IMPORSE CYBERSECURITY TRAINING PROGRAMME

FOR DIGITAL POLICING

ICTP DP – 002

ICTP DP – 001

NETWORK PENETRATION TESTING – EHT 200

Powered by Imporse Technologies x MTN

NETWORKS PENETRATION TESTING – EHT 200, NST 230.

Module Title: Network Scanning and Enumeration

Network scanning and enumeration are foundational steps in penetration testing, where the goal is
to discover and map out the structure, devices, and services running within a target network. Nmap,
a powerful network scanner, is a critical tool used for these tasks. This module provides detailed
content on techniques for network discovery and scanning using Nmap, along with advanced
scanning techniques.

Nmap and Advanced Scanning Techniques

Introduction to Nmap

Nmap (Network Mapper) is an open-source tool used for network discovery and security auditing.
It is widely recognized for its ability to quickly and efficiently scan large networks, identify hosts,
open ports, running services, and the operating systems in use.

Key Features of Nmap:

• Host discovery: Identifying live hosts on a network.

• Port scanning: Determining the state of ports (open, closed, or filtered).

• Service and version detection: Identifying services running on open ports and their
versions.

• OS detection: Determining the operating system of a host.

• Scripting: Using Nmap Scripting Engine (NSE) to automate tasks.

Basic Scanning Techniques

1. Ping Scan (Host Discovery):

o A ping scan is used to identify live hosts on a network without performing a full
port scan. It sends ICMP Echo requests to determine if the host is up.

All Rights Reserved, 2024 @ Imporse 1

1. Ping Scan (Host Discovery):

- A ping scan is used to identify live hosts on a network without performing a full port scan. It
sends ICMP Echo requests to determine if the host is up.

nmap -sn 192.168.1.0/24

- This command scans the entire subnet `192.168.1.0/24` to identify live hosts.

2. Port Scanning:

- TCP Connect Scan (-sT): Establishes a full TCP connection (3-way handshake) with each target
port. It is the most reliable but easily detectable.

nmap -sT 192.168.1.10

- SYN Scan (-sS): Also known as a half-open scan, it sends a SYN packet to initiate a connection,
but does not complete it. This is faster and stealthier.

nmap -sS 192.168.1.10

- UDP Scan (-sU): Used to identify open UDP ports. It is slower and less reliable than TCP scans
due to the stateless nature of UDP.

nmap -sU 192.168.1.10

3. Service Version Detection:

- Nmap can detect the versions of services running on open ports. This is crucial for identifying
vulnerable software versions.

nmap -sV 192.168.1.10

4. OS Detection:

- OS detection relies on analyzing the responses of various probes sent by Nmap. It helps in
identifying the operating system running on a target host.

nmap -O 192.168.1.10

All Rights Reserved, 2024 @ Imporse 2

Advanced Scanning Techniques

1. Stealth Scans:

- Fragmentation Scan (-f): Breaks the scan packets into smaller fragments to avoid detection by
some firewalls and intrusion detection systems (IDS).

nmap -f 192.168.1.10

- Idle Scan (-sI): Uses a third-party host as a zombie to send packets, making it difficult to trace
the scan back to the attacker.

nmap -sI zombie_host 192.168.1.10

2. Timing and Performance Optimization:

- Timing Templates (-T): Nmap allows adjusting the speed of scans with templates ranging from
`T0` (paranoid) to `T5` (insane). This is useful for balancing stealth and speed.

nmap -T4 192.168.1.10

- Parallel Scanning: Adjust the number of hosts and ports Nmap scans simultaneously using the
`--min-parallelism` and `--max-parallelism` options to optimize performance.

3. Evasion Techniques:

- Decoy Scan (-D): Sends scan packets from multiple IP addresses (decoys) to confuse the
target’s logging and make it difficult to identify the real attacker.

