International Journal of Network Security, Vol.18, No.3, PP.

501-513, May 2016 501

Penetration Testing and Mitigation of

Vulnerabilities Windows Server
Deris Stiawan1 , Mohd Yazid Idris2 , Abdul Hanan Abdullah2 , Mohammed AlQurashi3 ,
Rahmat Budiarto3
(Corresponding author: Deris Stiawan)

Department of Computer Science, Universitas Sriwijaya, Indonesia1

Department of Computing, Universiti Teknologi Malaysia, Johor Bahru, Malaysia2
College of Computer Science and Information Technology, Al Baha University, Kingdom of Saudi Arabia3
(Email: [email protected])
(Received Jan. 15, 2015; revised and accepted Apr. 11 & Aug. 24, 2015)

Abstract ous work [14] which compares attack sophistication with

attacker skill knowledge.
Cyber attack has become a major concern over the past Meanwhile, analysis by [6, 12, 18] highlights an explo-
few years. While the technical capability to attack has sion of security threats in recent years such as Trojans,
declined, hacking tools - both simple and comprehensive viruses, worms, adware, spyware and DoS which are con-
- are themselves evolving rapidly. Certain approaches are tinuing to grow, multiply and evolve. According to [14]
necessary to protect a system from cyber threats. This indicate the technical capability to attack tended to de-
work engages with comprehensive penetration testing in crease. On the other hand, hacking tools are getting more
order to find vulnerabilities in the Windows Server and effective and also increasingly available and accessible to
exploit them. Some forms of method penetration test- the public. Moreover, attackers are able to detect vulner-
ing have been used in this experiment, including recon- abilities faster than security experts or vendors and can
naissance probes, brute force attacks based on password cause time delays by patching in vulnerabilities.
guessing, implanting malware to create a backdoor for
escalating privileges, and flooding the target. This exper- Research conducted by [26, 27] found that Windows
iment was focused on gaining access in order to ascertain Server has more serious vulnerabilities, as several of its
the identities of hackers and thus better understand their services and daemons are unsecured and open to ac-
methods and performed penetration testing to evaluate cess. This lays open the possibility of exploitation. Ad-
security flaws in the Windows Server, which is a famous ditionally [32] located vulnerabilities in the Apache and
OS for web applications. It is expected that this work will IIS HTTP server on the Windows Server operating sys-
serve as a guideline for practitioners who want to prepare tem. [28] conducted an attack scenario on the Windows
and protect their systems before putting them online. Server.
Keywords: Mitigation, penetration testing, vulnerabilities, In order to understand how to protect against and pre-
windows server vent attacks, it is useful to understand from the attacker’s
perspective what methods they will use, what goals they
have and how they launch their attacks. This experi-
1 Introduction ment takes improvised actions to highlight several types
of attacks carried out such as: probes to obtain detailed
A definition of hacking is presented by [9, 25]. These information, brute force for guessing passwords, gaining
sources also identify security violation trends in internet- privileges access and flooding the target to reduce the
working and their effects. More illegal activities such as availability of services.
hacktivism, hacking and exploiting weaknesses have been The remainder of this paper is organized as follows.
described by [12, 16, 29] offer a different perspective by Section 2 presents the related works. Section 3 presents
highlighting the potential economic threats and impacts the taxonomy of the attack this experiment is concerned.
of cyber attacks. A growing problem, hacking activities Section 4 describes experimental experiments. This sec-
combine easy to learn pentest with a variety of tools such tion deals with data collecting and an attack scenario in-
as those offered by C.E.H [11]. Moreover, they use both cluding scanning and exploitation for mitigating vulner-
simple and comprehensive tools (defined as ’Metasploit’), ability. Finally, Section 5 offers a conclusion and sugges-
as defined by [5, 21]. This reinforces the findings of previ- tions for future work.
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016 502

