VAPT Lab Manual

The document outlines various programs for network security tasks, including monitoring network traffic with Wireshark, discovering hosts and services using Nmap, and performing vulnerability scanning with OpenVAS. Each program includes step-by-step instructions and prerequisites for setup, as well as explanations of key concepts and methodologies. Additionally, it provides viva questions to assess understanding of network monitoring and vulnerability assessment tools.


Program 1:

AIM: Monitoring Network Traffic

DESCRIPTION: Monitoring network traffic with Wireshark is an excellent way to gain hands-on experience in capturing and analyzing network packets. Below is a step-by-step guide to a basic network traffic monitoring lab experiment using Wireshark.

Objective: Capture and analyze network traffic to understand data flow and identify key network characteristics.

Prerequisites:

A computer with Wireshark installed. Wireshark is available for various operating systems.
Access to a network with active communication (e.g., internet access, a local network, or a virtual lab environment).
Authorization to capture on that network: a capture records everything on the wire, including other users' credentials and private data, so capture only on networks you own or are permitted to monitor.

Steps:

1. Install Wireshark: If you haven't already, download and install Wireshark on your computer. The installer for your operating system is available on the Wireshark website.
2. Start Wireshark: Launch Wireshark on your computer. Capturing packets needs administrative privileges on most operating systems (on Linux, adding your user to the wireshark group lets the dumpcap helper open interfaces without running the GUI as root).
3. Select the Network Interface: Wireshark lists the network interfaces it can capture on. Select the interface connected to the network you want to monitor; for example, if you are connected via Wi-Fi, select the Wi-Fi interface. On a switched network you will only see your own traffic and broadcasts unless the switch mirrors a port to you or you use a tap.
4. Start Capturing Packets: Click the "Start" button (the blue shark fin) to begin capturing packets on the selected interface.
5. Generate Network Traffic: To capture network traffic you need to generate network activity. Perform various activities such as browsing websites, sending emails, pinging other devices, or accessing network resources.
6. Stop Capturing Packets: After performing the network activities, stop the capture by clicking the "Stop" button.
7. Analyze Captured Packets: Once the capture is stopped, the packet list in Wireshark's main window shows one row per captured packet, with columns for the packet number, time, source and destination addresses, protocol, length and a one-line summary.
8. Apply Filters (Optional): To focus on packets of interest, use display filters, which show only packets matching criteria such as source or destination IP, protocol, or port (for example ip.addr == 10.0.0.5, tcp.port == 80 or dns). Display filters hide rows after the fact; capture filters (BPF syntax, set before starting) limit what is recorded in the first place.


9. Inspect Packet Contents: Select a packet in the list. The packet details pane shows each protocol layer (Ethernet, IP, TCP or UDP, and the application protocol) with its header fields, and the bytes pane shows the raw payload. For unencrypted protocols the payload is readable as-is; right-click a packet and choose Follow > TCP Stream to see a whole conversation reassembled.
10. Analyze Packet Timing and Flow: Use the Statistics menu (Protocol Hierarchy, Conversations, Endpoints, I/O Graphs) and Analyze > Expert Information to examine packet timing, traffic flows, retransmissions and other anomalies.
11. Save Capture File (Optional): To keep the captured packets for further analysis or documentation, save the capture with File > Save As in pcapng (Wireshark's default) or the older pcap format, which almost every other tool can read. Treat saved captures as sensitive data: they contain whatever was on the wire.
12. Review and Interpret Results: Review the captured packets, analyze the network behavior, and interpret the results to gain insight into traffic patterns and characteristics.
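The steps above are all done by hand in the GUI. As an added example (not part of the manual), the Python below builds a tiny libpcap file in memory from constructed packets, parses the pcap record headers and the Ethernet/IPv4/TCP/UDP headers that step 11 saves and step 9 inspects, and answers the same questions the Statistics menu does: protocol breakdown, top talkers, and a display-filter style match on protocol and port. All addresses and payloads are made up, and the parser handles only Ethernet-framed pcap (not pcapng).

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic (microsecond timestamps)
ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet + IPv4 + TCP/UDP frame. Checksums are left at zero (Wireshark flags
    that as an error, but it does not matter for parsing)."""
    if proto == PROTO_TCP:   # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:                    # UDP: sport, dport, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     _ip(src_ip), _ip(dst_ip))
    eth = _mac("aa:bb:cc:00:00:02") + _mac("aa:bb:cc:00:00:01") + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4


def build_pcap(frames):
    """libpcap global header (linktype 1 = Ethernet) followed by one record per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Decode a libpcap byte string into one dict per packet."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng needs a different parser)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6, "length": incl_len, "proto": "other"}
        if len(frame) >= 34 and struct.unpack("!H", frame[12:14])[0] == ETH_IPV4:
            ihl = (frame[14] & 0x0F) * 4
            proto = frame[23]
            rec["src"] = ".".join(map(str, frame[26:30]))
            rec["dst"] = ".".join(map(str, frame[30:34]))
            l4 = frame[14 + ihl:]
            if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
                rec["proto"] = "tcp" if proto == PROTO_TCP else "udp"
                rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
            elif proto == PROTO_ICMP:
                rec["proto"] = "icmp"
        packets.append(rec)
    return packets


def protocol_breakdown(packets):
    """Like Statistics > Protocol Hierarchy, at the transport level."""
    return dict(Counter(p["proto"] for p in packets))


def top_talkers(packets, n=3):
    """Bytes sent per source address, like Statistics > Endpoints sorted by Tx bytes."""
    sent = Counter()
    for p in packets:
        if "src" in p:
            sent[p["src"]] += p["length"]
    return sent.most_common(n)


def match(packets, proto=None, port=None):
    """The display filters 'tcp', 'udp', 'tcp.port == 80' and so on, applied in code."""
    return [p for p in packets
            if (proto is None or p["proto"] == proto)
            and (port is None or port in (p.get("sport"), p.get("dport")))]


# Constructed capture: an HTTP request/response, a DNS query and an inbound connection to SSH.
SAMPLE = build_pcap([
    build_frame("10.0.0.5", "203.0.113.10", PROTO_TCP, 51000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("203.0.113.10", "10.0.0.5", PROTO_TCP, 80, 51000, b"HTTP/1.1 200 OK\r\n" + b"x" * 400),
    build_frame("10.0.0.5", "10.0.0.1", PROTO_UDP, 40000, 53, b"\x00" * 30),
    build_frame("10.0.0.7", "10.0.0.5", PROTO_TCP, 4444, 22),
])

if __name__ == "__main__":
    pk = parse_pcap(SAMPLE)
    print(protocol_breakdown(pk))
    print(top_talkers(pk))
    print(len(match(pk, "tcp", 80)), "packets match tcp.port == 80")
```

To use it on a real capture, save from Wireshark in pcap (not pcapng) format and pass the file's bytes to parse_pcap; the record loop is the same one tcpdump and Wireshark walk.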

VIVA QUESTIONS

1. What is network traffic monitoring?
Answer: Network traffic monitoring is the process of capturing and analyzing the data packets flowing through a computer network. It gives insight into network health, performance and security, and helps detect and investigate potential security threats or anomalies.

2. What are the common methods of network traffic monitoring?
Answer: Common methods include packet sniffing (capturing full packets with a tool such as Wireshark or tcpdump), flow export (NetFlow/sFlow, which records who talked to whom and how much, without payloads), network taps and switch mirror (SPAN) ports as capture points, intrusion detection systems (IDS), and SIEM (Security Information and Event Management) solutions that aggregate and correlate the resulting data.

3. Why is monitoring network traffic essential for network security?
Answer: Monitoring network traffic helps identify and mitigate security threats, detect abnormal behavior, spot data exfiltration, and verify compliance with security policies.

4. What are some common metrics measured during network traffic monitoring?
Answer: Common metrics include bandwidth utilization, packet loss rate, latency, traffic volume by protocol, top talkers (the hosts sending or receiving the most traffic), and top applications.


Program 2:

AIM: Host & Services Discovery using Nmap

DESCRIPTION: Nmap (Network Mapper) is a powerful open-source tool for network exploration and security auditing. It can discover hosts (devices) on a network and the services running on them. Here is a guide to performing host and service discovery with Nmap:

1. Install Nmap: If you haven't already, download and install Nmap on your system. Nmap is available for various operating systems, including Windows, Linux and macOS.

2. Identify the Target IP Range: Determine the IP address, range or subnet you want to scan (for example, a whole local subnet written in CIDR notation). Scan only hosts you are authorized to test.

3. Basic Host Discovery: Open a terminal or command prompt and run a ping scan against the range:

   nmap -sn <IP range>

   The -sn option tells Nmap to perform host discovery only (no port scan) and list the live hosts in the specified range. On the local Ethernet segment Nmap discovers hosts with ARP requests, which cannot be filtered; for remote ranges it sends ICMP echo and timestamp requests plus TCP probes to ports 443 and 80, so hosts behind a firewall that drops those probes are reported as down.

4. Skipping Host Discovery: If hosts do not answer the discovery probes but you know they are up, use the -Pn option, which skips the host discovery phase and sends the port-scan probes directly to every address in the target list:

   nmap -Pn <IP range>

   Because every address is treated as up, this is slower and noisier than discovering hosts first.


5. Service Discovery: To discover the open ports and services on a live host, run:

   nmap -p- <targetIP>

   Replace <targetIP> with the IP address of a live host identified in the previous step. The -p- option tells Nmap to scan all 65,535 TCP ports; UDP services need a separate -sU scan, which is much slower.

6. Common Ports Discovery: To scan only common ports, leave out -p; by default Nmap scans the 1,000 most frequently used ports, which is far quicker:

   nmap <targetIP>

7. Service Version Detection: To determine which software and version is listening on each open port, use the -sV option:

   nmap -sV <targetIP>

   Version detection sends protocol-specific probes and matches the replies and banners against Nmap's signature database. The versions it reports are what the later programs use to look up vulnerabilities.

8. Save Output to a File: You can save the scan results for later analysis with the -oN option (normal output); -oG writes a grepable format and -oX an XML format that other tools can parse, and -oA writes all three:

   nmap -sV -oN <output file> <targetIP>

9. Timing and Performance Options: Nmap lets you control the timing and performance of a scan with the -T0 to -T5 templates. The default is -T3; -T4 is faster and reasonable on a modern LAN, -T5 may miss ports on congested or rate-limited links, and -T2 or lower is used when the scan must stay unobtrusive.


Program 3:

AIM: Vulnerability Scanning using OpenVAS

DESCRIPTION: OpenVAS (Open Vulnerability Assessment System) is a powerful open-source vulnerability scanner that helps identify security issues in networks, servers and applications. Today it is the scanning engine of the Greenbone Community Edition (GVM), and its web interface is the Greenbone Security Assistant (GSA); the steps below use the older OpenVAS name throughout. Here is a step-by-step guide to vulnerability scanning with OpenVAS:

1. Install OpenVAS: OpenVAS is packaged for several Linux distributions; installation instructions are on the Greenbone/OpenVAS website or in your distribution's package manager (on Kali Linux the gvm package provides a gvm-setup script that creates the admin user and downloads the vulnerability feeds). The first feed synchronization can take a long time, and the scanner is useless until it completes.

2. Configure OpenVAS: Once installed, configure it before scanning. The main configuration involves setting the administrative credentials and creating a user account.

3. Access the OpenVAS Web Interface: OpenVAS provides a web-based interface to manage and run scans. Open your browser and enter its URL (usually https://localhost:9392). The interface uses a self-signed certificate by default, so expect a browser warning.

4. Log in to OpenVAS: Use the administrator credentials or the user account you created during configuration to log in to the web interface.

5. Create a Target: Before starting a scan, define the target. A target can be an individual host, a range of IP addresses, or an entire network. Click "Configuration" and then "Targets" to create a new target. Only include systems you are authorized to scan; a full scan generates a lot of traffic and can disturb fragile services.

6. Configure the Scan: Once the target is defined, create a scan task. Click "Scans" and then "Tasks" (or use the Task Wizard) and provide the target and the scan config (e.g., Full and Fast, the usual default; other configs trade speed for depth).

7. Schedule the Scan (Optional): You can schedule the scan for a specific time or run it immediately, and configure a recurrence for regular scans.

8. Run the Scan: After configuring the task, click "Start" to begin scanning.

9. View Scan Results: Once the scan completes, view the results by clicking "Scans", then selecting the completed task. The results give detailed information about the vulnerabilities discovered on the target system.


10. Analyze and Remediate Vulnerabilities: Review the scan results to understand the identified vulnerabilities. OpenVAS reports a severity (CVSS score and threat level) for each finding together with a Quality of Detection (QoD) value that says how reliably it was detected, and suggests remediation steps. Prioritize and address the high-risk findings first, and verify low-QoD findings manually before acting on them.

11. Generate Reports: OpenVAS can generate reports summarizing the scan results. Click "Reports", select the scan report you want, and export it in a format such as PDF, HTML, CSV or XML.

12. Review and Rescan: After addressing the vulnerabilities, run another scan to confirm that the fixes worked and to catch any new issues that have appeared since.
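Steps 9 to 12 are done in the web interface. As an added example, not part of the manual and not Greenbone's own code, the Python below applies the same triage to a report exported as XML: it parses a constructed, cut-down document that only mimics the element names of a GMP get_reports response (the hosts, NVT OIDs, scores and findings are made up), orders findings by severity, drops Log-level entries, and separates out results whose Quality of Detection is below 70% for manual verification, which is the false-positive caveat of viva question 5 below.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Greenbone/OpenVAS GMP <get_reports> response.
# Only the element names follow GMP; hosts, OID suffixes and findings are invented.
SAMPLE_REPORT = """<get_reports_response status="200">
<report id="11111111-1111-1111-1111-111111111111">
 <report>
  <results>
   <result id="r1"><host>192.168.56.10</host><port>21/tcp</port>
     <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><name>FTP Unencrypted Cleartext Login</name></nvt>
     <threat>Medium</threat><severity>4.8</severity><qod><value>98</value></qod></result>
   <result id="r2"><host>192.168.56.10</host><port>80/tcp</port>
     <nvt oid="1.3.6.1.4.1.25623.1.0.900002"><name>Outdated web server (banner check only)</name></nvt>
     <threat>High</threat><severity>7.5</severity><qod><value>30</value></qod></result>
   <result id="r3"><host>192.168.56.20</host><port>general/tcp</port>
     <nvt oid="1.3.6.1.4.1.25623.1.0.900003"><name>OS End of Life Detection</name></nvt>
     <threat>High</threat><severity>10.0</severity><qod><value>80</value></qod></result>
   <result id="r4"><host>192.168.56.20</host><port>443/tcp</port>
     <nvt oid="1.3.6.1.4.1.25623.1.0.900004"><name>TLS 1.0 enabled</name></nvt>
     <threat>Low</threat><severity>2.6</severity><qod><value>98</value></qod></result>
   <result id="r5"><host>192.168.56.20</host><port>22/tcp</port>
     <nvt oid="1.3.6.1.4.1.25623.1.0.900005"><name>SSH service detected</name></nvt>
     <threat>Log</threat><severity>0.0</severity><qod><value>80</value></qod></result>
  </results>
 </report>
</report>
</get_reports_response>"""


def parse_results(xml_text):
    """One dict per <result> element, with the fields triage needs."""
    root = ET.fromstring(xml_text)
    findings = []
    for r in root.iter("result"):
        findings.append({
            "id": r.get("id"),
            "host": r.findtext("host").strip(),
            "port": r.findtext("port"),
            "name": r.findtext("nvt/name"),
            "oid": r.find("nvt").get("oid"),
            "threat": r.findtext("threat"),
            "severity": float(r.findtext("severity")),
            "qod": int(r.findtext("qod/value")),
        })
    return findings


def prioritize(findings, min_qod=70):
    """Highest severity first. Log entries are informational, and findings below the
    QoD threshold are hidden by the web UI by default because they are likely false positives."""
    keep = [f for f in findings if f["threat"] != "Log" and f["qod"] >= min_qod]
    return sorted(keep, key=lambda f: (-f["severity"], f["host"], f["port"]))


def needs_manual_verification(findings, min_qod=70):
    """Low-QoD findings: confirm by hand (connect, check the version, try the check) before remediating."""
    return [f for f in findings if f["threat"] != "Log" and f["qod"] < min_qod]


def per_host_summary(findings):
    """Counts per host and threat level, the table an executive summary usually shows."""
    summary = {}
    for f in findings:
        if f["threat"] == "Log":
            continue
        host = summary.setdefault(f["host"], {})
        host[f["threat"]] = host.get(f["threat"], 0) + 1
    return summary


if __name__ == "__main__":
    fs = parse_results(SAMPLE_REPORT)
    for f in prioritize(fs):
        print("%-5.1f %-6s %-15s %-12s %s" % (f["severity"], f["threat"], f["host"], f["port"], f["name"]))
    print("verify manually:", [f["name"] for f in needs_manual_verification(fs)])
    print(per_host_summary(fs))
```

A real export (Reports, then the XML format) wraps the same result elements in more metadata; iterating over every result element, as the parser does, works regardless of that wrapping.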

VIVA QUESTIONS:

1. What is OpenVAS?
Answer: OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability scanner that helps identify security weaknesses in networks, systems and applications.

2. How does OpenVAS work?
Answer: OpenVAS runs a large feed of vulnerability tests (NVTs) against the target: it discovers hosts and services, then sends protocol-specific probes and compares versions, banners and responses against known vulnerabilities and misconfigurations.

3. What is the difference between a vulnerability scanner and a penetration testing tool?
Answer: A vulnerability scanner like OpenVAS identifies known vulnerabilities and weaknesses, whereas a penetration testing tool goes a step further by attempting to exploit those vulnerabilities to assess their real impact.

4. How do you set up OpenVAS for vulnerability scanning?
Answer: Install and configure OpenVAS on a dedicated server (the installation process varies by operating system), synchronize the vulnerability feeds, then use the web interface to configure targets and tasks for scanning.

5. How does OpenVAS handle false positives in scan results?
Answer: OpenVAS reports potential vulnerabilities, but each finding must be verified and validated manually. Every result carries a Quality of Detection (QoD) percentage; by default the interface hides results below 70%, because version-based and other indirect checks produce false positives. Careful analysis is required before acting on a finding, and confirmed false positives can be recorded as overrides so they do not reappear in later reports.


Program 4:

AIM: Internal Penetration Testing

DESCRIPTION:

Internal penetration testing assesses the security of a system from inside the organization's network by simulating cyber attacks. It includes identifying vulnerabilities, exploiting them, and providing recommendations to improve security. Keep in mind the legal and ethical obligations when conducting penetration tests: every activity below must be covered by written authorization and the agreed rules of engagement.

4a. Mapping

Description:

Mapping is a crucial phase of internal penetration testing: assessing the security of an organization's network from within by systematically scanning and mapping the internal network to identify potential entry points and vulnerabilities. The goal is to take an attacker's perspective and uncover weaknesses that could be exploited.

Objective:

The objective of this lab is to simulate an internal penetration testing scenario, focusing on mapping the network to identify vulnerabilities and potential security risks.

Lab Environment Setup:

1. Set up a virtualized environment using a platform such as VMware or VirtualBox.
2. Deploy virtual machines representing different network segments, including servers, workstations and network devices.
3. Ensure all virtual machines are properly isolated and connected to a dedicated internal (host-only) network, so that scans and exploits cannot reach anything outside the lab.

Tools and Software:

• Nmap: for host discovery, open port identification and network mapping.
• Nessus or OpenVAS: for vulnerability scanning.
• Metasploit: for exploitation and post-exploitation.

Lab Phases:

1. Discovery:
• Use Nmap to discover active hosts in the network: nmap -sn <target>
• Identify open ports and services: nmap -p- -A <target> (-A enables version detection, OS detection, default scripts and traceroute; across all 65,535 ports it is slow, so run it only against the hosts found above)
• Document IP addresses, open ports and identified services.
2. Topology Mapping:
• Create a network topology diagram using a tool such as draw.io or Lucidchart.
• Identify network devices, including routers, switches and key servers.
• Note the physical or logical connections between devices.
3. Vulnerability Scanning:
• Run Nessus or OpenVAS scans against the discovered hosts from the scanner's web interface (neither tool is driven by a simple "nessus <target>" command; create a target and a scan task as in Program 3).
• Prioritize vulnerabilities based on severity ratings.
• Document the identified vulnerabilities for each host.
4. Exploitation:
• Use Metasploit to exploit identified vulnerabilities (start the console with msfconsole, search for a module matching the vulnerable service and version, set RHOSTS and run it).
• Demonstrate the exploitation process safely: prefer modules ranked as reliable, and never run denial-of-service or memory-corruption exploits against systems the rules of engagement do not cover.
• Document successful and unsuccessful exploitation attempts.
5. Post-Exploitation:
• Assess the impact of successful exploits on the compromised systems.
• Document potential lateral movement paths within the network.
• Identify additional vulnerabilities that may be exploited.
6. Reporting:
• Compile a comprehensive report detailing the entire penetration testing process.
• Include an executive summary, methodology, findings, risk assessment and recommended mitigations.
• Provide a roadmap for improving the organization's security posture.
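Program 2 step 8 saves Nmap output to a file, and the Discovery phase above asks for the IP addresses, open ports and services to be documented. As an added example (not part of the manual), the Python below parses Nmap's grepable output format (-oG) from a constructed sample in that format (hosts and banners are made up), produces the open-port inventory a report needs, and lists the services whose logins travel in the clear, which are the sniffing targets of section 4d.

```python
import re

# Constructed sample in the -oG format written by `nmap -sV -oG hosts.gnmap <target>`.
# The hosts, ports and version strings are invented.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG hosts.gnmap 192.168.56.0/24
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.2p1/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4.41/\tIgnored State: closed (996)
Host: 192.168.56.20 ()\tStatus: Up
Host: 192.168.56.20 ()\tPorts: 110/open/tcp//pop3//Dovecot pop3d/, 443/open/tcp//ssl|http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 192.168.56.30 ()\tStatus: Up
# Nmap done at Mon Jan  1 10:02:00 2024 -- 256 IP addresses (3 hosts up) scanned in 120.00 seconds
"""

# Each port entry is port/state/protocol/owner/service/rpcinfo/version/ ; Nmap replaces any
# '/' inside a string with '|', which is why the fields can be split on slashes.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")

# Services the manual singles out as sending credentials unencrypted.
CLEARTEXT = {"ftp", "telnet", "pop3", "imap", "http"}


def parse_gnmap(text):
    """Return {ip: {"status": str, "ports": [ {port, state, proto, service, version} ]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment lines
        ip = line.split()[1]
        entry = hosts.setdefault(ip, {"status": None, "ports": []})
        for field in line.split("\t")[1:]:             # Status / Ports / Ignored State ...
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for port, state, proto, service, version in PORT_RE.findall(value):
                    entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                           "service": service, "version": version})
    return hosts


def open_ports(hosts):
    """Flat (ip, port, service, version) rows: the inventory table of a pentest report."""
    return [(ip, p["port"], p["service"], p["version"])
            for ip, h in sorted(hosts.items()) for p in h["ports"] if p["state"] == "open"]


def cleartext_services(hosts):
    """Open services whose logins can be sniffed (see 4d)."""
    return [(ip, p["port"], p["service"]) for ip, h in sorted(hosts.items())
            for p in h["ports"] if p["state"] == "open" and p["service"] in CLEARTEXT]


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for row in open_ports(inventory):
        print("%-15s %5d  %-10s %s" % row)
    print("cleartext logins:", cleartext_services(inventory))
```

The same parser works on the file that nmap -oG writes; the XML produced by -oX carries more detail (script output, OS guesses) but needs an XML parser instead of the regular expression.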

4b. Scanning

Description:

Internal penetration testing is a comprehensive security assessment conducted within an organization's network to identify vulnerabilities that an attacker who has already gained a foothold (or a malicious insider) could exploit. It simulates real-world threats using various testing methodologies to uncover weaknesses in systems, applications and network configurations. Internal penetration testers use ethical hacking techniques to evaluate the effectiveness of existing security measures, giving the organization the insight it needs to strengthen its internal defenses and overall security posture.

Scanning in Internal Penetration Testing:

1. Objective:
• The primary goal of the scanning phase is to systematically identify and catalog all active devices and services within the internal network.
2. Network Discovery:
• Use tools such as arp-scan and netdiscover to find live hosts on the local segment. They rely on ARP, which hosts cannot block the way they block ICMP ping, so they see more than a ping sweep does (but only within the tester's own broadcast domain).
• Keep the network map accurate and up to date.
3. Network Mapping:
• Use nmap to map the network topology.
• Gather information on open ports, services and their interconnections.
4. Service Enumeration:
• Identify the active services on the discovered hosts.
• Extract detailed information about the version and configuration of each service (Nmap -sV and its NSE scripts, or protocol-specific clients).
5. Vulnerability Scanning:
• Use automated vulnerability scanning tools such as Nessus or OpenVAS.
• Scan for known vulnerabilities in the identified services and systems.
6. Importance of Scanning:
• Scanning provides a baseline understanding of the internal network's structure and potential weak points.
• It helps prioritize security efforts by highlighting critical vulnerabilities.
7. Challenges and Considerations:
• Overcome obstacles such as network segmentation and firewall restrictions (scan from each segment, or compare results from different vantage points).
• Adapt scanning techniques to avoid disrupting critical services: lower the timing template, skip intrusive checks against medical, industrial or legacy systems, and schedule heavy scans outside business hours.
8. Documentation:
• Accurately document the scan results, including discovered hosts, services and vulnerabilities.
• This provides the foundation for the exploitation and post-exploitation phases.
9. Interactive Learning:
• Encourage participants to engage actively with the scanning tools.
• Discuss different scanning scenarios and their implications.
10. Legal and Ethical Considerations:
• Reinforce the importance of conducting scanning activities within the rules of engagement.
• Emphasize ethical behavior and respect for the organization's policies.
11. Integration with Other Phases:
• Highlight how scanning sets the stage for subsequent phases such as vulnerability analysis and exploitation.
• Emphasize the iterative nature of penetration testing and the need for continuous testing.
12. Feedback and Improvement:
• Encourage participants to provide feedback on the scanning process.
• Emphasize continuous improvement of penetration testing methodologies.
4c. Gaining Access through CVEs

Description:

Penetration testing, also known as ethical hacking, assesses the security of computer systems, networks or web applications to identify vulnerabilities that could be exploited by malicious actors. Gaining access through Common Vulnerabilities and Exposures (CVEs) is the part of a penetration test that leverages publicly known vulnerabilities to assess the resilience of a system or network.

Internal Penetration Testing - Gaining Access through CVEs:

1. Objective:
• The primary goal is to simulate a real-world scenario in which an attacker exploits known vulnerabilities (CVEs) to gain unauthorized access to a system or network.
2. Preparation:
• Identify target systems or services that may be susceptible to known vulnerabilities.
• Research and compile a list of CVEs relevant to the target technologies and versions (the NVD and vendor advisories map product versions to CVE identifiers).
3. Vulnerability Scanning:
• Use automated scanning tools such as Nessus, OpenVAS or Qualys to identify vulnerabilities in the target systems.
• Focus on vulnerabilities with known exploits; check the CVE entry's references and the exploit databases for public exploit code.
4. CVE Exploitation:
• Choose specific CVEs from the scan results that apply to the target environment.
• Use publicly available exploits or proof-of-concept code associated with the selected CVEs. Read the code before running it: public exploits may be unreliable, may crash the target, or may carry a hidden payload of their own.
5. Payload Delivery:
• Develop or leverage existing payloads for the identified vulnerabilities.
• Choose the delivery mechanism (e.g., phishing or direct exploitation) based on the nature of the vulnerability.
6. Privilege Escalation:
• Upon successful exploitation, attempt to escalate privileges to gain higher levels of access within the system or network.
• Use techniques such as local privilege escalation exploits or credential harvesting.
7. Persistence:
• Establish persistence mechanisms to maintain access across reboots or defensive actions.
• Deploy backdoors, rootkits or other covert means of access only where the rules of engagement allow it, record every artifact you leave behind, and remove all of them at the end of the test.
8. Post-Exploitation Activities:
• Conduct reconnaissance within the compromised system or network.
• Explore lateral movement opportunities to reach other systems and sensitive data.
9. Documentation:
• Thoroughly document the entire process, including the selected CVEs, exploitation techniques and the extent of access achieved.
• Provide clear insight into the potential impact of a successful attack.
10. Reporting:
• Prepare a detailed penetration testing report outlining the vulnerabilities exploited, the methodology used and recommendations for remediation.
• Emphasize the business impact and the risks associated with the exploited vulnerabilities.
11. Legal and Ethical Considerations:
• Ensure that all penetration testing activities adhere to legal and ethical standards.
• Obtain proper authorization before conducting any testing.
12. Feedback and Remediation:
• Engage with the organization's security team to provide feedback on the vulnerabilities discovered.
• Collaborate on remediation strategies and provide guidance on improving the overall security posture.

4d. Sniffing POP3/FTP/Telnet Passwords

Description:

Internal penetration testing assesses the security of an organization's internal network, systems and applications to identify vulnerabilities that attackers could exploit. Sniffing is one technique used in penetration testing to capture and analyze network traffic, including sensitive information such as passwords. Here is a brief description of sniffing passwords for the POP3, FTP and Telnet protocols:

• POP3 (Post Office Protocol 3):
o Description: POP3 is an email retrieval protocol used to fetch email from a mail server to a client. When a user accesses their mailbox with POP3, the login credentials (username and password) are transmitted over the network as USER and PASS commands.
o Sniffing Approach: A penetration tester may use a network sniffer to capture the POP3 traffic. By analyzing the captured packets the tester can read the credentials in plain text, unless the session is encrypted (POP3S on port 995, or STARTTLS on port 110).
• FTP (File Transfer Protocol):
o Description: FTP is a standard network protocol used to transfer files between a client and a server. It normally involves authentication, and the credentials are exchanged during the login process.
o Sniffing Approach: A penetration tester may use a network sniffer to capture FTP traffic. FTP transmits login credentials in plain text (USER and PASS commands on the control connection, port 21), so unless an encrypted alternative such as FTPS or SFTP is used, usernames and passwords can be captured easily.
• Telnet:
o Description: Telnet is a protocol for accessing remote systems. It lets a user log in to a remote machine and execute commands as if directly connected to it.
o Sniffing Approach: Telnet transmits all data, including login credentials, in plain text; because the client typically sends one keystroke per packet, the password has to be reassembled from the client-to-server stream (Wireshark's Follow > TCP Stream does this). A penetration tester can use a network sniffer to capture Telnet traffic and extract usernames and passwords. This is a significant security risk, since plain-text credentials are just as easily intercepted by malicious actors.

On a switched network the sniffer only sees this traffic if it sits on the path: a mirror port, a tap, or a man-in-the-middle position such as the ARP poisoning described in 4e.

To reduce the risk of sniffing attacks, use secure alternatives or protocol variants that encrypt the communication, such as:

• POP3S (Secure POP3): uses SSL/TLS encryption for email retrieval (or STARTTLS on the standard port).
• FTPS (File Transfer Protocol Secure): adds SSL/TLS encryption to FTP. SFTP, file transfer over SSH, is a separate protocol that achieves the same goal.
• SSH (Secure Shell): a secure replacement for Telnet that encrypts the communication between client and server.
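As an added example (not from the manual), the Python below does what a sniffer does after the capture: it reassembles constructed TCP segments (made-up addresses and credentials) into client-to-server and server-to-client streams, reads USER/PASS from the POP3 and FTP command streams, and for Telnet strips the IAC option negotiation and rebuilds the keystroke-per-packet login from the prompts the server sent. In practice the segments come from a pcap (for instance the parser in Program 1 extended to keep payloads) or from Wireshark's Follow > TCP Stream.

```python
SERVICES = {21: "ftp", 23: "telnet", 110: "pop3"}   # ports whose logins travel in the clear
IAC, SB, SE = 0xFF, 0xFA, 0xF0
IAC_WILL_TO_DONT = (0xFB, 0xFC, 0xFD, 0xFE)


def strip_telnet_iac(data):
    """Drop Telnet option negotiation (IAC sequences) so only typed characters remain."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                                      # truncated command at end of stream
        elif data[i + 1] == IAC:                       # IAC IAC = a literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif data[i + 1] == SB:                        # IAC SB ... IAC SE (subnegotiation)
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in IAC_WILL_TO_DONT:          # IAC WILL/WONT/DO/DONT <option>
            i += 3
        else:                                          # other two-byte command
            i += 2
    return bytes(out)


def reassemble(segments):
    """Group TCP payloads into flows keyed by (client, server, server_port), split by direction."""
    flows = {}
    for s in segments:
        if s["dport"] in SERVICES:
            key, side = (s["src"], s["dst"], s["dport"]), "c2s"
        elif s["sport"] in SERVICES:
            key, side = (s["dst"], s["src"], s["sport"]), "s2c"
        else:
            continue
        flows.setdefault(key, {"c2s": b"", "s2c": b""})[side] += s["data"]
    return flows


def extract_credentials(segments):
    """Return (service, client, server, username, password) for each login seen."""
    found = []
    for (client, server, port), f in reassemble(segments).items():
        svc = SERVICES[port]
        if svc in ("pop3", "ftp"):                     # both use USER <name> / PASS <secret>
            user = password = None
            for line in f["c2s"].decode("latin-1").splitlines():
                cmd, _, arg = line.partition(" ")
                if cmd.upper() == "USER":
                    user = arg
                elif cmd.upper() == "PASS":
                    password = arg
            if user is not None and password is not None:
                found.append((svc, client, server, user, password))
        else:                                          # telnet: keystrokes, one per segment
            typed = strip_telnet_iac(f["c2s"]).decode("latin-1")
            lines = [l for l in typed.replace("\r\n", "\n").replace("\r\0", "\n").split("\n") if l]
            prompts = strip_telnet_iac(f["s2c"]).decode("latin-1")
            if "login:" in prompts and "assword:" in prompts and len(lines) >= 2:
                found.append((svc, client, server, lines[0], lines[1]))
    return found


def seg(src, sport, dst, dport, data):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "data": data}


# Constructed capture (addresses and credentials made up): one POP3, one FTP and one Telnet login.
C, MAIL, FTPSRV, TELSRV = "10.0.0.5", "10.0.0.20", "10.0.0.21", "10.0.0.22"
SEGMENTS = (
    [seg(MAIL, 110, C, 40001, b"+OK POP3 ready\r\n"),
     seg(C, 40001, MAIL, 110, b"USER alice\r\n"),
     seg(MAIL, 110, C, 40001, b"+OK\r\n"),
     seg(C, 40001, MAIL, 110, b"PASS Wint3r!\r\n")]
    + [seg(FTPSRV, 21, C, 40002, b"220 FTP ready\r\n"),
       seg(C, 40002, FTPSRV, 21, b"USER bob\r\n"),
       seg(FTPSRV, 21, C, 40002, b"331 Password required\r\n"),
       seg(C, 40002, FTPSRV, 21, b"PASS hunter2\r\n")]
    + [seg(TELSRV, 23, C, 40003, b"\xff\xfd\x01\xff\xfb\x01login: "),   # IAC DO ECHO, IAC WILL ECHO
       seg(C, 40003, TELSRV, 23, b"\xff\xfc\x01")]                       # IAC WONT ECHO
    + [seg(C, 40003, TELSRV, 23, ch) for ch in (b"c", b"a", b"r", b"o", b"l", b"\r\x00")]
    + [seg(TELSRV, 23, C, 40003, b"carol\r\nPassword: ")]                # server echoes the name only
    + [seg(C, 40003, TELSRV, 23, ch) for ch in (b"p", b"@", b"s", b"s", b"\r\x00")]
)

if __name__ == "__main__":
    for cred in extract_credentials(SEGMENTS):
        print("%-6s %s -> %s  %s / %s" % cred)
```

Note that the Telnet password never appears in the server-to-client direction: the server suppresses echo for it, which is why the client stream has to be reconstructed rather than just searched.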

4e. ARP Poisoning

Description:

Internal penetration testing assesses the security of an organization's internal network, systems and applications to identify vulnerabilities that could be exploited by malicious actors. ARP (Address Resolution Protocol) poisoning, also known as ARP spoofing, is a common technique in such assessments that exploits weaknesses in the way local networks handle address resolution.

Here is a description of ARP poisoning:

Address Resolution Protocol (ARP): ARP is the protocol network devices use to map IPv4 addresses to physical MAC (Media Access Control) addresses. When a device on a local network wants to communicate with another device, it uses ARP to discover the MAC address associated with the target's IP address: the ARP request is broadcast on the local segment, and the device with that IP address replies with its MAC address. ARP has no authentication, and most operating systems will update their ARP cache from any reply they receive, even one they never asked for.

ARP Poisoning: ARP poisoning manipulates the ARP caches of devices on a local network. The attacker sends forged ARP messages associating the attacker's MAC address with the IP address of another device (typically the default gateway), so that traffic intended for that device is diverted through the attacker's system. The attacker can then intercept, modify or drop the traffic, which enables several further attacks.

Stages of ARP Poisoning:

• Discovery: The attacker scans the local network to identify IP addresses and their corresponding MAC addresses.
• Poisoning: The attacker sends forged ARP replies to the targeted devices, associating the attacker's MAC address with the IP addresses of other devices. To intercept both directions of a conversation the attacker poisons both ends: the victim is told that the gateway's IP is at the attacker's MAC, and the gateway is told the same about the victim's IP. The forged replies must be repeated, because cache entries expire.
• Interception: With the ARP caches manipulated, traffic intended for other devices now passes through the attacker's system, which forwards it onwards (IP forwarding enabled) so that the victim notices nothing, while monitoring, modifying or blocking it as required.

Purposes of ARP Poisoning in Penetration Testing:

• Traffic Interception: ARP poisoning lets testers intercept and analyze network traffic, including sensitive information such as the plain-text logins described in 4d.
• Man-in-the-Middle Attacks: By redirecting traffic through their system, testers can perform man-in-the-middle attacks, capturing and modifying data in transit.
• Denial of Service (DoS): ARP poisoning can disrupt network communications by intercepting and dropping traffic (or simply by not forwarding it).

Mitigation:

To prevent ARP poisoning attacks, organizations can deploy ARP spoofing detection tools (which alert when an IP address changes MAC or one MAC claims many IPs), network segmentation, and switch features such as DHCP Snooping with Dynamic ARP Inspection, which drops ARP replies that do not match the switch's record of which IP/MAC pair lives on which port. Static ARP entries protect critical hosts, and end-to-end encryption (TLS, SSH) limits what an interceptor can read even when poisoning succeeds. Regular security audits and penetration testing help identify and address weaknesses before malicious actors can exploit them.
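As an added example (not part of the manual), the Python below shows the ARP packet format and the detection logic the Mitigation paragraph refers to: it serializes and parses the 28-byte ARP payload, then replays a constructed poisoning sequence (all addresses made up) through a watcher that alerts on unsolicited replies, on an IP address changing its MAC, and on one MAC answering for several IPs. On a real network the frames come from a capture; forged replies are unicast, so the watcher has to run on the monitored host itself or on a mirror port to see them.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(map(str, b))


def build_arp(op, sha, spa, tha, tpa):
    """The 28-byte ARP payload that follows the Ethernet header (Ethernet/IPv4 ARP)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatcher:
    """Learns IP->MAC bindings from the wire and flags the three signs of poisoning:
    a reply nobody asked for, an IP whose MAC changes, and one MAC claiming several IPs.
    The first binding seen for an IP is trusted, which is the weak spot of every such tool,
    so start it before the attacker does or seed it with known-good entries."""

    def __init__(self, known=None):
        self.table = dict(known or {})   # ip -> mac
        self.pending = set()             # IPs asked about and not yet answered
        self.alerts = []

    def observe(self, pkt):
        a = parse_arp(pkt)
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["tpa"])
        else:
            # A gratuitous reply (spa == tpa) is normal after an address change.
            if a["spa"] not in self.pending and a["spa"] != a["tpa"]:
                self.alerts.append(("unsolicited_reply", a["spa"], a["sha"]))
            self.pending.discard(a["spa"])
        self._learn(a["spa"], a["sha"])   # requests carry a sender binding too

    def _learn(self, ip, mac):
        if ip in self.table:
            if self.table[ip] != mac:
                self.alerts.append(("mac_changed", ip, self.table[ip], mac))
            return                           # never overwrite a learned binding
        others = sorted(i for i, m in self.table.items() if m == mac)
        if others:
            self.alerts.append(("mac_claims_multiple_ips", mac, others + [ip]))
        self.table[ip] = mac


# Constructed lab: gateway, victim and attacker on 192.168.1.0/24 (addresses made up).
GW, GW_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:0a"
ATTACKER, ATT_MAC = "192.168.1.66", "de:ad:be:ef:00:01"
ZERO = "00:00:00:00:00:00"

SCENARIO = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM, ZERO, GW),          # victim: who has the gateway?
    build_arp(ARP_REPLY, GW_MAC, GW, VICTIM_MAC, VICTIM),          # gateway answers: legitimate
    build_arp(ARP_REQUEST, ATT_MAC, ATTACKER, ZERO, VICTIM),       # attacker's discovery request
    build_arp(ARP_REPLY, VICTIM_MAC, VICTIM, ATT_MAC, ATTACKER),   # victim answers: legitimate
    build_arp(ARP_REPLY, ATT_MAC, GW, VICTIM_MAC, VICTIM),         # poison victim: "gateway is at attacker"
    build_arp(ARP_REPLY, ATT_MAC, VICTIM, GW_MAC, GW),             # poison gateway: "victim is at attacker"
    build_arp(ARP_REPLY, ATT_MAC, "192.168.1.50", VICTIM_MAC, VICTIM),  # attacker claims a third IP
]


def run_scenario(packets, known=None):
    watcher = ArpWatcher(known)
    for p in packets:
        watcher.observe(p)
    return watcher


if __name__ == "__main__":
    for alert in run_scenario(SCENARIO).alerts:
        print(alert)
```

Dynamic ARP Inspection on a switch applies the same "does this reply match the binding I already know" rule, but with the DHCP snooping table as its source of truth instead of first-seen traffic.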

4f. DNS Poisoning

Description:

Internal penetration testing assesses the security of an organization's internal network, systems and applications to identify vulnerabilities and weaknesses. DNS (Domain Name System) poisoning is a type of attack that can fall within the scope of an internal penetration test. DNS poisoning, also known as DNS spoofing or DNS cache poisoning, manipulates the DNS resolution process to redirect legitimate domain names to attacker-controlled IP addresses.

Here is a general overview of how DNS poisoning works and how it might be addressed during internal penetration testing:

• Understanding DNS Poisoning:
o In a DNS poisoning attack, the attacker tries to inject malicious DNS records into the cache of a DNS server (or directly into a client's answers). DNS runs over UDP, so a reply is accepted if it arrives from the expected server address and port, carries the 16-bit transaction ID the resolver chose, and matches the outstanding question. An attacker who can observe the query (for example after the ARP poisoning in 4e) can forge such a reply immediately; one who cannot may try to guess the ID and source port faster than the real answer arrives. A resolver that also caches extra records for names it did not ask about can be poisoned for domains far beyond the one queried. The result is the redirection of legitimate domain names to IP addresses controlled by the attacker.
• Testing for DNS Poisoning:
o During internal penetration testing, security professionals use various tools and techniques to assess how susceptible the organization's DNS infrastructure is to poisoning attacks.
o Tools such as dnsspoof (from the dsniff suite), dnschef, Ettercap's dns_spoof plugin, or custom scripts can simulate DNS poisoning attacks on the lab network and evaluate how clients and resolvers respond.
o Testers also review the DNS configuration, look for misconfigurations (open recursion, predictable source ports, missing DNSSEC validation), and assess the effectiveness of monitoring and logging.
• Mitigation and Best Practices:
o Organizations can implement several best practices to mitigate the risk of DNS poisoning, including:
▪ Regularly updating DNS software to patch known vulnerabilities.
▪ Enabling DNSSEC validation on resolvers and signing the organization's own zones, so that forged records fail their signature checks.
▪ Implementing network segmentation to limit the impact of a successful DNS poisoning attack.
▪ Monitoring DNS logs for suspicious activity (unexpected answers for well-known names, bursts of replies with mismatched IDs) and implementing alerting.
• Social Engineering Aspects:
o Internal penetration testing may also include social engineering, where testers attempt to exploit human weaknesses within the organization. For example, an attacker might manipulate an employee into revealing information that would aid a DNS poisoning attack.
• Reporting and Remediation:
o The findings of the penetration test, including any vulnerabilities related to DNS poisoning, should be documented in a comprehensive report.
o Recommendations for remediation and for improving the security posture should be provided, and the organization should address the identified issues promptly.
• Continuous Improvement:
o Internal penetration testing is not a one-time activity. It should be part of an ongoing security strategy, with organizations continuously monitoring and updating their security measures as the threat landscape evolves.
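As an added example (not part of the manual), the Python below shows, on constructed messages, the checks a resolver makes before accepting an answer and why each one matters to a poisoner: it builds DNS responses in wire format (including a name-compression pointer), then validates a reply against the outstanding query by source address, destination port, transaction ID, QR bit, question section, and finally a bailiwick check. The example uses the strictest form of that last check, accepting only records for the exact name asked about; real resolvers accept any name under the zone the answering server is authoritative for. Addresses and names are made up.

```python
import struct

QTYPE_A = 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset off, following compression pointers (0xC0xx)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)


def build_response(txid, qname, answers, qtype=QTYPE_A):
    """answers: list of (owner_name, ipv4). An owner equal to qname is written as a
    compression pointer to the question (offset 12), as real servers do."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR, RD, RA set
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, ip in answers:
        msg += b"\xC0\x0C" if owner == qname else encode_name(owner)
        rdata = bytes(int(o) for o in ip.split("."))
        msg += struct.pack("!HHIH", QTYPE_A, 1, 300, len(rdata)) + rdata
    return msg


def parse_response(msg):
    txid, flags, _, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A:
            answers.append((owner, ".".join(map(str, rdata)), ttl))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


def validate(query, reply):
    """Accept a reply only if every field an attacker would have to guess or forge matches.
    query: what we sent (server, src_port, txid, qname, qtype); reply: what arrived."""
    r = parse_response(reply["payload"])
    if reply["src_ip"] != query["server"]:
        return False, "wrong source address"
    if reply["dst_port"] != query["src_port"]:
        return False, "wrong destination port"
    if r["id"] != query["txid"]:
        return False, "transaction id mismatch"
    if not r["is_response"]:
        return False, "QR bit not set"
    if (r["qname"].lower(), r["qtype"]) != (query["qname"].lower(), query["qtype"]):
        return False, "question mismatch"
    for owner, _, _ in r["answers"]:             # bailiwick check (strict form)
        if owner.lower() != query["qname"].lower():
            return False, "out-of-bailiwick record for " + owner
    return True, "ok"


# Constructed scenario: our query state and four replies, one genuine and three forged.
QUERY = {"server": "192.168.1.53", "src_port": 43123, "txid": 0x1A2B,
         "qname": "www.example.com", "qtype": QTYPE_A}


def _reply(src_ip, dst_port, payload):
    return {"src_ip": src_ip, "dst_port": dst_port, "payload": payload}


GENUINE = _reply("192.168.1.53", 43123,
                 build_response(0x1A2B, "www.example.com", [("www.example.com", "203.0.113.10")]))
FORGED_PORT = _reply("192.168.1.53", 43124,
                     build_response(0x1A2B, "www.example.com", [("www.example.com", "198.51.100.9")]))
FORGED_ID = _reply("192.168.1.53", 43123,
                   build_response(0x1A2C, "www.example.com", [("www.example.com", "198.51.100.9")]))
# Right ID and port (the attacker saw the query) but smuggles in a record for another name.
FORGED_EXTRA = _reply("192.168.1.53", 43123,
                      build_response(0x1A2B, "www.example.com",
                                     [("www.example.com", "203.0.113.10"),
                                      ("login.bank.example", "198.51.100.9")]))

if __name__ == "__main__":
    for name, rep in [("genuine", GENUINE), ("forged port", FORGED_PORT),
                      ("forged id", FORGED_ID), ("forged extra", FORGED_EXTRA)]:
        print(name, validate(QUERY, rep))
```

The port and ID checks are only 32 bits of entropy between them, which is why an off-path attacker can still win by flooding; DNSSEC adds a check the forger cannot pass without the zone's private key.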

Program 5:

AIM: External Penetration Testing

Description:
External penetration testing is a cybersecurity practice that simulates real-world cyber attacks on an organization's external-facing systems to uncover vulnerabilities. The process includes reconnaissance to gather information, vulnerability assessment to identify weaknesses, exploitation to test the security controls, and post-exploitation analysis. The results are documented in a comprehensive report that outlines the discovered vulnerabilities, their potential impact and recommendations for remediation. By proactively identifying and addressing security flaws, external penetration testing helps organizations strengthen their defenses, protect sensitive data and meet compliance requirements. Regular testing and continuous improvement are essential to staying ahead of evolving cyber threats.

5a. Evaluating External Infrastructure

Description:

External penetration testing is a security assessment that simulates real-world cyber attacks on an organization's external-facing systems. The goal is to identify vulnerabilities that malicious actors could exploit to gain unauthorized access, disrupt services or compromise sensitive information. Evaluating the external infrastructure means assessing the components of the organization's network and systems that are reachable from the internet. Here is a description of the key aspects of that evaluation:

• Scope Definition:
o Clearly define the scope of the external penetration test, including the specific IP ranges, domains, applications and network segments to be assessed.
o Identify any out-of-scope assets or systems that must not be tested. Confirm that in-scope addresses actually belong to the client: cloud and CDN addresses are often shared with third parties, and testing them may require the provider's permission as well.
• Reconnaissance:
o Gather information about the organization's external infrastructure from publicly available sources such as WHOIS databases, DNS records, certificate transparency logs and social engineering techniques.
o Identify potential targets, including IP addresses, domain names and network ranges.
• Vulnerability Scanning:
o Perform automated vulnerability scans to identify known security vulnerabilities in the external infrastructure.
o Use tools such as Nessus, OpenVAS or Qualys to identify weaknesses in network devices, servers and web applications.
• Network Mapping:
o Enumerate and map the organization's external network architecture to identify active hosts, services and their interconnections.
o Understand the topology to identify potential points of entry for attackers.
• Application Security Testing:
o Assess the security of externally facing web applications and APIs.
o Conduct manual and automated testing to identify common vulnerabilities such as SQL injection, cross-site scripting (XSS) and insecure direct object references.
• Firewall and Network Device Analysis:
o Evaluate the effectiveness of the firewalls and other network security devices in place.
o Identify misconfigurations, rule weaknesses and potential bypass techniques.
• Social Engineering:
o Include social engineering techniques to test the human element, such as phishing campaigns or attempts to gather sensitive information through social manipulation.
• Exploitation:
o Attempt to exploit identified vulnerabilities to demonstrate their potential impact.
o Focus on gaining unauthorized access to systems or escalating privileges.
• Post-Exploitation:
o Assess the ability to maintain access and move laterally within the network.
o Determine the extent to which an attacker could compromise sensitive data or disrupt services.
• Reporting:
o Provide a comprehensive report detailing the findings, including identified vulnerabilities, their potential impact and recommended remediation measures.
o Include an executive summary for non-technical stakeholders.
• Remediation Support:
o Work collaboratively with the organization to prioritize and remediate the identified vulnerabilities.
o Provide guidance on improving the overall security posture.

5b. Creating a Topological Map & Identifying the IP Address of the Target

Description:
External penetration testing simulates a cyber attack on a computer system, network or web application from an outside perspective to identify vulnerabilities and weaknesses. Creating a topological map and identifying IP addresses are crucial early steps in this process. Here is a general guide to these tasks:

1. Reconnaissance:
• Domain Information Gathering:
o Use whois to gather information about the target domain, including registration details.
o Use DNS interrogation tools such as nslookup or dig to find subdomains and the hosts they point to (dig does not enumerate a zone by itself; zone transfers are normally refused, so subdomains are found by querying likely names, certificate transparency logs and search engines).
2. Mapping the Network Topology:
• Network Scanning:
o Use tools such as Nmap to discover live hosts and open ports on the target network.
o Conduct ping sweeps to identify live hosts (many internet-facing hosts drop ICMP; use -Pn or TCP-based discovery for those).
• Topology Mapping:
o Create a visual representation of the network topology, including routers, switches and servers. From outside, a traceroute to each target shows the routers and firewalls in front of it.
3. Service Identification:
• Banner Grabbing:
o Use a tool such as netcat (nc) or telnet to connect to each open port and read the banner the service announces, or let Nmap -sV do it.
4. Vulnerability Assessment:
• Scan for Vulnerabilities:
o Use vulnerability scanning tools such as Nessus or OpenVAS to identify weaknesses in the target's systems.
5. Identifying IP Addresses:
• Network Range Discovery:
o Query the regional Internet registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) through their WHOIS services to find the IP address ranges assigned to the target organization.
• DNS Enumeration:
o Use tools such as DNSRecon or Fierce to enumerate DNS records and identify the associated IP addresses.
6. Social Engineering:
• Phishing:
o Conduct phishing simulations to test the human element and gather additional information.
7. Documentation:
• Create a Topological Map:
o Document the identified network topology, including IP addresses, subdomains and services.
• Risk Assessment:
o Evaluate the discovered vulnerabilities and prioritize them by potential impact.
8. Reporting:
• Penetration Testing Report:
o Provide a detailed report outlining the findings, vulnerabilities and recommended remediation steps.

Additional points:

• Legal and Authorization:
o Ensure that you have proper written authorization before conducting any penetration testing. Unauthorized testing can have legal consequences.
• Anonymity:
o Using VPNs or proxies to hide the tester's origin is appropriate only when the rules of engagement call for it (for example, to test whether detection works); otherwise agree the source IP addresses with the client so their monitoring team can tell the test from a real attack.
• Continuous Monitoring:
o Regularly update the topological map as the target environment evolves.

5c. Lookup domain registry for IP information

Description:

Performing external penetration testing involves assessing the security of a system from an external perspective, often simulating the actions of a malicious actor. However, it's crucial to note that penetration testing should only be conducted on systems and networks for which you have explicit authorization.

If you are authorized to conduct external penetration testing and want to gather information about a domain's IP address, you can use various tools and techniques. One common method is to query domain registration information. Here are steps you can follow:

WHOIS Lookup:

WHOIS is a protocol used to query databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. There are online WHOIS lookup tools, as well as command-line options.

• Online WHOIS Lookup:
o Websites like WHOIS.com or ICANN WHOIS allow you to enter a domain name and retrieve registration details.
• Command Line (Linux):
o Open a terminal and use the whois command (replace <domain> with the domain you are authorized to assess):

    whois <domain>

DNS Resolution:
You can also resolve the domain to its IP address using DNS tools:

• nslookup (Windows) or dig (Linux):
o Use the nslookup command on Windows or the dig command on Linux to get the IP address associated with a domain:

    nslookup <domain>

or

    dig <domain>

• Online DNS Lookup Tools:
o Websites like MXToolbox or DNS Lookup provide online tools to query DNS records.

Additional Considerations:

• WHOIS Privacy Protection: Some domain registrars offer privacy protection services, which replace the actual contact information with generic data. In such cases, you may not get detailed information about the registrant.
• APIs: Some organizations offer APIs that allow you to programmatically query domain information. Be sure to check if the domain registry you're interested in provides such services.
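A programmatic version of the two lookups above, added here as an example and not part of the lab manual: it parses whois-style key: value output and `dig +short` style output (both constructed samples embedded in the script, so it runs offline) and flags the WHOIS privacy-protection case described under Additional Considerations. The field names in the sample follow the common registrar layout but are assumptions; feed it the real stdout of `whois <domain>` and `dig +short <domain>` in practice.

```python
"""Parse whois and `dig +short` output for a domain into structured fields."""
import ipaddress
import re

# Constructed WHOIS response (key: value lines as most registrars return them).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2030-08-13T04:00:00Z
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
Registrant Organization: REDACTED FOR PRIVACY
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

# Constructed `dig +short` style output; the first line is a CNAME target,
# which is a name rather than an address and must be skipped.
SAMPLE_DIG = """\
www.example.com.
192.0.2.10
2001:db8::1
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.+?)\s*$")

def parse_whois(text):
    """Return {lower-case key: [values]}; repeated keys such as Name Server
    accumulate, and banner/footer lines that are not key: value are skipped."""
    fields = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def whois_privacy_protected(fields):
    """True when registrant fields are masked by a privacy service, the case
    the manual warns about: expect no usable contact details then."""
    return any(key.startswith("registrant") and "REDACTED" in " ".join(vals).upper()
               for key, vals in fields.items())

def parse_dig_short(text):
    """Split dig +short output into (ipv4 list, ipv6 list), dropping CNAME
    targets and blank lines, which are not IP addresses."""
    v4, v6 = [], []
    for line in text.splitlines():
        try:
            addr = ipaddress.ip_address(line.strip())
        except ValueError:
            continue
        (v4 if addr.version == 4 else v6).append(str(addr))
    return v4, v6

if __name__ == "__main__":
    info = parse_whois(SAMPLE_WHOIS)
    print("registrar:", info["registrar"][0])
    print("name servers:", info["name server"])
    print("privacy protected:", whois_privacy_protected(info))
    print("addresses:", parse_dig_short(SAMPLE_DIG))
```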

5d. Examining use of IPv6 at remote location

Description:

External penetration testing involves assessing the security of a network or system from an external perspective, typically simulating the actions of a potential attacker. When specifically examining the use of IPv6 at a remote location, there are several considerations and steps you can take to ensure a thorough assessment:

• Inventory of IPv6 Assets:
o Identify all IPv6-enabled devices and systems in the remote location. This includes routers, switches, servers, and any other networked devices.
• Network Topology Mapping:
o Create a detailed map of the IPv6 network topology. Understand how devices are interconnected and the flow of IPv6 traffic within the network.
• Vulnerability Scanning:
o Perform vulnerability scans on IPv6 addresses to identify potential weaknesses and security flaws. Use specialized tools that support IPv6 scanning.
• Enumeration and Discovery:
o Enumerate IPv6 addresses and services. Look for open ports, running services, and any potential misconfigurations.
• Security Policy and Configuration Review:
o Review the IPv6-related security policies and configurations on routers, firewalls, and other network devices. Ensure that security best practices are followed, and unnecessary services are disabled.
• Firewall and ACL Assessment:
o Evaluate the effectiveness of IPv6 firewall rules and Access Control Lists (ACLs). Check for any overly permissive rules that might expose the network to unnecessary risks.
• Endpoint Security:
o Assess the security posture of individual devices with IPv6 capabilities. This includes servers, workstations, and other networked equipment.
• Traffic Analysis:
o Monitor and analyze IPv6 network traffic for any anomalous patterns or potential signs of malicious activity.
• Penetration Testing:
o Conduct penetration testing exercises to simulate real-world attacks on the IPv6 infrastructure. This may involve exploiting known vulnerabilities, attempting privilege escalation, or other attack scenarios.
• Security Awareness Training:
o Assess the level of security awareness among the remote location's personnel. Social engineering tests can be valuable to identify potential weaknesses in human security practices.
• Incident Response Testing:
o Evaluate the effectiveness of the incident response plan for IPv6-related incidents. This may include testing the detection and response capabilities to IPv6-specific threats.
• Documentation Review:
o Review the documentation related to IPv6 implementation, including any security guidelines or procedures. Ensure that the best practices are being followed.
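An added example for the Firewall and ACL Assessment step (not from the lab manual): it scans ip6tables-save style rules, constructed here as a sample ruleset, and reports INPUT ACCEPT rules that are reachable from any IPv6 source on a port that is not meant to be public. The subset of options it parses and the list of public ports are assumptions for the example.

```python
"""Flag overly permissive IPv6 firewall rules in ip6tables-save style output."""
import ipaddress
import shlex

# Constructed sample ruleset, not taken from any real device.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s 2001:db8:10::/48 -p tcp --dport 22 -j ACCEPT
-A INPUT -s ::/0 -p tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 5432 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options this check uses
    (-s, -p, --dport, -j); every other option is skipped."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "src": None, "proto": None, "dport": None, "target": None}
    i = 2
    while i < len(toks):
        opt = toks[i]
        if opt == "-s":
            rule["src"] = toks[i + 1]
        elif opt == "-p":
            rule["proto"] = toks[i + 1]
        elif opt == "--dport":
            rule["dport"] = int(toks[i + 1])
        elif opt == "-j":
            rule["target"] = toks[i + 1]
        else:
            i += 1          # option without a value we care about
            continue
        i += 2
    return rule

def is_any_source(src):
    """No -s at all, or a /0 prefix such as ::/0, means 'any IPv6 source'."""
    return src is None or ipaddress.ip_network(src, strict=False).prefixlen == 0

def find_permissive(text, public_ports=(80, 443)):
    """Return (port, source) pairs for INPUT ACCEPT rules open to any source on a
    non-public port. Rules without --dport (loopback, ICMPv6, state tracking) are
    left alone here; they still deserve a manual review."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        r = parse_rule(line)
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT" or r["dport"] is None:
            continue
        if is_any_source(r["src"]) and r["dport"] not in public_ports:
            findings.append((r["dport"], r["src"] or "any"))
    return findings

if __name__ == "__main__":
    for port, src in find_permissive(SAMPLE_RULES):
        print(f"port {port} accepted from {src}: restrict the source or drop the rule")
```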

Program 6:

AIM: Different types of vulnerability scanning

Procedure:

Description:

Vulnerability scanning is a critical component of cybersecurity that involves identifying and assessing vulnerabilities in computer systems, networks, and applications. There are various types of vulnerability scanning, each serving a specific purpose. Here are some common types:

• Network Scanning:
o Port Scanning: Identifies open ports and services on a network.
o Host Discovery: Determines active hosts on a network.
o Operating System Detection: Attempts to identify the operating system running on a target system.
• Web Application Scanning:
o Automated Scanning: Uses tools to automatically discover and assess vulnerabilities in web applications.
o Manual Testing: Involves manual inspection of web applications for vulnerabilities, often using tools like Burp Suite.
• Database Scanning:
o Identifying Database Vulnerabilities: Scans databases for vulnerabilities, misconfigurations, and weak access controls.
• Wireless Network Scanning:
o Wireless Network Discovery: Identifies active wireless networks and access points.
o Encryption Assessment: Assesses the security of wireless network encryption protocols.
• Cloud Infrastructure Scanning:
o Cloud Service Configuration Scanning: Checks cloud service configurations for security vulnerabilities.
o Container Scanning: Examines containers for vulnerabilities and misconfigurations.
• Host Scanning:
o Operating System and Service Version Scanning: Identifies vulnerabilities associated with specific operating systems and service versions.
o Credential Scanning: Checks for weak or default credentials on systems.
• Compliance Scanning:
o Ensuring Regulatory Compliance: Scans for vulnerabilities that might violate regulatory compliance standards.
• IoT Device Scanning:
o Identifying IoT Vulnerabilities: Scans Internet of Things (IoT) devices for security weaknesses.
• Mobile Application Scanning:
o Mobile App Vulnerability Assessment: Identifies vulnerabilities in mobile applications, such as insecure data storage or insecure communication.
• Social Engineering Vulnerability Scanning:
o Phishing Simulations: Tests an organization's susceptibility to phishing attacks.
o User Awareness Assessments: Assesses the security awareness of users through various means.
• Thick Client Application Scanning:
o Assessing Standalone Applications: Identifies vulnerabilities in standalone applications that run on client machines.
• Incident Response Scanning:
o Post-Incident Analysis: Scans systems after a security incident to identify how the compromise occurred and assesses the extent of the impact.

Program 7:

AIM: Vulnerability scanning with Nessus

Procedure:

Nessus is a widely used vulnerability scanning tool that helps identify security vulnerabilities in a network, system, or application. Here is a general guide on how to perform vulnerability scanning using Nessus:

1. Installation:

• Download and install Nessus from the Tenable website.
• Follow the installation instructions provided for your operating system.

2. Setup:

• Launch Nessus and access the web interface. Typically, you can access it by navigating to https://localhost:8834 in a web browser.
• Log in with the credentials you set during the installation.

3. Create a New Scan:

• Click on "Scans" in the top navigation bar.
• Click "New Scan" to create a new scanning configuration.

4. Configure Scan Settings:

• Provide a meaningful name for the scan.
• Choose the target to scan (IP addresses, ranges, domains, etc.).
• Set the scan policy (e.g., internal network scan, external scan).
• Adjust other settings based on your requirements.

5. Select Plugins and Policies:

• Nessus uses plugins to perform various types of checks. Choose the plugins or policies that match your scanning requirements.
• Consider compliance checks, malware detection, or specific vulnerability categories.

6. Schedule the Scan:

• Set up a schedule for the scan if needed (daily, weekly, etc.).

7. Launch the Scan:

• Save the scan configuration and click "Launch" to start the scan.

8. Review Scan Results:

• Once the scan is complete, review the results in the Nessus interface.
• Prioritize vulnerabilities based on severity levels.

9. Generate Reports:

• Generate reports to share with relevant stakeholders.
• Reports can include details on identified vulnerabilities, their severity, and recommended remediation steps.

10. Remediation:

• Work with your IT team to remediate identified vulnerabilities.
• Re-scan periodically to ensure that vulnerabilities are addressed.

Tips and Best Practices:

• Regular Scanning: Perform regular scans to stay on top of the evolving threat landscape.
• Credential Scanning: Provide credentials for authenticated scans to get more accurate results.
• Prioritize and Plan Remediation: Focus on addressing high-risk vulnerabilities first.
• Review and Customize Policies: Tailor scan policies to your organization's specific needs.
• Integrate with Other Tools: Nessus can integrate with other security tools and platforms for a more comprehensive security strategy.
• Stay Informed: Keep track of Nessus updates and security bulletins to ensure the tool is using the latest vulnerability checks.


Program 8 & 9:

AIM: Web application assessment with Nikto & Burp Suite

Procedure:

Description:

Web application assessment using tools like Nikto and Burp Suite is a common practice for identifying potential vulnerabilities and securing web applications. Here's a basic guide on how you can perform a web application assessment using Nikto and Burp Suite:

1. Set Up Your Environment:

• Ensure you have Nikto and Burp Suite installed on your machine.

2. Configure Burp Suite:

• Open Burp Suite and configure your browser to use Burp as a proxy. Set up an interception point to analyze and modify HTTP requests and responses.

3. Configure Nikto:

• Nikto is a web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.
• Run Nikto from the command line. For example:

    nikto -h <target_url>

• Replace <target_url> with the URL of the web application you want to assess.

4. Burp Suite Spidering:

• Use Burp Suite's Spider tool to crawl the web application. This helps in mapping out the structure and functionality of the application.

5. Manual Exploration:

• Manually navigate through the web application to identify and analyze different functionalities.

6. Burp Suite Active Scanning:

• Burp Suite's Active Scanner can automatically scan for a variety of common web application vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and more.
• Configure the active scanner with the appropriate settings, including payload options and scope.

7. Review and Analyze Results:

• Analyze the results from both Nikto and Burp Suite. Pay attention to identified vulnerabilities, warnings, and informational findings.

8. Exploitation and Verification:

• If vulnerabilities are found, you may attempt exploitation to verify the risk. However, ensure you have proper authorization before attempting any exploitation.

9. Documentation:

• Document your findings, including identified vulnerabilities, their severity, and potential impact.

10. Reporting:

• Generate a comprehensive report that includes a summary of the assessment, identified vulnerabilities, and recommendations for remediation.

Important Considerations:

• Authorization: Ensure you have proper authorization before scanning or testing any web application.
• False Positives/Negatives: Be aware that automated tools can produce false positives and false negatives. Manual verification is crucial.
• Scope: Clearly define the scope of your assessment to avoid unintended consequences.
• Data Privacy: Respect privacy and legal considerations while conducting assessments.


Program 10:

AIM: Implement Web application assessment with OWASP ZAP

Procedure:

OWASP ZAP & GitHub Actions

Coding is more than just typing lines of text; it’s about ensuring your web applications are secure. One crucial aspect of security is protecting your web apps from vulnerabilities. In this blog post, we’ll walk you through integrating OWASP ZAP (Zed Attack Proxy), a powerful tool for Dynamic Application Security Testing (DAST), with GitHub Actions.

What is OWASP ZAP (DAST)?

OWASP ZAP, also known as the Zed Attack Proxy, is a tool that helps you identify security vulnerabilities in your web applications. It works by simulating attacks on your web app to uncover weaknesses that malicious hackers could exploit. In essence, it acts like a security guard for your web applications, making sure they’re well-protected.

What is GitHub Actions?

GitHub Actions is a feature offered by GitHub, your developer’s best friend, that lets you automate various tasks in your software development workflow. Think of it as a virtual assistant for your coding tasks, like testing, building, and deploying your code automatically.

Why Integrate OWASP ZAP with GitHub Actions?

Integrating OWASP ZAP with GitHub Actions is a smart move for several reasons:

1. Continuous Security Testing: By integrating OWASP ZAP into your GitHub Actions workflow, you can automatically test your web application’s security every time you make changes. This means you can catch and fix vulnerabilities early in your development process.

2. Realistic Testing: OWASP ZAP simulates real-world attacks, giving you a better understanding of your web app’s security posture.

3. Automatic Feedback: You receive immediate feedback on your web app’s security, making it easier to address any security concerns.

Now, let’s dive into the steps of how to set up OWASP ZAP in GitHub Actions.

Setting up OWASP ZAP in GitHub Actions

Here’s a step-by-step guide:

Step 1: Set Up Your Web Application

Before you begin, make sure your web application is up and running, accessible via a URL. OWASP ZAP will need this URL to test your web app’s security.


Let’s identify a test web application for running a DAST scan. I’ll go to Google and search for a test vulnerable application. This one is a test web application, which is a vulnerable web application available for testing.

Home of Acunetix Art
Test site for Acunetix WVS. Warning: This is not a real shop. This is an example PHP application, which is…
testphp.vulnweb.com

Step 2: Create a Workflow

Start by creating a repository for your project in GitHub. Let’s call it “GitHubAction_OWASP-ZAP-SCAN”. After that, clone the git repository to your local system. Now, create a GitHub Actions workflow file (e.g., .github/workflows/owasp-zap-scan.yml) in your repository.

(Screenshot: Git repository)

Add Secrets to GitHub

In your GitHub repository, go to “Settings” > “Secrets” and add a secret named git_hub_token with the value of the token you generated. This keeps your token secure.

(Screenshot: GitHub token)

Define the Workflow:

Here’s the workflow, written in YAML:

owasp-zap-scan.yml

name: OWASP ZAP Integration with GitHub Actions
on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: main
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          docker_name: 'owasp/zap2docker-stable'
          target: 'http://testphp.vulnweb.com/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

This workflow triggers an OWASP ZAP scan whenever changes are pushed to the main branch.

Here’s what the code does step by step:

1. It specifies that this action should run when there is a “push” event, which typically means when code is pushed or updated in the repository.

2. It defines a job named “zap_scan” that will run on a computer running Ubuntu.

3. Inside the job, there are some steps that will be executed in order:

• “Checkout” step: This step checks out (or downloads) the latest code from the “main” branch of the repository.

• “ZAP Scan” step: This step uses a tool called OWASP ZAP to scan a web application. Here are the details:

• It uses a specific version of ZAP, which is contained in a Docker container (a sort of isolated environment for running software).

• It specifies the web application to scan, which is “http://testphp.vulnweb.com/” in this case.

• It tells ZAP to use a set of security rules defined in a file named “rules.tsv” located in a folder called “.zap” within the repository.

• It provides some additional command-line options to ZAP using the “cmd_options” parameter, which might include specific settings or configurations for the scan.

In simpler terms, this code sets up an automated security scan for a web application every time there’s a code update in a GitHub repository. It uses a tool called OWASP ZAP to check for security issues in the web application, and the results of this scan can help identify and fix potential security problems in the application.
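An added example, not the zaproxy action’s own code, showing how the rules file named by rules_file_name shapes the scan outcome: each line carries a plugin id, an action (IGNORE, WARN or FAIL) and an optional note, separated by tabs, and plugins with no rule default to WARN, so only FAIL entries make the job fail the workflow. The plugin ids, notes and findings below are constructed samples.

```python
"""Apply a .zap/rules.tsv file to ZAP baseline findings and decide the outcome."""
from collections import defaultdict

# Constructed rules file: <plugin id> TAB <IGNORE|WARN|FAIL> TAB <note>.
# The ids are used as illustrative samples only.
SAMPLE_RULES_TSV = """\
# id\taction\tnote
10021\tIGNORE\t(X-Content-Type-Options Header Missing: accepted on static assets)
10020\tFAIL\t(Anti-clickjacking header missing: must not regress)
"""

# Constructed findings as (plugin id, alert name, number of affected URLs).
SAMPLE_FINDINGS = [
    ("10021", "X-Content-Type-Options Header Missing", 4),
    ("10020", "Missing Anti-clickjacking Header", 2),
    ("10038", "Content Security Policy (CSP) Header Not Set", 6),
]

VALID_ACTIONS = {"IGNORE", "WARN", "FAIL"}

def parse_rules(text):
    """Map plugin id -> action, skipping blank and '#' comment lines; a line
    without a valid action raises so a typo cannot silently downgrade a rule."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2 or parts[1].strip().upper() not in VALID_ACTIONS:
            raise ValueError(f"rules.tsv line {lineno}: expected '<id>\\t<IGNORE|WARN|FAIL>'")
        rules[parts[0].strip()] = parts[1].strip().upper()
    return rules

def classify(findings, rules):
    """Group findings by effective action; a plugin with no rule defaults to WARN,
    which is reported but does not fail the build."""
    buckets = defaultdict(list)
    for plugin_id, name, count in findings:
        buckets[rules.get(plugin_id, "WARN")].append((plugin_id, name, count))
    return dict(buckets)

def scan_should_fail(buckets):
    """The baseline job fails the workflow only when some finding is marked FAIL."""
    return bool(buckets.get("FAIL"))

if __name__ == "__main__":
    result = classify(SAMPLE_FINDINGS, parse_rules(SAMPLE_RULES_TSV))
    for action in ("FAIL", "WARN", "IGNORE"):
        for plugin_id, name, count in result.get(action, []):
            print(f"{action:6} {plugin_id} {name} ({count} URLs)")
    print("workflow fails:", scan_should_fail(result))
```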

Step 3: Run Your Workflow

Commit the workflow file and push it to your GitHub repository. GitHub Actions will automatically run the workflow, and you can view the scan results to identify any security vulnerabilities in your web app.

    git status
    git add .
    git commit -m "Create owasp-zap-scan.yml"
    git push

(Screenshot: OWASP-ZAP-Scan job)

(Screenshot: ZAP Scan Baseline Report)

(Screenshot: ZAP Scan download)