nmap -D RND:10 192.168.1.10

```

All Rights Reserved, 2024 @ Imporse 3

 - MAC Address Spoofing (--spoof-mac): Changes the MAC address of the scan packets to hide
the true identity of the scanning machine

nmap --spoof-mac 00:11:22:33:44:55 192.168.1.10

4. Nmap Scripting Engine (NSE):

- Introduction to NSE: The Nmap Scripting Engine allows users to write and execute custom
scripts to automate a wide range of tasks, such as vulnerability detection, network inventory, and
more.

-Example Scripts:

- Vulnerability Scanning:

nmap --script vuln 192.168.1.10

-Brute Force Login:

nmap --script ssh-brute 192.168.1.10

- Custom Scripts: Users can write custom NSE scripts in Lua to perform specific tasks tailored
to their penetration Testing needs.

Practical Applications

1. Live Host Discovery: Ethical hackers can use Nmap to map out active hosts within a target
network before conducting more detailed scans. This helps in planning attacks and identifying
potential entry points.

2. Service and Vulnerability Detection: Nmap’s version detection and NSE scripts enable ethical
hackers to identify outdated and vulnerable services running on target machines, making it easier
to prioritize attack vectors.

All Rights Reserved, 2024 @ Imporse 4

3. OS and Device Fingerprinting: By determining the operating system and network devices in
use, ethical hackers can tailor their attacks to exploit specific weaknesses inherent to those systems.

4. Bypassing Security Measures: Advanced Nmap techniques like decoy scans and MAC address
spoofing help ethical hackers bypass firewalls, IDS, and other security mechanisms, allowing for
deeper penetration into the network.

Identifying Live Hosts and Open Ports

Identifying live hosts and open ports is a crucial step in network penetration testing. This process
allows ethical hackers to discover which devices are active within a target network and what
services they are running, thereby helping to identify potential vulnerabilities. Various techniques
and tools can be employed to achieve this, with Nmap being one of the most widely used tools for
this purpose.

Understanding Host Discovery and Port Scanning

Host Discovery involves detecting active devices (hosts) within a network. Once these hosts are
identified, **Port Scanning** is used to determine which network services (ports) are open and
listening on these devices.

Techniques for Identifying Live Hosts

1. ICMP Echo Request (Ping Scan):

- The simplest method to identify live hosts is by sending an ICMP Echo Request (ping) to the
target. If the target responds with an Echo Reply, it indicates that the host is alive.

nmap -sn 192.168.1.0/24

- This command sends a ping to all IP addresses in the `192.168.1.0/24` subnet, identifying any
active hosts.

All Rights Reserved, 2024 @ Imporse 5

2. ARP Scan:

- An ARP (Address Resolution Protocol) scan is used on local networks to identify active hosts
by sending ARP requests to all IP addresses in the subnet.

nmap -PR 192.168.1.0/24

- This method is highly reliable within a local network, as ARP requests do not rely on ICMP,
which might be blocked by firewalls.

3. TCP SYN Ping:

- A TCP SYN ping scan sends a SYN packet to a target port (commonly port 80) to check if the
port is open. If the target responds with a SYN/ACK packet, the host is considered alive.

nmap -PS80 192.168.1.0/24

- This technique is effective when ICMP is blocked but TCP connections are allowed.

4. UDP Ping:

- A UDP ping scan sends a UDP packet to a specified port (often port 53, used by DNS) to check
for a response, indicating an active host.

nmap -PU53 192.168.1.0/24

- UDP ping is useful in networks where ICMP and TCP are restricted but UDP traffic is
permitted.

5. Comprehensive Ping Sweep:

- A comprehensive ping sweep involves using multiple methods (ICMP, ARP, TCP, UDP)
simultaneously to increase the likelihood of discovering live hosts.

nmap -PE -PS80 -PA443 192.168.1.0/24

- This command uses ICMP Echo, TCP SYN on port 80, and TCP ACK on port 443 to discover
hosts.

Techniques for Scanning Open Ports

All Rights Reserved, 2024 @ Imporse 6

1. TCP Connect Scan (-sT):

- This scan attempts to establish a full TCP connection with each target port by completing the
3-way handshake. It is reliable but can be easily detected by firewalls and intrusion detection
systems (IDS).

nmap -sT 192.168.1.10 - This scan will list all open ports on the target host `192.168.1.10`.

2. SYN Scan (-sS):

- A SYN scan is faster and stealthier than a TCP Connect scan. It sends a SYN packet and waits
for a SYN/ACK response to identify open ports without completing the TCP handshake, making
it less likely to be logged.

nmap -sS 192.168.1.10

- The result will display open ports on the host `192.168.1.10`.

3. UDP Scan (-sU):

- A UDP scan checks for open UDP ports by sending a UDP packet to each port and waiting for
a response. Since UDP is stateless, open ports often don’t respond, making this scan slower and
more challenging to interpret.

nmap -sU 192.168.1.10

- This will identify open UDP ports on the target host.

4. ACK Scan (-sA)

- An ACK scan is used to map out firewall rules by sending an ACK packet to a target port. Based
on the response, it can determine whether the port is filtered (by a firewall) or unfiltered.

nmap -sA 192.168.1.10

- This scan helps in understanding firewall configurations without necessarily identifying open
ports.

5. Xmas and FIN Scans (-sX and -sF)

All Rights Reserved, 2024 @ Imporse 7

 - These are stealthy scans that manipulate TCP flags (such as FIN, PSH, URG in Xmas scans) to
evade detection. They are useful for identifying open ports in firewalled networks.

nmap -sX 192.168.1.10 # Xmas Scan

nmap -sF 192.168.1.10 # FIN Scan

- These scans can reveal open ports on systems where standard scanning techniques might be
blocked.

Practical Applications

1. Reconnaissance: By identifying live hosts and open ports, ethical hackers can gather critical
information about the network's structure and the services running on it. This is often the first step
in a penetration test, setting the stage for further investigation and exploitation.

2. Target Identification: Open port information helps in pinpointing specific services that might be
vulnerable to attacks. For example, if a web server is identified with an open port 80, it can be
targeted with web application penetration testing techniques.

3. Firewall Evasion: Understanding which ports are open and how they are filtered enables ethical
hackers to craft strategies to bypass firewalls and other security mechanisms, gaining deeper access
to the network.

4. Vulnerability Assessment: Once live hosts and open ports are identified, ethical hackers can use
this information to run targeted vulnerability assessments, identifying weaknesses in the network
that could be exploited.

All Rights Reserved, 2024 @ Imporse 8

Network Mapping

Network mapping is a critical step in the process of network penetration testing, where ethical
hackers create visual representations of a network's structure. These maps help in identifying the