2 Related Works of attack: Probes, Remote to Local (R2L), User to Root

(U2R) and DoS as widely used in the field of intrusion
Penetration testing has been described in different ways detection/prevention system, with reference to [3, 4, 8,
since 1989 by [24]. New methods and approaches are con- 31].
tinuously being expanded from year to year. In 2001, [7]
described certain steps needed to prevent threats and con-
vey the importance of understanding the mindset of an 3 Experiments
attacker, as well as their methods and goals. In line with
that, [2] has suggested a methodology to ensure that the The dataset employed in this study was Intrusion Threat
penetration testing exercise is reliable, repeatable and re- Detection Universiti Teknologi Malaysia (ITD UTM), as
portable. shown in Figure 1, available in [30]. All attacks were
executed and infiltrated on ITD UTM. The network envi-
Analyses and predictions by [12, 18] indicate that
ronment is set up for exploitation using Windows Server
there has been an explosion of security threats in recent
and two terminal clients running as attackers. They are
years. This has been corroborated and previously pre-
connected to 3COM Superstack II 100 Mb/s, as shown in
dicted by [17, 19], which describe a future war based on
Figure 1.
cyber attacks. More recently, [23] has predicted and anal-
ysed cyber attacks in the context of further security vio-
lation trends. Meanwhile, [10] has referred to Microsoft 3.1 Data Collecting and Procedures
warning users about the strengths of character passwords Several steps must be taken to conduct these experiments.
such as: a combination of case sensitive letters and digits, This work is an improvement on some of the advice of-
maximum-minimum password age, and minimum pass- fered by [22] and this research agrees with the argument
word length. expressed by [1], particularly on these problems: (i) re-
Furthermore, it seems that every bug can cause vul- cent trends and new methods of attack have been in-
nerabilities which are existent and undocumented, of- volved, (ii) control and guideline steps for penetration,
ten never being revealed, discovered or exploited. From and (iii) various methods of attack for penetration and
the attacker’s perspective, vulnerability is an opportu- mitigation become comprehensive. In this experiment,
nity that can be exploited. A vulnerability database is a three weeks were spent collecting data and finding vul-
collection of records containing technical descriptions of nerability within CVE and security communities. More-
vulnerabilities in computer systems. Common Vulnera- over, five weeks was spent attempting penetration testing
bilities and Exposures (CVE) began in 1999 as a result of on the victim. There are some differences in the results
the adoption of a common naming practice for describing obtained in the first and second data collection. The first
software vulnerabilities and including security tools and data were collected directly from the server, regardless of
services as well as on the fixed sites of commercial and the network broadcast. Conversely, the second data were
open source software package providers. We argue that collected using the hub terminal which also captured the
dependencies exist between scanning phases and informa- broadcast network. Furthermore, this procedure was fol-
tion holes from CVE vulnerability databases. This has lowed in this section:
consequences for access.
Additionally, work by [13, 15, 20] describes the benefits 1) To distinguish between normal traffic and attack, the
of CVE compatibility, integrating vulnerability services attack was separated and divided into several stages
and tools allowing more complete security provision and based on time, machine target and method of attack.
more alert advisory services. Every month CVE MITRE 2) Machine 10.10.10.1 is a NAT Firewall server that
receives between 150 and 300 new announcement alert both allows and denies private traffic to and from
and advisory submissions from ISS, Security Focus, Neo- the internet.
hapsis, and the National Infrastructure Protection Cen-
tre. Currently CVE identifies compatible enablement 3) TCPdump is used to sniff real traffic. It uses the lib-
data exchange between security products and provides cap library to capture packets and has the ability to
a baseline for evaluating coverage of tools and services. consider the properties of an ideal as a packet snif-
There are thousands of information vulnerabilities within fer. TCPdump produced raw data (pcap files) during
the CVE database. Unfortunately, time is required to experiments conducted via 10.10.10.30.
make a patch release after exploitation has been found.
4) Machine 10.10.10.40 running on Snort IDS 2.8.5.2
Consequently, there is usually a a time delay between an
(Build 121), PCRE ver 8.12. This is used to iden-
exploitation identification and a patch and signature re-
tify the threat as well as to compare attacks carried
