Adaptive Penetration Test Method
ISSN No:-2456-2165
Abstract:- The complexity of information systems is increasing day by day. This leads to more security vulnerabilities in IT systems. Attackers use these vulnerabilities to penetrate the target's system, so it is better to find them in advance, before the attacker does. The power of vulnerability assessment is often overlooked. Penetration testing is a set of activities undertaken to identify and exploit vulnerabilities; it helps to verify the effectiveness of the security measures implemented. When the existing penetration test approaches and methods are examined, another issue that is overlooked is that not all steps are performed adequately in the penetration test process. In the environments where penetration tests are performed, the number of attack vectors may be limited because progress depends on the capabilities of the penetration test specialist, and/or some important parts may be missing due to forgetting or lack of ability. This work brings together my studies on how to use comprehensive penetration test software in cyber defense technology, how more attack vectors can be applied and more results obtained during the tests with a new perspective, and how to automate the detection of social engineering weaknesses with an automated application tool. Automated test results were compared with the results of the manual tests performed in 7 different environments, and the superior parts are indicated in the results section. I also discuss which tools are used for which purposes and at what stages, and I have automated several steps of penetration testing.

Keywords:- Vulnerability Assessment, Adaptive Penetration Test, Automated Application Security, Computer Security And Computer Ethics.

I. INTRODUCTION

Penetration testing and security assessments in general are critical for all companies based on an IT infrastructure. However, there are some problems. The penetration testing procedure may take several weeks or months, depending on the size and complexity of the targeted network and the level of detail the customer wants. A company can have up to twenty users, and all they want is a basic vulnerability scan to make sure they don't have a major problem with system configurations. In this case, the scan can be done in one day or several days with very little interaction other than entering the target systems and starting the scan. In another scenario, in a company with several thousand users and their infrastructure, unlike the previous scenario, the penetration testing process may take several weeks or months due to the complexity of network / application architectures and the many different attack paths.

If we need to express it in detail, some weaknesses that can be easily detected using automated tools can become virtually impossible to detect manually, information security experts say. For example, for Host Header Injection to be detected, 4 requests must be sent separately for each URL. Or, when Sensitive Data Leak is handled, automated scanning is needed because all pages of the web application need to be attacked by brute force. In addition, some of the tests, even when performed manually, can't reach the number of outputs that can be obtained automatically. The number of outputs obtained can provide the information security expert with more clues, give him the chance to create more attack vectors, and prevent possible output losses caused by human factors (forgetfulness, lack of information, etc.).

Basically, a company hires security experts to evaluate and hack their networks, servers and services before malicious users can do the same. Penetration testing tools will provide a report on network, service and application vulnerabilities. The report may also include how penetration testers can access IT infrastructures and applications to gain access to specific accounts or systems. The report will also provide suggestions on how to correct these gaps. This allows the company to secure its networks, services and applications against various future attacks.

In this work, an adaptive penetration test method has been proposed for IT systems. We will cover the adaptive pentesting tool. This tool will enable you to collaboratively conduct penetration tests efficiently and effectively against variable target environments. It allows us to create different attack vectors by providing more results and yields than a manual pentest.

The rest of the paper is organized as follows. Fundamentals and related works are presented in Section 2. The proposed method is explained in Section 3. Experimental results are presented in Section 4. The last section is Conclusion and Future Works.
Static analysis is also one of the common techniques used to find security errors in application code. The difference from penetration testing is that the system is examined as a white box, by analyzing the source code and identifying security vulnerabilities. Due to their different

The attacks that Markus and his colleagues carried out with the automated social engineering tool they created in their work are very striking. The first is automated social engineering work on five successful large Swedish-based companies:
High-tech company
IT company
Scandinavian finance company
Industrial engineering company
Telecommunications company

Fig 3:- Messaging results for target users with the character Anna [4]
Fig 5:- Use Case Diagram of the Adaptive Pentest Tool. The weaknesses covered by the tool are:
XSS
SQL Injection
XXE
SSRF
Subdomain Takeover
Missing Security Headers
Host Header Injection
CORS
Sensitive Data Leak

Crawling: The crawler function in scraping.py is called with two arguments, the website name and the file in which the crawled URLs are to be saved. There are two crawling functions, based on authentication: as an authenticated user and as an unauthenticated user.
Information Flow: From the vul_scan entity, data goes to the scrapping entity. There the scrapping entity calls the crawler module to crawl the website and generate a report file. The relation between VuL_scanner and scrapping is optional, meaning the scrapping part depends on the user: only if the user wants to crawl the website will this module be working, otherwise not.

After scraping, data goes to the chk and wayback_urls entities. In the chk entity the scanner gets the cookies of the application. The relationship with the Vul_scan entity is optional.

After that, data goes from the vul_scan entity to all other entities one by one with the interaction of the user. The order depends on the user of the scanner: one can perform the XSS check first, while another can start with sql_Check. It totally depends on the user.

Working procedure:

Check_sql entity (relationship with the Vul_scan entity is one to many): Make a request to the server, then get a response from the server, then inject a normal SQL injection into the form input. If it does not work, the module goes on to the blind SQL injection mode. If the module finds any vulnerability while performing the scan, it shows a message to the user.

XSS check (one to many relation): First the module sends a request to the server to connect. Then it checks the normal GET and POST requests. Then it starts the XSS injection attack on the URL or form input. If it finds anything vulnerable, it shows an alert to the user.

check__ssrf (one to many relation): First the module sends a request to the server to connect. Then it checks the normal GET and POST requests. Then it starts the SSRF injection attack on the URL or form input. If it finds anything vulnerable, it shows an alert to the user.

check__xxe (one to many relation): First the module sends a request to the server to connect. Then it checks the normal GET and POST requests. Then it starts the XXE injection attack on the URL or form input. If it finds anything vulnerable, it shows an alert to the user.

Sensitive_data: In this part the module looks for robot.txt and password.txt files.

Subdomain takeover: looks for subdomains under the main IP address. cors: checks for CORS errors by sending a spoofed request to the server.

check_host header and security header: finds vulnerabilities in the headers by inspecting them and matching against the signature databases.

A. Parts of Adaptive Pentesting Tool

Crawling:- is the first step and the most important step. As soon as the script starts, the crawler function in scraping.py is called; it takes two arguments, the website name and the file in which the crawled URLs are to be saved. There are two crawling functions, based on authentication:
Crawling the website as an unauthenticated user (takes two arguments: the website name and the filename to save processed URLs)
Crawling the website as an authenticated user (takes three arguments: the website name, the filename to save processed URLs and the cookie for the authenticated user)
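The security header module above is described only as "inspect the headers and match against the signature databases". As an added example (not the paper's own module), this is the defensive half of that check on a captured response header set: the header list, the expected values and the sample responses are this example's assumptions, not the paper's signature database.

```python
# Added example: inspect a captured HTTP response header set for missing or weak
# security headers. EXPECTED_HEADERS is an assumed, minimal "signature database".
from typing import Dict, List

EXPECTED_HEADERS = {
    "strict-transport-security": "forces HTTPS; absent on a TLS site allows downgrade",
    "content-security-policy": "limits script sources; main mitigation for XSS impact",
    "x-content-type-options": "should be 'nosniff' to stop MIME sniffing",
    "x-frame-options": "stops clickjacking unless CSP frame-ancestors is set",
}


def normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare them lower-cased."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing missing or weak."""
    h = normalise(headers)
    findings = []
    for name, reason in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name}: {reason}")
    # A header that is present but carries a weak value is also a finding.
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options present but not 'nosniff'")
    if "content-security-policy" in h and "unsafe-inline" in h["content-security-policy"]:
        findings.append("content-security-policy allows 'unsafe-inline'")
    return findings


# Constructed sample responses (no real site was contacted).
WEAK_RESPONSE = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(resp) or "no findings")
```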
Fig 7:- Interface of Adaptive Pentest Tool

Menu:- It is the interface for the user. It explains what the tool does, makes navigation very easy, and helps the user choose which bug they want to test on the website. Many tools do not provide a menu and take a very long time to produce a result; unlike them, here you can check only a particular bug, which saves time and gives you a checklist of bugs. A manual tester without a checklist might miss testing some bug. It uses figlet, a Linux utility, to render the banner text in the Linux terminal and give it an animated look.

Testing for Specific Vulnerabilities

As we stated at the beginning of the study, we focused on the best-known OWASP weaknesses and included 9 weaknesses in this section. A separate module has been created for each of these weaknesses, and their working philosophies are listed below.

XSS: The first option to choose from the menu is XSS; it stands for Cross-Site Scripting and is the most common bug in modern web applications; very large enterprises are also vulnerable to this bug type. In XSS an attacker is able to execute JavaScript in the victim's browser. On entering option 1, the script initiates the xss function in

XXE Injection: It is the third option in the menu. It is a very new bug in the modern web, found on websites which use XML files to store the data of the user or to respond to the user with the requested data. To find XXE, the script calls the xxe function in the check_xxe.py file; it takes two arguments, the website name and the cookie if provided. It changes the content type of the request to application/xml for each request and checks the difference between the length and status code of the response to the request with normal data and the response to the request with the XXE payload; if the difference shows the possibility of an XXE attack, it flags it as an XXE vulnerability found at the specific URL with the specific payload. It uses XXE polyglots as the payloads.

SSRF: It is the fourth option in the menu. It is also a very new bug type; an attacker who is able to exploit it can get access to private files on the server and port scan the network on which the server is present. To find this bug, the script calls the function ssrf in the check_ssrf.py file; it takes two arguments, the website and the cookie if provided. It computes the difference between the normal request and the request with the malicious payload: if there is a difference in the status code and response length, then we flag it as an SSRF bug found with the specific payload. We use SSRF polyglots as the payload.
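Both the XXE and SSRF modules rest on the same differential heuristic: a probe is flagged when its response differs from the baseline in status code or body length. As an added example (not code from the paper's check_xxe.py or check_ssrf.py), the decision logic is isolated below from any network I/O so it can be tested on constructed responses; the length tolerance is this example's assumption, added because dynamic pages vary in length between identical requests and a tolerance of zero produces false positives that a tester would otherwise have to triage by hand.

```python
# Added example: the differential comparison used by the XXE/SSRF modules, on
# constructed Response records rather than live traffic. A flagged probe is a
# candidate for manual verification, not a confirmed vulnerability.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Response:
    status: int
    length: int  # len(body) in bytes


@dataclass(frozen=True)
class Finding:
    url: str
    probe_name: str
    reason: str


def differs(baseline: Response, probe: Response, tolerance: int = 0) -> Optional[str]:
    """Return why the probe differs from the baseline, or None if it does not."""
    if probe.status != baseline.status:
        return f"status {baseline.status} -> {probe.status}"
    if abs(probe.length - baseline.length) > tolerance:
        return f"length {baseline.length} -> {probe.length}"
    return None


def flag_candidates(url: str, baseline: Response, probes: Dict[str, Response],
                    tolerance: int = 0) -> List[Finding]:
    """Compare every probe response for one URL against its baseline response."""
    findings = []
    for name, resp in probes.items():
        why = differs(baseline, resp, tolerance)
        if why:
            findings.append(Finding(url, name, why))
    return findings


# Constructed sample: one URL, one baseline response, three probe responses.
BASELINE = Response(200, 1200)
PROBES = {
    "probe-a": Response(200, 1203),  # jitter only: not flagged once a tolerance is set
    "probe-b": Response(500, 310),   # status changed: flagged
    "probe-c": Response(200, 4800),  # body grew a lot: flagged for manual review
}


def demo() -> List[Finding]:
    # Hypothetical URL; tolerance of 16 bytes absorbs the jitter in probe-a.
    return flag_candidates("https://example.invalid/form", BASELINE, PROBES, tolerance=16)


if __name__ == "__main__":
    for f in demo():
        print(f.url, f.probe_name, f.reason)
```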
vi. Damn Vulnerable Web Application

Damn Vulnerable Web Application (DVWA) is a PHP / MySQL web application that is deliberately vulnerable. Its basic objectives are to let IT security experts test their skills and tools in a legal environment, to help web developers better understand the process of securing their web applications, and to help teachers / students in a classroom environment teach and learn web application security.

vii. Bwapp

bWAPP, or buggy web application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students discover and prevent web vulnerabilities. bWAPP prepares one to carry out successful penetration testing and ethical hacking projects. What makes bWAPP unique is that it has 100 web vulnerabilities. It covers all known major web bugs, including all risks from the OWASP Top 10 project. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP. Another possibility is to download bee-box, a custom Linux VM pre-installed with bWAPP.

B. Performed Tests

http://testphp.vulnweb.com
Manual tests performed in this environment identified the following weaknesses: XSS, SQL Injection, Missing Security Headers, Subdomain Takeover, Sensitive Data Leak, Host Header Injection.

Fig 8:- Execution of XSS scripts over the automatic tool

https://demo.testfire.net/
In this environment, the numbers of manually and automatically detected vulnerabilities are equal, but automated detection time has been reduced. Weaknesses in both types are: XSS, SQL Injection, Missing Security Headers,

http://testhtml5.vulnweb.com/
The only manually detected weaknesses are XSS, XXE, CORS and Missing Security Headers. Automated scripts provide additional detection of weaknesses such as Host Header Injection and Sensitive Data Leak.

Typhoon Vulnerable Machine
In this environment, Missing Security Headers and Sensitive Data Leak vulnerabilities have been identified with automated scripts.

Fig 9:- Running Security Header scripts and results
Fig 10:- Detection of subdomain takeover weakness with automatic scripts
Fig 11:- Running Sensitive Data Leak scripts and detection of weakness

Automated tools are the perfect fit for testing a target for more attacks with a large number of payloads, as they can do it even with a thousand different payloads for one single test. Hence, automated tools can cover the breadth.

The detected XSS vulnerabilities occur when applications do not have sufficient input and output controls for outside information, and a malicious user can execute JavaScript code to steal the session information of the target people and redirect the browser of the target people at will. The captured victim can perform port

An SQL Injection vulnerability is one that could allow an attacker to append queries to a database sent in the background, because the information sent through the application parameters is not properly checked.

Expanding the adaptivity in pentesting to all environments
Increasing attack vectors with machine learning methods
Artificial intelligence in adaptive penetration testing