Reference no: EM133674447
Advanced Cyber Exploitation and Mitigation Methodologies
Project 1: Reconnaissance and Enumeration
Task 1: Gather Publicly Available Information
1) Open a web browser and search for the name of the Damn Vulnerable Web App instance.
2) Look for any publicly available information about the target organization, such as company websites, social media profiles (e.g., Facebook, LinkedIn), and job postings.
a) In this case, you will find a plethora of information regarding these intentionally vulnerable systems. You will not find standard corporate information like you would during a real penetration test, but the habit, technique, and process are good to practice. Furthermore, you will be able to learn more about the images, the technology stacks used, and the intentionally present vulnerabilities. All of this will become important in later phases of the penetration test.
3) Take notes on any information found. Notes are always helpful!
Task 2: Perform Service Banner Grabbing
1. Open a terminal window (Command Prompt on Windows, Terminal on macOS/Linux).
2. Use the "nc" (Netcat) command followed by the IP address and port number to connect to a service running on the Damn Vulnerable Linux instance. For example: nc umgc-web-dvwa.azurewebsites.net 80 to connect to the HTTP service on port 80. You can also use the IP address 10.13.246.8 instead of the name.
3. Note the response received, which may include information about the service and its version number.
4. Repeat this process for other common services such as HTTP (port 80), HTTPS (port 443), FTP (port 21), etc., using the appropriate port numbers. Base your activities on what you discovered during earlier steps.
Task 3: Fingerprint Service Versions Through Telnet
1. Open a terminal window (Command Prompt on Windows, Terminal on macOS/Linux).
2. Use the "telnet" command followed by the IP address and port number to connect to a service running on the Damn Vulnerable Web App instance. For example: telnet umgc-web-dvwa.azurewebsites.net 80 to connect to the HTTP service on port 80. You can also use the IP address 10.13.246.8 instead of the name.
3. Interact with the service by sending commands (e.g., typing "GET / HTTP/1.0" for HTTP) and observing the responses.
4. Note any information received, such as the server type and version number.
5. Repeat this process for other services on different ports as needed.
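The banner-grabbing steps in Tasks 2 and 3 can be automated and the reply checked for version disclosure, which is the same check a defender runs to confirm a web server's headers have been trimmed. The following Python is an added example, not part of the lab handout: the two sample responses are constructed (not captured from the lab target), and grab_http_banner is a hypothetical helper that stands in for the interactive telnet session.

```python
import re
import socket

# Product/version tokens such as "Apache/2.4.25" or "PHP/7.0.30".
VERSION_TOKEN = re.compile(r"\b([A-Za-z][A-Za-z0-9_.-]*)/(\d+(?:\.\d+)+)")
LEAKY_HEADERS = ("server", "x-powered-by", "via")

def parse_http_banner(raw: bytes) -> dict:
    """Split a raw HTTP response into its status line and a lower-cased header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}

def version_disclosures(headers: dict) -> list:
    """List (header, product, version) for every header value that reveals a version."""
    found = []
    for name in LEAKY_HEADERS:
        for product, version in VERSION_TOKEN.findall(headers.get(name, "")):
            found.append((name, product, version))
    return found

def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Automate the telnet step: send 'GET / HTTP/1.0' and parse the reply headers."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_http_banner(data)

# Constructed sample replies (not captured from the lab target).
VERBOSE_BANNER = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.25 (Debian)\r\n"
                  b"X-Powered-By: PHP/7.0.30\r\nContent-Type: text/html\r\n\r\n<html>")
HARDENED_BANNER = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_BANNER), ("hardened", HARDENED_BANNER)):
        parsed = parse_http_banner(raw)
        print(label, parsed["status"], version_disclosures(parsed["headers"]) or "no versions disclosed")
```

The hardened sample shows what the banner looks like once ServerTokens/expose_php-style settings stop advertising versions; the parser then reports nothing for the same request.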
Active Reconnaissance
Task 1: Scan for Live Hosts with Ping Sweep
1. Open a terminal window on your Linux workstation.
2. Use the "ping" command followed by the network range to perform a ping sweep and identify live hosts: ping -b 10.13.246.8
o This command will send ICMP echo requests to the broadcast address of the network.
3. This will not complete in a reasonable amount of time! Wait a few minutes and then press Ctrl+C to exit the process. We'll see the difference another tool can make in a moment.
Task 2: Use Traceroute to Map Network Paths
1. Open a terminal window on your Linux workstation.
2. Type the following command to perform a traceroute to the Damn Vulnerable Web App instance: traceroute 10.13.246.8
o This command will trace the network path to the specified IP address and display the route taken by packets.
3. Observe the output to identify the hops (routers) between your workstation and the Damn Vulnerable Web app instance.
Task 3: Enumerate Hosts Using Nmap
1. Open a terminal window on your Linux workstation.
2. Type the following command to perform a host discovery (ping sweep) scan of the network containing the Damn Vulnerable Linux instance: nmap -sn 10.13.246.0/24
o This command will scan the specified IP network and determine if any hosts are online and responsive.
3. Wait for the scan to complete and observe the list of hosts.
Document Findings
Enter the information gathered during reconnaissance and enumeration, including details about the targets, services running on the target hosts, and any other relevant findings in Section 3.1 of the Penetration Test Report.
Remember to insert your screenshots in the appropriate appendix in your Penetration Test Report. Also, don't forget to document specific findings from each task in the hands-on sections above.
Finally, answer the Reflection Questions below (insert your answers in the appendix after the screenshots in the Penetration Test Report):
1. Now that you have initiated a penetration test, what do you think are 3-5 goals of penetration testing?
2. How might publicly accessible information gathered during reconnaissance and enumeration further some or all of those goals?
3. What are some differences between active and passive reconnaissance and enumeration?
4. Why is banner grabbing an effective technique to employ?
5. What difference(s) did you observe between the active reconnaissance using ping -b and nmap -sn? What technical explanation is there for your observation?
Project 2: Vulnerability Discovery
Task 1: Scan for Services Using Nmap
We used nmap in Project 1 to conduct basic reconnaissance and enumeration. Now we are going to use additional features to gain more knowledge about our targets. First, let's baseline again to ensure our landscape has not changed.
1. Open a terminal window on your Linux workstation.
2. Use the "nmap" command followed by the network range to perform a ping sweep and identify live hosts: nmap -sn 10.13.246.0/24
3. Take stock of the IP addresses of the live hosts and note if anything has changed.
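Comparing the new sweep against the Project 1 baseline is easier when nmap writes grepable output (nmap -sn -oG - 10.13.246.0/24) and a script does the diff, which is also how a defender spots unexpected hosts appearing on a segment. The following Python is an added example, not part of the lab handout; both sweeps are constructed sample output (only 10.13.246.8 is the page's DVWA address, the other hosts are invented).

```python
import re

# nmap -sn -oG prints one "Host:" line per address it reports, for example:
#   Host: 10.13.246.8 ()    Status: Up
HOST_LINE = re.compile(r"^Host:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(([^)]*)\)\s+Status:\s+(\w+)")

def ip_key(addr: str) -> tuple:
    """Sort key so 10.13.246.8 orders before 10.13.246.20 (numeric, not lexical)."""
    return tuple(int(octet) for octet in addr.split("."))

def live_hosts(grepable: str) -> set:
    """Addresses a sweep reported as Up; comment lines and Down hosts are ignored."""
    up = set()
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            up.add(m.group(1))
    return up

def compare_sweeps(baseline: str, current: str) -> dict:
    """Hosts that appeared, disappeared or stayed between two sweeps of the same range."""
    before, after = live_hosts(baseline), live_hosts(current)
    return {
        "new": sorted(after - before, key=ip_key),
        "gone": sorted(before - after, key=ip_key),
        "unchanged": sorted(before & after, key=ip_key),
    }

# Constructed sample output (not captured from the lab); only 10.13.246.8 is the page's DVWA host.
BASELINE_SWEEP = """# Nmap scan initiated as: nmap -sn -oG - 10.13.246.0/24
Host: 10.13.246.1 ()\tStatus: Up
Host: 10.13.246.8 ()\tStatus: Up
Host: 10.13.246.20 ()\tStatus: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""
CURRENT_SWEEP = """# Nmap scan initiated as: nmap -sn -oG - 10.13.246.0/24
Host: 10.13.246.1 ()\tStatus: Up
Host: 10.13.246.8 ()\tStatus: Up
Host: 10.13.246.77 ()\tStatus: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

if __name__ == "__main__":
    delta = compare_sweeps(BASELINE_SWEEP, CURRENT_SWEEP)
    for kind in ("new", "gone", "unchanged"):
        print(f"{kind:>9}: {', '.join(delta[kind]) or '-'}")
```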
Task 2: Scan for Open Ports and Services Using Nmap
Let's advance and attempt to gain more detailed knowledge about our targets.
1. Open a terminal window on your Linux workstation.
2. Type the following command to perform a port scan on the Damn Vulnerable Linux instance: nmap 10.13.246.8
3. Wait for the scan to complete and observe the list of hosts as well as open ports and services.
4. Now, repeat step 2 using nmap -sS for all hosts identified previously.
o Note whether there is any difference in the results.
5. Now, repeat step 2, this time using nmap -sO for all hosts identified previously.
o Note whether there is any difference in the results.
Task 3: Conduct Vulnerability Assessment Using Nikto
Assuming you found at least one target with a web server (indicated by an open port 80 and/or 443), we can advance again in our discovery process. We'll move away from nmap now and engage a web-specific vulnerability scanner.
1. Open a terminal window on your Linux workstation.
2. Type the following command to run Nikto against the Damn Vulnerable Web App instance: nikto -h 10.13.246.8
o This command will launch Nikto and perform a comprehensive scan of the specified web server (10.13.246.8) to identify potential vulnerabilities and misconfigurations.
3. Wait for the scan to complete and observe the list of vulnerabilities detected by Nikto.
4. Review the scan results to prioritize vulnerabilities based on severity and potential impact.
Task 4: Nessus Vulnerability Scan
First, register for a Nessus Essentials license.
You'll get an email with the activation code.
1. Launch Nessus by browsing to localhost:8834 and use the activation code to register. You'll need to create a local username and password (make it easy to remember).
2. The first time Nessus launches, it will take some time. The tool has to download plugins and compile them. When Nessus is ready, you will see a screen similar to the following:
3. Create a new Basic Network Scan. You can name the scan anything you want, I used "My First Scan". Use the IP address of the DVWA system (10.13.246.8):
4. Click on the "Launch Scan" button:
5. When the scan finishes, you'll see a day and time in the "Last Scanned" column:
6. Click on the scan and you will see an overview screen like the following (note: you may not see these exact vulnerabilities):
7. Click on one of the vulnerability categories to get a list of specific vulnerabilities related to that technology or service:
8. You can then click on specific vulnerabilities from that list to get even more detail:
Task 5: Document Findings
Enter the information gathered during your vulnerability discovery activities, including details about the targets, services running on the target hosts, and any other relevant findings in Section 3.2 of the Penetration Test Report.
Remember to insert your screenshots in the appropriate appendix in your Penetration Test Report. Also, don't forget to document specific findings from each task in the hands-on sections above.
Finally, answer the Reflection Questions below (insert your answers in the appendix after the screenshots in the Penetration Test Report):
1. How did active and passive reconnaissance results from Project 1 inform your understanding of the vulnerability discovery results?
2. Which of the tools used during this phase of the penetration test yields the most useful results for the next phase?
3. What information gathered during vulnerability discovery can be used to further the penetration test?
4. Is vulnerability scanning invasive or noninvasive?