VAPT LAB Manual - vapt

cyber security (Malla Reddy Group of Institutions)


Program 1:

AIM: Monitoring Network Traffic

DESCRIPTION: Monitoring network traffic using Wireshark is an excellent way to gain
hands-on experience in capturing and analyzing network packets. Below is a step-by-step
guide to performing a basic network traffic monitoring lab experiment using Wireshark:

Objective:
Capture and analyze network traffic to understand data flow and identify key network
characteristics.

Prerequisites:

1. A computer with Wireshark installed. Wireshark is available for various operating systems.
2. Access to a network with active communication (e.g., internet access, local network, or
virtual lab environment).

Steps:

1. Install Wireshark: If you haven't already, download and install Wireshark on your computer.
You can find the installer for your operating system on the Wireshark website.
2. Start Wireshark: Launch Wireshark on your computer. Note that you might
need administrative privileges to capture packets on some operating systems.
3. Select the Network Interface: Wireshark allows you to choose the network interface for
capturing packets. Select the appropriate interface connected to the network you want to
monitor. For example, if you are connected via Wi-Fi, select the Wi-Fi interface.
4. Start Capturing Packets: Click on the "Start" button in Wireshark to begin capturing packets
on the selected network interface.
5. Generate Network Traffic: To capture network traffic, you need to generate network
activity. Perform various network activities such as browsing websites, sending emails,
pinging other devices, or accessing network resources.
6. Stop Capturing Packets: After performing network activities, stop the packet capture
in Wireshark by clicking the "Stop" button.
7. Analyze Captured Packets: Once the capture is stopped, you will see a list of captured packets
in Wireshark's main window. Each row represents a captured packet, and the columns provide
information about the source and destination addresses, protocols, and other packet details.
8. Apply Filters (Optional): To focus on specific packets of interest, you can use display filters in
Wireshark. Filters allow you to show only packets matching specific criteria, such as source or
destination IP, protocol, or port.


9. Inspect Packet Contents: Select a packet of interest from the list, and Wireshark will display
detailed information about the packet, including the packet header, payload data, and other
relevant details.
10. Analyze Packet Timing and Flow: Use Wireshark's analysis features to examine packet
timing, flow, and potential network issues or anomalies.
11. Save Capture File (Optional): If you want to save the captured packets for further analysis
or documentation, you can save the capture file in a format such as PCAP (Packet Capture).
12. Review and Interpret Results: Review the captured packets, analyze network behavior, and
interpret the results to gain insights into network traffic patterns and characteristics.

VIVA QUESTIONS

1. What is network traffic monitoring?


Answer: Network traffic monitoring refers to the process of capturing and analyzing data
packets flowing through a computer network. It helps gain insights into network health,
performance, security, and assists in detecting and investigating potential security threats or
anomalies.

2. What are the common methods of network traffic monitoring?


Answer: Common methods of network traffic monitoring include packet sniffing,
NetFlow/sFlow, network taps, intrusion detection systems (IDS), and SIEM (Security
Information and Event Management) solutions.

3. Why is monitoring network traffic essential for network security?


Answer: Monitoring network traffic is essential for network security because it helps in identifying
and mitigating security threats, detecting abnormal behavior, monitoring for data exfiltration, and
ensuring compliance with security policies.

4. What are some common metrics measured during network traffic monitoring?

Answer: Common metrics measured during network traffic monitoring include bandwidth
utilization, packet loss rate, latency, traffic volume by protocol, top talkers, and top applications.
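The following Python script is an added example (not part of the manual) that reads a capture in the PCAP format step 11 refers to and computes two of the metrics named in question 4, traffic volume by protocol and top talkers. It assumes Ethernet link-layer frames; the sample capture is constructed inline with addresses from documentation ranges.

```python
"""Parse a PCAP file (the format Wireshark saves) and compute per-protocol
byte counts and top talkers. The sample capture is constructed inline so the
script runs offline; IPv4 checksums are neither computed nor verified."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution PCAP magic number
LINKTYPE_ETHERNET = 1
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pcap(data: bytes):
    """Yield the raw Ethernet frame of every packet record in a PCAP blob."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:          # file bytes D4 C3 B2 A1: little-endian writer
        endian = "<"
    elif magic == 0xD4C3B2A1:        # file bytes A1 B2 C3 D4: big-endian writer
        endian = ">"
    else:
        raise ValueError("not a PCAP file (bad magic number)")
    # Global header: magic, version major/minor, tz offset, sigfigs, snaplen, link type.
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        # Packet record header: ts_sec, ts_usec, captured length, original length.
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def decode_ipv4(frame: bytes):
    """Return (src_ip, dst_ip, protocol_name, ip_total_length), or None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]   # IPv4 total length field
    proto = frame[23]                                   # IPv4 protocol field
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, IP_PROTO_NAMES.get(proto, f"proto-{proto}"), total_len


def traffic_metrics(pcap: bytes, top_n: int = 3):
    """Packet count, bytes per IP protocol, and the hosts that sent the most bytes."""
    by_proto, by_talker, packets = Counter(), Counter(), 0
    for frame in parse_pcap(pcap):
        packets += 1
        decoded = decode_ipv4(frame)
        if decoded is None:
            by_proto["non-IPv4"] += len(frame)
            continue
        src, _dst, proto, length = decoded
        by_proto[proto] += length
        by_talker[src] += length
    return {"packets": packets, "bytes_by_protocol": dict(by_proto),
            "top_talkers": by_talker.most_common(top_n)}


# --- Constructed sample capture (not a real recording) ----------------------
def _ipv4_frame(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal Ethernet + IPv4 frame carrying a zero-filled payload."""
    eth = bytes(12) + b"\x08\x00"                      # zero MACs, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    return eth + ip_hdr + bytes(payload_len)


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian PCAP container with dummy timestamps."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


SAMPLE_PCAP = build_pcap([
    _ipv4_frame("192.168.1.10", "198.51.100.7", 6, 500),   # TCP, 520 IP bytes
    _ipv4_frame("192.168.1.10", "198.51.100.7", 6, 300),   # TCP, 320 IP bytes
    _ipv4_frame("192.168.1.20", "192.168.1.1", 17, 60),    # UDP, 80 IP bytes
    _ipv4_frame("192.168.1.1", "192.168.1.20", 1, 40),     # ICMP, 60 IP bytes
])

if __name__ == "__main__":
    for key, value in traffic_metrics(SAMPLE_PCAP).items():
        print(f"{key}: {value}")
```

Point `traffic_metrics` at the bytes of a file saved from Wireshark (File > Save As, pcap format) to run it on a real capture.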


Program 2:

AIM: Host & Services Discovery using Nmap

DESCRIPTION: Nmap (Network Mapper) is a powerful open-source tool used for network
exploration and security auditing. It can be used to discover hosts (devices) and services running
on a network. Here's a guide on how to perform host and services discovery using Nmap:

1. Install Nmap: If you haven't already, download and install Nmap on your system. Nmap is
available for various operating systems, including Windows, Linux, and macOS.

2. Determine the Target IP Range: Identify the IP range or subnet you want to scan. For example,
if you want to scan all devices in the 192.168.1.0/24 subnet, the IP range is 192.168.1.1-254.

3. Basic Host Discovery: Open a terminal or command prompt and run the following command to
perform a basic host discovery using Nmap:

For example:

The -sn option tells Nmap to perform a ping scan to discover live hosts in the specified IP
range.

4. Aggressive Host Discovery: If you want to perform a more aggressive host discovery,
you can use the -Pn option, which skips the host discovery phase and sends probes directly to all
specified targets:


5. Service Discovery: To discover open ports and services running on the discovered
hosts, use the following command:

Replace <target IP> with the IP address of a live host identified in the previous step. The -p-
option tells Nmap to scan all 65,535 ports on the target.

6. Common Ports Discovery: If you want to scan only common ports (top 1000), use the
following command:

7. Service Version Detection: To determine the version of services running on open ports, use
the -sV option:

8. Save Output to a File: You can save the Nmap scan results to a file for later
analysis using the -oN option:

9. Timing and Performance Options: Nmap allows you to control the timing
and performance of the scan. By default, Nmap uses the -T4 option, which is a
balanced setting. You can adjust the timing to be more aggressive (e.g., -T5) or
more conservative (e.g., -T3).


VIVA QUESTIONS:

1. What is Nmap?
Answer: Nmap (Network Mapper) is a powerful open-source network scanning tool used for
host discovery, port scanning, service enumeration, and vulnerability assessment.

2. How does Nmap perform host discovery?


Answer: Nmap uses various techniques for host discovery, such as ICMP ping (default), TCP
SYN scan, TCP ACK scan, and ICMP echo request.

3. What is the purpose of host discovery in Nmap?


Answer: Host discovery in Nmap identifies live hosts within a specified IP range, enabling
targeted scanning of active devices.

4. How do you specify the IP range for host discovery in Nmap?


Answer: The IP range is specified using the target specification argument when running Nmap.
For example, "nmap 192.168.1.0/24" scans all hosts in the 192.168.1.0/24 subnet.

5. What is the purpose of service discovery in Nmap?


Answer: Service discovery in Nmap identifies open ports and services running on the scanned
hosts, providing insights into the network's available services and potential attack vectors.

6. How do you perform service discovery with Nmap?


Answer: Use the "-p" option to specify the ports to scan. For example, "nmap -p 1-1000
192.168.1.100" scans ports 1 to 1000 on the host 192.168.1.100.

7. What is the significance of the "-sV" option in Nmap?


Answer: The "-sV" option enables version detection, allowing Nmap to determine the service
and its version running on open ports, providing more detailed information during service discovery.
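As an added example (not part of the manual), the Python script below turns Nmap's XML output (the -oX option, a companion to the -oN option used above) into a host and service inventory, then flags open services that carry credentials in plain text, the ones section 4d of this manual recommends replacing. The XML is constructed to resemble a small -sV scan and is not real scan output.

```python
"""Turn an Nmap XML report (-oX) into a host/service inventory and flag open
services that carry credentials in plain text. The XML below is constructed to
mimic a small -sV scan; it is not real scan output."""
import xml.etree.ElementTree as ET

# Cleartext-authentication services named in section 4d of this manual and the
# secure replacement it recommends for each.
CLEARTEXT_SERVICES = {"telnet": "SSH", "ftp": "FTPS or SFTP", "pop3": "POP3S"}

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -p- -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/></port>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/>
        <service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.50" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/></port>
      <port protocol="tcp" portid="110"><state state="open" reason="syn-ack"/>
        <service name="pop3"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str):
    """Return [{'ip': ..., 'services': [{'port', 'protocol', 'name', 'product', 'version'}]}]
    for every host Nmap reported as up; only open ports are listed."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue   # host discovery said it was down; nothing to inventory
        ipv4 = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue   # closed/filtered ports are noise for an inventory
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "name": svc.get("name", "unknown") if svc is not None else "unknown",
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({"ip": ipv4[0] if ipv4 else None, "services": services})
    return hosts


def cleartext_auth_findings(hosts):
    """(ip, port, service, recommended replacement) for each plaintext-auth service."""
    return [(h["ip"], s["port"], s["name"], CLEARTEXT_SERVICES[s["name"]])
            for h in hosts for s in h["services"] if s["name"] in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for host in inventory:
        print(host["ip"], [f"{s['port']}/{s['protocol']} {s['name']}" for s in host["services"]])
    for ip, port, name, fix in cleartext_auth_findings(inventory):
        print(f"{ip}:{port} runs {name}; migrate to {fix}")
```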


Program 3:

AIM: Vulnerability Scanning using OpenVAS

DESCRIPTION: OpenVAS (Open Vulnerability Assessment System) is a powerful open-source
vulnerability scanner that helps identify security issues in networks, servers, and
applications. Here's a step-by-step guide on how to perform vulnerability scanning using
OpenVAS:

1. Install OpenVAS: OpenVAS is available in different distributions and can be installed on
Linux systems. You can find installation instructions on the OpenVAS website or within
your Linux distribution's package manager.

2. Configure OpenVAS: Once OpenVAS is installed, you need to configure it before using it
for scanning. The main configuration involves setting up administrative credentials and creating
a user account.

3. Access OpenVAS Web Interface: OpenVAS provides a web-based interface to manage
and perform scans. Open your web browser and enter the URL of the OpenVAS web interface
(usually https://localhost:9392).

4. Log in to OpenVAS: Use the administrator credentials or the user account you created
during the configuration to log in to the OpenVAS web interface.

5. Create a Target: Before starting a scan, you need to define the target. A target can be an
individual host, a range of IP addresses, or an entire network. Click on "Configuration" and then
"Targets" to create a new target.

6. Configure the Scan: Once the target is defined, you can create a scan task. Click on "Scans"
and then "Task Wizard" to start the process. You'll need to provide the target and choose the scan
type (e.g., Full and Fast, Full and Fast Ultimate, etc.).

7. Schedule the Scan (Optional): You can schedule the scan to run at a specific time or set it to
run immediately. You can also configure the frequency of recurring scans if needed.

8. Run the Scan: After configuring the scan, click on "Start" to initiate the scanning process.

9. View Scan Results: Once the scan is completed, you can view the results by clicking on
"Scans" and then selecting the completed scan task. The results will provide detailed information
about the vulnerabilities discovered on the target system.


10. Analyze and Remediate Vulnerabilities: Review the scan results to understand the
identified vulnerabilities. OpenVAS provides information about the severity of each
vulnerability and potential remediation steps. Prioritize and address the high-risk vulnerabilities
first.

11. Generate Reports: OpenVAS allows you to generate reports summarizing the scan results.
Click on "Reports" and select the scan report you want to generate. The report can be saved in
various formats, such as PDF or HTML.

12. Review and Rescan: After addressing the vulnerabilities, you may want to perform another
scan to ensure that the fixes were successful and to identify any new issues that may have
emerged.

VIVA QUESTIONS:

1. What is OpenVAS?
Answer: OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability
scanner that helps identify security weaknesses in networks, systems, and applications.

2. How does OpenVAS work?


Answer: OpenVAS performs vulnerability scanning by sending various probes and tests to the
target system to identify known vulnerabilities and misconfigurations.

3. What is the difference between a vulnerability scanner and a penetration testing tool?
Answer: A vulnerability scanner like OpenVAS is used to identify known vulnerabilities and
weaknesses, whereas a penetration testing tool goes a step further by attempting to exploit those
vulnerabilities to assess their potential impact.

4. How do you set up OpenVAS for vulnerability scanning?


Answer: To set up OpenVAS, you need to install and configure it on a dedicated server. The
installation process may vary depending on the operating system used. Once installed, access the
OpenVAS web interface to configure targets and tasks for scanning.

5. How does OpenVAS handle false positives in scan results?


Answer: OpenVAS provides information about potential vulnerabilities, but it is essential to
manually verify and validate each finding. False positives can occur, so careful analysis is required
before taking any action.


Program 4:

AIM: Perform Registry analysis

DESCRIPTION:

Performing internet penetration testing involves assessing the security of a system by simulating
cyberattacks. It includes identifying vulnerabilities, exploiting them, and providing
recommendations to enhance security. Keep in mind the importance of legal and ethical
considerations when conducting penetration tests.

4a. Mapping

Description:

Internal penetration testing mapping is a crucial phase in assessing the security of an
organization's network from within. It involves systematically scanning and mapping the
internal network to identify potential entry points and vulnerabilities. The goal is to simulate
an attacker's perspective and uncover weaknesses that could be exploited.

Objective:

The objective of this lab is to simulate an internal penetration testing scenario, focusing on
mapping the network to identify vulnerabilities and potential security risks.

Lab Environment Setup:

1. Set up a virtualized environment using platforms like VMware or VirtualBox.
2. Deploy virtual machines representing different network segments, including
servers, workstations, and network devices.
3. Ensure all virtual machines are properly isolated and connected to a dedicated internal network.

Tools and Software:

• Nmap: For host discovery, open port identification, and network mapping.
• Nessus or OpenVAS: For vulnerability scanning.
• Metasploit: For exploitation and post-exploitation.

Lab Phases:

1. Discovery:

• Use Nmap to discover active hosts in the network: nmap -sn <target>


• Identify open ports and services: nmap -p- -A <target>
• Document IP addresses, open ports, and identified services.

2. Topology Mapping:

• Create a network topology diagram using tools like draw.io or Lucidchart.
• Identify network devices, including routers, switches, and key servers.
• Note the physical or logical connections between devices.

3. Vulnerability Scanning:

• Run Nessus or OpenVAS scans on discovered hosts: nessus <target> or openvas <target>
• Prioritize vulnerabilities based on severity ratings.
• Document identified vulnerabilities for each host.

4. Exploitation:

• Use Metasploit to exploit identified vulnerabilities: msfconsole
• Safely demonstrate the exploitation process.
• Document successful and unsuccessful exploitation attempts.

5. Post-Exploitation:

• Assess the impact of successful exploits on compromised systems.
• Document potential lateral movement paths within the network.
• Identify additional vulnerabilities that may be exploited.

6. Reporting:

• Compile a comprehensive report detailing the entire penetration testing process.
• Include an executive summary, methodology, findings, risk assessment, and
recommended mitigations.
• Provide a roadmap for improving the organization's security posture.

4b. Scanning

Description:

Internal penetration testing involves conducting a comprehensive security assessment within an
organization's network to identify vulnerabilities that could be exploited by potential attackers.
This process includes simulating real-world cyber threats by utilizing various testing
methodologies to uncover weaknesses in systems, applications, and network configurations.
Internal penetration testers employ ethical hacking techniques to evaluate the effectiveness of
existing security measures, providing valuable insights for organizations to strengthen their
internal defenses and enhance overall cybersecurity posture.


Scanning in Internal Penetration Testing:

1. Objective:

• The primary goal of the scanning phase is to systematically identify and catalog all
active devices and services within the internal network.

2. Network Discovery:

• Utilizing tools like arp-scan and netdiscover to discover live hosts on the network.
• Understanding the importance of accurate and up-to-date network maps.

3. Network Mapping:

• Employing tools such as nmap to map the network topology.
• Gathering information on open ports, services, and their interconnections.

4. Service Enumeration:

• Identifying active services on discovered hosts.
• Extracting detailed information about the version and configuration of each service.

5. Vulnerability Scanning:

• Utilizing automated vulnerability scanning tools like Nessus or OpenVAS.
• Scanning for known vulnerabilities in the identified services and systems.

6. Importance of Scanning:

• Scanning provides a baseline understanding of the internal network's structure and
potential weak points.
• It helps in prioritizing security efforts by highlighting critical vulnerabilities.

7. Challenges and Considerations:

• Overcoming challenges such as network segmentation and firewall restrictions.
• Adapting scanning techniques to avoid disruption to critical services.

8. Documentation:

• Accurate documentation of scan results, including discovered hosts, services, and vulnerabilities.
• Providing a foundation for further exploitation and post-exploitation phases.

9. Interactive Learning:

• Encouraging participants to actively engage with scanning tools.
• Discussing different scanning scenarios and their implications.

10. Legal and Ethical Considerations:

• Reinforcing the importance of conducting scanning activities within the rules of engagement.
• Emphasizing ethical behavior and respect for the organization's policies.

11. Integration with Other Phases:



• Highlighting how scanning sets the stage for subsequent phases like vulnerability
analysis and exploitation.
• Emphasizing the iterative nature of penetration testing and the need for continuous testing.

12. Feedback and Improvement:

• Encouraging participants to provide feedback on the scanning process.
• Emphasizing the importance of continuous improvement in penetration testing methodologies.

4c. Gaining access through CVEs

Description:

Penetration testing, also known as ethical hacking, involves assessing the security of computer
systems, networks, or web applications to identify vulnerabilities that could be exploited by
malicious actors.
Gaining unauthorized access through Common Vulnerabilities and Exposures (CVEs) is one
aspect of penetration testing that focuses on leveraging known vulnerabilities to assess the
resilience of a system or network.

Internal Penetration Testing - Gaining Access through CVEs:

1. Objective:

• The primary goal is to simulate a real-world scenario where an attacker exploits
known vulnerabilities (CVEs) to gain unauthorized access to a system or
network.

2. Preparation:

• Identify target systems or services that may be susceptible to known vulnerabilities.
• Research and compile a list of relevant CVEs associated with the target technologies.

3. Vulnerability Scanning:

• Utilize automated scanning tools like Nessus, OpenVAS, or Qualys to identify
vulnerabilities in the target systems.
• Focus on vulnerabilities with known exploits, as documented in the CVE database.

4. CVE Exploitation:

• Choose specific CVEs based on the scanning results that are applicable to the target environment.
• Utilize publicly available exploits or proof-of-concept code associated with the selected CVEs.

5. Payload Delivery:

• Develop or leverage existing payloads to exploit the identified vulnerabilities.
• Consideration of the delivery mechanism (e.g., phishing, direct exploitation) based on
the nature of the vulnerability.

6. Privilege Escalation:

• Upon successful exploitation, attempt to escalate privileges to gain higher levels of
access within the system or network.
• Utilize techniques such as privilege escalation exploits or credential harvesting.

7. Persistence:

• Establish persistence mechanisms to maintain access even after system reboots or
security measures are implemented.
• Deploy backdoors, rootkits, or other covert means of access.
8. Post-Exploitation Activities:

• Conduct reconnaissance within the compromised system or network.
• Explore lateral movement opportunities to access other systems and sensitive data.

9. Documentation:

• Thoroughly document the entire process, including the selected CVEs, exploitation
techniques, and the extent of access achieved.
• Provide clear insights into the potential impact of a successful attack.

10. Reporting:

• Prepare a detailed penetration testing report outlining the vulnerabilities
exploited, the methodology used, and recommendations for remediation.
• Emphasize the business impact and potential risks associated with the exploited vulnerabilities.

11. Legal and Ethical Considerations:

• Ensure that all penetration testing activities adhere to legal and ethical standards.
• Obtain proper authorization before conducting any testing.

12. Feedback and Remediation:

• Engage with the organization's security team to provide feedback on the
vulnerabilities discovered.
• Collaborate on remediation strategies and provide guidance on improving overall
security posture.

4d. Sniffing POP3/FTP/Telnet Passwords

Description:

Internal Penetration Testing involves assessing the security of an organization's internal network,
systems, and applications to identify vulnerabilities that could be exploited by attackers. Sniffing
is one technique used in penetration testing to capture and analyze network traffic, including
sensitive information like passwords. Here's a brief description of sniffing passwords for POP3,
FTP, and Telnet protocols:

• POP3 (Post Office Protocol 3):
o Description: POP3 is an email retrieval protocol used to fetch emails from a
mail server to a client. When users access their email using POP3, their login
credentials (username and password) are transmitted over the network.
o Sniffing Approach: A penetration tester may use a network sniffer to capture
the POP3 traffic. By analyzing the captured packets, the tester can extract login
credentials in plain text, unless the communication is encrypted (e.g., using
POP3S, the secure version of POP3).
• FTP (File Transfer Protocol):
o Description: FTP is a standard network protocol used to transfer files between
a client and a server. It typically involves authentication, and credentials are
exchanged during the login process.
o Sniffing Approach: A penetration tester may use a network sniffer to capture
FTP traffic. FTP transmits login credentials in plain text, making it susceptible
to sniffing attacks. Unless the communication is encrypted (e.g., with FTPS or SFTP),
the usernames and passwords can be easily captured.
• Telnet:
o Description: Telnet is a protocol used for accessing remote systems. It allows a
user to log in to a remote machine and execute commands as if they were
directly connected to that machine.
o Sniffing Approach: Telnet transmits data, including login credentials, in plain
text. A penetration tester can use a network sniffer to capture Telnet traffic and
extract usernames and passwords. This is a significant security risk, as plain text
credentials can be easily intercepted by malicious actors.

To enhance the security of these protocols and mitigate the risk of sniffing attacks, it is
recommended to use secure alternatives or protocols that encrypt the communication, such as:

• POP3S (Secure POP3): Uses SSL/TLS encryption for secure email retrieval.
• FTPS (File Transfer Protocol Secure): Adds a layer of security to FTP using
SSL/TLS encryption.
• SSH (Secure Shell): A secure replacement for Telnet, encrypting the communication
between client and server.

4e. ARP Poisoning

Description:

Internal penetration testing involves assessing the security of an organization's internal network,
systems, and applications to identify vulnerabilities that could be exploited by malicious actors.
ARP (Address Resolution Protocol) poisoning, also known as ARP spoofing, is a common
technique used in such assessments to exploit weaknesses in the way local networks handle
address resolution.

Here's a description of ARP poisoning:

Address Resolution Protocol (ARP): ARP is a protocol used by network devices to map IP
addresses to physical MAC (Media Access Control) addresses. When a device on a local
network wants to communicate with another device, it uses ARP to discover the MAC address
associated with the target's IP address. ARP requests are broadcast on the local network, and
the device with the corresponding IP address responds with its MAC address.

ARP Poisoning: ARP poisoning involves manipulating the ARP tables on devices within a
local network. The attacker sends false ARP messages to associate their MAC address with
the IP address of another device on the network, diverting traffic intended for that device
through the attacker's system. This allows the attacker to intercept, modify, or drop the traffic,
potentially leading to various types of attacks.

Stages of ARP Poisoning:

• Discovery: The attacker scans the local network to identify IP addresses and
corresponding MAC addresses.
• Poisoning: The attacker sends forged ARP messages to update the ARP tables on
targeted devices, associating the attacker's MAC address with the IP addresses of
other devices.
• Interception: With the ARP tables manipulated, traffic intended for other devices
now passes through the attacker's system. The attacker can monitor, modify, or block
the traffic as needed.

Purposes of ARP Poisoning in Penetration Testing:

• Traffic Interception: ARP poisoning allows testers to intercept and analyze
network traffic, including sensitive information such as login credentials.
• Man-in-the-Middle Attacks: By redirecting traffic through their system, attackers can
perform man-in-the-middle attacks, capturing and modifying data in transit.
• Denial of Service (DoS): ARP poisoning can be used to disrupt network
communications by intercepting and dropping traffic.
Mitigation:

To prevent ARP poisoning attacks, organizations can implement secure practices such as ARP
spoofing detection tools, network segmentation, and the use of protocols like DHCP Snooping
and Dynamic ARP Inspection. Regular security audits and penetration testing help identify and
address vulnerabilities before malicious actors can exploit them.
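The Python script below is an added example (not part of the manual) of the "ARP spoofing detection tool" the Mitigation paragraph mentions. It learns IP-to-MAC bindings from ARP traffic, trusts a static binding for the gateway, and raises an alert for each of the symptoms the Poisoning stage above produces: a binding change, one MAC claiming several IPs, and an Ethernet source that disagrees with the ARP sender. All addresses are hypothetical, the frames are constructed in memory, and nothing is sent on a network.

```python
"""ARP poisoning detector: learns IP-to-MAC bindings from ARP traffic and alerts
when a binding changes, when a MAC claims several IPs, or when the Ethernet
source and the ARP sender disagree. Frames are constructed in memory with
hypothetical addresses; nothing is transmitted."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Decode an IPv4-over-Ethernet ARP frame; None if the frame is something else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "oper": oper,
            "sha": mac_str(frame[22:28]),   # sender hardware (MAC) address
            "spa": ip_str(frame[28:32]),    # sender protocol (IP) address
            "tpa": ip_str(frame[38:42])}    # target IP address


class ArpWatcher:
    """Tracks who answers for which IP and reports suspicious ARP activity."""

    def __init__(self, static_bindings=None):
        # Static bindings (gateway, servers) are trusted and never overwritten.
        self.static = dict(static_bindings or {})
        self.table = dict(self.static)      # ip -> mac currently believed
        self.claims = {}                    # mac -> set of IPs it has claimed

    def observe(self, frame: bytes):
        """Process one frame and return the alerts it raised (empty list if benign)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts, sha, spa = [], arp["sha"], arp["spa"]
        if arp["eth_src"] != sha:
            alerts.append(f"WARNING: Ethernet source {arp['eth_src']} != ARP sender {sha}")
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha           # first sighting of this IP: learn it
        elif known != sha and spa in self.static:
            alerts.append(f"CRITICAL: {sha} claims static IP {spa} (bound to {known}); "
                          "possible ARP poisoning")
        elif known != sha:
            alerts.append(f"WARNING: {spa} moved from {known} to {sha}")
            self.table[spa] = sha
        claimed = self.claims.setdefault(sha, set())
        if spa not in claimed:
            claimed.add(spa)
            if len(claimed) > 1:            # one NIC answering for several hosts
                alerts.append(f"WARNING: {sha} has claimed several IPs: "
                              f"{', '.join(sorted(claimed))}")
        return alerts


def build_arp_frame(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet/ARP frame in memory for the demonstration."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(x) for x in s.split("."))
    eth_dst = mac(tha) if oper == ARP_REPLY else mac("ff:ff:ff:ff:ff:ff")
    eth = eth_dst + mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "cc:cc:cc:cc:cc:20"
ROGUE_MAC = "dd:dd:dd:dd:dd:dd"

# Constructed sequence: a genuine reply from the workstation, then the two forged
# replies the Poisoning stage describes (one aimed at the victim, one at the gateway).
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_frame(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_frame(ARP_REPLY, ROGUE_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
]


def run_demo(frames=SAMPLE_FRAMES):
    """Feed the frames to a watcher that trusts the gateway binding; alerts per frame."""
    watcher = ArpWatcher(static_bindings={GATEWAY_IP: GATEWAY_MAC})
    return [watcher.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```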

4f. DNS Poisoning

Description:

Internal penetration testing involves assessing the security of an organization's internal network,
systems, and applications to identify vulnerabilities and weaknesses. DNS (Domain Name
System) poisoning is a type of attack that can be included in the scope of internal penetration
testing. DNS poisoning, also known as DNS spoofing or DNS cache poisoning, involves
manipulating the DNS resolution process to redirect legitimate domain names to malicious IP
addresses.

Here's a general overview of how DNS poisoning works and how it might be addressed
during internal penetration testing:

• Understanding DNS Poisoning:
o In a DNS poisoning attack, the attacker tries to inject malicious DNS records
into the DNS cache of a DNS server. This can lead to the redirection of
legitimate domain names to malicious IP addresses controlled by the attacker.
• Testing for DNS Poisoning:
o During internal penetration testing, security professionals may use various
tools and techniques to assess the susceptibility of the organization's DNS
infrastructure to poisoning attacks.
o Tools such as dnspoison, dnschef, or custom scripts may be used to
simulate DNS poisoning attacks and evaluate the system's response.
o Testers may also analyze the DNS configurations, look for misconfigurations,
and assess the effectiveness of monitoring and logging mechanisms.
• Mitigation and Best Practices:
o Organizations can implement several best practices to mitigate the risk
of DNS poisoning. These may include:
- Regularly updating DNS software to the latest versions to patch
known vulnerabilities.
- Configuring DNS servers to use DNS Security Extensions (DNSSEC) to
add an additional layer of security by digitally signing DNS data.
- Implementing network segmentation to limit the impact of a
successful DNS poisoning attack.
- Monitoring DNS logs for suspicious activity and implementing
alerting mechanisms.
• Social Engineering Aspects:
o Internal penetration testing may also include social engineering aspects, where
testers attempt to exploit human vulnerabilities within the organization. For
example, an attacker might try to manipulate an employee into providing
sensitive information that could aid in a DNS poisoning attack.
• Reporting and Remediation:
o The findings of the penetration test, including any vulnerabilities related
to DNS poisoning, should be documented in a comprehensive report.
o Recommendations for remediation and improving the security posture
should be provided, and the organization should address the identified
issues promptly.
• Continuous Improvement:
o Internal penetration testing is not a one-time activity. It should be part of an
ongoing security strategy, and organizations should continuously monitor
and update their security measures based on the evolving threat landscape.
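As an added example (not part of the manual), the Python script below shows the resolver-side checks that keep a forged record out of a DNS cache, the injection described under "Understanding DNS Poisoning" above: a response is accepted only if its transaction ID and destination port match a query the resolver actually sent (both randomised, as RFC 5452 recommends), its question section repeats that query, and every answer is for the name that was asked. The resolver, names and addresses are hypothetical and all messages are built in memory.

```python
"""Resolver-side checks against DNS cache poisoning. A response is cached only if
its transaction ID and destination port match an outstanding query, its question
section repeats the query, and its answers are for the name that was asked.
Messages are built in memory with hypothetical names; nothing is sent."""
import secrets
import struct


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def build_query(txid: int, name: str) -> bytes:
    """Standard recursive A query: header (RD set), one question, no other sections."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid: int, name: str, ip: str, answer_name=None) -> bytes:
    """A-record response; answer_name lets the demo forge an answer for another name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set; 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    owner = b"\xc0\x0c" if answer_name is None else encode_name(answer_name)
    rdata = bytes(int(x) for x in ip.split("."))
    return header + question + owner + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata


class ValidatingResolver:
    def __init__(self):
        self.pending = {}   # (txid, source port) -> queried name
        self.cache = {}     # name -> IPv4 address

    def send_query(self, name: str):
        """Randomise both the transaction ID and the source port (RFC 5452)."""
        txid, port = secrets.randbelow(65536), 1024 + secrets.randbelow(64512)
        self.pending[(txid, port)] = name
        return txid, port, build_query(txid, name)

    def receive(self, response: bytes, dst_port: int) -> str:
        """Validate a response that arrived on dst_port; cache it only if every check passes."""
        txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
        if not flags & 0x8000:
            return "rejected: QR bit not set"
        name = self.pending.get((txid, dst_port))
        if name is None:
            return "rejected: no outstanding query with this txid/port"
        qname, off = decode_name(response, 12)
        qtype = struct.unpack("!HH", response[off:off + 4])[0]
        off += 4
        if qdcount != 1 or qname.lower() != name.lower() or qtype != 1:
            return "rejected: question section does not match the query"
        answers = []
        for _ in range(ancount):
            owner, off = decode_name(response, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            off += 10
            rdata, off = response[off:off + rdlen], off + rdlen
            if owner.lower() != name.lower():               # record for another name
                return "rejected: answer for a name we did not ask about"
            if rtype == 1 and rdlen == 4:
                answers.append(".".join(str(b) for b in rdata))
        del self.pending[(txid, dst_port)]
        if answers:
            self.cache[name] = answers[0]
        return "accepted"


def run_demo():
    """Several spoofed responses to one query, then the genuine one, then a replay."""
    r = ValidatingResolver()
    name = "intranet.example.com"
    txid, port, _query = r.send_query(name)
    outcomes = {
        "wrong_txid": r.receive(build_response((txid + 1) & 0xFFFF, name, "198.51.100.9"), port),
        "wrong_port": r.receive(build_response(txid, name, "198.51.100.9"), port ^ 1),
        "other_name": r.receive(build_response(txid, name, "198.51.100.9",
                                               answer_name="mail.example.com"), port),
        "genuine": r.receive(build_response(txid, name, "10.0.0.5"), port),
        "replay": r.receive(build_response(txid, name, "198.51.100.9"), port),
    }
    return outcomes, r.cache


if __name__ == "__main__":
    results, cache = run_demo()
    for label, outcome in results.items():
        print(f"{label}: {outcome}")
    print("cache:", cache)
```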


Program 5:

AIM: External Penetration Testing

Description:
External penetration testing is a cybersecurity practice that involves simulating real-world
cyber-attacks on an organization's external-facing systems to uncover vulnerabilities. The
process includes reconnaissance to gather information, vulnerability assessment to identify
weaknesses, exploitation to test security controls, and post-exploitation analysis. The results are
documented in a comprehensive report that outlines discovered vulnerabilities, their potential
impact, and recommendations for remediation. By proactively identifying and addressing
security flaws, external penetration testing helps organizations strengthen their defenses, protect
sensitive data, and meet compliance requirements. Regular testing and continuous improvement
are essential to staying ahead of evolving cyber threats.

5a. Evaluating external infrastructure

Description:

External penetration testing is a security assessment process that simulates real-world
cyber-attacks on an organization's external-facing systems. The goal is to identify vulnerabilities
that could be exploited by malicious actors to gain unauthorized access, disrupt services, or
compromise sensitive information. The evaluation of external infrastructure typically involves
assessing various components of an organization's network and systems that are accessible from
the internet. Here's a description of the key aspects involved in evaluating external infrastructure
during penetration testing:

 Scope Definition:
o Clearly define the scope of the external penetration test, including specific IP
ranges, domains, applications, and network segments to be assessed.
o Identify any out-of-scope assets or systems that should not be tested.
 Reconnaissance:
o Gather information about the organization's external infrastructure using
publicly available sources, such as WHOIS databases, DNS records, and
social engineering techniques.
o Identify potential targets, including IP addresses, domain names, and network ranges.
 Vulnerability Scanning:
o Perform automated vulnerability scans to identify known security
vulnerabilities in the external infrastructure.
o Use tools like Nessus, OpenVAS, or Qualys to identify weaknesses in network
devices, servers, and web applications.
 Network Mapping:
o Enumerate and map the organization's external network architecture to
identify active hosts, services, and their interconnections.
o Understand the topology to identify potential points of entry for attackers.
 Application Security Testing:
o Assess the security of externally facing web applications and APIs.
o Conduct manual and automated testing to identify common vulnerabilities
like SQL injection, cross-site scripting (XSS), and insecure direct object
references.
 Firewall and Network Device Analysis:
o Evaluate the effectiveness of firewalls and other network security devices in place.
o Identify misconfigurations, rule weaknesses, and potential bypass techniques.
 Social Engineering:
o Include social engineering techniques to test the human element, such as
phishing campaigns or attempts to gather sensitive information through
social manipulation.
 Exploitation:
o Attempt to exploit identified vulnerabilities to demonstrate their potential impact.
o Focus on gaining unauthorized access to systems or escalating privileges.
 Post-Exploitation:
o Assess the ability to maintain access and move laterally within the network.
o Determine the extent to which an attacker could compromise sensitive data or
disrupt services.
 Reporting:
o Provide a comprehensive report detailing the findings, including
identified vulnerabilities, their potential impact, and recommended
remediation measures.
o Include an executive summary for non-technical stakeholders.
 Remediation Support:
o Work collaboratively with the organization to prioritize and remediate
identified vulnerabilities.
o Provide guidance on improving overall security posture.

5b. Creating topological map & identifying IP address of target

Description:
External penetration testing involves simulating a cyber-attack on a computer system, network, or
web application from an external perspective to identify vulnerabilities and weaknesses. Creating
a topological map and identifying IP addresses are crucial steps in this process. Here's a general
guide on how to approach these tasks:
1. Reconnaissance:

 Domain Information Gathering:
o Use tools like whois to gather information about the target domain, including
registration details.
o Employ DNS interrogation tools like nslookup or dig to find subdomains.
2. Mapping the Network Topology:

 Network Scanning:
o Use tools like Nmap to discover live hosts and open ports on the target network.
o Conduct ping sweeps to identify live hosts.
 Topology Mapping:
o Create a visual representation of the network topology, including routers,
switches, and servers.
3. Service Identification:

 Banner Grabbing:
o Use tools like Banner Grab or Telnet to identify the services running on open ports.
4. Vulnerability Assessment:

 Scan for Vulnerabilities:
o Use vulnerability scanning tools such as Nessus or OpenVAS to identify
weaknesses in the target's systems.
5. Identifying IP Addresses:

 Network Range Discovery:
o Utilize tools like ARIN or RIPE to find information about IP address ranges
assigned to the target organization.
 DNS Enumeration:
o Use tools like DNSRecon or Fierce to enumerate DNS records and identify
associated IP addresses.
6. Social Engineering:

 Phishing:
o Conduct phishing simulations to test the human element and gather
additional information.
7. Documentation:

 Create a Topological Map:
o Document the identified network topology, including IP addresses,
subdomains, and services.
 Risk Assessment:
o Evaluate the vulnerabilities discovered and prioritize them based on potential impact.
8. Reporting:

 Penetration Testing Report:
o Provide a detailed report outlining the findings, vulnerabilities, and
recommended remediation steps.
Additional points:

 Legal and Authorization:
o Ensure that you have proper authorization before conducting any penetration
testing. Unauthorized testing can lead to legal consequences.
 Anonymity:
o Use techniques like VPNs or proxies to maintain anonymity during the testing.
 Continuous Monitoring:
o Regularly update the topological map as the target environment evolves.

5c. Lookup domain registry for IP information

Description:

Performing external penetration testing involves assessing the security of a system from an
external perspective, often simulating the actions of a malicious actor. However, it's crucial to
note that penetration testing should only be conducted on systems and networks for which you
have explicit authorization.

If you are authorized to conduct external penetration testing and want to gather information about
a domain's IP address, you can use various tools and techniques. One common method is to query
domain registration information. Here are steps you can follow:

WHOIS Lookup:

WHOIS is a protocol used to query databases that store the registered users or assignees of an
Internet resource, such as a domain name, an IP address block, or an autonomous system.
There are online WHOIS lookup tools, as well as command-line options.

 Online WHOIS Lookup:
o Websites like WHOIS.com or ICANN WHOIS allow you to enter a domain
name and retrieve registration details.
 Command Line (Linux):
o Open a terminal and use the whois command.

DNS Resolution:
You can also resolve the domain to its IP address using DNS tools:

 nslookup (Windows) or dig (Linux):
o Use the nslookup command on Windows or the dig command on Linux to
get the IP address associated with a domain.
 Online DNS Lookup Tools:
o Websites like MXToolbox or DNS Lookup provide online tools to query DNS records.
Additional Considerations:

 WHOIS Privacy Protection: Some domain registrars offer privacy protection
services, which replace the actual contact information with generic data. In such cases,
you may not get detailed information about the registrant.
 APIs: Some organizations offer APIs that allow you to programmatically query
domain information. Be sure to check if the domain registry you're interested in
provides such services.
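To show what the WHOIS lookup above yields once it is recorded for the assessment, here is an added example (not part of the manual) that parses a WHOIS response into the fields worth keeping and flags the privacy-protected registrant case described in the considerations above. The response text, domain and name servers are constructed placeholders, not a real registration.

```python
"""Extract the fields an external assessment records from a WHOIS response:
registrar, creation and expiry dates, name servers, DNSSEC status, and whether
a privacy service hides the registrant. Added example; WHOIS_SAMPLE is a
constructed response in the usual "Key: value" layout with placeholder names.
"""
from datetime import datetime, timezone

WHOIS_SAMPLE = """\
Domain Name: EXAMPLE-TARGET.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2015-03-02T10:11:12Z
Registry Expiry Date: 2026-03-02T10:11:12Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect Service
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

# Strings registrars commonly substitute when privacy protection is enabled.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld", "data protected")


def parse_whois(text):
    """Map lower-cased keys to lists of values; keys such as 'name server' repeat."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, comments (%, #) and the registry's trailer line (>>>).
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")   # first colon only; times keep theirs
        if not sep:
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def registrant_is_private(fields):
    """True when any Registrant* field carries a privacy-service marker."""
    for key, values in fields.items():
        if key.startswith("registrant"):
            for value in values:
                if any(marker in value.lower() for marker in PRIVACY_MARKERS):
                    return True
    return False


def _parse_date(value):
    # Registry timestamps are ISO 8601; older Pythons reject a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(text, today=None):
    """Return the assessment-relevant facts from one WHOIS response."""
    fields = parse_whois(text)
    today = today or datetime.now(timezone.utc)
    expiry = fields.get("registry expiry date") or fields.get("expiry date")
    days_to_expiry = (_parse_date(expiry[0]) - today).days if expiry else None
    return {
        "domain": fields.get("domain name", [""])[0].lower(),
        "registrar": fields.get("registrar", [""])[0],
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "dnssec": fields.get("dnssec", ["unknown"])[0].lower(),
        "registrant_private": registrant_is_private(fields),
        "days_to_expiry": days_to_expiry,
    }


if __name__ == "__main__":
    for key, value in summarize(WHOIS_SAMPLE).items():
        print(f"{key:>19}: {value}")
```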

5d. Examining use of IPv6 at remote location

Description:

External penetration testing involves assessing the security of a network or system from an
external perspective, typically simulating the actions of a potential attacker. When specifically
examining the use of IPv6 at a remote location, there are several considerations and steps you
can take to ensure a thorough assessment:

 Inventory of IPv6 Assets:
o Identify all IPv6-enabled devices and systems in the remote location. This
includes routers, switches, servers, and any other networked devices.
 Network Topology Mapping:
o Create a detailed map of the IPv6 network topology. Understand how
devices are interconnected and the flow of IPv6 traffic within the
network.
 Vulnerability Scanning:
o Perform vulnerability scans on IPv6 addresses to identify potential
weaknesses and security flaws. Use specialized tools that support IPv6
scanning.
 Enumeration and Discovery:
o Enumerate IPv6 addresses and services. Look for open ports, running services,
and any potential misconfigurations.
 Security Policy and Configuration Review:
o Review the IPv6-related security policies and configurations on routers,
firewalls, and other network devices. Ensure that security best practices are
followed, and unnecessary services are disabled.
 Firewall and ACL Assessment:
o Evaluate the effectiveness of IPv6 firewall rules and Access Control Lists
(ACLs). Check for any overly permissive rules that might expose the network to
unnecessary risks.
 Endpoint Security:
o Assess the security posture of individual devices with IPv6 capabilities. This
includes servers, workstations, and other networked equipment.
 Traffic Analysis:
o Monitor and analyze IPv6 network traffic for any anomalous patterns or potential
signs of malicious activity.
 Penetration Testing:
o Conduct penetration testing exercises to simulate real-world attacks on the
IPv6 infrastructure. This may involve exploiting known vulnerabilities,
attempting privilege escalation, or other attack scenarios.
 Security Awareness Training:
o Assess the level of security awareness among the remote location's
personnel. Social engineering tests can be valuable to identify potential
weaknesses in human security practices.
 Incident Response Testing:
o Evaluate the effectiveness of the incident response plan for IPv6-related
incidents. This may include testing the detection and response capabilities to
IPv6-specific threats.
 Documentation Review:
o Review the documentation related to IPv6 implementation, including any
security guidelines or procedures. Ensure that the best practices are being
followed.
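As an added example (not from the manual) for the inventory and firewall/ACL steps above, the following script classifies the IPv6 addresses an inventory turns up using Python's standard ipaddress module, separating global, link-local and unique-local addresses from the transition forms (IPv4-mapped, 6to4, Teredo) that IPv4-only filtering tends to miss. The inventory is constructed from documentation and reserved ranges, not from a real site.

```python
"""Classify IPv6 addresses collected during an asset inventory so the ACL review
can see which address kinds are in play. Added example; INVENTORY is constructed
from documentation/reserved ranges and the hostnames are placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory as a discovery sweep might record it: (hostname, address).
INVENTORY = [
    ("rtr-edge", "2001:db8:1::1"),
    ("srv-web", "2001:db8:1::80"),
    ("ws-101", "fe80::1c3a:9fff:fe21:42"),
    ("srv-file", "fd12:3456:789a::10"),
    ("legacy-gw", "::ffff:192.0.2.10"),
    ("vpn-client", "2001:0:4136:e378:8000:63bf:3fff:fdd2"),
    ("relay", "2002:c000:204::1"),
    ("bad-entry", "2001:db8::zz"),
]

UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
TRANSITION = {"ipv4-mapped", "6to4", "teredo"}


def classify(text):
    """Return a label for one address; order matters because ranges overlap."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ValueError:
        return "invalid"
    if addr.ipv4_mapped is not None:      # ::ffff:a.b.c.d
        return "ipv4-mapped"
    if addr.teredo is not None:           # 2001:0::/32, embeds server + client IPv4
        return "teredo"
    if addr.sixtofour is not None:        # 2002::/16, embeds the IPv4 prefix
        return "6to4"
    if addr.is_link_local:                # fe80::/10, never routed
        return "link-local"
    if addr in UNIQUE_LOCAL:              # fc00::/7, site-internal only
        return "unique-local"
    if addr.is_multicast:
        return "multicast"
    if addr in GLOBAL_UNICAST:            # 2000::/3, internet-reachable range
        return "global"
    return "other"


def embedded_ipv4(text):
    """The IPv4 address a transition address carries, or None."""
    addr = ipaddress.IPv6Address(text)
    if addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    if addr.teredo is not None:
        return str(addr.teredo[1])        # (server, client); the client is the host
    if addr.sixtofour is not None:
        return str(addr.sixtofour)
    return None


def audit(inventory):
    """Group hosts by address class and list the ones needing ACL attention."""
    by_class = defaultdict(list)
    addr_of = dict(inventory)
    for host, text in inventory:
        by_class[classify(text)].append(host)
    findings = []
    for label in sorted(TRANSITION):
        for host in by_class.get(label, []):
            findings.append(f"{host}: {label} address embeds IPv4 {embedded_ipv4(addr_of[host])}; "
                            "check that the IPv6 ACLs cover it, not only the IPv4 rules")
    for host in by_class.get("invalid", []):
        findings.append(f"{host}: unparsable address, fix the inventory record")
    return dict(by_class), findings


if __name__ == "__main__":
    classes, findings = audit(INVENTORY)
    for label, hosts in sorted(classes.items()):
        print(f"{label:<13} {', '.join(hosts)}")
    print("\n".join(findings))
```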


Program 6:

AIM: Different types of vulnerability scanning

Procedure:

Description:

Vulnerability scanning is a critical component of cybersecurity that involves identifying and
assessing vulnerabilities in computer systems, networks, and applications. There are various
types of vulnerability scanning, each serving a specific purpose. Here are some common types:

 Network Scanning:
o Port Scanning: Identifies open ports and services on a network.
o Host Discovery: Determines active hosts on a network.
o Operating System Detection: Attempts to identify the operating system
running on a target system.
 Web Application Scanning:
o Automated Scanning: Uses tools to automatically discover and assess
vulnerabilities in web applications.
o Manual Testing: Involves manual inspection of web applications for
vulnerabilities, often using tools like Burp Suite.

 Database Scanning:
o Identifying Database Vulnerabilities: Scans databases for
vulnerabilities, misconfigurations, and weak access controls.
 Wireless Network Scanning:
o Wireless Network Discovery: Identifies active wireless networks and access points.
o Encryption Assessment: Assesses the security of wireless network encryption protocols.
 Cloud Infrastructure Scanning:
o Cloud Service Configuration Scanning: Checks cloud service configurations for
security vulnerabilities.
o Container Scanning: Examines containers for vulnerabilities and misconfigurations.
 Host Scanning:
o Operating System and Service Version Scanning: Identifies vulnerabilities
associated with specific operating systems and service versions.
o Credential Scanning: Checks for weak or default credentials on systems.
 Compliance Scanning:
o Ensuring Regulatory Compliance: Scans for vulnerabilities that might violate
regulatory compliance standards.
 IoT Device Scanning:
o Identifying IoT Vulnerabilities: Scans Internet of Things (IoT) devices for
security weaknesses.

 Mobile Application Scanning:
o Mobile App Vulnerability Assessment: Identifies vulnerabilities in mobile
applications, such as insecure data storage or insecure communication.
 Social Engineering Vulnerability Scanning:
o Phishing Simulations: Tests an organization's susceptibility to phishing attacks.
o User Awareness Assessments: Assesses the security awareness of users through
various means.
 Thick Client Application Scanning:
o Assessing Standalone Applications: Identifies vulnerabilities in standalone
applications that run on client machines.
 Incident Response Scanning:
o Post-Incident Analysis: Scans systems after a security incident to identify
how the compromise occurred and assesses the extent of the impact.


Program 7:

AIM: Vulnerability scanning with Nessus

Procedure:

Nessus is a widely used vulnerability scanning tool that helps identify security vulnerabilities in
a network, system, or application. Here is a general guide on how to perform vulnerability
scanning using Nessus:

1. Installation:

 Download and install Nessus from the Tenable website.
 Follow the installation instructions provided for your operating system.
2. Setup:

 Launch Nessus and access the web interface. Typically, you can access it by navigating to
https://localhost:8834 in a web browser.
 Log in with the credentials you set during the installation.
3. Create a New Scan:

 Click on "Scans" in the top navigation bar.
 Click "New Scan" to create a new scanning configuration.
4. Configure Scan Settings:

 Provide a meaningful name for the scan.
 Choose the target to scan (IP addresses, ranges, domains, etc.).
 Set the scan policy (e.g., internal network scan, external scan).
 Adjust other settings based on your requirements.
5. Select Plugins and Policies:

 Nessus uses plugins to perform various types of checks. Choose the plugins or policies
that match your scanning requirements.
 Consider compliance checks, malware detection, or specific vulnerability categories.
6. Schedule the Scan:

 Set up a schedule for the scan if needed (daily, weekly, etc.).
7. Launch the Scan:

 Save the scan configuration and click "Launch" to start the scan.
8. Review Scan Results:

 Once the scan is complete, review the results in the Nessus interface.
 Prioritize vulnerabilities based on severity levels.
9. Generate Reports:

 Generate reports to share with relevant stakeholders.
 Reports can include details on identified vulnerabilities, their severity, and
recommended remediation steps.
10. Remediation:

 Work with your IT team to remediate identified vulnerabilities.
 Re-scan periodically to ensure that vulnerabilities are addressed.
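An added example (not Tenable's code) for steps 8 and 9: it reads a Nessus export in the .nessus v2 XML layout, orders the findings by severity and CVSS score for prioritisation, and counts findings per host for the report. The XML, hosts and plugin ids below are constructed placeholders, not real scanner output.

```python
"""Prioritise findings from a Nessus export (.nessus v2 XML) and summarise them
per host. Added example; NESSUS_SAMPLE is a constructed, cut-down file with
placeholder plugin ids and hosts, not real scanner output.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

NESSUS_SAMPLE = """<NessusClientData_v2>
 <Report name="lab-scan (constructed)">
  <ReportHost name="10.0.0.5">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
     pluginID="100002" pluginName="SMB service missing critical vendor patch">
    <risk_factor>Critical</risk_factor>
    <cvss3_base_score>9.8</cvss3_base_score>
    <solution>Apply the vendor patch and reboot.</solution>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.7">
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
     pluginID="100003" pluginName="TLS certificate signed with weak hash">
    <risk_factor>Medium</risk_factor>
    <cvss3_base_score>5.3</cvss3_base_score>
    <solution>Reissue the certificate with SHA-256.</solution>
   </ReportItem>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
     pluginID="100004" pluginName="Web server version with known flaws">
    <risk_factor>High</risk_factor>
    <cvss3_base_score>7.5</cvss3_base_score>
    <solution>Upgrade to a supported release.</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict carrying its host and key fields."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            # Prefer the CVSSv3 score; older exports only carry cvss_base_score.
            cvss = item.findtext("cvss3_base_score") or item.findtext("cvss_base_score")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "cvss": float(cvss) if cvss else 0.0,
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def prioritize(findings, min_severity=2):
    """Findings at or above min_severity, most severe (then highest CVSS) first."""
    kept = [f for f in findings if f["severity"] >= min_severity]
    return sorted(kept, key=lambda f: (f["severity"], f["cvss"]), reverse=True)


def per_host_counts(findings):
    """{host: {severity name: count}} for the report's executive summary."""
    counts = {}
    for f in findings:
        counts.setdefault(f["host"], Counter())[SEVERITY_NAMES[f["severity"]]] += 1
    return {host: dict(c) for host, c in counts.items()}


if __name__ == "__main__":
    all_findings = parse_nessus(NESSUS_SAMPLE)
    for f in prioritize(all_findings):
        print(f"{SEVERITY_NAMES[f['severity']]:<8} {f['host']}:{f['port']} {f['name']} -> {f['solution']}")
    print(per_host_counts(all_findings))
```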
Tips and Best Practices:

 Regular Scanning: Perform regular scans to stay on top of the evolving threat landscape.
 Credential Scanning: Provide credentials for authenticated scans to get more accurate results.
 Prioritize and Plan Remediation: Focus on addressing high-risk vulnerabilities first.
 Review and Customize Policies: Tailor scan policies to your organization's specific needs.
 Integrate with Other Tools: Nessus can integrate with other security tools and
platforms for a more comprehensive security strategy.
 Stay Informed: Keep track of Nessus updates and security bulletins to ensure the tool
is using the latest vulnerability checks.


Program 8 & 9:

AIM: Web application assessment with Nikto & Burp Suite

Procedure:

Description:
Web application assessment using tools like Nikto and Burp Suite is a common practice for
identifying potential vulnerabilities and securing web applications. Here's a basic guide on
how you can perform a web application assessment using Nikto and Burp Suite:

1. Set Up Your Environment:

 Ensure you have Nikto and Burp Suite installed on your machine.
2. Configure Burp Suite:

 Open Burp Suite and configure your browser to use Burp as a proxy. Set up an
interception point to analyze and modify HTTP requests and responses.
3. Configure Nikto:

 Nikto is a web server scanner that performs comprehensive tests against web servers for
multiple items, including over 6700 potentially dangerous files/programs, checks for
outdated versions of over 1250 servers, and version-specific problems on over 270
servers.
 Run Nikto from the command line. For example: nikto -h <target_url>
 Replace <target_url> with the URL of the web application you want to assess.
4. Burp Suite Spidering:

 Use Burp Suite's Spider tool to crawl the web application. This helps in mapping out the
structure and functionality of the application.
5. Manual Exploration:

 Manually navigate through the web application to identify and analyze different functionalities.
6. Burp Suite Active Scanning:

 Burp Suite's Active Scanner can automatically scan for a variety of common web
application vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and
more.
 Configure the active scanner with the appropriate settings, including payload options and scope.
7. Review and Analyze Results:

 Analyze the results from both Nikto and Burp Suite. Pay attention to identified
vulnerabilities, warnings, and informational findings.

8. Exploitation and Verification:

 If vulnerabilities are found, you may attempt exploitation to verify the risk. However,
ensure you have proper authorization before attempting any exploitation.
9. Documentation:

 Document your findings, including identified vulnerabilities, their severity, and potential impact.
10. Reporting:

 Generate a comprehensive report that includes a summary of the assessment,
identified vulnerabilities, and recommendations for remediation.
Important Considerations:

 Authorization: Ensure you have proper authorization before scanning or testing
any web application.
 False Positives/Negatives: Be aware that automated tools can produce false positives
and false negatives. Manual verification is crucial.
 Scope: Clearly define the scope of your assessment to avoid unintended consequences.
 Data Privacy: Respect privacy and legal considerations while conducting assessments.


Program 10:

AIM: Implement web application assessment with OWASP ZAP

Procedure:

OWASP ZAP & GitHub Actions

Coding is more than just typing lines of text; it’s about ensuring your web applications are secure. One
crucial aspect of security is protecting your web apps from vulnerabilities. In this blog post, we’ll walk
you through integrating OWASP ZAP (Zed Attack Proxy), a powerful tool for Dynamic Application
Security Testing (DAST), with GitHub Actions.

What is OWASP ZAP (DAST)?

OWASP ZAP, also known as the Zed Attack Proxy, is a tool that helps you identify security
vulnerabilities in your web applications. It works by simulating attacks on your web app to uncover
weaknesses that malicious hackers could exploit. In essence, it acts like a security guard for your web
applications, making sure they’re well-protected.


What is GitHub Actions?

GitHub Actions is a feature offered by GitHub, your developer’s best friend, that lets you automate
various tasks in your software development workflow. Think of it as a virtual assistant for your coding
tasks, like testing, building, and deploying your code automatically.

Why Integrate OWASP ZAP with GitHub Actions?

Integrating OWASP ZAP with GitHub Actions is a smart move for several reasons:

1. Continuous Security Testing: By integrating OWASP ZAP into your GitHub Actions workflow,
you can automatically test your web application’s security every time you make changes. This means
you can catch and fix vulnerabilities early in your development process.

2. Realistic Testing: OWASP ZAP simulates real-world attacks, giving you a better understanding of
your web app’s security posture.

3. Automatic Feedback: You receive immediate feedback on your web app’s security, making it
easier to address any security concerns.

Now, let’s dive into the steps of how to set up OWASP ZAP in GitHub Actions.

Setting up OWASP ZAP in GitHub Actions

Here’s a step-by-step guide:

Step 1: Set Up Your Web Application

Before you begin, make sure your web application is up and running, accessible via a URL. OWASP
ZAP will need this URL to test your web app’s security.


Let’s identify a test web application for running the DAST scan. I’ll go to Google and search for a test
vulnerable application. This one is a test web application, a deliberately vulnerable web application
made available for testing:

Home of Acunetix Art (testphp.vulnweb.com): test site for Acunetix WVS. Warning: This is not a real
shop. This is an example PHP application, which is…

Step 2: Create a Workflow

Start by creating a repository for your project in GitHub. Let’s call it “GitHubAction_OWASP-ZAP-SCAN”.
After that, clone the git repository to your local system. Now, create a GitHub Actions workflow file
(e.g., .github/workflows/owasp-zap-scan.yml) in your repository.

Git Repository

Add Secrets to GitHub

In your GitHub repository, go to “Settings” > “Secrets” and add a secret named git_hub_token with the
value of the token you generated. This keeps your token secure.

GitHub Token

Define the Workflow:

Here’s the workflow, written in YAML:

owasp-zap-scan.yml

name: OWASP ZAP Integration with GitHub Actions

on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: main
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          docker_name: 'owasp/zap2docker-stable'
          target: 'http://testphp.vulnweb.com/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

This workflow triggers an OWASP ZAP scan whenever changes are pushed to the main branch.

Here’s what the code does step by step:

1. It specifies that this action should run when there is a “push” event, which typically means when
code is pushed or updated in the repository.

2. It defines a job named “zap_scan” that will run on a computer running Ubuntu.

3. Inside the job, there are some steps that will be executed in order:

 “Checkout” step: This step checks out (or downloads) the latest code from the “main” branch of the
repository.

 “ZAP Scan” step: This step uses a tool called OWASP ZAP to scan a web application. Here are the
details:

 It uses a specific version of ZAP, which is contained in a Docker container (a sort of isolated
environment for running software).

 It specifies the web application to scan, which is “http://testphp.vulnweb.com/” in this case.

 It tells ZAP to use a set of security rules defined in a file named “rules.tsv” located in a folder called
“.zap” within the repository.

 It provides some additional command-line options to ZAP using the “cmd_options” parameter,
which might include specific settings or configurations for the scan.

In simpler terms, this code sets up an automated security scan for a web application every time there’s a
code update in a GitHub repository. It uses a tool called OWASP ZAP to check for security issues in the
web application, and the results of this scan can help identify and fix potential security problems in the
application.

Step 3: Run Your Workflow

Commit the workflow file and push it to your GitHub repository. GitHub Actions will automatically run
the workflow, and you can view the scan results to identify any security vulnerabilities in your web app.

git add .
git status
git commit -m "Create owasp-zap-scan.yml"
git push
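An added example (not the zaproxy action's own code) that applies the .zap/rules.tsv policy referenced by the workflow's rules_file_name input to a ZAP baseline JSON report and decides whether the job should fail. Both files are constructed samples that follow the rules.tsv layout (plugin id, IGNORE/WARN/FAIL, comment) and the report_json.json layout (site -> alerts -> riskcode); the optional riskcode gate goes beyond what rules.tsv alone expresses.

```python
"""Apply a rules.tsv policy to a ZAP baseline JSON report and return whether the
scan job should fail. Added example; RULES_TSV and REPORT_JSON are constructed
samples (the plugin ids are the ZAP rule ids for the named alerts).
"""
import json

# Constructed rules.tsv: one tab-separated rule per line, '#' lines are comments.
RULES_TSV = """\
# plugin id\taction\tcomment
10038\tIGNORE\t(CSP header not set - tracked in the backlog)
10021\tWARN\t(X-Content-Type-Options header missing)
40012\tFAIL\t(Cross Site Scripting (Reflected))
"""

# Constructed report_json.json excerpt for the target used in the workflow.
REPORT_JSON = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://testphp.vulnweb.com",
        "@host": "testphp.vulnweb.com", "@port": "80", "@ssl": "false",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "1", "confidence": "2", "count": "3"},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "count": "2"},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "count": "1"},
            {"pluginid": "10096", "alert": "Timestamp Disclosure - Unix",
             "riskcode": "1", "confidence": "1", "count": "4"},
        ],
    }],
})

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
VALID_ACTIONS = {"IGNORE", "WARN", "FAIL"}


def parse_rules(tsv_text):
    """Map plugin id -> action, rejecting malformed lines early."""
    rules = {}
    for lineno, raw in enumerate(tsv_text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split("\t")
        if len(parts) < 2 or parts[1].strip() not in VALID_ACTIONS:
            raise ValueError(f"rules.tsv line {lineno}: expected '<id>\\t<IGNORE|WARN|FAIL>\\t<comment>'")
        rules[parts[0].strip()] = parts[1].strip()
    return rules


def evaluate(report_text, rules, default_action="WARN", fail_at_risk=None):
    """Return (should_fail, decisions). Alerts not listed in rules get
    default_action; fail_at_risk (e.g. 3 for High) additionally fails any
    un-ignored alert at that riskcode or above."""
    report = json.loads(report_text)
    decisions = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            action = rules.get(alert["pluginid"], default_action)
            risk = int(alert.get("riskcode", 0))
            if action != "IGNORE" and fail_at_risk is not None and risk >= fail_at_risk:
                action = "FAIL"
            decisions.append({
                "site": site.get("@name"), "pluginid": alert["pluginid"],
                "alert": alert["alert"], "risk": RISK_NAMES.get(risk, str(risk)),
                "count": int(alert.get("count", 0)), "action": action,
            })
    return any(d["action"] == "FAIL" for d in decisions), decisions


if __name__ == "__main__":
    should_fail, decisions = evaluate(REPORT_JSON, parse_rules(RULES_TSV))
    for d in decisions:
        print(f"{d['action']:<6} {d['pluginid']} {d['risk']:<13} x{d['count']} {d['alert']}")
    raise SystemExit(1 if should_fail else 0)   # non-zero exit fails the job
```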

OWASP-ZAP-Scan Job

ZAP Scan Baseline Report

ZAP Scan Download