Testing an organization’s information system for unauthorized access

Ivan Tyshyk 1,† and Hennadii Hulak 2,3,∗,†

1 Lviv Polytechnic National University, 12 Stepana Bandery str., 79013 Lviv, Ukraine
2 Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudryavska str., 04053 Kyiv, Ukraine
3 Institute of Mathematical Machines and Systems Problems of the National Academy of Sciences of Ukraine, 42 Ac. Glushkov ave., 03680 Kyiv, Ukraine

Abstract

Security assessment of information systems is crucial for identifying protection issues in their components and determining potential attack vectors. Penetration testing is conducted by simulating what a real attacker could do against the target system and offers an effective way of obtaining such information. This approach provides an unbiased view of the actual level of protection against attacks and demonstrates the effectiveness of security solutions for the company’s network infrastructure in practice. Penetration testing involves evaluating software or network infrastructure for vulnerabilities and attempting to exploit them for unauthorized access, bypassing, or damaging security components. These vulnerabilities may arise from misconfigurations of communication equipment, unsecured application code, network architecture design flaws, or the disclosure of confidential information. As a result of the testing, a comprehensive report is generated, explaining each vulnerability or chain of vulnerabilities exploited to gain unauthorized access to the target, detailing the steps taken to exploit them, and providing mitigation recommendations. Each identified vulnerability is assigned a risk rating, which is used to prioritize tasks for improving the security of the tested system. The paper examines methods for conducting penetration testing of an organization’s corporate network infrastructure for unauthorized access.
A simulation of information systems testing for unauthorized access was performed, and potential attacks following such access were illustrated. The most common methods of exploiting potential vulnerabilities in corporate networks are presented.

Keywords: information system, corporate network, penetration testing, virtual machine, web application, unauthorized access, network security tool, Kali Linux

CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine
∗ Corresponding author.
† These authors contributed equally.
ivan.y.tyshyk@lpnu.ua (I. Tyshyk); h.hulak@kubg.edu.ua (H. Hulak)
ORCID: 0000-0003-1465-5342 (I. Tyshyk); 0000-0001-9131-9233 (H. Hulak)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings, ceur-ws.org, ISSN 1613-0073

1. Introduction

The rapid growth in the popularity of internet technologies is accompanied by an increase in serious threats to the disclosure of personal data, critical corporate resources, state secrets, and more. Every day, hackers and other malicious actors threaten network information resources, attempting to gain access to them through specialized attacks. These attacks are becoming increasingly sophisticated and easier to execute. Two main factors contribute to this.

Firstly, the widespread penetration of the internet. Today, billions of various devices are connected to the network, increasing the likelihood of hackers accessing these devices and their associated computer networks through their vulnerabilities. Moreover, the global spread of the internet enables hackers to exchange information on a global scale. Secondly, the widespread availability of user-friendly operating systems and development environments. This factor significantly reduces the knowledge requirements for attackers. In the past, hackers needed strong programming skills to create and distribute malicious programs. Now, to gain access to a hacking tool, one only needs to know the IP address of the desired site, and a few mouse clicks are enough to carry out an attack.

Information security breaches in corporate computer networks can be caused by human factors, vulnerabilities in the communication equipment’s operating environment, server operating systems, and local workstations, as well as the possibility of executing remote attacks, especially if the corporate network is distributed and connected to public data transmission networks.

From a security perspective, distributed systems are primarily vulnerable to remote attacks, as the components of distributed systems typically use open data transmission channels. An attacker can not only perform passive eavesdropping during data transmission but also modify the traffic. While such active tampering with traffic can often be detected, passive eavesdropping is nearly impossible to identify.

Vulnerability assessment is a key task in ensuring the security of information systems, which involves regular testing. Currently, Linux distributions such as Kali Linux, BackBox, Parrot Security OS, and several other tools are widely used for penetration testing of information systems [1]. However, given the diversity of unauthorized access methods and the type of object being tested, an appropriate testing methodology is required that would provide a comprehensive evaluation of the security level of the target system.

Problem statement: In light of the above, the challenge arises in selecting an effective methodology for testing an organization’s information system for unauthorized access to its resources. This includes conducting thorough information gathering, which will help the organization assess the current level of security of their information system, identify vulnerabilities, prioritize them based on criticality, and develop an action plan to protect the system from future cyberattacks.

2. Methods for testing unauthorized access to an organization’s information system

To ensure the best testing results, regardless of the penetration tests used, the tester must follow a standardized testing methodology. The following popular testing methods will be discussed:

- Open Web Application Security Project (OWASP) [3].
- Payment Card Industry Data Security Standard (PCI DSS) [4].
- Standard Penetration Testing Execution [5].
- National Institute of Standards and Technology Special Publication (NIST SP 800-115) [6].
- Open Source Security Testing Methodology Manual (OSSTMM) [7].

2.1. Open web application security project

The Open Web Application Security Project (OWASP) is a project that brings together open-source software developers. The members of this community create programs designed to protect web applications and web services. All applications are developed based on the experience of combating malicious programs that target web services and web applications. OWASP serves as a starting point for system architects, developers, vendors, consumers, and security professionals—essentially all specialists involved in the design, development, deployment, and security testing of web services and web applications. In other words, OWASP aims to help create more secure web applications and web services.

The main advantage of the OWASP Testing Guide is that the test results provide a comprehensive description of all threats. The OWASP Testing Guide identifies all the risks that may affect the system and applications and evaluates the likelihood of their occurrence. Using the threats described in OWASP, it is possible to determine an overall risk assessment from the conducted tests and provide appropriate recommendations for mitigating these vulnerabilities [8].

The OWASP Testing Guide primarily focuses on the following areas: Methods and tools for testing web applications; Information gathering; Authentication testing; Business logic testing; Test data; Denial-of-service attack testing; Session management verification; Web services testing; AJAX testing; Risk assessment; Threat likelihood.

These threats pose serious risks to cloud computing security [9]. Denial-of-service attacks can disrupt access to cloud services, misconfiguration of security can open the door to attackers, and cloud malware attacks threaten data privacy and integrity. This may allow an attacker to use the associated resources for their purposes or to steal or manipulate data stored in the cloud. All these threats require important monitoring and the provision of appropriate security measures to protect cloud services and user data [2].

2.2. Payment card data security standard

This section compiles regulations for companies that comply with PCI (Payment Card Industry) requirements. The guide contains standards not only for PCI v3.2 but was developed by the PCI Security Standards Council, outlining penetration testing methods within vulnerability management programs. The PCI Data Security Standard (PCI DSS) version 3.2 was released in April 2016 by the Payment Card Industry Security Standards Council (PCI SSC). After the update, the requirements were clarified, with additional guidelines and seven new requirements introduced.

To address issues related to breaches of cardholder personal data confidentiality and protect against existing exploits, various changes were included in PCI DSS v3.2, most of which pertain to service providers. These changes added new requirements for penetration testing, which mandate that segmentation testing for service providers be performed at least every six months or after any significant changes in segmentation controls/methods. Additionally, this standard contains several requirements obliging service providers to continuously monitor and maintain critical security controls throughout the year.

2.3. Standard penetration testing execution

The penetration testing standard consists of seven main sections. They cover all the requirements, conditions, and methods for conducting penetration tests: from reconnaissance to attempts at conducting pen tests; stages of information gathering and threat modeling, where testers work covertly to achieve the best possible testing results; stages of vulnerability assessment, exploitation, and post-exploitation, where the practical security knowledge of testers is combined with the data gathered during penetration tests; and finally, the reporting phase, where all information is presented in a format understandable to the client.

Currently, the first version is in effect, in which all standard elements have been tested under real-world conditions and approved. The second version is under development, where all requirements will be detailed, clarified, and improved.

Since the plan for each penetration test is developed individually, various tests can be applied: from web application testing to black-box testing methods. With this plan, the expected level of complexity of a particular investigation can be immediately determined and applied in the volumes and areas deemed necessary by the organization. Preliminary research results can be seen in the section related to intelligence gathering.

Below are the main sections of the discussed standard, which form the basis for conducting penetration tests: Pre-engagement agreement; Intelligence gathering; Threat modeling; Vulnerability analysis; Exploitation; Post-exploitation; and Reporting.

2.4. National institute of standards and technology special publication

The National Institute of Standards and Technology Special Publication (NIST SP 800-115) is a technical guide for information security testing and assessment. The publication was prepared by the Information Technology Laboratory (ITL) at NIST.

The guide defines security assessment as the process of determining how effectively an organization meets specific security requirements. Upon reviewing the guide, you will find that it contains a large amount of information for conducting tests. Although the document is rarely updated, it remains relevant and can serve as a reference for building a testing methodology.

This guide provides practical recommendations for developing, implementing, and maintaining technical information security tests, as well as processes and procedures for evaluations, covering the key elements of technical security testing and evaluation. These recommendations can be used for several practical tasks, such as vulnerability assessments in a system or network and checking compliance with policies or other requirements.

NIST 800-115 provides a comprehensive framework for penetration testing, ensuring that a penetration testing program meets the necessary guidelines.

2.5. Open source security testing methodology manual

The Open Source Security Testing Methodology Manual (OSSTMM) is a document that is quite complex to read and understand, but it contains a vast amount of relevant and highly detailed information on security. It is also the most well-known security guide globally, with approximately half a million downloads every month. The reason for its popularity is that its guidelines are about a decade ahead of all other documents in the security industry. The purpose of the OSSTMM is to advance the standards for Internet security testing. This document is designed to provide the most detailed core framework for testing, which in turn ensures thorough penetration testing. Regardless of other organizational specifics, such as the service provider’s corporate profile for penetration testing, this testing allows the client to verify the level of technical evaluation.

3. Methods for testing unauthorized access to an organization’s information system

Kali Linux includes various types of programs specifically aimed at ensuring computer network security, although it is possible to install available graphical applications, text editors, image viewers, and other software. However, installing such software is not recommended due to the risk of compromising system security and anonymity during testing. This OS is in continuous development, and future updates are expected to expand its functionality and toolset, as well as improve its existing capabilities.

It can be said that Kali Linux will remain a key tool in cybersecurity going forward, as it continues to evolve, adapting to new trends while maintaining its relevance and effectiveness in the field of penetration testing.

Currently, other distributions offer similar functionality and features to Kali Linux. One of the most popular is Parrot Security OS [10]. It is also based on Debian and includes a wide range of tools for penetration testing.

Parrot Security OS includes over 700 security testing tools and utilizes more than 700 vulnerabilities. It features built-in tools for analyzing anonymous networks like Tor and I2P, tools for wireless network analysis, and intrusion detection tools, which facilitate the identification of potential attack scenarios. It offers a wide range of tools for network application security analysis and vulnerability testing. Additionally, this distribution supports the use of virtual machines, enhancing protection against network attacks and enabling the testing of various threat scenarios on information systems.

The mentioned features of Parrot Security help testers and cybersecurity professionals to assess and improve the security of information systems and data transmission networks, as well as enhance user credential protection. However, this distribution is more focused on anonymity compared to Kali Linux, which primarily emphasizes security and testing. Given this, the following sections will focus on network tools included in the Kali Linux distribution [11, 12].

One popular tool used by cybersecurity specialists, data analysts, and other professionals for gathering and analyzing open-source intelligence is Maltego [13].

The presented tool allows users to create custom entities, enabling them to represent any type of information in addition to the basic entity types that are part of the software. Its primary goal is to analyze real-world relationships (social networks, OSINT APIs, proprietary private data, and computer network nodes) between individuals, groups, web pages, domains, networks, and internet infrastructure [14]. Maltego expands its data range through integrations with various data processing partners. Data sources include DNS records, Whois, search engines, social network services, different APIs, and various metadata. Maltego can be used during the information-gathering phase for all security-related tasks.

One of the popular tools among cybersecurity professionals is Nmap, which is designed for customizable scanning of IP networks with any number of targets and determining the status of network objects (ports and corresponding services). Initially developed for UNIX systems, Nmap is now available for many operating systems. Nmap is built for quickly scanning large networks, though it also works well with single targets. It uses IP packets in unique ways to discover which hosts are available on the network, what services (application names and versions) they offer, what operating systems (and OS versions) they are running, what types of packet filters/firewalls are in use, and many other characteristics. While Nmap is commonly used for security auditing, many network and system administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime [15, 16].

According to the developer of Nmap, some of the most important features of this scanner include:

- Dynamic Timing Calculations: Some scanners require you to specify the time delay between sending packets. Nmap attempts to determine the best delay for you. It also tracks packet retransmissions to adjust the delay during the scan. For users with root access, the primary method for determining the delay is through the built-in ping function. For non-root users, it’s based on the number of attempts to connect to a closed port on the target. It can also select a reasonable default value.
- Packet Retransmission: Some scanners simply send out all the query packets and collect the responses. However, this can result in false positives or negatives if packets are dropped. This is especially important for “negative” scan types like UDP and FIN, where the goal is to find ports that do **not** respond. In most cases, Nmap implements a configurable number of retransmissions for unresponsive ports.
- Parallel Port Scanning: Some scanners scan ports linearly, one at a time, until all 65,535 ports are scanned. This works for TCP on very fast local networks, but it’s not acceptable on wide-area networks like the Internet. Nmap uses non-blocking I/O and parallel scanning in all TCP and UDP modes. The number of parallel scans can be adjusted with the `-M` (Max sockets) option.
- Flexible Port Specification: I don’t always want to scan all 65,535 ports. Additionally, scanners that only allow scanning ports from 1 to N sometimes don’t meet my needs. The `-p` option allows you to specify an arbitrary number of ports and ranges to scan. For example, `-p 21-25,80,113,60000-` does exactly what you expect (the trailing dash means up to 65,536, and the leading dash means starting from 1). You can also use the `-F` (fast) option to scan all ports registered in your `/etc/services` file (similar to **strobe**).
- Flexible Target Specification: I often want to scan more than one host, and I certainly don’t want to manually list each host in a large network scan. Anything that isn’t an option or option argument in Nmap is treated as a target host. As mentioned earlier, you can append a file/mask to a hostname or IP address to scan all hosts with the same initial `` bits of the 32-bit IP address.
- Unreachable Host Detection: Some scanners allow scanning large networks, but they waste a lot of time scanning all 65,535 ports on dead hosts! By default, Nmap checks each host to ensure it’s alive before spending time scanning it. It also supports handling hosts that appear unreachable based on unusual scan port errors. Nmap is also tolerant of users accidentally scanning network or broadcast addresses, and similar edge cases.
- Detection of your IP address: For some reason, many scanners require you to input your IP address as one of the parameters. Nmap, however, attempts to detect your IP address during the ping phase. It uses the address that receives an echo reply, as this is typically the interface through which traffic should be routed. If it can’t do this (for instance, if host pinging is disabled), Nmap tries to detect your primary interface and uses that address. You can also specify an IP address directly using the `-S` option.

Another popular penetration testing platform is Metasploit, which allows identifying, exploiting, and verifying vulnerabilities in an information system. The platform provides infrastructure, content, and tools for conducting penetration tests and offers extensive security auditing [17]. The most well-known tool within it is the open-source Metasploit Framework, an application used for developing and executing exploit code against a remote target machine [18].

This framework has become a fundamental tool for developing exploits and addressing vulnerabilities. Before Metasploit, penetration testers had to perform all checks manually, using various tools that might or might not support the testing platform, and manually write their code to deploy within networks. Remote testing was an extraordinary task, limiting security professionals to working with local companies, while organizations had to spend significant resources on in-house IT consultants or security specialists [19].

The modern version of Metasploit contains over 1,677 exploits for more than 25 platforms, including Android, PHP, Python, Java, Cisco, and others. The framework also includes around 500 payloads [20].

One of the most popular vulnerability scanners on the market is the Nessus Vulnerability Scanner, which has become a standard among vulnerability scanners. It originally started as an open-source project but was later acquired by Tenable and is now a commercial product (Professional version). Despite this, Nessus Scanner still offers a “Home” version, which is distributed for free but limited to **16 IP addresses**. This version was used for simulating penetration testing for unauthorized access within the organization [21].

Vulnerability scanners have a certain limitation: they cannot detect **0-day vulnerabilities**. Similar to antivirus software, their databases must be updated daily to ensure effective performance. Recently, even the **U.S. government** has started using it for vulnerability scanning. Almost every federal office and U.S. military base worldwide now uses Nessus [22].

Another popular platform for conducting security audits of web applications is the Burp Suite Scanner, which includes tools for mapping the web application, searching for files and directories, modifying requests, fuzzing web applications, password brute-forcing, and much more. There is also an extension store, the BApp Store, which enhances the functionality of specific applications. Notably, the latest release includes a Mobile Assistant for testing the security of iOS mobile applications [23].

Burp Suite is an integrated platform designed for auditing web applications, both manually and automatically. It features an intuitive interface with specially designed tabs to improve and speed up the attack process. The tool itself acts as a proxy mechanism that intercepts and processes all incoming browser requests. It also allows for installing a **Burp certificate** to analyze **HTTPS** connections.

Objective of the paper: To simulate testing of an organization’s corporate network for unauthorized access using the tools from the **Kali Linux** distribution, to explore tools for different testing stages, and to evaluate the collected vulnerability data. The information gathered by the tester will help companies determine the current security level of their information systems, identify vulnerabilities, prioritize them by criticality, and create an action plan for responding to future cyberattacks.

The output data of Nmap is a list of scanned targets with additional information for each, depending on the specified options. The key information is the “port state table”. This table includes the port number, protocol, service name, and state. The state can be open, filtered, closed, or unfiltered. An open port state means the target machine is ready to establish a connection or receive packets on that port. Filtered indicates that a firewall, network filter, or another network obstacle is blocking the port, and Nmap cannot determine if the port is open or closed. Closed ports are not associated with any application, so they may be opened at any time. Ports are considered unfiltered when they respond to Nmap requests, but Nmap cannot determine whether they are open or closed. Nmap reports “open/filtered” or “closed/filtered” combinations when it cannot determine which of the two states describes the port. This table may also provide details about software versions if requested. When performing IP protocol scanning (-sO), Nmap provides information about supported IP protocols rather than open ports. In addition to the port state table, Nmap may provide further information about targets: resolved DNS names, guesses about the operating system in use, device types, and MAC addresses [16].

Due to its wide range of applications and accessible open-source code, Metasploit is used by a diverse group of people, from cybersecurity professionals to hackers. Metasploit is valuable for anyone needing a simple-to-install, reliable tool that performs its job regardless of platform or language. This software is popular among hackers and widely available, motivating security professionals to study the Metasploit platform even if they do not use it themselves.

The modern version of Metasploit includes over 1,677 exploits for more than 25 platforms, including Android, PHP, Python, Java, Cisco, and others. The framework also contains around 500 payloads, which include the following [20]:

- Command shell payloads—allow users to execute scripts or arbitrary commands on the host.
- Dynamic payloads—enable testers to generate unique payloads to bypass antivirus software.
- Meterpreter payloads—allow users to intercept control of the device’s display through the video memory controller, capture sessions, and upload or download files.
- Static payloads—facilitate port forwarding and data exchange between networks.

As a “hacker”, after scanning, you receive a comprehensive list of vulnerabilities, for which you only need to find exploits. Unfortunately, vulnerability scanners are quite “noisy”, and vigilant administrators can detect their activity. However, not all organizations have such administrators.

It’s important to note a few key points about vulnerability scanners. They cannot detect 0-day vulnerabilities. Like antivirus products, their databases must be updated daily to remain effective.

Recently, even the U.S. government started using Nessus for vulnerability scanning. Almost every federal office and military base worldwide now employs Nessus.

The software is capable of detecting the most common types of vulnerabilities, such as (Nessus Vulnerability Scanner) [24]:

- The presence of vulnerable service or domain versions.
- Configuration errors (e.g., lack of required authentication on an SMTP server).
- Presence of default, empty, or weak passwords.

The program has a client-server architecture, which greatly expands scanning capabilities. Different editions offer varying features tailored to different clients.

3.1. Port scanning with Nmap

Having identified the target IP range with passive information gathering as well as the secmaniac.net target IP address, we can begin to scan for open ports on the target by port scanning, a process whereby we meticulously connect to ports on the remote host to identify those that are active. (Obviously, in a larger enterprise, we would have multiple IP ranges and things to attack instead of only one IP.) Nmap is, by far, the most popular port scanning tool. It integrates with Metasploit quite elegantly, storing scan output in a database backend for later use. Nmap lets you scan hosts to identify the services running on each, any of which might offer a way in. For this example, let’s leave secmaniac.net behind and turn to the virtual machine described in Appendix A, with IP address 172.16.32.131. Before we get started, take a quick look at the basic nmap syntax by entering nmap from the command line on your Back|Track machine. You’ll see immediately that nmap has quite a few options, but you’ll use just a few of them for the most part. One of our preferred nmap options is -sS. This runs a stealth TCP scan that determines whether a specific TCP-based port is open. Another preferred option is -Pn, which tells nmap not to use ping to determine whether a system is running; instead, it considers all hosts “alive.” If you’re performing Internet-based penetration tests, you should use this flag, because most networks don’t allow Internet Control Message Protocol (ICMP), which is the protocol that ping uses. If you’re performing this scan internally, you can probably ignore this flag. Now let’s run a quick nmap scan against our machine using both the -sS and -Pn flags [25].

root@bt:~# nmap -sS -Pn 172.16.32.131
Nmap scan report for 172.16.32.131
Host is up (0.00057s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1433/tcp open  ms-sql-s
3389/tcp open  ms-term-serv
Nmap done: 1 IP address scanned in 14.34 seconds

As you can see, nmap reports a list of open ports, along with a description of the associated service for each. For more detail, try using the -A flag. This option will attempt advanced service enumeration and banner grabbing, which may give you even more details about the target system. For example, here’s what we’d see if we were to call nmap with the -sS and -A flags, using our same target system:

root@bt:~# nmap -Pn -sS -A 172.16.32.131
Nmap scan report for 172.16.32.131
Host is up (0.0035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 10 microsoft-ds
777/tcp  open  unknown
1039/tcp open  unknown
1138/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server

When you’re running a complex penetration test with a lot of targets, keeping track of everything can be a challenge. Luckily, Metasploit has you covered with expansive support for multiple database systems. To ensure that database support is available for your system, you should first decide which database system you want to run. Metasploit supports MySQL and PostgreSQL; because PostgreSQL is the default, we’ll stick with it in this discussion. First, we start the database subsystem using the built-in Back|Track init.d scripts.

root@bt~# /etc/init.d/postgresql-8.3 start

After PostgreSQL has started, we tell the Framework to connect to the database instance. This connection requires a username, password, the name of the host on which the database is running, and the database name we want to use. Back|Track’s default PostgreSQL username is postgres with the password toor, but we’ll use msfbook as the database name. Let’s make the connection.

msf > db_connect postgres:toor@127.0.0.1/msfbook

If this were the first time we connected to the database name, we would see a lot of text output as Metasploit sets up all the necessary tables. Otherwise, the command will return to the msfconsole prompt. Metasploit provides a number of commands that we can use to interact with the database, as you’ll see throughout this book. (For a complete list, enter help.) For now, we’ll use db_status to make sure that we’re connected correctly.

msf > db_status
[*] postgresql connected to msfbook

Everything seems to be set up just fine.

When you are working with other team members, with various individuals scanning at different times and from different locations, it helps to know how to run nmap on its own and then import its results into the Framework. Next, we’ll examine how to import a basic nmap-generated XML export file (generated with nmap’s -oX option) into the Framework. First, we scan the Windows virtual machine using the -oX option to generate a Subnet1.xml file:

nmap -Pn -sS -A -oX Subnet1 192.168.1.0/24

After generating the XML file, we use the db_import command to import it into our database. We can then verify that the import worked by using the db_hosts command, which lists the entries of the system that have been created, as shown here:

msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import Subnet1.xml
msf > db_hosts -c address
address
-------
192.168.1.1
192.168.1.10
192.168.1.101
192.168.1.102
192.168.1.109
192.168.1.116
192.168.1.142
192.168.1.152
192.168.1.154
192.168.1.171
192.168.1.155
192.168.1.174
192.168.1.180
192.168.1.181
192.168.1.2

This tells us that we’ve successfully imported the output of our nmap scans into Metasploit, as evidenced by the IP addresses populated when we run the db_hosts commands.

A more advanced nmap scan method, TCP idle scan, allows us to scan a target stealthily by spoofing the IP address of another host on the network. For this type of scan to work, we first need to locate an idle host on the network that uses incremental IP IDs (which are used to track packet order). When we discover an idle system that uses incremental IP IDs, the IP IDs become predictable, and we can then predict the next ID. However, when spoofing the address of an idle host while scanning a target’s responses from open ports, we can see a break in the predictability of the IP ID sequence, which indicates that we have discovered an open port. To learn more about this module and IP ID sequences, visit [25]. Use the Framework’s scanner/ip/ipidseq module to scan for a host that fits the TCP idle scan requirements, as shown next (Fig. 1):

Figure 1: Display of required host parameters for ipidseq scanning

This figure displays the required options for the ipidseq scan. One notable one, RHOSTS, can take IP ranges (such as 192.168.1.20–192.168.1.30); Classless Inter-Domain Routing (CIDR) ranges (such as 192.168.1.0/24); multiple ranges separated by commas (such as 192.168.1.0/24, 192.168.3.0/24); and a text file with one host per line (such as file:/tmp/hostlist.txt). All these options give us quite a bit of flexibility in specifying our targets.

The THREADS value sets the number of concurrent threads to use while scanning. By default, all scanner modules have their THREADS value initially set to 1. We can raise this value to speed up our scans or lower it to reduce network traffic. In general, you should not set the THREADS value greater than 16 when running Metasploit on Windows, and not greater than 128 on UNIX-like operating systems.

Now let’s set our values and run the module. We’ll set the value for RHOSTS to 192.168.1.0/24, set THREADS to 50, and then run the scan. The result is shown in Fig. 2.

Try scanning a host using the system at 192.168.1.109 shown by using the -sI command line flag to specify the idle host (Fig. 3):

msf auxiliary(ipidseq) > nmap -PN -sI 192.168.1.109 192.168.1.155
[*] exec: nmap -PN -sI 192.168.1.109 192.168.1.155

Figure 3: Detecting multiple open ports on our target system

By using the idle host, we were able to discover several open ports on our target system without sending a single packet to the system.

3.2. Port scanning with metasploit

In addition to its ability to use third-party scanners, Metasploit has several port scanners built into its auxiliary modules that directly integrate with most aspects of the Framework. In later chapters, we’ll use these port scanners to leverage compromised systems to access and attack; this process, often called pivoting, allows us to use internally connected systems to route traffic to a network that would otherwise be inaccessible. For example, suppose you compromise a system behind a firewall that is using Network Address Translation (NAT). The system behind the NAT-based firewall uses private IP addresses, which you cannot contact directly from the Internet. If you use Metasploit to compromise a system behind a NAT, you might be able to use that compromised internal system to pass traffic (pivot) to internally hosted and private IP-based systems to penetrate the network farther behind the firewall.

To see the list of port scanning tools that the Framework offers, enter the following [25]:

Let’s conduct a simple scan of a single host using Metasploit’s SYN Port Scanner. In the following Fig. 4, we start the scan by using scanner/portscan/syn, set RHOSTS to 192.168.1.155, set THREADS to 50, and then run the scan. From the results, you can see that ports 135, 139, and 445 are open on IP address 192.168.1.155, leveraging the portscan syn module within Metasploit.

When you are conducting a penetration test, there is no shame in looking for an easy win.
A targeted scan looks for specific operating systems, services, program versions, or configurations that are known to be exploitable and that provide an easy door into a target network. For example, it is common to scan a target network for the vulnerability Figure 2: Detection of several potential idle hosts that still MS08-067, as this is (still) an extremely common hole that perform idle scanning will give you SYSTEM access much more quickly than scanning an entire target network for vulnerabilities. Judging by the results of our scan, we see several potential idle hosts that we can use to perform idle scanning. We’ll 23 Convenience for the system administrator can be a gold mine for the penetration tester, and accessible SNMP servers can offer considerable information about a specific system or even make it possible to compromise a remote device. If, for instance, you can get the read/write SNMP community string for a Cisco router, you can download the router’s entire configuration, modify it, and upload it back to the router. The Metasploit Framework includes a built-in auxiliary module called scanner/snmp/snmp_enum that is designed specifically for SNMP sweeps. Before you start the scan, keep in mind that the Read-Only (RO) and Read/Write (RW) community strings will play an important role in the type of information you will be able to extract from a given Figure 4: Scan of a single host using Metasploit’s device. On Windows-based devices configured with SNMP, you can often use the RO or RW community strings to Metasploit can scour a network and attempt to identify extract patch levels, running services, usernames, uptime, versions of Microsoft Windows using its smb_version routes, and other information that can make things much module. I run the module, list my options, set RHOSTS, and easier for you during a pen test. (Community strings are begin scanning (Fig. 
5): essentially passwords used to query a device for information or to write configuration information to the device.) After you guess the community strings, SNMP itself (depending on the version) can allow anything from excessive information disclosure to full system compromise. SNMPv1 and v2 are inherently flawed protocols. SNMPv3, which incorporates encryption and better check mechanisms, is significantly more secure. To gain access to a switch, you’ll first need to attempt to find its community strings. The Framework’s use scanner/snmp/snmp_login module will try a word list against one or a range of IP addresses. Figure 5: Identification versions of Microsoft Windows using its smb version module As you can see the smb_version scanner has pinpointed the operating system as Windows 10. Because we are scanning only one system, we leave THREADS set to 1. If we had been scanning several systems, such as a class C subnet range, we might consider upping the THREADS using the set THREADS number option. The results of this scan are stored in the Metasploit database for use at a later time and A quick Google search for GSM7224 from the output tells us to be accessed with the db_hosts command: that the scanner has found both the public and private community strings for a Netgear switch. This result, believe it or not, has not been staged for this book. These are the default factory settings for this switch. You will encounter many jaw-dropping situations like these throughout your pen testing career because many administrators simply attach devices to a network with all their defaults still in place. The situation is even scarier when you find these devices accessible from the Internet within a large corporation. We have discovered a system running Windows 10 without Many applications and services lack custom modules in having to do a full scan of the network. This is a great way Metasploit. 
Thankfully, the Framework has many features to target hosts quickly and quietly who are likely to be more that can be useful when you’re building a custom scanner, vulnerable when our goal is to avoid being noticed. including offering access to all of its exploit classes and The Simple Network Management Protocol (SNMP) is methods, and support for proxies, Secure Sockets Layer typically used in network devices to report information (SSL), reporting, and threading. It can be very useful to write such as bandwidth utilization, collision rates, and other your scanner during security assessments because doing so information. However, some operating systems also have will allow you to locate every instance of a bad password or SNMP servers that can provide information such as CPU unpatched service quickly on a target system. The utilization, free memory, and other system-specific details. Metasploit Framework scanner modules include various 24 mixins, such as exploit mixins for TCP, SMB, and so on, and client. In this chapter, we will discuss several vulnerability the auxiliary scanner mixin that is built into the Framework. scanners and how they can be integrated within Metasploit. Mixins are portions of code with predefined functions and We’ll highlight some auxiliary modules in the Metasploit calls that are preconfigured for you. The Auxiliary: Scanner Framework that can locate specific vulnerabilities in remote mixin overloads the Auxiliary run method; calls the module systems [27, 28]. method at runtime with run_host(ip), run_range(range), or Let’s look at how a scan works at the most basic level. run_batch(batch); and then processes the IP addresses. We In the following listing, we use netcat to grab a banner from can leverage Auxiliary: Scanner to call additional, built-in the target 192.168.1.203. Banner grabbing is the act of Metasploit functionality. connecting to a remote network service and reading the service identification (banner) that is returned. 
Many 3.3. Vulnerability scanning network services such as web, file transfer, and mail servers return their banner either immediately upon connecting to A vulnerability scanner is an automated program designed them or in response to a specific command. Here we connect to look for weaknesses in computers, computer systems, to a web server on TCP port 80 and issue a GET HTTP networks, and applications. The program probes a system request that allows us to look at the header information that by sending data to it over a network and analyzing the the remote server returns in response to our request. responses received, to enumerate any vulnerabilities present on the target by using its vulnerability database as root@bt:/opt/framework3/msf3# nc 192.168.1.203 80 a reference. Various operating systems tend to respond GET HTTP 1/1 differently when sent particular network probes because of HTTP/1.1 400 Bad Request the different networking implementations in use. These Server: Microsoft-IIS/5.1 unique responses serve as a fingerprint that the vulnerability scanner uses to determine the operating The information returned tells us that the system system version and even its patch level. A vulnerability running on port 80 is a Microsoft IIS 5.1-based web server. scanner can also use a given set of user credentials to log Armed with this information, we could use a vulnerability into the remote system and enumerate the software and scanner, as shown in Fig. 6, to determine whether this services to determine whether they are patched. With the version of IIS has any vulnerabilities associated with it and results it obtains, the scanner presents a report outlining whether this particular server has been patched. Of course, any vulnerabilities detected on the system. That report can in practice, it’s not that simple. Vulnerability scans often be useful for both network administrators and penetration contain many false positives (reported vulnerability where testers [25, 26]. 
none exists) and false negatives (failure to log a Vulnerability scanners generally create a lot of traffic on vulnerability where one exists) due to subtle differences in a network and are therefore not typically used in a system and application configurations. In addition, the penetration test when one of the objectives is to remain creators of vulnerability scanners have an incentive to undetected. If, however, you are running a penetration test report positives: The more “hits” a vulnerability scanner and stealth is not an issue, a vulnerability scanner can save finds, the better it looks to a potential buyer. Vulnerability you from having to probe systems manually to determine scanners are only as good as their vulnerabilities database, their patch levels and vulnerabilities. Whether you use an and they can easily be fooled by misleading banners or automated scanner or do it manually, scanning is one of the inconsistent configurations. Let’s take a look at some of the most important steps in the penetration testing process; if more useful vulnerability scanners, including NeXpose, done thoroughly, it will provide the best value to your Nessus, and some specialized scanners. Figure 6: Vulnerability scan results against the target web server 25 4. Information system testing machine is specifically designed to be highly vulnerable for training, exploit testing, and beginner learning. Unlike other process vulnerable virtual machines, Metasploitable focuses on For conducting unauthorized access testing of the vulnerabilities in the Linux operating system and network organization’s information system, tools from the Kali services rather than individual applications [29]. Linux distribution were used. The unauthorized access testing of the organization’s During the simulation, Kali Linux will be utilized in two information system began with the information-gathering different modes: as a virtual machine and in Live USB mode. 
process to predict possible attack vectors and methods for As a virtual machine, this operating system will be used to obtaining unauthorized access. To simulate the conduct attacks after gaining access to the organization’s information-gathering process, the official website diia.gov, network. In Live USB mode, the operating system will run which belongs to the Ministry of Digital Transformation of on a physical machine without installation, allowing the use Ukraine, was researched. of the hardware capabilities of the computer from which the During the information gathering on public resources, testing is performed. data was found about individuals working in the To test the information system, a virtual machine was organization, as well as the email format used within the created using Oracle VM VirtualBox. The virtual machine organization (Fig. 7). This information could be useful for selected for the testing is Metasploitable 2, as this virtual conducting social engineering attacks on one of the organization’s employees. Figure 7: Information about the organization found using the EmailHunter utility For further information gathering, Maltego was used. This sources on the Internet. As a result of scanning the is a software tool for information discovery that generates a diia.gov.ua domain, the results are shown in Fig. 8. Here, we graph based on link analysis. It is used in online can see the physical addresses of the AWS servers hosting investigations to automate the process and find connections the Diia website, as well as servers connected to the Kyiv between pieces of information located across different office of Diia. Figure 8: Graph generated as a result of the Maltego utility operation 26 The gathered information can be used to identify priority We can identify each of these using a proxy tool such as attack vectors, and the availability of this information Tamper Data or Burp Suite. enables the possibility of conducting social engineering attacks. 
After analyzing the website using these methods, a sufficient amount of information was collected to determine possible attack vectors. This phase is the longest, and the more information gathered, the higher the chances of finding vulnerabilities.

After gaining access to the information system, you can perform a scan of the system using the Nmap network scanner to gather information about the existing network elements and the openness of certain ports. Using the information about open ports, we can predict which attack vectors are optimal for further testing and what to focus on. The results of scanning the test network with Nmap are shown in Fig. 9. For example, from the Nmap scan, we can observe that port 80 (HTTP) is open, allowing us to continue its investigation. Since this port is HTTP and not HTTPS, meaning it is less secure, we can likely intercept and understand the information transmitted to this port.

Figure 9: Result of the Nmap utility operation

To be able to crack the usernames and passwords of a web form, we need to identify the parameters of the login page and how the form responds to incorrect login attempts. The key parameters we must determine are:

- **IP address** of the website
- **URL**
- **Form type**
- **Username field**
- **Password field**
- **Error message**

Burp Suite (Fig. 10) intercepts the request and shows us the key fields required for cracking the web form using THC-Hydra. After the login form address (/dvwa/login.php), the next field is the name of the field that accepts the username. In this case, it is "username", but in some forms, it could be something else, such as "login".

Figure 10: Result of Burp Suite operation. The image highlights the information required for further attack execution.
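Importing an nmap XML export with db_import (earlier in Section 3) and reading open ports off a scan such as the one in Fig. 9 both come down to parsing nmap's -oX output. The following script is an added example, not code from the paper or from Metasploit: it reads a constructed nmap XML report (hosts, ports and product strings are invented, modelled on the Windows host and the IIS 5.1 web server discussed above) into an open-port inventory, lists the hosts exposing a given port, and flags services whose banner discloses an exact version, which is what a vulnerability scanner, or a defender comparing the scan against a patch inventory, keys on.

```python
"""Parse an nmap -oX report into an open-port inventory (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in nmap's XML format (hosts and values are invented).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX Subnet1.xml 192.168.1.0/24">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.155" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 10 microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.1.203" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="5.1"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str) -> list:
    """Return every open port of every host that was up (what db_import stores)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no ports worth recording
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the inventory
            svc = port.find("service")
            attr = svc.get if svc is not None else (lambda k, d="": d)
            found.append(OpenPort(
                host=addr.get("addr"),
                port=int(port.get("portid")),
                proto=port.get("protocol"),
                service=attr("name", ""),
                product=attr("product", ""),
                version=attr("version", ""),
            ))
    return found


def hosts_up(inventory) -> list:
    """Distinct addresses with at least one open port, like db_hosts."""
    return sorted({p.host for p in inventory})


def hosts_with_port(inventory, port: int, proto: str = "tcp") -> list:
    """Which hosts expose a given port, e.g. 80/tcp as observed in Fig. 9."""
    return sorted({p.host for p in inventory if p.port == port and p.proto == proto})


def version_disclosures(inventory) -> list:
    """Services whose banner hands out an exact version (the IIS 5.1 case).

    A version in a banner is a lead for a scanner, not proof of a vulnerability:
    it still has to be checked against the host's actual patch level."""
    return [p for p in inventory if p.version]


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    print("hosts up:", hosts_up(inv))
    print("hosts with 80/tcp:", hosts_with_port(inv, 80))
    for p in version_disclosures(inv):
        print(f"{p.host}:{p.port}/{p.proto} discloses {p.product} {p.version}")
```

Replace SAMPLE_XML with the contents of a real -oX file to run it against a scan of your own network; the same three views (hosts up, hosts exposing a port, version-disclosing banners) are what the db_hosts listing and the Fig. 9 scan give the tester, and what a defender wants in an asset inventory.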
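From the defender's side, a THC-Hydra run against a login form like the one above shows up in the web server's access log as a burst of POST requests to the form from a single source. The following detector is an added example, not code from the paper: it parses constructed Apache-style combined log lines (all addresses and timestamps are invented), keeps a sliding window of POSTs to the login path per source address, and raises one alert per source once the count crosses a threshold. It also records the User-Agent, since an unchanged tool default (assumed here to be "Mozilla/5.0 (Hydra)") is a cheap secondary indicator.

```python
"""Detect password guessing against a web login form from access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATHS = {"/dvwa/login.php"}   # the form targeted in Section 4
WINDOW_SECONDS = 60
THRESHOLD = 10                      # POSTs per source within the window


def parse_line(line: str):
    """Return a dict of the fields we need, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_form_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD) -> dict:
    """Sliding-window count of login POSTs per source IP; one alert per source."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs to a login path
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = {
                "first_seen": q[0],
                "count": len(q),
                "user_agent": rec["ua"],
                # assumption: hydra's default UA names the tool unless changed
                "tool_ua": "hydra" in rec["ua"].lower(),
            }
    return alerts


def _sample_lines() -> list:
    """Constructed log: one ordinary user plus a 12-attempt guessing burst."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone(timedelta(hours=3)))
    fmt = '%s - - [%s] "%s /dvwa/login.php HTTP/1.1" %d 0 "-" "%s"'
    lines = [fmt % ("192.168.1.20", base.strftime(TS_FMT), "GET", 200, "Mozilla/5.0"),
             fmt % ("192.168.1.20", (base + timedelta(seconds=5)).strftime(TS_FMT),
                    "POST", 302, "Mozilla/5.0")]
    for i in range(12):
        ts = (base + timedelta(seconds=10 + i)).strftime(TS_FMT)
        lines.append(fmt % ("192.168.1.66", ts, "POST", 302, "Mozilla/5.0 (Hydra)"))
    return lines


SAMPLE_LOG = _sample_lines()

if __name__ == "__main__":
    for ip, a in detect_form_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {a['count']} login POSTs since {a['first_seen']} "
              f"(UA {a['user_agent']!r}, tool UA: {a['tool_ua']})")
```

The window and threshold are deliberately loose; tune them to the form's real traffic, and note that the status code is not used for the decision, because a failed DVWA login and a successful one can both answer with a redirect, so the rate of attempts is the reliable signal.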
The THC-Hydra command looks like this:

hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.51 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

The result of executing the command is shown in Fig. 11.

Figure 11: Here you can see the successfully intercepted data that the user used for authentication on the web server in the information system

5. Conclusions

As a result of the conducted testing, a significant number of vulnerabilities in the information resources were identified. The information gathered by the tester about the vulnerabilities will help companies assess the current security level of their information system, identify vulnerabilities, and prioritize them based on their criticality, as well as develop a response plan for future cyberattacks.

The research revealed that each system is unique in its own way due to the use of different types of rules (signatures) and applications. This requires in-depth knowledge of attacks and the system documentation from the developer to configure the system for monitoring specific (non-standard) applications.

Kali Linux was chosen because it contains many tools for penetration testing, enabling periodic testing of networks and nodes, as well as security auditing of corporate networks to identify existing vulnerabilities and misconfigurations and mitigate them before they can be exploited by attackers.

Future research directions may focus on developing network utilities to implement protection for various types of operating environments from unauthorized interference and subsequently integrating them into a comprehensive utility system managed by the operating system. Additionally, improving the overall efficiency of monitoring the information system for identifying various types of vulnerabilities in its assets will enhance protection against many types of network attacks.

References

[1] S. V. N. Parasram, et al., Kali Linux 2018: Assuring Security by Penetration Testing, Fourth Edition, Packt Publishing (2018).
[2] D. Shevchuk, et al., Designing Secured Services for Authentication, Authorization, and Accounting of Users, in: Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3550 (2023) 217–225.
[3] OWASP Web Security Testing Guide. URL: https://owasp.org/www-project-web-security-testing-guide/
[4] What is PCI DSS (Payment Card Industry Data Security Standard)? URL: https://www.techtarget.com/searchsecurity/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard
[5] Penetration Testing Execution Standard (PTES). URL: https://www.geeksforgeeks.org/penetration-testing-execution-standard-ptes
[6] Security Considerations for Exchanging Files over the Internet. URL: https://csrc.nist.gov/publications/itl-bulletin
[7] Open-Source Security Testing Methodology Manual. URL: https://www.sciencedirect.com/topics/computer-science/open-source-security-testing-methodology-manual
[8] S. Shevchenko, et al., Information Security Risk Management using Cognitive Modeling, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, CPITS-II, vol. 3550 (2023) 297–305.
[9] D. Berestov, et al., Analysis of Features and Prospects of Application of Dynamic Iterative Assessment of Information Security Risks, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 2923 (2021) 329–335.
[10] Itgovernance.co.uk, Penetration Testing (2021). URL: https://www.itgovernance.co.uk/penetration-testing
[11] V. Susukailo, I. Opirskyy, S. Vasylyshyn, Analysis of the Attack Vectors used by Threat Actors during the Pandemic, IEEE 15th International Scientific and Technical Conference on Computer Sciences and Information Technologies, CSIT 2020, 2 (2020) 261–264.
[12] S. Parasram, Digital Forensics with Kali Linux, Second Edition, Packt Publishing (2020).
[13] Maltego. URL: https://hackyourmom.com/kibervijna/zbir-informacziyi-pro-suprotyvnyka/osint-akademiya/4-relizy-maltego-prynczypy-roboty-ta-mozhlyvosti/
[14] R. Marusenko, V. Sokolov, P. Skladannyi, Social Engineering Penetration Testing in Higher Education Institutions, Advances in Computer Science for Engineering and Education VI, vol. 181 (2023) 1132–1147.
[15] Nmap: the Network Mapper - Free Security Scanner. URL: https://nmap.org
[16] Nmap Reference Guide | Nmap Network Scanning, Nmap.org, Chapter 15 (2021). URL: https://nmap.org/book/man.html
[17] P. Anakhov, et al., Protecting Objects of Critical Information Infrastructure from Wartime Cyber Attacks by Decentralizing the Telecommunications Network, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3050 (2023) 240–245.
[18] A. Singh, Metasploit Penetration Testing Cookbook, Packt Publishing (2012).
[19] A. Stoykov, Metasploitable 2 Full Walkthrough, MATRIX Labs (2021). URL: https://matrixlabsblog.wordpress.com/2019/04/02/metasploitable-2-full-walkthrough/
[20] M. Carey, et al., Nessus Network Auditing, O'Reilly (2008). doi: 10.1016/B978-1-59749-208-9.X0001-9.
[21] Rapid7, Metasploit Editions: Network Pen Testing Tool (2021). URL: https://www.rapid7.com/products/metasploit/download/editions
[22] Tenable, Nessus Product Family (2021). URL: https://www.tenable.com/products/nessus
[23] Kali.tools, Burp Suite - Kali Linux Tools (2021). URL: https://kali.tools/?p=1589
[24] Ptsecurity.com, Penetration Testing of Corporate Information Systems: Statistics and Findings, 2019 (2019). URL: https://www.ptsecurity.com/ww-en/analytics/corp-vulnerabilities-2019/
[25] D. Kennedy, et al., Metasploit: The Penetration Tester's Guide (2011).
[26] J. Hutchens, Kali Linux Network Scanning Cookbook, Packt Publishing (2014).
[27] D. R. Mathew, J. Benjamin, Penetration Testing and Vulnerability Scanning of Web Application Using Burp Suite, in: National Conference on Emerging Computer Applications (NCECA), 3(1) (2021).
[28] S. V. N. Parasram, et al., Kali Linux 2018: Assuring Security by Penetration Testing, Fourth Edition, Packt Publishing (2018).
[29] Metasploitable 2. URL: https://docs.rapid7.com/metasploit/metasploitable-2