lease. It can be argued that there are dependencies in the
out which can be recognised by snort signature.
results between the scanning stages [15] and information
vulnerabilities in the CVE database. This means that 5) Two machine attackers, 10.10.10.15 (called Hacker
the vulnerability could be a security flaw exploitable by XP) running on Windows XP SP3 and 10.10.10.20
attackers. based on Backtrack 4 (called Hacker BT) to pene-
In this experiment followed four dominant categories trate Windows Server SP3 in 10.10.10.25.
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016
Figure 1: Topology of test bed environment
Meanwhile, in this experiment all attacks were exe-
cuted on ITD UTM. The attack scenario for penetration
is further illustrated below.
Step 1. Scanning
• Attackers probe the network 10.10.10.25 via
GFI Scanning, Nessus, N-Stealth and Nmap;
• Attackers port reconnaissance of HTTP services
via Nikto;
• Attackers find open port to potential penetra-
tion, 21 (FTP), 23 (Telnet), 80 (HTTP), 445
(SMB), 1433 (Microsoft SQL Server), 1026 (Re-
mote Server).
Step 2. Brute Force
• Attackers attempt password of FTP & Telnet
via brute-force tools;
• Attackers attempts to host 10.10.10.25 for
guessing password remote access via TSgrinder;
• Attackers attempt SQL Ping and Brute force
SQL Login;
• Attackers successfully find user authenticated of
FTP;
• Nessus confirms user access ”anonymous” en-
able and allowed in FTP;
• Attackers log in to the host via FTP Client.
Step 3. Gaining privileges
503
• Attackers try to escalate privilege to adminis-
trator level;
• Attackers attempt web attack via HTTP
and launch ”/.... access”, ”/ root access”,
”/etc/passwd”, ”/usr/bin/id”, ”/etc/shadow
access” via HTTP port 80;
• Attackers attempts XSS attack - Attackers sniff
the network via Cain Abel by utilising of ARP;
• Attackers launch man in the middle attack and
SMB Unicode;
• Attackers add user ”puma” password :
12345678 via console;
• Attackers add user ”mike” password : 12345678
via console;
• Attackers add user ”john” password : 12345678
via console;
• Attackers create directory /mkdir ”tools” in
10.10.10.25 via console;
• Attackers crack root level hashing password via
localhost;
• Attackers upload some files including Trojan to
the victim via FTP;
• Attackers successfully implant the netbus to cre-
ate backdoor via FTP;
• Attackers execute and enable netbus via remote
desktop, then implant keylogger.
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016
Figure 2: Attack scenario diagram
Step 4. DoS
• Hacker XP and Hacker BT send a large
number of ICMP packets repeatedly to flood
10.10.10.25;
• Attackers launch attack LAND via sending TCP
SYN;
• Attacker flood packets using forged source;
• Attackers flood traffic host victim via UDP to
slow down the response of the target.
3.2 Scanning
An attacker’s first steps need to obtain information about
the victim and its environment. They map the network
to determine the target, followed by scanning in order to
interrogate and reconnoitre the victim. The attacker tries
to map out the IP Address/subnet mask information and
operating system that is in use, what services daemons are
actively run and the kernel/services pack used. In other
words, the attacker tries to map out the infrastructure
and resources of the network.
In this stage, several tools and scenarios are used to
gather information, and findings known as vulnerabilities
are mixed and combined to achieve the expected results.
Some of the measures are adopted to enable these tools
to complement each other. Moreover, none of these tools
504
can provide all the detailed information. They have lim-
itations particularly in translating the feedback packet
from the target host. Some tools identify the open port
and the rest are closed.
As mentioned in Section 3.1’s attack scenario, some
open ports were found and used to scan data coming
from such ports. The success of this process depends on
the operating system and the application that is run on
the server. Some tools are used in Hacker BT running
Zenmap, Xprobe2, Nikto, HTTPrint, and Hping2. Mean-
while, the Hacker XP machine runs these tools: GFiLAN,
Legion, Nessus, N-Stealth, X-Scan, and LanSpy, which
is a comprehensive target and a slow mode of scanning.
This stage of attack depicted in Figure 2 produces visu-
alisation, as shown in Figure 3(a) and (b) below.
3.3 Vulnerability
This section presents vulnerabilities that arose during the
scanning stages. From a hacker’s perspective, searching
for any kind information that can be exploited from the
CVE database may identify vulnerabilities. It can be ar-
gued that there are dependencies between scanning and
information holes within a CVE vulnerability database
with respect to gaining access. The critical and medium
risk vulnerabilities are as follows:
1) CVE-2011-1267, CVE-2011-1268, CVE-2011-0476
confirm SMB Server-Client to allow remote code ex-
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016 505

