
DEVELOPING A PENETRATION TESTING LABORATORY AS A BASIS FOR

NETWORK SECURITY

A Research
Presented to the
Computer Engineering Department
College of Engineering and Architecture
Pangasinan State University
Urdaneta City

In Partial Fulfilment
of the Requirements for the Degree
Bachelor of Science in Computer Engineering
Major in System and Network Administration

ELLYSA BALANZA
JAE ANNE V. EBORA
CLARK JR. P. NONES
JUNE 2022
APPROVAL SHEET

The Design Project entitled “DEVELOPING A PENETRATION TESTING LABORATORY AS A BASIS FOR NETWORK SECURITY,” prepared and submitted by ELLYSA BALANZA, JAE ANNE V. EBORA, and CLARK JR. P. NONES in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Engineering Major in Systems and Network Administration, has been examined and recommended for acceptance.

FEVICLENE L. VILLAMOR, CpE
Critic Reader

KENNETH OLIVER S. LOPEZ, Ph.D.
Adviser

Approved by the Committee on Oral Examination

EMMERSON A. CANUEL, MSME
Advisory Committee

KHAYZELLE C. CAYABYAB, CpE
Advisory Committee

JAY-AR PENTECOSTES, CpE
Advisory Committee

Accepted in partial fulfillment of the requirements for the degree of

Bachelor of Science in Computer Engineering Major in Systems and Network

Administration this June 2022.

REX B. BASUEL, Meng’g, CCpE
Department Chairman, CpE
College Dean, CEA

HONORIO L. CASCOLAN, Ph.D.
Campus Executive Director

ACKNOWLEDGMENT

First and above all, from the bottom of our hearts, we would like to thank

God Almighty for the courage, strength, guidance, knowledge, opportunity, and

wisdom to undertake this thesis project.

This project thesis would not have been possible without the help of some

individuals and institutions. It is a great honor and pleasure to acknowledge the

support and assistance of the following people who assisted and supported us in

various ways for the success of this study.

Firstly, we would like to express our sincerest gratitude to our project

adviser, Dr. Kenneth Oliver S. Lopez, for the never-ending support, patience,

motivation, and guidance in finishing this research study. His utmost knowledge

and ideas in this study helped us go through this.

We would also like to thank our advisory committee, Engr. Emmerson A.

Canuel, Engr. Jay-Ar Pentecostes, and Engr. Khayzelle C. Cayabyab for giving

their insights on improving this study, understanding us (the researchers) and our

research study, and for the patience in giving us time to share our knowledge and

ideas with this project.

We would also like to express our gratitude to the rest of the Computer Engineering Faculty, who motivated us and shared techniques that helped us through this phase. We also thank Engr. Rex B. Basuel, Dean of the College of Engineering and Architecture, for the knowledge he shared with us and for his favorable response regarding this study.

To our families and friends, we express our sincerest gratitude and heartfelt

"Thank You" for giving us motivation, patience, financial needs, and extra push

during rough times. You are our inspiration.

We owe our deepest gratitude to the Department of Science and Technology (DOST) and all its staff for the financial support throughout our college life. We would not be where we are right now without their help. We will never forget that we are 'Scholars for the Nation.'

Lastly, gratitude and appreciation should also go to us, the researchers, for

giving the best in this study. We hope you appreciated the outcome of our hard

work, hopes, dreams, sleepless nights, blood, sweat, and tears. Thank you for not

giving up.


DEDICATION

This study is wholeheartedly dedicated to our Almighty Father, for the courage,

strength, guidance, and knowledge, and for giving us a healthy life.

To our beloved family and friends, who have been our source of inspiration throughout our college life up to the completion of this study.

And to the faculty of the Computer Engineering Department for giving their time,

effort, and support in making this study possible.

Ellysa Balanza

Jae Anne V. Ebora

Clark Jr. P. Nones

TABLE OF CONTENTS

Page

TITLE PAGE …………………………………………………………………i

APPROVAL SHEET ………………………………………………………...ii

ACKNOWLEDGMENT ……………………………………………………......iii

DEDICATION ………………………………….…….……….………………v

TABLE OF CONTENTS ………………………………………………………...vi

LIST OF TABLES ……………………………………………………………… xi

LIST OF FIGURES ……………………………………………………………… xiii

ABSTRACT …………………………………………………………………... xvi

CHAPTER 1: INTRODUCTION

Background of the Study …………………………….………………….. 1

Statement of the Problem …………………………….………………….. 4

Significance of the Study …………………………….………………….. 6

Scope and Delimitation of the Study ….……………..…………….….. 7

Definition of Terms and Variable …………………………………………. 9

CHAPTER 2: REVIEW OF RELATED LITERATURE AND STUDIES

Related Literature

Ethical Hacking ……………………………………………….. 13

Cybersecurity in the Philippines .………………………………. 14

Kali Linux ……………………………………………………….. 14

Penetration Testing …..………………………………………….... 15


Reconnaissance Tools …………………………………………… 16

Scanning for Vulnerabilities Tools.………………………………. 17

Gaining Access Tools….………………………………………….. 20

Penetration Test Laboratory……………………………………… 27

Related Studies

Ethical Hacking.…………………………………………………… 32

Penetration Testing for Kali Linux.…………….………………… 33

Penetration Testing Tools.……………………….………………. 35

Research Paradigm ………………………………….……………….. 39

Conceptual Framework ……………………………….……………… 40

CHAPTER 3: METHODOLOGY

Research Design …………………….…………………..…………….. 42

Data Collection

Observation …………………………………………………….. 43

Data Gathering ……………………………………………………. 44

Tools for Analysis ………………………………………………. 44

Testing ……………………………………………………………. 45

Statistical Treatment …………………………………………… 46

CHAPTER 4: PRESENTATION AND DISCUSSION

Network Topology and Configurations ...…………………………….. 48

Penetration Testing Tools …….………………………………….…… 51

Recon-ng .……………………………………………………… 52


theHarvester ...………………………………………………… 55

Nmap ……………………………………………………...…….. 57

Nikto ……………………………………………………………… 64

Wireshark .……………………………………………………. 68

TCPDump ..…………………………………………………….. 71

ExploitDB ..…………………………………………………….. 73

Metasploit .………………………………………………..……. 75

Brutespray ..…………………………………………………….. 78

THC-Hydra ..…………………………………………………….. 83

John-the-Ripper ..……………………………………………. 86

Burpsuite .………………………………………………...… 89

Sqlmap .…………………………………………………… 95

Cisco-Global-Exploiter …………………………………… 101

Yersinia …..………………………………………………… 104

Aircrack-ng ...……...…………………………………………… 108

Fern-WiFi-Cracker ...…………………………………………... 111

Karmetasploit …..…………………………………………… 113

Setoolkit …..………………………………………………… 114

Penetration Testing Tools’ Speed .……………………………………. 116

Penetration Testing Tools’ Coverage.………………………………… 126

Reliability and Acceptability of the Penetration Testing Laboratory …………. 138


Problems Encountered During the Implementation of the Nineteen Penetration Testing Tools ………. 147

CHAPTER 5: SUMMARY, CONCLUSION, AND RECOMMENDATION

Summary ……….…………………….……………………………… 151

Conclusion .………………………………………………….………… 153

Recommendations ...…………………………………………….…… 156

BIBLIOGRAPHY ………………………………………………………….…. 159

APPENDICES

Appendix A – Actual Laboratory Setup ...…………………………... 165

Appendix B – Cisco 2811 Catalyst Router Specifications ...……… 167

Appendix C – DTE/DCE Serial Cable Specifications …...……….. 170

Appendix D – Straight-through Cable Pin Out …………..………... 171

Appendix E – Cisco 3750 Catalyst Switch Specifications ………... 172

Appendix F – Raspberry Pi 4 Model B Specifications …………..…. 178

Appendix G – Strontium Nitro 32GB MicroSD Specifications …..... 180

Appendix H – TP-Link TL-WR840N Technical Specifications …….. 181

Appendix I – Raspberry Pi 3 Model B+ Specifications …………… 182

Appendix J – Strontium Nitro 16GB MicroSD Specifications ……… 184

Appendix K - Port and Network Configurations …………………..… 185

Appendix L – SSH and Telnet Configurations ……..……..……..….. 186

Appendix M – Routing Configurations on Routers: EIGRP and BGP …………………... 188

Appendix N – DHCP Configuration on Blue Team Router ………. 190


Appendix O – VLAN Management Configuration on Switch ……… 191

Appendix P – Access Point Configuration .………………..…...… 193

Appendix Q – Sample Laboratory Manual …………………….. 194

Appendix R – Questionnaire …………………………………….. 199

Appendix S – Computation for the Average Weighted Mean …..... 203

Appendix T – USE Questionnaire Developed by Arnold Lund …… 209

OTHER PERTINENT DOCUMENTS

A. Title Defense ………………...…………………..……………... 210

B. Minutes of the Meeting for Title Defense ..… ………………..... 212

C. Approved Project Outline ...……..……………………………… 214

D. Check-Up Defense ……………………………....…………….. 216

E. Minutes of the Meeting for Check-up Defense ..……………… 218

F. Final Defense ………………….………………....…………….. 221

G. Minutes of the Meeting for Final Defense ..…………………… 223

H. Compliance Report ….……….………………....………………. 228

I. Requisition Form for Plagiarism Grammar Scanning ….……… 231

J. Certificate of Plagiarism and Grammar Scanning ….…………. 232

CURRICULUM VITAE … ……………………………………………..... 233

LIST OF TABLES
TABLES PAGE

1 Likert Scale Response Options 47

2 Port and Network Configurations 50

3 Classification of Penetration Testing Tools 116

3.1 Speed of the Modules Used in Recon-ng and theHarvester 117

3.2.1 Speed of the Attacks Used in Scanning Vulnerabilities Tools 117

3.2.2 Speed for Searching Vulnerabilities Using Wireshark and TCPDump 118

3.2.3 Speed for Searching Vulnerabilities Using ExploitDB 119

3.3.1 Speed of Port Scanning and Exploitation using Metasploit 120

3.3.2 Speed of Brute forcing Using Brutespray and THC-Hydra 120

3.3.3 Speed of de-hashing using John-the-Ripper 121

3.3.4 Speed of SQL Injection Using Burpsuite and SQLmap 121

3.3.5 Speed of Performing Denial-of-Service using Cisco-Global-Exploiter and Yersinia 122

3.3.6 Speed of Wireless Cracking Using Aircrack-ng and Fern-Wifi-Cracker 123

3.3.7 Speed of Creating Fake Access Point Using Karmetasploit 124

3.3.8 Speed of Harvesting Credentials Using Social Engineering Toolkit 124

4 Likert Scale with Interpretation 139

4.1 Reliability of the Penetration Testing Laboratory Under the Category Usefulness 140


4.2 Reliability of the Penetration Testing Laboratory Under the Category Ease of Use 141

4.3 Reliability of the Penetration Testing Laboratory Under the Category Ease of Learning 142

4.4 Reliability of the Penetration Testing Laboratory Under the Category Satisfaction 144

LIST OF FIGURES

FIGURE # PAGE

1 Research Paradigm of the Study 39

2 Conceptual Framework of the Study 41

3 Agile Process Model of the Study 42

4 Laboratory Setup in Packet Tracer 48

5 Contacts Information Scanned by Recon-ng 53

6 Hosts Information Scanned by Recon-ng 54

7 Hosts Information Scanned by theHarvester 56

8.1 Discovered IP Addresses Within the Network 58

8.2 Discovered IP Addresses with Parameters 58

9 Scanned Open Ports on Nmap 60

10 Result of Scanning Target Web Server Using Scripts 61

11.1 Brute forced Target Server Using Nmap 63

11.2 Result of Brute forced Target Web Server Using Scripts 63

12.1 Scanned Vulnerabilities on DVWA Using Nikto 65

12.2 Tuning SQl Injection on DVWA 67

13.1 Failed Login Attempt 69

13.2 Failed Login Attempt 69

14.1 Successful Login Attempt 70

14.2 Successful Login Attempt 70

15.1 Discovered DHCP and CDP Packets 70


15.2 Discovered DHCP and CDP Packets 70

16 Captured Username and Password 72

17.1 Result of the searchsploit Samba Linux Command 74

17.2 Result of the searchsploit Samba Linux Metasploit Command 74

18 Failed Exploitation on Metasploit 77

19.1 Result of the Brute-Forced Process on Target Server 80

19.2 Brute-Forced Process on Cisco Router 81

20 Dictionary Attack on the Target Server 85

21 Decrypted Hash Passwords of the Username 88

22 Response of Low-security Level of DVWA 91

23.1 Response of the Payload on the Website 92

23.2 Response of the Payload on the Website 92

24.1 Displaying the Response of the Payload Through HTML 94

24.2 Displaying the Response of the Payload Through HTML 94

25.1 Target Parameters on Low-security Level 97

25.2 Adding Backslash to the Target Parameters on Sqlmap 97

26 Target Parameters on Medium-security Level 98

27 Target Parameters on High-security Level 98

28 Target Parameters on Impossible-security Level 99

29 Result of the SQL Injection Attack Using Sqlmap 100


30 Cisco 677/678 Telnet Buffer Overflow Vulnerability 102

31 Cisco IOS Router Denial of Service Vulnerability 102

32 Verification of the Successful DHCP Starvation Attack 106

33 Verification of Successful CDP Flooding on Switch 107

34.1 Scanned Access Points 109

34.2 Cracked WPA from the TP-Link Pentester 110

35 Key Database 112

36.1 Cloned Google Login Page and the Captured Credentials 115

36.2 Cloned Google Login Page and the Captured Credentials 115

37 Penetration Testing Tools and Their Penetration Testing Phases 127

37.1 Recon-ng and theHarvester’s Coverage 128

37.2.1 Nmap and Nikto’s Coverage 130

37.2.2 Network Monitoring Tools’ Coverage 131

37.2.3 ExploitDB’s Coverage 131

37.3.1 Metasploit’s Coverage 132

37.3.2 Password Cracking Tools’ Coverage 134

37.3.3 Web Application Testing Tools’ Coverage 135

37.3.4 Network Infrastructure Tools’ Coverage 136

37.3.5 Wireless Network Testing Tools’ Coverage 137

37.3.6 Social Engineering Tools’ Coverage 137

ABSTRACT

Research Title: DEVELOPING A PENETRATION TESTING LABORATORY AS A BASIS FOR NETWORK SECURITY
Researchers: Ellysa Balanza, Jae Anne V. Ebora, Clark Jr. P. Nones
Degree/Course: BS Computer Engineering Major in Systems and Network Administration
Institution: Pangasinan State University – Urdaneta City Campus
Year Graduated: 2022
Adviser: Dr. Kenneth Oliver S. Lopez
Keywords: Penetration testing, cybersecurity, ethical hacker, Kali Linux, laboratory, attacker, target, passive reconnaissance, scanning for vulnerabilities, gaining access, exploits

The study "Developing a Penetration Testing Laboratory as a Basis for Network Security" focuses on designing and developing an environment that is suitable and safe for penetration testing. Nineteen (19) penetration testing tools were installed in the laboratory, tested, and evaluated, and their effectiveness was assessed in terms of speed and coverage. The laboratory was divided into two (2) sides, attacker and target: one device acted as the attacker, and the remaining equipment served as the targets. The researchers ran the nineteen (19) penetration testing tools from the attacker machine.


The developed penetration testing laboratory was tested by thirty (30) students. After testing, the students answered a questionnaire to determine the reliability of the developed laboratory in terms of the following dimensions: Usefulness, Ease of Use, Ease of Learning, and Satisfaction. The only limitation found in the penetration testing laboratory was that three (3) of the tools did not run successfully because of hardware constraints; the remaining sixteen (16) tools were effective in the laboratory.

Based on the results, it is recommended that the nineteen (19) penetration testing tools presented could be replaced with other tools, and that the attacker machine could be replaced with laptops or desktops on which different tools can be installed. Some of the attacks performed were limited by the targets deployed, so it is also recommended to add or replace targets with machines running a Windows operating system. Finally, a more challenging simulation could be run by forming two teams, a Red Team for attacking and a Blue Team for defending.

CHAPTER 1

INTRODUCTION

BACKGROUND OF THE STUDY

The continuous development of technology and the Internet has revolutionized every facet of society at all levels, and organizations and individuals have become more dependent on these services irrespective of size, volume, use, or purpose. The numerous advantages of this evolution come with a rapid increase in users and their data. According to Statista, as of April 2022, five (5) billion people, or sixty-three (63) percent of the world's population, use the Internet (Johnson, 2022). Furthermore, the International Data Corporation (IDC) predicts that the global datasphere will reach one hundred seventy-five (175) zettabytes by 2025 (Reinsel et al., 2018).

The exposure to and threat of cyber-related crimes have been making headlines across media platforms, from personal to corporate security: data breaches, phishing scams, malicious software, identity theft, voyeurism, and many more (Kate B, 2021). Regardless of geographic or demographic segmentation, and across the significant sectors of society, whether private or public institutions, organizations, enterprises, government, or nongovernment, all are vulnerable in the face of cyber-related crimes (Interpol, 2020). These crimes primarily result in lost productivity, significant expenses for the affected systems, damage to the organization's reputation or integrity, and disruption of operational continuity (Amer O, 2020).


Despite the laws and policies in place, maintaining a secure environment, whether for an organization or an individual, has always been a constant challenge. There is a need for security assessments and measures, from sets of tools that identify and mitigate these threats to security software from a variety of vendors that limits the chance of mishaps and data loss. In addition, according to Secuna (2022), one of the leading cybersecurity testing platforms in the Philippines, to diminish these risks one must understand how black hat hackers think, plan, and operate. Organizations that do so are better positioned to discover and identify security issues, patch their systems, and devise strategies and solutions to avoid illegal digital intrusion (MB Technews, 2022).

Today, many government websites and college and university portals in the Philippines are insecure and vulnerable, which makes them susceptible to hacking. According to Manila Bulletin Technology News (MBTechNews), there has been a series of incidents in which groups of gray hat hackers in the Philippines, such as Phantom Troupe, Philippine Hacking University, and Pinoy Grayhats, accessed government portals without authorization, including www.gov.ph, career.org.gov.ph, the Office of the Solicitor General (OSG), and the Philippine National Police Academy (PNPA), as well as educational institutions such as the Polytechnic University of the Philippines (PUP), Far Eastern University (FEU), Fatima School Bacood, and many more. Unlike black hat hackers, gray hat hackers intend either to inform these organizations of their vulnerabilities so that the security weaknesses can be patched, or to hone their own cybersecurity skills (Samaniego, 2020).


However, even when the motivation is good, unauthorized infiltration into an organization's or company's infrastructure is rarely welcomed (Kaspersky, n.d.); thus, white hat hackers, or penetration testers, come into play.

Compared to black hat and gray hat hackers, white hat hackers have authorization to access a system or network in order to find vulnerabilities, report them, and have them fixed promptly. They are also called pentesters, a shorter term for penetration testers. However, ethical hacking is not a skill that can be learned and mastered in just months; it takes time and effort. A personal lab is therefore very useful for practicing with the penetration testing tools that are readily available online, since testing against devices on a production network, especially without permission from their owners, is not an option. Running the lab as virtual machines on a single host is one alternative, but the guest machines compete with the host for computing resources, which makes that setup far from ideal on a low-level or even mid-level system. With a dedicated laboratory, penetration testers can legally customize and control an environment that suits their needs, without defacing websites or illegally penetrating someone else's system and network.

With that, this study entitled “Developing a Penetration Testing Laboratory as a Basis for Network Security” was conducted to establish a laboratory that could equip the Computer Engineering students of Pangasinan State University – Urdaneta City Campus (PSU – UCC). Furthermore, the researchers used different penetration testing tools and methods and evaluated their effectiveness. Effectiveness was measured in terms of speed, which refers to the amount of time needed to complete a specific task, and coverage, which was defined as the ability of a particular tool to pass through the first three (3) phases of penetration testing, specifically information gathering, scanning for vulnerabilities, and gaining access.

STATEMENT OF THE PROBLEM

This study aimed to develop a penetration testing laboratory that could be

used by the Computer Engineering students of Pangasinan State University –

Urdaneta Campus (PSU – UCC) and determine the effectiveness of the different

penetration testing software as a basis for network security. Specifically, it

answered the following:

1. What must be the design of the penetration testing laboratory equipment?

2. How effective, in terms of speed and coverage, are the following penetration testing tools:

A. Information Gathering

a) Recon-ng; and

b) theHarvester

B. Scanning Vulnerabilities

a) Nmap;

b) Nikto;

c) Wireshark;


d) TCPDump; and

e) ExploitDB

C. Gaining Access

a) Metasploit;

b) Brutespray;

c) THC-Hydra;

d) John-the-Ripper;

e) BurpSuite;

f) Sqlmap;

g) Cisco-Global-Exploiter;

h) Yersinia;

i) Aircrack-ng;

j) Fern-WiFi-Cracker;

k) Karmetasploit; and

l) Social Engineering Toolkit

3. What is the reliability and acceptability (to the students) of the developed

laboratory equipment and manual?

4. What are problems encountered during the testing of the different

penetration testing tools?


SIGNIFICANCE OF THE STUDY

This study aimed to develop a penetration testing laboratory and a

laboratory manual that could be used by the Computer Engineering students in the

Systems and Network Administration (SNA) track of PSU – UCC. Furthermore,

penetration testing tools and methods were used to simulate the actual laboratory.

This study would be most beneficial to the following:

College Institutions – Specifically to those in the field of Computer Networks,

where this research would educate students that would be interested in the

cybersecurity field; equipping them with the right tools, let them hone their skills in

an actual environment, and as well as cultivating their knowledge about different

penetration testing tools, their effectiveness, and how to utilize them to their

advantage.

Business Institutions – Since this is one of the sectors most targeted by hackers, who are always looking to exploit vulnerabilities to steal data and even money, having a trained penetration tester would help prevent such unfortunate cases.

Government Institutions – This is also one of the sectors most targeted by hackers, especially hacktivists; there have been many recorded cases of website defacement and data leakage from different government organizations, which a penetration tester could have helped prevent beforehand.


The Researchers – With this study, it will be beneficial for the researchers

because they will gain additional knowledge, specifically in the process of

developing the laboratory and incorporating different penetration testing software

tools to practice and apply what they have learned. They can use this

understanding to equip themselves in the workforce. Furthermore, it can be of help

as a future reference for more studies or to further improve this study as the

technologies for both hardware and software are constantly being developed.

SCOPE AND DELIMITATION OF THE STUDY

This study focused on developing a penetration testing laboratory for the Computer Engineering Department of Pangasinan State University – Urdaneta Campus during the 2nd Semester of the Academic Year 2021 – 2022 and then testing the effectiveness of different penetration testing tools. The laboratory setup comprised one (1) Raspberry Pi 4 Model B with 4GB of Random-Access Memory (RAM) and 32GB of microSD storage, installed with Kali Linux as its operating system, which functioned as the attacker. The researchers used a Raspberry Pi 4 Model B, but others could use various devices such as desktop computers, laptops, and many more. The attacker simulated the basic features and functions of nineteen (19) different penetration testing tools: Recon-ng, theHarvester, Nmap, Nikto, Wireshark, TCPDump, ExploitDB, Metasploit, Brutespray, THC-Hydra, John-the-Ripper, Burpsuite, SQLmap, Cisco-Global-Exploiter, Yersinia, Aircrack-ng, Fern-WiFi-Cracker, Karmetasploit, and Social Engineering Toolkit. The testing method was gray box testing, wherein the tester has partial knowledge of the internal infrastructure of the laboratory setup. Recon-ng and theHarvester require an Internet connection to query their data sources, so they were run with Internet access even though no Internet connection was provided inside the penetration testing laboratory itself. Furthermore, two (2) Raspberry Pi 3 Model B+ units with 1GB of RAM and 16GB of microSD storage were used as the target desktop and the target web server, running the Raspbian Operating System (OS) and Ubuntu Server OS, respectively. A TP-Link TL-WR840N was used as the access point for the wireless network. Other components included one (1) Cisco Catalyst 3750 switch and two (2) Cisco 2811 routers, which were used to simulate separate networks; one of the routers served as the target router.

Furthermore, this laboratory was designed for internal testing only. This means that all penetration testing tools were run against the researchers' own network and infrastructure alone and were not run against any device or network for which the researchers had no permission; no other network, wireless network, or network infrastructure was tested. The researchers used only downloadable vulnerable web applications as targets. For Recon-ng and theHarvester, only passive reconnaissance was performed, so that no request was sent directly to the target system. The access point's broadcast Service Set Identifier (SSID) was "TP-Link Pentesters". Moreover, for the Social Engineering Toolkit, only one feature was used, since most of the tool's features rely on an Internet connection to run successfully.
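Scope discipline is the practical counterpart of the internal-testing rule described above. The following Python script is an added example, not part of the thesis, showing how the attacker machine could refuse to launch a tool against any address outside the laboratory. The subnets in LAB_SCOPE are assumptions that stand in for the real port and network configuration (which the thesis keeps in Appendix K), and the nmap argument list and target addresses are likewise illustrative.

```python
"""Scope guard for an isolated penetration testing laboratory.

Added example (not thesis code). The address plan below is assumed, not taken
from the thesis; replace LAB_SCOPE with the lab's actual networks.
"""
import ipaddress

# Assumed lab address plan (hypothetical). Every target must fall inside one of these.
LAB_SCOPE = [
    ipaddress.ip_network("192.168.10.0/24"),  # attacker side
    ipaddress.ip_network("192.168.20.0/24"),  # target side: desktop, web server, access point
    ipaddress.ip_network("10.0.0.0/30"),      # serial link between the two routers
]


def in_scope(target: str) -> bool:
    """True only if target (a single IP or a CIDR range) lies wholly inside a lab network.

    Hostnames are rejected outright: an isolated lab has no resolver to trust, and
    a name could silently resolve to something outside the lab.
    """
    try:
        # strict=False lets "192.168.20.5" parse as a /32 and "192.168.20.0/24" as a range.
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False
    # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
    return any(net.version == lab.version and net.subnet_of(lab) for lab in LAB_SCOPE)


def out_of_scope_targets(targets):
    """Return the subset of targets that the guard would reject, in the order given."""
    return [t for t in targets if not in_scope(t)]


def guarded_command(tool_argv, targets):
    """Build the argv for a tool run, refusing if any target is outside the lab.

    tool_argv is the tool and its options (e.g. ["nmap", "-sV"]); targets are appended
    only after every one of them has passed in_scope().
    """
    bad = out_of_scope_targets(targets)
    if bad:
        raise PermissionError(f"refusing to run {tool_argv[0]}: out-of-scope targets {bad}")
    return list(tool_argv) + list(targets)


if __name__ == "__main__":
    # Illustrative use: the web server target is allowed, a public resolver is not.
    print(guarded_command(["nmap", "-sV"], ["192.168.20.5"]))
    try:
        guarded_command(["nmap", "-sV"], ["8.8.8.8"])
    except PermissionError as err:
        print(err)
```

A wrapper like this belongs in front of every tool invoked from the laboratory manual, so that a mistyped octet cannot turn an exercise into an unauthorized scan; a supernet such as 192.168.0.0/16 is rejected even though it contains the lab, because the guard requires the target to be a subnet of an allowed range, not merely to overlap one.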


Lastly, thirty (30) respondents from the Bachelor of Science in Computer Engineering Major in Systems and Network Administration program of Pangasinan State University – Urdaneta Campus (PSU-UCC) tested and used the penetration testing laboratory, with the laboratory manual for guidance. A survey questionnaire was then used to gather data on the reliability and acceptability of the developed laboratory.

DEFINITION OF TERMS AND VARIABLE

Application Programming Interface (API) keys – codes used to identify and authenticate a user or an application to a service. Several Recon-ng marketplace modules and theHarvester data sources require API keys issued by the third-party services they query. (Fortinet, 2022)

Black Hat Hacker – unlike white hat hackers, they have no authorization to access the system or network they target and break into computer networks or systems with malicious intent. The information they obtain from a system or network may be sold to someone else or used to blackmail the hacked individual or organization. (Kaspersky, 2022)

Brute-force attack – an attack technique that recovers credentials by systematically trying combinations of usernames and passwords until the correct login credentials are found. (Kaspersky, 2022)


Coverage – the ability of these particular tools to pass through the first three

(3) phases of penetration, specifically, information gathering, scanning

vulnerabilities, and gaining access.

Cybercrime – crimes about the use of a computer and the Internet (e.g.,

unauthorized access to a system or network, internet fraud, website defacing,

identity theft, and password theft). (Kaspersky, 2022)

Datasphere – the theoretical location where digital data is kept. (UK

Dictionary)

Dictionary attack - is a password cracking approach in which attackers will

guess the password using a list of words. Those words and phrases can potentially

be the user's login credentials. (Swinhoe, 2020)

Exploits – code or techniques that take advantage of a vulnerability to compromise a system.

Gray Box Testing – a type of approach in penetration testing wherein the

penetration tester has limited information regarding its target. (Imperva, 2021)

Gray Hat Hacker – hackers who access systems or networks without authorization but without malicious intent, typically to report or fix weaknesses or to practice their skills; their activity sits between authorized white hat hacking and malicious black hat hacking. (Kaspersky, 2022)

Internal testing – the penetration testing tools are run only against the researchers' own network and infrastructure. They are not run against any device or network for which the researchers have no permission, and no other network, wireless network, or network infrastructure is tested.


Intrusion Detection Systems (IDS) – monitor and analyze network traffic for signs of cyberthreats, such as malware activity and other security violations, and raise alerts when they are detected. (Peters, 2020)

Intrusion Prevention Systems (IPS) – go one step further than an IDS by actively blocking or dropping network traffic that poses a possible security threat to the network. (Peters, 2020)

Open-Source Intelligence (OSINT) – gathering data from the Internet and

other publicly accessible resources. It collects information about computers and

networks' IP addresses, domain names, hostnames, DNS data, e-mails, and

publicly available information. (Chipeta, 2022)

Passive reconnaissance - gathering information on systems and networks

without engaging them directly. It is not directly interacting with the target system

by not sending any request to the target. Therefore, the target has no means of

knowing about the attacker gathering information. (Brathwaite, 2022)

Payloads – a command used by hackers to exploit a vulnerability. It

establishes a connection with the target machine and then acquires access, which

it can exploit to steal data or carry out other malicious operations. (Kaspersky,

2022)

Penetration testing – penetration testing, for short, is simulating a

cyberattack to exploit a system or network's vulnerability. (Imperva, 2021)

Pentester – a shorter term for Penetration Tester, wherein it is an individual

who practices penetration testing. (Cyber Degrees, 2022)


Session Cookie – a file containing identifiers, either a string of letters or numbers, that the website server sends to a browser, which then helps web pages load faster during navigation of the website. (Technopedia, 2021)

Speed – the time it takes a penetration testing tool to finish a given task.

White Hat Hackers – also known as Ethical Hackers, have the authorization to exploit a system or network legally. The information they gather will be used for good. (Kaspersky, 2022)

CHAPTER 2

REVIEW OF RELATED LITERATURE AND STUDIES

This chapter contains a review of literature and studies related to this research. These give the researchers an idea of, and particular insights into, the development of the study.

REVIEW OF RELATED LITERATURE

Ethical Hacking

The Internet is continuously growing and has become beneficial to every human in many different aspects of daily life. However, the Internet has its dark sides, where criminals linger. Therefore, knowing how users can protect the network is vital. According to Neeraj Rathore (2015), the practice of ethical hacking is breaking into a computer system without any malicious intent. Its goal is to identify security risks and report them to the users or the people who are at risk of cyber-attacks. Ethical hackers are the security experts who hack for defensive and constructive purposes. (Rathore, 2016)

13
CHAPTER II: REVIEW OF RELATED LITERATURE AND STUDIES

Cybersecurity in the Philippines

Cybersecurity in the Philippines is a relatively new field of expertise. In 2017, the Philippines spent only 0.04 percent of its GDP on cybersecurity, whereas other ASEAN countries spent 0.07 percent. Because of the increasing cases of hacking of government websites, mostly coming from China and Russia, the government established the Department of Information and Communications Technology (DICT). DICT aims to plan, develop, and promote the field of ICT. Secretary Gregorio Honasan Jr., the head of DICT, has three areas to prioritize: a) provide access for every Filipino; b) adopt more vital ICT infrastructures; and c) reduce cybercrime and cyberterrorism activities in the Philippines. (Romaniuk & Manjikian, 2021)

Kali Linux

Ethical hacking, security analysis, digital forensics, and decryption are some of the frequent uses of Kali Linux. It offers more than three hundred (300) penetration testing tools, precisely in the areas of information gathering, vulnerability analysis, wireless attacks, web applications, exploitation, sniffing & spoofing, password cracking, maintaining access, reporting tools, and many more. Nmap, Wireshark, SQLmap, Burpsuite, John-the-Ripper, Hydra, and Metasploit are well-known tools in this distribution. Kali Linux is a product of Offensive Security. (Ben, 2021)


Penetration Testing

According to Imperva (2021), in the article entitled "Penetration Testing," the penetration testing process has five (5) stages, namely: reconnaissance, scanning, gaining access, maintaining access, and analysis and web application firewall (WAF). The reconnaissance stage consists of identifying the network or systems that will be investigated, the testing methods to be utilized, and gathering information about the target (e.g., domain names, mail servers). The scanning stage is knowing how intrusions will be handled by the target. Gaining access uses attacks (web attacks) to identify the target's weaknesses or vulnerabilities. The ethical hackers then try to exploit the vulnerabilities found, whether by stealing data, intercepting traffic, or other means, to understand the damage they might cause to a specific system or machine. The maintaining access stage imitates advanced persistent threats (APTs), wherein an intruder tries to have a long-term presence on a network to steal data, specifically sensitive data. The final phase is analysis, which involves compiling the test results. The pentesters then report to the security personnel, who will create solutions to protect the network and its data against possible attacks. (Imperva, 2021)


Reconnaissance Tools

"In the process of reconnaissance, hackers tend to be like detectives, gathering data and information to comprehend their victims" (Upadhyay, 2020). Reconnaissance is one of the often-used methods in ethical hacking, in which the practitioner covertly discovers and collects information about a system. The steps in reconnaissance, according to Isha Upadhyay (2020), include: (a) collecting new information, (b) determining the network's range, (c) recognizing all active machines, (d) identifying the operating system in use, (e) identifying the operational framework, (f) listing the services used on each port, and (g) understanding the network map. Reconnaissance tools include Recon-ng and theHarvester.

Recon-ng is among the numerous tools available for the first penetration testing phase, reconnaissance or information gathering. It is free and open-source reconnaissance software written in Python. It comes pre-installed in Kali Linux and is operated from a command-line interface (CLI) with the same appearance as Metasploit. Recon-ng's features are interactive help, command completion, built-in convenience functions, and interaction with databases. Unlike the Metasploit Framework, which can exploit a particular machine or system, Recon-ng is solely designed for web-based open-source reconnaissance. This tool can only collect data on a specific target or domain. It provides an interactive console with command completion and contextual assistance. Overall, Recon-ng has one hundred fourteen (114) modules available, which can be installed from the marketplace inside Recon-ng. They are categorized according to their functionalities: reconnaissance, reporting, importing, exploitation, disabling, and discovery modules. However, twenty-three (23) modules might need prerequisites like application programming interface (API) keys. (Pence, 2020)

Another tool for the first phase of penetration testing is theHarvester. This package contains tools for gathering information. It gathers information like e-mail addresses, virtual hosts, subdomain names, open ports or banners, and employee names from different public sources like search engines (Kumar, 2022). TheHarvester has almost the same features as Recon-ng and is also operated from a command-line interface (CLI). They differ in the number of modules: theHarvester has only thirty-eight (38) modules to choose from, of which fourteen (14) require API keys. Furthermore, the modules do not require installation since they are already available in theHarvester. (Kumar, 2022)

Scanning for Vulnerabilities Tools

Scanning tools are software tools that examine a network for existing vulnerabilities, such as security misconfigurations. Network scanning is possible with Linux command-line utilities or various cloud-based services (Pedamkar, 2020). According to Pedamkar (2020), seven (7) popular tools are used to perform network scanning. One is Nmap, or Network Mapper, developed by Gordon Lyon. Nmap scans hosts and services on a network, identifies operating systems (OS), and displays the firewalls in use and available on different OSes. It is considered one of the most popular tools for pentesters and system and network administrators, and because of this it has garnered many security-related awards. Like the other tools, it is open-source and controlled using the command-line interface (CLI). (Simplilearn, 2019)

Another tool is Nikto, a pluggable web server and common gateway interface (CGI) scanner. It is written in Perl. One of Nikto's features is an easily updateable CSV-format database. The output reports are in plain text or HTML, and there is also support for HTTP versions, cookies, and many more. Nikto is both a web server and a web application analysis tool, free and open source. Moreover, it is a straightforward and easy-to-use scanner operated from the command-line interface (CLI). Specifically, it checks or examines a web server for potential security flaws or vulnerabilities such as misconfigured servers and software, pre-installed programs, and insecure and outdated servers and/or programs. Nikto tests a web server quickly, and the scan is plainly visible in the log files or to an Intrusion Prevention/Intrusion Detection System (IPS/IDS). (Shivanandhan, 2021)
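Because a Nikto run is so visible in web server logs, the defender's side of this passage is a log check. The detector below is an added example, not code from the thesis or from the Nikto project; the access-log lines, the IP addresses and the thresholds are constructed for illustration.

```python
"""Detect web-scanner (e.g. Nikto) activity in combined-format access logs.

Added example, not part of the thesis. The log lines and thresholds below
are constructed for illustration.
"""
import re
from collections import defaultdict

# Apache/Nginx "combined" format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Nikto announces itself in its default User-Agent; other scanners may not.
SCANNER_UA_MARKERS = ("nikto",)

# Constructed sample: one normal visitor, a Nikto run, and a scanner that
# hides its User-Agent but still trips over many non-existent paths.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000013)"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000027)"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000102)"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000200)"
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /about.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [10/Oct/2023:13:57:02 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [10/Oct/2023:13:57:03 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [10/Oct/2023:13:57:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def detect_scanners(lines, min_requests=4, max_error_ratio=0.5):
    """Return {ip: [reasons]} for sources that behave like a web vulnerability scanner.

    Two independent signals are checked per source IP:
      * the User-Agent carries a known scanner marker, or
      * at least `min_requests` requests were sent and more than `max_error_ratio`
        of them returned 4xx, the pattern of a tool probing for files that do not exist.
    """
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "ua_hit": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # never let one malformed line stop the sweep
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"].startswith("4"):
            s["errors"] += 1
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            s["ua_hit"] = True

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["ua_hit"]:
            reasons.append("scanner user-agent")
        if s["total"] >= min_requests and s["errors"] / s["total"] > max_error_ratio:
            reasons.append(f"{s['errors']}/{s['total']} requests were 4xx")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```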

Next is Wireshark, which acts as a real-time network analyzer. It focuses on the network protocols going in and out of the network. Similar to Nmap, it is a well-known network sniffing tool, which provides a Graphical User Interface (GUI) to capture packets and network protocols from a network. Each packet contains sensitive data and information that, later on, will be used for the next phase of penetration testing. Wireshark can even decode data payloads depending on their protocols (e.g., HTTP). Each packet captured using Wireshark contains the following details: the time at which the packet was captured, the source and destination IP addresses, the protocol used, the length, and some packet information. However, Wireshark can go further by sniffing usernames and passwords if the protocol used by a webpage or web application is not encrypted (e.g., HTTP). (CompTIA, n.d.)

Another in line for the scanning of vulnerabilities is TCPDump. TCPDump is a program that allows users to "dump" traffic on a network. In addition, TCPDump tracks down network problems, detects attacks, and monitors network activity, for it is able to examine packets of protocols such as Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), Internet Control Message Protocol version 6 (ICMPv6), User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Internet Control Message Protocol version 4 (ICMPv4), Simple Network Management Protocol (SNMP), Border Gateway Protocol (BGP), Routing Information Protocol (RIP), Internet Group Management Protocol (IGMP), Protocol Independent Multicast (PIM), Distance Vector Multicast Routing Protocol (DVMRP), Andrew File System (AFS), Server Message Block (SMB), Open Shortest Path First (OSPF), Network File System (NFS), and many more. (Gerardi, 2020)
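The packet-list columns that the Wireshark and TCPDump passages describe (source, destination, protocol, length, info) come from decoding the frame headers, and the cleartext-credential problem comes from the payload behind them. The decoder below is an added example, not code from the thesis or from either tool; the Ethernet/IPv4/TCP frames, addresses and HTTP request are constructed in code so it runs without a capture file.

```python
"""Decode a captured Ethernet/IPv4/TCP frame into the fields a Wireshark or
tcpdump listing shows (source, destination, protocol, length) and flag HTTP
credentials sent in the clear. Added example, not from the thesis; the frames
are constructed in code, so it runs without a capture file or libpcap."""
import base64
import binascii
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers


def build_ipv4_tcp_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble a minimal Ethernet II + IPv4 + TCP frame (checksums left zero,
    which is fine for a parser demo; real captures have them filled in)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: ports, seq, ack, data offset 5 words (<<4), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4: version/IHL 0x45, TOS, total length, id, flags/frag, TTL, protocol 6 (TCP), checksum, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def find_cleartext_basic_auth(payload):
    """Return the user name from an HTTP 'Authorization: Basic' header in a
    cleartext request, or None. Only the user name is reported: the point is
    to show that a credential crossed the wire unprotected, not to harvest it."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines or b" HTTP/1." not in lines[0]:
        return None  # not an HTTP request line, e.g. a TLS record on port 443
    for header in lines[1:]:
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"authorization" and value.strip().lower().startswith(b"basic "):
            token = value.strip().split(None, 1)[1]
            try:
                creds = base64.b64decode(token, validate=True)
            except binascii.Error:
                return None  # malformed token: nothing usable was exposed
            return creds.split(b":", 1)[0].decode("utf-8", "replace")
    return None


def parse_frame(frame):
    """Summarize one frame the way a capture tool's packet list does."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    summary = {"length": len(frame), "src": None, "dst": None, "protocol": None,
               "info": "", "cleartext_credential": None}
    if ethertype != ETHERTYPE_IPV4:
        summary["protocol"] = f"ethertype 0x{ethertype:04x}"
        return summary
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    summary["src"] = socket.inet_ntoa(ip[12:16])
    summary["dst"] = socket.inet_ntoa(ip[16:20])
    summary["protocol"] = PROTO_NAMES.get(proto, str(proto))
    if proto == 6:
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4           # TCP header length in bytes
        payload = tcp[data_offset:]
        summary["info"] = f"{sport} -> {dport}, {len(payload)} payload bytes"
        summary["cleartext_credential"] = find_cleartext_basic_auth(payload)
    return summary


# Constructed traffic: a cleartext HTTP request carrying Basic auth, and an
# opaque TLS-looking record on 443 that yields nothing to a sniffer.
HTTP_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:Winter2023!") + b"\r\n\r\n")
TLS_RECORD = bytes.fromhex("160301002a0100002603036b1e")  # TLS handshake header plus filler
```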

On the other hand, the Exploit Database or ExploitDB is a record or repository of public security exploits, documented inside that specific database. Its goal is to give a complete and extensive collection of exploits in a free and easy-to-use database, gathered through mailing lists, direct submissions, and other public sources (Cyber Security Intelligence, 2021). Moreover, it helps identify possible weaknesses in a specific network and stay up to date on current attacks taking place in other networks. It has a website, exploit-db.com, which contains documented exploits of applications and services, sometimes with the vulnerable applications themselves, which can be searched and downloaded, then used for exploitation. For penetration testers and vulnerability researchers, the Exploit Database is a repository of publicly accessible exploits and the susceptible software they relate to. Its goal is to compile the most complete collection of exploits, shellcode, and papers available, acquired via direct contributions, mailing groups, and other publicly available sources, and to offer them in a freely accessible and easy-to-navigate database. Included in the Exploit Database repository is searchsploit, a command-line search and query tool for ExploitDB that allows searching for exploits locally. (Offensive Security, n.d.)

Gaining Access Tools

As discussed in the Penetration Testing article in the preceding pages, gaining access uses tools to successfully exploit a particular machine or system. However, some tools still need other tools (from the earlier phases of ethical hacking, like reconnaissance and scanning for vulnerabilities) to gain access. Among the plethora of tools that can be used in gaining access is Metasploit. This is a free and open-source penetration testing framework. There are numerous modules in Metasploit that allow configuring an exploit module. After configuring, it is paired with a payload, aimed at a victim, and finally launched against the target machine. According to Said (2020), one of the most popular penetration testing tools under Kali Linux is Metasploit. It is commonly known for attacking systems to test security exploits. There are five (5) module types: payload, exploit, auxiliary, post-exploitation, and NOP generator. Before Metasploit begins, many information-gathering tests are performed, and Metasploit combines with numerous reconnaissance tools (Nmap and theHarvester) to locate the vulnerabilities or weaknesses in a machine. Once the weakness is identified, an appropriate exploit and/or payload is selected for the exploitation of the machine. After that, the chosen payload is executed at the target, and the ethical hacker is given a shell to connect with the payload once the exploit is successful. It provides the penetration tester administrator privileges for actions such as packet sniffing, keyloggers, screen capture, rebooting the machine, setting up a permanent backdoor, deleting files, and many more. (Petters, 2020)

Ottawa (2022) highlighted two (2) steps in this phase, gaining access, that help a hacker own a system: password cracking and privilege escalation. A password, sometimes called a PIN or passcode, protects personal access to specific applications or systems and is known only to authorized personnel or users. It is frequently linked to an identifier (e.g., username or email address) to validate authenticity and identity. THC-Hydra and John-the-Ripper are two of the most widely used password attack tools in Kali Linux, according to Carson (2020), a Certified Information Systems Security Professional (CISSP).

Brutespray is a penetration testing tool under the gaining access phase of penetration testing that performs port scanning. As its name suggests, once it is run, it automatically launches brute-force attacks on the scanned services. The implementation of this attack starts by scanning the target's website or internal network using Nmap, one of the tools under the reconnaissance phase, to check the open ports and other services. After the scan, the data and information gathered are saved in GNMAP/XML format. The output file is then used by the pentesters to perform brute-force attacks, with dictionary attacks, against the open port services of the target to capture credentials. (Ganesh, 2019)

THC-Hydra is one of the most popular brute-force password cracking tools. Similar to Brutespray, THC-Hydra performs both dictionary and brute-force attacks, and it can be operated from either a Graphical User Interface (GUI) or the command-line interface (CLI). It also supports various operating systems, including all Unix platforms such as Linux, Solaris, etc., as well as macOS and Windows. Furthermore, Hydra is effective against numerous protocols like SSH, Telnet, and many more. Hydra works online and needs a network connection to ensure that a connection to the target is established. (Rajalingham, 2021)
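The brute-force and dictionary attacks defined in Chapter I, and run by Brutespray and Hydra against services such as SSH, leave a distinctive trail of failed logins on the target. The detector below is an added example, not code from the thesis or from either tool; the OpenSSH log lines, addresses and thresholds are constructed for illustration.

```python
"""Flag password-guessing bursts against SSH in an OpenSSH auth log.
Added example, not from the thesis or from Hydra/Brutespray; the log lines
and thresholds are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH syslog lines look like:
# "Oct 10 13:56:11 bastion sshd[2131]: Failed password for invalid user admin from 198.51.100.7 port 41003 ssh2"
AUTH_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+ ssh2$'
)

# Constructed sample: a legitimate user who mistypes once, a burst of guesses
# across several account names that ends in a success, and slow, unrelated failures.
SAMPLE_AUTH_LOG = """\
Oct 10 13:55:01 bastion sshd[2101]: Failed password for alice from 203.0.113.5 port 50211 ssh2
Oct 10 13:55:05 bastion sshd[2101]: Accepted password for alice from 203.0.113.5 port 50211 ssh2
Oct 10 13:56:10 bastion sshd[2130]: Failed password for root from 198.51.100.7 port 41002 ssh2
Oct 10 13:56:11 bastion sshd[2131]: Failed password for invalid user admin from 198.51.100.7 port 41003 ssh2
Oct 10 13:56:12 bastion sshd[2132]: Failed password for invalid user test from 198.51.100.7 port 41004 ssh2
Oct 10 13:56:13 bastion sshd[2133]: Failed password for invalid user oracle from 198.51.100.7 port 41005 ssh2
Oct 10 13:56:14 bastion sshd[2134]: Failed password for invalid user ubuntu from 198.51.100.7 port 41006 ssh2
Oct 10 13:56:15 bastion sshd[2135]: Failed password for root from 198.51.100.7 port 41007 ssh2
Oct 10 13:56:20 bastion sshd[2136]: Accepted password for root from 198.51.100.7 port 41008 ssh2
Oct 10 14:30:00 bastion sshd[2290]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Oct 10 14:45:00 bastion sshd[2291]: Failed password for bob from 192.0.2.9 port 33002 ssh2
"""


def parse_auth_line(line):
    """Parse one sshd password-auth line, or return None for anything else."""
    match = AUTH_RE.match(line)
    if not match:
        return None
    # syslog stamps carry no year; assume the log is from one calendar year
    stamp = datetime.strptime(match["ts"], "%b %d %H:%M:%S")
    return {"ts": stamp, "result": match["result"], "user": match["user"], "ip": match["ip"]}


def detect_bruteforce(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: finding} for sources with >= max_failures failed logins inside `window`.

    Each finding records the peak failure count in any window, how many distinct
    user names were tried (many names suggests a user list is being sprayed,
    one name suggests a dictionary against a single account), and whether an
    Accepted login followed the burst, which is the case needing immediate response.
    """
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_auth_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()            # failure timestamps inside the sliding window
        users, peak, burst, success_after = set(), 0, False, False
        for event in events:
            if event["result"] == "Failed":
                recent.append(event["ts"])
                users.add(event["user"])
                while event["ts"] - recent[0] > window:
                    recent.popleft()
                peak = max(peak, len(recent))
                if len(recent) >= max_failures:
                    burst = True
            elif burst:
                success_after = True
        if burst:
            findings[ip] = {"peak_failures": peak, "distinct_users": len(users),
                            "success_after_burst": success_after}
    return findings
```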

John-the-Ripper is a popular open-source password cracking application initially designed for Unix-based computers but now working on various platforms. The three (3) main password-cracking techniques used by John-the-Ripper are (a) single crack mode, which is the quickest and best option if the entire password file to crack is provided; (b) wordlist mode, which compares the hash to a database of potential password matches; and (c) incremental mode, which is the most potent because it employs brute force to try every possible combination until it produces a result. (Petters, 2020)

One of the web application testing tools used during the gaining access phase is Sqlmap, which looks for and exploits structured query language (SQL) injection vulnerabilities in web applications. On the target host, it detects one or more SQL injections. A variety of options are then available to users, including performing a thorough fingerprint of the backend database management system. In addition, it retrieves the session user and database of the database management system (DBMS). It can also enumerate users, password hashes, privileges, and databases. Sqlmap dumps entire or user-specified DBMS tables and columns. It executes SQL commands or statements and reads particular files on the file system, among other things. Also, Sqlmap is utilized from the command-line interface (CLI) and is open-source and free. MySQL, Oracle, PostgreSQL, MariaDB, Apache, and other database management systems are fully supported. It also supports a variety of SQL injection techniques that are both powerful and diverse for web application testing. (Imperva, n.d.)
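The defect class that Sqlmap finds is easiest to see as a vulnerable lookup next to its fixed form. The snippet below is an added example, not code from the thesis or from Sqlmap; it uses an in-memory SQLite database with constructed rows so it runs offline, and the regression check at the end is the kind of test a team keeps so the bug does not return.

```python
"""The class of bug sqlmap hunts for, shown as a vulnerable lookup beside its
fixed form. Added example, not from the thesis or sqlmap; uses an in-memory
SQLite database with constructed rows so it runs offline."""
import sqlite3


def make_db():
    """Constructed sample database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the request value is pasted into the SQL text, so any quote
    in it changes the statement's structure. This is what sqlmap detects."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Fixed: a bound parameter is always data; the database never parses it as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_is_injection_safe(conn, lookup):
    """Regression check for a test suite: a quote-bearing tautology input must
    match no real account. True for the parameterized lookup, False for the
    string-built one, whose WHERE clause becomes always-true."""
    return lookup(conn, "' OR '1'='1") == []


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", find_user_vulnerable), ("safe", find_user_safe)):
        print(name, "lookup injection-safe:", lookup_is_injection_safe(db, fn))
```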

Burp, often known as Burp Suite, is a web application penetration testing tool with a graphical user interface (GUI). The most common users of Burp are expert web app security researchers and bug bounty hunters. The tool is offered in three editions: a free Community Edition, a Professional Edition, and an Enterprise Edition. There are far fewer features in the Community Edition. Its objective is to offer a complete security solution for online applications: a web application mapping spider used to map target websites and a repeater that enables users to send requests with customized alterations. A decoder is also useful for examining encoded data chunks in headers, parameter values, etc. In addition, a comparer function analyzes two (2) pieces of data to spot visual differences, and an extender aids Burp Suite in integrating supporting third-party components into the tools to expand their functionality. The tool's more intricate capabilities include a sequencer that doubles as an entropy checker to determine whether tokens created by the web server are indeed random. On the other hand, the proxy server and intruder are essential tools one can practice with, and these were used in this study. (Huro, 2020)
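The sequencer's entropy check, and the Session Cookie definition in Chapter I, come down to one question: does the server's token generator actually produce unpredictable values? The estimate below is an added example, not Burp's own algorithm; the weak counter-based generator and the 64-bit acceptance floor are assumptions chosen for illustration.

```python
"""Per-position entropy estimate for session tokens, in the spirit of what the
thesis describes Burp's sequencer doing. Added example, not Burp's own
algorithm; the weak generator and the 64-bit floor are assumptions."""
import math
import secrets
from collections import Counter


def shannon_bits(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def estimate_token_entropy(tokens):
    """Sum the empirical entropy of each character position across the sample.

    Treats positions as independent, so this is an upper bound on the real
    entropy: a generator that passes this test may still be predictable, but
    one that fails it is certainly weak.
    """
    if not tokens or len({len(t) for t in tokens}) != 1:
        raise ValueError("need a non-empty sample of equal-length tokens")
    return sum(shannon_bits([t[i] for t in tokens]) for i in range(len(tokens[0])))


def weak_positions(tokens, min_distinct=2):
    """Indexes of positions that take fewer than `min_distinct` values: constant
    prefixes, padding, or counter digits that never move in the sample."""
    return [i for i in range(len(tokens[0]))
            if len({t[i] for t in tokens}) < min_distinct]


def weak_session_tokens(n):
    """Constructed weak generator: fixed prefix plus a zero-padded counter,
    the kind of scheme a sequencer run exposes."""
    return [f"sess{counter:08x}" for counter in range(1000, 1000 + n)]


def strong_session_tokens(n):
    """Tokens from the OS CSPRNG via the secrets module (16 random bytes, hex-encoded)."""
    return [secrets.token_hex(16) for _ in range(n)]


def assess(tokens, min_bits=64.0):
    """Verdict a reviewer would record: estimated bits, stuck positions, pass/fail.
    The 64-bit floor is an assumption for this example, not a published threshold."""
    bits = estimate_token_entropy(tokens)
    return {"bits": round(bits, 1),
            "stuck_positions": weak_positions(tokens),
            "acceptable": bits >= min_bits}


if __name__ == "__main__":
    print("weak  :", assess(weak_session_tokens(200)))
    print("strong:", assess(strong_session_tokens(200)))
```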

Network infrastructure tests, on the other hand, are defined as follows: "Testing network infrastructure can be accomplished with equipment that operates on one or more layers that define an Ethernet/IP network" (Payerle, 2016). One such tool is Yersinia, a framework for performing layer two attacks. It takes advantage of some weaknesses in different network protocols such as Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP), and many more. (Bisson, M. n.d.)


On the other hand, Cisco Global Exploiter or CGE is an advanced and fast yet straightforward security testing tool that can exploit the most dangerous vulnerabilities, precisely fourteen (14) vulnerabilities in Cisco Systems products. By inputting two simple parameters (the target and the vulnerability to exploit), CGE offers an intuitive and straightforward user interface executable from the command line. To be more specific, the fourteen (14) vulnerabilities in Cisco switches and routers are: (1) Cisco 677/678 Telnet Buffer Overflow Vulnerability, (2) Cisco IOS Router Denial of Service Vulnerability, (3) Cisco IOS HTTP Auth Vulnerability, (4) Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability, (5) Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability, (6) Cisco 675 Web Administration Denial of Service Vulnerability, (7) Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability, (8) Cisco IOS Software HTTP Request Denial of Service Vulnerability, (9) Cisco 514 UDP Flood Denial of Service Vulnerability, (10) CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability, (11) Cisco Catalyst Memory Leak Vulnerability, (12) Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability, (13) 0 Encoding IDS Bypass Vulnerability (UTF), and (14) Cisco IOS HTTP Denial of Service Vulnerability. (James, 2018)

The main goal of the wireless network test is to identify Wi-Fi networks (e.g., fingerprinting, information leakage, and signal leakage) and then determine the weakness(es) of the encryption (e.g., encryption cracking, wireless sniffing). Furthermore, it identifies the chance to evade the wireless control measures of wireless local area networks (WLANs). Moreover, it also includes identifying the users' credentials for accessing their networks. One of the tools in this phase is Aircrack-ng, which concentrates on several aspects of Wi-Fi security, like monitoring, capturing packets, and exporting data to text files for in-depth processing by third-party tools. Furthermore, it can test or check Wi-Fi cards and driver capabilities. (Robb, 2019)

Fern-Wi-Fi-Cracker, created by Saviour Emmanuel Ekiko, is a Graphical User Interface (GUI)-based penetration testing tool under the gaining access phase with the same goal as other wireless network password cracking tools such as Aircrack-ng: to crack WEP/WPA/WPS keys. However, Fern-WiFi-Cracker can also recover those keys. Fern Wi-Fi Cracker is operated through a graphical user interface. Furthermore, some of the features of Fern Wi-Fi Cracker include cracking of WEP and WPA/WPA2 keys, and brute-force attacks against HTTP, HTTPS, TELNET, and FTP. (Tutorialspoint, n.d.)

Another tool is Karmetasploit, which is used to create access points, capture passwords, collect information, and perform web browser attacks on clients (by faking these services), for example through a fake modem or access point set up by a hacker or a pentester. The only requirement is that the user connects to the created fake access point. A plethora of various servers are then launched as a result. From Domain Name Server (DNS), Post Office Protocol 3 (POP3), and Internet Message Access Protocol (IMAP) to various Hypertext Transfer Protocol (HTTP) servers, a broad net is cast to gather several types of information. (Offensive Security, n.d.)

Last is the social engineering test. Allen (2021) defined social engineering attacks as ethical hackers conducting social engineering attacks like phishing. Furthermore, the social engineering test aims to point out the weaknesses of a person, or even of a group of people. As RS Security (2018) said, "The most easily exploitable vulnerability is human nature." The Social-Engineer Toolkit (SEToolkit) is a free and open-source penetration testing tool for social engineering, created by Dave Kennedy, the founder of TrustedSec. It is capable of social engineering attacks such as phishing, cloning websites, sending SMS, and many more. (Borges, 2020)

Penetration Test Laboratory

In the book by Wylie, P., & Crawley, K. (2021) entitled "The Pentester Blueprint," they stated three approaches to consider when building a laboratory. They called the first approach the Minimalist. The minimalist approach is the easiest to set up, for it only consists of one laptop running a hypervisor, making it portable and capable of being run almost everywhere. However, one of the disadvantages of this setup is the need for dongles or an adapter. Tools like Aircrack-ng need a network adapter that supports promiscuous mode; virtual machine network adapters do not have that kind of feature. The following approach is the Dedicated Lab, which uses actual computers instead of virtual machines. They also added that, if possible, Internet access is needed so that remote access will be possible. Lastly is the Advanced Lab; this approach follows the previous laboratory, but network devices are now present. These network devices include network switches, routers, and firewalls.

Virtual and real environments both have merits and drawbacks. The key advantages of a virtual arrangement are cost and scalability: buying a single physical machine, let alone many network arrangements, will strain a person's budget. On the other hand, virtual machines may not always perfectly replicate the functionality of physical computers; therefore, approaches that work on a real machine may not work on a virtual machine and vice versa. Furthermore, enterprises and organizations do not operate in a virtualized environment but rather in a physical one. (Wylie & Crawley, 2021)

Another penetration laboratory book, entitled "Penetration Testers Open-Source Toolkit" and authored by Faircloth (2017), discusses how to build up a penetration testing laboratory and provides realistic situations. The book highlights that there is a general approach to setting up this kind of laboratory. Those steps will help you build a functional and essential penetration testing laboratory. The first step is determining the objectives, which is vital for building a lab. The second step is to design your lab's architecture, or the other way around. The design should accurately represent your objective. The author highlighted that to test wireless attacks, you should include these as elements of the lab: wireless access points, wireless and wired client machines, and an attack machine. After deciding on those essential elements is the time when you would decide what operating system you will be using and the brands and models of the equipment. Also, one crucial reminder to keep in mind is to isolate your lab from any other network, for it can cause problems for other networks. It is also essential to record the reports and findings after the testing.

There are also five types of penetration test labs mentioned in this book: the first is the virtual penetration test lab, the second is the internal penetration test lab, the third is the external penetration test lab, the fourth is the project-specific penetration test lab, and the fifth is the ad hoc lab. The virtual penetration lab is the simplest, having only one virtualization software system hosting multiple operating systems. The internal penetration lab consists of two systems (one system is the target, and the other is the tester's machine) connected to a router that provides services like DNS and DHCP. The objective of this laboratory is to see the vulnerabilities existing in a corporation or the business world. The external penetration lab's objective, on the other hand, is to find out whether there is a way to gain access to the network or system given that defense tools or software are present. Therefore, this setup must include a firewall. The project-specific penetration lab creates a replica of the target system or network. It needs the same equipment used in real life. However, such labs are rarely built because the equipment is expensive. The last one is the ad hoc lab, which is only used to test a server, whether a server's patch or the traffic being sent.


The third step is to build the lab, where physical work comes in. Choosing the right hardware equipment within your budget is vital. Moreover, the last step is to run the lab. This step is not just for installing the software, operating system, and other tools to be used, and for testing. It also involves documenting the process of building the lab and writing up the results (Faircloth, 2017).

Students would benefit greatly from developing a laboratory that integrates hardware and software components, according to Lunetta (1998) and Hofstein & Lunetta (1982). Laboratories serve a variety of student goals or objectives. One of the goals is developing practical skills, wherein students may learn to use the tools or develop skills with the equipment used, correctly and safely. Students can also make observations, take measurements, and carry out well-defined procedures. Thus, students play a vital role in assessing the subjective usability of the laboratory. This assessment examines the four (4) dimensions of usability, which are usefulness, ease of use, ease of learning, and satisfaction (Lund, 2001).

Several questionnaires are used to assess users' attitudes about different consumer items. The USE questionnaire[1] is designed so that users are asked to rate their agreement with assertions, ranging from "strongly disagree" to "strongly agree." Lund (2001) created a brief questionnaire that could assess the usability of software, hardware, services, and other user-support materials while also measuring the aspects of usability that are important to users. Both users and practitioners would have some faith in how the goods appear. It would be feasible to envision the design elements that might affect how things are rated. Although usability aspects would be treated as dependent variables, it was not intended to be a diagnostic tool. The USE questionnaire is a trustworthy and reliable questionnaire tool, according to numerous studies and articles. The validity or dependability of the USE has been reported in only a small amount of published research. One study seeks to address the problem by examining the psychometric features of the USE: 151 Mechanical Turk (MTurk) users rated Amazon.com and Microsoft Word using the USE and the System Usability Scale (SUS, Brooke, 1996). The study concludes that the USE is a valid and trustworthy instrument that still requires improvement. Various studies also concluded that the USE questionnaire proved to be the right choice for their study. The USE questionnaire provides information, through the data gathered, about which aspects of the system or product could be improved. Furthermore, the analysis concluded that the USE Questionnaire was a legitimate and trustworthy tool for evaluating the system or product in question. (Gao et al., 2018)

[1] See Appendix T for the USE questionnaire


RELATED STUDIES

Ethical Hacking

In a study by Hartley (2015) entitled "Ethical Hacking Pedagogy: An Analysis and Overview of Teaching Students to Hack," the

researcher suggested teaching students about ethical hacking. The study's

primary purpose was to prepare students, especially those interested in pursuing

the field of cybersecurity. Teachings about ethical hacking must be hands-on,

which is the same as what Logan and Clarkson (2005) found out. According to

them, teaching ethical hacking should take the form of hands-on experience rather

than a textbook and lecture format. The study also stressed the necessity of soft

skills in ethical hacking. Soft skills pertain to how a person works. The skills

included were primarily social. In Trabelsi and McCoey's (2016) study, they listed

soft skills, specifically social engineering, as one of the skills needed by students.

The others were understanding of security and understanding how hackers work

or think. (Hartley, 2015)


Penetration Testing Using Kali Linux

In the study conducted by V. Santhi et al. entitled, "Penetration Testing

using Linux Tools: Attacks and Defense Strategies," they used Kali Linux to

conduct their penetration testing. The study's objective was to investigate a range

of tools that will suit their needs. They also demonstrated basic penetration testing

and explained how to defend against such attacks. There are four steps in their

methodology: planning, discovery, exploitation, and reporting. They used Ettercap,

Driftnet, Nmap, Wireshark, and Metasploit. However, no information about the

target machine's characteristics or operating system is provided. (Santhi et al.,

2016)

Kali is one of the most popular operating systems for hackers. It offers many tools that come pre-installed. In a recent study, He-Jun Lu and Yang Yu (2021) used Kali Linux and its available tools for penetration testing of a wireless network. They followed four steps: preparation, information collection, simulated attack, and reporting. Other methods were also used, such as scanning, monitoring, packet capture, and many more attacks. Their experiment's findings demonstrated that Kali Linux had a positive impact on enhancing wireless network security. (He-Jun & Yang, 2021)

Another study on using Kali Linux was conducted by Denis et al. (2016).

They mainly used tools already packaged in Kali Linux for penetration testing. The

test is comprised of traffic sniffing, Wi-Fi hacking, Man-in-the-Middle attack


(MITM), surveillance or spying, penetration testing on smartphones, and hacking remote personal computers (PCs) as well as the phone's Bluetooth. (Denis et al.,

2016)

Furthermore, Filipino researchers conducted a related case study on penetration testing entitled "Penetration Test on Home Network Environments: A Cybersecurity Case Study." Although the primary purpose of that research was to determine how vulnerable the default settings of the SOHO routers that public and private telecommunication companies give their customers are, the study used Kali Linux as its operating system for testing those vulnerabilities. De-authentication, dictionary and brute-force attacks, and many more were the kinds of attacks used to discover risks that could damage the network. (Blancaflor et al., 2016)


Penetration Testing Tools

In a study conducted by Palak & Aman (2017) entitled "Analysis of Penetration Testing Tools," penetration testing is defined as the practice of impersonating an attacker to find weaknesses in a system that could be used for malicious ends. The study also provides an outline of penetration testing and specifies the factors considered in selecting the most appropriate tools for the task. Their study divided the tools into three categories according to the role each serves. The first category is port scanning, which finds open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. The second is vulnerability analysis, the process of finding system vulnerabilities before they can be exploited by someone with malicious intent to harm the network. The last category is vulnerability exploitation. Nmap was one of the tools mentioned in the study, alongside Dmitry, Hping3, and Unicornscan. Their evaluation criteria included how many ports each tool scanned, the number of open ports found, the types of ports scanned, the scan time (the time taken by the tool to perform the whole scan), and the Operating System (OS) version detected. (Palak & Aman, 2017)

Chiem Trieu Phong (2014) from Auckland University of Technology in New Zealand conducted a research study entitled "A Study of Penetration Testing Tools and Approaches," whose objective was to study the performance of different penetration testing tools in terms of response time and coverage. The amount of time it takes a tool to complete a certain operation is referred to as "response time," whereas "coverage" refers to the number of open ports or vulnerabilities that the tool detects. The collected data were combined and compared to determine which tool is more effective. Furthermore, an attack tree model was used in the study. The attack tree helped the researchers determine which attacks on the target machines are the most effective, and it was applied to organize offensive events against the victims to provide a more comprehensive perspective of the attack context. Lastly, its ultimate goal was to provide actual value to the security community by providing trustworthy references on penetration testing tool performance. (Phong, 2014)

A similar study was conducted by Mamilla (2021), which tested various penetration testing tools on a Kali Linux system to determine the most efficient one. Different types of penetration testing are mentioned: network penetration tests, application penetration tests, periodic network vulnerability assessments, physical security tests, client-side penetration tests, wireless penetration tests, and social engineering tests. Furthermore, the attack tree model for penetration testing is highlighted in this study, serving as a visual aid for weighing multiple attacks on a system. The penetration testing process is also included: planning, reconnaissance, scanning, gaining access, maintaining access, covering tracks, analysis, and reporting are the phases mentioned. The penetration testing tools were divided by attack category. The network scanning tools used were Nmap, OpenVAS, Dmitry, Unicornscan, Sparta, Netcat, SolarWinds Port Scanner, Angry IP Scanner, and ManageEngine OpUtils. The tools used for password cracking were John-the-Ripper, IMP 2.0, L0phtCrack, Crack 5, and Cain and Abel. The tools for vulnerability assessment were Nessus, SARA, and SATAN. Lastly, the miscellaneous tools were Wireshark, Metasploit Framework, Recon-ng, and Peach. The researcher further discusses each tool alongside the results of each assessment and comparison. (Mamilla, 2021)

Another study about penetration testing, by Bacudio, Xiaohong, Bei & Jones (2011), is entitled "An Overview of Penetration Testing." They highlighted that penetration testing helps determine whether or not security measures are implemented effectively. Most importantly, the paper presents the advantages, strategies, and methodology of penetration testing. They described penetration testing as having three phases. The first is the test preparation phase; the test phase then follows specific steps: information gathering, vulnerability analysis, and vulnerability exploitation. During the test phase they conducted a penetration testing process in which various penetration testing tools were used, described, and analyzed; Nmap and the Metasploit Framework were two of them. In a particular part of their study they listed three strategies for penetration testing, namely black box, white box, and gray box. In black box testing, the testers do not know the target; they need to figure out the system's flaws with no prior knowledge of the target. In white box testing, by contrast, the pentesters know the target and are given all relevant information about it. They defined gray box testing as "partial disclosure of information" about the target. Another distinction they mentioned is between external and internal testing. "External testing" refers to an attack on the test target using techniques from outside the company or organization that controls the test target; it seeks to ascertain whether an outside attacker can gain access and how far they may advance once they do. Internal testing, on the other hand, is carried out from within the company that controls the test target, and is concerned with figuring out what would occur if a legitimate user with standard access privileges managed to breach the target. (Bacudio et al., 2011)

In the research paper of Kesharwani et al. (2018) entitled "A Study on Penetration Testing Using Metasploit Framework," the phases used by the researchers were information gathering, scanning and discovering vulnerabilities, exploitation, and report generation. They employed Nmap, a network mapper, and Metasploit's auxiliary/scanner modules for their scanning phase to determine the services running on the web server, their versions, the ports on which they were running, and the services running on the operating system. One of the tools they used for the exploitation phase was John-the-Ripper, alongside Nessus, Firewalk, and Crack/Libcrack. (Kesharwani et al., 2018)


RESEARCH PARADIGM

[Figure 1 (image not reproduced): four quadrants labeled Action Research, Design Science, Grounded Theory, and Systems Development]

Figure 1. Research Paradigm of the Study

The research paradigm shown in figure 1 was adapted from Dr. Napoleon Meimban, a former Pangasinan State University – Urdaneta City faculty member and a former Dean of PSU – Graduate Studies. Dr. Kenneth Oliver S. Lopez then revised this paradigm to fit the needs of the Bachelor of Science in Computer Engineering's research paradigm. Together with their adviser, the researchers thought of a problem that could be addressed through this research. One problem they identified is that running a penetration testing laboratory in a hypervisor could limit the students, especially when their devices have low CPU processing speed and limited RAM. Therefore, the researchers and the adviser developed a hardware-based penetration testing laboratory. Design Science: the developed penetration testing laboratory will aid Computer Engineering students of Pangasinan State University – Urdaneta City Campus (PSU-UCC) in learning ethical hacking. Action Research: the data collected were the speed and coverage of the penetration testing tools and the reliability of the developed laboratory, computed through the average weighted mean. Grounded Theory: the developed laboratory eliminates some of the problems stated beforehand, such as the low CPU speed and limited RAM. Systems Development: the developed laboratory consists of one (1) Raspberry Pi 4 Model B as the attacker machine; two (2) Raspberry Pi 3 Model B+ as the target server and target desktop; two (2) Cisco 2811 routers, one (1) of which was the target router; two (2) Cisco Catalyst 3750 switches; and a TP-Link TL-WR840N access point. After the penetration testing laboratory was developed, a test of the different tools was staged.

CONCEPTUAL FRAMEWORK

Figure 2 shows the conceptual framework of the study. The study has three phases: input, process, and output. The input phase is composed of all the penetration testing tool software and hardware equipment used in the study. The process phase is the integration. Hence, the researchers developed a penetration testing laboratory to further analyze the effectiveness of the penetration testing tools and for the future use of the Computer Engineering students of PSU-UCC.

[Figure 2 (image not reproduced): INPUT (Penetration Testing Software Tools & Hardware Equipment) -> PROCESS (Integration) -> OUTPUT (Penetration Testing Laboratory)]

Figure 2. Conceptual Framework of the Study

CHAPTER 3

METHODOLOGY

This section presents the procedures and methodologies applied to the

study, including the detail of the tools used for analysis and the method of research

and gathering data.

RESEARCH DESIGN

[Figure 3 (image not reproduced): agile cycle of Requirements -> Design -> Construction -> Testing -> Deployment -> Feedback]

Figure 3. Agile Process Model of the Study

Figure 3 shows the agile process model used throughout the study (Isaac S, 2022). The requirements phase was used to identify which hardware components, and which technical specifications of those devices, were to be incorporated in the penetration testing laboratory. After recognizing these requirements, the second phase was the design, in which the hardware components were arranged according to how the devices would function later. The laboratory was divided into two (2) terminals; some of the devices served as the attacker, and the others operated as the targets. The third phase, construction, was where the researchers
CHAPTER III: METHODOLOGY

configured the hardware components into a working laboratory: establishing connectivity between the different networks through routing protocols and VLAN management, along with basic configurations such as setting IP addresses, hostnames, usernames, and passwords. During testing, nineteen (19) different penetration testing tools were run in the laboratory from the attacker, and the researchers then assessed the effectiveness of these tools. The configuration steps done on the attacker were written up as a laboratory manual. After testing, the laboratory equipment and manual were deployed to the students of the Computer Engineering Department, Major in Systems and Network Administration, of Pangasinan State University – Urdaneta City Campus (PSU-UCC) for evaluation of the reliability and acceptability of the developed laboratory. Lastly, the researchers received feedback about the developed penetration testing laboratory in the form of a survey questionnaire.

DATA COLLECTION

Observation

For this part, the main focus was on the penetration testing tools. The speed and coverage of the tools were observed. Most of the penetration testing tools do not display the time it took to generate a result, so the researchers used a separate timing device to measure the speed of each tool: the time (in seconds or minutes) it takes the tool to finish a task. Coverage, meanwhile, was taken as the tool's ability to carry out its part of the penetration testing phases: information gathering, scanning for vulnerabilities, and gaining access.

Data Gathering

The first data collected in the study was the speed of the penetration testing tools in processing a task, together with whether some variables affected the generation of results. In addition, the researchers collected data on whether these tools could operate in their designated penetration testing phase and whether they could aid or affect other tools' performance. Furthermore, a survey questionnaire using the Likert Scale was used to gather data on the reliability of the penetration testing laboratory. There were thirty (30) respondents, all of whom were students of the Bachelor of Science in Computer Engineering, major in Systems and Network Administration, at Pangasinan State University – Urdaneta City Campus (PSU-UCC).

Tools for Analysis

As discussed in the preceding chapter, there are five (5) stages of ethical hacking (Imperva, 2021). In this study, the researchers applied only the first three (3) phases of penetration testing: information gathering, scanning, and gaining access. Each phase corresponds to specific penetration testing tools used in the study. For reconnaissance, the tools Recon-ng and theHarvester were used. These tools are of limited use against the laboratory itself, since both search for domains and email addresses publicly associated with a target; the researchers included them so that readers would gain specific knowledge of how to use them. For the scanning phase, the tools used were Nmap, Nikto, Wireshark, TCPDump, and ExploitDB.

Furthermore, in the third phase of penetration testing, gaining access, Metasploit was used for automated exploitation. Brutespray, THC-Hydra, and John-the-Ripper were utilized for brute-forcing and password cracking. BurpSuite and Sqlmap were used for Web Application Testing. In addition, Yersinia and Cisco-Global-Exploiter were used for Network Infrastructure Testing, while Aircrack-ng, Fern-WiFi-Cracker, and Karmetasploit were applied for Wireless Network Infrastructure Testing. Lastly, the Social Engineering Toolkit (SEToolkit) was used for Social Engineering Testing.

Testing

In the testing phase, the penetration testing tools were run in the developed penetration testing laboratory. For the reconnaissance phase, the laboratory was connected to the Internet and passive reconnaissance was used; thus, the researchers did not directly engage with the target system, Google (google.com). Next, in the scanning phase, the target could be any device within the target-side portion of the laboratory structure. The goal of this phase was to find vulnerabilities, such as open ports, outdated software, and other weaknesses that might be present. The third phase is gaining access. In this phase, the vulnerabilities found in the previous phase were used to gain access to each possible device.

Statistical Treatment

The third specific statement of the problem was to determine the reliability and acceptability of the penetration testing laboratory to the students. The average weighted mean was utilized to determine the reliability and acceptability of the designed laboratory equipment. The formula was:

X = ΣX / N

Wherein: ΣX = sum of the quantitative variables (the numeric ratings)
N = total sample size

Respondents were given the chance to rate each statement in the questionnaire. The researchers used the Likert Scale, depicted in table 1, to measure respondents' attitudes toward a particular question or statement. A Likert Scale is composed of a series of three (3) or more Likert-type items, represented as similar questions combined into a single variable. Their answers were given corresponding numbers as follows:


Table 1. Likert Scale Response Options

Numerical Value   Descriptive Equivalent
5.00 – 4.50       Strongly Agree
4.49 – 3.50       Agree
3.49 – 2.50       Neutral
2.49 – 1.50       Disagree
1.49 – 0          Strongly Disagree

CHAPTER 4

PRESENTATION AND DISCUSSIONS

NETWORK TOPOLOGY AND CONFIGURATIONS

For the researchers to create a penetration testing laboratory, the design of the laboratory setup, configured in Packet Tracer as a visual representation of the actual laboratory structure[2], is shown in figure 4. The devices are divided into two (2) terminals: one functions as the attacker during the simulation, and the other acts as the target. This topology is flexible for re-arrangement and modification, but for this study it was established and designed for internal testing only, so as not to cause harm or damage outside the network.

Figure 4. Laboratory Setup in Packet Tracer

[2]
See Appendix A for the actual laboratory setup
CHAPTER IV: PRESENTATION AND DISCUSSIONS

As presented in figure 4, the researchers used two (2) Cisco 2811 routers[3], named RedTeam and BlueTeam. Both were equipped with a 1-port Serial WAN interface card (WIC-1T) for serial connection, and they were connected with a DTE-DCE serial cable[4] forming a Wide Area Network (WAN) link, over which routing protocols were configured to establish connectivity between the different networks. Both routers' Serial0/3/0 interfaces are in the 10.0.0.0 network with a subnet mask of 255.0.0.0 (a point-to-point link needs only two host addresses, so a 255.255.255.252 mask, i.e. a /30, would be the usual choice). The fastEthernet0/1 interface of the RedTeam router is in the 192.168.4.0 network with a subnet mask of 255.255.255.0, while the fastEthernet0/1 interface of the BlueTeam router was configured in the 192.168.2.0 network with a subnet mask of 255.255.255.0.

Using straight-through cables[5], the Cisco Catalyst 3750 switch[6] was connected to the routers: the routers were connected to fastEthernet0/13 and fastEthernet0/14 of the switch. Moreover, the attacker device was connected with another straight-through cable to fastEthernet0/16 of the switch. It ran on a Raspberry Pi 4 Model B[7] with 32 GB microSD storage[8], installed with Kali Linux version 2022.2 as its operating system (OS), and it was used to run the different penetration testing tools, namely: Recon-ng, theHarvester, Nmap, Nikto, Wireshark, TCPDump, ExploitDB, Metasploit, Brutespray, THC-Hydra, John-the-Ripper, Burpsuite, SQLmap, Cisco-Global-Exploiter, Yersinia, Aircrack-ng, Fern-WiFi-Cracker, Karmetasploit, and Social Engineering Toolkit.


[3]
See Appendix B for the full technical specifications of the Cisco 2811
[4]
See Appendix C for the full technical specifications of the DTE-DCE serial cable
[5]
See Appendix D for the pin out of straight-through cables
[6]
See Appendix E for the full technical specifications of Cisco Catalyst 3750
[7]
See Appendix F for the full technical specifications of Raspberry Pi 4 Model B
[8]
See Appendix G for the full technical specifications of a 32 GB microSD card

Furthermore, an access point was connected to fastEthernet0/15 of the switch to create a Wireless Local Area Network (WLAN), and a target web server was connected on fastEthernet0/17. A target desktop was connected to the access point over the WLAN. The researchers used a TP-Link TL-WR840N as the access point[9] and two (2) Raspberry Pi 3 Model B+[10] with 16 GB microSD storage[11] as the target desktop and web server. They are configured in the 192.168.2.0 network with a subnet mask of 255.255.255.0.

Table 2. Port and Network Configurations [12]

Device             Port       IP Address              Subnet Mask
RedTeam Router     Fa0/1      192.168.4.1             255.255.255.0
RedTeam Router     S0/3/0     10.0.0.2                255.0.0.0
BlueTeam Router    Fa0/1      192.168.2.1             255.255.255.0
BlueTeam Router    S0/3/0     10.0.0.1                255.0.0.0
Attacker PC        Fa0/16     192.168.4.169           255.255.255.0
Access Point       Fa0/15     192.168.2.100 (DHCP)    255.255.255.0
Web Server         Fa0/17     192.168.2.200           255.255.255.0
Target Desktop     Wireless   192.168.2.201           255.255.255.0
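As an added example (not code from the thesis), the Python below models the address plan of Table 2 with the standard library and answers the questions a tester settles before running anything from the attacker: which devices share a segment with it, which routers every packet to the target side must cross, whether any address is assigned twice, and how small the serial link's subnet could be. The plan is copied from Table 2; the access point's address is the one DHCP handed out, and the hop logic assumes the simple two-router layout the table describes.

```python
# Added example: check of the address plan in Table 2 using only the
# standard library. Not the thesis's own code. The plan is copied from
# Table 2; the access point's address is the one DHCP handed out.
from ipaddress import ip_address, ip_interface, ip_network

PLAN = {
    "RedTeam Router":  {"Fa0/1": "192.168.4.1/24", "S0/3/0": "10.0.0.2/8"},
    "BlueTeam Router": {"Fa0/1": "192.168.2.1/24", "S0/3/0": "10.0.0.1/8"},
    "Attacker PC":     {"Fa0/16": "192.168.4.169/24"},
    "Access Point":    {"Fa0/15": "192.168.2.100/24"},   # via DHCP
    "Web Server":      {"Fa0/17": "192.168.2.200/24"},
    "Target Desktop":  {"Wireless": "192.168.2.201/24"},
}
ROUTERS = {"RedTeam Router", "BlueTeam Router"}


def interfaces():
    """Flatten PLAN into {(device, port): IPv4Interface}."""
    return {(dev, port): ip_interface(addr)
            for dev, ports in PLAN.items() for port, addr in ports.items()}


def segments():
    """Group every interface by the subnet it sits on."""
    by_net = {}
    for (dev, port), itf in interfaces().items():
        by_net.setdefault(itf.network, []).append((dev, port))
    return by_net


def duplicate_addresses():
    """Two interfaces with one address would break the lab; expect none."""
    seen, dups = {}, []
    for key, itf in interfaces().items():
        if itf.ip in seen:
            dups.append((itf.ip, seen[itf.ip], key))
        seen[itf.ip] = key
    return dups


def router_on(net):
    """The router that has an interface on `net`, i.e. that subnet's gateway."""
    for dev, port in segments().get(net, []):
        if dev in ROUTERS:
            return dev
    return None


def path(src, dst):
    """Routers a packet from host `src` to host `dst` must cross, in order.

    [] means both hosts share a subnet; one name means a single router
    forwards between two of its own LANs; two names means the packet also
    crosses the transit (serial) network the two routers share.
    """
    ifs = interfaces()
    s = next(itf for (dev, _), itf in ifs.items() if dev == src)
    d = next(itf for (dev, _), itf in ifs.items() if dev == dst)
    if s.network == d.network:
        return []
    first, last = router_on(s.network), router_on(d.network)
    if first is None or last is None:
        raise ValueError("a segment has no router, so it is unreachable")
    if first == last:
        return [first]

    def nets_of(router):
        return {itf.network for (dev, _), itf in ifs.items() if dev == router}

    if not nets_of(first) & nets_of(last):
        raise ValueError(f"{first} and {last} share no transit network")
    return [first, last]


def tightest_prefix(a, b):
    """Smallest subnet containing both addresses (the mask a p2p link needs)."""
    a, b = ip_address(a), ip_address(b)
    for plen in range(32, -1, -1):
        net = ip_network(f"{a}/{plen}", strict=False)
        if b in net:
            return net
    raise AssertionError("unreachable: /0 contains everything")


if __name__ == "__main__":
    print("duplicates:", duplicate_addresses())
    for target in ("Web Server", "Target Desktop", "Access Point"):
        print(f"Attacker PC -> {target}: {path('Attacker PC', target)}")
    print("serial link could be:", tightest_prefix("10.0.0.1", "10.0.0.2"))
```

Run as-is, it reports that every packet from the attacker to any target crosses both RedTeam and BlueTeam, which is why the routers' own routing and management configuration is in scope for the tests that follow, and that the two serial endpoints fit in 10.0.0.0/30 rather than the /8 actually configured.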

Table 2 gives an overview of the basic configurations made for all devices: IP addresses and subnet masks were assigned to each corresponding interface. On top of that, the routers have their management access configured, namely Secure Shell (SSH) and Telnet[13] (Telnet sends credentials in cleartext, which the attacker side can capture with Wireshark or TCPDump), together with routing protocols[14] to reach the different networks. The target router was explicitly configured as a Dynamic Host Configuration Protocol (DHCP)[15] server so that the access point obtains its address configuration automatically. In addition, the switch also has a
[9]
See Appendix H for the full technical specifications of TP-Link TL-WR840N 50
[10]
See Appendix I for the full technical specifications of Raspberry Pi 3 Model B+
[11]
See Appendix J for the full technical specifications of a 16 GB microSD card
[12]
See Appendix K for the ports, and network configurations
[13]
See Appendix L for the SSH and Telnet configurations
[14]
See Appendix M for the routing protocols configurations
[15]
See Appendix N for the DHCP configurations
CHAPTER IV: PRESENTATION AND DISCUSSIONS

Virtual Local Area Network (VLAN)[16] configured. This was done to break the physical switch into smaller virtual switches, so that hosts connected to separate VLANs act independently; this is why the topology is represented using two (2) switches. Each device's network is logically segmented at the data link layer (OSI Layer 2). Moreover, the access point's Service Set Identifier (SSID) and password[17] were also set up for the WLAN connection of the target desktop.

PENETRATION TESTING TOOLS


In this study, nineteen (19) penetration testing tools were used and tested in the laboratory. They were assigned to the stages of penetration testing, of which only three (3) phases were utilized: the first phase is reconnaissance or information gathering, the second is scanning for vulnerabilities, and the third is gaining access. The tools used for the first phase were Recon-ng and theHarvester; Nmap, Nikto, Wireshark, TCPDump, and ExploitDB were used for the second phase. The third phase was further sub-categorized by how the tools were practiced. For automated exploitation, Metasploit was used. Brutespray, THC-Hydra, and John-the-Ripper were exercised for brute-forcing and password cracking. For Web Application Testing, BurpSuite and SQLMap were used; Cisco-Global-Exploiter and Yersinia are the tools for Network Infrastructure Testing. Additionally, Aircrack-ng, Fern-WiFi-Cracker, and Karmetasploit were tested for Wireless Network Infrastructure Testing.

[16]
See Appendix O for the VLAN management configuration
[17]
See Appendix P for the access point configuration

Lastly, the Social Engineering Toolkit was used for social engineering testing.

Recon-ng

Recon-ng[18] is among the numerous tools available for the first penetration testing phase, reconnaissance or information gathering. It is free and open-source software already installed in Kali Linux, operated from a command-line interface (CLI) with the same look and feel as Metasploit. It provides an interactive console with command completion and contextual help. Overall, Recon-ng has one hundred fourteen (114) available modules, which can be installed from the marketplace inside Recon-ng. They are categorized according to their function: reconnaissance, reporting, importing, exploitation, disabling, and discovery modules. However, twenty-three (23) modules need prerequisites such as application programming interface (API) keys, which the researchers did not configure.

The researchers tested the tool using passive reconnaissance: not engaging directly with the target, but relying only on publicly available information, known as Open Source Intelligence (OSINT). The target was Google (google.com), which required an Internet connection. Anything that counts as publicly available data, specifically IP addresses, domain names, email addresses, names, hostnames, Domain Name System (DNS) records, and so on, is collected without the target system knowing. In this study, the tool was specifically tasked to find contacts and hosts inside the domain, using the modules whois_pocs and hackertarget, respectively.

[18]
See Appendix Q for the laboratory manual
[18]
Pence, N. (2020). Recon-ng: An Open Source Reconnaissance Tool. Security Trails. Retrieved from https://securitytrails.com/blog/recon-ng

Command configuration of the module whois_pocs:


[recon-ng][default] > modules load whois_pocs
[recon-ng][default][whois_pocs] > options set SOURCE google.com
[recon-ng][default][whois_pocs] > run

The commands presented above were the steps to configure and run the module. The first line loads the module whois_pocs. The second line identifies the target using options set SOURCE <target domain>. Lastly, the command run executes it. Figure 5 shows the result of the whois_pocs module: the researchers were presented with seventy-six (76) contact records. Since Recon-ng does not show how many seconds it took to generate a result, the researchers used a separate device to monitor the time taken, which showed that the result was produced within forty-seven (47) seconds. It was noticeable that the speed at which results were generated depended directly on the Internet connection. Recon-ng listed the following information: Uniform Resource Locators (URL), country name, email address, first name, last name, middle name, notes, phone number, and region.

Figure 5. Contacts Information Scanned by Recon-ng


Command configuration of the module hackertarget:

[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] > options set SOURCE google.com
[recon-ng][default][hackertarget] > run

For the hackertarget module, the commands above were the configuration used. Apart from the module name, the procedure does not differ from the previous module: modules load <module name>, where the module name is hackertarget; options set SOURCE google.com, as in the previous section; and run to execute. The result of the hackertarget module, shown in figure 6, was five hundred one (501) hosts in twelve (12) seconds. As with the previous result, it is presented by country name, host, IP address, latitude, longitude, notes, and region. Recon-ng consistently provided enumerated results that were easy to understand.

Figure 6. Hosts Information Scanned by Recon-ng


theHarvester
Another tool for the first phase of penetration testing is theHarvester[19]. theHarvester has almost the same features as Recon-ng and is likewise operated from a command-line interface (CLI). They differ in the number of modules: theHarvester has only thirty-eight (38) modules to choose from, and fourteen (14) of them require API keys. Furthermore, the modules do not require installation since they are already bundled with theHarvester.

The researchers tested this tool using passive reconnaissance, as with Recon-ng. The target was google.com (Google), which also requires an Internet connection. The collected information from that domain was expected to be IP addresses, domain names, hostnames, and any other available public data. The only module used in this tool was hackertarget, which was tasked only with finding hosts of the domain google.com.

Command configuration of the module hackertarget:


$ theHarvester -d google.com -b hackertarget

In the command given above, -d sets the domain the researchers used, google.com, and -b sets the data source, hackertarget. As with Recon-ng, theHarvester does not show the time taken to produce results. After execution, figure 7 shows the result: six hundred ninety-five (695) hosts were found in six (6) seconds. theHarvester generated straightforward results; the collected hosts were listed together with their corresponding IP addresses.

[19]
See Appendix Q for the sample laboratory manual 55
[19]
Kumar, V. (2022). Theharvester in Kali Linux. Retrieved from https://www.cyberpratibha.com/blog/kali-linux-
theharvester-an-email-harvester/
CHAPTER IV: PRESENTATION AND DISCUSSIONS

Figure 7. Hosts Information Scanned by theHarvester

[20] See Appendix Q for the sample laboratory manual.
[20] Simplilearn (2019). What Is Nmap? A Comprehensive Tutorial For Network Mapping. Retrieved from https://www.simplilearn.com/tutorials/cyber-security-tutorial/what-is-nmap

Nmap

Nmap or network mapper[20] was one of the tools used in the vulnerability scanning phase of penetration testing. It is also open source and controlled through the command-line interface (CLI), like some of the other tools in this phase. Nmap provides precise, real-time information on a network and the devices linked to it. It offers various functions such as scanning the IP addresses available in a network, running services, open ports, operating systems (OS) with their versions, and detecting other vulnerabilities in a system. Nmap provides supplemental information depending on the keys and options used for the scanned targets.

Discovering the IP address of the target hosts:

$ nmap -sn 192.168.2.0/24

Discovering the IP address of the target hosts with a range parameter:

$ nmap -sn 192.168.2.100-200

In this study, the target router, the target server, and the target desktop were used as the targets. It was assumed that the researchers did not know the exact IP addresses of the targets but knew their network. The command nmap -sn <network/subnet mask> performed a ping scan to discover the target hosts' IP addresses. The network 192.168.2.0 was used, as it was the network of the target machines.

Figure 8.1 shows the result of the Nmap scan; it completed within twenty-seven (27) seconds and listed the different IP addresses with their corresponding devices. On the other hand, it is noticeable that with the range parameter set in Nmap, in figure 8.2, the result was quicker than scanning the network without a range. Scanning with the range as a parameter took sixteen (16) seconds. This scan discovered that the targets available within the network were hosts with the IP addresses 192.168.2.1, 192.168.2.105, 192.168.2.200, and 192.168.2.201. The target router has the IP address 192.168.2.1. The access point, configured through DHCP, has the IP address 192.168.2.105 and is therefore subject to change. 192.168.2.200 is the target server, and 192.168.2.201 is the target desktop.

Figure 8.1 Discovered IP Addresses within the Network

Figure 8.2 Discovered IP Addresses with Parameters


Scanning for Open Ports in the Target Hosts:

$ nmap -Pn 192.168.2.1 192.168.2.105 192.168.2.200 192.168.2.201

Aside from scanning the IP addresses of the target hosts, Nmap was also used to scan for open ports in the target hosts. The command nmap -Pn <IP address #1> <IP address #2> <IP address #3> <IP address #4> was used. The -Pn option, also called the default scan, treats all IP addresses in the range as active; thus, using a range was discouraged, and it is best to specify all the IP addresses.

Represented in figure 9 is the result generated from scanning for open ports on the targets discovered in figure 8.1. For the target router, which has the IP address 192.168.2.1, port 22 or Secure Shell (SSH) and port 23 or Telnet were open. Moreover, the access point, which has the IP address 192.168.2.105, has four (4) open ports: port 22 or SSH, port 53 for the Domain Name Service (DNS), port 80 or HTTP, and port 1900 for UPnP. Next, the target server at IP address 192.168.2.200 has three (3) open ports: port 22 or SSH, port 80 for HTTP, and port 445 or Server Message Block (SMB). Lastly, the target desktop with the IP address 192.168.2.201 has two (2) open ports, namely port 22 or SSH and port 5900 or VNC. Scanning for these open ports took twenty-six (26) seconds. An attacker can use these open ports as entry points to exploit vulnerabilities in the target systems.


Figure 9. Scanned Open Ports on Nmap


One feature of Nmap, scanning using scripts, was also tested by the researchers. By default, Nmap already comes with a large number of available scripts. The researchers downloaded a script for vulnerability scanning called vulscan. Vulscan includes a .csv file for the vulnerabilities documented by each of several databases: cve.csv, exploitdb.csv, openvas.csv, osvdb.csv, scipvuldb.csv, securityfocus.csv, securitytracker.csv, and xforce.csv. However, the researchers used only exploitdb.csv to scan the target server.

Configuration on scanning using scripts:

$ nmap --script vulscan.nse --script-args vulscandb=exploitdb.csv -sV 192.168.2.200


Nmap has comprehensive coverage in terms of the number of features. In figure 10, the target web server was used as the target for scanning, while the whole target network was scanned when counting the number of hosts. In terms of the number of scanned vulnerabilities, Nmap, through the --script option and specifically vulscan, detected fifteen (15) possible vulnerabilities for the OpenSSH 8.2p1 service and forty-nine (49) vulnerabilities for Apache HTTP 2.4.41. Scanning for vulnerabilities took twenty-eight (28) seconds.

Figure 10. Result of Scanning Target Web Server Using Scripts

Brute-forcing Target Server using Nmap Script ssh-brute.nse:

$ sudo nmap --script ssh-brute --script-args userdb=userlist.txt,passdb=passlist.txt -p 22 192.168.2.200


In addition to the script usage presented previously, the researchers used another Nmap script, ssh-brute.nse, to brute-force a target or targets, represented in figure 11.1. The brute-forcing attack method falls under the gaining access phase, which also makes Nmap a tool for gaining access due to the usage of this script. However, unlike the dedicated brute-forcing tools that were used, this Nmap script took longer to brute-force the target. The script works by pairing each entry on the user list with each entry on the password list: the first username was paired with the first password, and only after every username had been paired was the first username paired with the second entry on the password list. This method would take hours; thus, to hasten it, the userlist.txt used includes only the target's username. Unlike the previous Nmap commands, which reported the time taken alongside their results, this one did not, so the researchers used a stopwatch to monitor the time. With that, brute-forcing the target server took one hundred (100) seconds, and the credentials of the target server were ubuntu:serveradmin, as seen in figure 11.2.


Figures 11.1 and 11.2. Brute-forced Target Server Using Nmap and the Result


Nikto

For the second phase of penetration testing, vulnerability scanning, Nikto[21] was used; this is a free and open-source web server and web application analysis tool. Moreover, it is a straightforward and easy-to-use scanner that was operated on the command-line interface (CLI). Specifically, it checks or examines a web server for potential security vulnerabilities, such as server and software misconfigurations, default files and programs, insecure files and programs, and out-of-date servers and programs, and serves as a pointer to direct a human tester to better manual testing. It also looks for server configuration elements like multiple index files and Hypertext Transfer Protocol (HTTP) server settings and attempts to identify installed web servers and applications. On the other hand, Nikto is not intended to be a stealthy tool. It will quickly test a web server, and the results will be visible in log files or to an Intrusion Prevention/Intrusion Detection System (IPS/IDS).
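As an added illustration of that last point (this Python is not from the study), the following check parses constructed Apache combined-format access log lines and flags the source that announces a scanner user-agent or produces a burst of 404 responses, which is how a Nikto run shows up in a log review or an IDS rule. The user-agent string mirrors Nikto's default format, and the 404 threshold is an assumption.

```python
"""Flag web-scanner activity, such as a Nikto run, in Apache combined-format
access log lines. Added example for this page (not the study's code); the log
lines and the 404 threshold are constructed assumptions."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# User-agent fragments typical of the scanners this chapter uses.
SCANNER_AGENT_RE = re.compile(r"nikto|sqlmap|nmap scripting engine", re.IGNORECASE)

# Constructed sample: normal browsing from 192.168.2.50 and a Nikto-style
# probe burst from 192.168.2.77 against the page's target server (DVWA).
SAMPLE_LOG = """\
192.168.2.50 - - [10/Mar/2023:10:01:01 +0800] "GET /login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.2.50 - - [10/Mar/2023:10:01:05 +0800] "POST /login.php HTTP/1.1" 302 0 "http://192.168.2.200/login.php" "Mozilla/5.0"
192.168.2.77 - - [10/Mar/2023:10:02:00 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
192.168.2.77 - - [10/Mar/2023:10:02:00 +0800] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000123)"
192.168.2.77 - - [10/Mar/2023:10:02:01 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000124)"
192.168.2.77 - - [10/Mar/2023:10:02:01 +0800] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000125)"
192.168.2.77 - - [10/Mar/2023:10:02:01 +0800] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000126)"
192.168.2.77 - - [10/Mar/2023:10:02:02 +0800] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000127)"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyze(log_text, not_found_threshold=5):
    """Return {ip: {"requests", "not_found", "reasons"}} for every source that
    either announces a scanner user-agent or reaches the 404 threshold."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "scanner_agent": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # leave unparseable lines for a separate malformed-log report
        entry = stats[rec["ip"]]
        entry["requests"] += 1
        if rec["status"] == "404":
            entry["not_found"] += 1
        if SCANNER_AGENT_RE.search(rec["agent"]):
            entry["scanner_agent"] = True

    flagged = {}
    for ip, entry in stats.items():
        reasons = []
        if entry["scanner_agent"]:
            reasons.append("scanner user-agent")
        if entry["not_found"] >= not_found_threshold:
            reasons.append(f"{entry['not_found']} responses with status 404")
        if reasons:
            flagged[ip] = {"requests": entry["requests"],
                           "not_found": entry["not_found"], "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```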

Scanning a domain in Nikto:

$ sudo nikto -h http://192.168.2.200/

Referring to the open ports scanned by Nmap in figure 9, the target web server has port 80 open. Using the Damn Vulnerable Web Application (DVWA) hosted by the target server as the target, the researchers scanned it for vulnerabilities. Basic domain scanning and tuning for SQL injection were performed when testing Nikto. The researchers performed basic scanning on the specified host with the command nikto -h <IP address of the target> or <URL of the website>. Since no port was stated, it scanned port 80, the HTTP port, by default; port 443 can also be specified to scan an HTTPS address. The IP address of the target is 192.168.2.200. Figure 12.1 shows the result of the basic domain scanning in Nikto. Scanning the target web server, DVWA, for vulnerabilities took almost two (2) minutes, or one hundred (100) seconds, to accomplish. In the result, the researchers were presented with the server currently running on the target, the session ID cookie, and entries from the Open Source Vulnerability Database (OSVDB). This independent vulnerability database was meant to provide detailed technical information about security vulnerabilities. The downside is that it is no longer maintained; it was shut down in 2016 due to a lack of funding. Although the OSVDB website was available on the Wayback Machine, the OSVDB entries listed in the Nikto scan were not found because some of the pages were missing or not saved.

[21] See Appendix Q for a sample of the laboratory manual.
[21] Shivanandhan, M. (2021). Web Server Scanning With Nikto – A Beginner's Guide. freeCodeCamp. Retrieved from https://www.freecodecamp.org/news/an-introduction-to-web-server-scanning-with-nikto/

Figure 12.1 Scanned Vulnerabilities on DVWA Using Nikto


Tuning configuration on Nikto:

$ sudo nikto -h http://192.168.2.200 -T 9

The researchers used the option -T, which is called the Tuning option in Nikto. There are thirteen (13) tuning options, one of which scans whether the target server is vulnerable to SQL injection; it is identified as the 9th option. The result of the command presented above is shown in figure 12.2 below. The target server hosting the DVWA was used as the host to scan for SQL injection vulnerabilities. It showed many more findings, with details such as the PHPSESSID and security cookies having been created without the HttpOnly flag, which leaves them exposed to cross-site scripting, and some potentially interesting archives were also detected. Furthermore, other vulnerabilities were also detected, like OSVDB-728, OSVDB-2119, OSVDB-2703, OSVDB-2948, OSVDB-4240, OSVDB-10107, OSVDB-35876, and OSVDB-36894, which state that the target server contains multiple SQL injection vulnerabilities that can be exploited. The previous command, scanning the domain, reported the time it took to produce the results; however, this one did not. With that, the researchers used a device to measure the time, and the scan with this option took thirteen (13) seconds.


Figure 12.2 Tuning SQL Injection on DVWA


Wireshark

A well-known network sniffing tool under the second phase of penetration testing is Wireshark[22], which provides a graphical user interface (GUI) to capture packets and network protocols from a network. Each packet contains sensitive data and information that, later on, will be used for the next phase of penetration testing. Wireshark can even decode data payloads depending on their protocols (e.g., HTTP). Each packet captured using Wireshark contained the following details: the time taken to capture the packet, the source IP address, the destination IP address, the protocol used, the length, and some of the packet information. However, Wireshark can go further by sniffing usernames and passwords if the protocol used by a webpage or web application is not encrypted (e.g., HTTP). This attack, password sniffing, can be categorized under gaining access, which makes Wireshark a tool for both the scanning for vulnerabilities and the gaining access phases.

For password sniffing with the Wireshark tool, the researchers used the Damn Vulnerable Web Application as the target website. The web application is vulnerable and uses HTTP as its protocol. The website was accessed by entering http://192.168.2.200 in the browser URL bar, after which the researchers were directed to the login page. Whatever credential or string was entered in the username and password fields, Wireshark captured it. In Wireshark, the filter was set to HTTP to capture only HTTP packets, which are shown in the figures below. As seen in figure 13.1, instead of being redirected to another page, the user was redirected to the login page again, represented by the GET /login.php HTTP/1.1 in the Info column, which might indicate that the login attempt was unsuccessful. Also, in figure 13.2, the user had entered “admin” as both the username and the password. By comparison, in figure 14.1 the user was redirected to index.php, indicating that the login attempt was successful, and the capture also shows that the credentials were username “admin” and password “password”. Speed was not a relevant factor for Wireshark since the goal of the tool was to capture the wanted packets regardless of the time. Nonetheless, to measure the speed of capturing packets, the researchers set a time limit of sixty (60) seconds for each of three (3) trials and determined the number of packets captured within the time frame. The trial result showed that Wireshark captured only two (2) packets within the sixty (60) second time limit.

[22] See Appendix Q for the sample laboratory manual.
[22] CompTIA (n.d.). What Is Wireshark and How Is It Used? Retrieved from https://www.comptia.org/content/articles/what-is-wireshark-and-how-to-use-it

Figure 13.1 and Figure 13.2. Failed Login Attempt


Figure 14.1 and Figure 14.2. Successful Login Attempt


Finally, in the network monitoring of the developed laboratory, several packets and protocols were found. However, the DHCP and CDP packets were selected; these two (2) packet types were used later on for attacks. Figure 15.1 shows the discovered DHCP packets. On the other hand, figure 15.2 displays the CDP packets captured.

Figure 15.1 and Figure 15.2. Discovered DHCP and CDP Packets


TCPDump

Another tool for the vulnerability scanning phase is TCPDump[23], which is almost the same as the Wireshark tool but differs in some features, such as TCPDump being operated in a command-line interface (CLI). As with Wireshark, packets captured using TCPDump contained the following details: the time taken in capturing the packet, the source IP address, the destination IP address, the protocol used, the length, and some of the information of the packet. TCPDump, although simple, can be powerful when combined with different filters. Like Wireshark, it also captured the credentials from the login page of the DVWA website, which makes TCPDump also a tool for the scanning for vulnerabilities and gaining access phases.

Capturing Username and Password:

$ sudo tcpdump -i eth0 -vv

In the command above, the researchers aimed to capture all traffic on the eth0 interface of the attacker. Also, verbosity was set to inspect all packets live. Since the terms "HTTP" or "HTTPS" cannot be used as a filter, the researchers simply captured all packets. When a user accesses the DVWA website, an HTTP GET request appears in the terminal. Also, several protocols were seen, such as Enhanced Interior Gateway Routing Protocol (EIGRP), Cisco Discovery Protocol (CDP), Dynamic Host Configuration Protocol (DHCP), and Spanning Tree Protocol (STP). With the number of protocols discovered, a ton of information was also printed in the terminal every second. This can be frustrating, especially to beginners. But once the user entered credentials, the HTTP POST request appeared. In figure 16, it can be seen that the user entered the username admin and the password password. This also proves that TCPDump managed to capture credentials. And again, as with the previous tool, Wireshark, the researchers conducted three (3) trials to determine the number of packets captured within sixty (60) seconds. The number of packets captured was the following: for the first trial, twenty-three (23) packets; for the second trial, two (2) packets; and for the last trial, three (3) packets.

[23] See Appendix Q for the sample laboratory manual.
[23] Gerardi, R. (2020). An Introduction To Using Tcpdump At The Linux Command Line. Opensource.com. Retrieved from https://opensource.com/article/18/10/introduction-tcpdump
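What the Wireshark and tcpdump captures above expose is the defender's problem to fix, so as an added example (this Python is not the study's code) here is a check that runs over a constructed HTTP exchange in the form those captures would show, a DVWA-style login.php POST and its response. It reports credentials sent in cleartext and session cookies set without HttpOnly or Secure, the latter being the cookie weakness the Nikto tuning scan reported for PHPSESSID. All byte strings are constructed.

```python
"""Inspect a plaintext HTTP exchange, as Wireshark or tcpdump would show it,
and report what a defender should act on: credentials sent in the clear and
session cookies set without HttpOnly/Secure. Added example for this page (not
the study's code); the request and response bytes are constructed."""
from urllib.parse import parse_qs

PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}
USER_FIELDS = {"username", "user", "uname", "login_name", "email"}

# Constructed capture of a DVWA-style login over HTTP (not a real capture).
CAPTURED_REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: 192.168.2.200\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 44\r\n"
    b"Cookie: PHPSESSID=abc123; security=low\r\n"
    b"\r\n"
    b"username=admin&password=password&Login=Login"
)

CAPTURED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    b"Set-Cookie: security=low\r\n"
    b"Location: index.php\r\n"
    b"\r\n"
)


def parse_http_message(raw):
    """Split a raw HTTP message into (start line, [(header, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("iso-8859-1")


def header_values(headers, name):
    return [value for key, value in headers if key == name]


def cleartext_credentials(request_raw):
    """Return {field: value} for the credential fields of a form POST seen on the
    wire unencrypted, or {} when the request carries no password field."""
    start, headers, body = parse_http_message(request_raw)
    method = start.split(" ", 1)[0]
    content_types = header_values(headers, "content-type")
    if method != "POST" or not any("x-www-form-urlencoded" in c for c in content_types):
        return {}
    form = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    if not PASSWORD_FIELDS.intersection(form):
        return {}
    return {k: v for k, v in form.items() if k in PASSWORD_FIELDS | USER_FIELDS}


def cookie_findings(response_raw):
    """List (cookie name, missing attributes) for cookies set without HttpOnly
    or Secure; Secure only matters once the site moves to HTTPS."""
    findings = []
    _, headers, _ = parse_http_message(response_raw)
    for raw_cookie in header_values(headers, "set-cookie"):
        parts = [p.strip() for p in raw_cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("HttpOnly", "Secure") if a.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def report(request_raw, response_raw):
    """Combine both checks into a list of human-readable findings."""
    lines = []
    creds = cleartext_credentials(request_raw)
    if creds:
        lines.append("cleartext credentials in POST: " + ", ".join(sorted(creds)))
    for name, missing in cookie_findings(response_raw):
        lines.append(f"cookie {name} lacks " + "/".join(missing))
    return lines


if __name__ == "__main__":
    for line in report(CAPTURED_REQUEST, CAPTURED_RESPONSE):
        print(line)
```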

Figure 16. Captured Username and Password


ExploitDB
Exploit Database or ExploitDB[24] is another tool for the vulnerability scanning phase. It has a website, exploit-db.com, which contains documented exploits for applications and services, sometimes with the vulnerable applications themselves, which can be searched, downloaded, and then used for exploitation. The Exploit Database is a repository of publicly available exploits and the vulnerable software they relate to, created for penetration testers and vulnerability researchers. Its goal is to compile the most complete collection of exploits, shellcode, and papers available, acquired via direct contributions, mailing lists, and other publicly available sources, and offer them in a freely accessible and easy-to-navigate database.

Included in the Exploit Database repository is searchsploit, a command-line search and query tool for ExploitDB that allows searching for exploits locally. Referring to figure 9, where Nmap discovered the open ports of each target, the researchers used searchsploit to search for exploits for the other three (3) ports in the laboratory, namely port 23 (Telnet), port 445 (Samba), and port 5900 (VNC). Since ExploitDB's function, as discussed, was to search for available exploits for certain services, determining its speed in any aspect was irrelevant.

Searching exploits from port 445 (Samba):

$ searchsploit samba linux

[24] See Appendix Q for the sample laboratory manual.
[24] Offensive Security (n.d.). Exploit Database (EDB). Retrieved from https://www.cybersecurityintelligence.com/exploit-database-edb-515.html

Shown in figure 17.1 is the result generated for the command searchsploit samba linux. It lists the possible exploits specifically for Samba, with the exploit title on the left side and its path on the right side. To further narrow the result, another round of searching was conducted. This time, the term metasploit was added so that the result would only show the exploits that were available in the Metasploit tool, which was used later on. Figure 17.2 shows that of the twenty-nine (29) results in figure 17.1, nine (9) exploits were available in Metasploit. With that being said, the same procedure was also done for the other ports to be assessed: port 22 or SSH, port 23 or Telnet, port 80 or HTTP, and port 5900 or VNC.

Figure 17.1 Result of the searchsploit Samba Linux Command

Figure 17.2 Result of the searchsploit Samba Linux Metasploit Command


Metasploit

In the third phase of penetration testing, gaining access, several tools were used, one of which is Metasploit[25]. It is a free and open-source penetration testing framework. There are numerous modules in Metasploit that allow the user to configure an exploit module, pair it with a payload, target a victim, and launch it against the target machine. Before exploitation begins, information gathering is carried out, and Metasploit integrates with numerous reconnaissance tools such as Nmap and ExploitDB to locate the susceptible point in the system. Once the weakness has been identified, an exploit and payload are selected for the exploitation. The payload is then executed on the target, and once the exploit is successful the user is given a shell to interact with the payload. It provides the penetration tester with administrator-level capabilities such as packet sniffing, keyloggers, screen capture, rebooting the machine, setting up a permanent backdoor, deleting files, and many more.

In this study, the researchers introduced the fundamental commands for getting to know and exploring Metasploit, like searching for auxiliaries, exploits, and payloads. Furthermore, to measure the time taken for Metasploit to produce results, the researchers used a stopwatch, since the time was not present in its display. One auxiliary that the researchers tried was the port scan module. It performs the same operation as Nmap did, but the researchers only scanned the target server instead of a group of targets. Like Nmap in figure 9, Metasploit's port scan module also detected the three ports 22, 80, and 445 to be open. This process took only twelve (12) seconds. Furthermore, one (1) exploitation module and custom payloads were run against the target server. For the exploitation, the target was the Server Message Block (SMB) service vulnerability CVE-2017-7449, also known as SambaCry, which was discovered from the Nmap scan performed on the target server, as seen in figure 9. This SMB exploit allows a malicious attacker with legitimate write access to a file share to upload and run an arbitrary file with Samba's permissions. Additionally, this exploit works on versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. For the payloads, the researchers created a simple Python payload and a payload for Linux operating systems. Finally, measuring the speed of these processes was unnecessary since it depended on when the targets would establish a connection and open the payloads.

[25] See Appendix Q for the sample laboratory manual.
[25] Petters, J. (2020). What is Metasploit? The Beginner's Guide. Varonis. Retrieved from https://www.varonis.com/blog/what-is-metasploit

Exploitation module configuration:

msf6 > search samba
msf6 > use 14
msf6 exploit(linux/samba/is_known_pipename) > set payload cmd/unix/interact
msf6 exploit(linux/samba/is_known_pipename) > set rhosts 192.168.2.200
msf6 exploit(linux/samba/is_known_pipename) > exploit

The command search <exploit module name> was used to search for specific exploit modules. With the previous tool, ExploitDB, the SMB service was subjected to a vulnerability search, and figure 17.2 showed that there were nine (9) exploits available in Metasploit. With that, samba was used as the search term. Samba is an application that implements the SMB protocol. It allows various operating systems, including Microsoft Windows, to use the SMB protocol for client-server networking, and it enables communication between Linux/Unix and Windows machines in a network. The search returns the list of exploit modules related to samba. Either use <exploit number> or use <name of the exploit module> loads one of these modules. Within the index, exploit number fourteen (14) indicated that the exploit module used was linux/samba/is_known_pipename. It is noticeable that the prompt changed and the exploit module can be seen in it. The exploit module has only one (1) existing payload, cmd/unix/interact. Moving forward, the next line, set rhosts <target's IP address>, was used to set the IP address of the target against which the payload would be used, in this case the target server with the IP address 192.168.2.200. The exploit command begins the exploitation of the target server. However, the exploitation failed, as seen in figure 18 below.

Figure 18. Failed Exploitation on Metasploit


Brutespray

Brutespray[26] is a penetration testing tool under the gaining access phase of penetration testing that performs brute force attacks depending on the target's services. Although it supports services other than SSH, the researchers focused only on brute-forcing the target machines' SSH service. The implementation of this attack started by scanning the target's website or internal network using Nmap, one of the tools under the vulnerability scanning phase, to check the open ports and other services. From figure 9 of the Nmap tool, one of the open ports discovered on the targets was port 22 or SSH. With this, tools for brute forcing, such as Brutespray, can be used. After the scan, the scanned data and information were saved in GNMAP/XML format as the output file. This output file is used in performing brute force attacks against the open-port services of the target with default credentials or dictionary attacks to gain access.

In this study, the attacker used brute force attacks to get the credentials of the target machines. Specifically, the username was given to hasten the brute-forcing for the target server and desktop. However, for the target router, the username was not indicated. The attacker used wordlists for the dictionary attacks to learn the credentials of the targets.
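Brutespray's -f input and the Nmap open-port results in figure 9 share one file format, so as an added example (not the study's code) here is a Python parser for Nmap grepable (-oG) output that rebuilds the per-host list of open ports and checks it against an expected-service allowlist, the inventory check a defender would run on the same scan. The GNMAP text is constructed to match the ports in figure 9; the version strings beyond the two the page names, and the allowlist itself, are assumptions.

```python
"""Parse Nmap grepable (-oG / .gnmap) output, the file format Brutespray reads
with -f, into per-host open ports, and compare it with an expected-service
allowlist. Added example for this page (not the study's code); the GNMAP text is
constructed to mirror figure 9, and the allowlist is an assumption."""

# Constructed sample in Nmap grepable format. Version strings are placeholders
# except the two the page names for the target server.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG lab.gnmap 192.168.2.1 192.168.2.105 192.168.2.200 192.168.2.201
Host: 192.168.2.1 ()\tStatus: Up
Host: 192.168.2.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (998)
Host: 192.168.2.105 ()\tStatus: Up
Host: 192.168.2.105 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 1900/open/tcp//upnp///\tIgnored State: closed (996)
Host: 192.168.2.200 ()\tStatus: Up
Host: 192.168.2.200 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 445/open/tcp//netbios-ssn//Samba smbd/\tIgnored State: closed (997)
Host: 192.168.2.201 ()\tStatus: Up
Host: 192.168.2.201 ()\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///\tIgnored State: closed (998)
# Nmap done; 4 IP addresses (4 hosts up) scanned in 26.00 seconds
"""

# Assumed policy: which ports each lab host is supposed to expose.
EXPECTED_PORTS = {
    "192.168.2.1": {22},
    "192.168.2.105": {22, 53, 80},
    "192.168.2.200": {22, 80, 445},
    "192.168.2.201": {22},
}


def parse_gnmap(text):
    """Return {ip: {"up": bool, "ports": [{"port", "proto", "service", "version"}]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines (# Nmap ...) carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        entry = hosts.setdefault(ip, {"up": False, "ports": []})
        if fields.get("Status") == "Up":
            entry["up"] = True
        for item in fields.get("Ports", "").split(", "):
            if not item:
                continue
            # each item is port/state/protocol/owner/service/rpc info/version/
            port, state, proto, _owner, service, _rpc, version, _ = item.split("/")
            if state == "open":
                entry["ports"].append({"port": int(port), "proto": proto,
                                       "service": service, "version": version})
    return hosts


def hosts_with_service(hosts, service):
    """IPs exposing the named service; for 'ssh' this is what Brutespray would target."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p["service"] == service for p in h["ports"]))


def unexpected_ports(hosts, expected=EXPECTED_PORTS):
    """Open ports the policy does not list for that host, as (ip, port, service)."""
    findings = []
    for ip, h in sorted(hosts.items()):
        for p in h["ports"]:
            if p["port"] not in expected.get(ip, set()):
                findings.append((ip, p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    lab = parse_gnmap(SAMPLE_GNMAP)
    print("SSH exposed on:", hosts_with_service(lab, "ssh"))
    for ip, port, service in unexpected_ports(lab):
        print(f"{ip}: port {port} ({service}) is not in the expected-service list")
```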

Brute-forced attack on target server:

$ brutespray -f /home/kali/Pentesting-Laboratory/nmap/target-server -u 'ubuntu' -P /home/kali/Pentesting-Laboratory/passlist.txt -s ssh -t 4

[26] See Appendix Q for the sample laboratory manual.
[26] Ganesh, B. (2019). Brutespray – Port Scanning and Automated Brute Force Tool. Retrieved from https://gbhackers.com/brutespray-port-scanning-brute-force/

The text above is the command used for brute force. The -f option takes a file as its parameter, in the form -f <file name location>. The file contains the scanned services that were open on the target, specifically the target server; thus, the file supplied is located in the directory /home/kali/Pentesting-Laboratory/nmap/. On the other hand, the option -u specifies the exact username for the target, which is ubuntu. However, unlike the username, the attacker did not know the password of the target server, and so provided a wordlist, located in the directory /home/kali/Pentesting-Laboratory/ with the file name passlist.txt, to launch a dictionary attack. The -s <service> option indicates the type of service to attack, which was SSH. The -t option is the number of threads for the brute-forcing to use. The researchers used four (4), which is the suggested number of threads for the SSH service. Figure 19.1 shows the actual brute force process on the target server: out of 200 possible passwords, the 195th password matched the username ubuntu with the password serveradmin. The username and password were also the same as those found by the Nmap script ssh-brute.nse, as seen in figure 11.2. The output was written to the folder ./brutespray-output/. The same procedure was done on the target desktop, with the slight difference of using pi as the username.


Figure 19.1. Result of the Brute-Forced Process on Target Server


Configuration of brute-forced attack on Cisco Router:

$ brutespray -f /home/kali/Pentesting-Laboratory/nmap/target-router -U /home/kali/Pentesting-Laboratory/userlist.txt -P /home/kali/Pentesting-Laboratory/passlist.txt -s ssh -t 3

The commands used in brute-forcing the target server and target desktop are similar to the configuration used for the Cisco Router. The difference is that the username was stated for the target server and desktop, whereas for the Cisco Router neither the username nor the password was known. Nonetheless, the scanned information for the target router was likewise located in the directory /home/kali/Pentesting-Laboratory/nmap/. Using the same method, a dictionary attack was issued for the username as well, with wordlists provided in the directory /home/kali/Pentesting-Laboratory: userlist.txt for the username and passlist.txt for the password. Depicted in figure 19.2 is the brute force process on the Cisco Router. One hundred sixty-one (161) usernames were tried, and the 2nd username, BlueTeam, matched the username credential for the Cisco Router. On the other hand, out of 200 possible passwords, the 199th password matched the username BlueTeam, with the password cisco-admin. The output was also written to the folder ./brutespray-output/.

Figure 19.2. Brute-Forced Process on Cisco Router


Brutespray's display did not show the time it took to generate the result, so the researchers used a device to estimate and monitor the time taken for this tool to show results. Brute-forcing the target router took eleven (11) minutes and fifty-one (51) seconds; the credential captured was BlueTeam:cisco-admin. The credential captured for the target server was ubuntu:serveradmin, and brute-forcing it took two (2) minutes and forty-two (42) seconds. Lastly, for the target desktop, brute-forcing the credential pi:raspberry took three (3) minutes and eight (8) seconds. As stated earlier, SSH was used as the target service. The number of threads used for the target router was only three (3), while the number of threads used for the target server and desktop was four (4).


THC-Hydra

THC-Hydra[27] is one of the most popular brute force password cracking tools. Like Brutespray, THC-Hydra performs both dictionary and brute-force attacks, and it can be operated through a graphical user interface (GUI) or the command-line interface (CLI). It runs on all UNIX platforms such as Linux, Solaris, etc., as well as macOS and Windows. Furthermore, Hydra is effective against numerous protocols like SSH, Telnet, and many more. However, for this study, only the SSH service was subjected to brute forcing. Hydra works online, so it needs to ensure that the target host is up.

Exploitation module configuration:

$ hydra -l 'ubuntu' -P /home/kali/Pentesting-Laboratory/passwordlist.txt -t 16 -V ssh://192.168.2.200

Using the command-line interface (CLI), the researchers used brute-force attacks to get the credentials of the target machines: the target server, desktop, and router. The information about the IP addresses and the targeted service, SSH, was taken from the Nmap scan, which can be seen in figure 9. The passwords were not disclosed, although the usernames were given. The researchers then utilized wordlists to perform a dictionary attack on the target hosts' passwords. The option -l <login name> was used to indicate the target server's username: ubuntu. On the contrary, the password for the host was not given; therefore, a password list was generated and then designated as the parameter for the -P option. The provided password list was stored and can be accessed in the directory /home/kali/Pentesting-Laboratory/, wherein the file was named passlist.txt. In addition to that, the option -t was used to specify the number of threads. The attacker used sixteen (16) threads, which is a faster way of authenticating the username and password. Moreover, -V, which stands for verbose, was used to show each username and password attempt as it was tried against the actual credentials of the target. Lastly, ssh followed by an IP address, ssh://192.168.2.200, was used to connect to the target host. This also indicates what protocol was used, in this case SSH.

[27] See Appendix Q for the sample laboratory manual.
[27] Rajalingham, K. (2021). How to install and use THC Hydra? Retrieved from https://linuxhint.com/how-to-install-and-use-thc-hydra/

Shown in figure 20 below is the process of using a dictionary attack to obtain the password credentials of the target server. It shows the many candidate passwords that were tried against the machine. The text in green indicates that the host's IP address 192.168.2.200, the login name ubuntu, and the password serveradmin were matched credentials. Again, this captured credential was the same as the result of the ssh-brute.nse script, which can be seen in figure 11.2 under the tool Nmap. Like Brutespray, THC-Hydra does not display the time it took to generate the result, so the researchers used a stopwatch to monitor the time taken when brute-forcing the target router and the target desktop as well. As seen from the result below, the credential captured for the target server was ubuntu:serveradmin, and brute-forcing it took two (2) minutes and twenty-nine (29) seconds. For the target router, the credential captured was BlueTeam:cisco-admin, and it took three (3) minutes and forty-three (43) seconds to be brute-forced. Lastly, for the target desktop, brute-forcing the credential pi:raspberry took three (3) minutes and four (4) seconds. The credentials were the same as those captured by the tool Brutespray. The number of threads used was sixteen (16) for all the targets.

Figure 20. Dictionary Attack on the Target Server
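Both Brutespray and THC-Hydra above leave the same trace on the target host: a burst of failed SSH logins from one source address, followed by a success once the wordlist reaches the right entry. The following Python script is an added example, not part of the thesis, showing the detection logic a defender would run over sshd's auth.log to catch exactly that pattern. The log lines, the year used for parsing (syslog timestamps carry none), and the thresholds of ten failures within sixty seconds are constructed assumptions, not values from the study.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd auth.log format (syslog timestamp without a year); "invalid user" appears
# when the username does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_line(line, year=2021):
    """Return a dict for one sshd login line, or None for anything else.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, window_s=60, threshold=10):
    """Sliding-window detector.  Emits a "burst" alert once a source reaches
    `threshold` failures inside `window_s` seconds, and a "success_after_burst"
    alert when a flagged source later logs in, which is the outcome of the
    dictionary attacks described above."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "burst", len(q)))
        elif src in flagged:
            alerts.append((src, "success_after_burst", ev["user"]))
    return alerts


def build_sample_log():
    """Constructed sample lines (not captured from the study's lab): twelve
    failures from one source in twelve seconds, one unrelated typo from a
    second host, then a success from the first source."""
    lines = [
        f"Mar  1 10:00:{s:02d} target sshd[{2000 + s}]: Failed password for ubuntu "
        f"from 192.168.2.10 port {51200 + s} ssh2"
        for s in range(1, 13)
    ]
    lines.insert(3, "Mar  1 10:00:03 target sshd[1999]: Failed password for pi "
                    "from 192.168.2.55 port 40001 ssh2")
    lines.append("Mar  1 10:00:13 target sshd[2020]: Accepted password for ubuntu "
                 "from 192.168.2.10 port 51300 ssh2")
    lines.append("Mar  1 10:00:14 target sshd[2021]: Failed password for invalid user admin "
                 "from 192.168.2.10 port 51301 ssh2")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(build_sample_log()):
        print(alert)
```

Counting per source address rather than per session is what makes the burst visible when the tool runs several threads at once, as both tools did here; the burst followed by an accepted login is the alert worth paging on, because it means the guessed credential is valid. Rate limiting failed logins, requiring key-based authentication, and disabling password login for SSH are the standard mitigations.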


John-the-Ripper

John-the-Ripper [28] is a popular open-source password-cracking application, initially designed for Unix-based computers but now available on various platforms. It identifies the hash format of the given data and compares the hashes against a large plain-text or built-in wordlist, and it can run in both brute-force and dictionary-attack modes. The three (3) primary cracking modes of John-the-Ripper are single crack mode, which is the fastest and best if you have an entire password file to crack; wordlist mode, which compares the hash to a known list of potential password matches; and incremental mode, which is the most powerful and uses brute force to try every possible combination until it finds a match. In the penetration testing laboratory, the attacker used John-the-Ripper to crack the hashed passwords of the usernames on the target server, which are located in its shadow.txt file. This required some preparatory steps: connecting over SSH to the brute-forced target server, copying the shadow file remotely to the attacker's directory, and making kali (the attacker) the owner of the shadow.txt file. Below are the commands used to crack the users' passwords inside the shadow.txt file.

Decrypting password configuration:


$ john shadow.txt
$ cat .john/john.pot

[28] See Appendix Q for the sample laboratory manual.
[28] Petters, J. (2020). How to Use John the Ripper: Tips and Tutorials. Varonis. Retrieved from https://www.varonis.com/blog/john-the-ripper

Using the command john <hashed passwords file name>, figure 21 shows the cracked hashed passwords of the usernames present on the target server, obtained with the built-in wordlist of John-the-Ripper; the hash algorithm detected was SHA512crypt. Since no mode was indicated, the single crack mode was applied by default. In the format username:password, the target server yielded five (5) existing usernames with their cracked passwords, namely guest:guest, ubuntu:serveradmin, cj45:thunder24, elay:cuteako123, and jaeanne:grabewowanggandamo. As with the previous tools that do not display the time taken to produce results, the same method was used with John-the-Ripper to measure the time it took to show the results: cracking the shadow file took twenty-two (22) seconds.


Figure 21. Decrypted Hash Passwords of the Username


Furthermore, John-the-Ripper saves the results in the john.pot file. This .pot file stores the cracked hashes and their passwords; if the same hashes are submitted for cracking again, the message 'No password hashes left to crack' is displayed, which implies that the hashes have already been cracked and stored in john.pot. To show the details of the SHA512crypt hashes and the cracked passwords, the command cat /home/kali/.john/john.pot was issued.
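From the defender's side, the john run above answers two questions: which hash algorithms the server's shadow file uses, and which accounts had passwords that fell to a wordlist. The following Python script is an added example, not part of the thesis or of John-the-Ripper: it parses shadow entries, classifies the crypt identifier between the first two $ signs (the $6$ prefix is the SHA512crypt format the study reports), and joins a john.pot file, whose lines have the form hash:password, back to the account names. The shadow lines, hash bodies, and pot entries are constructed placeholders, not values from the target server.

```python
import re
from dataclasses import dataclass

# crypt(3) identifiers found between the first two '$' of a modern shadow field
ALGORITHMS = {
    "1": ("md5crypt", "weak"),
    "2b": ("bcrypt", "ok"),
    "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "7": ("scrypt", "ok"),
    "y": ("yescrypt", "ok"),
}
DEFAULT_ROUNDS = 5000  # glibc default for $5$/$6$ when no rounds= parameter is present
CRYPT_RE = re.compile(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?")


@dataclass(frozen=True)
class Finding:
    user: str
    algorithm: str
    severity: str
    note: str


def classify_hash(field):
    """Map one shadow password field to (algorithm, severity, note)."""
    if field == "":
        return ("none", "critical", "empty password field: login without a password")
    if field[0] in "!*":
        return ("locked", "info", "account locked or password login disabled")
    m = CRYPT_RE.match(field)
    if m is None:
        return ("descrypt", "weak", "traditional DES crypt: 8-character password limit")
    algorithm, severity = ALGORITHMS.get(m.group(1), ("unknown", "review"))
    if algorithm in ("sha256crypt", "sha512crypt"):
        rounds = int(m.group(2)) if m.group(2) else DEFAULT_ROUNDS
        note = f"{rounds} rounds" + ("" if m.group(2) else " (glibc default)")
        if rounds < DEFAULT_ROUNDS:
            severity = "weak"
        return (algorithm, severity, note)
    return (algorithm, severity, "")


def audit_shadow(lines):
    """Return one Finding per shadow entry; comments and blank lines are skipped."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        findings.append(Finding(user, *classify_hash(field)))
    return findings


def cracked_accounts(shadow_lines, pot_lines):
    """Join john.pot entries (hash:password) back to usernames via the shadow hash."""
    by_hash = {}
    for line in shadow_lines:
        if line.strip() and not line.startswith("#"):
            user, field = line.split(":", 2)[:2]
            by_hash[field] = user
    cracked = {}
    for line in pot_lines:
        digest, password = line.rstrip("\n").split(":", 1)
        if digest in by_hash:
            cracked[by_hash[digest]] = password
    return cracked


# Constructed sample data; the hash bodies are placeholders, not real digests.
SHADOW_SAMPLE = [
    "root:$6$rounds=100000$rootsalt$FAKEHASHroot:18900:0:99999:7:::",
    "ubuntu:$6$ubsalt$FAKEHASHubuntu:18900:0:99999:7:::",
    "guest:$1$oldsalt$FAKEHASHmd5:18900:0:99999:7:::",
    "svc:!*:18900:0:99999:7:::",
    "kiosk::18900:0:99999:7:::",
    "legacy:abCD1234efGH5:18900:0:99999:7:::",
]
POT_SAMPLE = [
    "$6$ubsalt$FAKEHASHubuntu:serveradmin",
    "$1$oldsalt$FAKEHASHmd5:guest",
]

if __name__ == "__main__":
    for finding in audit_shadow(SHADOW_SAMPLE):
        print(finding)
    print(cracked_accounts(SHADOW_SAMPLE, POT_SAMPLE))
```

The twenty-two seconds reported above are short because every recovered password was in the wordlist; the hash algorithm only sets the cost per guess, so the audit flags empty and DES-era fields as the urgent findings and treats the cracked list as the set of accounts whose passwords must be changed.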


BurpSuite

Burp, often known as BurpSuite[29], is a web application penetration testing tool that operates through a graphical user interface (GUI). It is the most widely used tool among professional web application security researchers and bug bounty hunters. The tool is available in three editions: a free Community Edition, a Professional Edition, and an Enterprise Edition; the Community Edition comes with far fewer features. Its goal is to provide a comprehensive security solution for web applications. Its components include a spider, used to map target web applications; a repeater, which lets a user resend a request with manual modifications; a decoder, which comes in handy when looking for chunks of data in parameter values or headers; a comparer, which compares two (2) items of data to identify visual differences; an extender, which lets BurpSuite integrate external components to enhance its capabilities; and a sequencer, an entropy checker that tests the randomness of tokens generated by the web server, which is among the tool's more complex features. The proxy server and the intruder, on the other hand, are the essential tools one can practice with, and these were used in this study.

As found with the tool Nikto, the target server was vulnerable to SQL injection attacks, as reflected in figure 12.1. Thus, SQL injection was performed against the target server using BurpSuite. In this study, the researchers used an SQL injection attack to obtain full disclosure of the data available on the database server. The attacker used an external web browser in which the proxy server was not configured, so the researchers had to set it up manually. The Burp proxy server was used to intercept and manipulate the traffic to and from the target server, the Damn Vulnerable Web Application (DVWA), with the IP address 192.168.2.200. The request containing the input was captured by the proxy server and then sent to the intruder, where the parameter was marked with payload markers (§) for the sniper attack, which injects one payload at a time. One hundred forty-seven (147) payloads were tested, each a syntax string to be loaded into the input field to start the SQL injection. BurpSuite was further tested against the different security levels of DVWA, namely low, medium, high, and impossible, using the same method of injecting payloads. For each trial, the time taken to generate the result was not shown in the display, so it was measured the same way as for the previous tools.

[29] See Appendix Q for the sample laboratory manual.
[29] Huro, S. (2020). How to Use Burp Suite Professional for Web Application Security [Part One]. Delta Risk. Retrieved from https://deltarisk.com/blog/how-to-use-burp-suite-professional-for-web-application-security-part-one/

Shown in figure 22.1 are the responses of the target website at the low security level to the one hundred forty-seven (147) injected payloads. Only thirteen (13) of them worked for SQL injection on DVWA. They were sorted from the highest to the lowest response length. The top result had a response length of 5074 bytes, a request number of 144, and the payload 1' UNION SELECT user, password FROM users#. It was also observed that the smaller the response length was, the less likely the SQL injection had succeeded; in those cases, no data was disclosed. The other successful SQL injection payloads were the following (separated here by semicolons): ' UNION select user, password FROM users# ; x' or 1=1 or 'x'='y ; ' or user like '% ; ' or 1=1 or ''=' ; hi' or 'a'='a ; "' or 1 --'" ; ' or ''=' ; '%20or%20''=' ; ' or 0=0 # ; 1' OR 1=1 # ; '%20or%20'x'='x ; and %' or '0'='0 . Despite differing in payload string and length, they all produced the same result. Although the Chromium browser was installed, the researchers could not view the results in the render section; therefore, the researchers entered the payloads one by one into the user ID input field and displayed the results on the target website itself. Performing SQL injection at the low security level took three hundred eighty (380) seconds, or six (6) minutes and twenty (20) seconds.

Figure 22.1. Response to Low-security Level of DVWA

To view the results, the researchers entered the top three (3) payloads, 1' UNION SELECT user, password FROM users#; ' UNION select user, password FROM users#; and x' or 1=1 or 'x'='y, into the input field of the target website to see the response of the target. Figures 23.1.1 and 23.1.2 show the results of the payloads. The image on the left shows the result of the payload strings 1' UNION SELECT user, password FROM users# and ' UNION select user, password FROM users#: these payloads successfully retrieved the usernames and hashed passwords stored in the database of the DVWA website. The image on the right, on the other hand, shows only the first name and surname of the users.

Figures 23.1.1 and 23.1.2 Response of the Payload on the Website


For the second round of testing, the security level was set to medium, and the results are presented in figures 24.1 and 24.2. Unlike at the low security level, the researchers found that only two (2) of the one hundred forty-seven (147) payloads worked. The payload string with the highest response length, 5230, was 1 = 1 union select user, password from users; the other payload string was 0 or 1=1, with a length of 4802. The response to the payload string 1 = 1 union select user, password from users also differed from that of the other payload string. The time it took to finish the SQL injection at this level was three hundred fifty (350) seconds, or approximately six (6) minutes. Referring to figure 24.1, the image on the left represents the response to the payload string 1 = 1 union select user, password from users, and the image on the right is the response to the payload string 0 or 1=1. The image on the left shows that the usernames and hashed passwords stored in the database were successfully retrieved, whereas the image on the right, figure 24.2, only retrieved the first name and surname of the users shown in the left image. Again, although the Chromium web browser was installed, the researchers still could not use the render option to view the result. Using the Pretty view, the generated result was shown as HTML code containing the first name and surname of the users.


Figures 24.1 and 24.2. Displaying the Response of the Payloads Through HTML

Furthermore, the researchers also tested the payloads against the remaining security levels of DVWA, high and impossible. None of the payloads worked at either level because of the stricter security measures and the different web interfaces compared with the previous levels. BurpSuite therefore has its limitations and restrictions; the researchers could not modify the payloads freely enough to mount a successful SQL injection attack at these security levels.


Sqlmap

Used from the command-line interface (CLI), Sqlmap[30] is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws; it also has fingerprinting and enumeration features and can take over database servers. MySQL, Oracle, PostgreSQL, MariaDB, Apache, and other database management systems are fully supported. It also supports a variety of SQL injection techniques that are both powerful and diverse for web application testing.

One of the commands run earlier with the tool Nikto scanned the target server for susceptibility to SQL injection, and figure 12.1 showed that it was. With that, the researchers applied an SQL injection attack to the target website, the Damn Vulnerable Web Application. The goal of this attack was to disclose all of the users' credentials. It was tested in a series of trials across the different DVWA security levels: low, medium, high, and impossible. For each security level, the web interface and URL changed; the session cookie, PHP Default Session Storage (PHPSESSID), however, stayed the same. The low security level on DVWA signifies that it has no security at all and is therefore prone to vulnerabilities. At this level the researchers interacted with the website through an input field: typing a user ID from 1 to 5 displayed the ID, first name, and username. The medium security level, in turn, shows how bad security practices can be; unlike the previous level, the researchers interacted with this website through a drop-down box in which the user ID can be selected, and it displayed the same credentials for each particular user ID. The high security level is like an extension of the medium level, with a mixture of good and bad security practices. Unlike the previous ones, the web interface of the high security level is different: instead of typing into an input field or choosing from a drop-down box, the researchers were asked to change the user ID and were then presented with another window containing the input field. Again, the researchers chose any number from 1 to 5, and the same result was displayed in the previous window.

[30] See Appendix Q for the sample laboratory manual.
[30] Imperva (n.d.). SQL (Structured query language) Injection. Retrieved from https://www.imperva.com/learn/application-security/sql-injection-sqli/

General configuration on Sqlmap:

$ sudo sqlmap -u "<URL>" --cookie="security=<level>; PHPSESSID=<value>" --dbs
$ sudo sqlmap -u "<URL>" --cookie="security=<level>; PHPSESSID=<value>" --tables -D <database name>
$ sudo sqlmap -u "<URL>" --cookie="security=<level>; PHPSESSID=<value>" --columns -D <database name> -T <table name>
$ sudo sqlmap -u "<URL>" --cookie="security=<level>; PHPSESSID=<value>" --dump -D <database name> -T <table name>

The main inputs of an SQL injection attack in Sqlmap are the parameters of the target website, the URL and the cookie, which are enclosed in double quotation marks (" "). There were, however, a few differences in setting up the parameters for each security level, which are discussed in the following paragraphs. The option -u specifies the URL of the target website. The cookie information was given with the option --cookie; the only value that stayed consistent throughout was the PHPSESSID, while the value of security depended on the level the researchers were testing. With that, --dbs was used to enumerate the database names inside the DBMS running behind that website, which was identified to be dvwa. Using that information, the researchers checked whether there were tables in that database with the options --tables -D dvwa, since the database name was already identified. Two tables were presented in the result: guestbook and users. The researchers then ran another command to show which columns were available in that table, which returned eight (8) columns. Since the columns were discovered, the fourth command was run to dump the entries of the database table.

As mentioned above, there are some differences in setting up the parameters for each security level: low, medium, high, and impossible. At each security level, the web interface changed. At the low security level, presented in figure 25.1, notice that there was a data parameter for the ID, which was 1, and a backslash was added to provoke a fatal error in the database itself, as shown in figure 25.2. The security level was set to low, and the PHPSESSID was also indicated. After completing all the commands and dumping the data, the researchers used the same method as with the previous tools to measure the time taken to disclose all of the data, which was sixty-eight (68) seconds.

Figure 25.1. Target Parameters on Low-Security Level

Figure 25.2. Adding Backslash to the Target Parameters on Sqlmap



On the other hand, figure 26 shows the command entered for the medium security level. Compared with figure 25, the pasted URL had no data parameters; specifically, the URL for the medium level just ends in "sqli/", whereas at the low level the URL contains the ID parameter. Therefore, the researchers used the option --data="ID" to set the parameters for the HTTP POST request to the server. The PHPSESSID remained the same, while the security value became medium. At the medium security level, Sqlmap dumped all credentials in seventy-three (73) seconds.

Figure 26. Target Parameters on Medium-security Level

Moreover, building on the previous commands, the security level was set to high (figure 27). Notice that the PHPSESSID was still the same and the data parameters were set. However, the URL specified with the option -u was the second URL, that is, the URL to which the main page redirects. In addition, another option was added to indicate where the SQL injection attack should be executed, which was the original page of DVWA, hence the pasted URL. It took sixty-two (62) seconds to dump all the data at the high security level.

Figure 27. Target Parameters on High-security Level


Then, as shown in figure 28, at the impossible security level the researchers were presented with exactly the same type of web interface as at the low security level. The only difference from the low security level is that the URL of the high security level contains a Cross-Site Request Forgery (CSRF) token. These CSRF tokens serve as a protection for websites, thus heightening the security. At first, the researchers did not set anything for the data parameters, which resulted in no data dump. However, after entering data into the input field together with a backslash character, the data were dumped, which effectively reduced the impossible security level to a low one. The time it took to disclose the information was sixty-five (65) seconds.

Figure 28. Target Parameters on Impossible-security Level

Figure 29 shows the result of the SQL injection attack on the Damn Vulnerable Web Application. Despite raising the security level for each trial from low to impossible, the researchers always obtained the same result, presented below in tabular form, indicating that the attacks were successful. There were seven (7) columns in total. The first column holds the user IDs 1, 2, 3, 4, and 5, while the second column holds the corresponding username for each of user IDs 1 to 5: admin, gordonb, 1337, pablo, and smithy, respectively. The third column holds the avatars of each user ID, which are in .jpg (JPEG) format. Next to the avatar column are the hashed passwords, with their corresponding plaintext values in parentheses. The dump also includes each user's last name and first name. Lastly, the seventh column is the date and time of the disclosure.

Figure 29. Result of the SQL Injection Attack Using Sqlmap
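Both the BurpSuite and the Sqlmap sections above exercise the same flaw in DVWA's SQLi page: the user ID is pasted into the query text, so a payload such as 1' UNION SELECT user, password FROM users# turns a name lookup into a dump of the users table, while the medium level, which escapes quotes but leaves the number unquoted, still falls to 0 or 1=1. The following Python script is an added example, not DVWA's code nor either tool's: it reproduces the low-level and medium-level query-building styles against an in-memory SQLite table and puts the parameterized fix beside them. The table, its rows, and the placeholder hashes are constructed. Because SQLite comments with -- rather than MySQL's #, the union payload is written with -- here, and the # form from the page is kept to show a payload that simply fails with a syntax error, as most of the 147 payloads did.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for DVWA's users table; the hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT, "
        "first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", "hash-of-admin-pw", "admin", "admin"),
        (2, "gordonb", "hash-of-gordonb-pw", "Gordon", "Brown"),
        (3, "1337", "hash-of-1337-pw", "Hack", "Me"),
    ])
    return conn


def run(conn, query):
    """Execute one query; None stands for a syntax error, i.e. a payload that did not work."""
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError:
        return None


def lookup_low(conn, user_id):
    # Low level: raw input inside a quoted literal, as in DVWA's low-security source.
    return run(conn, f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'")


def lookup_medium(conn, user_id):
    # Medium level: quotes are escaped (SQLite style here), but the value itself is
    # not quoted, so a payload without quotes (e.g. "0 or 1=1") still alters the WHERE clause.
    escaped = user_id.replace("'", "''")
    return run(conn, f"SELECT first_name, last_name FROM users WHERE user_id = {escaped}")


def lookup_safe(conn, user_id):
    # Fix: a bound parameter is data, never parsed as SQL, whatever it contains.
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


UNION_PAYLOAD = "1' UNION SELECT user, password FROM users -- "    # page's payload, SQLite comment
UNION_PAYLOAD_MYSQL = "1' UNION SELECT user, password FROM users#"  # as on the page; MySQL comment
TAUTOLOGY_PAYLOAD = "x' or 1=1 or 'x'='y"                           # low level: names only
MEDIUM_PAYLOAD = "0 or 1=1"                                         # medium level: names only


def demo():
    """Run each query style against each payload and return the rows it yields."""
    conn = setup_db()
    return {
        "low_union": lookup_low(conn, UNION_PAYLOAD),
        "low_union_mysql_syntax": lookup_low(conn, UNION_PAYLOAD_MYSQL),
        "low_tautology": lookup_low(conn, TAUTOLOGY_PAYLOAD),
        "medium_tautology": lookup_medium(conn, MEDIUM_PAYLOAD),
        "medium_quoted_payload": lookup_medium(conn, TAUTOLOGY_PAYLOAD),
        "safe_union": lookup_safe(conn, UNION_PAYLOAD),
        "safe_normal": lookup_safe(conn, "1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

The result mirrors the page's observations: the union payload returns the username and hash pairs on top of the normal row, the tautologies return every user's first and last name but nothing else, the escaped-but-unquoted medium query stops quoted payloads yet not numeric ones, and the parameterized query returns only the row whose ID was actually asked for. The response-length ordering the intruder used is the same signal seen here as row count.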


Cisco-Global-Exploiter

Cisco-global-exploiter[31] is one of the tools under the gaining access phase; it is able to exploit the most dangerous vulnerabilities of Cisco systems, specifically fourteen (14) vulnerabilities in Cisco switches and routers, namely: Cisco 677/678 Telnet Buffer Overflow Vulnerability; Cisco IOS Router Denial of Service Vulnerability; Cisco IOS HTTP Auth Vulnerability; Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability; Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability; Cisco 675 Web Administration Denial of Service Vulnerability; Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability; Cisco IOS Software HTTP Request Denial of Service Vulnerability; Cisco 514 UDP Flood Denial of Service Vulnerability; CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability; Cisco Catalyst Memory Leak Vulnerability; Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability; 0 Encoding IDS Bypass Vulnerability (UTF); and Cisco IOS HTTP Denial of Service Vulnerability.

Each vulnerability has its corresponding way of attacking the different Cisco systems, such as denial of service, disabling the HTTP server, bypassing authentication and executing any command on the router at the most privileged level, and many more. CGE is executed from the command line with two simple parameters, the target and the vulnerability to exploit. The basic syntax for cisco-global-exploiter is cge.pl <target> <vulnerability number>. The researchers first tried the first vulnerability, the Cisco 677/678 Telnet Buffer Overflow Vulnerability, which affects the operating system of Cisco routers; it can cause a denial of service by freezing the system. Figure 30 shows the result of the attack: the output reads "No telnet server detected on 192.168.2.1 ...", so the attack was not successful.

[31] See Appendix Q for the sample laboratory manual.
[31] James, P. (2018). Cisco Auditing Tool & Cisco Global Exploiter to Exploit 14 Vulnerabilities in Cisco Switches and Routers. Retrieved from https://gbhackers.com/cisco-global-exploiter-cge/

Figure 30. Cisco 677/678 Telnet Buffer Overflow Vulnerability

The researchers simulated another attack. Figure 31 shows vulnerability number two (2), the Cisco IOS Router Denial of Service Vulnerability, which again can cause a denial of service on both Cisco routers and switches. If the IOS HTTP service is enabled, this vulnerability can cause the Cisco router or switch to stop, slow down, or reload. The result showed that no HTTP server was detected on 192.168.2.1.

Figure 31. Cisco IOS Router Denial of Service Vulnerability

The researchers ran pilot tests in which they tried all fourteen (14) vulnerabilities under Cisco-Global-Exploiter in turn. However, none of the fourteen (14) vulnerabilities successfully affected the services of the Cisco router and switch. The researchers determined that this was due to the equipment they used: specific models and versions of Cisco routers and switches must be in place for these fourteen (14) attacks to succeed. With that being said, the researchers cannot comment on the performance and effectiveness of Cisco-Global-Exploiter in terms of its speed.


Yersinia

Yersinia[32] is a penetration testing tool that performs attacks on layer two (2) of the Open Systems Interconnection (OSI) model. It specifically targets protocols such as the Dynamic Host Configuration Protocol (DHCP), Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Hot Standby Router Protocol (HSRP), VLAN Trunking Protocol (VTP), and many more, and it is used to perform denial-of-service attacks. It is a free and open-source penetration testing tool with two (2) modes: a GTK graphical interface and an ncurses-based interactive console mode. The researchers simulated two (2) types of attack against the target DHCP server, the BlueTeam router: DHCP starvation and flooding of the CDP tables. Both protocols had been identified in the monitoring done with the tool Wireshark, as seen in figures 15.1 and 15.2.

The idea behind DHCP is that it automates the assignment of IP addresses to devices (e.g., computers, laptops, cellphones, etc.) and configures additional information such as the default gateway or the Domain Name System (DNS) server. For that, a DHCP server has a range of IP addresses to give away, depending on the size of the network. In a DHCP starvation attack, however, the attacker sends a flood of fake requests for IP addresses until every address in the range has been taken. Since all available IP addresses have been allocated, legitimate requesters can no longer obtain an address and cannot connect to the network.

[32] See Appendix Q for the sample laboratory manual.
[32] Bisson, M. (n.d.). How To Install And Use Yersinia On Kali Linux? Retrieved from https://blog.eldernode.com/install-and-use-yersinia-on-kali-linux/

The second type of attack was flooding the CDP tables. CDP is a proprietary layer 2 Cisco network protocol, enabled by default, that is used to collect information about neighboring devices. It is used to map networks and reveals the types of devices present within the network and how they are connected. CDP messages are transmitted every sixty (60) seconds, and neighboring CDP-compliant devices cache the information for one hundred eighty (180) seconds. When the attacker floods the CDP tables, however, the device records non-existent MAC addresses in its table, which in turn slows down the CPU of the device.

Figure 32 shows the verification of the successful DHCP starvation attack from the attacker against the DHCP server on the target router. Overall, two hundred seventy-one thousand fifty-one (271,051) DHCP discover requests were sent to the target within sixty (60) seconds. Using a device to monitor the time, which was also used for the rest of the evaluation of this tool, the target router started to malfunction at the eighty-two (82) second mark, when its LED indicators stopped flashing. The source and destination IP addresses were consistent throughout, 0.0.0.0 and 255.255.255.255 respectively. As depicted in figure 32, running ifconfig eth0 showed no IP address because of the denial of service against the DHCP server.


Figure 32. Verification of the Successful DHCP Starvation Attack

Figure 33, shown below, verifies the successful flooding of the CDP table on the switch. Different device IDs were detected as neighbors of the router, all of them connected to the eth0 port. The hold time, that is, the interval for which CDP-compliant devices cache the information, was estimated to be two hundred fifty (250) seconds or so, whereas the actual interval is only one hundred eighty (180) seconds. Furthermore, several capability codes are listed for each detected neighboring device, where R stands for router, S for switch, H for host, and T for trans bridge (transparent bridge). In addition, the port ID was identified as eth0 for all of the fake devices. Just as with the target router, the target switch's LED indicators stopped flashing, indicating that the denial-of-service attack was a success. The time it took was forty-eight (48) seconds.


Figure 33. Verification of Successful CDP Flooding on Switch
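Seen from the switch or the DHCP server, the starvation attack above is a flood of DHCPDISCOVER frames whose client hardware addresses never repeat, while the source and destination addresses (0.0.0.0 and 255.255.255.255) look exactly like a normal discover. The following Python script is an added example, not part of the thesis or of Yersinia, showing the rate-and-churn check a monitoring script would apply to such a capture. The packet records (capture time in milliseconds and client MAC) and the thresholds are constructed; the sample interleaves three ordinary requests with a one-second burst of 200 spoofed discovers, far below the 271,051 per minute reported above, which would trip the same check immediately.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Discover:
    t_ms: int    # capture time in milliseconds since start of capture
    mac: str     # client hardware address (chaddr) from the DHCP header


def detect_starvation(packets, window_ms=1000, max_rate=20, max_macs=10):
    """Slide a one-second window over DHCPDISCOVER records.  A window holding
    more than `max_rate` discovers from more than `max_macs` distinct MACs is
    reported once per second as (second, discovers, distinct_macs).  Normal
    clients retry a few times with the same MAC; a starvation tool sends
    thousands of discovers, each from a fresh, spoofed MAC."""
    window = deque()
    alerts = []
    reported = set()
    for p in sorted(packets, key=lambda q: q.t_ms):
        window.append(p)
        while p.t_ms - window[0].t_ms > window_ms:
            window.popleft()
        distinct = {q.mac for q in window}
        second = p.t_ms // 1000
        if len(window) > max_rate and len(distinct) > max_macs and second not in reported:
            reported.add(second)
            alerts.append((second, len(window), len(distinct)))
    return alerts


def build_sample_capture(with_attack=True):
    """Constructed capture: three legitimate discovers, plus (optionally) 200
    spoofed ones 5 ms apart starting at t = 3 s, each with a new MAC."""
    packets = [
        Discover(500, "b8:27:eb:ef:b7:bb"),
        Discover(2000, "3c:52:82:11:22:33"),
        Discover(4500, "b8:27:eb:ef:b7:bb"),   # the same client retrying
    ]
    if with_attack:
        packets += [
            Discover(3000 + i * 5, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
            for i in range(200)
        ]
    return packets


if __name__ == "__main__":
    print(detect_starvation(build_sample_capture()))
```

Two alerts come out of the sample: one for the second in which the burst begins, and one for the following second, where the legitimate retry lands inside a window still full of spoofed frames. On the switch side, DHCP snooping with a per-port rate limit and port security that caps the number of MAC addresses per access port stop this flood, and the same MAC cap limits the CDP table flooding verified in figure 33.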


Aircrack-ng

Aircrack-ng[33] is another penetration testing tool under the gaining access phase; it evaluates Wi-Fi network security. Its functions include monitoring a Wi-Fi network by capturing packets and exporting the data to a text file, de-authenticating connected clients from access points, checking the capabilities of Wi-Fi cards, and cracking WEP and WPA PSK. Aircrack-ng operates through the command-line interface (CLI) and uses various commands to execute the attack. As already mentioned, Aircrack-ng is a suite of tools for evaluating Wi-Fi network security; in this study the researchers used airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng from the suite, which together make up the steps for cracking the WPA key of the access point.

Switch the wireless network adapter to monitor mode:


$ sudo airmon-ng start wlan0

The wireless network adapter of the Raspberry Pi, which the researchers used as the attacker, offers a monitor mode option. Monitor mode is a mode of the wireless network adapter that enables the researchers to inspect the traffic in the surrounding area. Airmon-ng is used to manage wireless extension modes, and the wireless card was switched from managed to monitor mode in order to sniff wireless traffic. Once in monitor mode, the next step is to scan for the target access point and station using the airodump-ng tool.

Scanning access points:

$ sudo airodump-ng wlan0mon

[33] See Appendix Q for the sample laboratory manual.
[33] Robb, D. (2019). Aircrack-ng: Pen Testing Product Overview and Analysis. Retrieved from https://www.esecurityplanet.com/products/aircrack-ng/

Figure 34.1 shows the access points scanned within the vicinity; a STATION column can be seen. In this study, the target access point was TP-Link-Pentester, and the STATION was B8:27:EB:EF:B7:BB. After the researchers had gathered information about the target access point, packet capturing was used. One of the researchers' goals was to capture the WPA handshake, a set of four (4) EAPOL messages. To capture the four (4) EAPOL messages, the researchers first used the tool aireplay-ng to de-authenticate the client connected to the access point. Once the WPA handshake had been captured, it was used for password cracking.

Figure 34.1 Scanned Access Points

109
CHAPTER IV: PRESENTATION AND DISCUSSION

Wireless Network Password Cracking:


# sudo aircrack-ng –w /home/kali/Pentesting-Laboratory/wifipass.txt -b
B0:A7:B9:F0:08:4A Wireless-Test.cap.

Figure 34.2 shows the cracked WPA from the target TP-Link-Pentester.

Depending on the complexity of the password use, cracking WPA may take hours,

days, or even months. However, in this study, the access point’s password was

set to its default password: 34859803. However, if the password is changed

wherein it already has a mixture of alphanumeric characters, the cracking process

may take more time. Finally, to determine the speed of this tool, the researchers

only focused on the cracking phase. Using a device to measure the time taken to

crack the password, thus cracking the password “34859803” took twenty-one (21)

seconds.

Figure 34.2. Cracked WPA from the TP-Link Pentester
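The following is an added example, not code from the thesis, showing why the default 8-digit key fell in seconds while the alphanumeric key the text warns about would not: it derives the WPA Pairwise Master Key exactly as a cracker must for every wordlist candidate (PBKDF2-HMAC-SHA1, 4096 iterations) and uses the measured per-guess cost to size the two keyspaces. The SSID is the one named above; the guess rate is measured on whatever machine runs the script, not the thesis's Raspberry Pi.

```python
"""
Added example (not from the thesis): cost of a WPA/WPA2-PSK key guess versus
keyspace size, which is what makes an 8-digit default key weak and an 8-character
alphanumeric key strong against the same wordlist/brute-force tooling.
"""
import hashlib
import string
import time

WPA_ITERATIONS = 4096          # fixed by IEEE 802.11i for passphrase-to-PMK mapping
PMK_LEN = 32                   # PMK is 256 bits
SSID = "TP-Link-Pentester"     # target SSID from the thesis; any string works here


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32), per IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, PMK_LEN)


def keyspace(alphabet: str, length: int) -> int:
    """Number of passphrases of exactly `length` characters drawn from `alphabet`."""
    return len(alphabet) ** length


def measure_guess_rate(ssid: str, samples: int = 50) -> float:
    """Single-core PMK derivations per second, timed on constructed 8-digit candidates."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"{i:08d}", ssid)
    return samples / (time.perf_counter() - start)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random key: half the keyspace at the given rate."""
    return (space / 2) / guesses_per_second


def policy_comparison(rate: float, length: int = 8) -> dict:
    """Expected cracking time for digit-only versus alphanumeric keys of `length`."""
    digits = keyspace(string.digits, length)
    alnum = keyspace(string.ascii_letters + string.digits, length)
    return {
        "digits_only": expected_seconds(digits, rate),
        "alphanumeric": expected_seconds(alnum, rate),
        "ratio": alnum / digits,   # how many times larger the alphanumeric keyspace is
    }


if __name__ == "__main__":
    rate = measure_guess_rate(SSID)
    cmp = policy_comparison(rate)
    print(f"{rate:,.0f} PMK derivations per second on this machine")
    print(f"8 digits:       {cmp['digits_only'] / 86400:,.1f} days on average")
    print(f"8 alphanumeric: {cmp['alphanumeric'] / 86400:,.1f} days on average")
    print(f"alphanumeric keyspace is {cmp['ratio']:,.0f}x the digit-only keyspace")
```

The 21 seconds reported above is a wordlist hit (the key appeared early in wifipass.txt), not an exhaustive search; the figures printed here are averages over the whole keyspace and so are the bound a defender should reason from.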


Fern-WiFi-Cracker

Fern-WiFi-Cracker[34] is a GUI-based penetration testing tool under the gaining access phase with the same goal as other wireless network password cracking tools such as Aircrack-ng: to crack WEP/WPA/WPS keys. Fern-WiFi-Cracker can also recover those keys. It is just like Aircrack-ng but with a graphical user interface (GUI).

The researchers used Fern-WiFi-Cracker to simulate wireless network cracking. Specifically, it was used to crack the key of the vulnerable access point with the Service Set Identifier (SSID) TP-Link-Pentesters. The wireless interface of the Raspberry Pi 4 Model B, which supports monitor mode, enabled the researchers to change from managed mode to monitor mode; therefore, the interface wlan0 was selected. With that, Fern-WiFi-Cracker could scan the active access points within range. Once the target access point was detected, the researchers chose the regular attack, which is used for the Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) protocols. Then, provided with a wordlist for a dictionary attack, Fern-WiFi-Cracker de-authenticated the client until the WPA handshake was captured, after which the password was located under the Key Database option.

Indicated in figure 35 is the Key Database option of Fern-WiFi-Cracker, arranged in tabular form. The first column presents the SSID of the target access point, TP-Link-Pentesters. The second column shows its MAC address. The encryption type and the password key, WPA and 34859803, are given respectively. In addition, the assigned channel is also stated. Finally, unlike Aircrack-ng, where only the cracking phase was timed, Fern-WiFi-Cracker's speed was measured from the moment the "Attack" button was pressed. Like the previous tool, the researchers used a device to measure the time to generate a result. It took six (6) minutes and fifty-six (56) seconds to fully crack the wireless network, and the time it took to crack the WPA handshake was five (5) minutes and twenty-six (26) seconds.

Figure 35. Key Database

[34] See Appendix Q for the sample laboratory manual.
[34] Tutorialspoint (n.d.). Kali Linux - Wireless Attacks. Retrieved from https://www.tutorialspoint.com/kali_linux/kali_linux_wireless_attacks.htm#


Karmetasploit

Karmetasploit[35] is a tool under the gaining access phase that is used to create fake access points or modems. When users connect to these spoofed access points, Karmetasploit can listen to the network traffic and later capture passwords. The captured information from the target victim can then be used to execute a web browser attack. Karmetasploit embeds some commands from other penetration testing tools, such as airmon-ng.

Creating Fake Access Point Configuration:

$ sudo airbase-ng -P -C 30 -e "TP-Link-Pentester" -v wlan0mon

From the Aircrack-ng section, figure 34.1 shows that one of the discovered access points was TP-Link-Pentester. With this, the researchers targeted it for creating a fake access point. Due to the hardware limitations of the attacker's machine, an error was prompted immediately. The error was specifically on the attacker's wireless interface card. The researchers only used the built-in wireless interface. Although it supports wireless network cracking, which uses monitor mode, creating an access point was impossible. Therefore, a fake access point could not be created, and with that, speed could not be measured either.

[35] See Appendix Q for the sample laboratory manual.
[35] Offensive Security (n.d.). Karmetasploit. Retrieved from https://www.offensive-security.com/metasploit-unleashed/karmetasploit-action/

Setoolkit

Setoolkit[36] is the last penetration testing tool under the gaining access phase. It is designed for social engineering attacks, wherein humans are the main target of the attack techniques. It has various custom attacks to choose from, and some of its features include creating phishing pages, cloning original web pages, faking phone numbers, sending SMS, and many more. The attacks are run from a command-line interface (CLI). SEtoolkit is simple and easy to use, for it does not use complicated commands to execute the different attacks; it only uses numbered menu choices to run them. Although SEtoolkit offers many social engineering attacks, only one feature of the tool was performed, specifically the cloning of a login page. Google (google.com) was used as the website for the cloning attack. Measuring the speed of this tool was, again, unnecessary.

The figure on the left, figure 36.1, shows that the researchers successfully cloned the google.com (Google) website. The cloned website's URL is not the same as google.com; instead, the URL of the fake website is the IP address of the attacker. The cloned website was then sent to the target victim, posing as the real and original website, but after the login credentials were typed in, the victim was redirected back to the original website, google.com (Google). This cloned website was used by the researchers as a bridge to steal usernames and passwords from the target. Then, as shown in figure 36.2, the figure on the right, the attacker successfully sniffed the target's username and password instantly. The sniffed username and password were used for the next phishing attack.

Figure 36.1 and 36.2 Cloned Google Login Page and the Captured Credentials

[36] See Appendix Q for the sample laboratory manual.
[36] Borges, E. (2020). The Social Engineering Toolkit. Security Trails. Retrieved from https://securitytrails.com/blog/the-social-engineering-toolkit
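The following is an added defender-side example, not code from the thesis, that checks for the tell-tale sign described above: a login page whose URL is a bare IP address (or an unrelated domain) rather than the brand it imitates. The expected domain, the sample URLs and the proxy log lines are constructed for illustration.

```python
"""
Added example (not from the thesis): flag credential submissions to pages whose
host is an IP literal or does not belong to the expected domain, the situation
a cloned login page served from the attacker's IP produces.
"""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "google.com"   # assumption: the brand the cloned page claims to be


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased, without user@ prefix, port or IPv6 brackets."""
    if "://" not in url:
        url = "http://" + url          # tolerate scheme-less links pasted into messages
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    """True when the host is an IPv4 or IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host: str, domain: str) -> bool:
    """True for the domain itself or a real subdomain; 'google.com.evil.test' fails."""
    return host == domain or host.endswith("." + domain)


def classify_login_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> str:
    """Return 'ok', 'ip-literal' or 'domain-mismatch' for a page asking for credentials."""
    host = host_of(url)
    if not host:
        return "domain-mismatch"
    if is_ip_literal(host):
        return "ip-literal"
    if belongs_to(host, expected_domain):
        return "ok"
    return "domain-mismatch"


# Constructed web-proxy log: "<timestamp> <client> <method> <url>"
SAMPLE_PROXY_LOG = """\
2023-01-10T10:00:01 10.0.0.5 GET https://www.google.com/
2023-01-10T10:00:07 10.0.0.5 POST http://192.168.1.10/index.html
2023-01-10T10:00:09 10.0.0.5 GET https://www.google.com/
2023-01-10T10:01:12 10.0.0.7 POST https://accounts.google.com/signin
2023-01-10T10:02:30 10.0.0.9 POST https://google.com.evil.test/login
"""


def suspicious_posts(log_text: str) -> List[Tuple[str, str, str]]:
    """Form submissions (POST) to hosts that are not the expected domain."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, method, url = line.split()
        if method == "POST":
            verdict = classify_login_url(url)
            if verdict != "ok":
                hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in suspicious_posts(SAMPLE_PROXY_LOG):
        print(f"{client} submitted a form to {url}: {verdict}")
```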


PENETRATION TESTING TOOLS’ SPEED

Table 3. Classification of Penetration Testing Tools

Phase                      Tool
Information Gathering      Recon-ng
                           theHarvester
Scanning Vulnerabilities   Nmap
                           Nikto
                           Wireshark
                           TCP Dump
                           ExploitDB
Gaining Access             Metasploit
                           Brutespray
                           THC-Hydra
                           John-the-Ripper
                           BurpSuite
                           Sqlmap
                           Cisco-Global-Exploiter
                           Yersinia
                           Aircrack-ng
                           Fern-WiFi-Cracker
                           Karmetasploit
                           Social Engineering Toolkit

Table 3 above shows the classification of the nineteen (19) penetration testing tools. Two (2) of the tools were under information gathering: Recon-ng and theHarvester. Five (5) tools were classified under scanning for vulnerabilities: Nmap, Nikto, Wireshark, TCPDump, and ExploitDB. Lastly, twelve (12) tools were under the gaining access phase: Metasploit, Brutespray, THC-Hydra, John-the-Ripper, BurpSuite, Sqlmap, Cisco-Global-Exploiter, Yersinia, Aircrack-ng, Fern-WiFi-Cracker, Karmetasploit, and Social Engineering Toolkit.


Table 3.1. Speed of the Modules Used in Recon-ng and theHarvester

Tool           Module         Speed (s)
Recon-ng       whois_pocs     47
               hackertarget   12
theHarvester   hackertarget    6

The first phase conducted in this study was information gathering. Two (2) tools were used during this phase: Recon-ng and theHarvester. Shown in table 3.1 is the speed of the modules used in Recon-ng and theHarvester. Recon-ng used a total of two (2) modules to gather information. The whois_pocs module, which was specifically tasked with finding contacts, generated results in forty-seven (47) seconds, while the hackertarget module, which was used to scan hosts in a domain, produced results in twelve (12) seconds. On the other hand, theHarvester used only one (1) module, hackertarget, which produced results in six (6) seconds. However, these results may vary according to how fast or slow the Internet connection is.

Table 3.2.1. Speed of the Attacks Used in Scanning Vulnerabilities Tools

Tool    Attack                                                    Speed (s)
Nmap    Host discovery without range                              27.04
        Host discovery with range                                 16.14
        Scanning for open ports                                   26.30
        Scanning for vulnerabilities using vulscan.nse            28
        Brute-forcing method using ssh-brute.nse                  100
Nikto   Scanning vulnerabilities on the target web server, DVWA   100
        Tuning using the SQL injection                            13

Represented in table 3.2.1 are two (2) of the five (5) tools used in scanning vulnerabilities: Nmap and Nikto. The tool Nmap executed five (5) attacks. The ping scans to discover the IP addresses of the target hosts, without and with parameters, generated results in twenty-seven point zero four (27.04) seconds and sixteen point fourteen (16.14) seconds, respectively. Scanning for open ports produced results in twenty-six point thirty (26.30) seconds. Next is vulnerability scanning using the script vulscan.nse, which provided results in exactly twenty-eight (28) seconds. Lastly, Nmap used a brute-forcing method with the script ssh-brute.nse, which produced results in one hundred (100) seconds.

Table 3.2.2. Number of Packets Captured Using Wireshark and TCPDump

Tool        First trial          Second trial         Third trial
            (packets in 60 s)    (packets in 60 s)    (packets in 60 s)
Wireshark   2                    2                    2
TCPDump     23                   2                    3

Table 3.2.2 shows the two (2) tools used for network monitoring, Wireshark and TCPDump, which are also part of scanning vulnerabilities. However, measuring speed was an unnecessary factor for these tools since the goal was to capture the wanted packets regardless of time. Instead, the researchers set a time limit of sixty (60) seconds for each of three (3) trials and determined the number of packets captured within that time frame. Wireshark consistently captured only two (2) packets within sixty (60) seconds in every trial. On the other hand, TCPDump captured twenty-three (23), two (2), and three (3) packets in the first, second, and third trial, respectively.

Table 3.2.3. Speed for Searching Vulnerabilities Using ExploitDB

                            Speed (s)
Searching Vulnerabilities   NA

The last tool under the scanning for vulnerabilities phase was ExploitDB. The function discussed and performed in this study was searching for exploits for specific services, the results of which are then used in the tool Metasploit. Three (3) services were subjected to the vulnerability search: Telnet, SMB, and VNC. The results were shown instantly because these exploits are stored locally on the attacker's machine. For this reason, the speed of ExploitDB was not measured, as seen in table 3.2.3.

Moving on to the gaining access phase, reflected in table 3, twelve (12) tools were subjected to the speed test. The same process from the previous phases was used to evaluate each tool's speed: it was measured from the start of exploiting or gaining access to a certain target up to when the process concluded. However, it can also be seen in the tables that three (3) tools' speed was not measured because they all failed to perform their attacks. But one (1) of these three (3) tools, Metasploit, performed in a phase other than gaining access, and with that process its speed could be measured.


Table 3.3.1. Speed of Port Scanning and Exploitation using Metasploit

                Speed (s)
Port Scanning   12
Exploitation    N/A

Starting with the tool Metasploit, as stated beforehand, it performed in a phase other than its expected phase, which is the gaining access phase. More of this was discussed in the preceding parts of this chapter. Under the scanning for vulnerabilities phase, Metasploit performed a port scan to discover the open ports on the target server. This port scanning process took twelve (12) seconds, as seen in table 3.3.1. For the gaining access phase, in which it exploited the SMB service running on the same target server, speed was not measured since the exploitation failed.

Table 3.3.2. Speed of Brute forcing Using Brutespray and THC-Hydra

             Target Router          Target Server           Target Desktop
Brutespray   2 minutes 42 seconds   11 minutes 51 seconds   3 minutes 8 seconds
THC-Hydra    2 minutes 29 seconds   3 minutes 43 seconds    3 minutes 4 seconds

For the next set of tools in table 3.3.2, Brutespray and THC-Hydra, the speed is discussed together since both tools were almost alike in process. Also, both tools brute-forced the SSH service running on the targets. No comparison can be made since the number of threads used for brute-forcing was not the same. The number of threads for Brutespray was set to four (4) for both the target server and target desktop, and three (3) for the target router, because exceeding three (3) yields failure. For THC-Hydra, the number of threads was set to sixteen for all targets. In the order of target router, target server, and target desktop, as seen in table 3.3.2, Brutespray brute-forced the targets in two (2) minutes and forty-two (42) seconds; eleven (11) minutes and fifty-one (51) seconds; and three (3) minutes and eight (8) seconds. Similarly, also seen in table 3.3.2, THC-Hydra brute-forced the targets in two (2) minutes and twenty-nine (29) seconds; three (3) minutes and forty-three (43) seconds; and three (3) minutes and four (4) seconds.

Table 3.3.3. Speed of de-hashing using John-the-Ripper

             Speed (s)
De-hashing   22

Another tool in the gaining access phase was John-the-Ripper, shown in table 3.3.3. This tool de-hashed the passwords of the other users stored on the target server. All four (4) other users' hashed passwords were successfully de-hashed by John-the-Ripper. Looking at table 3.3.3, de-hashing their passwords took twenty-two (22) seconds.

Table 3.3.4. Speed of SQL Injection Using Burpsuite and SQLmap

            Speed (s) per security level
            Low    Medium   High   Impossible
Burpsuite   380    350      NA     NA
SQLmap      68     73       62     65

Just like the tools Brutespray and THC-Hydra, the speeds of Burpsuite and SQLmap are discussed together because both performed a SQL injection against the same target website, DVWA. Another parameter that was considered was the difficulty level, ranging from low, medium, and high to impossible. Although the target was the same, their respective processes for performing SQL injection were not: BurpSuite injected payloads from a list, whereas SQLmap performed the SQL injection process automatically. Starting with Burpsuite, referring to table 3.3.4, it only managed to conduct a SQL injection successfully at the low and medium difficulty levels. It took three hundred eighty (380) seconds for low-level security and three hundred fifty (350) seconds for medium-level security. BurpSuite did not manage to capture anything at the high and impossible security levels. SQLmap, on the other hand, successfully conducted SQL injection at all levels. As also reflected in table 3.3.4, it finished the process in sixty-eight (68) seconds for the low level, seventy-three (73) seconds for the medium level, sixty-two (62) seconds for the high level, and sixty-five (65) seconds for the impossible level.

Table 3.3.5. Speed of Performing Denial-of-Service using Cisco-Global-Exploiter and Yersinia

                         Speed (s)
Cisco Global Exploiter   NA
                         DHCP Starvation   CDP Flooding Table
Yersinia                 82                48

The next tools to present were Cisco-Global-Exploiter and Yersinia. Again, both tools' speeds are given together because both targeted the same devices, the target router and switch, and performed the same attack, denial-of-service. But no comparison was needed since they differ in process, and Cisco-Global-Exploiter failed to attack the said devices. With that, the only tool to discuss at this point was Yersinia. This tool performed two (2) attacks, namely DHCP Starvation and CDP Flooding Table. Speed in this context was measured from the start of the process until the target devices started to crash. Referring to table 3.3.5, the DHCP Starvation took eighty-two (82) seconds to crash the target router, and the CDP Flooding Table took forty-eight (48) seconds.

Table 3.3.6. Speed of Wireless Cracking Using Aircrack-ng and Fern-WiFi-Cracker

                    Cracking WPA Password   Overall Process
Aircrack-ng         21 seconds              NA
Fern-WiFi-Cracker   5 minutes 26 seconds    6 minutes 56 seconds

The next two (2) tools, Aircrack-ng and Fern-WiFi-Cracker, performed wireless network cracking on the same target access point, so they are again discussed together. However, a comparison was not needed since the process was manual with Aircrack-ng, whereas Fern-WiFi-Cracker does the cracking automatically once the target network and wordlist are provided. Also, for Aircrack-ng, only the time to crack the captured WPA handshake was measured, while for Fern-WiFi-Cracker, speed was measured from the start of automated cracking both to the time it cracked the WPA password and to the end of the overall process. With that, looking at table 3.3.6, the time it took Aircrack-ng to crack the WPA password was twenty-one (21) seconds. On the other hand, Fern-WiFi-Cracker took five (5) minutes and twenty-six (26) seconds to crack the WPA password and six (6) minutes and fifty-six (56) seconds for the overall automated cracking.

Table 3.3.7. Speed of Creating Fake Access Point Using Karmetasploit

                Speed (s)
Karmetasploit   NA

Table 3.3.7 above shows that Karmetasploit, another tool for the gaining access phase, has no recorded speed, which means that this tool also failed. However, unlike the other tools that failed to attack their respective targets, Karmetasploit failed due to hardware failure. With that, speed could not be observed for this tool.

Table 3.3.8. Speed of Harvesting Credentials Using Social Engineering Toolkit

                        Speed (s)
Harvested Credentials   Instantly

The last tool under the gaining access phase was Social Engineering Toolkit, or SEtoolkit. The attack employed with this tool was cloning websites, particularly the Google log-in page. Measuring the speed for this tool was tricky: at most, the speed depends on the target user entering their credentials. However, the measured speed seen in table 3.3.8 refers to the time it took for the attacker to view the credentials on its screen/terminal once the target had entered them; thus, the term 'instantly' was used.


PENETRATION TESTING TOOLS’ COVERAGE

Represented in figure 37 is the list of the nineteen (19) penetration testing tools simulated in the penetration testing laboratory, arranged from left to right, namely: Recon-ng, theHarvester, Nmap, Nikto, Wireshark, TCPDump, ExploitDB, Metasploit, Brutespray, THC-Hydra, John-the-Ripper, BurpSuite, SQLmap, Cisco-Global-Exploiter, Yersinia, Aircrack-ng, Fern-WiFi-Cracker, Karmetasploit, and SEToolkit. Following the results and discussions in the previous section, Penetration Testing Tools, these tools can be further sub-categorized: they were not only capable of performing their assigned penetration testing phase, but some tools were flexible across any of the three (3) said phases.

Aside from their logo and name, the researchers used colors as legends to identify the significant differences in a particular penetration testing tool's phases. For the first phase of penetration testing, information gathering, the researchers used the color blue. For the second phase, scanning vulnerabilities, the color green was used. For the third phase, gaining access, the color red was used. However, the researchers used the color black if the tool failed to be tested in the penetration testing laboratory, since it then cannot be verified whether the tool can perform its assigned penetration testing phase. With that being said, whenever a penetration testing tool has a multicolored background, the tool can be classified into multiple phases of penetration testing.

Legend: Information Gathering (blue); Scanning Vulnerabilities (green); Gaining Access (red); Failed (black)

Figure 37. Penetration Testing Tools and Their Penetration Testing Phases


Figure 37.1 shows the two (2) tools used for information gathering, from left to right: Recon-ng and theHarvester. The blue background color was used because they could passively and successfully gather information on their target domain, google.com, and were used solely for the first penetration testing phase. They gathered information from contacts and hosts, thus producing publicly available information. However, these tools had no relation to or significant effect on the developed penetration testing laboratory; they were deployed only to demonstrate how information gathering is done.

Figure 37.1. Recon-ng and theHarvester’s Coverage

Presented in figure 37.2.1 are two (2) of the tools used for scanning vulnerabilities. Notice that the image on the left, Nmap, is represented by three (3) different colors. The first color is blue, for information gathering: Nmap was used to discover what hosts were available in the target's network. The other colors are green, for scanning vulnerabilities, and red, for the gaining access phase. For the scanning vulnerabilities phase, Nmap was used to detect open ports together with the services running on them; in particular, it was used to scan the target router, target server, target desktop, and target access point, which were discovered using Nmap's host discovery scan. For the gaining access phase, with the script ssh-brute.nse, Nmap was able to brute-force targets, which is a method of gaining access. Without a doubt, Nmap was vital in stimulating and aiding other penetration testing tools in successful attacks. The tools that Nmap helped were Nikto, ExploitDB, Brutespray, THC-Hydra, and Cisco-Global-Exploiter.

Unlike Nmap, Nikto is depicted with a solid green background because it was used only to scan for vulnerabilities. From the scan conducted using Nmap, one of the discovered targets, the target server, was found to have port 80 open. Port 80 is used for web services, specifically HTTP. This discovery led to using Nikto to execute basic web server scanning on the target website, DVWA. The vulnerabilities learned enabled the researchers to visit directories that were not supposed to be accessible. In addition, tuning for SQL injection was also performed to identify whether the target website was susceptible to SQL injection, which showed that it was, since this website was created to be vulnerable to several web application tests. That said, this tool enabled other penetration testing tools, specifically BurpSuite and Sqlmap, to exploit these vulnerabilities in a successful attack.

Figure 37.2.1 Nmap and Nikto’s Coverage

The subsequent tools identified in figure 37.2.2 are Wireshark and TCPDump. These tools are represented using different colors, which means that they were not used solely for scanning vulnerabilities. Although Wireshark and TCPDump are fairly different in how they operate, Wireshark having a GUI and TCPDump running on the CLI, they were both used as network monitoring tools. With that, both tools are identified using two background colors: green for scanning vulnerabilities and red for gaining access. To scan for vulnerabilities, the researchers used these tools to examine protocols like HTTP, DHCP, CDP, and many more, some of which are used by other penetration testing tools such as Yersinia to execute an attack. In addition, these tools were also used to capture packet information. With the ability to read packet information, these tools were also used to sniff passwords on the vulnerable target website, DVWA, which is a method used for gaining access.

Figure 37.2.2 Network Monitoring Tools’ Coverage

Lastly, ExploitDB is also represented using the green color only in figure 37.2.3; the goal of this tool is to compile a complete collection of exploits, shellcodes, and more. With the help of Nmap's open port scanning, this tool was employed to search for exploits for the open ports found: the target router's port 23 (Telnet), the target server's port 445 (SMB), and the target desktop's port 5900 (VNC). The result of the vulnerability search on specific open ports or the protocols used can be used to know what possible exploits may or may not be applicable. Also, these results were used by Metasploit to conduct the exploitation of such targets.

Figure 37.2.3 ExploitDB’s Coverage


Figure 37.3.1 represents the coverage of Metasploit in terms of its penetration testing phases. It was used for automated exploitation. However, even though the designated penetration testing phase of Metasploit is gaining access, it was also used for scanning vulnerabilities, and is thus represented using two (2) colors: green for scanning vulnerabilities and red for gaining access. The researchers simulated various attacks using Metasploit for the gaining access phase, one of which was creating payloads, known as trojans. In the other attack, the only service that could be subjected to exploitation was the SMB service, and only one (1) exploit module could be used, the is_known_pipename() Arbitrary Module Load. The use of this module was based on the result of ExploitDB's search for the service Samba. Out of nine (9) exploits discovered for Samba, only the is_known_pipename() Arbitrary Module Load could be used, due to the relevance of this module to the version of SMB running on the target server. Going back to the exploitation process, regardless of how high the chance of these exploits being successful, the researchers were prompted with the result "Exploit completed, but no session was created," thus ending the attack with a failed attempt. On the other hand, for the scanning vulnerabilities phase of Metasploit, the researchers used the module named portscan to scan the open ports on the target. It showed that this tool is also capable of the scanning vulnerabilities phase.

Figure 37.3.1 Metasploit’s Coverage


Figure 37.3.2 shows the tools used for password cracking, with few noticeable differences, namely: Brutespray, THC-Hydra, and John-the-Ripper. These three (3) tools were used only in the gaining access phase. No other function of the said tools was discovered by the researchers in which they operated other than to gain access to their targets, so they are represented by the solid color red. Two of these tools, Brutespray and THC-Hydra, operate online, meaning that their target must be up and reachable from the attacker. According to Nmap's scan for open ports, the three (3) targets, target router, target server, and target desktop, have port 22 open. Although the port on which it runs could be changed, the service OpenSSH was also discovered to be running on the said open port. Under gray-box testing, which was implemented in this study, the target usernames were known. After performing the brute force, the target router, server, and desktop credentials were, respectively: BlueTeam:cisco-admin; ubuntu:serveradmin; and pi:raspberry. Finally, the other tool, John-the-Ripper, works offline in this study. It only needed a copy of the password hashes to function. Performing an SSH connection to the target server, using the credentials obtained from the brute-forcing by Brutespray and THC-Hydra, the researchers discovered that other users were present in the system. The researchers then used John-the-Ripper to de-hash their passwords.
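The following is an added example, not code from the thesis, of the detection logic a defender of the target server would run against this online SSH brute force: it parses sshd log lines, counts failures per source inside a sliding window, and flags the accepted login that follows a burst, which is the guess that worked. The log lines, source addresses, threshold and year are constructed assumptions; the usernames are the ones named above.

```python
"""
Added example (not from the thesis): SSH brute-force detection over constructed
sshd lines in the layout of Ubuntu's /var/log/auth.log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: a dictionary attack on "ubuntu" from one source that
# succeeds on the 6th try, and an ordinary user ("pi") mistyping once.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 target-server sshd[1201]: Failed password for ubuntu from 192.168.1.50 port 50211 ssh2
Jan 10 10:00:01 target-server sshd[1202]: Failed password for ubuntu from 192.168.1.50 port 50212 ssh2
Jan 10 10:00:02 target-server sshd[1203]: Failed password for ubuntu from 192.168.1.50 port 50213 ssh2
Jan 10 10:00:02 target-server sshd[1204]: Failed password for ubuntu from 192.168.1.50 port 50214 ssh2
Jan 10 10:00:03 target-server sshd[1205]: Failed password for invalid user admin from 192.168.1.50 port 50215 ssh2
Jan 10 10:00:03 target-server sshd[1206]: Accepted password for ubuntu from 192.168.1.50 port 50216 ssh2
Jan 10 10:05:00 target-server sshd[1300]: Failed password for pi from 192.168.1.20 port 40001 ssh2
Jan 10 10:09:00 target-server sshd[1301]: Accepted password for pi from 192.168.1.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

FAIL_THRESHOLD = 4               # assumption: 4 failures inside the window is a burst
WINDOW = timedelta(seconds=60)   # assumption: sliding window length
YEAR = 2023                      # syslog timestamps carry no year; assumption

Event = Tuple[datetime, str, str, str]   # (time, result, user, source)


def parse_line(line: str) -> Optional[Event]:
    """Parse one sshd line; None for lines that are not password auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text: str) -> List[Tuple[str, str, int]]:
    """
    Alerts as (source, kind, failures_in_window):
      'burst'                  - FAIL_THRESHOLD failures from one source inside WINDOW
      'success-after-failures' - an accepted login from a source still in a burst,
                                 i.e. the guess that worked (the outcome in the text)
    """
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Tuple[str, str, int]] = []
    burst_reported = set()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, result, _user, src = event
        recent = [t for t in failures[src] if ts - t <= WINDOW]   # slide the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= FAIL_THRESHOLD and src not in burst_reported:
                alerts.append((src, "burst", len(recent)))
                burst_reported.add(src)
        elif len(recent) >= FAIL_THRESHOLD:
            alerts.append((src, "success-after-failures", len(recent)))
        failures[src] = recent
    return alerts


if __name__ == "__main__":
    for src, kind, count in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{src}: {kind} ({count} failures within {WINDOW.seconds}s)")
```

The thesis's known-username, 16-thread run produces exactly this shape in the target's log: many failures per second from one source, then one accepted login, which is why the second alert kind matters more than the first.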


Figure 37.3.2. Password Cracking Tools’ Coverage

Other tools used in the gaining access phase were Burpsuite and SQLmap,

as represented in figure 37.3.3. These two tools were used for web application

testing. One of the most common Web Application vulnerabilities that were being

exploited was SQL injection. This attack aims to dump sensitive information from

a database. Since Nikto detected that the target server's website, DVWA, was

susceptible to SQL injection attacks, these tools, Burpsuite and SQLmap, were

used to exploit that vulnerability. In addition, DVWA has a feature wherein the

security level could be changed from low, medium, high, and impossible. The tool

BurpSuite only managed to dump data from low to medium levels. Also, the

passwords dump was hashed. However, in the case of SQLmap, aside from

disclosing all information from low to high, all the passwords dumped were also

de-hash. It means that the passwords presented were already readable in plain

text.


Figure 37.3.3 Web Application Testing Tools’ Coverage

Moving on to Cisco-Global-Exploiter and Yersinia in figure 37.3.4, these two (2) tools were used for network infrastructure testing, which also falls under the gaining access phase, as represented. The prime targets of these tools were the Cisco devices present on the targets' side of the developed penetration testing laboratory. For Cisco-Global-Exploiter, the attack performed was based on the host discovery scan of the tool Nmap, which detected that a Cisco device was running in the penetration testing laboratory. However, it can be seen in figure 37.3.4 that Cisco-Global-Exploiter failed to perform an attack on its target, represented by a solid black color. Yersinia, however, successfully performed a DHCP starvation attack and a CDP table flooding attack against the target router and switch. The attacks performed with Yersinia were made possible by Wireshark and TCPDump, which discovered the DHCP and CDP packets traversing the penetration testing laboratory.
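On the wire, the DHCP starvation that Yersinia performed looks like many broadcast DHCP requests from distinct client hardware addresses in a short time, which is exactly what the Wireshark and TCPDump captures above would have shown. The script below is an added example, not from the thesis, that flags such a burst in tcpdump one-line summaries. The capture lines are constructed, and the window and client-count thresholds are assumptions.

```python
"""Flag a DHCP starvation burst in tcpdump summary lines.

Added example, not from the thesis.  A starvation attack floods the DHCP
server with requests from random client MACs to exhaust its pool; this
counts distinct client MACs inside a sliding time window.  Lines are
constructed in tcpdump's one-line BOOTP/DHCP format.
"""
import re
from collections import deque
from datetime import datetime

# Two ordinary requests (constructed MACs) a few seconds before the burst.
BENIGN_LINES = [
    "10:31:50.104211 IP 0.0.0.0.68 > 255.255.255.255.67: "
    "BOOTP/DHCP, Request from b8:27:eb:12:34:56, length 300",
    "10:31:52.551903 IP 0.0.0.0.68 > 255.255.255.255.67: "
    "BOOTP/DHCP, Request from dc:a6:32:ab:cd:ef, length 300",
]
# Constructed burst: 30 requests, each from a different locally administered
# MAC, spread over 0.87 seconds (the pattern a starvation tool produces).
STARVATION_BURST = [
    f"10:32:00.{i * 30000:06d} IP 0.0.0.0.68 > 255.255.255.255.67: "
    f"BOOTP/DHCP, Request from 02:00:00:00:00:{i:02x}, length 300"
    for i in range(30)
]

DHCP_REQUEST_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP 0\.0\.0\.0\.68 > 255\.255\.255\.255\.67: "
    r"BOOTP/DHCP, Request from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def parse_dhcp_requests(lines):
    """Return [(timestamp, client_mac)] for broadcast DHCP requests from 0.0.0.0,
    i.e. clients that do not hold a lease yet (DISCOVER/REQUEST)."""
    found = []
    for line in lines:
        m = DHCP_REQUEST_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            found.append((ts, m["mac"].lower()))
    return found


def detect_starvation(requests, window_seconds=5.0, max_clients=10):
    """Slide a time window over the requests and count distinct client MACs.

    Returns (alert, peak_distinct_clients).  More than `max_clients` distinct
    unleased clients inside one window is far beyond normal churn on a small
    segment and is treated as starvation.
    """
    window = deque()
    peak, alert = 0, False
    for ts, mac in sorted(requests):
        window.append((ts, mac))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # expire requests older than the window
        distinct = len({m for _, m in window})
        peak = max(peak, distinct)
        if distinct > max_clients:
            alert = True
    return alert, peak


if __name__ == "__main__":
    capture = parse_dhcp_requests(BENIGN_LINES + STARVATION_BURST)
    print(detect_starvation(capture))
```

The benign lines alone peak at two distinct clients and raise nothing; appending the burst raises the alert with a peak of thirty. On switches, DHCP snooping with a per-port rate limit stops the same pattern before it reaches the server, which is the kind of device-side hardening the laboratory currently lacks.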


Figure 37.3.4 Network Infrastructure Tools’ Coverage

Three (3) tools were used to continue with wireless network testing: Aircrack-ng, Fern-WiFi-Cracker, and Karmetasploit. From figure 37.3.5, notice that aside from gaining access, Aircrack-ng and Fern-WiFi-Cracker were also used in the information gathering phase. Both tools are almost identical in function, except that Fern-WiFi-Cracker is operated through a GUI. In the information gathering phase, these two tools collected the data needed to move on to the gaining access phase: the BSSID, which is the MAC address of the target access point; the STATION, or the MAC address of the connected client; and the channel on which the access point is broadcasting. Then, under the gaining access phase, once these data were collected, the tools proceeded to de-authenticate the connected clients in order to capture the WPA handshake; cracking of the WPA password starts as soon as this handshake is captured. Karmetasploit, the other tool under wireless network testing, was used to create a fake access point. The researchers intended this tool to imitate the target access point's configuration, such as its BSSID and channel. However, due to the hardware limitation of the attacker machine's wireless card, creating an access point was futile; thus, it is represented by a solid black color.

Figure 37.3.5 Wireless Network Testing Tools’ Coverage

The last tool under the gaining access phase, referring to figure 37.3.6, was the Social Engineering Toolkit, or SEtoolkit. As implied by its name, SEtoolkit was used for social engineering attacks. Although it offers many social engineering attacks, the demonstration of this tool was limited because there was no Internet connection. Consequently, the researchers only performed credential harvesting by cloning web pages, specifically Google's log-in page.

Figure 37.3.6 Social Engineering Tool’s Coverage


RELIABILITY AND ACCEPTABILITY OF THE PENETRATION TESTING LABORATORY

The third specific objective of the study was to determine the reliability and acceptability of the penetration testing laboratory. The data used to answer this problem were gathered through a questionnaire using the Likert scale. There were thirty (30) respondents, all of them students of Bachelor of Science in Computer Engineering, Major in Systems and Network Administration, at Pangasinan State University – Urdaneta (PSU-UCC). Since the respondents were all students of the Systems and Network Administration track, it was expected that they already had prior knowledge of ethical hacking topics, of the use of VMware, and of the different penetration testing tools. The questionnaire[37] has three (3) parts. The first part was divided into four (4) categories: Usefulness, Ease of Use, Ease of Learning, and Satisfaction, adapted from the Usefulness, Satisfaction, and Ease of Use (USE) questionnaire by Arnie Lund, with some of the questions modified to suit this study. Part two was to determine whether any problems were encountered during the testing. The third and last part was to find out whether the nineteen (19) tools were sufficient and, if not, to let the respondents suggest other tools.

[37] See Appendix R for the questionnaire

Table 4. Likert Scale with Interpretation

Scale       | Interpretation
5 – 4.50    | Strongly Agree
4.49 – 3.50 | Agree
3.49 – 2.50 | Neutral
2.49 – 1.50 | Disagree
1.49 – 0    | Strongly Disagree

The first part of the questionnaire was based on the USE questionnaire, which originally is a thirty-item survey investigating the four dimensions of usability: usefulness, ease of use, ease of learning, and satisfaction. It was also originally constructed as a seven-point Likert rating scale, whereas the researchers used a five-point Likert scale in this study. Using the scale shown in Table 4, each dimension had five (5) statements that the respondents answered through a checklist on the provided scale from Strongly Disagree to Strongly Agree, adopted from the Likert scale approach by Rensis Likert. In all, this part of the questionnaire contains twenty (20) statements, and the respondents answered each statement based on their level of agreement.
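The weighted means and interpretations reported in Tables 4.1 to 4.4 follow from the five-point scale above: each item's weighted mean is the sum of scale value times response count over the number of respondents, and the category's overall average weighted mean is the mean of its item means. The code below is an added example (not the thesis's own Appendix S computation) that carries this through; the response distribution for the sample item is constructed, while the scale boundaries and the item means checked at the end come from Table 4 and Table 4.1.

```python
"""Weighted mean and Likert interpretation behind Tables 4.1 to 4.4.

Added example, not the thesis's Appendix S computation.  The response
counts below are constructed; only the Table 4 boundaries and the Table 4.1
item means used for the overall check come from the text.
"""

# Table 4, highest lower bound first.  A mean is interpreted after rounding
# to two decimals, which is how the tables report it.
LIKERT_SCALE = [
    (4.50, "Strongly Agree"),
    (3.50, "Agree"),
    (2.50, "Neutral"),
    (1.50, "Disagree"),
    (0.00, "Strongly Disagree"),
]


def weighted_mean(counts):
    """counts maps a scale value (1..5) to the number of respondents who chose
    it.  Weighted mean = sum(value * count) / total respondents."""
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no responses")
    return sum(value * n for value, n in counts.items()) / total


def interpret(mean):
    """Map a mean onto the Table 4 interpretation."""
    rounded = round(mean, 2)
    for lower_bound, label in LIKERT_SCALE:
        if rounded >= lower_bound:
            return label
    raise ValueError(f"mean {mean} is outside the 0-5 scale")


def overall_awm(item_means):
    """Overall average weighted mean of a category: mean of its item means."""
    return round(sum(item_means) / len(item_means), 2)


def summarize_item(counts):
    """Return (weighted mean rounded to 2 decimals, interpretation) for one item."""
    mean = round(weighted_mean(counts), 2)
    return mean, interpret(mean)


# Constructed distribution for one statement answered by 30 respondents
# (15 chose 5, 9 chose 4, 4 chose 3, 2 chose 2, none chose 1).  It yields
# 4.23, the mean reported for item 1 of Table 4.1, but the split is invented.
SAMPLE_ITEM_COUNTS = {5: 15, 4: 9, 3: 4, 2: 2, 1: 0}

# Item means of Table 4.1 (Usefulness), taken from the text.
USEFULNESS_ITEM_MEANS = [4.23, 4.40, 4.27, 4.97, 4.63]

if __name__ == "__main__":
    print("sample item:", summarize_item(SAMPLE_ITEM_COUNTS))
    awm = overall_awm(USEFULNESS_ITEM_MEANS)
    print("Usefulness overall:", awm, interpret(awm))
```

Rounding before interpretation matters at the category boundaries: Table 4 leaves no room between 4.49 and 4.50, so a raw mean of 4.496 reads as "Strongly Agree" only after it has been rounded to 4.50, as the tables do.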


Table 4.1. Reliability and Acceptability of the Penetration Testing Laboratory Under the Category Usefulness

Usefulness | Weighted Mean | Interpretation
1. It gives me more control over the different penetration testing tools. | 4.23 | Agree
2. I got to familiarize myself more with the different penetration testing tools. | 4.40 | Agree
3. The information (in the laboratory manual) provided is knowledgeable. | 4.27 | Agree
4. Suitability of the penetration testing laboratory to the course major Systems and Network Administration. | 4.97 | Strongly Agree
5. The penetration testing laboratory is reliable. | 4.63 | Strongly Agree
Overall Average Weighted Mean | 4.50 | Strongly Agree

The first category was usefulness, defined here as the respondents' belief that the penetration testing laboratory will assist them in honing their skills in the various penetration testing tools as well as their general knowledge of Systems and Network Administration. Table 4.1 shows the five (5) questions under the usefulness category and their respective weighted means and interpretations based on the data and computations[38]. As shown in Table 4.1, items one, two, and three were all interpreted as "Agree" regarding the penetration testing laboratory's usefulness, with weighted means of 4.23, 4.40, and 4.27, respectively. The other two questions, four and five, were interpreted as "Strongly Agree": "The suitability of the penetration testing laboratory to the course major Systems and Network Administration" and "the penetration testing laboratory is reliable" have the two highest computed weighted means, 4.97 and 4.63, respectively.

[38] See Appendix S for the computation of the average weighted mean

These results showed that the penetration testing laboratory was a useful instrument for the respondents in honing their skills in the different penetration testing tools as well as in the general knowledge of the SNA subject. Furthermore, the computed overall average weighted mean was 4.50, interpreted as "Strongly Agree."

Table 4.2. Reliability and Acceptability of the Penetration Testing Laboratory Under the Category Ease of Use

Ease of Use | Weighted Mean | Interpretation
1. It is user-friendly. | 4.0 | Agree
2. I feel more comfortable using this laboratory than VMware. | 3.70 | Agree
3. The information (in the laboratory manual) provided is clear. | 4.20 | Agree
4. The penetration testing laboratory was easier to use than VMware. | 3.73 | Agree
5. The penetration testing laboratory's performance, in general, is consistent. (No major technical issues.) | 4.23 | Agree
Overall Average Weighted Mean | 3.97 | Agree

The second category was ease of use, which describes how easily and quickly the respondents could use the penetration testing laboratory. Table 4.2 shows the five (5) questions under the ease-of-use category and their respective weighted means and interpretations based on the data and computations[39]. The weighted means for all questions were interpreted as "Agree." "The penetration testing laboratory's performance, in general, was consistent (No major technical issues)" and "The information (in the laboratory manual) provided is clear" have the two highest computed weighted means, 4.23 and 4.20, respectively, both interpreted as "Agree." Furthermore, the overall average weighted mean was 3.97, interpreted as "Agree."

[39] See Appendix S for the computation of the average weighted mean

The result clearly showed that the respondents agreed that the penetration testing laboratory was easy for them to use. Question number five has the highest weighted mean among the five questions: the penetration testing laboratory's performance, in general, was consistent, with no major technical issues. Furthermore, the majority of the respondents agreed that the information provided in the laboratory manual was clear.

Table 4.3. Reliability and Acceptability of the Penetration Testing Laboratory Under the Category Ease of Learning

Ease of Learning | Weighted Mean | Interpretation
1. I learned to operate the penetration testing laboratory quickly and I easily remember how to use it. | 3.57 | Agree
2. I got to learn the different penetration testing tools quickly. | 3.37 | Neutral
3. I found the instructions on the laboratory manual very helpful and easy to understand. | 4.33 | Agree
4. Actual equipment (e.g., routers, access points, switches) helps the sense of reality. | 4.73 | Strongly Agree
5. It's easy to digest in the mind and understand the penetration testing laboratory in general. | 4.00 | Agree
Overall Average Weighted Mean | 4.00 | Agree


The third category was ease of learning, defined as how easily the information was acquired and retained by the respondents. Table 4.3 shows the five questions under the ease-of-learning category with their respective weighted means and interpretations based on the data and computations[40]. Questions one, three, and five were interpreted as "Agree," with weighted means of 3.57, 4.33, and 4.00, respectively. Question number four has the highest weighted mean, 4.55, and was interpreted as "Strongly Agree." Notice that question number two was interpreted as "Neutral," with a weighted mean of 3.37. Among all the statements in the questionnaire, this statement got the lowest weighted mean, with an interpretation of "Neutral." Because of this, the researchers asked some of the respondents why this item only received a neutral response. Some respondents answered that this was because some of the penetration testing tools in the manual were unfamiliar to them: they had not yet tackled tools such as Aircrack-ng, THC-Hydra, and Brutespray in their SNA 2 subject, so they had a hard time learning them. Furthermore, the researchers observed that some of the respondents did not read the lab manual thoroughly.

Nevertheless, the overall average weighted mean for the ease-of-learning category was 4.00, interpreted as "Agree." The results showed that the penetration testing laboratory is an excellent help for the respondents in quickly acquiring information and knowledge about the different penetration testing tools. Related to this, question number four, "the actual equipment (e.g., routers, access points, switches) helps the sense of reality," has the highest weighted mean. This shows that the actual equipment provides a sense of reality to the students; as a result, the information and steps can be easily retained by every student.

[40] See Appendix S for the computation of the average weighted mean

Table 4.4. Reliability and Acceptability of the Penetration Testing Laboratory Under the Category Satisfaction

Satisfaction | Weighted Mean | Interpretation
1. I have been motivated by the penetration testing laboratory to learn more about different penetration testing tools. | 4.37 | Agree
2. I am satisfied with the penetration testing laboratory. | 3.83 | Agree
3. Information in the lab manual was sufficient. | 3.53 | Agree
4. I have enjoyed using the penetration testing laboratory. | 4.30 | Agree
5. I felt very confident testing the different tools while using the penetration testing laboratory. | 3.73 | Agree
Overall Average Weighted Mean | 3.97 | Agree

The fourth and last category was satisfaction. Knowing the respondents' level of satisfaction with the penetration testing laboratory was essential and relevant for the researchers in thinking of improvements. Furthermore, this helps the researchers and future researchers provide a better quality of learning using a penetration testing laboratory. It is vital to identify whether the respondents' expectations have been met. Table 4.4 shows the five questions under the satisfaction category and their respective weighted means and interpretations based on the data and computations[41]. All the weighted means under the satisfaction category were interpreted as "Agree." Questions one and four have the highest weighted means, 4.37 and 4.30, respectively, with an interpretation of "Agree." The overall average weighted mean for the satisfaction category was 3.97, with an interpretation of "Agree." The result clearly showed that most of the respondents agreed that they were satisfied with the penetration testing laboratory's performance, reliability, and acceptability to the students.

[41] See Appendix S for the computation of the average weighted mean

Based on the results acquired by the researchers, the four categories Usefulness, Ease of Use, Ease of Learning, and Satisfaction obtained average weighted means of 4.50, 3.97, 4.00, and 3.9, respectively. The usefulness category has an interpretation of "Strongly Agree," and the rest of the categories, Ease of Use, Ease of Learning, and Satisfaction, have an interpretation of "Agree." The researchers therefore concluded that the developed penetration testing laboratory is reliable and acceptable to the students of Bachelor of Science in Computer Engineering major in Systems and Network Administration at Pangasinan State University – Urdaneta (PSU-UCC).

The researchers wished to know whether the respondents experienced any technical difficulties or errors during the testing. For part two of the questionnaire, a single question was asked: "Did you experience any technical difficulties and errors during the simulation of the different penetration testing tools and the laboratory equipment itself?" Possible errors and technical issues were listed, such as delays or lagging, software malfunctioning, and the operating system not functioning well. The respondents could choose as many of the choices as applied, and if they met an error or technical issue not listed among the choices, they could add it in the blank space provided. This part of the questionnaire helped the researchers gauge to what extent the penetration testing laboratory needed improvement. After further investigation, only three (3) respondents answered that there were delays and lags during the testing, specifically when using the tools operated through a graphical user interface (GUI). Aside from that, no other technical issues or errors were reported.

The last part of the questionnaire consists of another single question: "Are the tools provided enough for the supplement of the Ethical Hacking topic?" The researchers wished to know whether the provided penetration testing tools were enough to supplement the Ethical Hacking topic. This part was answerable by "Yes" or "No," although answering it was not required. Nevertheless, a student who answered "No" was to recommend another penetration testing tool he or she wished had been included in the laboratory. According to the researchers' data, twenty-seven (27) of the thirty (30) students answered "Yes." This result means that the provided penetration testing tools were enough to supplement the Ethical Hacking topic. The other three (3) students, who answered "No," recommended some penetration testing tools, namely: Xerosploit, Browser Exploitation Framework (BeEF), Hashcat, Mimikatz, Nessus, and Ettercap.


PROBLEMS ENCOUNTERED DURING THE IMPLEMENTATION OF THE NINETEEN PENETRATION TESTING TOOLS

The researchers undoubtedly encountered challenges, errors, and problems, from setting up the lab using the provided equipment (Cisco switches, routers, access points, and Raspberry Pi) to configuring each piece of equipment to simulating the various penetration testing tools. The major problem was the Internet connection. The researchers experienced a slow Internet connection, even though the Internet plays an essential role in this study: the results and outputs of some penetration testing tools, such as Recon-ng and theHarvester, depend on the Internet. Thus, obtaining a stable and fast Internet connection was a great challenge for the researchers. Furthermore, throughout the simulation of the different penetration testing tools, the researchers encountered, as expected, various problems and issues, discussed below.

BurpSuite

BurpSuite is one of the tools under the gaining access phase, a suite of tools for web application penetration testing. The researchers faced problems while installing the graphical user interface (GUI) of BurpSuite. BurpSuite is installed by default in the Kali Linux operating system. However, for ARM 64-bit architectures, BurpSuite is not installed by default, and it is advisable to download it using the APT package manager. If the installed Kali Linux is not the ARM 64-bit build, however, BurpSuite cannot be installed from the APT package manager or even from its official website.

The researchers encountered an error where BurpSuite could not be installed on the attacker machine because the version of Kali Linux installed on the system had a different architecture. The prerequisite of BurpSuite is that the system must be 64-bit. Kali Linux does, however, provide BurpSuite in its APT package manager.

Cisco-Global-Exploiter

Cisco-Global-Exploiter is a security testing tool under the gaining access phase that can exploit fourteen (14) of the most dangerous vulnerabilities in Cisco switches and routers. The researchers tried all fourteen (14) attacks, but none of them was successful. At the end of every attack, there was a message saying "No telnet server detected on 192.168.2.1 ..." or "No HTTP server detected on 192.168.2.1 …".

After a further in-depth investigation, the researchers found out that this was due to the equipment used. It was discovered that specific models and versions of Cisco routers and switches must be utilized for these fourteen (14) attacks to succeed. For example, attack number one, the Cisco 677/678 Telnet Buffer Overflow Vulnerability, only works on Cisco router models 626, 627, 633, 673, 675, 675e, 676, 77, 677i, and 678. The only Cisco router model the researchers used was the 2811. Another example is attack number seven, the Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability, which only works on the Cisco Catalyst 3500 XL switch model. The researchers only had the Cisco Catalyst 3750 Series Switch in this study.

Karmetasploit

Karmetasploit is another penetration testing tool from the gaining access phase. Karmetasploit's primary goal is to create a fake access point to which the client, or victim, will connect. After connecting, the client is greeted with a captive portal, which acts like a gateway to the services. Several attacks can then be made against the connected victim; for example, the attacker can capture password credentials and harvest data and information.

The command used for creating the fake access point was sudo airbase-ng -P -C 30 -e "TP-Link-Pentester" -v wlan0mon, wherein TP-Link-Pentester is the SSID of the access point targeted by the attacker. At first, the prompt shows "Access Point with BSSID xx:xx:xx:xx:xx:xx started," stating that a fake access point has been created, but after some seconds an error is prompted, meaning that the fake access point could not be created. On the other hand, the researchers tried simulating this on other devices, such as laptops, and it worked. Hence, the error is due to the hardware limitation of the attacker machine, specifically its wireless interface, which is a vital element for creating an access point.

150
CHAPTER V: SUMMARY, CONCLUSION, AND RECOMMENDATIONS

CHAPTER 5

SUMMARY, CONCLUSION, AND RECOMMENDATION

This chapter presents the researchers' general assessment of the study by discussing its summary and conclusion, together with some recommendations for future work on this study.

SUMMARY

This study, entitled "Developing a Penetration Testing Laboratory as a Basis for Network Security," aimed to create a penetration testing laboratory. The researchers designed a penetration testing laboratory wherein several penetration testing tools were tested without conducting any illegal activity and with utmost consideration of legal consequences; the design is flexible, and its modifications and configurations can be changed. The equipment used for the developed penetration testing laboratory consisted of three (3) Raspberry Pi machines, two (2) routers, one (1) switch, and an access point. The target router was configured as a DHCP server, and both routers were configured with routing protocols, namely EIGRP and BGP.

With that, nineteen (19) tools were tested. A laboratory manual was provided to guide users on how to use each tool. Of the nineteen (19) tools, sixteen (16) were successfully used to gain access to the different targets (some of them only aided other tools in gaining access), and one (1) tool failed due to the operating system used by the target desktop, although it is guaranteed to work on other operating systems, specifically Windows. The laboratory manual did not include the remaining two (2) tools. During the testing of the said laboratory, thirty (30) respondents evaluated the reliability and acceptability of the developed laboratory. To determine the reliability and acceptability, a questionnaire was formulated and divided into three (3) parts. The first part was divided into four (4) dimensions: Usefulness, Ease of Use, Ease of Learning, and Satisfaction. The dimension Usefulness garnered a "Strongly Agree" response from the respondents; the remaining dimensions scored "Agree." For the second part, problems encountered, some respondents answered that they had encountered a problem. For the last part, the respondents were to answer whether the seventeen (17) tools presented in the laboratory manual were sufficient. Most of them said that they were enough, while some said "no" and gave some suggestions of tools.

Several problems were encountered during the conduct of this study. One problem was the Internet connection. The other concerned the tools used: one tool was not available for the operating system installed on the attacker machine, while some tools, although installed, failed to function properly.


CONCLUSIONS

The developed penetration testing laboratory consists of an attacker computer, which is a Raspberry Pi 4 Model B, and two (2) Raspberry Pi 3 Model B+ target computers, namely the target server and the target desktop. The attacker machine runs the Kali Linux operating system, which is dedicated to penetration testing. The target server runs Ubuntu Server for ARM, and the target desktop runs the Raspbian operating system. In addition to the computers, one (1) switch and two (2) routers were included: the switch was a Cisco Catalyst 3750, and the routers were Cisco 2811. An access point, a TP-Link TL-WR840N, was also included. Finally, aside from developing the penetration testing laboratory, a laboratory manual was composed that describes how to use the nineteen (19) penetration testing tools.

The nineteen (19) tools used were categorized according to the phase in which they were used. Two (2) of them, Recon-ng and theHarvester, were under information gathering. Five (5) of the tools were categorized under the scanning for vulnerabilities phase: Nmap, Nikto, Wireshark, TCPDump, and ExploitDB. The remaining twelve (12) tools were under the last phase of the study, the gaining access phase: Metasploit, Brutespray, THC-Hydra, John-the-Ripper, Burpsuite, SQLmap, Cisco-Global-Exploiter (CGE), Yersinia, Aircrack-ng, Fern-WiFi-Cracker, Karmetasploit, and Social Engineering Toolkit. Of these nineteen (19) tools, two (2), CGE and Karmetasploit, were not included in the created laboratory manual. For CGE, the devices it targets were not available in the developed laboratory, making its inclusion pointless. For Karmetasploit, the wireless card of the attacker machine was not capable of creating an access point, which is the vital function needed to perform Karmetasploit. In addition, the researchers created an attack tree which was followed in conducting the penetration testing. Of the tools under gaining access, nine (9) successfully attacked their targets. The three (3) remaining tools failed: specifically, the two tools stated beforehand that were not used, and Metasploit. Although a very useful tool, Metasploit failed to attack because the vulnerable Samba application used by the target server was not supported on the server's architecture.

To determine the reliability and acceptability of the developed laboratory, thirty (30) Systems and Network Administration 2 students of Pangasinan State University – Urdaneta City Campus (PSU-UCC) were asked to be the respondents. They answered a three (3) part questionnaire. The first part was to determine the reliability of the laboratory in terms of four (4) dimensions. The first dimension was Usefulness, which scored an average weighted mean (AWM) of 4.50 with a descriptive equivalent of "Strongly Agree." This means that the respondents found that the developed laboratory would be useful in honing their penetration testing skills. The next dimension was Ease of Use, which garnered an AWM of 3.97 and a descriptive equivalent of "Agree." This means that the respondents operated the laboratory with ease. The third dimension was Ease of Learning, which scored an AWM of 4.00 with a descriptive equivalent of "Agree." This shows that the respondents could easily absorb the information in the created laboratory manual. The final dimension, Satisfaction, also scored an AWM of 3.97 with a descriptive equivalent of "Agree," showing that the respondents were satisfied with the developed laboratory. In the second part of the questionnaire, they were to report problems that arose during their evaluation. Only three (3) respondents responded, stating that the problem they encountered was delays and lags. For the last part, the respondents were asked whether the seventeen (17) tools presented were enough. Twenty-seven (27) of them answered "Yes," while the remaining respondents said "No" and gave some possible tools to be included: Xerosploit, Browser Exploitation Framework (BeEF), Hashcat, Mimikatz, Nessus, and Ettercap.

The researchers encountered several problems while conducting this study. One main problem was the Internet connection. Although it did not directly affect the outcome of this study, the Internet played a vital role in writing it. Other problems concerned the tools BurpSuite, Cisco-Global-Exploiter (CGE), and Karmetasploit. The tool BurpSuite was found to be available only for ARM 64-bit architectures; the first installed Kali Linux was only 32-bit, thus forcing the researchers to install the 64-bit version. For CGE, as stated earlier, the target devices that could be used with CGE were not included in the developed laboratory. For Karmetasploit, again, the wireless card of the attacker machine does not support creating an access point.


RECOMMENDATIONS

Based on the summary and conclusions presented above, the researchers recommend the following:

1. Since the developed penetration testing laboratory has no firewall and no Intrusion Detection System or Intrusion Prevention System (IDS/IPS), future researchers are highly encouraged to set up a firewall and an IDS/IPS so that the laboratory is as close as possible to real-life scenarios, and to configure more security features on the devices.

2. The tools Recon-ng, theHarvester, and Social Engineering Toolkit (SEtoolkit) rely significantly on an Internet connection. For future researchers to provide more demonstrations, especially of SEtoolkit, an Internet connection must be provided within the laboratory. However, it is also advisable not to connect some targets to the Internet, since this may be an avenue for black hat hackers to compromise the laboratory and the network provided.

3. Metasploit is a powerful penetration testing tool. However, due to financial constraints, the researchers were not able to set up a target machine running a Windows operating system. Metasploit has numerous modules for Windows machines; thus, future researchers could explore more when a Windows target machine is included in a prospective study.

4. Karmetasploit, as stated earlier, failed due to the hardware limitation of the attacker machine. It is encouraged to include an external Wi-Fi adapter for the attacker machine, specifically the TP-Link TL-WN722N model, since it is available in local online stores in the Philippines.

5. Aside from the SSH service, brute force can also be applied to other services. Also, for Web Application Testing, the researchers only performed SQL injection. DVWA is a website that hosts different modules for web application testing; examples are Brute Force, Command Injection, Cross-Site Scripting (XSS), and many more. With this, future researchers are encouraged to add more lessons to the laboratory manual.

6. To know the capability of Cisco-Global-Exploiter (CGE), future researchers need to replace the routers and switches with models that are exploitable by CGE. If this is not possible, CGE could be replaced with other penetration testing tools such as Cisco-Auditing-Tool, Cisco-Ocs, and Cisco-Torch. However, these tools might be obsolete; thus, future researchers could remove CGE altogether and focus on Yersinia.

7. It is highly urged that future researchers add more penetration testing tools or replace the existing ones, or, if they use the same tools as this study, that they dive deeper into these tools. Moreover, future researchers could add penetration testing tools such as Xerosploit, Browser Exploitation Framework (BeEF), Hashcat, Mimikatz, Nessus, and Ettercap.

8. A minor problem not stated earlier is that the attacker machine sometimes hangs or lags, so a hard reboot was needed. So that future researchers do not experience this, instead of the Raspberry Pi 4 Model B they could utilize a laptop as the attacker machine, installed with Kali Linux or another operating system dedicated to penetration testing, such as Parrot OS.

9. To simulate actual penetration testing, future researchers could split into two groups, one acting as the Red Team and the other as the Blue Team. The Blue Team would configure the topology, which could vary depending on the difficulty, so that the attacking Red Team has little or no idea about the Blue Team's target.

APPENDICES

APPENDIX A
(ACTUAL LABORATORY SETUP)

(Photographs of the laboratory setup; only the device labels survive in the text.)
Devices shown: Access Point TP-Link TL-WR840N; RPi 3B+ (Target Desktop); RPi 3B+ (Target Web Server); RPi 4B (Attacker); Cisco 2811 Router (RedTeam); Cisco 2811 Router (BlueTeam); Cisco 3750 Switch.

(Appendices B to J reproduce the manufacturers' specification sheets as images; only the appendix titles survive in the text.)

APPENDIX B
(CISCO 2811 ROUTER FULL TECHNICAL SPECIFICATIONS)

APPENDIX C
(DTE/DCE SERIAL CABLE TECHNICAL SPECIFICATIONS)

Specification of DTE/DCE Serial Cable

APPENDIX D
(STRAIGHT-THROUGH CABLE PIN OUT)

APPENDIX E
(CISCO 3750 CATALYST FULL TECHNICAL SPECIFICATIONS)

APPENDIX F
(RASPBERRY PI 4 MODEL B FULL TECHNICAL SPECIFICATIONS)

APPENDIX G
(FULL SPECIFICATION OF STRONTIUM NITRO SRN32TFR1QR 32GB MICROSD CARD CLASS 10)

APPENDIX H
(TP-LINK TL-WR840N FULL TECHNICAL SPECIFICATIONS)

APPENDIX I
(RASPBERRY PI 3 MODEL B+ FULL TECHNICAL SPECIFICATIONS)

APPENDIX J
(FULL SPECIFICATIONS OF STRONTIUM NITRO SRN32TFU1QR 16GB MICRO SD CARD)

APPENDIX K
(PORTS AND NETWORK CONFIGURATIONS)

Red Team router:
Router>enable                                              #Enter privileged EXEC mode
Router#configure terminal                                  #Enter global configuration mode
Router(config)#hostname RedTeam                            #Change the hostname
RedTeam(config)#interface fastethernet 0/1                 #Enter interface configuration mode for the LAN port
RedTeam(config-if)#ip address 192.168.4.1 255.255.255.0    #Assign IP address and subnet mask
RedTeam(config-if)#no shutdown                             #Bring the interface up
RedTeam(config-if)#exit                                    #Return to global configuration mode
RedTeam(config)#interface serial 0/3/0                     #Enter interface configuration mode for the serial link to the Blue Team router
RedTeam(config-if)#ip address 10.0.0.2 255.0.0.0           #Assign IP address and subnet mask
RedTeam(config-if)#no shutdown                             #Bring the interface up
RedTeam(config-if)#end                                     #Return to privileged EXEC mode

Blue Team router:
Router>enable                                              #Enter privileged EXEC mode
Router#configure terminal                                  #Enter global configuration mode
Router(config)#hostname BlueTeam                           #Change the hostname
BlueTeam(config)#interface fastethernet 0/1                #Enter interface configuration mode for the LAN port
BlueTeam(config-if)#ip address 192.168.3.1 255.255.255.0   #Assign IP address and subnet mask
BlueTeam(config-if)#no shutdown                            #Bring the interface up
BlueTeam(config-if)#exit                                   #Return to global configuration mode
BlueTeam(config)#interface serial 0/3/0                    #Enter interface configuration mode for the serial link to the Red Team router
BlueTeam(config-if)#ip address 10.0.0.1 255.0.0.0          #Assign IP address and subnet mask
BlueTeam(config-if)#no shutdown                            #Bring the interface up
BlueTeam(config-if)#end                                    #Return to privileged EXEC mode

The two routers are joined back-to-back with the DTE/DCE serial cable of Appendix C. The router holding the DCE end of the cable must additionally have a clock rate configured on its serial interface (the clock rate command), otherwise the link stays down; which router holds the DCE end is not stated here.

APPENDIX L
(SSH AND TELNET CONFIGURATIONS)

SSH, Red Team router:
RedTeam>enable                                             #Enter privileged EXEC mode
RedTeam#configure terminal                                 #Enter global configuration mode
RedTeam(config)#hostname RedTeam                           #Hostname (already set in Appendix K); it forms part of the RSA key name
RedTeam(config)#username RedTeam password admin-cisco      #Create the local username and password used for login
RedTeam(config)#ip domain-name RedTeam.com                 #Domain name; required before an RSA key pair can be generated
RedTeam(config)#crypto key generate rsa                    #Generate the RSA key pair used by the SSH server
How many bits in the modulus [512]: 768                    #Modulus size entered at the prompt; 768 is the minimum that SSH version 2 accepts and is well below current practice (2048)
RedTeam(config)#ip ssh version 2                           #Accept SSH version 2 only
RedTeam(config)#line vty 0 4                               #Configure VTY lines 0 to 4 (five concurrent remote sessions)
RedTeam(config-line)#login local                           #Authenticate against the local username database
RedTeam(config-line)#transport input ssh                   #Allow only SSH for inbound connections
RedTeam(config-line)#exit                                  #Return to global configuration mode
RedTeam(config)#enable password admin-cisco                #Password for entering privileged EXEC mode (a global command; IOS also accepts it from line mode)
RedTeam(config)#end                                        #Return to privileged EXEC mode

SSH and Telnet, Blue Team router:
BlueTeam>enable                                            #Enter privileged EXEC mode
BlueTeam#configure terminal                                #Enter global configuration mode
BlueTeam(config)#hostname BlueTeam                         #Hostname (already set in Appendix K)
BlueTeam(config)#username BlueTeam password cisco-admin    #Create the local username and password used for login
BlueTeam(config)#ip domain-name BlueTeam.com               #Domain name; required before an RSA key pair can be generated
BlueTeam(config)#crypto key generate rsa                   #Generate the RSA key pair used by the SSH server
How many bits in the modulus [512]: 768                    #Modulus size entered at the prompt
BlueTeam(config)#ip ssh version 2                          #Accept SSH version 2 only
BlueTeam(config)#line vty 0 4                              #Configure VTY lines 0 to 4 (five concurrent remote sessions)
BlueTeam(config-line)#transport input ssh                  #Allow only SSH for inbound connections on these lines
BlueTeam(config-line)#login local                          #Authenticate against the local username database
BlueTeam(config-line)#exit                                 #Return to global configuration mode
BlueTeam(config)#line vty 5 10                             #Configure the additional VTY lines 5 to 10
BlueTeam(config-line)#transport input telnet               #Allow only Telnet for inbound connections on these lines
BlueTeam(config-line)#login local                          #Authenticate against the local username database (without a login method IOS refuses the Telnet session with "Password required, but none set")
BlueTeam(config-line)#end                                  #Return to privileged EXEC mode

Telnet sends the username and password in cleartext, so logins to VTY lines 5 to 10 can be read off the wire with Wireshark or tcpdump; SSH on lines 0 to 4 encrypts the session.
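The Blue Team configuration above leaves several settings that a practitioner should recognise as weak: the local user and the enable password are stored with `password` (type 0, or the trivially reversible type 7 once `service password-encryption` is on) rather than `secret`, VTY lines 5 to 10 accept Telnet, which carries credentials in cleartext, and the RSA modulus is only 768 bits. The following Python script is an added example and is not part of the thesis or its laboratory manual. It audits a `show running-config` extract for exactly those management-plane weaknesses. `SAMPLE_CONFIG` is a constructed extract written to match the Blue Team router above, and the finding codes are this example's own naming; the RSA modulus is not checked because the key size does not appear in the running configuration.

```python
"""Audit an IOS running-config for weak remote-access settings (added example).

SAMPLE_CONFIG is a constructed `show running-config` extract mirroring the
Blue Team router in Appendix L: reversible passwords, SSH on vty 0-4 and
Telnet on vty 5-10.  Finding codes are this example's own naming.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
hostname BlueTeam
!
enable password cisco-admin
!
username BlueTeam password 0 cisco-admin
!
ip domain-name BlueTeam.com
ip ssh version 2
!
line vty 0 4
 login local
 transport input ssh
line vty 5 10
 login local
 transport input telnet
!
end
"""


@dataclass(frozen=True)
class Finding:
    code: str       # short identifier for the weakness
    line_no: int    # 1-based line in the config (0 = applies to the whole config)
    detail: str     # human-readable explanation


def audit_ios_config(config: str) -> list[Finding]:
    """Flag reversible passwords and cleartext management protocols."""
    findings: list[Finding] = []
    current_line: str | None = None   # e.g. "vty 5 10" while inside a `line` block
    saw_ssh_v2 = False
    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        if not line.startswith(" "):  # IOS indents sub-commands; a top-level command ends the block
            current_line = None
        stripped = line.strip()
        if m := re.match(r"line (vty \d+ \d+|con \d+|aux \d+)$", stripped):
            current_line = m.group(1)
        elif stripped.startswith("enable password"):
            findings.append(Finding("ENABLE_PASSWORD", no,
                "enable password is type 0/7 (reversible); use 'enable secret'"))
        elif re.match(r"username \S+ (privilege \d+ )?password ", stripped):
            findings.append(Finding("USERNAME_PASSWORD", no,
                "username ... password is reversible; use 'username ... secret'"))
        elif stripped == "ip ssh version 2":
            saw_ssh_v2 = True
        elif current_line and stripped.startswith("transport input"):
            protocols = set(stripped.split()[2:])
            if protocols & {"telnet", "all"}:
                findings.append(Finding("TELNET_ENABLED", no,
                    f"line {current_line} accepts Telnet; credentials cross the wire in cleartext"))
        elif current_line and stripped == "no login":
            findings.append(Finding("NO_LOGIN", no,
                f"line {current_line} requires no authentication at all"))
    if not saw_ssh_v2:
        findings.append(Finding("SSH_V1_ALLOWED", 0,
            "ip ssh version 2 is not set, so SSH version 1 may be negotiated"))
    return findings


def finding_codes(config: str) -> list[str]:
    """Just the codes, in config order (convenient for tests and CI gates)."""
    return [f.code for f in audit_ios_config(config)]


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3}: {f.code:<18} {f.detail}")
```

Run against the sample it reports the enable password, the local username password and the Telnet transport on `line vty 5 10`; replacing `password` with `secret` on both commands and `transport input telnet` with `transport input ssh` clears every finding, which is the minimal hardening of the Appendix L configuration once the laboratory no longer needs a cleartext protocol to sniff.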

APPENDIX M
(ROUTING CONFIGURATIONS OF THE ROUTERS: EIGRP AND BGP)

ENHANCED INTERIOR GATEWAY ROUTING PROTOCOL (EIGRP) CONFIGURATIONS:

Red Team
RedTeam>enable                                             #Enter privileged EXEC mode
RedTeam#configure terminal                                 #Enter global configuration mode
RedTeam(config)#router eigrp 10                            #Enable EIGRP with autonomous system number 10
RedTeam(config-router)#network 192.168.4.0 0.0.0.255       #Include the interfaces in these ranges in EIGRP (the network command takes a wildcard mask)
RedTeam(config-router)#network 10.0.0.0 0.255.255.255
RedTeam(config-router)#end                                 #Return to privileged EXEC mode

Blue Team
BlueTeam>enable                                            #Enter privileged EXEC mode
BlueTeam#configure terminal                                #Enter global configuration mode
BlueTeam(config)#router eigrp 10                           #Same autonomous system number on both routers, otherwise no adjacency forms
BlueTeam(config-router)#network 192.168.2.0 0.0.0.255      #Note: the Blue Team LAN is 192.168.3.0/24 (Appendix K); a network statement that matches no interface adds nothing to EIGRP
BlueTeam(config-router)#network 10.0.0.0 0.255.255.255
BlueTeam(config-router)#end                                #Return to privileged EXEC mode

BORDER GATEWAY PROTOCOL (BGP) CONFIGURATIONS:

Red Team
RedTeam>enable                                             #Enter privileged EXEC mode
RedTeam#configure terminal                                 #Enter global configuration mode
RedTeam(config)#router bgp 65001                           #Enable BGP with private autonomous system number 65001
RedTeam(config-router)#network 192.168.4.0                 #Advertise the connected classful networks (a matching route must exist in the routing table)
RedTeam(config-router)#network 10.0.0.0
RedTeam(config-router)#neighbor 192.168.2.1 remote-as 65002   #eBGP neighbor in AS 65002; this address is not directly connected, so the session will not establish without ebgp-multihop
RedTeam(config-router)#neighbor 10.0.0.1 remote-as 65002      #eBGP neighbor over the directly connected serial link; this is the session that comes up
RedTeam(config-router)#end                                 #Return to privileged EXEC mode

Blue Team
BlueTeam>enable                                            #Enter privileged EXEC mode
BlueTeam#configure terminal                                #Enter global configuration mode
BlueTeam(config)#router bgp 65002                          #Enable BGP with private autonomous system number 65002
BlueTeam(config-router)#network 192.168.2.0                #Advertise the connected classful networks (see the EIGRP note above on 192.168.2.0 versus 192.168.3.0)
BlueTeam(config-router)#network 10.0.0.0
BlueTeam(config-router)#neighbor 192.168.4.1 remote-as 65001   #eBGP neighbor in AS 65001; not directly connected, so it needs ebgp-multihop to establish
BlueTeam(config-router)#neighbor 10.0.0.2 remote-as 65001      #eBGP neighbor over the directly connected serial link
BlueTeam(config-router)#end                                #Return to privileged EXEC mode

APPENDIX N
(DHCP CONFIGURATION ON BLUE TEAM ROUTER)

DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP) CONFIGURATION:

BlueTeam>enable                                            #Enter privileged EXEC mode
BlueTeam#configure terminal                                #Enter global configuration mode
BlueTeam(config)#ip dhcp pool BlueTeamDHCP                 #Create a DHCP pool
BlueTeam(dhcp-config)#network 192.168.3.0 255.255.255.0    #Network and subnet mask from which clients obtain addresses
BlueTeam(dhcp-config)#default-router 192.168.3.1           #Default gateway handed out to clients
BlueTeam(dhcp-config)#exit                                 #Return to global configuration mode
BlueTeam(config)#ip dhcp excluded-address 192.168.3.1      #Reserve the router's own address so it is never leased
BlueTeam(config)#end                                       #Return to privileged EXEC mode

APPENDIX O
(VLAN MANAGEMENT CONFIGURATION ON SWITCH)

VIRTUAL LOCAL AREA NETWORK (VLAN) CONFIGURATIONS:

Switch>enable                                              #Enter privileged EXEC mode
Switch#configure terminal                                  #Enter global configuration mode
Switch(config)#vlan 10                                     #Create VLANs 10, 20, 30 and 40
Switch(config-vlan)#vlan 20
Switch(config-vlan)#vlan 30
Switch(config-vlan)#vlan 40
Switch(config-vlan)#exit                                   #Return to global configuration mode
Switch(config)#interface fastethernet0/1                   #Ports fa0/1 and fa0/3 go to VLAN 10, fa0/2 and fa0/4 to VLAN 30
Switch(config-if)#switchport mode access                   #Make the port a static access port (no trunk negotiation)
Switch(config-if)#switchport access vlan 10                #Assign the port to VLAN 10
Switch(config-if)#exit                                     #Return to global configuration mode
Switch(config)#interface fastethernet0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30                #Assign the port to VLAN 30
Switch(config-if)#exit
Switch(config)#interface fastethernet0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fastethernet0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30
Switch(config-if)#end                                      #Return to privileged EXEC mode

APPENDIX P
(ACCESS POINT CONFIGURATION)

APPENDIX Q
(SAMPLE LABORATORY EXERCISES FROM THE LABORATORY MANUAL)

See the attached SD card for the full copy of the laboratory manual.

APPENDIX R
(QUESTIONNAIRE)

DEVELOPING A PENETRATION TESTING LABORATORY AS A BASIS FOR NETWORK SECURITY

Name (Optional): _________________________________

I. Reliability and Acceptability of the Penetration Testing Laboratory. We wish to know how reliable and acceptable this penetration testing laboratory is for you, as well as how satisfied you are with the overall performance of the penetration testing (pentesting) laboratory. Rate the following areas in terms of usefulness, ease of use, ease of learning, and satisfaction.

Direction: Check (✓) the column of your answer following the scale below:
1 – Strongly Disagree
2 – Disagree
3 – Neutral
4 – Agree
5 – Strongly Agree

(Each item below is rated in five columns: Strongly Disagree, Disagree, Neutral, Agree, Strongly Agree.)

a. USEFULNESS. We wish to know if the penetration testing laboratory is useful to you in honing your skills in the different penetration testing tools as well as in the general knowledge of the Systems and Network Administration subject.
1. It gives me more control over the different penetration testing tools.
2. I got to familiarize myself more with the different penetration testing tools.
3. The information (in the laboratory manual) provided is knowledgeable.
4. Suitability of the penetration testing laboratory to the course major Systems and Network Administration.
5. The penetration testing laboratory is reliable.

b. EASE OF USE. How easy and quick is it for you to use the penetration testing laboratory?
1. It is user-friendly.
2. I feel more comfortable using this laboratory than VMware.
3. The information (in the laboratory manual) provided is clear.
4. The penetration testing laboratory was easier to use than VMware.
5. The penetration testing laboratory's performance, in general, is consistent. There are no major technical issues.

c. EASE OF LEARNING. How easily is the information acquired, instilled, and retained in your mind?
1. I learned to operate the penetration testing laboratory quickly and I easily remember how to use it.
2. I got to learn the different penetration testing tools quickly.
3. I found the instructions in the laboratory manual very helpful and easy to understand.
4. Actual equipment (e.g., routers, access points, switches) helps the sense of reality.
5. It is easy to digest and understand the penetration testing laboratory in general.

d. SATISFACTION. We wish to know your level of satisfaction with the penetration testing laboratory. This information will help us (the researchers and future researchers) improve it and provide a better quality of learning through the use of penetration testing laboratories. Did the penetration testing laboratory meet your expectations as a user and as a student?
1. I have been motivated by the penetration testing laboratory to learn more about different penetration testing tools.
2. I am satisfied with the penetration testing laboratory.
3. Information in the lab manual was sufficient.
4. I have enjoyed using the penetration testing laboratory.
5. I felt very confident testing the different tools while using the penetration testing laboratory.

II. Did you experience any technical difficulties and errors during the simulation of the different penetration testing tools and the laboratory equipment itself?
Direction: If yes, put a check (✓) in the box provided. (You may choose as many as apply.)
[ ] Delays, lagging
[ ] Software malfunction
[ ] Operating System not functioning well
[ ] Others, comment below:
________________________________________________________________

III. Are the tools provided enough to supplement the Ethical Hacking topic? (Optional)
___ Yes ___ No
If not, please recommend penetration testing tools you wish were included in the laboratory.
________________________________________________________________

APPENDIX S

(COMPUTATION FOR THE AVERAGE WEIGHTED MEAN UNDER

USEFULNESS, EASE OF USE, EASE OF LEARNING, AND SATISFACTION)

Data Gathered:

Numerical Rating: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree. Each item lists the number of respondents who chose each rating, as [1: n, 2: n, 3: n, 4: n, 5: n].

A. Usefulness
1. It gives me more control over the different penetration testing tools. [1: 0, 2: 0, 3: 6, 4: 11, 5: 13]
2. I got to familiarize myself more with the different penetration testing tools. [1: 0, 2: 0, 3: 4, 4: 10, 5: 16]
3. The information (in the laboratory manual) provided is knowledgeable. [1: 0, 2: 0, 3: 3, 4: 16, 5: 11]
4. Suitability of the penetration testing laboratory to the course major Systems and Network Administration. [1: 0, 2: 0, 3: 0, 4: 1, 5: 29]
5. The penetration testing laboratory is reliable. [1: 0, 2: 0, 3: 3, 4: 5, 5: 22]


Numerical Rating: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree. Counts per rating are listed as [1: n, 2: n, 3: n, 4: n, 5: n].

b. Ease of Use
1. It is user-friendly. [1: 0, 2: 0, 3: 9, 4: 12, 5: 9]
2. I feel more comfortable using this laboratory than VMWare. [1: 0, 2: 1, 3: 12, 4: 12, 5: 5]
3. The information (in the laboratory manual) provided is clear. [1: 0, 2: 2, 3: 4, 4: 15, 5: 10]
4. The penetration testing laboratory was easier to use than VMware. [1: 0, 2: 2, 3: 11, 4: 10, 5: 7]
5. The penetration testing laboratory’s performance, in general, is consistent. There are no major technical issues. [1: 0, 2: 0, 3: 6, 4: 11, 5: 13]

Numerical Rating: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree. Counts per rating are listed as [1: n, 2: n, 3: n, 4: n, 5: n].

c. Ease of Learning
1. I learned to operate the penetration testing laboratory quickly and I easily remember how to use it. [1: 0, 2: 4, 3: 9, 4: 13, 5: 4]
2. I got to learn the different penetration testing tools quickly. [1: 0, 2: 5, 3: 11, 4: 12, 5: 2]
3. I found the instructions on the laboratory manual very helpful and easy to understand. [1: 0, 2: 0, 3: 5, 4: 10, 5: 15]
4. Actual equipment (e.g., routers, access points, switches) helps the sense of reality. [1: 0, 2: 0, 3: 2, 4: 4, 5: 24]
5. It's easy to digest in the mind and understand the penetration testing laboratory in general. [1: 0, 2: 0, 3: 9, 4: 12, 5: 9]

Numerical Rating: 1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree. Counts per rating are listed as [1: n, 2: n, 3: n, 4: n, 5: n].

d. Satisfaction
1. I have been motivated by the penetration testing laboratory to learn more about different penetration testing tools. [1: 0, 2: 2, 3: 0, 4: 13, 5: 15]
2. I am satisfied with the penetration testing laboratory. [1: 0, 2: 0, 3: 9, 4: 17, 5: 4]
3. Information in the lab manual was sufficient. [1: 0, 2: 3, 3: 12, 4: 11, 5: 4]
4. I have enjoyed using the penetration testing laboratory. [1: 0, 2: 0, 3: 2, 4: 17, 5: 11]
5. I felt very confident testing the different tools while using the penetration testing laboratory. [1: 0, 2: 2, 3: 6, 4: 20, 5: 2]


Formula used:

$\bar{X} = \dfrac{\sum X}{N}$

Wherein: $\sum X$ = sum of the quantitative variables (the ratings given by all respondents; the tables below accumulate this as count × rating for each rating value)

N = total sample size

Computed Weighted Means:

Each cell is count × rating for ratings 1 to 5 (1 = Strongly Disagree, 2 = Disagree, 3 = Neutral, 4 = Agree, 5 = Strongly Agree), listed as [1: s, 2: s, 3: s, 4: s, 5: s] and followed by the item's weighted mean.

A. Usefulness
1. It gives me more control over the different penetration testing tools. [1: 0, 2: 0, 3: 18, 4: 44, 5: 65] Weighted Mean: 4.233333333
2. I got to familiarize myself more with the different penetration testing tools. [1: 0, 2: 0, 3: 12, 4: 40, 5: 80] Weighted Mean: 4.40
3. The information (in the laboratory manual) provided is knowledgeable. [1: 0, 2: 0, 3: 9, 4: 64, 5: 55] Weighted Mean: 4.266666667
4. Suitability of the penetration testing laboratory to the course major Systems and Network Administration. [1: 0, 2: 0, 3: 0, 4: 4, 5: 145] Weighted Mean: 4.97
5. The penetration testing laboratory is reliable. [1: 0, 2: 0, 3: 9, 4: 20, 5: 110] Weighted Mean: 4.633333333
Overall Average Weighted Mean: 4.50

Weighted scores (count × rating) for ratings 1 to 5, listed as [1: s, 2: s, 3: s, 4: s, 5: s], followed by the item's weighted mean.

b. Ease of Use
1. It is user-friendly. [1: 0, 2: 0, 3: 27, 4: 48, 5: 45] Weighted Mean: 4.00
2. I feel more comfortable using this laboratory than VMWare. [1: 0, 2: 2, 3: 36, 4: 48, 5: 25] Weighted Mean: 3.70
3. The information (in the laboratory manual) provided is clear. [1: 0, 2: 4, 3: 12, 4: 60, 5: 50] Weighted Mean: 4.20
4. The penetration testing laboratory was easier to use than VMware. [1: 0, 2: 4, 3: 33, 4: 40, 5: 35] Weighted Mean: 3.73
5. The penetration testing laboratory’s performance, in general, is consistent. There are no major technical issues. [1: 0, 2: 0, 3: 18, 4: 44, 5: 65] Weighted Mean: 4.23
Overall Average Weighted Mean: 3.97

Weighted scores (count × rating) for ratings 1 to 5, listed as [1: s, 2: s, 3: s, 4: s, 5: s], followed by the item's weighted mean.

c. Ease of Learning
1. I learned to operate the penetration testing laboratory quickly and I easily remember how to use it. [1: 0, 2: 8, 3: 27, 4: 52, 5: 20] Weighted Mean: 3.57
2. I got to learn the different penetration testing tools quickly. [1: 0, 2: 10, 3: 33, 4: 48, 5: 10] Weighted Mean: 3.37
3. I found the instructions on the laboratory manual very helpful and easy to understand. [1: 0, 2: 0, 3: 15, 4: 40, 5: 75] Weighted Mean: 4.33
4. Actual equipment (e.g., routers, access points, switches) helps the sense of reality. [1: 0, 2: 0, 3: 6, 4: 16, 5: 120] Weighted Mean: 4.73
5. It's easy to digest in the mind and understand the penetration testing laboratory in general. [1: 0, 2: 0, 3: 27, 4: 48, 5: 45] Weighted Mean: 4.00
Overall Average Weighted Mean: 4.00

Weighted scores (count × rating) for ratings 1 to 5, listed as [1: s, 2: s, 3: s, 4: s, 5: s], followed by the item's weighted mean.

d. Satisfaction
1. I have been motivated by the penetration testing laboratory to learn more about different penetration testing tools. [1: 0, 2: 4, 3: 0, 4: 52, 5: 75] Weighted Mean: 4.37
2. I am satisfied with the penetration testing laboratory. [1: 0, 2: 0, 3: 27, 4: 68, 5: 20] Weighted Mean: 3.83
3. Information in the lab manual was sufficient. [1: 0, 2: 6, 3: 36, 4: 44, 5: 20] Weighted Mean: 3.53
4. I have enjoyed using the penetration testing laboratory. [1: 0, 2: 0, 3: 6, 4: 68, 5: 55] Weighted Mean: 4.30
5. I felt very confident testing the different tools while using the penetration testing laboratory. [1: 0, 2: 4, 3: 18, 4: 80, 5: 10] Weighted Mean: 3.73
Overall Average Weighted Mean: 3.95
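To reproduce the weighted means in Appendix S from the tallied responses, and to check each tally against the sample size, here is an added Python script; it is not part of the thesis. The per-rating counts are transcribed from the Data Gathered tables, the item labels are abbreviated, and N = 30 is inferred from the tallies (the appendix does not state N explicitly). The script computes count × rating for each rating value (the cells of the Computed Weighted Means tables), the per-item weighted mean, and the overall average per category, and lists any item whose counts do not add up to N.

```python
# Added example (not from the thesis): recompute the Appendix S weighted means
# from the per-rating counts and check each item's tally against N.
# Counts are transcribed from the "Data Gathered" tables; labels are abbreviated.

RATINGS = (1, 2, 3, 4, 5)  # 1 = Strongly Disagree ... 5 = Strongly Agree
N = 30                     # total sample size, inferred from the tallies (assumption)

# counts per rating (1..5) for each item, category by category
DATA = {
    "Usefulness": [
        ("More control over the tools", (0, 0, 6, 11, 13)),
        ("Familiarised with the tools", (0, 0, 4, 10, 16)),
        ("Manual information is knowledgeable", (0, 0, 3, 16, 11)),
        ("Suitable to the course major", (0, 0, 0, 1, 29)),
        ("Laboratory is reliable", (0, 0, 3, 5, 22)),
    ],
    "Ease of Use": [
        ("User-friendly", (0, 0, 9, 12, 9)),
        ("More comfortable than VMware", (0, 1, 12, 12, 5)),
        ("Manual information is clear", (0, 2, 4, 15, 10)),
        ("Easier to use than VMware", (0, 2, 11, 10, 7)),
        ("Performance is consistent", (0, 0, 6, 11, 13)),
    ],
    "Ease of Learning": [
        ("Learned to operate quickly", (0, 4, 9, 13, 4)),
        ("Learned the tools quickly", (0, 5, 11, 12, 2)),
        ("Manual instructions helpful", (0, 0, 5, 10, 15)),
        ("Actual equipment adds realism", (0, 0, 2, 4, 24)),
        ("Easy to digest", (0, 0, 9, 12, 9)),
    ],
    "Satisfaction": [
        ("Motivated to learn more tools", (0, 2, 0, 13, 15)),
        ("Satisfied with the laboratory", (0, 0, 9, 17, 4)),
        ("Manual information sufficient", (0, 3, 12, 11, 4)),
        ("Enjoyed using the laboratory", (0, 0, 2, 17, 11)),
        ("Confident testing the tools", (0, 2, 6, 20, 2)),
    ],
}


def weighted_scores(counts):
    """count x rating for each of the five ratings (cells of the Computed tables)."""
    return tuple(c * r for c, r in zip(counts, RATINGS))


def weighted_mean(counts, n=N):
    """sum(count x rating) / N, i.e. the appendix's sum(X)/N with N fixed at the sample size."""
    return sum(weighted_scores(counts)) / n


def category_means(category):
    """Per-item weighted means of one category, in item order."""
    return [weighted_mean(counts) for _, counts in DATA[category]]


def overall_mean(category):
    """Overall Average Weighted Mean: plain average of the category's item means."""
    means = category_means(category)
    return sum(means) / len(means)


def count_mismatches(n=N):
    """(category, item number, tally) for every item whose counts do not sum to N."""
    return [
        (category, index + 1, sum(counts))
        for category, items in DATA.items()
        for index, (_, counts) in enumerate(items)
        if sum(counts) != n
    ]


if __name__ == "__main__":
    for category, items in DATA.items():
        for label, counts in items:
            scores = weighted_scores(counts)
            print(f"{category:17s} {label:36s} {scores} {weighted_mean(counts):.2f}")
        print(f"{category:17s} overall average weighted mean {overall_mean(category):.2f}")
    print("items whose tally differs from N:", count_mismatches())
```

Running the script reproduces every per-item mean and the four overall averages (4.50, 3.97, 4.00, 3.95). It also reports Ease of Use item 3, whose counts (0, 2, 4, 15, 10) add up to 31 rather than 30; the table's weighted mean of 4.20 for that item is what you get by dividing by 30, so the divisor was held at the sample size regardless of the tally.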

APPENDIX T

(USE QUESTIONNAIRE DEVELOPED BY ARNOLD LUND)

A. Usefulness
1. It helps me be more effective.
2. It helps me be more productive.
3. It is useful.
4. It gives me more control over the activities in my life.
5. It makes the things I want to accomplish easier to get done.
6. It saves me time when I use it.
7. It meets my needs.
8. It does everything I would expect it to do.

B. Ease of Use
1. It is easy to use.
2. It is simple to use.
3. It is user-friendly.
4. It requires the fewest steps possible to accomplish what I want to do with it.
5. It is flexible.
6. Using it is effortless.
7. I can use it without written instructions.
8. I don't notice any inconsistencies as I use it.
9. Both occasional and regular users would like it.
10. I can recover from mistakes quickly and easily.
11. I can use it successfully every time.

C. Ease of Learning
1. I learned to use it quickly.
2. I easily remember how to use it.
3. It is easy to learn to use it.
4. I quickly became skillful with it.

D. Satisfaction
1. I am satisfied with it.
2. I would recommend it to a friend.
3. It is fun to use.
4. It works the way I want it to work.
5. It is wonderful.
6. I feel I need to have it.
7. It is pleasant to use.

OTHER PERTINENT DOCUMENTS

A. TITLE DEFENSE

B. MINUTES OF THE MEETING FOR TITLE DEFENSE

C. APPROVED PROJECT OUTLINE

D. CHECK-UP DEFENSE

E. MINUTES OF THE MEETING FOR CHECK-UP DEFENSE

F. FINAL DEFENSE

G. MINUTES OF THE MEETING FOR FINAL DEFENSE

H. COMPLIANCE REPORT

I. REQUISITION FORM FOR PLAGIARISM AND GRAMMAR SCANNING

J. CERTIFICATE OF PLAGIARISM AND GRAMMAR SCANNING
CURRICULUM VITAE

ELLYSA BALANZA
#135 Camangaan, Binalonan, Pangasinan
Contact No.: 09458006943
E-mail Address: [email protected]

EDUCATIONAL BACKGROUND

Tertiary Pangasinan State University - Urdaneta

Brgy. San Vicente, Urdaneta City, Pangasinan

Bachelor of Science in Computer Engineering

2018-2022

Secondary Pangasinan State University - Urdaneta (Senior High School)

Brgy. San Vicente, Urdaneta City, Pangasinan

Science, Technology, Engineering, and Mathematics

2016-2018

Juan G. Macaraeg National High School (Junior High School)

Binalonan, Pangasinan

Special Science Class

2012-2016


SEMINARS AND TRAINING

Systems and Network Administration and Embedded System Seminar and Workshop
Pangasinan State University - Urdaneta City Campus
June 29, 2022

The Role of Mechanical Engineering in Mechatronics and Robotics System
Zoom
May 27, 2022

Seminar on Job Hunting Strategies in the Adaptive Normal
Zoom
March 25, 2022

5th ICpEP Regional Convention and General Assembly 2021
Zoom
November 25-27, 2021

1st ICpEP International Convention and 9th ICpEP National Convention 2021
Muscat, Oman
August 27-29, 2021

Cybersecurity Training Sessions with CompTIA: Threats, Attacks, & Vulnerabilities
Zoom
October 7, 2021

3rd Regional Convention and General Assembly 2018
Pangasinan State University - Lingayen Campus
Lingayen, Pangasinan
October 26, 2018


AWARDS AND CERTIFICATIONS

1st Runner-Up, ICpEP Quizbowl Challenge
5th ICpEP Regional Convention and General Assembly 2021
Zoom
November 25-27, 2021

SKILLS
Leadership Skills
Adaptability and Communication Skills
In-depth knowledge of MS Office
Knowledgeable of Debian-based Linux operating systems
Knowledge of Cisco Networking

I hereby certify that the above information is true and correct to the best of my knowledge.

ELLYSA BALANZA

CURRICULUM VITAE

JAE ANNE V. EBORA
#10 Zone 1 Bued, Binalonan, Pangasinan
Contact No.: 09450724855
E-mail Address: [email protected]

EDUCATIONAL BACKGROUND

Tertiary Pangasinan State University - Urdaneta

Brgy. San Vicente, Urdaneta City, Pangasinan

Bachelor of Science in Computer Engineering

2018-2022

Secondary Pangasinan State University - Urdaneta (Senior High School)

Brgy. San Vicente, Urdaneta City, Pangasinan

Science, Technology, Engineering, and Mathematics

2016-2018

Juan G. Macaraeg National High School (Junior High School)

Binalonan, Pangasinan

2012-2016


SEMINARS AND TRAINING

Systems and Network Administration and Embedded System Seminar and Workshop
Pangasinan State University - Urdaneta City Campus
June 29, 2022

The Role of Mechanical Engineering in Mechatronics and Robotics System
Zoom
May 27, 2022

5th ICpEP Regional Convention and General Assembly 2021
Zoom
November 25-27, 2021

Cybersecurity Training Sessions with CompTIA: Threats, Attacks, & Vulnerabilities
Zoom
October 14, 2021

Introduction to Machine Learning
Zoom
October 9, 2021

Cybersecurity Training Sessions with CompTIA: Network Security
Zoom
October 7, 2021

3rd Regional Convention and General Assembly 2018
Pangasinan State University - Lingayen Campus
Lingayen, Pangasinan
October 26, 2018


AWARDS AND CERTIFICATIONS

1st Runner-Up, ICpEP Pitching Competition
5th ICpEP Regional Convention and General Assembly 2021
Zoom
November 25-27, 2021

SKILLS
Leadership Skills
Adaptability and Communication Skills
In-depth knowledge of MS Office
Knowledgeable of Debian-based Linux operating systems
Knowledge of Cisco Networking

I hereby certify that the above information is true and correct to the best of my knowledge.

JAE ANNE V. EBORA

CURRICULUM VITAE

CLARK JR. P. NONES
#57 Nibaliw Norte, Bautista, Pangasinan
Contact No.: 09634799248
E-mail Address: [email protected]

EDUCATIONAL BACKGROUND

Tertiary Pangasinan State University (Urdaneta Campus)

Brgy. San Vicente, Urdaneta City, Pangasinan

Bachelor of Science in Computer Engineering

2018-2022

Secondary Bautista National High School (Senior High School)

Poblacion East, Bautista, Pangasinan

Science, Technology, Engineering, and Mathematics

2016-2018

Bautista National High School (Junior High School)

Poblacion East, Bautista, Pangasinan

Special Science Class

2012-2016


SEMINARS AND TRAINING

Systems and Network Administration and Embedded System Seminar and Workshop
Pangasinan State University - Urdaneta City Campus
June 29, 2022

Embedded Security System
Zoom
May 31, 2022

Cybersecurity Fundamentals: Advanced Persistent Threats
Zoom
May 19, 2022

Web Application Penetration Testing Bootcamp
Zoom
May 19, 2022

Seminar on Job Hunting Strategies in the Adaptive Normal
Zoom
March 25, 2022

CompTIA Modern Pentesting Workshop
Zoom
March 18, 2022

Software Freedom Day 2021: Cyber security with open-source software
Zoom
October 2, 2021

5th ICpEP Regional Convention and General Assembly 2021
Zoom
November 25-27, 2021


SKILLS
Leadership Skills
Communication Skills
In-depth knowledge of MS Office
Knowledgeable of Debian-based Linux operating systems
Knowledge of programming languages C++ and Python
Knowledge of HTML, CSS, and JavaScript
Knowledge of Cisco Networking

I hereby certify that the above information is true and correct to the best of my knowledge.

CLARK JR. P. NONES

