Ethical Hacking and Penetrate Testing using Kali and Metasploit Framework
International Journal of Innovation in Computational Science and Engineering Volume-2 Issue-1, pp:09-22
ISSN: 2708-3128 May-2021
IJICSE@2021 9
Abstract
The need to ensure confidentiality has expanded
exponentially with the increase of recent Internet usage.
For users and enterprises, the reliability and accessibility
of their networks have become critical, and the
development of secure infrastructure to protect user
identity and privacy information is crucial. Internet
development and popularity have generated many issues
such as cyber theft, hacking, phishing, spamming and many
more. Individuals and companies have migrated their data
to a cloud architecture that poses new data protection
issues and threats. According to the Cybersecurity Ventures
survey, cybercrime exposure could cost 6 trillion dollars a
year worldwide by the end of 2021. Ethical Hacking
enables consumers and companies to investigate the
vulnerability in their infrastructure and of their network to
take appropriate steps to secure their networks and systems
from illegal and malicious attacks. It further protects
networks and processes by recognizing common
vulnerabilities and enabling them to take appropriate
safeguards. In the research paper, we have discussed the
Ethical Hacking and Penetrate Testing process and
practical experiments to brief fresh researchers and
students on the deployment and use of the Metasploit
framework as a student-centred learning approach. We
have performed both server-side and client-side
exploitations to understand the process. We have used the Kali Linux Operating System (OS) tool to complete this ethical hacking and penetration testing. In the end, we have proposed mitigation measures and security enhancements to resist hacking attacks.
1. Introduction
Cybercrimes against Internet users are increasing exponentially. Recent attacks that exploit network flaws and vulnerability loopholes have become serious issues for end-users and businesses. Data privacy and network safety of Internet users have become critical fields of distress. Network security scientists and engineers focus on developing robust architectures and solutions to secure networks, platforms, and software from illegitimate hacking. Even in this developed era, current security infrastructure offers only some degree of protection; therefore, the fundamental safety directives must be understood by businesses and individuals to resist these assaults.
The Internet has been a requirement in every field of life
due to its usability. As an Internet user carries out an
operation, it increases the chance of criminals using
personal data in identity fraud. The company and the client
should ensure that these events do not arise often and that
their networks are secure. The websites and systems contain
sensitive information such as financial records, users’
details, and other confidential information protected with
suitable policies. When designing a secure network
infrastructure, three criteria must be considered:
confidentiality, integrity, and availability [1].
Attackers have several ways to exploit any network and obtain private information. Hacking a web portal or device may bring down the network and interrupt the application services. The appropriate network firewall, protection protocols and equipment must also be enforced and tracked carefully.
Many firms, such as Google, Banking and Microsoft, are encouraging Ethical Hacking to address their network flaws and offer ethical hackers big prize money. In addition, many network consultants are available to analyze the network flaws of organizations and provide them with best practices and recommendations for improved network and asset protection.
Kali Linux is a reliable tool that can be used to examine networks, systems, and application vulnerabilities [2]. This paper has used Kali to perform Metasploit-related experiments on a preconfigured network and procedures as part of Ethical Hacking to exploit their vulnerabilities.

Ethical Hacking and Penetrate Testing using Kali and Metasploit Framework
Mujahid Tabassum, Department of IT, University of Technology and Applied Sciences, Muscat, Oman, [email protected]
Tripti Sharma, Department of IT, University of Technology and Applied Sciences, Muscat, Oman, [email protected]
Saju Mohanan, Department of IT, University of Technology and Applied Sciences, Muscat, Oman, [email protected]

The Metasploit framework is open-source software that provides the infrastructure and tools to perform a
penetration test and security auditing. It exploits
vulnerabilities in networks, operating systems, and
applications and generates new exploits for new or
unknown vulnerabilities. Metasploit offers many features
such as information gathering, vulnerabilities scanning,
exploit development, client-side attack etc.
These experiments were performed as part of student-centred learning without gaining any monetary benefit or exploiting any organization. We have demonstrated the usability and reliability of these hacking tools through such assaults for students' and companies' learning purposes. Ultimately, we have recommended that users defend their networks and take reasonable steps to prevent these attacks.
2. Literature Review
In the following article [3], the author illustrates Cross-Site Scripting assaults on banking websites and proposes the necessary mitigation strategy. Online systems are popular for Digital Banking transactions. Online applications use JavaScript to enable complex client-side activity on web pages, which can expose browsers and servers to attack. A sandboxing mechanism protects the user's environment from malicious JavaScript code by restricting a script's access to resources associated with its originating site. Such safeguards are unfortunately useless if a user can be made to load malicious JavaScript code from a trusted site, since that gives the malicious script complete access to all resources belonging to the trusted site, e.g., authentication tokens and cookies. Such attacks are classified as cross-site scripting (XSS) attacks. XSS assaults are generally fast but hard to spot and prevent. One explanation is that HTML encoding schemes offer attackers several possibilities to bypass server-side input filters and insert malicious scripts into trustworthy pages. Developing a client-side approach is therefore sufficient, but identifying malicious activity in JavaScript programs is hard. Therefore, the author suggested Noxes, a web proxy-based client-side tool, to mitigate cross-site scripting assaults. Noxes is a browser proxy that utilizes manual and automatic rules to prevent cross-site scripting. The solution has certain drawbacks, requiring several manual configurations and lacking SSL support.
XML-based SOAP is a widely used web-application technology that allows users to perform various remote operations and data transport. It is incorporated into service architectures, cloud interfaces, management, and federated identity-based eGovernment programs. The widespread use of this technology has resulted in the emergence of numerous, sometimes complex, extension specifications. It coincided with an increase in the number of Web Services-related attacks, which range from straightforward denial of service attacks to attacks on cloud-based interfaces that compromise or decrypt confidential communications. The authors of the following paper [4] evaluate the protection of such systems by conducting Penetrate Testing and designing their own Penetrate Testing tool, called WS-Attacker.
Numerous businesses have expanded their popularity as the Internet has grown by shifting their marketing strategies to digital marketing. They use web services to share massive amounts of knowledge to promote themselves across businesses, manufacturers, retailers, and consumers. These websites store user credentials, financial and payment reports, company figures, and other relevant details. Databases are a source of secure and easily accessible information. Such websites are constantly attacked by fraudulent users motivated by financial gain. SQL injection and XSS are the most often employed application-layer assault tactics for attackers to control or disable material on websites and applications by inputting malicious command strings. In recent years, Structured Query Language Injection Attacks (SQLIA) also ranked first on the Open Web Application Security Project's (OWASP) top ten vulnerabilities chart, resulting in substantial attacks on numerous websites. The author explored various structured query language injections, cross-site scripting assaults, bugs, and protection strategies in this article. However, this research paper [5] relied on content interpretation and a survey rather than an experimental method.
Nowadays, Internet use is immense and increases day by day. Websites are employed in nearly all areas of employment, and people are growing more and more dependent on them. With rising Internet reliance, the demand for information protection has increased, since most jobs, e-commerce, texting, bill paying, etc., depend on the Internet. Therefore, information security is critical for any website and system. For every organization, institution and the finance industry, specific safety concerns are considerable. This challenge is especially acute in finance, not just because of the related financial resources but also because of the customers' confidential information and companies' and clients' private data. Once an attacker hacks these systems, they can misuse the information for various purposes. To assess network protection, various companies perform penetration tests to identify bugs in their web apps and attacking behavior. This paper [6] focuses on protection in web applications. A methodology was developed to assess bugs in this proposed study. This framework has the same operating module as a forum for financial institutions. After penetration testing, a framework can be built around the discovered flaws, which can offer more protection for websites like this. The developed methodology can be used to assess insecurity in many organizations and companies.
Another paper [7] focuses on exploring and reviewing the VAPT process life cycle and VAPT vulnerability detection tools in the framework. They emphasize its value at different organizational levels in updating security mechanisms to protect against various cyber-attacks. In today's world, organizations and institutions, with their networks and data, face rising vulnerabilities and are in a complicated position. It is always better to detect and recognize those vulnerabilities before an intruder uses them. Thus, vulnerability evaluation and penetration evaluation techniques help decide whether the security device configurations function correctly or help correct the protection deficiencies.
A student-centred experiment was done as part of the Ethical Hacking training in this article [8]. Hands-on training and a comprehensive understanding of ethical hacking have become essential for computer security students. However, few studies show extensive realistic knowledge of ethical hacking and penetration testing in an enclosed lab, due to restricted budgets and the availability of certain facilities. In this article, the author presented VIBRANT as a virtual cloud-based laboratory framework for Ethical Hacking. It is used to enhance cryptography education and to teach students in universities. The software is only used by students from LJMU and is not available to other people.
The following paper [9] addresses topics relating to ethical hacking and information systems security. When discussing information network security, confidentiality, integrity, and availability are the three core characteristics of a system. There are several approaches for identifying existing threats in order to protect systems and enhance security measures. One is Kali Linux, with its robust integrated capabilities that are particularly suitable for carrying out such forms of attack. In this paper, the author presents a series of choices for using client- and server-side resources in Kali OS. They speak mainly about the advantages of Kali, which provides a range of hacking methods and a free framework for finding device vulnerabilities.
We have reviewed many research papers in which researchers discussed different hacking techniques. However, there is a shortage of good hacking papers which describe the detailed process of Metasploit attacks, including server-side and client-side examples together, for fresh Ethical Hacking users. In this study, we have used Kali to perform Metasploit-related experiments on a preconfigured network and systems as part of Ethical Hacking to exploit their vulnerabilities. Metasploit provides the infrastructure and tools for the user to perform a penetration test and security auditing. We have exploited vulnerabilities of a preconfigured network, operating system, and application to generate new exploits for those vulnerabilities and access the systems without permission. We have used the Metasploit framework for information gathering, vulnerability scanning, exploit development, client-side attack etc. In the end, we have suggested some proposals for end-users to defend their networks and to take adequate steps to prevent these attacks.
3. Ethical Hacking
As businesses and individuals use many online services and depend on the Internet, hackers find more avenues and openings to access sensitive data through web apps and online networks. The need to safeguard web apps and networks against the growing number of hackers, and the demand from consumers to stop such criminal attacks on their systems, is therefore increasing. Ethical hackers have been able to solve these fundamental issues. Ethical hacking involves the identification and correction of device flaws and vulnerabilities. It can also be defined as hacking without a harmful or destructive aim toward a network. Ethical hacking may also be described as a safety evaluation, training, or environment protection review for information technology. This method demonstrates the risks faced by an IT environment and the steps to minimize those risks. Furthermore, these techniques are also known as Penetration Hacking, Red Teaming, or Intrusion Testing [1, 10, 11].
Ethical hackers are those who work on a security framework and check for the bugs a malicious hacker might use to exploit the networks. They use their experience and skills to make the cyber environment safer for owners and consumers alike. Ethical hacking is essential to secure the infrastructure from harm caused by hackers. The primary purpose behind the ethical hacking service is to assess and report to the owner on the safety of the targeted systems and networks.
Ethical hacking is performed along with penetration test techniques to evaluate the security loopholes. There are many techniques used to hack information, such as Information gathering, Vulnerability scanning, Exploitation, and Test Analysis.
Ethical hacking involves automated methods; the hacking process without automated software is inefficient and time-consuming. There are several tools and ways that can be used for ethical hacking and penetration testing. NMAP is a standard automated tool for port scanning and service discovery in hacking environments. Nessus is another commonly used hacking application.
Metasploit consists of a directory containing a list of accessible vulnerabilities, is simple to use, and is one of the best penetration test tools. The Metasploit Framework is open-source software on which its commercial products are built. It provides the infrastructure and tools for the user to perform a penetration test and security auditing. The Metasploit framework eases the effort to exploit vulnerabilities in networks, operating systems and applications and to generate new exploits for new or unknown vulnerabilities. Metasploit offers many features such as information gathering, vulnerability scanning, exploit development, client-side attack etc. [12, 13].
4. Penetrate Testing
The penetration test is one of the standard means of assessing security posture in the face of increasing safety threats. It is also known as Pentest. A Pentest is a controlled effort to penetrate a system or network to identify vulnerabilities. It is an approved simulated cyber assault conducted on a network to evaluate device security. A Pentest employs tactics identical to those hackers usually use when attacking. This mechanism requires adequate steps to be taken before unauthorized individuals can explore vulnerabilities. These checks are carried out to examine several of the bugs, including the possibility for unauthorized parties to gain access to the software and the application's data.
The penetration test is used to identify exploitation and weakness in the enterprise's network and allows developers to build safe and effective systems. Businesses and individuals must secure their systems and information from external or internal attackers and constantly monitor the security loopholes. The test results are regarded as private and confidential because they reveal both system problems and how they can be utilized. A Pentest can be accomplished by attacking the system as an external threat would, figuring out what can be achieved, and using a series of chained attacks to reach the targeted system [13, 14].
5. Ethical Hacking and Penetrate Testing Model
An ethical hacker is a white hat hacker who exploits for a legitimate cause, for example, to protect organizational networks. They have legal rights to enter and exploit organization networks to find out vulnerabilities. They use various tools to scan open ports and find website loopholes and bugs through a proper mechanism to attack the system. To perform Ethical Hacking, they need five steps [12, 13]:
Reconnaissance
Scanning and Enumeration
Gaining Access
Maintaining Access
Clearing Tracks
Figure 1: Ethical Hacking & Penetrate Testing Procedure
5.1. Reconnaissance
Reconnaissance is an essential method used for penetration testing and the origin of several privacy infringements. The method includes gathering information about a targeted system to find bugs and weaknesses. In the first step, the hacker obtains detailed information about security measures on the targeted network. This phase is known as Footprinting or information gathering. Footprinting is completed with the following objectives [11, 13]:
Get full system knowledge to reduce the attack area.
Understand the details of the security structure.
Draw up an information database for the attack.
Develop or create a network map.
Reconnaissance is a collection of strategies and procedures used to identify targeted device security flaws without user knowledge and use these flaws to enter the system. This information covers three parameters: the Network, the Host, and the people involved. The attacker acts as a detective and collects as many details of the targeted system as possible to understand it. This process involves examining email lists, identifying open-source and access points, operating system fingerprinting, revealing running services on ports, and mapping related information. Their purpose is to understand the system better than internal people. They analyze vulnerabilities and utilize every flaw to gain an advantage.
Reconnaissance can be divided into two phases, Active and Passive [12].
Passive: In this process, hackers try to gather the targeted system's information without directly involving or communicating with the system. They use public sources such as search engines, OSINT, Shodan, Whois Lookup, social media, Social Engineering, and related tools. Network sniffing also comes under the passive phase, in which a hacker gains IP addresses, naming conventions, servers, networks, and services information of the targeted system. It is a routine process that can reveal a massive amount of critical information on a targeted system.
Active: In this process, hackers are directly involved with the targeted system to gain related information. However, this is a risky task and could be detected by network security devices. It needs professional expert knowledge and experience. If security barriers detect the hacker, the network administrator could attack back to identify and trap them. Several applications can be used for this purpose, such as NMAP, Tracert, Ping, ZemMAP, NSlookup, etc.
5.2. Gaining Access
In the 3rd phase, once an attacker has completed the reconnaissance phase and collected all vulnerability information, he will enter a targeted system using various techniques, by cracking the security password or bypassing security barriers. In this phase, he gains access to the targeted system; in the next step, he needs to escalate his privilege to the administrator level to control the applications and services for data manipulation. A hacker could use several methods for password cracking [12, 15]:
Bruteforce: The hacker uses the primary method of trying all possible combinations until the password is successfully cracked.
Dictionary Attack: In this method, the hacker tries combinations of dictionary words to crack the passwords.
Rule-based Attack: In this method, the hacker uses necessary known information to retrieve detailed information and break security barriers.
Rainbow Table: In this method, the hacker takes a hash value of the password and compares it with a list of pre-computed hash values to crack the password. This is a better method than using Bruteforce or Dictionary attacks.
Passive Online Attack: In this method, the hacker does not change the state of the targeted system; instead, they try to monitor or capture data in transit to obtain the transmitted data. Wire Sniffing, Man in the Middle, and Replay Attacks are examples.
Active Online Attack: This is the most common way to gain unauthorized administrator access to a targeted system, using password guessing, Trojans, spyware, keyloggers, hash injection, or phishing methods.
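To show why the rainbow-table method above works against plain password hashes, and why a defender's per-user random salt plus a slow key-derivation function defeats it, here is an added Python example (not code from the paper); the wordlist and salts are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample wordlist standing in for a dictionary / rainbow-table input.
# Real precomputed tables cover billions of candidates; the mechanism is the same.
SAMPLE_WORDLIST = ["password", "password123", "letmein", "qwerty", "summer2021"]


def build_precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute unsalted SHA-256 digests once; cracking is then a dictionary lookup."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(table: Dict[str, str], digest: str) -> Optional[str]:
    """Rainbow-table style attack: compare a leaked hash against the precomputed hashes."""
    return table.get(digest)


def hash_password_salted(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Defender's mitigation: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256),
    so one precomputed table cannot be reused across users and each guess is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password: str, salt: bytes, stored: bytes, iterations: int = 100_000) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(hash_password_salted(password, salt, iterations), stored)


def demo():
    table = build_precomputed_table(SAMPLE_WORDLIST)
    # Unsalted storage: one precomputed table cracks every user with a common password.
    leaked = hashlib.sha256(b"password123").hexdigest()
    cracked = lookup_unsalted(table, leaked)
    # Salted storage: the same password hashes differently for every user, so the
    # table built without that salt never matches, while legitimate login still works.
    salt = os.urandom(16)
    stored = hash_password_salted("password123", salt)
    salted_hit = lookup_unsalted(table, stored.hex())
    return cracked, salted_hit, verify_salted("password123", salt, stored)


if __name__ == "__main__":
    print(demo())  # ('password123', None, True)
```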
5.3. Maintaining Access
In the following step, the attacker needs to maintain access to or control of the victim system to perform illegal activities. Once he has gained access, he can exploit the system, steal private information, manipulate resources/data, or destroy the system. His main goal is to keep a low profile to retain control and hide from the administrator until finishing his job. If an attacker has reached this point, the organizational assets and prestige may be in great danger. Hackers use Rootkits to gain access at the OS level and Trojan Horses to gain access at the application level. Furthermore, they use Trojan Horses to retrieve and transfer the user's personal information such as usernames, passwords, credit cards, and other related data [13].
5.4. Clearing Tracks
After gaining the required information or exploiting the system, the attacker's main job is to clear his footprint and delete all information related to his identity. To complete this job, he will destroy evidence of his presence on the targeted system or network. This process is known as clearing tracks. In this step, an attacker will perform the following things [53]:
Disable Auditing: Removing audit information is a smart move because no traces can be discovered while monitoring is switched off. On a Windows system, hackers may use the “Auditpol” command to remove the auditing and to check the logging policy established by the system administrator.
Clearing Logs: Logs maintain the trace of proof of the intrusion. Clearing logs is an excellent move for a hacker to remove his presence. On a Windows system, they can run Clearlog.exe to perform this task, whereas they need to run the Shred tool to achieve the same job on a Linux system.
Modifying Logs: In some cases, it is easy to alter the logs using a text editor to delete the history.
Erasing Command History: On a Linux system, the bash application keeps a record of all executed commands. Therefore, it is essential for the attacker to remove the command history. It can be done using the Shred application.
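The actions listed above leave traces of their own: on Windows, a cleared Security log is itself recorded as Event ID 1102, an audit policy change as Event ID 4719, and the launch of auditpol.exe as a process-creation event 4688. The following added Python example (not code from the paper) runs a simple detector over a constructed CSV export of such events; the CSV field layout is an assumption.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Tuple

# Windows Security event IDs that record track-clearing activity.
AUDIT_LOG_CLEARED = 1102      # "The audit log was cleared"
AUDIT_POLICY_CHANGED = 4719   # "System audit policy was changed"
PROCESS_CREATED = 4688        # "A new process has been created"
AUDIT_TOOLS = ("auditpol.exe",)

# Constructed sample export (timestamp,host,event_id,user,message); not real telemetry.
SAMPLE_EVENTS = """\
timestamp,host,event_id,user,message
2021-05-10T09:12:01Z,WS-07,4624,jdoe,An account was successfully logged on
2021-05-10T09:13:44Z,WS-07,4688,jdoe,A new process has been created. New Process Name: C:\\Windows\\System32\\auditpol.exe
2021-05-10T09:14:02Z,WS-07,4719,jdoe,System audit policy was changed
2021-05-10T09:15:30Z,WS-07,1102,jdoe,The audit log was cleared
2021-05-10T09:16:12Z,WS-07,4688,jdoe,A new process has been created. New Process Name: C:\\Windows\\System32\\notepad.exe
"""


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    reason: str


def classify(event_id: int, message: str) -> str:
    """Return a reason string for a track-clearing indicator, or '' if the event is benign."""
    if event_id == AUDIT_LOG_CLEARED:
        return "security log cleared (1102)"
    if event_id == AUDIT_POLICY_CHANGED:
        return "audit policy changed (4719)"
    if event_id == PROCESS_CREATED and any(t in message.lower() for t in AUDIT_TOOLS):
        return "audit policy tool executed (4688)"
    return ""


def detect_track_clearing(csv_text: str) -> List[Alert]:
    """Scan an exported event list and raise one alert per indicator, in log order."""
    alerts: List[Alert] = []
    for row in csv.DictReader(StringIO(csv_text)):
        reason = classify(int(row["event_id"]), row["message"])
        if reason:
            alerts.append(Alert(row["timestamp"], row["host"], row["user"], reason))
    return alerts


def cluster_by_actor(alerts: List[Alert]) -> Dict[Tuple[str, str], int]:
    """Count alerts per (host, user): several indicators in a row from one actor is far
    more significant than an isolated audit policy change made by an administrator."""
    counts: Dict[Tuple[str, str], int] = {}
    for a in alerts:
        counts[(a.host, a.user)] = counts.get((a.host, a.user), 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect_track_clearing(SAMPLE_EVENTS):
        print(a.timestamp, a.host, a.user, a.reason)
    # Event 1102 is written after the log is wiped, so the evidence that preceded it
    # survives only if events were forwarded to a remote collector before the clear.
```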
Stage | Tool | Platform / Type | Purpose
Reconnaissance - Passive Tools | Wireshark | Works on Windows OS and Linux OS | Network Traffic Analyser
Reconnaissance - Passive Tools | Google | Works on Windows OS and Linux OS | Gives basic information about a website
Reconnaissance - Passive Tools | FindSubDomains.com | | To find out website identity
Reconnaissance - Passive Tools | VirusTotal | Analysis of potentially malicious files | Behavioural Analyser
Reconnaissance - Passive Tools | Shodan | IoT-based Search Engine | Assists in finding device IP addresses
Reconnaissance - Passive Tools | OSINT | | Monitor relevant information contained on social media
Reconnaissance - Active Tools | NMAP | Network Scanner | Find system services and application-related information
Reconnaissance - Active Tools | Nessus | Vulnerability Scanner |
Reconnaissance - Active Tools | OpenVAS | Vulnerability Scanner |
Reconnaissance - Active Tools | Nikto | Web Server Vulnerability Scanner |
Reconnaissance - Active Tools | Metasploit | Exploitation Toolkit |
Reconnaissance - Active Tools | NSLookup | | Used to obtain information regarding DNS
Reconnaissance - Active Tools | ZemMap | | Used for network diagnostics
Reconnaissance - Active Tools | Ping | | To find out local computer IP address and connectivity
Gaining Access | John The Ripper | Runs on Windows and Linux OS | Password Cracking Tool
Gaining Access | Aircrack | | Wireless Password Cracking Tool
Gaining Access | Fluxion | Social Engineering Tool | Used to get WiFi password using keystrokes
Gaining Access | Cain & Abel | Runs on Windows OS | Tool to crack passwords
Gaining Access | Metasploit | Penetration Testing Software / Cyber Security Framework | Used for Penetrate Testing
Maintaining Access | Beast | Runs on Windows OS | Trojan Horse used to create backdoors
Maintaining Access | OSForensics | Runs on Windows OS | Forensic tool used to delete log files and registry files
Clearing Tracks | Shred | Runs on Linux | Used to clear Bash command history and logs
Table 1: Ethical Hacking Tool and Apps [12, 16]
6. Methodology
We have created a dummy environment in which we act as ethical hackers who exploit the system to get confidential information from a company. We planned to perform the attack on a dummy company to steal confidential information. To obtain that information, we have used server- and client-side exploitation. First, we gathered the company network infrastructure and internal information. All staff computers are running the Windows 7 Operating System with Microsoft Security Essentials antivirus. Their network security contains a hardware firewall to filter out unauthorized packets from entering their network. Furthermore, most of the staff phones run the Android Operating System. Inside the company, the staff use “Skype for Business” to communicate with each other and for video conferencing between different branches. We planned to use Metasploit to create a payload to access the company laptops and mobile phones. The client-side exploit is used for direct access into the targeted company infrastructure, using a phishing email to send the exploit to the appropriate staff working in the company. If the company staff do not fall for the phishing email exploit, we planned a backup plan of using the server-side exploit. For this purpose, we must enter the company network to launch the exploit. Therefore, this plan required more careful planning of how to access the company network from the inside. On the other hand, the server-side exploit will be able to access a company computer without the user executing a file to run the exploit, so this method will not leave any evidence of the user opening an infected file. To assist in gaining confidential information of the company, we used an exploit to access the company staff's mobile devices to extract information that might be useful.
6.1. Metasploit
The Metasploit Framework is open-source software on which its commercial products are built. It provides the infrastructure and tools for the user to perform a penetration test and security auditing. The Metasploit framework eases the effort to exploit vulnerabilities in networks, operating systems and applications and to generate new exploits for new or unknown vulnerabilities. Metasploit offers many features such as information gathering, vulnerability scanning, exploit development, client-side attack etc. [17].
6.2. Basic Concept of Metasploit
Workspace: A workspace is a container that holds the data, reports, targets, and tasks that the user needs for the penetration test. All penetration actions must be done inside a workspace in the Metasploit framework.
Module: Most actions performed in Metasploit require the use of a module. A module is a piece of code that extends the functionality of the Metasploit framework.
Discovery scan: A scan performed by Metasploit to enumerate and fingerprint targets.
Exploit: An exploit is a program that takes advantage of a specific vulnerability, delivers a payload to the target, and provides the attacker access to the targeted system.
Meterpreter: Meterpreter is a multi-function payload that provides an interactive shell. It runs in memory, so intrusion detection systems do not easily detect it.
Payload: A payload is shellcode that executes on the target's system after an exploit successfully compromises the system. Bind shell payload and reverse shell payload are the two options that define how you want to connect to the shell.
Vulnerability: A security flaw or weakness that allows the attacker to compromise a target.
Listener: A listener waits for an incoming connection message from the other end of the connection and manages the connection when the message is received [18, 19].
6.3. Functionality of Metasploit
Reconnaissance is the process of gathering information to understand a network better and create a list of target IP addresses. A discovery scan identifies the operating systems running on the network, maps those systems to IP addresses, and enumerates the open ports on those systems. In the default settings, a discovery scan includes a UDP scan that sends UDP probes to the most commonly used ports, such as DNS, DHCP, and SNMP. It can also use Nmap to perform basic TCP port scanning, and additional scanner modules are also executed to obtain more information about the target host [17, 18, 19].
6.4. Four Phases of the Discovery Scan
Ping scan: The ping scan is the first phase of the discovery
scan. Nmap performs a standard ICMP ping sweep to
determine which hosts are online; if a host returns an echo reply,
the discovery scan includes it in the port scan.
Port scan: During the second phase, Nmap sends probes to the
ports of each live host and classifies the responses to
determine the state of each port (open, closed or filtered).
OS and version detection: The third phase begins when
Nmap sends further probes to the open ports to detect the
service version numbers and the operating system, based on how
the system replies to the probes. The operating system and
version information helps to locate known vulnerabilities.
Data import: During the last phase, the collected data is gathered
into a report that is imported into the Metasploit project
[20].
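The following Python script, added here as an illustration and not taken from the paper or from Metasploit, performs the data-import phase on an Nmap XML report: it keeps the hosts that answered the ping sweep, records their open ports and best OS match, and lists the Windows hosts with TCP 445 open as candidates for the MS17-010 check used later in this paper. The report text embedded in the script is a constructed sample in Nmap's -oX format with hypothetical hosts, so the script runs offline.

```python
"""Import an Nmap XML report into a host inventory (discovery scan, phase 4).

Added example for this page; not code from the paper or from Metasploit.
SAMPLE_NMAP_XML is a constructed report in the format written by
nmap -sS -sV -O -oX report.xml, with hypothetical hosts."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX report.xml 192.168.199.0/24">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.199.137" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="97"/>
        <osmatch name="Microsoft Windows Server 2008 R2" accuracy="90"/></os>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.199.140" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    </ports>
    <os><osmatch name="Linux 3.10 - 4.11" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.199.141" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def import_nmap_xml(xml_text):
    """Turn an Nmap XML report into one record per live host."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # phase 1: keep only hosts that answered the ping sweep
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else None
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # phase 2: filtered/closed ports are not targets
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            open_ports.append({"port": int(port.get("portid")),
                               "proto": port.get("protocol"),
                               "service": svc.get("name") if svc is not None else "",
                               "product": product})
        best_os = None
        for m in host.findall("os/osmatch"):  # phase 3: keep the most accurate OS guess
            acc = int(m.get("accuracy", "0"))
            if best_os is None or acc > best_os[1]:
                best_os = (m.get("name"), acc)
        hosts.append({"ip": ip, "os": best_os[0] if best_os else "unknown",
                      "open_ports": open_ports})
    return hosts


def smb_candidates(hosts):
    """Windows hosts with TCP 445 open: worth feeding to auxiliary/scanner/smb/smb_ms17_010."""
    return [h["ip"] for h in hosts
            if "windows" in h["os"].lower()
            and any(p["port"] == 445 and p["proto"] == "tcp" for p in h["open_ports"])]


if __name__ == "__main__":
    inventory = import_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        print(h["ip"], h["os"], [p["port"] for p in h["open_ports"]])
    print("SMB check candidates:", smb_candidates(inventory))
```

A real report is produced with nmap -oX and read with open(); the filtered 3389 port in the sample is deliberately left out of the inventory, since only open ports can carry a session.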
7. Experiments and Results
Three main types of payload modules can be used in
the Metasploit framework.
Singles: Single payloads are self-contained, so
they can be used with non-Metasploit handlers such as
netcat; a single is completely standalone.
Stagers: Stagers are small, reliable payloads that set up a
network connection between the attacker and the victim and then
retrieve the rest of the payload; they are kept small because many
exploits leave little room for shellcode.
Stages: The payload components downloaded by a stager
are called stages. Stages such as Meterpreter provide advanced
features with no size limitation. A successful attack on a targeted
system requires reasonable planning.
The steps a hacker needs to carry out are as follows:
Determine the network information of the targeted
system.
Determine the operating system of the targeted system.
Determine the common and open ports on the targeted
system.
The most important part is getting to know the
company's network structure, such as the public IP addresses of
servers, the private network subnets, the services provided, the network
security measures, and so on. Once the hacker has gathered all the network
information, they can plan whether to perform the attack from
inside or outside the company network. Figure 2 shows the
experimental network.
Figure 2: Experimental Network Environment
Besides that, we determined the operating system of
the targeted system in order to find the latest known vulnerabilities for
that operating system and the framework module suited to
attacking it. After that, we needed to find the common and open ports on the
targeted system. This ensures that the framework can establish a
session between the targeted system and the local attack
machine over a specific open port. As ethical hackers we
can use common ports such as the HTTP port to get through the
firewall, because the HTTP port is normally allowed by default;
this works only because such a firewall filters on port number
rather than on the protocol actually spoken over the port. Nmap is a
network exploration tool, and it was used to perform the port
scanning and determine the target operating system [21].
Two types of exploit can be performed: client-side and
server-side. A client-side exploit relies on a user of the target
machine executing a malicious file (or opening a malicious document
or link) that creates a session back to the attacker. In contrast, a
server-side exploit attacks a vulnerability in a service exposed by
the target over the network, so nothing has to be executed by a user
on the client machine.
7.1. Client-Side Exploit
To exploit a machine, a payload is needed to create a
communication link between the victim and the attacker's server.
Msfvenom is the Metasploit tool used to generate a complete
payload and, optionally, encode it so that it survives the
constraints of the delivery channel. Msfvenom can also embed a
payload in an existing executable file. Msfvenom is the single
framework tool that replaced the earlier msfpayload and
msfencode command-line tools.
A payload generated by msfvenom alone is usually a poor choice
for client-side delivery: encoding is not encryption, the
templates and encoders are well known, and security software
detects them readily. Security software is therefore the main
hindrance to client-side exploitation. To create a payload that
evades security software such as antivirus, an advanced payload
generator must obfuscate or encrypt the payload. Veil is such a
tool; it generates Metasploit payloads that evade common antivirus
products. Using Veil, the chance of a successful client-side
exploitation increases compared to plain msfvenom output, because
the payload is encrypted and only decrypted at run time. Note that
evasion degrades over time as vendors add signatures for the
generated files, so a payload that evades detection when generated
should be re-tested against the target's antivirus before use.
Below are the steps for generating a Metasploit payload with Veil
3.0 and delivering it to the victim machines. In Kali Linux,
we launched Veil 3.0 by entering "./Veil.py".
The Veil-Evasion tool is used to generate the Metasploit payload
[22].
Figure 3: Usability of Veil-Evasion Tool
The Python script "python/meterpreter/rev_tcp.py" is
used to generate the Metasploit reverse TCP payload; the TCP port
can be specified manually, as shown in Figure 4.
Figure 4: TCP Port Payload
After that, we used the Pyherion encrypter to
encrypt the Metasploit payload for better antivirus
evasion. We set the Metasploit server (LHOST) to
"invisible.viewdns.net", the attacker's domain, and set the
listener port to 443 so that the connection passes through the
company firewall like outbound HTTPS traffic. The session itself
is a plain TCP stream, not TLS, so a proxy or IDS that inspects
the traffic on port 443 can still distinguish it from HTTPS.
Figure 5: Payload Configuration
Then set the payload name to “mgmtsys_setup” which is
the fake management system setup file.
Figure 6: Specify output file name
Use PyInstaller to compile the Python payload script into a
Windows executable so that the file can be run on the
Windows platform. The payload executable is created
successfully, as shown in Figure 7.
Figure 7: Payload Successfully Generated
After generating the payload, set up a listener in the
Metasploit console to receive the incoming connection from the
victim company's PC. In this case LHOST can be set to an
IP address instead of the domain name, because the
listener runs on our own server, so the address of the listening
interface is sufficient. LPORT must be the same as the
LPORT of the generated payload, which is 443.
Figure 8: Setup Listener
Assume that the workers received the payload via
email and executed it by double-clicking the file. After
a worker at the victim company runs the file, the PC
establishes a connection back to the Metasploit server.
Figure 9: Session Established
Now we have a session on the victim PC with the privileges
of the user who ran the file. Within those privileges we
can do whatever that user can, such as download prototypes of
the victim company's products, private files and financial
statements.
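Choosing port 443 for the listener only helps against a firewall that filters on port number. A Meterpreter reverse_tcp session on 443 is a raw TCP stream, and in a genuine TLS connection the client speaks first with a ClientHello record, so a defender who records the first bytes of each flow can tell the two apart. The following Python example, added here and not taken from the paper or from Metasploit, shows that check over constructed connection records (hypothetical addresses); in practice the records would come from a network sensor or proxy log.

```python
"""Flag port-443 connections whose client bytes are not a TLS ClientHello.

Added example for this page; not code from the paper or from Metasploit.
The connection records are constructed (hypothetical addresses); in practice
they would come from a network sensor or proxy that records the first bytes
sent in each direction."""

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type: ClientHello


def looks_like_client_hello(first_bytes):
    """Return True if the bytes start a plausible TLS ClientHello.

    Record header = type(1) version(2) length(2), followed by the handshake
    type byte. Record-layer versions 0x0301..0x0303 cover TLS 1.0 to 1.3
    (TLS 1.3 still uses 0x0301 or 0x0303 in the record header)."""
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == TLS_HANDSHAKE_RECORD
            and first_bytes[1] == 0x03
            and first_bytes[2] in (0x01, 0x02, 0x03)
            and first_bytes[5] == CLIENT_HELLO)


def suspicious_443_sessions(records):
    """Return (src, dst, reason) for port-443 flows that did not start as TLS."""
    findings = []
    for r in records:
        if r["dport"] != 443:
            continue
        client, server = r["client_first_bytes"], r["server_first_bytes"]
        if not client and not server:
            continue  # no payload seen yet; nothing to classify
        if not client:
            # In TLS the client always speaks first. A server-speaks-first flow
            # on 443 is what a staged reverse_tcp handler produces when it pushes
            # the stage to the connecting stager.
            findings.append((r["src"], r["dst"], "server spoke first on 443"))
        elif not looks_like_client_hello(client):
            findings.append((r["src"], r["dst"], "client bytes are not a TLS ClientHello"))
    return findings


# Constructed records (hypothetical hosts): a genuine TLS handshake, a raw
# command shell on 443, a staged session on 443, and an unrelated HTTP flow.
RECORDS = [
    {"src": "10.0.0.15", "dst": "203.0.113.10", "dport": 443,
     "client_first_bytes": bytes.fromhex("160301012a010001260303"),
     "server_first_bytes": bytes.fromhex("160303")},
    {"src": "10.0.0.22", "dst": "198.51.100.7", "dport": 443,
     "client_first_bytes": b"Microsoft Windows [Version 6.1.7601]\r\n",
     "server_first_bytes": b""},
    {"src": "10.0.0.31", "dst": "198.51.100.7", "dport": 443,
     "client_first_bytes": b"",
     "server_first_bytes": bytes.fromhex("d0a10100")},  # hypothetical stage length prefix
    {"src": "10.0.0.40", "dst": "203.0.113.11", "dport": 80,
     "client_first_bytes": b"GET / HTTP/1.1\r\n", "server_first_bytes": b""},
]

if __name__ == "__main__":
    for src, dst, reason in suspicious_443_sessions(RECORDS):
        print(f"{src} -> {dst}: {reason}")
```

The check is deliberately shallow (record header and handshake type only); a TLS-wrapped payload such as reverse_https would pass it, which is why the same sensor should also validate the server certificate and the destination against an allow list.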
7.2. Server-Side Exploit
EternalBlue is an exploit for a Windows Operating System
vulnerability that Microsoft patched in security bulletin
MS17-010 in March 2017; the exploit was leaked on April 14,
2017 [23]. It was developed by the National Security
Agency (NSA) and leaked by a group of hackers called the
Shadow Brokers. The exploit affects unpatched Windows
versions from Windows XP to Windows 7 (and the matching server
releases); the underlying flaw was present in later versions as
well until the MS17-010 update was applied. The exploit works by
abusing a flaw in the Windows implementation of Server Message
Block version 1 (SMBv1), the network file sharing protocol that
allows applications to access files on other computers in a
network.
DoublePulsar is a kernel-mode backdoor implant that EternalBlue
installs on the victim; it lets the attacker inject arbitrary
DLLs or shellcode into processes on the victim's computer. It is
therefore used together with the EternalBlue exploit [24], and the
pair was also used in the WannaCry ransomware attack. Because the
implant runs in kernel mode, it has the highest level of access
over the computer system.
7.2.1 Windows Escalate UAC Protection Bypass
Windows Escalate UAC Protection Bypass is a Metasploit local
exploit module that bypasses User Account Control (UAC) so that a
session can make changes to the operating system with full
administrative privileges. It does this by utilizing a trusted
publisher certificate during process injection and spawning a second
shell with the UAC flag turned off [25]. The module only elevates a
session that already belongs to a user in the local Administrators
group; it does not turn a standard user into an administrator.
Once the hacker has successfully accessed the victim
computer remotely using EternalBlue with the DoublePulsar
implant, this module gives the hacker full administrator
privileges on the victim's computer [25, 26].
7.2.2 Exploit PC Remotely
To use this exploit, we first scanned for computers
connected to the network using the Nmap tool.
Since we are accessing from inside the internal network, we
can enumerate the company's network by typing
"nmap -sn 192.168.199.0/24", where 192.168.199.0/24 is the
network address of the company. The -sn option tells Nmap to
perform host discovery only (a ping sweep), without a port scan,
so the result lists the hosts reachable from the hacker's
machine. After the scan has completed, the results are shown in
Figure 10. In this scenario, we target the host with IP address
192.168.199.137.
Figure 10: Nmap - Result of the connected computer to the
network
After this we launched the Metasploit console (msfconsole).
Next, to check whether the victim's IP address is vulnerable
to the EternalBlue exploit, the hacker uses the
Metasploit scanner for MS17-010 by typing use
auxiliary/scanner/smb/smb_ms17_010. This loads the
scanner module for this vulnerability.
Figure 11: Metasploit Scanner
To know what information the scanner requires, we
used the command show options to list the module's options.
RHOSTS, the remote host IP address, is necessary
for the scanner to work. Since the hacker already knows
the victim's IP address, we used set RHOSTS with
the victim's IP address. The result is shown in
Figure 12.
Figure 12: Metasploit Scanner EternalBlue – Set RHOSTS
Next, we ran the scanner with the command exploit
(run is equivalent for auxiliary modules). The scanner
reports that the victim's computer is vulnerable to MS17-010.
This means the EternalBlue exploit can be used to gain access to the
victim, as shown in Figure 13.
Figure 13: Metasploit Scanner Results
Now that we know the victim is vulnerable, we proceed to
exploit it by loading the EternalBlue module with the use command.
Figure 14: Metasploit EternalBlue Exploit
To know what information is needed, the show options
command is used. Set RHOSTS to the victim's IP
address. Since the victim runs a 64-bit version of Windows,
we need to set TARGETARCHITECTURE to x64, and then
set PROCESSINJECT to explorer.exe so that the payload is injected
into explorer.exe. After this we set the payload. In this
scenario we used the Meterpreter reverse TCP payload.
Meterpreter allows the hacker to control the victim computer,
for example to log the victim's keystrokes or to use VNC to see
what the victim is currently doing. When show options is entered
again, both the EternalBlue options and the payload options are
listed. Among the payload options, LHOST is required: set it to
the IP address of the hacker's computer. To launch the exploit, enter
the command exploit. This triggers the SMB vulnerability, installs
the DoublePulsar implant and uses it to inject the payload DLL into
the chosen process on the victim computer. Once the meterpreter
prompt appears, the exploit has succeeded, as shown in Figure 15.
Figure 15: Exploit Successful
Now we have control over the victim computer, but because the
payload was injected into explorer.exe the session runs with the
privileges of the logged-on user rather than with full
administrative rights, as Figure 16 shows.
Figure 16: Exploit Access
To obtain full privileges, we need to launch
another exploit. First, send the current session to the
background with the background command, and note its session
number. Then load the exploit/windows/local/bypassuac
module. show options shows that the bypassuac module requires
a SESSION. Since our backgrounded session to the victim computer
is session 2, we set SESSION to 2. The module then uses the
existing connection established by the previous exploit to run the
bypass. Next, we set the payload, which is
windows/meterpreter/reverse_tcp.
Figure 17: Bypass UAC Set Payload
Now we use show options again to see what
the payload requires: the IP address of the hacker's machine.
We set LHOST and LPORT. Entering exploit starts the
module. Once a new meterpreter prompt appears, the bypass
has succeeded on the victim computer. Figure 18 shows that running
getprivs now enables the full set of privileges on the victim's
operating system.
Figure 18: Meterpreter - Enable privileges
7.3. Discussion
We have used two types of exploit, client-side
and server-side. Each has its own pros and cons.
Pros
Client-side exploit:
- Easy to exploit hosts on a NAT-enabled network, because the
malicious file carries the hacker's public server IP address and
port and the victim connects outwards.
- Able to exploit everyone at once by distributing the malicious
file, without specifying the targeted IP addresses one by one.
Server-side exploit:
- Exploited from the Metasploit server without executing a
malicious file on the client side.
- This kind of exploit can bypass antivirus checking.
Cons
Client-side exploit:
- The malicious file has to be delivered to the client side, and
the exploit requires user interaction, such as clicking on the
malicious file.
- The malicious file may be detected and removed by antivirus.
Server-side exploit:
- Hard to exploit hosts on a NAT-enabled network, because not every
internal device is configured as a virtual server that maps it to
the WAN interface on a specific port.
- Hard to exploit multiple target machines at the same time.
Today, cybercrimes are growing exponentially
worldwide, causing significant financial damage to
companies and individuals. Recent studies on
cyber protection show that the number of hacking and infection
cases is increasing across common sources including smartphones,
IoT networks, social networking and other services. Figure 19
gives details of the forms of cyber-attack methods in the USA [27].
Figure 19: Types of growing number of cyber-attack methods in
USA
Metasploit attacks are best defended against with
traditional security measures such as patching, running
programs with the least privilege necessary, restricting network
access to trusted hosts and other general controls. We
suggest using the CIS Critical Security Controls, a
prescribed set of cyber security actions that provide
concrete and actionable means of stopping the most
common and harmful attacks [29, 30]. The current CIS
Controls are aligned with other independent guidelines and
guidance on defence, and organizations can use them to
structure their security improvement programme.
Network protection software and resources exist to
help a company secure not only its confidential data
but also its overall productivity, reputation and even its
ability to do business. Two main advantages of effective network
defence are continued operating capacity and intact data integrity.
Table 2 gives an overview of tools that can be used to protect
against Metasploit exploitation [30, 31].
Mitigation technique: Purpose
Nmap: By running Nmap, users can discover which ports are
accessible on a computer and which services run on them, and so
find where weak points exist in their own network.
Nessus: A secure, robust, up-to-date and easy-to-use remote
security scanner. Its intelligent service identification also
recognises services running on non-standard ports.
Benchmark tools: After the network is scanned it is useful to
verify whether the OS or device settings conform to current
industry best practice. The Center for Internet Security (CIS)
free benchmark and scoring tool offers a fast and simple way to
evaluate systems against the minimum CIS benchmark.
Anti-malware software: Malware is intended to propagate across
operating systems and networks in the form of viruses, trojans,
keyloggers, spyware, etc. Anti-malware tools are network
protection software designed to detect and prevent the spread of
malicious programs.
Email security: Aimed at reducing human security weaknesses.
Using phishing tactics, attackers persuade e-mail users to give
away sensitive information via desktop or mobile devices, or to
download malware into the targeted network by accident. Email
security detects hazardous messages and can also be used to block
threats and prevent sensitive details from being shared.
Firewall, IDS and web security: These measures include
software, hardware, procedures and more, and summarise the
network security steps companies take to maintain safe web use
while connected to an internal network. They prevent browsers
from becoming entry points for web-based attacks on the network.
Table 2: Metasploit attack mitigation techniques
8. Proposed Security Prevention
Preventive measures can be taken to stop these
exploits from successfully breaking into the victim's
computer. One important action is to install a
reputable antivirus product such as Bitdefender,
Kaspersky or Norton. These products may be more
expensive than other brands, but they can detect malware
that other products miss. Besides that, regular
Windows updates patch the specific flaws in the operating
system that exploits use to enter a computer remotely; the
MS17-010 update removes the flaw EternalBlue relies on. Blocking
unused ports is also crucial in a company or large organization,
since a server-side exploit can only use a port that is open
to reach the organization's computers and devices.
Port blocking should be implemented both on host
firewalls such as the Windows firewall and on network firewalls
such as the router. Blocking TCP port 445 (and 139) at the network
boundary prevents EternalBlue from reaching the SMB service and
entering the operating system; disabling SMBv1 on the hosts
themselves removes the vulnerable code entirely. Additionally,
implement an Intrusion Prevention System (IPS) in the
organization's network to detect and prevent vulnerability
exploits by monitoring the network traffic flows.
9. Conclusion
Several guidelines are available to deter phishing
attacks, such as protecting email from spam. Companies and
individuals should use the filtering functions of their email
service, although these functions are not 100% accurate. Browsers
should be set to blacklist known fake domains: with this
procedure, bogus websites are recorded, the page is blocked if a
user attempts to load it and a warning is shown.
In addition, changing passwords periodically and not
using the same password for all accounts is a safe practice.
Websites should also use a CAPTCHA to
improve safety, and the company should monitor for and take down
fraudulent copies of its websites, since a phishing site cloned
from the company's own site is what victims are lured to.
Moreover, the company must educate its staff
to be aware of these attacks, and restrict
employees' access to the organization's network and machines.
A port scan only probes ports; it does not establish a working
connection to our server, so an individual probe does not
interfere with the service and may look like a legitimate
connection attempt. However, companies and customers can
concentrate on monitoring traffic across the network and tracking
incoming traffic from one source to the same endpoint on many
different port numbers. Once such a source has been detected, the
firewall can block the source IP address. Rules must also be
enforced to deny traffic from dangerous and unknown sources.
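The following Python example, added here and not taken from the paper, implements the detection just described over constructed firewall log lines (iptables-style syslog format with hypothetical addresses): it counts the distinct destination ports each source contacts on one host within a time window, ignores a client that merely retries a single port, and renders a deny rule for each source that crosses the threshold. The window length and port threshold are assumed values to be tuned for the environment.

```python
"""Detect a port scan in firewall log lines and emit block rules for the source.

Added example for this page; not code from the paper. SAMPLE_LOG is
constructed (iptables-style syslog lines, hypothetical addresses)."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line, year=2021):
    """Parse one iptables log line; return None for lines that are not firewall events."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_port_scans(lines, window_s=60, min_ports=10):
    """Map source IP -> most distinct ports it probed on one destination within window_s.

    Only sources reaching min_ports distinct ports are returned. Counting
    distinct ports rather than packets keeps a client that retries a single
    port (a failing but legitimate connection attempt) out of the result."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e["src"], e["dst"])].append(e)
    scanners = {}
    for (src, _dst), evs in per_pair.items():
        lo = 0
        for hi in range(len(evs)):  # sliding time window over this source/destination pair
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            ports = {e["dpt"] for e in evs[lo:hi + 1]}
            if len(ports) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(ports))
    return scanners


def block_rules(scanners):
    """Render a deny rule per detected source (iptables syntax)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(scanners)]


def _line(sec, src, dst, dpt, action="DROP"):
    """Build one constructed iptables log line."""
    return (f"Mar 14 10:01:{sec:02d} fw kernel: {action} IN=eth0 OUT= "
            f"SRC={src} DST={dst} LEN=44 PROTO=TCP SPT=54321 DPT={dpt} WINDOW=1024")


SAMPLE_LOG = (
    # a sweep of 12 distinct ports on one host within 12 seconds
    [_line(i, "203.0.113.50", "192.168.199.137", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    # a client retrying HTTPS five times: one port, not a scan
    + [_line(20 + i, "10.0.0.5", "192.168.199.1", 443, "ACCEPT") for i in range(5)]
    # three probes from another source: below the threshold
    + [_line(30 + i, "203.0.113.60", "192.168.199.137", p) for i, p in enumerate([22, 80, 443])]
    # an unrelated syslog line, ignored by the parser
    + ["Mar 14 10:01:40 fw sshd[123]: Accepted publickey for ops from 10.0.0.9"]
)

if __name__ == "__main__":
    hits = detect_port_scans(SAMPLE_LOG)
    print(hits)
    print("\n".join(block_rules(hits)))
```

The threshold is applied per source and destination pair, so a slow scan spread across many hosts (one port per host) would not trigger it; a second counter over distinct destinations per source covers that case.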
The Metasploit framework can generate various kinds of
payloads for different situations that allow attackers to
accomplish their goals. Based on the scenarios above,
exploitation of systems is an area a company should always
keep an eye on. Successful execution of an exploit against the
company results in a huge loss of confidential data and damage to
the company's reputation.
References
[1] Tabassum, M. and Elkhateeb, K., 2009. Network Capability
Analysis and Related Implementations Improvements
Recommendations.
[2] Perumal, S., Tabassum, M., Samy, G.N., Ponnan, S.,
Ramamoorthy, A.K. and Sasikala, K.J., Cybercrime Issues in
Smart Cities Networks and Prevention Using Ethical
Hacking. Data-Driven Mining, Learning and Analytics for
Secured Smart Cities: Trends and Advances, p.333.
[3] Kirda, E., Kruegel, C., Vigna, G. and Jovanovic, N., 2006,
April. Noxes: a client-side solution for mitigating cross-site
scripting attacks. In Proceedings of the 2006 ACM
symposium on Applied computing (pp. 330-337).
[4] Mainka, C., Somorovsky, J. and Schwenk, J., 2012, June.
Penetration testing tool for web services security. In 2012
IEEE Eighth World Congress on Services (pp. 163-170).
IEEE.
[5] Johari, R. and Sharma, P., 2012, May. A survey on web
application vulnerabilities (SQLIA, XSS) exploitation and
security engine for SQL injection. In 2012 International
Conference on Communication Systems and Network
Technologies (pp. 453-458). IEEE.
[6] Goutam, A. and Tiwari, V., 2019, November. Vulnerability
Assessment and Penetration Testing to Enhance the Security
of Web Application. In 2019 4th International Conference on
Information Systems and Computer Networks (ISCON) (pp.
601-605). IEEE.
[7] Khera, Y., Kumar, D. and Garg, N., 2019, February. Analysis
and Impact of Vulnerability Assessment and Penetration
Testing. In 2019 International Conference on Machine
Learning, Big Data, Cloud and Parallel Computing
(COMITCon) (pp. 525-530). IEEE.
[8] Younis, Y.A., Kifayat, K., Topham, L., Shi, Q. and Askwith,
B., 2019, March. Teaching Ethical Hacking: Evaluating
Students' Levels of Achievements and Motivations. In
International Conference on Technical Sciences (ICST2019)
(Vol. 6, p. 04).
[9] Cisar, P. and Pinter, R., 2019. Some ethical hacking
possibilities in Kali Linux environment. Journal of Applied
Technical and Educational Sciences, 9(4), pp.129-149.
[10] Holik, F., Horalek, J., Marik, O., Neradova, S. and Zitta, S.,
2014, November. Effective penetration testing with
Metasploit framework and methodologies. In 2014 IEEE
15th International Symposium on Computational
Intelligence and Informatics (CINTI) (pp. 237-242). IEEE.
[11] Perumal, S., Tabassum, M., Samy, G.N., Ponnan, S.,
Ramamoorthy, A.K. and Sasikala, K.J., Cybercrime Issues in
Smart Cities Networks and Prevention Using Ethical
Hacking. Data-Driven Mining, Learning and Analytics for
Secured Smart Cities: Trends and Advances, p.333.
[12] TechLoop, Shaik Ajmal, 2019, Reconnaissance the key to
Ethical Hacking!, Viewed on 15 June 2020, Access link:
https://medium.com/techloop/reconnaissance-the-key-to-eth
ical-hacking-3b853510d977
[13] Patil, S., Jangra, A., Bhale, M., Raina, A. and Kulkarni, P.,
2017, September. Ethical hacking: The need for cyber
security. In 2017 IEEE International Conference on Power,
Control, Signals and Instrumentation Engineering (ICPCSI)
(pp. 1602-160
[14] Tabassum, M., Perumal, S., Mohanan, S., Suresh, P.,
Cheriyan, S. and Hassan, W., 2021. IoT, IR 4.0, and AI
Technology Usability and Future Trend Demands:
Multi-Criteria Decision-Making for Technology Evaluation.
In Design Methodologies and Tools for 5G Network
Development and Application (pp. 109-144). IGI Global.
[15] GreyCampus, Gaining Access, Access link:
https://www.greycampus.com/opencampus/ethical-hacking/
gaining-access
[16] INFOSEC, Howard Poston, Top 10 Network Recon Tools,
Viewed on 11 June 2020, Access
link:https://resources.infosecinstitute.com/category/certifica
tions-training/ethical-hacking/network-recon/#gref
[17] Holik, F., Horalek, J., Marik, O., Neradova, S. and Zitta, S.,
2014, November. Effective penetration testing with
Metasploit framework and methodologies. In 2014 IEEE
15th International Symposium on Computational
Intelligence and Informatics (CINTI) (pp. 237-242). IEEE.
[18] Offensive Security 2017, Payload Types in the Metasploit
Framework, Offensive Security, viewed 10 May 2021,
<https://www.offensive-security.com/metasploit-unleashed/
payload-types/>.
[19] Shinde, P.S. and Ardhapurkar, S.B., 2016, February. Cyber
security analysis using vulnerability assessment and
penetration testing. In 2016 World Conference on Futuristic
Trends in Research and Innovation for Social Welfare
(Startup Conclave) (pp. 1-5). IEEE.
[20] Lehrfeld, M. and Guest, P., 2016, March. Building an ethical
hacking site for learning and student engagement. In
SoutheastCon 2016 (pp. 1-6). IEEE.
[21] Mathew, K., Tabassum, M. and Siok, M.V.L.A., 2014,
August. A study of open ports as security vulnerabilities in
common user computers. In 2014 International Conference
on Computational Science and Technology (ICCST) (pp.
1-6). IEEE.
[22] The Security Sleuth 2015, Using Veil to bypass antivirus and
disguise a Metasploit backdoor, The Security Sleuth, viewed
20 March 2021,
<https://www.security-sleuth.com/sleuth-blog/2015/2/3/usin
g-veil-with-metasploit>.
[23] Burgess, M 2017, Everything you need to know about
EternalBlue – the NSA exploit linked to Petya, WIRED UK,
viewed 21 April 2021,
<http://www.wired.co.uk/article/what-is-eternal-blue-exploi
t-vulnerability-patch>.
[24] Sterling, B 2017, Double Pulsar NSA leaked hacks in the
wild, WIRED, viewed 19 April 2021,
<https://www.wired.com/beyond-the-beyond/2017/04/doubl
e-pulsar-nsa-leaked-hacks-wild>.
[25] Kennedy, D 2017, Windows Escalate UAC Protection
Bypass, Rapid7, viewed 15 April 2021,
<https://www.rapid7.com/db/modules/exploit/windows/loca
l/bypassuac>.
[26] Tabassum, M. and Mathew, K., 2014, August. Software
evolution analysis of linux (Ubuntu) OS. In 2014
International Conference on Computational Science and
Technology (ICCST) (pp. 1-7). IEEE.
[27] Webroot, n.a, What is Social Engineering?, Viewed on 29
March 2021, Access link:
https://www.webroot.com/us/en/resources/tips-articles/what
-is-social-engineering.
[28] Tabassum, M., Gabr, M., Mohanan, S. and Mathew, K.,
2020. Development of smart vehicle security and
entertainment system (SSES) using raspberry pi. Int. J. Eng
Adv. Technol, 9(3), pp.4077-4083.
[29] N.a, SANS, “CIS Controls v8”, April 21, 2021, Viewed on
16 May 2021, Access link:
https://www.sans.org/blog/cis-controls-v8/.
[30] Setiawan, E.B. and Setiyadi, A., 2018, August. Web
vulnerability analysis and implementation. In IOP
Conference Series: Materials Science and Engineering (Vol.
407, No. 1, p. 012081). IOP Publishing.
[31] Sharma, T. and Tabassum, M., 2021. Enhanced Algorithm to
Optimize QoS and Security Parameters in Ad hoc Networks.
In Design Methodologies and Tools for 5G Network
Development and Application (pp. 1-27). IGI Global.