relationships between devices, the flow of data, and potential vulnerabilities within the network.
By understanding the layout of the network, ethical hackers can more effectively plan their attacks
and identify key targets that may be susceptible to exploitation.

Network Mapping involves gathering data about the network’s devices, connections, and services,
then using this data to create a visual map that represents the network’s infrastructure. This map is
a valuable tool for both defenders and attackers, as it provides a clear overview of how the network
is structured and where its weak points may lie.

Techniques for Network Mapping

1. Automated Network Mapping Tools:

- Nmap and Zenmap:

- Nmap is widely used for network discovery, but it can also be used to create basic network
maps. **Zenmap** is the graphical interface for Nmap, allowing for easy visualization of network
topologies.

nmap -A -T4 192.168.1.0/24

This command performs an aggressive scan on the network range `192.168.1.0/24`, gathering
detailed information about hosts, open ports, running services, and operating systems, which can
be used to build a network map.

- Zenmap: After performing a scan, Zenmap provides a topology view that displays the
network structure, including devices and connections.

- Microsoft Visio:

All Rights Reserved, 2024 @ Imporse 9

 - **Visio** is a diagramming tool that allows users to manually create detailed network maps
based on the data gathered during scans. It’s useful for creating customized and highly detailed
network diagrams that can be tailored to specific needs.

- SolarWinds Network Topology Mapper:

- SolarWinds offers a dedicated tool for network mapping that automatically discovers network
devices and creates visual maps. It’s particularly useful for larger networks where manual mapping
would be time-consuming.

2. Manual Network Mapping:

- Combining Scan Data:

- Ethical hackers often gather data from multiple sources (e.g., Nmap, Wireshark, ARP scans)
and manually piece together a network map. This method allows for greater control over the level
of detail and accuracy of the map.

- Example Workflow:

1. Nmap is used to scan the network for live hosts and open ports.

2. Wireshark captures network traffic to identify communication patterns and hidden devices.

3. ARP Scans provide information on the relationships between IP addresses and MAC
addresses.

4. Visi or similar tools are used to draw the network map based on the collected data.

3. Network Discovery and Topology Identification

-Network Scanning and Enumeration:

- Initial scans (like those performed with Nmap) identify live hosts, open ports, and services.
This data forms the foundation of the network map.

All Rights Reserved, 2024 @ Imporse 10

 - Enumeration techniques (like SNMP enumeration) can reveal details about the devices
themselves, such as operating systems, device types, and roles within the network.

-Topology Detection:

- Advanced Nmap scans (using options like `-A` for aggressive scanning or `-O` for OS
detection) provide information on the network’s topology, identifying how devices are connected
and the pathways data travels through.

4.Traceroute Analysis:

- Traceroute:

- Traceroute is a tool used to map the route that packets take from the source to the destination.
This helps in understanding the network’s topology by identifying the sequence of hops and the
devices involved in routing traffic.

traceroute 192.168.1.10

This command reveals the path taken to reach the target IP `192.168.1.10`, which can be used
to infer network structure.

- Nmap Traceroute:

- Nmap includes a built-in traceroute feature that can be combined with other scan data to map
out the network’s topology.

nmap --traceroute 192.168.1.1

Creating Network Maps

1. Data Collection:

- Begin by conducting comprehensive scans using tools like Nmap, which provide data on live
hosts, open ports, services, and the devices' operating systems.

All Rights Reserved, 2024 @ Imporse 11

 - Use traceroute to understand the path data takes through the network and identify key routing
devices.

2. Organizing Data:

- Compile the scan data into a coherent structure. Group devices based on their roles (e.g.,
servers, workstations, routers) and physical or logical locations within the network.

- Identify connections between devices, including which ports and services facilitate these
connections.

3.Visualizing the Network:

- Use tools like Zenmap, Visio, or SolarWinds to create a visual representation of the network.
Begin with the core infrastructure (e.g., routers, switches) and branch out to individual hosts and
devices.

- Highlight critical assets, such as servers or sensitive data repositories, and mark potential
vulnerabilities, such as open ports or outdated services.

4. Analyzing the Map:

- Once the network map is created, analyze it to identify potential vulnerabilities. Look for
unpatched devices, open ports that could be exploited, and weak points in the network’s defenses.

- Use the map to plan penetration tests, focusing on areas where an attacker could gain access to
critical systems or data.

All Rights Reserved, 2024 @ Imporse 12

Common Network Vulnerabilities

Network vulnerabilities are weaknesses or flaws in a system that can be exploited by attackers to
gain unauthorized access, disrupt services, or steal sensitive information. These vulnerabilities can
exist in various components of the network, such as hardware, software, configurations, and
protocols.

Categories of Network Vulnerabilities

1. Configuration Vulnerabilities:

o Default Configurations:

▪ Many network devices and software come with default settings that include
default passwords, open ports, and enabled services that are not required.
Attackers often exploit these defaults to gain unauthorized access.

o Misconfigured Firewalls and Access Controls:

▪ Improperly configured firewalls, routers, and access control lists (ACLs)

can allow unauthorized traffic into the network, leaving critical systems
exposed.

o Unnecessary Services:

▪ Running unnecessary services on network devices can increase the attack

surface. Attackers can exploit these services, particularly if they are
outdated or have known vulnerabilities.

2. Software Vulnerabilities:

o Unpatched Software:

▪ Failure to apply patches and updates to software, operating systems, and

applications leaves them vulnerable to known exploits. Attackers frequently
target unpatched systems with malware, ransomware, and other attacks.

o Buffer Overflows:

All Rights Reserved, 2024 @ Imporse 13

 ▪ A buffer overflow occurs when a program writes more data to a buffer than
it can hold, causing the program to overwrite adjacent memory. This
vulnerability can be exploited to execute arbitrary code, potentially leading
to full system compromise.

o Weak Encryption:

▪ Weak or outdated encryption protocols (e.g., WEP, DES) can be easily

broken by attackers, exposing sensitive data during transmission.

3. Protocol Vulnerabilities:

o Insecure Protocols:

▪ Protocols like FTP, Telnet, and HTTP transmit data in plaintext, making it
