It20153540 - Aia 2


Sri Lanka Institute of Information Technology.

Individual Assignment
Topic : Penetration Testing Report For a Scenario
Based On Lab Work.

IE3022 - Applied Information Assurance.

Submitted by:
Student Name: Abeywickrama O.D.
Student Registration Number: IT20153540

B.Sc. (Hons) in Information Technology specializing in Cyber Security.

Acknowledgement
I would like to take this opportunity to express my gratitude to Mr. Kanishka Yapa, our lead lecturer, for
guiding us through the completion of the penetration testing report. It would be quite impossible
to finish this report without our lecturer in charge.

Abstract
Wayne Industries (PVT) Ltd, a fictitious corporation, was subjected to penetration testing. The
purpose of our penetration testing was to discover the vulnerabilities present in the Wayne
Industries (PVT) Ltd network and the strategies by which they could be attacked. Manual and
automated scanning tools were employed to complete the scanning. The scanning operations
were carried out using manual tools such as Nmap and Metasploit, as well as automated
programs such as Legion and Nessus. This pen testing report first details how the scanning
operations were carried out and what they produced. Exploits for the probable vulnerabilities
identified by the various scanning activities were then carried out using those findings, and
finally a vulnerability analysis and conclusion are provided.

1. Executive Summary.
As the pen tester, it is my responsibility to perform penetration testing for this organization. By
identifying all critical assets and the network architecture, and by scanning for vulnerabilities,
the business can better protect itself. If a vulnerability exists, I should notify the firm in a
thorough report that details the flaws as well as the risk to the company, and if any of those
issues arise, I will have to address them. A risk management report is not required by the
company at this time.

The Red team, Blue team, and Purple team are the three sectors of my group. Internal and
external network and application assessments will be conducted by the red team. The blue team
will look at red team attacks to see if the firm is ready for them. The purple team will evaluate
the efficacy of the defensive measures and controls that the blue team recommends to defend
against the vulnerabilities uncovered by the red team throughout the penetration testing phase.

I was able to detect various faults in the company's information system and network assets after
performing these duties. As the core operating system for this penetration testing activity, I'm
using "Kali Linux" 2020.4 64-bit version. This operating system piqued my interest since it
includes various hacking and vulnerability scanning tools.

The penetration test was completed by focusing Metasploit on the target and scope area.
Metasploitable2 has been identified as an important host with risks. The system is publicly
exposed to a number of serious and high-risk flaws. Because the system is so complex, these
flaws will have an impact on all users. Remediation should be prioritized based on the severity
of the risk and the amount of work required. Red teams employ real-world cyber-attack
strategies to exploit flaws in a company's staff, procedures, and systems. They get into business
networks and simulate data exfiltration while avoiding detection by the blue team by
circumventing security measures.

2. Introduction.
A penetration test, also known as pentesting, is a simulated attack carried out by pen testers on a
target in order to identify vulnerabilities. Real attackers try to harm the target's systems and
resources, whereas pentesting does not harm them. Instead of causing harm, pentesting identifies
the probable points of compromise or flaws in a system. Penetration testing may be black box,
white box, or gray box; the form of testing depends on the preferences of the customer. A pen
tester has a specific purpose in mind: to find all conceivable flaws or vulnerabilities in the
system and make recommendations to address them.

This pentesting process can be broken down into four stages:

a) Information gathering and scanning
b) Gaining access
c) Maintaining access
d) Analysis

3. Purpose.
A penetration testing team was recruited by Wayne Industries (Pvt) Ltd to run a pen test. The
Red team, Blue team, and Purple team are the three primary divisions of the penetration testing
team. Internally and externally, the red team will conduct network and application assessments.
The blue team will investigate red team attacks and assess the company's preparedness for them.
The purple team will examine the penetration testing process by evaluating the effectiveness of
the blue team's proposed defensive techniques and controls for protecting against vulnerabilities
discovered by the red team.

4. Scope
When doing this VAPT, we are limited to the operating systems, network services, and other
software utilized by Wayne Industries. The Metasploitable framework is used by Wayne
Industries as the operating system in their environment.

The scope of the penetration test was mainly the Metasploitable2 domain.

5. Methodology.
Industry-standard penetration testing tools and frameworks were used for vulnerability
assessment and penetration testing, including Nmap, Burp Suite, the Metasploit Framework, the
Kali Linux penetration testing tools, and automated vulnerability analysis by Nessus. Information
gathering, threat modeling, exploitation, and reporting were among the common approaches
used.

6. Risk Rating.

The following are the basic risk categories, from highest to lowest: Critical, High, Medium, Low.

Critical - Findings and recommendations with a high priority that may jeopardize the system's
continuous availability, as well as the security and integrity of data, programs and information
stored on the system. Action must be taken immediately.

High - Findings and recommendations that are given top attention because of the inadequate
design of the control. Controls and procedures should be enhanced or introduced to provide a
more complete internal control system. Corrective action should be taken as soon as possible.

Medium - Findings and recommendations with a medium priority, covering areas that require
changes to controls and systems.

Low - Findings and recommendations with a low priority, covering areas where controls could be
increased or operational efficiencies improved. These are issues in which management must
weigh the costs and benefits of implementation.

7. Technical Review

7.1 Information Gathering and Scanning (Reconnaissance).


To do a good penetration test, we need to know enough about the target we will be scanning. It
might take up to a month to perform successful footprinting and reconnaissance efforts. During
the information gathering process, a range of tools may be used to cover a variety of
methodologies. Rather than sensitive information, we focus on the system's structure, location,
people, and behavior at this phase.

1) Ping

Initially, a ping command was sent from the attacker system to the target machine to see if it was
up and running.

2) Nmap

By simply entering the command nmap followed by the domain name, we can scan our target
with the Nmap program; the command can also be run with the target's IP address. The start
time, domain name, IP address, latency, number of ports scanned, and each port's status and
running service are all displayed here.

There is only one hop to the host, so a packet should only pass through one hop to reach the
target. This was found using traceroute.

3) Net BIOS Enumeration


NetBIOS name information was enumerated with the nbtscan program. It sends a NetBIOS
status query to each of the addresses in the specified range and displays the results in a
human-readable format.

4) Service Enumeration

• Legion

I used the Legion tool to perform service enumeration against the target, and default credentials
were identified on the target (IP: 192.168.56.103).

The Legion tool was also able to identify the operating system that the target host is using.

5) Nessus

The findings of the Nessus scan are shown in the screenshot above. From the Nessus scan, 65
vulnerabilities were discovered. 10 of the 65 vulnerabilities are rated as critical, 6 are rated as
high, 18 are rated as medium, and 5 are rated as low.

Our team will keep a careful eye on all discovered flaws and determine which ones potentially
cause harm to Wayne Industry's systems.

7.2 Gaining Access and Maintaining Access

Following that, we will attempt to exploit each of the open ports. We'll use the 23 open ports
discovered by nmap for this, and the results of successful attempts will be displayed in the report.

vsftpd 2.3.4
A backdoor was planted by an attacker in vsftpd 2.3.4. A user can gain root access to the
Metasploitable computer by using this backdoor. This instance was exploited using the
Metasploit framework.

Metasploit was used to obtain the code that opens the backdoor into the Metasploitable
computer. As can be seen, this backdoor grants root access to the target operating system,
allowing any unlawful action to be performed.

Risk Rating : High

Recommendations :

Although vsftpd 2.3.4 has this vulnerability, the latest versions of the FTP server do not. The
best solution is to upgrade to the latest FTP version.

Open Root Bind Shell
According to the identifications, the Metasploitable2 host was running an open root bind shell
listener. The bind shell communicated on TCP port 1524. The Metasploitable2 root shell listener
was communicated with using Netcat. The presence of a bind shell listener indicates a past
compromise.

Risk Rating : Critical

Remediation :

Remove the bind shell. If this is not an allowed or anticipated activity, activate the Incident
Response Plan.
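A defender's check for this finding, added here as an example and not part of the original report: it parses `ss -ltnp` output (a constructed sample, not output from the assessed host) and flags any listening TCP port that is missing from an assumed allowlist or owned by a process other than the expected service, which is how a stray root shell listener on TCP/1524 would surface during a host review.

```python
import re

# Constructed sample of `ss -ltnp` output; it was NOT captured from the assessed host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*          users:(("inetd",pid=640,fd=5))
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=701,fd=4))
LISTEN  0       5       0.0.0.0:1524        0.0.0.0:*          users:(("sh",pid=933,fd=3))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=750,fd=10))
"""

# Allowlist of port -> expected owning process (assumed for this example).
EXPECTED_LISTENERS = {22: "sshd", 21: "vsftpd", 3306: "mysqld"}

_LISTEN_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


def parse_listeners(ss_output):
    """Return one dict per LISTEN line: port, bound address, process name, pid."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue  # header line or a socket that is not listening
        listeners.append({
            "port": int(m.group("port")),
            "addr": m.group("addr"),
            "proc": m.group("proc") or "?",  # "?" when ss could not show the owner
            "pid": int(m.group("pid")) if m.group("pid") else None,
        })
    return listeners


def find_unexpected(ss_output, expected=EXPECTED_LISTENERS):
    """Return (port, process, reason) for each listener outside the allowlist."""
    findings = []
    for sock in parse_listeners(ss_output):
        want = expected.get(sock["port"])
        if want is None:
            findings.append((sock["port"], sock["proc"], "port not in allowlist"))
        elif sock["proc"] != want:  # right port, wrong process: possible hijack
            findings.append((sock["port"], sock["proc"], f"expected {want}"))
    return findings


if __name__ == "__main__":
    for port, proc, why in find_unexpected(SAMPLE_SS_OUTPUT):
        print(f"UNEXPECTED LISTENER tcp/{port} owned by {proc}: {why}")
```

On the sample the check reports tcp/23 (telnetd via inetd) and tcp/1524 (a bare shell), which matches the two unexpected listeners this report describes.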

SSH_LOGIN Bruteforce Attack

The ssh login module is highly versatile, since it can not only test a set of credentials over a
range of IP addresses, but it can also attempt brute force logins.

Risk Rating : Critical

Remediation :

Follow the SSH hardening instructions and update the default parameters in ssh config to
improve the authentication procedure and meet the required security level.
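Detection logic for the brute-force activity described above, added as an example that is not part of the original report: it parses constructed OpenSSH auth.log lines and raises an alert for any source address that accumulates a threshold of failed password logins inside a sliding time window, noting whether that source also obtained an accepted login. The threshold, window and log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed auth.log excerpt in OpenSSH's syslog format (not from the assessed host).
SAMPLE_AUTH_LOG = """\
Jan 10 09:15:01 metasploitable sshd[2101]: Failed password for root from 192.0.2.50 port 40122 ssh2
Jan 10 09:15:02 metasploitable sshd[2103]: Failed password for invalid user admin from 192.0.2.50 port 40124 ssh2
Jan 10 09:15:02 metasploitable sshd[2105]: Failed password for msfadmin from 192.0.2.50 port 40126 ssh2
Jan 10 09:15:03 metasploitable sshd[2107]: Failed password for root from 192.0.2.50 port 40128 ssh2
Jan 10 09:15:03 metasploitable sshd[2109]: Failed password for invalid user test from 192.0.2.50 port 40130 ssh2
Jan 10 09:15:04 metasploitable sshd[2111]: Accepted password for msfadmin from 192.0.2.50 port 40132 ssh2
Jan 10 09:20:10 metasploitable sshd[2201]: Failed password for alice from 192.0.2.77 port 51000 ssh2
"""

_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2021):
    """Return (timestamp, 'Failed'|'Accepted', user, src_ip); syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = _AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Alert on each source with >= threshold failures inside any window; record any accepted login."""
    failures, accepted = defaultdict(list), set()
    for ts, result, _user, src in events:
        if result == "Failed":
            failures[src].append(ts)
        else:
            accepted.add(src)
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                alerts[src] = {"failures": len(times), "followed_by_success": src in accepted}
                break
    return alerts
```

An alert whose source also has an accepted login is the case to escalate first, since the guessing may have succeeded.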

VNC
After opening the Metasploit framework, a simple search based on VNC service version 3.3
returned exploits or modules connected to the VNC service utilized in Metasploitable.

Risk Rating : Critical

Remediation :

The purple team has recommended securing the VNC service of the Metasploitable system with a
strong password.

Linux Telnetd

Telnet is an application protocol for obtaining remote administrative access to another system.
Telnet's port number is 23, and the target machine's Telnet port 23 is open.

Telnet's fundamental security problem is that it sends data in plain text, so an attacker may
obtain the login and password by running a Wireshark capture in the background on the
network. As seen below, these were entered to log into the system.

Risk Rating : Medium

Remediation :

As Telnet is unsecured and transfers data in clear text, it is highly advised that SSH is used instead.

Risk Analysis

Findings by severity: Critical 3, High 1, Medium 1.

Severity Rating / Vulnerability / Remediation

High - vsftpd 2.3.4: Upgrade to the latest FTP version.

Critical - SSH_LOGIN Bruteforce Attack: Follow the SSH hardening instructions and update the
default parameters in ssh config to improve the authentication procedure and meet the required
security level.

Critical - VNC: Use a strong password.

Critical - Open Root Bind Shell: Remove the bind shell. If this is not an allowed or anticipated
activity, activate the Incident Response Plan.

Medium - Linux Telnetd: As Telnet is unsecured and transfers data in clear text, it is highly
advised that SSH is used instead.

Final Analysis
Various information gathering and scanning techniques and methodologies should be used to
detect the vulnerabilities in a target. The Nessus scan and the Legion tool uncovered more
vulnerabilities than Nmap scanning. Metasploit can be used to exploit the majority of the
vulnerabilities found. A pen tester's job is to uncover any conceivable gaps that an attacker may
exploit to gain access to a target. If the suggested measures are implemented as quickly as
feasible, a pen testing operation will only deliver an improvement in security for the target host.
The best suggestion for the vulnerabilities discovered in Wayne Industries' operating system is to
upgrade the versions they are running; the most recent or patched versions should be used.