Figure 3: (a) Overall scanning traffic, (b) overall traffic of penetration stages. (c) refers to handshaking traffic
attackers with victim in scanning stages and (d) shows penetration.
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016
ecution if an attacker sends a specially crafted SMB presented in Section 3.1 and Figure 2 above, attackers dis-
response to a client-initiated SMB request.
2) CVE-2008-4250, RPC vulnerabilities allow remote fully used a brute force FTP log-in resulting in the mal-
code execution. An attacker could exploit this vul- ware to successfully create a backdoor. Figure 2 shows
nerability without authentication to find arbitrary illustrated penetration of Windows, as follows:
code & worm exploitations.
3) CVE-2006-5583 is vulnerable and can be exploited
with regard to buffer overflow SNMP, allowing a re-
mote attacker to execute arbitrary codes via a crafted
SNMP packet via exec code overflow.
4) CVE-2006-3439 confirms vulnerability from buffer
overflows. This attack allows remote attackers, in-
cluding anonymous users to execute an arbitrary
code via a crafted RPC message.
5) CVE-2006-0026 and CVE-2000-0071 is vulnerable to
IIS. This attack can allow local and possibly remote
attackers to execute arbitrary codes via crafted Ac-
tive Server Pages (ASP) and allows a remote attacker
to obtain the real pathname of a document.
6) CVE-2003-0352, CVE-2003-0003, Buffer overflow
in a certain DCOM interface for RPC allows
remote attackers to execute arbitrary codes
via a malformed message, as exploited by the
Blaster/MSblast/LovSAN and Nachi/Welchia
worms.
7) CVE-2011-1247, Path vulnerability from Microsoft
active accessibility enables local users to gain privi-
leges via a Trojan horse DLL in the current working
directory.
8) CVE-2011-0654, Buffer overflow in Active Directory
services. This attack allows remote attackers to exe-
cute arbitrary codes or cause a denial of service via
a malformed BROWSER ELECTION message.
3.4 Penetration Testing
The stages identified certain holes to be exploited from
previous stages and launched the attack, a so-called User-
to-Root (U2R) attack. This extends the user’s privilege
to administrator/root to obtain full authorization access.
The attacker can create the new user, implant the mal-
ware, create the backdoor and clean their track from the
log server. Normally, the attacker starts with accessing a
normal local user account then later exploits vulnerabil-
ity to privileges. Moreover, the attackers also launched
brute force for guessing the password, cracking the pass-
word, web injection and man in the middle attack.
This step is called the Remote-to-Local (R2L) attack.
Request packets were sent to a machine over a network
which then exploits machine’s vulnerability to illegally
gain local access as a user without privileges. In this
stage, the attacker focused on brute force in order to gain
access and escalate privileges. According to the scenario
506
covered multiple vulnerabilities. They successfully found
the legitimate users then created a new user, and success-
1) Hacker BT and Hacker XP attempted to conduct
surveillance whereby the attacker tries to map out
of IP Address/subnet mask information, operating
system being used, and which services are running
in 10.10.10.25. In other words, these stages are
called probes or scanning to map out and recon-
noitre the victim’s network infrastructure. Nessus,
Nmap, Nstealth, Legion and GFILanGuard are used
to communicate with the data base server several
times to check available updates of existing vulner-
abilities. There are some potential vulnerabilities to
be exploited which are as follows:
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
161/udp open snmp
445/tcp open microsoft-ds
1027/tcp open IIS
1433/tcp open ms-sql-s
2) Specific techniques are used to escalate privilege, at-
tempt password one by one via guessing, theft, sniff-
ing and cracking the password direct to target. From
the attacker’s perspective, the challenge is to find
the legitimate user and implant the Trojan to cre-
ate a backdoor. The attackers must prepare a dictio-
nary/word list, accuracy in selecting the dictionary is
a must and cracking the password in time depends on
the length of the password’s characters. Otherwise, a
brute force password via user ”administrator” can be
successfully performed of FTP by Hydra and failed
attempt Telnet.
root@bt:∼# hydra -l administrator -P
passdict.txt 10.10.10.25 ftp
[DATA] 16 tasks, 1 servers, 26870 login tries
(l:1/p:26870), ∼1679 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 10.10.10.25 login:
administrator password: intrusion
Moreover, the attacker launched TSgrinder to guess
the password of the remote desktop. This failed and
the dsniff was launched to the sniff user and pass-
word in broadcast network. HTTP brute force was
used to guess the web directory. Meanwhile, the traf-
fic attempt of brute force is dominant, as shown in
Figure 3(a).
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016
3) The attacker launched powerful tools such as Metas-
ploit, Cain and Abel and Netcat to find the com-
