Sri Lanka Institute of Information Technology
Penetration Testing Report for a Scenario
based on Labs.
Individual Assignment
IE3022 - Applied Information Assurance
Student Registration Number: IT2127004
Student Name: Nupearachchige P. G. N
Table of Contents
Introduction
Technical Review
Penetration test on Target 01 (metasploitable2)
Penetration test on Target 02 (Windows Server 2008)
Recommending Mitigation Controls
Conclusion
Introduction
A company called "CyberOps", which offers VAPT (Vulnerability Assessment and Penetration
Testing) services, was hired by "Sentinal Industries" to carry out a full penetration test of their
network and applications. The work has been split among three groups: red, blue and purple.
• The "red team" examines both internal and external networks and applications to find
weaknesses that attackers could use.
• The blue team looks at the threats demonstrated by the red team and assesses how ready the
company is for them.
• The purple team reviews how the tests were carried out and how well the blue team's
protective strategies and controls worked.
"Sentinal Industries" has not told the red team which areas are out of scope, and they do not need a
risk management report at this stage. They do need a short business impact review that lists every
weakness and vulnerability that was found. The company also needs an evaluation of how well
their existing controls are working, together with suggestions for improving them so that threats are
reduced and the problems caused by the weaknesses are fixed.
Overall, "CyberOps" is committed to giving "Sentinal Industries" a full review and recommendations
that will help them improve their security and keep their most important assets safe from cyber
threats.
The goal of this engagement is to establish how secure Sentinal Industries is and how easily an attacker
could get in.
Technical Review
Information Gathering and Scanning (Reconnaissance)
To carry out a good security test, we need to know enough about the target we will be scanning. Reconnaissance
and footprinting can take up to a month to complete properly. During information gathering, a number of tools
can be used to cover a range of methods. At this stage we are more interested in the location, people, behaviour
and layout of the system than in sensitive material.
1) ifconfig
This network utility lets users view and configure the network interfaces on a system.
2) theHarvester
theHarvester is a widely used reconnaissance tool in ethical hacking and cybersecurity investigations. It
scrapes information about a given target from a range of sources, including search engines, public media
platforms and domain name registrars. It can collect many kinds of information, such as e-mail addresses,
subdomains and employee names. This information is valuable when planning a vulnerability assessment or
penetration test.
3) Maltego
Maltego is a powerful tool for gathering information about "Sentinal Industries" websites during a
penetration test. By selecting the "Website" entity and entering the website's domain name or IP
address, Maltego can retrieve information such as server details, subdomains and related websites.
This data supports a thorough security assessment of the website and helps identify flaws that
attackers might exploit.
4) Recon-ng
The red team uses the Recon-ng Framework to perform reconnaissance on "Sentinal Industries"
websites. With this tool the team can compile data on domain names, subdomains, IP addresses,
open ports and other details that can be used to spot flaws in web applications. The modular design
of Recon-ng makes it simple to automate and adapt the information gathering process. Using
Recon-ng the red team can thoroughly examine the web applications and find any vulnerabilities
that attackers might use.
Penetration test on Target 01 (metasploitable2)
The IP address '192.168.100.6' of machine 1 was obtained with the command ifconfig, and the open
ports of machine 1 were identified with the command
nmap -sV -p 21,22,139,445,443,80 -v 192.168.100.7
This command uses the nmap network scanner to identify the software versions running on the
specified ports (FTP, SSH, NetBIOS session, SMB, HTTPS and HTTP) of the target IP address
192.168.100.7. The -sV option performs service version detection and -v gives verbose output.
The nmap scan above identified several open ports among those given in the command. In this penetration
test of "Sentinal Industries" I am focusing mainly on the open SSH port.
Critical SSH weaknesses include weak encryption, brute-force attacks, key compromise, outdated software,
misconfiguration, port exhaustion, denial of service, user enumeration and tunnelling abuse. Regular updates,
secure configuration and protection of SSH keys mitigate these risks.
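As an added example (my own code, not part of the original report), the following Python script parses nmap's grepable output (-oG) and compares each host's open ports against an agreed baseline, so the blue team can see at a glance which services are exposed without a business reason. The sample scan text, the service and version strings, and the baseline are constructed placeholders, not the report's real results.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output. Version strings are
# illustrative placeholders, not the report's actual scan results.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.100.7 ()\tStatus: Up
Host: 192.168.100.7 ()\tPorts: 21/open/tcp//ftp//example-ftpd 1.0/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 80/open/tcp//http//Apache httpd 2.2.8/, 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 443/closed/tcp//https///, 445/open/tcp//netbios-ssn//Samba smbd 3.X/\tIgnored State: closed (0)
# Nmap done (constructed sample)
"""

# Hypothetical baseline agreed with the asset owner: which ports each host
# is supposed to expose. Anything else is a finding for the blue team.
BASELINE = {"192.168.100.7": {22, 80}}

# One -oG port entry has seven '/'-separated fields:
# port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and the "Status: Up" line carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":
                hosts[host].append((int(port), proto, service, version.strip()))
    return dict(hosts)


def unexpected_exposure(hosts, baseline):
    """Open ports that are not in the host's baseline (a host with no baseline
    entry is treated as 'nothing expected', so all of its open ports are flagged)."""
    findings = {}
    for host, entries in hosts.items():
        allowed = baseline.get(host, set())
        extra = [e for e in entries if e[0] not in allowed]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), BASELINE).items():
        for port, proto, service, version in extra:
            print(f"{host}: {port}/{proto} {service} ({version}) is not in the baseline")
```

Running the same comparison against each scan in a repeated engagement turns a one-off nmap listing into a change report: a port that appears in the findings after having been absent is either a new business service or a new exposure, and either way somebody should be able to say which.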
Below is the Nessus scan for machine 1.
This section shows password cracking with the Hydra tool. Two text files first have to be created
to hold the set of usernames and the set of passwords, as shown in the figures below.
hydra -L Usernames.txt -P Passwords.txt ssh://[192.168.100.7]/
The Hydra command above brute-forces the SSH server at IP address 192.168.100.7. The -L flag points
to a file of usernames, the -P flag points to a file of passwords, and "ssh://[IP_ADDRESS]/" names the
server to connect to. Hydra keeps trying username and password pairs from the two files until one is
accepted, which is how an attacker would gain unauthorised access and could be harmful to the
"Cyber Sentinals".
Using the above command, the password of machine 1 was cracked through the open SSH port.
Username: msfadmin
Password: msfadmin
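From the defender's side, a run like the one above leaves a clear trace in the SSH server's authentication log: a burst of "Failed password" lines from one source address, often followed by an "Accepted" line from the same address. As an added example, not part of the original report, this Python script parses syslog-style OpenSSH auth.log lines, raises an alert when one address produces five or more failures inside a 60-second window, and flags any login accepted from that address afterwards. The log lines, addresses, timestamps and usernames are constructed; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth.log lines (syslog format). The source
# addresses, timestamps and usernames are illustrative, not from the report.
SAMPLE_AUTH_LOG = """\
Nov  3 10:15:01 target sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Nov  3 10:15:02 target sshd[2203]: Failed password for root from 192.0.2.10 port 51235 ssh2
Nov  3 10:15:02 target sshd[2205]: Failed password for invalid user test from 192.0.2.10 port 51236 ssh2
Nov  3 10:15:03 target sshd[2207]: Failed password for msfadmin from 192.0.2.10 port 51237 ssh2
Nov  3 10:15:03 target sshd[2209]: Failed password for msfadmin from 192.0.2.10 port 51238 ssh2
Nov  3 10:15:04 target sshd[2211]: Accepted password for msfadmin from 192.0.2.10 port 51239 ssh2
Nov  3 10:20:30 target sshd[2301]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov  3 10:21:10 target sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X from IP port N" and
# "Accepted publickey for X from IP port N" style lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2023):
    """Parse one auth.log line into a dict, or None if it is not a login event.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in "Nov  3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts in time order:
      ("burst", ip, first_failure_ts, count)  once `threshold` failures from
                                              one address fall inside `window`
      ("success_after_burst", ip, user, ts)   for a login accepted from an
                                              address that already triggered a burst
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # ip -> timestamps inside the window
    flagged = set()
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            recent_failures[ip].append(e["ts"])
            # drop failures that have fallen out of the sliding window
            recent_failures[ip] = [t for t in recent_failures[ip] if e["ts"] - t <= window]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, recent_failures[ip][0], len(recent_failures[ip])))
        elif ip in flagged:
            # a success after a burst is the signal that guessing worked
            alerts.append(("success_after_burst", ip, e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The second alert type is the one worth paging on: a burst alone may be noise from a misconfigured client, but an accepted login from an address that was guessing seconds earlier means the account should be treated as compromised and the session terminated. The same logic maps directly onto a SIEM rule (group by source address, count failures in a window, correlate with a later success).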
Penetration test on Target 02 (Windows Server 2008)
The IP address '192.168.100.4' of machine 2 was obtained with the command
ipconfig
nmap was then used in the same way as for the previous machine; note that this machine's IP address
is dynamic rather than static. The command is the same:
nmap -sV -p 21,22,139,445,443,80 -v 192.168.100.4
More information about the target can be found by looking up the discovered service versions on
Exploit-DB.
First, the PostgreSQL database service has to be started before continuing with the following commands.
The msfconsole command opens the Metasploit console.
Exploit modules can be searched with the command 'search [service name]'. The following command was
used to search for exploit modules:
search MS17-10
Information about a module can be displayed with the command info [module name / module number].
Then we can choose the exploit to use from the list. I am choosing exploit number 0 with the command use 0.
Next, set RHOST, which is simply the targeted machine's IP address, and set LHOST, our own machine's IP
address, for the following step.
Finally, the exploit (or run) command carries out the exploitation.
Once inside the targeted machine, you can move through its different directories.
Recommending Mitigation Controls
I. Update the operating systems of all machines, particularly those with internet connectivity:
older operating systems are more likely to have well-documented vulnerabilities that malicious
actors can use.
II. Implement robust password policies and enable two-factor authentication for all user
accounts: this makes it much harder for an attacker to gain unauthorised access to systems,
even when they hold the correct password.
III. Control access to computers with a firewall that limits connectivity to only the essential ports
and IP addresses: this blocks access attempts by attackers against devices that are meant to
remain unreachable to them.
IV. Use a remote monitoring and management (RMM) solution to oversee and inspect computer
systems for illicit or suspicious activity: an RMM tool can promptly identify and respond to
attacks, reducing the potential for substantial harm.
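To make recommendation II concrete for the SSH finding on machine 1, here is an added Python example (my own code, not from the report) that audits an sshd_config file. It resolves the effective value of each keyword the way sshd does (the first occurrence of a keyword wins, and OpenSSH's documented compiled-in defaults apply to anything not set) and lists every setting that still leaves password guessing possible. Both configuration fragments are constructed: the weak one resembles a default install that a wordlist attack would succeed against, the hardened one is what the blue team should deploy.

```python
# Constructed sshd_config fragments; neither is taken from the report.
WEAK_SSHD_CONFIG = """\
# weak: password logins, root login and empty passwords all allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 10
"""

HARDENED_SSHD_CONFIG = """\
# hardened: key-only login, no root, explicit user group, tight limits
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
AllowGroups ssh-users
"""

# OpenSSH compiled-in defaults (sshd_config(5)) used when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "logingracetime": "120",
}

# (keyword, predicate on the effective value, why it matters)
CHECKS = [
    ("permitrootlogin", lambda v: v == "no", "root login over SSH should be disabled"),
    ("passwordauthentication", lambda v: v == "no", "password logins allow wordlist attacks; use keys plus 2FA"),
    ("pubkeyauthentication", lambda v: v == "yes", "public-key authentication must remain enabled"),
    ("permitemptypasswords", lambda v: v == "no", "empty passwords must be refused"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 4, "limit guesses per connection"),
    ("logingracetime", lambda v: v.isdigit() and int(v) <= 60, "short grace time limits half-open login sessions"),
    ("allowgroups", lambda v: v != "", "restrict SSH to an explicit group of accounts"),
]


def parse_sshd_config(text):
    """Return the effective keyword->value map (lower-cased keys).
    sshd honours the first occurrence of a keyword, so later duplicates are ignored."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return [(keyword, effective_value, explanation)] for every failed check."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, ok, why in CHECKS:
        value = cfg.get(key, DEFAULTS.get(key, ""))
        if not ok(value.lower()):
            findings.append((key, value, why))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(text))} finding(s)")
        for key, value, why in audit_sshd_config(text):
            print(f"  {key} = {value!r}: {why}")
```

Disabling PasswordAuthentication is the single change that would have stopped the Hydra run on machine 1 outright; the remaining checks (root login, attempt limits, an explicit AllowGroups list) shrink what an attacker can do with any credential they do obtain, and the two-factor requirement in recommendation II is layered on top of key authentication rather than replacing it.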
Conclusion
The penetration test conducted by CyberOps revealed critical, high, medium, and low
vulnerabilities within Sentinal Industries' systems. These vulnerabilities stem from the
company's inadequate implementation of security controls. To address these shortcomings and
safeguard its infrastructure, Sentinal Industries must adopt a proactive approach to cybersecurity
by implementing a comprehensive security strategy that encompasses both technical and
organizational measures.