easy for attackers to intercept and read the data. These protocols should be
replaced with secure alternatives like SFTP, SSH, and HTTPS.

o Man-in-the-Middle (MITM) Attacks:

▪ MITM attacks occur when an attacker intercepts communication between

two parties and can alter or eavesdrop on the transmitted data.
Vulnerabilities in network protocols, such as ARP spoofing or DNS
poisoning, can facilitate MITM attacks.

o Denial of Service (DoS) Vulnerabilities:

▪ Certain protocols and services can be exploited to launch DoS or Distributed

Denial of Service (DDoS) attacks, overwhelming the target with traffic and
rendering it unavailable.

4. Authentication and Access Control Vulnerabilities:

o Weak Passwords:

▪ Weak or easily guessable passwords are a common vulnerability, often

exploited through brute-force attacks or password guessing techniques.
Implementing strong password policies is crucial to mitigate this risk.

All Rights Reserved, 2024 @ Imporse 14

 o Inadequate Multi-Factor Authentication (MFA):

▪ Relying solely on passwords without implementing MFA can leave systems

vulnerable to unauthorized access if passwords are compromised.

o Improper Privilege Management:

▪ Users with excessive or unnecessary privileges can pose a significant

security risk. Attackers who compromise such accounts can gain elevated
access to critical systems and data.

5. Network Device Vulnerabilities:

o Router and Switch Vulnerabilities:

▪ Routers and switches are critical network infrastructure components, and

their vulnerabilities can lead to serious security breaches. Issues such as
outdated firmware, weak SNMP community strings, and open management
interfaces can be exploited.

o Wireless Network Vulnerabilities:

▪ Wireless networks are often targeted due to vulnerabilities in encryption

protocols (e.g., WEP), weak passwords, and rogue access points. Attackers
can intercept wireless traffic or gain unauthorized access to the network.

o IoT Device Vulnerabilities:

▪ Internet of Things (IoT) devices often have minimal security features and
are susceptible to attacks. Vulnerabilities in IoT devices can be exploited to
gain access to the broader network.

Common Vulnerability Examples

1. CVE-2017-0144 (EternalBlue):

o Description:

All Rights Reserved, 2024 @ Imporse 15

 ▪ EternalBlue is a vulnerability in Microsoft’s SMB protocol that was
exploited by the WannaCry ransomware. It allowed attackers to execute
arbitrary code on affected systems.

o Impact:

▪ This vulnerability led to widespread infections, causing significant

disruption and financial loss.

2. CVE-2014-0160 (Heartbleed):

o Description:

▪ Heartbleed is a vulnerability in the OpenSSL cryptographic software library

that allowed attackers to read the memory of the systems protected by
vulnerable versions of OpenSSL.

o Impact:

▪ Sensitive data, including usernames, passwords, and private keys, could be

stolen, leading to severe security breaches.

3. CVE-2016-5195 (Dirty COW):

o Description:

▪ Dirty COW is a privilege escalation vulnerability in the Linux kernel that

allows attackers to gain write access to read-only memory, enabling them
to gain root access to the system.

o Impact:

▪ This vulnerability could be exploited to escalate privileges and gain control

over affected systems.

Identifying and Mitigating Network Vulnerabilities

1. Vulnerability Scanning:

All Rights Reserved, 2024 @ Imporse 16

 o Use automated vulnerability scanners (e.g., Nessus, OpenVAS) to identify potential
vulnerabilities in the network. These tools scan for known issues, such as missing
patches, misconfigurations, and outdated software.

2. Regular Patching and Updates:

o Ensure that all software, operating systems, and firmware are regularly updated
with the latest patches. This practice helps to close known vulnerabilities before
they can be exploited by attackers.

3. Security Configuration Management:

o Implement secure configuration baselines for all network devices, ensuring that
default settings are replaced with secure alternatives. Regularly review and update
these configurations to address new security challenges.

4. Strong Authentication and Access Controls:

o Enforce strong password policies, implement multi-factor authentication, and

regularly review user privileges to ensure that access is limited to what is necessary
for each user’s role.

5. Network Segmentation:

o Segment the network into smaller, isolated sections to limit the spread of an attack.
Sensitive systems should be placed in isolated segments with strict access controls.

6. Intrusion Detection and Prevention Systems (IDPS):

o Deploy IDPS solutions to monitor network traffic for suspicious activity and
respond to potential threats in real time. These systems can detect and block many
types of network-based attacks.

Practical Applications

1. Risk Assessment:

o Identifying common network vulnerabilities is essential for performing thorough

risk assessments. By understanding the potential weaknesses in a network, security

All Rights Reserved, 2024 @ Imporse 17

 professionals can prioritize remediation efforts and allocate resources more
effectively.

2. Penetration Testing:

o In penetration testing, knowledge of common vulnerabilities guides the testing

process. Ethical hackers use this knowledge to simulate attacks that exploit these
vulnerabilities, providing insights into the network’s security posture.

3. Security Awareness Training:

o Educating users and administrators about common vulnerabilities and how to avoid
them is a critical component of a comprehensive security strategy. Awareness
programs can reduce the likelihood of human error leading to a security breach.

All Rights Reserved, 2024 @ Imporse 18

Using Vulnerability Scanners (Nessus, OpenVAS): Automated Scanning Techniques

Introduction to Vulnerability Scanning

Vulnerability scanning is an essential part of network security, involving the use of automated tools
to identify potential weaknesses in systems, networks, and applications. Tools like Nessus and
OpenVAS are widely used by security professionals to perform these scans, providing detailed
reports on vulnerabilities that can be exploited by attackers. These tools streamline the process of
vulnerability management, enabling organizations to proactively address security risks.

Overview of Nessus

What is Nessus?

Nessus is a comprehensive vulnerability scanning tool developed by Tenable. It is designed to

detect a wide range of vulnerabilities, misconfigurations, and policy-violating practices across
various systems and network devices. Nessus is known for its extensive plugin library, which
allows it to perform detailed and up-to-date scans tailored to different environments and
technologies.

Key Features of Nessus

1. Comprehensive Scanning Capabilities:

o Nessus can scan for vulnerabilities across multiple platforms, including operating
systems, databases, applications, and network devices. It checks for common
vulnerabilities such as missing patches, misconfigurations, and known exploits.

2. Plugin Architecture:

o Nessus uses a modular plugin architecture, with thousands of plugins regularly

updated to cover the latest vulnerabilities and exploits. Each plugin is designed to
check for specific issues, making Nessus highly adaptable to different
environments.

3. Policy Compliance:

All Rights Reserved, 2024 @ Imporse 19

 o Nessus includes features for checking compliance with various security policies
and regulatory requirements. It can be used to enforce configuration baselines and
ensure that systems meet organizational security standards.

4. Detailed Reporting:

o The tool generates detailed reports that categorize vulnerabilities by severity,

providing clear guidance on remediation steps. Reports can be customized to suit
different audiences, such as technical teams or management.

5. Integration Capabilities:

o Nessus integrates with various security information and event management (SIEM)
systems, as well as other tools in the Tenable ecosystem, allowing for a more
comprehensive security management approach.

Overview of OpenVAS

What is OpenVAS?

OpenVAS (Open Vulnerability Assessment Scanner) is an open-source vulnerability scanning tool

that provides a free alternative to commercial scanners like Nessus. It is part of the Greenbone
Vulnerability Management (GVM) framework and is widely used in both commercial and non-
commercial environments for vulnerability management and security assessments.

Key Features of OpenVAS

1. Open-Source and Free:

o OpenVAS is open-source, making it accessible to a wide range of users without

licensing costs. It is ideal for organizations that need robust vulnerability scanning
capabilities but have limited budgets.

2. Extensive Vulnerability Database:

o OpenVAS includes a large vulnerability database, regularly updated with the latest
security checks. This database covers a broad spectrum of vulnerabilities across
different platforms and technologies.

All Rights Reserved, 2024 @ Imporse 20

 3. Customizable Scanning:

o Users can customize scan configurations and policies to suit specific needs, such as
targeting particular hosts, services, or compliance standards. This flexibility makes
OpenVAS suitable for various types of assessments.

4. Detailed Reporting and Risk Assessment:

o Like Nessus, OpenVAS generates detailed reports that categorize vulnerabilities by

severity. It also provides risk assessment scores, helping organizations prioritize
remediation efforts based on the potential impact of each vulnerability.

5. Integration with Other Tools:

o OpenVAS can be integrated with other tools within the Greenbone Security
Manager (GSM) framework, as well as external systems, to enhance vulnerability
management processes.

Setting Up Nessus and OpenVAS

Installing Nessus

1. Download and Installation:

o Nessus can be downloaded from the Tenable website. Installation is

straightforward, with versions available for various operating systems, including
Windows, Linux, and macOS.

2. Licensing:

o Nessus offers a free version (Nessus Essentials) for personal use, as well as
professional versions (Nessus Professional) with more advanced features and
support. Users need to register for a license key to activate the software.

3. Initial Configuration:

o After installation, users access Nessus through a web interface to complete the
initial setup. This includes creating an admin account, updating plugins, and
configuring scanning policies.

All Rights Reserved, 2024 @ Imporse 21

 4. Network Configuration:

o Ensure that Nessus has the necessary network access to perform scans. This may
involve configuring firewalls, opening specific ports, or setting up credentials for
authenticated scans.

Installing OpenVAS

1. Download and Installation:

o OpenVAS can be installed from the Greenbone website or through package

managers on Linux distributions. The installation process may require additional
setup for dependencies like PostgreSQL and Redis.

2. Setting Up GVM:

o OpenVAS is part of the Greenbone Vulnerability Management (GVM) framework,

so setting up OpenVAS involves installing and configuring the GVM components,
including the Greenbone Security Assistant (GSA) web interface.

3. Initial Configuration:

o After installation, users configure scan settings, including defining scan targets,
selecting scan profiles, and updating the vulnerability database.

4. Network Configuration:

o Like Nessus, OpenVAS requires proper network configuration to perform scans.

This may include setting up scanning credentials, configuring firewall rules, and
ensuring network reachability.

Using Nessus for Vulnerability Scanning

1. Creating a Scan Policy:

o In Nessus, scan policies define how a scan is conducted. Users can create custom
policies based on their specific needs, such as targeting specific vulnerabilities,
services, or compliance requirements.

All Rights Reserved, 2024 @ Imporse 22

 2. Launching a Scan:

o Once the policy is defined, users can launch a scan by selecting the target network
or hosts. Nessus performs the scan and identifies vulnerabilities, misconfigurations,
and other issues.

3. Interpreting Scan Results:

o Nessus categorizes vulnerabilities by severity (e.g., critical, high, medium, low) and
provides detailed information on each finding, including a description, potential
impact, and recommended remediation.

4. Generating Reports:

o After the scan is complete, Nessus allows users to generate reports in various
formats (PDF, HTML, CSV). These reports can be tailored to different audiences,
highlighting the most critical issues and suggesting remediation steps.

Using OpenVAS for Vulnerability Scanning

1. Defining a Scan Task:

o In OpenVAS, users create scan tasks that define what to scan and how to scan it.
Tasks include selecting target hosts, choosing scan profiles, and configuring scan
parameters.

2. Launching and Monitoring a Scan:

o Users can launch scans directly from the GSA web interface. OpenVAS provides
real-time feedback on scan progress, including logs and status updates.

3. Reviewing Scan Results:

o After the scan, OpenVAS presents the results, categorizing vulnerabilities by

severity and providing detailed descriptions, potential impacts, and remediation
suggestions.

4. Reporting and Analysis:

All Rights Reserved, 2024 @ Imporse 23

 o OpenVAS offers customizable reporting options, allowing users to generate reports
that focus on specific aspects of the scan. These reports can be used for internal
review, compliance checks, or presenting findings to stakeholders.

Best Practices for Vulnerability Scanning

1. Regular Scanning:

o Perform regular vulnerability scans to ensure that new vulnerabilities are identified
and addressed promptly. Automated scans can be scheduled to run at regular
intervals.

2. Authenticated Scans:

o Use authenticated scans whenever possible, as they provide deeper insights into
system vulnerabilities compared to unauthenticated scans. This requires
configuring credentials for the scanning tools.

3. Prioritizing Vulnerabilities:

o Focus on addressing high-severity vulnerabilities first, as they pose the most