mand prompt. They attempted to obtain privileges
and attack launches via the command prompt, which
freely creates a new user account and removes the
traces. In this step, after obtaining a valid user, the
attackers attempted to implant a Trojan to create
the backdoor. They successfully implanted the Net-
bus Trojan and executed the ”Abel” in an ARP poi-
son attack. New users ”puma”, ”mike” and ”john”
were created before the attackers attempted to crack
the administrator password via John the Ripper and
Rainbow.The attacker attempted an IIS attack via
buffer overflow and SQL injection to break into a sys-
tem. During that time, they tried to find the weak-
nesses and structure of the website via SQL injection
in order to ascertain certain information and the er-
ror page from HTTP server.
4) Finally, to reduce availability the attackers contin-
uously launched DoS attacks by flooding the ICMP
and UDP. They were successful; the system could not
respond and crashed after a few minutes. Repeated
requests meant that the target was unable to handle
the service and reduce the availability. The results of
this scenario are shown in Figure 3(b) below.
4 Experiment Results and Discus-
sion
Snort is used to identify and recognize threats from
data traffic. It produces lots of logs contained in ma-
chine 10.10.10.30 ”var/log/snort” directory. The scan-
ning stages produces 677,914 packets and snort identi-
fied 45,139 alerts among them as threats. Meanwhile,
in the penetration stage there were 33,865,687 packets
and 265,200 were identified by the existing signature as a
threat.
4.1 Attack Pattern
This section presented some sample attack patterns
(Probe, U2R, R2L and DoS) from the experiment. Ev-
ery alert was compiled via snort and pcap files. In this
case, the pcap file was extracted and revealed some fea-
tures such as: time stamp, source IP Address, destination
IP Address, Protocol, size of protocol, Flag of Protocol,
Total Length of packet and content of packet.
From observations that were made, specific character-
istics of line to line attacks from can be recognised from
the header and payload of packets. They have a unique
pattern which tends to iterate in a particular line. Some
characteristics of pattern are as follows:
1) Web scanning, especially HTTP and HTTPS recon-
naissance, has the following characteristics: (i) each In this phase, snort confirms that there are 4078 lines
packet has a source and destination IP address and identified as ”SCAN FIN” as shown in Figure 4 below
port numbers are spoofed, (ii) connections are said and Table 1 shows the total attempts at probe attacks.
507
to be state and number of ports accessed by a single
source, (iii) TCP flags are used randomly during the
attack, (iv) packet size and packet length are changed
frequently.
2) Netbus have these characteristics: (i) computer vic-
tims or servers typically listen on specific ports wait-
ing for instructions from attackers, (ii) they use TCP
protocol and port address 12345 to communicate
and each message has a fixed-length header, (iii) the
variable-sized data section follows the header and its
size is specified in the message-size field of the header,
(iv) the flag is fixed to the computer victim during
the communication process.
3) Brute force of FTP: (i) this attack generates repeti-
tion response, particularly content of flags and pro-
tocol length, (ii) anonymous user login attempts will
occur, (iii) the port address and flags are fixed dur-
ing attack, (iii) data connection uses the well-know
port 20 at the server side and control connection is
established on port 21.
4) Scenario of NetBIOS NULL session attack tries to
attack enumeration user and getting administrator
level, it have characteristic: (i) Packet size, total
length and flags fixed with randomly generated on
Port 139 (NetBIOS Session Service) and Port 445
(Common Internet File System), (ii) The flag value
is fixed and dominate by NetBIOS protocol session,
(iii) Vulnerability in Port 445 is possible to launched
SMB or Common Internet File System (CIFS) at-
tack, (iv) The TCP protocol are fixed during attack
attempt, NetBios Session Services (NBSS) port 135,
Remote Procedure Call (RPC) port 137, NetBIOS
Name Service port 138 and NetBIOS Datagram Ser-
vice port 139.
5) The characteristics of man in the middle attacks are:
(i) the ARP packet lack flag and protocol length
value, (ii) the ARP broadcasts from the attacker to
all IP addresses in one subnetmask and without infor-
mation of port source and destination, (iii) NetBIOS
datagram fixed used port 138 and NetBIOS Name
Service port 137.
Meanwhile, the number of rows that were gener-
ated by snort due to repetition of the same informa-
tion were observed. This can be simplified by initialis-
ing the signature-id and priority. Each alert comprises of
signature-id, priority, source of IP Address, source port,
destination of IP Address, destination of port address,
timestamp, Time To Live, Type of Service, IP Length
and Datagram length.
4.2 Identify of Probe
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016 508

