IT20147228 AIAAssignment 02
All content following this page was uploaded by Sathishka Punyasiri on 06 June 2023.
Individual Assignment
IE3022-Applied Information Assurance
Submitted by
Date of submission: 04/24/2022
Contents
Abstract
Introduction
  Scenario
  Penetration testing
Reconnaissance
  Nmap
    IE8WIN7 – 192.168.56.103
    OWASPBWA – 192.168.56.104
    METASPLOITABLE – 192.168.56.102
Exploiting Process (OWASP machine)
  OWASP Broken Web Application
    SQL injection
    HTML Injection
Conclusion
Abstract
Penetration testing was performed on various company IT assets by the SecureX VAPT (Vulnerability
Assessment and Penetration Service) team. A corporation called "Wayne Industries" has engaged SecureX
to conduct a thorough penetration test. This was done to determine the present degree of security inside
the organization by testing how well its security systems operate under attack. Kali Linux will be used to
attack an OWASP virtual machine for this presentation, since some of the sites are irrelevant to the lab
activities in this training series.
Several flaws in the systems were discovered during this penetration test. The report also contains
suggestions for addressing the issues identified in its findings. Since most of these flaws and bad
practices are widespread and can be found in almost any penetration test, we can say that the overall
security of 'Wayne Industries' systems is adequate. The systems will be more secure if the report's
suggestions are put into action quickly and efficiently.
Introduction
Scenario
'Wayne Industries' is a major Sri Lankan corporation that has modified its services in a more user-
friendly fashion in recent years. Thus, a data system including various machine types and operating
systems has been established to complete the internal network used in the company's operations.
Penetration testing will be conducted by the pen testing team. Three groups worked on this: red,
blue, and purple teams. To examine the hospitals' current resistance to attacks, the red team will
conduct evaluations of the network both internally and externally. The blue team will review the
red team's work. The purple team will evaluate the blue team's defensive suggestions in order to
address the vulnerabilities discovered by the red team.
Penetration testing
Computer systems or networks are subjected to simulated external and internal network attacks during
penetration testing, also known as pen testing. This helps an organization uncover system flaws and the
risks they pose to the organization. An organization can use this information to improve its present
security measures before a bad actor bypasses them, giving it an advantage in the race to protect its
systems.
The penetration tester must follow a series of steps in order to successfully complete a penetration test:
• Pre-engagement
• Information gathering and reconnaissance
• Threat modelling
• Vulnerability analysis
• Exploitation
• Post-exploitation
• Reporting
Reconnaissance
Nmap
Red team members run Nmap scans on each system after discovering the machines and their ports.
Nmap is a free and open-source network scanner. Nmap finds computers and services on a network by
sending packets and analyzing the responses. Besides detecting which devices are running on the targeted
system, it also identifies accessible hosts, open ports, and potential security risks. The port status of these
domains and subdomains is what interests us here. Nmap offers a wide range of scan options; TCP SYN,
UDP, and FTP bounce scans are only a few examples of these scan types.
The red team's next step in this exercise was to identify the operating system on each host, as well as the
open ports on each computer. They used this tool to scan each machine for that purpose.
IE8WIN7 – 192.168.56.103
The Nmap scan results showed the following:
• OpenSSH 6.7 (protocol 2.0), netbios-ssn, and a few other open ports are running on this
system.
OWASPBWA – 192.168.56.104
The Nmap scan identified a number of security issues.
The red team members have set up this computer to serve as a web server for
Wayne Industries.
METASPLOITABLE – 192.168.56.102
This may be determined by looking at a person's most recent IP address.
SQL injection
SQL injection, more often referred to as SQLi, is a common attack method that involves
injecting malicious SQL code into backend database queries in order to gain access to data that was
never intended to be displayed. This data might include anything from confidential company
information to user lists to personally identifiable information about individual customers.
The red team employed a SQL injection technique to obtain all of the login information
for this interface.
Enter syntax that modifies the SQL query into the "Name" input. In this example
we used ' or 1=1 -- . This causes the application to perform the query:
SELECT * FROM users WHERE username = '' OR 1=1-- ' AND password = 'foo'
Because the comment sequence (--) causes the remainder of the query to be ignored, this is
equivalent to:
SELECT * FROM users WHERE username = '' OR 1=1
In this example the SQL injection attack has resulted in a bypass of the login, and we are now
authenticated as "admin".
SQL injection mitigation strategies that can be applied:
Against such a wide range of attack vectors, preventative measures such as input validation, parameterized
queries, stored procedures, and escaping work well. Because SQL injection attacks can take many forms,
any single database security measure on its own is typically ineffective. To be protected from all angles,
combine the above-mentioned strategies with a solid WAF. The primary benefit of a WAF is that it covers
custom web-based apps that would otherwise go unprotected.
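The following is an added example, not code from the assignment or from OWASP BWA, that reproduces the login bypass above against a constructed in-memory SQLite table and then shows the parameterized query the mitigation section recommends; the table contents and function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data, not the lab's users table: one account is enough
    # to show the difference between the two query styles.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    # The "Name" field is pasted straight into the SQL text, so the input
    # ' or 1=1 -- turns the statement into
    # SELECT * FROM users WHERE username = '' OR 1=1-- ' AND password = 'foo'
    # and the -- comment discards the password check entirely.
    query = ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized query: the values travel separately from the SQL text, so
    # the same payload is compared literally against the username column and
    # never becomes part of the WHERE clause.
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable login with payload ->", login_vulnerable(db, payload, "foo"))
    print("parameterized login with payload ->", login_safe(db, payload, "foo"))
```

The vulnerable function returns "admin" for the payload, while the parameterized one returns None because no user is literally named ' or 1=1 --.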
HTML Injection
HTML injection may occur when user- or attacker-controlled input is included in the web server response
without being encoded. This means the attacker can deliver data that is then included in the web page that
the victim sees.
Insert a searchable test string, such as "CANARY", into the web page's accessible parameters together with
characters often used in HTML, JavaScript, or other code.
Make note of any places where the test string appears unencoded in the response. Be aware that some of
these locations may allow HTML injection.
Determine the prefix and suffix needed to make the injected code "fit" syntactically, then add a
payload between them and inject it.
The red team used the example HTML code <h1>sliit hacked</h1> to test whether the page is
vulnerable to HTML injection.
Avoid incorporating user input into emails if at all possible. Before including user input in emails, make
sure it is HTML-encoded. Identifying malicious content and rejecting the request can be accomplished by
using regular expressions or other means.
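As an added example (not part of the report or of any OWASP BWA code), the canary test from the steps above and the HTML-encoding mitigation, applied to a constructed page template; the template, function names and the regular expression are assumptions for this illustration.

```python
import html
import re

# Constructed probe: a searchable marker plus the characters HTML injection
# needs. If it comes back verbatim, the parameter is reflected unencoded.
CANARY = 'CANARY<>"\''

# Constructed page fragment standing in for the search page's response.
TEMPLATE = "<p>You searched for: {{value}}</p>"

# Regex used for the "reject obvious markup" check; hypothetical, not from the report.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def render_vulnerable(template, value):
    # Reflects the parameter verbatim, the behaviour the <h1> test exposed.
    return template.replace("{{value}}", value)


def render_safe(template, value):
    # Entity-encodes < > & " ' before the value reaches the page, so injected
    # tags are displayed as text instead of being parsed by the browser.
    return template.replace("{{value}}", html.escape(value, quote=True))


def reflection_status(response_body, canary=CANARY):
    """Classify how the probe came back: 'unencoded', 'encoded' or 'absent'."""
    if canary in response_body:
        return "unencoded"
    if html.escape(canary, quote=True) in response_body:
        return "encoded"
    return "absent"


def looks_like_markup(value):
    # Cheap server-side pre-check: reject input that contains an HTML tag start.
    # It complements encoding; it does not replace it.
    return bool(MARKUP_RE.search(value))


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        print(name, "->", reflection_status(fn(TEMPLATE, CANARY)))
    print("safe render of the report's test string:",
          render_safe(TEMPLATE, "<h1>sliit hacked</h1>"))
```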
Conclusion
The full internal and external system was continuously scanned for vulnerabilities, and logical
flaws and best-practice issues were found regularly while gathering information and scanning for
vulnerabilities.
Many of these flaws are the kind routinely discovered during a penetration test. Therefore, it can be
said that Hopewell Hospital's infrastructure has an appropriate degree of security measures when seen in
the context of its total security.