Uploaded by Yash

Network VAPT

Network Vulnerability Assessment and Penetration Testing (VAPT)

Network Vulnerability Assessment and Penetration Testing (VAPT) is a critical
process in cyber security, focusing on evaluating the security of a network
infrastructure. By identifying vulnerabilities and attempting to exploit them,
VAPT simulates the actions of a malicious hacker to assess the security posture
of a network. This helps organizations understand the weaknesses in their
networks and implement necessary measures to protect their assets.

Steps Involved in Network VAPT

1. Preparation:
o Define the scope of the assessment, including network segments,
systems, and applications to be tested.
o Establish goals, such as identifying vulnerabilities, assessing
compliance with security policies, or evaluating the effectiveness
of existing security measures.
o Obtain permissions from relevant stakeholders to ensure that the
testing is authorized and does not disrupt business operations.
2. Information Gathering:
o Collect data about the target network, including IP addresses,
domain names, network architecture, and existing security
measures.
o Use tools like Whois, DNS queries, and network mapping to gather
as much information as possible.
3. Vulnerability Scanning:
o Use automated tools to scan the network for known
vulnerabilities. These tools typically identify issues such as open
ports, outdated software versions, and misconfigurations.
o Example tools: Nmap, OpenVAS, Nessus.
4. Manual Testing:
o Manually verify the vulnerabilities detected during the scanning
phase to eliminate false positives.
o Explore the vulnerabilities in greater depth to understand their
potential impact and the feasibility of exploitation.
5. Exploitation:
o Attempt to exploit identified vulnerabilities to determine if
unauthorized access or other malicious actions are possible.
o This step simulates the actions of an attacker and helps to assess
the effectiveness of existing security controls.
6. Post-Exploitation:
o Assess the extent of the compromise achieved through
exploitation. Determine what sensitive information could be
accessed or what systems could be controlled.
o Evaluate the potential damage that could result from the
exploitation of the vulnerabilities.
7. Documentation:
o Record all findings, including the vulnerabilities identified, the
steps taken to exploit them, and the potential impact.
o Include screenshots, logs, and other evidence to support the
findings.
8. Reporting:
o Prepare a detailed report summarizing the findings, including
recommendations for mitigating the identified vulnerabilities.
o Present the report to stakeholders, providing them with
actionable insights to enhance the security of their network.
9. Follow-up:
o Monitor the implementation of recommended security measures
and conduct retests to ensure that vulnerabilities have been
effectively addressed.
o Continuous monitoring is essential to maintain a secure network
environment.

Tools and Methods for Network Scanning

Network scanning is a crucial aspect of VAPT, involving the discovery of active
hosts, open ports, and services running on a network. Here are some of the
popular tools and methods used:

Tools:

1. Nmap (Network Mapper):
o A versatile and widely-used tool for network discovery and
security auditing. Nmap can perform various types of scans,
including ping sweeps, port scans, and version detection.
2. Wireshark:
o A network protocol analyzer that captures and displays data
traveling on a network. It can be used to analyze network traffic
and detect anomalies or security issues.
3. OpenVAS (Open Vulnerability Assessment System):
o An open-source vulnerability scanner that detects thousands of
known vulnerabilities in network services, operating systems, and
applications.
4. Nessus:
o A popular vulnerability scanner that identifies vulnerabilities,
misconfigurations, and malware in network devices and
applications.
5. Netcat (nc):
o A networking utility that reads and writes data across network
connections. It’s useful for port scanning and banner grabbing.

Methods:

1. Ping Sweep (ICMP Echo Request):
o Sends ICMP echo requests to a range of IP addresses to identify
active hosts on the network.
2. TCP SYN Scan (Half-open Scan):
o Sends SYN packets to target ports and listens for SYN-ACK
responses, determining if a port is open.
3. TCP Connect Scan:
o Establishes a full TCP connection with the target port to check if it
is open.
4. UDP Scan:
o Sends UDP packets to target ports and analyzes responses to
determine if the port is open.
5. OS Detection:
o Analyzes responses from the target to identify the operating
system.
6. Service Version Detection:
o Determines the version of the service running on target ports by
analyzing responses.
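As an added illustration (not from the original document), this Python script exercises the TCP connect scan and service version detection methods above against a local listener it starts itself, so the methodology can be checked in a lab without touching any network you do not own; the listener, its SSH-style banner and the port choices are constructed for the example.

```python
import socket
import threading

def start_banner_listener(banner):
    """Constructed stand-in for a real service: a local TCP listener that
    greets every client with `banner`, as SSH or SMTP daemons do."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # port 0: the OS picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                    # listener was closed: stop serving
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: complete the three-way handshake on each port, then
    read briefly so the banner can feed service version detection."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:               # refused or timed out: not open
                results[port] = {"state": "closed", "banner": ""}
                continue
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except OSError:               # open, but the service stays silent
                banner = ""
            results[port] = {"state": "open", "banner": banner}
    return results

def free_closed_port():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))          # reserve, then release: now closed
        return s.getsockname()[1]

def demo():
    srv, open_port = start_banner_listener(b"SSH-2.0-OpenSSH_9.6\r\n")
    results = connect_scan("127.0.0.1", [open_port, free_closed_port()])
    srv.close()
    return results
```

A full handshake per port is what makes the connect scan show up in the target's own connection logs, unlike the half-open SYN scan described above.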

Script Scanning to Identify Vulnerabilities (CVEs)

Script scanning automates the process of identifying vulnerabilities, including
those listed in the Common Vulnerabilities and Exposures (CVE) database. Here
are methods and tools commonly used:

Vulnerability Scanning Tools:

1. OpenVAS:
o Scans networks and systems for known vulnerabilities, including
CVEs.
2. Nessus:
o Identifies vulnerabilities in networks, systems, and applications,
including CVE-listed vulnerabilities.
3. QualysGuard:
o A cloud-based vulnerability management solution that identifies
CVE-listed vulnerabilities.

Script Scanning Methods:

1. Custom Scripts:
o Security professionals create custom scripts using languages like
Python, Bash, or PowerShell to scan for specific CVE-listed
vulnerabilities.
2. Nmap Scripting Engine (NSE):
o Nmap’s scripting engine allows users to create custom scripts to
identify vulnerabilities, including CVEs.

Tools and Techniques for Analyzing Network Traffic

Network traffic analysis is essential for understanding data flow, identifying
potential threats, and optimizing performance.

Packet Sniffers:

1. Wireshark:
o Captures and displays network packets, decoding various
protocols and providing detailed packet information.
2. Tcpdump:
o A command-line packet analyzer that captures packets and can
display them in real-time or save them for later analysis.

Flow-based Analysis:

1. NetFlow:
o Collects and aggregates network traffic flow data, providing
insights into traffic patterns and bandwidth utilization.
2. sFlow:
o Provides real-time traffic sampling and can be used to analyze
traffic patterns and detect anomalies.

Protocol Analyzers:

1. Microsoft Message Analyzer:
o Provides in-depth capture and analysis of communication
protocols, with real-time data analytics.
2. NetworkMiner:
o A network forensic analysis tool that parses PCAP files and
extracts files transferred over the network.

Security Information and Event Management (SIEM) Systems:

1. Splunk:
o Ingests and analyzes large volumes of network traffic data,
correlating network events with other security data.
2. ELK Stack (Elasticsearch, Logstash, Kibana):
o An open-source SIEM solution that collects, parses, and analyzes
network traffic data.

Deep Packet Inspection (DPI):

1. Snort:
o An open-source network intrusion detection system that uses DPI
to analyze network traffic for signs of malicious activity.
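From the defender's side, here is an added example (not from the original document) of the detection logic a SIEM correlation rule or NIDS port-scan preprocessor applies to the SYN and connect scans described earlier: it alerts on a source that probes many distinct ports on one host inside a short window. The log format and every address in it are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a simple firewall style; not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SYN src=10.0.0.5 dst=10.0.0.20 dport=22
2024-05-01T10:00:01 SYN src=10.0.0.5 dst=10.0.0.20 dport=80
2024-05-01T10:00:01 SYN src=10.0.0.5 dst=10.0.0.20 dport=443
2024-05-01T10:00:02 SYN src=10.0.0.5 dst=10.0.0.20 dport=8080
2024-05-01T10:00:02 SYN src=10.0.0.5 dst=10.0.0.20 dport=3389
2024-05-01T10:00:05 SYN src=10.0.0.7 dst=10.0.0.20 dport=443
2024-05-01T10:02:00 SYN src=10.0.0.9 dst=10.0.0.20 dport=22
2024-05-01T10:09:00 SYN src=10.0.0.9 dst=10.0.0.20 dport=80
2024-05-01T10:16:00 SYN src=10.0.0.9 dst=10.0.0.20 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SYN src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for an unrecognised line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def detect_port_scans(lines, min_ports=5, window_s=10):
    """Alert once per (src, dst) pair that probes at least `min_ports` distinct
    ports inside any `window_s`-second span: the footprint a SYN/connect scan
    leaves even though each probe on its own looks like an ordinary attempt."""
    recent = defaultdict(deque)           # (src, dst) -> deque of (ts, dport)
    alerts, alerted = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        q = recent[(src, dst)]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                   # slide the window forward
        ports = {p for _, p in q}
        if len(ports) >= min_ports and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append({"src": src, "dst": dst, "ports": sorted(ports),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG.splitlines()))
```

The slow probe from 10.0.0.9 (one port every seven minutes) stays under the 10-second window, which is why such thresholds need tuning and why scan alerts should be correlated with longer-term flow data such as NetFlow.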

Practical Application

Objective: Scan the target website www.testfire.net for open services and
potential vulnerabilities using Nmap.

Command: nmap www.testfire.net

Scan Tool Used: Nmap

Scan Scope: Full scan of all ports and services on www.testfire.net

Findings:

1. Open Ports:
o Port 80 (HTTP): Open, associated with web services.
o Port 443 (HTTPS): Open, associated with secure web services.
o Port 8080 (HTTP-proxy): Open, often used for proxy services.
2. Vulnerabilities:
o Weak DH Parameter: Detected with a size of less than 1024 bits
on port 443 (HTTPS). This indicates a vulnerability to the Logjam
attack (CVE-2015-4000).
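To show how raw scanner output becomes the findings recorded in the Documentation step, this added Python example (not part of the original document) parses Nmap's port table together with ssl-dh-params script output and grades the Diffie-Hellman modulus length; the scan text is a constructed sample with an invented host and a 512-bit group, and the 1024/2048-bit severity thresholds are assumptions.

```python
import re

# Constructed sample modelled on Nmap output with the ssl-dh-params NSE script.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|             Modulus Length: 512
|_            Generator Length: 8
8080/tcp open  http-proxy
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
DH_RE = re.compile(r"^\|_?\s+Modulus Length:\s*(\d+)")

def parse_nmap(text):
    """Read the port table; script output lines belong to the port line above."""
    records, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m[1]), "proto": m[2], "state": m[3],
                       "service": m[4], "dh_bits": None}
            records.append(current)
            continue
        m = DH_RE.match(line)
        if m and current is not None:
            current["dh_bits"] = int(m[1])
    return records

def classify_dh(bits):
    """Assumed thresholds: <1024 bits is Logjam-class, <2048 is below practice."""
    if bits is None or bits >= 2048:
        return None
    if bits < 1024:
        return "high", f"{bits}-bit DH group, Logjam-class (CVE-2015-4000)"
    return "medium", f"{bits}-bit DH group, below the 2048-bit minimum"

def findings(text):
    open_ports = [r for r in parse_nmap(text) if r["state"] == "open"]
    vulns = []
    for r in open_ports:
        f = classify_dh(r["dh_bits"])
        if f:
            vulns.append({"port": r["port"], "severity": f[0], "detail": f[1]})
    return {"open_ports": [r["port"] for r in open_ports], "vulns": vulns}
```

The fix for a weak group is on the server side (a 2048-bit or larger DH group, or ECDHE cipher suites), which a retest with the same script confirms in the Follow-up step.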

Recommendations:

• Regularly update SSL/TLS certificates to ensure secure communication.

• Ensure that SSL/TLS implementations are up to date with the latest
security patches.

Conclusion:

• The scan revealed three open ports on www.testfire.net, with a
significant vulnerability related to weak Diffie-Hellman parameters on
the HTTPS port. Immediate steps should be taken to address this
vulnerability and ensure the overall security of the network.