Figure 4: Probe stages

Figure 5: Root to Local (R2L)

International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016
Table 1: The Number of Alert from Scanning stages
No Detected Alert
1 SCAN FIN
2 NETBIOS SMB repeated logon failure
3 WEBROOT DIRECTORY TRAVERSAL
4 WEB-MISC http directory traversal
5 NETBIOS SMB repeated logon failure
6 NETBIOS SMB-DS repeated logon failure
7 (portscan) TCP Portscan
8 ICMP Timestamp Reply
9 SQL ping attempt
10 ICMP Information Request
11 SCAN nmap XMAS
12 ICMP webtrends scanner
13 RPC portmap listing TCP 111
14 SCAN Amanda client version request
15 ICMP superscan echo
16 NETBIOS SMB-DS ADMIN$ unicode share access
17 NETBIOS SMB-DS D$ unicode share access
18 (portscan) TCP Portsweep
19 NETBIOS SMB-DS C$ share access
20 NETBIOS SMB-DS ADMIN$ share access
4.3 Identify R2L
Figure 5 shows one of the attacks as described in the 2nd
scenario above. This attack focuses on obtaining privi-
leges for the system. The attacker launched several meth-
ods to attempt to find the passwords for FTP and Tel-
net. Moreover, Figure 3(b) demonstrates that traffic of
brute force becomes very dominant. Meanwhile, Table 2
shows the number of alerts from this attack. The attack-
ers tried repeatedly to guess the password by using the
default user.
4.4 Identify U2R
The attackers just focused on how to gain escalating priv-
ileges via level ”administrator/root”. They succeeded in
creating some new users with administrator level, im-
planting the malware and finding the backdoor. Figure 6
shows a sample from this attack and how the attackers
got into the system via an ”anonymous” user, then at-
tempts privileges infiltration via change working directory
(CWD) of FTP. Table 3 shows the number of alerts from
this attack.
4.5 Identify DoS
Flooding to Denial of Services (DoS) is the final scenario.
Within hours the attackers attempted to disrupt the nor-
mal functioning to affect the availability of the target and
succeeded. The system response delay value rose slightly
as compared to before the attack. The result was system
509
Priority Total
2 4078
1 453
3 433
2 142
1 101
1 74
2 49
1 31
3 17
3 15
2 10
2 9
2 6
2 4
2 4
3 4
3 2
3 2
3 1
3 1
failures and crashes shows in Figure 7. Table 4 shows the
number of alerts from this attack.
4.6 Network Traffic Visualisation
This section presented the overall network traffic from
scanning and penetration stages shown in Figure 3 be-
low. Item (a) depicts the overall traffic of HTTP from
scanning stages and item (b) shows the dominant traf-
fic from brute force attacks. Pecentage of SSH/Telnet is
allocated 84.96% and ICMP allocated 6.41% from total
overall traffic.
This attack focused on achieving access and escalat-
ing privileges, especially penetration via brute force to
FTP and Telnet. Point (c) in Figure 3 shows some scan-
ning tools from attackers to victim and some of the tools
with open connections to the internet. We also see here
whether there are any updates of existing vulnerabilities
in their database. Meanwhile, item (d) is handshaking
traffic attackers and victims in penetration stages; the
mark indicates that the attacker launched a comprehen-
sive attack. Items (c) and (d) highlight greater traffic
flows from 10.10.10.20 and 10.10.10.15 to victim.
5 Conclusions and Future Works
We believe that penetration testing is vital in the search
for all kinds of vulnerabilities and for evaluating overall
systems. However, the small amount of vulnerability in-
formation obtained should be of particular concern. This
paper presents the vulnerabilities of Windows Server.
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016 510

Table 2: The Number of Alert from R2L stages

No Detected Alert Priority Total

1 INFO FTP Bad login 2 67625
2 WEB-PHP remote include path 1 2709
3 WEB-MISC cross site scripting attempt 1 1380
4 COMMUNITY WEB-PHP XSS attempt 1 596
5 COMMUNITY WEB-PHP XSS attempt 1 510
6 NETBIOS SMB repeated logon failure 1 453
7 NETBIOS SMB-DS repeated logon failure 1 106
8 WEB-MISC Tomcat servlet mapping cross site scripting attempt 1 19
9 (ftp telnet) Invalid FTP Command 3 18
10 WEB-CGI perl command attempt 2 13
11 FTP CWD ãttempt 2 2

Table 3: The Number of Alert from U2R stages

No Detected Alert Priority Total

1 WEB-MISC /etc/passwd 2 1876
2 NETBIOS SMB repeated logon failure 1 1161
3 ATTACK-RESPONSES Invalid URL 2 150
4 BACKDOOR netbus active 1 36
5 WEB-IIS CodeRed v2 root.exe access 1 19
6 BACKDOOR sensepost.exe command shell attempt 2 16
7 DOUBLE DECODING ATTACK 1 14
8 WEB-ATTACKS /etc/shadow access 2 12
9 BACKDOOR c99shell.php command request 1 4
10 WEB-MISC bad HTTP/1.1 request, Potentially worm attack 2 3
11 BACKDOOR netbus getinfo 1 1
12 FTP CWD ... 1 1
13 FTP CWD Root directory transversal attempt 3 1

Table 4: The Number of Alert from DoS stages

No Detected Alert Priority Total

1 BAD-TRAFFIC tcp port 0 traffic 3 12548
2 ICMP PING Windows 3 8334
3 ICMP PING 3 6300
4 ICMP Echo Reply 3 2125
5 ICMP Destination Unreachable Port Unreachable 3 2082
6 (snort decoder) Bad Traffic Loopback IP 3 1332
7 (snort decoder) Bad Traffic Same Src/Dst IP 3 678
8 ATTACK-RESPONSES Invalid URL 2 150
9 SNMP trap udp 2 30
10 NETBIOS SMB Trans Max Param/Count DOS attempt 3 12
11 DDOS Stacheldraht client check gag 2 7
12 COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt 2 4
13 DDOS mstream client to handler 2 2
14 NETBIOS SMB-DS Trans unicode Max Param DOS attempt 3 1
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016 511

Figure 6: User to Root (U2R)

Figure 7: Denial of services (DoS)