significant risk to the network. Use the tools' risk assessment features to prioritize
remediation efforts.

4. Continuous Monitoring:

o Integrate vulnerability scanning with continuous monitoring tools to keep track of

changes in the network and respond to new threats as they emerge.

5. Regular Updates:

o Keep the vulnerability scanners and their databases updated to ensure that they can
detect the latest vulnerabilities and exploits.

Tools and Techniques for Manual Assessment

1. Command-Line Tools:

o Netcat, Nmap (Advanced Use):

All Rights Reserved, 2024 @ Imporse 24

 ▪ Use these tools for deeper exploration of network services, including banner
grabbing, manual packet crafting, and detailed service interrogation.

o Telnet, SSH, RDP:

▪ Manually interact with services using these protocols to check for default
credentials, weak authentication mechanisms, or exposed administrative
interfaces.

2. Web Application Testing Tools:

o Burp Suite, OWASP ZAP:

▪ Use these tools for manual testing of web applications, focusing on areas
where automated tools may not fully probe, such as multi-step forms, API
endpoints, and AJAX calls.

o Fiddler, Postman:

▪ Manually test API endpoints and HTTP requests to check for improper input
validation, insecure methods, and authentication flaws.

3. Source Code Review:

o Static Analysis:

▪ If access to the source code is available, manually review the code for
security issues such as hardcoded credentials, insecure functions, or
improper error handling.

o Dynamic Analysis:

▪ Combine static analysis with dynamic testing to understand how

vulnerabilities manifest in a live environment.

4. Custom Scripting:

o Python, Bash, PowerShell:

All Rights Reserved, 2024 @ Imporse 25

 ▪ Write custom scripts to automate specific manual checks or to exploit
identified vulnerabilities in ways that automated tools cannot.

5. Reverse Engineering:

o Binary Analysis:

▪ For applications or services where source code is not available, use reverse
engineering techniques to understand how binaries function and identify
potential vulnerabilities.

All Rights Reserved, 2024 @ Imporse 26

Module Title: Exploitation Techniques

Exploiting Network Services: Techniques for Exploiting Vulnerabilities in Network Services

Introduction to Exploiting Network Services

Exploiting network services is a core component of penetration testing, where the goal is to identify
and exploit vulnerabilities within services running on networked systems. Network services, such
as web servers, databases, file sharing, and more, often present attack surfaces that, if inadequately
secured, can be leveraged to gain unauthorized access, escalate privileges, or disrupt services.
Understanding how to exploit these vulnerabilities is essential for both offensive and defensive
security operations.

Understanding Network Services

1. Common Network Services:

o Web Servers: HTTP/HTTPS services, often running on ports 80/443, serve web
pages and APIs.

o File Sharing Services: SMB, FTP, NFS, and other protocols used for sharing files
across networks.

o Databases: Services like MySQL, MSSQL, and PostgreSQL, which store and
manage data.

o Remote Access Services: SSH, Telnet, RDP, and similar services used for remote
system management.

2. Vulnerability Types:

o Unpatched Software: Exploitable bugs in outdated software versions.

o Misconfigurations: Weak or default configurations that expose sensitive services.

o Default Credentials: Use of out-of-the-box credentials that attackers can easily

guess.

o Protocol Flaws: Inherent weaknesses in the protocols that can be exploited.

All Rights Reserved, 2024 @ Imporse 27

Exploitation Techniques

1. Service Identification and Version Detection:

o Banner Grabbing: Use tools like Netcat or Telnet to connect to a service and
extract version information from banners.

o Nmap Service Detection: Employ Nmap's service detection (-sV) to identify the
running services and their versions.

o Manual Inspection: Analyze the output from service scans to manually verify the
software versions and configurations.

2. Exploiting Known Vulnerabilities:

o CVE Exploitation:

▪ Identify known vulnerabilities (CVE) associated with the detected service

versions. Use public exploit databases like Exploit-DB to find relevant
exploits.

o Metasploit Framework:

▪ Leverage the Metasploit Framework to exploit known vulnerabilities in

network services. Select and configure the appropriate exploit module, set
the payload, and execute the attack.

o Custom Exploits:

▪ When a specific exploit does not exist, create custom scripts or modify
existing ones to exploit the vulnerability, particularly for zero-day
vulnerabilities or lesser-known bugs.

3. Brute Force and Credential Exploitation:

o Password Cracking:

▪ Use tools like Hydra or Medusa to perform brute-force attacks against

network services that require authentication, such as SSH, FTP, or RDP.

All Rights Reserved, 2024 @ Imporse 28

 o Default Credentials:

▪ Check for the presence of default credentials in network services. Often,

administrators leave default passwords unchanged, creating an easy entry
point.

o Credential Harvesting:

▪ Harvest credentials from network traffic using tools like Wireshark or

tcpdump if the service transmits information over unencrypted channels.

4. Service-Specific Exploitation:

o Web Server Exploits:

▪ Utilize web application vulnerabilities such as SQL Injection or Directory

Traversal to gain access to underlying services and data.

o Database Exploits:

▪ Attack databases directly using SQL Injection or exploiting weak

authentication mechanisms. Tools like SQLmap can automate these attacks.

o Remote Access Service Exploits:

▪ Exploit vulnerabilities in remote access services (e.g., SSH, Telnet) to gain

shell access. Known exploits for SSH can lead to privilege escalation.

5. Post-Exploitation Activities:

o Maintaining Access:

▪ After successfully exploiting a network service, establish a persistent

presence on the compromised system. Techniques include adding new user
accounts, modifying startup scripts, or deploying backdoors.

o Privilege Escalation:

All Rights Reserved, 2024 @ Imporse 29

 ▪ Use the foothold gained through service exploitation to escalate privileges
on the target system. This might involve exploiting local vulnerabilities or
misconfigurations.

o Lateral Movement:

▪ Once inside a network, move laterally to other systems by leveraging trust

relationships, shared credentials, or exploiting additional network services.

Tools and Techniques

1. Exploitation Frameworks:

o Metasploit: A versatile framework for developing and executing exploit code

against a target machine. It includes hundreds of pre-built exploits and payloads.

o Core Impact: A commercial penetration testing tool that offers automated and
manual exploitation capabilities.

o Cobalt Strike: Another commercial tool designed for advanced post-exploitation

tasks.

2. Custom Scripting:

o Python/Perl/Bash: Write custom scripts to automate specific attacks or to exploit

