TASK: -1

Network VAPT

Nidhi Kindo
Batch: 02CF

CYBERSAPIENS
 Network Vulnerability Assessment and Penetration
Testing
Network Vulnerability Assessment and Penetration Testing (VAPT) is a
process of evaluating the security of a network infrastructure by identifying
vulnerabilities and attempting to exploit them, similar to how a malicious
hacker would.

Network VAPT involves the following steps:

1) Preparation: Define scope, and goals, and obtain permissions.
2) Information Gathering: Collect data about the target network.
3) Vulnerability Scanning: Use automated tools to scan for vulnerabilities.
4) Manual Testing: Verify and explore vulnerabilities manually.
5) Exploitation: Attempt to exploit vulnerabilities to gain access.
6) Post-Exploitation: Assess the extent of compromise.
7) Documentation: Record findings and vulnerabilities.
8) Reporting: Prepare and present findings and recommendations.
9) Follow-up: Monitor and retest to ensure vulnerabilities are addressed.

CYBERSAPIENS
A) Research on different tools and methods for Network
Scanning.
Network scanning is a critical part of assessing the security of a network. Here
are some popular tools and methods used for network scanning:
Tools:
1) Nmap (Network Mapper): A versatile tool for network discovery and
security auditing. It can discover hosts and services on a network and
perform various types of scans, including ping scans, port scans, and
version detection scans.
2) Wireshark: A network protocol analyzer that captures and displays data
traveling back and forth on a network. It can be used to analyze network
traffic and detect anomalies or potential security issues.
3) OpenVAS (Open Vulnerability Assessment System): A full-featured
vulnerability scanner that can detect thousands of known security
vulnerabilities in network services, operating systems, and applications.
4) Nessus: A widely used vulnerability scanner that can identify
vulnerabilities, misconfigurations, and malware in network devices and
applications.
5) Netcat (nc): A networking utility that can read and write data across
network connections, making it useful for port scanning and banner
grabbing.
6) Zenmap: The graphical user interface (GUI) version of Nmap, which
provides an easy way to visualize and interact with Nmap's scanning
capabilities.
Methods:
1) Ping Sweep (ICMP Echo Request): Sends ICMP echo requests to a range
of IP addresses to determine which hosts are active on the network.
2) TCP SYN Scan (Half-open Scan): Sends SYN packets to target ports and
listens for SYN-ACK responses to determine if the port is open.
3) TCP Connect Scan: Attempts to establish a full TCP connection with the
target port to determine if it is open.
4) UDP Scan: Sends UDP packets to target ports and analyzes the
responses to determine if the port is open.
5) OS Detection: Analyzes the responses from the target to determine the
operating system running on the target host.

CYBERSAPIENS
 6) Service Version Detection: Analyzes the responses from target ports to
determine the version of the service running on the target.
7) Aggressive Scan: Combines various scanning techniques to achieve a
more comprehensive scan but may be more likely to be detected by
intrusion detection systems (IDS) or firewalls.
When performing network scanning, it's essential to have proper authorization
and to use the tools and methods responsibly to avoid causing disruption or
harm to the network.

B) Research on Script Scanning to identify vulnerabilities

(CVEs).
Script scanning, also known as scripted scanning, is a method used in
vulnerability assessment and penetration testing to automate the process of
identifying security vulnerabilities in networks, systems, and applications.
To identify vulnerabilities, including those listed in the Common Vulnerabilities
and Exposures (CVE) database, various script scanning methods and tools can
be utilized. Here are some commonly used methods and tools:
1) Vulnerability Scanning Tools:
o OpenVAS: OpenVAS is an open-source vulnerability scanner that can
scan networks and systems for known vulnerabilities, including those
listed in the CVE database.
o Nessus: Nessus is a widely used vulnerability scanner that can identify
vulnerabilities in networks, systems, and applications, including CVE-
listed vulnerabilities.
o QualysGuard: QualysGuard is a cloud-based vulnerability management
solution that includes a vulnerability scanner capable of identifying CVE-
listed vulnerabilities.
2) Script Scanning Methods:
o Custom Scripts: Security professionals often write custom scripts using
scripting languages like Python, Bash, or PowerShell to scan for specific
CVE-listed vulnerabilities.
o Nmap Scripting Engine (NSE): Nmap, a widely used network scanning
tool, comes with a scripting engine that allows users to create custom
scripts to identify vulnerabilities, including CVEs, in target systems.

CYBERSAPIENS
3) Vulnerability Databases:
o National Vulnerability Database (NVD): The NVD is a comprehensive
database maintained by NIST that contains information about known
vulnerabilities, including CVEs, along with their severity scores and other
details. Vulnerability scanners often reference the NVD to identify CVE-
listed vulnerabilities during scans.
o CVE Details: CVE Details is another online database that provides
detailed information about CVE-listed vulnerabilities, including their
descriptions, severity levels, and affected products.
4) Automated Exploit Tools:
o Metasploit: Metasploit is a widely used penetration testing framework
that includes a large collection of exploits for known vulnerabilities,
including CVEs. Security professionals can use Metasploit to scan for and
exploit CVE-listed vulnerabilities in target systems.
o Nessus: Nessus is a widely used vulnerability scanner that can scan for
known vulnerabilities in networks, systems, and applications. It offers a
wide range of scanning options and can generate detailed reports of its
findings.
o OpenVAS: OpenVAS (Open Vulnerability Assessment System) is an open-
source vulnerability scanner that can scan for known vulnerabilities in
networks and systems. It is free to use and offers several scanning
options and reporting features.