International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016
This server presents many open invitations for attack-
ers to exploit as can be gathered from all the experiments
conducted: implanting malware, password guessing, root-
ing, web injection, creating a backdoor and DoS. It can be
concluded that the OS is vulnerable and open to exploita-
tion, and thus requires more effort to be secured. Our
conclusions are as follows: (i) there are relationships re-
sulting from the scanning and information from the CVE
vulnerability database, (ii) update policy and manage-
ment of authentication for user, (iii) it is important that
security operators assume that they will be hacked and
should better secure themselves for that reason.
Meanwhile, what this experiment indicates is that
there a large number of new attacks that could remain
hidden in the data and would not be identified using ex-
isting Snort signature. Snort cannot be used as a se-
curity platform to protect against threats; it cannot be
expected to detect all threats and trigger the necessary
response. However, Snort is adept at protocol analysis,
content matching, and packet logging. Therefore, some
future work must be conducted such as: (i) how to ex-
tract the data to analysed, (ii) how to classify the threat
and normal access, and (iii) how to visualise alert to show
details of taxonomy information from Snort.
References
[1] N. Athanasiades, R. Abler, J. Levine, H. Owen,
and G. Riley, “Intrusion detection testing and
benchmarking methodologies,” in First IEEE In-
ternational Workshop on Information Assurance
(IWIA’03), pp. 63–72, 2003.
[2] N. Barrett, “Penetration testing and social engineer-
ing: Hacking the weakest link,” Information Security
Technical Report, vol. 8, pp. 56–64, 2003.
[3] R. Beghdad, “Critical study of neural networks in
detecting intrusions,” Computers & Security, vol. 27,
pp. 168–175, 2008.
[4] R. Beghdad, “Efficient deterministic method for de-
tecting new U2R attacks,” Computer Communica-
tions, vol. 32, pp. 1104–1110, 2009.
[5] D. Bradbury, “Hands-on with metasploit express,”
Network Security, vol. 2010, pp. 7–11, 2010.
[6] V. Broucek and P. Turner, “Technical, legal and eth-
ical dilemmas: Distinguishing risks arising from mal-
ware and cyber-attack tools in the ’cloud’-a forensic
computing perspective,” Journal of Computer Virol-
ogy and Hacking Techniques, vol. 9, pp. 27–33, 2013.
[7] R. Bruen, “Intrusion detection systems: Problems
and opportunities,” Software Focus, vol. 2, pp. 151–
156, 2001.
[8] S. Chebrolu, A. Abraham, and J. P. Thomas, “Fea-
ture deduction and ensemble design of intrusion de-
tection systems,” Computers & Security, vol. 24, pp.
295–307, 2005.
[9] B. Clive, “Hacking: An abuse of privilege,” Com-
puter Audit Update, vol. 1990, no. 1, pp. 21–24, 1989.
512
[10] E. Conrad, S. Misenar, and J. Feldman, Domain 2:
Access Control (Chap. 3), CISSP Study Guide, pp.
37–89, 2010.
[11] J. Conrad, “Seeking help: The important role of eth-
ical hackers,” Network Security, vol. 2012, pp. 5–8,
2012.
[12] S. David, “The state of network security,” Network
Security, vol. 2012, pp. 14–20, 2012.
[13] H. Gascon, A. Orfila, and J. Blasco, “Analysis of
update delays in signature-based network intrusion
detection systems,” Computers & Security, vol. 30,
no. 8, pp. 613-624, 2011.
[14] S. Hansman and R. Hunt, “A taxonomy of network
and computer attacks,” Computers & Security, vol.
24, pp. 31–43, 2005.
[15] H. Holm, “Performance of automated network vul-
nerability scanning at remediating security issues,”
Computers & Security, vol. 31, no. 2, pp. 164–175,
2012.
[16] J. Hua and S. Bapna, “The economic impact of cy-
ber terrorism,” The Journal of Strategic Information
Systems, vol. 22, no. 3, pp. 175–186, 2013.
[17] G. Kenneth, “Cyber Weapons Convention,” Com-
puter Law & Security Review, vol. 26, pp. 547–551,
2010.
[18] S. Mansfield-Devine, “DDoS: Threats and mitiga-
tion,” Network Security, vol. 2011, pp. 5–12, 2011.
[19] N. Martin and J. Rice, “Cybercrime: Understanding
and addressing the concerns of stakeholders,” Com-
puters & Security, vol. 30, pp. 803–814, 2011.
[20] R. A. Martin, “Managing vulnerabilities in net-
worked systems,” IEEE Computer, vol. 34, no. 11,
pp. 32–38, 2001.
[21] K. K. M. D. Maynor, Metasploit Toolkit for Penetra-
tion Testing, Exploit Development, and Vulnerability
Research, Elsevier Inc, pp. 1-64, 2007.
[22] P. Mell, V. Hu, R. Lippmann, J. Haines, and M.
Zissman, An Overview of Issues in Testing Intrusion
Detection Systems, Technical Report NISTIR 7007,
July 11, 2003.
[23] D. E. Neghina and E. Scarlat, “Managing informa-
tion technology security in the context of cyber crime
trends,” International Journal of Computers Com-
munications & Control, vol. 8, pp. 97–104, 2013.
[24] C. P. Pfleeger, S. L. Pfleeger, and M. F. Theofanos,
“A methodology for penetration testing,” Computers
& Security, vol. 8, pp. 613–620, 1989.
[25] R. J. Potts, “Hacking: The threats,” Computer Audit
Update, vol. 1990, no. 1, pp. 14–15, 1989.
[26] E. Schultz, “RPC in Windows systems: What you
don’t know could hurt you,” Network Security, vol.
2004, pp. 5–8, 2004.
[27] E. Schultz, “Windows 2000 security A postmortem
analysis,” Network Security, vol. 2004, pp. 6–9, 2004.
[28] A. Shiravi, H. Shiravi, M. Tavallaee, and A. A. Ghor-
bani, “Toward developing a systematic approach to
generate benchmark datasets for intrusion detec-
tion,” Computers & Security, vol. 31, pp. 357–374,
2012.
International Journal of Network Security, Vol.18, No.3, PP.501-513, May 2016 513