unique vulnerabilities that are not covered by existing tools.

3. Manual Techniques:

o Netcat for Manual Exploits: Use Netcat to create manual connections and exploit
vulnerabilities by sending crafted requests.

o Command Injection: If the service allows input that is executed as a command,

leverage this to inject commands manually.

Real-World Examples

1. Exploitation of Open SMB Shares:

All Rights Reserved, 2024 @ Imporse 30

 o Attacking improperly configured SMB shares to gain access to sensitive files or
escalate privileges.

2. Exploiting Unpatched Web Servers:

o Using known vulnerabilities in web server software (e.g., Apache, Nginx) to

execute remote code.

3. Remote Code Execution via SSH:

o Gaining shell access by exploiting weak SSH configurations or using exploits for
specific SSH vulnerabilities.

Man-in-the-Middle Attacks: Understanding and Executing MITM Attacks to Intercept

Communications

Introduction to Man-in-the-Middle (MITM) Attacks

A Man-in-the-Middle (MITM) attack is a type of cyber attack where an attacker secretly intercepts
and potentially alters the communication between two parties who believe they are directly
communicating with each other. This type of attack is particularly dangerous because it can be
used to steal sensitive information, inject malicious content, or manipulate communications
without the knowledge of the communicating parties.

Understanding the Mechanics of MITM Attacks

1. Basic Concept:

o In a MITM attack, the attacker positions themselves between the victim and the
intended communication partner, either by redirecting traffic or by exploiting
vulnerabilities in the communication channel. The attacker can then monitor,
capture, or alter the data being transmitted.

2. Common MITM Attack Scenarios:

o Unsecured Wi-Fi Networks: Public Wi-Fi networks are often targets for MITM
attacks because the traffic is usually unencrypted, making it easier for attackers to
intercept communications.

All Rights Reserved, 2024 @ Imporse 31

 o ARP Spoofing: Attackers send forged ARP (Address Resolution Protocol)
messages to a local network, associating their MAC address with the IP address of
another host, such as the gateway, enabling them to intercept traffic.

o DNS Spoofing: By corrupting a DNS server or injecting malicious DNS entries, an

attacker can redirect a victim's traffic to a fraudulent site without their knowledge.

3. Types of MITM Attacks:

o Passive MITM: The attacker simply monitors and records the communication
between two parties without altering it. This is often used for eavesdropping.

o Active MITM: The attacker not only intercepts but also modifies the
communication. This can include injecting malicious code, altering messages, or
redirecting traffic to malicious sites.

Executing MITM Attacks

1. Preparation:

o Setting Up the Attack Environment: Ensure you have a controlled environment,

such as a lab with virtual machines, where you can safely practice MITM attacks
without violating any legal or ethical boundaries.

o Tools: Familiarize yourself with the tools commonly used for MITM attacks, such
as Wireshark for packet capturing, Ettercap for ARP poisoning, and SSLstrip for
intercepting HTTPS traffic.

2. ARP Spoofing (Poisoning):

o Concept: ARP spoofing involves sending fake ARP responses to a target’s

machine, associating the attacker's MAC address with the IP address of a legitimate
host (e.g., the gateway). This tricks the victim’s machine into sending data meant
for the legitimate host to the attacker instead.

o Execution:

▪ Use tools like Ettercap, Bettercap, or arpspoof to perform ARP poisoning.

All Rights Reserved, 2024 @ Imporse 32

 ▪ After poisoning the ARP cache of the victim, the attacker can intercept and
manipulate the data flow between the victim and the network gateway.

3. DNS Spoofing:

o Concept: DNS spoofing involves altering the DNS responses to redirect the
victim’s traffic to a different IP address, usually to a malicious server controlled by
the attacker.

o Execution:

▪ Use tools like dnsspoof or manually inject forged DNS responses into the
network to redirect traffic.

▪ When the victim attempts to access a legitimate website, they are instead
directed to a malicious site without their knowledge.

4. SSL/TLS Stripping:

o Concept: SSL/TLS stripping downgrades a secure HTTPS connection to an

unencrypted HTTP connection, allowing the attacker to intercept sensitive
information, such as login credentials.

o Execution:

▪ Use SSLstrip to intercept and modify HTTPS traffic, forcing it to be

transmitted over HTTP instead.

▪ Monitor the victim's traffic and capture sensitive data that would normally
be encrypted.

5. Packet Sniffing:

o Concept: Packet sniffing involves capturing network traffic to analyze the data
being transmitted over the network. In the context of a MITM attack, packet
sniffing allows the attacker to capture sensitive information such as usernames,
passwords, and other private communications.

o Execution:

All Rights Reserved, 2024 @ Imporse 33

 ▪ Use tools like Wireshark or tcpdump to capture and analyze network traffic.

▪ Focus on protocols that transmit data in plaintext, such as HTTP, FTP, and
SMTP, to extract valuable information.

Defense Against MITM Attacks

1. Encryption:

o Always use encrypted connections (e.g., HTTPS, SSH) to ensure that even if traffic
is intercepted, it cannot be easily read or modified by the attacker.

2. VPNs (Virtual Private Networks):

o Use a VPN to create a secure tunnel for your data, making it much harder for
attackers to perform a successful MITM attack.

3. Strong Authentication:

o Implement strong, multi-factor authentication methods that are not easily

compromised, even if a MITM attack is underway.

4. Network Security Practices:

o Secure your network by configuring proper ARP defenses, such as using static ARP
entries or implementing dynamic ARP inspection (DAI) on your switches.

o Regularly monitor your network for unusual ARP activity, DNS anomalies, and
other signs of a MITM attack.

Tools for MITM Attacks

1. Ettercap:

o A comprehensive suite for MITM attacks on LAN. It features sniffing of live

connections, content filtering, and many other interesting tricks.

2. Wireshark:

o A powerful network protocol analyzer that captures and displays data traveling back
and forth on a network in real-time.

All Rights Reserved, 2024 @ Imporse 34

 3. SSLstrip:

o A tool that intercepts and silently downgrades HTTPS to HTTP, capturing data that
would normally be protected by SSL/TLS encryption.

4. Cain & Abel:

o A Windows-based tool that can be used for password recovery and MITM attacks.
It can perform ARP poisoning, sniffing, and other forms of network analysis.

Real-World Examples

1. Wi-Fi MITM Attack:

o An attacker sets up a rogue Wi-Fi access point in a public area and entices users to
connect to it. Once connected, the attacker can intercept all of the victim's internet
traffic, potentially capturing sensitive information.

2. Corporate Network Attack:

o An insider performs ARP spoofing on the corporate network to intercept emails,

