nmap tries to detect your primary interface and uses that address. You can also specify an IP address directly using the `-S` option.

Another popular penetration testing platform is Metasploit, which allows identifying, exploiting, and verifying vulnerabilities in an information system. The platform provides infrastructure, content, and tools for conducting penetration tests and offers extensive security auditing [17]. The most well-known tool within it is the open-source Metasploit Framework, an application used for developing and executing exploit code against a remote target machine [18].

This framework has become a fundamental tool for developing exploits and addressing vulnerabilities. Before Metasploit, penetration testers had to perform all checks manually, using various tools that might or might not support the testing platform, and had to write their own code to deploy within networks. Remote testing was an extraordinary task, limiting security professionals to working with local companies, while organizations had to spend significant resources on in-house IT consultants or security specialists [19].

The modern version of Metasploit contains over 1,677 exploits for more than 25 platforms, including Android, PHP, Python, Java, Cisco, and others. The framework also includes around 500 payloads [20].

One of the most popular vulnerability scanners on the market is the Nessus Vulnerability Scanner, which has become a standard among vulnerability scanners. It originally started as an open-source project but was later acquired by Tenable and is now a commercial product (Professional version). Despite this, Nessus still offers a free “Home” version, which is limited to 16 IP addresses. This version was used for simulating penetration testing for unauthorized access within the organization [21].

Vulnerability scanners have a certain limitation: they cannot detect 0-day vulnerabilities. Like antivirus software, their databases must be updated daily to remain effective. Recently, even the U.S. government has started using Nessus for vulnerability scanning; almost every federal office and U.S. military base worldwide now uses it [22].

Another popular platform for conducting security audits of web applications is the Burp Suite Scanner, which includes tools for mapping the web application, searching for files and directories, modifying requests, fuzzing web applications, password brute-forcing, and much more. There is also an extension store, the BApp Store, which extends the functionality of specific applications. Notably, the latest release includes a Mobile Assistant for testing the security of iOS mobile applications [23].
Burp Suite is an integrated platform designed for auditing web applications, both manually and automatically. It features an intuitive interface with specially designed tabs to improve and speed up the attack process. The tool itself acts as a proxy that intercepts and processes all requests coming from the browser. It also allows installing Burp’s CA certificate in the browser so that HTTPS connections can be intercepted and analyzed.

Objective of the paper: To simulate testing of an organization’s corporate network for unauthorized access using the tools from the Kali Linux distribution, to explore tools for the different testing stages, and to evaluate the collected vulnerability data. The information gathered by the tester will help companies determine the current security level of their information systems, identify vulnerabilities, prioritize them by criticality, and create an action plan for responding to future cyberattacks.

The output of Nmap is a list of scanned targets with additional information for each, depending on the specified options. The key information is the “port state table”. This table includes the port number, protocol, service name, and state. The state can be open, filtered, closed, or unfiltered. An open port means the target machine is ready to establish a connection or receive packets on that port. Filtered indicates that a firewall, network filter, or another network obstacle is blocking the port, and Nmap cannot determine whether the port is open or closed. Closed ports have no application listening on them, although they may be opened at any time. Ports are considered unfiltered when they respond to Nmap’s probes but Nmap cannot determine whether they are open or closed. Nmap reports the combined states “open/filtered” or “closed/filtered” when it cannot determine which of the two states describes the port. The table may also provide details about software versions if requested. When performing IP protocol scanning (-sO), Nmap reports supported IP protocols rather than open ports. In addition to the port state table, Nmap may provide further information about targets: resolved DNS names, guesses about the operating system in use, device types, and MAC addresses [16].

Due to its wide range of applications and openly available source code, Metasploit is used by a diverse group of people, from cybersecurity professionals to hackers. Metasploit is valuable for anyone needing a simple-to-install, reliable tool that performs its job regardless of platform or language. This software is popular among hackers and widely available, which motivates security professionals to study the Metasploit platform even if they do not use it themselves.

The modern version of Metasploit includes over 1,677 exploits for more than 25 platforms, including Android, PHP, Python, Java, Cisco, and others. The framework also contains around 500 payloads, which include the following [20]:
- Command shell payloads, which allow users to execute scripts or arbitrary commands on the host.
- Dynamic payloads, which enable testers to generate unique payloads to bypass antivirus software.
- Meterpreter payloads, which allow users to take control of a device’s screen via VNC, hijack sessions, and upload or download files.
- Static payloads, which facilitate port forwarding and communication between networks.

As a “hacker”, after scanning, you receive a comprehensive list of vulnerabilities, for which you only need to find exploits. Unfortunately, vulnerability scanners are quite “noisy”, and vigilant administrators can detect their activity. However, not all organizations have such administrators.

It’s important to note a few key points about vulnerability scanners. They cannot detect 0-day vulnerabilities. Like antivirus products, their databases must be updated daily to remain effective.

Recently, even the U.S. government started using Nessus for vulnerability scanning. Almost every federal office and military base worldwide now employs Nessus.

The software is capable of detecting the most common types of vulnerabilities, such as [24]:
- the presence of vulnerable service or domain versions;
- configuration errors (e.g., lack of required authentication on an SMTP server);
- default, empty, or weak passwords.

The program has a client-server architecture, which greatly expands its scanning capabilities. Different editions offer varying features tailored to different clients.

3.1. Port scanning with Nmap

Having identified the target IP range with passive information gathering, as well as the secmaniac.net target IP address, we can begin to scan for open ports on the target by port scanning, a process whereby we meticulously connect to ports on the remote host to identify those that are active. (Obviously, in a larger enterprise, we would have multiple IP ranges and things to attack instead of only one IP.) Nmap is, by far, the most popular port scanning tool. It integrates with Metasploit quite elegantly, storing scan output in a database backend for later use. Nmap lets you scan hosts to identify the services running on each, any of which might offer a way in. For this example, let’s leave secmaniac.net behind and turn to the virtual machine described in Appendix A, with IP address 172.16.32.131. Before we get started, take a quick look at the basic nmap syntax by entering nmap from the command line on your Back|Track machine. You’ll see immediately that nmap has quite a few options, but you’ll use just a few of them for the most part. One of our preferred nmap options is -sS. This runs a stealth TCP scan that determines whether a specific TCP-based port is open. Another preferred option is -Pn, which tells nmap not to use ping to determine whether a system is running; instead, it considers all hosts “alive.” If you’re performing Internet-based penetration tests, you should use this flag, because most networks don’t allow Internet Control Message Protocol (ICMP), which is the protocol that ping uses. If you’re performing this scan internally, you can probably ignore this flag. Now let’s run a quick nmap scan against our machine using both the -sS and -Pn flags [25].
```
root@bt:~# nmap -sS -Pn 172.16.32.131
Nmap scan report for 172.16.32.131
Host is up (0.00057s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1433/tcp open  ms-sql-s
3389/tcp open  ms-term-serv
Nmap done: 1 IP address scanned in 14.34 seconds
```

As you can see, nmap reports a list of open ports, along with a description of the associated service for each. For more detail, try using the -A flag. This option attempts advanced service enumeration and banner grabbing, which may give you even more details about the target system. For example, here’s what we’d see if we were to call nmap with the -sS and -A flags against the same target system:

```
root@bt:~# nmap -Pn -sS -A 172.16.32.131
Nmap scan report for 172.16.32.131
Host is up (0.0035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 10 microsoft-ds
777/tcp  open  unknown
1039/tcp open  unknown
1138/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server
```

When you’re running a complex penetration test with a lot of targets, keeping track of everything can be a challenge. Luckily, Metasploit has you covered with expansive support for multiple database systems. To ensure that database support is available for your system, you should first decide which database system you want to run. Metasploit supports MySQL and PostgreSQL; because PostgreSQL is the default, we’ll stick with it in this discussion. First, we start the database subsystem using the built-in Back|Track init.d scripts.

```
root@bt:~# /etc/init.d/postgresql-8.3 start
```

After PostgreSQL has started, we tell the Framework to connect to the database instance. This connection requires

If this were the first time we connected to the database name, we would see a lot of text output as Metasploit sets up all the necessary tables. Otherwise, the command returns to the msfconsole prompt. Metasploit provides a number of commands that we can use to interact with the database (for a complete list, enter help). For now, we’ll use db_status to make sure that we’re connected correctly.

```
msf > db_status
[*] postgresql connected to msfbook
```

Everything seems to be set up just fine.

When you are working with other team members, with various individuals scanning at different times and from different locations, it helps to know how to run nmap on its own and then import its results into the Framework. Next, we’ll examine how to import a basic nmap-generated XML export file (generated with nmap’s -oX option) into the Framework. First, we scan the Windows virtual machine’s subnet using the -oX option to generate a Subnet1.xml file:

```
nmap -Pn -sS -A -oX Subnet1.xml 192.168.1.0/24
```

After generating the XML file, we use the db_import command to import it into our database. We can then verify that the import worked by using the db_hosts command, which lists the host entries that have been created, as shown here:

```
msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import Subnet1.xml
msf > db_hosts -c address
address
-------
192.168.1.1
192.168.1.10
192.168.1.101
192.168.1.102
192.168.1.109
192.168.1.116
192.168.1.142
192.168.1.152
192.168.1.154
192.168.1.171
192.168.1.155
192.168.1.174
192.168.1.180
192.168.1.181
192.168.1.2
```

This tells us that we’ve successfully imported the output of our nmap scans into Metasploit, as evidenced by the IP addresses listed when we run the db_hosts command.

A more advanced nmap scan method, TCP idle scan, allows us to scan a target stealthily by spoofing the IP address of another host on the network. For this type of scan to work, we first need to locate an idle host on the network that uses incremental IP IDs (which are used to track packet order). When we discover an idle system that uses incremental IP IDs, the IP IDs become predictable, and we can predict the next ID. However, when spoofing the address of the idle host while scanning a target’s responses from open ports, we can see a break in the predictability of
a username, password, the name of the host on which the the IP ID sequence, which indicates that we have discovered
database is running, and the database name we want to use. an open port. To learn more about this module and IP ID
Back|Track’s default PostgreSQL username is postgres with sequences, visit [25] Use the Framework’s
the password toor, but we’ll use msfbook as the database scanner/ip/ipidseq module to scan for a host that fits the
name. Let’s make the connection. TCP idle scan requirements, as shown next (Fig. 1):
msf > db_connect
postgres:toor@127.0.0.1/msfbook
22
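The db_import step above consumes nmap's XML output (-oX). The following Python example, added here and not code from the paper or from Metasploit, shows what such an importer does: it parses a constructed nmap XML report (modelled on the scans in the text, not a real capture) into a host/open-port inventory that a defender can diff against the expected asset list. Element and attribute names follow nmap's own XML output (nmaprun, host, status, address, ports/port, state, service); the IPs and services in the sample are constructed.

```python
"""Minimal nmap -oX importer: build a host/open-port inventory from the XML.
Added example (not code from the paper or from Metasploit). The XML below is
constructed to resemble the scans in the text; it is not a real capture."""
import xml.etree.ElementTree as ET

# Constructed nmap XML, reduced to the elements an importer needs.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX Subnet1 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.155" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.156" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.203" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="5.1"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, service, banner), ...]} for every host that is up.
    Only ports in state 'open' are kept, which is what db_hosts/db_services report."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port information
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # product and version are only present when -sV/-A identified the service
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            banner = " ".join(p for p in parts if p)
            entries.append((int(port.get("portid")), port.get("protocol"), name, banner))
        inventory[ip] = entries
    return inventory


def hosts_with_service(inventory, service_name):
    """IPs exposing a given service name, e.g. every host still serving plain 'http'."""
    return sorted(ip for ip, ports in inventory.items()
                  if any(svc == service_name for _, _, svc, _ in ports))


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for ip, ports in inv.items():
        print(ip, ports)
    print("plain HTTP exposed on:", hosts_with_service(inv, "http"))
```

Feeding a real `-oX` file to `parse_nmap_xml` gives the same structure db_hosts shows; comparing successive runs is a cheap way to notice a newly exposed port before an attacker does.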
Figure 1: Display of required host parameters for ipidseq scanning

This figure displays the required options for the ipidseq scan. One notable option, RHOSTS, can take IP ranges (such as 192.168.1.20–192.168.1.30); Classless Inter-Domain Routing (CIDR) ranges (such as 192.168.1.0/24); multiple ranges separated by commas (such as 192.168.1.0/24, 192.168.3.0/24); and a text file with one host per line (such as file:/tmp/hostlist.txt). All these options give us quite a bit of flexibility in specifying our targets.
The THREADS value sets the number of concurrent threads to use while scanning. By default, all scanner modules have their THREADS value initially set to 1. We can raise this value to speed up our scans or lower it to reduce network traffic. In general, you should not set the THREADS value greater than 16 when running Metasploit on Windows, and not greater than 128 on UNIX-like operating systems.
Now let’s set our values and run the module. We’ll set the value for RHOSTS to 192.168.1.0/24, set THREADS to 50, and then run the scan. The result is shown in Fig. 2.

Figure 2: Detection of several potential idle hosts that can be used to perform idle scanning

Judging by the results of our scan, we see several potential idle hosts that we can use to perform idle scanning. We’ll try scanning a host using the system at 192.168.1.109, specifying the idle host with the -sI command line flag (Fig. 3):

msf auxiliary(ipidseq) > nmap -PN -sI 192.168.1.109 192.168.1.155
[*] exec: nmap -PN -sI 192.168.1.109 192.168.1.155

Figure 3: Detecting multiple open ports on our target system

By using the idle host, we were able to discover several open ports on our target system without sending a single packet to the system.

3.2. Port scanning with Metasploit

In addition to its ability to use third-party scanners, Metasploit has several port scanners built into its auxiliary modules that directly integrate with most aspects of the Framework. In later chapters, we’ll use these port scanners to leverage compromised systems to access and attack; this process, often called pivoting, allows us to use internally connected systems to route traffic to a network that would otherwise be inaccessible. For example, suppose you compromise a system behind a firewall that is using Network Address Translation (NAT). The system behind the NAT-based firewall uses private IP addresses, which you cannot contact directly from the Internet. If you use Metasploit to compromise a system behind a NAT, you might be able to use that compromised internal system to pass traffic (pivot) to internally hosted and private IP-based systems to penetrate the network farther behind the firewall. To see the list of port scanning tools that the Framework offers, enter the following [25]:
Let’s conduct a simple scan of a single host using Metasploit’s SYN Port Scanner. In the following Fig. 4, we start the scan by using scanner/portscan/syn, set RHOSTS to 192.168.1.155, set THREADS to 50, and then run the scan. From the results, you can see that ports 135, 139, and 445 are open on IP address 192.168.1.155, leveraging the portscan syn module within Metasploit.
When you are conducting a penetration test, there is no shame in looking for an easy win. A targeted scan looks for specific operating systems, services, program versions, or configurations that are known to be exploitable and that provide an easy door into a target network. For example, it is common to scan a target network for the vulnerability MS08-067, as this is (still) an extremely common hole that will give you SYSTEM access much more quickly than scanning an entire target network for vulnerabilities.
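The idle-scan discussion above turns on whether a host's IP ID field is predictable. The Python example below, added here and not code from the paper or from the ipidseq module, classifies an IP ID sample using the category names that ipidseq-style probes report (incremental, broken little-endian incremental, random positive increments, randomized, all zeros); the thresholds are a simplified approximation and are labelled as an assumption, and every sample sequence is constructed. Run over probe responses from your own hosts, it tells the defender which systems would serve as idle-scan zombies and therefore need a stack that randomizes or zeroes IP IDs.

```python
"""Classify IP ID sequences to find hosts whose IDs are predictable.
Added example; the category names mirror those reported by ipidseq-style
probes, but the thresholds are a simplified approximation (assumption),
not the exact nmap or Metasploit logic. All samples are constructed."""


def classify_ipid_sequence(ipids):
    """Return a category for a list of consecutive 16-bit IP ID values."""
    if len(ipids) < 2:
        return "unknown"
    if all(i == 0 for i in ipids):
        return "all zeros"            # stack never sets the field
    # differences between consecutive IDs, allowing for 16-bit wrap-around
    diffs = [(c - p) % 65536 for p, c in zip(ipids, ipids[1:])]
    if all(d == 0 for d in diffs):
        return "constant"             # same ID every time
    if len(ipids) > 2 and any(d > 20000 for d in diffs):
        return "randomized"
    if any(d > 1000 and (d % 256 != 0 or d >= 25600) for d in diffs):
        return "random positive increments"
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "broken little-endian incremental"   # counter kept in the wrong byte
    if all(1 <= d < 10 for d in diffs):
        return "incremental"
    return "unknown"


# Categories whose next ID can be predicted well enough for an idle scan.
PREDICTABLE = {"incremental", "broken little-endian incremental"}


def zombie_candidates(samples):
    """Given {host: [ipids...]}, return hosts whose IP IDs are predictable.
    These are the systems to fix (modern stacks randomize or zero the field)."""
    return sorted(h for h, seq in samples.items()
                  if classify_ipid_sequence(seq) in PREDICTABLE)


# Constructed probe results for a handful of hosts.
SAMPLE_PROBES = {
    "192.168.1.109": [1001, 1002, 1003, 1004, 1005, 1006],    # classic incremental
    "192.168.1.116": [256, 512, 768, 1024, 1280],            # byte-swapped incremental
    "192.168.1.142": [0, 0, 0, 0, 0],                        # all zeros
    "192.168.1.152": [9201, 40123, 1877, 51320, 23004],      # randomized
    "192.168.1.154": [100, 1500, 2900, 4300],                # random positive increments
}

if __name__ == "__main__":
    for host, seq in SAMPLE_PROBES.items():
        print(host, classify_ipid_sequence(seq))
    print("fix these:", zombie_candidates(SAMPLE_PROBES))
```

A host in the "constant" or "all zeros" class is no zombie either, but an idle host in either predictable class is exactly what the -sI scan above needs; patching or replacing such hosts removes that option from an attacker on your network.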
Figure 4: Scan of a single host using Metasploit’s

Metasploit can scour a network and attempt to identify versions of Microsoft Windows using its smb_version module. I run the module, list my options, set RHOSTS, and begin scanning (Fig. 5):

Figure 5: Identification of Microsoft Windows versions using the smb_version module

As you can see, the smb_version scanner has pinpointed the operating system as Windows 10. Because we are scanning only one system, we leave THREADS set to 1. If we had been scanning several systems, such as a class C subnet range, we might consider upping the THREADS using the set THREADS number option. The results of this scan are stored in the Metasploit database for use at a later time and can be accessed with the db_hosts command:

We have discovered a system running Windows 10 without having to do a full scan of the network. This is a great way to quickly and quietly target hosts that are likely to be more vulnerable when our goal is to avoid being noticed.
The Simple Network Management Protocol (SNMP) is typically used in network devices to report information such as bandwidth utilization, collision rates, and other information. However, some operating systems also have SNMP servers that can provide information such as CPU utilization, free memory, and other system-specific details. Convenience for the system administrator can be a gold mine for the penetration tester, and accessible SNMP servers can offer considerable information about a specific system or even make it possible to compromise a remote device. If, for instance, you can get the read/write SNMP community string for a Cisco router, you can download the router’s entire configuration, modify it, and upload it back to the router. The Metasploit Framework includes a built-in auxiliary module called scanner/snmp/snmp_enum that is designed specifically for SNMP sweeps. Before you start the scan, keep in mind that the Read-Only (RO) and Read/Write (RW) community strings will play an important role in the type of information you will be able to extract from a given device. On Windows-based devices configured with SNMP, you can often use the RO or RW community strings to extract patch levels, running services, usernames, uptime, routes, and other information that can make things much easier for you during a pen test. (Community strings are essentially passwords used to query a device for information or to write configuration information to the device.) After you guess the community strings, SNMP itself (depending on the version) can allow anything from excessive information disclosure to full system compromise. SNMPv1 and v2 are inherently flawed protocols. SNMPv3, which incorporates encryption and better check mechanisms, is significantly more secure. To gain access to a switch, you’ll first need to attempt to find its community strings. The Framework’s scanner/snmp/snmp_login module will try a word list against one or a range of IP addresses.
A quick Google search for GSM7224 from the output tells us that the scanner has found both the public and private community strings for a Netgear switch. This result, believe it or not, has not been staged for this book. These are the default factory settings for this switch.
You will encounter many jaw-dropping situations like these throughout your pen testing career because many administrators simply attach devices to a network with all their defaults still in place. The situation is even scarier when you find these devices accessible from the Internet within a large corporation.
Many applications and services lack custom modules in Metasploit. Thankfully, the Framework has many features that can be useful when you’re building a custom scanner, including offering access to all of its exploit classes and methods, and support for proxies, Secure Sockets Layer (SSL), reporting, and threading. It can be very useful to write your own scanner during security assessments because doing so will allow you to locate every instance of a bad password or unpatched service quickly on a target system. The Metasploit Framework scanner modules include various
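The SNMP discussion above hinges on three weaknesses: factory-default community strings, read/write access, and the absence of authentication in SNMPv1/v2c. The Python audit below, added here and not code from the paper or from Metasploit, checks a net-snmp style snmpd.conf for exactly those conditions from the configuration side, before an snmp_login sweep finds them from the network. The configuration is constructed; the directive names (rocommunity, rwcommunity, rouser, the "default" source keyword) are net-snmp's own.

```python
"""Audit a net-snmp style snmpd.conf for weak SNMP settings.
Added example (not code from the paper or from Metasploit). The config
below is constructed; directive names are net-snmp's own."""
import re

SAMPLE_SNMPD_CONF = """\
# constructed snmpd.conf for the audit example
rocommunity public
rwcommunity private
rocommunity monitoring 10.20.0.0/16
rouser nmsuser authpriv
"""

# rocommunity/rwcommunity (and the IPv6 variants) take: COMMUNITY [SOURCE [OID|-V VIEW]]
COMMUNITY_RE = re.compile(r"^(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)
DEFAULT_STRINGS = {"public", "private"}   # the factory defaults named in the text


def audit_snmpd_conf(text):
    """Return a list of (severity, line_number, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        m = COMMUNITY_RE.match(line)
        if not m:
            continue                            # v3 users and other directives pass
        access, community, source = m.group(1).lower(), m.group(2), m.group(3)
        if community.lower() in DEFAULT_STRINGS:
            findings.append(("high", lineno,
                             f"default community string '{community}' ({access})"))
        if access == "rw":
            findings.append(("high", lineno,
                             f"read/write community '{community}' permits configuration changes"))
        if source is None or source.lower() == "default":
            findings.append(("medium", lineno,
                             f"community '{community}' accepts queries from any source"))
        findings.append(("low", lineno,
                         f"community '{community}' is SNMPv1/v2c (cleartext, no authentication); "
                         "prefer an SNMPv3 user with authPriv"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'none' for a clean configuration."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for sev, ln, msg in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"{sev:6} line {ln}: {msg}")
```

Only the `rouser` line passes clean: it is an SNMPv3 user, which is the replacement the text recommends for v1/v2c communities.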
mixins, such as exploit mixins for TCP, SMB, and so on, and the auxiliary scanner mixin that is built into the Framework. Mixins are portions of code with predefined functions and calls that are preconfigured for you. The Auxiliary::Scanner mixin overloads the Auxiliary run method; calls the module method at runtime with run_host(ip), run_range(range), or run_batch(batch); and then processes the IP addresses. We can leverage Auxiliary::Scanner to call additional, built-in Metasploit functionality.

3.3. Vulnerability scanning

A vulnerability scanner is an automated program designed to look for weaknesses in computers, computer systems, networks, and applications. The program probes a system by sending data to it over a network and analyzing the responses received, to enumerate any vulnerabilities present on the target by using its vulnerability database as a reference. Various operating systems tend to respond differently when sent particular network probes because of the different networking implementations in use. These unique responses serve as a fingerprint that the vulnerability scanner uses to determine the operating system version and even its patch level. A vulnerability scanner can also use a given set of user credentials to log into the remote system and enumerate the software and services to determine whether they are patched. With the results it obtains, the scanner presents a report outlining any vulnerabilities detected on the system. That report can be useful for both network administrators and penetration testers [25, 26].
Vulnerability scanners generally create a lot of traffic on a network and are therefore not typically used in a penetration test when one of the objectives is to remain undetected. If, however, you are running a penetration test and stealth is not an issue, a vulnerability scanner can save you from having to probe systems manually to determine their patch levels and vulnerabilities. Whether you use an automated scanner or do it manually, scanning is one of the most important steps in the penetration testing process; if done thoroughly, it will provide the best value to your client. In this chapter, we will discuss several vulnerability scanners and how they can be integrated within Metasploit. We’ll highlight some auxiliary modules in the Metasploit Framework that can locate specific vulnerabilities in remote systems [27, 28].
Let’s look at how a scan works at the most basic level. In the following listing, we use netcat to grab a banner from the target 192.168.1.203. Banner grabbing is the act of connecting to a remote network service and reading the service identification (banner) that is returned. Many network services such as web, file transfer, and mail servers return their banner either immediately upon connecting to them or in response to a specific command. Here we connect to a web server on TCP port 80 and issue a GET HTTP request that allows us to look at the header information that the remote server returns in response to our request.

root@bt:/opt/framework3/msf3# nc 192.168.1.203 80
GET HTTP 1/1
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.1

The information returned tells us that the system running on port 80 is a Microsoft IIS 5.1-based web server. Armed with this information, we could use a vulnerability scanner, as shown in Fig. 6, to determine whether this version of IIS has any vulnerabilities associated with it and whether this particular server has been patched. Of course, in practice, it’s not that simple. Vulnerability scans often contain many false positives (reported vulnerability where none exists) and false negatives (failure to log a vulnerability where one exists) due to subtle differences in system and application configurations. In addition, the creators of vulnerability scanners have an incentive to report positives: The more “hits” a vulnerability scanner finds, the better it looks to a potential buyer. Vulnerability scanners are only as good as their vulnerabilities database, and they can easily be fooled by misleading banners or inconsistent configurations. Let’s take a look at some of the more useful vulnerability scanners, including NeXpose, Nessus, and some specialized scanners.

Figure 6: Vulnerability scan results against the target web server
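The netcat exchange above is a banner grab: one request, then a status line and a Server header. The Python example below, added here and not code from the paper, performs the same exchange against a throwaway listener on 127.0.0.1 that replies with a constructed IIS-style banner, and then parses the Server header into product and version. Because the listener and its banner are fabricated, it also makes the text's caveat concrete: a banner is whatever the server chooses to send, which is why banner-based scanner results need confirmation before they are treated as findings.

```python
"""HTTP banner grab against a local throwaway server, then Server-header parsing.
Added example, not code from the paper. The server and its banner are constructed
(it imitates the IIS 5.1 reply in the text); nothing here touches a real host."""
import socket
import threading

# Constructed reply modelled on the netcat session in the text.
FAKE_BANNER = (b"HTTP/1.1 400 Bad Request\r\n"
               b"Server: Microsoft-IIS/5.1\r\n"
               b"Content-Length: 0\r\n"
               b"Connection: close\r\n\r\n")


def start_fake_server(banner=FAKE_BANNER):
    """Listen once on an ephemeral loopback port and answer with `banner`. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)          # consume the client's request line and headers
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def grab_http_banner(host, port, timeout=3.0):
    """Send a minimal HEAD request and return (status_line, server_header_or_None)."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:     # read until the end of the header block
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return lines[0], server


def parse_server_banner(server):
    """Split 'Product/Version extra' into (product, version); version is None if absent."""
    if not server:
        return (None, None)
    product, _, rest = server.partition("/")
    version = rest.split()[0] if rest.strip() else None
    return (product.strip(), version)


if __name__ == "__main__":
    port = start_fake_server()
    status, server = grab_http_banner("127.0.0.1", port)
    print(status, "|", server, "|", parse_server_banner(server))
```

Swapping `FAKE_BANNER` for, say, `Server: Apache/2.4.57` changes the parsed product without changing anything about the listener, which is the whole false-positive problem in one line: on the defensive side, suppressing or genericizing the Server header removes the easy version hint without removing the need to patch.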
4. Information system testing process

For conducting unauthorized access testing of the organization’s information system, tools from the Kali Linux distribution were used.
During the simulation, Kali Linux will be utilized in two different modes: as a virtual machine and in Live USB mode. As a virtual machine, this operating system will be used to conduct attacks after gaining access to the organization’s network. In Live USB mode, the operating system will run on a physical machine without installation, allowing the use of the hardware capabilities of the computer from which the testing is performed.
To test the information system, a virtual machine was created using Oracle VM VirtualBox. The virtual machine selected for the testing is Metasploitable 2, as this virtual machine is specifically designed to be highly vulnerable for training, exploit testing, and beginner learning. Unlike other vulnerable virtual machines, Metasploitable focuses on vulnerabilities in the Linux operating system and network services rather than individual applications [29].
The unauthorized access testing of the organization’s information system began with the information-gathering process to predict possible attack vectors and methods for obtaining unauthorized access. To simulate the information-gathering process, the official website diia.gov, which belongs to the Ministry of Digital Transformation of Ukraine, was researched.
During the information gathering on public resources, data was found about individuals working in the organization, as well as the email format used within the organization (Fig. 7). This information could be useful for conducting social engineering attacks on one of the organization’s employees.

Figure 7: Information about the organization found using the EmailHunter utility

For further information gathering, Maltego was used. This is a software tool for information discovery that generates a graph based on link analysis. It is used in online investigations to automate the process and find connections between pieces of information located across different sources on the Internet. As a result of scanning the diia.gov.ua domain, the results are shown in Fig. 8. Here, we can see the physical addresses of the AWS servers hosting the Diia website, as well as servers connected to the Kyiv office of Diia.

Figure 8: Graph generated as a result of the Maltego utility operation
The gathered information can be used to identify priority attack vectors, and the availability of this information enables the possibility of conducting social engineering attacks. After analyzing the website using these methods, a sufficient amount of information was collected to determine possible attack vectors. This phase is the longest, and the more information gathered, the higher the chances of finding vulnerabilities.
After gaining access to the information system, you can perform a scan of the system using the Nmap network scanner to gather information about the existing network elements and the openness of certain ports. Using the information about open ports, we can predict which attack vectors are optimal for further testing and what to focus on. The results of scanning the test network with Nmap are shown in Fig. 9. For example, from the Nmap scan, we can observe that port 80 (HTTP) is open, allowing us to continue its investigation. Since this port is HTTP and not HTTPS, meaning it is less secure, we can likely intercept and understand the information transmitted to this port.
To be able to crack the usernames and passwords of a web form, we need to identify the parameters of the login page and how the form responds to incorrect login attempts. The key parameters we must determine are:
• IP address of the website
• URL
• Form type
• Username field
• Password field
• Error message.
We can identify each of these using a proxy tool such as Tamper Data or Burp Suite.

Figure 9: Result of the Nmap utility operation

BurpSuite (Fig. 10) intercepts the request and shows us the key fields required for cracking the web form using THC-Hydra. After the login form address (/dvwa/login.php), the next field is the name of the field that accepts the username. In this case, it is “username”, but in some forms, it could be something else, such as “login”.

Figure 10: Result of Burp Suite operation. The image highlights the information required for further attack execution.

The command looks like this:

hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.51 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

The result of executing the command is shown in Fig. 11.
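The hydra command above produces a burst of POST requests to /dvwa/login.php, each answered with the form's "Login failed" page. The Python detector below, added here and not code from the paper, is the defender's counterpart: it reads web-server access-log lines in combined format and raises an alert for any client that exceeds a threshold of failed login POSTs inside a sliding window. The log lines and client addresses are constructed, and the assumption that a failed DVWA login returns HTTP 200 (the error page) while a successful one returns a 302 redirect is stated in the code and should be checked against the application actually being monitored.

```python
"""Detect password-guessing bursts against a login form from access-log lines.
Added example, not code from the paper. Log lines are constructed; the
status-code assumption (failed login -> 200 error page, success -> 302) is
DVWA's behaviour as assumed here and should be verified for other apps."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format, only the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_login_bruteforce(lines, login_path="/dvwa/login.php",
                            threshold=10, window=timedelta(seconds=60)):
    """Return {ip: (first_alert_time, attempts_in_window)} for clients whose failed
    login POSTs exceed `threshold` within any `window`-long sliding interval."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # assumption: 200 on the login path is the failure page; 302 is success
        if method != "POST" or path != login_path or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                # expire attempts that fell out of the window
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = (ts, len(q))
    return alerts


def constructed_log():
    """Fabricated access log: one client hammering the form, one normal user."""
    base = datetime(2024, 3, 12, 10, 15, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(15):            # 15 failed POSTs in 30 seconds from 10.0.0.23
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'10.0.0.23 - - [{ts}] "POST /dvwa/login.php HTTP/1.1" 200 1536 '
                     f'"-" "Mozilla/5.0 (constructed)"')
    ts = (base + timedelta(seconds=5)).strftime(fmt)
    lines.append(f'10.0.0.7 - - [{ts}] "POST /dvwa/login.php HTTP/1.1" 200 1536 "-" "Mozilla/5.0"')
    ts = (base + timedelta(seconds=9)).strftime(fmt)
    lines.append(f'10.0.0.7 - - [{ts}] "POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, (when, n) in detect_login_bruteforce(constructed_log()).items():
        print(f"ALERT {ip}: {n} failed logins within 60 s, first seen {when.isoformat()}")
```

The threshold and window are the tuning knobs: a small wordlist such as the one in the command above still produces dozens of attempts per minute from one address, far above what a user mistyping a password generates, so even a conservative setting separates the two without relying on the client's User-Agent.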
Figure 11: Here you can see the successfully intercepted data that the user used for authentication on the web server in the information system

5. Conclusions

As a result of the conducted testing, a significant number of vulnerabilities in the information resources were identified. The information gathered by the tester about the vulnerabilities will help companies assess the current security level of their information system, identify vulnerabilities, and prioritize them based on their criticality, as well as develop a response plan for future cyberattacks. The research revealed that each system is unique in its way due to the use of different types of rules (signatures) and applications. This requires in-depth knowledge of attacks and the system documentation from the developer to configure the system for monitoring specific (non-standard) applications.
Kali Linux was chosen because it contains many tools for penetration testing, enabling periodic testing of networks and nodes, as well as security auditing of corporate networks to identify existing vulnerabilities and misconfigurations, and mitigate them before they can be exploited by attackers.
Future research directions may focus on developing network utilities to implement protection for various types of operating environments from unauthorized interference and subsequently integrating them into a comprehensive utility system managed by the operating system. Additionally, improving the overall efficiency of monitoring the information system for identifying various types of vulnerabilities in its assets will enhance protection against many types of network attacks.

References

[1] S. V. N. Parasram, et al., Kali Linux 2018: Assuring Security by Penetration Testing, Fourth Edition, Packt Publishing (2018).
[2] D. Shevchuk, et al., Designing Secured Services for Authentication, Authorization, and Accounting of Users, in: Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3550 (2023) 217–225.
[3] OWASP Web Security Testing Guide. URL: https://owasp.org/www-project-web-security-testing-guide/
[4] What is PCI DSS (Payment Card Industry Data Security Standard)? URL: https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard
[5] Penetration Testing Execution Standard (PTES). URL: https://www.geeksforgeeks.org/penetration-testing-execution-standard-ptes
[6] Security Considerations for Exchanging Files over the Internet. URL: https://csrc.nist.gov/publications/itl-bulletin
[7] Open-Source Security Testing Methodology Manual. URL: https://www.sciencedirect.com/topics/computer-science/open-source-security-testing-methodology-manual
[8] S. Shevchenko, et al., Information Security Risk Management using Cognitive Modeling, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, CPITS-II, vol. 3550 (2023) 297–305.
[9] D. Berestov, et al., Analysis of Features and Prospects of Application of Dynamic Iterative Assessment of Information Security Risks, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 2923 (2021) 329–335.
[10] Itgovernance.co.uk, Penetration Testing (2021). URL: https://www.itgovernance.co.uk/penetration-testing
[11] V. Susukailo, I. Opirskyy, S. Vasylyshyn, Analysis of the Attack Vectors used by Threat Actors during the Pandemic, IEEE 15th International Scientific and Technical Conference on Computer Sciences and Information Technologies, CSIT 2020, 2 (2020) 261–264.
[12] S. Parasram, Digital Forensics with Kali Linux, Second Edition, [S.l.]: Packt Publishing (2020).
[13] Maltego. URL: https://hackyourmom.com/kibervijna/zbir-informacziyi-pro-suprotyvnyka/osint-akademiya/4-relizy-maltego-prynczypy-roboty-ta-mozhlyvosti/
[14] R. Marusenko, V. Sokolov, P. Skladannyi, Social Engineering Penetration Testing in Higher Education Institutions, Advances in Computer Science for Engineering and Education VI, vol. 181 (2023) 1132–1147.
[15] Nmap: the Network Mapper - Free Security Scanner. URL: https://nmap.org
[16] Nmap Reference Guide | Nmap Network Scanning, Nmap.org, Chapter 15 (2021). URL: https://nmap.org/book/man.html
[17] P. Anakhov, et al., Protecting Objects of Critical Information Infrastructure from Wartime Cyber Attacks by Decentralizing the Telecommunications Network, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3050 (2023) 240–245.
[18] A. Singh, Metasploit Penetration Testing Cookbook, Packt Publishing (2012).
[19] A. Stoykov, Metasploitable 2 Full Walkthrough, MATRIX Labs (2021). URL: https://matrixlabsblog.wordpress.com/2019/04/02/metasploitable-2-full-walkthrough/
[20] M. Carey, et al., Nessus Network Auditing, O'Reilly (2008). doi: 10.1016/B978-1-59749-208-9.X0001-9.
[21] Rapid7, Metasploit Editions: Network Pen Testing Tool (2021). URL: https://www.rapid7.com/products/metasploit/download/editions
[22] Tenable®, Nessus Product Family (2021). URL: https://www.tenable.com/products/nessus
[23] Kali.tools, Burp Suite - Kali Linux Tools (2021). URL: https://kali.tools/?p=1589
[24] Ptsecurity.com, Penetration Testing of Corporate Information Systems: Statistics and Findings, 2019 (2019). URL: https://www.ptsecurity.com/ww-en/analytics/corp-vulnerabilities-2019/
[25] D. Kennedy, et al., Metasploit: The Penetration Tester’s Guide (2011).
[26] J. Hutchens, Kali Linux Network Scanning Cookbook, Packt Publishing (2014).
[27] D. R. Mathew, J. Benjamin, Penetration Testing and Vulnerability Scanning of Web Application Using Burp Suite, in: National Conference on Emerging Computer Applications (NCECA), 3(1) (2021).
[28] S. V. N. Parasram, et al., Kali Linux 2018: Assuring Security by Penetration Testing, Fourth Edition, Packt Publishing (2018).
[29] Metasploitable 2. URL: https://docs.rapid7.com/metasploit/metasploitable-2