[29] M. D. Steve, “Hacktivism: Assessing the damage,” Abdul Hanan Abdullah (SCOPUS ID: 11338934800),
Network Security, vol. 2011, pp. 5–13, 2011. received his B.Sc. and M.Sc from University of San
[30] D. Stiawan, M. Y. Idris, and A. H. Abdullah, “Pene- Francisco, California, and Ph.D from Aston University,
tration testing and network auditing: Linux ” Jour- Birmingham, United Kingdom. He is a Senior Professor
nal of Information Processing Systems, vol. 11, pp. at Faculty of Computing, Universiti Teknologi Malaysia
104–115, 2015. (UTM). Currently, he is the Head of Pervasive Comput-
[31] G. C. Tjhai, M. Papadaki, S. M. Furnell, and N. ing Research Group. His research areas of interest include
L. Clarke, “The problem of false alarms: Evaluation Pervasive Computing, Network Security, Cloud and Grid
with snort and DARPA 1999 dataset,” in Trust, Pri- Computing.
vacy and Security in Digital Business, LNCS 5185,
Mohammed AlQurashi received B.Sc. in Computer
pp. 139-150, Springer, 2008.
from King Abdul Aziz University, Saudi Arabia in 2009,
[32] S. W. Woo, H. Joh, O. H. Alhazmi, and Y. K.
and M.Sc. in Computer Science from University of Texas
Malaiya, “Modeling vulnerability discovery process
at San Antonio, USA, in 2013. Currently, he is a lec-
in Apache and IIS HTTP servers,” Computers & Se-
turer and researcher at Smart Network Research Group,
curity, vol. 30, pp. 50–62, 2011.
at College of Computer Science and IT, Albaha Univer-
Deris Stiawan (SCOPUS ID: 36449642900), received sity, Saudi Arabia. His research interests include, Infor-
his Ph.D degree in Computer Science from Universiti mation Security, Cloud computing, and Network Security.
Teknologi Malaysia in 2013. Currently he is an senior
lecturer in Faculty of Computer Science, University Rahmat Budiarto (SCOPUS ID: 6603477220) received
of Sriwijaya, Indonesia. In 2011, He holds Certified B.Sc. degree from Bandung Institute of Technology in
Ethical Hacker (C—EH) & Certified Hacker Forensic 1986, M.Eng, and Dr.Eng in Computer Science from
Investigator (C—HFI) licensed from EC-Council. His Nagoya Institute of Technology in 1995 and 1998, respec-
research interests concern network & information se- tively. He is currently a professor and the head of Smart
curity fields, focused on network attack and intrusion Networked Research Group at College of Computer Sci-
prevention/detection system. ence and IT, Albaha University, Saudi Arabia. His re-
Mohd Yazid Idris (SCOPUS ID: 36448800600), is a search interests include IPv6, network security, Wireless
senior lecturer at of Computing, Universiti Teknologi sensor networks and MANETs.
Malaysia. He obtained his M.Sc and Ph.D in the area
of Software Engineering, and Information Technology
(IT) Security in 1998 and 2008 respectively. In software
engineering, he focuses on the research of designing and
development of mobile and telecommunication software.
His main research activity in IT security is in the area
of Intrusion Prevention and Detection (ITD). He is
currently active in various academic activities and in-
volves in university-industry link initiative in both areas.