access confidential documents, or capture login credentials for sensitive systems.

All Rights Reserved, 2024 @ Imporse 35

Exploit Development Basics: Fundamentals of Developing Custom Exploits for Network
Services

Introduction to Exploit Development

Exploit development is the process of creating code or techniques that leverage vulnerabilities in
software or network services to achieve unauthorized actions. This could involve gaining remote
access, escalating privileges, or extracting sensitive information from a target system.
Understanding the fundamentals of exploit development is crucial for ethical hackers and
penetration testers to simulate real-world attacks and assess the security posture of networks and
systems.

Understanding Vulnerabilities

1. What is a Vulnerability?

o A vulnerability is a flaw or weakness in software, hardware, or protocol that can be

exploited by an attacker to perform unauthorized actions within a system.
Vulnerabilities can arise from coding errors, misconfigurations, or the inherent
design of protocols and services.

2. Types of Vulnerabilities:

o Buffer Overflows: Occur when more data is written to a buffer than it can hold,
causing data to overwrite adjacent memory, potentially allowing arbitrary code
execution.

o Format String Vulnerabilities: Arise when user-controlled input is improperly

handled in formatted output functions, allowing attackers to read or write memory.

o Command Injection: Occurs when untrusted input is improperly sanitized,

allowing attackers to execute arbitrary commands on the host system.

o SQL Injection: Involves injecting malicious SQL queries through user input fields
to manipulate a database.

Setting Up the Development Environment

All Rights Reserved, 2024 @ Imporse 36

 1. Choosing the Right Tools:

o Development Environment: Set up a secure and isolated environment for exploit

development using virtual machines (VMs) with vulnerable software or services.

o Debugger: Use debuggers like GDB (GNU Debugger) or Immunity Debugger to

step through the code and analyze the behavior of the target application.

o Disassembler/Decompiler: Tools like IDA Pro or Ghidra are essential for

analyzing binary files and understanding how they function at a low level.

2. Understanding the Target:

o Analyze the target system or service to identify the operating system, architecture,
and software version. This information is critical for tailoring an exploit to the
specific environment.

Fundamentals of Exploit Development

1. Analyzing a Vulnerability:

o Finding the Vulnerability: Begin by identifying a known vulnerability or

discovering a new one through techniques like fuzzing, code review, or manual
testing.

o Understanding the Root Cause: Break down the vulnerability to understand how
it occurs, what conditions trigger it, and what the impact is.

2. Crafting the Exploit:

o Payload Design: The payload is the code that executes once the vulnerability is
exploited. This could be a reverse shell, a bind shell, or any custom code that
achieves the desired outcome.

o Constructing the Exploit: Write the code that will trigger the vulnerability,
incorporating the payload and ensuring it will execute as intended. This often
involves manipulating inputs or constructing data structures that overflow buffers
or corrupt memory.

All Rights Reserved, 2024 @ Imporse 37

 3. Testing and Debugging:

o Step-by-Step Execution: Use a debugger to execute the exploit in a controlled

environment. Step through the code to observe how the exploit interacts with the
vulnerable service.

o Troubleshooting: If the exploit fails, analyze the output and logs to determine
where the issue lies. It might involve adjusting offsets, modifying payloads, or
rethinking the attack vector.

4. Bypassing Protections:

o Address Space Layout Randomization (ASLR): ASLR randomizes memory

addresses, making it harder to predict where code will execute. Techniques like
return-oriented programming (ROP) can bypass ASLR.

o Data Execution Prevention (DEP): DEP prevents the execution of code in certain
regions of memory. To bypass DEP, attackers often use techniques like code reuse
attacks (e.g., ROP).

o Stack Canaries: Stack canaries are values placed on the stack to detect buffer
overflows. Exploit developers need to understand how to bypass or disable these
protections.

Developing Custom Exploits for Network Services

1. Targeting Specific Network Services:

o Identifying the Attack Surface: Focus on network services that listen on open
ports, such as web servers, FTP servers, or custom applications. Use network
scanning tools like Nmap to identify these services.

o Protocol Understanding: Thoroughly understand the protocol used by the target

service. This includes knowing how data is transmitted, what commands are
available, and how the service processes input.

2. Buffer Overflows in Network Services:

All Rights Reserved, 2024 @ Imporse 38

 o Crafting Input: Send specially crafted packets to the network service to trigger
buffer overflows. This might involve sending oversized requests or malformed
data.

o Controlling Execution Flow: Once a buffer overflow is triggered, manipulate the

execution flow to redirect it to your payload. This often involves overwriting return
addresses or function pointers.

3. Remote Code Execution:

o Creating Remote Exploits: Design an exploit that can be executed remotely,

sending the payload over the network to achieve code execution on the target
system.

o Handling Network Protocols: Ensure that your exploit handles the network
protocol correctly, maintaining the necessary handshake or session to execute the
attack successfully.

Real-World Exploit Development Examples

1. MS08-067 Windows Server Service Vulnerability:

o This vulnerability in the Windows Server service allowed remote code execution
by sending a specially crafted RPC request. Exploit developers crafted payloads
that exploited this vulnerability to execute arbitrary code on vulnerable Windows
machines.

2. Heartbleed (CVE-2014-0160):

o The Heartbleed vulnerability in OpenSSL allowed attackers to read memory from

the server by exploiting improper bounds checking in the heartbeat extension.
Developers created exploits to retrieve sensitive information like private keys and
session tokens.

3. EternalBlue (CVE-2017-0144):

All Rights Reserved, 2024 @ Imporse 39

 o EternalBlue exploited a vulnerability in the SMB protocol, allowing remote code
execution on unpatched Windows machines. The exploit was later used in the
WannaCry ransomware attack.

Ethical Considerations

1. Responsible Disclosure:

o Always report vulnerabilities to the affected vendors or responsible parties before

making them public. This allows for patches or mitigations to be developed and
deployed, reducing the risk of widespread exploitation.

2. Legal Compliance:

o Ensure that your exploit development activities comply with local and international
laws. Unauthorized exploitation of vulnerabilities can lead to legal consequences,
even if done with good intentions.

All Rights Reserved, 2024 @ Imporse 40