C) Research on tools and techniques for analyzing Network

Traffic.
Analyzing network traffic is essential for understanding how data flows
through a network, identifying potential security threats, and optimizing
network performance. Here are some tools and techniques commonly used for
analyzing network traffic:
1) Packet Sniffers:
o Wireshark: Wireshark is a popular open-source packet analyzer that
captures and displays the packets traveling across a network. It can
decode various protocols and provide detailed information about each
packet.

CYBERSAPIENS
 o Tcpdump: Tcpdump is a command-line packet analyzer available for
Unix-like operating systems. It captures packets and can display them in
real-time or save them to a file for later analysis.
2) Flow-based Analysis:
o NetFlow: NetFlow is a network protocol developed by Cisco that collects
and aggregates network traffic flow data. NetFlow analyzers can provide
insights into traffic patterns, top talkers, and bandwidth utilization.
o sFlow: sFlow is another network protocol for monitoring network traffic.
It provides real-time traffic sampling and can be used to analyze traffic
patterns and detect anomalies.
3) Protocol Analyzers:
o Microsoft Message Analyzer: This tool provides in-depth capture and
analysis of communications protocols, including real-time data analytics
and post-capture investigation.
o NetworkMiner: NetworkMiner is a network forensic analysis tool that
can parse PCAP files and extract files transferred over the network, as
well as other artifacts such as DNS queries and web pages.
4) Security Information and Event Management (SIEM) Systems:
o Splunk: Splunk is a SIEM platform that can ingest and analyze large
volumes of network traffic data. It can correlate network events with
other security data to identify security incidents and threats.
o ELK Stack (Elasticsearch, Logstash, Kibana): ELK Stack is an open-source
SIEM solution that can be used to collect, parse, and analyze network
traffic data. It provides real-time visibility into network activity and can
help detect and respond to security incidents.
5) Deep Packet Inspection (DPI):
o Snort: Snort is an open-source network intrusion detection system
(NIDS) that uses DPI to analyze network traffic for signs of malicious
activity. It can detect a wide range of threats, including malware,
exploits, and suspicious network behavior.
These tools and techniques provide network administrators and security
professionals with the ability to monitor and analyze network traffic
effectively, detect anomalies, and respond to security threats promptly.

CYBERSAPIENS
 PRACTICAL
Scan www.testfire.net for the services in the open ports and the potential
vulnerabilities using Nmap

Scan Details:
Command: Nmap TARGET NAME

Scan Date: [08-05-2024]

Scan Tool Used: [Nmap]
Scan Scope: Full scan of all ports and services on www.testfire.net

Findings:
1. Open Ports:
• Port 80 (HTTP)
• Port 443 (HTTPS)
• Port 8080 (HTTP-proxy)
An open port actively accepts TCP, UDP, or SCTP connections, Open ports are
what interest the most because they are the ones that are vulnerable to
attacks. Open ports also show the available services on a network.
HTTP and HTTPS (Ports 80, 443, 8080, and 8443): These hotly-targeted ports
are used for HTTP and HTTPS protocols and are vulnerable to attacks such as
cross-site scripting, SQL injections, cross-site request forgeries, and DDoS
attacks.
2. Vulnerabilities:
• One critical vulnerability was identified DH parameter with a size of less
than 1024 bits.
Command: nmap --script vuln TARGET NAME
CYBERSAPIENS
Script Output

Script Summary:
• Weak ephemeral Diffie-Hellman parameter detection for SSL/TLS
services.
• This script simulates SSL/TLS handshakes using cipher suites that have
ephemeral Diffie-Hellman as the key exchange algorithm.
• Diffie-Hellman MODP group parameters are extracted and analyzed for
vulnerability to Logjam (CVE 2015-4000) and other weaknesses.
Recommendations:
• Regularly monitor and update SSL/TLS certificates to maintain secure
communication.
• Ensure that SSL/TLS implementation is up to date with security patches.
Conclusion:
• The scan of www.testfire.net was performed.
• It was found that three ports were open: PORT 80 (HTTP), PORT 443
(HTTPS), PORT 8080 (HTTP-proxy)
• Port 443 (HTTPS) ssl-dh-params was vulnerable

Reference:
https://pixelstreet.in/blog/vapt-guide/
https://nmap.org/book/man-nse.html
https://nmap.org/nsedoc/scripts/ssl-dh-params.html
https://www.makeuseof.com/vulnerable-ports-check-when-pentesting/
https://infosecchamp.com/network-penetration-testing/

CYBERSAPIENS
 https://medium.com/@crawsecurity/understanding-vulnerability-
assessment-and-penetration-testing-vapt-a-comprehensive-guide-
ff93940fae32

CYBERSAPIENS